From: Wietse Venema <wietse@porcupine.org>
Date: Tue, 11 Jul 2006 05:00:00 +0000 (-0500)
Subject: postfix-2.4-20060711
X-Git-Tag: v2.4.0-RC1~53
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=44d36d21dc02f77fd9c26b7ce3ec7b0083836670;p=thirdparty%2Fpostfix.git

postfix-2.4-20060711
---

diff --git a/postfix/AAAREADME b/postfix/AAAREADME
index 5340587de..d68a0f16d 100644
--- a/postfix/AAAREADME
+++ b/postfix/AAAREADME
@@ -47,7 +47,6 @@ Web sites:
 Mail addresses (PLEASE send questions to the mailing list)
 
     postfix-users@postfix.org		Postfix users mailing list
-    wietse@porcupine.org		the original author
 
 In order to subscribe to the mailing list, see http://www.postfix.org/.
 
@@ -162,8 +161,9 @@ Miscellaneous:
     auxiliary/		Auxiliary software etc.
     bin/		Postfix command executables
     conf/		Configuration files, run-time scripts
-    include/		Installed include files
-    lib/		Installed object libraries
+    include/		Include files
+    implementation-notes/ Background information
+    lib/		Object libraries
     libexec/		Postfix daemon executables
-    mantools/		Manual page utilities
+    mantools/		Documentation utilities
     proto/		Documentation source
diff --git a/postfix/COMPATIBILITY b/postfix/COMPATIBILITY
index b48862241..d5da65235 100644
--- a/postfix/COMPATIBILITY
+++ b/postfix/COMPATIBILITY
@@ -8,12 +8,13 @@ address probing	yes (optional persistent database)
 aliases		yes (can enable/disable mail to /file or |command)
 bare newlines	yes (but will send CRLF)
 blacklisting	yes (client name/addr; helo hostname; mail from; rcpt to)
-connection caching yes (SMTP shared cache; LMTP in-process cache)
+connection caching yes (SMTP shared cache; LMTP shared cache)
 content filter	yes (before and after queue, internal and external)
 db tables	yes (compile time option)
 dbm tables	yes (compile time option)
 delivered-to	yes (configurable with prepend_delivered_header)
-dsn		almost (supports enhanced status codes and DSN format bounces)
+dsn		yes
+enhanced status codes	yes
 errors-to:	no (removed with Postfix 2.2)
 esmtp		yes
 etrn support	yes (per-destination log for authorized destinations only)
@@ -23,9 +24,9 @@ genericstable	yes (Postfix 2.2 generic(5) table)
 greylist	yes (delegated policy script)
 home mailbox	yes
 ident lookup	no
-ipv6	        yes (compatibility for ipv4-only kernels/libraries)
+ipv6	        yes (compatibility for ipv4-only systems)
 ldap tables	yes (contributed)
-lmtp support	yes (client)
+lmtp support	yes (client only)
 luser relay	yes
 m4 config	no
 mail to command	yes (configurable for .forward, aliases, :include:)
@@ -34,6 +35,7 @@ maildir		yes (in home, system mailspool, /file/name/ alias)
 mailertable	yes (it's called transport)
 mailq		yes
 majordomo	yes (edit approve script to delete /^delivered-to:/i)
+milter		yes (except body replacement)
 mime		yes (including 8bit to quoted-printable conversion)
 mysql tables	yes (contributed)
 netinfo tables	yes (contributed)
@@ -42,11 +44,11 @@ nis tables	yes
 nis+ tables	yes (contributed)
 no <> in smtp	yes (most common address forms)
 pgsql tables	yes (contributed)
-pipeline option	yes (server and client)
-pop/imap	yes (with third-party daemons that use mailbox or maildir)
+pipeline option	yes (SMTP server and client; LMTP client)
+pop/imap	no
 qmqp server	yes (with verp support)
 rbl support	yes
-return-receipt:	no
+return-receipt:	no (use DSN NOTIFY=SUCCESS)
 rhsbl support	yes
 sasl support	yes (compile time option)
 sendmail -bt	no
diff --git a/postfix/DSN_NOTES b/postfix/DSN_NOTES
deleted file mode 100644
index 8e85c4b3d..000000000
--- a/postfix/DSN_NOTES
+++ /dev/null
@@ -1,48 +0,0 @@
-Postfix DSN support implementation notes
-========================================
-
-In delivery status reports, Postfix now properly reports remote
-LMTP/SMTP server replies with Diagnostic-Type: SMTP, with the
-Diagnostic-Code: equal to the server reply, and with Remote-MTA:
-equal to the name of the remote MTA.
-
-Of course Postfix still produces the same "informal" error descriptions
-that it produced before (for example, the error text that appears
-in the first section of a bounce report).
-
-The Postfix LMTP/SMTP clients also report locally generated SMTP-style
-Diagnostic-Code: text (such as "420 conversation timed out") while
-taking care NOT to present these as if they are replies from the
-remote MTA (Sendmail appears to violate RFC 3464 here).
-
-That was the easy part. The remainder of Postfix is still somewhat
-inconsistent in the way that it creates the formal Diagnostic-Type:
-and Diagnostic-Code: information.
-
-- The queue manager attempts to produce standard SMTP Diagnostic-Type:
-and Diagnostic-Code: information for errors that it detects. It
-also receives error information from delivery agents and reports
-that information unmodified when it decides to "temporarily suspend"
-a delivery channel.
-
-- The "pipe to command" code in local(8) and pipe(8) produces
-Diagnostic-Type: X-UNIX, and Diagnostic-Code: text that is taken
-from /usr/include/sysexits.h or from the command output.  This could
-be morphed into SMTP-style information, by mapping a sysexits error
-code to an SMTP error code, and combining that SMTP code with the
-sysexits.h text or command output.  The advantage of this would be
-more useful Diagnostic-Code: information.
-
-- The code that delivers to mailbox produces Diagnostic-Type:
-X-Postfix and Diagnostic-Code: text that is the same good old Postfix
-error message that we are already familiar with. Typically these
-are errno-style reports about locking a file or appending a file.
-This information could be morphed into SMTP-style information, by
-mapping an errno error code into an SMTP error code, and combining
-that SMTP code with the Postfix-style text that we already have
-(such as text that says unable to lock mailbox, or mailbox file
-size limit exceeded).
-
-I'm not (yet) religious about banning X-UNIX and X-Postfix from the
-formal part of a delivery status report, but all these non-standard
-diagnostic codes aren't really very useful.
diff --git a/postfix/HISTORY b/postfix/HISTORY
index df09f5efd..5fb213647 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -12222,27 +12222,29 @@ Apologies for any names omitted.
 	tls/tls_misc.c, tls/tls_server.c.
 
 	Added smtpd_tls_protocols parameter to complement
-	smtp_tls_protocols.
+	smtp_tls_protocols. Victor Duchovni.
 
 20060517
 
 	The smtp_tls_policy_maps table now implements parent domain
 	matching for destinations that are bare domains (without
 	enclosin [] or optional :port suffix). This allows one to
-	set TLS policy for a domain and all sub-domains.
+	set TLS policy for a domain and all sub-domains. Victor
+	Duchovni.
 
 20060519
 
 	The same parameter can bind to different variables in
 	different daemons, ignore the variable name when eliminating
-	duplicates in extract.awk.
+	duplicates in extract.awk. Victor Duchovni.
 
 20060523
 
 	Improved handling of smtp_tls_protocols and smtpd_tls_protocols,
 	names now processed via name_mask(3) and canonicalized prior
 	to use in the SMTP/LMTP client TLS session lookup key. Also
-	simplifies the corresponding code in the TLS driver.
+	simplifies the corresponding code in the TLS driver. Victor
+	Duchovni.
 
 20060524
 
@@ -12259,7 +12261,7 @@ Apologies for any names omitted.
 20060601
 
 	Fixed default value of LMTP TLS client certificate parameters,
-	using the SMTP values as a default was wrong.
+	using the SMTP values as a default was wrong. Victor Duchovni.
 
 20060603
 
@@ -12267,7 +12269,7 @@ Apologies for any names omitted.
 	settings. We need to add the transport name to the TLS
 	session lookup key so that sessions verified with one set
 	of trusted roots are not inadvertantly considered verified
-	for another.
+	for another. Victor Duchovni.
 
 20060604
 
@@ -12301,7 +12303,7 @@ Apologies for any names omitted.
 20060606
 
 	Portability: Some systems no longer support the traditional
-	"sort +0 -2 +3".
+	"sort +0 -2 +3". Victor Duchovni.
 
 20060607
 
@@ -12340,18 +12342,18 @@ Apologies for any names omitted.
 
 20060612
 
-	Changed smtp security level parsing and level to name
-	convertion to use name_code(3).
+	Changed smtp security level parsing and level->name conversion
+	to use name_code(3). Victor Duchovni.
 
 	Implemented new smtp_tls_security_level parameter, to replace
 	the unnecessarily complex smtp_use_tls, smtp_enforce_tls
 	and smtp_tls_enforce_peername parameters. The main.cf
 	security level settings are now consistent with the new
-	policy table.
+	policy table. Victor Duchovni.
 
 	The smtp_sasl_tls_verified_security_options feature is not
 	yet complete, added #ifdef SNAPSHOT and changed documentation
-	to delay introduction until Postfix 2.4.
+	to delay introduction until Postfix 2.4. Victor Duchovni.
 
 20060614
 
@@ -12360,10 +12362,10 @@ Apologies for any names omitted.
 	personality of the unified SMTP/LMTP client.
 
 	Allow mandatory TLS encryption with LMTP over UNIX-domain
-	sockets.
+	sockets. Victor Duchovni.
 
 	Safety: improved code to avoid I/O on connections after the
-	TLS handshake fails.
+	TLS handshake fails. Victor Duchovni.
 
 20060615
 
@@ -12375,7 +12377,7 @@ Apologies for any names omitted.
 
 	The qshape.pl script was updated for the pointer records
 	that were introduced to support message content modification
-	by Milter applications.
+	by Milter applications. Victor Duchovni.
 
 20060620
 
@@ -12387,7 +12389,8 @@ Apologies for any names omitted.
 	The levels are "high", "medium" (or better), "low" (or
 	better), "export" (or better) and "null".  The underlying
 	definitions of these levels are configurable, but users are
-	strongly encouraged to not change those definitions.
+	strongly encouraged to not change those definitions. Victor
+	Duchovni.
 
 20060626
 
@@ -12408,60 +12411,167 @@ Apologies for any names omitted.
 	mumble_tls_mandatory_mumble; added _mandatory_ qualifier
 	to names of parameters that affect only mandatory TLS.
 
+20060630
+
+	Features promoted from SNAPSHOT to STABLE: the "sleep"
+	pseudo restriction; Postfix daemons now read the local
+	timezone file before chrooting; trivial-rewrite now detects
+	table changes every 10 seconds, so it restarts more timely.
+
+	Features that stay #ifdef SNAPSHOT: tcp_table,
+	lmtp_sasl_tls_verified_security_options, and
+	smtp_sasl_tls_verified_security_options.
+
+	Compatibility: Sendmail does not send its own Received:
+	header to Milter applications. Offsets in header replace
+	requests are relative to the message content as received
+	(i.e. without our own Received: header), while offsets in
+	header insert requests are relative to the message as
+	delivered (i.e. they include our own Received: header).
+	This explains why dk-filter would sign our own Received:
+	header but place the signature between our own Received:
+	header and the rest of the message, violating the draft
+	domainkeys spec.
+
+20060702
+
+	Cleanup: more graceful handling of queue file read/write
+	errors while processing milter message modification requests.
+	Files: cleanup/cleanup_milter.c, milter/milter8.c.
+
+20060703
+
+	Debugging: the Postfix milter client gives more context
+	when it experiences trouble while talking to an uncooperative
+	Milter application. File: milter/milter8.c.
+
+	Compatibility: with OpenBSD 2.7 and later, the alias file
+	is now in /etc/mail/aliases.
+
+20060704
+
+	Bugfix: the Milter client skipped zero-length body lines.
+	File: milter/milter8.c.
+
+	Feature (just this one): RFC 3834 "Auto-Submitted:" message
+	header in DSNs.  File: bounce/bounce_notify_util.c.
+
+20060705
+
+	Portability: LP64 systems required a few ssize_t->int casts
+	in debug logging statements.  Files: milter/test_milter.c,
+	cleanup/cleanup_milter.c.
+
+	Cleanup: comments, error messages, and crumbling interfaces.
+
+20060707
+
+	Workaround: apparently, Solaris gettimeofday() can return
+	out-of range microsecond values.  File: src/global/log_adhoc.c.
+
+	Robustness: the SMTPD policy client now encodes the
+	ccert_subject and ccert-issuer attributes as xtext.  Some
+	characters are replaced by +XX, where XX is the two-digit
+	hexadecimal code for the character value.  File:
+	smtpd/smtpd_check.c.
+
+	Safety: the SMTP/LMTP client now defers delivery when a
+	SASL password exists, but the server does not offer SASL
+	authentication. Mail could be rejected otherwise. This may
+	become an issue now that Postfix retries delivery in plaintext
+	after an opportunistic TLS handshake fails. Specify
+	"smtp_sasl_auth_enforce = no" to deliver mail anyway.  File:
+	smtp/smtp_proto.c. See workaround 20060711 for sender-dependent
+	SASL passwords.
+
+20060709
+
+	Cleanup: the new single smtpd_tls_security_level parameter
+	obsoletes the multiple smtpd_use_tls and smtpd_enforce_tls
+	parameters. This is done for consistency with the Postfix
+	SMTP client. In the Postfix SMTP server, the levels "verify"
+	and "secure" are currently not applicable, and are treated
+	as "encrypt", after logging a warning. Files: smtpd/smtpd.c,
+	tls/tls_level.c, smtp/smtp_session.c.
+
+	Compatibility: don't send the first (blank) body line to
+	Milter applications.  This broke domain key etc. signatures
+	when verified by non-Postfix MTAs.  File: milter/milter8.c.
+
+20060710
+
+	Cleanup: more consistency between smtpd(8) and smtp(8) TLS
+	configuration interfaces: smtpd_tls_mandatory_exclude_ciphers,
+	smtpd_tls_mandatory_ciphers, smtpd_tls_mandatory_protocols.
+	By Victor. Files:smtpd/smtpd.c.
+
+	Cleanup: to support domainkey signing of bounces and
+	Postmaster notices, enable content inspection of Postfix-
+	generated mail with the new internal_mail_filter_classes
+	feature.  This is disabled by default, because it is not
+	yet safe enough. Files: global/int_filt.[hc] and everything
+	that calls post_mail_fopen*().
+
+20060711
+
+	Cleanup: smtpd_tls_mumble -> smtpd_tls_mandatory_mumble,
+	and finer control over the Postfix SMTP server TLS ciphers,
+	all this for consistency with the same functionality in the
+	Postfix SMTP client. Victor Duchovni.
+
+	Compatibility: Sendmail's milter client handles whitespace
+	after the header label and ":" in an interesting manner.
+	It eats one space (not tab). File: milter/milter8.c.
+
+	Workaround: if sender-depedendent SASL passwords are enabled,
+	don't defer delivery when a SASL password exists but the
+	server doesn't announce SASL support. File: smtp/smtp_proto.c.
+
+	Cleanup: format of cleanup milter reject messages.  File:
+	cleanup_milter.c.
+
+	Bugfix: file/memory leak if a transfer of multiple milters
+	from smtpd to cleanup broke in the middle.  Found by Coverity.
+	File: milter/milter.c.
+
 Wish list:
 
-	In the SMTPD policy client (encode or strip) non-printable
-	non-ASCII in (TLS or all) attributes.
+	The usage of TLScontext->cache_type is unclear. It specifies
+	a TLS session cache type (smtpd, smtp, or lmtp), but it is
+	sometimes used as an indicator that TLS session caching is
+	unavailable.  In reality, that decision is made by not
+	registering call-back functions for cache maintenance.
 
-	run real sendmail through test-milter and check the data
-	for bit-wise compatibility with Postfix.
+	Postfix TLS library code should copy any strings that it
+	receives from the application, instead of passing them
+	around as pointers. TLScontext->cache_type is a case in
+	point.
 
 	Are transport:nexthop null fields the same as in the case
 	of default_transport etc. parameters?
 
-	Introduce the notion of required security level into smtpd(8)
-	just like with smtp(8): if the level is specified, ignore
-	the legacy boolean parameters.
-
 	Introduce structured API for tls_server_mumble() just like
 	with smtp(8): this eliminates ever-growing lists of arguments.
 
-	Cleanup: declare smtp_tls_levels[] in a header file, probably
-	one that is owned by the Postfix TLS library instead of
-	smtp(8).  Better, encapsulate the name to code conversion
-	as a Postfix TLS library service routine.
-
-	With (non)delivery notifications, prepend an "Auto-Submitted:
-	auto-replied" header, as per RFC 3834.
-
-	Defer delivery when a SASL password exists but the server
-	does not offer SASL authentication, as mail might otherwise
-	be bounced. This may become an issue now that Postfix will
-	retry in plaintext after optional TLS fails. Make this
-	configurable so people can get the old behavior.
-
 	Don't lose bits when converting st_dev into maildir file
 	name. It's 64 bits on Linux. Found with the BEAM source
-	code analyzer.
+	code analyzer. Is this really a problem, or are they just
+	using 64 bits for upwards compatibility with LP64 systems?
 
 	Do or don't introduce unknown_reverse_client_reject_code.
 
-	mail_addr/rcpt_addr should be externalized as they are in
-	Sendmail. Likewise, addresses in add/delete requests should
-	be internalized before updating the queue file.
-
-	Check that UINT32 == in choice is ok (i.e. LP64 UNIX).
+	In Milter events, mail_addr/rcpt_addr should be externalized
+	as they are in Sendmail. Likewise, addresses in add/delete
+	requests should be internalized before updating the queue
+	file.
 
-	Fix milter_argv() so it does not forget how much memory it
-	has.
+	Check that "UINT32 == unsigned int" choice is ok (i.e. LP64
+	UNIX).
 
 	Tempfail when a Milter application wants content access,
 	while it is configured in an SMTP server that runs before
 	the smtpd_proxy filter.
 
-	Don't send xforward attributes to every site that announces
-	xforward support.
-
 	The sendmail command should not return non-std exit status
 	after fatal error in some internal library routine.
 
@@ -12469,20 +12579,10 @@ Wish list:
 
 	Keep whitespace between label and ":"?
 
-	Make XCLIENT/XFORWARD future proof: send xtext and accept
-	old non-xtext.
-
 	Make the map case folding/locking options configurable, if
 	not at run-time then at least at compile time so we get
 	consistent behavior across applications.
 
-	Investigate if it is feasible to eliminate cleanup(8) from
-	the path of mail that is forwarded or generated internally.
-	Good: we don't want header rewriting or content inspection.
-	Bad: we still need virtual aliasing, even when mail is
-	forwarded internally. This almost seems to imply that we
-	do virtual aliasing earlier?
-
 	Investigate what it would take to eliminate oqmgr, and to
 	make the old behavior configurable in a unified queue
 	manager.  This would shave another 2.7 KLOC from the source
@@ -12494,8 +12594,8 @@ Wish list:
 	Eliminate the (incoming,deferred)->active rename operation.
 
 	Softbounce fallback-to-ISP for SOHO users. This requires
-	playing with with the soft_error test in the smtp_trouble.c
-	module, and a way to avoid trying direct-to-MX-backup.
+	playing with the soft_error test in the smtp_trouble.c
+	module, and avoiding delivery to backup MX hosts.
 
 	select -> kqueue, epoll, /dev/poll, poll() ...
 
@@ -12505,7 +12605,8 @@ Wish list:
 	access rule.
 
 	Centralize main.cf parameter input so that defaults work
-	consistently.
+	consistently. What about parameter names that are prefixed
+	with mail delivery transport names?
 
 	Fix default time unit handling so that we can have a default
 	bounce lifetime of $maximal_queue_lifetime, without causing
@@ -12521,8 +12622,6 @@ Wish list:
 	Remove defer(8) and trace(8) references and man pages. These
 	are services not program names.
 
-	dsb_formal -> dsb_form_all, dsb_status -> dsb_form_status
-
 	Is it safe to cache a connection after it has been used for
 	more than some number of address verification probes?
 
@@ -12539,13 +12638,6 @@ Wish list:
 	Low: replace_sender/replace_recipient actions in access
 	maps?
 
-	Feature: need "soft-bounce before fall-back relay" for SOHO
-	type operations, so they can send direct mail without having
-	to route everything through a provider.
-
-	Med: disable header address rewriting after XCLIENT?
-	Introduce a better concept of original submission?
-
 	Low: configurable order of local(8) delivery methods.
 
 	Med: local and remote source port and IP address for smtpd
@@ -12595,8 +12687,6 @@ Wish list:
 
 	Low: configurable internal/system locking method.
 
-	Low: make sure CCARGS -I options come at the end.
-
 	Low: add INSTALL section for pre-existing Postfix systems.
 
 	Low: add INSTALL section for pre-existing RPM Postfixes.
@@ -12628,7 +12718,7 @@ Wish list:
 	Med: postsuper -r should do something with recipients in
 	bounce logfiles, to make sure the sender will be notified.
 	To be perfectly safe, no process other than the queue manager
-	should move a queue file from the active queue.
+	should move a queue file away from the active queue.
 
 	This could involve tagging a queue file, and use up another
 	permission bit.
diff --git a/postfix/README_FILES/ADDRESS_VERIFICATION_README b/postfix/README_FILES/ADDRESS_VERIFICATION_README
index 15679b7b0..5db4991d1 100644
--- a/postfix/README_FILES/ADDRESS_VERIFICATION_README
+++ b/postfix/README_FILES/ADDRESS_VERIFICATION_README
@@ -124,6 +124,10 @@ surprises. If a recipient probe fails, then Postfix rejects mail for the
 recipient address. If a recipient probe succeeds, then Postfix accepts mail for
 the recipient address.
 
+By default, address verification results are not saved. To avoid probing the
+same address repeatedly, you can store the result in a persistent database as
+described later.
+
     /etc/postfix/main.cf:
         smtpd_recipient_restrictions =
             permit_mynetworks
diff --git a/postfix/README_FILES/FILTER_README b/postfix/README_FILES/FILTER_README
index 3a70f3c2b..cace42a9e 100644
--- a/postfix/README_FILES/FILTER_README
+++ b/postfix/README_FILES/FILTER_README
@@ -330,6 +330,7 @@ the Postfix master.cf file:
         # =============================================================
         scan      unix  -       -       n       -       10      smtp
             -o smtp_send_xforward_command=yes
+            -o disable_mime_output_conversion=yes
 
   * This runs up to 10 content filters in parallel. Instead of a limit of 10
     concurrent processes, use whatever process limit is feasible for your
@@ -343,6 +344,13 @@ the Postfix master.cf file:
     real client name IP address. See smtp(8) and XFORWARD_README for more
     information.
 
+  * With "-o disable_mime_output_conversion=yes", the scan delivery agent will
+    not convert 8BITMIME mail to quoted-printable form while delivering to the
+    content filter, as that would invalidate domainkeys and other digital
+    signatures. This workaround is needed because some SMTP-based content
+    filters don't announce 8BITMIME support, even though they can handle it
+    just fine.
+
 AAddvvaanncceedd ccoonntteenntt ffiilltteerr:: rruunnnniinngg tthhee ccoonntteenntt ffiilltteerr
 
 The content filter can be set up with the Postfix spawn service, which is the
diff --git a/postfix/README_FILES/INSTALL b/postfix/README_FILES/INSTALL
index cbb05de87..295a0d8d9 100644
--- a/postfix/README_FILES/INSTALL
+++ b/postfix/README_FILES/INSTALL
@@ -95,7 +95,7 @@ At some point in time, a version of Postfix was supported on:
     OSF1.V3 - OSF1.V5 (Digital UNIX)
     Reliant UNIX 5.x
     Rhapsody 5.x
-    SunOS 4.1.4 (December 2005)
+    SunOS 4.1.4 (July 2006)
     SunOS 5.4 - 5.9 (Solaris 2.4..9)
     Ultrix 4.x (well, that was long ago)
 
diff --git a/postfix/README_FILES/MAILDROP_README b/postfix/README_FILES/MAILDROP_README
index ca8580847..2693f655a 100644
--- a/postfix/README_FILES/MAILDROP_README
+++ b/postfix/README_FILES/MAILDROP_README
@@ -66,14 +66,17 @@ Note: Do not use the postfix user as the maildrop user.
 
     /etc/postfix/master.cf:
         maildrop  unix  -       n       n       -       -       pipe
-          flags=DRhu user=vmail argv=/path/to/maildrop -d ${recipient}
+          flags=ODRhu user=vmail argv=/path/to/maildrop -d ${recipient}
+
+The pipe(8) manual page gives a detailed description of the above command line
+arguments, and more.
 
 If you want to support user+extension@domain style addresses, use the following
 instead:
 
     /etc/postfix/master.cf:
         maildrop  unix  -       n       n       -       -       pipe
-          flags=DRhu user=vmail argv=/path/to/maildrop
+          flags=ODRhu user=vmail argv=/path/to/maildrop
           -d ${user}@${nexthop} ${extension} ${recipient} ${user} ${nexthop}
 
 The mail is delivered to ${user}@${nexthop} (match key for maildrop userdb
diff --git a/postfix/README_FILES/MILTER_README b/postfix/README_FILES/MILTER_README
index 5a036a892..66356a095 100644
--- a/postfix/README_FILES/MILTER_README
+++ b/postfix/README_FILES/MILTER_README
@@ -12,12 +12,12 @@ FROM, etc.) as well as mail content. All this happens before mail is queued.
 The reason for adding Milter support to Postfix is that there exists a large
 collection of applications, not only to block unwanted mail, but also to verify
 authenticity (examples: SenderID+SPF and Domain keys) or to digitally sign mail
-(example: Domain keys). Having yet another MTA-specific version of all that
+(example: Domain keys). Having yet another Postfix-specific version of all that
 software is a poor use of human and system resources.
 
 Postfix 2.3 implements all the requests of Sendmail version 8 Milter protocols
 up to version 4, except one: message body replacement. See, however, the
-limitations section at the end of this document.
+workarounds and limitations sections at the end of this document.
 
 This document provides information on the following topics:
 
@@ -125,7 +125,11 @@ RRuunnnniinngg MMiilltteerr aapppplliiccaattiioonnss
 To run a Milter application, see the documentation of the filter for options. A
 typical command looks like this:
 
-    $ //ssoommee//wwhheerree//ddkk--ffiilltteerr --pp iinneett::ppoorrttnnuummbbeerr@@llooccaallhhoosstt ......ootthheerr ooppttiioonnss......
+    # //ssoommee//wwhheerree//ddkk--ffiilltteerr --uu uusseerriidd --pp iinneett::ppoorrttnnuummbbeerr@@llooccaallhhoosstt ......ootthheerr
+    ooppttiioonnss......
+
+Please specify a userid value that isn't used for other applications (not
+"postfix", not "www", etc.).
 
 CCoonnffiigguurriinngg PPoossttffiixx
 
@@ -152,6 +156,11 @@ mail from authorized SMTP clients. Mail that arrives via the Postfix smtpd(8)
 server is not filtered by the non-SMTP filters that are described in the next
 section.
 
+NOTE: Do not use the header_checks(5) IGNORE action to remove Postfix's own
+Received: message header. This causes problems with mail signing filters.
+Instead, keep Postfix's own Received: message header and use the header_checks
+(5) REPLACE action to sanitize information.
+
 You specify SMTP-only Milter applications (there can be more than one) with the
 smtpd_milters parameter. Each Milter application is identified by the name of
 its listening socket; other Milter configuration options will be discussed in
@@ -176,7 +185,7 @@ The general syntax for listening sockets is as follows:
         Connect to the specified TCP port on the specified local or remote
         host. The host and port can be specified in numeric or symbolic form.
 
-        Note: Postfix syntax differs from Milter syntax which has the form
+        NOTE: Postfix syntax differs from Milter syntax which has the form
         iinneett::port@@host.
 
 NNoonn--SSMMTTPP MMiilltteerr aapppplliiccaattiioonnss
@@ -188,6 +197,11 @@ unwanted mail, there are limitations as discussed later in this section. Mail
 that arrives via the Postfix smtpd(8) server is not filtered by the non-SMTP
 filters.
 
+NOTE: Do not use the header_checks(5) IGNORE action to remove Postfix's own
+Received: message header. This causes problems with mail signing filters.
+Instead, keep Postfix's own Received: message header and use the header_checks
+(5) REPLACE action to sanitize information.
+
 You specify non-SMTP Milter applications with the non_smtpd_milters parameter.
 This parameter uses the same syntax as the smtpd_milters parameter in the
 previous section. As with the SMTP-only filters, you can specify more than one
@@ -367,10 +381,19 @@ message).
 
 WWoorrkkaarroouunnddss
 
+Content filters may break domain key etc. signatures. If you use an SMTP-based
+filter as described in FILTER_README, then you should add a line to master.cf
+with "disable_mime_output_conversion = yes", as described in the advanced
+content filter example.
+
 Sendmail Milter applications were originally developed for the Sendmail version
 8 MTA, which has a different architecture than Postfix. The result is that some
 Milter applications make assumptions that aren't true in a Postfix environment.
 
+  * Some Milter applications use the "{if_addr}" macro to recognize local mail;
+    this macro does not exist in Postfix. Workaround: use the "{client_addr}"
+    macro instead.
+
   * Some Milter applications log a warning that looks like this:
 
         sid-filter[36540]: WARNING: sendmail symbol 'i' not available
@@ -380,12 +403,13 @@ Milter applications make assumptions that aren't true in a Postfix environment.
         X-SenderID: Sendmail Sender-ID Filter vx.y.z host.example.com <unknown-
         msgid>
 
-    This happens because the Milter application expects that the queue ID is
+    This happens because some Milter applications expect that the queue ID is
     known before the MTA accepts the MAIL FROM (sender) command. Postfix, on
-    the other hand, does not create a queue file until after Postfix accepts
-    the first valid RCPT TO (recipient) command. This queue file name must be
-    globally unique across multiple queue directories, so it cannot be chosen
-    until the file is actually created.
+    the other hand, does not choose a queue file name until after it accepts
+    the first valid RCPT TO (recipient) command. Postfix queue file names must
+    be unique across multiple directories, so the name can't be chosen before
+    the file is created. If multiple messages were to use the same queue ID
+    simultaneously, mail would be lost.
 
     To work around the ugly message header from Milter applications, we add a
     little code to the Milter source to look up the queue ID after Postfix
@@ -397,19 +421,27 @@ Milter applications make assumptions that aren't true in a Postfix environment.
       o Look up the mlfi_eom() function and add code near the top shown as bboolldd
         text below:
 
-        sic = (Context) smfi_getpriv(ctx);
-        assert(sic != NULL);
+        dfc = cc->cctx_msg;
+        assert(dfc != NULL);
 
-        //**
-        ****  DDeetteerrmmiinnee tthhee jjoobb IIDD ffoorr llooggggiinngg..
-        **//
-        iiff ((ssiicc-->>ccttxx__jjoobbiidd ==== 00 |||| ssttrrccmmpp((ssiicc-->>ccttxx__jjoobbiidd,, MMSSGGIIDDUUNNKKNNOOWWNN)) ==== 00)) {{
+        //** DDeetteerrmmiinnee tthhee jjoobb IIDD ffoorr llooggggiinngg.. **//
+        iiff ((ddffcc-->>mmccttxx__jjoobbiidd ==== 00 |||| ssttrrccmmpp((ddffcc-->>mmccttxx__jjoobbiidd,, JJOOBBIIDDUUNNKKNNOOWWNN)) ==== 00))
+        {{
                 cchhaarr **jjoobbiidd == ssmmffii__ggeettssyymmvvaall((ccttxx,, ""ii""));;
                 iiff ((jjoobbiidd !!== 00))
-                        ssiicc-->>ccttxx__jjoobbiidd == jjoobbiidd;;
+                        ddffcc-->>mmccttxx__jjoobbiidd == jjoobbiidd;;
         }}
 
-    This does not remove the WARNING message, however.
+        /* get hostname; used in the X header and in new MIME boundaries */
+
+    NOTES:
+
+      o Different mail filters use slightly different names for variables. If
+        the above code does not compile, look for the code at the start of the
+        mlfi_eoh() routine.
+
+      o This fixes only the ugly message header, but not the WARNING message.
+        Fortunately, dk-filter logs that message only once.
 
     With some Milter applications we can fix both the WARNING and the "unknown-
     msgid" by postponing the call of mlfi_eoh() (or whatever routine logs the
@@ -437,7 +469,7 @@ Milter applications make assumptions that aren't true in a Postfix environment.
 LLiimmiittaattiioonnss
 
 This section lists limitations of the Postfix Milter implementation. Some
-limitations will be removed disappear as support is extended over time. Of
+limitations will be removed as the implementation is extended over time. Of
 course the usual limitations of before-queue filtering will always apply. See
 the CONTENT_INSPECTION_README document for a discussion.
 
diff --git a/postfix/README_FILES/SASL_README b/postfix/README_FILES/SASL_README
index e3c8d7cbb..163ca0416 100644
--- a/postfix/README_FILES/SASL_README
+++ b/postfix/README_FILES/SASL_README
@@ -227,7 +227,8 @@ Note: some Cyrus SASL distributions look for the smtpd.conf file in /etc/sasl2.
     configuration can be set with:
 
         /etc/postfix/main.cf:
-            smtpd_sasl_application_name = smtpd
+            smtpd_sasl_application_name = smtpd (Postfix < 2.3)
+            smtpd_sasl_path = smtpd (Postfix 2.3 and later)
 
     The pwcheck daemon is contained in the cyrus-sasl source tarball.
 
@@ -453,7 +454,8 @@ CCrreeddiittss
     reject_authenticated_sender_login_mismatch and
     reject_unauthenticated_sender_login_mismatch, and revised the docs.
   * Wietse made another iteration through the code to add plug-in support for
-    multiple SASL implementations.
+    multiple SASL implementations, and changed smtpd_sasl_application_name into
+    smtpd_sasl_path.
   * The Dovecot SMTP server-only plug-in was originally implemented by Timo
     Sirainen of Procontrol, Finland.
 
diff --git a/postfix/README_FILES/SMTPD_POLICY_README b/postfix/README_FILES/SMTPD_POLICY_README
index efa61a323..6ce119b84 100644
--- a/postfix/README_FILES/SMTPD_POLICY_README
+++ b/postfix/README_FILES/SMTPD_POLICY_README
@@ -58,7 +58,7 @@ a delegated SMTPD access policy request:
     sasl_sender=
     size=12345
     ccert_subject=solaris9.porcupine.org
-    ccert_issuer=Wietse Venema
+    ccert_issuer=Wietse+20Venema
     ccert_fingerprint=C2:9D:F4:87:71:73:73:D9:18:E7:C2:F3:C1:DA:6E:04
     PPoossttffiixx vveerrssiioonn 22..33 aanndd llaatteerr::
     encryption_protocol=TLSv1/SSLv3
@@ -114,7 +114,9 @@ Notes:
 
   * The "ccert_*" attributes (Postfix 2.2 and later) specify information about
     how the client was authenticated via TLS. These attributes are empty in
-    case of no certificate authentication.
+    case of no certificate authentication. As of Postfix 2.2.11 these attribute
+    values are encoded as xtext: some characters are represented by +XX, where
+    XX is the two-digit hecadecimal representation of the character value.
 
   * The "encryption_*" attributes (Postfix 2.3 and later) specify information
     about how the connection is encrypted. With plaintext connections the
diff --git a/postfix/README_FILES/TLS_README b/postfix/README_FILES/TLS_README
index 868615078..a5353848a 100644
--- a/postfix/README_FILES/TLS_README
+++ b/postfix/README_FILES/TLS_README
@@ -146,9 +146,8 @@ clients will not, as a rule, fall back to plain text after a TLS handshake
 failure, the server will be unable to receive email from most TLS enabled
 clients. To avoid accidental configurations with no certificates, Postfix 2.3
 enables certificate-less operation only when the administrator explicitly sets
-"smtpd_tls_cert_file = none". This ensures that new Postfix configurations with
-just "smtpd_use_tls = yes" added, will not accidentally run with no
-certificates.
+"smtpd_tls_cert_file = none". This ensures that new Postfix configurations will
+not accidentally run with no certificates.
 
 Both RSA and DSA certificates are supported. Typically you will only have RSA
 certificates issued by a commercial CA. In addition, the tools supplied with
@@ -282,11 +281,16 @@ Example:
 EEnnaabblliinngg TTLLSS iinn tthhee PPoossttffiixx SSMMTTPP sseerrvveerr
 
 By default, TLS is disabled in the Postfix SMTP server, so no difference to
-plain Postfix is visible. Explicitly switch it on using "smtpd_use_tls = yes".
+plain Postfix is visible. Explicitly switch it on with
+"smtpd_tls_security_level = may" (Postfix 2.3 and later) or "smtpd_use_tls =
+yes" (obsolete but still supported).
 
 Example:
 
     /etc/postfix/main.cf:
+        # Postfix 2.3 and later
+        smtpd_tls_security_level = may
+        # Obsolete, but still supported
         smtpd_use_tls = yes
 
 With this, Postfix SMTP server announces STARTTLS support to SMTP clients, but
@@ -298,13 +302,17 @@ is intended behavior.
 
 You can ENFORCE the use of TLS, so that the Postfix SMTP server announces
 STARTTLS and accepts no mail without TLS encryption, by setting
-"smtpd_enforce_tls = yes". According to RFC 2487 this MUST NOT be applied in
-case of a publicly-referenced Postfix SMTP server. This option is off by
-default and should only seldom be used.
+"smtpd_tls_security_level = encrypt" (Postfix 2.3 and later) or
+"smtpd_enforce_tls = yes" (obsolete but still supported). According to RFC 2487
+this MUST NOT be applied in case of a publicly-referenced Postfix SMTP server.
+This option is off by default and should only seldom be used.
 
 Example:
 
     /etc/postfix/main.cf:
+        # Postfix 2.3 and later
+        smtpd_tls_security_level = encrypt
+        # Obsolete, but still supported
         smtpd_enforce_tls = yes
 
 TLS is sometimes used in the non-standard "wrapper" mode where a server always
@@ -343,8 +351,11 @@ server is configured to ask for client certificates.
 Example:
 
     /etc/postfix/main.cf:
-        smtpd_use_tls = yes
         smtpd_tls_ask_ccert = yes
+        # Postfix 2.3 and later
+        smtpd_tls_security_level = may
+        # Obsolete, but still supported
+        smtpd_use_tls = yes
 
 When TLS is enforced you may also decide to REQUIRE a remote SMTP client
 certificate for all TLS connections, by setting "smtpd_tls_req_ccert = yes".
@@ -354,8 +365,11 @@ This feature implies "smtpd_tls_ask_ccert = yes". When TLS is not enforced,
 Example:
 
     /etc/postfix/main.cf:
-        smtpd_enforce_tls = yes
         smtpd_tls_req_ccert = yes
+        # Postfix 2.3 and later
+        smtpd_tls_security_level = encrypt
+        # Obsolete, but still supported
+        smtpd_enforce_tls = yes
 
 A client certificate verification depth of 1 is sufficient if the certificate
 is directly issued by a CA listed in the CA file. The default value (5) should
@@ -370,12 +384,14 @@ Example:
 SSuuppppoorrttiinngg AAUUTTHH oovveerr TTLLSS oonnllyy
 
 Sending AUTH data over an unencrypted channel poses a security risk. When TLS
-layer encryption is required (smtpd_enforce_tls = yes), the Postfix SMTP server
-will announce and accept AUTH only after the TLS layer has been activated with
-STARTTLS. When TLS layer encryption is optional (smtpd_enforce_tls = no), it
-may however still be useful to only offer AUTH when TLS is active. To maintain
-compatibility with non-TLS clients, the default is to accept AUTH without
-encryption. In order to change this behavior, set "smtpd_tls_auth_only = yes".
+layer encryption is required ("smtpd_tls_security_level = encrypt" or the
+obsolete "smtpd_enforce_tls = yes"), the Postfix SMTP server will announce and
+accept AUTH only after the TLS layer has been activated with STARTTLS. When TLS
+layer encryption is optional ("smtpd_tls_security_level = may" or the obsolete
+"smtpd_enforce_tls = no"), it may however still be useful to only offer AUTH
+when TLS is active. To maintain compatibility with non-TLS clients, the default
+is to accept AUTH without encryption. In order to change this behavior, set
+"smtpd_tls_auth_only = yes".
 
 Example:
 
@@ -468,33 +484,42 @@ SSeerrvveerr--ssiiddee cciipphheerr ccoonnttrroollss
 
 The description below is for Postfix 2.3; for Postfix < 2.3 the
 smtpd_tls_cipherlist parameter specifies the acceptable ciphers as an explicit
-OpenSSL cipherlist.
+OpenSSL cipherlist. The obsolete setting applies even when TLS encryption is
+not enforced. Use of this control on public MX hosts is strongly discouraged.
+
+With mandatory TLS encryption, the Postfix SMTP server will by default only use
+SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. This is
+controlled by the smtpd_tls_mandatory_protocols configuration parameter.
 
 The Postfix SMTP server supports 5 distinct cipher security levels as specified
-by the smtpd_tls_ciphers configuration parameter. The default value is "export"
-which is the only one appropriate for public MX hosts. On private MX hosts or
-MSAs one can further restrict the OpenSSL cipherlist selection.
+by the smtpd_tls_mandatory_ciphers configuration parameter, which determines
+the cipher grade with mandatory TLS encryption. The default value is "medium"
+which is essentially 128-bit encryption or better. With opportunistic TLS
+encryption, the minimum accepted cipher grade is always "export".
 
 By default anonymous ciphers are allowed, and automatically disabled when
 client certificates are requested. If clients are expected to always verify the
 server certificate you may want to exclude anonymous ciphers by setting
-"smtpd_tls_exclude_ciphers = aNULL". One can't force a client to check the
-server certificate, so excluding anonymous ciphers is generally unnecessary.
+"smtpd_tls_mandatory_exclude_ciphers = aNULL". One can't force a client to
+check the server certificate, so excluding anonymous ciphers is generally
+unnecessary.
 
 For a server that is not a public Internet MX host, Postfix 2.3 supports
 configurations with no server certificates that use oonnllyy the anonymous ciphers.
 This is enabled by explicitly setting "smtpd_tls_cert_file = none" and not
 specifying an smtpd_tls_dcert_file.
 
-Example: (MSA that requires TLS with reasonably secure ciphers)
+Example: (MSA that requires TLS with high grade ciphers)
 
     /etc/postfix/main.cf:
-        smtpd_use_tls = yes
-        smtpd_enforce_tls = yes
         smtpd_tls_cert_file = /etc/postfix/cert.pem
         smtpd_tls_key_file = /etc/postfix/key.pem
-        smtpd_tls_ciphers = medium
-        smtpd_tls_exclude_ciphers = aNULL, MD5
+        smtpd_tls_mandatory_ciphers = high
+        smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
+        # Postfix 2.3 and later
+        smtpd_tls_security_level = encrypt
+        # Obsolete, but still supported
+        smtpd_enforce_tls = yes
 
 If you want to take advantage of ciphers with EDH, DH parameters are needed.
 Instead of using the built-in DH parameters for both 1024bit and 512bit, it is
@@ -852,7 +877,7 @@ grade or better ciphers are used.
 With Postfix 2.2 and earlier, or when smtp_tls_security_level is set to its
 default (backwards compatible) empty value, the appropriate configuration
 settings are "smtp_use_tls = yes" and "smtp_enforce_tls = no". For LMTP use the
-corresponding "lmtp" parameters.
+corresponding "lmtp_" parameters.
 
 With opportunistic TLS, mail delivery continues even if the server certificate
 is untrusted or bears the wrong name. Starting with Postfix 2.3, when the TLS
@@ -909,7 +934,7 @@ interoperability and security guidelines.
 With Postfix 2.2 and earlier, or when smtp_tls_security_level is set to its
 default (backwards compatible) empty value, the appropriate configuration
 settings are "smtp_enforce_tls = yes" and "smtp_tls_enforce_peername = no". For
-LMTP use the corresponding lmtp_ parameters.
+LMTP use the corresponding "lmtp_" parameters.
 
 Despite the potential for eliminating passive eavesdropping attacks, mandatory
 TLS encryption is not viable as a default security level for mail delivery to
@@ -993,18 +1018,18 @@ the new policy table instead.
 MMaannddaattoorryy sseerrvveerr cceerrttiiffiiccaattee vveerriiffiiccaattiioonn
 
 At the "verify" TLS security level, messages are sent only over TLS encrypted
-sessions for which server certificate verification succeeds. If no suitable
-servers are found, the message will be deferred. With Postfix 2.3 and later,
-mandatory server certificate verification can be configured by setting
-"smtp_tls_security_level = verify", the smtp_tls_verify_cert_match parameter
-can override the default "hostname" certificate match strategy. Fine-tuning the
-matching strategy is generally only appropriate for secure-channel
-destinations.
+sessions if the server certificate is valid (not expired or revoked, and signed
+by a trusted certificate authority) and if the server certificate name matches
+a known pattern. Mandatory server certificate verification can be configured by
+setting "smtp_tls_security_level = verify". The smtp_tls_verify_cert_match
+parameter can override the default "hostname" certificate name matching
+strategy. Fine-tuning the matching strategy is generally only appropriate for
+secure-channel destinations.
 
 With Postfix 2.2 and earlier, or when smtp_tls_security_level is set to its
 default (backwards compatible) empty value, the appropriate configuration
 settings are "smtp_enforce_tls = yes" and "smtp_tls_enforce_peername = yes".
-For LMTP use the corresponding lmtp_ parameters.
+For LMTP use the corresponding "lmtp_" parameters.
 
 If the server certificate chain is trusted (see smtp_tls_CAfile and
 smtp_tls_CApath), any DNS names in the SubjectAlternativeName certificate
@@ -1070,7 +1095,7 @@ With Postfix 2.2 and earlier, or when smtp_tls_security_level is set to its
 default (backwards compatible) empty value, the appropriate configuration
 settings are "smtp_enforce_tls = yes" and "smtp_tls_enforce_peername = yes"
 with additional settings to harden peer certificate verification against forged
-DNS data. For LMTP, use the corresponding lmtp_ parameters.
+DNS data. For LMTP, use the corresponding "lmtp_" parameters.
 
 If the server certificate chain is trusted (see smtp_tls_CAfile and
 smtp_tls_CApath), any DNS names in the SubjectAlternativeName certificate
@@ -1197,10 +1222,9 @@ configuration is repaired, encryption will be used.
 
 The new policy table is specified via the smtp_tls_policy_maps parameter. This
 lists optional lookup tables with the Postfix SMTP client TLS security policy
-by next-hop destination. It supersedes the obsolete smtp_tls_per_site
-parameter. When $smtp_tls_policy_maps is not empty, the smtp_tls_per_site
-parameter is ignored (a warning is written to the logs if it is also non-
-empty).
+by next-hop destination. When $smtp_tls_policy_maps is not empty, the obsolete
+smtp_tls_per_site parameter is ignored (a warning is written to the logs if
+both parameter values are non-empty).
 
 The TLS policy table is indexed by the full next-hop destination, which is
 either the recipient domain, or the verbatim next-hop specified in the
@@ -1230,27 +1254,39 @@ nnoonnee
 mmaayy
     Opportunistic TLS. No additional attributes are supported at this level.
 eennccrryypptt
-    Mandatory TLS encryption. At this level and higher the optional "ciphers"
-    attribute overrides the main.cf smtp_tls_mandatory_ciphers parameter and
-    the optional "protocols" keyword overrides the main.cf
-    smtp_tls_mandatory_protocols parameter. In the policy table, multiple
-    protocols must be separated by colons, as attribute values may not contain
-    whitespace or commas.
+    Mandatory TLS encryption. Mail is delivered only if remote SMTP server
+    offers STARTTLS and the TLS handshake succeeds. At this level and higher
+    the optional "ciphers" attribute overrides the main.cf
+    smtp_tls_mandatory_ciphers parameter and the optional "protocols" keyword
+    overrides the main.cf smtp_tls_mandatory_protocols parameter.
 vveerriiffyy
-    Mandatory server certificate verification. The optional "match" attribute
-    overrides the main.cf smtp_tls_verify_cert_match parameter. In the policy
-    table, multiple match patterns and strategies must be separated by colons.
+    Mandatory server certificate verification. Mail is delivered only if the
+    TLS handshake succeeds, if the server certificate can be validated (not
+    expired or revoked, and signed by a trusted certificate authority), and if
+    the server certificate name matches the optional "match" attribute (or the
+    main.cf smtp_tls_verify_cert_match parameter value when no optional "match"
+    attribute is specified).
 sseeccuurree
-    Secure-channel TLS. The optional "match" attribute overrides the main.cf
-    smtp_tls_secure_cert_match parameter. In the policy table, multiple match
-    patterns and strategies must be separated by colons. The match attribute is
-    useful when additional domains are supported by common server, the policy
-    entries for the additional domains specify matching rules for the primary
-    domain certificate. While transport table overrides routing secondary
-    domains to the primary nexthop also allow secure verification, they risk
-    delivery to the wrong destination when domains change hands or are re-
-    assigned to new gateways. With the "match" attribute approach, routing is
-    not perturbed, and mail is deferred if verification of a new MX host fails.
+    Secure-channel TLS. Mail is delivered only if the TLS handshake succeeds,
+    if the server certificate can be validated (not expired or revoked, and
+    signed by a trusted certificate authority), and if the server certificate
+    name matches the optional "match" attribute (or the main.cf
+    smtp_tls_secure_cert_match parameter value when no optional "match"
+    attribute is specified).
+Notes:
+
+  * The "match" attribute is especially useful to verify TLS certificates for
+    domains that are hosted on a shared server. In that case, specify "match"
+    rules for the shared server's name. While secure verification can also be
+    achieved with manual routing overrides in Postfix transport(5) tables, that
+    approach can deliver mail to the wrong host when domains are assigned to
+    new gateway hosts. The "match" attribute approach avoids the problems of
+    manual routing overrides; mail is deferred if verification of a new MX host
+    fails.
+
+  * When a policy table entry specifies multiple match patterns, multiple match
+    strategies, or multiple protocols, these must be separated by colons.
+
 Example:
 
     /etc/postfix/main.cf:
@@ -1337,8 +1373,8 @@ are allowed. On the right hand side specify one of the following keywords:
     MAY
         Opportunistic TLS. This has less precedence than a more specific result
         (including "NONE") from the alternate host or next-hop lookup key, and
-        has less precedence than the more specific global
-        "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername = yes".
+        has less precedence than the more specific global "smtp_enforce_tls =
+        yes" or "smtp_tls_enforce_peername = yes".
     MUST_NOPEERMATCH
         Mandatory TLS encryption. This overrides a less secure "NONE" or a less
         specific "MAY" lookup result from the alternate host or next-hop lookup
@@ -1469,9 +1505,9 @@ today's crypt-analytic methods. See smtp_tls_policy_maps for information on how
 to configure ciphers on a per-destination basis.
 
 By default anonymous ciphers are allowed, and automatically disabled when
-server certificates are verified. If you want to disable even at the "encrypt"
-security level, set "smtp_tls_mandatory_exclude_ciphers = aNULL", to disable
-anonymous ciphers even with opportunistic TLS, set
+server certificates are verified. If you want to disable anonymous ciphers even
+at the "encrypt" security level, set "smtp_tls_mandatory_exclude_ciphers =
+aNULL"; and to disable anonymous ciphers even with opportunistic TLS, set
 "smtp_tls_exclude_ciphers = aNULL". There is generally no need to take these
 measures. Anonymous ciphers save bandwidth and TLS session cache space, if
 certificates are ignored, there is little point in requesting them.
@@ -1663,18 +1699,22 @@ indicates a super-user shell.
     certificate and key incorrectly, you will be unable to send mail to sites
     that request client certificate, but don't require them from all clients.
 
-        smtp_tls_CAfile = /etc/postfix/cacert.pem
-        smtp_tls_session_cache_database =
-            btree:/var/spool/postfix/smtp_tls_session_cache
-        smtp_use_tls = yes
-        smtpd_tls_CAfile = /etc/postfix/cacert.pem
-        smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
-        smtpd_tls_key_file = /etc/postfix/FOO-key.pem
-        smtpd_tls_received_header = yes
-        smtpd_tls_session_cache_database =
-            btree:/var/spool/postfix/smtpd_tls_session_cache
-        smtpd_use_tls = yes
-        tls_random_source = dev:/dev/urandom
+        /etc/postfix/main.cf:
+            smtp_tls_CAfile = /etc/postfix/cacert.pem
+            smtp_tls_session_cache_database =
+        	btree:/var/spool/postfix/smtp_tls_session_cache
+            smtp_use_tls = yes
+            smtpd_tls_CAfile = /etc/postfix/cacert.pem
+            smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
+            smtpd_tls_key_file = /etc/postfix/FOO-key.pem
+            smtpd_tls_received_header = yes
+            smtpd_tls_session_cache_database =
+        	btree:/var/spool/postfix/smtpd_tls_session_cache
+            tls_random_source = dev:/dev/urandom
+            # Postfix 2.3 and later
+            smtpd_tls_security_level = may
+            # Obsolete, but still supported
+            smtpd_use_tls = yes
 
 RReeppoorrttiinngg pprroobblleemmss
 
diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES
index 7409e7650..4fd0e0b11 100644
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -1,754 +1,19 @@
-The stable Postfix release is called postfix-2.2.x where 2=major
-release number, 2=minor release number, x=patchlevel.  The stable
+The stable Postfix release is called postfix-2.3.x where 2=major
+release number, 3=minor release number, x=patchlevel.  The stable
 release never changes except for patches that address bugs or
 emergencies. Patches change the patchlevel and the release date.
 
 New features are developed in snapshot releases. These are called
-postfix-2.3-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+postfix-2.4-yyyymmdd where yyyymmdd is the release date (yyyy=year,
 mm=month, dd=day).  Patches are never issued for snapshot releases;
 instead, a new snapshot is released.
 
 The mail_release_date configuration parameter (format: yyyymmdd)
 specifies the release date of a stable release or snapshot release.
 
-Incompatibility with Postfix 2.1 and earlier
+Incompatibility with Postfix 2.2 and earlier
 ============================================
 
-If you upgrade from Postfix 2.1 or earlier, read RELEASE_NOTES-2.2
+If you upgrade from Postfix 2.2 or earlier, read RELEASE_NOTES-2.3
 before proceeding.
 
-Major changes with snapshot 20060626
-====================================
-
-Both the SMTP client and server can be configured without a client
-or server certificate. An SMTP server without certificate can use
-only anonymous ciphers, and will not interoperate with most clients.
-
-The SMTP server supports anonymous ciphers when client certificates
-are not requested or required, and the administrator has not excluded
-the "aNULL" OpenSSL cipher type.
-
-The SMTP client supports anonymous ciphers when no server certificate
-is required (notably Postfix 2.3 in "opportunistic" mode) and the
-administrator has not excluded the "aNULL" OpenSSL cipher type.
-
-Instead of cipher lists you can now specify cipher grades.  The
-smtp_tls_ciphers, lmtp_tls_ciphers and smtpd_tls_ciphers parameters
-specify one of "high", "medium", "low", "export" or "null". See the
-documentation for details.
-
-Incompatibility with Postfix snapshot 20060614
-==============================================
-
-The smtp_sasl_tls_verified_security_options feature is not yet
-complete, and will therefore not appear in the stable Postfix 2.3
-release.
-
-New smtp_tls_mandatory_protocols feature used for mandatory TLS
-destinations.  The default value is "SSLv3, TLSv1". SSLv2 is by
-default no longer used with mandatory TLS.
-
-The smtp_tls_cipherlist parameter only applies when TLS is mandatory,
-it is ignored for opportunistic TLS sessions.
-
-At (lmtp|smtp|smtpd)_tls_loglevel >= 2, Postfix now also logs TLS
-session cache activity. Use level 2 and higher for debugging only,
-use levels 0 or 1 as production settings.
-
-Major changes with snapshot 20060614
-====================================
-
-New design of the TLS policy interface (minimum security levels,
-cipher and protocol selection).
-
-New smtp_tls_security_level parameter obsoletes the unnecessarily
-complex smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername
-parameters. Use smtp_tls_security_level instead. The old parameters
-will be removed in a future Postfix release.
-
-New smtp_tls_policy_maps feature obsoletes smtp_tls_per_site, the
-old feature is only used when smtp_tls_policy_maps is not set.  Use
-smtp_tls_policy_maps instead. This also implements parent domain
-matching for destinations that are bare domains (without enclosing
-[] or optional :port suffix). One can now set TLS policy for a
-domain and all sub-domains.
-
-New smtpd_tls_protocols parameter complements the
-smtp_tls_mandatory_protocols parameter, only recommended for MSA
-configurations, not MX hosts.
-
-The unified SMTP/LMTP client now has complete sets of configuration
-parameters for each protocol.
-
-Incompatibility with snapshot 20060611
-======================================
-
-Postfix internal protocols have has changed. You need to "postfix
-reload" or restart Postfix, otherwise the cleanup server or delivery
-agents will log "unexpected attribute" warnings and mail will not
-be delivered.
-
-Incompatibility with snapshot 20060515
-======================================
-
-Milter support introduces a three new queue file record types. Queue
-files created with this Postfix version will be understood by older
-Postfix versions ONLY if Milter support is turned off, which is
-the default.
-
-Milter support introduces new logging event types: milter-reject,
-milter-discard and milter-hold, that identify actions from Milter
-applications. This may affect logfile processing software.
-
-Major changes with snapshot 20060515
-====================================
-
-Milter (mail filter) application support, compatible with Sendmail
-version 8. This allows you to run a large number of plug-ins to
-reject unwanted mail and to sign mail with, for example, domain
-keys. All Milter functions are implemented except replacing the
-message body, which will be added later. Milters are before-queue
-filters, so they don't change the queue ID.
-
-See the MILTER_README document for a discussion of how to use Milter
-support with Postfix.
-
-Incompatibility with snapshot 20060611
-======================================
-
-The PostgreSQL client was updated after the PostgreSQL developers
-made major database API changes in response to SQL injection problems.
-This breaks support for PGSQL versions prior to 8.1.4, 8.0.8, 7.4.13,
-and 7.3.15. Support for these requires major code changes which are
-not possible in the time that is left for completing the Postfix
-2.3 stable release.
-
-The SMTP server XCLIENT implementation has changed. The SMTP server
-now resets state to the initial server greeting stage, so that it
-can accurately simulate the effect of connection-level access
-restrictions.  Without this change, XCLIENT will not work at all
-with Milter applications.
-
-The SMTP server XCLIENT and XFORWARD commands now expect that
-attributes are xtext encoded (RFC 1891). For backwards compatibility
-they will accept unencoded attribute values. The XFORWARD client
-code in the SMTP client and in the SMTPD_PROXY client will always
-encode attribute values. This change will have effect only for
-malformed hostname and helo parameter values.
-
-For more details, see the XCLIENT_README and XFORWARD_README
-documents.
-
-Incompatibility with snapshot 20060207
-======================================
-
-The Postfix SMTP server no longer complains when TLS support is not
-compiled in, but permit_tls_clientcerts, permit_tls_all_clientcerts,
-or check_ccert_access are used. These features now are effectively
-ignored.  However, the reject_plaintext_session feature is not
-ignored and will reject mail.
-
-Incompatibility with snapshot 20060123
-======================================
-
-Postfix now preserves uppercase information while mapping addresses
-with canonical, virtual, relocated or generic maps; this happens
-even with $number substitutions in regular expression maps. However,
-the local(8) and virtual(8) delivery agents still fold addresses
-to lower case.
-
-By default, Postfix now folds the search string to lowercase only
-with tables that have fixed-case lookup fields such as btree:,
-hash:, dbm:, ldap:, or *sql:. The search string is no longer case
-folded with tables whose lookup fields can match both upper or lower
-case, such as regexp:, pcre:, or cidr:.
-
-For safety reasons, Postfix no longer allows $number substitution
-in regexp: or pcre: transport tables or per-sender relayhost tables.
-
-Major changes with snapshot 20060123
-====================================
-
-Postfix now does a better job at preserving upper/lower case
-information while transforming addresses.  The table lookup code
-was revised, and is now more careful about when it folds search
-strings to lower case.  As a side effect, Postfix now also does a
-better job at being case insensitive where it should, for example
-while searching per-host TLS policies or SASL passwords.
-
-Some obscure behavior was eliminated from the smtp_tls_per_site
-feature, without changes to the user interface. Some Postfix internals
-had to be re-structured in preparation for a more general TLS policy
-mechanism; this required that smtp_tls_per_site be re-implemented
-from scratch.
-
-Postfix 2.3 is expected to provide a new per-site TLS policy mechanism
-that eliminates DNS spoofing attacks more effectively; the legacy
-smtp_tls_per_site feature will be kept intact for a few releases
-so that sites can upgrade Postfix without being forced to use a
-different TLS policy mechanism.
-
-Incompatibility with snapshot 20060112
-======================================
-
-The queue manager delivery request protocol has changed. You must
-reload Postfix when upgrading. If you omit this step, delivery
-agents complain with "warning: unexpected attribute original_recipient"
-and mail will not be delivered.
-
-The Postfix SMTP/LMTP client by default no longer allows DNS CNAME
-records to override the server hostname that is used for logging,
-SASL password lookup, TLS policy selection and TLS server certificate
-verification. Specify "smtp_cname_overrides_servername = yes" to get
-the old behavior.
-
-Postfix DSN reports no longer make up their own surrogate SMTP
-replies for errors that were not reported by a remote SMTP server.
-
-Incompatibility with snapshot 20060103
-======================================
-
-The Postfix SMTP/LMTP client no longer defers mail when it receives
-a malformed SMTP server reply in a session with command pipelining.
-When helpful warnings are enabled, it will suggest that command
-pipelining be disabled for the affected destination.
-
-Major changes with snapshot 20051222
-====================================
-
-Dovecot SASL support (SMTP server only). Details can be found
-in the SASL_README document.
-
-You can now use "resolve_numeric_domain = yes" to stop Postfix
-from rejecting user@ipaddress as an invalid destination. It will
-deliver the mail to user@[ipaddress] instead.
-
-Incompatibility with snapshot 20051220
-======================================
-
-The Postfix-with-Cyrus-SASL build procedure has changed. You now
-need to specify -DUSE_CYRUS_SASL in addition to -DUSE_SASL_AUTH or
-else you end up without any Cyrus SASL support. The error messages
-are:
-
-    unsupported SASL server implementation: cyrus
-    unsupported SASL client implementation: cyrus
-
-Major changes with snapshot 20051220
-====================================
-
-Plug-in support for SASL authentication in the SMTP server and in
-the SMTP+LMTP client. With this, Postfix can support multiple SASL
-implementations without source code patches.  Some distributors may
-even make SASL support a run-time linking option, just like they
-do with Postfix lookup tables.
-
-Hints and tips for plug-in developers are in the xsasl/README file.
-
-For backwards compatibility the default plug-in type is Cyrus SASL,
-so everything should behave like it did before. Some error messages
-are slightly different, but these are generally improvements.
-
-The "postconf -a" command shows what plug-in implementations are
-available for the SMTP server, and "postconf -A" does the same for
-the SMTP+LMTP client.  Plug-in implementations are selected with
-the smtpd_sasl_type, smtp_sasl_type and lmtp_sasl_type configuration
-parameters.
-
-Other new configuration parameters are smtpd_sasl_path, smtp_sasl_path
-and lmtp_sasl_path. These are better left alone; they are introduced
-for the convenience of other SASL implementations.
-
-Incompatibility with snapshot 20051208
-======================================
-
-The fallback_relay feature is renamed to smtp_fallback_relay, to
-make clear that the combined SMTP+LMTP client uses this setting
-only for SMTP deliveries. The old name still works.
-
-The LMTP client now reports the server as "myhostname[/path/name]".
-With the real server hostname in delivery status reports, the
-information will be more useful.
-
-Major changes with snapshot 20051208
-====================================
-
-The SMTP client now implements the LMTP protocol.  Most but not all
-smtp_xxx parameters have an lmtp_xxx "ghost" parameter.  This means
-there are lot of new LMTP features, including support for TLS and
-for the shared connection cache. There are no lmtp_xxx "ghost"
-parameters for the HELO or EHLO commands, because those commands
-exist only in SMTP.
-
-Incompatibility with snapshot 20051202
-======================================
-
-The Postfix SMTP daemon will not receive mail from the network if
-it isn't running with postfix mail_owner privileges.  This prevents
-surprises when, for example, "sendmail -bs" is configured to run
-as root from xinetd.
-
-Incompatibility with snapshot 20051125
-======================================
-
-You MUST stop and restart Postfix, because the address resolver
-protocol has changed. If you don't stop and restart Postfix, you
-will have an endless stream of warning messages with "problem talking
-to service rewrite: Unknown error: 0" and "warning: unexpected
-attribute address in input from rewrite socket".
-
-Major changes with snapshot 20051125
-====================================
-
-This snapshot adds support for sender-dependent ISP accounts.
-
-- Sender-dependent smarthost lookup tables.  The maps are searched
-  with the sender address and with the sender @domain.  The result
-  overrides the global relayhost setting, but otherwise has identical
-  behavior. See the postconf(5) manual page for more details.
-
-  Example:
-    /etc/postfix/main.cf:
-	sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
-
-- Sender-dependent SASL authentication support. This disables SMTP
-  connection caching to ensure that mail from different senders
-  will use the correct authentication credentials. The SMTP SASL
-  password file is first searched by sender address, and then by
-  the remote domain and hostname as usual.
-
-  Example:
-    /etc/postfix/main.cf:
-	smtp_sasl_auth_enable = yes
-	smtp_sender_dependent_authentication = yes
-	smtp_sasl_password_maps = hash:/etc/postfix/sasl_pass
-
-Incompatibility with snapshot 20051121
-======================================
-
-For compatibility reasons, the permit_mx_backup feature will accept
-mail for authorized destinations (see permit_mx_backup for definition).
-Only with other destinations will it require that the local MTA is
-listed as non-primary MX.
-
-Incompatibility with snapshot 20051120
-======================================
-
-The permit_mx_backup feature now requires that the local MTA is not
-listed as primary MX host for the recipient domain. This prevents
-mail loop problems when someone points the primary MX record at
-Postfix.
-
-Major changes with snapshot 20051113
-====================================
-
-Configurable bounce messages, based on a format that was developed
-by Nicolas Riendeau. The file with templates is specified with the
-bounce_template_file parameter. Details are in the bounce(5) manual
-page, and examples of the built-in templates can be found in a file
-bounce.cf.default in the Postfix configuration directory. The
-template for the default bounce message looks like this:
-
-    failure_template = <<EOF
-    Charset: us-ascii
-    From: MAILER-DAEMON (Mail Delivery System)
-    Subject: Undelivered Mail Returned to Sender
-    Postmaster-Subject: Postmaster Copy: Undelivered Mail
-
-    This is the $mail_name program at host $myhostname.
-
-    I'm sorry to have to inform you that your message could not
-    be delivered to one or more recipients. It's attached below.
-
-    For further assistance, please send mail to <postmaster>
-
-    If you do so, please include this problem report. You can
-    delete your own text from the attached returned message.
-
-                            The $mail_name program
-    EOF
-
-Incompatibility with snapshot 20051106
-======================================
-
-The relay=... logging has changed and now includes the remote SMTP
-server port number as hostname[hostaddr]:port.
-
-Incompatibility with snapshot 20051105
-======================================
-
-qshape needs to be updated. See the file qshape-microsecond-patch.
-
-All delay logging now has sub-second resolution, including the
-over-all "delay=nnn" logging.
-
-At this point the Postfix logging for a recipient looks like this:
-
-    Nov  3 16:04:31 myname postfix/smtp[30840]: 19B6B2900FE:
-    to=<wietse@test.example.com>, orig_to=<wietse@test>,
-    relay=mail.example.com[1.2.3.4], conn_use=2, delay=0.22,
-    delays=0.04/0.01/0.05/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok)
-
-
-Incompatibility with snapshot 20051103
-======================================
-
-pflogsumm needs to be updated. See the pflogsumm-conn-delays-dsn-patch
-file.
-
-The queue manager protocol has changed. You need to "postfix reload"
-after "make upgrade".
-
-The logging of recipient status information has changed.  This may
-require changes to logfile processing tools.
-
-- Postfix now logs an additional attribute with detailed delay
-information (delays=a/b/c/d) as described below.
-
-- Postfix now logs an additional attribute with the connection reuse
-count (conn_use=nnn) as described below.
-
-Major changes with snapshot 20051103
-====================================
-
-This release makes a beginning with a series of new attributes in
-Postfix logfile records. 
-
-- Better insight into the nature of performance bottle necks, with
-detailed logging of delays in various stages of message delivery.
-Postfix logs additional delay information as "delays=a/b/c/d" where
-a=time before queue manager, including message transmission; b=time
-in queue manager; c=connection setup time including DNS, HELO and
-TLS; d=message transmission time.
-
-- Logging of the connection reuse count when SMTP connections are
-used for more than one message delivery.  This information is needed
-because Postfix can now reuse connections hundreds of times or more,
-and can help to diagnose interoperability problems with servers
-that suffer from memory leaks or other resource leaks.
-
-At this point the Postfix logging for a recipient looks like this:
-
-    Nov  3 16:04:31 myname postfix/smtp[30840]: 19B6B2900FE:
-    to=<wietse@test.example.com>, orig_to=<wietse@test>,
-    relay=mail.example.com[1.2.3.4], conn_use=2, delay=0,
-    delays=0/0.01/0.05/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok)
-
-The following two logfile fields may or may not be present:
-
-    orig_to     This is omitted when the address did not change.
-    conn_use    This is omitted when a connection is used once.
-
-Incompatibility with snapshot 20051026
-======================================
-
-The connection cache protocol for SMTP connections has changed.
-You need to "postfix reload" after "make upgrade".
-
-The smtp_connection_cache_reuse_limit parameter (which limits the
-number of deliveries per SMTP connection) is replaced by the new
-smtp_connection_reuse_time_limit parameter (the time after which a
-connection is no longer stored into the connection cache).
-
-Major changes with snapshot 20051026
-====================================
-
-This snapshot addresses a performance stability problem with remote
-SMTP servers. The problem is not specific to Postfix: it can happen
-when any MTA sends large amounts of SMTP email to a site that has
-multiple MX hosts. The insight that led to the solution, as well
-as an initial implementation, are due to Victor Duchovni.
-
-The problem starts when one of a set of MX hosts becomes slower
-than the rest.  Even though SMTP clients connect to fast and slow
-MX hosts with equal probability, the slow MX host ends up with more
-simultaneous inbound connections than the faster MX hosts, because
-the slow MX host needs more time to serve each client request.
-
-The slow MX host becomes a connection attractor.  If one MX host
-becomes N times slower than the rest, it dominates mail delivery
-latency unless there are more than N fast MX hosts to counter the
-effect. And if the number of MX hosts is smaller than N, the mail
-delivery latency becomes effectively that of the slowest MX host
-divided by the total number of MX hosts.
-
-The solution uses connection caching in a way that differs from
-Postfix 2.2.  By limiting the amount of time during which a connection
-can be used repeatedly (instead of limiting the number of deliveries
-over that connection), Postfix not only restores fairness in the
-distribution of simultaneous connections across a set of MX hosts,
-it also favors deliveries over connections that perform well, which
-is exactly what we want.
-
-The smtp_connection_reuse_time_limit feature implements the connection
-reuse time limit as discussed above.  It limits the amount of time
-after which an SMTP connection is no longer stored into the connection
-cache. The default limit, 300s, can result in a huge number of
-deliveries over a single connection.
-
-This solution will be complete when Postfix logging is updated to
-include information about the number of times that a connection was
-used. This information is needed to diagnose inter-operability
-problems with servers that exhibit bugs when they receive multiple
-messages over the same connection.
-
-Incompatibility with snapshot 20051011
-======================================
-
-The Postfix local(8) delivery agent no longer updates its idea of
-the Delivered-To: address while it expands aliases or .forward
-files. With deeply nested aliases or .forward files, this can greatly
-reduce the number of queue files and cleanup process instances. To
-get the earlier behavior, specify "frozen_delivered_to = no".
-
-The frozen_delivered_to feature can help to alleviate a long-standing
-problem with multiple deliveries to recipients that are listed
-multiple times in a hierarchy of nested aliases. For this to work,
-only the top-level alias should have an owner- alias, and none of
-the subordinate aliases.
-
-Major changes with snapshot 20051011
-====================================
-
-Optional protection against SMTP clients that hammer the server
-with too many new (i.e. uncached) SMTP-over-TLS sessions. Cached
-sessions are much less expensive in terms of CPU cycles. Use the
-smtpd_client_new_tls_session_rate_limit parameter to specify a limit
-that is at least the inbound client concurrency limit, or else you
-may deny legitimate service requests.
-
-Optional suppression of remote SMTP client hostname lookup and
-hostname verification. Specify "smtpd_peername_lookup = no" to
-eliminate DNS lookup latencies, but do so only under extreme
-conditions, as it makes Postfix logging less informative.
-
-Incompatibility with snapshot 20050828
-======================================
-
-When a header/body_checks or message_reject_characters rule rejects
-mail that was submitted with the Postfix sendmail command (or
-re-queued with "postsuper -r"), the returned message is now limited
-to just the message headers, to avoid the risk of exposure to harmful
-content in the message body or attachments.
-
-When the cleanup server rejects the content or size of mail that
-was submitted with the Postfix sendmail command, forwarded with the
-local(8) delivery agent, or that was re-queued with "postsuper -r",
-Postfix no longer sends DSN SUCCESS notification of virtual alias
-expansions. Since all the recipients are reported as failed, the
-SUCCESS notification seems redundant.
-
-Major changes with snapshot 20050828
-====================================
-
-Configurable filters to reject or remove unwanted characters in
-email content. The message_reject_characters and message_strip_characters
-parameters understand the usual C-like escape sequences: \a \b \f
-\n \r \t \v \ddd (up to three octal digits) and \\.
-
-Incompatibility with snapshot 20050726
-======================================
-
-Name server replies that contain a malformed hostname are now flagged
-as permanent errors instead of transient errors. This change works
-around a questionable proposal to use syntactically invalid hostnames
-in MX records.
-
-Major changes with snapshot 20050724
-====================================
-
-SMTPD Access control based on the existence of an address->name
-mapping, with reject_unknown_reverse_client_hostname. There is
-no corresponding access table lookup feature, because the name
-is not validated in any way (except that it has proper syntax).
-
-Several confusing SMTPD access restrictions were renamed:
-
-    reject_unknown_client -> reject_unknown_client_hostname,
-    reject_unknown_hostname -> reject_unknown_helo_hostname,
-    reject_invalid_hostname -> reject_invalid_helo_hostname,
-    reject_non_fqdn_hostname -> reject_non_fqdn_helo_hostname.
-
-The old names are still recognized and documented.
-
-Incompatibility with snapshot 20050716
-======================================
-
-Internal interfaces have changed; this may break third-party patches
-because the text of function argument and result type definitions
-has changed.  The type of buffer lengths and offsets were changed
-from "(unsigned) int" (32 bit on 32-bit and LP64 systems) to
-"(s)size_t" (64 bit on LP64 systems, 32 bit on 32-bit systems).
-
-Otherwise, this change makes no difference on 32-bit systems. On
-LP64 systems, however, software may mis-behave 1) when Postfix is
-linked with pre-compiled code that was compiled with old Postfix
-interface definitions and 2) when compiling Postfix source that was
-modified by a third-party patch: incorrect code may be generated
-when the patch passes the wrong integer argument type in contexts
-that disable automatic argument type conversions.  Examples of such
-contexts are formatting with printf-like arguments, and invoking
-functions that write Postfix request or reply attributes across
-inter-process communication channels.  Unfortunately, gcc does not
-report "(unsigned) int" versus "(s)size_t" format string argument
-mis-matches on 32-bit systems; they can be found only on 64-bit
-systems.
-
-Major changes with snapshot 20050716
-====================================
-
-Improved portability to LP64 systems, by converting the type of
-buffer lengths and offsets from "(unsigned) int" to "(s)size_t".
-This change has zero effect on 32-bit systems. On LP64 platforms,
-however, this change not only eliminates some obscure portability
-bugs, it also eliminates unnecessary conversions between 32/64 bit
-integer types, because many system library routines take "(s)size_t"
-arguments or return "(s)size_t" values.
-
-Incompatibility with snapshot 20050707
-======================================
-
-The connection cache protocol is changed. You may need to "postfix
-reload" after upgrading.
-
-Incompatibility with snapshot 20050627
-======================================
-
-The Postfix SMTP client no longer applies the smtp_mx_session_limit
-to non-permanent errors during the TCP, SMTP, HELO or TLS handshake.
-Previous versions did that only with TCP and SMTP handshake errors.
-
-Incompatibility with snapshot 20050622
-======================================
-
-The Postfix SMTP client by default limits the number of MX server
-addresses to smtp_mx_address_limit=5. Previously this limit was
-disabled by default. The new limit prevents Postfix from spending
-lots of time trying to connect to lots of bogus MX servers.
-
-The Postfix SMTP error handling of [45]XX server greetings was
-cleaned up. The server reply is now properly reported.
-
-Incompatibility with snapshot 20050615
-======================================
-
-Many internal protocols have changed. You must reload Postfix or
-else the queue manager and delivery agents will complain about
-unexpected request and reply attributes.
-
-The new DSN support conflicts with VERP support. For Sendmail
-compatibility, Postfix now uses the sendmail -V command line option
-for DSN.  In order to request VERP style delivery, you must now
-specify -XV instead of -V.  The Postfix sendmail command will
-recognize if you try to use -V for VERP-style delivery.  It will
-do the right thing and will remind you of the new syntax.
-
-The queue file format is backwards compatible (again) with Postfix
-2.2. Postfix 2.3 stores attributes that older versions will ignore.
-
-Major changes with snapshot 20050615
-====================================
-
-DSN support as described in RFC 3461 .. RFC 3464. This gives senders
-control over successful and failed delivery notifications.  DSN
-involves extra parameters to the SMTP MAIL FROM and RCPT TO commands,
-as well as extra Postfix sendmail command line options that provide
-a sub-set of the functions of those extra SMTP command parameters.
-
-See DSN_README for details. Some implementation notes are in
-DSN_NOTES, in the top-level source code directory.
-
-Major changes with snapshot 20050510
-====================================
-
-This release improves usability of enhanced status codes in Postfix
-access tables, RBL reply templates and in transport maps that use
-the error(8) delivery agent.
-
-- When the SMTP server rejects a sender address, it transforms a
-  recipient DSN status (e.g., 4.1.1-4.1.6) into the corresponding
-  sender DSN status, and vice versa.
-
-- When the SMTP server rejects non-address information (such as the
-  HELO command parameter or the client hostname/address), it
-  transforms a sender or recipient DSN status into a generic
-  non-address DSN status (e.g., 4.0.0).
-
-These transformations are needed when the same access table or RBL
-reply template are used for client, helo, sender, or recipient
-restrictions; or when the same error(8) mailer information is used
-for both senders and recipients.
-
-Incompatibility with snapshot 20050503
-======================================
-
-The format of some "warning:" messages in the maillog has changed
-so that they are easier to sort:
-
-- The logging now talks about "access table", instead of using three
-different expressions "access table", "access map" and "SMTPD access
-map" for the same thing.
-
-- "non-SMTP command" is now logged BEFORE the client name/address
-and the offending client input, instead of at the end.
-
-Major change with snapshot 20050427+DSN
-=======================================
-
-This is experimental DSN support added to snapshot 20050427.  The
-code is not for production purposes; it is not fully tested, some
-names and interfaces are still rough around the edges, and it does
-not update the oqmgr so you have to use qmgr instead.  Some
-implementation notes and open issues are described in the
-DSN_SUPPORT_README file (top-level directory).
-
-Incompatibility with snapshot 20050329
-======================================
-
-If you use TLS, you need to execute "postfix reload" because the
-TLS manager protocol has changed.
-
-Incompatibility with snapshot 20050328
-======================================
-
-The logging format has changed. Postfix delivery agents now log the
-RFC 3463 enhanced status code as "dsn=x.y.z" where y and z can be
-up to three digits each. See the file pfloggsum-dsn-patch for an
-update to the pfloggsum script.
-
-After you upgrade from Postfix 2.2 or 2.3 you need to execute
-"postfix reload", otherwise you will keep running the old Postfix
-queue manager, which gives no special treatment to the enhanced
-status codes that it receives from Postfix delivery agents.
-
-Major changes with snapshot 20050328
-====================================
-
-This release introduces support for RFC 3463 enhanced status codes.
-For example, status code 5.1.1 means "recipient unknown". Postfix
-recognizes enhanced status codes in remote server replies, generates
-enhanced status codes while handling email, and reports enhanced
-status codes in non-delivery notifications.  This improves the user
-interaction with mail clients that hide the text of error messages
-from users.
-
-You can, but don't have to, specify RFC 3463 enhanced status codes
-in the output from commands that receive mail from a pipe. If a
-command terminates with non-zero exit status, and an enhanced status
-code is present at the beginning of the command output, then that
-status code takes precedence over the non-zero exit status.
-
-You can, but don't have to, specify RFC 3463 enhanced status codes
-in Postfix access maps, header/body_checks REJECT actions, or in
-RBL replies.  For example:
-
-    REJECT 5.7.1 You can't go here from there
-
-The status 5.7.1 means "no authorization, message refused", and is
-the default for access maps, header/body_checks REJECT actions, and
-for RBL replies.
-
-If you specify your own enhanced status code, the Postfix SMTP
-server will automatically change a leading '5' digit (hard error)
-into '4' where appropriate.  This is needed, for example, with
-soft_bounce=yes.
diff --git a/postfix/RELEASE_NOTES_2.3 b/postfix/RELEASE_NOTES_2.3
new file mode 100644
index 000000000..a1ac8c040
--- /dev/null
+++ b/postfix/RELEASE_NOTES_2.3
@@ -0,0 +1,761 @@
+The stable Postfix release is called postfix-2.3.x where 2=major
+release number, 3=minor release number, x=patchlevel.  The stable
+release never changes except for patches that address bugs or
+emergencies. Patches change the patchlevel and the release date.
+
+New features are developed in snapshot releases. These are called
+postfix-2.4-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day).  Patches are never issued for snapshot releases;
+instead, a new snapshot is released.
+
+The mail_release_date configuration parameter (format: yyyymmdd)
+specifies the release date of a stable release or snapshot release.
+
+Critical notes
+--------------
+
+See RELEASE_NOTES_2.2 if you upgrade from Postfix 2.1 or earlier.
+
+Some Postfix internal protocols have changed.  You need to "postfix
+reload" or restart Postfix, otherwise many servers will log warning
+messages like "unexpected attribute xxx" or "problem talking to
+service yyy", and mail will not be delivered.
+
+The Sendmail-compatible Milter support introduces three new queue
+file record types. As long as you leave this feature turned off,
+you can still go back to Postfix version 2.2 without losing mail
+that was received by Postfix 2.3.
+
+Major changes - DNS lookups
+---------------------------
+
+[Incompat 20050726] Name server replies that contain a malformed
+hostname are now flagged as permanent errors instead of transient
+errors. This change works around a questionable proposal to use
+syntactically invalid hostnames in MX records.
+
+Major changes - DSN
+-------------------
+
+[Feature 20050615] DSN support as described in RFC 3461 .. RFC 3464.
+This gives senders control over successful and failed delivery
+notifications.  DSN involves extra parameters to the SMTP "MAIL
+FROM" and "RCPT TO" commands, as well as extra Postfix sendmail
+command line options for mail submission.
+
+See DSN_README for details. Some implementation notes can be found
+in implementation-notes/DSN.
+
+[Incompat 20050615] The new DSN support conflicts with VERP support.
+For Sendmail compatibility, Postfix now uses the sendmail -V command
+line option for DSN.  To request VERP style delivery, you must now
+specify -XV instead of -V.  The Postfix sendmail command will
+recognize if you try to use -V for VERP-style delivery.  It will
+usually do the right thing, and remind you of the new syntax.
+
+[Incompat 20050828] Postfix no longer sends DSN SUCCESS notification
+after virtual alias expansions when the cleanup server rejects the
+content or size of mail that was submitted with the Postfix sendmail
+command, mail that was forwarded with the local(8) delivery agent,
+or mail that was re-queued with "postsuper -r". Since all the
+recipients are reported as failed, the SUCCESS notification seems
+redundant.
+
+Major changes - LMTP client
+---------------------------
+
+See the "SASL authentication" and "TLS" sections for changes related
+to SASL authentication and TLS support, respectively.
+
+[Feature 20051208] The SMTP client now implements the LMTP protocol.
+Most but not all smtp_xxx parameters now have an lmtp_xxx equivalent.
+This means there are lot of new LMTP features, including support
+for TLS and for the shared connection cache. See the "SMTP client"
+section for details.
+
+[Incompat 20051208] The LMTP client now reports the server as
+"myhostname[/path/name]".  With the real server hostname in delivery
+status reports, the information will be more useful.
+
+Major changes - Milter support
+------------------------------
+
+[Feature 20060515] Milter (mail filter) application support,
+compatible with Sendmail version 8.13.6 and earlier. This allows
+you to run a large number of plug-ins to reject unwanted mail, and
+to sign mail with for example domain keys. All Milter functions are
+implemented except replacing the message body, which will be added
+later. Milters are before-queue filters, so they don't change the
+queue ID.
+
+See the MILTER_README document for a discussion of how to use Milter
+support with Postfix, and limitations of the current implementation.
+
+The Sendmail-compatible Milter support introduces three new queue
+file record types. As long as you leave this feature turned off,
+you can still go back to Postfix version 2.2 without losing mail
+that was received by Postfix 2.3.
+
+[Incompat 20060515] Milter support introduces new logfile event
+types: milter-reject, milter-discard and milter-hold, that identify
+actions from Milter applications. This may affect logfile processing
+software.
+
+Major changes - SASL authentication
+-----------------------------------
+
+[Feature 20051220] Plug-in support for SASL authentication in the
+SMTP server and in the SMTP/LMTP client. With this, Postfix can
+support multiple SASL implementations without source code patches.
+Some distributors may even make SASL support a run-time linking
+option, just like they already do with Postfix lookup tables.
+
+Hints and tips for plug-in developers are in the xsasl/README file.
+
+For backwards compatibility the default plug-in type is Cyrus SASL,
+so everything should behave like it did before. Some error messages
+are slightly different, but these are generally improvements.
+
+The "postconf -a" command shows what plug-in implementations are
+available for the SMTP server, and "postconf -A" does the same for
+the SMTP/LMTP client.  Plug-in implementations are selected with
+the smtpd_sasl_type, smtp_sasl_type and lmtp_sasl_type configuration
+parameters.
+
+Other new configuration parameters are smtpd_sasl_path, smtp_sasl_path
+and lmtp_sasl_path. These are better left alone; they are introduced
+for the convenience of other SASL implementations.
+
+[Feature 20051222] Dovecot SASL support (SMTP server only). Details
+can be found in the SASL_README document.
+
+[Incompat 20051220] The Postfix-with-Cyrus-SASL build procedure has
+changed. You now need to specify -DUSE_CYRUS_SASL in addition to
+-DUSE_SASL_AUTH or else you end up without any Cyrus SASL support.
+The error messages are:
+
+    unsupported SASL server implementation: cyrus
+    unsupported SASL client implementation: cyrus
+
+[Feature 20051125] This snapshot adds support for sender-dependent
+ISP accounts.
+
+- Sender-dependent smarthost lookup tables.  The maps are searched
+  with the sender address and with the sender @domain.  The result
+  overrides the global relayhost setting, but otherwise has identical
+  behavior. See the postconf(5) manual page for more details.
+
+  Example:
+    /etc/postfix/main.cf:
+	sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
+
+- Sender-dependent SASL authentication support. This disables SMTP
+  connection caching to ensure that mail from different senders
+  will use the correct authentication credentials. The SMTP SASL
+  password file is first searched by sender address, and then by
+  the remote domain and hostname as usual.
+
+  Example:
+    /etc/postfix/main.cf:
+	smtp_sasl_auth_enable = yes
+	smtp_sender_dependent_authentication = yes
+	smtp_sasl_password_maps = hash:/etc/postfix/sasl_pass
+
+[Incompat 20060707] The SMTP/LMTP client now defers delivery when
+a SASL password exists but the server does not announce support for
+SASL authentication.  This can happen with servers that announce
+SASL support only when TLS is turned on.  When an opportunistic TLS
+handshake fails, Postfix >= 2.3 retries delivery in plaintext, and
+the remote server rejects mail from the unauthenticated client.
+Specify "smtp_sasl_auth_enforce = no" to deliver mail anyway.
+
+Major changes - SMTP client
+---------------------------
+
+See the "SASL authentication" and "TLS" sections for changes related
+to SASL authentication and TLS support, respectively.
+
+[Feature 20051208] The SMTP client now implements the LMTP protocol.
+Most but not all smtp_xxx parameters now have an lmtp_xxx equivalent.
+This means there are lot of new LMTP features, including support
+for TLS and for the shared connection cache.
+
+[Incompat 20060112] The Postfix SMTP/LMTP client by default no
+longer allows DNS CNAME records to override the server hostname
+that is used for logging, SASL password lookup, TLS policy selection
+and TLS server certificate verification. Specify
+"smtp_cname_overrides_servername = yes" to get the old behavior.
+
+[Incompat 20060103] The Postfix SMTP/LMTP client no longer defers
+mail delivery when it receives a malformed SMTP server reply in a
+session with command pipelining.  When helpful warnings are enabled,
+it will suggest that command pipelining be disabled for the affected
+destination.
+
+[Incompat 20051208] The fallback_relay feature is renamed to
+smtp_fallback_relay, to make clear that the combined SMTP/LMTP
+client uses this setting only for SMTP deliveries. The old name
+still works.
+
+[Incompat 20051106] The relay=... logging has changed and now
+includes the remote SMTP server port number as hostname[hostaddr]:port.
+
+[Incompat 20051026] The smtp_connection_cache_reuse_limit parameter
+(which limits the number of deliveries per SMTP connection) is
+replaced by the new smtp_connection_reuse_time_limit parameter (the
+time after which a connection is no longer stored into the connection
+cache).
+
+[Feature 20051026] This snapshot addresses a performance stability
+problem with remote SMTP servers. The problem is not specific to
+Postfix: it can happen when any MTA sends large amounts of SMTP
+email to a site that has multiple MX hosts. The insight that led
+to the solution, as well as an initial implementation, are due to
+Victor Duchovni.
+
+The problem starts when one of a set of MX hosts becomes slower
+than the rest.  Even though SMTP clients connect to fast and slow
+MX hosts with equal probability, the slow MX host ends up with more
+simultaneous inbound connections than the faster MX hosts, because
+the slow MX host needs more time to serve each client request.
+
+The slow MX host becomes a connection attractor.  If one MX host
+becomes N times slower than the rest, it dominates mail delivery
+latency unless there are more than N fast MX hosts to counter the
+effect. And if the number of MX hosts is smaller than N, the mail
+delivery latency becomes effectively that of the slowest MX host
+divided by the total number of MX hosts.
+
+The solution uses connection caching in a way that differs from
+Postfix 2.2.  By limiting the amount of time during which a connection
+can be used repeatedly (instead of limiting the number of deliveries
+over that connection), Postfix not only restores fairness in the
+distribution of simultaneous connections across a set of MX hosts,
+it also favors deliveries over connections that perform well, which
+is exactly what we want.
+
+The smtp_connection_reuse_time_limit feature implements the connection
+reuse time limit as discussed above.  It limits the amount of time
+after which an SMTP connection is no longer stored into the connection
+cache. The default limit, 300s, can result in a huge number of
+deliveries over a single connection.
+
+This solution will be complete when Postfix logging is updated to
+include information about the number of times that a connection was
+used. This information is needed to diagnose inter-operability
+problems with servers that exhibit bugs when they receive multiple
+messages over the same connection.
+
+[Incompat 20050627] The Postfix SMTP client no longer applies the
+smtp_mx_session_limit to non-permanent errors during the TCP, SMTP,
+HELO or TLS handshake.  Previous versions did that only with TCP
+and SMTP handshake errors.
+
+[Incompat 20050622] The Postfix SMTP client by default limits the
+number of MX server addresses to smtp_mx_address_limit=5. Previously
+this limit was disabled by default. The new limit prevents Postfix
+from spending lots of time trying to connect to lots of bogus MX
+servers.
+
+Major changes - SMTP server
+---------------------------
+
+See the "SASL authentication" and "TLS" sections for changes related
+to SASL authentication and TLS support, respectively.
+
+[Feature 20051222] To accept the non-compliant user@ipaddress form,
+specify "resolve_numeric_domain = yes".  Postfix will deliver the
+mail to user@[ipaddress] instead.
+
+[Incompat 20051202] The Postfix SMTP server now refuses to receive
+mail from the network if it isn't running with postfix mail_owner
+privileges.  This prevents surprises when, for example, "sendmail
+-bs" is configured to run as root from xinetd.
+
+[Incompat 20051121] Although the permit_mx_backup feature still
+accepts mail for authorized destinations (see permit_mx_backup for
+definition), with all other destinations it now requires that the
+local MTA is listed as non-primary MX server. This prevents mail
+loop problems when someone points their primary MX record at a
+Postfix system.
+
+[Feature 20051011] Optional suppression of remote SMTP client
+hostname lookup and hostname verification. Specify "smtpd_peername_lookup
+= no" to eliminate DNS lookup latencies, but do so only under extreme
+conditions, as it makes Postfix logging less informative.
+
+[Feature 20050724] SMTPD Access control based on the existence of
+an address->name mapping, with reject_unknown_reverse_client_hostname.
+There is no corresponding access table lookup feature, because the
+name is not validated in any way (except that it has proper syntax).
+
+Several confusing SMTPD access restrictions were renamed:
+
+    reject_unknown_client -> reject_unknown_client_hostname,
+    reject_unknown_hostname -> reject_unknown_helo_hostname,
+    reject_invalid_hostname -> reject_invalid_helo_hostname,
+    reject_non_fqdn_hostname -> reject_non_fqdn_helo_hostname.
+
+The old names are still recognized and documented.
+
+Major changes - TLS
+-------------------
+
+Major revisions were made to Postfix TLS support; see TLS_README
+for the details. For backwards compatibility, the old TLS policy
+user interface will be kept intact for a few releases so that sites
+can upgrade Postfix without being forced to use a different TLS
+policy mechanism.
+
+[Feature 20060614] New concept: TLS security levels ("none", "may",
+"encrypt", "verify" or "secure") in the Postfix SMTP client.  You
+can specify the TLS security level via the smtp_tls_security_level
+parameter.  This is more convenient than controlling TLS with the
+multiple smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername,
+parameters.
+
+[Feature 20060709] TLS security levels ("none", "may", "encrypt")
+in the Postfix SMTP server. You specify the security level with the
+smtpd_tls_security_level parameter. This overrides the multiple
+smtpd_use_tls and smtpd_enforce_tls parameters.  When one of the
+unimplemented "verify" or "secure" levels is specified, the Postfix
+SMTP server logs a warning and uses "encrypt" instead.
+
+[Feature 20060123] A new per-site TLS policy mechanism for the
+Postfix SMTP client that supports the new TLS security levels,
+and that eliminates DNS spoofing attacks more effectively.
+
+[Feature 20060626] Both the Postfix SMTP client and server can be
+configured without a client or server certificate. An SMTP server
+without certificate can use only anonymous ciphers, and will not
+inter-operate with most clients.
+
+The Postfix SMTP server supports anonymous ciphers when 1) no client
+certificates are requested or required, and 2) the administrator
+has not excluded the "aNULL" OpenSSL cipher type with the
+smtpd_tls_exclude_ciphers parameter.
+
+The Postfix SMTP client supports anonymous ciphers when 1) no server
+certificate is required and 2) the administrator has not excluded
+the "aNULL" OpenSSL cipher type with the smtp_tls_exclude_ciphers
+parameter.
+
+[Incompat 20060707] The SMTPD policy client now encodes the
+ccert_subject and ccert_issuer attributes as xtext. Some characters
+are represented by +XX, where XX is the two-digit hexadecimal
+representation of the character value.
+
+[Feature 20060614] The smtpd_tls_protocols parameter restricts the
+list of TLS protocols supported by the SMTP server.  This is
+recommended for use with MSA configurations only.  It should not
+be used with MX hosts that receive mail from the Internet, as it
+reduces inter-operability.
+
+[Incompat 20060614] The smtp_tls_cipherlist parameter only applies
+when TLS is mandatory.  It is ignored with opportunistic TLS sessions.
+
+[Incompat 20060614] At (lmtp|smtp|smtpd)_tls_loglevel >= 2, Postfix
+now also logs TLS session cache activity. Use level 2 and higher
+for debugging only; use levels 0 or 1 as production settings.
+
+[Incompat 20060207] The Postfix SMTP server no longer complains
+when TLS support is not compiled in while permit_tls_clientcerts,
+permit_tls_all_clientcerts, or check_ccert_access are specified in
+main.cf. These features now are effectively ignored.  However, the
+reject_plaintext_session feature is not ignored and will reject
+plain-text mail.
+
+[Feature 20060123] Some obscure behavior was eliminated from the
+smtp_tls_per_site feature, without changes to the user interface.
+Some Postfix internals had to be re-structured for the new TLS
+policy mechanism; for this, smtp_tls_per_site had to be re-implemented.
+The obscure behavior was found during compatibility testing.
+
+[Feature 20051011] Optional protection against SMTP clients that
+hammer the server with too many new (i.e. uncached) SMTP-over-TLS
+sessions. Cached sessions are much less expensive in terms of CPU
+cycles. Use the smtpd_client_new_tls_session_rate_limit parameter
+to specify a limit that is at least the inbound client concurrency
+limit, or else you may deny legitimate service requests.
+
+Major changes - VERP
+--------------------
+
+[Incompat 20050615] The new DSN support conflicts with VERP support.
+For Sendmail compatibility, Postfix now uses the sendmail -V command
+line option for DSN.  In order to request VERP style delivery, you
+must now specify -XV instead of -V.  The Postfix sendmail command
+will recognize if you try to use -V for VERP-style delivery.  It
+will do the right thing and will remind you of the new syntax.
+
+Major changes - XCLIENT and XFORWARD
+------------------------------------
+
+[Incompat 20060611] The SMTP server XCLIENT implementation has
+changed. The SMTP server now resets state to the initial server
+greeting stage, immediately before the EHLO/HELO greeting.  This
+was needed to correctly simulate the effect of connection-level
+access restrictions.  Without this change, XCLIENT would not work
+at all with Milter applications.
+
+[Incompat 20060611] The SMTP server XCLIENT and XFORWARD commands
+now expect that attributes are xtext encoded (RFC 1891). For backwards
+compatibility they will also accept unencoded attribute values. The
+XFORWARD client code in the SMTP client and in the SMTPD_PROXY
+client now always encode attribute values. This change will have a
+visible effect only for malformed hostname and helo parameter values.
+
+For more details, see the XCLIENT_README and XFORWARD_README
+documents.
+
+Major changes - address manipulation
+------------------------------------
+
+[Incompat 20060123] Postfix now preserves uppercase information
+while mapping addresses with canonical, virtual, relocated or generic
+maps; this happens even with $number substitutions in regular
+expression maps. However, the local(8) and virtual(8) delivery
+agents still fold addresses to lower case.
+
+As a side effect, Postfix now also does a better job at being case
+insensitive where it should be, for example while searching per-host
+TLS policies or SASL passwords.
+
+By default, Postfix now folds the search string to lowercase only
+with tables that have fixed-case lookup fields such as btree:,
+hash:, dbm:, ldap:, or *sql:. The search string is no longer case
+folded with tables whose lookup fields can match both upper or lower
+case, such as regexp:, pcre:, or cidr:.
+
+For safety reasons, Postfix no longer allows $number substitution
+in regexp: or pcre: transport tables or per-sender relayhost tables.
+
+Major changes - bounce message templates
+----------------------------------------
+
+[Feature 20051113] Configurable bounce messages, based on a format
+that was developed by Nicolas Riendeau. The file with templates is
+specified with the bounce_template_file parameter. Details are in
+the bounce(5) manual page, and examples of the built-in templates
+can be found in $config_directory/bounce.cf.default. The template
+for the default bounce message looks like this:
+
+    failure_template = <<EOF
+    Charset: us-ascii
+    From: MAILER-DAEMON (Mail Delivery System)
+    Subject: Undelivered Mail Returned to Sender
+    Postmaster-Subject: Postmaster Copy: Undelivered Mail
+
+    This is the $mail_name program at host $myhostname.
+
+    I'm sorry to have to inform you that your message could not
+    be delivered to one or more recipients. It's attached below.
+
+    For further assistance, please send mail to <postmaster>
+
+    If you do so, please include this problem report. You can
+    delete your own text from the attached returned message.
+
+                            The $mail_name program
+    EOF
+
+Major changes - built-in filters
+--------------------------------
+
+[Feature 20050828] Configurable filters to reject or remove unwanted
+characters in email content. The message_reject_characters and
+message_strip_characters parameters understand the usual C-like
+escape sequences: \a \b \f \n \r \t \v \ddd (up to three octal
+digits) and \\.
+
+[Incompat 20050828] When a header/body_checks rule or when
+message_reject_characters rejects mail that was submitted with the
+Postfix sendmail command (or re-queued with "postsuper -r"), the
+returned message is now limited to just the message headers, to
+avoid the risk of exposure to harmful content in the message body
+or attachments.
+
+Major changes - database support
+--------------------------------
+
+[Incompat 20060611] The PostgreSQL client was updated after the
+PostgreSQL developers made major database API changes in response
+to SQL injection problems.  This breaks support for PGSQL versions
+prior to 8.1.4, 8.0.8, 7.4.13, and 7.3.15. Support for these requires
+major code changes which are not possible in the time that is left
+for completing the Postfix 2.3 stable release.
+
+Major changes - enhanced status codes
+-------------------------------------
+
+[Feature 20050328] This release introduces support for RFC 3463
+enhanced status codes.  For example, status code 5.1.1 means
+"recipient unknown". Postfix recognizes enhanced status codes in
+remote server replies, generates enhanced status codes while handling
+email, and reports enhanced status codes in non-delivery notifications.
+This improves the user experience with mail clients that translate
+enhanced status codes into text in the user's own language.
+
+You can, but don't have to, specify RFC 3463 enhanced status codes
+in the output from commands that receive mail from a pipe. If a
+command terminates with non-zero exit status, and an enhanced status
+code is present at the beginning of the command output, then that
+status code takes precedence over the non-zero exit status.
+
+You can, but don't have to, specify RFC 3463 enhanced status codes
+in Postfix access maps, header/body_checks REJECT actions, or in
+RBL replies.  For example:
+
+    REJECT 5.7.1 You can't go here from there
+
+The status 5.7.1 means "no authorization, message refused", and is
+the default for access maps, header/body_checks REJECT actions, and
+for RBL replies.
+
+[Feature 20050328] If you specify your own enhanced status code,
+the Postfix SMTP server will automatically change a leading '5'
+digit (hard error) into '4' where appropriate.  This is needed, for
+example, with soft_bounce=yes.
+
+[Feature 20050510] This release improves usability of enhanced
+status codes in Postfix access tables, RBL reply templates and in
+transport maps that use the error(8) delivery agent.
+
+- When the SMTP server rejects a sender address, it transforms a
+  recipient DSN status (e.g., 4.1.1-4.1.6) into the corresponding
+  sender DSN status, and vice versa.
+
+- When the SMTP server rejects non-address information (such as the
+  HELO command parameter or the client hostname/address), it
+  transforms a sender or recipient DSN status into a generic
+  non-address DSN status (e.g., 4.0.0).
+
+These transformations are needed when the same access table or RBL
+reply template are used for client, helo, sender, or recipient
+restrictions; or when the same error(8) mailer information is used
+for both senders and recipients.
+
+Major changes - local alias expansion
+-------------------------------------
+
+[Incompat 20051011] The Postfix local(8) delivery agent no longer
+updates its idea of the Delivered-To: address while it expands
+aliases or .forward files. With deeply nested aliases or .forward
+files, this can greatly reduce the number of queue files and cleanup
+process instances. To get the earlier behavior, specify
+"frozen_delivered_to = no".
+
+The frozen_delivered_to feature can help to alleviate a long-standing
+problem with multiple deliveries to recipients that are listed
+multiple times in a hierarchy of nested aliases. For this to work,
+only the top-level alias should have an owner- alias, and none of
+the subordinate aliases.
+
+Major changes - logging
+-----------------------
+
+[Incompat 20060515] Milter support introduces new logfile event
+types: milter-reject, milter-discard and milter-hold, that identify
+actions from Milter applications. This may affect logfile processing
+software.
+
+[Incompat 20051106] The relay=... logging has changed and now
+includes the remote SMTP server port number as hostname[hostaddr]:port.
+
+[Incompat 20060112] The Postfix SMTP/LMTP client by default no
+longer allows DNS CNAME records to override the server hostname
+that is used for logging, SASL password lookup, TLS policy selection
+and TLS server certificate verification. Specify
+"smtp_cname_overrides_servername = yes" to get the old behavior.
+
+[Incompat 20051105] All delay logging now has sub-second resolution,
+including the over-all "delay=nnn" logging.  A patch is available
+for pflogsumm (pflogsumm-conn-delays-dsn-patch). The qshape script
+has been updated (auxiliary/qshape/qshape.pl).
+
+[Feature 20051103] This release makes a beginning with a series of
+new attributes in Postfix logfile records.
+
+- Better insight into the nature of performance bottle necks, with
+  detailed logging of delays in various stages of message delivery.
+  Postfix logs additional delay information as "delays=a/b/c/d"
+  where a=time before queue manager, including message transmission;
+  b=time in queue manager; c=connection setup time including DNS,
+  HELO and TLS; d=message transmission time.
+
+- Logging of the connection reuse count when SMTP connections are
+  used for more than one message delivery.  This information is
+  needed because Postfix can now reuse connections hundreds of times
+  or more. Logging of the connection reuse count can help to diagnose
+  inter-operability problems with servers that suffer from memory
+  leaks or other resource leaks.
+
+At this point the Postfix logging for a recipient looks like this:
+
+    Nov  3 16:04:31 myname postfix/smtp[30840]: 19B6B2900FE:
+    to=<wietse@test.example.com>, orig_to=<wietse@test>,
+    relay=mail.example.com[1.2.3.4], conn_use=2, delay=0,
+    delays=0/0.01/0.05/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok)
+
+The following two logfile fields may or may not be present:
+
+    orig_to     This is omitted when the address did not change.
+    conn_use    This is omitted when a connection is used once.
+
+[Incompat 20050503] The format of some "warning:" messages in the
+maillog has changed so that they are easier to sort:
+
+- The logging now talks about "access table", instead of using three
+  different expressions "access table", "access map" and "SMTPD
+  access map" for the same thing.
+
+- "non-SMTP command" is now logged BEFORE the client name/address
+  and the offending client input, instead of at the end.
+
+[Incompat 20050328] The logging format has changed. Postfix delivery
+agents now log the RFC 3463 enhanced status code as "dsn=x.y.z"
+where y and z can be up to three digits each.
+
+[Incompat 20051208] The LMTP client now reports the server as
+"myhostname[/path/name]".  With the real server hostname in delivery
+status reports, the information will be more useful.
+
+Major changes - performance
+---------------------------
+
+[Incompat 20051105] All delay logging now has sub-second resolution,
+including the over-all "delay=nnn" logging.  A patch is available
+for pflogsumm (pflogsumm-conn-delays-dsn-patch). The qshape script
+has been updated (auxiliary/qshape/qshape.pl).
+
+[Incompat 20050622] The Postfix SMTP client by default limits the
+number of MX server addresses to smtp_mx_address_limit=5. Previously
+this limit was disabled by default. The new limit prevents Postfix
+from spending lots of time trying to connect to lots of bogus MX
+servers.
+
+[Feature 20051026] This snapshot addresses a performance stability
+problem with remote SMTP servers. The problem is not specific to
+Postfix: it can happen when any MTA sends large amounts of SMTP
+email to a site that has multiple MX hosts. The insight that led
+to the solution, as well as an initial implementation, are due to
+Victor Duchovni.
+
+The problem starts when one of a set of MX hosts becomes slower
+than the rest.  Even though SMTP clients connect to fast and slow
+MX hosts with equal probability, the slow MX host ends up with more
+simultaneous inbound connections than the faster MX hosts, because
+the slow MX host needs more time to serve each client request.
+
+The slow MX host becomes a connection attractor.  If one MX host
+becomes N times slower than the rest, it dominates mail delivery
+latency unless there are more than N fast MX hosts to counter the
+effect. And if the number of MX hosts is smaller than N, the mail
+delivery latency becomes effectively that of the slowest MX host
+divided by the total number of MX hosts.
+
+The solution uses connection caching in a way that differs from
+Postfix 2.2.  By limiting the amount of time during which a connection
+can be used repeatedly (instead of limiting the number of deliveries
+over that connection), Postfix not only restores fairness in the
+distribution of simultaneous connections across a set of MX hosts,
+it also favors deliveries over connections that perform well, which
+is exactly what we want.
+
+The smtp_connection_reuse_time_limit feature implements the connection
+reuse time limit as discussed above.  It limits the amount of time
+after which an SMTP connection is no longer stored into the connection
+cache. The default limit, 300s, can result in a huge number of
+deliveries over a single connection.
+
+This solution will be complete when Postfix logging is updated to
+include information about the number of times that a connection was
+used. This information is needed to diagnose inter-operability
+problems with servers that exhibit bugs when they receive multiple
+messages over the same connection.
+
+[Feature 20051011] Optional protection against SMTP clients that
+hammer the server with too many new (i.e. uncached) SMTP-over-TLS
+sessions. Cached sessions are much less expensive in terms of CPU
+cycles. Use the smtpd_client_new_tls_session_rate_limit parameter
+to specify a limit that is at least the inbound client concurrency
+limit, or else you may deny legitimate service requests.
+
+[Feature 20051011] Optional suppression of remote SMTP client
+hostname lookup and hostname verification. Specify "smtpd_peername_lookup
+= no" to eliminate DNS lookup latencies, but do so only under extreme
+conditions, as it makes Postfix logging less informative.
+
+Major changes - portability
+---------------------------
+
+[Incompat 20050716] Internal interfaces have changed; this may break
+third-party patches because the types of function arguments and of
+result values have changed.  The types of buffer lengths and offsets
+were changed from "int" or "unsigned int" (32 bit on 32-bit and
+LP64 systems) to "ssize_t" or "size_t" (64 bit on LP64 systems, 32
+bit on 32-bit systems).
+
+This change makes no difference in Postfix behavior on 32-bit
+systems. On LP64 systems, however, this change not only eliminates
+some obscure portability bugs, it also eliminates unnecessary
+conversions between 32/64 bit integer types, because many system
+library routines take "(s)size_t" arguments or return "(s)size_t"
+values.
+
+This change may break software on LP64 systems 1) when Postfix is
+linked with pre-compiled code that was compiled with old Postfix
+interface definitions and 2) when compiling Postfix source that was
+modified by a third-party patch: incorrect code will be generated
+when the patch passes the wrong integer argument type in contexts
+that disable automatic argument type conversions.  Examples of such
+contexts are formatting with printf-like arguments, and invoking
+functions that write Postfix request or reply attributes across
+inter-process communication channels.  Unfortunately, gcc reports
+"(unsigned) int" versus "(s)size_t" format string argument mis-matches
+only on LP64 systems.
+
+Major changes - safety
+----------------------
+
+[Incompat 20051121] Although the permit_mx_backup feature still
+accepts mail for authorized destinations (see permit_mx_backup for
+definition), with all other destinations it now requires that the
+local MTA is listed as non-primary MX. This prevents mail loop
+problems when someone points the primary MX record at a Postfix
+system.
+
+[Incompat 20051011] The Postfix local(8) delivery agent no longer
+updates its idea of the Delivered-To: address while it expands
+aliases or .forward files. With deeply nested aliases or .forward
+files, this can greatly reduce the number of queue files and cleanup
+process instances. To get the earlier behavior, specify
+"frozen_delivered_to = no".
+
+The frozen_delivered_to feature can help to alleviate a long-standing
+problem with multiple deliveries to recipients that are listed
+multiple times in a hierarchy of nested aliases. For this to work,
+only the top-level alias should have an owner- alias, and none of
+the subordinate aliases.
+
+[Incompat 20050828] When a header/body_checks rule or when
+message_reject_characters rejects mail that was submitted with the
+Postfix sendmail command (or re-queued with "postsuper -r"), the
+returned message is now limited to just the message headers, to
+avoid the risk of exposure to harmful content in the message body
+or attachments.
+
+[Incompat 20051202] The Postfix SMTP server now refuses to receive
+mail from the network if it isn't running with postfix mail_owner
+privileges.  This prevents surprises when, for example, "sendmail
+-bs" is configured to run as root from xinetd.
+
+[Incompat 20060123] For safety reasons, Postfix no longer allows
+$number substitution in regexp: or pcre: transport tables or
+per-sender relayhost tables.
+
+[Incompat 20060112] The Postfix SMTP/LMTP client by default no
+longer allows DNS CNAME records to override the server hostname
+that is used for logging, SASL password lookup, TLS policy selection
+and TLS server certificate verification. Specify
+"smtp_cname_overrides_servername = yes" to get the old behavior.
diff --git a/postfix/conf/access b/postfix/conf/access
index 975bf7c16..633f4d03b 100644
--- a/postfix/conf/access
+++ b/postfix/conf/access
@@ -355,7 +355,7 @@
 #        lookups are directed to a TCP-based server. For a descrip-
 #        tion of the TCP client/server lookup protocol, see tcp_ta-
 #        ble(5).  This feature is not available up to and including
-#        Postfix version 2.2.
+#        Postfix version 2.3.
 # 
 #        Each  lookup  operation uses the entire query string once.
 #        Depending on the application, that  string  is  an  entire
diff --git a/postfix/conf/canonical b/postfix/conf/canonical
index 3ae946aaf..1dc739589 100644
--- a/postfix/conf/canonical
+++ b/postfix/conf/canonical
@@ -156,7 +156,7 @@
 #        lookups are directed to a TCP-based server. For a descrip-
 #        tion of the TCP client/server lookup protocol, see tcp_ta-
 #        ble(5).  This feature is not available up to and including
-#        Postfix version 2.2.
+#        Postfix version 2.3.
 # 
 #        Each lookup operation uses the entire address once.  Thus,
 #        user@domain  mail  addresses  are not broken up into their
diff --git a/postfix/conf/generic b/postfix/conf/generic
index 3d5c616c1..232e7b058 100644
--- a/postfix/conf/generic
+++ b/postfix/conf/generic
@@ -136,7 +136,7 @@
 #        lookups are directed to a TCP-based server. For a descrip-
 #        tion of the TCP client/server lookup protocol, see tcp_ta-
 #        ble(5).  This feature is not available up to and including
-#        Postfix version 2.2.
+#        Postfix version 2.3.
 # 
 #        Each lookup operation uses the entire address once.  Thus,
 #        user@domain  mail  addresses  are not broken up into their
diff --git a/postfix/conf/relocated b/postfix/conf/relocated
index 468dd4dc6..ba018e5bc 100644
--- a/postfix/conf/relocated
+++ b/postfix/conf/relocated
@@ -85,7 +85,7 @@
 #        regexp_table(5) or pcre_table(5). For a description of the
 #        TCP client/server table lookup protocol, see tcp_table(5).
 #        This feature is not available up to and including  Postfix
-#        version 2.2.
+#        version 2.3.
 # 
 #        Each  pattern  is  a regular expression that is applied to
 #        the entire address being looked up. Thus, user@domain mail
@@ -106,7 +106,7 @@
 #        lookups are directed to a TCP-based server. For a descrip-
 #        tion of the TCP client/server lookup protocol, see tcp_ta-
 #        ble(5).  This feature is not available up to and including
-#        Postfix version 2.2.
+#        Postfix version 2.3.
 # 
 #        Each lookup operation uses the entire address once.  Thus,
 #        user@domain mail addresses are not broken  up  into  their
diff --git a/postfix/conf/transport b/postfix/conf/transport
index e83b52a09..da6e0ef40 100644
--- a/postfix/conf/transport
+++ b/postfix/conf/transport
@@ -237,7 +237,7 @@
 #        lookups are directed to a TCP-based server. For a descrip-
 #        tion of the TCP client/server lookup protocol, see tcp_ta-
 #        ble(5).  This feature is not available up to and including
-#        Postfix version 2.2.
+#        Postfix version 2.3.
 # 
 #        Each  lookup  operation  uses the entire recipient address
 #        once.  Thus, some.domain.hierarchy is not  looked  up  via
diff --git a/postfix/conf/virtual b/postfix/conf/virtual
index 1790f062a..64e2a26fa 100644
--- a/postfix/conf/virtual
+++ b/postfix/conf/virtual
@@ -203,7 +203,7 @@
 #        lookups are directed to a TCP-based server. For a descrip-
 #        tion of the TCP client/server lookup protocol, see tcp_ta-
 #        ble(5).  This feature is not available up to and including
-#        Postfix version 2.2.
+#        Postfix version 2.3.
 # 
 #        Each lookup operation uses the entire address once.  Thus,
 #        user@domain  mail  addresses  are not broken up into their
diff --git a/postfix/html/ADDRESS_VERIFICATION_README.html b/postfix/html/ADDRESS_VERIFICATION_README.html
index 364dea607..7f6ab85ca 100644
--- a/postfix/html/ADDRESS_VERIFICATION_README.html
+++ b/postfix/html/ADDRESS_VERIFICATION_README.html
@@ -230,6 +230,10 @@ and there are no surprises. If a recipient probe fails, then Postfix
 rejects mail for the recipient address.  If a recipient probe
 succeeds, then Postfix accepts mail for the recipient address. </p>
 
+<p> By default, address verification results are not saved. To avoid
+probing the same address repeatedly, you can store the result in a
+<a href="#caching">persistent database</a> as described later.  </p>
+
 <blockquote>
 <pre>
 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
diff --git a/postfix/html/FILTER_README.html b/postfix/html/FILTER_README.html
index 10c8f2c26..01d08b6d7 100644
--- a/postfix/html/FILTER_README.html
+++ b/postfix/html/FILTER_README.html
@@ -615,6 +615,7 @@ how one would set up the service in the Postfix <a href="master.5.html">master.c
     # =============================================================
     scan      unix  -       -       n       -       10      smtp
         -o <a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a>=yes
+        -o <a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a>=yes
 </pre>
 </blockquote>
 
@@ -633,6 +634,13 @@ after-filter smtpd process, so that filtered mail is logged with
 the real client name IP address. See <a href="smtp.8.html">smtp(8)</a> and <a href="XFORWARD_README.html">XFORWARD_README</a>
 for more information. </p>
 
+<li> <p> With "-o <a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a>=yes", the scan
+delivery agent will not convert 8BITMIME mail to quoted-printable
+form while delivering to the content filter, as that would invalidate
+domainkeys and other digital signatures.  This workaround is needed
+because some SMTP-based content filters don't announce 8BITMIME
+support, even though they can handle it just fine.  </p>
+
 </ul>
 
 <h3>Advanced content filter: running the content filter</h3>
diff --git a/postfix/html/INSTALL.html b/postfix/html/INSTALL.html
index 267d0dd6f..d5f03a4e3 100644
--- a/postfix/html/INSTALL.html
+++ b/postfix/html/INSTALL.html
@@ -156,7 +156,7 @@ OPENSTEP 4.x <br>
 OSF1.V3 - OSF1.V5 (Digital UNIX) <br>
 Reliant UNIX 5.x <br>
 Rhapsody 5.x <br>
-SunOS 4.1.4 (December 2005) <br>
+SunOS 4.1.4 (July 2006) <br>
 SunOS 5.4 - 5.9 (Solaris 2.4..9) <br>
 Ultrix 4.x (well, that was long ago) <br>
 </p>
@@ -478,13 +478,13 @@ one of the following commands as the super-user:</p>
 <ul>
 
 <li> <p> The non-interactive version ("make upgrade") needs the
-/etc/postfix/main.cf file from a previous installation. If the file
+/etc/postfix/<a href="postconf.5.html">main.cf</a> file from a previous installation. If the file
 does not exist, use interactive installation ("make install")
 instead. </p>
 
 <li> <p> The interactive version offers suggestions for pathnames
 that you can override interactively, and stores your preferences
-in /etc/postfix/main.cf for convenient future upgrades. </p>
+in /etc/postfix/<a href="postconf.5.html">main.cf</a> for convenient future upgrades. </p>
 
 </ul>
 
@@ -520,13 +520,13 @@ configuration file edits</a>" in section 10, and review the "<a
 href="#hamlet">To chroot or not to chroot</a>" text in section
 11. </p>
 
-<p> You MUST comment out the "smtp inet" entry in /etc/postfix/master.cf,
+<p> You MUST comment out the "smtp inet" entry in /etc/postfix/<a href="master.5.html">master.cf</a>,
 in order to avoid conflicts with the real sendmail. Put a "#"
 character in front of the line that defines the smtpd service: </p>
 
 <blockquote>
 <pre>
-/etc/postfix/master.cf:
+/etc/postfix/<a href="master.5.html">master.cf</a>:
     #smtp      inet  n       -       n       -       -       smtpd
 </pre>
 </blockquote>
@@ -585,11 +585,11 @@ receive mail while leaving your Sendmail setup intact, by running
 Postfix on a virtual interface address.  Simply configure your mail
 user agent to directly invoke the Postfix sendmail program.  </p>
 
-<p> In the /etc/postfix/main.cf file, I would specify </p>
+<p> In the /etc/postfix/<a href="postconf.5.html">main.cf</a> file, I would specify </p>
 
 <blockquote>
 <pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
     <a href="postconf.5.html#myhostname">myhostname</a> = virtual.host.tld
     <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> = $<a href="postconf.5.html#myhostname">myhostname</a>
     <a href="postconf.5.html#mydestination">mydestination</a> = $<a href="postconf.5.html#myhostname">myhostname</a>
@@ -722,12 +722,12 @@ presented below is targeted at experienced system administrators.
 <h3>10.1 - Postfix configuration files</h3>
 
 <p> By default, Postfix configuration files are in /etc/postfix.
-The two most important files are main.cf and master.cf; these files
+The two most important files are <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a>; these files
 must be owned by root.  Giving someone else write permission to
-main.cf or master.cf (or to their parent directories) means giving
+<a href="postconf.5.html">main.cf</a> or <a href="master.5.html">master.cf</a> (or to their parent directories) means giving
 root privileges to that person. </p>
 
-<p> In /etc/postfix/main.cf, you will have to set up a minimal number
+<p> In /etc/postfix/<a href="postconf.5.html">main.cf</a>, you will have to set up a minimal number
 of configuration parameters.  Postfix configuration parameters  
 resemble shell variables, with two important differences: the first  
 one is that Postfix does not know about quotes like the UNIX shell
@@ -737,7 +737,7 @@ does.</p>
 
 <blockquote>
 <pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
     parameter = value
 </pre>
 </blockquote>
@@ -746,7 +746,7 @@ does.</p>
 
 <blockquote>
 <pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
     other_parameter = $parameter
 </pre>
 </blockquote>
@@ -756,7 +756,7 @@ second main difference with UNIX shell variables). The Postfix
 configuration language uses lazy evaluation, and does not look at
 a parameter value until it is needed at runtime.  </p>
 
-<p> Whenever you make a change to the main.cf or master.cf file,
+<p> Whenever you make a change to the <a href="postconf.5.html">main.cf</a> or <a href="master.5.html">master.cf</a> file,
 execute the following command in order to refresh a running mail
 system: </p>
 
@@ -777,7 +777,7 @@ probably OK only for very small sites.  </p>
 
 <blockquote>
 <pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
     <a href="postconf.5.html#myorigin">myorigin</a> = $<a href="postconf.5.html#myhostname">myhostname</a>    (send mail as "user@$<a href="postconf.5.html#myhostname">myhostname</a>")
     <a href="postconf.5.html#myorigin">myorigin</a> = $<a href="postconf.5.html#mydomain">mydomain</a>      (send mail as "user@$<a href="postconf.5.html#mydomain">mydomain</a>")
 </pre>
@@ -792,7 +792,7 @@ locally. </p>
 
 <blockquote>
 <pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
     <a href="postconf.5.html#mydestination">mydestination</a> = $<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, localhost
     <a href="postconf.5.html#mydestination">mydestination</a> = $<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, localhost, $<a href="postconf.5.html#mydomain">mydomain</a>
     <a href="postconf.5.html#mydestination">mydestination</a> = $<a href="postconf.5.html#myhostname">myhostname</a>
@@ -819,7 +819,7 @@ mail delivery loops will happen when the primary MX host is down.
 
 <blockquote>
 <pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
     <a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> = 1.2.3.4 (the proxy/NAT external network address)
 </pre>
 </blockquote>
@@ -834,7 +834,7 @@ permission to too many clients.  My own settings are: </p>
 
 <blockquote>
 <pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
     <a href="postconf.5.html#mynetworks">mynetworks</a> = 168.100.189.0/28, 127.0.0.0/8
 </pre>
 </blockquote>
@@ -849,7 +849,7 @@ too many destinations.  Recommended settings (use only one): </p>
 
 <blockquote>
 <pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
     <a href="postconf.5.html#relay_domains">relay_domains</a> =            (do not forward mail from strangers)
     <a href="postconf.5.html#relay_domains">relay_domains</a> = $<a href="postconf.5.html#mydomain">mydomain</a>  (my domain and subdomains)
     <a href="postconf.5.html#relay_domains">relay_domains</a> = $<a href="postconf.5.html#mydomain">mydomain</a>, other.domain.tld, ...
@@ -868,7 +868,7 @@ a hard-coded hostname.  </p>
 
 <blockquote>
 <pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
     <a href="postconf.5.html#relayhost">relayhost</a> = $<a href="postconf.5.html#mydomain">mydomain</a>
     <a href="postconf.5.html#relayhost">relayhost</a> = [mail.$<a href="postconf.5.html#mydomain">mydomain</a>]
 </pre>
@@ -882,7 +882,7 @@ turn off SMTP client DNS lookups like this: </p>
 
 <blockquote>
 <pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
     <a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> = yes
 </pre>
 </blockquote>
@@ -928,7 +928,7 @@ following commands: </p>
 
 <h2><a name="hamlet">11 - To chroot or not to chroot</a></h2>
 
-<p> Postfix daemon processes can be configured (via master.cf) to
+<p> Postfix daemon processes can be configured (via <a href="master.5.html">master.cf</a>) to
 run in a chroot jail.  The processes run at a fixed low privilege
 and with access only to the Postfix queue directories (/var/spool/postfix).
 This provides a significant barrier against intrusion. The barrier
@@ -944,9 +944,9 @@ processes, and perhaps also the <a href="lmtp.8.html">lmtp(8)</a> client. The au
 porcupine.org mail server runs all daemons chrooted that can be
 chrooted. </p>
 
-<p> The default /etc/postfix/master.cf file specifies that no
+<p> The default /etc/postfix/<a href="master.5.html">master.cf</a> file specifies that no
 Postfix daemon runs chrooted.  In order to enable chroot operation,
-edit the file /etc/postfix/master.cf. Instructions are in the file.
+edit the file /etc/postfix/<a href="master.5.html">master.cf</a>. Instructions are in the file.
 </p>
 
 <p> Note that a chrooted daemon resolves all filenames relative to
diff --git a/postfix/html/MAILDROP_README.html b/postfix/html/MAILDROP_README.html
index 1216218c4..20f9b5422 100644
--- a/postfix/html/MAILDROP_README.html
+++ b/postfix/html/MAILDROP_README.html
@@ -45,7 +45,7 @@ and for someother.domain.  </p>
 
 <blockquote>
 <pre>
- 1 /etc/postfix/main.cf:
+ 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
  2     maildrop_destination_recipient_limit = 1
  3     <a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> = some.domain someother.domain
  4     <a href="postconf.5.html#virtual_transport">virtual_transport</a> = maildrop
@@ -70,7 +70,7 @@ at a time to the maildrop delivery agent.  </p>
 
 <li> <p> Line 3 informs Postfix that some.domain and someother.domain
 are so-called <a href="ADDRESS_CLASS_README.html#virtual_mailbox_class">virtual mailbox domains</a>.
-Instead of listing the names in main.cf you can also
+Instead of listing the names in <a href="postconf.5.html">main.cf</a> you can also
 list them in a file; see the <a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> documentation for
 details. </p>
 
@@ -98,20 +98,23 @@ to deliver the mail.  </p>
 
 <blockquote>
 <pre>
-/etc/postfix/master.cf:
+/etc/postfix/<a href="master.5.html">master.cf</a>:
     maildrop  unix  -       n       n       -       -       pipe
-      flags=DRhu user=vmail argv=/path/to/maildrop -d ${recipient}
+      flags=ODRhu user=vmail argv=/path/to/maildrop -d ${recipient}
 </pre>
 </blockquote>
 
+<p> The <a href="pipe.8.html">pipe(8)</a> manual page gives a detailed description of the
+above command line arguments, and more. </p>
+
 <p> If you want to support user+extension@domain style addresses,
 use the following instead: </p>
 
 <blockquote>
 <pre>
-/etc/postfix/master.cf:
+/etc/postfix/<a href="master.5.html">master.cf</a>:
     maildrop  unix  -       n       n       -       -       pipe
-      flags=DRhu user=vmail argv=/path/to/maildrop 
+      flags=ODRhu user=vmail argv=/path/to/maildrop 
       -d ${user}@${nexthop} ${extension} ${recipient} ${user} ${nexthop}
 </pre>
 </blockquote>
@@ -119,7 +122,7 @@ use the following instead: </p>
 <p> The mail is delivered to ${user}@${nexthop} (match key for
 maildrop userdb lookup). The ${extension} and the other address
 components are available to maildrop rules as $1, $2, $3, ...  and
-can be omitted from master.cf or ignored by maildrop when not
+can be omitted from <a href="master.5.html">master.cf</a> or ignored by maildrop when not
 needed. </p>
 
 <h2><a name="indirect">Indirect delivery via the local delivery agent</a></h2>
@@ -135,7 +138,7 @@ You would typically use this for domains that are listed in
 
 <blockquote>
 <pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
     <a href="postconf.5.html#mailbox_command">mailbox_command</a> = /path/to/maildrop -d ${USER}
 </pre>
 </blockquote>
@@ -148,7 +151,7 @@ use the Postfix <a href="local.8.html">local(8)</a> delivery agent's <a href="po
 
 <blockquote>
 <pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
     <a href="postconf.5.html#mailbox_command_maps">mailbox_command_maps</a> = hash:/etc/postfix/mailbox_commands
 
 /etc/postfix/mailbox_commands:
diff --git a/postfix/html/MILTER_README.html b/postfix/html/MILTER_README.html
index 926bc41bb..1ae1d0676 100644
--- a/postfix/html/MILTER_README.html
+++ b/postfix/html/MILTER_README.html
@@ -32,13 +32,14 @@ href="http://sourceforge.net/projects/sid-milter/">SenderID+SPF</a> and
 <a href="http://sourceforge.net/projects/dk-milter/">Domain keys</a>)
 or to digitally sign mail (example: <a
 href="http://sourceforge.net/projects/dk-milter/">Domain keys</a>).
-Having yet another MTA-specific version of all that software is a
-poor use of human and system resources. </p>
+Having yet another Postfix-specific version of all that software
+is a poor use of human and system resources. </p>
 
 <p> Postfix 2.3 implements all the requests of Sendmail version 8
 Milter protocols up to version 4, except one: message body replacement.
-See, however, the <a href="#limitations">limitations</a> section
-at the end of this document. </p>
+See, however, the <a href="#workarounds">workarounds</a> and <a
+href="#limitations">limitations</a> sections at the end of this
+document. </p>
 
 <p> This document provides information on the following topics: </p>
 
@@ -257,10 +258,13 @@ for options.  A typical command looks like this:</p>
 
 <blockquote>
 <pre>
-$ <b>/some/where/dk-filter -p inet:<i>portnumber</i>@localhost ...<i>other options</i>...</b>
+# <b>/some/where/dk-filter -u <i>userid</i> -p inet:<i>portnumber</i>@localhost ...<i>other options</i>...</b>
 </pre>
 </blockquote>
 
+<p> Please specify a <i>userid</i> value that isn't used for other
+applications (not "postfix", not "www", etc.). </p>
+
 <h2><a name="config">Configuring Postfix</a></h2>
 
 <p> Like Sendmail, Postfix has a lot of configuration options that
@@ -295,6 +299,12 @@ unwanted mail, and to sign mail from authorized SMTP clients.  Mail
 that arrives via the Postfix <a href="smtpd.8.html">smtpd(8)</a> server is not filtered by the
 non-SMTP filters that are described in the next section. </p>
 
+<p> NOTE: Do not use the <a href="header_checks.5.html">header_checks(5)</a> IGNORE action to remove
+Postfix's own Received: message header. This causes problems with
+mail signing filters. Instead, keep Postfix's own Received: message
+header and use the <a href="header_checks.5.html">header_checks(5)</a> REPLACE action to sanitize
+information. </p>
+
 <p> You specify SMTP-only Milter applications (there can be more
 than one) with the <a href="postconf.5.html#smtpd_milters">smtpd_milters</a> parameter.  Each Milter application
 is identified by the name of its listening socket; other Milter
@@ -328,7 +338,7 @@ Connect to the specified TCP port on the specified local or remote
 host.  The host and port can be specified in numeric or symbolic
 form.</p>
 
-<p> Note: Postfix syntax differs from Milter syntax which has the
+<p> NOTE: Postfix syntax differs from Milter syntax which has the
 form <b>inet:</b><i>port</i><b>@</b><i>host</i>. </p>  </dd>
 
 </dl>
@@ -345,6 +355,12 @@ limitations as discussed later in this section.  Mail that arrives
 via the Postfix <a href="smtpd.8.html">smtpd(8)</a> server is not filtered by the non-SMTP
 filters.  </p>
 
+<p> NOTE: Do not use the <a href="header_checks.5.html">header_checks(5)</a> IGNORE action to remove
+Postfix's own Received: message header. This causes problems with
+mail signing filters. Instead, keep Postfix's own Received: message
+header and use the <a href="header_checks.5.html">header_checks(5)</a> REPLACE action to sanitize
+information. </p>
+
 <p> You specify non-SMTP Milter applications with the <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>
 parameter. This parameter uses the same syntax as the <a href="postconf.5.html#smtpd_milters">smtpd_milters</a>
 parameter in the previous section. As with the SMTP-only filters,
@@ -596,6 +612,13 @@ TO </td> </tr>
 
 <h2><a name="workarounds">Workarounds</a></h2>
 
+<p> Content filters may break domain key etc. signatures. If you
+use an SMTP-based filter as described in <a href="FILTER_README.html">FILTER_README</a>, then you
+should add a line to <a href="master.5.html">master.cf</a> with "<a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a>
+= yes", as described in the <a
+href="FILTER_README.html#advanced_filter">advanced content filter</a>
+example. </p>
+
 <p> Sendmail Milter applications were originally developed for the
 Sendmail version 8 MTA, which has a different architecture than
 Postfix.  The result is that some Milter applications make assumptions
@@ -603,6 +626,10 @@ that aren't true in a Postfix environment. </p>
 
 <ul>
 
+<li> <p> Some Milter applications use the "<tt>{if_addr}</tt>" macro
+to recognize local mail; this macro does not exist in Postfix.
+Workaround: use the "<tt>{client_addr}</tt>" macro instead. </p>
+
 <li> <p> Some Milter applications log a warning that looks like
 this: </p>
 
@@ -620,13 +647,14 @@ X-SenderID: Sendmail Sender-ID Filter vx.y.z host.example.com &lt;unknown-msgid&
 </pre>
 </blockquote>
 
-<p> This happens because the Milter application expects that the
+<p> This happens because some Milter applications expect that the
 queue ID is known <i>before</i> the MTA accepts the MAIL FROM
-(sender) command.  Postfix, on the other hand, does not create a
-queue file until <i>after</i> Postfix accepts the first valid RCPT
-TO (recipient) command. This queue file name must be globally unique
-across multiple queue directories, so it cannot be chosen until the
-file is actually created. </p>
+(sender) command.  Postfix, on the other hand, does not choose a
+queue file name until <i>after</i> it accepts the first valid RCPT
+TO (recipient) command. Postfix queue file names must be unique
+across multiple directories, so the name can't be chosen before the
+file is created.  If multiple messages were to use the same queue
+ID <i>simultaneously</i>, mail would be lost.  </p>
 
 <p> To work around the ugly message header from Milter applications,
 we add a little code to the Milter source to look up the queue ID
@@ -644,21 +672,32 @@ the top shown as <b>bold</b> text below: </p>
 
 <blockquote>
 <pre>
-sic = (Context) smfi_getpriv(ctx);
-assert(sic != NULL);
+dfc = cc->cctx_msg;
+assert(dfc != NULL);
 <b>
-/*
-**  Determine the job ID for logging.
-*/
-if (sic->ctx_jobid == 0 || strcmp(sic->ctx_jobid, MSGIDUNKNOWN) == 0) {
+/* Determine the job ID for logging. */
+if (dfc->mctx_jobid == 0 || strcmp(dfc->mctx_jobid, JOBIDUNKNOWN) == 0) {
         char *jobid = smfi_getsymval(ctx, "i");
         if (jobid != 0)
-                sic->ctx_jobid = jobid;
+                dfc->mctx_jobid = jobid;
 }</b>
+
+/* get hostname; used in the X header and in new MIME boundaries */
 </pre>
 </blockquote>
 
-<p> This does not remove the WARNING message, however. </p>
+<p> NOTES: </p>
+
+<ul>
+
+<li> <p> Different mail filters use slightly different names for
+variables. If the above code does not compile, look for the code
+at the start of the <tt>mlfi_eoh()</tt> routine. </p>
+
+<li> <p> This fixes only the ugly message header, but not the WARNING
+message.  Fortunately, dk-filter logs that message only once. </p>
+
+</ul>
 
 <p> With some Milter applications we can fix both the WARNING and
 the "unknown-msgid" by postponing the call of <tt>mlfi_eoh()</tt>
@@ -699,7 +738,7 @@ will dump core when you do this. </p>
 <h2><a name="limitations">Limitations</a></h2>
 
 <p> This section lists limitations of the Postfix Milter implementation.
-Some limitations will be removed disappear as support is extended
+Some limitations will be removed as the implementation is extended
 over time. Of course the usual limitations of before-queue filtering
 will always apply. See the <a href="CONTENT_INSPECTION_README.html">CONTENT_INSPECTION_README</a> document for
 a discussion. </p>
diff --git a/postfix/html/SASL_README.html b/postfix/html/SASL_README.html
index 3c1825b2d..d177f7f15 100644
--- a/postfix/html/SASL_README.html
+++ b/postfix/html/SASL_README.html
@@ -359,7 +359,8 @@ library for configuration can be set with: </p>
 <blockquote>
 <pre>
 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
-    smtpd_sasl_application_name = smtpd
+    smtpd_sasl_application_name = smtpd (Postfix &lt; 2.3)
+    <a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a> = smtpd (Postfix 2.3 and later)
 </pre>
 </blockquote>
 
@@ -687,8 +688,9 @@ of SuSE Rhein/Main AG.
 <a href="postconf.5.html#reject_authenticated_sender_login_mismatch">reject_authenticated_sender_login_mismatch</a> and
 <a href="postconf.5.html#reject_unauthenticated_sender_login_mismatch">reject_unauthenticated_sender_login_mismatch</a>, and revised the docs.
 
-<li> Wietse made another iteration through the code to add
-plug-in support for multiple SASL implementations.
+<li> Wietse made another iteration through the code to add plug-in
+support for multiple SASL implementations, and changed
+smtpd_sasl_application_name into <a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a>.
 
 <li> The Dovecot SMTP server-only plug-in was originally implemented by
 Timo Sirainen of Procontrol, Finland.
diff --git a/postfix/html/SMTPD_POLICY_README.html b/postfix/html/SMTPD_POLICY_README.html
index d1b0c73f9..76f4cd8e6 100644
--- a/postfix/html/SMTPD_POLICY_README.html
+++ b/postfix/html/SMTPD_POLICY_README.html
@@ -90,7 +90,7 @@ sasl_username=you
 sasl_sender=
 size=12345
 ccert_subject=solaris9.porcupine.org
-ccert_issuer=Wietse Venema
+ccert_issuer=Wietse+20Venema
 ccert_fingerprint=C2:9D:F4:87:71:73:73:D9:18:E7:C2:F3:C1:DA:6E:04
 <b>Postfix version 2.3 and later:</b>
 encryption_protocol=TLSv1/SSLv3
@@ -161,6 +161,9 @@ etrn_domain=
     <li> <p> The "ccert_*" attributes (Postfix 2.2 and later) specify
     information about how the client was authenticated via TLS.
     These attributes are empty in case of no certificate authentication.
+    As of Postfix 2.2.11 these attribute values are encoded as
+    xtext: some characters are represented by +XX, where XX is the
+    two-digit hecadecimal representation of the character value.
     </p>
 
     <li> <p> The "encryption_*" attributes (Postfix 2.3 and later)
diff --git a/postfix/html/TLS_README.html b/postfix/html/TLS_README.html
index 05e39eb5f..42ed35f78 100644
--- a/postfix/html/TLS_README.html
+++ b/postfix/html/TLS_README.html
@@ -247,9 +247,8 @@ back to plain text after a TLS handshake failure, the server will
 be unable to receive email from most TLS enabled clients. To avoid
 accidental configurations with no certificates, Postfix 2.3 enables
 certificate-less operation only when the administrator explicitly sets
-"<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>&nbsp;=&nbsp;none". This ensures that new Postfix
-configurations with just "<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>&nbsp;=&nbsp;yes" added, will
-not accidentally run with no certificates. </p>
+"<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = none". This ensures that new Postfix
+configurations will not accidentally run with no certificates. </p>
 
 <p> Both RSA and DSA certificates are supported. Typically you will
 only have RSA certificates issued by a commercial CA. In addition,
@@ -437,13 +436,18 @@ since the headers may be changed by intermediate servers. </p>
 
 <p> By default, TLS is disabled in the Postfix SMTP server, so no
 difference to plain Postfix is visible.  Explicitly switch it on
-using "<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>&nbsp;=&nbsp;yes". </p>
+with "<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = may" (Postfix 2.3 and
+later) or "<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes" (obsolete but still
+supported). </p>
 
 <p> Example: </p>
  
 <blockquote>
 <pre>
 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
+    # Postfix 2.3 and later
+    <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = may
+    # Obsolete, but still supported
     <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes
 </pre>
 </blockquote>
@@ -456,18 +460,23 @@ SMTP clients, but does not require that clients use TLS encryption.
 is never offered due to insufficient privileges to access the server
 private key. This is intended behavior. </p>
 
-<p> <a name="server_enforce">You can ENFORCE the use of TLS</a>, so that
-the Postfix SMTP server announces STARTTLS and accepts no mail without
-TLS encryption, by setting "<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>&nbsp;=&nbsp;yes". According
-to <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a> this MUST NOT be applied in case of a publicly-referenced
-Postfix SMTP server.  This option is off by default and should only
-seldom be used. </p>
+<p> <a name="server_enforce">You can ENFORCE the use of TLS</a>,
+so that the Postfix SMTP server announces STARTTLS and accepts no
+mail without TLS encryption, by setting
+"<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt" (Postfix 2.3 and
+later) or "<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes" (obsolete but still
+supported). According to <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a> this MUST NOT be applied in case
+of a publicly-referenced Postfix SMTP server.  This option is off
+by default and should only seldom be used. </p>
 
 <p> Example: </p>
  
 <blockquote>
 <pre>
 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
+    # Postfix 2.3 and later
+    <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt
+    # Obsolete, but still supported
     <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes
 </pre>
 </blockquote>
@@ -481,7 +490,7 @@ and OE (5.01 Mac on all ports). </p>
 
 <p> It is strictly discouraged to use this mode from <a href="postconf.5.html">main.cf</a>. If
 you want to support this service, enable a special port in <a href="master.5.html">master.cf</a>
-and specify "-o <a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a>&nbsp;=&nbsp;yes" as an <a href="smtpd.8.html">smtpd(8)</a> command
+and specify "-o <a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a> = yes" as an <a href="smtpd.8.html">smtpd(8)</a> command
 line option.  Port 465 (smtps) was once chosen for this feature.
 </p>
 
@@ -517,16 +526,19 @@ when the server is configured to ask for client certificates. </p>
 <blockquote>
 <pre>
 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
-    <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes
     <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> = yes
+    # Postfix 2.3 and later
+    <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = may
+    # Obsolete, but still supported
+    <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes
 </pre>
 </blockquote>
 
 <p> When TLS is <a href="#server_enforce">enforced</a> you may also decide
 to REQUIRE a remote SMTP client certificate for all TLS connections,
-by setting "<a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a>&nbsp;=&nbsp;yes". This feature implies
-"<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>&nbsp;=&nbsp;yes". When TLS is not enforced,
-"<a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a>&nbsp;=&nbsp;yes" is ignored and a warning is
+by setting "<a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a> = yes". This feature implies
+"<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> = yes". When TLS is not enforced,
+"<a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a> = yes" is ignored and a warning is
 logged. </p>
 
 <p> Example: </p>
@@ -534,8 +546,11 @@ logged. </p>
 <blockquote>
 <pre>
 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
-    <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes
     <a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a> = yes
+    # Postfix 2.3 and later
+    <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt
+    # Obsolete, but still supported
+    <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes
 </pre>
 </blockquote>
 
@@ -556,15 +571,18 @@ CA issues special CA which then issues the actual certificate...)
 
 <h3><a name="server_tls_auth">Supporting AUTH over TLS only</a></h3>
 
-<p> Sending AUTH data over an unencrypted channel poses a security risk.
-When TLS layer encryption is required (<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>&nbsp;=&nbsp;yes),
-the Postfix SMTP server will announce and accept AUTH only
-after the TLS layer has been activated with STARTTLS. When TLS
-layer encryption is optional (<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>&nbsp;=&nbsp;no), it may
-however still be useful to only offer AUTH when TLS is active. To
-maintain compatibility with non-TLS clients, the default is to
-accept AUTH without encryption. In order to change this behavior,
-set "<a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a>&nbsp;=&nbsp;yes". </p>
+<p> Sending AUTH data over an unencrypted channel poses a security
+risk.  When TLS layer encryption is required
+("<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt" or the obsolete
+"<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes"), the Postfix SMTP server will
+announce and accept AUTH only after the TLS layer has been activated
+with STARTTLS. When TLS layer encryption is optional
+("<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = may" or the obsolete
+"<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = no"), it may however still be useful
+to only offer AUTH when TLS is active. To maintain compatibility
+with non-TLS clients, the default is to accept AUTH without encryption.
+In order to change this behavior, set
+"<a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> = yes". </p>
 
 <p> Example: </p>
  
@@ -688,39 +706,49 @@ the user or host.</p>
 <h3><a name="server_cipher">Server-side cipher controls</a> </h3>
 
 <p> The description below is for Postfix 2.3; for Postfix &lt; 2.3 the
-smtpd_tls_cipherlist parameter specifies the acceptable ciphers as an
-explicit OpenSSL cipherlist. </p>
+<a href="postconf.5.html#smtpd_tls_cipherlist">smtpd_tls_cipherlist</a> parameter specifies the acceptable ciphers as an
+explicit OpenSSL cipherlist. The obsolete setting applies even when TLS
+encryption is not enforced. Use of this control on public MX hosts is
+strongly discouraged. </p>
+
+<p> With mandatory TLS encryption, the Postfix SMTP server will by
+default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption
+is optional. This is controlled by the <a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a>
+configuration parameter. </p>
 
 <p> The Postfix SMTP server supports 5 distinct cipher security levels
-as specified by the <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a> configuration parameter. The
-default value is "export" which is the only one appropriate for public
-MX hosts.  On private MX hosts or MSAs one can further restrict the
-OpenSSL cipherlist selection. </p>
+as specified by the <a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> configuration parameter,
+which determines the cipher grade with mandatory TLS encryption. The
+default value is "medium" which is essentially 128-bit encryption or better.
+With opportunistic TLS encryption, the minimum accepted cipher grade is
+always "export". </p>
 
 <p> By default anonymous ciphers are allowed, and automatically disabled
 when client certificates are requested. If clients are expected to always
 verify the server certificate you may want to exclude anonymous ciphers
-by setting "<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a>&nbsp;=&nbsp;aNULL".  One can't
-force a client to check the server certificate, so excluding anonymous
-ciphers is generally unnecessary. </p>
+by setting "<a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> = aNULL".
+One can't force a client to check the server certificate, so excluding
+anonymous ciphers is generally unnecessary. </p>
 
 <p> For a server that is not a public Internet MX host, Postfix 2.3
 supports configurations with no <a href="#server_cert_key">server
 certificates</a> that use <b>only</b> the anonymous ciphers. This is
-enabled by explicitly setting "<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>&nbsp;=&nbsp;none"
+enabled by explicitly setting "<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = none"
 and not specifying an <a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>. </p>
 
-<p> Example: (MSA that requires  TLS with reasonably secure ciphers) </p>
+<p> Example: (MSA that requires  TLS with high grade ciphers) </p>
 
 <blockquote>
 <pre>
 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
-    <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes
-    <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes
     <a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = /etc/postfix/cert.pem
     <a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> = /etc/postfix/key.pem
-    <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a> = medium
-    <a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> = aNULL, MD5
+    <a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> = high
+    <a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> = aNULL, MD5
+    # Postfix 2.3 and later
+    <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt
+    # Obsolete, but still supported
+    <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes
 </pre>
 </blockquote>
 
@@ -1166,11 +1194,11 @@ in the sections that follow.</p>
 
 <p> At the "none" TLS security level, TLS encryption is
 disabled. This is the default security level. With Postfix 2.3 and later,
-it can be configured explicitly by setting "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>&nbsp;=&nbsp;none". </p>
+it can be configured explicitly by setting "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = none". </p>
 
 <p> With Postfix 2.2 and earlier, or when <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> is set to
 its default (backwards compatible) empty value, the appropriate configuration
-settings are "<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>&nbsp;=&nbsp;no" and "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>&nbsp;=&nbsp;no".
+settings are "<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> = no" and "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = no".
 With either approach, TLS is not used even if supported by the server.
 For LMTP, use the corresponding "lmtp_" parameters. </p>
 
@@ -1191,7 +1219,7 @@ table, specify the "NONE" keyword. </p>
 The SMTP transaction is encrypted if the STARTTLS ESMTP feature
 is supported by the server. Otherwise, messages are sent in the clear.
 With Postfix 2.3 and later, opportunistic TLS can be configured by
-setting "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>&nbsp;=&nbsp;may".
+setting "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = may".
 
 <p> Since sending in the clear is acceptable, demanding stronger
 than default TLS security merely reduces inter-operability.  For
@@ -1202,9 +1230,9 @@ better ciphers are used. </p>
 
 <p> With Postfix 2.2 and earlier, or when <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> is
 set to its default (backwards compatible) empty value, the appropriate
-configuration settings are "<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>&nbsp;=&nbsp;yes" and
-"<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>&nbsp;=&nbsp;no".
-For LMTP use the corresponding "lmtp" parameters. </p>
+configuration settings are "<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> = yes" and
+"<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = no".
+For LMTP use the corresponding "lmtp_" parameters. </p>
 
 <p> With opportunistic TLS, mail delivery continues even if the
 server certificate is untrusted or bears the wrong name.  Starting
@@ -1257,12 +1285,12 @@ on TLS <a href="#client_tls_limits">limitations</a> above. </p>
 
 <p> At the "encrypt" TLS security level, messages are sent only
 over TLS encrypted sessions. The SMTP transaction is aborted unless
-the STARTTLS ESMTP feature is supported by the server. If no
-suitable servers are found, the message will be deferred. With Postfix
-2.3 and later, mandatory TLS encryption can be configured by setting
-"<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>&nbsp;=&nbsp;encrypt". Even though TLS encryption
-is always used, mail delivery continues if the server certificate is
-untrusted or bears the wrong name. </p>
+the STARTTLS ESMTP feature is supported by the server. If no suitable
+servers are found, the message will be deferred. With Postfix 2.3
+and later, mandatory TLS encryption can be configured by setting
+"<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt". Even though TLS
+encryption is always used, mail delivery continues if the server
+certificate is untrusted or bears the wrong name. </p>
 
 <p> At this security level and higher, the <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>
 and <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> configuration parameters determine
@@ -1274,9 +1302,9 @@ parameters includes useful interoperability and security guidelines.
 
 <p> With Postfix 2.2 and earlier, or when <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>
 is set to its default (backwards compatible) empty value, the
-appropriate configuration settings are "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>&nbsp;=&nbsp;yes"
-and "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>&nbsp;=&nbsp;no". For LMTP use the corresponding
-<i>lmtp_</i> parameters. </p>
+appropriate configuration settings are "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes"
+and "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = no". For LMTP use the corresponding
+"lmtp_" parameters. </p>
 
 <p> Despite the potential for eliminating passive eavesdropping attacks,
 mandatory TLS encryption is not viable as a default security level for
@@ -1382,22 +1410,22 @@ use the new <a href="#client_tls_policy">policy table</a> instead. </p>
 <h3><a name="client_tls_verify"> Mandatory server certificate verification </a>
 </h3>
 
-<p> At the "verify" TLS security level, messages are sent only
-over TLS encrypted sessions for which server certificate verification
-succeeds. If no suitable servers are found, the message will be
-deferred. With Postfix 2.3 and later, mandatory server certificate
-verification can be configured by setting
-"<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>&nbsp;=&nbsp;verify", the
+<p> At the "verify" TLS security level, messages are sent only over
+TLS encrypted sessions if the server certificate is valid (not
+expired or revoked, and signed by a trusted certificate authority)
+and if the server certificate name matches a known pattern.  Mandatory
+server certificate verification can be configured by setting
+"<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = verify".  The
 <a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> parameter can override the default
-"hostname" certificate match strategy. Fine-tuning the matching
-strategy is generally only appropriate for <a
+"hostname" certificate name matching strategy. Fine-tuning the
+matching strategy is generally only appropriate for <a
 href="#client_tls_secure">secure-channel</a> destinations. </p>
 
 <p> With Postfix 2.2 and earlier, or when <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>
 is set to its default (backwards compatible) empty value, the
-appropriate configuration settings are "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>&nbsp;=&nbsp;yes" and
-"<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>&nbsp;=&nbsp;yes". For LMTP use the corresponding
-<i>lmtp_</i> parameters. </p>
+appropriate configuration settings are "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" and
+"<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes". For LMTP use the corresponding
+"lmtp_" parameters. </p>
 
 <p> If the server certificate chain is trusted (see <a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a>
 and <a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a>), any DNS names in the SubjectAlternativeName
@@ -1471,16 +1499,16 @@ to <i>example.com</i> recipients uses "high" grade ciphers. </p>
 <i>secure-channel</i> TLS sessions where DNS forgery resistant server
 certificate verification succeeds. If no suitable servers are found, the
 message will be deferred. With Postfix 2.3 and later, secure-channels
-can be configured by setting "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>&nbsp;=&nbsp;secure".
+can be configured by setting "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = secure".
 The <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> parameter can override the default
 "nexthop, dot-nexthop" certificate match strategy. </p>
 
 <p> With Postfix 2.2 and earlier, or when <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>
 is set to its default (backwards compatible) empty value, the
-appropriate configuration settings are "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>&nbsp;=&nbsp;yes"
-and "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>&nbsp;=&nbsp;yes" with additional settings to
+appropriate configuration settings are "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes"
+and "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes" with additional settings to
 <a href="#client_tls_harden">harden</a> peer certificate verification
-against forged DNS data. For LMTP, use the corresponding <i>lmtp_</i>
+against forged DNS data. For LMTP, use the corresponding "lmtp_"
 parameters. </p>
 
 <p> If the server certificate chain is trusted (see <a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> and
@@ -1636,10 +1664,10 @@ will be used. </p>
 
 <p> The new policy table is specified via the <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>
 parameter. This lists optional lookup tables with the Postfix SMTP client
-TLS security policy by next-hop destination. It supersedes the obsolete
-<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter. When $<a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> is not empty,
-the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter is ignored (a warning is written to the
-logs if it is also non-empty). </p>
+TLS security policy by next-hop destination. When $<a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>
+is not empty, the obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter is ignored
+(a warning is written to the logs if both parameter values are
+non-empty).  </p>
 
 <p> The TLS policy table is indexed by the full next-hop destination,
 which is either the recipient domain, or the verbatim next-hop
@@ -1676,33 +1704,51 @@ describe the corresponding table syntax: </p>
 <dd>Opportunistic TLS. No additional attributes are supported at this
 level. </dd>
 
-<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption. At this level and
-higher the optional "ciphers" attribute overrides the <a href="postconf.5.html">main.cf</a>
-<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> parameter and the optional "protocols"
-keyword overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> parameter.
-In the policy table, multiple protocols must be separated by colons,
-as attribute values may not contain whitespace or commas.</dd>
-
-<dt><b>verify</b></dt>
-<dd>Mandatory server certificate verification. The optional "match"
-attribute overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> parameter.
-In the policy table, multiple match patterns and strategies must
-be separated by colons. </dd>
-
-<dt><b>secure</b></dt> <dd>Secure-channel TLS. The optional "match"
-attribute overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> parameter. In
-the policy table, multiple match patterns and strategies must be separated
-by colons. The match attribute is useful when additional domains are
-supported by common server, the policy entries for the additional domains
-specify matching rules for the primary domain certificate. While transport
-table overrides routing secondary domains to the primary nexthop also
-allow secure verification, they risk delivery to the wrong destination
-when domains change hands or are re-assigned to new gateways. With the
-"match" attribute approach, routing is not perturbed, and mail is deferred
-if verification of a new MX host fails. </dd>
+<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption. Mail is
+delivered only if remote SMTP server offers STARTTLS and the TLS
+handshake succeeds.  At this level and higher the optional "ciphers"
+attribute overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> parameter
+and the optional "protocols" keyword overrides the <a href="postconf.5.html">main.cf</a>
+<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> parameter. </dd>
+
+<dt><b>verify</b></dt> <dd>Mandatory server certificate verification.
+Mail is delivered only if the TLS handshake succeeds, if the server
+certificate can be validated (not expired or revoked, and signed
+by a trusted certificate authority), and if the server certificate
+name matches the optional "match" attribute (or the <a href="postconf.5.html">main.cf</a>
+<a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> parameter value when no optional "match"
+attribute is specified).  </dd>
+
+<dt><b>secure</b></dt> <dd>Secure-channel TLS. Mail is delivered
+only if the TLS handshake succeeds, if the server certificate can
+be validated (not expired or revoked, and signed by a trusted
+certificate authority), and if the server certificate name matches
+the optional "match" attribute (or the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a>
+parameter value when no optional "match" attribute is specified).
+</dd>
 
 </dl>
 
+<p> Notes: </p>
+
+<ul>
+
+<li> <p> The "match" attribute is especially useful to verify TLS
+certificates for domains that are hosted on a shared server.  In
+that case, specify "match" rules for the shared server's name.
+While secure verification can also be achieved with manual routing
+overrides in Postfix <a href="transport.5.html">transport(5)</a> tables, that approach can deliver
+mail to the wrong host when domains are assigned to new gateway
+hosts.  The "match" attribute approach avoids the problems of manual
+routing overrides; mail is deferred if verification of a new MX
+host fails.  </p>
+
+<li> <p> When a policy table entry specifies multiple match patterns,
+multiple match strategies, or multiple protocols, these must be
+separated by colons.  </p>
+
+</ul>
+
 <p>
 Example:
 </p>
@@ -1761,7 +1807,7 @@ encryption regardless of which table is used. The
 for the obsolete "MUST" keyword in the same way as for the "verify"
 level in the new policy. </p>
 
-<p> With Postfix &lt; 2.3, the obsolete smtp_tls_cipherlist parameter
+<p> With Postfix &lt; 2.3, the obsolete <a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> parameter
 is also applied for opportunistic TLS sessions, and should be used with
 care, or not at all. Setting cipherlist restrictions that are incompatible
 with a remote SMTP server render that server unreachable, TLS handshakes
@@ -1816,7 +1862,7 @@ settings. </dd>
 <dt> MAY </dt> <dd> Opportunistic TLS. This has less precedence than
 a more specific result (including "NONE") from the alternate host or
 next-hop lookup key, and has less precedence than the more specific global
-"<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>&nbsp;=&nbsp;yes" or "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>&nbsp;=&nbsp;yes".  </dd>
+"<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" or "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes".  </dd>
 
 <dt> MUST_NOPEERMATCH </dt> <dd> Mandatory TLS encryption. This
 overrides a less secure "NONE" or a less specific "MAY" lookup result
@@ -1842,8 +1888,8 @@ policies can be summarized as follows: </p>
 <li> <p> When neither the remote SMTP server hostname nor the
 next-hop destination are found in the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table, the
 policy is based on <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> and
-<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>. Note: "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>&nbsp;=&nbsp;yes" and
-"<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>&nbsp;=&nbsp;yes" imply "<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>&nbsp;=&nbsp;yes". </p>
+<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>. Note: "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" and
+"<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes" imply "<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> = yes". </p>
 
 <li> <p> When both hostname and next-hop destination lookups produce
 a result, the more specific per-site policy (NONE, MUST, etc)
@@ -1853,7 +1899,7 @@ policy (MUST, etc) overrides the less secure one (NONE).  </p>
 <li> <p> After the per-site policy lookups are combined, the result
 generally overrides the global policy. The exception is the less
 specific "MAY" per-site policy, which is overruled by the more
-specific global "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>&nbsp;=&nbsp;yes" with server certificate
+specific global "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" with server certificate
 verification as specified with the <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
 parameter.  </p>
 
@@ -1891,7 +1937,7 @@ server hostname that is used for TLS policy lookup and server certificate
 verification. </p>
 
 <li> <p> Disallow CNAME hostname overrides. In <a href="postconf.5.html">main.cf</a>, specify
-"<a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a>&nbsp;=&nbsp;no". This prevents false hostname
+"<a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> = no". This prevents false hostname
 information in DNS CNAME records from changing the server hostname
 that Postfix uses for TLS policy lookup and server certificate
 verification. This feature requires Postfix 2.2.9 or later.  The
@@ -1987,14 +2033,14 @@ methods. See <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps
 ciphers on a per-destination basis. </p>
 
 <p> By default anonymous ciphers are allowed, and automatically
-disabled when server certificates are verified. If you
-want to disable even at the "encrypt" security level, set
-"<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>&nbsp;=&nbsp;aNULL",
-to disable anonymous ciphers even with opportunistic TLS, set
-"<a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a>&nbsp;=&nbsp;aNULL". There is generally no
-need to take these measures. Anonymous ciphers save bandwidth and TLS
-session cache space, if certificates are ignored, there is little point
-in requesting them. </p>
+disabled when server certificates are verified. If you want to
+disable anonymous ciphers even at the "encrypt" security level, set
+"<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> = aNULL"; and to
+disable anonymous ciphers even with opportunistic TLS, set
+"<a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> = aNULL". There is generally
+no need to take these measures. Anonymous ciphers save bandwidth
+and TLS session cache space, if certificates are ignored, there is
+little point in requesting them. </p>
 
 <p> Example: </p>
  
@@ -2238,18 +2284,22 @@ but don't require them from all clients. </p>
 
 <blockquote>
 <pre>
-<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> = /etc/postfix/cacert.pem
-<a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> =
-    btree:/var/spool/postfix/smtp_tls_session_cache
-<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> = yes
-<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> = /etc/postfix/cacert.pem
-<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = /etc/postfix/FOO-cert.pem
-<a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> = /etc/postfix/FOO-key.pem
-<a href="postconf.5.html#smtpd_tls_received_header">smtpd_tls_received_header</a> = yes
-<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> =
-    btree:/var/spool/postfix/smtpd_tls_session_cache
-<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes
-<a href="postconf.5.html#tls_random_source">tls_random_source</a> = dev:/dev/urandom
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+    <a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> = /etc/postfix/cacert.pem
+    <a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> =
+	btree:/var/spool/postfix/smtp_tls_session_cache
+    <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> = yes
+    <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> = /etc/postfix/cacert.pem
+    <a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = /etc/postfix/FOO-cert.pem
+    <a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> = /etc/postfix/FOO-key.pem
+    <a href="postconf.5.html#smtpd_tls_received_header">smtpd_tls_received_header</a> = yes
+    <a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> =
+	btree:/var/spool/postfix/smtpd_tls_session_cache
+    <a href="postconf.5.html#tls_random_source">tls_random_source</a> = dev:/dev/urandom
+    # Postfix 2.3 and later
+    <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = may
+    # Obsolete, but still supported
+    <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes
 </pre>
 </blockquote>
 
@@ -2294,14 +2344,14 @@ generation (PRNG) pool, and in order to access the TLS session
 cache databases. Such a protocol cannot be run across fifos. </p>
 
 <li> <p> <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>: the MUST_NOPEERMATCH per-site policy
-cannot override the global "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>&nbsp;=&nbsp;yes" setting.
+cannot override the global "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes" setting.
 </p>
 
 <li> <p> <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>: a combined (NONE + MAY) lookup result
 for (hostname and next-hop destination) produces counter-intuitive
 results for different <a href="postconf.5.html">main.cf</a> settings.  TLS is enabled with
-"<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>&nbsp;=&nbsp;no", but it is disabled when both
-"<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>&nbsp;=&nbsp;yes" and "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>&nbsp;=&nbsp;yes".
+"<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = no", but it is disabled when both
+"<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" and "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes".
 </p>
 
 </ul>
diff --git a/postfix/html/access.5.html b/postfix/html/access.5.html
index a55106809..1500b784a 100644
--- a/postfix/html/access.5.html
+++ b/postfix/html/access.5.html
@@ -361,7 +361,7 @@ ACCESS(5)                                                            ACCESS(5)
        lookups are directed to a TCP-based server. For a descrip-
        tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
        <a href="tcp_table.5.html"><b>ble</b>(5)</a>.  This feature is not available up to and including
-       Postfix version 2.2.
+       Postfix version 2.3.
 
        Each  lookup  operation uses the entire query string once.
        Depending on the application, that  string  is  an  entire
diff --git a/postfix/html/bounce.8.html b/postfix/html/bounce.8.html
index da749a991..6256c3efc 100644
--- a/postfix/html/bounce.8.html
+++ b/postfix/html/bounce.8.html
@@ -43,10 +43,11 @@ BOUNCE(8)                                                            BOUNCE(8)
 
 <b>STANDARDS</b>
        <a href="http://www.faqs.org/rfcs/rfc822.html">RFC 822</a> (ARPA Internet Text Messages)
+       <a href="http://www.faqs.org/rfcs/rfc2045.html">RFC 2045</a> (Format of Internet Message Bodies)
        <a href="http://www.faqs.org/rfcs/rfc2822.html">RFC 2822</a> (ARPA Internet Text Messages)
        <a href="http://www.faqs.org/rfcs/rfc3462.html">RFC 3462</a> (Delivery Status Notifications)
        <a href="http://www.faqs.org/rfcs/rfc3464.html">RFC 3464</a> (Delivery Status Notifications)
-       <a href="http://www.faqs.org/rfcs/rfc2045.html">RFC 2045</a> (Format of Internet Message Bodies)
+       <a href="http://www.faqs.org/rfcs/rfc3834.html">RFC 3834</a> (Auto-Submitted: message header)
 
 <b>DIAGNOSTICS</b>
        Problems and transactions are logged to <b>syslogd</b>(8).
@@ -107,6 +108,11 @@ BOUNCE(8)                                                            BOUNCE(8)
               The time limit for sending or receiving information
               over an internal communication channel.
 
+       <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
+              What categories of Postfix-generated mail are  sub-
+              ject   to   before-queue   content   inspection  by
+              <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
+
        <b><a href="postconf.5.html#mail_name">mail_name</a> (Postfix)</b>
               The mail system name that is displayed in Received:
               headers,  in  the  SMTP  greeting  banner,  and  in
diff --git a/postfix/html/canonical.5.html b/postfix/html/canonical.5.html
index fbcfc5e66..8ee71e649 100644
--- a/postfix/html/canonical.5.html
+++ b/postfix/html/canonical.5.html
@@ -162,7 +162,7 @@ CANONICAL(5)                                                      CANONICAL(5)
        lookups are directed to a TCP-based server. For a descrip-
        tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
        <a href="tcp_table.5.html"><b>ble</b>(5)</a>.  This feature is not available up to and including
-       Postfix version 2.2.
+       Postfix version 2.3.
 
        Each lookup operation uses the entire address once.  Thus,
        <i>user@domain</i>  mail  addresses  are not broken up into their
diff --git a/postfix/html/generic.5.html b/postfix/html/generic.5.html
index 8ff79b1bb..e0c2a5e00 100644
--- a/postfix/html/generic.5.html
+++ b/postfix/html/generic.5.html
@@ -142,7 +142,7 @@ GENERIC(5)                                                          GENERIC(5)
        lookups are directed to a TCP-based server. For a descrip-
        tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
        <a href="tcp_table.5.html"><b>ble</b>(5)</a>.  This feature is not available up to and including
-       Postfix version 2.2.
+       Postfix version 2.3.
 
        Each lookup operation uses the entire address once.  Thus,
        <i>user@domain</i>  mail  addresses  are not broken up into their
diff --git a/postfix/html/master.5.html b/postfix/html/master.5.html
index 376ad3d1a..06b0f6238 100644
--- a/postfix/html/master.5.html
+++ b/postfix/html/master.5.html
@@ -16,7 +16,7 @@ MASTER(5)                                                            MASTER(5)
 
        Postfix  services  are  implemented  by  daemon processes.
        These run in the background under control of the <a href="master.8.html"><b>master</b>(8)</a>
-       process.   The  master.cf configuration file defines how a
+       process.   The  <a href="master.5.html">master.cf</a> configuration file defines how a
        client program connects to a service, and what daemon pro-
        gram  runs  when a service is requested.  Most daemon pro-
        cesses are short-lived and terminate after serving <b><a href="postconf.5.html#max_use">max_use</a></b>
@@ -28,17 +28,17 @@ MASTER(5)                                                            MASTER(5)
        <a href="local.8.html"><b>local</b>(8)</a>, <a href="pipe.8.html"><b>pipe</b>(8)</a> or <a href="spawn.8.html"><b>spawn</b>(8)</a> services, or run the  server
        under control by <b>inetd</b>(8) or equivalent.
 
-       After changing master.cf you must execute "<b>postfix reload</b>"
+       After changing <a href="master.5.html">master.cf</a> you must execute "<b>postfix reload</b>"
        to reload the configuration.
 
 <b>SYNTAX</b>
-       The general format of the master.cf file is as follows:
+       The general format of the <a href="master.5.html">master.cf</a> file is as follows:
 
        <b>o</b>      Each logical line defines a single Postfix service.
               Each  service is identified by its name and type as
               described below.  When multiple lines  specify  the
               same  service  name  and type, only the last one is
-              remembered.  Otherwise, the order of master.cf ser-
+              remembered.  Otherwise, the order of <a href="master.5.html">master.cf</a> ser-
               vice definitions does not matter.
 
        <b>o</b>      Empty  lines and whitespace-only lines are ignored,
@@ -51,7 +51,7 @@ MASTER(5)                                                            MASTER(5)
 
        Each  logical  line  consists of eight fields separated by
        whitespace.  These are described below  in  the  order  as
-       they appear in the master.cf file.
+       they appear in the <a href="master.5.html">master.cf</a> file.
 
        Where applicable a field of "-" requests that the built-in
        default value be used. For boolean fields specify  "y"  or
@@ -86,9 +86,9 @@ MASTER(5)                                                            MASTER(5)
 
                      Note: with Postfix  version  2.2  and  later
                      specify "<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> = loopback-only</b>" in
-                     main.cf, instead of hard-coding loopback  IP
-                     address   information  in  master.cf  or  in
-                     main.cf.
+                     <a href="postconf.5.html">main.cf</a>, instead of hard-coding loopback  IP
+                     address   information  in  <a href="master.5.html">master.cf</a>  or  in
+                     <a href="postconf.5.html">main.cf</a>.
 
               <b>unix</b>   The service listens on a UNIX-domain  socket
                      and is accessible for local clients only.
@@ -96,7 +96,7 @@ MASTER(5)                                                            MASTER(5)
                      The  service  name is a pathname relative to
                      the Postfix queue directory  (pathname  con-
                      trolled  with the <b><a href="postconf.5.html#queue_directory">queue_directory</a></b> configura-
-                     tion parameter in main.cf).
+                     tion parameter in <a href="postconf.5.html">main.cf</a>).
 
                      On Solaris systems the <b>unix</b> type  is  imple-
                      mented with streams sockets.
@@ -107,7 +107,7 @@ MASTER(5)                                                            MASTER(5)
                      The service name is a pathname  relative  to
                      the  Postfix  queue directory (pathname con-
                      trolled with the <b><a href="postconf.5.html#queue_directory">queue_directory</a></b>  configura-
-                     tion parameter in main.cf).
+                     tion parameter in <a href="postconf.5.html">main.cf</a>).
 
        <b>Private (default: y)</b>
               Whether  or  not  access  is restricted to the mail
@@ -118,7 +118,7 @@ MASTER(5)                                                            MASTER(5)
               Whether the service runs with root privileges or as
               the owner of the Postfix system (the owner name  is
               controlled by the <b><a href="postconf.5.html#mail_owner">mail_owner</a></b> configuration variable
-              in the main.cf file).
+              in the <a href="postconf.5.html">main.cf</a> file).
 
               The <a href="local.8.html"><b>local</b>(8)</a>,  <a href="pipe.8.html"><b>pipe</b>(8)</a>,  <a href="spawn.8.html"><b>spawn</b>(8)</a>,  and  <a href="virtual.8.html"><b>virtual</b>(8)</a>
               daemons require privileges.
@@ -127,7 +127,7 @@ MASTER(5)                                                            MASTER(5)
               Whether  or  not  the  service runs chrooted to the
               mail queue directory (pathname is controlled by the
               <b><a href="postconf.5.html#queue_directory">queue_directory</a></b>   configuration   variable  in  the
-              main.cf file).
+              <a href="postconf.5.html">main.cf</a> file).
 
               Chroot  should  not  be  used  with  the  <a href="local.8.html"><b>local</b>(8)</a>,
               <a href="pipe.8.html"><b>pipe</b>(8)</a>,    <a href="spawn.8.html"><b>spawn</b>(8)</a>,   and   <a href="virtual.8.html"><b>virtual</b>(8)</a>   daemons.
@@ -136,19 +136,19 @@ MASTER(5)                                                            MASTER(5)
               service in the first place.
 
               The files in the examples/chroot-setup subdirectory
-              of  the  Postfix source archive describe how to set
-              up a Postfix chroot environment for  your  type  of
-              machine,  and  <a href="BASIC_CONFIGURATION_README.html">BASIC_CONFIGURATION_README</a> discusses
-              issues related to running daemons chrooted.
+              of the Postfix source archive show set up a Postfix
+              chroot environment on a  variety  of  systems.  See
+              also  <a href="BASIC_CONFIGURATION_README.html">BASIC_CONFIGURATION_README</a> for issues related
+              to running daemons chrooted.
 
        <b>Wake up time (default: 0)</b>
               Automatically wake up the named service  after  the
               specified  number of seconds. The wake up is imple-
               mented by connecting to the service and  sending  a
               wake  up  request.   A  ? at the end of the wake-up
-              time field requests that wake  up  events  be  sent
-              only  to  services  that  are  actually being used.
-              Specify 0 for no automatic wake up.
+              time field requests that no wake up events be  sent
+              before the service is used.  Specify 0 for no auto-
+              matic wake up.
 
               The <a href="pickup.8.html"><b>pickup</b>(8)</a>, <a href="qmgr.8.html"><b>qmgr</b>(8)</a> and <a href="flush.8.html"><b>flush</b>(8)</a> daemons require
               a wake up timer.
@@ -182,21 +182,21 @@ MASTER(5)                                                            MASTER(5)
 
               <b>-D</b>     Run  the daemon under control by the command
                      specified with the <b><a href="postconf.5.html#debugger_command">debugger_command</a></b> variable
-                     in  the  main.cf  configuration  file.   See
+                     in  the  <a href="postconf.5.html">main.cf</a>  configuration  file.   See
                      <a href="DEBUG_README.html">DEBUG_README</a> for hints and tips.
 
               <b>-o</b> <i>name</i>=<i>value</i>
-                     Override  the  named  main.cf  configuration
+                     Override  the  named  <a href="postconf.5.html">main.cf</a>  configuration
                      parameter.  The parameter value can refer to
                      other parameters as <i>$name</i> etc., just like in
-                     main.cf.  See <a href="postconf.5.html"><b>postconf</b>(5)</a> for syntax.
+                     <a href="postconf.5.html">main.cf</a>.  See <a href="postconf.5.html"><b>postconf</b>(5)</a> for syntax.
 
                      NOTE 1: do not specify whitespace around the
                      "=".  In  parameter  values,  either   avoid
                      whitespace altogether, use commas instead of
                      spaces,  or  consider  overrides  like   "-o
                      name=$override_parameter"     with    $over-
-                     ride_parameter set in main.cf.
+                     ride_parameter set in <a href="postconf.5.html">main.cf</a>.
 
                      NOTE 2: Over-zealous use of parameter  over-
                      rides  makes  the Postfix configuration hard
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index 5f3cfb01c..0600eabab 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -1002,7 +1002,8 @@ the Postfix SMTP client returns such mail as undeliverable.
 
 <p>
 Specify, for example, "<a href="postconf.5.html#best_mx_transport">best_mx_transport</a> = local" to pass the mail
-from the SMTP client to the <a href="local.8.html">local(8)</a> delivery agent. You can specify
+from the Postfix SMTP client to the <a href="local.8.html">local(8)</a> delivery agent. You
+can specify
 any message delivery "transport" or "transport:nexthop" that is
 defined in the <a href="master.5.html">master.cf</a> file. See the <a href="transport.5.html">transport(5)</a> manual page
 for the syntax and meaning of "transport" or "transport:nexthop".
@@ -2858,7 +2859,8 @@ for IPv6. </p>
 <p>
 A better solution for multi-homed firewalls is to leave <a href="postconf.5.html#inet_interfaces">inet_interfaces</a>
 at the default value and instead use explicit IP addresses in
-the <a href="master.5.html">master.cf</a> SMTP server definitions.  This preserves the SMTP client's
+the <a href="master.5.html">master.cf</a> SMTP server definitions.  This preserves the Postfix
+SMTP client's
 loop detection, by ensuring that each side of the firewall knows that the
 other IP address is still the same host. Setting $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> to a
 single IPv4 and/or IPV6 address is primarily useful with virtual
@@ -2949,6 +2951,32 @@ block all mail to a site.
 </p>
 
 
+</DD>
+
+<DT><b><a name="internal_mail_filter_classes">internal_mail_filter_classes</a>
+(default: empty)</b></DT><DD>
+
+<p> What categories of Postfix-generated mail are subject to
+before-queue content inspection by <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a>
+and <a href="postconf.5.html#body_checks">body_checks</a>.  Specify zero or more of the following, separated
+by whitespace or comma.  </p>
+
+<dl>
+
+<dt> <b> bounce </b> </dt> <dd> Inspect the content of delivery
+status notifications. </dd>
+
+<dt> <b> notify </b> </dt> <dd> Inspect the content of postmaster
+notifications by the <a href="smtp.8.html">smtp(8)</a> and <a href="smtpd.8.html">smtpd(8)</a> processes. </dd>
+
+</dl>
+
+<p> NOTE: It's generally not safe to enable content inspection of
+Postfix-generated email messages. The user is warned. </p>
+
+<p> This feature is available in Postfix 2.3 and later. </p>
+
+
 </DD>
 
 <DT><b><a name="invalid_hostname_reject_code">invalid_hostname_reject_code</a>
@@ -3528,6 +3556,17 @@ Enable SASL authentication in the Postfix LMTP client.
 </p>
 
 
+</DD>
+
+<DT><b><a name="lmtp_sasl_auth_enforce">lmtp_sasl_auth_enforce</a>
+(default: yes)</b></DT><DD>
+
+<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_sasl_auth_enforce">smtp_sasl_auth_enforce</a>
+configuration parameter.  See there for details. </p>
+
+<p> This feature is available in Postfix 2.3 and later. </p>
+
+
 </DD>
 
 <DT><b><a name="lmtp_sasl_mechanism_filter">lmtp_sasl_mechanism_filter</a>
@@ -4144,8 +4183,8 @@ lists: Postfix needs to know only if a lookup string is found or
 not, but it does not use the result from table lookup.  </p>
 
 <p>
-If this parameter is non-empty (the default), then the Postfix SMTP server
-will reject mail for unknown local users.
+If this parameter is non-empty (the default), then the Postfix SMTP
+server will reject mail for unknown local users.
 </p>
 
 <p>
@@ -6802,8 +6841,8 @@ the word "ESMTP" appears in the server greeting banner (example:
 (default: empty)</b></DT><DD>
 
 <p>
-An optional numerical network address that the SMTP client should
-bind to when making an IPv4 connection.
+An optional numerical network address that the Postfix SMTP client
+should bind to when making an IPv4 connection.
 </p>
 
 <p>
@@ -6833,8 +6872,8 @@ but this form is not recommended here. </p>
 (default: empty)</b></DT><DD>
 
 <p>
-An optional numerical network address that the SMTP client should
-bind to when making an IPv6 connection.
+An optional numerical network address that the Postfix SMTP client
+should bind to when making an IPv6 connection.
 </p>
 
 <p> This feature is available in Postfix 2.2 and later. </p>
@@ -6887,7 +6926,8 @@ zero (use the operating system built-in time limit).
 </p>
 
 <p>
-When no connection can be made within the deadline, the SMTP client
+When no connection can be made within the deadline, the Postfix
+SMTP client
 tries the next address on the mail exchanger list. Specify 0 to
 disable the time limit (i.e. use whatever timeout is implemented by
 the operating system).
@@ -7078,7 +7118,7 @@ The default time unit is s (seconds).
 <p>
 The SMTP client time limit for sending the SMTP message content.
 When the connection makes no progress for more than $<a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a>
-seconds the SMTP client terminates the transfer.
+seconds the Postfix SMTP client terminates the transfer.
 </p>
 
 <p>
@@ -7145,7 +7185,7 @@ into concurrency per recipient.  </p>
 
 <p> Lookup tables, indexed by the remote SMTP server address, with
 case insensitive lists of EHLO keywords (pipelining, starttls, auth,
-etc.) that the SMTP client will ignore in the EHLO response from a
+etc.) that the Postfix SMTP client will ignore in the EHLO response from a
 remote SMTP server. See <a href="postconf.5.html#smtp_discard_ehlo_keywords">smtp_discard_ehlo_keywords</a> for details. The
 table is not indexed by hostname for consistency with
 <a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a>. </p>
@@ -7159,8 +7199,8 @@ table is not indexed by hostname for consistency with
 (default: empty)</b></DT><DD>
 
 <p> A case insensitive list of EHLO keywords (pipelining, starttls,
-auth, etc.) that the SMTP client will ignore in the EHLO response
-from a remote SMTP server. </p>
+auth, etc.) that the Postfix SMTP client will ignore in the EHLO
+response from a remote SMTP server. </p>
 
 <p> This feature is available in Postfix 2.2 and later. </p>
 
@@ -7300,7 +7340,7 @@ The default time unit is s (seconds).
 (default: dns)</b></DT><DD>
 
 <p>
-What mechanisms when the SMTP client uses to look up a host's IP
+What mechanisms when the Postfix SMTP client uses to look up a host's IP
 address.  This parameter is ignored when DNS lookups are disabled.
 </p>
 
@@ -7550,6 +7590,19 @@ Example:
 </pre>
 
 
+</DD>
+
+<DT><b><a name="smtp_sasl_auth_enforce">smtp_sasl_auth_enforce</a>
+(default: yes)</b></DT><DD>
+
+<p> If sender-dependent SASL passwords are turned off, defer mail
+delivery when an SMTP server does not support SASL authentication,
+while <a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> contains SASL login/password information
+for that server.  </p>
+
+<p> This feature is available in Postfix 2.3 and later. </p>
+
+
 </DD>
 
 <DT><b><a name="smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a>
@@ -7705,8 +7758,8 @@ for authentication.  The available types are listed with the
 (default: no)</b></DT><DD>
 
 <p>
-Send the non-standard XFORWARD command when the Postfix SMTP server EHLO
-response announces XFORWARD support.
+Send the non-standard XFORWARD command when the Postfix SMTP server
+EHLO response announces XFORWARD support.
 </p>
 
 <p>
@@ -7728,7 +7781,7 @@ This feature is available in Postfix 2.1 and later.
 (default: no)</b></DT><DD>
 
 <p>
-Enable sender-dependent authentication in the SMTP client; this is
+Enable sender-dependent authentication in the Postfix SMTP client; this is
 available only with SASL authentication, and disables SMTP connection
 caching to ensure that mail from different senders will use the
 appropriate credentials.  </p>
@@ -7897,7 +7950,7 @@ hence pass the "openssl verify -purpose sslclient ..." test. </p>
 (default: empty)</b></DT><DD>
 
 <p> Obsolete Postfix &lt; 2.3 control for the Postfix SMTP client TLS
-cipher list. As this feature applies to all security levels, it is easy
+cipher list. As this feature applies to all TLS security levels, it is easy
 to create inter-operability problems by choosing a non-default cipher
 list. Do not use a non-default TLS cipher list on hosts that deliver email
 to the public Internet: you will be unable to send email to servers that
@@ -7951,7 +8004,7 @@ specified with $<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file<
 <DT><b><a name="smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
 (default: yes)</b></DT><DD>
 
-<p> When TLS encryption is enforced, require that the remote SMTP
+<p> With mandatory TLS encryption, require that the remote SMTP
 server hostname matches the information in the remote SMTP server
 certificate.  As of <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a> the requirements for hostname checking
 for MTA clients are not specified. </p>
@@ -7974,8 +8027,9 @@ Postfix 2.3 and later use <a href="postconf.5.html#smtp_tls_security_level">smtp
 <DT><b><a name="smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a>
 (default: empty)</b></DT><DD>
 
-<p> List of ciphers or cipher types to exclude from the SMTP client cipher
-list at all security levels. This is not an OpenSSL cipherlist, it is
+<p> List of ciphers or cipher types to exclude from the Postfix
+SMTP client cipher
+list at all TLS security levels. This is not an OpenSSL cipherlist, it is
 a simple list separated by whitespace and/or commas. The elements are a
 single cipher, or one or more "+" separated cipher properties, in which
 case only ciphers matching <b>all</b> the properties are excluded. </p>
@@ -8057,12 +8111,13 @@ loglevel 4 is strongly discouraged. </p>
 <DT><b><a name="smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>
 (default: medium)</b></DT><DD>
 
-<p> The minimum SMTP client TLS cipher grade that is strong enough to
-be used with the "encrypt" security level and higher.  The default
-value "medium" is suitable for most destinations with which you may
-want to enforce TLS, and is beyond the reach of today's crypt-analytic
-methods. See <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> for information on how to configure
-ciphers on a per-destination basis. </p>
+<p> The minimum TLS cipher grade that the Postfix SMTP client will
+use with
+mandatory TLS encryption.  The default value "medium" is suitable
+for most destinations with which you may want to enforce TLS, and
+is beyond the reach of today's crypt-analytic methods. See
+<a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> for information on how to configure ciphers
+on a per-destination basis. </p>
 
 <p> The following cipher grades are supported: </p>
 
@@ -8132,11 +8187,10 @@ encryption or authentication). </dd>
 <DT><b><a name="smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>
 (default: empty)</b></DT><DD>
 
-<p> List of ciphers or cipher types to exclude from the SMTP client
-cipher list at the mandatory TLS security levels: "encrypt", "verify"
-and "secure". See <a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> for syntax details. When
-both "exclude" parameters are defined, the combined list of ciphers is
-excluded (provided the TLS security level is "encrypt" or higher). </p>
+<p> Additional list of ciphers or cipher types to exclude from the
+SMTP client cipher list at mandatory TLS security levels. This list
+works in addition to the exclusions listed with <a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a>
+(see there for syntax details).  </p>
 
 <p> This feature is available in Postfix 2.3 and later. </p>
 
@@ -8146,8 +8200,8 @@ excluded (provided the TLS security level is "encrypt" or higher). </p>
 <DT><b><a name="smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>
 (default: SSLv3, TLSv1)</b></DT><DD>
 
-<p> List of TLS protocol versions that are secure enough to be used
-with the "encrypt" security level and higher. In <a href="postconf.5.html">main.cf</a> the values
+<p> List of TLS protocols that the Postfix SMTP client will use
+with mandatory TLS encryption.  In <a href="postconf.5.html">main.cf</a> the values
 are separated by whitespace, commas or colons. In the policy table
 (see <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>) the only valid separator is colon. An
 empty value means allow all protocols. The valid protocol names,
@@ -8434,9 +8488,10 @@ example.net     secure match=example.com:.example.com
 <DT><b><a name="smtp_tls_security_level">smtp_tls_security_level</a>
 (default: empty)</b></DT><DD>
 
-<p> The default SMTP TLS security level for all destinations; when
-a non-empty value is specified, this overrides the obsolete parameters
-<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.  </p>
+<p> The default SMTP TLS security level for the Postfix SMTP client;
+when a non-empty value is specified, this overrides the obsolete
+parameters <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
+</p>
 
 <p> Specify one of the following security levels: </p>
 
@@ -9434,19 +9489,20 @@ applies in the context of the SMTP END-OF-DATA command. </p>
 <DT><b><a name="smtpd_enforce_tls">smtpd_enforce_tls</a>
 (default: no)</b></DT><DD>
 
-<p> Enforcement mode: announce STARTTLS support to SMTP clients,
+<p> Mandatory TLS: announce STARTTLS support to SMTP clients,
 and require that clients use TLS encryption.  According to <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a>
 this MUST NOT be applied in case of a publicly-referenced SMTP
 server.  This option is off by default and should be used only on
 dedicated servers. </p>
 
-<p> Note 1: this mode implies "<a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> = yes". </p>
+<p> Note 1: "<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes" implies "<a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> = yes". </p>
 
 <p> Note 2: when invoked via "<b>sendmail -bs</b>", Postfix will never offer
 STARTTLS due to insufficient privileges to access the server private
 key. This is intended behavior. </p>
 
-<p> This feature is available in Postfix 2.2 and later.  </p>
+<p> This feature is available in Postfix 2.2 and later. With
+Postfix 2.3 and later use <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> instead. </p>
 
 
 </DD>
@@ -9763,7 +9819,7 @@ null sender address.
 <DT><b><a name="smtpd_peername_lookup">smtpd_peername_lookup</a>
 (default: yes)</b></DT><DD>
 
-<p> Attempt to look up the SMTP client hostname, and verify that
+<p> Attempt to look up the Postfix SMTP client hostname, and verify that
 the name matches the client IP address. A client name is set to
 "unknown" when it cannot be looked up or verified, or when name
 lookup is disabled.  Turning off name lookup reduces delays due to
@@ -10208,7 +10264,8 @@ is <b>smtpd</b>, corresponding to a SASL configuration file named
 </p>
 
 <p>
-This feature is available in Postfix 2.1 and later.
+This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3
+it was renamed to <a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a>.
 </p>
 
 
@@ -10333,7 +10390,8 @@ the SASL plug-in implementation that is selected with
 <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b>.  Typically this specifies the name of a
 configuration file or rendezvous point. </p>
 
-<p> This feature is available in Postfix 2.3 and later. </p>
+<p> This feature is available in Postfix 2.3 and later. In earlier
+releases it was called smtpd_sasl_application. </p>
 
 
 </DD>
@@ -10780,15 +10838,15 @@ able to authenticate the server, but unless it is running Postfix 2.3 or
 similar software, it will still insist on a server certificate. </p>
 
 <p> For servers that are <b>not</b> public Internet MX hosts, Postfix
-2.3 supports configurations with no certificates. This entails the use
-of just the anonymous TLS ciphers, which are not supported by typical
-SMTP clients. Since such clients will not, as a rule, fall back to plain
-text after a TLS handshake failure, the server will be unable to receive
-email from TLS enabled clients. To avoid accidental configurations with
-no certificates, Postfix 2.3 enables certificate-less operation only
-when the administrator explicitly sets "<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = none". This
-ensures that new Postfix configurations with just "<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes"
-added, will not accidentally run with no certificates. </p>
+2.3 supports configurations with no certificates. This entails the
+use of just the anonymous TLS ciphers, which are not supported by
+typical SMTP clients. Since such clients will not, as a rule, fall
+back to plain text after a TLS handshake failure, the server will
+be unable to receive email from TLS enabled clients. To avoid
+accidental configurations with no certificates, Postfix 2.3 enables
+certificate-less operation only when the administrator explicitly
+sets "<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = none". This ensures that new Postfix
+configurations will not accidentally run with no certificates. </p>
 
 <p> Both RSA and DSA certificates are supported.  When both types
 are present, the cipher used determines which certificate will be
@@ -10841,81 +10899,7 @@ clients. </p>
 <p> <b>Note:</b> do not use "" quotes around the parameter value. </p>
 
 <p>This feature is available with Postfix version 2.2. It is not used with
-Postfix 2.3 and later; use <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a> instead. </p>
-
-
-</DD>
-
-<DT><b><a name="smtpd_tls_ciphers">smtpd_tls_ciphers</a>
-(default: export)</b></DT><DD>
-
-<p> The minimum acceptable SMTP server TLS cipher grade. It is easy to
-create inter-operability problems by choosing a non-default cipher grade.
-Do not use a stronger than default minimum cipher grade for MX hosts on
-the public Internet. Clients that begin the TLS handshake, but are unable
-to agree on a common cipher, may not be able to send any email to the
-SMTP server. Using a restricted cipher list may be more appropriate for a
-dedicated MSA or an internal mailhub, where one can exert some control over
-the TLS software and settings of the connecting clients. Configurations
-with no certificates are also not likely to inter-operate with most
-clients, see the notes for "<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>". </p>
-
-<p> The following cipher grades are supported: </p>
-
-<dl>
-<dt><b>export</b></dt>
-<dd> Enable the mainstream "EXPORT" grade or better OpenSSL ciphers.
-This is the most appropriate setting for public MX hosts. The underlying
-cipherlist is specified via the <a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> configuration
-parameter, which you are strongly encouraged to not change. The default
-value of <a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> includes anonymous ciphers, but these
-are automatically filtered out if the server is configured to ask for
-client certificates. If you must always exclude anonymous ciphers,
-set "<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> = aNULL". </dd>
-
-<dt><b>low</b></dt>
-<dd> Enable the mainstream "LOW" grade or better OpenSSL ciphers.  This
-setting is only appropriate for internal mail servers.  The underlying
-cipherlist is specified via the <a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> configuration
-parameter, which you are strongly encouraged to not change. The default
-value of <a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> includes anonymous ciphers, but these
-are automatically filtered out if the server is configured to ask for
-client certificates. If you must always exclude anonymous ciphers,
-set "<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> = aNULL". </dd>
-
-<dt><b>medium</b></dt>
-<dd> Enable the mainstream "MEDIUM" grade or better OpenSSL ciphers.  This
-setting is only appropriate for internal mail servers.  The underlying
-cipherlist is specified via the <a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> configuration
-parameter, which you are strongly encouraged to not change. The default
-value of <a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> includes anonymous ciphers, but these
-are automatically filtered out if the server is configured to ask for
-client certificates. If you must always exclude anonymous ciphers,
-set "<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> = aNULL". </dd>
-
-<dt><b>high</b></dt>
-<dd> Enable only the mainstream "HIGH" grade OpenSSL ciphers.  This
-setting is only appropriate for internal mail servers.  The underlying
-cipherlist is specified via the <a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a> configuration
-parameter, which you are strongly encouraged to not change. The default
-value of <a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a> includes anonymous ciphers, but these
-are automatically filtered out if the server is configured to ask for
-client certificates. If you must always exclude anonymous ciphers, set
-"<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> = aNULL". </dd>
-
-<dt><b>null</b></dt>
-<dd> Enable only the "NULL" OpenSSL ciphers, these provide authentication
-without encryption.  This setting is only appropriate in the rare
-case that all clients are prepared to use NULL ciphers (not normally
-enabled in TLS clients). The underlying cipherlist is specified via the
-<a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> configuration parameter, which you are strongly
-encouraged to not change. The default value of <a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a>
-excludes anonymous ciphers (OpenSSL 0.9.8 has NULL ciphers that offer
-data integrity without encryption or authentication). </dd>
-
-</dl>
-
-<p> This feature is available in Postfix 2.3 and later. </p>
+Postfix 2.3 and later; use <a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> instead. </p>
 
 
 </DD>
@@ -10956,7 +10940,7 @@ openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024
 
 <p> Your actual source for entropy may differ. Some systems have
 /dev/random; on other system you may consider using the "Entropy
-Gathering Daemon EGD", available at <a href="http://www.lothar.com/tech/crypto/">http://www.lothar.com/tech/crypto/</a>.
+Gathering Daemon EGD", available at <a href="http://egd.sourceforge.net/">http://egd.sourceforge.net/</a>
 </p>
 
 <p> Example: </p>
@@ -11009,10 +10993,12 @@ must be accessible without password. </p>
 (default: empty)</b></DT><DD>
 
 <p> List of ciphers or cipher types to exclude from the SMTP server
-cipher list. This is not an OpenSSL cipherlist; it is a simple list
-separated by whitespace and/or commas. The elements are a single
-cipher, or one or more "+" separated cipher properties, in which
-case only ciphers matching <b>all</b> the properties are excluded. </p>
+cipher list at all TLS security levels. Excluding valid ciphers
+can create interoperability problems. DO NOT exclude ciphers unless it
+is essential to do so. This is not an OpenSSL cipherlist; it is a simple
+list separated by whitespace and/or commas. The elements are a single
+cipher, or one or more "+" separated cipher properties, in which case
+only ciphers matching <b>all</b> the properties are excluded. </p>
 
 <p> Examples (some of these will cause problems): </p>
 
@@ -11080,25 +11066,115 @@ loglevel 4 is strongly discouraged. </p>
 
 </DD>
 
-<DT><b><a name="smtpd_tls_protocols">smtpd_tls_protocols</a>
+<DT><b><a name="smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>
+(default: medium)</b></DT><DD>
+
+<p> The minimum TLS cipher grade that the Postfix SMTP server will
+use with mandatory
+TLS encryption. Cipher types listed in <a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a>
+or <a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> are excluded from the base definition
+of the selected cipher grade. With opportunistic TLS encryption,
+the "export" grade is used unconditionally with exclusions specified
+only via <a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a>. </p>
+
+<p> The following cipher grades are supported: </p>
+
+<dl>
+<dt><b>export</b></dt>
+<dd> Enable the mainstream "EXPORT" grade or better OpenSSL ciphers.
+This is the most appropriate setting for public MX hosts, and is always
+used with opportunistic TLS encryption. The underlying cipherlist
+is specified via the <a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> configuration parameter,
+which you are strongly encouraged to not change. The default value
+of <a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> includes anonymous ciphers, but these are
+automatically filtered out if the server is configured to ask for
+client certificates. If you must always exclude anonymous ciphers,
+set "<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> = aNULL". To exclude anonymous ciphers
+only when TLS is enforced, set "<a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> =
+aNULL". </dd>
+
+<dt><b>low</b></dt>
+<dd> Enable the mainstream "LOW" grade or better OpenSSL ciphers. The
+underlying cipherlist is specified via the <a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a>
+configuration parameter, which you are strongly encouraged to
+not change. The default value of <a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> includes
+anonymous ciphers, but these are automatically filtered out if the
+server is configured to ask for client certificates. If you must
+always exclude anonymous ciphers, set "<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> =
+aNULL". To exclude anonymous ciphers only when TLS is enforced, set
+"<a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> = aNULL". </dd>
+
+<dt><b>medium</b></dt>
+<dd> Enable the mainstream "MEDIUM" grade or better OpenSSL ciphers. These
+are essentially the 128-bit or stronger ciphers. This is the default
+minimum strength for mandatory TLS encryption. MSAs that enforce
+TLS and have clients that do not support any "MEDIUM" or "HIGH"
+grade ciphers, may need to configure a weaker ("low" or "export")
+minimum cipher grade. The underlying cipherlist is specified via the
+<a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> configuration parameter, which you are strongly
+encouraged to not change. The default value of <a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a>
+includes anonymous ciphers, but these are automatically filtered out if
+the server is configured to ask for client certificates. If you must
+always exclude anonymous ciphers, set "<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> =
+aNULL". To exclude anonymous ciphers only when TLS is enforced, set
+"<a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> = aNULL". </dd>
+
+<dt><b>high</b></dt>
+<dd> Enable only the mainstream "HIGH" grade OpenSSL ciphers. The
+underlying cipherlist is specified via the <a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a>
+configuration parameter, which you are strongly encouraged to
+not change. The default value of <a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a> includes
+anonymous ciphers, but these are automatically filtered out if the
+server is configured to ask for client certificates. If you must
+always exclude anonymous ciphers, set "<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> =
+aNULL". To exclude anonymous ciphers only when TLS is enforced, set
+"<a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> = aNULL". </dd>
+
+<dt><b>null</b></dt>
+<dd> Enable only the "NULL" OpenSSL ciphers, these provide authentication
+without encryption.  This setting is only appropriate in the rare
+case that all clients are prepared to use NULL ciphers (not normally
+enabled in TLS clients). The underlying cipherlist is specified via the
+<a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> configuration parameter, which you are strongly
+encouraged to not change. The default value of <a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a>
+excludes anonymous ciphers (OpenSSL 0.9.8 has NULL ciphers that offer
+data integrity without encryption or authentication). </dd>
+
+</dl>
+
+<p> This feature is available in Postfix 2.3 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a>
 (default: empty)</b></DT><DD>
 
-<p> The list of TLS protocols supported by the server. If empty the
-default list of protocols is used (i.e. all TLS protocol versions are
-supported). Any non-empty value is interpreted as a list of protocol
-names separated by whitespace, commas or colons. The supported protocol
-names are "SSLv2", "SSLv3" and "TLSv1", and are not
-case-sensitive. </p>
+<p> Additional list of ciphers or cipher types to exclude from the
+SMTP server cipher list at mandatory TLS security levels. This list
+works in addition to the exclusions listed with <a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a>
+(see there for syntax details).  </p>
+
+<p> This feature is available in Postfix 2.3 and later. </p>
 
-<p> DO NOT set this to a non-default value on an MX-host,
-as some clients may not support any of the narrower set of protocols,
-and may be unable to fallback to plaintext sessions. If you restrict
-the protocol list on an MX host, you may lose mail. </p>
+
+</DD>
+
+<DT><b><a name="smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a>
+(default: SSLv3, TLSv1)</b></DT><DD>
+
+<p> The TLS protocols accepted by the Postfix SMTP server with
+mandatory TLS encryption.  With opportunistic TLS encryption, all
+protocols are always accepted. If the list is empty, the server
+supports all available TLS protocol versions.  A non-empty value
+is a list of protocol names separated by whitespace, commas or
+colons. The supported protocol names are "SSLv2", "SSLv3" and
+"TLSv1", and are not case sensitive. </p>
 
 <p> Example: </p>
 
 <pre>
-<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> = SSLv3, TLSv1
+<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = SSLv3, TLSv1
 </pre>
 
 <p> This feature is available in Postfix 2.3 and later. </p>
@@ -11124,7 +11200,7 @@ that was recorded by the final destination can be trusted. </p>
 <DT><b><a name="smtpd_tls_req_ccert">smtpd_tls_req_ccert</a>
 (default: no)</b></DT><DD>
 
-<p> When TLS encryption is enforced, require a remote SMTP client
+<p> With mandatory TLS encryption, require a remote SMTP client
 certificate in order to allow TLS connections to proceed.  This
 option implies "<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> = yes". </p>
 
@@ -11134,6 +11210,50 @@ a warning written to the mail log. </p>
 <p> This feature is available in Postfix 2.2 and later.  </p>
 
 
+</DD>
+
+<DT><b><a name="smtpd_tls_security_level">smtpd_tls_security_level</a>
+(default: empty)</b></DT><DD>
+
+<p> The SMTP TLS security level for the Postfix SMTP server; when
+a non-empty value is specified, this overrides the obsolete parameters
+<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>. This parameter is ignored with
+"<a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a> = yes".  </p>
+
+<p> Specify one of the following security levels: </p>
+
+<dl>
+
+<dt><b>none</b></dt> <dd> TLS will not be used. </dd>
+
+<dt><b>may</b></dt> <dd> Opportunistic TLS: announce STARTTLS support
+to SMTP clients, but do not require that clients use TLS encryption.
+</dd>
+
+<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption: announce
+STARTTLS support to SMTP clients, and require that clients use TLS
+encryption. According to <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a> this MUST NOT be applied in case
+of a publicly-referenced SMTP server. Instead, this option should
+be used only on dedicated servers. </dd>
+
+</dl>
+
+<p> Note 1: the "verify" and "secure" levels are not supported.
+The Postfix SMTP server logs a warning and uses "encrypt" instead.
+To verify SMTP client certificates, see <a href="TLS_README.html">TLS_README</a> for a discussion
+of the <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>, <a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a>, and <a href="postconf.5.html#permit_tls_clientcerts">permit_tls_clientcerts</a>
+features.  </p>
+
+<p> Note 2: The parameter setting "<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> =
+encrypt" implies "<a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> = yes".</p>
+
+<p> Note 3: when invoked via "sendmail -bs", Postfix will never
+offer STARTTLS due to insufficient privileges to access the server
+private key. This is intended behavior.</p>
+
+<p> This feature is available in Postfix 2.3 and later. </p>
+
+
 </DD>
 
 <DT><b><a name="smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a>
@@ -11200,14 +11320,15 @@ purpose. </p>
 <DT><b><a name="smtpd_use_tls">smtpd_use_tls</a>
 (default: no)</b></DT><DD>
 
-<p> Opportunistic mode: announce STARTTLS support to SMTP clients,
+<p> Opportunistic TLS: announce STARTTLS support to SMTP clients,
 but do not require that clients use TLS encryption. </p>
 
 <p> Note: when invoked via "<b>sendmail -bs</b>", Postfix will never offer
 STARTTLS due to insufficient privileges to access the server private
 key. This is intended behavior. </p>
 
-<p> This feature is available in Postfix 2.2 and later.  </p>
+<p> This feature is available in Postfix 2.2 and later. With
+Postfix 2.3 and later use <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> instead. </p>
 
 
 </DD>
@@ -11460,7 +11581,7 @@ bytes (equivalent to 256 bits) is sufficient to generate a 128bit
 (default: ALL:+RC4:@STRENGTH)</b></DT><DD>
 
 <p> The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This
-defines the meaning of the "export" setting in <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>,
+defines the meaning of the "export" setting in <a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>,
 <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> and <a href="postconf.5.html#lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>. This is
 the cipherlist for the opportunistic ("may") TLS client security
 level and is the default cipherlist for the SMTP server. You are
@@ -11475,7 +11596,7 @@ strongly encouraged to not change this setting. </p>
 (default: !EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH)</b></DT><DD>
 
 <p> The OpenSSL cipherlist for "HIGH" grade ciphers. This defines
-the meaning of the "high" setting in <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>,
+the meaning of the "high" setting in <a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>,
 <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> and <a href="postconf.5.html#lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>. You are
 strongly encouraged to not change this setting. </p>
 
@@ -11488,7 +11609,7 @@ strongly encouraged to not change this setting. </p>
 (default: !EXPORT:ALL:+RC4:@STRENGTH)</b></DT><DD>
 
 <p> The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines
-the meaning of the "low" setting in <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>,
+the meaning of the "low" setting in <a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>,
 <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> and <a href="postconf.5.html#lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>. You are
 strongly encouraged to not change this setting. </p>
 
@@ -11501,7 +11622,7 @@ strongly encouraged to not change this setting. </p>
 (default: !EXPORT:!LOW:ALL:+RC4:@STRENGTH)</b></DT><DD>
 
 <p> The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers. This
-defines the meaning of the "medium" setting in <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>,
+defines the meaning of the "medium" setting in <a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>,
 <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> and <a href="postconf.5.html#lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>. This is
 the default cipherlist for mandatory TLS encryption in the TLS
 client (with anonymous ciphers disabled when verifying server
@@ -11518,7 +11639,7 @@ setting. </p>
 
 <p> The OpenSSL cipherlist for "NULL" grade ciphers that provide
 authentication without encryption. This defines the meaning of the "null"
-setting in <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>, <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> and
+setting in smtpd_mandatory_tls_ciphers, <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> and
 <a href="postconf.5.html#lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>.  You are strongly encouraged to not
 change this setting. </p>
 
diff --git a/postfix/html/relocated.5.html b/postfix/html/relocated.5.html
index bc82e5b50..f3d27d524 100644
--- a/postfix/html/relocated.5.html
+++ b/postfix/html/relocated.5.html
@@ -91,7 +91,7 @@ RELOCATED(5)                                                      RELOCATED(5)
        <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a> or <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a>. For a description of the
        TCP client/server table lookup protocol, see <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>.
        This feature is not available up to and including  Postfix
-       version 2.2.
+       version 2.3.
 
        Each  pattern  is  a regular expression that is applied to
        the entire address being looked up. Thus, <i>user@domain</i> mail
@@ -112,7 +112,7 @@ RELOCATED(5)                                                      RELOCATED(5)
        lookups are directed to a TCP-based server. For a descrip-
        tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
        <a href="tcp_table.5.html"><b>ble</b>(5)</a>.  This feature is not available up to and including
-       Postfix version 2.2.
+       Postfix version 2.3.
 
        Each lookup operation uses the entire address once.  Thus,
        <i>user@domain</i> mail addresses are not broken  up  into  their
diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html
index f4ce54915..ca2302a55 100644
--- a/postfix/html/smtp.8.html
+++ b/postfix/html/smtp.8.html
@@ -206,14 +206,14 @@ SMTP(8)                                                                SMTP(8)
               Lookup tables, indexed by the  remote  SMTP  server
               address,  with  case insensitive lists of EHLO key-
               words (pipelining, starttls, auth, etc.)  that  the
-              SMTP client will ignore in the EHLO response from a
-              remote SMTP server.
+              Postfix   SMTP  client  will  ignore  in  the  EHLO
+              response from a remote SMTP server.
 
        <b><a href="postconf.5.html#smtp_discard_ehlo_keywords">smtp_discard_ehlo_keywords</a> (empty)</b>
               A case insensitive list of EHLO keywords  (pipelin-
-              ing,  starttls,  auth,  etc.)  that the SMTP client
-              will ignore in the EHLO response from a remote SMTP
-              server.
+              ing,  starttls,  auth,  etc.) that the Postfix SMTP
+              client will ignore in  the  EHLO  response  from  a
+              remote SMTP server.
 
        <b><a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a> (empty)</b>
               Optional lookup tables that perform address rewrit-
@@ -293,12 +293,19 @@ SMTP(8)                                                                SMTP(8)
 
        Available in Postfix version 2.3 and later:
 
+       <b><a href="postconf.5.html#smtp_sasl_auth_enforce">smtp_sasl_auth_enforce</a> (yes)</b>
+              If sender-dependent SASL passwords are turned  off,
+              defer  mail  delivery  when an SMTP server does not
+              support SASL authentication, while  <a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_pass</a>-
+              <a href="postconf.5.html#smtp_sasl_password_maps">word_maps</a>  contains SASL login/password information
+              for that server.
+
        <b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b>
-              Enable sender-dependent authentication in the  SMTP
-              client;  this is available only with SASL authenti-
-              cation, and disables  SMTP  connection  caching  to
-              ensure  that  mail  from different senders will use
-              the appropriate credentials.
+              Enable sender-dependent authentication in the Post-
+              fix  SMTP  client; this is available only with SASL
+              authentication,  and   disables   SMTP   connection
+              caching  to ensure that mail from different senders
+              will use the appropriate credentials.
 
        <b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b>
               Implementation-specific information that is  passed
@@ -314,82 +321,72 @@ SMTP(8)                                                                SMTP(8)
        found in the <a href="TLS_README.html">TLS_README</a> document.
 
        <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
-              The default SMTP TLS security level for all  desti-
-              nations;  when a non-empty value is specified, this
-              overrides  the  obsolete  parameters  <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>,
-              <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
+              The default SMTP TLS security level for the Postfix
+              SMTP  client;  when a non-empty value is specified,
+              this    overrides    the    obsolete     parameters
+              <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>,         <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>,         and
+              <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
 
        <b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>           ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_secu</a>-</b>
        <b><a href="postconf.5.html#smtp_sasl_security_options">rity_options</a>)</b>
-              The  SASL  authentication security options that the
-              Postfix SMTP client uses  for  TLS  encrypted  SMTP
+              The SASL authentication security options  that  the
+              Postfix  SMTP  client  uses  for TLS encrypted SMTP
               sessions.
 
        <b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b>
-              Time  limit  for Postfix SMTP client write and read
-              operations during TLS startup  and  shutdown  hand-
+              Time limit for Postfix SMTP client write  and  read
+              operations  during  TLS  startup and shutdown hand-
               shake procedures.
 
        <b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
-              The  file with the certificate of the certification
-              authority (CA) that issued the Postfix SMTP  client
+              The file with the certificate of the  certification
+              authority  (CA) that issued the Postfix SMTP client
               certificate.
 
        <b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
-              Directory  with  PEM  format  certificate authority
-              certificates that the Postfix SMTP client  uses  to
+              Directory with  PEM  format  certificate  authority
+              certificates  that  the Postfix SMTP client uses to
               verify a remote SMTP server certificate.
 
        <b><a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> (empty)</b>
-              File  with  the Postfix SMTP client RSA certificate
+              File with the Postfix SMTP client  RSA  certificate
               in PEM format.
 
        <b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b>
-              The minimum SMTP client TLS cipher  grade  that  is
-              strong  enough  to be used with the "encrypt" secu-
-              rity level and higher.
+              The  minimum TLS cipher grade that the Postfix SMTP
+              client will use with mandatory TLS encryption.
 
        <b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b>
               List of ciphers or cipher types to exclude from the
-              SMTP client cipher list at all security levels.
+              Postfix SMTP client cipher list at all TLS security
+              levels.
 
        <b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b>
-              List of ciphers or cipher types to exclude from the
-              SMTP client cipher list at the mandatory TLS  secu-
-              rity levels: "encrypt", "verify" and "secure".
+              Additional list  of  ciphers  or  cipher  types  to
+              exclude  from the SMTP client cipher list at manda-
+              tory TLS security levels.
 
        <b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b>
-              File  with  the Postfix SMTP client DSA certificate
+              File with the Postfix SMTP client  DSA  certificate
               in PEM format.
 
        <b><a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b>
-              File with the Postfix SMTP client DSA  private  key
+              File  with  the Postfix SMTP client DSA private key
               in PEM format.
 
        <b><a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b>
-              File  with  the Postfix SMTP client RSA private key
+              File with the Postfix SMTP client RSA  private  key
               in PEM format.
 
        <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
-              Enable additional Postfix SMTP  client  logging  of
+              Enable  additional  Postfix  SMTP client logging of
               TLS activity.
 
        <b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b>
-              Log  the  hostname  of  a  remote  SMTP server that
-              offers STARTTLS, when TLS is  not  already  enabled
+              Log the hostname  of  a  remote  SMTP  server  that
+              offers  STARTTLS,  when  TLS is not already enabled
               for that server.
 
-       <b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b>
-              Optional lookup tables with the Postfix SMTP client
-              TLS security policy by next-hop destination; when a
-              non-empty  value  is  specified, this overrides the
-              obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
-
-       <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
-              List of  TLS  protocol  versions  that  are  secure
-              enough to be used with the "encrypt" security level
-              and higher.
-
        <b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (5)</b>
               The verification depth for remote SMTP server  cer-
               tificates.
@@ -460,7 +457,7 @@ SMTP(8)                                                                SMTP(8)
               clear.
 
        <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
-              When TLS encryption is enforced, require  that  the
+              With mandatory TLS  encryption,  require  that  the
               remote SMTP server hostname matches the information
               in the remote SMTP server certificate.
 
@@ -469,30 +466,34 @@ SMTP(8)                                                                SMTP(8)
               TLS  usage  policy  by  next-hop destination and by
               remote SMTP server hostname.
 
+       <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
+              Obsolete Postfix &lt; 2.3 control for the Postfix SMTP
+              client TLS cipher list.
+
 <b>RESOURCE AND RATE CONTROLS</b>
        <b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a>      ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destina</a>-</b>
        <b><a href="postconf.5.html#default_destination_concurrency_limit">tion_concurrency_limit</a>)</b>
-              The maximal number of parallel  deliveries  to  the
-              same  destination  via  the  smtp  message delivery
+              The  maximal  number  of parallel deliveries to the
+              same destination  via  the  smtp  message  delivery
               transport.
 
        <b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a>        ($<a href="postconf.5.html#default_destination_recipient_limit">default_destina</a>-</b>
        <b><a href="postconf.5.html#default_destination_recipient_limit">tion_recipient_limit</a>)</b>
-              The maximal number of recipients per  delivery  via
+              The  maximal  number of recipients per delivery via
               the smtp message delivery transport.
 
        <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
-              The  SMTP  client  time  limit for completing a TCP
+              The SMTP client time limit  for  completing  a  TCP
               connection,  or  zero  (use  the  operating  system
               built-in time limit).
 
        <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
-              The  SMTP client time limit for sending the HELO or
-              EHLO command, and for receiving the initial  server
+              The SMTP client time limit for sending the HELO  or
+              EHLO  command, and for receiving the initial server
               response.
 
        <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
-              The  LMTP  client  time  limit for sending the LHLO
+              The LMTP client time limit  for  sending  the  LHLO
               command,  and  for  receiving  the  initial  server
               response.
 
@@ -501,30 +502,30 @@ SMTP(8)                                                                SMTP(8)
               command, and for receiving the server response.
 
        <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
-              The SMTP client time limit  for  sending  the  MAIL
-              FROM   command,   and   for  receiving  the  server
+              The  SMTP  client  time  limit for sending the MAIL
+              FROM  command,  and  for   receiving   the   server
               response.
 
        <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
-              The SMTP client time limit  for  sending  the  SMTP
-              RCPT  TO  command,  and  for  receiving  the server
+              The  SMTP  client  time  limit for sending the SMTP
+              RCPT TO  command,  and  for  receiving  the  server
               response.
 
        <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
-              The SMTP client time limit  for  sending  the  SMTP
-              DATA   command,   and   for  receiving  the  server
+              The  SMTP  client  time  limit for sending the SMTP
+              DATA  command,  and  for   receiving   the   server
               response.
 
        <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
-              The SMTP client time limit  for  sending  the  SMTP
+              The  SMTP  client  time  limit for sending the SMTP
               message content.
 
        <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
-              The  SMTP  client  time  limit for sending the SMTP
+              The SMTP client time limit  for  sending  the  SMTP
               ".", and for receiving the server response.
 
        <b><a href="postconf.5.html#smtp_quit_timeout">smtp_quit_timeout</a> (300s)</b>
-              The SMTP client time limit  for  sending  the  QUIT
+              The  SMTP  client  time  limit for sending the QUIT
               command, and for receiving the server response.
 
        Available in Postfix version 2.1 and later:
@@ -535,12 +536,12 @@ SMTP(8)                                                                SMTP(8)
               lookups, or zero (no limit).
 
        <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
-              The  maximal  number  of SMTP sessions per delivery
-              request before giving up or delivering to  a  fall-
+              The maximal number of SMTP  sessions  per  delivery
+              request  before  giving up or delivering to a fall-
               back <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
 
        <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
-              The  SMTP  client  time  limit for sending the RSET
+              The SMTP client time limit  for  sending  the  RSET
               command, and for receiving the server response.
 
        Available in Postfix version 2.2 and earlier:
@@ -552,11 +553,11 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix version 2.2 and later:
 
        <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
-              Permanently  enable SMTP connection caching for the
+              Permanently enable SMTP connection caching for  the
               specified destinations.
 
        <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
-              Temporarily enable SMTP connection caching while  a
+              Temporarily  enable SMTP connection caching while a
               destination has a high volume of mail in the active
               queue.
 
@@ -566,57 +567,62 @@ SMTP(8)                                                                SMTP(8)
 
        <b><a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> (2s)</b>
               When SMTP connection caching is enabled, the amount
-              of time that an unused SMTP client socket  is  kept
+              of  time  that an unused SMTP client socket is kept
               open before it is closed.
 
        Available in Postfix version 2.3 and later:
 
        <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
-              Time  limit  for  connection cache connect, send or
+              Time limit for connection cache  connect,  send  or
               receive operations.
 
 <b>TROUBLE SHOOTING CONTROLS</b>
        <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
-              The increment  in  verbose  logging  level  when  a
-              remote  client  or  server matches a pattern in the
+              The  increment  in  verbose  logging  level  when a
+              remote client or server matches a  pattern  in  the
               <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
 
        <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
-              Optional list of remote client or  server  hostname
-              or  network address patterns that cause the verbose
-              logging level to increase by the  amount  specified
+              Optional  list  of remote client or server hostname
+              or network address patterns that cause the  verbose
+              logging  level  to increase by the amount specified
               in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
 
        <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
-              The  recipient  of  postmaster  notifications about
-              mail delivery problems that are caused  by  policy,
+              The recipient  of  postmaster  notifications  about
+              mail  delivery  problems that are caused by policy,
               resource, software or protocol errors.
 
+       <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
+              What categories of Postfix-generated mail are  sub-
+              ject   to   before-queue   content   inspection  by
+              <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
+
        <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
-              The  list of error classes that are reported to the
+              The list of error classes that are reported to  the
               postmaster.
 
 <b>MISCELLANEOUS CONTROLS</b>
        <b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
-              Where the Postfix SMTP client should  deliver  mail
+              Where  the  Postfix SMTP client should deliver mail
               when it detects a "mail loops back to myself" error
               condition.
 
        <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The default location of  the  Postfix  <a href="postconf.5.html">main.cf</a>  and
+              The  default  location  of  the Postfix <a href="postconf.5.html">main.cf</a> and
               <a href="master.5.html">master.cf</a> configuration files.
 
        <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
-              How  much time a Postfix daemon process may take to
-              handle a request  before  it  is  terminated  by  a
+              How much time a Postfix daemon process may take  to
+              handle  a  request  before  it  is  terminated by a
               built-in watchdog timer.
 
        <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
-              The  maximal  number  of  digits  after the decimal
+              The maximal number  of  digits  after  the  decimal
               point when logging sub-second delay values.
 
        <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
-              Disable DNS lookups in the Postfix  SMTP  and  LMTP
+              Disable  DNS  lookups  in the Postfix SMTP and LMTP
               clients.
 
        <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
@@ -624,7 +630,7 @@ SMTP(8)                                                                SMTP(8)
               tem receives mail on.
 
        <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
-              The Internet protocols Postfix will attempt to  use
+              The  Internet protocols Postfix will attempt to use
               when making or accepting connections.
 
        <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
@@ -632,74 +638,74 @@ SMTP(8)                                                                SMTP(8)
               over an internal communication channel.
 
        <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
-              The default TCP port that the Postfix  LMTP  client
+              The  default  TCP port that the Postfix LMTP client
               connects to.
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
-              The  maximum  amount  of  time that an idle Postfix
-              daemon process waits for the next  service  request
+              The maximum amount of time  that  an  idle  Postfix
+              daemon  process  waits for the next service request
               before exiting.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
-              The  maximal number of connection requests before a
+              The maximal number of connection requests before  a
               Postfix daemon process terminates.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The process ID  of  a  Postfix  command  or  daemon
+              The  process  ID  of  a  Postfix  command or daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The  process  name  of  a Postfix command or daemon
+              The process name of a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
               The network interface addresses that this mail sys-
-              tem  receives  mail on by way of a proxy or network
+              tem receives mail on by way of a proxy  or  network
               address translation unit.
 
        <b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
-              An optional numerical network address that the SMTP
-              client  should  bind to when making an IPv4 connec-
-              tion.
+              An  optional  numerical  network  address  that the
+              Postfix SMTP client should bind to when  making  an
+              IPv4 connection.
 
        <b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
-              An optional numerical network address that the SMTP
-              client  should  bind to when making an IPv6 connec-
-              tion.
+              An  optional  numerical  network  address  that the
+              Postfix SMTP client should bind to when  making  an
+              IPv6 connection.
 
        <b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
-              The hostname to send in the SMTP EHLO or HELO  com-
+              The  hostname to send in the SMTP EHLO or HELO com-
               mand.
 
        <b><a href="postconf.5.html#lmtp_lhloname">lmtp_lhlo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
               The hostname to send in the LMTP LHLO command.
 
        <b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
-              What  mechanisms  when the SMTP client uses to look
-              up a host's IP address.
+              What mechanisms when the Postfix SMTP  client  uses
+              to look up a host's IP address.
 
        <b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b>
-              Randomize the order  of  equal-preference  MX  host
+              Randomize  the  order  of  equal-preference MX host
               addresses.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The  mail  system  name  that  is  prepended to the
-              process name in syslog  records,  so  that  "smtpd"
+              The mail system  name  that  is  prepended  to  the
+              process  name  in  syslog  records, so that "smtpd"
               becomes, for example, "postfix/smtpd".
 
        Available with Postfix 2.2 and earlier:
 
        <b><a href="postconf.5.html#fallback_relay">fallback_relay</a> (empty)</b>
-              Optional  list of relay hosts for SMTP destinations
+              Optional list of relay hosts for SMTP  destinations
               that can't be found or that are unreachable.
 
        Available with Postfix 2.3 and later:
 
        <b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
-              Optional list of relay hosts for SMTP  destinations
+              Optional  list of relay hosts for SMTP destinations
               that can't be found or that are unreachable.
 
 <b>SEE ALSO</b>
@@ -717,7 +723,7 @@ SMTP(8)                                                                SMTP(8)
        <a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto
 
 <b>LICENSE</b>
-       The Secure Mailer license must be  distributed  with  this
+       The  Secure  Mailer  license must be distributed with this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html
index 70e407e6e..0a55a893b 100644
--- a/postfix/html/smtpd.8.html
+++ b/postfix/html/smtpd.8.html
@@ -328,87 +328,89 @@ SMTPD(8)                                                              SMTPD(8)
        Detailed  information  about STARTTLS configuration may be
        found in the <a href="TLS_README.html">TLS_README</a> document.
 
-       <b><a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> (no)</b>
-              Opportunistic mode: announce  STARTTLS  support  to
-              SMTP  clients,  but do not require that clients use
-              TLS encryption.
-
-       <b><a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> (no)</b>
-              Enforcement mode: announce STARTTLS support to SMTP
-              clients,  and  require that clients use TLS encryp-
-              tion.
+       <b><a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> (empty)</b>
+              The SMTP TLS security level for  the  Postfix  SMTP
+              server;  when  a non-empty value is specified, this
+              overrides the obsolete parameters <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and
+              <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>.
 
        <b><a href="postconf.5.html#smtpd_sasl_tls_security_options">smtpd_sasl_tls_security_options</a>         ($<a href="postconf.5.html#smtpd_sasl_security_options">smtpd_sasl_secu</a>-</b>
        <b><a href="postconf.5.html#smtpd_sasl_security_options">rity_options</a>)</b>
-              The SASL authentication security options  that  the
-              Postfix  SMTP  server  uses  for TLS encrypted SMTP
+              The  SASL  authentication security options that the
+              Postfix SMTP server uses  for  TLS  encrypted  SMTP
               sessions.
 
        <b><a href="postconf.5.html#smtpd_starttls_timeout">smtpd_starttls_timeout</a> (300s)</b>
-              The time limit for Postfix SMTP  server  write  and
-              read  operations  during  TLS  startup and shutdown
+              The  time  limit  for Postfix SMTP server write and
+              read operations during  TLS  startup  and  shutdown
               handshake procedures.
 
        <b><a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> (empty)</b>
-              The file with the certificate of the  certification
-              authority  (CA) that issued the Postfix SMTP server
+              The  file with the certificate of the certification
+              authority (CA) that issued the Postfix SMTP  server
               certificate.
 
        <b><a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> (empty)</b>
-              The file with the certificate of the  certification
-              authority  (CA) that issued the Postfix SMTP server
+              The  file with the certificate of the certification
+              authority (CA) that issued the Postfix SMTP  server
               certificate.
 
        <b><a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> (no)</b>
-              Ask a remote SMTP client for a client  certificate.
+              Ask  a remote SMTP client for a client certificate.
 
        <b><a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> (no)</b>
               When TLS encryption is optional in the Postfix SMTP
-              server, do not announce or accept SASL  authentica-
+              server,  do not announce or accept SASL authentica-
               tion over unencrypted connections.
 
        <b><a href="postconf.5.html#smtpd_tls_ccert_verifydepth">smtpd_tls_ccert_verifydepth</a> (5)</b>
-              The  verification depth for remote SMTP client cer-
+              The verification depth for remote SMTP client  cer-
               tificates.
 
        <b><a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> (empty)</b>
-              File with the Postfix SMTP server  RSA  certificate
+              File  with  the Postfix SMTP server RSA certificate
               in PEM format.
 
-       <b><a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a> (export)</b>
-              The  minimum  acceptable  SMTP  server  TLS  cipher
-              grade.
-
        <b><a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> (empty)</b>
               List of ciphers or cipher types to exclude from the
-              SMTP server cipher list.
+              SMTP server cipher list at all TLS security levels.
 
        <b><a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a> (empty)</b>
-              File  with  the Postfix SMTP server DSA certificate
+              File with the Postfix SMTP server  DSA  certificate
               in PEM format.
 
        <b><a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a> (empty)</b>
-              File with  DH  parameters  that  the  Postfix  SMTP
+              File  with  DH  parameters  that  the  Postfix SMTP
               server should use with EDH ciphers.
 
        <b><a href="postconf.5.html#smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a> (empty)</b>
-              File  with  DH  parameters  that  the  Postfix SMTP
+              File with  DH  parameters  that  the  Postfix  SMTP
               server should use with EDH ciphers.
 
        <b><a href="postconf.5.html#smtpd_tls_dkey_file">smtpd_tls_dkey_file</a> ($<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>)</b>
-              File with the Postfix SMTP server DSA  private  key
+              File  with  the Postfix SMTP server DSA private key
               in PEM format.
 
        <b><a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> ($<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>)</b>
-              File  with  the Postfix SMTP server RSA private key
+              File with the Postfix SMTP server RSA  private  key
               in PEM format.
 
        <b><a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a> (0)</b>
-              Enable additional Postfix SMTP  server  logging  of
+              Enable  additional  Postfix  SMTP server logging of
               TLS activity.
 
-       <b><a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> (empty)</b>
-              The  list of TLS protocols supported by the server.
+       <b><a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> (medium)</b>
+              The minimum TLS cipher grade that the Postfix  SMTP
+              server will use with mandatory TLS encryption.
+
+       <b><a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> (empty)</b>
+              Additional  list  of  ciphers  or  cipher  types to
+              exclude from the SMTP server cipher list at  manda-
+              tory TLS security levels.
+
+       <b><a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
+              The  TLS  protocols  accepted  by  the Postfix SMTP
+              server with mandatory TLS encryption.
 
        <b><a href="postconf.5.html#smtpd_tls_received_header">smtpd_tls_received_header</a> (no)</b>
               Request  that  the  Postfix  SMTP  server  produces
@@ -418,7 +420,7 @@ SMTPD(8)                                                              SMTPD(8)
               CommonName.
 
        <b><a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a> (no)</b>
-              When TLS encryption is enforced, require  a  remote
+              With mandatory TLS  encryption,  require  a  remote
               SMTP  client certificate in order to allow TLS con-
               nections to proceed.
 
@@ -461,60 +463,84 @@ SMTPD(8)                                                              SMTPD(8)
               The OpenSSL cipherlist  for  "NULL"  grade  ciphers
               that provide authentication without encryption.
 
+<b>OBSOLETE STARTTLS CONTROLS</b>
+       The  following configuration parameters exist for compati-
+       bility with Postfix versions before 2.3. Support for these
+       will be removed in a future release.
+
+       <b><a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> (no)</b>
+              Opportunistic  TLS:  announce  STARTTLS  support to
+              SMTP clients, but do not require that  clients  use
+              TLS encryption.
+
+       <b><a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> (no)</b>
+              Mandatory  TLS:  announce  STARTTLS support to SMTP
+              clients, and require that clients use  TLS  encryp-
+              tion.
+
+       <b><a href="postconf.5.html#smtpd_tls_cipherlist">smtpd_tls_cipherlist</a> (empty)</b>
+              Obsolete Postfix &lt; 2.3 control for the Postfix SMTP
+              server TLS cipher list.
+
 <b>VERP SUPPORT CONTROLS</b>
-       With  VERP  style  delivery,  each  recipient of a message
+       With VERP style delivery,  each  recipient  of  a  message
        receives a customized copy of the message with his/her own
-       recipient  address encoded in the envelope sender address.
+       recipient address encoded in the envelope sender  address.
        The <a href="VERP_README.html">VERP_README</a> file describes configuration and operation
-       details  of  Postfix  support for variable envelope return
+       details of Postfix support for  variable  envelope  return
        path addresses.  VERP style delivery is requested with the
-       SMTP  XVERP command or with the "sendmail -V" command-line
-       option and is available in Postfix version 1.1 and  later.
+       SMTP XVERP command or with the "sendmail -V"  command-line
+       option  and is available in Postfix version 1.1 and later.
 
        <b><a href="postconf.5.html#default_verp_delimiters">default_verp_delimiters</a> (+=)</b>
               The two default VERP delimiter characters.
 
        <b><a href="postconf.5.html#verp_delimiter_filter">verp_delimiter_filter</a> (-=+)</b>
-              The  characters  Postfix  accepts as VERP delimiter
-              characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command  line
+              The characters Postfix accepts  as  VERP  delimiter
+              characters  on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line
               and in SMTP commands.
 
        Available in Postfix version 1.1 and 2.0:
 
        <b><a href="postconf.5.html#authorized_verp_clients">authorized_verp_clients</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
-              What  SMTP clients are allowed to specify the XVERP
+              What SMTP clients are allowed to specify the  XVERP
               command.
 
        Available in Postfix version 2.1 and later:
 
        <b><a href="postconf.5.html#smtpd_authorized_verp_clients">smtpd_authorized_verp_clients</a> ($<a href="postconf.5.html#authorized_verp_clients">authorized_verp_clients</a>)</b>
-              What SMTP clients are allowed to specify the  XVERP
+              What  SMTP clients are allowed to specify the XVERP
               command.
 
 <b>TROUBLE SHOOTING CONTROLS</b>
-       The  <a href="DEBUG_README.html">DEBUG_README</a> document describes how to debug parts of
-       the Postfix mail system. The methods vary from making  the
-       software  log a lot of detail, to running some daemon pro-
+       The <a href="DEBUG_README.html">DEBUG_README</a> document describes how to debug parts  of
+       the  Postfix mail system. The methods vary from making the
+       software log a lot of detail, to running some daemon  pro-
        cesses under control of a call tracer or debugger.
 
        <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
-              The increment  in  verbose  logging  level  when  a
-              remote  client  or  server matches a pattern in the
+              The  increment  in  verbose  logging  level  when a
+              remote client or server matches a  pattern  in  the
               <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
 
        <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
-              Optional list of remote client or  server  hostname
-              or  network address patterns that cause the verbose
-              logging level to increase by the  amount  specified
+              Optional  list  of remote client or server hostname
+              or network address patterns that cause the  verbose
+              logging  level  to increase by the amount specified
               in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
 
        <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
-              The  recipient  of  postmaster  notifications about
-              mail delivery problems that are caused  by  policy,
+              The recipient  of  postmaster  notifications  about
+              mail  delivery  problems that are caused by policy,
               resource, software or protocol errors.
 
+       <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
+              What categories of Postfix-generated mail are  sub-
+              ject   to   before-queue   content   inspection  by
+              <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
+
        <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
-              The  list of error classes that are reported to the
+              The list of error classes that are reported to  the
               postmaster.
 
        <b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b>
@@ -524,22 +550,22 @@ SMTPD(8)                                                              SMTPD(8)
        Available in Postfix version 2.1 and later:
 
        <b><a href="postconf.5.html#smtpd_authorized_xclient_hosts">smtpd_authorized_xclient_hosts</a> (empty)</b>
-              What  SMTP  clients  are allowed to use the XCLIENT
+              What SMTP clients are allowed to  use  the  XCLIENT
               feature.
 
 <b>KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS</b>
-       As of Postfix version 2.0, the SMTP  server  rejects  mail
-       for  unknown recipients. This prevents the mail queue from
-       clogging up  with  undeliverable  MAILER-DAEMON  messages.
-       Additional   information   on   this   topic   is  in  the
+       As  of  Postfix  version 2.0, the SMTP server rejects mail
+       for unknown recipients. This prevents the mail queue  from
+       clogging  up  with  undeliverable  MAILER-DAEMON messages.
+       Additional  information  on   this   topic   is   in   the
        <a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a> and <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a> documents.
 
        <b><a href="postconf.5.html#show_user_unknown_table_name">show_user_unknown_table_name</a> (yes)</b>
-              Display  the  name  of  the  recipient table in the
+              Display the name of  the  recipient  table  in  the
               "User unknown" responses.
 
        <b><a href="postconf.5.html#canonical_maps">canonical_maps</a> (empty)</b>
-              Optional address mapping lookup tables for  message
+              Optional  address mapping lookup tables for message
               headers and envelopes.
 
        <b><a href="postconf.5.html#recipient_canonical_maps">recipient_canonical_maps</a> (empty)</b>
@@ -550,7 +576,7 @@ SMTPD(8)                                                              SMTPD(8)
 
        <b><a href="postconf.5.html#mydestination">mydestination</a>  ($<a href="postconf.5.html#myhostname">myhostname</a>,  localhost.$<a href="postconf.5.html#mydomain">mydomain</a>,  local-</b>
        <b>host)</b>
-              The list of domains  that  are  delivered  via  the
+              The  list  of  domains  that  are delivered via the
               $<a href="postconf.5.html#local_transport">local_transport</a> mail delivery transport.
 
        <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
@@ -559,145 +585,146 @@ SMTPD(8)                                                              SMTPD(8)
 
        <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
               The network interface addresses that this mail sys-
-              tem  receives  mail on by way of a proxy or network
+              tem receives mail on by way of a proxy  or  network
               address translation unit.
 
        <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
-              The Internet protocols Postfix will attempt to  use
+              The  Internet protocols Postfix will attempt to use
               when making or accepting connections.
 
        <b><a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>             (<a href="proxymap.8.html">proxy</a>:unix:passwd.byname</b>
        <b>$<a href="postconf.5.html#alias_maps">alias_maps</a>)</b>
-              Lookup  tables with all names or addresses of local
-              recipients: a recipient address is local  when  its
-              domain  matches $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or
+              Lookup tables with all names or addresses of  local
+              recipients:  a  recipient address is local when its
+              domain matches $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>  or
               $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>.
 
        <b><a href="postconf.5.html#unknown_local_recipient_reject_code">unknown_local_recipient_reject_code</a> (550)</b>
-              The numerical Postfix  SMTP  server  response  code
-              when    a   recipient   address   is   local,   and
-              $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> specifies a  list  of  lookup
+              The  numerical  Postfix  SMTP  server response code
+              when   a   recipient   address   is   local,    and
+              $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>  specifies  a  list of lookup
               tables that does not match the recipient.
 
-       Parameters  concerning  known/unknown  recipients of relay
+       Parameters concerning known/unknown  recipients  of  relay
        destinations:
 
        <b><a href="postconf.5.html#relay_domains">relay_domains</a> ($<a href="postconf.5.html#mydestination">mydestination</a>)</b>
-              What destination domains (and  subdomains  thereof)
+              What  destination  domains (and subdomains thereof)
               this system will relay mail to.
 
        <b><a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> (empty)</b>
-              Optional  lookup tables with all valid addresses in
+              Optional lookup tables with all valid addresses  in
               the domains that match $<a href="postconf.5.html#relay_domains">relay_domains</a>.
 
        <b><a href="postconf.5.html#unknown_relay_recipient_reject_code">unknown_relay_recipient_reject_code</a> (550)</b>
               The numerical Postfix SMTP server reply code when a
-              recipient   address   matches  $<a href="postconf.5.html#relay_domains">relay_domains</a>,  and
-              <a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> specifies  a  list  of  lookup
+              recipient  address  matches   $<a href="postconf.5.html#relay_domains">relay_domains</a>,   and
+              <a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a>  specifies  a  list  of lookup
               tables that does not match the recipient address.
 
-       Parameters  concerning known/unknown recipients in virtual
+       Parameters concerning known/unknown recipients in  virtual
        alias domains:
 
        <b><a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a> ($<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>)</b>
               Postfix is final destination for the specified list
-              of  virtual  alias  domains,  that  is, domains for
-              which all addresses are  aliased  to  addresses  in
+              of virtual alias  domains,  that  is,  domains  for
+              which  all  addresses  are  aliased to addresses in
               other local or remote domains.
 
        <b><a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> ($<a href="postconf.5.html#virtual_maps">virtual_maps</a>)</b>
-              Optional  lookup  tables  that  alias specific mail
-              addresses or  domains  to  other  local  or  remote
+              Optional lookup tables  that  alias  specific  mail
+              addresses  or  domains  to  other  local  or remote
               address.
 
        <b><a href="postconf.5.html#unknown_virtual_alias_reject_code">unknown_virtual_alias_reject_code</a> (550)</b>
               The SMTP server reply code when a recipient address
-              matches    $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>,    and     $<a href="postconf.5.html#virtual_alias_maps">vir</a>-
-              <a href="postconf.5.html#virtual_alias_maps">tual_alias_maps</a>  specifies  a list of lookup tables
+              matches     $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>,    and    $<a href="postconf.5.html#virtual_alias_maps">vir</a>-
+              <a href="postconf.5.html#virtual_alias_maps">tual_alias_maps</a> specifies a list of  lookup  tables
               that does not match the recipient address.
 
-       Parameters concerning known/unknown recipients in  virtual
+       Parameters  concerning known/unknown recipients in virtual
        mailbox domains:
 
        <b><a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> ($<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>)</b>
               Postfix is final destination for the specified list
-              of  domains;  mail  is  delivered  via  the   $<a href="postconf.5.html#virtual_transport">vir</a>-
+              of   domains;  mail  is  delivered  via  the  $<a href="postconf.5.html#virtual_transport">vir</a>-
               <a href="postconf.5.html#virtual_transport">tual_transport</a> mail delivery transport.
 
        <b><a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> (empty)</b>
-              Optional  lookup tables with all valid addresses in
+              Optional lookup tables with all valid addresses  in
               the domains that match $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>.
 
        <b><a href="postconf.5.html#unknown_virtual_mailbox_reject_code">unknown_virtual_mailbox_reject_code</a> (550)</b>
               The SMTP server reply code when a recipient address
-              matches    $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>,    and   $<a href="postconf.5.html#virtual_mailbox_maps">vir</a>-
+              matches   $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>,    and    $<a href="postconf.5.html#virtual_mailbox_maps">vir</a>-
               <a href="postconf.5.html#virtual_mailbox_maps">tual_mailbox_maps</a> specifies a list of lookup tables
               that does not match the recipient address.
 
 <b>RESOURCE AND RATE CONTROLS</b>
-       The  following parameters limit resource usage by the SMTP
+       The following parameters limit resource usage by the  SMTP
        server and/or control client request rates.
 
        <b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b>
-              Upon input, long lines are chopped up  into  pieces
-              of  at  most this length; upon delivery, long lines
+              Upon  input,  long lines are chopped up into pieces
+              of at most this length; upon delivery,  long  lines
               are reconstructed.
 
        <b><a href="postconf.5.html#queue_minfree">queue_minfree</a> (0)</b>
-              The minimal amount of free space in  bytes  in  the
+              The  minimal  amount  of free space in bytes in the
               queue file system that is needed to receive mail.
 
        <b><a href="postconf.5.html#message_size_limit">message_size_limit</a> (10240000)</b>
-              The  maximal  size in bytes of a message, including
+              The maximal size in bytes of a  message,  including
               envelope information.
 
        <b><a href="postconf.5.html#smtpd_recipient_limit">smtpd_recipient_limit</a> (1000)</b>
-              The maximal number of recipients that  the  Postfix
+              The  maximal  number of recipients that the Postfix
               SMTP server accepts per message delivery request.
 
        <b><a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> (300s)</b>
-              The  time  limit  for sending a Postfix SMTP server
-              response and for receiving  a  remote  SMTP  client
+              The time limit for sending a  Postfix  SMTP  server
+              response  and  for  receiving  a remote SMTP client
               request.
 
        <b><a href="postconf.5.html#smtpd_history_flush_threshold">smtpd_history_flush_threshold</a> (100)</b>
-              The  maximal  number  of  lines in the Postfix SMTP
-              server command history before it  is  flushed  upon
+              The maximal number of lines  in  the  Postfix  SMTP
+              server  command  history  before it is flushed upon
               receipt of EHLO, RSET, or end of DATA.
 
        Available in Postfix version 2.3 and later:
 
        <b><a href="postconf.5.html#smtpd_peername_lookup">smtpd_peername_lookup</a> (yes)</b>
-              Attempt  to  look  up the SMTP client hostname, and
-              verify that the name matches the client IP address.
+              Attempt to look up the Postfix  SMTP  client  host-
+              name,  and  verify that the name matches the client
+              IP address.
 
        The per SMTP client connection count and request rate lim-
        its are implemented in co-operation with the <a href="anvil.8.html"><b>anvil</b>(8)</a> ser-
-       vice,  and are available in Postfix version 2.2 and later.
+       vice, and are available in Postfix version 2.2 and  later.
 
        <b><a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a> (50)</b>
-              How many simultaneous  connections  any  client  is
+              How  many  simultaneous  connections  any client is
               allowed to make to this service.
 
        <b><a href="postconf.5.html#smtpd_client_connection_rate_limit">smtpd_client_connection_rate_limit</a> (0)</b>
               The  maximal  number  of  connection  attempts  any
-              client is allowed to make to this service per  time
+              client  is allowed to make to this service per time
               unit.
 
        <b><a href="postconf.5.html#smtpd_client_message_rate_limit">smtpd_client_message_rate_limit</a> (0)</b>
-              The  maximal  number  of  message delivery requests
-              that any client is allowed to make to this  service
+              The maximal number  of  message  delivery  requests
+              that  any client is allowed to make to this service
               per time unit, regardless of whether or not Postfix
               actually accepts those messages.
 
        <b><a href="postconf.5.html#smtpd_client_recipient_rate_limit">smtpd_client_recipient_rate_limit</a> (0)</b>
-              The maximal number of recipient addresses that  any
-              client  is allowed to send to this service per time
+              The  maximal number of recipient addresses that any
+              client is allowed to send to this service per  time
               unit, regardless of whether or not Postfix actually
               accepts those recipients.
 
        <b><a href="postconf.5.html#smtpd_client_event_limit_exceptions">smtpd_client_event_limit_exceptions</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
-              Clients  that  are  excluded from connection count,
+              Clients that are excluded  from  connection  count,
               connection rate, or SMTP request rate restrictions.
 
        Available in Postfix version 2.3 and later:
@@ -708,52 +735,52 @@ SMTPD(8)                                                              SMTPD(8)
               tiate with this service per time unit.
 
 <b>TARPIT CONTROLS</b>
-       When  a  remote SMTP client makes errors, the Postfix SMTP
-       server can insert delays before responding. This can  help
-       to  slow  down  run-away  software.   The behavior is con-
-       trolled by an error counter  that  counts  the  number  of
-       errors  within an SMTP session that a client makes without
+       When a remote SMTP client makes errors, the  Postfix  SMTP
+       server  can insert delays before responding. This can help
+       to slow down run-away  software.   The  behavior  is  con-
+       trolled  by  an  error  counter  that counts the number of
+       errors within an SMTP session that a client makes  without
        delivering mail.
 
        <b><a href="postconf.5.html#smtpd_error_sleep_time">smtpd_error_sleep_time</a> (1s)</b>
               With Postfix version 2.1 and later: the SMTP server
-              response  delay  after  a client has made more than
-              $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a>  errors,  and  fewer   than
-              $<a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a>  errors, without delivering
+              response delay after a client has  made  more  than
+              $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a>   errors,  and  fewer  than
+              $<a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> errors, without  delivering
               mail.
 
        <b><a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> (10)</b>
-              The number  of  errors  a  remote  SMTP  client  is
-              allowed  to make without delivering mail before the
+              The  number  of  errors  a  remote  SMTP  client is
+              allowed to make without delivering mail before  the
               Postfix SMTP server slows down all its responses.
 
        <b><a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> (20)</b>
-              The maximal number of errors a remote  SMTP  client
+              The  maximal  number of errors a remote SMTP client
               is allowed to make without delivering mail.
 
        <b><a href="postconf.5.html#smtpd_junk_command_limit">smtpd_junk_command_limit</a> (100)</b>
-              The  number  of  junk commands (NOOP, VRFY, ETRN or
+              The number of junk commands (NOOP,  VRFY,  ETRN  or
               RSET) that a remote SMTP client can send before the
-              Postfix  SMTP  server starts to increment the error
+              Postfix SMTP server starts to increment  the  error
               counter with each junk command.
 
        Available in Postfix version 2.1 and later:
 
        <b><a href="postconf.5.html#smtpd_recipient_overshoot_limit">smtpd_recipient_overshoot_limit</a> (1000)</b>
-              The number of recipients that a remote SMTP  client
-              can  send  in  excess  of  the limit specified with
+              The  number of recipients that a remote SMTP client
+              can send in excess  of  the  limit  specified  with
               $<a href="postconf.5.html#smtpd_recipient_limit">smtpd_recipient_limit</a>,  before  the  Postfix  SMTP
-              server  increments  the per-session error count for
+              server increments the per-session error  count  for
               each excess recipient.
 
 <b>ACCESS POLICY DELEGATION CONTROLS</b>
-       As of version 2.1, Postfix can be configured  to  delegate
-       access  policy  decisions  to an external server that runs
-       outside Postfix.  See  the  file  <a href="SMTPD_POLICY_README.html">SMTPD_POLICY_README</a>  for
+       As  of  version 2.1, Postfix can be configured to delegate
+       access policy decisions to an external  server  that  runs
+       outside  Postfix.   See  the  file <a href="SMTPD_POLICY_README.html">SMTPD_POLICY_README</a> for
        more information.
 
        <b><a href="postconf.5.html#smtpd_policy_service_max_idle">smtpd_policy_service_max_idle</a> (300s)</b>
-              The  time  after which an idle SMTPD policy service
+              The time after which an idle SMTPD  policy  service
               connection is closed.
 
        <b><a href="postconf.5.html#smtpd_policy_service_max_ttl">smtpd_policy_service_max_ttl</a> (1000s)</b>
@@ -761,161 +788,161 @@ SMTPD(8)                                                              SMTPD(8)
               connection is closed.
 
        <b><a href="postconf.5.html#smtpd_policy_service_timeout">smtpd_policy_service_timeout</a> (100s)</b>
-              The  time  limit  for  connecting to, writing to or
+              The time limit for connecting  to,  writing  to  or
               receiving from a delegated SMTPD policy server.
 
 <b>ACCESS CONTROLS</b>
-       The <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a> document gives an introduction  to
+       The  <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a> document gives an introduction to
        all the SMTP server access control features.
 
        <b><a href="postconf.5.html#smtpd_delay_reject">smtpd_delay_reject</a> (yes)</b>
-              Wait  until  the  RCPT TO command before evaluating
+              Wait until the RCPT TO  command  before  evaluating
               $<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a>,    $smtpd_helo_restric-
               tions and $<a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a>, or wait until
-              the     ETRN     command     before      evaluating
+              the      ETRN     command     before     evaluating
               $<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> and $smtpd_helo_restric-
               tions.
 
-       <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> (see 'postconf  -d'  out-</b>
+       <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a>  (see  'postconf -d' out-</b>
        <b>put)</b>
               What   Postfix   features   match   subdomains   of
               "domain.tld" automatically, instead of requiring an
               explicit ".domain.tld" pattern.
 
        <b><a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> (empty)</b>
-              Optional SMTP server  access  restrictions  in  the
+              Optional  SMTP  server  access  restrictions in the
               context of a client SMTP connection request.
 
        <b><a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> (no)</b>
               Require that a remote SMTP client introduces itself
-              at the beginning of an SMTP session with  the  HELO
+              at  the  beginning of an SMTP session with the HELO
               or EHLO command.
 
        <b><a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a> (empty)</b>
-              Optional  restrictions that the Postfix SMTP server
+              Optional restrictions that the Postfix SMTP  server
               applies in the context of the SMTP HELO command.
 
        <b><a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a> (empty)</b>
-              Optional restrictions that the Postfix SMTP  server
+              Optional  restrictions that the Postfix SMTP server
               applies in the context of the MAIL FROM command.
 
        <b><a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>           (<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,</b>
        <b><a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>)</b>
               The  access  restrictions  that  the  Postfix  SMTP
-              server applies in the context of the RCPT  TO  com-
+              server  applies  in the context of the RCPT TO com-
               mand.
 
        <b><a href="postconf.5.html#smtpd_etrn_restrictions">smtpd_etrn_restrictions</a> (empty)</b>
-              Optional  SMTP  server  access  restrictions in the
+              Optional SMTP server  access  restrictions  in  the
               context of a client ETRN request.
 
        <b><a href="postconf.5.html#allow_untrusted_routing">allow_untrusted_routing</a> (no)</b>
-              Forward   mail   with   sender-specified    routing
-              (user[@%!]remote[@%!]site)  from  untrusted clients
+              Forward    mail   with   sender-specified   routing
+              (user[@%!]remote[@%!]site) from  untrusted  clients
               to destinations matching $<a href="postconf.5.html#relay_domains">relay_domains</a>.
 
        <b><a href="postconf.5.html#smtpd_restriction_classes">smtpd_restriction_classes</a> (empty)</b>
-              User-defined aliases for groups of access  restric-
+              User-defined  aliases for groups of access restric-
               tions.
 
        <b><a href="postconf.5.html#smtpd_null_access_lookup_key">smtpd_null_access_lookup_key</a> (</b>&lt;&gt;<b>)</b>
-              The  lookup key to be used in SMTP <a href="access.5.html"><b>access</b>(5)</a> tables
+              The lookup key to be used in SMTP <a href="access.5.html"><b>access</b>(5)</a>  tables
               instead of the null sender address.
 
        <b><a href="postconf.5.html#permit_mx_backup_networks">permit_mx_backup_networks</a> (empty)</b>
               Restrict  the  use  of  the  <a href="postconf.5.html#permit_mx_backup">permit_mx_backup</a>  SMTP
-              access  feature  to  only  domains whose primary MX
+              access feature to only  domains  whose  primary  MX
               hosts match the listed networks.
 
        Available in Postfix version 2.0 and later:
 
        <b><a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a> (empty)</b>
-              Optional access restrictions that the Postfix  SMTP
+              Optional  access restrictions that the Postfix SMTP
               server applies in the context of the SMTP DATA com-
               mand.
 
        <b><a href="postconf.5.html#smtpd_expansion_filter">smtpd_expansion_filter</a> (see 'postconf -d' output)</b>
-              What characters are allowed in $name expansions  of
+              What  characters are allowed in $name expansions of
               RBL reply templates.
 
        Available in Postfix version 2.1 and later:
 
        <b><a href="postconf.5.html#smtpd_reject_unlisted_sender">smtpd_reject_unlisted_sender</a> (no)</b>
-              Request  that  the Postfix SMTP server rejects mail
-              from  unknown  sender  addresses,  even   when   no
-              explicit  <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a> access restriction
+              Request that the Postfix SMTP server  rejects  mail
+              from   unknown   sender  addresses,  even  when  no
+              explicit <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a> access  restriction
               is specified.
 
        <b><a href="postconf.5.html#smtpd_reject_unlisted_recipient">smtpd_reject_unlisted_recipient</a> (yes)</b>
-              Request that the Postfix SMTP server  rejects  mail
+              Request  that  the Postfix SMTP server rejects mail
               for  unknown  recipient  addresses,  even  when  no
-              explicit <a href="postconf.5.html#reject_unlisted_recipient">reject_unlisted_recipient</a> access  restric-
+              explicit  <a href="postconf.5.html#reject_unlisted_recipient">reject_unlisted_recipient</a> access restric-
               tion is specified.
 
        Available in Postfix version 2.2 and later:
 
        <b><a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a> (empty)</b>
-              Optional  access restrictions that the Postfix SMTP
-              server applies in the context of the  SMTP  END-OF-
+              Optional access restrictions that the Postfix  SMTP
+              server  applies  in the context of the SMTP END-OF-
               DATA command.
 
 <b>SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS</b>
-       Postfix   version  2.1  introduces  sender  and  recipient
-       address verification.   This  feature  is  implemented  by
-       sending  probe email messages that are not actually deliv-
-       ered.  This feature is requested  via  the  <a href="postconf.5.html#reject_unverified_sender">reject_unveri</a>-
-       <a href="postconf.5.html#reject_unverified_sender">fied_sender</a>    and    <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a>   access
-       restrictions.  The status of verification probes is  main-
+       Postfix  version  2.1  introduces  sender  and   recipient
+       address  verification.   This  feature  is  implemented by
+       sending probe email messages that are not actually  deliv-
+       ered.   This  feature  is requested via the <a href="postconf.5.html#reject_unverified_sender">reject_unveri</a>-
+       <a href="postconf.5.html#reject_unverified_sender">fied_sender</a>   and    <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a>    access
+       restrictions.   The status of verification probes is main-
        tained by the <a href="verify.8.html"><b>verify</b>(8)</a> server.  See the file <a href="ADDRESS_VERIFICATION_README.html">ADDRESS_VER</a>-
-       <a href="ADDRESS_VERIFICATION_README.html">IFICATION_README</a> for information about  how  to  configure
+       <a href="ADDRESS_VERIFICATION_README.html">IFICATION_README</a>  for  information  about how to configure
        and operate the Postfix sender/recipient address verifica-
        tion service.
 
        <b><a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> (3)</b>
-              How many times to query the <a href="verify.8.html"><b>verify</b>(8)</a>  service  for
-              the  completion  of an address verification request
+              How  many  times to query the <a href="verify.8.html"><b>verify</b>(8)</a> service for
+              the completion of an address  verification  request
               in progress.
 
        <b><a href="postconf.5.html#address_verify_poll_delay">address_verify_poll_delay</a> (3s)</b>
-              The delay between queries for the completion of  an
+              The  delay between queries for the completion of an
               address verification request in progress.
 
        <b><a href="postconf.5.html#address_verify_sender">address_verify_sender</a> (postmaster)</b>
-              The  sender  address to use in address verification
+              The sender address to use in  address  verification
               probes.
 
        <b><a href="postconf.5.html#unverified_sender_reject_code">unverified_sender_reject_code</a> (450)</b>
-              The numerical Postfix  SMTP  server  response  code
-              when   a  recipient  address  is  rejected  by  the
+              The  numerical  Postfix  SMTP  server response code
+              when  a  recipient  address  is  rejected  by   the
               <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a> restriction.
 
        <b><a href="postconf.5.html#unverified_recipient_reject_code">unverified_recipient_reject_code</a> (450)</b>
-              The numerical Postfix SMTP server response  when  a
+              The  numerical  Postfix SMTP server response when a
               recipient address is rejected by the <a href="postconf.5.html#reject_unverified_recipient">reject_unveri</a>-
               <a href="postconf.5.html#reject_unverified_recipient">fied_recipient</a> restriction.
 
 <b>ACCESS CONTROL RESPONSES</b>
-       The following  parameters  control  numerical  SMTP  reply
+       The  following  parameters  control  numerical  SMTP reply
        codes and/or text responses.
 
        <b><a href="postconf.5.html#access_map_reject_code">access_map_reject_code</a> (554)</b>
-              The  numerical  Postfix  SMTP  server response code
-              when a client  is  rejected  by  an  <a href="access.5.html"><b>access</b>(5)</a>  map
+              The numerical Postfix  SMTP  server  response  code
+              when  a  client  is  rejected  by  an <a href="access.5.html"><b>access</b>(5)</a> map
               restriction.
 
        <b><a href="postconf.5.html#defer_code">defer_code</a> (450)</b>
-              The  numerical  Postfix  SMTP  server response code
-              when a remote SMTP client request  is  rejected  by
+              The numerical Postfix  SMTP  server  response  code
+              when  a  remote  SMTP client request is rejected by
               the "defer" restriction.
 
        <b><a href="postconf.5.html#invalid_hostname_reject_code">invalid_hostname_reject_code</a> (501)</b>
-              The  numerical  Postfix  SMTP  server response code
-              when the client HELO or EHLO command  parameter  is
-              rejected    by   the   <a href="postconf.5.html#reject_invalid_helo_hostname">reject_invalid_helo_hostname</a>
+              The numerical Postfix  SMTP  server  response  code
+              when  the  client HELO or EHLO command parameter is
+              rejected   by   the    <a href="postconf.5.html#reject_invalid_helo_hostname">reject_invalid_helo_hostname</a>
               restriction.
 
        <b><a href="postconf.5.html#maps_rbl_reject_code">maps_rbl_reject_code</a> (554)</b>
-              The numerical Postfix  SMTP  server  response  code
+              The  numerical  Postfix  SMTP  server response code
               when a remote SMTP client request is blocked by the
               <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a>,             <a href="postconf.5.html#reject_rhsbl_client">reject_rhsbl_client</a>,
               <a href="postconf.5.html#reject_rhsbl_sender">reject_rhsbl_sender</a>    or    <a href="postconf.5.html#reject_rhsbl_recipient">reject_rhsbl_recipient</a>
@@ -923,53 +950,53 @@ SMTPD(8)                                                              SMTPD(8)
 
        <b><a href="postconf.5.html#non_fqdn_reject_code">non_fqdn_reject_code</a> (504)</b>
               The numerical Postfix SMTP server reply code when a
-              client     request     is     rejected    by    the
+              client    request    is     rejected     by     the
               <a href="postconf.5.html#reject_non_fqdn_helo_hostname">reject_non_fqdn_helo_hostname</a>,
               <a href="postconf.5.html#reject_non_fqdn_sender">reject_non_fqdn_sender</a> or <a href="postconf.5.html#reject_non_fqdn_recipient">reject_non_fqdn_recipient</a>
               restriction.
 
        <b><a href="postconf.5.html#plaintext_reject_code">plaintext_reject_code</a> (450)</b>
-              The numerical Postfix  SMTP  server  response  code
-              when  a  request  is  rejected by the <b>reject_plain-</b>
+              The  numerical  Postfix  SMTP  server response code
+              when a request is  rejected  by  the  <b>reject_plain-</b>
               <b>text_session</b> restriction.
 
        <b><a href="postconf.5.html#reject_code">reject_code</a> (554)</b>
-              The numerical Postfix  SMTP  server  response  code
-              when  a  remote  SMTP client request is rejected by
+              The  numerical  Postfix  SMTP  server response code
+              when a remote SMTP client request  is  rejected  by
               the "reject" restriction.
 
        <b><a href="postconf.5.html#relay_domains_reject_code">relay_domains_reject_code</a> (554)</b>
-              The numerical Postfix  SMTP  server  response  code
-              when   a   client   request   is  rejected  by  the
+              The  numerical  Postfix  SMTP  server response code
+              when  a  client  request   is   rejected   by   the
               <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> recipient restriction.
 
        <b><a href="postconf.5.html#unknown_address_reject_code">unknown_address_reject_code</a> (450)</b>
-              The numerical Postfix  SMTP  server  response  code
-              when  a  sender or recipient address is rejected by
+              The  numerical  Postfix  SMTP  server response code
+              when a sender or recipient address is  rejected  by
               the         <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a>         or
               <a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a> restriction.
 
        <b><a href="postconf.5.html#unknown_client_reject_code">unknown_client_reject_code</a> (450)</b>
-              The  numerical  Postfix  SMTP  server response code
-              when a client without valid address &lt;=&gt;  name  map-
+              The numerical Postfix  SMTP  server  response  code
+              when  a  client without valid address &lt;=&gt; name map-
               ping is rejected by the reject_unknown_client_host-
               name restriction.
 
        <b><a href="postconf.5.html#unknown_hostname_reject_code">unknown_hostname_reject_code</a> (450)</b>
-              The numerical Postfix  SMTP  server  response  code
-              when  the  hostname specified with the HELO or EHLO
-              command       is       rejected       by        the
+              The  numerical  Postfix  SMTP  server response code
+              when the hostname specified with the HELO  or  EHLO
+              command        is       rejected       by       the
               <a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_hostname</a> restriction.
 
        Available in Postfix version 2.0 and later:
 
        <b><a href="postconf.5.html#default_rbl_reply">default_rbl_reply</a> (see 'postconf -d' output)</b>
-              The  default  SMTP  server  response template for a
-              request that is rejected by an  RBL-based  restric-
+              The default SMTP server  response  template  for  a
+              request  that  is rejected by an RBL-based restric-
               tion.
 
        <b><a href="postconf.5.html#multi_recipient_bounce_reject_code">multi_recipient_bounce_reject_code</a> (550)</b>
-              The  numerical  Postfix  SMTP  server response code
+              The numerical Postfix  SMTP  server  response  code
               when a remote SMTP client request is blocked by the
               <a href="postconf.5.html#reject_multi_recipient_bounce">reject_multi_recipient_bounce</a> restriction.
 
@@ -978,16 +1005,16 @@ SMTPD(8)                                                              SMTPD(8)
 
 <b>MISCELLANEOUS CONTROLS</b>
        <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The default location of  the  Postfix  <a href="postconf.5.html">main.cf</a>  and
+              The  default  location  of  the Postfix <a href="postconf.5.html">main.cf</a> and
               <a href="master.5.html">master.cf</a> configuration files.
 
        <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
-              How  much time a Postfix daemon process may take to
-              handle a request  before  it  is  terminated  by  a
+              How much time a Postfix daemon process may take  to
+              handle  a  request  before  it  is  terminated by a
               built-in watchdog timer.
 
        <b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
-              The  location  of  all  postfix administrative com-
+              The location of  all  postfix  administrative  com-
               mands.
 
        <b><a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a> (double-bounce)</b>
@@ -1008,36 +1035,36 @@ SMTPD(8)                                                              SMTPD(8)
               and most Postfix daemon processes.
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
-              The  maximum  amount  of  time that an idle Postfix
-              daemon process waits for the next  service  request
+              The maximum amount of time  that  an  idle  Postfix
+              daemon  process  waits for the next service request
               before exiting.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
-              The  maximal number of connection requests before a
+              The maximal number of connection requests before  a
               Postfix daemon process terminates.
 
        <b><a href="postconf.5.html#myhostname">myhostname</a> (see 'postconf -d' output)</b>
               The internet hostname of this mail system.
 
        <b><a href="postconf.5.html#mynetworks">mynetworks</a> (see 'postconf -d' output)</b>
-              The list of "trusted" SMTP clients that  have  more
+              The  list  of "trusted" SMTP clients that have more
               privileges than "strangers".
 
        <b><a href="postconf.5.html#myorigin">myorigin</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
               The domain name that locally-posted mail appears to
-              come from, and that locally posted mail  is  deliv-
+              come  from,  and that locally posted mail is deliv-
               ered to.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The  process  ID  of  a  Postfix  command or daemon
+              The process ID  of  a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The process name of a  Postfix  command  or  daemon
+              The  process  name  of  a Postfix command or daemon
               process.
 
        <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
-              The  location of the Postfix top-level queue direc-
+              The location of the Postfix top-level queue  direc-
               tory.
 
        <b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> (empty)</b>
@@ -1045,22 +1072,22 @@ SMTPD(8)                                                              SMTPD(8)
               sions (user+foo).
 
        <b><a href="postconf.5.html#smtpd_banner">smtpd_banner</a> ($<a href="postconf.5.html#myhostname">myhostname</a> ESMTP $<a href="postconf.5.html#mail_name">mail_name</a>)</b>
-              The  text  that  follows the 220 status code in the
+              The text that follows the 220 status  code  in  the
               SMTP greeting banner.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The mail system  name  that  is  prepended  to  the
-              process  name  in  syslog  records, so that "smtpd"
+              The  mail  system  name  that  is  prepended to the
+              process name in syslog  records,  so  that  "smtpd"
               becomes, for example, "postfix/smtpd".
 
        Available in Postfix version 2.2 and later:
 
        <b><a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a> (CONNECT, GET, POST)</b>
-              List of  commands  that  causes  the  Postfix  SMTP
-              server  to immediately terminate the session with a
+              List  of  commands  that  causes  the  Postfix SMTP
+              server to immediately terminate the session with  a
               221 code.
 
 <b>SEE ALSO</b>
@@ -1090,7 +1117,7 @@ SMTPD(8)                                                              SMTPD(8)
        <a href="XFORWARD_README.html">XFORWARD_README</a>, Postfix XFORWARD extension
 
 <b>LICENSE</b>
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/transport.5.html b/postfix/html/transport.5.html
index 6d28a3c62..3fc1f1c04 100644
--- a/postfix/html/transport.5.html
+++ b/postfix/html/transport.5.html
@@ -243,7 +243,7 @@ TRANSPORT(5)                                                      TRANSPORT(5)
        lookups are directed to a TCP-based server. For a descrip-
        tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
        <a href="tcp_table.5.html"><b>ble</b>(5)</a>.  This feature is not available up to and including
-       Postfix version 2.2.
+       Postfix version 2.3.
 
        Each  lookup  operation  uses the entire recipient address
        once.  Thus, <i>some.domain.hierarchy</i> is not  looked  up  via
diff --git a/postfix/html/virtual.5.html b/postfix/html/virtual.5.html
index d8dfe9898..ab0649357 100644
--- a/postfix/html/virtual.5.html
+++ b/postfix/html/virtual.5.html
@@ -209,7 +209,7 @@ VIRTUAL(5)                                                          VIRTUAL(5)
        lookups are directed to a TCP-based server. For a descrip-
        tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
        <a href="tcp_table.5.html"><b>ble</b>(5)</a>.  This feature is not available up to and including
-       Postfix version 2.2.
+       Postfix version 2.3.
 
        Each lookup operation uses the entire address once.  Thus,
        <i>user@domain</i>  mail  addresses  are not broken up into their
diff --git a/postfix/implementation-notes/DSN b/postfix/implementation-notes/DSN
new file mode 100644
index 000000000..0d8158560
--- /dev/null
+++ b/postfix/implementation-notes/DSN
@@ -0,0 +1,33 @@
+Postfix DSN support implementation notes
+========================================
+
+In delivery status reports, Postfix now properly reports remote
+LMTP/SMTP server replies with Diagnostic-Type: SMTP, with the
+Diagnostic-Code: equal to the server reply, and with Remote-MTA:
+equal to the name of the remote MTA.
+
+Of course Postfix still produces the same "informal" error descriptions
+that it produced before (for example, the error text that appears
+in the first section of a bounce report).
+
+Other error reports are not in the form of SMTP-style replies.
+
+- The Postfix LMTP/SMTP client generates Diagnostic-Type: X-Postfix
+for locally generated errors (host not found, connection timed out
+etc.).  It generates Diagnostic-Type: SMTP only for replies from
+an SMTP server.
+
+- The queue manager generates Diagnostic-Type: X-Postfix for errors
+that it detects. It also receives error information from delivery
+agents and reports that information unmodified when it decides to
+"temporarily suspend" a delivery channel.
+
+- The "pipe to command" code in local(8) and pipe(8) produces
+Diagnostic-Type: X-UNIX, and Diagnostic-Code: text that is taken
+from /usr/include/sysexits.h or from the command output.
+
+- The code that delivers to mailbox produces Diagnostic-Type:
+X-Postfix and Diagnostic-Code: text that is the same good old
+Postfix error message that we are already familiar with. Typically
+these are errno-style reports about locking a file or appending a
+file.
diff --git a/postfix/ENHANCED_STATUS_README b/postfix/implementation-notes/ENHANCED_STATUS_CODES
similarity index 98%
rename from postfix/ENHANCED_STATUS_README
rename to postfix/implementation-notes/ENHANCED_STATUS_CODES
index eaf9435bc..2b4c2af6f 100644
--- a/postfix/ENHANCED_STATUS_README
+++ b/postfix/implementation-notes/ENHANCED_STATUS_CODES
@@ -20,8 +20,6 @@ digit when reporting failure to look up or connect to a host. For
 convenience, the SMTP client top-level code automatically changes
 the initial digit into '4' or '5' as appropriate.
 
-- The above two points also apply to the LMTP client.
-
 - In the SMTP server, don't worry about the initial enhanced status
 code digit when an smtpd_mumble_restriction rejects access. For
 convenience, the smtpd_check_reject() routine automatically changes
diff --git a/postfix/man/man5/access.5 b/postfix/man/man5/access.5
index 668d0c2e3..ad4f084a4 100644
--- a/postfix/man/man5/access.5
+++ b/postfix/man/man5/access.5
@@ -340,7 +340,7 @@ pattern can be interpolated as \fB$1\fR, \fB$2\fR and so on.
 This section describes how the table lookups change when lookups
 are directed to a TCP-based server. For a description of the TCP
 client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.2.
+This feature is not available up to and including Postfix version 2.3.
 
 Each lookup operation uses the entire query string once.
 Depending on the application, that string is an entire client
diff --git a/postfix/man/man5/canonical.5 b/postfix/man/man5/canonical.5
index 5ee395108..1faefbca7 100644
--- a/postfix/man/man5/canonical.5
+++ b/postfix/man/man5/canonical.5
@@ -166,7 +166,7 @@ pattern can be interpolated as \fB$1\fR, \fB$2\fR and so on.
 This section describes how the table lookups change when lookups
 are directed to a TCP-based server. For a description of the TCP
 client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.2.
+This feature is not available up to and including Postfix version 2.3.
 
 Each lookup operation uses the entire address once.  Thus,
 \fIuser@domain\fR mail addresses are not broken up into their
diff --git a/postfix/man/man5/generic.5 b/postfix/man/man5/generic.5
index 5aa6172d4..e0ec31a84 100644
--- a/postfix/man/man5/generic.5
+++ b/postfix/man/man5/generic.5
@@ -150,7 +150,7 @@ pattern can be interpolated as \fB$1\fR, \fB$2\fR and so on.
 This section describes how the table lookups change when lookups
 are directed to a TCP-based server. For a description of the TCP
 client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.2.
+This feature is not available up to and including Postfix version 2.3.
 
 Each lookup operation uses the entire address once.  Thus,
 \fIuser@domain\fR mail addresses are not broken up into their
diff --git a/postfix/man/man5/master.5 b/postfix/man/man5/master.5
index dddb6d43a..012b1331a 100644
--- a/postfix/man/man5/master.5
+++ b/postfix/man/man5/master.5
@@ -126,16 +126,15 @@ most of the purpose of having that service in the first
 place.
 .sp
 The files in the examples/chroot-setup subdirectory of the
-Postfix source archive describe how to set up a Postfix
-chroot environment for your type of machine, and
-BASIC_CONFIGURATION_README discusses issues related to
-running daemons chrooted.
+Postfix source archive show set up a Postfix chroot environment
+on a variety of systems. See also BASIC_CONFIGURATION_README
+for issues related to running daemons chrooted.
 .IP "\fBWake up time (default: 0)\fR"
 Automatically wake up the named service after the specified
 number of seconds. The wake up is implemented by connecting
 to the service and sending a wake up request.  A ? at the
-end of the wake-up time field requests that wake up events
-be sent only to services that are actually being used.
+end of the wake-up time field requests that no wake up
+events be sent before the service is used.
 Specify 0 for no automatic wake up.
 .sp
 The \fBpickup\fR(8), \fBqmgr\fR(8) and \fBflush\fR(8)
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index 4a364a45d..69f3c1824 100644
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -559,7 +559,8 @@ $virtual_alias_domains, or $virtual_mailbox_domains.  By default,
 the Postfix SMTP client returns such mail as undeliverable.
 .PP
 Specify, for example, "best_mx_transport = local" to pass the mail
-from the SMTP client to the \fBlocal\fR(8) delivery agent. You can specify
+from the Postfix SMTP client to the \fBlocal\fR(8) delivery agent. You
+can specify
 any message delivery "transport" or "transport:nexthop" that is
 defined in the master.cf file. See the \fBtransport\fR(5) manual page
 for the syntax and meaning of "transport" or "transport:nexthop".
@@ -1525,7 +1526,8 @@ for IPv6.
 .PP
 A better solution for multi-homed firewalls is to leave inet_interfaces
 at the default value and instead use explicit IP addresses in
-the master.cf SMTP server definitions.  This preserves the SMTP client's
+the master.cf SMTP server definitions.  This preserves the Postfix
+SMTP client's
 loop detection, by ensuring that each side of the firewall knows that the
 other IP address is still the same host. Setting $inet_interfaces to a
 single IPv4 and/or IPV6 address is primarily useful with virtual
@@ -1600,6 +1602,22 @@ and via the \fBpipe\fR(8) and \fBvirtual\fR(8) delivery agents.
 .PP
 Warning: with concurrency of 1, one bad message can be enough to
 block all mail to a site.
+.SH internal_mail_filter_classes (default: empty)
+What categories of Postfix-generated mail are subject to
+before-queue content inspection by non_smtpd_milters, header_checks
+and body_checks.  Specify zero or more of the following, separated
+by whitespace or comma.
+.IP "\fB bounce \fR"
+Inspect the content of delivery
+status notifications.
+.IP "\fB notify \fR"
+Inspect the content of postmaster
+notifications by the \fBsmtp\fR(8) and \fBsmtpd\fR(8) processes.
+.PP
+NOTE: It's generally not safe to enable content inspection of
+Postfix-generated email messages. The user is warned.
+.PP
+This feature is available in Postfix 2.3 and later.
 .SH invalid_hostname_reject_code (default: 501)
 The numerical Postfix SMTP server response code when the client
 HELO or EHLO command parameter is rejected by the reject_invalid_helo_hostname
@@ -1883,6 +1901,11 @@ Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
 The default time unit is s (seconds).
 .SH lmtp_sasl_auth_enable (default: no)
 Enable SASL authentication in the Postfix LMTP client.
+.SH lmtp_sasl_auth_enforce (default: yes)
+The LMTP-specific version of the smtp_sasl_auth_enforce
+configuration parameter.  See there for details.
+.PP
+This feature is available in Postfix 2.3 and later.
 .SH lmtp_sasl_mechanism_filter (default: empty)
 The LMTP-specific version of the smtp_sasl_mechanism_filter
 configuration parameter.  See there for details.
@@ -2227,8 +2250,8 @@ Technically, tables listed with $local_recipient_maps are used as
 lists: Postfix needs to know only if a lookup string is found or
 not, but it does not use the result from table lookup.
 .PP
-If this parameter is non-empty (the default), then the Postfix SMTP server
-will reject mail for unknown local users.
+If this parameter is non-empty (the default), then the Postfix SMTP
+server will reject mail for unknown local users.
 .PP
 To turn off local recipient checking in the Postfix SMTP server,
 specify "local_recipient_maps =" (i.e. empty).
@@ -3759,8 +3782,8 @@ With "smtp_always_send_ehlo = no", Postfix sends EHLO only when
 the word "ESMTP" appears in the server greeting banner (example:
 220 spike.porcupine.org ESMTP Postfix).
 .SH smtp_bind_address (default: empty)
-An optional numerical network address that the SMTP client should
-bind to when making an IPv4 connection.
+An optional numerical network address that the Postfix SMTP client
+should bind to when making an IPv4 connection.
 .PP
 This can be specified in the main.cf file for all SMTP clients, or
 it can be specified in the master.cf file for a specific client,
@@ -3784,8 +3807,8 @@ inet_interfaces documentation for more detail.
 Note 2: address information may be enclosed inside [],
 but this form is not recommended here.
 .SH smtp_bind_address6 (default: empty)
-An optional numerical network address that the SMTP client should
-bind to when making an IPv6 connection.
+An optional numerical network address that the Postfix SMTP client
+should bind to when making an IPv6 connection.
 .PP
 This feature is available in Postfix 2.2 and later.
 .PP
@@ -3824,7 +3847,8 @@ This feature is available in Postfix 2.2.9 and later.
 The SMTP client time limit for completing a TCP connection, or
 zero (use the operating system built-in time limit).
 .PP
-When no connection can be made within the deadline, the SMTP client
+When no connection can be made within the deadline, the Postfix
+SMTP client
 tries the next address on the mail exchanger list. Specify 0 to
 disable the time limit (i.e. use whatever timeout is implemented by
 the operating system).
@@ -3946,7 +3970,7 @@ The default time unit is s (seconds).
 .SH smtp_data_xfer_timeout (default: 180s)
 The SMTP client time limit for sending the SMTP message content.
 When the connection makes no progress for more than $smtp_data_xfer_timeout
-seconds the SMTP client terminates the transfer.
+seconds the Postfix SMTP client terminates the transfer.
 .PP
 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
 The default time unit is s (seconds).
@@ -3978,7 +4002,7 @@ into concurrency per recipient.
 .SH smtp_discard_ehlo_keyword_address_maps (default: empty)
 Lookup tables, indexed by the remote SMTP server address, with
 case insensitive lists of EHLO keywords (pipelining, starttls, auth,
-etc.) that the SMTP client will ignore in the EHLO response from a
+etc.) that the Postfix SMTP client will ignore in the EHLO response from a
 remote SMTP server. See smtp_discard_ehlo_keywords for details. The
 table is not indexed by hostname for consistency with
 smtpd_discard_ehlo_keyword_address_maps.
@@ -3986,8 +4010,8 @@ smtpd_discard_ehlo_keyword_address_maps.
 This feature is available in Postfix 2.2 and later.
 .SH smtp_discard_ehlo_keywords (default: empty)
 A case insensitive list of EHLO keywords (pipelining, starttls,
-auth, etc.) that the SMTP client will ignore in the EHLO response
-from a remote SMTP server.
+auth, etc.) that the Postfix SMTP client will ignore in the EHLO
+response from a remote SMTP server.
 .PP
 This feature is available in Postfix 2.2 and later.
 .PP
@@ -4075,7 +4099,7 @@ and for receiving the initial server response.
 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
 The default time unit is s (seconds).
 .SH smtp_host_lookup (default: dns)
-What mechanisms when the SMTP client uses to look up a host's IP
+What mechanisms when the Postfix SMTP client uses to look up a host's IP
 address.  This parameter is ignored when DNS lookups are disabled.
 .PP
 Specify one of the following:
@@ -4194,6 +4218,13 @@ smtp_sasl_auth_enable = yes
 .fi
 .ad
 .ft R
+.SH smtp_sasl_auth_enforce (default: yes)
+If sender-dependent SASL passwords are turned off, defer mail
+delivery when an SMTP server does not support SASL authentication,
+while smtp_sasl_password_maps contains SASL login/password information
+for that server.
+.PP
+This feature is available in Postfix 2.3 and later.
 .SH smtp_sasl_mechanism_filter (default: empty)
 If non-empty, a Postfix SMTP client filter for the remote SMTP
 server's list of offered SASL mechanisms.  Different client and
@@ -4284,8 +4315,8 @@ for authentication.  The available types are listed with the
 .PP
 This feature is available in Postfix 2.3 and later.
 .SH smtp_send_xforward_command (default: no)
-Send the non-standard XFORWARD command when the Postfix SMTP server EHLO
-response announces XFORWARD support.
+Send the non-standard XFORWARD command when the Postfix SMTP server
+EHLO response announces XFORWARD support.
 .PP
 This allows an "smtp" delivery agent, used for injecting mail into
 a content filter, to forward the name, address, protocol and HELO
@@ -4295,7 +4326,7 @@ localhost[127.0.0.1] etc.
 .PP
 This feature is available in Postfix 2.1 and later.
 .SH smtp_sender_dependent_authentication (default: no)
-Enable sender-dependent authentication in the SMTP client; this is
+Enable sender-dependent authentication in the Postfix SMTP client; this is
 available only with SASL authentication, and disables SMTP connection
 caching to ensure that mail from different senders will use the
 appropriate credentials.
@@ -4424,7 +4455,7 @@ smtp_tls_cert_file = /etc/postfix/client.pem
 This feature is available in Postfix 2.2 and later.
 .SH smtp_tls_cipherlist (default: empty)
 Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
-cipher list. As this feature applies to all security levels, it is easy
+cipher list. As this feature applies to all TLS security levels, it is easy
 to create inter-operability problems by choosing a non-default cipher
 list. Do not use a non-default TLS cipher list on hosts that deliver email
 to the public Internet: you will be unable to send email to servers that
@@ -4463,7 +4494,7 @@ specified with $smtp_tls_cert_file.
 .PP
 This feature is available in Postfix 2.2 and later.
 .SH smtp_tls_enforce_peername (default: yes)
-When TLS encryption is enforced, require that the remote SMTP
+With mandatory TLS encryption, require that the remote SMTP
 server hostname matches the information in the remote SMTP server
 certificate.  As of RFC 2487 the requirements for hostname checking
 for MTA clients are not specified.
@@ -4480,8 +4511,9 @@ CommonName of this attacker will be logged).
 This feature is available in Postfix 2.2 and later. With
 Postfix 2.3 and later use smtp_tls_security_level instead.
 .SH smtp_tls_exclude_ciphers (default: empty)
-List of ciphers or cipher types to exclude from the SMTP client cipher
-list at all security levels. This is not an OpenSSL cipherlist, it is
+List of ciphers or cipher types to exclude from the Postfix
+SMTP client cipher
+list at all TLS security levels. This is not an OpenSSL cipherlist, it is
 a simple list separated by whitespace and/or commas. The elements are a
 single cipher, or one or more "+" separated cipher properties, in which
 case only ciphers matching \fBall\fR the properties are excluded.
@@ -4549,12 +4581,13 @@ loglevel 4 is strongly discouraged.
 .PP
 This feature is available in Postfix 2.2 and later.
 .SH smtp_tls_mandatory_ciphers (default: medium)
-The minimum SMTP client TLS cipher grade that is strong enough to
-be used with the "encrypt" security level and higher.  The default
-value "medium" is suitable for most destinations with which you may
-want to enforce TLS, and is beyond the reach of today's crypt-analytic
-methods. See smtp_tls_policy_maps for information on how to configure
-ciphers on a per-destination basis.
+The minimum TLS cipher grade that the Postfix SMTP client will
+use with
+mandatory TLS encryption.  The default value "medium" is suitable
+for most destinations with which you may want to enforce TLS, and
+is beyond the reach of today's crypt-analytic methods. See
+smtp_tls_policy_maps for information on how to configure ciphers
+on a per-destination basis.
 .PP
 The following cipher grades are supported:
 .IP "\fBexport\fR"
@@ -4610,16 +4643,15 @@ encryption or authentication).
 .PP
 This feature is available in Postfix 2.3 and later.
 .SH smtp_tls_mandatory_exclude_ciphers (default: empty)
-List of ciphers or cipher types to exclude from the SMTP client
-cipher list at the mandatory TLS security levels: "encrypt", "verify"
-and "secure". See smtp_tls_exclude_ciphers for syntax details. When
-both "exclude" parameters are defined, the combined list of ciphers is
-excluded (provided the TLS security level is "encrypt" or higher).
+Additional list of ciphers or cipher types to exclude from the
+SMTP client cipher list at mandatory TLS security levels. This list
+works in addition to the exclusions listed with smtp_tls_exclude_ciphers
+(see there for syntax details).
 .PP
 This feature is available in Postfix 2.3 and later.
 .SH smtp_tls_mandatory_protocols (default: SSLv3, TLSv1)
-List of TLS protocol versions that are secure enough to be used
-with the "encrypt" security level and higher. In main.cf the values
+List of TLS protocols that the Postfix SMTP client will use
+with mandatory TLS encryption.  In main.cf the values
 are separated by whitespace, commas or colons. In the policy table
 (see smtp_tls_policy_maps) the only valid separator is colon. An
 empty value means allow all protocols. The valid protocol names,
@@ -4873,9 +4905,9 @@ example.net     secure match=example.com:.example.com
 .PP
 This feature is available in Postfix 2.3 and later.
 .SH smtp_tls_security_level (default: empty)
-The default SMTP TLS security level for all destinations; when
-a non-empty value is specified, this overrides the obsolete parameters
-smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
+The default SMTP TLS security level for the Postfix SMTP client;
+when a non-empty value is specified, this overrides the obsolete
+parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
 .PP
 Specify one of the following security levels:
 .IP "\fBnone\fR"
@@ -5610,19 +5642,20 @@ This feature is available in Postfix 2.2 and later.
 .PP
 See smtpd_data_restrictions for syntax details.
 .SH smtpd_enforce_tls (default: no)
-Enforcement mode: announce STARTTLS support to SMTP clients,
+Mandatory TLS: announce STARTTLS support to SMTP clients,
 and require that clients use TLS encryption.  According to RFC 2487
 this MUST NOT be applied in case of a publicly-referenced SMTP
 server.  This option is off by default and should be used only on
 dedicated servers.
 .PP
-Note 1: this mode implies "smtpd_tls_auth_only = yes".
+Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes".
 .PP
 Note 2: when invoked via "\fBsendmail -bs\fR", Postfix will never offer
 STARTTLS due to insufficient privileges to access the server private
 key. This is intended behavior.
 .PP
-This feature is available in Postfix 2.2 and later.
+This feature is available in Postfix 2.2 and later. With
+Postfix 2.3 and later use smtpd_tls_security_level instead.
 .SH smtpd_error_sleep_time (default: 1s)
 With Postfix version 2.1 and later: the SMTP server response delay after
 a client has made more than $smtpd_soft_error_limit errors, and
@@ -5798,7 +5831,7 @@ This list overrides any commands built into the Postfix SMTP server.
 The lookup key to be used in SMTP \fBaccess\fR(5) tables instead of the
 null sender address.
 .SH smtpd_peername_lookup (default: yes)
-Attempt to look up the SMTP client hostname, and verify that
+Attempt to look up the Postfix SMTP client hostname, and verify that
 the name matches the client IP address. A client name is set to
 "unknown" when it cannot be looked up or verified, or when name
 lookup is disabled.  Turning off name lookup reduces delays due to
@@ -6076,7 +6109,8 @@ controls the name of the SASL configuration file. The default value
 is \fBsmtpd\fR, corresponding to a SASL configuration file named
 \fBsmtpd.conf\fR.
 .PP
-This feature is available in Postfix 2.1 and later.
+This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3
+it was renamed to smtpd_sasl_path.
 .SH smtpd_sasl_auth_enable (default: no)
 Enable SASL authentication in the Postfix SMTP server. By default,
 the Postfix SMTP server does not use authentication.
@@ -6164,7 +6198,8 @@ the SASL plug-in implementation that is selected with
 \fBsmtpd_sasl_type\fR.  Typically this specifies the name of a
 configuration file or rendezvous point.
 .PP
-This feature is available in Postfix 2.3 and later.
+This feature is available in Postfix 2.3 and later. In earlier
+releases it was called smtpd_sasl_application.
 .SH smtpd_sasl_security_options (default: noanonymous)
 SASL security options; as of Postfix 2.3 the list of available
 features depends on the SASL server implementation that is selected
@@ -6457,15 +6492,15 @@ able to authenticate the server, but unless it is running Postfix 2.3 or
 similar software, it will still insist on a server certificate.
 .PP
 For servers that are \fBnot\fR public Internet MX hosts, Postfix
-2.3 supports configurations with no certificates. This entails the use
-of just the anonymous TLS ciphers, which are not supported by typical
-SMTP clients. Since such clients will not, as a rule, fall back to plain
-text after a TLS handshake failure, the server will be unable to receive
-email from TLS enabled clients. To avoid accidental configurations with
-no certificates, Postfix 2.3 enables certificate-less operation only
-when the administrator explicitly sets "smtpd_tls_cert_file = none". This
-ensures that new Postfix configurations with just "smtpd_use_tls = yes"
-added, will not accidentally run with no certificates.
+2.3 supports configurations with no certificates. This entails the
+use of just the anonymous TLS ciphers, which are not supported by
+typical SMTP clients. Since such clients will not, as a rule, fall
+back to plain text after a TLS handshake failure, the server will
+be unable to receive email from TLS enabled clients. To avoid
+accidental configurations with no certificates, Postfix 2.3 enables
+certificate-less operation only when the administrator explicitly
+sets "smtpd_tls_cert_file = none". This ensures that new Postfix
+configurations will not accidentally run with no certificates.
 .PP
 Both RSA and DSA certificates are supported.  When both types
 are present, the cipher used determines which certificate will be
@@ -6516,67 +6551,7 @@ clients.
 \fBNote:\fR do not use "" quotes around the parameter value.
 .PP
 This feature is available with Postfix version 2.2. It is not used with
-Postfix 2.3 and later; use smtpd_tls_ciphers instead.
-.SH smtpd_tls_ciphers (default: export)
-The minimum acceptable SMTP server TLS cipher grade. It is easy to
-create inter-operability problems by choosing a non-default cipher grade.
-Do not use a stronger than default minimum cipher grade for MX hosts on
-the public Internet. Clients that begin the TLS handshake, but are unable
-to agree on a common cipher, may not be able to send any email to the
-SMTP server. Using a restricted cipher list may be more appropriate for a
-dedicated MSA or an internal mailhub, where one can exert some control over
-the TLS software and settings of the connecting clients. Configurations
-with no certificates are also not likely to inter-operate with most
-clients, see the notes for "smtpd_tls_cert_file".
-.PP
-The following cipher grades are supported:
-.IP "\fBexport\fR"
-Enable the mainstream "EXPORT" grade or better OpenSSL ciphers.
-This is the most appropriate setting for public MX hosts. The underlying
-cipherlist is specified via the tls_export_cipherlist configuration
-parameter, which you are strongly encouraged to not change. The default
-value of tls_export_cipherlist includes anonymous ciphers, but these
-are automatically filtered out if the server is configured to ask for
-client certificates. If you must always exclude anonymous ciphers,
-set "smtpd_tls_exclude_ciphers = aNULL".
-.IP "\fBlow\fR"
-Enable the mainstream "LOW" grade or better OpenSSL ciphers.  This
-setting is only appropriate for internal mail servers.  The underlying
-cipherlist is specified via the tls_low_cipherlist configuration
-parameter, which you are strongly encouraged to not change. The default
-value of tls_low_cipherlist includes anonymous ciphers, but these
-are automatically filtered out if the server is configured to ask for
-client certificates. If you must always exclude anonymous ciphers,
-set "smtpd_tls_exclude_ciphers = aNULL".
-.IP "\fBmedium\fR"
-Enable the mainstream "MEDIUM" grade or better OpenSSL ciphers.  This
-setting is only appropriate for internal mail servers.  The underlying
-cipherlist is specified via the tls_medium_cipherlist configuration
-parameter, which you are strongly encouraged to not change. The default
-value of tls_medium_cipherlist includes anonymous ciphers, but these
-are automatically filtered out if the server is configured to ask for
-client certificates. If you must always exclude anonymous ciphers,
-set "smtpd_tls_exclude_ciphers = aNULL".
-.IP "\fBhigh\fR"
-Enable only the mainstream "HIGH" grade OpenSSL ciphers.  This
-setting is only appropriate for internal mail servers.  The underlying
-cipherlist is specified via the tls_high_cipherlist configuration
-parameter, which you are strongly encouraged to not change. The default
-value of tls_high_cipherlist includes anonymous ciphers, but these
-are automatically filtered out if the server is configured to ask for
-client certificates. If you must always exclude anonymous ciphers, set
-"smtpd_tls_exclude_ciphers = aNULL".
-.IP "\fBnull\fR"
-Enable only the "NULL" OpenSSL ciphers, these provide authentication
-without encryption.  This setting is only appropriate in the rare
-case that all clients are prepared to use NULL ciphers (not normally
-enabled in TLS clients). The underlying cipherlist is specified via the
-tls_null_cipherlist configuration parameter, which you are strongly
-encouraged to not change. The default value of tls_null_cipherlist
-excludes anonymous ciphers (OpenSSL 0.9.8 has NULL ciphers that offer
-data integrity without encryption or authentication).
-.PP
-This feature is available in Postfix 2.3 and later.
+Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead.
 .SH smtpd_tls_dcert_file (default: empty)
 File with the Postfix SMTP server DSA certificate in PEM format.
 This file may also contain the server private key.
@@ -6612,7 +6587,7 @@ openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024
 .PP
 Your actual source for entropy may differ. Some systems have
 /dev/random; on other system you may consider using the "Entropy
-Gathering Daemon EGD", available at http://www.lothar.com/tech/crypto/.
+Gathering Daemon EGD", available at http://egd.sourceforge.net/
 .PP
 Example:
 .PP
@@ -6654,10 +6629,12 @@ must be accessible without password.
 This feature is available in Postfix 2.2 and later.
 .SH smtpd_tls_exclude_ciphers (default: empty)
 List of ciphers or cipher types to exclude from the SMTP server
-cipher list. This is not an OpenSSL cipherlist; it is a simple list
-separated by whitespace and/or commas. The elements are a single
-cipher, or one or more "+" separated cipher properties, in which
-case only ciphers matching \fBall\fR the properties are excluded.
+cipher list at all TLS security levels. Excluding valid ciphers
+can create interoperability problems. DO NOT exclude ciphers unless it
+is essential to do so. This is not an OpenSSL cipherlist; it is a simple
+list separated by whitespace and/or commas. The elements are a single
+cipher, or one or more "+" separated cipher properties, in which case
+only ciphers matching \fBall\fR the properties are excluded.
 .PP
 Examples (some of these will cause problems):
 .PP
@@ -6709,25 +6686,95 @@ Use "smtpd_tls_loglevel = 3" only in case of problems. Use of
 loglevel 4 is strongly discouraged.
 .PP
 This feature is available in Postfix 2.2 and later.
-.SH smtpd_tls_protocols (default: empty)
-The list of TLS protocols supported by the server. If empty the
-default list of protocols is used (i.e. all TLS protocol versions are
-supported). Any non-empty value is interpreted as a list of protocol
-names separated by whitespace, commas or colons. The supported protocol
-names are "SSLv2", "SSLv3" and "TLSv1", and are not
-case-sensitive.
-.PP
-DO NOT set this to a non-default value on an MX-host,
-as some clients may not support any of the narrower set of protocols,
-and may be unable to fallback to plaintext sessions. If you restrict
-the protocol list on an MX host, you may lose mail.
+.SH smtpd_tls_mandatory_ciphers (default: medium)
+The minimum TLS cipher grade that the Postfix SMTP server will
+use with mandatory
+TLS encryption. Cipher types listed in smtpd_tls_mandatory_exclude_ciphers
+or smtpd_tls_exclude_ciphers are excluded from the base definition
+of the selected cipher grade. With opportunistic TLS encryption,
+the "export" grade is used unconditionally with exclusions specified
+only via smtpd_tls_exclude_ciphers.
+.PP
+The following cipher grades are supported:
+.IP "\fBexport\fR"
+Enable the mainstream "EXPORT" grade or better OpenSSL ciphers.
+This is the most appropriate setting for public MX hosts, and is always
+used with opportunistic TLS encryption. The underlying cipherlist
+is specified via the tls_export_cipherlist configuration parameter,
+which you are strongly encouraged to not change. The default value
+of tls_export_cipherlist includes anonymous ciphers, but these are
+automatically filtered out if the server is configured to ask for
+client certificates. If you must always exclude anonymous ciphers,
+set "smtpd_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers
+only when TLS is enforced, set "smtpd_tls_mandatory_exclude_ciphers =
+aNULL".
+.IP "\fBlow\fR"
+Enable the mainstream "LOW" grade or better OpenSSL ciphers. The
+underlying cipherlist is specified via the tls_low_cipherlist
+configuration parameter, which you are strongly encouraged to
+not change. The default value of tls_low_cipherlist includes
+anonymous ciphers, but these are automatically filtered out if the
+server is configured to ask for client certificates. If you must
+always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers =
+aNULL". To exclude anonymous ciphers only when TLS is enforced, set
+"smtpd_tls_mandatory_exclude_ciphers = aNULL".
+.IP "\fBmedium\fR"
+Enable the mainstream "MEDIUM" grade or better OpenSSL ciphers. These
+are essentially the 128-bit or stronger ciphers. This is the default
+minimum strength for mandatory TLS encryption. MSAs that enforce
+TLS and have clients that do not support any "MEDIUM" or "HIGH"
+grade ciphers, may need to configure a weaker ("low" or "export")
+minimum cipher grade. The underlying cipherlist is specified via the
+tls_medium_cipherlist configuration parameter, which you are strongly
+encouraged to not change. The default value of tls_medium_cipherlist
+includes anonymous ciphers, but these are automatically filtered out if
+the server is configured to ask for client certificates. If you must
+always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers =
+aNULL". To exclude anonymous ciphers only when TLS is enforced, set
+"smtpd_tls_mandatory_exclude_ciphers = aNULL".
+.IP "\fBhigh\fR"
+Enable only the mainstream "HIGH" grade OpenSSL ciphers. The
+underlying cipherlist is specified via the tls_high_cipherlist
+configuration parameter, which you are strongly encouraged to
+not change. The default value of tls_high_cipherlist includes
+anonymous ciphers, but these are automatically filtered out if the
+server is configured to ask for client certificates. If you must
+always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers =
+aNULL". To exclude anonymous ciphers only when TLS is enforced, set
+"smtpd_tls_mandatory_exclude_ciphers = aNULL".
+.IP "\fBnull\fR"
+Enable only the "NULL" OpenSSL ciphers, these provide authentication
+without encryption.  This setting is only appropriate in the rare
+case that all clients are prepared to use NULL ciphers (not normally
+enabled in TLS clients). The underlying cipherlist is specified via the
+tls_null_cipherlist configuration parameter, which you are strongly
+encouraged to not change. The default value of tls_null_cipherlist
+excludes anonymous ciphers (OpenSSL 0.9.8 has NULL ciphers that offer
+data integrity without encryption or authentication).
+.PP
+This feature is available in Postfix 2.3 and later.
+.SH smtpd_tls_mandatory_exclude_ciphers (default: empty)
+Additional list of ciphers or cipher types to exclude from the
+SMTP server cipher list at mandatory TLS security levels. This list
+works in addition to the exclusions listed with smtpd_tls_exclude_ciphers
+(see there for syntax details).
+.PP
+This feature is available in Postfix 2.3 and later.
+.SH smtpd_tls_mandatory_protocols (default: SSLv3, TLSv1)
+The TLS protocols accepted by the Postfix SMTP server with
+mandatory TLS encryption.  With opportunistic TLS encryption, all
+protocols are always accepted. If the list is empty, the server
+supports all available TLS protocol versions.  A non-empty value
+is a list of protocol names separated by whitespace, commas or
+colons. The supported protocol names are "SSLv2", "SSLv3" and
+"TLSv1", and are not case sensitive.
 .PP
 Example:
 .PP
 .nf
 .na
 .ft C
-smtpd_tls_protocols = SSLv3, TLSv1
+smtpd_tls_mandatory_protocols = SSLv3, TLSv1
 .fi
 .ad
 .ft R
@@ -6743,7 +6790,7 @@ that was recorded by the final destination can be trusted.
 .PP
 This feature is available in Postfix 2.2 and later.
 .SH smtpd_tls_req_ccert (default: no)
-When TLS encryption is enforced, require a remote SMTP client
+With mandatory TLS encryption, require a remote SMTP client
 certificate in order to allow TLS connections to proceed.  This
 option implies "smtpd_tls_ask_ccert = yes".
 .PP
@@ -6751,6 +6798,39 @@ When TLS encryption is optional, this setting is ignored with
 a warning written to the mail log.
 .PP
 This feature is available in Postfix 2.2 and later.
+.SH smtpd_tls_security_level (default: empty)
+The SMTP TLS security level for the Postfix SMTP server; when
+a non-empty value is specified, this overrides the obsolete parameters
+smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with
+"smtpd_tls_wrappermode = yes".
+.PP
+Specify one of the following security levels:
+.IP "\fBnone\fR"
+TLS will not be used.
+.IP "\fBmay\fR"
+Opportunistic TLS: announce STARTTLS support
+to SMTP clients, but do not require that clients use TLS encryption.
+.IP "\fBencrypt\fR"
+Mandatory TLS encryption: announce
+STARTTLS support to SMTP clients, and require that clients use TLS
+encryption. According to RFC 2487 this MUST NOT be applied in case
+of a publicly-referenced SMTP server. Instead, this option should
+be used only on dedicated servers.
+.PP
+Note 1: the "verify" and "secure" levels are not supported.
+The Postfix SMTP server logs a warning and uses "encrypt" instead.
+To verify SMTP client certificates, see TLS_README for a discussion
+of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and permit_tls_clientcerts
+features.
+.PP
+Note 2: The parameter setting "smtpd_tls_security_level =
+encrypt" implies "smtpd_tls_auth_only = yes".
+.PP
+Note 3: when invoked via "sendmail -bs", Postfix will never
+offer STARTTLS due to insufficient privileges to access the server
+private key. This is intended behavior.
+.PP
+This feature is available in Postfix 2.3 and later.
 .SH smtpd_tls_session_cache_database (default: empty)
 Name of the file containing the optional Postfix SMTP server
 TLS session cache. Specify a database type that supports enumeration,
@@ -6799,14 +6879,15 @@ purpose.
 .PP
 This feature is available in Postfix 2.2 and later.
 .SH smtpd_use_tls (default: no)
-Opportunistic mode: announce STARTTLS support to SMTP clients,
+Opportunistic TLS: announce STARTTLS support to SMTP clients,
 but do not require that clients use TLS encryption.
 .PP
 Note: when invoked via "\fBsendmail -bs\fR", Postfix will never offer
 STARTTLS due to insufficient privileges to access the server private
 key. This is intended behavior.
 .PP
-This feature is available in Postfix 2.2 and later.
+This feature is available in Postfix 2.2 and later. With
+Postfix 2.3 and later use smtpd_tls_security_level instead.
 .SH soft_bounce (default: no)
 Safety net to keep mail queued that would otherwise be returned to
 the sender.  This parameter disables locally-generated bounces,
@@ -6933,7 +7014,7 @@ bytes (equivalent to 256 bits) is sufficient to generate a 128bit
 This feature is available in Postfix 2.2 and later.
 .SH tls_export_cipherlist (default: ALL:+RC4:@STRENGTH)
 The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This
-defines the meaning of the "export" setting in smtpd_tls_ciphers,
+defines the meaning of the "export" setting in smtpd_tls_mandatory_ciphers,
 smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is
 the cipherlist for the opportunistic ("may") TLS client security
 level and is the default cipherlist for the SMTP server. You are
@@ -6942,21 +7023,21 @@ strongly encouraged to not change this setting.
 This feature is available in Postfix 2.3 and later.
 .SH tls_high_cipherlist (default: !EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH)
 The OpenSSL cipherlist for "HIGH" grade ciphers. This defines
-the meaning of the "high" setting in smtpd_tls_ciphers,
+the meaning of the "high" setting in smtpd_tls_mandatory_ciphers,
 smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
 strongly encouraged to not change this setting.
 .PP
 This feature is available in Postfix 2.3 and later.
 .SH tls_low_cipherlist (default: !EXPORT:ALL:+RC4:@STRENGTH)
 The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines
-the meaning of the "low" setting in smtpd_tls_ciphers,
+the meaning of the "low" setting in smtpd_tls_mandatory_ciphers,
 smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
 strongly encouraged to not change this setting.
 .PP
 This feature is available in Postfix 2.3 and later.
 .SH tls_medium_cipherlist (default: !EXPORT:!LOW:ALL:+RC4:@STRENGTH)
 The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers. This
-defines the meaning of the "medium" setting in smtpd_tls_ciphers,
+defines the meaning of the "medium" setting in smtpd_tls_mandatory_ciphers,
 smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is
 the default cipherlist for mandatory TLS encryption in the TLS
 client (with anonymous ciphers disabled when verifying server
@@ -6967,7 +7048,7 @@ This feature is available in Postfix 2.3 and later.
 .SH tls_null_cipherlist (default: !aNULL:eNULL+kRSA)
 The OpenSSL cipherlist for "NULL" grade ciphers that provide
 authentication without encryption. This defines the meaning of the "null"
-setting in smtpd_tls_ciphers, smtp_tls_mandatory_ciphers and
+setting in smtpd_mandatory_tls_ciphers, smtp_tls_mandatory_ciphers and
 lmtp_tls_mandatory_ciphers.  You are strongly encouraged to not
 change this setting.
 .PP
diff --git a/postfix/man/man5/relocated.5 b/postfix/man/man5/relocated.5
index 67f42ad1c..e1d65a2d6 100644
--- a/postfix/man/man5/relocated.5
+++ b/postfix/man/man5/relocated.5
@@ -98,7 +98,7 @@ directed to a TCP-based server. For a description of regular
 expression lookup table syntax, see \fBregexp_table\fR(5) or
 \fBpcre_table\fR(5). For a description of the TCP client/server
 table lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.2.
+This feature is not available up to and including Postfix version 2.3.
 
 Each pattern is a regular expression that is applied to the entire
 address being looked up. Thus, \fIuser@domain\fR mail addresses are not
@@ -119,7 +119,7 @@ pattern can be interpolated as \fB$1\fR, \fB$2\fR and so on.
 This section describes how the table lookups change when lookups
 are directed to a TCP-based server. For a description of the TCP
 client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.2.
+This feature is not available up to and including Postfix version 2.3.
 
 Each lookup operation uses the entire address once.  Thus,
 \fIuser@domain\fR mail addresses are not broken up into their
diff --git a/postfix/man/man5/transport.5 b/postfix/man/man5/transport.5
index e9a286495..e37cfe151 100644
--- a/postfix/man/man5/transport.5
+++ b/postfix/man/man5/transport.5
@@ -249,7 +249,7 @@ pattern can be interpolated as \fB$1\fR, \fB$2\fR and so on.
 This section describes how the table lookups change when lookups
 are directed to a TCP-based server. For a description of the TCP
 client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.2.
+This feature is not available up to and including Postfix version 2.3.
 
 Each lookup operation uses the entire recipient address once.  Thus,
 \fIsome.domain.hierarchy\fR is not looked up via its parent domains,
diff --git a/postfix/man/man5/virtual.5 b/postfix/man/man5/virtual.5
index 804ae9d62..0ea07d0af 100644
--- a/postfix/man/man5/virtual.5
+++ b/postfix/man/man5/virtual.5
@@ -221,7 +221,7 @@ pattern can be interpolated as \fB$1\fR, \fB$2\fR and so on.
 This section describes how the table lookups change when lookups
 are directed to a TCP-based server. For a description of the TCP
 client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.2.
+This feature is not available up to and including Postfix version 2.3.
 
 Each lookup operation uses the entire address once.  Thus,
 \fIuser@domain\fR mail addresses are not broken up into their
diff --git a/postfix/man/man8/bounce.8 b/postfix/man/man8/bounce.8
index 8d5d0e30c..0e100933b 100644
--- a/postfix/man/man8/bounce.8
+++ b/postfix/man/man8/bounce.8
@@ -41,10 +41,11 @@ themselves, and that depend on retry logic in their own client.
 .na
 .nf
 RFC 822 (ARPA Internet Text Messages)
+RFC 2045 (Format of Internet Message Bodies)
 RFC 2822 (ARPA Internet Text Messages)
 RFC 3462 (Delivery Status Notifications)
 RFC 3464 (Delivery Status Notifications)
-RFC 2045 (Format of Internet Message Bodies)
+RFC 3834 (Auto-Submitted: message header)
 .SH DIAGNOSTICS
 .ad
 .fi
@@ -94,6 +95,10 @@ file or \fBbounce\fR(8) logfile.
 .IP "\fBipc_timeout (3600s)\fR"
 The time limit for sending or receiving information over an internal
 communication channel.
+.IP "\fBinternal_mail_filter_classes (empty)\fR"
+What categories of Postfix-generated mail are subject to
+before-queue content inspection by non_smtpd_milters, header_checks
+and body_checks.
 .IP "\fBmail_name (Postfix)\fR"
 The mail system name that is displayed in Received: headers, in
 the SMTP greeting banner, and in bounced mail.
diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8
index d7ae64655..942f20c76 100644
--- a/postfix/man/man8/smtp.8
+++ b/postfix/man/man8/smtp.8
@@ -192,12 +192,12 @@ Available in Postfix version 2.2 and later:
 .IP "\fBsmtp_discard_ehlo_keyword_address_maps (empty)\fR"
 Lookup tables, indexed by the remote SMTP server address, with
 case insensitive lists of EHLO keywords (pipelining, starttls, auth,
-etc.) that the SMTP client will ignore in the EHLO response from a
+etc.) that the Postfix SMTP client will ignore in the EHLO response from a
 remote SMTP server.
 .IP "\fBsmtp_discard_ehlo_keywords (empty)\fR"
 A case insensitive list of EHLO keywords (pipelining, starttls,
-auth, etc.) that the SMTP client will ignore in the EHLO response
-from a remote SMTP server.
+auth, etc.) that the Postfix SMTP client will ignore in the EHLO
+response from a remote SMTP server.
 .IP "\fBsmtp_generic_maps (empty)\fR"
 Optional lookup tables that perform address rewriting in the
 SMTP client, typically to transform a locally valid address into
@@ -238,8 +238,8 @@ The maximal recursion level that the MIME processor will handle.
 .fi
 Available in Postfix version 2.1 and later:
 .IP "\fBsmtp_send_xforward_command (no)\fR"
-Send the non-standard XFORWARD command when the Postfix SMTP server EHLO
-response announces XFORWARD support.
+Send the non-standard XFORWARD command when the Postfix SMTP server
+EHLO response announces XFORWARD support.
 .SH "SASL AUTHENTICATION CONTROLS"
 .na
 .nf
@@ -262,8 +262,13 @@ If non-empty, a Postfix SMTP client filter for the remote SMTP
 server's list of offered SASL mechanisms.
 .PP
 Available in Postfix version 2.3 and later:
+.IP "\fBsmtp_sasl_auth_enforce (yes)\fR"
+If sender-dependent SASL passwords are turned off, defer mail
+delivery when an SMTP server does not support SASL authentication,
+while smtp_sasl_password_maps contains SASL login/password information
+for that server.
 .IP "\fBsmtp_sender_dependent_authentication (no)\fR"
-Enable sender-dependent authentication in the SMTP client; this is
+Enable sender-dependent authentication in the Postfix SMTP client; this is
 available only with SASL authentication, and disables SMTP connection
 caching to ensure that mail from different senders will use the
 appropriate credentials.
@@ -282,9 +287,9 @@ for authentication.
 Detailed information about STARTTLS configuration may be found
 in the TLS_README document.
 .IP "\fBsmtp_tls_security_level (empty)\fR"
-The default SMTP TLS security level for all destinations; when
-a non-empty value is specified, this overrides the obsolete parameters
-smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
+The default SMTP TLS security level for the Postfix SMTP client;
+when a non-empty value is specified, this overrides the obsolete
+parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
 .IP "\fBsmtp_sasl_tls_security_options ($smtp_sasl_security_options)\fR"
 The SASL authentication security options that the Postfix SMTP
 client uses for TLS encrypted SMTP sessions.
@@ -301,15 +306,16 @@ certificate.
 .IP "\fBsmtp_tls_cert_file (empty)\fR"
 File with the Postfix SMTP client RSA certificate in PEM format.
 .IP "\fBsmtp_tls_mandatory_ciphers (medium)\fR"
-The minimum SMTP client TLS cipher grade that is strong enough to
-be used with the "encrypt" security level and higher.
+The minimum TLS cipher grade that the Postfix SMTP client will
+use with
+mandatory TLS encryption.
 .IP "\fBsmtp_tls_exclude_ciphers (empty)\fR"
-List of ciphers or cipher types to exclude from the SMTP client cipher
-list at all security levels.
+List of ciphers or cipher types to exclude from the Postfix
+SMTP client cipher
+list at all TLS security levels.
 .IP "\fBsmtp_tls_mandatory_exclude_ciphers (empty)\fR"
-List of ciphers or cipher types to exclude from the SMTP client
-cipher list at the mandatory TLS security levels: "encrypt", "verify"
-and "secure".
+Additional list of ciphers or cipher types to exclude from the
+SMTP client cipher list at mandatory TLS security levels.
 .IP "\fBsmtp_tls_dcert_file (empty)\fR"
 File with the Postfix SMTP client DSA certificate in PEM format.
 .IP "\fBsmtp_tls_dkey_file ($smtp_tls_dcert_file)\fR"
@@ -321,13 +327,6 @@ Enable additional Postfix SMTP client logging of TLS activity.
 .IP "\fBsmtp_tls_note_starttls_offer (no)\fR"
 Log the hostname of a remote SMTP server that offers STARTTLS,
 when TLS is not already enabled for that server.
-.IP "\fBsmtp_tls_policy_maps (empty)\fR"
-Optional lookup tables with the Postfix SMTP client TLS security
-policy by next-hop destination; when a non-empty value is specified,
-this overrides the obsolete smtp_tls_per_site parameter.
-.IP "\fBsmtp_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
-List of TLS protocol versions that are secure enough to be used
-with the "encrypt" security level and higher.
 .IP "\fBsmtp_tls_scert_verifydepth (5)\fR"
 The verification depth for remote SMTP server certificates.
 .IP "\fBsmtp_tls_secure_cert_match (nexthop, dot-nexthop)\fR"
@@ -378,12 +377,15 @@ STARTTLS support, otherwise send the mail in the clear.
 Enforcement mode: require that remote SMTP servers use TLS
 encryption, and never send mail in the clear.
 .IP "\fBsmtp_tls_enforce_peername (yes)\fR"
-When TLS encryption is enforced, require that the remote SMTP
+With mandatory TLS encryption, require that the remote SMTP
 server hostname matches the information in the remote SMTP server
 certificate.
 .IP "\fBsmtp_tls_per_site (empty)\fR"
 Optional lookup tables with the Postfix SMTP client TLS usage
 policy by next-hop destination and by remote SMTP server hostname.
+.IP "\fBsmtp_tls_cipherlist (empty)\fR"
+Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
+cipher list.
 .SH "RESOURCE AND RATE CONTROLS"
 .na
 .nf
@@ -476,6 +478,10 @@ by the amount specified in $debug_peer_level.
 The recipient of postmaster notifications about mail delivery
 problems that are caused by policy, resource, software or protocol
 errors.
+.IP "\fBinternal_mail_filter_classes (empty)\fR"
+What categories of Postfix-generated mail are subject to
+before-queue content inspection by non_smtpd_milters, header_checks
+and body_checks.
 .IP "\fBnotify_classes (resource, software)\fR"
 The list of error classes that are reported to the postmaster.
 .SH "MISCELLANEOUS CONTROLS"
@@ -522,17 +528,17 @@ The process name of a Postfix command or daemon process.
 The network interface addresses that this mail system receives mail
 on by way of a proxy or network address translation unit.
 .IP "\fBsmtp_bind_address (empty)\fR"
-An optional numerical network address that the SMTP client should
-bind to when making an IPv4 connection.
+An optional numerical network address that the Postfix SMTP client
+should bind to when making an IPv4 connection.
 .IP "\fBsmtp_bind_address6 (empty)\fR"
-An optional numerical network address that the SMTP client should
-bind to when making an IPv6 connection.
+An optional numerical network address that the Postfix SMTP client
+should bind to when making an IPv6 connection.
 .IP "\fBsmtp_helo_name ($myhostname)\fR"
 The hostname to send in the SMTP EHLO or HELO command.
 .IP "\fBlmtp_lhlo_name ($myhostname)\fR"
 The hostname to send in the LMTP LHLO command.
 .IP "\fBsmtp_host_lookup (dns)\fR"
-What mechanisms when the SMTP client uses to look up a host's IP
+What mechanisms when the Postfix SMTP client uses to look up a host's IP
 address.
 .IP "\fBsmtp_randomize_addresses (yes)\fR"
 Randomize the order of equal-preference MX host addresses.
diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8
index 4a2d1fe37..53ea25205 100644
--- a/postfix/man/man8/smtpd.8
+++ b/postfix/man/man8/smtpd.8
@@ -294,12 +294,10 @@ for authentication.
 .fi
 Detailed information about STARTTLS configuration may be
 found in the TLS_README document.
-.IP "\fBsmtpd_use_tls (no)\fR"
-Opportunistic mode: announce STARTTLS support to SMTP clients,
-but do not require that clients use TLS encryption.
-.IP "\fBsmtpd_enforce_tls (no)\fR"
-Enforcement mode: announce STARTTLS support to SMTP clients,
-and require that clients use TLS encryption.
+.IP "\fBsmtpd_tls_security_level (empty)\fR"
+The SMTP TLS security level for the Postfix SMTP server; when
+a non-empty value is specified, this overrides the obsolete parameters
+smtpd_use_tls and smtpd_enforce_tls.
 .IP "\fBsmtpd_sasl_tls_security_options ($smtpd_sasl_security_options)\fR"
 The SASL authentication security options that the Postfix SMTP
 server uses for TLS encrypted SMTP sessions.
@@ -322,11 +320,9 @@ connections.
 The verification depth for remote SMTP client certificates.
 .IP "\fBsmtpd_tls_cert_file (empty)\fR"
 File with the Postfix SMTP server RSA certificate in PEM format.
-.IP "\fBsmtpd_tls_ciphers (export)\fR"
-The minimum acceptable SMTP server TLS cipher grade.
 .IP "\fBsmtpd_tls_exclude_ciphers (empty)\fR"
 List of ciphers or cipher types to exclude from the SMTP server
-cipher list.
+cipher list at all TLS security levels.
 .IP "\fBsmtpd_tls_dcert_file (empty)\fR"
 File with the Postfix SMTP server DSA certificate in PEM format.
 .IP "\fBsmtpd_tls_dh1024_param_file (empty)\fR"
@@ -341,15 +337,23 @@ File with the Postfix SMTP server DSA private key in PEM format.
 File with the Postfix SMTP server RSA private key in PEM format.
 .IP "\fBsmtpd_tls_loglevel (0)\fR"
 Enable additional Postfix SMTP server logging of TLS activity.
-.IP "\fBsmtpd_tls_protocols (empty)\fR"
-The list of TLS protocols supported by the server.
+.IP "\fBsmtpd_tls_mandatory_ciphers (medium)\fR"
+The minimum TLS cipher grade that the Postfix SMTP server will
+use with mandatory
+TLS encryption.
+.IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
+Additional list of ciphers or cipher types to exclude from the
+SMTP server cipher list at mandatory TLS security levels.
+.IP "\fBsmtpd_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
+The TLS protocols accepted by the Postfix SMTP server with
+mandatory TLS encryption.
 .IP "\fBsmtpd_tls_received_header (no)\fR"
 Request that the Postfix SMTP server produces Received:  message
 headers that include information about the protocol and cipher used,
 as well as the client CommonName and client certificate issuer
 CommonName.
 .IP "\fBsmtpd_tls_req_ccert (no)\fR"
-When TLS encryption is enforced, require a remote SMTP client
+With mandatory TLS encryption, require a remote SMTP client
 certificate in order to allow TLS connections to proceed.
 .IP "\fBsmtpd_tls_session_cache_database (empty)\fR"
 Name of the file containing the optional Postfix SMTP server
@@ -375,6 +379,23 @@ The OpenSSL cipherlist for "EXPORT" or higher grade ciphers.
 .IP "\fBtls_null_cipherlist (!aNULL:eNULL+kRSA)\fR"
 The OpenSSL cipherlist for "NULL" grade ciphers that provide
 authentication without encryption.
+.SH "OBSOLETE STARTTLS CONTROLS"
+.na
+.nf
+.ad
+.fi
+The following configuration parameters exist for compatibility
+with Postfix versions before 2.3. Support for these will
+be removed in a future release.
+.IP "\fBsmtpd_use_tls (no)\fR"
+Opportunistic TLS: announce STARTTLS support to SMTP clients,
+but do not require that clients use TLS encryption.
+.IP "\fBsmtpd_enforce_tls (no)\fR"
+Mandatory TLS: announce STARTTLS support to SMTP clients,
+and require that clients use TLS encryption.
+.IP "\fBsmtpd_tls_cipherlist (empty)\fR"
+Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS
+cipher list.
 .SH "VERP SUPPORT CONTROLS"
 .na
 .nf
@@ -421,6 +442,10 @@ by the amount specified in $debug_peer_level.
 The recipient of postmaster notifications about mail delivery
 problems that are caused by policy, resource, software or protocol
 errors.
+.IP "\fBinternal_mail_filter_classes (empty)\fR"
+What categories of Postfix-generated mail are subject to
+before-queue content inspection by non_smtpd_milters, header_checks
+and body_checks.
 .IP "\fBnotify_classes (resource, software)\fR"
 The list of error classes that are reported to the postmaster.
 .IP "\fBsoft_bounce (no)\fR"
@@ -537,7 +562,7 @@ before it is flushed upon receipt of EHLO, RSET, or end of DATA.
 .PP
 Available in Postfix version 2.3 and later:
 .IP "\fBsmtpd_peername_lookup (yes)\fR"
-Attempt to look up the SMTP client hostname, and verify that
+Attempt to look up the Postfix SMTP client hostname, and verify that
 the name matches the client IP address.
 .PP
 The per SMTP client connection count and request rate limits are
diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink
index f5b803bbd..57e3c8a43 100755
--- a/postfix/mantools/postlink
+++ b/postfix/mantools/postlink
@@ -182,6 +182,7 @@ while (<>) {
     s;\bhopcount_limit\b;<a href="postconf.5.html#hopcount_limit">$&</a>;g;
     s;\bhtml_direc[-</bB>]*\n*[ <bB>]*tory\b;<a href="postconf.5.html#html_directory">$&</a>;g;
     s;\bignore_mx_lookup_error\b;<a href="postconf.5.html#ignore_mx_lookup_error">$&</a>;g;
+    s;\binternal_mail_filter_classes\b;<a href="postconf.5.html#internal_mail_filter_classes">$&</a>;g;
     s;\bimport_environment\b;<a href="postconf.5.html#import_environment">$&</a>;g;
     s;\bin_flow_delay\b;<a href="postconf.5.html#in_flow_delay">$&</a>;g;
     s;\binet_inter[-</bB>]*\n*[ <bB>]*faces\b;<a href="postconf.5.html#inet_interfaces">$&</a>;g;
@@ -252,6 +253,7 @@ while (<>) {
     s;\blmtp_rcpt_timeout\b;<a href="postconf.5.html#lmtp_rcpt_timeout">$&</a>;g;
     s;\blmtp_rset_timeout\b;<a href="postconf.5.html#lmtp_rset_timeout">$&</a>;g;
     s;\blmtp_sasl_auth_enable\b;<a href="postconf.5.html#lmtp_sasl_auth_enable">$&</a>;g;
+    s;\blmtp_sasl_auth_enforce\b;<a href="postconf.5.html#lmtp_sasl_auth_enforce">$&</a>;g;
     s;\blmtp_sasl_password_maps\b;<a href="postconf.5.html#lmtp_sasl_password_maps">$&</a>;g;
     s;\blmtp_sasl_security_options\b;<a href="postconf.5.html#lmtp_sasl_security_options">$&</a>;g;
     s;\blmtp_sasl_type\b;<a href="postconf.5.html#lmtp_sasl_type">$&</a>;g;
@@ -418,7 +420,7 @@ while (<>) {
     s;\bsmtp_rset_timeout\b;<a href="postconf.5.html#smtp_rset_timeout">$&</a>;g;
     s;\bsmtp_sasl_auth_enable\b;<a href="postconf.5.html#smtp_sasl_auth_enable">$&</a>;g;
     s;\bsmtp_sasl_mechanism_filter\b;<a href="postconf.5.html#smtp_sasl_mechanism_filter">$&</a>;g;
-    s;\bsmtp_sasl_password_maps\b;<a href="postconf.5.html#smtp_sasl_password_maps">$&</a>;g;
+    s;\bsmtp_sasl_pass[-</Bb>]*\n* *[<Bb>]*word_maps\b;<a href="postconf.5.html#smtp_sasl_password_maps">$&</a>;g;
     s;\bsmtp_sasl_path\b;<a href="postconf.5.html#smtp_sasl_path">$&</a>;g;
     s;\bsmtp_sasl_secu[-</Bb>]*\n* *[<Bb>]*rity_options\b;<a href="postconf.5.html#smtp_sasl_security_options">$&</a>;g;
     s;\bsmtp_send_xforward_command\b;<a href="postconf.5.html#smtp_send_xforward_command">$&</a>;g;
@@ -524,11 +526,13 @@ while (<>) {
     s;\bsmtp_[-</Bb>]*\n* *[<Bb>]*sasl_[-</Bb>]*\n* *[<Bb>]*tls_[-</Bb>]*\n* *[<Bb>]*secu[-</Bb>]*\n* *[<Bb>]*rity_options\b;<a href="postconf.5.html#smtp_sasl_tls_security_options">$&</a>;g;
     s;\bsmtp_sasl_tls_verified_secu[-</Bb>]*\n* *[<Bb>]*rity_options\b;<a href="postconf.5.html#smtp_sasl_tls_verified_security_options">$&</a>;g;
     s;\bsmtp_sasl_type\b;<a href="postconf.5.html#smtp_sasl_type">$&</a>;g;
+    s;\bsmtp_sasl_auth_enforce\b;<a href="postconf.5.html#smtp_sasl_auth_enforce">$&</a>;g;
     s;\bsmtp_starttls_timeout\b;<a href="postconf.5.html#smtp_starttls_timeout">$&</a>;g;
     s;\bsmtp_tls_CAfile\b;<a href="postconf.5.html#smtp_tls_CAfile">$&</a>;g;
     s;\bsmtp_tls_CApath\b;<a href="postconf.5.html#smtp_tls_CApath">$&</a>;g;
     s;\bsmtp_tls_cert_file\b;<a href="postconf.5.html#smtp_tls_cert_file">$&</a>;g;
     s;\bsmtp_tls_mandatory_ciphers\b;<a href="postconf.5.html#smtp_tls_mandatory_ciphers">$&</a>;g;
+    s;\bsmtp_tls_cipherlist\b;<a href="postconf.5.html#smtp_tls_cipherlist">$&</a>;g;
     s;\bsmtp_tls_exclude_ciphers\b;<a href="postconf.5.html#smtp_tls_exclude_ciphers">$&</a>;g;
     s;\bsmtp_tls_mandatory_exclude_ciphers\b;<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">$&</a>;g;
     s;\bsmtp_tls_dcert_file\b;<a href="postconf.5.html#smtp_tls_dcert_file">$&</a>;g;
@@ -557,15 +561,18 @@ while (<>) {
     s;\bsmtpd_tls_auth_only\b;<a href="postconf.5.html#smtpd_tls_auth_only">$&</a>;g;
     s;\bsmtpd_tls_ccert_verifydepth\b;<a href="postconf.5.html#smtpd_tls_ccert_verifydepth">$&</a>;g;
     s;\bsmtpd_tls_cert_file\b;<a href="postconf.5.html#smtpd_tls_cert_file">$&</a>;g;
-    s;\bsmtpd_tls_ciphers\b;<a href="postconf.5.html#smtpd_tls_ciphers">$&</a>;g;
+    s;\bsmtpd_tls_cipherlist\b;<a href="postconf.5.html#smtpd_tls_cipherlist">$&</a>;g;
     s;\bsmtpd_tls_exclude_ciphers\b;<a href="postconf.5.html#smtpd_tls_exclude_ciphers">$&</a>;g;
+    s;\bsmtpd_tls_mandatory_ciphers\b;<a href="postconf.5.html#smtpd_tls_mandatory_ciphers">$&</a>;g;
+    s;\bsmtpd_tls_mandatory_exclude_ciphers\b;<a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">$&</a>;g;
     s;\bsmtpd_tls_dcert_file\b;<a href="postconf.5.html#smtpd_tls_dcert_file">$&</a>;g;
     s;\bsmtpd_tls_dh1024_param_file\b;<a href="postconf.5.html#smtpd_tls_dh1024_param_file">$&</a>;g;
     s;\bsmtpd_tls_dh512_param_file\b;<a href="postconf.5.html#smtpd_tls_dh512_param_file">$&</a>;g;
     s;\bsmtpd_tls_dkey_file\b;<a href="postconf.5.html#smtpd_tls_dkey_file">$&</a>;g;
     s;\bsmtpd_tls_key_file\b;<a href="postconf.5.html#smtpd_tls_key_file">$&</a>;g;
+    s;\bsmtpd_tls_security_level\b;<a href="postconf.5.html#smtpd_tls_security_level">$&</a>;g;
     s;\bsmtpd_tls_loglevel\b;<a href="postconf.5.html#smtpd_tls_loglevel">$&</a>;g;
-    s;\bsmtpd_tls_protocols\b;<a href="postconf.5.html#smtpd_tls_protocols">$&</a>;g;
+    s;\bsmtpd_tls_mandatory_protocols\b;<a href="postconf.5.html#smtpd_tls_mandatory_protocols">$&</a>;g;
     s;\bsmtpd_tls_received_header\b;<a href="postconf.5.html#smtpd_tls_received_header">$&</a>;g;
     s;\bsmtpd_tls_req_ccert\b;<a href="postconf.5.html#smtpd_tls_req_ccert">$&</a>;g;
     s;\bsmtpd_tls_session_cache_database\b;<a href="postconf.5.html#smtpd_tls_session_cache_database">$&</a>;g;
diff --git a/postfix/proto/ADDRESS_VERIFICATION_README.html b/postfix/proto/ADDRESS_VERIFICATION_README.html
index beb6c87bf..1d66b4fe9 100644
--- a/postfix/proto/ADDRESS_VERIFICATION_README.html
+++ b/postfix/proto/ADDRESS_VERIFICATION_README.html
@@ -230,6 +230,10 @@ and there are no surprises. If a recipient probe fails, then Postfix
 rejects mail for the recipient address.  If a recipient probe
 succeeds, then Postfix accepts mail for the recipient address. </p>
 
+<p> By default, address verification results are not saved. To avoid
+probing the same address repeatedly, you can store the result in a
+<a href="#caching">persistent database</a> as described later.  </p>
+
 <blockquote>
 <pre>
 /etc/postfix/main.cf:
diff --git a/postfix/proto/FILTER_README.html b/postfix/proto/FILTER_README.html
index 7161a05f6..fb7679144 100644
--- a/postfix/proto/FILTER_README.html
+++ b/postfix/proto/FILTER_README.html
@@ -615,6 +615,7 @@ how one would set up the service in the Postfix master.cf file:
     # =============================================================
     scan      unix  -       -       n       -       10      smtp
         -o smtp_send_xforward_command=yes
+        -o disable_mime_output_conversion=yes
 </pre>
 </blockquote>
 
@@ -633,6 +634,13 @@ after-filter smtpd process, so that filtered mail is logged with
 the real client name IP address. See smtp(8) and XFORWARD_README
 for more information. </p>
 
+<li> <p> With "-o disable_mime_output_conversion=yes", the scan
+delivery agent will not convert 8BITMIME mail to quoted-printable
+form while delivering to the content filter, as that would invalidate
+domainkeys and other digital signatures.  This workaround is needed
+because some SMTP-based content filters don't announce 8BITMIME
+support, even though they can handle it just fine.  </p>
+
 </ul>
 
 <h3>Advanced content filter: running the content filter</h3>
diff --git a/postfix/proto/INSTALL.html b/postfix/proto/INSTALL.html
index 22a5e1446..02335fdb6 100644
--- a/postfix/proto/INSTALL.html
+++ b/postfix/proto/INSTALL.html
@@ -156,7 +156,7 @@ OPENSTEP 4.x <br>
 OSF1.V3 - OSF1.V5 (Digital UNIX) <br>
 Reliant UNIX 5.x <br>
 Rhapsody 5.x <br>
-SunOS 4.1.4 (December 2005) <br>
+SunOS 4.1.4 (July 2006) <br>
 SunOS 5.4 - 5.9 (Solaris 2.4..9) <br>
 Ultrix 4.x (well, that was long ago) <br>
 </p>
diff --git a/postfix/proto/MAILDROP_README.html b/postfix/proto/MAILDROP_README.html
index e41e127f5..aaaac162c 100644
--- a/postfix/proto/MAILDROP_README.html
+++ b/postfix/proto/MAILDROP_README.html
@@ -100,10 +100,13 @@ to deliver the mail.  </p>
 <pre>
 /etc/postfix/master.cf:
     maildrop  unix  -       n       n       -       -       pipe
-      flags=DRhu user=vmail argv=/path/to/maildrop -d ${recipient}
+      flags=ODRhu user=vmail argv=/path/to/maildrop -d ${recipient}
 </pre>
 </blockquote>
 
+<p> The pipe(8) manual page gives a detailed description of the
+above command line arguments, and more. </p>
+
 <p> If you want to support user+extension@domain style addresses,
 use the following instead: </p>
 
@@ -111,7 +114,7 @@ use the following instead: </p>
 <pre>
 /etc/postfix/master.cf:
     maildrop  unix  -       n       n       -       -       pipe
-      flags=DRhu user=vmail argv=/path/to/maildrop 
+      flags=ODRhu user=vmail argv=/path/to/maildrop 
       -d ${user}@${nexthop} ${extension} ${recipient} ${user} ${nexthop}
 </pre>
 </blockquote>
diff --git a/postfix/proto/MILTER_README.html b/postfix/proto/MILTER_README.html
index 8446ea642..8e56061f2 100644
--- a/postfix/proto/MILTER_README.html
+++ b/postfix/proto/MILTER_README.html
@@ -32,13 +32,14 @@ href="http://sourceforge.net/projects/sid-milter/">SenderID+SPF</a> and
 <a href="http://sourceforge.net/projects/dk-milter/">Domain keys</a>)
 or to digitally sign mail (example: <a
 href="http://sourceforge.net/projects/dk-milter/">Domain keys</a>).
-Having yet another MTA-specific version of all that software is a
-poor use of human and system resources. </p>
+Having yet another Postfix-specific version of all that software
+is a poor use of human and system resources. </p>
 
 <p> Postfix 2.3 implements all the requests of Sendmail version 8
 Milter protocols up to version 4, except one: message body replacement.
-See, however, the <a href="#limitations">limitations</a> section
-at the end of this document. </p>
+See, however, the <a href="#workarounds">workarounds</a> and <a
+href="#limitations">limitations</a> sections at the end of this
+document. </p>
 
 <p> This document provides information on the following topics: </p>
 
@@ -257,10 +258,13 @@ for options.  A typical command looks like this:</p>
 
 <blockquote>
 <pre>
-$ <b>/some/where/dk-filter -p inet:<i>portnumber</i>@localhost ...<i>other options</i>...</b>
+# <b>/some/where/dk-filter -u <i>userid</i> -p inet:<i>portnumber</i>@localhost ...<i>other options</i>...</b>
 </pre>
 </blockquote>
 
+<p> Please specify a <i>userid</i> value that isn't used for other
+applications (not "postfix", not "www", etc.). </p>
+
 <h2><a name="config">Configuring Postfix</a></h2>
 
 <p> Like Sendmail, Postfix has a lot of configuration options that
@@ -295,6 +299,12 @@ unwanted mail, and to sign mail from authorized SMTP clients.  Mail
 that arrives via the Postfix smtpd(8) server is not filtered by the
 non-SMTP filters that are described in the next section. </p>
 
+<p> NOTE: Do not use the header_checks(5) IGNORE action to remove
+Postfix's own Received: message header. This causes problems with
+mail signing filters. Instead, keep Postfix's own Received: message
+header and use the header_checks(5) REPLACE action to sanitize
+information. </p>
+
 <p> You specify SMTP-only Milter applications (there can be more
 than one) with the smtpd_milters parameter.  Each Milter application
 is identified by the name of its listening socket; other Milter
@@ -328,7 +338,7 @@ Connect to the specified TCP port on the specified local or remote
 host.  The host and port can be specified in numeric or symbolic
 form.</p>
 
-<p> Note: Postfix syntax differs from Milter syntax which has the
+<p> NOTE: Postfix syntax differs from Milter syntax which has the
 form <b>inet:</b><i>port</i><b>@</b><i>host</i>. </p>  </dd>
 
 </dl>
@@ -345,6 +355,12 @@ limitations as discussed later in this section.  Mail that arrives
 via the Postfix smtpd(8) server is not filtered by the non-SMTP
 filters.  </p>
 
+<p> NOTE: Do not use the header_checks(5) IGNORE action to remove
+Postfix's own Received: message header. This causes problems with
+mail signing filters. Instead, keep Postfix's own Received: message
+header and use the header_checks(5) REPLACE action to sanitize
+information. </p>
+
 <p> You specify non-SMTP Milter applications with the non_smtpd_milters
 parameter. This parameter uses the same syntax as the smtpd_milters
 parameter in the previous section. As with the SMTP-only filters,
@@ -596,6 +612,13 @@ TO </td> </tr>
 
 <h2><a name="workarounds">Workarounds</a></h2>
 
+<p> Content filters may break domain key etc. signatures. If you
+use an SMTP-based filter as described in FILTER_README, then you
+should add a line to master.cf with "disable_mime_output_conversion
+= yes", as described in the <a
+href="FILTER_README.html#advanced_filter">advanced content filter</a>
+example. </p>
+
 <p> Sendmail Milter applications were originally developed for the
 Sendmail version 8 MTA, which has a different architecture than
 Postfix.  The result is that some Milter applications make assumptions
@@ -603,6 +626,10 @@ that aren't true in a Postfix environment. </p>
 
 <ul>
 
+<li> <p> Some Milter applications use the "<tt>{if_addr}</tt>" macro
+to recognize local mail; this macro does not exist in Postfix.
+Workaround: use the "<tt>{client_addr}</tt>" macro instead. </p>
+
 <li> <p> Some Milter applications log a warning that looks like
 this: </p>
 
@@ -620,13 +647,14 @@ X-SenderID: Sendmail Sender-ID Filter vx.y.z host.example.com &lt;unknown-msgid&
 </pre>
 </blockquote>
 
-<p> This happens because the Milter application expects that the
+<p> This happens because some Milter applications expect that the
 queue ID is known <i>before</i> the MTA accepts the MAIL FROM
-(sender) command.  Postfix, on the other hand, does not create a
-queue file until <i>after</i> Postfix accepts the first valid RCPT
-TO (recipient) command. This queue file name must be globally unique
-across multiple queue directories, so it cannot be chosen until the
-file is actually created. </p>
+(sender) command.  Postfix, on the other hand, does not choose a
+queue file name until <i>after</i> it accepts the first valid RCPT
+TO (recipient) command. Postfix queue file names must be unique
+across multiple directories, so the name can't be chosen before the
+file is created.  If multiple messages were to use the same queue
+ID <i>simultaneously</i>, mail would be lost.  </p>
 
 <p> To work around the ugly message header from Milter applications,
 we add a little code to the Milter source to look up the queue ID
@@ -644,21 +672,32 @@ the top shown as <b>bold</b> text below: </p>
 
 <blockquote>
 <pre>
-sic = (Context) smfi_getpriv(ctx);
-assert(sic != NULL);
+dfc = cc->cctx_msg;
+assert(dfc != NULL);
 <b>
-/*
-**  Determine the job ID for logging.
-*/
-if (sic->ctx_jobid == 0 || strcmp(sic->ctx_jobid, MSGIDUNKNOWN) == 0) {
+/* Determine the job ID for logging. */
+if (dfc->mctx_jobid == 0 || strcmp(dfc->mctx_jobid, JOBIDUNKNOWN) == 0) {
         char *jobid = smfi_getsymval(ctx, "i");
         if (jobid != 0)
-                sic->ctx_jobid = jobid;
+                dfc->mctx_jobid = jobid;
 }</b>
+
+/* get hostname; used in the X header and in new MIME boundaries */
 </pre>
 </blockquote>
 
-<p> This does not remove the WARNING message, however. </p>
+<p> NOTES: </p>
+
+<ul>
+
+<li> <p> Different mail filters use slightly different names for
+variables. If the above code does not compile, look for the code
+at the start of the <tt>mlfi_eoh()</tt> routine. </p>
+
+<li> <p> This fixes only the ugly message header, but not the WARNING
+message.  Fortunately, dk-filter logs that message only once. </p>
+
+</ul>
 
 <p> With some Milter applications we can fix both the WARNING and
 the "unknown-msgid" by postponing the call of <tt>mlfi_eoh()</tt>
@@ -699,7 +738,7 @@ will dump core when you do this. </p>
 <h2><a name="limitations">Limitations</a></h2>
 
 <p> This section lists limitations of the Postfix Milter implementation.
-Some limitations will be removed disappear as support is extended
+Some limitations will be removed as the implementation is extended
 over time. Of course the usual limitations of before-queue filtering
 will always apply. See the CONTENT_INSPECTION_README document for
 a discussion. </p>
diff --git a/postfix/proto/SASL_README.html b/postfix/proto/SASL_README.html
index 29ae2843c..2c0ac06c1 100644
--- a/postfix/proto/SASL_README.html
+++ b/postfix/proto/SASL_README.html
@@ -359,7 +359,8 @@ library for configuration can be set with: </p>
 <blockquote>
 <pre>
 /etc/postfix/main.cf:
-    smtpd_sasl_application_name = smtpd
+    smtpd_sasl_application_name = smtpd (Postfix &lt; 2.3)
+    smtpd_sasl_path = smtpd (Postfix 2.3 and later)
 </pre>
 </blockquote>
 
@@ -687,8 +688,9 @@ reject_sender_login_mismatch into
 reject_authenticated_sender_login_mismatch and
 reject_unauthenticated_sender_login_mismatch, and revised the docs.
 
-<li> Wietse made another iteration through the code to add
-plug-in support for multiple SASL implementations.
+<li> Wietse made another iteration through the code to add plug-in
+support for multiple SASL implementations, and changed
+smtpd_sasl_application_name into smtpd_sasl_path.
 
 <li> The Dovecot SMTP server-only plug-in was originally implemented by
 Timo Sirainen of Procontrol, Finland.
diff --git a/postfix/proto/SMTPD_POLICY_README.html b/postfix/proto/SMTPD_POLICY_README.html
index a722f99a0..6030d6183 100644
--- a/postfix/proto/SMTPD_POLICY_README.html
+++ b/postfix/proto/SMTPD_POLICY_README.html
@@ -90,7 +90,7 @@ sasl_username=you
 sasl_sender=
 size=12345
 ccert_subject=solaris9.porcupine.org
-ccert_issuer=Wietse Venema
+ccert_issuer=Wietse+20Venema
 ccert_fingerprint=C2:9D:F4:87:71:73:73:D9:18:E7:C2:F3:C1:DA:6E:04
 <b>Postfix version 2.3 and later:</b>
 encryption_protocol=TLSv1/SSLv3
@@ -161,6 +161,9 @@ etrn_domain=
     <li> <p> The "ccert_*" attributes (Postfix 2.2 and later) specify
     information about how the client was authenticated via TLS.
     These attributes are empty in case of no certificate authentication.
+    As of Postfix 2.2.11 these attribute values are encoded as
+    xtext: some characters are represented by +XX, where XX is the
+    two-digit hecadecimal representation of the character value.
     </p>
 
     <li> <p> The "encryption_*" attributes (Postfix 2.3 and later)
diff --git a/postfix/proto/TLS_README.html b/postfix/proto/TLS_README.html
index 461a00c30..249e3b22c 100644
--- a/postfix/proto/TLS_README.html
+++ b/postfix/proto/TLS_README.html
@@ -247,9 +247,8 @@ back to plain text after a TLS handshake failure, the server will
 be unable to receive email from most TLS enabled clients. To avoid
 accidental configurations with no certificates, Postfix 2.3 enables
 certificate-less operation only when the administrator explicitly sets
-"smtpd_tls_cert_file&nbsp;=&nbsp;none". This ensures that new Postfix
-configurations with just "smtpd_use_tls&nbsp;=&nbsp;yes" added, will
-not accidentally run with no certificates. </p>
+"smtpd_tls_cert_file = none". This ensures that new Postfix
+configurations will not accidentally run with no certificates. </p>
 
 <p> Both RSA and DSA certificates are supported. Typically you will
 only have RSA certificates issued by a commercial CA. In addition,
@@ -437,13 +436,18 @@ since the headers may be changed by intermediate servers. </p>
 
 <p> By default, TLS is disabled in the Postfix SMTP server, so no
 difference to plain Postfix is visible.  Explicitly switch it on
-using "smtpd_use_tls&nbsp;=&nbsp;yes". </p>
+with "smtpd_tls_security_level = may" (Postfix 2.3 and
+later) or "smtpd_use_tls = yes" (obsolete but still
+supported). </p>
 
 <p> Example: </p>
  
 <blockquote>
 <pre>
 /etc/postfix/main.cf:
+    # Postfix 2.3 and later
+    smtpd_tls_security_level = may
+    # Obsolete, but still supported
     smtpd_use_tls = yes
 </pre>
 </blockquote>
@@ -456,18 +460,23 @@ SMTP clients, but does not require that clients use TLS encryption.
 is never offered due to insufficient privileges to access the server
 private key. This is intended behavior. </p>
 
-<p> <a name="server_enforce">You can ENFORCE the use of TLS</a>, so that
-the Postfix SMTP server announces STARTTLS and accepts no mail without
-TLS encryption, by setting "smtpd_enforce_tls&nbsp;=&nbsp;yes". According
-to RFC 2487 this MUST NOT be applied in case of a publicly-referenced
-Postfix SMTP server.  This option is off by default and should only
-seldom be used. </p>
+<p> <a name="server_enforce">You can ENFORCE the use of TLS</a>,
+so that the Postfix SMTP server announces STARTTLS and accepts no
+mail without TLS encryption, by setting
+"smtpd_tls_security_level = encrypt" (Postfix 2.3 and
+later) or "smtpd_enforce_tls = yes" (obsolete but still
+supported). According to RFC 2487 this MUST NOT be applied in case
+of a publicly-referenced Postfix SMTP server.  This option is off
+by default and should only seldom be used. </p>
 
 <p> Example: </p>
  
 <blockquote>
 <pre>
 /etc/postfix/main.cf:
+    # Postfix 2.3 and later
+    smtpd_tls_security_level = encrypt
+    # Obsolete, but still supported
     smtpd_enforce_tls = yes
 </pre>
 </blockquote>
@@ -481,7 +490,7 @@ and OE (5.01 Mac on all ports). </p>
 
 <p> It is strictly discouraged to use this mode from main.cf. If
 you want to support this service, enable a special port in master.cf
-and specify "-o smtpd_tls_wrappermode&nbsp;=&nbsp;yes" as an smtpd(8) command
+and specify "-o smtpd_tls_wrappermode = yes" as an smtpd(8) command
 line option.  Port 465 (smtps) was once chosen for this feature.
 </p>
 
@@ -517,16 +526,19 @@ when the server is configured to ask for client certificates. </p>
 <blockquote>
 <pre>
 /etc/postfix/main.cf:
-    smtpd_use_tls = yes
     smtpd_tls_ask_ccert = yes
+    # Postfix 2.3 and later
+    smtpd_tls_security_level = may
+    # Obsolete, but still supported
+    smtpd_use_tls = yes
 </pre>
 </blockquote>
 
 <p> When TLS is <a href="#server_enforce">enforced</a> you may also decide
 to REQUIRE a remote SMTP client certificate for all TLS connections,
-by setting "smtpd_tls_req_ccert&nbsp;=&nbsp;yes". This feature implies
-"smtpd_tls_ask_ccert&nbsp;=&nbsp;yes". When TLS is not enforced,
-"smtpd_tls_req_ccert&nbsp;=&nbsp;yes" is ignored and a warning is
+by setting "smtpd_tls_req_ccert = yes". This feature implies
+"smtpd_tls_ask_ccert = yes". When TLS is not enforced,
+"smtpd_tls_req_ccert = yes" is ignored and a warning is
 logged. </p>
 
 <p> Example: </p>
@@ -534,8 +546,11 @@ logged. </p>
 <blockquote>
 <pre>
 /etc/postfix/main.cf:
-    smtpd_enforce_tls = yes
     smtpd_tls_req_ccert = yes
+    # Postfix 2.3 and later
+    smtpd_tls_security_level = encrypt
+    # Obsolete, but still supported
+    smtpd_enforce_tls = yes
 </pre>
 </blockquote>
 
@@ -556,15 +571,18 @@ CA issues special CA which then issues the actual certificate...)
 
 <h3><a name="server_tls_auth">Supporting AUTH over TLS only</a></h3>
 
-<p> Sending AUTH data over an unencrypted channel poses a security risk.
-When TLS layer encryption is required (smtpd_enforce_tls&nbsp;=&nbsp;yes),
-the Postfix SMTP server will announce and accept AUTH only
-after the TLS layer has been activated with STARTTLS. When TLS
-layer encryption is optional (smtpd_enforce_tls&nbsp;=&nbsp;no), it may
-however still be useful to only offer AUTH when TLS is active. To
-maintain compatibility with non-TLS clients, the default is to
-accept AUTH without encryption. In order to change this behavior,
-set "smtpd_tls_auth_only&nbsp;=&nbsp;yes". </p>
+<p> Sending AUTH data over an unencrypted channel poses a security
+risk.  When TLS layer encryption is required
+("smtpd_tls_security_level = encrypt" or the obsolete
+"smtpd_enforce_tls = yes"), the Postfix SMTP server will
+announce and accept AUTH only after the TLS layer has been activated
+with STARTTLS. When TLS layer encryption is optional
+("smtpd_tls_security_level = may" or the obsolete
+"smtpd_enforce_tls = no"), it may however still be useful
+to only offer AUTH when TLS is active. To maintain compatibility
+with non-TLS clients, the default is to accept AUTH without encryption.
+In order to change this behavior, set
+"smtpd_tls_auth_only = yes". </p>
 
 <p> Example: </p>
  
@@ -689,38 +707,48 @@ the user or host.</p>
 
 <p> The description below is for Postfix 2.3; for Postfix &lt; 2.3 the
 smtpd_tls_cipherlist parameter specifies the acceptable ciphers as an
-explicit OpenSSL cipherlist. </p>
+explicit OpenSSL cipherlist. The obsolete setting applies even when TLS
+encryption is not enforced. Use of this control on public MX hosts is
+strongly discouraged. </p>
+
+<p> With mandatory TLS encryption, the Postfix SMTP server will by
+default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption
+is optional. This is controlled by the smtpd_tls_mandatory_protocols
+configuration parameter. </p>
 
 <p> The Postfix SMTP server supports 5 distinct cipher security levels
-as specified by the smtpd_tls_ciphers configuration parameter. The
-default value is "export" which is the only one appropriate for public
-MX hosts.  On private MX hosts or MSAs one can further restrict the
-OpenSSL cipherlist selection. </p>
+as specified by the smtpd_tls_mandatory_ciphers configuration parameter,
+which determines the cipher grade with mandatory TLS encryption. The
+default value is "medium" which is essentially 128-bit encryption or better.
+With opportunistic TLS encryption, the minimum accepted cipher grade is
+always "export". </p>
 
 <p> By default anonymous ciphers are allowed, and automatically disabled
 when client certificates are requested. If clients are expected to always
 verify the server certificate you may want to exclude anonymous ciphers
-by setting "smtpd_tls_exclude_ciphers&nbsp;=&nbsp;aNULL".  One can't
-force a client to check the server certificate, so excluding anonymous
-ciphers is generally unnecessary. </p>
+by setting "smtpd_tls_mandatory_exclude_ciphers = aNULL".
+One can't force a client to check the server certificate, so excluding
+anonymous ciphers is generally unnecessary. </p>
 
 <p> For a server that is not a public Internet MX host, Postfix 2.3
 supports configurations with no <a href="#server_cert_key">server
 certificates</a> that use <b>only</b> the anonymous ciphers. This is
-enabled by explicitly setting "smtpd_tls_cert_file&nbsp;=&nbsp;none"
+enabled by explicitly setting "smtpd_tls_cert_file = none"
 and not specifying an smtpd_tls_dcert_file. </p>
 
-<p> Example: (MSA that requires  TLS with reasonably secure ciphers) </p>
+<p> Example: (MSA that requires  TLS with high grade ciphers) </p>
 
 <blockquote>
 <pre>
 /etc/postfix/main.cf:
-    smtpd_use_tls = yes
-    smtpd_enforce_tls = yes
     smtpd_tls_cert_file = /etc/postfix/cert.pem
     smtpd_tls_key_file = /etc/postfix/key.pem
-    smtpd_tls_ciphers = medium
-    smtpd_tls_exclude_ciphers = aNULL, MD5
+    smtpd_tls_mandatory_ciphers = high
+    smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
+    # Postfix 2.3 and later
+    smtpd_tls_security_level = encrypt
+    # Obsolete, but still supported
+    smtpd_enforce_tls = yes
 </pre>
 </blockquote>
 
@@ -1166,11 +1194,11 @@ in the sections that follow.</p>
 
 <p> At the "none" TLS security level, TLS encryption is
 disabled. This is the default security level. With Postfix 2.3 and later,
-it can be configured explicitly by setting "smtp_tls_security_level&nbsp;=&nbsp;none". </p>
+it can be configured explicitly by setting "smtp_tls_security_level = none". </p>
 
 <p> With Postfix 2.2 and earlier, or when smtp_tls_security_level is set to
 its default (backwards compatible) empty value, the appropriate configuration
-settings are "smtp_use_tls&nbsp;=&nbsp;no" and "smtp_enforce_tls&nbsp;=&nbsp;no".
+settings are "smtp_use_tls = no" and "smtp_enforce_tls = no".
 With either approach, TLS is not used even if supported by the server.
 For LMTP, use the corresponding "lmtp_" parameters. </p>
 
@@ -1191,7 +1219,7 @@ table, specify the "NONE" keyword. </p>
 The SMTP transaction is encrypted if the STARTTLS ESMTP feature
 is supported by the server. Otherwise, messages are sent in the clear.
 With Postfix 2.3 and later, opportunistic TLS can be configured by
-setting "smtp_tls_security_level&nbsp;=&nbsp;may".
+setting "smtp_tls_security_level = may".
 
 <p> Since sending in the clear is acceptable, demanding stronger
 than default TLS security merely reduces inter-operability.  For
@@ -1202,9 +1230,9 @@ better ciphers are used. </p>
 
 <p> With Postfix 2.2 and earlier, or when smtp_tls_security_level is
 set to its default (backwards compatible) empty value, the appropriate
-configuration settings are "smtp_use_tls&nbsp;=&nbsp;yes" and
-"smtp_enforce_tls&nbsp;=&nbsp;no".
-For LMTP use the corresponding "lmtp" parameters. </p>
+configuration settings are "smtp_use_tls = yes" and
+"smtp_enforce_tls = no".
+For LMTP use the corresponding "lmtp_" parameters. </p>
 
 <p> With opportunistic TLS, mail delivery continues even if the
 server certificate is untrusted or bears the wrong name.  Starting
@@ -1257,12 +1285,12 @@ on TLS <a href="#client_tls_limits">limitations</a> above. </p>
 
 <p> At the "encrypt" TLS security level, messages are sent only
 over TLS encrypted sessions. The SMTP transaction is aborted unless
-the STARTTLS ESMTP feature is supported by the server. If no
-suitable servers are found, the message will be deferred. With Postfix
-2.3 and later, mandatory TLS encryption can be configured by setting
-"smtp_tls_security_level&nbsp;=&nbsp;encrypt". Even though TLS encryption
-is always used, mail delivery continues if the server certificate is
-untrusted or bears the wrong name. </p>
+the STARTTLS ESMTP feature is supported by the server. If no suitable
+servers are found, the message will be deferred. With Postfix 2.3
+and later, mandatory TLS encryption can be configured by setting
+"smtp_tls_security_level = encrypt". Even though TLS
+encryption is always used, mail delivery continues if the server
+certificate is untrusted or bears the wrong name. </p>
 
 <p> At this security level and higher, the smtp_tls_mandatory_protocols
 and smtp_tls_mandatory_ciphers configuration parameters determine
@@ -1274,9 +1302,9 @@ parameters includes useful interoperability and security guidelines.
 
 <p> With Postfix 2.2 and earlier, or when smtp_tls_security_level
 is set to its default (backwards compatible) empty value, the
-appropriate configuration settings are "smtp_enforce_tls&nbsp;=&nbsp;yes"
-and "smtp_tls_enforce_peername&nbsp;=&nbsp;no". For LMTP use the corresponding
-<i>lmtp_</i> parameters. </p>
+appropriate configuration settings are "smtp_enforce_tls = yes"
+and "smtp_tls_enforce_peername = no". For LMTP use the corresponding
+"lmtp_" parameters. </p>
 
 <p> Despite the potential for eliminating passive eavesdropping attacks,
 mandatory TLS encryption is not viable as a default security level for
@@ -1382,22 +1410,22 @@ use the new <a href="#client_tls_policy">policy table</a> instead. </p>
 <h3><a name="client_tls_verify"> Mandatory server certificate verification </a>
 </h3>
 
-<p> At the "verify" TLS security level, messages are sent only
-over TLS encrypted sessions for which server certificate verification
-succeeds. If no suitable servers are found, the message will be
-deferred. With Postfix 2.3 and later, mandatory server certificate
-verification can be configured by setting
-"smtp_tls_security_level&nbsp;=&nbsp;verify", the
+<p> At the "verify" TLS security level, messages are sent only over
+TLS encrypted sessions if the server certificate is valid (not
+expired or revoked, and signed by a trusted certificate authority)
+and if the server certificate name matches a known pattern.  Mandatory
+server certificate verification can be configured by setting
+"smtp_tls_security_level = verify".  The
 smtp_tls_verify_cert_match parameter can override the default
-"hostname" certificate match strategy. Fine-tuning the matching
-strategy is generally only appropriate for <a
+"hostname" certificate name matching strategy. Fine-tuning the
+matching strategy is generally only appropriate for <a
 href="#client_tls_secure">secure-channel</a> destinations. </p>
 
 <p> With Postfix 2.2 and earlier, or when smtp_tls_security_level
 is set to its default (backwards compatible) empty value, the
-appropriate configuration settings are "smtp_enforce_tls&nbsp;=&nbsp;yes" and
-"smtp_tls_enforce_peername&nbsp;=&nbsp;yes". For LMTP use the corresponding
-<i>lmtp_</i> parameters. </p>
+appropriate configuration settings are "smtp_enforce_tls = yes" and
+"smtp_tls_enforce_peername = yes". For LMTP use the corresponding
+"lmtp_" parameters. </p>
 
 <p> If the server certificate chain is trusted (see smtp_tls_CAfile
 and smtp_tls_CApath), any DNS names in the SubjectAlternativeName
@@ -1471,16 +1499,16 @@ to <i>example.com</i> recipients uses "high" grade ciphers. </p>
 <i>secure-channel</i> TLS sessions where DNS forgery resistant server
 certificate verification succeeds. If no suitable servers are found, the
 message will be deferred. With Postfix 2.3 and later, secure-channels
-can be configured by setting "smtp_tls_security_level&nbsp;=&nbsp;secure".
+can be configured by setting "smtp_tls_security_level = secure".
 The smtp_tls_secure_cert_match parameter can override the default
 "nexthop, dot-nexthop" certificate match strategy. </p>
 
 <p> With Postfix 2.2 and earlier, or when smtp_tls_security_level
 is set to its default (backwards compatible) empty value, the
-appropriate configuration settings are "smtp_enforce_tls&nbsp;=&nbsp;yes"
-and "smtp_tls_enforce_peername&nbsp;=&nbsp;yes" with additional settings to
+appropriate configuration settings are "smtp_enforce_tls = yes"
+and "smtp_tls_enforce_peername = yes" with additional settings to
 <a href="#client_tls_harden">harden</a> peer certificate verification
-against forged DNS data. For LMTP, use the corresponding <i>lmtp_</i>
+against forged DNS data. For LMTP, use the corresponding "lmtp_"
 parameters. </p>
 
 <p> If the server certificate chain is trusted (see smtp_tls_CAfile and
@@ -1636,10 +1664,10 @@ will be used. </p>
 
 <p> The new policy table is specified via the smtp_tls_policy_maps
 parameter. This lists optional lookup tables with the Postfix SMTP client
-TLS security policy by next-hop destination. It supersedes the obsolete
-smtp_tls_per_site parameter. When $smtp_tls_policy_maps is not empty,
-the smtp_tls_per_site parameter is ignored (a warning is written to the
-logs if it is also non-empty). </p>
+TLS security policy by next-hop destination. When $smtp_tls_policy_maps
+is not empty, the obsolete smtp_tls_per_site parameter is ignored
+(a warning is written to the logs if both parameter values are
+non-empty).  </p>
 
 <p> The TLS policy table is indexed by the full next-hop destination,
 which is either the recipient domain, or the verbatim next-hop
@@ -1676,33 +1704,51 @@ describe the corresponding table syntax: </p>
 <dd>Opportunistic TLS. No additional attributes are supported at this
 level. </dd>
 
-<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption. At this level and
-higher the optional "ciphers" attribute overrides the main.cf
-smtp_tls_mandatory_ciphers parameter and the optional "protocols"
-keyword overrides the main.cf smtp_tls_mandatory_protocols parameter.
-In the policy table, multiple protocols must be separated by colons,
-as attribute values may not contain whitespace or commas.</dd>
-
-<dt><b>verify</b></dt>
-<dd>Mandatory server certificate verification. The optional "match"
-attribute overrides the main.cf smtp_tls_verify_cert_match parameter.
-In the policy table, multiple match patterns and strategies must
-be separated by colons. </dd>
-
-<dt><b>secure</b></dt> <dd>Secure-channel TLS. The optional "match"
-attribute overrides the main.cf smtp_tls_secure_cert_match parameter. In
-the policy table, multiple match patterns and strategies must be separated
-by colons. The match attribute is useful when additional domains are
-supported by common server, the policy entries for the additional domains
-specify matching rules for the primary domain certificate. While transport
-table overrides routing secondary domains to the primary nexthop also
-allow secure verification, they risk delivery to the wrong destination
-when domains change hands or are re-assigned to new gateways. With the
-"match" attribute approach, routing is not perturbed, and mail is deferred
-if verification of a new MX host fails. </dd>
+<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption. Mail is
+delivered only if remote SMTP server offers STARTTLS and the TLS
+handshake succeeds.  At this level and higher the optional "ciphers"
+attribute overrides the main.cf smtp_tls_mandatory_ciphers parameter
+and the optional "protocols" keyword overrides the main.cf
+smtp_tls_mandatory_protocols parameter. </dd>
+
+<dt><b>verify</b></dt> <dd>Mandatory server certificate verification.
+Mail is delivered only if the TLS handshake succeeds, if the server
+certificate can be validated (not expired or revoked, and signed
+by a trusted certificate authority), and if the server certificate
+name matches the optional "match" attribute (or the main.cf
+smtp_tls_verify_cert_match parameter value when no optional "match"
+attribute is specified).  </dd>
+
+<dt><b>secure</b></dt> <dd>Secure-channel TLS. Mail is delivered
+only if the TLS handshake succeeds, if the server certificate can
+be validated (not expired or revoked, and signed by a trusted
+certificate authority), and if the server certificate name matches
+the optional "match" attribute (or the main.cf smtp_tls_secure_cert_match
+parameter value when no optional "match" attribute is specified).
+</dd>
 
 </dl>
 
+<p> Notes: </p>
+
+<ul>
+
+<li> <p> The "match" attribute is especially useful to verify TLS
+certificates for domains that are hosted on a shared server.  In
+that case, specify "match" rules for the shared server's name.
+While secure verification can also be achieved with manual routing
+overrides in Postfix transport(5) tables, that approach can deliver
+mail to the wrong host when domains are assigned to new gateway
+hosts.  The "match" attribute approach avoids the problems of manual
+routing overrides; mail is deferred if verification of a new MX
+host fails.  </p>
+
+<li> <p> When a policy table entry specifies multiple match patterns,
+multiple match strategies, or multiple protocols, these must be
+separated by colons.  </p>
+
+</ul>
+
 <p>
 Example:
 </p>
@@ -1816,7 +1862,7 @@ settings. </dd>
 <dt> MAY </dt> <dd> Opportunistic TLS. This has less precedence than
 a more specific result (including "NONE") from the alternate host or
 next-hop lookup key, and has less precedence than the more specific global
-"smtp_enforce_tls&nbsp;=&nbsp;yes" or "smtp_tls_enforce_peername&nbsp;=&nbsp;yes".  </dd>
+"smtp_enforce_tls = yes" or "smtp_tls_enforce_peername = yes".  </dd>
 
 <dt> MUST_NOPEERMATCH </dt> <dd> Mandatory TLS encryption. This
 overrides a less secure "NONE" or a less specific "MAY" lookup result
@@ -1842,8 +1888,8 @@ policies can be summarized as follows: </p>
 <li> <p> When neither the remote SMTP server hostname nor the
 next-hop destination are found in the smtp_tls_per_site table, the
 policy is based on smtp_use_tls, smtp_enforce_tls and
-smtp_tls_enforce_peername. Note: "smtp_enforce_tls&nbsp;=&nbsp;yes" and
-"smtp_tls_enforce_peername&nbsp;=&nbsp;yes" imply "smtp_use_tls&nbsp;=&nbsp;yes". </p>
+smtp_tls_enforce_peername. Note: "smtp_enforce_tls = yes" and
+"smtp_tls_enforce_peername = yes" imply "smtp_use_tls = yes". </p>
 
 <li> <p> When both hostname and next-hop destination lookups produce
 a result, the more specific per-site policy (NONE, MUST, etc)
@@ -1853,7 +1899,7 @@ policy (MUST, etc) overrides the less secure one (NONE).  </p>
 <li> <p> After the per-site policy lookups are combined, the result
 generally overrides the global policy. The exception is the less
 specific "MAY" per-site policy, which is overruled by the more
-specific global "smtp_enforce_tls&nbsp;=&nbsp;yes" with server certificate
+specific global "smtp_enforce_tls = yes" with server certificate
 verification as specified with the smtp_tls_enforce_peername
 parameter.  </p>
 
@@ -1891,7 +1937,7 @@ server hostname that is used for TLS policy lookup and server certificate
 verification. </p>
 
 <li> <p> Disallow CNAME hostname overrides. In main.cf, specify
-"smtp_cname_overrides_servername&nbsp;=&nbsp;no". This prevents false hostname
+"smtp_cname_overrides_servername = no". This prevents false hostname
 information in DNS CNAME records from changing the server hostname
 that Postfix uses for TLS policy lookup and server certificate
 verification. This feature requires Postfix 2.2.9 or later.  The
@@ -1987,14 +2033,14 @@ methods. See smtp_tls_policy_maps for information on how to configure
 ciphers on a per-destination basis. </p>
 
 <p> By default anonymous ciphers are allowed, and automatically
-disabled when server certificates are verified. If you
-want to disable even at the "encrypt" security level, set
-"smtp_tls_mandatory_exclude_ciphers&nbsp;=&nbsp;aNULL",
-to disable anonymous ciphers even with opportunistic TLS, set
-"smtp_tls_exclude_ciphers&nbsp;=&nbsp;aNULL". There is generally no
-need to take these measures. Anonymous ciphers save bandwidth and TLS
-session cache space, if certificates are ignored, there is little point
-in requesting them. </p>
+disabled when server certificates are verified. If you want to
+disable anonymous ciphers even at the "encrypt" security level, set
+"smtp_tls_mandatory_exclude_ciphers = aNULL"; and to
+disable anonymous ciphers even with opportunistic TLS, set
+"smtp_tls_exclude_ciphers = aNULL". There is generally
+no need to take these measures. Anonymous ciphers save bandwidth
+and TLS session cache space, if certificates are ignored, there is
+little point in requesting them. </p>
 
 <p> Example: </p>
  
@@ -2238,18 +2284,22 @@ but don't require them from all clients. </p>
 
 <blockquote>
 <pre>
-smtp_tls_CAfile = /etc/postfix/cacert.pem
-smtp_tls_session_cache_database =
-    btree:/var/spool/postfix/smtp_tls_session_cache
-smtp_use_tls = yes
-smtpd_tls_CAfile = /etc/postfix/cacert.pem
-smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
-smtpd_tls_key_file = /etc/postfix/FOO-key.pem
-smtpd_tls_received_header = yes
-smtpd_tls_session_cache_database =
-    btree:/var/spool/postfix/smtpd_tls_session_cache
-smtpd_use_tls = yes
-tls_random_source = dev:/dev/urandom
+/etc/postfix/main.cf:
+    smtp_tls_CAfile = /etc/postfix/cacert.pem
+    smtp_tls_session_cache_database =
+	btree:/var/spool/postfix/smtp_tls_session_cache
+    smtp_use_tls = yes
+    smtpd_tls_CAfile = /etc/postfix/cacert.pem
+    smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
+    smtpd_tls_key_file = /etc/postfix/FOO-key.pem
+    smtpd_tls_received_header = yes
+    smtpd_tls_session_cache_database =
+	btree:/var/spool/postfix/smtpd_tls_session_cache
+    tls_random_source = dev:/dev/urandom
+    # Postfix 2.3 and later
+    smtpd_tls_security_level = may
+    # Obsolete, but still supported
+    smtpd_use_tls = yes
 </pre>
 </blockquote>
 
@@ -2294,14 +2344,14 @@ generation (PRNG) pool, and in order to access the TLS session
 cache databases. Such a protocol cannot be run across fifos. </p>
 
 <li> <p> smtp_tls_per_site: the MUST_NOPEERMATCH per-site policy
-cannot override the global "smtp_tls_enforce_peername&nbsp;=&nbsp;yes" setting.
+cannot override the global "smtp_tls_enforce_peername = yes" setting.
 </p>
 
 <li> <p> smtp_tls_per_site: a combined (NONE + MAY) lookup result
 for (hostname and next-hop destination) produces counter-intuitive
 results for different main.cf settings.  TLS is enabled with
-"smtp_tls_enforce_peername&nbsp;=&nbsp;no", but it is disabled when both
-"smtp_enforce_tls&nbsp;=&nbsp;yes" and "smtp_tls_enforce_peername&nbsp;=&nbsp;yes".
+"smtp_tls_enforce_peername = no", but it is disabled when both
+"smtp_enforce_tls = yes" and "smtp_tls_enforce_peername = yes".
 </p>
 
 </ul>
diff --git a/postfix/proto/access b/postfix/proto/access
index 7491acd62..2e2af8615 100644
--- a/postfix/proto/access
+++ b/postfix/proto/access
@@ -339,7 +339,7 @@
 #	This section describes how the table lookups change when lookups
 #	are directed to a TCP-based server. For a description of the TCP
 #	client/server lookup protocol, see \fBtcp_table\fR(5).
-#	This feature is not available up to and including Postfix version 2.2.
+#	This feature is not available up to and including Postfix version 2.3.
 #
 #	Each lookup operation uses the entire query string once.
 #	Depending on the application, that string is an entire client
diff --git a/postfix/proto/canonical b/postfix/proto/canonical
index 30d99fec3..1aeb6e752 100644
--- a/postfix/proto/canonical
+++ b/postfix/proto/canonical
@@ -146,7 +146,7 @@
 #	This section describes how the table lookups change when lookups
 #	are directed to a TCP-based server. For a description of the TCP
 #	client/server lookup protocol, see \fBtcp_table\fR(5).
-#	This feature is not available up to and including Postfix version 2.2.
+#	This feature is not available up to and including Postfix version 2.3.
 #	
 #	Each lookup operation uses the entire address once.  Thus,
 #	\fIuser@domain\fR mail addresses are not broken up into their
diff --git a/postfix/proto/generic b/postfix/proto/generic
index 8a0e8e972..d19dfde45 100644
--- a/postfix/proto/generic
+++ b/postfix/proto/generic
@@ -130,7 +130,7 @@
 #	This section describes how the table lookups change when lookups
 #	are directed to a TCP-based server. For a description of the TCP
 #	client/server lookup protocol, see \fBtcp_table\fR(5).
-#	This feature is not available up to and including Postfix version 2.2.
+#	This feature is not available up to and including Postfix version 2.3.
 #	
 #	Each lookup operation uses the entire address once.  Thus,
 #	\fIuser@domain\fR mail addresses are not broken up into their
diff --git a/postfix/proto/master b/postfix/proto/master
index 751026072..4720caa8a 100644
--- a/postfix/proto/master
+++ b/postfix/proto/master
@@ -120,16 +120,15 @@
 #	place.
 # .sp
 #	The files in the examples/chroot-setup subdirectory of the
-#	Postfix source archive describe how to set up a Postfix
-#	chroot environment for your type of machine, and
-#	BASIC_CONFIGURATION_README discusses issues related to
-#	running daemons chrooted.
+#	Postfix source archive show set up a Postfix chroot environment
+#	on a variety of systems. See also BASIC_CONFIGURATION_README
+#	for issues related to running daemons chrooted.
 # .IP "\fBWake up time (default: 0)\fR"
 #	Automatically wake up the named service after the specified
 #	number of seconds. The wake up is implemented by connecting
 #	to the service and sending a wake up request.  A ? at the
-#	end of the wake-up time field requests that wake up events
-#	be sent only to services that are actually being used.
+#	end of the wake-up time field requests that no wake up
+#	events be sent before the service is used.
 #	Specify 0 for no automatic wake up.
 # .sp
 #	The \fBpickup\fR(8), \fBqmgr\fR(8) and \fBflush\fR(8)
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index 1e5210979..f233c4662 100644
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -608,7 +608,8 @@ the Postfix SMTP client returns such mail as undeliverable.
 
 <p>
 Specify, for example, "best_mx_transport = local" to pass the mail
-from the SMTP client to the local(8) delivery agent. You can specify
+from the Postfix SMTP client to the local(8) delivery agent. You
+can specify
 any message delivery "transport" or "transport:nexthop" that is
 defined in the master.cf file. See the transport(5) manual page
 for the syntax and meaning of "transport" or "transport:nexthop".
@@ -1703,7 +1704,8 @@ for IPv6. </p>
 <p>
 A better solution for multi-homed firewalls is to leave inet_interfaces
 at the default value and instead use explicit IP addresses in
-the master.cf SMTP server definitions.  This preserves the SMTP client's
+the master.cf SMTP server definitions.  This preserves the Postfix
+SMTP client's
 loop detection, by ensuring that each side of the firewall knows that the
 other IP address is still the same host. Setting $inet_interfaces to a
 single IPv4 and/or IPV6 address is primarily useful with virtual
@@ -2070,8 +2072,8 @@ lists: Postfix needs to know only if a lookup string is found or
 not, but it does not use the result from table lookup.  </p>
 
 <p>
-If this parameter is non-empty (the default), then the Postfix SMTP server
-will reject mail for unknown local users.
+If this parameter is non-empty (the default), then the Postfix SMTP
+server will reject mail for unknown local users.
 </p>
 
 <p>
@@ -3498,8 +3500,8 @@ the word "ESMTP" appears in the server greeting banner (example:
 %PARAM smtp_bind_address 
 
 <p>
-An optional numerical network address that the SMTP client should
-bind to when making an IPv4 connection.
+An optional numerical network address that the Postfix SMTP client
+should bind to when making an IPv4 connection.
 </p>
 
 <p>
@@ -3525,8 +3527,8 @@ but this form is not recommended here. </p>
 %PARAM smtp_bind_address6 
 
 <p>
-An optional numerical network address that the SMTP client should
-bind to when making an IPv6 connection.
+An optional numerical network address that the Postfix SMTP client
+should bind to when making an IPv6 connection.
 </p>
 
 <p> This feature is available in Postfix 2.2 and later. </p>
@@ -3673,7 +3675,8 @@ zero (use the operating system built-in time limit).
 </p>
 
 <p>
-When no connection can be made within the deadline, the SMTP client
+When no connection can be made within the deadline, the Postfix
+SMTP client
 tries the next address on the mail exchanger list. Specify 0 to
 disable the time limit (i.e. use whatever timeout is implemented by
 the operating system).
@@ -3718,7 +3721,7 @@ The default time unit is s (seconds).
 <p>
 The SMTP client time limit for sending the SMTP message content.
 When the connection makes no progress for more than $smtp_data_xfer_timeout
-seconds the SMTP client terminates the transfer.
+seconds the Postfix SMTP client terminates the transfer.
 </p>
 
 <p>
@@ -3864,7 +3867,7 @@ The default time unit is s (seconds).
 %PARAM smtp_host_lookup dns
 
 <p>
-What mechanisms when the SMTP client uses to look up a host's IP
+What mechanisms when the Postfix SMTP client uses to look up a host's IP
 address.  This parameter is ignored when DNS lookups are disabled.
 </p>
 
@@ -4123,8 +4126,8 @@ smtp_sasl_mechanism_filter = !gssapi, !login, static:rest
 %PARAM smtp_send_xforward_command no
 
 <p>
-Send the non-standard XFORWARD command when the Postfix SMTP server EHLO
-response announces XFORWARD support.
+Send the non-standard XFORWARD command when the Postfix SMTP server
+EHLO response announces XFORWARD support.
 </p>
 
 <p>
@@ -7480,7 +7483,8 @@ is <b>smtpd</b>, corresponding to a SASL configuration file named
 </p>
 
 <p>
-This feature is available in Postfix 2.1 and later.
+This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3
+it was renamed to smtpd_sasl_path.
 </p>
 
 %PARAM strict_7bit_headers no
@@ -7860,8 +7864,8 @@ and virtual_alias_maps. </p>
 %PARAM smtp_discard_ehlo_keywords
 
 <p> A case insensitive list of EHLO keywords (pipelining, starttls,
-auth, etc.) that the SMTP client will ignore in the EHLO response
-from a remote SMTP server. </p>
+auth, etc.) that the Postfix SMTP client will ignore in the EHLO
+response from a remote SMTP server. </p>
 
 <p> This feature is available in Postfix 2.2 and later. </p>
 
@@ -7901,7 +7905,7 @@ to discard EHLO keywords selectively.  </p>
 
 <p> Lookup tables, indexed by the remote SMTP server address, with
 case insensitive lists of EHLO keywords (pipelining, starttls, auth,
-etc.) that the SMTP client will ignore in the EHLO response from a
+etc.) that the Postfix SMTP client will ignore in the EHLO response from a
 remote SMTP server. See smtp_discard_ehlo_keywords for details. The
 table is not indexed by hostname for consistency with
 smtpd_discard_ehlo_keyword_address_maps. </p>
@@ -8067,15 +8071,15 @@ able to authenticate the server, but unless it is running Postfix 2.3 or
 similar software, it will still insist on a server certificate. </p>
 
 <p> For servers that are <b>not</b> public Internet MX hosts, Postfix
-2.3 supports configurations with no certificates. This entails the use
-of just the anonymous TLS ciphers, which are not supported by typical
-SMTP clients. Since such clients will not, as a rule, fall back to plain
-text after a TLS handshake failure, the server will be unable to receive
-email from TLS enabled clients. To avoid accidental configurations with
-no certificates, Postfix 2.3 enables certificate-less operation only
-when the administrator explicitly sets "smtpd_tls_cert_file = none". This
-ensures that new Postfix configurations with just "smtpd_use_tls = yes"
-added, will not accidentally run with no certificates. </p>
+2.3 supports configurations with no certificates. This entails the
+use of just the anonymous TLS ciphers, which are not supported by
+typical SMTP clients. Since such clients will not, as a rule, fall
+back to plain text after a TLS handshake failure, the server will
+be unable to receive email from TLS enabled clients. To avoid
+accidental configurations with no certificates, Postfix 2.3 enables
+certificate-less operation only when the administrator explicitly
+sets "smtpd_tls_cert_file = none". This ensures that new Postfix
+configurations will not accidentally run with no certificates. </p>
 
 <p> Both RSA and DSA certificates are supported.  When both types
 are present, the cipher used determines which certificate will be
@@ -8224,30 +8228,32 @@ that was recorded by the final destination can be trusted. </p>
 
 %PARAM smtpd_use_tls no
 
-<p> Opportunistic mode: announce STARTTLS support to SMTP clients,
+<p> Opportunistic TLS: announce STARTTLS support to SMTP clients,
 but do not require that clients use TLS encryption. </p>
 
 <p> Note: when invoked via "<b>sendmail -bs</b>", Postfix will never offer
 STARTTLS due to insufficient privileges to access the server private
 key. This is intended behavior. </p>
 
-<p> This feature is available in Postfix 2.2 and later.  </p>
+<p> This feature is available in Postfix 2.2 and later. With
+Postfix 2.3 and later use smtpd_tls_security_level instead. </p>
 
 %PARAM smtpd_enforce_tls no
 
-<p> Enforcement mode: announce STARTTLS support to SMTP clients,
+<p> Mandatory TLS: announce STARTTLS support to SMTP clients,
 and require that clients use TLS encryption.  According to RFC 2487
 this MUST NOT be applied in case of a publicly-referenced SMTP
 server.  This option is off by default and should be used only on
 dedicated servers. </p>
 
-<p> Note 1: this mode implies "smtpd_tls_auth_only = yes". </p>
+<p> Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes". </p>
 
 <p> Note 2: when invoked via "<b>sendmail -bs</b>", Postfix will never offer
 STARTTLS due to insufficient privileges to access the server private  
 key. This is intended behavior. </p>
 
-<p> This feature is available in Postfix 2.2 and later.  </p>
+<p> This feature is available in Postfix 2.2 and later. With
+Postfix 2.3 and later use smtpd_tls_security_level instead. </p>
 
 %PARAM smtpd_tls_wrappermode no
 
@@ -8276,7 +8282,7 @@ may be annoying, so this option is "off" by default. </p>
 
 %PARAM smtpd_tls_req_ccert no
 
-<p> When TLS encryption is enforced, require a remote SMTP client
+<p> With mandatory TLS encryption, require a remote SMTP client
 certificate in order to allow TLS connections to proceed.  This
 option implies "smtpd_tls_ask_ccert = yes". </p>
 
@@ -8381,7 +8387,7 @@ clients. </p>
 <p> <b>Note:</b> do not use "" quotes around the parameter value. </p>
 
 <p>This feature is available with Postfix version 2.2. It is not used with
-Postfix 2.3 and later; use smtpd_tls_ciphers instead. </p>
+Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead. </p>
 
 %PARAM smtpd_tls_dh1024_param_file
 
@@ -8398,7 +8404,7 @@ openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024
 
 <p> Your actual source for entropy may differ. Some systems have
 /dev/random; on other system you may consider using the "Entropy
-Gathering Daemon EGD", available at http://www.lothar.com/tech/crypto/.
+Gathering Daemon EGD", available at http://egd.sourceforge.net/
 </p>
 
 <p> Example: </p>
@@ -8633,7 +8639,7 @@ Postfix 2.3 and later use smtp_tls_security_level instead. </p>
 
 %PARAM smtp_tls_enforce_peername yes
 
-<p> When TLS encryption is enforced, require that the remote SMTP
+<p> With mandatory TLS encryption, require that the remote SMTP
 server hostname matches the information in the remote SMTP server
 certificate.  As of RFC 2487 the requirements for hostname checking
 for MTA clients are not specified. </p>
@@ -8750,7 +8756,7 @@ postfix/smtp[pid]:  Host offered STARTTLS: [name.of.host]
 %PARAM smtp_tls_cipherlist
 
 <p> Obsolete Postfix &lt; 2.3 control for the Postfix SMTP client TLS
-cipher list. As this feature applies to all security levels, it is easy
+cipher list. As this feature applies to all TLS security levels, it is easy
 to create inter-operability problems by choosing a non-default cipher
 list. Do not use a non-default TLS cipher list on hosts that deliver email
 to the public Internet: you will be unable to send email to servers that
@@ -8935,7 +8941,7 @@ process instance while mail is being forwarded.  </p>
 
 %PARAM smtpd_peername_lookup yes
 
-<p> Attempt to look up the SMTP client hostname, and verify that
+<p> Attempt to look up the Postfix SMTP client hostname, and verify that
 the name matches the client IP address. A client name is set to
 "unknown" when it cannot be looked up or verified, or when name
 lookup is disabled.  Turning off name lookup reduces delays due to
@@ -9012,7 +9018,7 @@ This feature is available in Postfix 2.3 and later.
 %PARAM smtp_sender_dependent_authentication no
 
 <p>
-Enable sender-dependent authentication in the SMTP client; this is
+Enable sender-dependent authentication in the Postfix SMTP client; this is
 available only with SASL authentication, and disables SMTP connection
 caching to ensure that mail from different senders will use the
 appropriate credentials.  </p>
@@ -9307,7 +9313,8 @@ the SASL plug-in implementation that is selected with
 <b>smtpd_sasl_type</b>.  Typically this specifies the name of a
 configuration file or rendezvous point. </p>
 
-<p> This feature is available in Postfix 2.3 and later. </p>
+<p> This feature is available in Postfix 2.3 and later. In earlier
+releases it was called smtpd_sasl_application. </p>
 
 %PARAM smtp_sasl_path
 
@@ -9610,8 +9617,8 @@ configurations in environments where DNS security is not assured. </p>
 
 %PARAM smtp_tls_mandatory_protocols SSLv3, TLSv1
 
-<p> List of TLS protocol versions that are secure enough to be used
-with the "encrypt" security level and higher. In main.cf the values
+<p> List of TLS protocols that the Postfix SMTP client will use
+with mandatory TLS encryption.  In main.cf the values
 are separated by whitespace, commas or colons. In the policy table
 (see smtp_tls_policy_maps) the only valid separator is colon. An
 empty value means allow all protocols. The valid protocol names,
@@ -9768,33 +9775,30 @@ configuration parameter. See there for details. </p>
 
 <p> This feature is available in Postfix 2.3 and later. </p>
 
-%PARAM smtpd_tls_protocols
-
-<p> The list of TLS protocols supported by the server. If empty the
-default list of protocols is used (i.e. all TLS protocol versions are
-supported). Any non-empty value is interpreted as a list of protocol
-names separated by whitespace, commas or colons. The supported protocol
-names are "SSLv2", "SSLv3" and "TLSv1", and are not
-case-sensitive. </p>
+%PARAM smtpd_tls_mandatory_protocols SSLv3, TLSv1
 
-<p> DO NOT set this to a non-default value on an MX-host,
-as some clients may not support any of the narrower set of protocols,
-and may be unable to fallback to plaintext sessions. If you restrict
-the protocol list on an MX host, you may lose mail. </p>
+<p> The TLS protocols accepted by the Postfix SMTP server with
+mandatory TLS encryption.  With opportunistic TLS encryption, all
+protocols are always accepted. If the list is empty, the server
+supports all available TLS protocol versions.  A non-empty value
+is a list of protocol names separated by whitespace, commas or
+colons. The supported protocol names are "SSLv2", "SSLv3" and
+"TLSv1", and are not case sensitive. </p>
 
 <p> Example: </p>
 
 <pre>
-smtpd_tls_protocols = SSLv3, TLSv1
+smtpd_tls_mandatory_protocols = SSLv3, TLSv1
 </pre>
 
 <p> This feature is available in Postfix 2.3 and later. </p>
 
 %PARAM smtp_tls_security_level
 
-<p> The default SMTP TLS security level for all destinations; when
-a non-empty value is specified, this overrides the obsolete parameters
-smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.  </p>
+<p> The default SMTP TLS security level for the Postfix SMTP client;
+when a non-empty value is specified, this overrides the obsolete
+parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
+</p>
 
 <p> Specify one of the following security levels: </p>
 
@@ -10067,61 +10071,68 @@ meanings.  </p>
 
 <p> This feature is available in Postfix 2.3 and later. </p>
 
-%PARAM smtpd_tls_ciphers export
+%PARAM smtpd_tls_mandatory_ciphers medium
 
-<p> The minimum acceptable SMTP server TLS cipher grade. It is easy to
-create inter-operability problems by choosing a non-default cipher grade.
-Do not use a stronger than default minimum cipher grade for MX hosts on
-the public Internet. Clients that begin the TLS handshake, but are unable
-to agree on a common cipher, may not be able to send any email to the
-SMTP server. Using a restricted cipher list may be more appropriate for a
-dedicated MSA or an internal mailhub, where one can exert some control over
-the TLS software and settings of the connecting clients. Configurations
-with no certificates are also not likely to inter-operate with most
-clients, see the notes for "smtpd_tls_cert_file". </p>
+<p> The minimum TLS cipher grade that the Postfix SMTP server will
+use with mandatory
+TLS encryption. Cipher types listed in smtpd_tls_mandatory_exclude_ciphers
+or smtpd_tls_exclude_ciphers are excluded from the base definition
+of the selected cipher grade. With opportunistic TLS encryption,
+the "export" grade is used unconditionally with exclusions specified
+only via smtpd_tls_exclude_ciphers. </p>
 
 <p> The following cipher grades are supported: </p>
 
 <dl>
 <dt><b>export</b></dt>
 <dd> Enable the mainstream "EXPORT" grade or better OpenSSL ciphers.
-This is the most appropriate setting for public MX hosts. The underlying
-cipherlist is specified via the tls_export_cipherlist configuration
-parameter, which you are strongly encouraged to not change. The default
-value of tls_export_cipherlist includes anonymous ciphers, but these
-are automatically filtered out if the server is configured to ask for
+This is the most appropriate setting for public MX hosts, and is always
+used with opportunistic TLS encryption. The underlying cipherlist
+is specified via the tls_export_cipherlist configuration parameter,
+which you are strongly encouraged to not change. The default value
+of tls_export_cipherlist includes anonymous ciphers, but these are
+automatically filtered out if the server is configured to ask for
 client certificates. If you must always exclude anonymous ciphers,
-set "smtpd_tls_exclude_ciphers = aNULL". </dd>
+set "smtpd_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers
+only when TLS is enforced, set "smtpd_tls_mandatory_exclude_ciphers =
+aNULL". </dd>
 
 <dt><b>low</b></dt>
-<dd> Enable the mainstream "LOW" grade or better OpenSSL ciphers.  This
-setting is only appropriate for internal mail servers.  The underlying
-cipherlist is specified via the tls_low_cipherlist configuration
-parameter, which you are strongly encouraged to not change. The default
-value of tls_low_cipherlist includes anonymous ciphers, but these
-are automatically filtered out if the server is configured to ask for
-client certificates. If you must always exclude anonymous ciphers,
-set "smtpd_tls_exclude_ciphers = aNULL". </dd>
+<dd> Enable the mainstream "LOW" grade or better OpenSSL ciphers. The
+underlying cipherlist is specified via the tls_low_cipherlist
+configuration parameter, which you are strongly encouraged to
+not change. The default value of tls_low_cipherlist includes
+anonymous ciphers, but these are automatically filtered out if the
+server is configured to ask for client certificates. If you must
+always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers =
+aNULL". To exclude anonymous ciphers only when TLS is enforced, set
+"smtpd_tls_mandatory_exclude_ciphers = aNULL". </dd>
 
 <dt><b>medium</b></dt>
-<dd> Enable the mainstream "MEDIUM" grade or better OpenSSL ciphers.  This
-setting is only appropriate for internal mail servers.  The underlying
-cipherlist is specified via the tls_medium_cipherlist configuration
-parameter, which you are strongly encouraged to not change. The default
-value of tls_medium_cipherlist includes anonymous ciphers, but these
-are automatically filtered out if the server is configured to ask for
-client certificates. If you must always exclude anonymous ciphers,
-set "smtpd_tls_exclude_ciphers = aNULL". </dd>
+<dd> Enable the mainstream "MEDIUM" grade or better OpenSSL ciphers. These
+are essentially the 128-bit or stronger ciphers. This is the default
+minimum strength for mandatory TLS encryption. MSAs that enforce
+TLS and have clients that do not support any "MEDIUM" or "HIGH"
+grade ciphers, may need to configure a weaker ("low" or "export")
+minimum cipher grade. The underlying cipherlist is specified via the
+tls_medium_cipherlist configuration parameter, which you are strongly
+encouraged to not change. The default value of tls_medium_cipherlist
+includes anonymous ciphers, but these are automatically filtered out if
+the server is configured to ask for client certificates. If you must
+always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers =
+aNULL". To exclude anonymous ciphers only when TLS is enforced, set
+"smtpd_tls_mandatory_exclude_ciphers = aNULL". </dd>
 
 <dt><b>high</b></dt>
-<dd> Enable only the mainstream "HIGH" grade OpenSSL ciphers.  This
-setting is only appropriate for internal mail servers.  The underlying
-cipherlist is specified via the tls_high_cipherlist configuration
-parameter, which you are strongly encouraged to not change. The default
-value of tls_high_cipherlist includes anonymous ciphers, but these
-are automatically filtered out if the server is configured to ask for
-client certificates. If you must always exclude anonymous ciphers, set
-"smtpd_tls_exclude_ciphers = aNULL". </dd>
+<dd> Enable only the mainstream "HIGH" grade OpenSSL ciphers. The
+underlying cipherlist is specified via the tls_high_cipherlist
+configuration parameter, which you are strongly encouraged to
+not change. The default value of tls_high_cipherlist includes
+anonymous ciphers, but these are automatically filtered out if the
+server is configured to ask for client certificates. If you must
+always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers =
+aNULL". To exclude anonymous ciphers only when TLS is enforced, set
+"smtpd_tls_mandatory_exclude_ciphers = aNULL". </dd>
 
 <dt><b>null</b></dt>
 <dd> Enable only the "NULL" OpenSSL ciphers, these provide authentication
@@ -10140,10 +10151,12 @@ data integrity without encryption or authentication). </dd>
 %PARAM smtpd_tls_exclude_ciphers
 
 <p> List of ciphers or cipher types to exclude from the SMTP server
-cipher list. This is not an OpenSSL cipherlist; it is a simple list
-separated by whitespace and/or commas. The elements are a single
-cipher, or one or more "+" separated cipher properties, in which
-case only ciphers matching <b>all</b> the properties are excluded. </p>
+cipher list at all TLS security levels. Excluding valid ciphers
+can create interoperability problems. DO NOT exclude ciphers unless it
+is essential to do so. This is not an OpenSSL cipherlist; it is a simple
+list separated by whitespace and/or commas. The elements are a single
+cipher, or one or more "+" separated cipher properties, in which case
+only ciphers matching <b>all</b> the properties are excluded. </p>
 
 <p> Examples (some of these will cause problems): </p>
 
@@ -10164,14 +10177,24 @@ key exchange with RSA authentication. </p>
 
 <p> This feature is available in Postfix 2.3 and later. </p>
 
+%PARAM smtpd_tls_mandatory_exclude_ciphers
+
+<p> Additional list of ciphers or cipher types to exclude from the
+SMTP server cipher list at mandatory TLS security levels. This list
+works in addition to the exclusions listed with smtpd_tls_exclude_ciphers
+(see there for syntax details).  </p>
+
+<p> This feature is available in Postfix 2.3 and later. </p>
+
 %PARAM smtp_tls_mandatory_ciphers medium
 
-<p> The minimum SMTP client TLS cipher grade that is strong enough to
-be used with the "encrypt" security level and higher.  The default
-value "medium" is suitable for most destinations with which you may
-want to enforce TLS, and is beyond the reach of today's crypt-analytic
-methods. See smtp_tls_policy_maps for information on how to configure
-ciphers on a per-destination basis. </p>
+<p> The minimum TLS cipher grade that the Postfix SMTP client will
+use with
+mandatory TLS encryption.  The default value "medium" is suitable
+for most destinations with which you may want to enforce TLS, and
+is beyond the reach of today's crypt-analytic methods. See
+smtp_tls_policy_maps for information on how to configure ciphers
+on a per-destination basis. </p>
 
 <p> The following cipher grades are supported: </p>
 
@@ -10237,8 +10260,9 @@ encryption or authentication). </dd>
 
 %PARAM smtp_tls_exclude_ciphers
 
-<p> List of ciphers or cipher types to exclude from the SMTP client cipher
-list at all security levels. This is not an OpenSSL cipherlist, it is
+<p> List of ciphers or cipher types to exclude from the Postfix
+SMTP client cipher
+list at all TLS security levels. This is not an OpenSSL cipherlist, it is
 a simple list separated by whitespace and/or commas. The elements are a
 single cipher, or one or more "+" separated cipher properties, in which
 case only ciphers matching <b>all</b> the properties are excluded. </p>
@@ -10264,18 +10288,17 @@ key exchange with RSA authentication. </p>
 
 %PARAM smtp_tls_mandatory_exclude_ciphers
 
-<p> List of ciphers or cipher types to exclude from the SMTP client
-cipher list at the mandatory TLS security levels: "encrypt", "verify"
-and "secure". See smtp_tls_exclude_ciphers for syntax details. When
-both "exclude" parameters are defined, the combined list of ciphers is
-excluded (provided the TLS security level is "encrypt" or higher). </p>
+<p> Additional list of ciphers or cipher types to exclude from the
+SMTP client cipher list at mandatory TLS security levels. This list
+works in addition to the exclusions listed with smtp_tls_exclude_ciphers
+(see there for syntax details).  </p>
 
 <p> This feature is available in Postfix 2.3 and later. </p>
 
 %PARAM tls_high_cipherlist !EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH
 
 <p> The OpenSSL cipherlist for "HIGH" grade ciphers. This defines
-the meaning of the "high" setting in smtpd_tls_ciphers,
+the meaning of the "high" setting in smtpd_tls_mandatory_ciphers,
 smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
 strongly encouraged to not change this setting. </p>
 
@@ -10284,7 +10307,7 @@ strongly encouraged to not change this setting. </p>
 %PARAM tls_medium_cipherlist !EXPORT:!LOW:ALL:+RC4:@STRENGTH
 
 <p> The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers. This
-defines the meaning of the "medium" setting in smtpd_tls_ciphers,
+defines the meaning of the "medium" setting in smtpd_tls_mandatory_ciphers,
 smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is
 the default cipherlist for mandatory TLS encryption in the TLS
 client (with anonymous ciphers disabled when verifying server
@@ -10296,7 +10319,7 @@ setting. </p>
 %PARAM tls_low_cipherlist !EXPORT:ALL:+RC4:@STRENGTH
 
 <p> The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines
-the meaning of the "low" setting in smtpd_tls_ciphers,
+the meaning of the "low" setting in smtpd_tls_mandatory_ciphers,
 smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
 strongly encouraged to not change this setting. </p>
 
@@ -10305,7 +10328,7 @@ strongly encouraged to not change this setting. </p>
 %PARAM tls_export_cipherlist ALL:+RC4:@STRENGTH
 
 <p> The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This
-defines the meaning of the "export" setting in smtpd_tls_ciphers,
+defines the meaning of the "export" setting in smtpd_tls_mandatory_ciphers,
 smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is
 the cipherlist for the opportunistic ("may") TLS client security
 level and is the default cipherlist for the SMTP server. You are
@@ -10317,7 +10340,7 @@ strongly encouraged to not change this setting. </p>
 
 <p> The OpenSSL cipherlist for "NULL" grade ciphers that provide
 authentication without encryption. This defines the meaning of the "null"
-setting in smtpd_tls_ciphers, smtp_tls_mandatory_ciphers and
+setting in smtpd_mandatory_tls_ciphers, smtp_tls_mandatory_ciphers and
 lmtp_tls_mandatory_ciphers.  You are strongly encouraged to not
 change this setting. </p>
 
@@ -10343,3 +10366,81 @@ configuration parameter.  See there for details. </p>
 configuration parameter.  See there for details. </p>
 
 <p> This feature is available in Postfix 2.3 and later. </p>
+
+%PARAM smtp_sasl_auth_enforce   yes
+
+<p> If sender-dependent SASL passwords are turned off, defer mail
+delivery when an SMTP server does not support SASL authentication,
+while smtp_sasl_password_maps contains SASL login/password information
+for that server.  </p>
+
+<p> This feature is available in Postfix 2.3 and later. </p>
+
+%PARAM lmtp_sasl_auth_enforce   yes
+
+<p> The LMTP-specific version of the smtp_sasl_auth_enforce
+configuration parameter.  See there for details. </p>
+
+<p> This feature is available in Postfix 2.3 and later. </p>
+
+%PARAM smtpd_tls_security_level
+
+<p> The SMTP TLS security level for the Postfix SMTP server; when
+a non-empty value is specified, this overrides the obsolete parameters
+smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with
+"smtpd_tls_wrappermode = yes".  </p>
+
+<p> Specify one of the following security levels: </p>
+
+<dl>
+
+<dt><b>none</b></dt> <dd> TLS will not be used. </dd>
+
+<dt><b>may</b></dt> <dd> Opportunistic TLS: announce STARTTLS support
+to SMTP clients, but do not require that clients use TLS encryption.
+</dd>
+
+<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption: announce
+STARTTLS support to SMTP clients, and require that clients use TLS
+encryption. According to RFC 2487 this MUST NOT be applied in case
+of a publicly-referenced SMTP server. Instead, this option should
+be used only on dedicated servers. </dd>
+
+</dl>
+
+<p> Note 1: the "verify" and "secure" levels are not supported.
+The Postfix SMTP server logs a warning and uses "encrypt" instead.
+To verify SMTP client certificates, see TLS_README for a discussion
+of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and permit_tls_clientcerts
+features.  </p>
+
+<p> Note 2: The parameter setting "smtpd_tls_security_level =
+encrypt" implies "smtpd_tls_auth_only = yes".</p>
+
+<p> Note 3: when invoked via "sendmail -bs", Postfix will never
+offer STARTTLS due to insufficient privileges to access the server
+private key. This is intended behavior.</p>
+
+<p> This feature is available in Postfix 2.3 and later. </p>
+
+%PARAM internal_mail_filter_classes 
+
+<p> What categories of Postfix-generated mail are subject to
+before-queue content inspection by non_smtpd_milters, header_checks
+and body_checks.  Specify zero or more of the following, separated
+by whitespace or comma.  </p>
+
+<dl>
+
+<dt> <b> bounce </b> </dt> <dd> Inspect the content of delivery
+status notifications. </dd>
+
+<dt> <b> notify </b> </dt> <dd> Inspect the content of postmaster
+notifications by the smtp(8) and smtpd(8) processes. </dd>
+
+</dl>
+
+<p> NOTE: It's generally not safe to enable content inspection of
+Postfix-generated email messages. The user is warned. </p>
+
+<p> This feature is available in Postfix 2.3 and later. </p>
diff --git a/postfix/proto/relocated b/postfix/proto/relocated
index 49a3a2eac..f1e1fe55b 100644
--- a/postfix/proto/relocated
+++ b/postfix/proto/relocated
@@ -82,7 +82,7 @@
 #	expression lookup table syntax, see \fBregexp_table\fR(5) or
 #	\fBpcre_table\fR(5). For a description of the TCP client/server
 #	table lookup protocol, see \fBtcp_table\fR(5).
-#	This feature is not available up to and including Postfix version 2.2.
+#	This feature is not available up to and including Postfix version 2.3.
 #
 #	Each pattern is a regular expression that is applied to the entire
 #	address being looked up. Thus, \fIuser@domain\fR mail addresses are not
@@ -101,7 +101,7 @@
 #	This section describes how the table lookups change when lookups
 #	are directed to a TCP-based server. For a description of the TCP
 #	client/server lookup protocol, see \fBtcp_table\fR(5).
-#	This feature is not available up to and including Postfix version 2.2.
+#	This feature is not available up to and including Postfix version 2.3.
 #
 #	Each lookup operation uses the entire address once.  Thus,
 #	\fIuser@domain\fR mail addresses are not broken up into their
diff --git a/postfix/proto/transport b/postfix/proto/transport
index 4546a0095..0a6029f2b 100644
--- a/postfix/proto/transport
+++ b/postfix/proto/transport
@@ -229,7 +229,7 @@
 #	This section describes how the table lookups change when lookups
 #	are directed to a TCP-based server. For a description of the TCP
 #	client/server lookup protocol, see \fBtcp_table\fR(5).
-#	This feature is not available up to and including Postfix version 2.2.
+#	This feature is not available up to and including Postfix version 2.3.
 #
 #	Each lookup operation uses the entire recipient address once.  Thus,
 #	\fIsome.domain.hierarchy\fR is not looked up via its parent domains,
diff --git a/postfix/proto/virtual b/postfix/proto/virtual
index e732a1a68..7f60d562b 100644
--- a/postfix/proto/virtual
+++ b/postfix/proto/virtual
@@ -199,7 +199,7 @@
 #	This section describes how the table lookups change when lookups
 #	are directed to a TCP-based server. For a description of the TCP
 #	client/server lookup protocol, see \fBtcp_table\fR(5).
-#	This feature is not available up to and including Postfix version 2.2.
+#	This feature is not available up to and including Postfix version 2.3.
 #
 #	Each lookup operation uses the entire address once.  Thus,
 #	\fIuser@domain\fR mail addresses are not broken up into their
diff --git a/postfix/qshape-microsecond-patch b/postfix/qshape-microsecond-patch
deleted file mode 100644
index 4476907da..000000000
--- a/postfix/qshape-microsecond-patch
+++ /dev/null
@@ -1,22 +0,0 @@
-This patch adds support for microsecond time information in Postfix
-queue files.
-
-*** /var/tmp/postfix-2.3-20051103/auxiliary/qshape/qshape.pl	Fri Feb  4 19:41:14 2005
---- auxiliary/qshape/qshape.pl	Wed Nov  9 08:43:40 2005
-***************
-*** 204,210 ****
-  	$dlen = $1 if ($d =~ /^\s*(\d+)\s+\d+\s+\d+/);
-  	($r, $l, $d) = rec_get($h);
-  	return unless (defined $r && $r eq "T");
-! 	$t = $d;
-      } elsif ($r eq "S" || $r eq "F") {
-  	# For embryonic queue files in the "maildrop" directory the first
-  	# record is either a REC_TYPE_FULL (F) followed by REC_TYPE_FROM
---- 204,210 ----
-  	$dlen = $1 if ($d =~ /^\s*(\d+)\s+\d+\s+\d+/);
-  	($r, $l, $d) = rec_get($h);
-  	return unless (defined $r && $r eq "T");
-! 	($t) = split(/\s+/, $d);
-      } elsif ($r eq "S" || $r eq "F") {
-  	# For embryonic queue files in the "maildrop" directory the first
-  	# record is either a REC_TYPE_FULL (F) followed by REC_TYPE_FROM
diff --git a/postfix/src/bounce/bounce.c b/postfix/src/bounce/bounce.c
index 67042f3f6..c09d36eed 100644
--- a/postfix/src/bounce/bounce.c
+++ b/postfix/src/bounce/bounce.c
@@ -33,10 +33,11 @@
 /*	themselves, and that depend on retry logic in their own client.
 /* STANDARDS
 /*	RFC 822 (ARPA Internet Text Messages)
+/*	RFC 2045 (Format of Internet Message Bodies)
 /*	RFC 2822 (ARPA Internet Text Messages)
 /*	RFC 3462 (Delivery Status Notifications)
 /*	RFC 3464 (Delivery Status Notifications)
-/*	RFC 2045 (Format of Internet Message Bodies)
+/*	RFC 3834 (Auto-Submitted: message header)
 /* DIAGNOSTICS
 /*	Problems and transactions are logged to \fBsyslogd\fR(8).
 /* CONFIGURATION PARAMETERS
@@ -82,6 +83,10 @@
 /* .IP "\fBipc_timeout (3600s)\fR"
 /*	The time limit for sending or receiving information over an internal
 /*	communication channel.
+/* .IP "\fBinternal_mail_filter_classes (empty)\fR"
+/*	What categories of Postfix-generated mail are subject to
+/*	before-queue content inspection by non_smtpd_milters, header_checks
+/*	and body_checks.
 /* .IP "\fBmail_name (Postfix)\fR"
 /*	The mail system name that is displayed in Received: headers, in
 /*	the SMTP greeting banner, and in bounced mail.
diff --git a/postfix/src/bounce/bounce_notify_service.c b/postfix/src/bounce/bounce_notify_service.c
index 8c3550594..2f9fdb81b 100644
--- a/postfix/src/bounce/bounce_notify_service.c
+++ b/postfix/src/bounce/bounce_notify_service.c
@@ -174,7 +174,7 @@ int     bounce_notify_service(int flags, char *service, char *queue_name,
 	    postmaster = var_2bounce_rcpt;
 	    if ((bounce = post_mail_fopen_nowait(mail_addr_double_bounce(),
 						 postmaster,
-						 CLEANUP_FLAG_MASK_INTERNAL,
+						 INT_FILT_BOUNCE,
 						 NULL_TRACE_FLAGS,
 						 new_id)) != 0) {
 
@@ -213,7 +213,7 @@ int     bounce_notify_service(int flags, char *service, char *queue_name,
      */
     else {
 	if ((bounce = post_mail_fopen_nowait(NULL_SENDER, recipient,
-					     CLEANUP_FLAG_MASK_INTERNAL,
+					     INT_FILT_BOUNCE,
 					     NULL_TRACE_FLAGS,
 					     new_id)) != 0) {
 
@@ -267,7 +267,7 @@ int     bounce_notify_service(int flags, char *service, char *queue_name,
 	    postmaster = var_bounce_rcpt;
 	    if ((bounce = post_mail_fopen_nowait(mail_addr_double_bounce(),
 						 postmaster,
-						 CLEANUP_FLAG_MASK_INTERNAL,
+						 INT_FILT_BOUNCE,
 						 NULL_TRACE_FLAGS,
 						 new_id)) != 0) {
 		count = -1;
diff --git a/postfix/src/bounce/bounce_notify_util.c b/postfix/src/bounce/bounce_notify_util.c
index 39dc887e7..44a91ab55 100644
--- a/postfix/src/bounce/bounce_notify_util.c
+++ b/postfix/src/bounce/bounce_notify_util.c
@@ -453,6 +453,12 @@ int     bounce_header(VSTREAM *bounce, BOUNCE_INFO *bounce_info,
 			    STR(quote_822_local(bounce_info->buf, dest)),
 			    postmaster_copy);
 
+    /*
+     * Auto-Submitted header, as per RFC 3834.
+     */
+    post_mail_fprintf(bounce, "Auto-Submitted: %s", postmaster_copy ?
+		      "auto-generated" : "auto-replied");
+
     /*
      * MIME header. Use 8bit encoding when either the bounced message or the
      * template requires it.
diff --git a/postfix/src/bounce/bounce_notify_verp.c b/postfix/src/bounce/bounce_notify_verp.c
index 4fcdf644c..dbc5e5613 100644
--- a/postfix/src/bounce/bounce_notify_verp.c
+++ b/postfix/src/bounce/bounce_notify_verp.c
@@ -158,7 +158,7 @@ int     bounce_notify_verp(int flags, char *service, char *queue_name,
 	} else {
 	    verp_sender(verp_buf, verp_delims, recipient, rcpt->address);
 	    if ((bounce = post_mail_fopen_nowait(NULL_SENDER, STR(verp_buf),
-						 CLEANUP_FLAG_MASK_INTERNAL,
+						 INT_FILT_BOUNCE,
 						 NULL_TRACE_FLAGS,
 						 new_id)) != 0) {
 
@@ -217,7 +217,7 @@ int     bounce_notify_verp(int flags, char *service, char *queue_name,
 	    postmaster = var_bounce_rcpt;
 	    if ((bounce = post_mail_fopen_nowait(mail_addr_double_bounce(),
 						 postmaster,
-						 CLEANUP_FLAG_MASK_INTERNAL,
+						 INT_FILT_BOUNCE,
 						 NULL_TRACE_FLAGS,
 						 new_id)) != 0) {
 		if (bounce_header(bounce, bounce_info, postmaster,
diff --git a/postfix/src/bounce/bounce_one_service.c b/postfix/src/bounce/bounce_one_service.c
index 6d6ca629a..5373e74e1 100644
--- a/postfix/src/bounce/bounce_one_service.c
+++ b/postfix/src/bounce/bounce_one_service.c
@@ -147,7 +147,7 @@ int     bounce_one_service(int flags, char *queue_name, char *queue_id,
 	} else {
 	    if ((bounce = post_mail_fopen_nowait(mail_addr_double_bounce(),
 						 var_2bounce_rcpt,
-						 CLEANUP_FLAG_MASK_INTERNAL,
+						 INT_FILT_BOUNCE,
 						 NULL_TRACE_FLAGS,
 						 new_id)) != 0) {
 
@@ -183,7 +183,7 @@ int     bounce_one_service(int flags, char *queue_name, char *queue_id,
 	    bounce_status = 0;
 	} else {
 	    if ((bounce = post_mail_fopen_nowait(NULL_SENDER, orig_sender,
-						 CLEANUP_FLAG_MASK_INTERNAL,
+						 INT_FILT_BOUNCE,
 						 NULL_TRACE_FLAGS,
 						 new_id)) != 0) {
 
@@ -228,7 +228,7 @@ int     bounce_one_service(int flags, char *queue_name, char *queue_id,
 	     */
 	    if ((bounce = post_mail_fopen_nowait(mail_addr_double_bounce(),
 						 var_bounce_rcpt,
-						 CLEANUP_FLAG_MASK_INTERNAL,
+						 INT_FILT_BOUNCE,
 						 NULL_TRACE_FLAGS,
 						 new_id)) != 0) {
 		if (bounce_header(bounce, bounce_info, var_bounce_rcpt,
diff --git a/postfix/src/bounce/bounce_trace_service.c b/postfix/src/bounce/bounce_trace_service.c
index 747e6f400..78d1b9362 100644
--- a/postfix/src/bounce/bounce_trace_service.c
+++ b/postfix/src/bounce/bounce_trace_service.c
@@ -140,7 +140,7 @@ int     bounce_trace_service(int flags, char *service, char *queue_name,
      * a new queue file.
      */
     if ((bounce = post_mail_fopen_nowait(NULL_SENDER, recipient,
-					 CLEANUP_FLAG_MASK_INTERNAL,
+					 INT_FILT_BOUNCE,
 					 NULL_TRACE_FLAGS,
 					 new_id)) != 0) {
 	count = -1;
diff --git a/postfix/src/bounce/bounce_warn_service.c b/postfix/src/bounce/bounce_warn_service.c
index 98db272ea..cb19579a1 100644
--- a/postfix/src/bounce/bounce_warn_service.c
+++ b/postfix/src/bounce/bounce_warn_service.c
@@ -164,7 +164,7 @@ int     bounce_warn_service(int unused_flags, char *service, char *queue_name,
 	    postmaster = var_delay_rcpt;
 	    if ((bounce = post_mail_fopen_nowait(mail_addr_double_bounce(),
 						 postmaster,
-						 CLEANUP_FLAG_MASK_INTERNAL,
+						 INT_FILT_BOUNCE,
 						 NULL_TRACE_FLAGS,
 						 new_id)) != 0) {
 
@@ -202,7 +202,7 @@ int     bounce_warn_service(int unused_flags, char *service, char *queue_name,
      */
     else {
 	if ((bounce = post_mail_fopen_nowait(NULL_SENDER, recipient,
-					     CLEANUP_FLAG_MASK_INTERNAL,
+					     INT_FILT_BOUNCE,
 					     NULL_TRACE_FLAGS,
 					     new_id)) != 0) {
 
@@ -252,7 +252,7 @@ int     bounce_warn_service(int unused_flags, char *service, char *queue_name,
 	    postmaster = var_delay_rcpt;
 	    if ((bounce = post_mail_fopen_nowait(mail_addr_double_bounce(),
 						 postmaster,
-						 CLEANUP_FLAG_MASK_INTERNAL,
+						 INT_FILT_BOUNCE,
 						 NULL_TRACE_FLAGS,
 						 new_id)) != 0) {
 		count = -1;
diff --git a/postfix/src/cleanup/cleanup.h b/postfix/src/cleanup/cleanup.h
index 2db16f4cf..cc0a9bd51 100644
--- a/postfix/src/cleanup/cleanup.h
+++ b/postfix/src/cleanup/cleanup.h
@@ -90,6 +90,8 @@ typedef struct CLEANUP_STATE {
     int     defer_delay;		/* deferred delivery */
 #endif
     MILTERS *milters;			/* mail filters */
+    const char *client_name;		/* real or ersatz client */
+    const char *client_addr;		/* real or ersatz client */
 } CLEANUP_STATE;
 
  /*
diff --git a/postfix/src/cleanup/cleanup_milter.c b/postfix/src/cleanup/cleanup_milter.c
index 9a2d47c6c..ebd1f5ce7 100644
--- a/postfix/src/cleanup/cleanup_milter.c
+++ b/postfix/src/cleanup/cleanup_milter.c
@@ -37,34 +37,32 @@
 /*	local call-back functions for macro expansion and for queue
 /*	file modification.
 /*
-/*	cleanup_milter_inspect() subjects a message to inspection
-/*	by mail filters. Each filter can accept or reject the message
-/*	and can request changes to the recipient list, to message
-/*	headers, and to replace the message body.
+/*	cleanup_milter_inspect() sends the current message headers
+/*	and body to the mail filters that were received with
+/*	cleanup_milter_receive(), or that are specified with the
+/*	cleanup_milters configuration parameter.
 /*
 /*	cleanup_milter_emul_mail() emulates connect, helo and mail
 /*	events for mail that does not arrive via the smtpd(8) server.
-/*	This pretends that mail arrives from localhost/127.0.0.1
-/*	via ESMTP.  This code reports a server configuration error
-/*	condition when the milter rejects the emulated commands.
+/*	The emulation pretends that mail arrives from localhost/127.0.0.1
+/*	via ESMTP. Milters can reject emulated connect, helo, mail
+/*	or data events, but not emulated rcpt events as described
+/*	next.
 /*
-/*	cleanup_milter_emul_rcpt() emulates an rcpt() event for
-/*	non-SMTP mail. See cleanup_milter_emul_mail() for the
-/*	handling of reject replies.
+/*	cleanup_milter_emul_rcpt() emulates an rcpt event for mail
+/*	that does not arrive via the smtpd(8) server. This reports
+/*	a server configuration error condition when the milter
+/*	rejects an emulated rcpt event.
 /*
-/*	cleanup_milter_emul_data() emulates a data event for non-SMTP
-/*	mail.  See cleanup_milter_emul_mail() for the handling of
-/*	reject replies.
+/*	cleanup_milter_emul_data() emulates a data event for mail
+/*	that does not arrive via the smtpd(8) server.  It's OK for
+/*	milters to reject emulated data events.
 /* SEE ALSO
 /*	milter(3) generic mail filter interface
-/* BUGS
-/*	Postfix prepends its own Received: header when it receives
-/*	mail from outside, or when it forwards mail internally.
-/*	This header is seen by mail filters, and is present when
-/*	mail filters edit the queue file.
 /* DIAGNOSTICS
 /*	Fatal errors: memory allocation problem.
 /*	Panic: interface violation.
+/*	Warnings: I/O errors (state->errs is updated accordingly).
 /* LICENSE
 /* .ad
 /* .fi
@@ -81,6 +79,7 @@
 #include <sys_defs.h>
 #include <sys/socket.h>			/* AF_INET */
 #include <string.h>
+#include <errno.h>
 
 #ifdef STRCASECMP_IN_STRINGS_H
 #include <strings.h>
@@ -210,9 +209,44 @@
 #define STR(x)		vstring_str(x)
 #define LEN(x)		VSTRING_LEN(x)
 
+/* cleanup_milter_set_error - set error flag from errno */
+
+static void cleanup_milter_set_error(CLEANUP_STATE *state, int err)
+{
+    if (err == EFBIG)
+	state->errs |= CLEANUP_STAT_SIZE;
+    else
+	state->errs |= CLEANUP_STAT_WRITE;
+}
+
+/* cleanup_milter_error - return dummy error description */
+
+static const char *cleanup_milter_error(CLEANUP_STATE *state, int err)
+{
+    const char *myname = "cleanup_milter_error";
+
+    /*
+     * For consistency with error reporting within the milter infrastructure,
+     * content manipulation routines return a null pointer on success, and an
+     * SMTP-like response on error.
+     * 
+     * However, when cleanup_milter_apply() receives this error response from
+     * the milter infrastructure, it ignores the text since the appropriate
+     * cleanup error flags were already set by cleanup_milter_set_error().
+     * 
+     * Specify a null error number when the "errno to error flag" mapping was
+     * already done elsewhere, possibly outside this module.
+     */
+    if (err)
+	cleanup_milter_set_error(state, err);
+    else if (CLEANUP_OUT_OK(state))
+	msg_panic("%s: missing errno to error flag mapping", myname);
+    return ("451 4.3.0 Server internal error");
+}
+
 /* cleanup_add_header - append message header */
 
-static void cleanup_add_header(void *context, char *name, char *value)
+static const char *cleanup_add_header(void *context, char *name, char *value)
 {
     const char *myname = "cleanup_add_header";
     CLEANUP_STATE *state = (CLEANUP_STATE *) context;
@@ -237,14 +271,18 @@ static void cleanup_add_header(void *context, char *name, char *value)
      * target of the old "header append" pointer record. This reverse pointer
      * record becomes the new "header append" pointer record.
      */
-    if ((new_hdr_offset = vstream_fseek(state->dst, (off_t) 0, SEEK_END)) < 0)
-	msg_fatal("%s: seek file %s: %m", myname, cleanup_path);
+    if ((new_hdr_offset = vstream_fseek(state->dst, (off_t) 0, SEEK_END)) < 0) {
+	msg_warn("%s: seek file %s: %m", myname, cleanup_path);
+	return (cleanup_milter_error(state, errno));
+    }
     buf = vstring_alloc(100);
     vstring_sprintf(buf, "%s: %s", name, value);
     cleanup_out_header(state, buf);
     vstring_free(buf);
-    if ((reverse_ptr_offset = vstream_ftell(state->dst)) < 0)
-	msg_fatal("%s: vstream_ftell file %s: %m", myname, cleanup_path);
+    if ((reverse_ptr_offset = vstream_ftell(state->dst)) < 0) {
+	msg_warn("%s: vstream_ftell file %s: %m", myname, cleanup_path);
+	return (cleanup_milter_error(state, errno));
+    }
     cleanup_out_format(state, REC_TYPE_PTR, REC_TYPE_PTR_FORMAT,
 		       (long) state->append_hdr_pt_target);
 
@@ -252,8 +290,10 @@ static void cleanup_add_header(void *context, char *name, char *value)
      * Pointer flipping: update the old "header append" pointer record value
      * with the location of the new header record.
      */
-    if (vstream_fseek(state->dst, state->append_hdr_pt_offset, SEEK_SET) < 0)
-	msg_fatal("%s: seek file %s: %m", myname, cleanup_path);
+    if (vstream_fseek(state->dst, state->append_hdr_pt_offset, SEEK_SET) < 0) {
+	msg_warn("%s: seek file %s: %m", myname, cleanup_path);
+	return (cleanup_milter_error(state, errno));
+    }
     cleanup_out_format(state, REC_TYPE_PTR, REC_TYPE_PTR_FORMAT,
 		       (long) new_hdr_offset);
 
@@ -265,6 +305,11 @@ static void cleanup_add_header(void *context, char *name, char *value)
      * written while Postfix received the message.
      */
     state->append_hdr_pt_offset = reverse_ptr_offset;
+
+    /*
+     * In case of error while doing record output.
+     */
+    return (CLEANUP_OUT_OK(state) ? 0 : cleanup_milter_error(state, 0));
 }
 
 /* cleanup_find_header - find specific header instance */
@@ -272,15 +317,17 @@ static void cleanup_add_header(void *context, char *name, char *value)
 static off_t cleanup_find_header(CLEANUP_STATE *state, ssize_t index,
 			             const char *header_label, VSTRING *buf,
 				         int *prec_type,
-				         int allow_ptr_backup)
+				         int allow_ptr_backup,
+				         int skip_headers)
 {
     const char *myname = "cleanup_find_header";
     off_t   curr_offset;		/* offset after found record */
     off_t   ptr_offset;			/* pointer to found record */
-    VSTRING *ptr_buf;
+    VSTRING *ptr_buf = 0;
     int     rec_type;
     int     last_type;
     ssize_t len;
+    int     hdr_count = 0;
 
     if (msg_verbose)
 	msg_info("%s: index %ld name \"%s\"",
@@ -328,32 +375,75 @@ static off_t cleanup_find_header(CLEANUP_STATE *state, ssize_t index,
      * duplicate some of its logic here and in the routines that delete or
      * modify header records. To minimize the duplication we define an ugly
      * macro that is used in all code that scans for header boundaries.
+     * 
+     * XXX Sendmail compatibility (based on Sendmail 8.13.6 measurements).
+     * 
+     * - When changing Received: header #1, we change the Received: header that
+     * follows our own one; a request to change Received: header #0 is
+     * silently treated as a request to change Received: header #1.
+     * 
+     * - When changing Date: header #1, we change the first Date: header; a
+     * request to change Date: header #0 is silently treated as a request to
+     * change Date: header #1.
+     * 
+     * Thus, header change requests are relative to the content as received,
+     * that is, the content after our own Received: header. They can affect
+     * only the headers that the MTA actually exposes to mail filter
+     * applications.
+     * 
+     * - However, when inserting a header at position 0, the new header appears
+     * before our own Received: header, and when inserting at position 1, the
+     * new header appears after our own Received: header.
+     * 
+     * Thus, header insert operations are relative to the content as delivered,
+     * that is, the content including our own Received: header.
      */
-#define GET_NEXT_TEXT_OR_PTR_RECORD(rec_type, state, buf, curr_offset) \
-    if ((rec_type = rec_get_raw(state->dst, buf, 0, REC_FLAG_NONE)) < 0) \
-	msg_fatal("%s: read file %s: %m", myname, cleanup_path); \
+#define CLEANUP_FIND_HEADER_NOTFOUND	(-1)
+#define CLEANUP_FIND_HEADER_IOERROR	(-2)
+
+#define CLEANUP_FIND_HEADER_RETURN(offs) do { \
+	if (ptr_buf) \
+	    vstring_free(ptr_buf); \
+	return (offs); \
+    } while (0)
+
+#define GET_NEXT_TEXT_OR_PTR_RECORD(rec_type, state, buf, curr_offset, quit) \
+    if ((rec_type = rec_get_raw(state->dst, buf, 0, REC_FLAG_NONE)) < 0) { \
+	msg_warn("%s: read file %s: %m", myname, cleanup_path); \
+	cleanup_milter_set_error(state, errno); \
+	do { quit; } while (0); \
+    } \
     if (msg_verbose > 1) \
 	msg_info("%s: read: %ld: %.*s", myname, (long) curr_offset, \
-		 LEN(buf) > 30 ? 30 : LEN(buf), STR(buf)); \
+		 LEN(buf) > 30 ? 30 : (int) LEN(buf), STR(buf)); \
     if (rec_type == REC_TYPE_DTXT) \
 	continue; \
     if (rec_type != REC_TYPE_NORM && rec_type != REC_TYPE_CONT \
 	&& rec_type != REC_TYPE_PTR) \
 	break;
 
-    if (vstream_fseek(state->dst, state->data_offset, SEEK_SET) < 0)
-	msg_fatal("%s: seek file %s: %m", myname, cleanup_path);
-    for (ptr_buf = 0, ptr_offset = 0, last_type = 0; /* void */ ; /* void */ ) {
-	if ((curr_offset = vstream_ftell(state->dst)) < 0)
-	    msg_fatal("%s: vstream_ftell file %s: %m", myname, cleanup_path);
+    if (vstream_fseek(state->dst, state->data_offset, SEEK_SET) < 0) {
+	msg_warn("%s: seek file %s: %m", myname, cleanup_path);
+	cleanup_milter_set_error(state, errno);
+	CLEANUP_FIND_HEADER_RETURN(CLEANUP_FIND_HEADER_IOERROR);
+    }
+    for (ptr_offset = 0, last_type = 0; /* void */ ; /* void */ ) {
+	if ((curr_offset = vstream_ftell(state->dst)) < 0) {
+	    msg_warn("%s: vstream_ftell file %s: %m", myname, cleanup_path);
+	    cleanup_milter_set_error(state, errno);
+	    CLEANUP_FIND_HEADER_RETURN(CLEANUP_FIND_HEADER_IOERROR);
+	}
 	/* Caution: this macro terminates the loop at end-of-message. */
 	/* Don't do complex processing while breaking out of this loop. */
-	GET_NEXT_TEXT_OR_PTR_RECORD(rec_type, state, buf, curr_offset);
+	GET_NEXT_TEXT_OR_PTR_RECORD(rec_type, state, buf, curr_offset,
+		   CLEANUP_FIND_HEADER_RETURN(CLEANUP_FIND_HEADER_IOERROR));
 	/* Caution: don't assume ptr->header. This may be header-ptr->body. */
 	if (rec_type == REC_TYPE_PTR) {
-	    if (rec_goto(state->dst, STR(buf)) < 0)
-		msg_fatal("%s: read file %s: %m",
-			  myname, cleanup_path);
+	    if (rec_goto(state->dst, STR(buf)) < 0) {
+		msg_warn("%s: read file %s: %m", myname, cleanup_path);
+		cleanup_milter_set_error(state, errno);
+		CLEANUP_FIND_HEADER_RETURN(CLEANUP_FIND_HEADER_IOERROR);
+	    }
 	    /* Save PTR record, in case it points to the start of a header. */
 	    if (allow_ptr_backup) {
 		ptr_offset = curr_offset;
@@ -374,6 +464,8 @@ static off_t cleanup_find_header(CLEANUP_STATE *state, ssize_t index,
 	    break;
 	}
 	/* This the start of a message header. */
+	else if (hdr_count++ < skip_headers)
+	    continue;
 	else if ((header_label == 0
 		  || (strncasecmp(header_label, STR(buf), len) == 0
 		      && (IS_SPACE_TAB(STR(buf)[len])
@@ -389,7 +481,7 @@ static off_t cleanup_find_header(CLEANUP_STATE *state, ssize_t index,
      * In case of failure, return negative start position.
      */
     if (index > 0) {
-	curr_offset = -1;
+	curr_offset = CLEANUP_FIND_HEADER_NOTFOUND;
     }
 
     /*
@@ -405,27 +497,25 @@ static off_t cleanup_find_header(CLEANUP_STATE *state, ssize_t index,
 	}
 	*prec_type = rec_type;
     }
-    if (ptr_buf)
-	vstring_free(ptr_buf);
 
     if (msg_verbose)
 	msg_info("%s: index %ld name %s type %d offset %ld",
 		 myname, (long) index, header_label ?
 		 header_label : "(none)", rec_type, (long) curr_offset);
 
-    return (curr_offset);
+    CLEANUP_FIND_HEADER_RETURN(curr_offset);
 }
 
 /* cleanup_patch_header - patch new header into an existing header */
 
-static void cleanup_patch_header(CLEANUP_STATE *state,
-				         const char *new_hdr_name,
-				         const char *new_hdr_value,
-				         off_t old_rec_offset,
-				         int rec_type,
-				         VSTRING *old_rec_buf,
-				         ssize_t avail_space,
-				         off_t read_offset)
+static const char *cleanup_patch_header(CLEANUP_STATE *state,
+					        const char *new_hdr_name,
+					        const char *new_hdr_value,
+					        off_t old_rec_offset,
+					        int rec_type,
+					        VSTRING *old_rec_buf,
+					        ssize_t avail_space,
+					        off_t read_offset)
 {
     const char *myname = "cleanup_patch_header";
     VSTRING *buf = vstring_alloc(100);
@@ -433,6 +523,11 @@ static void cleanup_patch_header(CLEANUP_STATE *state,
     off_t   saved_read_offset;
     off_t   write_offset;
 
+#define CLEANUP_PATCH_HEADER_RETURN(ret) do { \
+	vstring_free(buf); \
+	return (ret); \
+    } while (0)
+
     if (msg_verbose)
 	msg_info("%s: \"%s\" \"%s\" at %ld",
 		 myname, new_hdr_name, new_hdr_value, (long) old_rec_offset);
@@ -472,13 +567,15 @@ static void cleanup_patch_header(CLEANUP_STATE *state,
      * Write the new header to a new location after the end of the queue
      * file.
      */
-    if ((new_hdr_offset = vstream_fseek(state->dst, (off_t) 0, SEEK_END)) < 0)
-	msg_fatal("%s: seek file %s: %m", myname, cleanup_path);
+    if ((new_hdr_offset = vstream_fseek(state->dst, (off_t) 0, SEEK_END)) < 0) {
+	msg_warn("%s: seek file %s: %m", myname, cleanup_path);
+	CLEANUP_PATCH_HEADER_RETURN(cleanup_milter_error(state, errno));
+    }
     vstring_sprintf(buf, "%s: %s", new_hdr_name, new_hdr_value);
     cleanup_out_header(state, buf);
     if (msg_verbose > 1)
 	msg_info("%s: %ld: write %.*s", myname, (long) new_hdr_offset,
-		 LEN(buf) > 30 ? 30 : LEN(buf), STR(buf));
+		 LEN(buf) > 30 ? 30 : (int) LEN(buf), STR(buf));
 
     /*
      * Optionally, save the existing text record or pointer record that will
@@ -488,7 +585,7 @@ static void cleanup_patch_header(CLEANUP_STATE *state,
 	CLEANUP_OUT_BUF(state, rec_type, old_rec_buf);
 	if (msg_verbose > 1)
 	    msg_info("%s: write %.*s", myname, LEN(old_rec_buf) > 30 ?
-		     30 : LEN(old_rec_buf), STR(old_rec_buf));
+		     30 : (int) LEN(old_rec_buf), STR(old_rec_buf));
     }
 
     /*
@@ -500,28 +597,36 @@ static void cleanup_patch_header(CLEANUP_STATE *state,
      */
     while (rec_type != REC_TYPE_PTR && avail_space < REC_TYPE_PTR_SIZE) {
 	/* Read existing text or pointer record. */
-	if (vstream_fseek(state->dst, read_offset, SEEK_SET) < 0)
-	    msg_fatal("%s: seek file %s: %m", myname, cleanup_path);
-	if ((rec_type = rec_get_raw(state->dst, buf, 0, REC_FLAG_NONE)) < 0)
-	    msg_fatal("%s: read file %s: %m", myname, cleanup_path);
+	if (vstream_fseek(state->dst, read_offset, SEEK_SET) < 0) {
+	    msg_warn("%s: seek file %s: %m", myname, cleanup_path);
+	    CLEANUP_PATCH_HEADER_RETURN(cleanup_milter_error(state, errno));
+	}
+	if ((rec_type = rec_get_raw(state->dst, buf, 0, REC_FLAG_NONE)) < 0) {
+	    msg_warn("%s: read file %s: %m", myname, cleanup_path);
+	    CLEANUP_PATCH_HEADER_RETURN(cleanup_milter_error(state, errno));
+	}
 	if (msg_verbose > 1)
 	    msg_info("%s: %ld: read %.*s", myname, (long) read_offset,
-		     LEN(buf) > 30 ? 30 : LEN(buf), STR(buf));
+		     LEN(buf) > 30 ? 30 : (int) LEN(buf), STR(buf));
 	if (rec_type != REC_TYPE_NORM && rec_type != REC_TYPE_CONT
 	    && rec_type != REC_TYPE_PTR && rec_type != REC_TYPE_DTXT)
 	    msg_panic("%s: non-text/ptr record type %d in header, file %s",
 		      myname, rec_type, cleanup_path);
 	saved_read_offset = read_offset;
-	if ((read_offset = vstream_ftell(state->dst)) < 0)
-	    msg_fatal("%s: vstream_ftell file %s: %m", myname, cleanup_path);
+	if ((read_offset = vstream_ftell(state->dst)) < 0) {
+	    msg_warn("%s: vstream_ftell file %s: %m", myname, cleanup_path);
+	    CLEANUP_PATCH_HEADER_RETURN(cleanup_milter_error(state, errno));
+	}
 	avail_space += (read_offset - saved_read_offset);
 	/* Save the text or pointer record. */
-	if ((write_offset = vstream_fseek(state->dst, (off_t) 0, SEEK_END)) < 0)
-	    msg_fatal("%s: seek file %s: %m", myname, cleanup_path);
+	if ((write_offset = vstream_fseek(state->dst, (off_t) 0, SEEK_END)) < 0) {
+	    msg_warn("%s: seek file %s: %m", myname, cleanup_path);
+	    CLEANUP_PATCH_HEADER_RETURN(cleanup_milter_error(state, errno));
+	}
 	CLEANUP_OUT_BUF(state, rec_type, buf);
 	if (msg_verbose > 1)
 	    msg_info("%s: %ld: write %.*s", myname, (long) write_offset,
-		     LEN(buf) > 30 ? 30 : LEN(buf), STR(buf));
+		     LEN(buf) > 30 ? 30 : (int) LEN(buf), STR(buf));
 	/* Update cached location of "append header" pointer record. */
 	if (saved_read_offset == state->append_hdr_pt_offset)
 	    state->append_hdr_pt_offset = write_offset;
@@ -544,25 +649,32 @@ static void cleanup_patch_header(CLEANUP_STATE *state,
      * the queue file before the next record. In other words, we must always
      * follow pointer records otherwise we get out of sync with the data.
      */
-    if (vstream_fseek(state->dst, old_rec_offset, SEEK_SET) < 0)
-	msg_fatal("%s: seek file %s: %m", myname, cleanup_path);
+    if (vstream_fseek(state->dst, old_rec_offset, SEEK_SET) < 0) {
+	msg_warn("%s: seek file %s: %m", myname, cleanup_path);
+	CLEANUP_PATCH_HEADER_RETURN(cleanup_milter_error(state, errno));
+    }
     cleanup_out_format(state, REC_TYPE_PTR, REC_TYPE_PTR_FORMAT,
 		       (long) new_hdr_offset);
     if (msg_verbose > 1)
 	msg_info("%s: %ld: write PTR %ld", myname, (long) old_rec_offset,
 		 (long) new_hdr_offset);
 
+    /*
+     * In case of error while doing record output.
+     */
+    CLEANUP_PATCH_HEADER_RETURN(CLEANUP_OUT_OK(state) ? 0 :
+				cleanup_milter_error(state, 0));
+
     /*
      * Note: state->append_hdr_pt_target never changes.
      */
-    vstring_free(buf);
 }
 
 /* cleanup_ins_header - insert message header */
 
-static void cleanup_ins_header(void *context, ssize_t index,
-			               char *new_hdr_name,
-			               char *new_hdr_value)
+static const char *cleanup_ins_header(void *context, ssize_t index,
+				              char *new_hdr_name,
+				              char *new_hdr_value)
 {
     const char *myname = "cleanup_ins_header";
     CLEANUP_STATE *state = (CLEANUP_STATE *) context;
@@ -571,6 +683,12 @@ static void cleanup_ins_header(void *context, ssize_t index,
     int     old_rec_type;
     off_t   read_offset;
     ssize_t avail_space;
+    const char *ret;
+
+#define CLEANUP_INS_HEADER_RETURN(ret) do { \
+	vstring_free(old_rec_buf); \
+	return (ret); \
+    } while (0)
 
     if (msg_verbose)
 	msg_info("%s: %ld \"%s\" \"%s\"",
@@ -590,35 +708,44 @@ static void cleanup_ins_header(void *context, ssize_t index,
      */
 #define NO_HEADER_NAME	((char *) 0)
 #define ALLOW_PTR_BACKUP	1
+#define SKIP_ONE_HEADER		1
+#define DONT_SKIP_HEADERS	0
 
     if (index < 1)
 	index = 1;
     old_rec_offset = cleanup_find_header(state, index, NO_HEADER_NAME,
 					 old_rec_buf, &old_rec_type,
-					 ALLOW_PTR_BACKUP);
+					 ALLOW_PTR_BACKUP,
+					 DONT_SKIP_HEADERS);
+    if (old_rec_offset == CLEANUP_FIND_HEADER_IOERROR)
+	/* Warning and errno->error mapping are done elsewhere. */
+	CLEANUP_INS_HEADER_RETURN(cleanup_milter_error(state, 0));
     if (old_rec_offset < 0) {
-	cleanup_add_header(context, new_hdr_name, new_hdr_value);
+	CLEANUP_INS_HEADER_RETURN(cleanup_add_header(context, new_hdr_name,
+						     new_hdr_value));
     } else {
 	if (old_rec_type == REC_TYPE_PTR) {
 	    read_offset = -1;
 	    avail_space = -1;
 	} else {
-	    if ((read_offset = vstream_ftell(state->dst)) < 0)
-		msg_fatal("%s: read file %s: %m", myname, cleanup_path);
+	    if ((read_offset = vstream_ftell(state->dst)) < 0) {
+		msg_warn("%s: read file %s: %m", myname, cleanup_path);
+		CLEANUP_INS_HEADER_RETURN(cleanup_milter_error(state, errno));
+	    }
 	    avail_space = LEN(old_rec_buf);
 	}
-	cleanup_patch_header(state, new_hdr_name, new_hdr_value,
-			     old_rec_offset, old_rec_type, old_rec_buf,
-			     avail_space, read_offset);
+	ret = cleanup_patch_header(state, new_hdr_name, new_hdr_value,
+				   old_rec_offset, old_rec_type, old_rec_buf,
+				   avail_space, read_offset);
+	CLEANUP_INS_HEADER_RETURN(ret);
     }
-    vstring_free(old_rec_buf);
 }
 
 /* cleanup_upd_header - modify or append message header */
 
-static void cleanup_upd_header(void *context, ssize_t index,
-			               char *new_hdr_name,
-			               char *new_hdr_value)
+static const char *cleanup_upd_header(void *context, ssize_t index,
+				              char *new_hdr_name,
+				              char *new_hdr_value)
 {
     const char *myname = "cleanup_upd_header";
     CLEANUP_STATE *state = (CLEANUP_STATE *) context;
@@ -630,6 +757,7 @@ static void cleanup_upd_header(void *context, ssize_t index,
     int     rec_type;
     int     last_type;
     int     jumped;
+    const char *ret;
 
     if (msg_verbose)
 	msg_info("%s: %ld \"%s\" \"%s\"",
@@ -655,32 +783,54 @@ static void cleanup_upd_header(void *context, ssize_t index,
 #define DONT_SAVE_RECORD	0
 #define NO_PTR_BACKUP		0
 
+#define CLEANUP_UPD_HEADER_RETURN(ret) do { \
+	vstring_free(rec_buf); \
+	return (ret); \
+    } while (0)
+
     rec_buf = vstring_alloc(100);
     old_rec_offset = cleanup_find_header(state, index, new_hdr_name,
 					 rec_buf, &last_type,
-					 NO_PTR_BACKUP);
+					 NO_PTR_BACKUP,
+					 SKIP_ONE_HEADER);
+    if (old_rec_offset == CLEANUP_FIND_HEADER_IOERROR)
+	/* Warning and errno->error mapping are done elsewhere. */
+	CLEANUP_UPD_HEADER_RETURN(cleanup_milter_error(state, 0));
     if (old_rec_offset < 0) {
-	cleanup_add_header(context, new_hdr_name, new_hdr_value);
+	CLEANUP_UPD_HEADER_RETURN(cleanup_add_header(context, new_hdr_name,
+						     new_hdr_value));
     } else {
 	/* Find the end of this header. */
 	avail_space = LEN(rec_buf);
-	if ((read_offset = vstream_ftell(state->dst)) < 0)
-	    msg_fatal("%s: read file %s: %m", myname, cleanup_path);
-	for (jumped = 0; /* void */ ; /* void */ ) {
+	if ((read_offset = vstream_ftell(state->dst)) < 0) {
+	    msg_warn("%s: read file %s: %m", myname, cleanup_path);
+	    CLEANUP_UPD_HEADER_RETURN(cleanup_milter_error(state, errno));
+	}
+	for (jumped = 0, ret = 0; ret == 0; /* void */ ) {
+	    if (CLEANUP_OUT_OK(state) == 0)
+		/* Warning and errno->error mapping are done elsewhere. */
+		CLEANUP_UPD_HEADER_RETURN(cleanup_milter_error(state, 0));
 	    saved_read_offset = read_offset;
 	    /* Caution: this macro terminates the loop at end-of-message. */
 	    /* Don't do complex processing while breaking out of this loop. */
-	    GET_NEXT_TEXT_OR_PTR_RECORD(rec_type, state, rec_buf, read_offset);
-	    if ((read_offset = vstream_ftell(state->dst)) < 0)
-		msg_fatal("%s: read file %s: %m", myname, cleanup_path);
+	    GET_NEXT_TEXT_OR_PTR_RECORD(rec_type, state, rec_buf, read_offset,
+	    /* Warning and errno->error mapping are done elsewhere. */
+		 CLEANUP_UPD_HEADER_RETURN(cleanup_milter_error(state, 0)));
+	    if ((read_offset = vstream_ftell(state->dst)) < 0) {
+		msg_warn("%s: read file %s: %m", myname, cleanup_path);
+		CLEANUP_UPD_HEADER_RETURN(cleanup_milter_error(state, errno));
+	    }
 	    if (rec_type == REC_TYPE_PTR) {
 		if (jumped == 0) {
 		    /* Enough contiguous space for writing a PTR record. */
 		    avail_space += read_offset - saved_read_offset;
 		    jumped = 1;
 		}
-		if (rec_goto(state->dst, STR(rec_buf)) < 0)
-		    msg_fatal("%s: read file %s: %m", myname, cleanup_path);
+		if (rec_goto(state->dst, STR(rec_buf)) < 0) {
+		    msg_warn("%s: read file %s: %m", myname, cleanup_path);
+		    CLEANUP_UPD_HEADER_RETURN(cleanup_milter_error(state,
+								   errno));
+		}
 		/* Don't update last_type; PTR may follow REC_TYPE_CONT. */
 		continue;
 	    }
@@ -691,16 +841,17 @@ static void cleanup_upd_header(void *context, ssize_t index,
 		avail_space += read_offset - saved_read_offset;
 	    last_type = rec_type;
 	}
-	cleanup_patch_header(state, new_hdr_name, new_hdr_value,
-			     old_rec_offset, DONT_SAVE_RECORD, (VSTRING *) 0,
-			     avail_space, saved_read_offset);
+	ret = cleanup_patch_header(state, new_hdr_name, new_hdr_value,
+			    old_rec_offset, DONT_SAVE_RECORD, (VSTRING *) 0,
+				   avail_space, saved_read_offset);
+	CLEANUP_UPD_HEADER_RETURN(ret);
     }
-    vstring_free(rec_buf);
 }
 
 /* cleanup_del_header - delete message header */
 
-static void cleanup_del_header(void *context, ssize_t index, char *hdr_name)
+static const char *cleanup_del_header(void *context, ssize_t index,
+				              char *hdr_name)
 {
     const char *myname = "cleanup_del_header";
     CLEANUP_STATE *state = (CLEANUP_STATE *) context;
@@ -733,7 +884,13 @@ static void cleanup_del_header(void *context, ssize_t index, char *hdr_name)
      */
     rec_buf = vstring_alloc(100);
     header_offset = cleanup_find_header(state, index, hdr_name, rec_buf,
-					&last_type, NO_PTR_BACKUP);
+					&last_type, NO_PTR_BACKUP,
+					SKIP_ONE_HEADER);
+    if (header_offset == CLEANUP_FIND_HEADER_IOERROR) {
+	vstring_free(rec_buf);
+	/* Warning and errno->error mapping are done elsewhere. */
+	return (cleanup_milter_error(state, 0));
+    }
     /* Memory usage for header offsets is limited by header_size_limit. */
     if (header_offset > 0) {
 	ssize_t off_len = 1;
@@ -741,15 +898,26 @@ static void cleanup_del_header(void *context, ssize_t index, char *hdr_name)
 	off_t  *off_list = (off_t *) mymalloc(off_len * sizeof(*off_list));
 	int     n;
 
+#define CLEANUP_DEL_HEADER_RETURN(ret) do { \
+	vstring_free(rec_buf); \
+	myfree((char *) off_list); \
+	return (ret); \
+    } while (0)
+
 	off_list[0] = header_offset;
 	for (;;) {
 	    curr_offset = vstream_ftell(state->dst);
 	    /* Caution: this macro terminates the loop at end-of-message. */
 	    /* Don't do complex processing while breaking out of this loop. */
-	    GET_NEXT_TEXT_OR_PTR_RECORD(rec_type, state, rec_buf, curr_offset);
+	    GET_NEXT_TEXT_OR_PTR_RECORD(rec_type, state, rec_buf, curr_offset,
+	    /* Warning and errno->error mapping are done elsewhere. */
+		 CLEANUP_DEL_HEADER_RETURN(cleanup_milter_error(state, 0)));
 	    if (rec_type == REC_TYPE_PTR) {
-		if (rec_goto(state->dst, STR(rec_buf)) < 0)
-		    msg_fatal("%s: read file %s: %m", myname, cleanup_path);
+		if (rec_goto(state->dst, STR(rec_buf)) < 0) {
+		    msg_warn("%s: read file %s: %m", myname, cleanup_path);
+		    CLEANUP_DEL_HEADER_RETURN(cleanup_milter_error(state,
+								   errno));
+		}
 		/* Don't update last_type; PTR may follow REC_TYPE_CONT. */
 		continue;
 	    }
@@ -766,17 +934,25 @@ static void cleanup_del_header(void *context, ssize_t index, char *hdr_name)
 	    last_type = rec_type;
 	}
 	/* Mark the header text records as deleted. */
-	for (n = 0; n < off_used; n++)
-	    if (rec_put_type(state->dst, REC_TYPE_DTXT, off_list[n]) < 0)
-		msg_fatal("%s: write file %s: %m", myname, cleanup_path);
+	for (n = 0; n < off_used; n++) {
+	    if (rec_put_type(state->dst, REC_TYPE_DTXT, off_list[n]) < 0) {
+		msg_warn("%s: write file %s: %m", myname, cleanup_path);
+		CLEANUP_DEL_HEADER_RETURN(cleanup_milter_error(state, errno));
+	    }
+	}
 	myfree((char *) off_list);
     }
     vstring_free(rec_buf);
+
+    /*
+     * In case of error while doing record output.
+     */
+    return (CLEANUP_OUT_OK(state) ? 0 : cleanup_milter_error(state, 0));
 }
 
 /* cleanup_add_rcpt - append recipient address */
 
-static void cleanup_add_rcpt(void *context, char *rcpt)
+static const char *cleanup_add_rcpt(void *context, char *rcpt)
 {
     const char *myname = "cleanup_add_rcpt";
     CLEANUP_STATE *state = (CLEANUP_STATE *) context;
@@ -810,11 +986,15 @@ static void cleanup_add_rcpt(void *context, char *rcpt)
      */
 #define NO_DSN_ORCPT	((char *) 0)
 
-    if ((new_rcpt_offset = vstream_fseek(state->dst, (off_t) 0, SEEK_END)) < 0)
-	msg_fatal("%s: seek file %s: %m", myname, cleanup_path);
+    if ((new_rcpt_offset = vstream_fseek(state->dst, (off_t) 0, SEEK_END)) < 0) {
+	msg_warn("%s: seek file %s: %m", myname, cleanup_path);
+	return (cleanup_milter_error(state, errno));
+    }
     cleanup_addr_bcc(state, rcpt);
-    if ((reverse_ptr_offset = vstream_ftell(state->dst)) < 0)
-	msg_fatal("%s: vstream_ftell file %s: %m", myname, cleanup_path);
+    if ((reverse_ptr_offset = vstream_ftell(state->dst)) < 0) {
+	msg_warn("%s: vstream_ftell file %s: %m", myname, cleanup_path);
+	return (cleanup_milter_error(state, errno));
+    }
     cleanup_out_format(state, REC_TYPE_PTR, REC_TYPE_PTR_FORMAT,
 		       (long) state->append_rcpt_pt_target);
 
@@ -822,8 +1002,10 @@ static void cleanup_add_rcpt(void *context, char *rcpt)
      * Pointer flipping: update the old "recipient append" pointer record
      * value to the location of the new recipient record.
      */
-    if (vstream_fseek(state->dst, state->append_rcpt_pt_offset, SEEK_SET) < 0)
-	msg_fatal("%s: seek file %s: %m", myname, cleanup_path);
+    if (vstream_fseek(state->dst, state->append_rcpt_pt_offset, SEEK_SET) < 0) {
+	msg_warn("%s: seek file %s: %m", myname, cleanup_path);
+	return (cleanup_milter_error(state, errno));
+    }
     cleanup_out_format(state, REC_TYPE_PTR, REC_TYPE_PTR_FORMAT,
 		       (long) new_rcpt_offset);
 
@@ -835,11 +1017,16 @@ static void cleanup_add_rcpt(void *context, char *rcpt)
      * record that was written while Postfix received the message.
      */
     state->append_rcpt_pt_offset = reverse_ptr_offset;
+
+    /*
+     * In case of error while doing record output.
+     */
+    return (CLEANUP_OUT_OK(state) ? 0 : cleanup_milter_error(state, 0));
 }
 
 /* cleanup_del_rcpt - remove recipient and all its expansions */
 
-static void cleanup_del_rcpt(void *context, char *rcpt)
+static const char *cleanup_del_rcpt(void *context, char *rcpt)
 {
     const char *myname = "cleanup_del_rcpt";
     CLEANUP_STATE *state = (CLEANUP_STATE *) context;
@@ -875,28 +1062,51 @@ static void cleanup_del_rcpt(void *context, char *rcpt)
      * but to match against the expanded and rewritten recipient address.
      * 
      * XXX Remove the (dsn_orcpt, dsn_notify, orcpt, recip) tuple from the
-     * duplicate recipient filter.
+     * duplicate recipient filter. This requires that we maintain reference
+     * counts.
      */
-    if (vstream_fseek(state->dst, 0L, SEEK_SET) < 0)
-	msg_fatal("%s: seek file %s: %m", myname, cleanup_path);
+    if (vstream_fseek(state->dst, 0L, SEEK_SET) < 0) {
+	msg_warn("%s: seek file %s: %m", myname, cleanup_path);
+	return (cleanup_milter_error(state, errno));
+    }
+#define CLEANUP_DEL_RCPT_RETURN(ret) do { \
+	if (orig_rcpt != 0)	\
+	    myfree(orig_rcpt); \
+	if (dsn_orcpt != 0) \
+	    myfree(dsn_orcpt); \
+	vstring_free(buf); \
+	return (ret); \
+    } while (0)
+
     buf = vstring_alloc(100);
-    while (CLEANUP_OUT_OK(state)) {
-	if ((curr_offset = vstream_ftell(state->dst)) < 0)
-	    msg_fatal("%s: vstream_ftell file %s: %m", myname, cleanup_path);
-	if ((rec_type = rec_get_raw(state->dst, buf, 0, REC_FLAG_NONE)) <= 0)
-	    msg_fatal("%s: read file %s: %m", myname, cleanup_path);
+    for (;;) {
+	if (CLEANUP_OUT_OK(state) == 0)
+	    /* Warning and errno->error mapping are done elsewhere. */
+	    CLEANUP_DEL_RCPT_RETURN(cleanup_milter_error(state, 0));
+	if ((curr_offset = vstream_ftell(state->dst)) < 0) {
+	    msg_warn("%s: vstream_ftell file %s: %m", myname, cleanup_path);
+	    CLEANUP_DEL_RCPT_RETURN(cleanup_milter_error(state, errno));
+	}
+	if ((rec_type = rec_get_raw(state->dst, buf, 0, REC_FLAG_NONE)) <= 0) {
+	    msg_warn("%s: read file %s: %m", myname, cleanup_path);
+	    CLEANUP_DEL_RCPT_RETURN(cleanup_milter_error(state, errno));
+	}
 	if (rec_type == REC_TYPE_END)
 	    break;
 	/* Skip over message content. */
 	if (rec_type == REC_TYPE_MESG) {
-	    if (vstream_fseek(state->dst, state->xtra_offset, SEEK_SET) < 0)
-		msg_fatal("%s: seek file %s: %m", myname, cleanup_path);
+	    if (vstream_fseek(state->dst, state->xtra_offset, SEEK_SET) < 0) {
+		msg_warn("%s: seek file %s: %m", myname, cleanup_path);
+		CLEANUP_DEL_RCPT_RETURN(cleanup_milter_error(state, errno));
+	    }
 	    continue;
 	}
 	start = STR(buf);
 	if (rec_type == REC_TYPE_PTR) {
-	    if (rec_goto(state->dst, start) < 0)
-		msg_fatal("%s: seek file %s: %m", myname, cleanup_path);
+	    if (rec_goto(state->dst, start) < 0) {
+		msg_warn("%s: seek file %s: %m", myname, cleanup_path);
+		CLEANUP_DEL_RCPT_RETURN(cleanup_milter_error(state, errno));
+	    }
 	    continue;
 	}
 	/* Map attribute names to pseudo record type. */
@@ -929,11 +1139,13 @@ static void cleanup_del_rcpt(void *context, char *rcpt)
 	    break;
 	case REC_TYPE_RCPT:			/* rewritten RCPT TO address */
 	    if (strcmp(orig_rcpt ? orig_rcpt : start, rcpt) == 0) {
-		if (vstream_fseek(state->dst, curr_offset, SEEK_SET) < 0)
-		    msg_fatal("%s: seek file %s: %m", myname, cleanup_path);
+		if (vstream_fseek(state->dst, curr_offset, SEEK_SET) < 0) {
+		    msg_warn("%s: seek file %s: %m", myname, cleanup_path);
+		    CLEANUP_DEL_RCPT_RETURN(cleanup_milter_error(state, errno));
+		}
 		if (REC_PUT_BUF(state->dst, REC_TYPE_DRCP, buf) < 0) {
 		    msg_warn("%s: write queue file: %m", state->queue_id);
-		    state->errs |= CLEANUP_STAT_WRITE;
+		    CLEANUP_DEL_RCPT_RETURN(cleanup_milter_error(state, errno));
 		}
 		count++;
 	    }
@@ -952,23 +1164,24 @@ static void cleanup_del_rcpt(void *context, char *rcpt)
 	    break;
 	}
     }
-    if (orig_rcpt != 0)				/* can't happen */
-	myfree(orig_rcpt);
-    if (dsn_orcpt != 0)				/* can't happen */
-	myfree(dsn_orcpt);
-    vstring_free(buf);
 
     if (msg_verbose)
 	msg_info("%s: deleted %d records for recipient \"%s\"",
 		 myname, count, rcpt);
+
+    CLEANUP_DEL_RCPT_RETURN(0);
 }
 
 /* cleanup_repl_body - replace message body */
 
-static void cleanup_repl_body(void *context, VSTRING *body)
+static const char *cleanup_repl_body(void *context, VSTRING *body)
 {
     const char *myname = "cleanup_repl_body";
 
+    /*
+     * XXX Sendmail compatibility: milters don't see the first body line, so
+     * don't expect they will send one.
+     */
     msg_panic("%s: message body replace operation is not implemented", myname);
 }
 
@@ -978,6 +1191,11 @@ static const char *cleanup_milter_eval(const char *name, void *ptr)
 {
     CLEANUP_STATE *state = (CLEANUP_STATE *) ptr;
 
+    /*
+     * Note: if we use XFORWARD attributes here, then consistency requires
+     * that we forward all Sendmail macros via XFORWARD.
+     */
+
     /*
      * Canonicalize the name.
      */
@@ -1047,7 +1265,8 @@ void    cleanup_milter_receive(CLEANUP_STATE *state, int count)
 
 /* cleanup_milter_apply - apply Milter reponse, non-zero if rejecting */
 
-static const char *cleanup_milter_apply(CLEANUP_STATE *state, const char *resp)
+static const char *cleanup_milter_apply(CLEANUP_STATE *state, const char *event,
+					        const char *resp)
 {
     const char *myname = "cleanup_milter_apply";
     const char *action;
@@ -1057,6 +1276,13 @@ static const char *cleanup_milter_apply(CLEANUP_STATE *state, const char *resp)
 
     if (msg_verbose)
 	msg_info("%s: %s", myname, resp);
+
+    /*
+     * We don't report errors that were already reported by the content
+     * editing call-back routines. See cleanup_milter_error() above.
+     */
+    if (CLEANUP_OUT_OK(state) == 0)
+	return (0);
     switch (resp[0]) {
     case 'H':
 	/* XXX Should log the reason here. */
@@ -1112,7 +1338,9 @@ static const char *cleanup_milter_apply(CLEANUP_STATE *state, const char *resp)
     default:
 	msg_panic("%s: unexpected mail filter reply: %s", myname, resp);
     }
-    vstring_sprintf(state->temp1, "%s: %s;", state->queue_id, action);
+    vstring_sprintf(state->temp1, "%s: %s: %s from %s[%s]: %s;",
+		    state->queue_id, action, event, state->client_name,
+		    state->client_addr, text);
     if (state->sender)
 	vstring_sprintf_append(state->temp1, " from=<%s>", state->sender);
     if (state->recip)
@@ -1121,7 +1349,6 @@ static const char *cleanup_milter_apply(CLEANUP_STATE *state, const char *resp)
 	vstring_sprintf_append(state->temp1, " proto=%s", attr);
     if ((attr = nvtable_find(state->attr, MAIL_ATTR_LOG_HELO_NAME)) != 0)
 	vstring_sprintf_append(state->temp1, " helo=<%s>", attr);
-    vstring_sprintf_append(state->temp1, ": %s", text);
     msg_info("%s", vstring_str(state->temp1));
 
     return (ret);
@@ -1143,7 +1370,7 @@ void    cleanup_milter_inspect(CLEANUP_STATE *state, MILTERS *milters)
      */
     if ((resp = milter_message(milters, state->handle->stream,
 			       state->data_offset)) != 0)
-	cleanup_milter_apply(state, resp);
+	cleanup_milter_apply(state, "END-OF-MESSAGE", resp);
     if (msg_verbose)
 	msg_info("leave %s", myname);
 }
@@ -1155,8 +1382,6 @@ void    cleanup_milter_emul_mail(CLEANUP_STATE *state,
 				         const char *addr)
 {
     const char *resp;
-    const char *client_name;
-    const char *client_addr;
     const char *proto_attr;
     const char *client_port;
     int     client_af;
@@ -1179,14 +1404,15 @@ void    cleanup_milter_emul_mail(CLEANUP_STATE *state,
      */
 #define NO_CLIENT_PORT	"0"
 
-    client_name = nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_NAME);
-    client_addr = nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_ADDR);
+    state->client_name = nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_NAME);
+    state->client_addr = nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_ADDR);
+
     client_port = nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_PORT);
     proto_attr = nvtable_find(state->attr, MAIL_ATTR_ACT_CLIENT_AF);
-    if (client_name == 0 || client_addr == 0 || proto_attr == 0
+    if (state->client_name == 0 || state->client_addr == 0 || proto_attr == 0
 	|| !alldig(proto_attr)) {
-	client_name = "localhost";
-	client_addr = "127.0.0.1";
+	state->client_name = "localhost";
+	state->client_addr = "127.0.0.1";
 	client_af = AF_INET;
     } else
 	client_af = atoi(proto_attr);
@@ -1196,18 +1422,18 @@ void    cleanup_milter_emul_mail(CLEANUP_STATE *state,
     /*
      * Emulate SMTP events.
      */
-    if ((resp = milter_conn_event(milters, client_name, client_addr,
+    if ((resp = milter_conn_event(milters, state->client_name, state->client_addr,
 				  client_port, client_af)) != 0) {
-	cleanup_milter_apply(state, resp);
+	cleanup_milter_apply(state, "CONNECT", resp);
 	return;
     }
 #define PRETEND_ESMTP	1
 
     if (CLEANUP_MILTER_OK(state)) {
 	if ((helo = nvtable_find(state->attr, MAIL_ATTR_ACT_HELO_NAME)) == 0)
-	    helo = client_name;
+	    helo = state->client_name;
 	if ((resp = milter_helo_event(milters, helo, PRETEND_ESMTP)) != 0) {
-	    cleanup_milter_apply(state, resp);
+	    cleanup_milter_apply(state, "EHLO", resp);
 	    return;
 	}
     }
@@ -1215,7 +1441,7 @@ void    cleanup_milter_emul_mail(CLEANUP_STATE *state,
 	argv[0] = addr;
 	argv[1] = 0;
 	if ((resp = milter_mail_event(milters, argv)) != 0) {
-	    cleanup_milter_apply(state, resp);
+	    cleanup_milter_apply(state, "MAIL", resp);
 	    return;
 	}
     }
@@ -1238,7 +1464,7 @@ void    cleanup_milter_emul_rcpt(CLEANUP_STATE *state,
     argv[0] = addr;
     argv[1] = 0;
     if ((resp = milter_rcpt_event(milters, argv)) != 0
-	&& cleanup_milter_apply(state, resp) != 0) {
+	&& cleanup_milter_apply(state, "RCPT", resp) != 0) {
 	msg_warn("%s: milter configuration error: can't reject recipient "
 		 "in non-smtpd(8) submission", state->queue_id);
 	msg_warn("%s: deferring delivery of this message", state->queue_id);
@@ -1256,13 +1482,14 @@ void    cleanup_milter_emul_data(CLEANUP_STATE *state, MILTERS *milters)
     const char *resp;
 
     if ((resp = milter_data_event(milters)) != 0)
-	cleanup_milter_apply(state, resp);
+	cleanup_milter_apply(state, "DATA", resp);
 }
 
 #ifdef TEST
 
  /*
-  * Queue file editing driver for regression tests.
+  * Queue file editing driver for regression tests. In this case it is OK to
+  * report fatal errors after I/O errors.
   */
 #include <stdio.h>
 #include <msg_vstream.h>
diff --git a/postfix/src/cleanup/cleanup_state.c b/postfix/src/cleanup/cleanup_state.c
index 495ece4b3..fae7fdd58 100644
--- a/postfix/src/cleanup/cleanup_state.c
+++ b/postfix/src/cleanup/cleanup_state.c
@@ -108,6 +108,8 @@ CLEANUP_STATE *cleanup_state_alloc(VSTREAM *src)
     state->dsn_orcpt = 0;
     state->verp_delims = 0;
     state->milters = 0;
+    state->client_name = 0;
+    state->client_addr = 0;
     return (state);
 }
 
diff --git a/postfix/src/global/Makefile.in b/postfix/src/global/Makefile.in
index 21ec0d22d..ab9162360 100644
--- a/postfix/src/global/Makefile.in
+++ b/postfix/src/global/Makefile.in
@@ -1,88 +1,85 @@
 SHELL	= /bin/sh
 SRCS	= abounce.c anvil_clnt.c been_here.c bounce.c bounce_log.c \
 	canon_addr.c cfg_parser.c cleanup_strerror.c cleanup_strflags.c \
-	clnt_stream.c debug_peer.c debug_process.c defer.c db_common.c \
-	deliver_completed.c deliver_flock.c deliver_pass.c deliver_request.c \
-	dict_ldap.c dict_mysql.c dict_pgsql.c dict_proxy.c domain_list.c \
-	dot_lockfile.c dot_lockfile_as.c ext_prop.c file_id.c flush_clnt.c \
-	header_opts.c header_token.c input_transp.c \
-	is_header.c log_adhoc.c mail_addr.c mail_addr_crunch.c \
-	mail_addr_find.c mail_addr_map.c mail_command_client.c \
-	mail_command_server.c mail_conf.c mail_conf_bool.c mail_conf_int.c \
-	mail_conf_raw.c mail_conf_str.c mail_conf_time.c mail_connect.c \
-	mail_copy.c mail_date.c mail_dict.c mail_error.c mail_flush.c \
-	mail_open_ok.c mail_params.c mail_pathname.c mail_queue.c \
-	mail_run.c mail_scan_dir.c mail_stream.c mail_task.c mail_trigger.c \
-	maps.c mark_corrupt.c match_parent_style.c mbox_conf.c \
-	mbox_open.c mime_state.c mkmap_db.c mkmap_dbm.c mkmap_open.c \
-	mynetworks.c mypwd.c namadr_list.c off_cvt.c opened.c \
-	own_inet_addr.c pipe_command.c post_mail.c quote_821_local.c \
-	quote_822_local.c rec_streamlf.c rec_type.c recipient_list.c \
-	record.c remove.c resolve_clnt.c resolve_local.c rewrite_clnt.c \
+	clnt_stream.c conv_time.c db_common.c debug_peer.c debug_process.c \
+	defer.c deliver_completed.c deliver_flock.c deliver_pass.c \
+	deliver_request.c dict_ldap.c dict_mysql.c dict_pgsql.c \
+	dict_proxy.c domain_list.c dot_lockfile.c dot_lockfile_as.c \
+	dsb_scan.c dsn.c dsn_buf.c dsn_mask.c dsn_print.c dsn_util.c \
+	ehlo_mask.c ext_prop.c file_id.c flush_clnt.c header_opts.c \
+	header_token.c input_transp.c int_filt.c is_header.c log_adhoc.c \
+	mail_addr.c mail_addr_crunch.c mail_addr_find.c mail_addr_map.c \
+	mail_command_client.c mail_command_server.c mail_conf.c \
+	mail_conf_bool.c mail_conf_int.c mail_conf_long.c mail_conf_raw.c \
+	mail_conf_str.c mail_conf_time.c mail_connect.c mail_copy.c \
+	mail_date.c mail_dict.c mail_error.c mail_flush.c mail_open_ok.c \
+	mail_params.c mail_pathname.c mail_queue.c mail_run.c \
+	mail_scan_dir.c mail_stream.c mail_task.c mail_trigger.c maps.c \
+	mark_corrupt.c match_parent_style.c mbox_conf.c mbox_open.c \
+	mime_state.c mkmap_cdb.c mkmap_db.c mkmap_dbm.c mkmap_open.c \
+	mkmap_sdbm.c msg_stats_print.c msg_stats_scan.c mynetworks.c \
+	mypwd.c namadr_list.c off_cvt.c opened.c own_inet_addr.c \
+	pipe_command.c post_mail.c quote_821_local.c quote_822_local.c \
+	rcpt_buf.c rcpt_print.c rec_attr_map.c rec_streamlf.c rec_type.c \
+	recipient_list.c record.c remove.c resolve_clnt.c resolve_local.c \
+	rewrite_clnt.c scache_clnt.c scache_multi.c scache_single.c \
 	sent.c smtp_stream.c split_addr.c string_list.c strip_addr.c \
 	sys_exits.c timed_ipc.c tok822_find.c tok822_node.c tok822_parse.c \
-	tok822_resolve.c tok822_rewrite.c tok822_tree.c trace.c verify.c \
-	verify_clnt.c verp_sender.c xtext.c scache_single.c \
-	scache_clnt.c scache_multi.c user_acl.c mkmap_cdb.c mkmap_sdbm.c \
-	ehlo_mask.c \
-	wildcard_inet_addr.c valid_mailhost_addr.c dsn_util.c dsn_mask.c \
-	rec_attr_map.c dsn.c dsn_buf.c rcpt_buf.c rcpt_print.c dsn_print.c \
-	dsb_scan.c mail_conf_long.c msg_stats_print.c msg_stats_scan.c \
-	conv_time.c
+	tok822_resolve.c tok822_rewrite.c tok822_tree.c trace.c \
+	user_acl.c valid_mailhost_addr.c verify.c verify_clnt.c \
+	verp_sender.c wildcard_inet_addr.c xtext.c
 OBJS	= abounce.o anvil_clnt.o been_here.o bounce.o bounce_log.o \
 	canon_addr.o cfg_parser.o cleanup_strerror.o cleanup_strflags.o \
-	clnt_stream.o debug_peer.o debug_process.o defer.o db_common.o \
-	deliver_completed.o deliver_flock.o deliver_pass.o deliver_request.o \
-	dict_ldap.o dict_mysql.o dict_pgsql.o dict_proxy.o domain_list.o \
-	dot_lockfile.o dot_lockfile_as.o ext_prop.o file_id.o flush_clnt.o \
-	header_opts.o header_token.o input_transp.o \
-	is_header.o log_adhoc.o mail_addr.o mail_addr_crunch.o \
-	mail_addr_find.o mail_addr_map.o mail_command_client.o \
-	mail_command_server.o mail_conf.o mail_conf_bool.o mail_conf_int.o \
-	mail_conf_raw.o mail_conf_str.o mail_conf_time.o mail_connect.o \
-	mail_copy.o mail_date.o mail_dict.o mail_error.o mail_flush.o \
-	mail_open_ok.o mail_params.o mail_pathname.o mail_queue.o \
-	mail_run.o mail_scan_dir.o mail_stream.o mail_task.o mail_trigger.o \
-	maps.o mark_corrupt.o match_parent_style.o mbox_conf.o \
-	mbox_open.o mime_state.o mkmap_db.o mkmap_dbm.o mkmap_open.o \
-	mynetworks.o mypwd.o namadr_list.o off_cvt.o opened.o \
-	own_inet_addr.o pipe_command.o post_mail.o quote_821_local.o \
-	quote_822_local.o rec_streamlf.o rec_type.o recipient_list.o \
-	record.o remove.o resolve_clnt.o resolve_local.o rewrite_clnt.o \
+	clnt_stream.o conv_time.o db_common.o debug_peer.o debug_process.o \
+	defer.o deliver_completed.o deliver_flock.o deliver_pass.o \
+	deliver_request.o dict_ldap.o dict_mysql.o dict_pgsql.o \
+	dict_proxy.o domain_list.o dot_lockfile.o dot_lockfile_as.o \
+	dsb_scan.o dsn.o dsn_buf.o dsn_mask.o dsn_print.o dsn_util.o \
+	ehlo_mask.o ext_prop.o file_id.o flush_clnt.o header_opts.o \
+	header_token.o input_transp.o int_filt.o is_header.o log_adhoc.o \
+	mail_addr.o mail_addr_crunch.o mail_addr_find.o mail_addr_map.o \
+	mail_command_client.o mail_command_server.o mail_conf.o \
+	mail_conf_bool.o mail_conf_int.o mail_conf_long.o mail_conf_raw.o \
+	mail_conf_str.o mail_conf_time.o mail_connect.o mail_copy.o \
+	mail_date.o mail_dict.o mail_error.o mail_flush.o mail_open_ok.o \
+	mail_params.o mail_pathname.o mail_queue.o mail_run.o \
+	mail_scan_dir.o mail_stream.o mail_task.o mail_trigger.o maps.o \
+	mark_corrupt.o match_parent_style.o mbox_conf.o mbox_open.o \
+	mime_state.o mkmap_cdb.o mkmap_db.o mkmap_dbm.o mkmap_open.o \
+	mkmap_sdbm.o msg_stats_print.o msg_stats_scan.o mynetworks.o \
+	mypwd.o namadr_list.o off_cvt.o opened.o own_inet_addr.o \
+	pipe_command.o post_mail.o quote_821_local.o quote_822_local.o \
+	rcpt_buf.o rcpt_print.o rec_attr_map.o rec_streamlf.o rec_type.o \
+	recipient_list.o record.o remove.o resolve_clnt.o resolve_local.o \
+	rewrite_clnt.o scache_clnt.o scache_multi.o scache_single.o \
 	sent.o smtp_stream.o split_addr.o string_list.o strip_addr.o \
 	sys_exits.o timed_ipc.o tok822_find.o tok822_node.o tok822_parse.o \
-	tok822_resolve.o tok822_rewrite.o tok822_tree.o trace.o verify.o \
-	verify_clnt.o verp_sender.o xtext.o scache_single.o \
-	scache_clnt.o scache_multi.o user_acl.o mkmap_cdb.o mkmap_sdbm.o \
-	ehlo_mask.o \
-	wildcard_inet_addr.o valid_mailhost_addr.o dsn_util.o dsn_mask.o \
-	rec_attr_map.o dsn.o dsn_buf.o rcpt_buf.o rcpt_print.o dsn_print.o \
-	dsb_scan.o mail_conf_long.o msg_stats_print.o msg_stats_scan.o \
-	conv_time.o
+	tok822_resolve.o tok822_rewrite.o tok822_tree.o trace.o \
+	user_acl.o valid_mailhost_addr.o verify.o verify_clnt.o \
+	verp_sender.o wildcard_inet_addr.o xtext.o
 HDRS	= abounce.h anvil_clnt.h been_here.h bounce.h bounce_log.h \
 	canon_addr.h cfg_parser.h cleanup_user.h clnt_stream.h config.h \
-	debug_peer.h debug_process.h defer.h deliver_completed.h \
-	deliver_flock.h deliver_pass.h deliver_request.h dict_ldap.h \
-	dict_mysql.h dict_pgsql.h dict_proxy.h domain_list.h dot_lockfile.h \
-	dot_lockfile_as.h ext_prop.h file_id.h flush_clnt.h header_opts.h \
-	header_token.h input_transp.h is_header.h \
-	lex_822.h log_adhoc.h mail_addr.h mail_addr_crunch.h \
-	mail_addr_find.h mail_addr_map.h mail_conf.h mail_copy.h \
-	mail_date.h mail_dict.h mail_error.h mail_flush.h mail_open_ok.h \
-	mail_params.h mail_proto.h mail_queue.h mail_run.h mail_scan_dir.h \
-	mail_stream.h mail_task.h mail_version.h maps.h mark_corrupt.h \
-	match_parent_style.h mbox_conf.h mbox_open.h mime_state.h \
-	mkmap.h mynetworks.h mypwd.h namadr_list.h off_cvt.h opened.h \
-	own_inet_addr.h pipe_command.h post_mail.h qmgr_user.h \
-	qmqp_proto.h quote_821_local.h quote_822_local.h quote_flags.h \
-	rec_streamlf.h rec_type.h recipient_list.h record.h resolve_clnt.h \
-	resolve_local.h rewrite_clnt.h sent.h smtp_stream.h split_addr.h \
+	conv_time.h db_common.h debug_peer.h debug_process.h defer.h \
+	deliver_completed.h deliver_flock.h deliver_pass.h deliver_request.h \
+	dict_ldap.h dict_mysql.h dict_pgsql.h dict_proxy.h domain_list.h \
+	dot_lockfile.h dot_lockfile_as.h dsb_scan.h dsn.h dsn_buf.h \
+	dsn_mask.h dsn_print.h dsn_util.h ehlo_mask.h ext_prop.h \
+	file_id.h flush_clnt.h header_opts.h header_token.h input_transp.h \
+	int_filt.h is_header.h lex_822.h log_adhoc.h mail_addr.h \
+	mail_addr_crunch.h mail_addr_find.h mail_addr_map.h mail_conf.h \
+	mail_copy.h mail_date.h mail_dict.h mail_error.h mail_flush.h \
+	mail_open_ok.h mail_params.h mail_proto.h mail_queue.h mail_run.h \
+	mail_scan_dir.h mail_stream.h mail_task.h mail_version.h maps.h \
+	mark_corrupt.h match_parent_style.h mbox_conf.h mbox_open.h \
+	mime_state.h mkmap.h msg_stats.h mynetworks.h mypwd.h namadr_list.h \
+	off_cvt.h opened.h own_inet_addr.h pipe_command.h post_mail.h \
+	qmgr_user.h qmqp_proto.h quote_821_local.h quote_822_local.h \
+	quote_flags.h rcpt_buf.h rcpt_print.h rec_attr_map.h rec_streamlf.h \
+	rec_type.h recipient_list.h record.h resolve_clnt.h resolve_local.h \
+	rewrite_clnt.h scache.h sent.h smtp_stream.h split_addr.h \
 	string_list.h strip_addr.h sys_exits.h timed_ipc.h tok822.h \
-	trace.h verify.h verify_clnt.h verp_sender.h \
-	xtext.h scache.h user_acl.h ehlo_mask.h db_common.h \
-	wildcard_inet_addr.h valid_mailhost_addr.h dsn_util.h dsn_mask.h \
-	rec_attr_map.h dsn.h dsn_buf.h rcpt_buf.h rcpt_print.h dsn_print.h \
-	dsb_scan.h msg_stats.h conv_time.h
+	trace.h user_acl.h valid_mailhost_addr.h verify.h verify_clnt.h \
+	verp_sender.h wildcard_inet_addr.h xtext.h
 TESTSRC	= rec2stream.c stream2rec.c recdump.c
 DEFS	= -I. -I$(INC_DIR) -D$(SYSTYPE)
 CFLAGS	= $(DEBUG) $(OPT) $(DEFS)
@@ -871,6 +868,13 @@ input_transp.o: cleanup_user.h
 input_transp.o: input_transp.c
 input_transp.o: input_transp.h
 input_transp.o: mail_params.h
+int_filt.o: ../../include/name_mask.h
+int_filt.o: ../../include/sys_defs.h
+int_filt.o: ../../include/vbuf.h
+int_filt.o: ../../include/vstring.h
+int_filt.o: int_filt.c
+int_filt.o: int_filt.h
+int_filt.o: mail_params.h
 is_header.o: ../../include/sys_defs.h
 is_header.o: is_header.c
 is_header.o: is_header.h
diff --git a/postfix/src/global/ext_prop.c b/postfix/src/global/ext_prop.c
index c6860cf2b..9ae7cc493 100644
--- a/postfix/src/global/ext_prop.c
+++ b/postfix/src/global/ext_prop.c
@@ -1,16 +1,16 @@
 /*++
 /* NAME
-/*	exp_prop 3
+/*	ext_prop 3
 /* SUMMARY
 /*	address extension propagation control
 /* SYNOPSIS
-/*	#include <exp_prop.h>
+/*	#include <ext_prop.h>
 /*
 /*	int	ext_prop_mask(param_name, pattern)
 /*	const char *param_name;
 /*	const char *pattern;
 /* DESCRIPTION
-/*	This module controld address extension propagation.
+/*	This module controls address extension propagation.
 /*
 /*	ext_prop_mask() takes a comma-separated list of names and
 /*	computes the corresponding mask. The following names are
diff --git a/postfix/src/global/input_transp.h b/postfix/src/global/input_transp.h
index 74f5a4124..c98c83680 100644
--- a/postfix/src/global/input_transp.h
+++ b/postfix/src/global/input_transp.h
@@ -1,13 +1,13 @@
-#ifndef _EXT_PROP_INCLUDED_
-#define _EXT_PROP_INCLUDED_
+#ifndef _INPUT_TRANSP_INCLUDED_
+#define _INPUT_TRANSP_INCLUDED_
 
 /*++
 /* NAME
-/*	ext_prop 3h
+/*	input_transp 3h
 /* SUMMARY
-/*	address extension propagation control
+/*	receive transparency control
 /* SYNOPSIS
-/*	#include <ext_prop.h>
+/*	#include <input_transp.h>
 /* DESCRIPTION
 /* .nf
 
diff --git a/postfix/src/global/int_filt.c b/postfix/src/global/int_filt.c
new file mode 100644
index 000000000..1071b10d6
--- /dev/null
+++ b/postfix/src/global/int_filt.c
@@ -0,0 +1,73 @@
+/*++
+/* NAME
+/*	int_filt 3
+/* SUMMARY
+/*	internal mail filter control
+/* SYNOPSIS
+/*	#include <int_filt.h>
+/*
+/*	int	int_filt_flags(class)
+/*	int	class;
+/* DESCRIPTION
+/*	int_filt_flags() determines the appropriate mail filtering
+/*	flags for the cleanup server, depending on the setting of
+/*	the internal_mail_filter_classes configuration parameter.
+/*
+/*	Specify one of the following:
+/* .IP INT_FILT_NONE
+/*	Mail that must be excluded from inspection (address probes, etc.).
+/* .IP INT_FILT_NOTIFY
+/*	Postmaster notifications from the smtpd(8) and smtp(8)
+/*	protocol adapters.
+/* .IP INT_FILT_BOUNCE
+/*	Delivery status notifications from the bounce(8) server.
+/* DIAGNOSTICS
+/*	Fatal: invalid mail category name.
+/* LICENSE
+/* .ad
+/* .fi
+/*	The Secure Mailer license must be distributed with this software.
+/* AUTHOR(S)
+/*	Wietse Venema
+/*	IBM T.J. Watson Research
+/*	P.O. Box 704
+/*	Yorktown Heights, NY 10598, USA
+/*--*/
+
+/* System library. */
+
+#include <sys_defs.h>
+
+/* Utility library. */
+
+#include <name_mask.h>
+#include <msg.h>
+
+/* Global library. */
+
+#include <mail_params.h>
+#include <cleanup_user.h>
+#include <int_filt.h>
+
+/* int_filt_flags - map mail class to submission flags */
+
+int     int_filt_flags(int class)
+{
+    static NAME_MASK table[] = {
+	"notify", INT_FILT_NOTIFY,
+	"bounce", INT_FILT_BOUNCE,
+	0,
+    };
+    int     filtered_classes = 0;
+
+    if (class && *var_int_filt_classes) {
+	filtered_classes =
+	    name_mask(VAR_INT_FILT_CLASSES, table, var_int_filt_classes);
+	if (filtered_classes == 0)
+	    msg_warn("%s: bad input: %s", VAR_INT_FILT_CLASSES,
+		     var_int_filt_classes);
+	if (filtered_classes & class)
+	    return (CLEANUP_FLAG_FILTER | CLEANUP_FLAG_MILTER);
+    }
+    return (0);
+}
diff --git a/postfix/src/global/int_filt.h b/postfix/src/global/int_filt.h
new file mode 100644
index 000000000..932fe3c3b
--- /dev/null
+++ b/postfix/src/global/int_filt.h
@@ -0,0 +1,34 @@
+#ifndef _INT_FILT_INCLUDED_
+#define _INT_FILT_INCLUDED_
+
+/*++
+/* NAME
+/*	int_filt 3h
+/* SUMMARY
+/*	internal mail classification
+/* SYNOPSIS
+/*	#include <int_filt.h>
+/* DESCRIPTION
+/* .nf
+
+ /*
+  * External interface.
+  */
+#define INT_FILT_NONE		(0)
+#define INT_FILT_NOTIFY		(1<<1)
+#define INT_FILT_BOUNCE		(1<<2)
+
+extern int int_filt_flags(int);
+
+/* LICENSE
+/* .ad
+/* .fi
+/*	The Secure Mailer license must be distributed with this software.
+/* AUTHOR(S)
+/*	Wietse Venema
+/*	IBM T.J. Watson Research
+/*	P.O. Box 704
+/*	Yorktown Heights, NY 10598, USA
+/*--*/
+
+#endif
diff --git a/postfix/src/global/is_header.c b/postfix/src/global/is_header.c
index 1bf93a4c6..891e1372e 100644
--- a/postfix/src/global/is_header.c
+++ b/postfix/src/global/is_header.c
@@ -87,5 +87,6 @@ ssize_t is_header_buf(const char *str, ssize_t str_len)
 	    return ((state == IN_CHAR || state == IN_CHAR_SPACE) ? len : 0);
 	}
     }
+    /* Redundant return for future proofing. */
     return (0);
 }
diff --git a/postfix/src/global/log_adhoc.c b/postfix/src/global/log_adhoc.c
index b32c1bf12..43b3f01fd 100644
--- a/postfix/src/global/log_adhoc.c
+++ b/postfix/src/global/log_adhoc.c
@@ -133,15 +133,22 @@ void    log_adhoc(const char *id, MSG_STATS *stats, RECIPIENT *recipient,
      * 
      * Don't compute the sdelay (connection setup latency) if there is no time
      * stamp for connection setup completion.
+     * 
+     * XXX Apparently, Solaris gettimeofday() can return out-of-range
+     * microsecond values.
      */
 #define DELTA(x, y, z) \
     do { \
 	(x).dt_sec = (y).tv_sec - (z).tv_sec; \
 	(x).dt_usec = (y).tv_usec - (z).tv_usec; \
-	if ((x).dt_usec < 0) { \
+	while ((x).dt_usec < 0) { \
 	    (x).dt_usec += 1000000; \
 	    (x).dt_sec -= 1; \
 	} \
+	while ((x).dt_usec >= 1000000) { \
+	    (x).dt_usec -= 1000000; \
+	    (x).dt_sec += 1; \
+	} \
 	if ((x).dt_sec < 0) \
 	    (x).dt_sec = (x).dt_usec = 0; \
     } while (0)
diff --git a/postfix/src/global/mail_params.c b/postfix/src/global/mail_params.c
index 047045353..85fadf3e9 100644
--- a/postfix/src/global/mail_params.c
+++ b/postfix/src/global/mail_params.c
@@ -105,6 +105,7 @@
 /*	int     var_verify_neg_cache;
 /*	int	var_oldlog_compat;
 /*	int	var_delay_max_res;
+/*	char	*var_int_filt_classes;
 /*
 /*	void	mail_params_init()
 /*
@@ -273,6 +274,7 @@ int     var_strict_encoding;
 int     var_verify_neg_cache;
 int     var_oldlog_compat;
 int     var_delay_max_res;
+char   *var_int_filt_classes;
 
 const char null_format_string[1] = "";
 
@@ -488,6 +490,7 @@ void    mail_params_init()
 	VAR_FLUSH_SERVICE, DEF_FLUSH_SERVICE, &var_flush_service, 1, 0,
 	VAR_VERIFY_SERVICE, DEF_VERIFY_SERVICE, &var_verify_service, 1, 0,
 	VAR_TRACE_SERVICE, DEF_TRACE_SERVICE, &var_trace_service, 1, 0,
+	VAR_INT_FILT_CLASSES, DEF_INT_FILT_CLASSES, &var_int_filt_classes, 0, 0,
 	0,
     };
     static CONFIG_STR_FN_TABLE function_str_defaults_2[] = {
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index 443fe52e9..5ab4dbf55 100644
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@@ -1091,6 +1091,10 @@ extern char *var_smtpd_forbid_cmds;
 #define DEF_SMTPD_TLS_WRAPPER	0
 extern bool var_smtpd_tls_wrappermode;
 
+#define VAR_SMTPD_TLS_LEVEL	"smtpd_tls_security_level"
+#define DEF_SMTPD_TLS_LEVEL	""
+extern char *var_smtpd_tls_level;
+
 #define VAR_SMTPD_USE_TLS	"smtpd_use_tls"
 #define DEF_SMTPD_USE_TLS	0
 extern bool var_smtpd_use_tls;
@@ -1139,18 +1143,22 @@ extern char *var_smtpd_tls_CAfile;
 #define DEF_SMTPD_TLS_CA_PATH	""
 extern char *var_smtpd_tls_CApath;
 
-#define VAR_SMTPD_TLS_PROTO	"smtpd_tls_protocols"
-#define DEF_SMTPD_TLS_PROTO	""
-extern char *var_smtpd_tls_protocols;
+#define VAR_SMTPD_TLS_MAND_PROTO	"smtpd_tls_mandatory_protocols"
+#define DEF_SMTPD_TLS_MAND_PROTO	"SSLv3, TLSv1"
+extern char *var_smtpd_tls_mand_proto;
 
-#define VAR_SMTPD_TLS_CIPHERS	"smtpd_tls_ciphers"
-#define DEF_SMTPD_TLS_CIPHERS	"export"
-extern char *var_smtpd_tls_ciphers;
+#define VAR_SMTPD_TLS_MAND_CIPH	"smtpd_tls_mandatory_ciphers"
+#define DEF_SMTPD_TLS_MAND_CIPH	"medium"
+extern char *var_smtpd_tls_mand_ciph;
 
 #define VAR_SMTPD_TLS_EXCL_CIPH  "smtpd_tls_exclude_ciphers"
 #define DEF_SMTPD_TLS_EXCL_CIPH  ""
 extern char *var_smtpd_tls_excl_ciph;
 
+#define VAR_SMTPD_TLS_MAND_EXCL  "smtpd_tls_mandatory_exclude_ciphers"
+#define DEF_SMTPD_TLS_MAND_EXCL  ""
+extern char *var_smtpd_tls_mand_excl;
+
 #define VAR_SMTPD_TLS_512_FILE	"smtpd_tls_dh512_param_file"
 #define DEF_SMTPD_TLS_512_FILE	""
 extern char *var_smtpd_tls_dh512_param_file;
@@ -1251,11 +1259,11 @@ extern char *var_smtp_tls_CAfile;
 #define DEF_LMTP_TLS_CA_PATH	""
 extern char *var_smtp_tls_CApath;
 
-#define VAR_SMTP_TLS_CIPHERS	"smtp_tls_mandatory_ciphers"
-#define DEF_SMTP_TLS_CIPHERS	"medium"
-#define VAR_LMTP_TLS_CIPHERS	"lmtp_tls_mandatory_ciphers"
-#define DEF_LMTP_TLS_CIPHERS	"medium"
-extern char *var_smtp_tls_ciphers;
+#define VAR_SMTP_TLS_MAND_CIPH	"smtp_tls_mandatory_ciphers"
+#define DEF_SMTP_TLS_MAND_CIPH	"medium"
+#define VAR_LMTP_TLS_MAND_CIPH	"lmtp_tls_mandatory_ciphers"
+#define DEF_LMTP_TLS_MAND_CIPH	"medium"
+extern char *var_smtp_tls_mand_ciph;
 
 #define VAR_SMTP_TLS_EXCL_CIPH  "smtp_tls_exclude_ciphers"
 #define DEF_SMTP_TLS_EXCL_CIPH  ""
@@ -1302,11 +1310,11 @@ extern int var_lmtp_tls_scache_timeout;
 #define DEF_LMTP_TLS_POLICY	""
 extern char *var_smtp_tls_policy;
 
-#define VAR_SMTP_TLS_PROTO	"smtp_tls_mandatory_protocols"
-#define DEF_SMTP_TLS_PROTO	"SSLv3, TLSv1"
-#define VAR_LMTP_TLS_PROTO	"lmtp_tls_mandatory_protocols"
-#define DEF_LMTP_TLS_PROTO	"SSLv3, TLSv1"
-extern char *var_smtp_tls_protocols;
+#define VAR_SMTP_TLS_MAND_PROTO	"smtp_tls_mandatory_protocols"
+#define DEF_SMTP_TLS_MAND_PROTO	"SSLv3, TLSv1"
+#define VAR_LMTP_TLS_MAND_PROTO	"lmtp_tls_mandatory_protocols"
+#define DEF_LMTP_TLS_MAND_PROTO	"SSLv3, TLSv1"
+extern char *var_smtp_tls_mand_proto;
 
 #define VAR_SMTP_TLS_VFY_CMATCH	"smtp_tls_verify_cert_match"
 #define DEF_SMTP_TLS_VFY_CMATCH	"hostname"
@@ -1384,6 +1392,10 @@ extern bool var_smtp_sasl_enable;
 #define DEF_SMTP_SASL_PASSWD	""
 extern char *var_smtp_sasl_passwd;
 
+#define VAR_SMTP_SASL_ENFORCE	"smtp_sasl_auth_enforce"
+#define DEF_SMTP_SASL_ENFORCE	1
+extern bool var_smtp_sasl_enforce;
+
 #define VAR_SMTP_SASL_OPTS	"smtp_sasl_security_options"
 #define DEF_SMTP_SASL_OPTS	"noplaintext, noanonymous"
 extern char *var_smtp_sasl_opts;
@@ -1414,15 +1426,12 @@ extern char *var_smtp_sasl_type;
 #define DEF_LMTP_SASL_TLS_OPTS	"$" VAR_LMTP_SASL_OPTS
 extern char *var_smtp_sasl_tls_opts;
 
-#ifdef SNAPSHOT				/* XXX: Not yet */
 #define VAR_SMTP_SASL_TLSV_OPTS	"smtp_sasl_tls_verified_security_options"
 #define DEF_SMTP_SASL_TLSV_OPTS	"$" VAR_SMTP_SASL_TLS_OPTS
 #define VAR_LMTP_SASL_TLSV_OPTS	"lmtp_sasl_tls_verified_security_options"
 #define DEF_LMTP_SASL_TLSV_OPTS	"$" VAR_LMTP_SASL_TLS_OPTS
 extern char *var_smtp_sasl_tlsv_opts;
 
-#endif
-
  /*
   * LMTP server. The soft error limit determines how many errors an LMTP
   * client may make before we start to slow down; the hard error limit
@@ -1482,6 +1491,9 @@ extern bool var_lmtp_sasl_enable;
 #define DEF_LMTP_SASL_PASSWD	""
 extern char *var_lmtp_sasl_passwd;
 
+#define VAR_LMTP_SASL_ENFORCE	"lmtp_sasl_auth_enforce"
+#define DEF_LMTP_SASL_ENFORCE	1
+
 #define VAR_LMTP_SASL_OPTS	"lmtp_sasl_security_options"
 #define DEF_LMTP_SASL_OPTS	"noplaintext, noanonymous"
 extern char *var_lmtp_sasl_opts;
@@ -2731,6 +2743,14 @@ extern char *var_milt_daemon_name;
 #define DEF_MILT_V			"$" VAR_MAIL_NAME " $" VAR_MAIL_VERSION
 extern char *var_milt_v;
 
+ /*
+  * What internal mail do we inspect/stamp/etc.? This is not yet safe enough
+  * to enable world-wide.
+  */
+#define VAR_INT_FILT_CLASSES		"internal_mail_filter_classes"
+#define DEF_INT_FILT_CLASSES		""
+extern char *var_int_filt_classes;
+
 /* LICENSE
 /* .ad
 /* .fi
diff --git a/postfix/src/global/mail_proto.h b/postfix/src/global/mail_proto.h
index 5ca8c8cb1..de83b6cc6 100644
--- a/postfix/src/global/mail_proto.h
+++ b/postfix/src/global/mail_proto.h
@@ -135,7 +135,7 @@ extern char *mail_pathname(const char *, const char *);
 #define MAIL_ATTR_LABEL		"label"
 #define MAIL_ATTR_PROP		"property"
 #define MAIL_ATTR_CCERT_SUBJECT	"ccert_subject"
-#define MAIL_ATTR_CCERT_ISSSUER	"ccert_issuer"
+#define MAIL_ATTR_CCERT_ISSUER	"ccert_issuer"
 #define MAIL_ATTR_CCERT_FINGERPRINT "ccert_fingerprint"
 #define MAIL_ATTR_CRYPTO_PROTOCOL "encryption_protocol"
 #define MAIL_ATTR_CRYPTO_CIPHER	"encryption_cipher"
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 219859fb9..99c4bfc5a 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,20 +20,18 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20060629"
-#define MAIL_VERSION_NUMBER	"2.3"
+#define MAIL_RELEASE_DATE	"20060711"
+#define MAIL_VERSION_NUMBER	"2.4"
 
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
 #else
-# define MAIL_VERSION_DATE
+# define MAIL_VERSION_DATE	""
 #endif
 
 #ifdef NONPROD
 # define MAIL_VERSION_PROD	"-nonprod"
-#endif
-
-#ifndef MAIL_VERSION_PROD
+#else
 # define MAIL_VERSION_PROD	""
 #endif
 
diff --git a/postfix/src/global/post_mail.c b/postfix/src/global/post_mail.c
index 15618eb1b..56a94654c 100644
--- a/postfix/src/global/post_mail.c
+++ b/postfix/src/global/post_mail.c
@@ -6,28 +6,28 @@
 /* SYNOPSIS
 /*	#include <post_mail.h>
 /*
-/*	VSTREAM	*post_mail_fopen(sender, recipient, cleanup_flags, trace_flags,
+/*	VSTREAM	*post_mail_fopen(sender, recipient, filter_class, trace_flags,
 /*		queue_id)
 /*	const char *sender;
 /*	const char *recipient;
-/*	int	cleanup_flags;
+/*	int	filter_class;
 /*	int	trace_flags;
 /*	VSTRING *queue_id;
 /*
 /*	VSTREAM	*post_mail_fopen_nowait(sender, recipient,
-/*					cleanup_flags, trace_flags, queue_id)
+/*					filter_class, trace_flags, queue_id)
 /*	const char *sender;
 /*	const char *recipient;
-/*	int	cleanup_flags;
+/*	int	filter_class;
 /*	int	trace_flags;
 /*	VSTRING *queue_id;
 /*
 /*	void	post_mail_fopen_async(sender, recipient,
-/*					cleanup_flags, trace_flags,
+/*					filter_class, trace_flags,
 /*					queue_id, notify, context)
 /*	const char *sender;
 /*	const char *recipient;
-/*	int	cleanup_flags;
+/*	int	filter_class;
 /*	int	trace_flags;
 /*	VSTRING *queue_id;
 /*	void	(*notify)(VSTREAM *stream, char *context);
@@ -95,9 +95,11 @@
 /* .IP recipient
 /*	The recipient envelope address. It is up to the application
 /*	to produce To: headers.
-/* .IP cleanup_flags
-/*	The binary OR of zero or more of the options defined in
-/*	\fB<cleanup_user.h>\fR.
+/* .IP filter_class
+/*	The internal mail filtering class, as defined in
+/*	\fB<int_filt.h>\fR.  Depending on the setting of the
+/*	internal_mail_filter_classes parameter the message will or
+/*	won't be subject to content inspection.
 /* .IP trace_flags
 /*	Message tracing flags as specified in \fB<deliver_request.h>\fR.
 /* .IP queue_id
@@ -169,7 +171,7 @@
 typedef struct {
     char   *sender;
     char   *recipient;
-    int     cleanup_flags;
+    int     filter_class;
     int     trace_flags;
     POST_MAIL_NOTIFY notify;
     void   *context;
@@ -181,12 +183,14 @@ typedef struct {
 
 static void post_mail_init(VSTREAM *stream, const char *sender,
 			           const char *recipient,
-			           int cleanup_flags, int trace_flags,
+			           int filter_class, int trace_flags,
 			           VSTRING *queue_id)
 {
     VSTRING *id = queue_id ? queue_id : vstring_alloc(100);
     struct timeval now;
     const char *date;
+    int cleanup_flags =
+	int_filt_flags(filter_class) | CLEANUP_FLAG_MASK_INTERNAL;
 
     GETTIMEOFDAY(&now);
     date = mail_date(now.tv_sec);
@@ -231,13 +235,13 @@ static void post_mail_init(VSTREAM *stream, const char *sender,
 /* post_mail_fopen - prepare for posting a message */
 
 VSTREAM *post_mail_fopen(const char *sender, const char *recipient,
-			         int cleanup_flags, int trace_flags,
+			         int filter_class, int trace_flags,
 			         VSTRING *queue_id)
 {
     VSTREAM *stream;
 
     stream = mail_connect_wait(MAIL_CLASS_PUBLIC, var_cleanup_service);
-    post_mail_init(stream, sender, recipient, cleanup_flags, trace_flags,
+    post_mail_init(stream, sender, recipient, filter_class, trace_flags,
 		   queue_id);
     return (stream);
 }
@@ -245,14 +249,14 @@ VSTREAM *post_mail_fopen(const char *sender, const char *recipient,
 /* post_mail_fopen_nowait - prepare for posting a message */
 
 VSTREAM *post_mail_fopen_nowait(const char *sender, const char *recipient,
-				        int cleanup_flags, int trace_flags,
+				        int filter_class, int trace_flags,
 				        VSTRING *queue_id)
 {
     VSTREAM *stream;
 
     if ((stream = mail_connect(MAIL_CLASS_PUBLIC, var_cleanup_service,
 			       BLOCKING)) != 0)
-	post_mail_init(stream, sender, recipient, cleanup_flags, trace_flags,
+	post_mail_init(stream, sender, recipient, filter_class, trace_flags,
 		       queue_id);
     return (stream);
 }
@@ -292,7 +296,7 @@ static void post_mail_open_event(int event, char *context)
 	event_cancel_timer(post_mail_open_event, context);
 	event_disable_readwrite(vstream_fileno(state->stream));
 	post_mail_init(state->stream, state->sender,
-		       state->recipient, state->cleanup_flags,
+		       state->recipient, state->filter_class,
 		       state->trace_flags, state->queue_id);
 	myfree(state->sender);
 	myfree(state->recipient);
@@ -343,7 +347,7 @@ static void post_mail_open_event(int event, char *context)
 /* post_mail_fopen_async - prepare for posting a message */
 
 void    post_mail_fopen_async(const char *sender, const char *recipient,
-			              int cleanup_flags, int trace_flags,
+			              int filter_class, int trace_flags,
 			              VSTRING *queue_id,
 			              void (*notify) (VSTREAM *, void *),
 			              void *context)
@@ -355,7 +359,7 @@ void    post_mail_fopen_async(const char *sender, const char *recipient,
     state = (POST_MAIL_STATE *) mymalloc(sizeof(*state));
     state->sender = mystrdup(sender);
     state->recipient = mystrdup(recipient);
-    state->cleanup_flags = cleanup_flags;
+    state->filter_class = filter_class;
     state->trace_flags = trace_flags;
     state->notify = notify;
     state->context = context;
diff --git a/postfix/src/global/post_mail.h b/postfix/src/global/post_mail.h
index e55a8d166..b76a2510e 100644
--- a/postfix/src/global/post_mail.h
+++ b/postfix/src/global/post_mail.h
@@ -21,6 +21,7 @@
   * Global library.
   */
 #include <cleanup_user.h>
+#include <int_filt.h>
 
  /*
   * External interface.
diff --git a/postfix/src/master/multi_server.c b/postfix/src/master/multi_server.c
index 34bfac507..1330b23e6 100644
--- a/postfix/src/master/multi_server.c
+++ b/postfix/src/master/multi_server.c
@@ -755,9 +755,7 @@ NORETURN multi_server_main(int argc, char **argv, MULTI_SERVER_FN service,...)
      * Optionally, restrict the damage that this process can do.
      */
     resolve_local_init();
-#ifdef SNAPSHOT
     tzset();
-#endif
     chroot_uid(root_dir, user_name);
 
     /*
diff --git a/postfix/src/master/single_server.c b/postfix/src/master/single_server.c
index 2b0c92675..82fec73d1 100644
--- a/postfix/src/master/single_server.c
+++ b/postfix/src/master/single_server.c
@@ -658,9 +658,7 @@ NORETURN single_server_main(int argc, char **argv, SINGLE_SERVER_FN service,...)
      * Optionally, restrict the damage that this process can do.
      */
     resolve_local_init();
-#ifdef SNAPSHOT
     tzset();
-#endif
     chroot_uid(root_dir, user_name);
 
     /*
diff --git a/postfix/src/master/trigger_server.c b/postfix/src/master/trigger_server.c
index 471a44c79..bdf042d61 100644
--- a/postfix/src/master/trigger_server.c
+++ b/postfix/src/master/trigger_server.c
@@ -678,9 +678,7 @@ NORETURN trigger_server_main(int argc, char **argv, TRIGGER_SERVER_FN service,..
      * Optionally, restrict the damage that this process can do.
      */
     resolve_local_init();
-#ifdef SNAPSHOT
     tzset();
-#endif
     chroot_uid(root_dir, user_name);
 
     /*
diff --git a/postfix/src/milter/Makefile.in b/postfix/src/milter/Makefile.in
index 755ecf5c9..fb507c9cf 100644
--- a/postfix/src/milter/Makefile.in
+++ b/postfix/src/milter/Makefile.in
@@ -67,7 +67,7 @@ milter:	milter.c $(LIB) $(LIBS)
 	mv junk $@.o
 
 test-milter: test-milter.c
-	cc -o $@ $? -lmilter -lpthread
+	cc -g -o $@ $? -lmilter -lpthread
 
 depend: $(MAKES)
 	(sed '1,/^# do not edit/!d' Makefile.in; \
diff --git a/postfix/src/milter/milter.c b/postfix/src/milter/milter.c
index 94bfa0142..fef14721e 100644
--- a/postfix/src/milter/milter.c
+++ b/postfix/src/milter/milter.c
@@ -37,15 +37,15 @@
 /*					ins_header, del_header, add_rcpt,
 /*					del_rcpt, repl_body, context)
 /*	MILTERS	*milters;
-/*	void	(*add_header) (void *context, char *name, char *value);
-/*	void	(*upd_header) (void *context, ssize_t index,
+/*	const char *(*add_header) (void *context, char *name, char *value);
+/*	const char *(*upd_header) (void *context, ssize_t index,
 /*				char *name, char *value);
-/*	void	(*ins_header) (void *context, ssize_t index,
+/*	const char *(*ins_header) (void *context, ssize_t index,
 /*				char *name, char *value);
-/*	void	(*del_header) (void *context, ssize_t index, char *name);
-/*	void	(*add_rcpt) (void *context, char *rcpt);
-/*	void	(*del_rcpt) (void *context, char *rcpt);
-/*	void	(*repl_body) (void *context, VSTRING *body);
+/*	const char *(*del_header) (void *context, ssize_t index, char *name);
+/*	const char *(*add_rcpt) (void *context, char *rcpt);
+/*	const char *(*del_rcpt) (void *context, char *rcpt);
+/*	const char *(*repl_body) (void *context, VSTRING *body);
 /*	void	*context;
 /*
 /*	const char *milter_conn_event(milters, client_name, client_addr,
@@ -272,13 +272,13 @@ void    milter_macro_callback(MILTERS *milters,
 /* milter_edit_callback - specify queue file edit call-back information */
 
 void    milter_edit_callback(MILTERS *milters,
-			        void (*add_header) (void *, char *, char *),
-	               void (*upd_header) (void *, ssize_t, char *, char *),
-	               void (*ins_header) (void *, ssize_t, char *, char *),
-		               void (*del_header) (void *, ssize_t, char *),
-			             void (*add_rcpt) (void *, char *),
-			             void (*del_rcpt) (void *, char *),
-			             void (*repl_body) (void *, VSTRING *),
+		         const char *(*add_header) (void *, char *, char *),
+	        const char *(*upd_header) (void *, ssize_t, char *, char *),
+	        const char *(*ins_header) (void *, ssize_t, char *, char *),
+		        const char *(*del_header) (void *, ssize_t, char *),
+			           const char *(*add_rcpt) (void *, char *),
+			           const char *(*del_rcpt) (void *, char *),
+		               const char *(*repl_body) (void *, VSTRING *),
 			             void *chg_context)
 {
     milters->add_header = add_header;
@@ -709,13 +709,13 @@ MILTERS *milter_receive(VSTREAM *stream, int count)
 	    return (0);
 	}
 	if (head == 0) {
-	    head = milter;
+	    /* Coverity: milter_free() depends on milters->milter_list. */
+	    milters->milter_list = head = milter;
 	} else {
 	    tail->next = milter;
 	}
 	tail = milter;
     }
-    milters->milter_list = head;
 
     (void) attr_print(stream, ATTR_FLAG_NONE,
 		      ATTR_TYPE_INT, MAIL_ATTR_STATUS, 0,
@@ -838,9 +838,9 @@ int     main(int argc, char **argv)
 		msg_warn("deleting existing milters");
 		milter_free(milters);
 	    }
-	    milters = milter_create(args[0], var_milt_conn_time, 
-				var_milt_cmd_time, var_milt_msg_time, 
-				var_milt_protocol, var_milt_def_action,
+	    milters = milter_create(args[0], var_milt_conn_time,
+				    var_milt_cmd_time, var_milt_msg_time,
+				    var_milt_protocol, var_milt_def_action,
 				    conn_macros, helo_macros, mail_macros,
 				    rcpt_macros, data_macros, eod_macros,
 				    unk_macros);
diff --git a/postfix/src/milter/milter.h b/postfix/src/milter/milter.h
index 2cf63e5e3..9e480193a 100644
--- a/postfix/src/milter/milter.h
+++ b/postfix/src/milter/milter.h
@@ -61,21 +61,21 @@ typedef struct MILTERS {
     char   *eod_macros;			/* macros for END-OF-DATA command */
     char   *unk_macros;			/* macros for unknown command */
     void   *chg_context;		/* context for queue file changes */
-    void    (*add_header) (void *, char *, char *);
-    void    (*upd_header) (void *, ssize_t, char *, char *);
-    void    (*del_header) (void *, ssize_t, char *);
-    void    (*ins_header) (void *, ssize_t, char *, char *);
-    void    (*add_rcpt) (void *, char *);
-    void    (*del_rcpt) (void *, char *);
-    void    (*repl_body) (void *, VSTRING *);
+    const char *(*add_header) (void *, char *, char *);
+    const char *(*upd_header) (void *, ssize_t, char *, char *);
+    const char *(*del_header) (void *, ssize_t, char *);
+    const char *(*ins_header) (void *, ssize_t, char *, char *);
+    const char *(*add_rcpt) (void *, char *);
+    const char *(*del_rcpt) (void *, char *);
+    const char *(*repl_body) (void *, VSTRING *);
 } MILTERS;
 
 typedef const char *(*MILTER_MAC_LOOKUP_FN) (const char *, void *);
-typedef void (*MILTER_ADD_HEADER_FN) (void *, char *, char *);
-typedef void (*MILTER_EDIT_HEADER_FN) (void *, ssize_t, char *, char *);
-typedef void (*MILTER_DEL_HEADER_FN) (void *, ssize_t, char *);
-typedef void (*MILTER_EDIT_RCPT_FN) (void *, char *);
-typedef void (*MILTER_EDIT_BODY_FN) (void *, VSTRING *);
+typedef const char *(*MILTER_ADD_HEADER_FN) (void *, char *, char *);
+typedef const char *(*MILTER_EDIT_HEADER_FN) (void *, ssize_t, char *, char *);
+typedef const char *(*MILTER_DEL_HEADER_FN) (void *, ssize_t, char *);
+typedef const char *(*MILTER_EDIT_RCPT_FN) (void *, char *);
+typedef const char *(*MILTER_EDIT_BODY_FN) (void *, VSTRING *);
 
 extern MILTERS *milter_create(const char *, int, int, int,
 			              const char *, const char *,
diff --git a/postfix/src/milter/milter8.c b/postfix/src/milter/milter8.c
index f2bbebdba..8566d882e 100644
--- a/postfix/src/milter/milter8.c
+++ b/postfix/src/milter/milter8.c
@@ -19,7 +19,7 @@
 /*	MILTER	*milter8_receive(stream)
 /*	VSTREAM	*stream;
 /* DESCRIPTION
-/*	This modulde implements the MTA side of the Sendmail 8 mail
+/*	This module implements the MTA side of the Sendmail 8 mail
 /*	filter protocol.
 /*
 /*	milter8_create() creates a MILTER data structure with virtual
@@ -485,13 +485,14 @@ static void milter8_close_stream(MILTER8 *milter)
     milter->state = MILTER8_STAT_CLOSED;
 }
 
-/* milter8_read_cmd - receive command code now, receive data later */
+/* milter8_read_resp - receive command code now, receive data later */
 
-static int milter8_read_cmd(MILTER8 *milter, unsigned char *command,
+static int milter8_read_resp(MILTER8 *milter, int event, unsigned char *command,
 			            ssize_t *data_len)
 {
     UINT32_TYPE len;
     ssize_t pkt_len;
+    const char *smfic_name;
     int     cmd;
 
     /*
@@ -499,7 +500,10 @@ static int milter8_read_cmd(MILTER8 *milter, unsigned char *command,
      */
     if ((vstream_fread(milter->fp, (char *) &len, UINT32_SIZE))
 	!= UINT32_SIZE) {
-	msg_warn("milter %s: can't read packet header: %m", milter->m.name);
+	smfic_name = str_name_code(smfic_table, event);
+	msg_warn("milter %s: can't read %s reply packet header: %m",
+		 milter->m.name, smfic_name != 0 ?
+		 smfic_name : "(unknown MTA event)");
 	return (milter8_comm_error(milter));
     } else if ((pkt_len = ntohl(len)) < 1) {
 	msg_warn("milter %s: bad packet length: %ld",
@@ -625,7 +629,7 @@ static int vmilter8_read_data(MILTER8 *milter, ssize_t data_len, va_list ap)
 
     /*
      * Sanity checks. We may have excess data when the sender is confused. We
-     * may have a negative count when we're confused outselves.
+     * may have a negative count when we're confused ourselves.
      */
     if (data_left > 0) {
 	msg_warn("%s: left-over data %ld bytes", myname, (long) data_left);
@@ -740,7 +744,7 @@ static int vmilter8_write_cmd(MILTER8 *milter, int command, ssize_t data_len,
     VSTRING *buf;
     const char *str;
     const char **cpp;
-    unsigned char ch;
+    char    ch;
 
     /*
      * Deliver the packet.
@@ -863,11 +867,12 @@ static const char *milter8_event(MILTER8 *milter, int event,
     const char *smfir_name;
     MILTERS *parent;
     UINT32_TYPE index;
+    const char *edit_resp;
 
 #define DONT_SKIP_REPLY	0
 
     /*
-     * Skip this event if it is not defined for my protocol version.
+     * Skip this event if it doesn't exist in the protocol that I announced.
      */
 #ifndef USE_LIBMILTER_INCLUDES
     if ((skip_event_flag & milter->np_mask) != 0) {
@@ -880,9 +885,9 @@ static const char *milter8_event(MILTER8 *milter, int event,
 #endif
 
     /*
-     * Send the macros even when the corresponding list is empty. This is not
-     * a problem because we're sending macros and event parameters in one
-     * transaction.
+     * Send the macros for this event, even when we're not reporting the
+     * event itself. This does not introduce a performance problem because
+     * we're sending macros and event parameters in one VSTREAM transaction.
      */
     if (msg_verbose) {
 	VSTRING *buf = vstring_alloc(100);
@@ -921,7 +926,8 @@ static const char *milter8_event(MILTER8 *milter, int event,
     }
 
     /*
-     * Size the command data.
+     * Compute the command data size. This is necessary because the protocol
+     * sends length before content.
      */
     va_start(ap, macros);
     data_len = vmilter8_size_data(ap);
@@ -938,8 +944,8 @@ static const char *milter8_event(MILTER8 *milter, int event,
 
     /*
      * Special feature: don't wait for one reply per header. This allows us
-     * to send multiple headers in one transaction, and improves over-all
-     * performance.
+     * to send multiple headers in one VSTREAM transaction, and improves
+     * over-all performance.
      */
     if (skip_reply) {
 	if (msg_verbose)
@@ -957,12 +963,12 @@ static const char *milter8_event(MILTER8 *milter, int event,
 #define IN_CONNECT_EVENT(e) ((e) == SMFIC_CONNECT || (e) == SMFIC_HELO)
 
     for (;;) {
-	if (milter8_read_cmd(milter, &cmd, &data_size) != 0)
+	if (milter8_read_resp(milter, event, &cmd, &data_size) != 0)
 	    return (milter->def_reply);
 	if (msg_verbose)
-	    msg_info("reply: %s %d",
+	    msg_info("reply: %s data %ld bytes",
 		     (smfir_name = str_name_code(smfir_table, cmd)) != 0 ?
-		     smfir_name : "unknown", data_size);
+		     smfir_name : "unknown", (long) data_size);
 	switch (cmd) {
 
 	    /*
@@ -1051,7 +1057,7 @@ static const char *milter8_event(MILTER8 *milter, int event,
 #endif
 		milter->state = MILTER8_STAT_REJECT_CON;
 		return (milter8_def_reply(milter,
-		       "451 4.7.1 Service unavailable - try again later"));
+			"451 4.7.1 Service unavailable - try again later"));
 	    } else {
 		return ("451 4.7.1 Service unavailable - try again later");
 	    }
@@ -1136,6 +1142,9 @@ static const char *milter8_event(MILTER8 *milter, int event,
 					  MILTER8_DATA_END) != 0)
 			return (milter->def_reply);
 		    parent = milter->m.parent;
+		    /* XXX Sendmail 8 compatibility. */
+		    if (index == 0)
+			index = 1;
 		    if ((ssize_t) index < 1) {
 			msg_warn("milter %s: bad change header index: %ld",
 				 milter->m.name, (long) index);
@@ -1149,12 +1158,16 @@ static const char *milter8_event(MILTER8 *milter, int event,
 			return (milter->def_reply);
 		    }
 		    if (STR(milter->body)[0])
-			parent->upd_header(parent->chg_context, (ssize_t) index,
-					   STR(milter->buf),
-					   STR(milter->body));
+			edit_resp = parent->upd_header(parent->chg_context,
+						       (ssize_t) index,
+						       STR(milter->buf),
+						       STR(milter->body));
 		    else
-			parent->del_header(parent->chg_context, (ssize_t) index,
-					   STR(milter->buf));
+			edit_resp = parent->del_header(parent->chg_context,
+						       (ssize_t) index,
+						       STR(milter->buf));
+		    if (edit_resp)
+			return (milter8_def_reply(milter, edit_resp));
 		    continue;
 #endif
 
@@ -1168,8 +1181,11 @@ static const char *milter8_event(MILTER8 *milter, int event,
 					  MILTER8_DATA_END) != 0)
 			return (milter->def_reply);
 		    parent = milter->m.parent;
-		    parent->add_header(parent->chg_context, STR(milter->buf),
-				       STR(milter->body));
+		    edit_resp = parent->add_header(parent->chg_context,
+						   STR(milter->buf),
+						   STR(milter->body));
+		    if (edit_resp)
+			return (milter8_def_reply(milter, edit_resp));
 		    continue;
 
 		    /*
@@ -1193,8 +1209,12 @@ static const char *milter8_event(MILTER8 *milter, int event,
 			return (milter->def_reply);
 		    }
 		    parent = milter->m.parent;
-		    parent->ins_header(parent->chg_context, (ssize_t) index + 1,
-				       STR(milter->buf), STR(milter->body));
+		    edit_resp = parent->ins_header(parent->chg_context,
+						   (ssize_t) index + 1,
+						   STR(milter->buf),
+						   STR(milter->body));
+		    if (edit_resp)
+			return (milter8_def_reply(milter, edit_resp));
 		    continue;
 #endif
 
@@ -1207,7 +1227,10 @@ static const char *milter8_event(MILTER8 *milter, int event,
 					  MILTER8_DATA_END) != 0)
 			return (milter->def_reply);
 		    parent = milter->m.parent;
-		    parent->add_rcpt(parent->chg_context, STR(milter->buf));
+		    edit_resp = parent->add_rcpt(parent->chg_context,
+						 STR(milter->buf));
+		    if (edit_resp)
+			return (milter8_def_reply(milter, edit_resp));
 		    continue;
 
 		    /*
@@ -1219,7 +1242,10 @@ static const char *milter8_event(MILTER8 *milter, int event,
 					  MILTER8_DATA_END) != 0)
 			return (milter->def_reply);
 		    parent = milter->m.parent;
-		    parent->del_rcpt(parent->chg_context, STR(milter->buf));
+		    edit_resp = parent->del_rcpt(parent->chg_context,
+						 STR(milter->buf));
+		    if (edit_resp)
+			return (milter8_def_reply(milter, edit_resp));
 		    continue;
 
 		    /*
@@ -1233,7 +1259,10 @@ static const char *milter8_event(MILTER8 *milter, int event,
 					  MILTER8_DATA_END) != 0)
 			return (milter->def_reply);
 		    parent = milter->m.parent;
-		    parent->repl_body(parent->chg_context, milter->body);
+		    edit_resp = parent->repl_body(parent->chg_context,
+						  milter->body);
+		    if (edit_resp)
+			return (milter8_def_reply(milter, edit_resp));
 		    continue;
 #endif
 		}
@@ -1252,9 +1281,9 @@ static const char *milter8_event(MILTER8 *milter, int event,
 	 * Get here when the reply was followed by data bytes that weren't
 	 * supposed to be there.
 	 */
-	msg_warn("milter %s: reply %s was followed by %d data bytes",
+	msg_warn("milter %s: reply %s was followed by %ld data bytes",
 	milter->m.name, (smfir_name = str_name_code(smfir_table, cmd)) != 0 ?
-		 smfir_name : "unknown", data_len);
+		 smfir_name : "unknown", (long) data_len);
 	milter8_comm_error(milter);
 	return (milter->def_reply);
     }
@@ -1439,9 +1468,9 @@ static void milter8_connect(MILTER8 *milter)
     /*
      * Receive the filter's response and verify that we are compatible.
      */
-    else if (milter8_read_cmd(milter, &cmd, &data_len) != 0) {
+    else if (milter8_read_resp(milter, SMFIC_OPTNEG, &cmd, &data_len) != 0) {
 	msg_warn("milter %s: read error in initial handshake", milter->m.name);
-	/* milter8_read_cmd() called milter8_comm_error() */
+	/* milter8_read_resp() called milter8_comm_error() */
     } else if (cmd != SMFIC_OPTNEG) {
 	msg_warn("milter %s: unexpected reply \"%c\" in initial handshake",
 		 milter->m.name, cmd);
@@ -1857,6 +1886,8 @@ static void milter8_disc_event(MILTER *m)
 typedef struct {
     MILTER8 *milter;			/* milter client */
     ARGV   *macros;			/* end-of-body macros */
+    int     first_header;		/* first header */
+    int     first_body;			/* first body line */
     const char *resp;			/* milter application response */
 } MILTER_MSG_CONTEXT;
 
@@ -1872,6 +1903,28 @@ static void milter8_header(void *ptr, int unused_header_class,
     char   *cp;
     int     skip_reply;
 
+    /*
+     * XXX Sendmail compatibility. Don't expose our first (received) header
+     * to mail filter applications. See also cleanup_milter.c for code to
+     * ensure that header replace requests are relative to the message
+     * content as received, that is, without our own first (received) header,
+     * while header insert requests are relative to the message as delivered,
+     * that is, including our own first (received) header.
+     * 
+     * XXX But this breaks when they delete our own Received: header with
+     * header_checks before it reaches the queue file. Even then we must not
+     * expose the first header to mail filter applications, otherwise the
+     * dk-filter signature will be inserted at the wrong position. It should
+     * precede the headers that it signs.
+     * 
+     * XXX Sendmail compatibility. It eats the first space (not tab) after the
+     * header label and ":".
+     */
+    if (msg_ctx->first_header) {
+	msg_ctx->first_header = 0;
+	return;
+    }
+
     /*
      * Sendmail 8 sends multi-line headers as text separated by newline.
      * 
@@ -1889,8 +1942,8 @@ static void milter8_header(void *ptr, int unused_header_class,
     if (*cp != ':')
 	msg_panic("%s: header label not followed by ':'", myname);
     *cp++ = 0;
-    /* XXX Following matches mime_state.c */
-    while (*cp == ' ' || *cp == '\t')
+    /* XXX Sendmail 8.13.6 eats one space (not tab) after colon. */
+    if (*cp == ' ')
 	cp++;
 #ifdef SMFIP_NOHREPL
     skip_reply = ((milter->ev_mask & SMFIP_NOHREPL) != 0);
@@ -1935,6 +1988,14 @@ static void milter8_body(void *ptr, int rec_type,
     ssize_t space;
     ssize_t count;
 
+    /*
+     * XXX Sendmail compatibility: don't expose our first body line.
+     */
+    if (msg_ctx->first_body) {
+	msg_ctx->first_body = 0;
+	return;
+    }
+
     /*
      * XXX I thought I was going to delegate all the on-the-wire formatting
      * to a common lower layer, but unfortunately it's not practical. If we
@@ -1950,6 +2011,12 @@ static void milter8_body(void *ptr, int rec_type,
      */
     if (msg_verbose > 1)
 	msg_info("%s: body milter %s: %.100s", myname, milter->m.name, buf);
+    /* To append \r\n, simply redirect input to another buffer. */
+    if (rec_type == REC_TYPE_NORM && todo == 0) {
+	bp = "\r\n";
+	todo = 2;
+	rec_type = REC_TYPE_EOF;
+    }
     while (todo > 0) {
 	/* Append one REC_TYPE_NORM or REC_TYPE_CONT to body chunk buffer. */
 	space = MILTER_CHUNK_SIZE - LEN(milter->body);
@@ -2029,6 +2096,8 @@ static const char *milter8_message(MILTER *m, VSTREAM *qfile,
 	}
 	msg_ctx.milter = milter;
 	msg_ctx.macros = macros;
+	msg_ctx.first_header = 1;
+	msg_ctx.first_body = 1;
 	msg_ctx.resp = 0;
 	mime_state =
 	    mime_state_alloc(MIME_OPT_DISABLE_MIME,
diff --git a/postfix/src/milter/test-milter.c b/postfix/src/milter/test-milter.c
index 60df98a34..f11962a44 100644
--- a/postfix/src/milter/test-milter.c
+++ b/postfix/src/milter/test-milter.c
@@ -7,14 +7,24 @@
   * 
   * Specifies a non-default reply. The default is to always continue.
   * 
+  * -d Enable libmilter debugging.
+  * 
   * -c connect|helo|mail|rcpt|data|header|eoh|body|eom|unknown|close|abort
   * 
   * When to send the non-default reply. The default is "connect".
   * 
+  * -i "index header-label header-value"
+  * 
+  * Insert header at specified position.
+  * 
   * -p inet:port@host|unix:/path/name
   * 
   * The mail filter listen endpoint.
   * 
+  * -r "index header-label header-value"
+  * 
+  * Replace header at specified position.
+  * 
   * -C count
   * 
   * Terminate after count connections.
@@ -86,8 +96,18 @@ static char *reply_code;
 static char *reply_dsn;
 static char *reply_message;
 
+static char *ins_hdr;
+static int ins_idx;
+static char *ins_val;
+
+static char *chg_hdr;
+static int chg_idx;
+static char *chg_val;
+
 static int test_reply(SMFICTX *ctx, int code)
 {
+    (void) fflush(stdout);			/* In case output redirected. */
+
     if (code == SMFIR_REPLYCODE) {
 	if (smfi_setreply(ctx, reply_code, reply_dsn, reply_message) != MI_SUCCESS)
 	    fprintf(stderr, "smfi_setreply failed\n");
@@ -184,13 +204,20 @@ static sfsistat test_eoh(SMFICTX *ctx)
 
 static sfsistat test_body(SMFICTX *ctx, unsigned char *data, size_t data_len)
 {
-    printf("test_body %ld bytes\n", (long) data_len);
+    if (verbose == 0)
+	printf("test_body %ld bytes\n", (long) data_len);
+    else
+	printf("%.*s", (int) data_len, data);
     return (test_reply(ctx, test_body_reply));
 }
 
 static sfsistat test_eom(SMFICTX *ctx)
 {
     printf("test_eom\n");
+    if (ins_hdr && smfi_insheader(ctx, ins_idx, ins_hdr, ins_val) == MI_FAILURE)
+	fprintf(stderr, "smfi_insheader failed");
+    if (chg_hdr && smfi_chgheader(ctx, chg_hdr, chg_idx, chg_val) == MI_FAILURE)
+	fprintf(stderr, "smfi_chgheader failed");
     return (test_reply(ctx, test_eom_reply));
 }
 
@@ -234,7 +261,7 @@ static struct smfiDesc smfilter =
 {
     "test-milter",
     SMFI_VERSION,
-    SMFIF_ADDRCPT | SMFIF_DELRCPT | SMFIF_CHGHDRS,
+    SMFIF_ADDRCPT | SMFIF_DELRCPT | SMFIF_ADDHDRS | SMFIF_CHGHDRS,
     test_connect,
     test_helo,
     test_mail,
@@ -253,6 +280,22 @@ static struct smfiDesc smfilter =
 #endif
 };
 
+static void parse_hdr_info(const char *optarg, int *idx,
+			           char **hdr, char **value)
+{
+    int     len;
+
+    len = strlen(optarg) + 1;
+    if ((*hdr = malloc(len)) == 0 || (*value = malloc(len)) == 0) {
+	fprintf(stderr, "out of memory\n");
+	exit(1);
+    }
+    if (sscanf(optarg, "%d %s %[^\n]", idx, *hdr, *value) != 3) {
+	fprintf(stderr, "bad header info: %s\n", optarg);
+	exit(1);
+    }
+}
+
 int     main(int argc, char **argv)
 {
     char   *action = 0;
@@ -261,7 +304,7 @@ int     main(int argc, char **argv)
     int     ch;
     int     code;
 
-    while ((ch = getopt(argc, argv, "a:c:d:p:vC:")) > 0) {
+    while ((ch = getopt(argc, argv, "a:c:d:i:p:r:vC:")) > 0) {
 	switch (ch) {
 	case 'a':
 	    action = optarg;
@@ -275,12 +318,26 @@ int     main(int argc, char **argv)
 		exit(1);
 	    }
 	    break;
+	case 'i':
+	    if (ins_hdr) {
+		fprintf(stderr, "too many -i options\n");
+		exit(1);
+	    }
+	    parse_hdr_info(optarg, &ins_idx, &ins_hdr, &ins_val);
+	    break;
 	case 'p':
 	    if (smfi_setconn(optarg) == MI_FAILURE) {
 		fprintf(stderr, "smfi_setconn failed\n");
 		exit(1);
 	    }
 	    break;
+	case 'r':
+	    if (chg_hdr) {
+		fprintf(stderr, "too many -r options\n");
+		exit(1);
+	    }
+	    parse_hdr_info(optarg, &chg_idx, &chg_hdr, &chg_val);
+	    break;
 	case 'v':
 	    verbose++;
 	    break;
@@ -289,7 +346,13 @@ int     main(int argc, char **argv)
 	    break;
 	default:
 	    fprintf(stderr,
-		    "usage: %s [-a action] [-c command] [-C conn_count] [-d debug] -p port [-v]\n",
+		    "usage: %s [-dv] \n"
+		    "\t[-a action]              non-default action\n"
+		    "\t[-c command]             non-default action trigger\n"
+		    "\t[-i 'index label value'] insert header\n"
+		    "\t-p port                  milter application\n"
+		    "\t[-r 'index label value'] replace header\n"
+		    "\t[-C conn_count]          when to exit\n",
 		    argv[0]);
 	    exit(1);
 	}
diff --git a/postfix/src/smtp/Makefile.in b/postfix/src/smtp/Makefile.in
index 8b781b4a1..dad89aae9 100644
--- a/postfix/src/smtp/Makefile.in
+++ b/postfix/src/smtp/Makefile.in
@@ -111,6 +111,7 @@ levels.o: ../../include/match_list.h
 levels.o: ../../include/match_ops.h
 levels.o: ../../include/msg.h
 levels.o: ../../include/msg_stats.h
+levels.o: ../../include/name_code.h
 levels.o: ../../include/name_mask.h
 levels.o: ../../include/recipient_list.h
 levels.o: ../../include/resolve_clnt.h
@@ -182,6 +183,7 @@ smtp_addr.o: ../../include/msg.h
 smtp_addr.o: ../../include/msg_stats.h
 smtp_addr.o: ../../include/myaddrinfo.h
 smtp_addr.o: ../../include/mymalloc.h
+smtp_addr.o: ../../include/name_code.h
 smtp_addr.o: ../../include/name_mask.h
 smtp_addr.o: ../../include/own_inet_addr.h
 smtp_addr.o: ../../include/recipient_list.h
@@ -218,6 +220,7 @@ smtp_chat.o: ../../include/match_ops.h
 smtp_chat.o: ../../include/msg.h
 smtp_chat.o: ../../include/msg_stats.h
 smtp_chat.o: ../../include/mymalloc.h
+smtp_chat.o: ../../include/name_code.h
 smtp_chat.o: ../../include/name_mask.h
 smtp_chat.o: ../../include/post_mail.h
 smtp_chat.o: ../../include/recipient_list.h
@@ -256,6 +259,7 @@ smtp_connect.o: ../../include/msg.h
 smtp_connect.o: ../../include/msg_stats.h
 smtp_connect.o: ../../include/myaddrinfo.h
 smtp_connect.o: ../../include/mymalloc.h
+smtp_connect.o: ../../include/name_code.h
 smtp_connect.o: ../../include/name_mask.h
 smtp_connect.o: ../../include/own_inet_addr.h
 smtp_connect.o: ../../include/recipient_list.h
@@ -290,6 +294,7 @@ smtp_map11.o: ../../include/match_list.h
 smtp_map11.o: ../../include/match_ops.h
 smtp_map11.o: ../../include/msg.h
 smtp_map11.o: ../../include/msg_stats.h
+smtp_map11.o: ../../include/name_code.h
 smtp_map11.o: ../../include/name_mask.h
 smtp_map11.o: ../../include/quote_822_local.h
 smtp_map11.o: ../../include/quote_flags.h
@@ -376,6 +381,7 @@ smtp_rcpt.o: ../../include/match_ops.h
 smtp_rcpt.o: ../../include/msg.h
 smtp_rcpt.o: ../../include/msg_stats.h
 smtp_rcpt.o: ../../include/mymalloc.h
+smtp_rcpt.o: ../../include/name_code.h
 smtp_rcpt.o: ../../include/name_mask.h
 smtp_rcpt.o: ../../include/recipient_list.h
 smtp_rcpt.o: ../../include/resolve_clnt.h
@@ -405,6 +411,7 @@ smtp_reuse.o: ../../include/match_ops.h
 smtp_reuse.o: ../../include/msg.h
 smtp_reuse.o: ../../include/msg_stats.h
 smtp_reuse.o: ../../include/mymalloc.h
+smtp_reuse.o: ../../include/name_code.h
 smtp_reuse.o: ../../include/name_mask.h
 smtp_reuse.o: ../../include/recipient_list.h
 smtp_reuse.o: ../../include/resolve_clnt.h
@@ -435,6 +442,7 @@ smtp_sasl_glue.o: ../../include/match_ops.h
 smtp_sasl_glue.o: ../../include/msg.h
 smtp_sasl_glue.o: ../../include/msg_stats.h
 smtp_sasl_glue.o: ../../include/mymalloc.h
+smtp_sasl_glue.o: ../../include/name_code.h
 smtp_sasl_glue.o: ../../include/name_mask.h
 smtp_sasl_glue.o: ../../include/recipient_list.h
 smtp_sasl_glue.o: ../../include/resolve_clnt.h
@@ -466,6 +474,7 @@ smtp_sasl_proto.o: ../../include/match_ops.h
 smtp_sasl_proto.o: ../../include/msg.h
 smtp_sasl_proto.o: ../../include/msg_stats.h
 smtp_sasl_proto.o: ../../include/mymalloc.h
+smtp_sasl_proto.o: ../../include/name_code.h
 smtp_sasl_proto.o: ../../include/name_mask.h
 smtp_sasl_proto.o: ../../include/recipient_list.h
 smtp_sasl_proto.o: ../../include/resolve_clnt.h
@@ -529,6 +538,7 @@ smtp_state.o: ../../include/match_ops.h
 smtp_state.o: ../../include/msg.h
 smtp_state.o: ../../include/msg_stats.h
 smtp_state.o: ../../include/mymalloc.h
+smtp_state.o: ../../include/name_code.h
 smtp_state.o: ../../include/name_mask.h
 smtp_state.o: ../../include/recipient_list.h
 smtp_state.o: ../../include/resolve_clnt.h
@@ -559,6 +569,7 @@ smtp_trouble.o: ../../include/match_list.h
 smtp_trouble.o: ../../include/match_ops.h
 smtp_trouble.o: ../../include/msg.h
 smtp_trouble.o: ../../include/msg_stats.h
+smtp_trouble.o: ../../include/name_code.h
 smtp_trouble.o: ../../include/name_mask.h
 smtp_trouble.o: ../../include/recipient_list.h
 smtp_trouble.o: ../../include/resolve_clnt.h
@@ -588,6 +599,7 @@ smtp_unalias.o: ../../include/match_ops.h
 smtp_unalias.o: ../../include/msg.h
 smtp_unalias.o: ../../include/msg_stats.h
 smtp_unalias.o: ../../include/myaddrinfo.h
+smtp_unalias.o: ../../include/name_code.h
 smtp_unalias.o: ../../include/name_mask.h
 smtp_unalias.o: ../../include/recipient_list.h
 smtp_unalias.o: ../../include/resolve_clnt.h
diff --git a/postfix/src/smtp/lmtp_params.c b/postfix/src/smtp/lmtp_params.c
index b6e04f66d..fa488781e 100644
--- a/postfix/src/smtp/lmtp_params.c
+++ b/postfix/src/smtp/lmtp_params.c
@@ -16,7 +16,7 @@
 	VAR_LMTP_TLS_DKEY_FILE, DEF_LMTP_TLS_DKEY_FILE, &var_smtp_tls_dkey_file, 0, 0,
 	VAR_LMTP_TLS_CA_FILE, DEF_LMTP_TLS_CA_FILE, &var_smtp_tls_CAfile, 0, 0,
 	VAR_LMTP_TLS_CA_PATH, DEF_LMTP_TLS_CA_PATH, &var_smtp_tls_CApath, 0, 0,
-	VAR_LMTP_TLS_CIPHERS, DEF_LMTP_TLS_CIPHERS, &var_smtp_tls_ciphers, 1, 0,
+	VAR_LMTP_TLS_MAND_CIPH, DEF_LMTP_TLS_MAND_CIPH, &var_smtp_tls_mand_ciph, 1, 0,
 	VAR_LMTP_TLS_EXCL_CIPH, DEF_LMTP_TLS_EXCL_CIPH, &var_smtp_tls_excl_ciph, 0, 0,
 	VAR_LMTP_TLS_MAND_EXCL, DEF_LMTP_TLS_MAND_EXCL, &var_smtp_tls_mand_excl, 0, 0,
 	VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0,
@@ -24,7 +24,7 @@
 	VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_clist, 1, 0,
 	VAR_TLS_EXPORT_CLIST, DEF_TLS_EXPORT_CLIST, &var_tls_export_clist, 1, 0,
 	VAR_TLS_NULL_CLIST, DEF_TLS_NULL_CLIST, &var_tls_null_clist, 1, 0,
-	VAR_LMTP_TLS_PROTO, DEF_LMTP_TLS_PROTO, &var_smtp_tls_protocols, 0, 0,
+	VAR_LMTP_TLS_MAND_PROTO, DEF_LMTP_TLS_MAND_PROTO, &var_smtp_tls_mand_proto, 0, 0,
 	VAR_LMTP_TLS_VFY_CMATCH, DEF_LMTP_TLS_VFY_CMATCH, &var_smtp_tls_vfy_cmatch, 1, 0,
 	VAR_LMTP_TLS_SEC_CMATCH, DEF_LMTP_TLS_SEC_CMATCH, &var_smtp_tls_sec_cmatch, 1, 0,
 #endif
@@ -95,5 +95,6 @@
 #endif
 	VAR_LMTP_SENDER_AUTH, DEF_LMTP_SENDER_AUTH, &var_smtp_sender_auth,
 	VAR_LMTP_CNAME_OVERR, DEF_LMTP_CNAME_OVERR, &var_smtp_cname_overr,
+	VAR_LMTP_SASL_ENFORCE, DEF_LMTP_SASL_ENFORCE, &var_smtp_sasl_enforce,
 	0,
     };
diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c
index 22a5cd3f5..7fdbf780d 100644
--- a/postfix/src/smtp/smtp.c
+++ b/postfix/src/smtp/smtp.c
@@ -170,12 +170,12 @@
 /* .IP "\fBsmtp_discard_ehlo_keyword_address_maps (empty)\fR"
 /*	Lookup tables, indexed by the remote SMTP server address, with
 /*	case insensitive lists of EHLO keywords (pipelining, starttls, auth,
-/*	etc.) that the SMTP client will ignore in the EHLO response from a
+/*	etc.) that the Postfix SMTP client will ignore in the EHLO response from a
 /*	remote SMTP server.
 /* .IP "\fBsmtp_discard_ehlo_keywords (empty)\fR"
 /*	A case insensitive list of EHLO keywords (pipelining, starttls,
-/*	auth, etc.) that the SMTP client will ignore in the EHLO response
-/*	from a remote SMTP server.
+/*	auth, etc.) that the Postfix SMTP client will ignore in the EHLO
+/*	response from a remote SMTP server.
 /* .IP "\fBsmtp_generic_maps (empty)\fR"
 /*	Optional lookup tables that perform address rewriting in the
 /*	SMTP client, typically to transform a locally valid address into
@@ -212,8 +212,8 @@
 /* .fi
 /*	Available in Postfix version 2.1 and later:
 /* .IP "\fBsmtp_send_xforward_command (no)\fR"
-/*	Send the non-standard XFORWARD command when the Postfix SMTP server EHLO
-/*	response announces XFORWARD support.
+/*	Send the non-standard XFORWARD command when the Postfix SMTP server
+/*	EHLO response announces XFORWARD support.
 /* SASL AUTHENTICATION CONTROLS
 /* .ad
 /* .fi
@@ -234,8 +234,13 @@
 /*	server's list of offered SASL mechanisms.
 /* .PP
 /*	Available in Postfix version 2.3 and later:
+/* .IP "\fBsmtp_sasl_auth_enforce (yes)\fR"
+/*	If sender-dependent SASL passwords are turned off, defer mail
+/*	delivery when an SMTP server does not support SASL authentication,
+/*	while smtp_sasl_password_maps contains SASL login/password information
+/*	for that server.
 /* .IP "\fBsmtp_sender_dependent_authentication (no)\fR"
-/*	Enable sender-dependent authentication in the SMTP client; this is
+/*	Enable sender-dependent authentication in the Postfix SMTP client; this is
 /*	available only with SASL authentication, and disables SMTP connection
 /*	caching to ensure that mail from different senders will use the
 /*	appropriate credentials.
@@ -252,9 +257,9 @@
 /*	Detailed information about STARTTLS configuration may be found
 /*	in the TLS_README document.
 /* .IP "\fBsmtp_tls_security_level (empty)\fR"
-/*	The default SMTP TLS security level for all destinations; when
-/*	a non-empty value is specified, this overrides the obsolete parameters
-/*	smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
+/*	The default SMTP TLS security level for the Postfix SMTP client;
+/*	when a non-empty value is specified, this overrides the obsolete
+/*	parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
 /* .IP "\fBsmtp_sasl_tls_security_options ($smtp_sasl_security_options)\fR"
 /*	The SASL authentication security options that the Postfix SMTP
 /*	client uses for TLS encrypted SMTP sessions.
@@ -271,15 +276,16 @@
 /* .IP "\fBsmtp_tls_cert_file (empty)\fR"
 /*	File with the Postfix SMTP client RSA certificate in PEM format.
 /* .IP "\fBsmtp_tls_mandatory_ciphers (medium)\fR"
-/*	The minimum SMTP client TLS cipher grade that is strong enough to
-/*	be used with the "encrypt" security level and higher.
+/*	The minimum TLS cipher grade that the Postfix SMTP client will
+/*	use with
+/*	mandatory TLS encryption.
 /* .IP "\fBsmtp_tls_exclude_ciphers (empty)\fR"
-/*	List of ciphers or cipher types to exclude from the SMTP client cipher
-/*	list at all security levels.
+/*	List of ciphers or cipher types to exclude from the Postfix
+/*	SMTP client cipher
+/*	list at all TLS security levels.
 /* .IP "\fBsmtp_tls_mandatory_exclude_ciphers (empty)\fR"
-/*	List of ciphers or cipher types to exclude from the SMTP client
-/*	cipher list at the mandatory TLS security levels: "encrypt", "verify"
-/*	and "secure".
+/*	Additional list of ciphers or cipher types to exclude from the
+/*	SMTP client cipher list at mandatory TLS security levels.
 /* .IP "\fBsmtp_tls_dcert_file (empty)\fR"
 /*	File with the Postfix SMTP client DSA certificate in PEM format.
 /* .IP "\fBsmtp_tls_dkey_file ($smtp_tls_dcert_file)\fR"
@@ -291,13 +297,6 @@
 /* .IP "\fBsmtp_tls_note_starttls_offer (no)\fR"
 /*	Log the hostname of a remote SMTP server that offers STARTTLS,
 /*	when TLS is not already enabled for that server.
-/* .IP "\fBsmtp_tls_policy_maps (empty)\fR"
-/*	Optional lookup tables with the Postfix SMTP client TLS security
-/*	policy by next-hop destination; when a non-empty value is specified,
-/*	this overrides the obsolete smtp_tls_per_site parameter.
-/* .IP "\fBsmtp_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
-/*	List of TLS protocol versions that are secure enough to be used
-/*	with the "encrypt" security level and higher.
 /* .IP "\fBsmtp_tls_scert_verifydepth (5)\fR"
 /*	The verification depth for remote SMTP server certificates.
 /* .IP "\fBsmtp_tls_secure_cert_match (nexthop, dot-nexthop)\fR"
@@ -346,12 +345,15 @@
 /*	Enforcement mode: require that remote SMTP servers use TLS
 /*	encryption, and never send mail in the clear.
 /* .IP "\fBsmtp_tls_enforce_peername (yes)\fR"
-/*	When TLS encryption is enforced, require that the remote SMTP
+/*	With mandatory TLS encryption, require that the remote SMTP
 /*	server hostname matches the information in the remote SMTP server
 /*	certificate.
 /* .IP "\fBsmtp_tls_per_site (empty)\fR"
 /*	Optional lookup tables with the Postfix SMTP client TLS usage
 /*	policy by next-hop destination and by remote SMTP server hostname.
+/* .IP "\fBsmtp_tls_cipherlist (empty)\fR"
+/*	Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
+/*	cipher list.
 /* RESOURCE AND RATE CONTROLS
 /* .ad
 /* .fi
@@ -440,6 +442,10 @@
 /*	The recipient of postmaster notifications about mail delivery
 /*	problems that are caused by policy, resource, software or protocol
 /*	errors.
+/* .IP "\fBinternal_mail_filter_classes (empty)\fR"
+/*	What categories of Postfix-generated mail are subject to
+/*	before-queue content inspection by non_smtpd_milters, header_checks
+/*	and body_checks.
 /* .IP "\fBnotify_classes (resource, software)\fR"
 /*	The list of error classes that are reported to the postmaster.
 /* MISCELLANEOUS CONTROLS
@@ -484,17 +490,17 @@
 /*	The network interface addresses that this mail system receives mail
 /*	on by way of a proxy or network address translation unit.
 /* .IP "\fBsmtp_bind_address (empty)\fR"
-/*	An optional numerical network address that the SMTP client should
-/*	bind to when making an IPv4 connection.
+/*	An optional numerical network address that the Postfix SMTP client
+/*	should bind to when making an IPv4 connection.
 /* .IP "\fBsmtp_bind_address6 (empty)\fR"
-/*	An optional numerical network address that the SMTP client should
-/*	bind to when making an IPv6 connection.
+/*	An optional numerical network address that the Postfix SMTP client
+/*	should bind to when making an IPv6 connection.
 /* .IP "\fBsmtp_helo_name ($myhostname)\fR"
 /*	The hostname to send in the SMTP EHLO or HELO command.
 /* .IP "\fBlmtp_lhlo_name ($myhostname)\fR"
 /*	The hostname to send in the LMTP LHLO command.
 /* .IP "\fBsmtp_host_lookup (dns)\fR"
-/*	What mechanisms when the SMTP client uses to look up a host's IP
+/*	What mechanisms when the Postfix SMTP client uses to look up a host's IP
 /*	address.
 /* .IP "\fBsmtp_randomize_addresses (yes)\fR"
 /*	Randomize the order of equal-preference MX host addresses.
@@ -668,7 +674,7 @@ int     var_smtp_starttls_tmout;
 char   *var_smtp_tls_CAfile;
 char   *var_smtp_tls_CApath;
 char   *var_smtp_tls_cert_file;
-char   *var_smtp_tls_ciphers;
+char   *var_smtp_tls_mand_ciph;
 char   *var_smtp_tls_excl_ciph;
 char   *var_smtp_tls_mand_excl;
 char   *var_smtp_tls_dcert_file;
@@ -677,7 +683,7 @@ bool    var_smtp_tls_enforce_peername;
 char   *var_smtp_tls_key_file;
 int     var_smtp_tls_loglevel;
 bool    var_smtp_tls_note_starttls_offer;
-char   *var_smtp_tls_protocols;
+char   *var_smtp_tls_mand_proto;
 char   *var_smtp_tls_sec_cmatch;
 int     var_smtp_tls_scert_vd;
 char   *var_smtp_tls_vfy_cmatch;
@@ -691,6 +697,7 @@ bool    var_smtp_sender_auth;
 char   *var_lmtp_tcp_port;
 int     var_scache_proto_tmout;
 bool    var_smtp_cname_overr;
+bool    var_smtp_sasl_enforce;
 
  /*
   * Global variables.
@@ -711,8 +718,6 @@ SSL_CTX *smtp_tls_ctx;
 
 #endif
 
-extern NAME_CODE smtp_tls_levels[];	/* smtp_session.c name_code table */
-
 /* deliver_message - deliver message with extreme prejudice */
 
 static int deliver_message(const char *service, DELIVER_REQUEST *request)
@@ -828,6 +833,7 @@ static void post_init(char *unused_name, char **unused_argv)
 
 static void pre_init(char *unused_name, char **unused_argv)
 {
+    int     use_tls;
 
     /*
      * Turn on per-peer debugging.
@@ -845,13 +851,15 @@ static void pre_init(char *unused_name, char **unused_argv)
 		 VAR_SMTP_SASL_ENABLE);
 #endif
 
+    if (*var_smtp_tls_level)
+	use_tls = tls_level_lookup(var_smtp_tls_level) > TLS_LEV_NONE;
+    else
+	use_tls = var_smtp_enforce_tls || var_smtp_use_tls;
+
     /*
      * Initialize the TLS data before entering the chroot jail
      */
-    if (name_code(smtp_tls_levels, NAME_CODE_FLAG_NONE,
-		  var_smtp_tls_level) > TLS_LEV_NONE ||
-	var_smtp_use_tls || var_smtp_enforce_tls ||
-	var_smtp_tls_per_site[0] || var_smtp_tls_policy[0]) {
+    if (use_tls || var_smtp_tls_per_site[0] || var_smtp_tls_policy[0]) {
 #ifdef USE_TLS
 	tls_client_init_props props;
 
diff --git a/postfix/src/smtp/smtp.h b/postfix/src/smtp/smtp.h
index 648737377..af397d711 100644
--- a/postfix/src/smtp/smtp.h
+++ b/postfix/src/smtp/smtp.h
@@ -330,6 +330,15 @@ extern int smtp_quit(SMTP_STATE *);
 #define CACHE_THIS_SESSION_UNTIL(when) \
 	(session->expire_time = (when))
 
+ /*
+  * Encapsulate the following so that we don't expose details of of
+  * connection management and error handling to the SMTP protocol engine.
+  */
+#define RETRY_AS_PLAINTEXT do { \
+	session->tls_retry_plain = 1; \
+	state->misc_flags &= ~SMTP_MISC_FLAG_FINAL_SERVER; \
+    } while (0)
+
  /*
   * smtp_chat.c
   */
diff --git a/postfix/src/smtp/smtp_chat.c b/postfix/src/smtp/smtp_chat.c
index e5ce59185..82ea27564 100644
--- a/postfix/src/smtp/smtp_chat.c
+++ b/postfix/src/smtp/smtp_chat.c
@@ -406,7 +406,7 @@ void    smtp_chat_notify(SMTP_SESSION *session)
 
     notice = post_mail_fopen_nowait(mail_addr_double_bounce(),
 				    var_error_rcpt,
-				    CLEANUP_FLAG_MASK_INTERNAL,
+				    INT_FILT_NOTIFY,
 				    NULL_TRACE_FLAGS, NO_QUEUE_ID);
     if (notice == 0) {
 	msg_warn("postmaster notify: %m");
diff --git a/postfix/src/smtp/smtp_connect.c b/postfix/src/smtp/smtp_connect.c
index 41880cffb..b8fbde19f 100644
--- a/postfix/src/smtp/smtp_connect.c
+++ b/postfix/src/smtp/smtp_connect.c
@@ -856,7 +856,8 @@ static void smtp_connect_remote(SMTP_STATE *state, const char *nexthop,
 
 		    /*
 		     * When an opportunistic TLS handshake fails, try the
-		     * same address again, with TLS disabled.
+		     * same address again, with TLS disabled. See also the
+		     * RETRY_AS_PLAINTEXT macro.
 		     */
 		    if ((retry_plain = session->tls_retry_plain) != 0) {
 			--addr_count;
diff --git a/postfix/src/smtp/smtp_params.c b/postfix/src/smtp/smtp_params.c
index c8e756e2f..540da3781 100644
--- a/postfix/src/smtp/smtp_params.c
+++ b/postfix/src/smtp/smtp_params.c
@@ -17,7 +17,7 @@
 	VAR_SMTP_TLS_DKEY_FILE, DEF_SMTP_TLS_DKEY_FILE, &var_smtp_tls_dkey_file, 0, 0,
 	VAR_SMTP_TLS_CA_FILE, DEF_SMTP_TLS_CA_FILE, &var_smtp_tls_CAfile, 0, 0,
 	VAR_SMTP_TLS_CA_PATH, DEF_SMTP_TLS_CA_PATH, &var_smtp_tls_CApath, 0, 0,
-	VAR_SMTP_TLS_CIPHERS, DEF_SMTP_TLS_CIPHERS, &var_smtp_tls_ciphers, 1, 0,
+	VAR_SMTP_TLS_MAND_CIPH, DEF_SMTP_TLS_MAND_CIPH, &var_smtp_tls_mand_ciph, 1, 0,
 	VAR_SMTP_TLS_EXCL_CIPH, DEF_SMTP_TLS_EXCL_CIPH, &var_smtp_tls_excl_ciph, 0, 0,
 	VAR_SMTP_TLS_MAND_EXCL, DEF_SMTP_TLS_MAND_EXCL, &var_smtp_tls_mand_excl, 0, 0,
 	VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0,
@@ -25,7 +25,7 @@
 	VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_clist, 1, 0,
 	VAR_TLS_EXPORT_CLIST, DEF_TLS_EXPORT_CLIST, &var_tls_export_clist, 1, 0,
 	VAR_TLS_NULL_CLIST, DEF_TLS_NULL_CLIST, &var_tls_null_clist, 1, 0,
-	VAR_SMTP_TLS_PROTO, DEF_SMTP_TLS_PROTO, &var_smtp_tls_protocols, 0, 0,
+	VAR_SMTP_TLS_MAND_PROTO, DEF_SMTP_TLS_MAND_PROTO, &var_smtp_tls_mand_proto, 0, 0,
 	VAR_SMTP_TLS_VFY_CMATCH, DEF_SMTP_TLS_VFY_CMATCH, &var_smtp_tls_vfy_cmatch, 1, 0,
 	VAR_SMTP_TLS_SEC_CMATCH, DEF_SMTP_TLS_SEC_CMATCH, &var_smtp_tls_sec_cmatch, 1, 0,
 #endif
@@ -99,5 +99,6 @@
 #endif
 	VAR_SMTP_SENDER_AUTH, DEF_SMTP_SENDER_AUTH, &var_smtp_sender_auth,
 	VAR_SMTP_CNAME_OVERR, DEF_SMTP_CNAME_OVERR, &var_smtp_cname_overr,
+	VAR_SMTP_SASL_ENFORCE, DEF_SMTP_SASL_ENFORCE, &var_smtp_sasl_enforce,
 	0,
     };
diff --git a/postfix/src/smtp/smtp_proto.c b/postfix/src/smtp/smtp_proto.c
index e42825164..b66d91a9f 100644
--- a/postfix/src/smtp/smtp_proto.c
+++ b/postfix/src/smtp/smtp_proto.c
@@ -600,6 +600,16 @@ int     smtp_helo(SMTP_STATE *state)
 #ifdef USE_SASL_AUTH
     if (var_smtp_sasl_enable && (session->features & SMTP_FEATURE_AUTH))
 	return (smtp_sasl_helo_login(state));
+    else if (var_smtp_sasl_enable
+	     && *var_smtp_sasl_passwd
+	     && !var_smtp_sender_auth
+	     && var_smtp_sasl_enforce
+	     && smtp_sasl_passwd_lookup(session) != 0)
+	return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
+			       SMTP_RESP_FAKE(&fake, "4.7.0"),
+			       "SASL login/password exists, but host %s "
+			       "does not announce SASL authentication support",
+			       session->namaddr));
 #endif
 
     return (0);
@@ -679,22 +689,22 @@ static int smtp_start_tls(SMTP_STATE *state)
      * 
      * - Expiration code would need to selectively delete sessions from a list -
      * Re-use code would need to decode many sessions and choose the best -
-     * Store code would needs to choose between replace and append.
+     * Store code would need to choose between replace and append.
      * 
      * Note: checking the compatibility of re-activated sessions against the
      * cipher requirements of the session under construction requires us to
      * store the cipher name in the session cache with the passivated session
-     * object, the name is not available when the session is revived until
-     * the handshake is complete, which is too late.
+     * object. But the name is not available when the session is revived
+     * until the handshake is complete, which is too late.
      * 
-     * XXX: When cached ciphers are reloaded, their cipher is not available via
+     * XXX: When a cached session is reloaded, its cipher is not available via
      * documented APIs until the handshake completes. We need to filter out
      * sessions that use the wrong ciphers, but may not peek at the
      * undocumented session->cipher_id and cipher->id structure members.
      * 
      * Since cipherlists are typically shared by many domains, we include the
      * cipherlist in the session cache lookup key. This avoids false
-     * positives results from the session cache.
+     * positives from the TLS session cache.
      * 
      * To support mutually incompatible protocol/cipher combinations, our
      * session key must include both the protocol and the cipherlist.
@@ -706,7 +716,7 @@ static int smtp_start_tls(SMTP_STATE *state)
 	&& session->tls_protocols != 0
 	&& session->tls_protocols != TLS_ALL_PROTOCOLS)
 	vstring_sprintf_append(serverid, "&p=%s",
-			       tls_protocol_names(VAR_SMTP_TLS_PROTO,
+			       tls_protocol_names(VAR_SMTP_TLS_MAND_PROTO,
 						  session->tls_protocols));
     if (session->tls_level >= TLS_LEV_ENCRYPT && session->tls_cipherlist)
 	vstring_sprintf_append(serverid, "&c=%s", session->tls_cipherlist);
@@ -738,10 +748,8 @@ static int smtp_start_tls(SMTP_STATE *state)
 	 * Specifically, this session is not final, don't defer any
 	 * recipients yet.
 	 */
-	if (session->tls_level == TLS_LEV_MAY) {
-	    session->tls_retry_plain = 1;
-	    state->misc_flags &= ~SMTP_MISC_FLAG_FINAL_SERVER;
-	}
+	if (session->tls_level == TLS_LEV_MAY)
+	    RETRY_AS_PLAINTEXT;
 	return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
 			       SMTP_RESP_FAKE(&fake, "4.7.5"),
 			       "Cannot start TLS: handshake failure"));
diff --git a/postfix/src/smtp/smtp_reuse.c b/postfix/src/smtp/smtp_reuse.c
index 8c0f75c68..361e4366e 100644
--- a/postfix/src/smtp/smtp_reuse.c
+++ b/postfix/src/smtp/smtp_reuse.c
@@ -176,12 +176,23 @@ static SMTP_SESSION *smtp_reuse_common(SMTP_STATE *state, int fd,
     }
     state->session = session;
 
-#ifdef USE_TLS
-
     /*
-     * Cached sessions are never TLS encrypted, so they must not be reused
-     * when TLS encryption is required.
+     * XXX Temporary fix.
+     * 
+     * Cached connections are always plaintext. They must never be reused when
+     * TLS encryption is required.
+     * 
+     * As long as we support the legacy smtp_tls_per_site feature, we must
+     * search the connection cache before making TLS policy decisions. This
+     * is because the policy can depend on the server name. For example, a
+     * site could have a global policy that requires encryption, with
+     * per-server exceptions that allow plaintext.
+     * 
+     * With the newer smtp_tls_policy_maps feature, the policy depends on the
+     * next-hop destination only. We can avoid unnecessary connection cache
+     * lookups, because we can compute the TLS policy much earlier.
      */
+#ifdef USE_TLS
     if (session->tls_level >= TLS_LEV_ENCRYPT) {
 	if (msg_verbose)
 	    msg_info("%s: skipping plain-text cached session to %s",
diff --git a/postfix/src/smtp/smtp_session.c b/postfix/src/smtp/smtp_session.c
index b01c99cdc..abb32789b 100644
--- a/postfix/src/smtp/smtp_session.c
+++ b/postfix/src/smtp/smtp_session.c
@@ -67,7 +67,7 @@
 /*	Zero or more of the following:
 /* .RS
 /* .IP SMTP_MISC_FLAG_CONN_CACHE
-/*	Enable session caching.
+/*	Enable SMTP or LMTP connection caching.
 /* .RE
 /* .IP dest_prop
 /*	Destination specific session properties: the server is the
@@ -126,15 +126,6 @@
 #include "smtp.h"
 #include "smtp_sasl.h"
 
-NAME_CODE smtp_tls_levels[] = {
-    "none", TLS_LEV_NONE,
-    "may", TLS_LEV_MAY,
-    "encrypt", TLS_LEV_ENCRYPT,
-    "verify", TLS_LEV_VERIFY,
-    "secure", TLS_LEV_SECURE,
-    0, TLS_LEV_NOTFOUND,
-};
-
 #ifdef USE_TLS
 
 static MAPS *tls_policy;		/* lookup table(s) */
@@ -160,9 +151,9 @@ void    smtp_tls_list_init(void)
 
 /* policy_name - printable tls policy level */
 
-static const char *policy_name(int level)
+static const char *policy_name(int tls_level)
 {
-    const char *name = str_name_code(smtp_tls_levels, level);
+    const char *name = str_tls_level(tls_level);
 
     if (name == 0)
 	name = "unknown";
@@ -208,7 +199,7 @@ static void tls_site_lookup(int *site_level, const char *site_name,
 /* tls_policy_lookup_one - look up destination TLS policy */
 
 static int tls_policy_lookup_one(SMTP_SESSION *session,
-				         int *site_level, int *cipherlev,
+				         int *site_level, int *cipher_level,
 				         const char *site_name,
 				         const char *site_class)
 {
@@ -241,7 +232,7 @@ static int tls_policy_lookup_one(SMTP_SESSION *session,
 	msg_warn("ignoring empty tls policy for %s", site_name);
 	FREE_RETURN(1);				/* No further lookups */
     }
-    *site_level = name_code(smtp_tls_levels, NAME_CODE_FLAG_NONE, tok);
+    *site_level = tls_level_lookup(tok);
     if (*site_level == TLS_LEV_NOTFOUND) {
 	msg_warn("%s: unknown security level '%s' ignored",
 		 str_context(cbuf, site_class, site_name), tok);
@@ -260,8 +251,8 @@ static int tls_policy_lookup_one(SMTP_SESSION *session,
 			 name, policy_name(*site_level));
 		continue;
 	    }
-	    *cipherlev = tls_cipher_level(val);
-	    if (*cipherlev == TLS_CIPHER_NONE) {
+	    *cipher_level = tls_cipher_level(val);
+	    if (*cipher_level == TLS_CIPHER_NONE) {
 		msg_warn("%s: invalid %s value '%s' ignored",
 			 str_context(cbuf, site_class, site_name),
 			 name, val);
@@ -310,7 +301,7 @@ static int tls_policy_lookup_one(SMTP_SESSION *session,
 /* tls_policy_lookup - look up destination TLS policy */
 
 static void tls_policy_lookup(SMTP_SESSION *session,
-			              int *site_level, int *cipherlev,
+			              int *site_level, int *cipher_level,
 			              const char *site_name,
 			              const char *site_class)
 {
@@ -323,13 +314,13 @@ static void tls_policy_lookup(SMTP_SESSION *session,
      * sub-domains of the recipient domain.
      */
     if (!valid_hostname(site_name, DONT_GRIPE)) {
-	tls_policy_lookup_one(session, site_level, cipherlev,
+	tls_policy_lookup_one(session, site_level, cipher_level,
 			      site_name, site_class);
 	return;
     }
     while (1) {
 	/* Try the given domain */
-	if (tls_policy_lookup_one(session, site_level, cipherlev,
+	if (tls_policy_lookup_one(session, site_level, cipher_level,
 				  site_name, site_class))
 	    return;
 	/* Re-try with parent domain */
@@ -340,7 +331,7 @@ static void tls_policy_lookup(SMTP_SESSION *session,
 
 /* set_cipherlist - Choose cipherlist per security level and cipher suite */
 
-static void set_cipherlist(SMTP_SESSION *session, int level, int lmtp)
+static void set_cipherlist(SMTP_SESSION *session, int cipher_level, int lmtp)
 {
     const char *cipherlist = 0;
     const char *exclude = var_smtp_tls_excl_ciph;
@@ -358,31 +349,31 @@ static void set_cipherlist(SMTP_SESSION *session, int level, int lmtp)
 	return;
 
     case TLS_LEV_MAY:
-	level = TLS_CIPHER_EXPORT;		/* Interoperate! */
+	cipher_level = TLS_CIPHER_EXPORT;	/* Interoperate! */
 	break;
 
     case TLS_LEV_ENCRYPT:
 	also_exclude = "eNULL";
-	if (level == TLS_CIPHER_NONE)
-	    level = tls_cipher_level(var_smtp_tls_ciphers);
+	if (cipher_level == TLS_CIPHER_NONE)
+	    cipher_level = tls_cipher_level(var_smtp_tls_mand_ciph);
 	mand_exclude = var_smtp_tls_mand_excl;
 	break;
 
     case TLS_LEV_VERIFY:
     case TLS_LEV_SECURE:
 	also_exclude = "aNULL";
-	if (level == TLS_CIPHER_NONE)
-	    level = tls_cipher_level(var_smtp_tls_ciphers);
+	if (cipher_level == TLS_CIPHER_NONE)
+	    cipher_level = tls_cipher_level(var_smtp_tls_mand_ciph);
 	mand_exclude = var_smtp_tls_mand_excl;
 	break;
     }
 
-    cipherlist = tls_cipher_list(level, exclude, mand_exclude, also_exclude,
-				 TLS_END_EXCLUDE);
+    cipherlist = tls_cipher_list(cipher_level, exclude, mand_exclude,
+				 also_exclude, TLS_END_EXCLUDE);
     if (cipherlist == 0) {
 	msg_warn("unknown '%s' value '%s' ignored, using 'medium'",
-		 lmtp ? VAR_LMTP_TLS_CIPHERS : VAR_SMTP_TLS_CIPHERS,
-		 var_smtp_tls_ciphers);
+		 lmtp ? VAR_LMTP_TLS_MAND_CIPH : VAR_SMTP_TLS_MAND_CIPH,
+		 var_smtp_tls_mand_ciph);
 	cipherlist = tls_cipher_list(TLS_CIPHER_MEDIUM, exclude, mand_exclude,
 				     also_exclude, TLS_END_EXCLUDE);
 	if (cipherlist == 0)
@@ -399,7 +390,7 @@ static void session_tls_init(SMTP_SESSION *session, const char *dest,
     int     global_level;
     int     site_level;
     int     lmtp = flags & SMTP_MISC_FLAG_USE_LMTP;
-    int     cipherlev = TLS_CIPHER_NONE;
+    int     cipher_level = TLS_CIPHER_NONE;
 
     /*
      * Initialize all TLS related session properties.
@@ -418,8 +409,7 @@ static void session_tls_init(SMTP_SESSION *session, const char *dest,
      * per-site policy.
      */
     if (*var_smtp_tls_level) {
-	global_level = name_code(smtp_tls_levels, NAME_CODE_FLAG_NONE,
-				 var_smtp_tls_level);
+	global_level = tls_level_lookup(var_smtp_tls_level);
 	if (global_level == TLS_LEV_NOTFOUND) {
 	    msg_fatal("%s: unknown TLS security level '%s'",
 		      lmtp ? VAR_LMTP_TLS_LEVEL : VAR_SMTP_TLS_LEVEL,
@@ -443,7 +433,7 @@ static void session_tls_init(SMTP_SESSION *session, const char *dest,
     site_level = TLS_LEV_NOTFOUND;
 
     if (tls_policy) {
-	tls_policy_lookup(session, &site_level, &cipherlev,
+	tls_policy_lookup(session, &site_level, &cipher_level,
 			  dest, "next-hop destination");
     } else if (tls_per_site) {
 	tls_site_lookup(&site_level, dest, "next-hop destination");
@@ -481,16 +471,16 @@ static void session_tls_init(SMTP_SESSION *session, const char *dest,
      */
     if (session->tls_level >= TLS_LEV_ENCRYPT
 	&& session->tls_protocols == 0
-	&& *var_smtp_tls_protocols)
+	&& *var_smtp_tls_mand_proto)
 	session->tls_protocols =
-	    tls_protocol_mask(VAR_SMTP_TLS_PROTO, var_smtp_tls_protocols);
+	    tls_protocol_mask(VAR_SMTP_TLS_MAND_PROTO, var_smtp_tls_mand_proto);
 
     /*
      * Convert cipher level (if set in per-destination table, else
      * set_cipherlist uses main.cf settings) to an OpenSSL cipherlist. The
      * "lmtp" vs. "smtp" identity is used for error reporting.
      */
-    set_cipherlist(session, cipherlev, lmtp);
+    set_cipherlist(session, cipher_level, lmtp);
 
     /*
      * Use main.cf cert_match setting if not set in per-destination table
diff --git a/postfix/src/smtpd/Makefile.in b/postfix/src/smtpd/Makefile.in
index 84d57fdb9..a6ee5150d 100644
--- a/postfix/src/smtpd/Makefile.in
+++ b/postfix/src/smtpd/Makefile.in
@@ -211,6 +211,7 @@ smtpd_chat.o: ../../include/milter.h
 smtpd_chat.o: ../../include/msg.h
 smtpd_chat.o: ../../include/myaddrinfo.h
 smtpd_chat.o: ../../include/mymalloc.h
+smtpd_chat.o: ../../include/name_code.h
 smtpd_chat.o: ../../include/name_mask.h
 smtpd_chat.o: ../../include/post_mail.h
 smtpd_chat.o: ../../include/rec_type.h
@@ -263,6 +264,7 @@ smtpd_check.o: ../../include/msg_stats.h
 smtpd_check.o: ../../include/myaddrinfo.h
 smtpd_check.o: ../../include/mymalloc.h
 smtpd_check.o: ../../include/namadr_list.h
+smtpd_check.o: ../../include/name_code.h
 smtpd_check.o: ../../include/name_mask.h
 smtpd_check.o: ../../include/own_inet_addr.h
 smtpd_check.o: ../../include/rec_type.h
@@ -284,6 +286,7 @@ smtpd_check.o: ../../include/vbuf.h
 smtpd_check.o: ../../include/verify_clnt.h
 smtpd_check.o: ../../include/vstream.h
 smtpd_check.o: ../../include/vstring.h
+smtpd_check.o: ../../include/xtext.h
 smtpd_check.o: smtpd.h
 smtpd_check.o: smtpd_check.c
 smtpd_check.o: smtpd_check.h
@@ -298,6 +301,7 @@ smtpd_milter.o: ../../include/mail_params.h
 smtpd_milter.o: ../../include/mail_stream.h
 smtpd_milter.o: ../../include/milter.h
 smtpd_milter.o: ../../include/myaddrinfo.h
+smtpd_milter.o: ../../include/name_code.h
 smtpd_milter.o: ../../include/name_mask.h
 smtpd_milter.o: ../../include/sys_defs.h
 smtpd_milter.o: ../../include/tls.h
@@ -318,6 +322,7 @@ smtpd_peer.o: ../../include/milter.h
 smtpd_peer.o: ../../include/msg.h
 smtpd_peer.o: ../../include/myaddrinfo.h
 smtpd_peer.o: ../../include/mymalloc.h
+smtpd_peer.o: ../../include/name_code.h
 smtpd_peer.o: ../../include/name_mask.h
 smtpd_peer.o: ../../include/sock_addr.h
 smtpd_peer.o: ../../include/stringops.h
@@ -363,6 +368,7 @@ smtpd_sasl_glue.o: ../../include/milter.h
 smtpd_sasl_glue.o: ../../include/msg.h
 smtpd_sasl_glue.o: ../../include/myaddrinfo.h
 smtpd_sasl_glue.o: ../../include/mymalloc.h
+smtpd_sasl_glue.o: ../../include/name_code.h
 smtpd_sasl_glue.o: ../../include/name_mask.h
 smtpd_sasl_glue.o: ../../include/stringops.h
 smtpd_sasl_glue.o: ../../include/sys_defs.h
@@ -387,6 +393,7 @@ smtpd_sasl_proto.o: ../../include/milter.h
 smtpd_sasl_proto.o: ../../include/msg.h
 smtpd_sasl_proto.o: ../../include/myaddrinfo.h
 smtpd_sasl_proto.o: ../../include/mymalloc.h
+smtpd_sasl_proto.o: ../../include/name_code.h
 smtpd_sasl_proto.o: ../../include/name_mask.h
 smtpd_sasl_proto.o: ../../include/stringops.h
 smtpd_sasl_proto.o: ../../include/sys_defs.h
@@ -413,6 +420,7 @@ smtpd_state.o: ../../include/milter.h
 smtpd_state.o: ../../include/msg.h
 smtpd_state.o: ../../include/myaddrinfo.h
 smtpd_state.o: ../../include/mymalloc.h
+smtpd_state.o: ../../include/name_code.h
 smtpd_state.o: ../../include/name_mask.h
 smtpd_state.o: ../../include/sys_defs.h
 smtpd_state.o: ../../include/tls.h
@@ -439,6 +447,7 @@ smtpd_xforward.o: ../../include/milter.h
 smtpd_xforward.o: ../../include/msg.h
 smtpd_xforward.o: ../../include/myaddrinfo.h
 smtpd_xforward.o: ../../include/mymalloc.h
+smtpd_xforward.o: ../../include/name_code.h
 smtpd_xforward.o: ../../include/name_mask.h
 smtpd_xforward.o: ../../include/sys_defs.h
 smtpd_xforward.o: ../../include/tls.h
diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c
index 1e47ae720..8425f1d3b 100644
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@@ -262,12 +262,10 @@
 /* .fi
 /*	Detailed information about STARTTLS configuration may be
 /*	found in the TLS_README document.
-/* .IP "\fBsmtpd_use_tls (no)\fR"
-/*	Opportunistic mode: announce STARTTLS support to SMTP clients,
-/*	but do not require that clients use TLS encryption.
-/* .IP "\fBsmtpd_enforce_tls (no)\fR"
-/*	Enforcement mode: announce STARTTLS support to SMTP clients,
-/*	and require that clients use TLS encryption.
+/* .IP "\fBsmtpd_tls_security_level (empty)\fR"
+/*	The SMTP TLS security level for the Postfix SMTP server; when
+/*	a non-empty value is specified, this overrides the obsolete parameters
+/*	smtpd_use_tls and smtpd_enforce_tls.
 /* .IP "\fBsmtpd_sasl_tls_security_options ($smtpd_sasl_security_options)\fR"
 /*	The SASL authentication security options that the Postfix SMTP
 /*	server uses for TLS encrypted SMTP sessions.
@@ -290,11 +288,9 @@
 /*	The verification depth for remote SMTP client certificates.
 /* .IP "\fBsmtpd_tls_cert_file (empty)\fR"
 /*	File with the Postfix SMTP server RSA certificate in PEM format.
-/* .IP "\fBsmtpd_tls_ciphers (export)\fR"
-/*	The minimum acceptable SMTP server TLS cipher grade.
 /* .IP "\fBsmtpd_tls_exclude_ciphers (empty)\fR"
 /*	List of ciphers or cipher types to exclude from the SMTP server
-/*	cipher list.
+/*	cipher list at all TLS security levels.
 /* .IP "\fBsmtpd_tls_dcert_file (empty)\fR"
 /*	File with the Postfix SMTP server DSA certificate in PEM format.
 /* .IP "\fBsmtpd_tls_dh1024_param_file (empty)\fR"
@@ -309,15 +305,23 @@
 /*	File with the Postfix SMTP server RSA private key in PEM format.
 /* .IP "\fBsmtpd_tls_loglevel (0)\fR"
 /*	Enable additional Postfix SMTP server logging of TLS activity.
-/* .IP "\fBsmtpd_tls_protocols (empty)\fR"
-/*	The list of TLS protocols supported by the server.
+/* .IP "\fBsmtpd_tls_mandatory_ciphers (medium)\fR"
+/*	The minimum TLS cipher grade that the Postfix SMTP server will
+/*	use with mandatory
+/*	TLS encryption.
+/* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
+/*	Additional list of ciphers or cipher types to exclude from the
+/*	SMTP server cipher list at mandatory TLS security levels.
+/* .IP "\fBsmtpd_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
+/*	The TLS protocols accepted by the Postfix SMTP server with
+/*	mandatory TLS encryption.
 /* .IP "\fBsmtpd_tls_received_header (no)\fR"
 /*	Request that the Postfix SMTP server produces Received:  message
 /*	headers that include information about the protocol and cipher used,
 /*	as well as the client CommonName and client certificate issuer
 /*	CommonName.
 /* .IP "\fBsmtpd_tls_req_ccert (no)\fR"
-/*	When TLS encryption is enforced, require a remote SMTP client
+/*	With mandatory TLS encryption, require a remote SMTP client
 /*	certificate in order to allow TLS connections to proceed.
 /* .IP "\fBsmtpd_tls_session_cache_database (empty)\fR"
 /*	Name of the file containing the optional Postfix SMTP server
@@ -343,6 +347,21 @@
 /* .IP "\fBtls_null_cipherlist (!aNULL:eNULL+kRSA)\fR"
 /*	The OpenSSL cipherlist for "NULL" grade ciphers that provide
 /*	authentication without encryption.
+/* OBSOLETE STARTTLS CONTROLS
+/* .ad
+/* .fi
+/*	The following configuration parameters exist for compatibility
+/*	with Postfix versions before 2.3. Support for these will
+/*	be removed in a future release.
+/* .IP "\fBsmtpd_use_tls (no)\fR"
+/*	Opportunistic TLS: announce STARTTLS support to SMTP clients,
+/*	but do not require that clients use TLS encryption.
+/* .IP "\fBsmtpd_enforce_tls (no)\fR"
+/*	Mandatory TLS: announce STARTTLS support to SMTP clients,
+/*	and require that clients use TLS encryption.
+/* .IP "\fBsmtpd_tls_cipherlist (empty)\fR"
+/*	Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS
+/*	cipher list.
 /* VERP SUPPORT CONTROLS
 /* .ad
 /* .fi
@@ -385,6 +404,10 @@
 /*	The recipient of postmaster notifications about mail delivery
 /*	problems that are caused by policy, resource, software or protocol
 /*	errors.
+/* .IP "\fBinternal_mail_filter_classes (empty)\fR"
+/*	What categories of Postfix-generated mail are subject to
+/*	before-queue content inspection by non_smtpd_milters, header_checks
+/*	and body_checks.
 /* .IP "\fBnotify_classes (resource, software)\fR"
 /*	The list of error classes that are reported to the postmaster.
 /* .IP "\fBsoft_bounce (no)\fR"
@@ -497,7 +520,7 @@
 /* .PP
 /*	Available in Postfix version 2.3 and later:
 /* .IP "\fBsmtpd_peername_lookup (yes)\fR"
-/*	Attempt to look up the SMTP client hostname, and verify that
+/*	Attempt to look up the Postfix SMTP client hostname, and verify that
 /*	the name matches the client IP address.
 /* .PP
 /*	The per SMTP client connection count and request rate limits are
@@ -1019,6 +1042,7 @@ char   *var_local_rwr_clients;
 char   *var_smtpd_ehlo_dis_words;
 char   *var_smtpd_ehlo_dis_maps;
 
+char   *var_smtpd_tls_level;
 bool    var_smtpd_use_tls;
 bool    var_smtpd_enforce_tls;
 bool    var_smtpd_tls_wrappermode;
@@ -1033,15 +1057,16 @@ bool    var_smtpd_tls_ask_ccert;
 bool    var_smtpd_tls_auth_only;
 int     var_smtpd_tls_ccert_vd;
 char   *var_smtpd_tls_cert_file;
-char   *var_smtpd_tls_ciphers;
+char   *var_smtpd_tls_mand_ciph;
 char   *var_smtpd_tls_excl_ciph;
+char   *var_smtpd_tls_mand_excl;
 char   *var_smtpd_tls_dcert_file;
 char   *var_smtpd_tls_dh1024_param_file;
 char   *var_smtpd_tls_dh512_param_file;
 char   *var_smtpd_tls_dkey_file;
 char   *var_smtpd_tls_key_file;
 int     var_smtpd_tls_loglevel;
-char   *var_smtpd_tls_protocols;
+char   *var_smtpd_tls_mand_proto;
 bool    var_smtpd_tls_received_header;
 bool    var_smtpd_tls_req_ccert;
 int     var_smtpd_tls_scache_timeout;
@@ -4109,8 +4134,8 @@ static void pre_accept(char *unused_name, char **unused_argv)
 
 static void pre_jail_init(char *unused_name, char **unused_argv)
 {
-    int     enforce_tls = var_smtpd_tls_wrappermode || var_smtpd_enforce_tls;
-    int     use_tls = var_smtpd_use_tls || enforce_tls;
+    int     enforce_tls;
+    int     use_tls;
 
     /*
      * Initialize blacklist/etc. patterns before entering the chroot jail, in
@@ -4139,10 +4164,42 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
 		 VAR_SMTPD_SASL_ENABLE);
 #endif
 
+    /*
+     * XXX Temporary fix to pretend that we consistently implement TLS
+     * security levels. We implement only a subset for now. If we implement
+     * more levels, wrappermode should override only weaker TLS security
+     * levels.
+     */
+    if (!var_smtpd_tls_wrappermode && *var_smtpd_tls_level) {
+	switch (tls_level_lookup(var_smtpd_tls_level)) {
+	default:
+	    msg_warn("%s: ignoring unknown TLS level \"%s\"",
+		     VAR_SMTPD_TLS_LEVEL, var_smtpd_tls_level);
+	    break;
+	case TLS_LEV_SECURE:
+	case TLS_LEV_VERIFY:
+	    msg_warn("%s: unsupported TLS level \"%s\", using \"encrypt\"",
+		     VAR_SMTPD_TLS_LEVEL, var_smtpd_tls_level);
+	    /* FALLTHROUGH */
+	case TLS_LEV_ENCRYPT:
+	    var_smtpd_enforce_tls = var_smtpd_use_tls = 1;
+	    break;
+	case TLS_LEV_MAY:
+	    var_smtpd_enforce_tls = 0;
+	    var_smtpd_use_tls = 1;
+	    break;
+	case TLS_LEV_NONE:
+	    var_smtpd_enforce_tls = var_smtpd_use_tls = 0;
+	    break;
+	}
+    }
+    enforce_tls = var_smtpd_tls_wrappermode || var_smtpd_enforce_tls;
+    use_tls = var_smtpd_use_tls || enforce_tls;
+
     /*
      * Keys can only be loaded when running with suitable permissions. When
-     * called from "sendmail -bs" this is not the case, but STARTTLS is not
-     * used in this scenario anyhow.
+     * called from "sendmail -bs" this is not the case, so we must not
+     * announce STARTTLS support.
      */
     if (getuid() == 0 || getuid() == var_owner_uid) {
 	if (use_tls) {
@@ -4169,9 +4226,9 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
 	    props.CApath = var_smtpd_tls_CApath;
 	    props.dh1024_param_file = var_smtpd_tls_dh1024_param_file;
 	    props.dh512_param_file = var_smtpd_tls_dh512_param_file;
-	    props.protocols = *var_smtpd_tls_protocols ?
-		tls_protocol_mask(VAR_SMTPD_TLS_PROTO,
-				  var_smtpd_tls_protocols) : 0;
+	    props.protocols = enforce_tls && *var_smtpd_tls_mand_proto ?
+		tls_protocol_mask(VAR_SMTPD_TLS_MAND_PROTO,
+				  var_smtpd_tls_mand_proto) : 0;
 	    props.ask_ccert = var_smtpd_tls_ask_ccert;
 
 	    /*
@@ -4193,19 +4250,26 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
 		msg_warn("Can't require client certs unless TLS is required");
 
 	    props.cipherlist =
-		tls_cipher_list(tls_cipher_level(var_smtpd_tls_ciphers),
+	    	tls_cipher_list(enforce_tls ?
+				    tls_cipher_level(var_smtpd_tls_mand_ciph) :
+				    TLS_CIPHER_EXPORT,
 				var_smtpd_tls_excl_ciph,
 				havecert ? "" : "aRSA aDSS",
 				wantcert ? "aNULL" : "",
+				enforce_tls ?  var_smtpd_tls_mand_excl :
+				    TLS_END_EXCLUDE,
 				TLS_END_EXCLUDE);
+
 	    if (props.cipherlist == 0) {
 		msg_warn("unknown '%s' value '%s' ignored, using 'export'",
-			 VAR_SMTPD_TLS_CIPHERS, var_smtpd_tls_ciphers);
+			 VAR_SMTPD_TLS_MAND_CIPH, var_smtpd_tls_mand_ciph);
 		props.cipherlist =
 		    tls_cipher_list(TLS_CIPHER_EXPORT,
 				    var_smtpd_tls_excl_ciph,
 				    havecert ? "" : "aRSA aDSS",
 				    wantcert ? "aNULL" : "",
+				    enforce_tls ?  var_smtpd_tls_mand_excl :
+					TLS_END_EXCLUDE,
 				    TLS_END_EXCLUDE);
 	    }
 	    if (havecert || oknocert)
@@ -4431,17 +4495,19 @@ int     main(int argc, char **argv)
 	VAR_SMTPD_TLS_DKEY_FILE, DEF_SMTPD_TLS_DKEY_FILE, &var_smtpd_tls_dkey_file, 0, 0,
 	VAR_SMTPD_TLS_CA_FILE, DEF_SMTPD_TLS_CA_FILE, &var_smtpd_tls_CAfile, 0, 0,
 	VAR_SMTPD_TLS_CA_PATH, DEF_SMTPD_TLS_CA_PATH, &var_smtpd_tls_CApath, 0, 0,
-	VAR_SMTPD_TLS_CIPHERS, DEF_SMTPD_TLS_CIPHERS, &var_smtpd_tls_ciphers, 1, 0,
+	VAR_SMTPD_TLS_MAND_CIPH, DEF_SMTPD_TLS_MAND_CIPH, &var_smtpd_tls_mand_ciph, 1, 0,
 	VAR_SMTPD_TLS_EXCL_CIPH, DEF_SMTPD_TLS_EXCL_CIPH, &var_smtpd_tls_excl_ciph, 0, 0,
+	VAR_SMTPD_TLS_MAND_EXCL, DEF_SMTPD_TLS_MAND_EXCL, &var_smtpd_tls_mand_excl, 0, 0,
 	VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0,
 	VAR_TLS_MEDIUM_CLIST, DEF_TLS_MEDIUM_CLIST, &var_tls_medium_clist, 1, 0,
 	VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_clist, 1, 0,
 	VAR_TLS_EXPORT_CLIST, DEF_TLS_EXPORT_CLIST, &var_tls_export_clist, 1, 0,
 	VAR_TLS_NULL_CLIST, DEF_TLS_NULL_CLIST, &var_tls_null_clist, 1, 0,
-	VAR_SMTPD_TLS_PROTO, DEF_SMTPD_TLS_PROTO, &var_smtpd_tls_protocols, 0, 0,
+	VAR_SMTPD_TLS_MAND_PROTO, DEF_SMTPD_TLS_MAND_PROTO, &var_smtpd_tls_mand_proto, 0, 0,
 	VAR_SMTPD_TLS_512_FILE, DEF_SMTPD_TLS_512_FILE, &var_smtpd_tls_dh512_param_file, 0, 0,
 	VAR_SMTPD_TLS_1024_FILE, DEF_SMTPD_TLS_1024_FILE, &var_smtpd_tls_dh1024_param_file, 0, 0,
 #endif
+	VAR_SMTPD_TLS_LEVEL, DEF_SMTPD_TLS_LEVEL, &var_smtpd_tls_level, 0, 0,
 	VAR_SMTPD_SASL_TYPE, DEF_SMTPD_SASL_TYPE, &var_smtpd_sasl_type, 1, 0,
 	VAR_SMTPD_MILTERS, DEF_SMTPD_MILTERS, &var_smtpd_milters, 0, 0,
 	VAR_MILT_CONN_MACROS, DEF_MILT_CONN_MACROS, &var_milt_conn_macros, 0, 0,
diff --git a/postfix/src/smtpd/smtpd.h b/postfix/src/smtpd/smtpd.h
index 262f73819..6f3f324d2 100644
--- a/postfix/src/smtpd/smtpd.h
+++ b/postfix/src/smtpd/smtpd.h
@@ -30,9 +30,7 @@
  /*
   * Postfix TLS library.
   */
-#ifdef USE_TLS
 #include <tls.h>
-#endif
 
  /*
   * Milter library.
diff --git a/postfix/src/smtpd/smtpd_chat.c b/postfix/src/smtpd/smtpd_chat.c
index 6239d50b1..d37efd99c 100644
--- a/postfix/src/smtpd/smtpd_chat.c
+++ b/postfix/src/smtpd/smtpd_chat.c
@@ -227,7 +227,7 @@ void    smtpd_chat_notify(SMTPD_STATE *state)
 
     notice = post_mail_fopen_nowait(mail_addr_double_bounce(),
 				    var_error_rcpt,
-				    CLEANUP_FLAG_MASK_INTERNAL,
+				    INT_FILT_NOTIFY,
 				    NULL_TRACE_FLAGS, NO_QUEUE_ID);
     if (notice == 0) {
 	msg_warn("postmaster notify: %m");
diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c
index a07c3a847..865930d24 100644
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@@ -236,6 +236,7 @@
 #include <valid_mailhost_addr.h>
 #include <dsn_util.h>
 #include <conv_time.h>
+#include <xtext.h>
 
 /* Application-specific. */
 
@@ -3251,6 +3252,15 @@ static int check_policy_service(SMTPD_STATE *state, const char *server,
     static VSTRING *action = 0;
     ATTR_CLNT *policy_clnt;
 
+#ifdef USE_TLS
+    VSTRING *subject_buf;
+    VSTRING *issuer_buf;
+    const char *subject;
+    const char *issuer;
+
+#endif
+    int     ret;
+
     /*
      * Sanity check.
      */
@@ -3265,6 +3275,23 @@ static int check_policy_service(SMTPD_STATE *state, const char *server,
     if (action == 0)
 	action = vstring_alloc(10);
 
+#ifdef USE_TLS
+#define ENCODE_CN(coded_CN, coded_CN_buf, CN) do { \
+	if (state->tls_context == 0 \
+	    || state->tls_context->peer_verified == 0 || (CN) == 0) { \
+	    coded_CN_buf = 0; \
+	    coded_CN = ""; \
+	} else { \
+	    coded_CN_buf = vstring_alloc(strlen(CN)); \
+	    xtext_quote(coded_CN_buf, CN, ""); \
+	    coded_CN = STR(coded_CN_buf); \
+	} \
+    } while (0);
+
+    ENCODE_CN(subject, subject_buf, state->tls_context->peer_CN);
+    ENCODE_CN(issuer, issuer_buf, state->tls_context->issuer_CN);
+#endif
+
     if (attr_clnt_request(policy_clnt,
 			  ATTR_FLAG_NONE,	/* Query attributes. */
 			ATTR_TYPE_STR, MAIL_ATTR_REQ, "smtpd_access_policy",
@@ -3308,10 +3335,8 @@ static int check_policy_service(SMTPD_STATE *state, const char *server,
 #define IF_VERIFIED(x) \
     ((state->tls_context && \
       state->tls_context->peer_verified && ((x) != 0)) ? (x) : "")
-			  ATTR_TYPE_STR, MAIL_ATTR_CCERT_SUBJECT,
-			  IF_VERIFIED(state->tls_context->peer_CN),
-			  ATTR_TYPE_STR, MAIL_ATTR_CCERT_ISSSUER,
-			  IF_VERIFIED(state->tls_context->issuer_CN),
+			  ATTR_TYPE_STR, MAIL_ATTR_CCERT_SUBJECT, subject,
+			  ATTR_TYPE_STR, MAIL_ATTR_CCERT_ISSUER, issuer,
 			  ATTR_TYPE_STR, MAIL_ATTR_CCERT_FINGERPRINT,
 			  IF_VERIFIED(state->tls_context->peer_fingerprint),
 #define IF_ENCRYPTED(x, y) ((state->tls_context && ((x) != 0)) ? (x) : (y))
@@ -3326,19 +3351,26 @@ static int check_policy_service(SMTPD_STATE *state, const char *server,
 			  ATTR_FLAG_MISSING,	/* Reply attributes. */
 			  ATTR_TYPE_STR, MAIL_ATTR_ACTION, action,
 			  ATTR_TYPE_END) != 1) {
-	return (smtpd_check_reject(state, MAIL_ERROR_POLICY,
-				   451, "4.3.5",
-				   "Server configuration problem"));
+	ret = smtpd_check_reject(state, MAIL_ERROR_POLICY,
+				 451, "4.3.5",
+				 "Server configuration problem");
     } else {
 
 	/*
 	 * XXX This produces bogus error messages when the reply is
 	 * malformed.
 	 */
-	return (check_table_result(state, server, STR(action),
-				   "policy query", reply_name,
-				   reply_class, def_acl));
+	ret = check_table_result(state, server, STR(action),
+				 "policy query", reply_name,
+				 reply_class, def_acl);
     }
+#ifdef USE_TLS
+    if (subject_buf)
+	vstring_free(subject_buf);
+    if (issuer_buf)
+	vstring_free(issuer_buf);
+#endif
+    return (ret);
 }
 
 /* is_map_command - restriction has form: check_xxx_access type:name */
@@ -3484,7 +3516,6 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
 			     450, "4.7.0",
 			     "<%s>: %s rejected: defer_if_reject requested",
 			     reply_name, reply_class);
-#ifdef SNAPSHOT
 	} else if (strcasecmp(name, SLEEP) == 0) {
 	    if (cpp[1] == 0 || alldig(cpp[1]) == 0) {
 		msg_warn("restriction %s must be followed by number", SLEEP);
@@ -3494,7 +3525,6 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
 					   "Server configuration error"));
 	    } else
 		sleep(atoi(*++cpp));
-#endif
 	} else if (strcasecmp(name, REJECT_PLAINTEXT_SESSION) == 0) {
 	    status = reject_plaintext_session(state);
 	}
diff --git a/postfix/src/smtpd/smtpd_peer.c b/postfix/src/smtpd/smtpd_peer.c
index 269d0565b..8dacecffb 100644
--- a/postfix/src/smtpd/smtpd_peer.c
+++ b/postfix/src/smtpd/smtpd_peer.c
@@ -138,6 +138,15 @@ void    smtpd_peer_init(SMTPD_STATE *state)
 
     /*
      * Look up the peer address information.
+     * 
+     * XXX If we make local endpoint (getsockname) information available to
+     * Milter applications as {if_name} and {if_addr}, then we also must be
+     * able to provide this via the XCLIENT command for Milter testing.
+     * 
+     * XXX If support were to be added for Milter applications in down-stream
+     * MTAs, then consistency demands that we propagate a lot of Sendmail
+     * macro information via the XFORWARD command. Otherwise we could end up
+     * with a very confusing situation.
      */
     if (getpeername(vstream_fileno(state->client), sa, &sa_length) >= 0) {
 	errno = 0;
diff --git a/postfix/src/tls/Makefile.in b/postfix/src/tls/Makefile.in
index 0a1695f60..8b8d254bf 100644
--- a/postfix/src/tls/Makefile.in
+++ b/postfix/src/tls/Makefile.in
@@ -2,11 +2,13 @@ SHELL	= /bin/sh
 SRCS	= tls_prng_dev.c tls_prng_egd.c tls_prng_file.c \
 	tls_prng_exch.c tls_stream.c tls_bio_ops.c tls_misc.c tls_dh.c \
 	tls_rsa.c tls_verify.c tls_certkey.c tls_session.c \
-	tls_client.c tls_server.c tls_scache.c tls_mgr.c tls_seed.c
+	tls_client.c tls_server.c tls_scache.c tls_mgr.c tls_seed.c \
+	tls_level.c
 OBJS	= tls_prng_dev.o tls_prng_egd.o tls_prng_file.o \
 	tls_prng_exch.o tls_stream.o tls_bio_ops.o tls_misc.o tls_dh.o \
 	tls_rsa.o tls_verify.o tls_certkey.o tls_session.o \
-	tls_client.o tls_server.o tls_scache.o tls_mgr.o tls_seed.o
+	tls_client.o tls_server.o tls_scache.o tls_mgr.o tls_seed.o \
+	tls_level.o
 HDRS	= tls.h tls_prng.h tls_scache.h tls_mgr.h
 TESTSRC	= 
 DEFS	= -I. -I$(INC_DIR) -D$(SYSTYPE)
@@ -89,6 +91,7 @@ depend: $(MAKES)
 # do not edit below this line - it is generated by 'make depend'
 tls_bio_ops.o: ../../include/iostuff.h
 tls_bio_ops.o: ../../include/msg.h
+tls_bio_ops.o: ../../include/name_code.h
 tls_bio_ops.o: ../../include/name_mask.h
 tls_bio_ops.o: ../../include/sys_defs.h
 tls_bio_ops.o: ../../include/vbuf.h
@@ -97,6 +100,7 @@ tls_bio_ops.o: ../../include/vstring.h
 tls_bio_ops.o: tls.h
 tls_bio_ops.o: tls_bio_ops.c
 tls_certkey.o: ../../include/msg.h
+tls_certkey.o: ../../include/name_code.h
 tls_certkey.o: ../../include/name_mask.h
 tls_certkey.o: ../../include/sys_defs.h
 tls_certkey.o: ../../include/vbuf.h
@@ -108,6 +112,7 @@ tls_client.o: ../../include/argv.h
 tls_client.o: ../../include/mail_params.h
 tls_client.o: ../../include/msg.h
 tls_client.o: ../../include/mymalloc.h
+tls_client.o: ../../include/name_code.h
 tls_client.o: ../../include/name_mask.h
 tls_client.o: ../../include/stringops.h
 tls_client.o: ../../include/sys_defs.h
@@ -118,6 +123,7 @@ tls_client.o: tls.h
 tls_client.o: tls_client.c
 tls_client.o: tls_mgr.h
 tls_dh.o: ../../include/msg.h
+tls_dh.o: ../../include/name_code.h
 tls_dh.o: ../../include/name_mask.h
 tls_dh.o: ../../include/sys_defs.h
 tls_dh.o: ../../include/vbuf.h
@@ -125,6 +131,14 @@ tls_dh.o: ../../include/vstream.h
 tls_dh.o: ../../include/vstring.h
 tls_dh.o: tls.h
 tls_dh.o: tls_dh.c
+tls_level.o: ../../include/name_code.h
+tls_level.o: ../../include/name_mask.h
+tls_level.o: ../../include/sys_defs.h
+tls_level.o: ../../include/vbuf.h
+tls_level.o: ../../include/vstream.h
+tls_level.o: ../../include/vstring.h
+tls_level.o: tls.h
+tls_level.o: tls_level.c
 tls_mgr.o: ../../include/attr.h
 tls_mgr.o: ../../include/attr_clnt.h
 tls_mgr.o: ../../include/iostuff.h
@@ -139,6 +153,7 @@ tls_mgr.o: tls_mgr.c
 tls_mgr.o: tls_mgr.h
 tls_misc.o: ../../include/msg.h
 tls_misc.o: ../../include/mymalloc.h
+tls_misc.o: ../../include/name_code.h
 tls_misc.o: ../../include/name_mask.h
 tls_misc.o: ../../include/stringops.h
 tls_misc.o: ../../include/sys_defs.h
@@ -175,6 +190,7 @@ tls_prng_file.o: ../../include/mymalloc.h
 tls_prng_file.o: ../../include/sys_defs.h
 tls_prng_file.o: tls_prng.h
 tls_prng_file.o: tls_prng_file.c
+tls_rsa.o: ../../include/name_code.h
 tls_rsa.o: ../../include/name_mask.h
 tls_rsa.o: ../../include/sys_defs.h
 tls_rsa.o: ../../include/vbuf.h
@@ -196,6 +212,7 @@ tls_scache.o: ../../include/vstring.h
 tls_scache.o: tls_scache.c
 tls_scache.o: tls_scache.h
 tls_seed.o: ../../include/msg.h
+tls_seed.o: ../../include/name_code.h
 tls_seed.o: ../../include/name_mask.h
 tls_seed.o: ../../include/sys_defs.h
 tls_seed.o: ../../include/vbuf.h
@@ -210,6 +227,7 @@ tls_server.o: ../../include/hex_code.h
 tls_server.o: ../../include/mail_params.h
 tls_server.o: ../../include/msg.h
 tls_server.o: ../../include/mymalloc.h
+tls_server.o: ../../include/name_code.h
 tls_server.o: ../../include/name_mask.h
 tls_server.o: ../../include/stringops.h
 tls_server.o: ../../include/sys_defs.h
@@ -221,6 +239,7 @@ tls_server.o: tls_mgr.h
 tls_server.o: tls_server.c
 tls_session.o: ../../include/msg.h
 tls_session.o: ../../include/mymalloc.h
+tls_session.o: ../../include/name_code.h
 tls_session.o: ../../include/name_mask.h
 tls_session.o: ../../include/sys_defs.h
 tls_session.o: ../../include/vbuf.h
@@ -230,6 +249,7 @@ tls_session.o: tls.h
 tls_session.o: tls_session.c
 tls_stream.o: ../../include/iostuff.h
 tls_stream.o: ../../include/msg.h
+tls_stream.o: ../../include/name_code.h
 tls_stream.o: ../../include/name_mask.h
 tls_stream.o: ../../include/sys_defs.h
 tls_stream.o: ../../include/vbuf.h
@@ -239,6 +259,7 @@ tls_stream.o: tls.h
 tls_stream.o: tls_stream.c
 tls_verify.o: ../../include/msg.h
 tls_verify.o: ../../include/mymalloc.h
+tls_verify.o: ../../include/name_code.h
 tls_verify.o: ../../include/name_mask.h
 tls_verify.o: ../../include/sys_defs.h
 tls_verify.o: ../../include/vbuf.h
diff --git a/postfix/src/tls/tls.h b/postfix/src/tls/tls.h
index d69e3479b..8bee86f5d 100644
--- a/postfix/src/tls/tls.h
+++ b/postfix/src/tls/tls.h
@@ -11,6 +11,11 @@
 /* DESCRIPTION
 /* .nf
 
+ /*
+  * Utility library.
+  */
+#include <name_code.h>
+
  /*
   * TLS enforcement levels. Non-sentinel values also be used to indicate
   * the actual security level of a session.
@@ -22,6 +27,11 @@
 #define TLS_LEV_VERIFY		3	/* certificate verified */
 #define TLS_LEV_SECURE		4	/* "secure" verification */
 
+extern NAME_CODE tls_level_table[];
+
+#define tls_level_lookup(s) name_code(tls_level_table, NAME_CODE_FLAG_NONE, (s))
+#define str_tls_level(l) str_name_code(tls_level_table, (l))
+
 #ifdef USE_TLS
 
  /*
@@ -119,7 +129,7 @@ extern NAME_CODE tls_cipher_level_table[];
     name_code(tls_cipher_level_table, NAME_CODE_FLAG_NONE, (str))
 
 #define TLS_END_EXCLUDE ((char *)0)
-extern char *tls_cipher_list(int,...);
+extern const char *tls_cipher_list(int,...);
 
  /*
   * tls_client.c
diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c
index 4b9f9942e..e5c19c76b 100644
--- a/postfix/src/tls/tls_client.c
+++ b/postfix/src/tls/tls_client.c
@@ -6,11 +6,11 @@
 /* SYNOPSIS
 /*	#include <tls.h>
 /*
-/*	SSL_CTX	*tls_client_init(props)
-/*	const tls_client_init_props *props;
+/*	SSL_CTX	*tls_client_init(init_props)
+/*	const tls_client_init_props *init_props;
 /*
-/*	TLScontext_t *tls_client_start(props)
-/*	const tls_client_start_props *props;
+/*	TLScontext_t *tls_client_start(start_props)
+/*	const tls_client_start_props *start_props;
 /*
 /*	void	tls_client_stop(client_ctx, stream, failure, TLScontext)
 /*	SSL_CTX	*client_ctx;
@@ -151,6 +151,7 @@
 
 static SSL_SESSION *load_clnt_session(TLScontext_t *TLScontext)
 {
+    const char *myname = "load_clnt_session";
     SSL_SESSION *session = 0;
     VSTRING *session_data = vstring_alloc(2048);
 
@@ -167,7 +168,8 @@ static SSL_SESSION *load_clnt_session(TLScontext_t *TLScontext)
      * server SSL context.
      */
     if (TLScontext->cache_type == 0)
-	msg_panic("null client session cache type in session lookup");
+	msg_panic("%s: null client session cache type in session lookup",
+		  myname);
 
     /*
      * Look up and activate the SSL_SESSION object. Errors are non-fatal,
@@ -195,6 +197,7 @@ static SSL_SESSION *load_clnt_session(TLScontext_t *TLScontext)
 
 static int new_client_session_cb(SSL *ssl, SSL_SESSION *session)
 {
+    const char *myname = "new_client_session_cb";
     TLScontext_t *TLScontext;
     VSTRING *session_data;
 
@@ -204,7 +207,7 @@ static int new_client_session_cb(SSL *ssl, SSL_SESSION *session)
      * null at this point.
      */
     if ((TLScontext = SSL_get_ex_data(ssl, TLScontext_index)) == 0)
-	msg_panic("null TLScontext in new session callback");
+	msg_panic("%s: null TLScontext in new session callback", myname);
 
     /*
      * We only get here if the cache_type is not empty. This callback is not
@@ -212,7 +215,8 @@ static int new_client_session_cb(SSL *ssl, SSL_SESSION *session)
      * server SSL context.
      */
     if (TLScontext->cache_type == 0)
-	msg_panic("null session cache type in new session callback");
+	msg_panic("%s: null session cache type in new session callback",
+		  myname);
 
     if (TLScontext->log_level >= 2)
 	msg_info("save session %s to %s cache",
@@ -465,6 +469,9 @@ static int match_hostname(const char *peerid, ARGV *cmatch_argv,
     int     idlen;
     int     patlen;
 
+    /*
+     * Match the peerid against each pattern until we find a match.
+     */
     for (i = 0; i < cmatch_argv->argc; ++i) {
 	sub = 0;
 	if (!strcasecmp(cmatch_argv->argv[i], "nexthop"))
@@ -483,19 +490,21 @@ static int match_hostname(const char *peerid, ARGV *cmatch_argv,
 	}
 
 	/*
-	 * Sub-domain match, peerid is any sub-domain of pattern.
+	 * Sub-domain match: peerid is any sub-domain of pattern.
 	 */
-	if (sub)
+	if (sub) {
 	    if ((idlen = strlen(peerid)) > (patlen = strlen(pattern)) + 1
 		&& peerid[idlen - patlen - 1] == '.'
 		&& !strcasecmp(peerid + (idlen - patlen), pattern))
 		return (1);
 	    else
 		continue;
+	}
 
 	/*
-	 * NOT sub-domain match, but "*.domain.tld" in peerid matches any
-	 * host.domain.tld in the pattern.
+	 * Exact match and initial "*" match. The initial "*" in a peerid
+	 * matches exactly one hostname component, under the condition that
+	 * the peerid contains multiple hostname components.
 	 */
 	if (!strcasecmp(peerid, pattern)
 	    || (peerid[0] == '*' && peerid[1] == '.' && peerid[2] != 0
@@ -509,7 +518,7 @@ static int match_hostname(const char *peerid, ARGV *cmatch_argv,
 /* verify_extract_peer - verify peer name and extract peer information */
 
 static void verify_extract_peer(const char *nexthop, const char *hname,
-				        char *certmatch, X509 *peercert,
+			              const char *certmatch, X509 *peercert,
 				        TLScontext_t *TLScontext)
 {
     int     i;
@@ -666,7 +675,7 @@ TLScontext_t *tls_client_start(const tls_client_start_props *props)
      */
     if (!BIO_new_bio_pair(&TLScontext->internal_bio, TLS_BIO_BUFSIZE,
 			  &TLScontext->network_bio, TLS_BIO_BUFSIZE)) {
-	msg_info("Could not obtain BIO_pair");
+	msg_warn("Could not obtain BIO_pair");
 	tls_print_errors();
 	tls_free_context(TLScontext);
 	return (0);
diff --git a/postfix/src/tls/tls_level.c b/postfix/src/tls/tls_level.c
new file mode 100644
index 000000000..03affcfdc
--- /dev/null
+++ b/postfix/src/tls/tls_level.c
@@ -0,0 +1,60 @@
+/*++
+/* NAME
+/*	tls_level 3
+/* SUMMARY
+/*	TLS security level conversion
+/* SYNOPSIS
+/*	#include <tls.h>
+/*
+/*	int	tls_level_lookup(name)
+/*	const char *name;
+/*
+/*	const char *str_tls_level(level)
+/*	int	level;
+/* DESCRIPTION
+/*	The macros in this module convert TLS levels from symbolic
+/*	name to internal form and vice versa. The macros are safe
+/*	because they evaluate their arguments only once.
+/*
+/*	tls_level_lookup() converts a TLS level from symbolic name
+/*	to internal form. The result is TLS_NOTFOUND for an unknown
+/*	level.
+/*
+/*	str_tls_level() converts a TLS level from internal form to
+/*	symbolic name. The result is a null pointer for an unknown
+/*	level.
+/* SEE ALSO
+/*	name_code(3) name to number mapping
+/* LICENSE
+/* .ad
+/* .fi
+/*	The Secure Mailer license must be distributed with this software.
+/* AUTHOR(S)
+/*	Wietse Venema
+/*	IBM T.J. Watson Research
+/*	P.O. Box 704
+/*	Yorktown Heights, NY 10598, USA
+/*--*/
+
+/* System library. */
+
+#include <sys_defs.h>
+
+/* Utility library. */
+
+#include <name_code.h>
+
+/* TLS library. */
+
+#include <tls.h>
+
+/* Application-specific. */
+
+NAME_CODE tls_level_table[] = {
+    "none", TLS_LEV_NONE,
+    "may", TLS_LEV_MAY,
+    "encrypt", TLS_LEV_ENCRYPT,
+    "verify", TLS_LEV_VERIFY,
+    "secure", TLS_LEV_SECURE,
+    0, TLS_LEV_NOTFOUND,
+};
diff --git a/postfix/src/tls/tls_mgr.c b/postfix/src/tls/tls_mgr.c
index 84cd77561..a0b089488 100644
--- a/postfix/src/tls/tls_mgr.c
+++ b/postfix/src/tls/tls_mgr.c
@@ -327,8 +327,10 @@ int     main(int unused_ac, char **av)
 
     while (vstring_fgets_nonl(inbuf, VSTREAM_IN)) {
 	argv = argv_split(STR(inbuf), " \t\r\n");
-	if (argv->argc == 0)
+	if (argv->argc == 0) {
+	    argv_free(argv);
 	    continue;
+	}
 
 #define COMMAND(argv, str, len) \
     (strcasecmp(argv->argv[0], str) == 0 && argv->argc == len)
@@ -336,7 +338,7 @@ int     main(int unused_ac, char **av)
 	if (COMMAND(argv, "policy", 2)) {
 	    int     cachable;
 
-	    status = tls_mgr_policy(argv[2], &cachable);
+	    status = tls_mgr_policy(argv->argv[1], &cachable);
 	    vstream_printf("status=%d cachable=%d\n", status, cachable);
 	} else if (COMMAND(argv, "seed", 2)) {
 	    VSTRING *buf = vstring_alloc(10);
@@ -351,15 +353,16 @@ int     main(int unused_ac, char **av)
 	} else if (COMMAND(argv, "lookup", 3)) {
 	    VSTRING *buf = vstring_alloc(10);
 
-	    status = tls_mgr_lookup(argv[1], argv->argv[2], buf);
+	    status = tls_mgr_lookup(argv->argv[1], argv->argv[2], buf);
 	    vstream_printf("status=%d session=%.*s\n",
 			   status, LEN(buf), STR(buf));
+	    vstring_free(buf);
 	} else if (COMMAND(argv, "update", 4)) {
-	    status = tls_mgr_update(argv[1], argv->argv[2],
+	    status = tls_mgr_update(argv->argv[1], argv->argv[2],
 				    argv->argv[3], strlen(argv->argv[3]));
 	    vstream_printf("status=%d\n", status);
 	} else if (COMMAND(argv, "delete", 3)) {
-	    status = tls_mgr_delete(argv[1], argv->argv[2]);
+	    status = tls_mgr_delete(argv->argv[1], argv->argv[2]);
 	    vstream_printf("status=%d\n", status);
 	} else {
 	    vstream_printf("usage:\n"
@@ -370,9 +373,8 @@ int     main(int unused_ac, char **av)
 			   "delete smtpd|smtp|lmtp cache_id\n");
 	}
 	vstream_fflush(VSTREAM_OUT);
-    }
-    if (argv)
 	argv_free(argv);
+    }
 
     vstring_free(inbuf);
     return (0);
diff --git a/postfix/src/tls/tls_misc.c b/postfix/src/tls/tls_misc.c
index 456651161..f87389819 100644
--- a/postfix/src/tls/tls_misc.c
+++ b/postfix/src/tls/tls_misc.c
@@ -18,6 +18,9 @@
 /*
 /*	long	tls_bug_bits()
 /*
+/*	const char *tls_cipher_list(cipher_level, ...)
+/*	int	cipher_level;
+/*
 /*	void	tls_print_errors()
 /*
 /*	void    tls_info_callback(ssl, where, ret)
@@ -50,6 +53,11 @@
 /*	for the run-time library. Some of the bug work-arounds are
 /*	not appropriate for some library versions.
 /*
+/*	tls_cipher_list() generates a cipher list from the specified
+/*	grade, minus any ciphers specified via a null-terminated
+/*	list of string-valued exclusions. The result is overwritten
+/*	upon each call.
+/*
 /*	tls_print_errors() queries the OpenSSL error stack,
 /*	logs the error messages, and clears the error stack.
 /*
@@ -156,7 +164,7 @@ typedef struct {
 
 /* tls_cipher_list - Cipherlist for given grade, less exclusions */
 
-char   *tls_cipher_list(int level,...)
+const char *tls_cipher_list(int cipher_level,...)
 {
     const char *myname = "tls_cipher_list";
     static VSTRING *buf;
@@ -169,7 +177,7 @@ char   *tls_cipher_list(int level,...)
     buf = buf ? buf : vstring_alloc(10);
     VSTRING_RESET(buf);
 
-    switch (level) {
+    switch (cipher_level) {
     case TLS_CIPHER_HIGH:
 	vstring_strcpy(buf, var_tls_high_clist);
 	break;
@@ -188,13 +196,13 @@ char   *tls_cipher_list(int level,...)
     case TLS_CIPHER_NONE:
 	return 0;
     default:
-	msg_panic("%s: invalid cipher level: %d", myname, level);
+	msg_panic("%s: invalid cipher grade: %d", myname, cipher_level);
     }
 
     if (VSTRING_LEN(buf) == 0)
 	msg_panic("%s: empty cipherlist", myname);
 
-    va_start(ap, level);
+    va_start(ap, cipher_level);
     while ((exclude = va_arg(ap, char *)) != 0) {
 	if (*exclude == '\0')
 	    continue;
diff --git a/postfix/src/tls/tls_server.c b/postfix/src/tls/tls_server.c
index 76e90efce..bc7e8aefa 100644
--- a/postfix/src/tls/tls_server.c
+++ b/postfix/src/tls/tls_server.c
@@ -145,13 +145,14 @@ static SSL_SESSION *get_server_session_cb(SSL *ssl, unsigned char *session_id,
 					          int session_id_length,
 					          int *unused_copy)
 {
+    const char *myname = "get_server_session_cb";
     TLScontext_t *TLScontext;
     VSTRING *cache_id;
     VSTRING *session_data = vstring_alloc(2048);
     SSL_SESSION *session = 0;
 
     if ((TLScontext = SSL_get_ex_data(ssl, TLScontext_index)) == 0)
-	msg_panic("null TLScontext in session lookup callback");
+	msg_panic("%s: null TLScontext in session lookup callback", myname);
 
 #define HEX_CACHE_ID(id, len) \
     hex_encode(vstring_alloc(2 * (len) + 1), (char *) (id), (len))
@@ -207,12 +208,13 @@ static void uncache_session(SSL_CTX *ctx, TLScontext_t *TLScontext)
 
 static int new_server_session_cb(SSL *ssl, SSL_SESSION *session)
 {
+    const char *myname = "new_server_session_cb";
     VSTRING *cache_id;
     TLScontext_t *TLScontext;
     VSTRING *session_data;
 
     if ((TLScontext = SSL_get_ex_data(ssl, TLScontext_index)) == 0)
-	msg_panic("null TLScontext in new session callback");
+	msg_panic("%s: null TLScontext in new session callback", myname);
 
     cache_id = HEX_CACHE_ID(session->session_id, session->session_id_length);
 
@@ -476,16 +478,16 @@ SSL_CTX *tls_server_init(const tls_server_props *props)
 	SSL_CTX_sess_set_new_cb(server_ctx, new_server_session_cb);
 
 	/*
-	 * OpenSSL ignores timed-out sessions, we need to set the internal
-	 * cache timeut at least as high as the external cache timeout. This
+	 * OpenSSL ignores timed-out sessions. We need to set the internal
+	 * cache timeout at least as high as the external cache timeout. This
 	 * applies even if no internal cache is used.
 	 */
 	SSL_CTX_set_timeout(server_ctx, props->scache_timeout);
     } else {
 
 	/*
-	 * If we have no external cache, disable all caching, no use wasting
-	 * client memory resources with sessions they are unlikely to be able
+	 * If we have no external cache, disable all caching. No use wasting
+	 * server memory resources with sessions they are unlikely to be able
 	 * to reuse.
 	 */
 	SSL_CTX_set_session_cache_mode(server_ctx, SSL_SESS_CACHE_OFF);
@@ -535,13 +537,13 @@ TLScontext_t *tls_server_start(SSL_CTX *server_ctx, VSTREAM *stream,
     TLScontext->cache_type = SSL_CTX_get_ex_data(server_ctx, TLSscache_index);
 
     if ((TLScontext->con = (SSL *) SSL_new(server_ctx)) == NULL) {
-	msg_info("Could not allocate 'TLScontext->con' with SSL_new()");
+	msg_warn("Could not allocate 'TLScontext->con' with SSL_new()");
 	tls_print_errors();
 	tls_free_context(TLScontext);
 	return (0);
     }
     if (!SSL_set_ex_data(TLScontext->con, TLScontext_index, TLScontext)) {
-	msg_info("Could not set application data for 'TLScontext->con'");
+	msg_warn("Could not set application data for 'TLScontext->con'");
 	tls_print_errors();
 	tls_free_context(TLScontext);
 	return (0);
@@ -572,7 +574,7 @@ TLScontext_t *tls_server_start(SSL_CTX *server_ctx, VSTREAM *stream,
      */
     if (!BIO_new_bio_pair(&TLScontext->internal_bio, TLS_BIO_BUFSIZE,
 			  &TLScontext->network_bio, TLS_BIO_BUFSIZE)) {
-	msg_info("Could not obtain BIO_pair");
+	msg_warn("Could not obtain BIO_pair");
 	tls_print_errors();
 	tls_free_context(TLScontext);
 	return (0);
diff --git a/postfix/src/tlsmgr/Makefile.in b/postfix/src/tlsmgr/Makefile.in
index 4ee4ddd88..68cbe886c 100644
--- a/postfix/src/tlsmgr/Makefile.in
+++ b/postfix/src/tlsmgr/Makefile.in
@@ -71,6 +71,7 @@ tlsmgr.o: ../../include/mail_server.h
 tlsmgr.o: ../../include/master_proto.h
 tlsmgr.o: ../../include/msg.h
 tlsmgr.o: ../../include/mymalloc.h
+tlsmgr.o: ../../include/name_code.h
 tlsmgr.o: ../../include/name_mask.h
 tlsmgr.o: ../../include/stringops.h
 tlsmgr.o: ../../include/sys_defs.h
diff --git a/postfix/src/tlsmgr/tlsmgr.c b/postfix/src/tlsmgr/tlsmgr.c
index dd2d6e8bc..bb483fa4d 100644
--- a/postfix/src/tlsmgr/tlsmgr.c
+++ b/postfix/src/tlsmgr/tlsmgr.c
@@ -739,12 +739,15 @@ static void tlsmgr_pre_init(char *unused_name, char **unused_argv)
     /*
      * If nothing else works then at least this will get us a few bits of
      * entropy.
+     * 
+     * XXX This is our first call into the OpenSSL library. We should find out
+     * if this can be moved to the post-jail initialization phase, without
+     * breaking compatibility with existing installations.
      */
     GETTIMEOFDAY(&tv);
     tv.tv_sec ^= getpid();
     RAND_seed(&tv, sizeof(struct timeval));
 
-
     /*
      * Open the external entropy source. We will not be able to open it again
      * after we are sent to chroot jail, so we keep it open. Errors are not
diff --git a/postfix/src/trivial-rewrite/trivial-rewrite.c b/postfix/src/trivial-rewrite/trivial-rewrite.c
index 0f2e17ea5..406c6c6f6 100644
--- a/postfix/src/trivial-rewrite/trivial-rewrite.c
+++ b/postfix/src/trivial-rewrite/trivial-rewrite.c
@@ -473,8 +473,6 @@ static void pre_accept(char *unused_name, char **unused_argv)
 
 #endif
 
-#ifdef SNAPSHOT
-
 static void check_table_stats(int unused_event, char *unused_context)
 {
     const char *table;
@@ -486,8 +484,6 @@ static void check_table_stats(int unused_event, char *unused_context)
     event_request_timer(check_table_stats, (char *) 0, 10);
 }
 
-#endif
-
 /* pre_jail_init - initialize before entering chroot jail */
 
 static void pre_jail_init(char *unused_name, char **unused_argv)
@@ -525,9 +521,7 @@ static void post_jail_init(char *unused_name, char **unused_argv)
 	transport_post_init(resolve_regular.transport_info);
     if (resolve_verify.transport_info)
 	transport_post_init(resolve_verify.transport_info);
-#ifdef SNAPSHOT
     check_table_stats(0, (char *) 0);
-#endif
 
     /*
      * This process is called by clients that already enforce the max_idle
diff --git a/postfix/src/util/sys_defs.h b/postfix/src/util/sys_defs.h
index 56fcdabea..efb0b3b02 100644
--- a/postfix/src/util/sys_defs.h
+++ b/postfix/src/util/sys_defs.h
@@ -47,6 +47,9 @@
 #if (defined(__NetBSD_Version__) && __NetBSD_Version__ >= 104250000)
 #define ALIAS_DB_MAP   "hash:/etc/mail/aliases"	/* sendmail 8.10 */
 #endif
+#if (defined(OpenBSD) && OpenBSD >= 200006)
+#define ALIAS_DB_MAP   "hash:/etc/mail/aliases"	/* OpenBSD 2.7 */
+#endif
 #ifndef ALIAS_DB_MAP
 #define ALIAS_DB_MAP	"hash:/etc/aliases"
 #endif
diff --git a/postfix/src/verify/verify.c b/postfix/src/verify/verify.c
index b656a17d1..c1771fa56 100644
--- a/postfix/src/verify/verify.c
+++ b/postfix/src/verify/verify.c
@@ -459,7 +459,7 @@ static void verify_query_service(VSTREAM *client_stream)
 			 STR(addr), addr_status, now, updated);
 	    post_mail_fopen_async(strcmp(var_verify_sender, "<>") == 0 ?
 				  "" : var_verify_sender, STR(addr),
-				  CLEANUP_FLAG_MASK_INTERNAL,
+				  INT_FILT_NONE,
 				  DEL_REQ_FLAG_MTA_VRFY,
 				  (VSTRING *) 0,
 				  verify_post_mail_action,