From: Wietse Venema <wietse@porcupine.org>
Date: Thu, 13 Jan 2011 05:00:00 +0000 (-0500)
Subject: postfix-2.8-20110113
X-Git-Tag: v2.8.0-RC1~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7d04ab6f85abc22f437c620eb3f430c5747b7f41;p=thirdparty%2Fpostfix.git

postfix-2.8-20110113
---

diff --git a/postfix/README_FILES/POSTSCREEN_README b/postfix/README_FILES/POSTSCREEN_README
index 6badf305a..6e93ddff4 100644
--- a/postfix/README_FILES/POSTSCREEN_README
+++ b/postfix/README_FILES/POSTSCREEN_README
@@ -120,7 +120,7 @@ Example:
 
 /etc/postfix/main.cf:
     postscreen_access_list = permit_mynetworks,
-        /etc/postfix/postscreen_access.cidr
+        cidr:/etc/postfix/postscreen_access.cidr
 
 /etc/postfix/postscreen_access.cidr:
    # Rules are evaluated in the order as specified.
@@ -469,8 +469,8 @@ impact of this limitation by giving deep protocol tests a long expiration time.
 
 CCoonnffiigguurriinngg tthhee ppoossttssccrreeeenn((88)) sseerrvviiccee
 
-postscreen(8) has been tested on FreeBSD [4-8] and Linux 2.[4-6] systems. It
-probably needs additional work before it can be used on Solaris.
+postscreen(8) has been tested on FreeBSD [4-8], Linux 2.[4-6] and Solaris 9
+systems.
 
   * Turning on postscreen(8) without blocking mail
   * Blocking mail with postscreen(8)
@@ -651,3 +651,8 @@ stress-adaptive behavior in September. Ralf Hildebrandt ran this code on
 several servers to collect real-world statistics. This version still used the
 embarrassing dnsblog(8) ad-hoc DNS client program.
 
+Wietse added STARTTLS support in December 2010. This makes postscreen(8) usable
+for sites that require TLS support. The implementation introduces the tlsproxy
+(8) event-driven TLS proxy that decrypts/encrypts the sessions for multiple
+SMTP clients.
+
diff --git a/postfix/WISHLIST b/postfix/WISHLIST
index b6ef68996..b11bcc083 100644
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@@ -4,8 +4,15 @@ Wish list:
 
 	Remove this file from the stable release.
 
+	Make tlsproxy_service and dnsblog_service configurable.
+
 	Things to do after the stable release:
 
+	When does it pay off to send domains in the active queue
+	to a DNS prefetch daemon? Could this generalize to a dynamic
+	transport map that piggy-backs domains with the same MX
+	host into the same mail delivery transaction?
+
 	inline table where the "whitespace replacement" character
 	is specified in-line. Ex: inline:XYname1Xvalue1Yname2Xvalue2
 	would instantiate a table with (name1, value1) and (name2,
diff --git a/postfix/html/POSTSCREEN_README.html b/postfix/html/POSTSCREEN_README.html
index 784d12b56..11259a64a 100644
--- a/postfix/html/POSTSCREEN_README.html
+++ b/postfix/html/POSTSCREEN_README.html
@@ -164,7 +164,7 @@ by a CIDR table for selective white- and blacklisting. </p>
 <pre>
 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
     <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,
-        /etc/postfix/postscreen_access.cidr
+        <a href="cidr_table.5.html">cidr</a>:/etc/postfix/postscreen_access.cidr
 
 /etc/postfix/postscreen_access.<a href="cidr_table.5.html">cidr</a>:
    # Rules are evaluated in the order as specified.
@@ -649,9 +649,8 @@ time. </p>
 <h2> <a name="config"> Configuring the postscreen(8) service</a>
 </h2>
 
-<p> <a href="postscreen.8.html">postscreen(8)</a> has been tested on FreeBSD [4-8] and Linux 2.[4-6]
-systems.  It probably needs additional work before it can be used
-on Solaris. </p>
+<p> <a href="postscreen.8.html">postscreen(8)</a> has been tested on FreeBSD [4-8], Linux 2.[4-6]
+and Solaris 9 systems. </p>
 
 <ul>
 
@@ -890,7 +889,7 @@ may follow.  </p>
 
 <p> Many ideas in <a href="postscreen.8.html">postscreen(8)</a> were explored in earlier work by
 Michael Tokarev, in OpenBSD spamd, and in MailChannels Traffic
-Control.  </p>
+Control. </p>
 
 <p> Wietse threw together a crude prototype with pregreet and dnsbl
 support in June 2009, because he needed something new for a Mailserver
@@ -906,6 +905,11 @@ September. Ralf Hildebrandt ran this code on several servers to
 collect real-world statistics. This version still used the embarrassing
 <a href="dnsblog.8.html">dnsblog(8)</a> ad-hoc DNS client program.  </p>
 
+<p> Wietse added STARTTLS support in December 2010. This makes
+<a href="postscreen.8.html">postscreen(8)</a> usable for sites that require TLS support.  The
+implementation introduces the <a href="tlsproxy.8.html">tlsproxy(8)</a> event-driven TLS proxy
+that decrypts/encrypts the sessions for multiple SMTP clients. </p>
+
 </body>
 
 </html>
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index d9d88afb3..d6f0e969f 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -6732,7 +6732,7 @@ it passes the test, before it can talk to a real Postfix SMTP server.
 <DT><b><a name="postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a>
 (default: 30d)</b></DT><DD>
 
-<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will cache results from
+<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from
 a successful "bare newline" SMTP protocol test. During this
 time, the client IP address is excluded from this test. The default
 is long because a client must disconnect after it passes the test,
@@ -7064,7 +7064,7 @@ parameter. </p>
 <DT><b><a name="postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>
 (default: 1h)</b></DT><DD>
 
-<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will cache results from
+<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from
 a successful DNS blocklist test. During this time, the client IP address
 is excluded from this test. The default is relatively short, because a
 good client can immediately talk to a real Postfix SMTP server.
@@ -7172,7 +7172,7 @@ value to disable this feature.  </p>
 <DT><b><a name="postscreen_greet_ttl">postscreen_greet_ttl</a>
 (default: 1d)</b></DT><DD>
 
-<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will cache results from
+<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from
 a successful PREGREET test. During this time, the client IP address
 is excluded from this test. The default is relatively short, because
 a good client can immediately talk to a real Postfix SMTP server. </p>
@@ -7268,7 +7268,7 @@ test, before it can talk to a real Postfix SMTP server. </p>
 <DT><b><a name="postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a>
 (default: 30d)</b></DT><DD>
 
-<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will cache results from
+<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from
 a successful "non_smtp_command" SMTP protocol test. During this
 time, the client IP address is excluded from this test. The default
 is long because a client must disconnect after it passes the test,
@@ -7334,7 +7334,7 @@ server. </p>
 <DT><b><a name="postscreen_pipelining_ttl">postscreen_pipelining_ttl</a>
 (default: 30d)</b></DT><DD>
 
-<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will cache results from
+<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from
 a successful "pipelining" SMTP protocol test. During this time, the
 client IP address is excluded from this test. The default is
 long because a good client must disconnect after it passes the test,
diff --git a/postfix/html/postscreen.8.html b/postfix/html/postscreen.8.html
index 6775e8f4e..20c2290f8 100644
--- a/postfix/html/postscreen.8.html
+++ b/postfix/html/postscreen.8.html
@@ -59,7 +59,7 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
        <a href="http://tools.ietf.org/html/rfc1869">RFC 1869</a> (SMTP service extensions)
        <a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
        <a href="http://tools.ietf.org/html/rfc1985">RFC 1985</a> (ETRN command)
-       <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Error Codes)
+       <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Status Codes)
        <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
        <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
        <a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
@@ -247,27 +247,27 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
               removed.
 
        <b><a href="postconf.5.html#postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a> (30d)</b>
-              The amount of time that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  will  cache
-              results  from a successful "bare newline" SMTP pro-
-              tocol test.
+              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use  the
+              result from a successful "bare newline" SMTP proto-
+              col test.
 
        <b><a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a> (1h)</b>
-              The amount of time that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  will  cache
-              results from a successful DNS blocklist test.
+              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use  the
+              result from a successful DNS blocklist test.
 
        <b><a href="postconf.5.html#postscreen_greet_ttl">postscreen_greet_ttl</a> (1d)</b>
-              The  amount  of  time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
-              results from a successful PREGREET test.
+              The  amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
+              result from a successful PREGREET test.
 
        <b><a href="postconf.5.html#postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a> (30d)</b>
-              The amount of time that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  will  cache
-              results  from  a successful "non_smtp_command" SMTP
+              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use  the
+              result  from  a  successful "non_smtp_command" SMTP
               protocol test.
 
        <b><a href="postconf.5.html#postscreen_pipelining_ttl">postscreen_pipelining_ttl</a> (30d)</b>
-              The amount of time that  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  will  cache
-              results  from a successful "pipelining" SMTP proto-
-              col test.
+              The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use  the
+              result from a successful "pipelining" SMTP protocol
+              test.
 
 <b>RESOURCE CONTROLS</b>
        <b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b>
diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html
index a7aa8245f..500c79d11 100644
--- a/postfix/html/smtpd.8.html
+++ b/postfix/html/smtpd.8.html
@@ -49,7 +49,7 @@ SMTPD(8)                                                              SMTPD(8)
        <a href="http://tools.ietf.org/html/rfc1869">RFC 1869</a> (SMTP service extensions)
        <a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
        <a href="http://tools.ietf.org/html/rfc1985">RFC 1985</a> (ETRN command)
-       <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Error Codes)
+       <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Status Codes)
        <a href="http://tools.ietf.org/html/rfc2554">RFC 2554</a> (AUTH command)
        <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
        <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
diff --git a/postfix/html/tlsproxy.8.html b/postfix/html/tlsproxy.8.html
index d17480943..b945455d6 100644
--- a/postfix/html/tlsproxy.8.html
+++ b/postfix/html/tlsproxy.8.html
@@ -14,62 +14,61 @@ TLSPROXY(8)                                                        TLSPROXY(8)
 
 <b>DESCRIPTION</b>
        The <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server implements a server-side TLS proxy.
-       Its  primary  use  is  to   talk   plaintext   SMTP   with
-       <a href="postscreen.8.html"><b>postscreen</b>(8)</a>,  and to talk SMTP-over-TLS with remote SMTP
-       clients whose whitelist status has expired, but it  should
-       also work for non-SMTP protocols.
+       It is used by <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  to  talk  SMTP-over-TLS  with
+       remote  SMTP  clients  whose whitelist status has expired,
+       but it should also work for non-SMTP protocols.
 
-       Although  one  <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> process can serve multiple ses-
-       sions at the same time, it is a good  idea  to  allow  the
-       number  of  processes  to  increase with load, so that the
-       service remains available.
+       Although one <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> process can serve  multiple  ses-
+       sions  at  the  same  time, it is a good idea to allow the
+       number of processes to increase with  load,  so  that  the
+       service remains responsive.
 
 <b>PROTOCOL EXAMPLE</b>
-       The example below  involves  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>.  However,  the
-       <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>  server  is agnostic of the application proto-
-       col, and the example is easily adapted to  other  applica-
+       The  example  below  concerns  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>. However, the
+       <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server is agnostic of the  application  proto-
+       col,  and  the example is easily adapted to other applica-
        tions.
 
        The <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server sends the remote SMTP client end-
-       point  string,  the  requested  role  (server),  and   the
+       point   string,  the  requested  role  (server),  and  the
        requested  timeout  to  <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>.   <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  then
-       receives a "TLS available"  indication  from  <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>.
-       If  the  TLS service is available, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> sends the
-       remote SMTP client file  descriptor  to  <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>,  and
-       sends  the  plaintext  220  greeting  to  the  remote SMTP
+       receives  a  "TLS  available" indication from <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>.
+       If the TLS service is available, <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  sends  the
+       remote  SMTP  client  file  descriptor to <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>, and
+       sends the  plaintext  220  greeting  to  the  remote  SMTP
        client.  This triggers TLS negotiations between the remote
-       SMTP  client and <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>.  Upon completion of the TLS-
-       level handshake, <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> translates between  plaintext
-       from/to  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  and  ciphertext to/from the remote
+       SMTP client and <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>.  Upon completion of the  TLS-
+       level  handshake, <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> translates between plaintext
+       from/to <a href="postscreen.8.html"><b>postscreen</b>(8)</a> and ciphertext  to/from  the  remote
        SMTP client.
 
 <b>SECURITY</b>
-       The <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server is  moderately  security-sensitive.
-       It  talks to untrusted clients on the network. The process
+       The  <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>  server is moderately security-sensitive.
+       It talks to untrusted clients on the network. The  process
        can be run chrooted at fixed low privilege.
 
 <b>DIAGNOSTICS</b>
        Problems and transactions are logged to <b>syslogd</b>(8).
 
 <b>CONFIGURATION PARAMETERS</b>
-       Changes to <a href="postconf.5.html"><b>main.cf</b></a> are not  picked  up  automatically,  as
+       Changes  to  <a href="postconf.5.html"><b>main.cf</b></a>  are  not picked up automatically, as
        <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> processes may run for a long time depending on
-       mail server load.  Use the  command  "<b>postfix  reload</b>"  to
+       mail  server  load.   Use  the command "<b>postfix reload</b>" to
        speed up a change.
 
-       The  text  below  provides  only  a parameter summary. See
+       The text below provides  only  a  parameter  summary.  See
        <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.
 
 <b>STARTTLS SUPPORT CONTROLS</b>
        <b><a href="postconf.5.html#tlsproxy_tls_CAfile">tlsproxy_tls_CAfile</a> ($<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a>)</b>
-              A file containing (PEM format) CA  certificates  of
-              root  CAs trusted to sign either remote SMTP client
+              A  file  containing (PEM format) CA certificates of
+              root CAs trusted to sign either remote SMTP  client
               certificates or intermediate CA certificates.
 
        <b><a href="postconf.5.html#tlsproxy_tls_CApath">tlsproxy_tls_CApath</a> ($<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>)</b>
               A directory containing (PEM format) CA certificates
-              of  root  CAs  trusted  to  sign either remote SMTP
-              client certificates  or  intermediate  CA  certifi-
+              of root CAs trusted  to  sign  either  remote  SMTP
+              client  certificates  or  intermediate  CA certifi-
               cates.
 
        <b><a href="postconf.5.html#tlsproxy_tls_always_issue_session_ids">tlsproxy_tls_always_issue_session_ids</a></b>
@@ -79,38 +78,38 @@ TLSPROXY(8)                                                        TLSPROXY(8)
               off.
 
        <b><a href="postconf.5.html#tlsproxy_tls_ask_ccert">tlsproxy_tls_ask_ccert</a> ($<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>)</b>
-              Ask  a remote SMTP client for a client certificate.
+              Ask a remote SMTP client for a client  certificate.
 
        <b><a href="postconf.5.html#tlsproxy_tls_ccert_verifydepth">tlsproxy_tls_ccert_verifydepth</a>   ($<a href="postconf.5.html#smtpd_tls_ccert_verifydepth">smtpd_tls_ccert_verify</a>-</b>
        <b><a href="postconf.5.html#smtpd_tls_ccert_verifydepth">depth</a>)</b>
-              The verification depth for remote SMTP client  cer-
+              The  verification depth for remote SMTP client cer-
               tificates.
 
        <b><a href="postconf.5.html#tlsproxy_tls_cert_file">tlsproxy_tls_cert_file</a> ($<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>)</b>
-              File  with  the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server RSA cer-
+              File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server  RSA  cer-
               tificate in PEM format.
 
        <b><a href="postconf.5.html#tlsproxy_tls_ciphers">tlsproxy_tls_ciphers</a> ($<a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>)</b>
-              The minimum  TLS  cipher  grade  that  the  Postfix
-              <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>  server will use with opportunistic TLS
+              The  minimum  TLS  cipher  grade  that  the Postfix
+              <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server will use with opportunistic  TLS
               encryption.
 
        <b><a href="postconf.5.html#tlsproxy_tls_dcert_file">tlsproxy_tls_dcert_file</a> ($<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>)</b>
-              File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server  DSA  cer-
+              File  with  the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server DSA cer-
               tificate in PEM format.
 
        <b><a href="postconf.5.html#tlsproxy_tls_dh1024_param_file">tlsproxy_tls_dh1024_param_file</a></b>
        <b>($<a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a>)</b>
-              File   with   DH   parameters   that   the  Postfix
+              File  with   DH   parameters   that   the   Postfix
               <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server should use with EDH ciphers.
 
        <b><a href="postconf.5.html#tlsproxy_tls_dh512_param_file">tlsproxy_tls_dh512_param_file</a></b>
        <b>($<a href="postconf.5.html#smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a>)</b>
-              File  with   DH   parameters   that   the   Postfix
+              File   with   DH   parameters   that   the  Postfix
               <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server should use with EDH ciphers.
 
        <b><a href="postconf.5.html#tlsproxy_tls_dkey_file">tlsproxy_tls_dkey_file</a> ($<a href="postconf.5.html#smtpd_tls_dkey_file">smtpd_tls_dkey_file</a>)</b>
-              File  with  the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server DSA pri-
+              File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server  DSA  pri-
               vate key in PEM format.
 
        <b><a href="postconf.5.html#tlsproxy_tls_eccert_file">tlsproxy_tls_eccert_file</a> ($<a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a>)</b>
@@ -122,38 +121,38 @@ TLSPROXY(8)                                                        TLSPROXY(8)
               vate key in PEM format.
 
        <b><a href="postconf.5.html#tlsproxy_tls_eecdh_grade">tlsproxy_tls_eecdh_grade</a> ($<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a>)</b>
-              The Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server security  grade  for
+              The  Postfix  <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server security grade for
               ephemeral elliptic-curve Diffie-Hellman (EECDH) key
               exchange.
 
        <b><a href="postconf.5.html#tlsproxy_tls_exclude_ciphers">tlsproxy_tls_exclude_ciphers</a> ($<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a>)</b>
               List of ciphers or cipher types to exclude from the
-              <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>  server cipher list at all TLS security
+              <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server cipher list at all TLS  security
               levels.
 
        <b><a href="postconf.5.html#tlsproxy_tls_fingerprint_digest">tlsproxy_tls_fingerprint_digest</a>        ($<a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_finger</a>-</b>
        <b><a href="postconf.5.html#smtpd_tls_fingerprint_digest">print_digest</a>)</b>
-              The message  digest  algorithm  used  to  construct
+              The  message  digest  algorithm  used  to construct
               client-certificate fingerprints.
 
        <b><a href="postconf.5.html#tlsproxy_tls_key_file">tlsproxy_tls_key_file</a> ($<a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a>)</b>
-              File  with  the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server RSA pri-
+              File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server  RSA  pri-
               vate key in PEM format.
 
        <b><a href="postconf.5.html#tlsproxy_tls_loglevel">tlsproxy_tls_loglevel</a> ($<a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a>)</b>
-              Enable additional Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>  server  log-
+              Enable  additional  Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server log-
               ging of TLS activity.
 
        <b><a href="postconf.5.html#tlsproxy_tls_mandatory_ciphers">tlsproxy_tls_mandatory_ciphers</a>          ($<a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_manda</a>-</b>
        <b><a href="postconf.5.html#smtpd_tls_mandatory_ciphers">tory_ciphers</a>)</b>
-              The  minimum  TLS  cipher  grade  that  the Postfix
-              <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server  will  use  with  mandatory  TLS
+              The minimum  TLS  cipher  grade  that  the  Postfix
+              <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>  server  will  use  with  mandatory TLS
               encryption.
 
        <b><a href="postconf.5.html#tlsproxy_tls_mandatory_exclude_ciphers">tlsproxy_tls_mandatory_exclude_ciphers</a>  ($<a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_manda</a>-</b>
        <b><a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">tory_exclude_ciphers</a>)</b>
-              Additional  list  of  ciphers  or  cipher  types to
-              exclude from the <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server cipher list  at
+              Additional list  of  ciphers  or  cipher  types  to
+              exclude  from the <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server cipher list at
               mandatory TLS security levels.
 
        <b><a href="postconf.5.html#tlsproxy_tls_mandatory_protocols">tlsproxy_tls_mandatory_protocols</a>        ($<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_manda</a>-</b>
@@ -162,65 +161,65 @@ TLSPROXY(8)                                                        TLSPROXY(8)
               <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server with mandatory TLS encryption.
 
        <b><a href="postconf.5.html#tlsproxy_tls_protocols">tlsproxy_tls_protocols</a> ($<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a>)</b>
-              List of TLS protocols that the Postfix  <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>
-              server  will  exclude or include with opportunistic
+              List  of TLS protocols that the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>
+              server will exclude or include  with  opportunistic
               TLS encryption.
 
        <b><a href="postconf.5.html#tlsproxy_tls_req_ccert">tlsproxy_tls_req_ccert</a> ($<a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a>)</b>
-              With mandatory TLS encryption,  require  a  trusted
-              remote  SMTP  client  certificate in order to allow
+              With  mandatory  TLS  encryption, require a trusted
+              remote SMTP client certificate in  order  to  allow
               TLS connections to proceed.
 
        <b><a href="postconf.5.html#tlsproxy_tls_security_level">tlsproxy_tls_security_level</a> ($<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>)</b>
-              The  SMTP  TLS  security  level  for  the   Postfix
+              The   SMTP  TLS  security  level  for  the  Postfix
               <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server; when a non-empty value is spec-
-              ified,  this  overrides  the  obsolete   parameters
+              ified,   this  overrides  the  obsolete  parameters
               <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>.
 
        <b><a href="postconf.5.html#tlsproxy_tls_session_cache_timeout">tlsproxy_tls_session_cache_timeout</a>        ($<a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_ses</a>-</b>
        <b><a href="postconf.5.html#smtpd_tls_session_cache_timeout">sion_cache_timeout</a>)</b>
-              The  expiration  time of Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server
+              The expiration time of Postfix  <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>  server
               TLS session cache information.
 
 <b>OBSOLETE STARTTLS SUPPORT CONTROLS</b>
-       These parameters  are  supported  for  compatibility  with
+       These  parameters  are  supported  for  compatibility with
        <a href="smtpd.8.html"><b>smtpd</b>(8)</a> legacy parameters.
 
        <b><a href="postconf.5.html#tlsproxy_use_tls">tlsproxy_use_tls</a> ($<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>)</b>
-              Opportunistic  TLS:  announce  STARTTLS  support to
-              SMTP clients, but do not require that  clients  use
+              Opportunistic TLS:  announce  STARTTLS  support  to
+              SMTP  clients,  but do not require that clients use
               TLS encryption.
 
        <b><a href="postconf.5.html#tlsproxy_enforce_tls">tlsproxy_enforce_tls</a> ($<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>)</b>
-              Mandatory  TLS:  announce  STARTTLS support to SMTP
-              clients, and require that clients use  TLS  encryp-
+              Mandatory TLS: announce STARTTLS  support  to  SMTP
+              clients,  and  require that clients use TLS encryp-
               tion.
 
 <b>RESOURCE CONTROLS</b>
        <b><a href="postconf.5.html#tlsproxy_watchdog_timeout">tlsproxy_watchdog_timeout</a> (10s)</b>
-              How  much  time  a  <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> process may take to
+              How much time a <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>  process  may  take  to
               process local or remote I/O before it is terminated
               by a built-in watchdog timer.
 
 <b>MISCELLANEOUS CONTROLS</b>
        <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The  default  location  of  the Postfix <a href="postconf.5.html">main.cf</a> and
+              The default location of  the  Postfix  <a href="postconf.5.html">main.cf</a>  and
               <a href="master.5.html">master.cf</a> configuration files.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The process ID  of  a  Postfix  command  or  daemon
+              The  process  ID  of  a  Postfix  command or daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The  process  name  of  a Postfix command or daemon
+              The process name of a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
-              The mail system  name  that  is  prepended  to  the
-              process  name  in  syslog  records, so that "smtpd"
+              The  mail  system  name  that  is  prepended to the
+              process name in syslog  records,  so  that  "smtpd"
               becomes, for example, "postfix/smtpd".
 
 <b>SEE ALSO</b>
@@ -230,7 +229,7 @@ TLSPROXY(8)                                                        TLSPROXY(8)
        syslogd(5), system logging
 
 <b>LICENSE</b>
-       The Secure Mailer license must be  distributed  with  this
+       The  Secure  Mailer  license must be distributed with this
        software.
 
 <b>HISTORY</b>
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index d82229a3c..4cc706928 100644
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -3809,7 +3809,7 @@ it passes the test, before it can talk to a real Postfix SMTP server.
 .PP
 This feature is available in Postfix 2.8.
 .SH postscreen_bare_newline_ttl (default: 30d)
-The amount of time that \fBpostscreen\fR(8) will cache results from
+The amount of time that \fBpostscreen\fR(8) will use the result from
 a successful "bare newline" SMTP protocol test. During this
 time, the client IP address is excluded from this test. The default
 is long because a client must disconnect after it passes the test,
@@ -4034,7 +4034,7 @@ parameter.
 .PP
 This feature is available in Postfix 2.8.
 .SH postscreen_dnsbl_ttl (default: 1h)
-The amount of time that \fBpostscreen\fR(8) will cache results from
+The amount of time that \fBpostscreen\fR(8) will use the result from
 a successful DNS blocklist test. During this time, the client IP address
 is excluded from this test. The default is relatively short, because a
 good client can immediately talk to a real Postfix SMTP server.
@@ -4094,7 +4094,7 @@ value to disable this feature.
 .PP
 This feature is available in Postfix 2.8.
 .SH postscreen_greet_ttl (default: 1d)
-The amount of time that \fBpostscreen\fR(8) will cache results from
+The amount of time that \fBpostscreen\fR(8) will use the result from
 a successful PREGREET test. During this time, the client IP address
 is excluded from this test. The default is relatively short, because
 a good client can immediately talk to a real Postfix SMTP server.
@@ -4150,7 +4150,7 @@ test, before it can talk to a real Postfix SMTP server.
 .PP
 This feature is available in Postfix 2.8.
 .SH postscreen_non_smtp_command_ttl (default: 30d)
-The amount of time that \fBpostscreen\fR(8) will cache results from
+The amount of time that \fBpostscreen\fR(8) will use the result from
 a successful "non_smtp_command" SMTP protocol test. During this
 time, the client IP address is excluded from this test. The default
 is long because a client must disconnect after it passes the test,
@@ -4188,7 +4188,7 @@ server.
 .PP
 This feature is available in Postfix 2.8.
 .SH postscreen_pipelining_ttl (default: 30d)
-The amount of time that \fBpostscreen\fR(8) will cache results from
+The amount of time that \fBpostscreen\fR(8) will use the result from
 a successful "pipelining" SMTP protocol test. During this time, the
 client IP address is excluded from this test. The default is
 long because a good client must disconnect after it passes the test,
diff --git a/postfix/man/man8/postscreen.8 b/postfix/man/man8/postscreen.8
index 8888237b6..ee057c474 100644
--- a/postfix/man/man8/postscreen.8
+++ b/postfix/man/man8/postscreen.8
@@ -62,7 +62,7 @@ RFC 1652 (8bit-MIME transport)
 RFC 1869 (SMTP service extensions)
 RFC 1870 (Message Size Declaration)
 RFC 1985 (ETRN command)
-RFC 2034 (SMTP Enhanced Error Codes)
+RFC 2034 (SMTP Enhanced Status Codes)
 RFC 2821 (SMTP protocol)
 RFC 2920 (SMTP Pipelining)
 RFC 3207 (STARTTLS command)
@@ -236,19 +236,19 @@ Persistent storage for the \fBpostscreen\fR(8) server decisions.
 The amount of time that \fBpostscreen\fR(8) will cache an expired
 temporary whitelist entry before it is removed.
 .IP "\fBpostscreen_bare_newline_ttl (30d)\fR"
-The amount of time that \fBpostscreen\fR(8) will cache results from
+The amount of time that \fBpostscreen\fR(8) will use the result from
 a successful "bare newline" SMTP protocol test.
 .IP "\fBpostscreen_dnsbl_ttl (1h)\fR"
-The amount of time that \fBpostscreen\fR(8) will cache results from
+The amount of time that \fBpostscreen\fR(8) will use the result from
 a successful DNS blocklist test.
 .IP "\fBpostscreen_greet_ttl (1d)\fR"
-The amount of time that \fBpostscreen\fR(8) will cache results from
+The amount of time that \fBpostscreen\fR(8) will use the result from
 a successful PREGREET test.
 .IP "\fBpostscreen_non_smtp_command_ttl (30d)\fR"
-The amount of time that \fBpostscreen\fR(8) will cache results from
+The amount of time that \fBpostscreen\fR(8) will use the result from
 a successful "non_smtp_command" SMTP protocol test.
 .IP "\fBpostscreen_pipelining_ttl (30d)\fR"
-The amount of time that \fBpostscreen\fR(8) will cache results from
+The amount of time that \fBpostscreen\fR(8) will use the result from
 a successful "pipelining" SMTP protocol test.
 .SH "RESOURCE CONTROLS"
 .na
diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8
index 005495efd..cad1acf5d 100644
--- a/postfix/man/man8/smtpd.8
+++ b/postfix/man/man8/smtpd.8
@@ -52,7 +52,7 @@ RFC 1652 (8bit-MIME transport)
 RFC 1869 (SMTP service extensions)
 RFC 1870 (Message Size Declaration)
 RFC 1985 (ETRN command)
-RFC 2034 (SMTP Enhanced Error Codes)
+RFC 2034 (SMTP Enhanced Status Codes)
 RFC 2554 (AUTH command)
 RFC 2821 (SMTP protocol)
 RFC 2920 (SMTP Pipelining)
diff --git a/postfix/man/man8/tlsproxy.8 b/postfix/man/man8/tlsproxy.8
index aaf65762d..675a2a5ca 100644
--- a/postfix/man/man8/tlsproxy.8
+++ b/postfix/man/man8/tlsproxy.8
@@ -13,21 +13,20 @@ Postfix TLS proxy
 .ad
 .fi
 The \fBtlsproxy\fR(8) server implements a server-side TLS
-proxy. Its primary use is to talk plaintext SMTP with
-\fBpostscreen\fR(8), and to talk SMTP-over-TLS with remote
-SMTP clients whose whitelist status has expired, but it
-should also work for non-SMTP protocols.
+proxy. It is used by \fBpostscreen\fR(8) to talk SMTP-over-TLS
+with remote SMTP clients whose whitelist status has expired,
+but it should also work for non-SMTP protocols.
 
 Although one \fBtlsproxy\fR(8) process can serve multiple
 sessions at the same time, it is a good idea to allow the
 number of processes to increase with load, so that the
-service remains available.
+service remains responsive.
 .SH "PROTOCOL EXAMPLE"
 .na
 .nf
 .ad
 .fi
-The example below involves \fBpostscreen\fR(8). However,
+The example below concerns \fBpostscreen\fR(8). However,
 the \fBtlsproxy\fR(8) server is agnostic of the application
 protocol, and the example is easily adapted to other
 applications.
diff --git a/postfix/proto/POSTSCREEN_README.html b/postfix/proto/POSTSCREEN_README.html
index 9231bef79..b23070891 100644
--- a/postfix/proto/POSTSCREEN_README.html
+++ b/postfix/proto/POSTSCREEN_README.html
@@ -164,7 +164,7 @@ by a CIDR table for selective white- and blacklisting. </p>
 <pre>
 /etc/postfix/main.cf:
     postscreen_access_list = permit_mynetworks,
-        /etc/postfix/postscreen_access.cidr
+        cidr:/etc/postfix/postscreen_access.cidr
 
 /etc/postfix/postscreen_access.cidr:
    # Rules are evaluated in the order as specified.
@@ -649,9 +649,8 @@ time. </p>
 <h2> <a name="config"> Configuring the postscreen(8) service</a>
 </h2>
 
-<p> postscreen(8) has been tested on FreeBSD [4-8] and Linux 2.[4-6]
-systems.  It probably needs additional work before it can be used
-on Solaris. </p>
+<p> postscreen(8) has been tested on FreeBSD [4-8], Linux 2.[4-6]
+and Solaris 9 systems. </p>
 
 <ul>
 
@@ -890,7 +889,7 @@ may follow.  </p>
 
 <p> Many ideas in postscreen(8) were explored in earlier work by
 Michael Tokarev, in OpenBSD spamd, and in MailChannels Traffic
-Control.  </p>
+Control. </p>
 
 <p> Wietse threw together a crude prototype with pregreet and dnsbl
 support in June 2009, because he needed something new for a Mailserver
@@ -906,6 +905,11 @@ September. Ralf Hildebrandt ran this code on several servers to
 collect real-world statistics. This version still used the embarrassing
 dnsblog(8) ad-hoc DNS client program.  </p>
 
+<p> Wietse added STARTTLS support in December 2010. This makes
+postscreen(8) usable for sites that require TLS support.  The
+implementation introduces the tlsproxy(8) event-driven TLS proxy
+that decrypts/encrypts the sessions for multiple SMTP clients. </p>
+
 </body>
 
 </html>
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index c48412f07..e04ad3553 100644
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -12630,7 +12630,7 @@ receive a 421 reponse. </p>
 
 %PARAM postscreen_greet_ttl 1d
 
-<p> The amount of time that postscreen(8) will cache results from
+<p> The amount of time that postscreen(8) will use the result from
 a successful PREGREET test. During this time, the client IP address
 is excluded from this test. The default is relatively short, because
 a good client can immediately talk to a real Postfix SMTP server. </p>
@@ -13186,7 +13186,7 @@ protocol engine. This bounds the time to receive an entire command.
 
 %PARAM postscreen_dnsbl_ttl 1h
 
-<p> The amount of time that postscreen(8) will cache results from
+<p> The amount of time that postscreen(8) will use the result from
 a successful DNS blocklist test. During this time, the client IP address
 is excluded from this test. The default is relatively short, because a
 good client can immediately talk to a real Postfix SMTP server.
@@ -13231,7 +13231,7 @@ this test the next time the client connects. </dd>
 
 %PARAM postscreen_pipelining_ttl 30d
 
-<p> The amount of time that postscreen(8) will cache results from
+<p> The amount of time that postscreen(8) will use the result from
 a successful "pipelining" SMTP protocol test. During this time, the
 client IP address is excluded from this test. The default is
 long because a good client must disconnect after it passes the test,
@@ -13326,7 +13326,7 @@ feature.  </dd>
 
 %PARAM postscreen_non_smtp_command_ttl 30d
 
-<p> The amount of time that postscreen(8) will cache results from
+<p> The amount of time that postscreen(8) will use the result from
 a successful "non_smtp_command" SMTP protocol test. During this
 time, the client IP address is excluded from this test. The default
 is long because a client must disconnect after it passes the test,
@@ -13406,7 +13406,7 @@ this test the next time the client connects.  </dd>
 
 %PARAM postscreen_bare_newline_ttl 30d
 
-<p> The amount of time that postscreen(8) will cache results from
+<p> The amount of time that postscreen(8) will use the result from
 a successful "bare newline" SMTP protocol test. During this
 time, the client IP address is excluded from this test. The default
 is long because a client must disconnect after it passes the test,
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index ac90cf17f..a12201f69 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20110112"
+#define MAIL_RELEASE_DATE	"20110113"
 #define MAIL_VERSION_NUMBER	"2.8"
 
 #ifdef SNAPSHOT
diff --git a/postfix/src/postscreen/postscreen.c b/postfix/src/postscreen/postscreen.c
index 3d4f30f48..7e97b329b 100644
--- a/postfix/src/postscreen/postscreen.c
+++ b/postfix/src/postscreen/postscreen.c
@@ -52,7 +52,7 @@
 /*	RFC 1869 (SMTP service extensions)
 /*	RFC 1870 (Message Size Declaration)
 /*	RFC 1985 (ETRN command)
-/*	RFC 2034 (SMTP Enhanced Error Codes)
+/*	RFC 2034 (SMTP Enhanced Status Codes)
 /*	RFC 2821 (SMTP protocol)
 /*	RFC 2920 (SMTP Pipelining)
 /*	RFC 3207 (STARTTLS command)
@@ -210,19 +210,19 @@
 /*	The amount of time that \fBpostscreen\fR(8) will cache an expired
 /*	temporary whitelist entry before it is removed.
 /* .IP "\fBpostscreen_bare_newline_ttl (30d)\fR"
-/*	The amount of time that \fBpostscreen\fR(8) will cache results from
+/*	The amount of time that \fBpostscreen\fR(8) will use the result from
 /*	a successful "bare newline" SMTP protocol test.
 /* .IP "\fBpostscreen_dnsbl_ttl (1h)\fR"
-/*	The amount of time that \fBpostscreen\fR(8) will cache results from
+/*	The amount of time that \fBpostscreen\fR(8) will use the result from
 /*	a successful DNS blocklist test.
 /* .IP "\fBpostscreen_greet_ttl (1d)\fR"
-/*	The amount of time that \fBpostscreen\fR(8) will cache results from
+/*	The amount of time that \fBpostscreen\fR(8) will use the result from
 /*	a successful PREGREET test.
 /* .IP "\fBpostscreen_non_smtp_command_ttl (30d)\fR"
-/*	The amount of time that \fBpostscreen\fR(8) will cache results from
+/*	The amount of time that \fBpostscreen\fR(8) will use the result from
 /*	a successful "non_smtp_command" SMTP protocol test.
 /* .IP "\fBpostscreen_pipelining_ttl (30d)\fR"
-/*	The amount of time that \fBpostscreen\fR(8) will cache results from
+/*	The amount of time that \fBpostscreen\fR(8) will use the result from
 /*	a successful "pipelining" SMTP protocol test.
 /* RESOURCE CONTROLS
 /* .ad
diff --git a/postfix/src/postscreen/postscreen_access.c b/postfix/src/postscreen/postscreen_access.c
index 52a320872..5c67495f7 100644
--- a/postfix/src/postscreen/postscreen_access.c
+++ b/postfix/src/postscreen/postscreen_access.c
@@ -76,7 +76,7 @@
 
 #include <postscreen.h>
 
-#define PSC_ACL_SEPARATORS	" \t\r"
+#define PSC_ACL_SEPARATORS	", \t\r"
 
 static ADDR_MATCH_LIST *psc_mynetworks;
 
diff --git a/postfix/src/postscreen/postscreen_smtpd.c b/postfix/src/postscreen/postscreen_smtpd.c
index e3cc92712..bed1d6661 100644
--- a/postfix/src/postscreen/postscreen_smtpd.c
+++ b/postfix/src/postscreen/postscreen_smtpd.c
@@ -190,10 +190,13 @@ static void psc_smtpd_read_event(int, char *);
   * resume SMTP command events after receiving the asynchrounous proxy
   * response.
   */
-#define PSC_RESUME_SMTP_CMD_EVENTS(state) \
-    PSC_READ_EVENT_REQUEST2(vstream_fileno((state)->smtp_client_stream), \
-			   psc_smtpd_read_event, psc_smtpd_time_event, \
-			   (char *) (state), PSC_EFF_CMD_TIME_LIMIT)
+#define PSC_RESUME_SMTP_CMD_EVENTS(state) do { \
+	PSC_READ_EVENT_REQUEST2(vstream_fileno((state)->smtp_client_stream), \
+			       psc_smtpd_read_event, psc_smtpd_time_event, \
+			       (char *) (state), PSC_EFF_CMD_TIME_LIMIT); \
+	if (!PSC_SMTPD_BUFFER_EMPTY(state)) \
+	    psc_smtpd_read_event(EVENT_READ, (char *) state); \
+    } while (0)
 
 #define PSC_SUSPEND_SMTP_CMD_EVENTS(state) \
     PSC_CLEAR_EVENT_REQUEST(vstream_fileno((state)->smtp_client_stream), \
@@ -374,8 +377,6 @@ static void psc_starttls_resume(int unused_event, char *context)
      * command processor immediately.
      */
     PSC_RESUME_SMTP_CMD_EVENTS(state);
-    if (!PSC_SMTPD_BUFFER_EMPTY(state))
-	psc_smtpd_read_event(EVENT_READ, (char *) state);
 }
 
 /* psc_starttls_cmd - activate the tlsproxy server */
diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c
index 0ce3d8580..f9a525e08 100644
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@@ -42,7 +42,7 @@
 /*	RFC 1869 (SMTP service extensions)
 /*	RFC 1870 (Message Size Declaration)
 /*	RFC 1985 (ETRN command)
-/*	RFC 2034 (SMTP Enhanced Error Codes)
+/*	RFC 2034 (SMTP Enhanced Status Codes)
 /*	RFC 2554 (AUTH command)
 /*	RFC 2821 (SMTP protocol)
 /*	RFC 2920 (SMTP Pipelining)
diff --git a/postfix/src/tlsproxy/tlsproxy.c b/postfix/src/tlsproxy/tlsproxy.c
index aefe43872..f55cfe9f1 100644
--- a/postfix/src/tlsproxy/tlsproxy.c
+++ b/postfix/src/tlsproxy/tlsproxy.c
@@ -7,19 +7,18 @@
 /*	\fBtlsproxy\fR [generic Postfix daemon options]
 /* DESCRIPTION
 /*	The \fBtlsproxy\fR(8) server implements a server-side TLS
-/*	proxy. Its primary use is to talk plaintext SMTP with
-/*	\fBpostscreen\fR(8), and to talk SMTP-over-TLS with remote
-/*	SMTP clients whose whitelist status has expired, but it
-/*	should also work for non-SMTP protocols.
+/*	proxy. It is used by \fBpostscreen\fR(8) to talk SMTP-over-TLS
+/*	with remote SMTP clients whose whitelist status has expired,
+/*	but it should also work for non-SMTP protocols.
 /*
 /*	Although one \fBtlsproxy\fR(8) process can serve multiple
 /*	sessions at the same time, it is a good idea to allow the
 /*	number of processes to increase with load, so that the
-/*	service remains available.
+/*	service remains responsive.
 /* PROTOCOL EXAMPLE
 /* .ad
 /* .fi
-/*	The example below involves \fBpostscreen\fR(8). However,
+/*	The example below concerns \fBpostscreen\fR(8). However,
 /*	the \fBtlsproxy\fR(8) server is agnostic of the application
 /*	protocol, and the example is easily adapted to other
 /*	applications.
diff --git a/postfix/src/tlsproxy/tlsproxy_state.c b/postfix/src/tlsproxy/tlsproxy_state.c
index 8924a99ee..1dcf5b889 100644
--- a/postfix/src/tlsproxy/tlsproxy_state.c
+++ b/postfix/src/tlsproxy/tlsproxy_state.c
@@ -1,6 +1,6 @@
 /*++
 /* NAME
-/*	tlsp_state 3
+/*	tlsproxy_state 3
 /* SUMMARY
 /*	Postfix SMTP server
 /* SYNOPSIS
