From: Wietse Venema <wietse@porcupine.org>
Date: Mon, 10 Dec 2012 05:00:00 +0000 (-0500)
Subject: postfix-2.10-20121210
X-Git-Tag: v2.10.0-RC1~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b046cb2c8a3ac15307365a71a25804edbee87e32;p=thirdparty%2Fpostfix.git

postfix-2.10-20121210
---

diff --git a/postfix/HISTORY b/postfix/HISTORY
index 485b4298f..18a553df8 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -18045,7 +18045,7 @@ Apologies for any names omitted.
 	Documentation: a simpler null-client example.  File:
 	proto/STANDARD_CONFIGURATION_README.html
 
-20120113
+20121013
 
 	Cleanup: to compute the LDAP connection cache lookup key,
 	join the numeric fields with null, just like string fields.
@@ -18061,18 +18061,19 @@ Apologies for any names omitted.
 
 20121022
 
-	Bugfix (introduced 20101009) don't complain abuot stray -m
+	Bugfix (introduced 20101009) don't complain about stray -m
 	option if none of -[bhm] is specified. Ralf Hildebrandt.
 	File: postmap/postmap.c.
 
 20121029 
 
-	Strip datalink suffix from IPv6 addresses returned by the
-	system getaddrinfo() routine.  Such suffixes mess up the
-	default mynetworks value, host name/address verification
-	and possibly more. This change obsoletes the 20101108 change
-	that removes datalink suffixes in the SMTP and QMQP servers.
-	Files: util/myaddrinfo.c, smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
+	Workaround: strip datalink suffix from IPv6 addresses
+	returned by the system getaddrinfo() routine.  Such suffixes
+	mess up the default mynetworks value, host name/address
+	verification and possibly more. This change obsoletes the
+	20101108 change that removes datalink suffixes in the SMTP
+	and QMQP servers.  Files: util/myaddrinfo.c, smtpd/smtpd_peer.c,
+	qmqpd/qmqpd_peer.c.
 
 20121031
 
@@ -18087,7 +18088,7 @@ Apologies for any names omitted.
 	postscreen/postscreen_smtpd.c, proto/POSTSCREEN_README.html.
 
 	Bugfix (introduced: Postfix 1.1): wrong string termination
-	when handling a MBOX From_ line at the start of a message.
+	when handling an MBOX From_ line at the start of a message.
 	File: qmqpd/qmqpd.c.
 
 20121110
@@ -18120,3 +18121,22 @@ Apologies for any names omitted.
 
 	Cleanup: consistent escaping of commands in postscreen deep
 	protocol test logging. File: postscreen/postscreen_smtpd.c.
+
+20121124
+
+	Documentation: the bounce behavior for automatically-added
+	BCC recipients has changed with Postfix 2.3 when DSN support
+	was introduced.  File: proto/postconf.proto.
+
+20121203
+
+	Documentation: added explicit example for -o name=value.
+	File: proto/master.
+
+20121210
+
+	Bugfix (introduced: Postfix 2.9) nesting count error while
+	stripping the optional [] around a DNS[BW]L address pattern.
+	This part of the code is not documented and had escaped
+	testing.  Files: util/ip_match.c, util/ip_match.in,
+	util/ip_match.ref.
diff --git a/postfix/README_FILES/POSTSCREEN_README b/postfix/README_FILES/POSTSCREEN_README
index 6c59a5d14..a7253c670 100644
--- a/postfix/README_FILES/POSTSCREEN_README
+++ b/postfix/README_FILES/POSTSCREEN_README
@@ -13,10 +13,6 @@ process. By keeping spambots away, postscreen(8) leaves more SMTP server
 processes available for legitimate clients, and delays the onset of server
 overload conditions.
 
-postscreen(8) maintains a temporary whitelist for clients that pass its tests;
-by allowing whitelisted clients to skip tests, postscreen(8) minimizes its
-impact on legitimate email traffic.
-
 postscreen(8) should not be used on SMTP ports that receive mail from end-user
 clients (MUAs). In a typical deployment, postscreen(8) handles the MX service
 on TCP port 25, while MUA clients submit mail via the submission service on TCP
@@ -24,6 +20,10 @@ port 587 which requires client authentication. Alternatively, a site could set
 up a dedicated, non-postscreen, "port 25" server that provides submission
 service and client authentication, but no MX service.
 
+postscreen(8) maintains a temporary whitelist for clients that pass its tests;
+by allowing whitelisted clients to skip tests, postscreen(8) minimizes its
+impact on legitimate email traffic.
+
 postscreen(8) is part of a multi-layer defense.
 
   * As the first layer, postscreen(8) blocks connections from zombies and other
diff --git a/postfix/WISHLIST b/postfix/WISHLIST
index b9dd0be81..130a442d4 100644
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@@ -11,6 +11,9 @@ Wish list:
 	Don't forget Apple's code donation for fetching mail from
 	IMAP server.
 
+	Make errno white/blacklist for getpwnam_r etc. and mailbox
+	write errors.
+
 	smtpd_muble_restrictions rule names are case-insensitive.
 	restriction_classes values are case-sensitive but should
 	be case-insensitive for consistency with smtpd_muble_restrictions.
diff --git a/postfix/html/POSTSCREEN_README.html b/postfix/html/POSTSCREEN_README.html
index ba47369e9..ca007ed3f 100644
--- a/postfix/html/POSTSCREEN_README.html
+++ b/postfix/html/POSTSCREEN_README.html
@@ -28,11 +28,6 @@ talk to a Postfix SMTP server process.  By keeping spambots away,
 legitimate clients, and delays the onset of <a
 href="STRESS_README.html">server overload</a> conditions. </p>
 
-<p> <a href="postscreen.8.html">postscreen(8)</a> maintains a temporary whitelist for clients that
-pass its tests; by allowing whitelisted clients to skip tests,
-<a href="postscreen.8.html">postscreen(8)</a> minimizes its impact on legitimate email traffic.
-</p>
-
 <p> <a href="postscreen.8.html">postscreen(8)</a> should not be used on SMTP ports that receive
 mail from end-user clients (MUAs). In a typical deployment,
 <a href="postscreen.8.html">postscreen(8)</a> handles the MX service on TCP port 25, while MUA
@@ -41,6 +36,11 @@ requires client authentication. Alternatively, a site could set up
 a dedicated, non-postscreen, "port 25" server that provides submission
 service and client authentication, but no MX service.  </p>
 
+<p> <a href="postscreen.8.html">postscreen(8)</a> maintains a temporary whitelist for clients that
+pass its tests; by allowing whitelisted clients to skip tests,
+<a href="postscreen.8.html">postscreen(8)</a> minimizes its impact on legitimate email traffic.
+</p>
+
 <p> <a href="postscreen.8.html">postscreen(8)</a> is part of a multi-layer defense. <p>
 
 <ul>
diff --git a/postfix/html/master.5.html b/postfix/html/master.5.html
index b8a0bc3ed..51ad7b755 100644
--- a/postfix/html/master.5.html
+++ b/postfix/html/master.5.html
@@ -208,21 +208,27 @@ MASTER(5)                                                            MASTER(5)
                      <a href="postconf.5.html">main.cf</a>.  See <a href="postconf.5.html"><b>postconf</b>(5)</a> for syntax.
 
                      NOTE 1: do not specify whitespace around the
-                     "=".  In  parameter  values,  either   avoid
-                     whitespace altogether, use commas instead of
-                     spaces,  or  consider  overrides  like   "-o
-                     name=$override_parameter"     with    $over-
-                     ride_parameter set in <a href="postconf.5.html">main.cf</a>.
-
-                     NOTE 2: Over-zealous use of parameter  over-
-                     rides  makes  the Postfix configuration hard
-                     to understand and maintain.   At  a  certain
-                     point,  it might be easier to configure mul-
-                     tiple instances of Postfix, instead of  con-
+                     "=" or in parameter  values.  To  specify  a
+                     parameter  value  that  contains whitespace,
+                     use commas instead of spaces, or specify the
+                     value in <a href="postconf.5.html">main.cf</a>. Example:
+
+                     /etc/postfix/<a href="master.5.html">master.cf</a>:
+                         submission inet .... smtpd
+                             -o smtpd_mumble=$submission_mumble
+
+                     /etc/postfix/<a href="postconf.5.html">main.cf</a>
+                         submission_mumble = text with whitespace...
+
+                     NOTE  2: Over-zealous use of parameter over-
+                     rides makes the Postfix  configuration  hard
+                     to  understand  and  maintain.  At a certain
+                     point, it might be easier to configure  mul-
+                     tiple  instances of Postfix, instead of con-
                      figuring  multiple  personalities  via  mas-
                      ter.cf.
 
-              <b>-v</b>     Increase the verbose logging level.  Specify
+              <b>-v</b>     Increase  the verbose logging level. Specify
                      multiple <b>-v</b> options to make a Postfix daemon
                      process increasingly verbose.
 
@@ -235,7 +241,7 @@ MASTER(5)                                                            MASTER(5)
        <a href="DEBUG_README.html">DEBUG_README</a>, Postfix debugging
 
 <b>LICENSE</b>
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index fc06380f3..af5878dd7 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -768,8 +768,15 @@ that is received by the Postfix mail system.
 </p>
 
 <p>
-Note: if mail to the BCC address bounces it will be returned to
-the sender.
+Note: with Postfix 2.3 and later the BCC address is added as if it
+was specified with NOTIFY=NONE. The sender will not be notified
+when the BCC address is undeliverable, as long as all down-stream
+software implements <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a>.
+</p>
+
+<p>
+Note: with Postfix 2.2 and earlier the sender will be notified
+when the BCC address is undeliverable.
 </p>
 
 <p> Note: automatic BCC recipients are produced only for new mail.
@@ -8387,8 +8394,15 @@ run "<b>postmap /etc/postfix/recipient_bcc</b>".
 </p>
 
 <p>
-Note: if mail to the BCC address bounces it will be returned to
-the sender.
+Note: with Postfix 2.3 and later the BCC address is added as if it
+was specified with NOTIFY=NONE. The sender will not be notified
+when the BCC address is undeliverable, as long as all down-stream
+software implements <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a>.
+</p>
+
+<p>
+Note: with Postfix 2.2 and earlier the sender will be notified
+when the BCC address is undeliverable.
 </p>
 
 <p> Note: automatic BCC recipients are produced only for new mail.
@@ -8995,8 +9009,15 @@ run "<b>postmap /etc/postfix/sender_bcc</b>".
 </p>
 
 <p>
-Note: if mail to the BCC address bounces it will be returned to
-the sender.
+Note: with Postfix 2.3 and later the BCC address is added as if it
+was specified with NOTIFY=NONE. The sender will not be notified
+when the BCC address is undeliverable, as long as all down-stream
+software implements <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a>.
+</p>
+
+<p>
+Note: with Postfix 2.2 and earlier the sender will be notified
+when the BCC address is undeliverable.
 </p>
 
 <p> Note: automatic BCC recipients are produced only for new mail.
diff --git a/postfix/html/postscreen.8.html b/postfix/html/postscreen.8.html
index 5d5ec05ba..12f9b02f1 100644
--- a/postfix/html/postscreen.8.html
+++ b/postfix/html/postscreen.8.html
@@ -19,15 +19,17 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
        decides which clients may talk to a  Postfix  SMTP  server
        process.   By  keeping spambots away, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> leaves
        more  SMTP  server  processes  available  for   legitimate
-       clients.
+       clients,  and  delays  the onset of server overload condi-
+       tions.
 
        This program should not be used on SMTP ports that receive
-       mail from end-user clients (MUAs). In  a  typical  deploy-
-       ment,  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  is  used  on  the "port 25" service,
-       while MUA clients submit mail via the <b>submission</b>  service,
-       or  via  a  "port  25"  server that provides no MX service
-       (i.e.  a dedicated server that provides <b>submission</b> service
-       on port 25).
+       mail  from  end-user  clients (MUAs). In a typical deploy-
+       ment, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> handles the MX service on TCP port 25,
+       while  MUA  clients submit mail via the <b>submission</b> service
+       on TCP port  587  which  requires  client  authentication.
+       Alternatively,  a  site  could  set  up  a dedicated, non-
+       postscreen, "port 25" server that provides <b>submission</b> ser-
+       vice and client authentication, but no MX service.
 
        <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  maintains a temporary whitelist for clients
        that have passed a number of tests.  When an  SMTP  client
diff --git a/postfix/man/man5/master.5 b/postfix/man/man5/master.5
index 272eb21da..efc6d55e1 100644
--- a/postfix/man/man5/master.5
+++ b/postfix/man/man5/master.5
@@ -187,11 +187,19 @@ parameter value can refer to other parameters as \fI$name\fR
 etc., just like in main.cf.  See \fBpostconf\fR(5) for
 syntax.
 .sp
-NOTE 1: do not specify whitespace around the "=". In parameter
-values, either avoid whitespace altogether, use commas
-instead of spaces, or consider overrides like "-o
-name=$override_parameter" with $override_parameter set in
-main.cf.
+NOTE 1: do not specify whitespace around the "=" or in
+parameter values. To specify a parameter value that contains
+whitespace, use commas instead of spaces, or specify the
+value in main.cf. Example:
+.sp
+.nf
+/etc/postfix/master.cf:
+    submission inet .... smtpd
+        -o smtpd_mumble=$submission_mumble
+.sp
+/etc/postfix/main.cf
+    submission_mumble = text with whitespace...
+.fi
 .sp
 NOTE 2: Over-zealous use of parameter overrides makes the
 Postfix configuration hard to understand and maintain.  At
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index 94c40486d..5c0164575 100644
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -438,8 +438,13 @@ may break DKIM signatures that cover non-existent headers.
 Optional address that receives a "blind carbon copy" of each message
 that is received by the Postfix mail system.
 .PP
-Note: if mail to the BCC address bounces it will be returned to
-the sender.
+Note: with Postfix 2.3 and later the BCC address is added as if it
+was specified with NOTIFY=NONE. The sender will not be notified
+when the BCC address is undeliverable, as long as all down-stream
+software implements RFC 3461.
+.PP
+Note: with Postfix 2.2 and earlier the sender will be notified
+when the BCC address is undeliverable.
 .PP
 Note: automatic BCC recipients are produced only for new mail.
 To avoid mailer loops, automatic BCC recipients are not generated
@@ -5026,8 +5031,13 @@ Look up the "@domain.tld" part.
 Specify the types and names of databases to use.  After change,
 run "\fBpostmap /etc/postfix/recipient_bcc\fR".
 .PP
-Note: if mail to the BCC address bounces it will be returned to
-the sender.
+Note: with Postfix 2.3 and later the BCC address is added as if it
+was specified with NOTIFY=NONE. The sender will not be notified
+when the BCC address is undeliverable, as long as all down-stream
+software implements RFC 3461.
+.PP
+Note: with Postfix 2.2 and earlier the sender will be notified
+when the BCC address is undeliverable.
 .PP
 Note: automatic BCC recipients are produced only for new mail.
 To avoid mailer loops, automatic BCC recipients are not generated
@@ -5443,8 +5453,13 @@ Look up the "@domain.tld" part.
 Specify the types and names of databases to use.  After change,
 run "\fBpostmap /etc/postfix/sender_bcc\fR".
 .PP
-Note: if mail to the BCC address bounces it will be returned to
-the sender.
+Note: with Postfix 2.3 and later the BCC address is added as if it
+was specified with NOTIFY=NONE. The sender will not be notified
+when the BCC address is undeliverable, as long as all down-stream
+software implements RFC 3461.
+.PP
+Note: with Postfix 2.2 and earlier the sender will be notified
+when the BCC address is undeliverable.
 .PP
 Note: automatic BCC recipients are produced only for new mail.
 To avoid mailer loops, automatic BCC recipients are not generated
diff --git a/postfix/man/man8/postscreen.8 b/postfix/man/man8/postscreen.8
index 22a61191e..821748de8 100644
--- a/postfix/man/man8/postscreen.8
+++ b/postfix/man/man8/postscreen.8
@@ -17,15 +17,17 @@ protection against mail server overload. One \fBpostscreen\fR(8)
 process handles multiple inbound SMTP connections, and decides
 which clients may talk to a Postfix SMTP server process.
 By keeping spambots away, \fBpostscreen\fR(8) leaves more
-SMTP server processes available for legitimate clients.
+SMTP server processes available for legitimate clients, and
+delays the onset of server overload conditions.
 
 This program should not be used on SMTP ports that receive
 mail from end-user clients (MUAs). In a typical deployment,
-\fBpostscreen\fR(8) is used on the "port 25" service, while
-MUA clients submit mail via the \fBsubmission\fR service,
-or via a "port 25" server that provides no MX service (i.e.
-a dedicated server that provides \fBsubmission\fR service
-on port 25).
+\fBpostscreen\fR(8) handles the MX service on TCP port 25,
+while MUA clients submit mail via the \fBsubmission\fR
+service on TCP port 587 which requires client authentication.
+Alternatively, a site could set up a dedicated, non-postscreen,
+"port 25" server that provides \fBsubmission\fR service and
+client authentication, but no MX service.
 
 \fBpostscreen\fR(8) maintains a temporary whitelist for
 clients that have passed a number of tests.  When an SMTP
diff --git a/postfix/proto/POSTSCREEN_README.html b/postfix/proto/POSTSCREEN_README.html
index c7a4f020e..f91c63a96 100644
--- a/postfix/proto/POSTSCREEN_README.html
+++ b/postfix/proto/POSTSCREEN_README.html
@@ -28,11 +28,6 @@ postscreen(8) leaves more SMTP server processes available for
 legitimate clients, and delays the onset of <a
 href="STRESS_README.html">server overload</a> conditions. </p>
 
-<p> postscreen(8) maintains a temporary whitelist for clients that
-pass its tests; by allowing whitelisted clients to skip tests,
-postscreen(8) minimizes its impact on legitimate email traffic.
-</p>
-
 <p> postscreen(8) should not be used on SMTP ports that receive
 mail from end-user clients (MUAs). In a typical deployment,
 postscreen(8) handles the MX service on TCP port 25, while MUA
@@ -41,6 +36,11 @@ requires client authentication. Alternatively, a site could set up
 a dedicated, non-postscreen, "port 25" server that provides submission
 service and client authentication, but no MX service.  </p>
 
+<p> postscreen(8) maintains a temporary whitelist for clients that
+pass its tests; by allowing whitelisted clients to skip tests,
+postscreen(8) minimizes its impact on legitimate email traffic.
+</p>
+
 <p> postscreen(8) is part of a multi-layer defense. <p>
 
 <ul>
diff --git a/postfix/proto/master b/postfix/proto/master
index 9fda10188..d4f2dc297 100644
--- a/postfix/proto/master
+++ b/postfix/proto/master
@@ -181,11 +181,19 @@
 #	etc., just like in main.cf.  See \fBpostconf\fR(5) for
 #	syntax.
 # .sp
-#	NOTE 1: do not specify whitespace around the "=". In parameter
-#	values, either avoid whitespace altogether, use commas
-#	instead of spaces, or consider overrides like "-o
-#	name=$override_parameter" with $override_parameter set in
-#	main.cf.
+#	NOTE 1: do not specify whitespace around the "=" or in
+#	parameter values. To specify a parameter value that contains
+#	whitespace, use commas instead of spaces, or specify the
+#	value in main.cf. Example:
+# .sp
+# .nf
+#	/etc/postfix/master.cf:
+#	    submission inet .... smtpd
+#		-o smtpd_mumble=$submission_mumble
+# .sp
+#	/etc/postfix/main.cf
+#	    submission_mumble = text with whitespace...
+# .fi
 # .sp
 #	NOTE 2: Over-zealous use of parameter overrides makes the
 #	Postfix configuration hard to understand and maintain.  At
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index d7b5bb139..307c10d11 100644
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -636,8 +636,15 @@ that is received by the Postfix mail system.
 </p>
 
 <p>
-Note: if mail to the BCC address bounces it will be returned to
-the sender.
+Note: with Postfix 2.3 and later the BCC address is added as if it
+was specified with NOTIFY=NONE. The sender will not be notified
+when the BCC address is undeliverable, as long as all down-stream
+software implements RFC 3461.
+</p>
+
+<p>
+Note: with Postfix 2.2 and earlier the sender will be notified 
+when the BCC address is undeliverable.
 </p>
 
 <p> Note: automatic BCC recipients are produced only for new mail.
@@ -3433,8 +3440,15 @@ run "<b>postmap /etc/postfix/recipient_bcc</b>".
 </p>
 
 <p>
-Note: if mail to the BCC address bounces it will be returned to
-the sender.
+Note: with Postfix 2.3 and later the BCC address is added as if it
+was specified with NOTIFY=NONE. The sender will not be notified
+when the BCC address is undeliverable, as long as all down-stream
+software implements RFC 3461.
+</p>
+ 
+<p>
+Note: with Postfix 2.2 and earlier the sender will be notified
+when the BCC address is undeliverable.
 </p>
 
 <p> Note: automatic BCC recipients are produced only for new mail.
@@ -3713,8 +3727,15 @@ run "<b>postmap /etc/postfix/sender_bcc</b>".
 </p>
 
 <p>
-Note: if mail to the BCC address bounces it will be returned to
-the sender.
+Note: with Postfix 2.3 and later the BCC address is added as if it
+was specified with NOTIFY=NONE. The sender will not be notified
+when the BCC address is undeliverable, as long as all down-stream
+software implements RFC 3461.
+</p>
+ 
+<p>
+Note: with Postfix 2.2 and earlier the sender will be notified
+when the BCC address is undeliverable.
 </p>
 
 <p> Note: automatic BCC recipients are produced only for new mail.
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 09466a4dd..b747bb7ab 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20121123"
+#define MAIL_RELEASE_DATE	"20121210"
 #define MAIL_VERSION_NUMBER	"2.10"
 
 #ifdef SNAPSHOT
diff --git a/postfix/src/postscreen/postscreen.c b/postfix/src/postscreen/postscreen.c
index 6ab4a2ef0..0149b59ad 100644
--- a/postfix/src/postscreen/postscreen.c
+++ b/postfix/src/postscreen/postscreen.c
@@ -11,15 +11,17 @@
 /*	process handles multiple inbound SMTP connections, and decides
 /*	which clients may talk to a Postfix SMTP server process.
 /*	By keeping spambots away, \fBpostscreen\fR(8) leaves more
-/*	SMTP server processes available for legitimate clients.
+/*	SMTP server processes available for legitimate clients, and
+/*	delays the onset of server overload conditions.
 /*
 /*	This program should not be used on SMTP ports that receive
 /*	mail from end-user clients (MUAs). In a typical deployment,
-/*	\fBpostscreen\fR(8) is used on the "port 25" service, while
-/*	MUA clients submit mail via the \fBsubmission\fR service,
-/*	or via a "port 25" server that provides no MX service (i.e.
-/*	a dedicated server that provides \fBsubmission\fR service
-/*	on port 25).
+/*	\fBpostscreen\fR(8) handles the MX service on TCP port 25,
+/*	while MUA clients submit mail via the \fBsubmission\fR
+/*	service on TCP port 587 which requires client authentication.
+/*	Alternatively, a site could set up a dedicated, non-postscreen,
+/*	"port 25" server that provides \fBsubmission\fR service and
+/*	client authentication, but no MX service.
 /*
 /*	\fBpostscreen\fR(8) maintains a temporary whitelist for
 /*	clients that have passed a number of tests.  When an SMTP
diff --git a/postfix/src/util/ip_match.c b/postfix/src/util/ip_match.c
index 1cf1b78d8..aeea799f4 100644
--- a/postfix/src/util/ip_match.c
+++ b/postfix/src/util/ip_match.c
@@ -445,7 +445,7 @@ char   *ip_match_parse(VSTRING *byte_codes, char *pattern)
      * Simplify this if we change to {} for wildcard notation.
      */
 #define FIND_TERMINATOR(start, cp) do { \
-	int _level = 1; \
+	int _level = 0; \
 	for (cp = (start) ; *cp; cp++) { \
 	    if (*cp == '[') _level++; \
 	    if (*cp != ']') continue; \
diff --git a/postfix/src/util/ip_match.in b/postfix/src/util/ip_match.in
index bca0d6e67..072657bd9 100644
--- a/postfix/src/util/ip_match.in
+++ b/postfix/src/util/ip_match.in
@@ -20,3 +20,5 @@ a
 1.2.3.4x
 1.2.[3..11].5	1.2.3.5	1.2.2.5	1.2.11.5 1.2.12.5  1.2.11.6
 1.2.[3;5;7;9;11].5	1.2.3.5	1.2.2.5	1.2.4.5 1.2.11.5 1.2.12.5  1.2.11.6
+[1;2].3.4.5 1.3.4.5 2.3.4.5 3.3.4.5
+[[1;2].3.4.5] 1.3.4.5 2.3.4.5 3.3.4.5
diff --git a/postfix/src/util/ip_match.ref b/postfix/src/util/ip_match.ref
index 22c823edf..da06ca959 100644
--- a/postfix/src/util/ip_match.ref
+++ b/postfix/src/util/ip_match.ref
@@ -53,3 +53,13 @@ Match 1.2.4.5: no
 Match 1.2.11.5: yes
 Match 1.2.12.5: no
 Match 1.2.11.6: no
+> [1;2].3.4.5 1.3.4.5 2.3.4.5 3.3.4.5
+Code: [1;2].3.4.5
+Match 1.3.4.5: yes
+Match 2.3.4.5: yes
+Match 3.3.4.5: no
+> [[1;2].3.4.5] 1.3.4.5 2.3.4.5 3.3.4.5
+Code: [1;2].3.4.5
+Match 1.3.4.5: yes
+Match 2.3.4.5: yes
+Match 3.3.4.5: no