From: Wietse Venema Date: Mon, 15 Sep 2003 05:00:00 +0000 (-0500) Subject: postfix-2.0.16-20030915 X-Git-Tag: v2.1-RC1-20040331~41 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b7fe5bb66968bd53c3da03bd700a75405897d0a9;p=thirdparty%2Fpostfix.git postfix-2.0.16-20030915 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index e75da3493..07311ca92 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -8467,6 +8467,13 @@ Apologies for any names omitted. networks. Based on code by Ben Rosengart, Panix. Files: conf/sample-auth.cf, smtpd/smtpd.c. +20030902 + + Portability: the Postfix master resets the file size to + the largest possible off_t value when the actual limit + appears to overflow the off_t range. Files: util/sys_defs.h, + util/file_limit.c. A fine sample of bit banging. + 20030905 Workaround: Solaris 8 select() claims that a non-blocking @@ -8494,9 +8501,9 @@ Apologies for any names omitted. 20030908 - The 20030905 workaround triggers too many warnings. TCP - sockets are back to blocking, and keepalives are turned on - to kill off dead sockets, as suggested by Leandro Santi. + The 20030905 Solaris workaround triggers too many warnings. + TCP sockets are back to blocking, and keepalives are turned + on to kill off dead sockets, as suggested by Leandro Santi. Files: master/{single,multi}_server.c, smtpd/smtpd.c, util/sys_defs.h. @@ -8507,6 +8514,14 @@ Apologies for any names omitted. was working poorly. Fix by Victor Duchovni, Morgan Stanley. Files: lmtp/lmtp.c, lmtp/lmtp_proto.c. +20030912 + + Workaround: besides SMTP server sockets, SMTP client sockets + can also hang on Solaris, as reported by Leandro Santi. In + order to deal with this at the root, all connection management + is now done by sane_accept() and sane_connect(). Both turn + on keepalives on Solaris. + 20030913 Safety: set-gid commands don't trust TZ. File: msg_syslog.c. 
@@ -8520,7 +8535,8 @@ Apologies for any names omitted. Dean Gibson. In header/body_checks, DUNNO is now the preferred action - instead of the now deprecated OK. + instead of the now deprecated OK. This may confuse fewer + people. In header/body_checks, allow text after IGNORE and DUNNO, suggested by Victor Duchovni, Morgan Stanley. File: @@ -8528,14 +8544,21 @@ Apologies for any names omitted. Feature: reject_rhsbl_helo. File: smtpd/smtpd_check.c. - Cleanup: the LMTP and SMTP clients now send "MAIL FROM: + Bugfix? The LMTP and SMTP clients now send "MAIL FROM: AUTH=<>" when SASL authenticated. Suggested by by Victor Duchovni, Morgan Stanley. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c. -Open problems: +20030915 - Med: do not list myorigin in virtual_alias_maps. + Bugfix: mail rejected by the before-queue content filter + was mis-labeled as a software error; it should be labeled + as a policy error instead. File: smtpd/smtpd.c. + + Cleanup: postcat is now null-byte transparent. File: + postcat/postcat.c. + +Open problems: High: when virtual aliasing is turned off after content filtering, local submissions may escape virtual aliasing. @@ -8544,8 +8567,6 @@ Open problems: request is in progress; this can result in multiple non-delivery notifications. - Low: postcat should be null byte transparent. - Low: qmgr_move should not reset time stamps on queue files without shared lock (i.e. not open by a delivery agent). diff --git a/postfix/README_FILES/SMTPD_PROXY_README b/postfix/README_FILES/SMTPD_PROXY_README index 3379a588b..04943a581 100644 --- a/postfix/README_FILES/SMTPD_PROXY_README +++ b/postfix/README_FILES/SMTPD_PROXY_README 
@@ -1,9 +1,9 @@ -Purpose of the SMTP-based before-queue proxy filter feature -=========================================================== +Purpose of the before-queue content filter feature +================================================== Normally, Postfix receives mail, stores it in the mail queue and then delivers it. The Postfix SMTP server can be configured to -forward all incoming mail through a proxy filter (for example, a +forward all incoming mail to a content filter (for example, a real-time SPAM filter) that inspects all mail BEFORE it is stored in the Postfix mail queue. @@ -11,7 +11,7 @@ in the Postfix mail queue. FILTER_README document, where all mail is inspected AFTER it is stored in the Postfix mail queue] -The SMTP-based before-queue proxy filter is meant to be used as follows: +The before-queue content filter is meant to be used as follows: before / smtp Internet -> smtpd -> queue -> smtpd -> cleanup -> queue -> local @@ -34,14 +34,14 @@ after-queue content filter: queue <- filter -The SMTP-based before-queue proxy filter receives unfiltered mail -from Postfix and does one of the following: +The before-queue content filter receives unfiltered SMTP mail from +Postfix and does one of the following: 1 - Re-inject the mail back into Postfix via SMTP, perhaps after changing content. -2 - Reject the mail (by sending a suitable status code back to - Postfix). Postfix passes the status back to the remote SMTP +2 - Reject the mail by sending a suitable SMTP status code back + to Postfix. Postfix passes the status back to the remote SMTP client. This way, Postfix does not have to send a bounce message. 3 - Send the mail somewhere else. 
@@ -49,46 +49,37 @@ from Postfix and does one of the following: Limitations =========== -The SMTP-based before-queue proxy filter allows Postfix to reject -mail before the incoming SMTP mail transfer completes, so that -Postfix does not have to send rejected mail back to the sender. -Mail that is not accepted remains the responsibility of the client. - -In all other respects this content filtering approach is inferior -to the existing content filter (see FILTER_README) which processes -mail AFTER it is queued, because that gives you full control over -how many filtering processes can be run in parallel. +The before-queue content filter allows Postfix to reject mail before +the incoming SMTP mail transfer completes, so that Postfix does +not have to send rejected mail back to the sender. Mail that is +not accepted remains the responsibility of the remote SMTP client. The problem with before-queue content filtering is that the remote SMTP client expects an SMTP reply within a deadline. As the system load increases, fewer and fewer CPU cycles remain available to answer within the deadline, and eventually you either have to stop -accepting mail or you have to accept unfiltered mail. +accepting mail or you have to stop filtering the mail. -A possible workaround is to have the proxy take special action when -the deadline is reached: add a distinctive message header that -triggers a Postfix header_checks FILTER action, or send the mail -into Postfix via an alternative Postfix SMTP server that always -turns on content filtering. - -How Postfix talks to the before-queue proxy filter +How Postfix talks to the before-queue content filter ================================================== -When passing mail to the SMTP-based before-queue filter, Postfix -generates its own EHLO, DATA and QUIT commands, and forwards -unmodified copies of the MAIL FROM and RCPT TO commands that the -Postfix SMTP server has approved. All commands are sent without -using ESMTP command pipelining. 
The SMTP proxy server should accept -the same MAIL FROM and RCPT TO command syntax as the Postfix SMTP +Postfix makes one connection per email message. Postfix speaks +ESMTP, but uses no command pipelining. Postfix generates its own +EHLO, DATA and QUIT commands, and forwards unmodified copies of +all the MAIL FROM and RCPT TO commands that the Postfix SMTP server +didn't reject itself. The SMTP proxy server should accept the same +MAIL FROM and RCPT TO command syntax as the Postfix SMTP server. +Postfix sends no other SMTP commands. + +The content filter is expected to pass on unmodified SMTP commands +from a before-filter Postfix SMTP server to an after-filter Postfix +SMTP server that listens on a non-standard port. When the filter +rejects content, it should send a negative SMTP response back to +the before-filter Postfix SMTP server, and it should abort any +connection with the after-filter Postfix SMTP server without +completing the SMTP conversation with the after-filter Postfix SMTP server. -The before-queue proxy filter is expected literally pass on the -SMTP commands that it receives from Postfix to an after-filter -Postfix SMTP server that listens on a non-standard port. When the -filter rejects content, it should send a negative response back to -Postfix, and it should abort any connection with the after-filter -Postfix SMTP server without completing the SMTP dialog. - Configuration parameters ======================== 
@@ -96,12 +87,12 @@ Parameters that control proxying: smtpd_proxy_filter (syntax: host:port) - The host and TCP port of the before-queue proxy filter. When + The host and TCP port of the before-queue content filter. When no host or host: is specified, localhost is assumed. smtpd_proxy_timeout (default: 100s) - Timeout for connecting to the before-queue proxy filter and + Timeout for connecting to the before-queue content filter and for sending and receiving commands and data. All proxy errors are logged to the maillog file. For privacy reasons, all the remote SMTP client sees is "451 Error: queue file write error". @@ -109,15 +100,15 @@ smtpd_proxy_timeout (default: 100s) smtpd_proxy_ehlo (default: $myhostname) The hostname to use when sending an EHLO command to the - before-queue proxy filter. + before-queue content filter. Testing the SMTP pass-through proxy feature =========================================== -The following example sets up a null proxy, that is, the Postfix -SMTP server gives the mail directly to another Postfix SMTP server -process without intervening content filter. This useful only for -testing, of course. +The following example sets up a null content filter, that is, the +Postfix SMTP server gives the mail directly to another Postfix SMTP +server process without intervening content filter. This useful only +for testing, of course. /etc/postfix/master.cf smtp inet n - n - - smtpd diff --git a/postfix/conf/access b/postfix/conf/access index e95204eb9..8c82d98ec 100644 --- a/postfix/conf/access +++ b/postfix/conf/access 
@@ -66,28 +66,29 @@ # The pattern domain.tld also matches subdomains, but # only when the string smtpd_access_maps is listed in # the Postfix parent_domain_matches_subdomains con- -# figuration setting. Otherwise, specify .domain.tld -# (note the initial dot) in order to match subdo- -# mains. +# figuration setting (note that this is the default +# for some versions of Postfix). Otherwise, specify +# .domain.tld (note the initial dot) in order to +# match subdomains. # -# user@ Matches all mail addresses with the specified user +# user@ Matches all mail addresses with the specified user # part. # -# Note: lookup of the null sender address is not possible -# with some types of lookup table. By default, Postfix uses -# <> as the lookup key for such addresses. The value is -# specified with the smtpd_null_access_lookup_key parameter +# Note: lookup of the null sender address is not possible +# with some types of lookup table. By default, Postfix uses +# <> as the lookup key for such addresses. The value is +# specified with the smtpd_null_access_lookup_key parameter # in the Postfix main.cf file. # # EMAIL ADDRESS EXTENSION # When a mail address localpart contains the optional recip- -# ient delimiter (e.g., user+foo@domain), the lookup order -# becomes: user+foo@domain, user@domain, domain, user+foo@, +# ient delimiter (e.g., user+foo@domain), the lookup order +# becomes: user+foo@domain, user@domain, domain, user+foo@, # and user@. # # HOST NAME/ADDRESS PATTERNS # With lookups from indexed files such as DB or DBM, or from -# networked tables such as NIS, LDAP or SQL, the following +# networked tables such as NIS, LDAP or SQL, the following # lookup patterns are examined in the order as listed: # # domain.tld 
@@ -95,9 +96,9 @@ # # The pattern domain.tld also matches subdomains, but # only when the string smtpd_access_maps is listed in -# the Postfix parent_domain_matches_subdomains con- +# the Postfix parent_domain_matches_subdomains con- # figuration setting. Otherwise, specify .domain.tld -# (note the initial dot) in order to match subdo- +# (note the initial dot) in order to match subdo- # mains. # # net.work.addr.ess 
@@ -106,88 +107,88 @@ # # net.work # -# net Matches any host address in the specified network. -# A network address is a sequence of one or more +# net Matches any host address in the specified network. +# A network address is a sequence of one or more # octets separated by ".". # -# NOTE: use the cidr lookup table type to specify +# NOTE: use the cidr lookup table type to specify # network/netmask patterns. See cidr_table(5) for # details. # # ACTIONS # [45]NN text -# Reject the address etc. that matches the pattern, +# Reject the address etc. that matches the pattern, # and respond with the numerical code and text. # # REJECT optional text... -# Reject the address etc. that matches the pattern. -# Reply with $reject_code optional text... when the -# optional text is specified, otherwise reply with a +# Reject the address etc. that matches the pattern. +# Reply with $reject_code optional text... when the +# optional text is specified, otherwise reply with a # generic error response message. # # DEFER_IF_REJECT optional text... -# Defer the request if some later restriction would +# Defer the request if some later restriction would # result in a REJECT action. Reply with "450 optional # text... when the optional text is specified, other- # wise reply with a generic error response message. # # DEFER_IF_PERMIT optional text... -# Defer the request if some later restriction would +# Defer the request if some later restriction would # result in a PERMIT action (there is an implied PER- -# MIT at the end of each restriction list). Reply -# with "450 optional text... when the optional text -# is specified, otherwise reply with a generic error +# MIT at the end of each restriction list). Reply +# with "450 optional text... when the optional text +# is specified, otherwise reply with a generic error # response message. # # OK Accept the address etc. that matches the pattern. # # all-numerical # An all-numerical result is treated as OK. 
This for- -# mat is generated by address-based relay authoriza- +# mat is generated by address-based relay authoriza- # tion schemes. # -# DUNNO Pretend that the lookup key was not found in this +# DUNNO Pretend that the lookup key was not found in this # table. This prevents Postfix from trying substrings -# of the lookup key (such as a subdomain name, or a +# of the lookup key (such as a subdomain name, or a # network address subnetwork). # # HOLD optional text... -# Place the message on the hold queue, where it will -# sit until someone either deletes it or releases it -# for delivery. Log the optional text if specified, +# Place the message on the hold queue, where it will +# sit until someone either deletes it or releases it +# for delivery. Log the optional text if specified, # otherwise log a generic message. # -# Mail that is placed on hold can be examined with -# the postcat(1) command, and can be destroyed or +# Mail that is placed on hold can be examined with +# the postcat(1) command, and can be destroyed or # released with the postsuper(1) command. # -# Note: this action currently affects all recipients +# Note: this action currently affects all recipients # of the message. # # DISCARD optional text... -# Claim successful delivery and silently discard the -# message. Log the optional text if specified, oth- +# Claim successful delivery and silently discard the +# message. Log the optional text if specified, oth- # erwise log a generic message. # -# Note: this action currently affects all recipients +# Note: this action currently affects all recipients # of the message. # # FILTER transport:destination -# After the message is queued, send the entire mes- -# sage through a content filter. More information +# After the message is queued, send the entire mes- +# sage through a content filter. More information # about content filters is in the Postfix FIL- # TER_README file. 
# -# Note: this action overrides the main.cf con- +# Note: this action overrides the main.cf con- # tent_filter setting, and currently affects all # recipients of the message. # # REDIRECT user@domain -# After the message is queued, send the message to +# After the message is queued, send the message to # the specified address instead of the intended # recipient(s). # -# Note: this action overrides the FILTER action, and +# Note: this action overrides the FILTER action, and # currently affects all recipients of the message. # # restriction... 
@@ -195,46 +196,46 @@ # reject_unauth_destination, and so on). # # REGULAR EXPRESSION TABLES -# This section describes how the table lookups change when +# This section describes how the table lookups change when # the table is given in the form of regular expressions. For -# a description of regular expression lookup table syntax, +# a description of regular expression lookup table syntax, # see regexp_table(5) or pcre_table(5). # -# Each pattern is a regular expression that is applied to +# Each pattern is a regular expression that is applied to # the entire string being looked up. Depending on the appli- -# cation, that string is an entire client hostname, an +# cation, that string is an entire client hostname, an # entire client IP address, or an entire mail address. Thus, # no parent domain or parent network search is done, -# user@domain mail addresses are not broken up into their +# user@domain mail addresses are not broken up into their # user@ and domain constituent parts, nor is user+foo broken # up into user and foo. # -# Patterns are applied in the order as specified in the -# table, until a pattern is found that matches the search +# Patterns are applied in the order as specified in the +# table, until a pattern is found that matches the search # string. # -# Actions are the same as with indexed file lookups, with -# the additional feature that parenthesized substrings from +# Actions are the same as with indexed file lookups, with +# the additional feature that parenthesized substrings from # the pattern can be interpolated as $1, $2 and so on. # # TCP-BASED TABLES -# This section describes how the table lookups change when +# This section describes how the table lookups change when # lookups are directed to a TCP-based server. For a descrip- -# tion of the TCP client/server lookup protocol, see +# tion of the TCP client/server lookup protocol, see # tcp_table(5). # -# Each lookup operation uses the entire query string once. 
-# Depending on the application, that string is an entire +# Each lookup operation uses the entire query string once. +# Depending on the application, that string is an entire # client hostname, an entire client IP address, or an entire -# mail address. Thus, no parent domain or parent network -# search is done, user@domain mail addresses are not broken -# up into their user@ and domain constituent parts, nor is +# mail address. Thus, no parent domain or parent network +# search is done, user@domain mail addresses are not broken +# up into their user@ and domain constituent parts, nor is # user+foo broken up into user and foo. # # Actions are the same as with indexed file lookups. # # BUGS -# The table format does not understand quoting conventions. +# The table format does not understand quoting conventions. # # SEE ALSO # postmap(1) create lookup table @@ -245,7 +246,7 @@ # tcp_table(5) TCP client/server table lookup protocol # # LICENSE -# The Secure Mailer license must be distributed with this +# The Secure Mailer license must be distributed with this # software. # # AUTHOR(S) diff --git a/postfix/html/access.5.html b/postfix/html/access.5.html index fa66e44ea..05ee78708 100644 --- a/postfix/html/access.5.html +++ b/postfix/html/access.5.html @@ -1,4 +1,4 @@ -
+  
 ACCESS(5)                                               ACCESS(5)
 
 NAME
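Review bot: in the postfix/HISTORY hunk at -8528,14, the entry relabelled from "Cleanup:" to "Bugfix?" leaves readers unsure whether the old MAIL FROM behaviour under SASL was a defect; pick "Bugfix:" or "Cleanup:" and say in a sentence what was wrong before. The context line just below it still reads "Suggested by by Victor Duchovni", and the doubled "by" can be fixed while this entry is being edited.

Review bot: in the SMTPD_PROXY_README hunk at -49,46, the renamed heading "How Postfix talks to the before-queue content filter" sits above an underline that is an unchanged context line, so the underline is now two characters shorter than the heading; lengthen it as was done for the "Purpose of ..." heading in the first hunk. The new paragraph also still says "The SMTP proxy server should accept" while the rest of the file now says "content filter". Finally, the hunk drops the "A possible workaround ..." paragraph and ends Limitations on "stop filtering the mail" without saying what the remote SMTP client sees when the filter misses the deadline; one sentence tying this to smtpd_proxy_timeout and the "451 Error: queue file write error" reply described under Configuration parameters would make the failure behaviour explicit.

Review bot: in the SMTPD_PROXY_README hunk at -96,12, the re-wrapped sentence "This useful only for testing, of course." is missing its verb; make it "This is useful only for testing". The section heading "Testing the SMTP pass-through proxy feature" is left as context and keeps the old "proxy" wording next to the new "null content filter" text.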
@@ -67,28 +67,29 @@ ACCESS(5)                                               ACCESS(5)
               The pattern domain.tld also matches subdomains, but
               only when the string smtpd_access_maps is listed in
               the  Postfix  parent_domain_matches_subdomains con-
-              figuration setting.  Otherwise, specify .domain.tld
-              (note  the  initial  dot)  in order to match subdo-
-              mains.
+              figuration setting (note that this is  the  default
+              for  some versions of Postfix).  Otherwise, specify
+              .domain.tld (note the  initial  dot)  in  order  to
+              match subdomains.
 
-       user@  Matches all mail addresses with the specified  user
+       user@  Matches  all mail addresses with the specified user
               part.
 
-       Note:  lookup  of  the null sender address is not possible
-       with some types of lookup table. By default, Postfix  uses
-       <>  as  the  lookup  key  for such addresses. The value is
-       specified with the smtpd_null_access_lookup_key  parameter
+       Note: lookup of the null sender address  is  not  possible
+       with  some types of lookup table. By default, Postfix uses
+       <> as the lookup key for  such  addresses.  The  value  is
+       specified  with the smtpd_null_access_lookup_key parameter
        in the Postfix main.cf file.
 
 EMAIL ADDRESS EXTENSION
        When a mail address localpart contains the optional recip-
-       ient delimiter (e.g., user+foo@domain), the  lookup  order
-       becomes:  user+foo@domain, user@domain, domain, user+foo@,
+       ient  delimiter  (e.g., user+foo@domain), the lookup order
+       becomes: user+foo@domain, user@domain, domain,  user+foo@,
        and user@.
 
 HOST NAME/ADDRESS PATTERNS
        With lookups from indexed files such as DB or DBM, or from
-       networked  tables  such as NIS, LDAP or SQL, the following
+       networked tables such as NIS, LDAP or SQL,  the  following
        lookup patterns are examined in the order as listed:
 
        domain.tld
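Review bot: the added remark "(note that this is the default for some versions of Postfix)" in the domain.tld paragraph does not tell an operator which behaviour their own installation has. Name the versions, or point the reader at postconf parent_domain_matches_subdomains to see whether smtpd_access_maps is listed, because whether a bare domain.tld key also covers subdomains changes which clients and addresses an access rule matches. The rest of the hunk is word-spacing re-justification only.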
@@ -96,9 +97,9 @@ ACCESS(5)                                               ACCESS(5)
 
               The pattern domain.tld also matches subdomains, but
               only when the string smtpd_access_maps is listed in
-              the Postfix  parent_domain_matches_subdomains  con-
+              the  Postfix  parent_domain_matches_subdomains con-
               figuration setting.  Otherwise, specify .domain.tld
-              (note the initial dot) in  order  to  match  subdo-
+              (note  the  initial  dot)  in order to match subdo-
               mains.
 
        net.work.addr.ess
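Review bot: the HOST NAME/ADDRESS PATTERNS copy of the domain.tld paragraph is only re-justified here and still reads "figuration setting.  Otherwise, specify .domain.tld", while the previous hunk adds "(note that this is the default for some versions of Postfix)" to the earlier copy of the same paragraph. Add the remark here as well so the two descriptions of parent_domain_matches_subdomains agree.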
@@ -107,88 +108,88 @@ ACCESS(5)                                               ACCESS(5)
 
        net.work
 
-       net    Matches  any host address in the specified network.
-              A network address is a  sequence  of  one  or  more
+       net    Matches any host address in the specified  network.
+              A  network  address  is  a  sequence of one or more
               octets separated by ".".
 
-              NOTE:  use  the  cidr  lookup table type to specify
+              NOTE: use the cidr lookup  table  type  to  specify
               network/netmask  patterns.  See  cidr_table(5)  for
               details.
 
 ACTIONS
        [45]NN text
-              Reject  the  address etc. that matches the pattern,
+              Reject the address etc. that matches  the  pattern,
               and respond with the numerical code and text.
 
        REJECT optional text...
-              Reject the address etc. that matches  the  pattern.
-              Reply  with  $reject_code optional text... when the
-              optional text is specified, otherwise reply with  a
+              Reject  the  address etc. that matches the pattern.
+              Reply with $reject_code optional text...  when  the
+              optional  text is specified, otherwise reply with a
               generic error response message.
 
        DEFER_IF_REJECT optional text...
-              Defer  the  request if some later restriction would
+              Defer the request if some later  restriction  would
               result in a REJECT action. Reply with "450 optional
               text... when the optional text is specified, other-
               wise reply with a generic error response message.
 
        DEFER_IF_PERMIT optional text...
-              Defer the request if some later  restriction  would
+              Defer  the  request if some later restriction would
               result in a PERMIT action (there is an implied PER-
-              MIT at the end of  each  restriction  list).  Reply
-              with  "450  optional text... when the optional text
-              is specified, otherwise reply with a generic  error
+              MIT  at  the  end  of each restriction list). Reply
+              with "450 optional text... when the  optional  text
+              is  specified, otherwise reply with a generic error
               response message.
 
        OK     Accept the address etc. that matches the pattern.
 
        all-numerical
               An all-numerical result is treated as OK. This for-
-              mat is generated by address-based relay  authoriza-
+              mat  is generated by address-based relay authoriza-
               tion schemes.
 
-       DUNNO  Pretend  that  the lookup key was not found in this
+       DUNNO  Pretend that the lookup key was not found  in  this
               table. This prevents Postfix from trying substrings
-              of  the  lookup key (such as a subdomain name, or a
+              of the lookup key (such as a subdomain name,  or  a
               network address subnetwork).
 
        HOLD optional text...
-              Place the message on the hold queue, where it  will
-              sit  until someone either deletes it or releases it
-              for delivery.  Log the optional text if  specified,
+              Place  the message on the hold queue, where it will
+              sit until someone either deletes it or releases  it
+              for  delivery.  Log the optional text if specified,
               otherwise log a generic message.
 
-              Mail  that  is  placed on hold can be examined with
-              the postcat(1) command, and  can  be  destroyed  or
+              Mail that is placed on hold can  be  examined  with
+              the  postcat(1)  command,  and  can be destroyed or
               released with the postsuper(1) command.
 
-              Note:  this action currently affects all recipients
+              Note: this action currently affects all  recipients
               of the message.
 
        DISCARD optional text...
-              Claim successful delivery and silently discard  the
-              message.   Log the optional text if specified, oth-
+              Claim  successful delivery and silently discard the
+              message.  Log the optional text if specified,  oth-
               erwise log a generic message.
 
-              Note: this action currently affects all  recipients
+              Note:  this action currently affects all recipients
               of the message.
 
        FILTER transport:destination
-              After  the  message is queued, send the entire mes-
-              sage through a content  filter.   More  information
+              After the message is queued, send the  entire  mes-
+              sage  through  a  content filter.  More information
               about  content  filters  is  in  the  Postfix  FIL-
               TER_README file.
 
-              Note:  this  action  overrides  the  main.cf   con-
+              Note:   this  action  overrides  the  main.cf  con-
               tent_filter  setting,  and  currently  affects  all
               recipients of the message.
 
        REDIRECT user@domain
-              After the message is queued, send  the  message  to
+              After  the  message  is queued, send the message to
               the  specified  address  instead  of  the  intended
               recipient(s).
 
-              Note: this action overrides the FILTER action,  and
+              Note:  this action overrides the FILTER action, and
               currently affects all recipients of the message.
 
        restriction...
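Review bot: under DEFER_IF_REJECT and DEFER_IF_PERMIT the reply is written as "450 optional text... with an opening double quote that is never closed, and the re-justified DEFER_IF_PERMIT lines carry it over unchanged. Since these paragraphs are being regenerated anyway, fix it in the manual source, either by closing the quote or by dropping it to match the REJECT entry ("Reply with $reject_code optional text...").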
@@ -196,46 +197,46 @@ ACCESS(5)                                               ACCESS(5)
               reject_unauth_destination, and so on).
 
 REGULAR EXPRESSION TABLES
-       This section describes how the table lookups  change  when
+       This  section  describes how the table lookups change when
        the table is given in the form of regular expressions. For
-       a description of regular expression lookup  table  syntax,
+       a  description  of regular expression lookup table syntax,
        see regexp_table(5) or pcre_table(5).
 
-       Each  pattern  is  a regular expression that is applied to
+       Each pattern is a regular expression that  is  applied  to
        the entire string being looked up. Depending on the appli-
-       cation,  that  string  is  an  entire  client hostname, an
+       cation, that string  is  an  entire  client  hostname,  an
        entire client IP address, or an entire mail address. Thus,
        no  parent  domain  or  parent  network  search  is  done,
-       user@domain mail addresses are not broken  up  into  their
+       user@domain  mail  addresses  are not broken up into their
        user@ and domain constituent parts, nor is user+foo broken
        up into user and foo.
 
-       Patterns are applied in the  order  as  specified  in  the
-       table,  until  a  pattern is found that matches the search
+       Patterns  are  applied  in  the  order as specified in the
+       table, until a pattern is found that  matches  the  search
        string.
 
-       Actions are the same as with indexed  file  lookups,  with
-       the  additional feature that parenthesized substrings from
+       Actions  are  the  same as with indexed file lookups, with
+       the additional feature that parenthesized substrings  from
        the pattern can be interpolated as $1, $2 and so on.
 
 TCP-BASED TABLES
-       This section describes how the table lookups  change  when
+       This  section  describes how the table lookups change when
        lookups are directed to a TCP-based server. For a descrip-
-       tion  of  the  TCP  client/server  lookup  protocol,   see
+       tion   of  the  TCP  client/server  lookup  protocol,  see
        tcp_table(5).
 
-       Each  lookup  operation uses the entire query string once.
-       Depending on the application, that  string  is  an  entire
+       Each lookup operation uses the entire query  string  once.
+       Depending  on  the  application,  that string is an entire
        client hostname, an entire client IP address, or an entire
-       mail address.  Thus, no parent domain  or  parent  network
-       search  is done, user@domain mail addresses are not broken
-       up into their user@ and domain constituent parts,  nor  is
+       mail  address.   Thus,  no parent domain or parent network
+       search is done, user@domain mail addresses are not  broken
+       up  into  their user@ and domain constituent parts, nor is
        user+foo broken up into user and foo.
 
        Actions are the same as with indexed file lookups.
 
 BUGS
-       The  table format does not understand quoting conventions.
+       The table format does not understand quoting  conventions.
 
 SEE ALSO
        postmap(1) create lookup table
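Review bot: every changed line in this hunk, from REGULAR EXPRESSION TABLES through BUGS, differs from the line it replaces only in the spacing between words, so the hunk carries no content change. Consider regenerating the formatted manual output in a separate commit, or leaving it out of the patch, so that the one real wording change to access(5) is not buried in justification noise.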
@@ -246,7 +247,7 @@ ACCESS(5)                                               ACCESS(5)
        tcp_table(5) TCP client/server table lookup protocol
 
 LICENSE
-       The Secure Mailer license must be  distributed  with  this
+       The  Secure  Mailer  license must be distributed with this
        software.
 
 AUTHOR(S)
diff --git a/postfix/html/postcat.1.html b/postfix/html/postcat.1.html
index e601eccb0..c9a5157f6 100644
--- a/postfix/html/postcat.1.html
+++ b/postfix/html/postcat.1.html
@@ -1,11 +1,11 @@
-    
+  
 POSTCAT(1)                                             POSTCAT(1)
 
 NAME
        postcat - show Postfix queue file contents
 
 SYNOPSIS
-       postcat [-vq] [-c config_dir] [files...]
+       postcat [-vq] [-c config_dir] [files...]
 
 DESCRIPTION
        The postcat command prints the contents of the named files
@@ -15,7 +15,7 @@ POSTCAT(1)                                             POSTCAT(1)
 
        Options:
 
-       -c config_dir
+       -c config_dir
               The main.cf configuration  file  is  in  the  named
               directory  instead  of  the  default  configuration
               directory.
@@ -31,7 +31,7 @@ POSTCAT(1)                                             POSTCAT(1)
        Problems are reported to the standard error stream.
 
 ENVIRONMENT
-       MAIL_CONFIG
+       MAIL_CONFIG
               Directory with Postfix configuration files.
 
 CONFIGURATION PARAMETERS
@@ -39,7 +39,7 @@ POSTCAT(1)                                             POSTCAT(1)
        default values. Use the postfix  reload  command  after  a
        configuration change.
 
-       queue_directory
+       queue_directory
               Top-level  directory  of the Postfix queue. This is
               also the root directory of Postfix daemons that run
               chrooted.
diff --git a/postfix/man/man5/access.5 b/postfix/man/man5/access.5
index 9cb501d4a..6bb7b1a4e 100644
--- a/postfix/man/man5/access.5
+++ b/postfix/man/man5/access.5
@@ -66,7 +66,8 @@ Matches \fIdomain.tld\fR as the domain part of an email address.
 .sp
 The pattern \fIdomain.tld\fR also matches subdomains, but only
 when the string \fBsmtpd_access_maps\fR is listed in the Postfix
-\fBparent_domain_matches_subdomains\fR configuration setting.
+\fBparent_domain_matches_subdomains\fR configuration setting
+(note that this is the default for some versions of Postfix).
 Otherwise, specify \fI.domain.tld\fR (note the initial dot) in
 order to match subdomains.
 .IP \fIuser\fR@
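Review bot: "some versions of Postfix" in the added parenthetical is too vague for a page that administrators use to decide whether a bare domain.tld pattern also matches subdomains. Name the versions, or tell readers to check the default of parent_domain_matches_subdomains on their own system, because a wrong assumption here makes an access rule cover more or fewer hosts than intended.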
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 344cba796..f64592d5b 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change the patchlevel and the release date. Snapshots change the
   * release date only, unless they include the same bugfix as a patch release.
   */
-#define MAIL_RELEASE_DATE	"20030812"
+#define MAIL_RELEASE_DATE	"20030915"
 
 #define VAR_MAIL_VERSION	"mail_version"
 #define DEF_MAIL_VERSION	"2.0.14-" MAIL_RELEASE_DATE
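Review bot: MAIL_RELEASE_DATE moves to "20030915", but the DEF_MAIL_VERSION context line right below it still reads "2.0.14-" while the commit subject is postfix-2.0.16-20030915, and the comment above the define says patches change both the patchlevel and the release date. If this commit is meant to identify itself as 2.0.16, the patchlevel string needs the same update; if the number is left alone on purpose, say so in the commit message, since the version string is what operators compare against fix announcements.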
diff --git a/postfix/src/global/post_mail.c b/postfix/src/global/post_mail.c
index bff950cf3..b79967dd1 100644
--- a/postfix/src/global/post_mail.c
+++ b/postfix/src/global/post_mail.c
@@ -294,7 +294,6 @@ static void post_mail_open_event(int event, char *context)
 	    event_disable_readwrite(vstream_fileno(state->stream));
 	    vstream_fclose(state->stream);
 	} else {
-    case EVENT_XCPT:
 	    msg_warn("connect to service: %s: %m", var_cleanup_service);
 	}
 	myfree(state->sender);
@@ -303,6 +302,20 @@ static void post_mail_open_event(int event, char *context)
 	myfree((char *) state);
 	return;
 
+	/*
+	 * Some exception.
+	 */
+    case EVENT_XCPT:
+	msg_warn("error connecting to service: %s", var_cleanup_service);
+	event_cancel_timer(post_mail_open_event, context);
+	event_disable_readwrite(vstream_fileno(state->stream));
+	vstream_fclose(state->stream);
+	myfree(state->sender);
+	myfree(state->recipient);
+	state->notify((VSTREAM *) 0, state->context);
+	myfree((char *) state);
+	return;
+
 	/*
 	 * Broken software or hardware.
 	 */
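Review bot: the new EVENT_XCPT case repeats the teardown that the preceding case ends with (myfree(state->sender) through myfree((char *) state)), plus its own copy of the event_disable_readwrite/vstream_fclose pair, so the copies can drift apart and leak or double-free after a later edit. Consider a small static helper for the shared teardown. The new warning also drops the %m that the old message carried; if errno is not meaningful for an exception event, a one-line comment saying so would stop someone from adding it back.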
diff --git a/postfix/src/lmtp/lmtp_proto.c b/postfix/src/lmtp/lmtp_proto.c
index ccf905e60..e89de87f9 100644
--- a/postfix/src/lmtp/lmtp_proto.c
+++ b/postfix/src/lmtp/lmtp_proto.c
@@ -385,7 +385,7 @@ static int lmtp_loop(LMTP_STATE *state, int send_state, int recv_state)
 	    }
 
 	    /*
-	     * We authenticate the client, not the sender.
+	     * We authenticate the local MTA only, but not the sender.
 	     */
 #ifdef USE_SASL_AUTH
 	    if (var_lmtp_sasl_enable
diff --git a/postfix/src/postcat/postcat.c b/postfix/src/postcat/postcat.c
index 7e1204a01..d63ef8fde 100644
--- a/postfix/src/postcat/postcat.c
+++ b/postfix/src/postcat/postcat.c
@@ -80,6 +80,7 @@
 #define PC_FLAG_QUEUE	(1<<0)		/* search queue */
 
 #define STR	vstring_str
+#define LEN	VSTRING_LEN
 
 /* postcat - visualize Postfix queue file contents */
 
@@ -129,17 +130,16 @@ static void postcat(VSTREAM *fp, VSTRING *buffer)
 	    break;
 	case REC_TYPE_CONT:
 	    if (msg_verbose)
-		vstream_printf("%s: %s\n", rec_type_name(rec_type),
-			       STR(buffer));
-	    else
-		vstream_printf("%s", STR(buffer));
+		vstream_printf("%s: ", rec_type_name(rec_type));
+	    vstream_fwrite(VSTREAM_OUT, STR(buffer), LEN(buffer));
+	    if (msg_verbose)
+		VSTREAM_PUTCHAR('\n');
 	    break;
 	case REC_TYPE_NORM:
 	    if (msg_verbose)
-		vstream_printf("%s: %s\n", rec_type_name(rec_type),
-			       STR(buffer));
-	    else
-		vstream_printf("%s\n", STR(buffer));
+		vstream_printf("%s: ", rec_type_name(rec_type));
+	    vstream_fwrite(VSTREAM_OUT, STR(buffer), LEN(buffer));
+	    VSTREAM_PUTCHAR('\n');
 	    break;
 	case REC_TYPE_MESG:
 	    vstream_printf("*** MESSAGE CONTENTS %s ***\n", VSTREAM_PATH(fp));
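Review bot: REC_TYPE_CONT and REC_TYPE_NORM now contain the same prefix-then-vstream_fwrite sequence and differ only in when the trailing newline is written, so a shared helper with a flag would keep them from diverging. With vstream_fwrite(VSTREAM_OUT, STR(buffer), LEN(buffer)) the record content is written byte for byte, null bytes included; the postcat man page should say that the output is raw record data so that nobody treats it as sanitized text.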
diff --git a/postfix/src/smtp/smtp_proto.c b/postfix/src/smtp/smtp_proto.c
index 943720b7c..58811a350 100644
--- a/postfix/src/smtp/smtp_proto.c
+++ b/postfix/src/smtp/smtp_proto.c
@@ -506,7 +506,7 @@ int     smtp_xfer(SMTP_STATE *state)
 	    }
 
 	    /*
-	     * We authenticate the client, not the sender.
+	     * We authenticate the local MTA only, but not the sender.
 	     */
 #ifdef USE_SASL_AUTH
 	    if (var_smtp_sasl_enable
diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c
index ad0640f3b..df570de89 100644
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@@ -555,6 +555,8 @@ static void mail_reset(SMTPD_STATE *);
 static void rcpt_reset(SMTPD_STATE *);
 static void chat_reset(SMTPD_STATE *, int);
 
+#ifdef USE_SASL_AUTH
+
  /*
   * SASL exceptions.
   */
@@ -584,6 +586,8 @@ static int sasl_client_exception(SMTPD_STATE *state)
     return (match);
 }
 
+#endif
+
 /* collapse_args - put arguments together again */
 
 static void collapse_args(int argc, SMTPD_TOKEN *argv)
@@ -1299,8 +1303,9 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
     if (state->proxy) {
 	if (state->err == CLEANUP_STAT_OK) {
 	    (void) smtpd_proxy_cmd(state, SMTPD_PROX_WANT_ANY, ".");
-	    if (*STR(state->proxy_buffer) != '2')
-		state->err = CLEANUP_STAT_PROXY;
+	    if (state->err == CLEANUP_STAT_OK &&
+		*STR(state->proxy_buffer) != '2')
+		state->err = CLEANUP_STAT_CONT;
 	}
 	smtpd_proxy_close(state);
     }
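Review bot: every proxy reply that does not start with '2' is now mapped to CLEANUP_STAT_CONT, so a 4xx temporary failure from the before-queue filter is also counted under MAIL_ERROR_POLICY by the CLEANUP_STAT_CONT branch further down. If only 5xx replies are policy decisions, test the first digit explicitly and keep a separate status for transient filter failures. The added state->err == CLEANUP_STAT_OK guard is right; a short comment that smtpd_proxy_cmd can change state->err would explain why it is needed.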
@@ -1350,8 +1355,11 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
 	smtpd_chat_reply(state, "554 Error: too many hops");
     } else if ((state->err & CLEANUP_STAT_CONT) != 0) {
 	state->error_mask |= MAIL_ERROR_POLICY;
-	smtpd_chat_reply(state, "550 Error: %s", LEN(why) ?
-			 STR(why) : "content rejected");
+	if (state->proxy_buffer)
+	    smtpd_chat_reply(state, "%s", STR(state->proxy_buffer));
+	else
+	    smtpd_chat_reply(state, "550 Error: %s", LEN(why) ?
+			     STR(why) : "content rejected");
     } else if ((state->err & CLEANUP_STAT_WRITE) != 0) {
 	state->error_mask |= MAIL_ERROR_RESOURCE;
 	smtpd_chat_reply(state, "451 Error: queue file write error");
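Review bot: the test "if (state->proxy_buffer)" checks that a buffer exists, not that this rejection came from the proxy, and it runs after the smtpd_proxy_close(state) call shown in the previous hunk. Please confirm that smtpd_proxy_close leaves proxy_buffer valid and that the buffer cannot still hold a reply from an earlier transaction; otherwise a CLEANUP_STAT_CONT raised by cleanup itself would be answered with a stale proxy reply instead of "550 Error: ...". Since the filter's reply is forwarded verbatim, the filter documentation should state that its text is shown to the remote client.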
diff --git a/postfix/src/smtpd/smtpd_check.in4 b/postfix/src/smtpd/smtpd_check.in4
index abffa1ff0..d401de907 100644
--- a/postfix/src/smtpd/smtpd_check.in4
+++ b/postfix/src/smtpd/smtpd_check.in4
@@ -5,7 +5,7 @@
 #msg_verbose 1
 smtpd_delay_reject 0
 #
-# Test the nex access map features
+# Test the new access map features
 #
 sender_restrictions hash:./smtpd_check_access
 mail rejecttext@bad.domain
diff --git a/postfix/src/smtpd/smtpd_exp.in b/postfix/src/smtpd/smtpd_exp.in
index 50aa0e18f..8c05d1069 100644
--- a/postfix/src/smtpd/smtpd_exp.in
+++ b/postfix/src/smtpd/smtpd_exp.in
@@ -53,3 +53,10 @@ client spike.porcupine.org 168.100.189.2
 mail sname@sdomain
 rcpt rname@rdomain
 rcpt rname@example.tld
+#
+# RHSBL helo domain name
+#
+recipient_restrictions reject_rhsbl_helo,abuse.rfc-ignorant.org
+helo example.tld
+mail sname@sdomain
+rcpt rname@rdomain
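Review bot: this test case depends on what abuse.rfc-ignorant.org returns for example.tld, and the expected text in smtpd_exp.ref ("Not supporting abuse@domain") is that list's own answer. The regression test will fail without DNS access or as soon as the list changes or drops the entry; add a comment in the .in file naming that dependency, or point the test at a zone the test suite controls.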
diff --git a/postfix/src/smtpd/smtpd_exp.ref b/postfix/src/smtpd/smtpd_exp.ref
index 36e2cf519..950349874 100644
--- a/postfix/src/smtpd/smtpd_exp.ref
+++ b/postfix/src/smtpd/smtpd_exp.ref
@@ -97,3 +97,15 @@ OK
 >>> rcpt rname@example.tld
 ./smtpd_check: : reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 client=spike.porcupine.org[168.100.189.2] client_address=168.100.189.2 client_name=spike.porcupine.org helo_name=foobar  sender=sname@sdomain sender_name=sname  sender_domain=sdomain recipient=rname@example.tld recipient_name=rname recipient_domain=example.tld rbl_code=554 rbl_domain=dsn.rfc-ignorant.org rbl_txt=Not supporting null originator (DSN) rbl_what=rname@example.tld rbl_class=Recipient address; from= to= proto=SMTP helo=
 554 client=spike.porcupine.org[168.100.189.2] client_address=168.100.189.2 client_name=spike.porcupine.org helo_name=foobar  sender=sname@sdomain sender_name=sname  sender_domain=sdomain recipient=rname@example.tld recipient_name=rname recipient_domain=example.tld rbl_code=554 rbl_domain=dsn.rfc-ignorant.org rbl_txt=Not supporting null originator (DSN) rbl_what=rname@example.tld rbl_class=Recipient address
+>>> #
+>>> # RHSBL helo domain name
+>>> #
+>>> recipient_restrictions reject_rhsbl_helo,abuse.rfc-ignorant.org
+OK
+>>> helo example.tld
+OK
+>>> mail sname@sdomain
+OK
+>>> rcpt rname@rdomain
+./smtpd_check: : reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 Service unavailable; Helo command [example.tld] blocked using abuse.rfc-ignorant.org; Not supporting abuse@domain; from= to= proto=SMTP helo=
+554 Service unavailable; Helo command [example.tld] blocked using abuse.rfc-ignorant.org; Not supporting abuse@domain
diff --git a/postfix/src/smtpstone/smtp-sink.c b/postfix/src/smtpstone/smtp-sink.c
index 6d305e23b..035e66467 100644
--- a/postfix/src/smtpstone/smtp-sink.c
+++ b/postfix/src/smtpstone/smtp-sink.c
@@ -434,13 +434,13 @@ static int command_read(SINK_STATE *state)
      * Got a complete command line. Parse it.
      */
     ptr = vstring_str(state->buffer);
+    if (msg_verbose)
+	msg_info("%s", ptr);
     if ((command = mystrtok(&ptr, " \t")) == 0) {
 	smtp_printf(state->stream, "500 Error: unknown command");
 	smtp_flush(state->stream);
 	return (0);
     }
-    if (msg_verbose)
-	msg_info("%s", command);
     for (cmdp = command_table; cmdp->name != 0; cmdp++)
 	if (strcasecmp(command, cmdp->name) == 0)
 	    break;
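Review bot: moving the msg_verbose log above the mystrtok() call means the whole client line is logged, arguments included, and it is now logged even when the line is empty and answered with "500 Error: unknown command". That helps debugging, but the logged text is client-controlled; note in the -v documentation that addresses and other command arguments now end up in the log.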
diff --git a/postfix/src/trivial-rewrite/resolve.c b/postfix/src/trivial-rewrite/resolve.c
index a8fa58d71..0ea2b3698 100644
--- a/postfix/src/trivial-rewrite/resolve.c
+++ b/postfix/src/trivial-rewrite/resolve.c
@@ -410,8 +410,8 @@ static void resolve_addr(RES_CONTEXT *rp, char *addr,
 			     rcpt_domain, VAR_VIRT_ALIAS_DOMS,
 			     VAR_RELAY_DOMAINS);
 		if (strcasecmp(rcpt_domain, var_myorigin) == 0)
-		    msg_warn("do not list $%s in %s",
-			     VAR_MYORIGIN, VAR_VIRT_ALIAS_DOMS);
+		    msg_warn("do not list $%s (%s) in %s",
+			     VAR_MYORIGIN, var_myorigin, VAR_VIRT_ALIAS_DOMS);
 	    }
 	    vstring_strcpy(channel, MAIL_SERVICE_ERROR);
 	    vstring_sprintf(nexthop, "User unknown%s",