From: Wietse Venema
CDB support is available with Postfix 2.2 and later releases. This document describes how to build Postfix with CDB support.
-These instructions assume that you build Postfix from source +code as described in the INSTALL document. Some modification may +be required if you build Postfix from a vendor-specific source +package.
Postfix is compatible with two CDB implementations:
diff --git a/postfix/html/LDAP_README.html b/postfix/html/LDAP_README.html index b3367b013..2a9483aa2 100644 --- a/postfix/html/LDAP_README.html +++ b/postfix/html/LDAP_README.html @@ -55,6 +55,11 @@ it to each.These instructions assume that you build Postfix from source +code as described in the INSTALL document. Some modification may +be required if you build Postfix from a vendor-specific source +package.
+Note 1: Postfix no longer supports the LDAP version 1 interface.
@@ -165,7 +170,7 @@ server listening at port 389 on ldap.example.com. It will bind anonymously, search for any directory entries whose mailacceptinggeneralid attribute is "ldapuser", read the "maildrop" attributes of those found, and build a list of their maildrops, which will be treated -as RFC822 addresses to which the message will be delivered. +as RFC822 addresses to which the message will be delivered.Postfix sends specific sets of macros at different SMTP protocol stages. The sets are configured with the parameters as described -in the table (EOH = end of headers; EOM = end of message).
+in the table (EOH = end of headers; EOM = end of message). The +protocol version is a number that Postfix sends at the beginning +of the Milter protocol handshake.diff --git a/postfix/html/MYSQL_README.html b/postfix/html/MYSQL_README.html index 933059e5f..1b50298ec 100644 --- a/postfix/html/MYSQL_README.html +++ b/postfix/html/MYSQL_README.html @@ -33,6 +33,11 @@ clients by using the Postfix proxymap(8) service.-Building Postfix with MySQL support
+These instructions assume that you build Postfix from source +code as described in the INSTALL document. Some modification may +be required if you build Postfix from a vendor-specific source +package.
+Note: to use mysql with Debian GNU/Linux's Postfix, all you need is to install the postfix-mysql package and you're done. There is no need to recompile Postfix.
diff --git a/postfix/html/PCRE_README.html b/postfix/html/PCRE_README.html index f4a4e25c4..6e619c616 100644 --- a/postfix/html/PCRE_README.html +++ b/postfix/html/PCRE_README.html @@ -32,6 +32,11 @@ itself can be found at http://www.pcre.org/.Building Postfix with PCRE support
+These instructions assume that you build Postfix from source +code as described in the INSTALL document. Some modification may +be required if you build Postfix from a vendor-specific source +package.
+Note: to use pcre with Debian GNU/Linux's Postfix, all you need is to install the postfix-pcre package and you're done. There is no need to recompile Postfix.
diff --git a/postfix/html/PGSQL_README.html b/postfix/html/PGSQL_README.html index 021d64175..c7e3fed4f 100644 --- a/postfix/html/PGSQL_README.html +++ b/postfix/html/PGSQL_README.html @@ -33,6 +33,11 @@ clients by using the Postfix proxymap(8) service.Building Postfix with PostgreSQL support
+These instructions assume that you build Postfix from source +code as described in the INSTALL document. Some modification may +be required if you build Postfix from a vendor-specific source +package.
+Note: to use pgsql with Debian GNU/Linux's Postfix, all you need to do is to install the postfix-pgsql package and you're done. There is no need to recompile Postfix.
diff --git a/postfix/html/SASL_README.html b/postfix/html/SASL_README.html index ea4a9f57a..a1a5de269 100644 --- a/postfix/html/SASL_README.html +++ b/postfix/html/SASL_README.html @@ -117,6 +117,11 @@ Postfix versions.Building Postfix with Dovecot SASL support
+These instructions assume that you build Postfix from source +code as described in the INSTALL document. Some modification may +be required if you build Postfix from a vendor-specific source +package.
+Support for the Dovecot version 1 SASL protocol is available in Postfix 2.3 and later. At the time of writing, only server-side SASL support is available, so you can't @@ -173,6 +178,11 @@ authentication method, specify ``./configure --enable-login''.
Building Postfix with Cyrus SASL support
+These instructions assume that you build Postfix from source +code as described in the INSTALL document. Some modification may +be required if you build Postfix from a vendor-specific source +package.
+The following assumes that the Cyrus SASL include files are in /usr/local/include, and that the Cyrus SASL libraries are in /usr/local/lib.
diff --git a/postfix/html/TLS_README.html b/postfix/html/TLS_README.html index 9d6157aec..1aa59fe48 100644 --- a/postfix/html/TLS_README.html +++ b/postfix/html/TLS_README.html @@ -95,9 +95,9 @@ cache files.@@ -122,6 +122,11 @@ align="center" bgcolor="#f0f0ff"> smtp Network->
smtpd(8)
- <---seed---
<-session-><---seed----
<-key/cert->-
tlsmgr(8)
---seed--->
<-session-> +----seed--->
<-key/cert->
smtp(8)
->Network
session
key cacheBuilding Postfix with TLS support
+These instructions assume that you build Postfix from source +code as described in the INSTALL document. Some modification may +be required if you build Postfix from a vendor-specific source +package.
+To build Postfix with TLS support, first we need to generate the make(1) files with the necessary definitions. This is done by invoking the command "make makefiles" in the Postfix @@ -2431,17 +2436,17 @@ Enter PEM pass phrase:whatever
Create an unpassworded private key for host FOO and create +
Create an unpassworded private key for host foo.porcupine.org and create an unsigned public key certificate.
--% openssl req -new -nodes -keyout FOO-key.pem -out FOO-req.pem -days 365 +% openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem -days 365 Using configuration from /etc/ssl/openssl.cnf Generating a 1024 bit RSA private key ........................................++++++ ....++++++ -writing new private key to 'FOO-key.pem' +writing new private key to 'foo-key.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. @@ -2455,7 +2460,7 @@ State or Province Name (full name) [Some-State]:New York Locality Name (eg, city) []:Westchester Organization Name (eg, company) [Internet Widgits Pty Ltd]:Porcupine Organizational Unit Name (eg, section) []: -Common Name (eg, YOUR name) []:FOO +Common Name (eg, YOUR name) []:foo.porcupine.org Email Address []:wietse@porcupine.org Please enter the following 'extra' attributes @@ -2465,13 +2470,13 @@ An optional company name []:
Sign the public key certificate for host FOO with the +
Sign the public key certificate for host foo.porcupine.org with the Certification Authority private key that we created a few steps ago.
+ +-% openssl ca -out FOO-cert.pem -infiles FOO-req.pem +% openssl ca -out foo-cert.pem -infiles foo-req.pem Using configuration from /etc/ssl/openssl.cnf Enter PEM pass phrase:whatever Check that the request matches the signature @@ -2481,7 +2486,7 @@ countryName :PRINTABLE:'US' stateOrProvinceName :PRINTABLE:'New York' localityName :PRINTABLE:'Westchester' organizationName :PRINTABLE:'Porcupine' -commonName :PRINTABLE:'FOO' +commonName :PRINTABLE:'foo.porcupine.org' emailAddress :IA5STRING:'wietse@porcupine.org' Certificate is to be certified until Nov 21 19:40:56 2005 GMT (365 days) Sign the certificate? [y/n]:y @@ -2499,9 +2504,9 @@ super-user privileges.@@ -2522,8 +2527,8 @@ but don't require them from all clients. btree:/var/lib/postfix/smtp_tls_session_cache smtp_tls_security_level = may smtpd_tls_CAfile = /etc/postfix/cacert.pem - smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem - smtpd_tls_key_file = /etc/postfix/FOO-key.pem + smtpd_tls_cert_file = /etc/postfix/foo-cert.pem + smtpd_tls_key_file = /etc/postfix/foo-key.pem smtpd_tls_received_header = yes smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache diff --git a/postfix/html/lmtp.8.html b/postfix/html/lmtp.8.html index 949e74009..ddfc4ab1c 100644 --- a/postfix/html/lmtp.8.html +++ b/postfix/html/lmtp.8.html 
@@ -346,6 +346,23 @@ SMTP(8) SMTP(8) The SASL plug-in type that the Postfix SMTP client should use for authentication. + Available in Postfix version 2.5 and later: + + smtp_sasl_auth_cache_name (empty) + An optional table to prevent repeated SASL authen- + tication failures with the same remote SMTP server + hostname, username and password. + + smtp_sasl_auth_cache_time (90d) + The maximal age of an smtp_sasl_auth_cache_name + entry before it is removed. + + smtp_sasl_auth_soft_bounce (yes) + When a remote SMTP server rejects a SASL authenti- + cation request with a 535 reply code, defer mail + delivery instead of returning mail as undeliver- + able. + STARTTLS SUPPORT CONTROLS Detailed information about STARTTLS configuration may be found in the TLS_README document. diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 180c320b9..a6fc25003 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -3901,6 +3901,28 @@ The default time unit is s (seconds). + + +-# cp demoCA/cacert.pem FOO-key.pem FOO-cert.pem /etc/postfix -# chmod 644 /etc/postfix/FOO-cert.pem /etc/postfix/cacert.pem -# chmod 400 /etc/postfix/FOO-key.pem +# cp demoCA/cacert.pem foo-key.pem foo-cert.pem /etc/postfix +# chmod 644 /etc/postfix/foo-cert.pem /etc/postfix/cacert.pem +# chmod 400 /etc/postfix/foo-key.pemlmtp_sasl_auth_cache_name +(default: empty) + + + +The LMTP-specific version of the smtp_sasl_auth_cache_name +configuration parameter. See there for details.
+ +This feature is available in Postfix 2.5 and later.
+ + +lmtp_sasl_auth_cache_time +(default: 90d) + + The LMTP-specific version of the smtp_sasl_auth_cache_time +configuration parameter. See there for details.
+ +This feature is available in Postfix 2.5 and later.
+ +lmtp_sasl_auth_enable @@ -3911,6 +3933,17 @@ Enable SASL authentication in the Postfix LMTP client. + + + lmtp_sasl_auth_soft_bounce +(default: yes) + + The LMTP-specific version of the smtp_sasl_auth_soft_bounce +configuration parameter. See there for details.
+ +This feature is available in Postfix 2.5 and later.
+ +lmtp_sasl_mechanism_filter @@ -7764,8 +7797,9 @@ host, host:port, [host]:port, [address] or [address]:port; the form destinations, Postfix will try them in the specified order. To prevent mailer loops between MX hosts and fall-back hosts, -Postfix version 2.3 and later will not use the smtp_fallback_relay -feature for destinations that it is MX host for.
+Postfix version 2.2 and later will not use the fallback relays for +destinations that it is MX host for (and DSN lookup is turned on). + @@ -8153,6 +8187,52 @@ cached session is still usable.This feature is available in Postfix 2.1 and later.
+ + +smtp_sasl_auth_cache_name +(default: empty) + + + +An optional table to prevent repeated SASL authentication +failures with the same remote SMTP server hostname, username and +password. Each table (key, value) pair contains a server name, a +username and password, and the full server response. This information +is stored when a remote SMTP server rejects an authentication attempt +with a 535 reply code. As long as the smtp_sasl_password_maps +information does no change, and as long as the smtp_sasl_auth_cache_name +information does not expire (see smtp_sasl_auth_cache_time) the +Postfix SMTP client avoids SASL authentication attempts with the +same server, username and password, and instead bounces or defers +mail as controlled with the smtp_sasl_auth_soft_bounce configuration +parameter.
+ +The table must be accessed via the proxywrite service, i.e. the +map name must start with "proxy:". The table should be stored under +the directory specified with the data_directory parameter.
+ +This feature uses cryptographic hashing to protect plain-text +passwords, and requires that Postfix is compiled with TLS support. +
+ +Example:
+ ++smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache ++ +This feature is available in Postfix 2.5 and later.
+ + +smtp_sasl_auth_cache_time +(default: 90d) + + The maximal age of an smtp_sasl_auth_cache_name entry before it +is removed.
+ +This feature is available in Postfix 2.5 and later.
+ +smtp_sasl_auth_enable @@ -8172,6 +8252,31 @@ Example: + + + smtp_sasl_auth_soft_bounce +(default: yes) + + When a remote SMTP server rejects a SASL authentication request +with a 535 reply code, defer mail delivery instead of returning +mail as undeliverable. The latter behavior was hard-coded prior to +Postfix version 2.5.
+ +Note: the setting "yes" overrides the global soft_bounce +parameter, but the setting "no" does not.
+ +Example:
+ ++# Default as of Postfix 2.5 +smtp_sasl_auth_soft_bounce = yes +# The old hard-coded default +smtp_sasl_auth_soft_bounce = no ++ +This feature is available in Postfix 2.5 and later.
+ +smtp_sasl_mechanism_filter @@ -8676,6 +8781,9 @@ As in the example above, we show two matching fingerprints: smtp_tls_policy_maps = hash:/etc/postfix/tls_policy smtp_tls_fingerprint_digest = md5 +
/etc/postfix/tls_policy:
example.com fingerprint
diff --git a/postfix/html/proxymap.8.html b/postfix/html/proxymap.8.html
index a11b312aa..abdcf4ea8 100644
--- a/postfix/html/proxymap.8.html
+++ b/postfix/html/proxymap.8.html
@@ -155,9 +155,13 @@ PROXYMAP(8) PROXYMAP(8)
The default location of the Postfix main.cf and
master.cf configuration files.
+ data_directory (see 'postconf -d' output)
+ The directory with Postfix-writable data files (for
+ example: caches, pseudo-random numbers).
+
daemon_timeout (18000s)
- How much time a Postfix daemon process may take to
- handle a request before it is terminated by a
+ How much time a Postfix daemon process may take to
+ handle a request before it is terminated by a
built-in watchdog timer.
ipc_timeout (3600s)
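Review bot: most of this hunk (daemon_timeout and the parameters that follow in the next hunks) changes only whitespace in the generated proxymap.8.html; the one substantive line is the new data_directory entry. If the HTML is regenerated from proxymap.8 with the same formatter settings, these no-op lines drop out and the remaining changes in this file and in tlsmgr.8.html become reviewable at a glance.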
@@ -165,25 +169,25 @@ PROXYMAP(8) PROXYMAP(8)
over an internal communication channel.
max_idle (100s)
- The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
+ The maximum amount of time that an idle Postfix
+ daemon process waits for an incoming connection
before terminating voluntarily.
max_use (100)
- The maximal number of incoming connections that a
- Postfix daemon process will service before termi-
+ The maximal number of incoming connections that a
+ Postfix daemon process will service before termi-
nating voluntarily.
process_id (read-only)
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
process_name (read-only)
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
proxy_read_maps (see 'postconf -d' output)
- The lookup tables that the proxymap(8) server is
+ The lookup tables that the proxymap(8) server is
allowed to access for the read-only service.
Available in Postfix 2.5 and later:
@@ -193,7 +197,7 @@ PROXYMAP(8) PROXYMAP(8)
example: caches, pseudo-random numbers).
proxy_write_maps (see 'postconf -d' output)
- The lookup tables that the proxymap(8) server is
+ The lookup tables that the proxymap(8) server is
allowed to access for the read-write service.
SEE ALSO
@@ -204,7 +208,7 @@ PROXYMAP(8) PROXYMAP(8)
DATABASE_README, Postfix lookup table overview
LICENSE
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
HISTORY
diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html
index 949e74009..ddfc4ab1c 100644
--- a/postfix/html/smtp.8.html
+++ b/postfix/html/smtp.8.html
@@ -346,6 +346,23 @@ SMTP(8) SMTP(8)
The SASL plug-in type that the Postfix SMTP client
should use for authentication.
+ Available in Postfix version 2.5 and later:
+
+ smtp_sasl_auth_cache_name (empty)
+ An optional table to prevent repeated SASL authen-
+ tication failures with the same remote SMTP server
+ hostname, username and password.
+
+ smtp_sasl_auth_cache_time (90d)
+ The maximal age of an smtp_sasl_auth_cache_name
+ entry before it is removed.
+
+ smtp_sasl_auth_soft_bounce (yes)
+ When a remote SMTP server rejects a SASL authenti-
+ cation request with a 535 reply code, defer mail
+ delivery instead of returning mail as undeliver-
+ able.
+
STARTTLS SUPPORT CONTROLS
Detailed information about STARTTLS configuration may be
found in the TLS_README document.
diff --git a/postfix/html/tlsmgr.8.html b/postfix/html/tlsmgr.8.html
index 509ee8b06..473edb021 100644
--- a/postfix/html/tlsmgr.8.html
+++ b/postfix/html/tlsmgr.8.html
@@ -138,25 +138,29 @@ TLSMGR(8) TLSMGR(8)
The default location of the Postfix main.cf and
master.cf configuration files.
+ data_directory (see 'postconf -d' output)
+ The directory with Postfix-writable data files (for
+ example: caches, pseudo-random numbers).
+
daemon_timeout (18000s)
- How much time a Postfix daemon process may take to
- handle a request before it is terminated by a
+ How much time a Postfix daemon process may take to
+ handle a request before it is terminated by a
built-in watchdog timer.
process_id (read-only)
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
process_name (read-only)
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
SEE ALSO
@@ -171,7 +175,7 @@ TLSMGR(8) TLSMGR(8)
TLS_README, Postfix TLS configuration and operation
LICENSE
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
AUTHOR(S)
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index b842e89a6..141e5e04d 100644
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -2141,8 +2141,23 @@ cached connection is still alive.
.PP
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
+.SH lmtp_sasl_auth_cache_name (default: empty)
+The LMTP-specific version of the smtp_sasl_auth_cache_name
+configuration parameter. See there for details.
+.PP
+This feature is available in Postfix 2.5 and later.
+.SH lmtp_sasl_auth_cache_time (default: 90d)
+The LMTP-specific version of the smtp_sasl_auth_cache_time
+configuration parameter. See there for details.
+.PP
+This feature is available in Postfix 2.5 and later.
.SH lmtp_sasl_auth_enable (default: no)
Enable SASL authentication in the Postfix LMTP client.
+.SH lmtp_sasl_auth_soft_bounce (default: yes)
+The LMTP-specific version of the smtp_sasl_auth_soft_bounce
+configuration parameter. See there for details.
+.PP
+This feature is available in Postfix 2.5 and later.
.SH lmtp_sasl_mechanism_filter (default: empty)
The LMTP-specific version of the smtp_sasl_mechanism_filter
configuration parameter. See there for details.
@@ -4390,8 +4405,8 @@ host, host:port, [host]:port, [address] or [address]:port; the form
destinations, Postfix will try them in the specified order.
.PP
To prevent mailer loops between MX hosts and fall-back hosts,
-Postfix version 2.3 and later will not use the smtp_fallback_relay
-feature for destinations that it is MX host for.
+Postfix version 2.2 and later will not use the fallback relays for
+destinations that it is MX host for (and DSN lookup is turned on).
.SH smtp_generic_maps (default: empty)
Optional lookup tables that perform address rewriting in the
SMTP client, typically to transform a locally valid address into
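Review bot: in the rewritten smtp_fallback_relay sentence, "(and DSN lookup is turned on)" should almost certainly read "DNS lookup": DSN is the delivery status notification extension and has nothing to do with deciding whether this host is an MX for the destination, which depends on MX resolution. Suggest: "destinations that it is MX host for (and DNS lookup is turned on)." The same line appears in the html/postconf.5.html hunk that is run together earlier in the patch.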
@@ -4587,6 +4602,43 @@ order to finish a recipient address probe, or to verify that a
cached session is still usable.
.PP
This feature is available in Postfix 2.1 and later.
+.SH smtp_sasl_auth_cache_name (default: empty)
+An optional table to prevent repeated SASL authentication
+failures with the same remote SMTP server hostname, username and
+password. Each table (key, value) pair contains a server name, a
+username and password, and the full server response. This information
+is stored when a remote SMTP server rejects an authentication attempt
+with a 535 reply code. As long as the smtp_sasl_password_maps
+information does no change, and as long as the smtp_sasl_auth_cache_name
+information does not expire (see smtp_sasl_auth_cache_time) the
+Postfix SMTP client avoids SASL authentication attempts with the
+same server, username and password, and instead bounces or defers
+mail as controlled with the smtp_sasl_auth_soft_bounce configuration
+parameter.
+.PP
+The table must be accessed via the proxywrite service, i.e. the
+map name must start with "proxy:". The table should be stored under
+the directory specified with the data_directory parameter.
+.PP
+This feature uses cryptographic hashing to protect plain-text
+passwords, and requires that Postfix is compiled with TLS support.
+.PP
+Example:
+.PP
+.nf
+.na
+.ft C
+smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache
+.fi
+.ad
+.ft R
+.PP
+This feature is available in Postfix 2.5 and later.
+.SH smtp_sasl_auth_cache_time (default: 90d)
+The maximal age of an smtp_sasl_auth_cache_name entry before it
+is removed.
+.PP
+This feature is available in Postfix 2.5 and later.
.SH smtp_sasl_auth_enable (default: no)
Enable SASL authentication in the Postfix SMTP client. By default,
the Postfix SMTP client uses no authentication.
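Review bot: the new smtp_sasl_auth_cache_name text has a typo ("information does no change" should be "does not change") and is ambiguous about what the table holds: one paragraph says each (key, value) pair contains "a server name, a username and password, and the full server response", while a later one says the feature "uses cryptographic hashing to protect plain-text passwords". Because this table is written to disk under data_directory and is reachable through the proxywrite service, the description should state plainly that the password is stored only as a hash, and which part (key or value) carries it, so an operator can judge what exposure of that file reveals. The same text appears in the html/postconf.5.html copy earlier in the patch.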
@@ -4600,6 +4652,29 @@ smtp_sasl_auth_enable = yes
.fi
.ad
.ft R
+.SH smtp_sasl_auth_soft_bounce (default: yes)
+When a remote SMTP server rejects a SASL authentication request
+with a 535 reply code, defer mail delivery instead of returning
+mail as undeliverable. The latter behavior was hard-coded prior to
+Postfix version 2.5.
+.PP
+Note: the setting "yes" overrides the global soft_bounce
+parameter, but the setting "no" does not.
+.PP
+Example:
+.PP
+.nf
+.na
+.ft C
+# Default as of Postfix 2.5
+smtp_sasl_auth_soft_bounce = yes
+# The old hard-coded default
+smtp_sasl_auth_soft_bounce = no
+.fi
+.ad
+.ft R
+.PP
+This feature is available in Postfix 2.5 and later.
.SH smtp_sasl_mechanism_filter (default: empty)
If non-empty, a Postfix SMTP client filter for the remote SMTP
server's list of offered SASL mechanisms. Different client and
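Review bot: the smtp_sasl_auth_soft_bounce description should spell out the operational consequence of the new default combined with the cache: with "yes" and a populated smtp_sasl_auth_cache_name entry, mail for that server is deferred without any new authentication attempt until the entry expires (90d by default) or the smtp_sasl_password_maps entry changes, so a server-side fix that leaves the password unchanged keeps mail sitting in the queue. One sentence telling the operator how to recover (for example, whether updating the smtp_sasl_password_maps entry is sufficient to invalidate the cached failure) would prevent surprise queue growth.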
@@ -4969,6 +5044,9 @@ As in the example above, we show two matching fingerprints:
.fi
.ad
.ft R
+.in -4
+.sp
+.in +4
.nf
.na
.ft C
diff --git a/postfix/man/man8/proxymap.8 b/postfix/man/man8/proxymap.8
index 025b30726..225dc3db4 100644
--- a/postfix/man/man8/proxymap.8
+++ b/postfix/man/man8/proxymap.8
@@ -160,6 +160,9 @@ The text below provides only a parameter summary. See
.IP "\fBconfig_directory (see 'postconf -d' output)\fR"
The default location of the Postfix main.cf and master.cf
configuration files.
+.IP "\fBdata_directory (see 'postconf -d' output)\fR"
+The directory with Postfix-writable data files (for example:
+caches, pseudo-random numbers).
.IP "\fBdaemon_timeout (18000s)\fR"
How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer.
diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8
index 873c5658c..830b72625 100644
--- a/postfix/man/man8/smtp.8
+++ b/postfix/man/man8/smtp.8
@@ -302,6 +302,19 @@ the SASL plug-in implementation that is selected with
.IP "\fBsmtp_sasl_type (cyrus)\fR"
The SASL plug-in type that the Postfix SMTP client should use
for authentication.
+.PP
+Available in Postfix version 2.5 and later:
+.IP "\fBsmtp_sasl_auth_cache_name (empty)\fR"
+An optional table to prevent repeated SASL authentication
+failures with the same remote SMTP server hostname, username and
+password.
+.IP "\fBsmtp_sasl_auth_cache_time (90d)\fR"
+The maximal age of an smtp_sasl_auth_cache_name entry before it
+is removed.
+.IP "\fBsmtp_sasl_auth_soft_bounce (yes)\fR"
+When a remote SMTP server rejects a SASL authentication request
+with a 535 reply code, defer mail delivery instead of returning
+mail as undeliverable.
.SH "STARTTLS SUPPORT CONTROLS"
.na
.nf
diff --git a/postfix/man/man8/tlsmgr.8 b/postfix/man/man8/tlsmgr.8
index 5765ea391..665f8f99c 100644
--- a/postfix/man/man8/tlsmgr.8
+++ b/postfix/man/man8/tlsmgr.8
@@ -137,6 +137,9 @@ sources.
.IP "\fBconfig_directory (see 'postconf -d' output)\fR"
The default location of the Postfix main.cf and master.cf
configuration files.
+.IP "\fBdata_directory (see 'postconf -d' output)\fR"
+The directory with Postfix-writable data files (for example:
+caches, pseudo-random numbers).
.IP "\fBdaemon_timeout (18000s)\fR"
How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer.
diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink
index be7948d38..15ea44218 100755
--- a/postfix/mantools/postlink
+++ b/postfix/mantools/postlink
@@ -264,7 +264,10 @@ while (<>) {
s;\blmtp_quit_timeout\b;$&;g;
s;\blmtp_rcpt_timeout\b;$&;g;
s;\blmtp_rset_timeout\b;$&;g;
+ s;\blmtp_sasl_auth_cache_name\b;$&;g;
+ s;\blmtp_sasl_auth_cache_time\b;$&;g;
s;\blmtp_sasl_auth_enable\b;$&;g;
+ s;\blmtp_sasl_auth_soft_bounce\b;$&;g;
s;\blmtp_sasl_password_maps\b;$&;g;
s;\blmtp_sasl_security_options\b;$&;g;
s;\blmtp_sasl_type\b;$&;g;
@@ -441,7 +444,10 @@ while (<>) {
s;\bsmtp_randomize_addresses\b;$&;g;
s;\bsmtp_rcpt_timeout\b;$&;g;
s;\bsmtp_rset_timeout\b;$&;g;
+ s;\bsmtp_sasl_auth_cache_name\b;$&;g;
+ s;\bsmtp_sasl_auth_cache_time\b;$&;g;
s;\bsmtp_sasl_auth_enable\b;$&;g;
+ s;\bsmtp_sasl_auth_soft_bounce\b;$&;g;
s;\bsmtp_sasl_mechanism_filter\b;$&;g;
s;\bsmtp_sasl_pass[-]*\n* *[]*word_maps\b;$&;g;
s;\bsmtp_sasl_path\b;$&;g;
diff --git a/postfix/proto/CDB_README.html b/postfix/proto/CDB_README.html
index a025cd3e5..afe8a82ee 100644
--- a/postfix/proto/CDB_README.html
+++ b/postfix/proto/CDB_README.html
@@ -37,7 +37,12 @@ information about Postfix databases.
CDB support is available with Postfix 2.2 and later releases.
This document describes how to build Postfix with CDB support.
-Building Postfix with CDB
+Building Postfix with CDB support
+
+ These instructions assume that you build Postfix from source
+code as described in the INSTALL document. Some modification may
+be required if you build Postfix from a vendor-specific source
+package.
Postfix is compatible with two CDB implementations:
diff --git a/postfix/proto/LDAP_README.html b/postfix/proto/LDAP_README.html
index 0fcdc646f..8cf9998d0 100644
--- a/postfix/proto/LDAP_README.html
+++ b/postfix/proto/LDAP_README.html
@@ -55,6 +55,11 @@ it to each.
Building Postfix with LDAP support
+ These instructions assume that you build Postfix from source
+code as described in the INSTALL document. Some modification may
+be required if you build Postfix from a vendor-specific source
+package.
+
Note 1: Postfix no longer supports the LDAP version 1 interface.
diff --git a/postfix/proto/MILTER_README.html b/postfix/proto/MILTER_README.html
index 7176fc970..5085ed8a0 100644
--- a/postfix/proto/MILTER_README.html
+++ b/postfix/proto/MILTER_README.html
@@ -552,7 +552,7 @@ Connection concurrency for this client
{client_name} Always Client hostname,
"unknown" when lookup or verification fails
- {client_port} Always
(Postfix ≥2.5)
+ {client_port} Always (Postfix ≥2.5)
Client TCP port
{client_ptr} CONNECT, HELO, MAIL, DATA
@@ -592,7 +592,9 @@ TLS protocol version
Postfix sends specific sets of macros at different SMTP protocol
stages. The sets are configured with the parameters as described
-in the table (EOH = end of headers; EOM = end of message).
+in the table (EOH = end of headers; EOM = end of message). The
+protocol version is a number that Postfix sends at the beginning
+of the Milter protocol handshake.
diff --git a/postfix/proto/MYSQL_README.html b/postfix/proto/MYSQL_README.html
index 7f56cf04f..5ec69fccb 100644
--- a/postfix/proto/MYSQL_README.html
+++ b/postfix/proto/MYSQL_README.html
@@ -33,6 +33,11 @@ clients by using the Postfix proxymap(8) service.
Building Postfix with MySQL support
+ These instructions assume that you build Postfix from source
+code as described in the INSTALL document. Some modification may
+be required if you build Postfix from a vendor-specific source
+package.
+
Note: to use mysql with Debian GNU/Linux's Postfix, all you
need is to install the postfix-mysql package and you're done.
There is no need to recompile Postfix.
diff --git a/postfix/proto/PCRE_README.html b/postfix/proto/PCRE_README.html
index e00af3ed2..f48a82dce 100644
--- a/postfix/proto/PCRE_README.html
+++ b/postfix/proto/PCRE_README.html
@@ -32,6 +32,11 @@ itself can be found at http://www.pcre.org/.
Building Postfix with PCRE support
+ These instructions assume that you build Postfix from source
+code as described in the INSTALL document. Some modification may
+be required if you build Postfix from a vendor-specific source
+package.
+
Note: to use pcre with Debian GNU/Linux's Postfix, all you
need is to install the postfix-pcre package and you're done. There
is no need to recompile Postfix.
diff --git a/postfix/proto/PGSQL_README.html b/postfix/proto/PGSQL_README.html
index 60929e6b0..eb31a9826 100644
--- a/postfix/proto/PGSQL_README.html
+++ b/postfix/proto/PGSQL_README.html
@@ -33,6 +33,11 @@ clients by using the Postfix proxymap(8) service.
Building Postfix with PostgreSQL support
+ These instructions assume that you build Postfix from source
+code as described in the INSTALL document. Some modification may
+be required if you build Postfix from a vendor-specific source
+package.
+
Note: to use pgsql with Debian GNU/Linux's Postfix, all you
need to do is to install the postfix-pgsql package and you're done.
There is no need to recompile Postfix.
diff --git a/postfix/proto/SASL_README.html b/postfix/proto/SASL_README.html
index 3839d813d..b0a88534f 100644
--- a/postfix/proto/SASL_README.html
+++ b/postfix/proto/SASL_README.html
@@ -117,6 +117,11 @@ Postfix versions.
Building Postfix with Dovecot SASL
support
+ These instructions assume that you build Postfix from source
+code as described in the INSTALL document. Some modification may
+be required if you build Postfix from a vendor-specific source
+package.
+
Support for the Dovecot version 1 SASL protocol is available
in Postfix 2.3 and later. At the time
of writing, only server-side SASL support is available, so you can't
@@ -173,6 +178,11 @@ authentication method, specify ``./configure --enable-login''.
Building Postfix with Cyrus SASL support
+ These instructions assume that you build Postfix from source
+code as described in the INSTALL document. Some modification may
+be required if you build Postfix from a vendor-specific source
+package.
+
The following
assumes that the Cyrus SASL include files are in /usr/local/include,
and that the Cyrus SASL libraries are in /usr/local/lib.
diff --git a/postfix/proto/TLS_README.html b/postfix/proto/TLS_README.html
index 92889bc50..d171dfe17 100644
--- a/postfix/proto/TLS_README.html
+++ b/postfix/proto/TLS_README.html
@@ -95,9 +95,9 @@ cache files.
Network->
smtpd(8)
- <---seed---
<-session-> <---seed----
<-key/cert->
tlsmgr(8)
- ---seed--->
<-session->
+ ----seed--->
<-key/cert->
smtp(8)
->Network
@@ -122,6 +122,11 @@ align="center" bgcolor="#f0f0ff"> smtp
session
key cache
Building Postfix with TLS support
+ These instructions assume that you build Postfix from source
+code as described in the INSTALL document. Some modification may
+be required if you build Postfix from a vendor-specific source
+package.
+
To build Postfix with TLS support, first we need to generate
the make(1) files with the necessary definitions. This is
done by invoking the command "make makefiles" in the Postfix
@@ -2431,17 +2436,17 @@ Enter PEM pass phrase:whatever
-Create an unpassworded private key for host FOO and create +
Create an unpassworded private key for host foo.porcupine.org and create an unsigned public key certificate.
--% openssl req -new -nodes -keyout FOO-key.pem -out FOO-req.pem -days 365 +% openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem -days 365 Using configuration from /etc/ssl/openssl.cnf Generating a 1024 bit RSA private key ........................................++++++ ....++++++ -writing new private key to 'FOO-key.pem' +writing new private key to 'foo-key.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. @@ -2455,7 +2460,7 @@ State or Province Name (full name) [Some-State]:New York Locality Name (eg, city) []:Westchester Organization Name (eg, company) [Internet Widgits Pty Ltd]:Porcupine Organizational Unit Name (eg, section) []: -Common Name (eg, YOUR name) []:FOO +Common Name (eg, YOUR name) []:foo.porcupine.org Email Address []:wietse@porcupine.org Please enter the following 'extra' attributes @@ -2465,13 +2470,13 @@ An optional company name []:
Sign the public key certificate for host FOO with the +
Sign the public key certificate for host foo.porcupine.org with the Certification Authority private key that we created a few steps ago.
+ +-% openssl ca -out FOO-cert.pem -infiles FOO-req.pem +% openssl ca -out foo-cert.pem -infiles foo-req.pem Using configuration from /etc/ssl/openssl.cnf Enter PEM pass phrase:whatever Check that the request matches the signature @@ -2481,7 +2486,7 @@ countryName :PRINTABLE:'US' stateOrProvinceName :PRINTABLE:'New York' localityName :PRINTABLE:'Westchester' organizationName :PRINTABLE:'Porcupine' -commonName :PRINTABLE:'FOO' +commonName :PRINTABLE:'foo.porcupine.org' emailAddress :IA5STRING:'wietse@porcupine.org' Certificate is to be certified until Nov 21 19:40:56 2005 GMT (365 days) Sign the certificate? [y/n]:y @@ -2499,9 +2504,9 @@ super-user privileges.+@@ -2522,8 +2527,8 @@ but don't require them from all clients. btree:/var/lib/postfix/smtp_tls_session_cache smtp_tls_security_level = may smtpd_tls_CAfile = /etc/postfix/cacert.pem - smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem - smtpd_tls_key_file = /etc/postfix/FOO-key.pem + smtpd_tls_cert_file = /etc/postfix/foo-cert.pem + smtpd_tls_key_file = /etc/postfix/foo-key.pem smtpd_tls_received_header = yes smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 038a7e84a..2289fb2cd 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -26,7 +26,8 @@ # tool: # # * Supported HTML elements are: blockquote, ul, li, dl, dt, dd, -# p, pre, b, i, h, and the escapes for < and >. Sorry, no tables. +# p, pre, b, i, h, and the escapes for < <= >= >. Sorry, no +# tables. # # * HTML elements must be specified in lower case. # 
@@ -38,6 +39,11 @@ # * Text between is stripped out. The # must appear on separate lines. # +# * Blank lines are special for postconf2man: it replaces them by +# a "new paragraph" command. Don't put any blank lines inside +#-# cp demoCA/cacert.pem FOO-key.pem FOO-cert.pem /etc/postfix -# chmod 644 /etc/postfix/FOO-cert.pem /etc/postfix/cacert.pem -# chmod 400 /etc/postfix/FOO-key.pem +# cp demoCA/cacert.pem foo-key.pem foo-cert.pem /etc/postfix +# chmod 644 /etc/postfix/foo-cert.pem /etc/postfix/cacert.pem +# chmod 400 /etc/postfix/foo-key.pemtext. Instead, put those blank lines between +#and. +# # * Text after a blank line must start with an HTML element. # # Also: @@ -1346,8 +1352,9 @@ host, host:port, [host]:port, [address] or [address]:port; the form destinations, Postfix will try them in the specified order.To prevent mailer loops between MX hosts and fall-back hosts, -Postfix version 2.3 and later will not use the smtp_fallback_relay -feature for destinations that it is MX host for.
+Postfix version 2.2 and later will not use the fallback relays for +destinations that it is MX host for (and DSN lookup is turned on). + %PARAM fallback_relay @@ -10960,6 +10967,9 @@ As in the example above, we show two matching fingerprints: smtp_tls_policy_maps = hash:/etc/postfix/tls_policy smtp_tls_fingerprint_digest = md5
/etc/postfix/tls_policy:
example.com fingerprint
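Review bot: "DSN lookup is turned on" in the rewritten smtp_fallback_relay text (the postconf.proto hunk at @@ -1346) reads like a typo for "DNS lookup": deciding whether Postfix is itself an MX host for a destination requires MX record lookups, while DSN means delivery status notification. Suggest "(assuming DNS lookup is turned on)". Separately, the FOO to foo.porcupine.org rename in TLS_README is a good change beyond cosmetics, since the certificate Common Name now matches the host name that a verifying SMTP client compares against; the install step keeps foo-key.pem at mode 400, which is the right default to show.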
@@ -11420,3 +11430,83 @@ software.
This feature is available in Postfix 2.5 and later.
+%PARAM smtp_sasl_auth_soft_bounce yes
+
+ When a remote SMTP server rejects a SASL authentication request
+with a 535 reply code, defer mail delivery instead of returning
+mail as undeliverable. The latter behavior was hard-coded prior to
+Postfix version 2.5.
+
+ Note: the setting "yes" overrides the global soft_bounce
+parameter, but the setting "no" does not.
+
+ Example:
+
+
+# Default as of Postfix 2.5
+smtp_sasl_auth_soft_bounce = yes
+# The old hard-coded default
+smtp_sasl_auth_soft_bounce = no
+
+
+ This feature is available in Postfix 2.5 and later.
+
+%PARAM smtp_sasl_auth_cache_name
+
+ An optional table to prevent repeated SASL authentication
+failures with the same remote SMTP server hostname, username and
+password. Each table (key, value) pair contains a server name, a
+username and password, and the full server response. This information
+is stored when a remote SMTP server rejects an authentication attempt
+with a 535 reply code. As long as the smtp_sasl_password_maps
+information does no change, and as long as the smtp_sasl_auth_cache_name
+information does not expire (see smtp_sasl_auth_cache_time) the
+Postfix SMTP client avoids SASL authentication attempts with the
+same server, username and password, and instead bounces or defers
+mail as controlled with the smtp_sasl_auth_soft_bounce configuration
+parameter.
+
+ The table must be accessed via the proxywrite service, i.e. the
+map name must start with "proxy:". The table should be stored under
+the directory specified with the data_directory parameter.
+
+ This feature uses cryptographic hashing to protect plain-text
+passwords, and requires that Postfix is compiled with TLS support.
+
+
+ Example:
+
+
+smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache
+
+
+ This feature is available in Postfix 2.5 and later.
+
+%PARAM smtp_sasl_auth_cache_time 90d
+
+ The maximal age of an smtp_sasl_auth_cache_name entry before it
+is removed.
+
+ This feature is available in Postfix 2.5 and later.
+
+%PARAM lmtp_sasl_auth_soft_bounce yes
+
+ The LMTP-specific version of the smtp_sasl_auth_soft_bounce
+configuration parameter. See there for details.
+
+ This feature is available in Postfix 2.5 and later.
+
+%PARAM lmtp_sasl_auth_cache_name
+
+ The LMTP-specific version of the smtp_sasl_auth_cache_name
+configuration parameter. See there for details.
+
+ This feature is available in Postfix 2.5 and later.
+
+%PARAM lmtp_sasl_auth_cache_time 90d
+
+ The LMTP-specific version of the smtp_sasl_auth_cache_time
+configuration parameter. See there for details.
+
+ This feature is available in Postfix 2.5 and later.
+
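Review bot: "does no change" in the smtp_sasl_auth_cache_name description should read "does not change". The same entry tells operators the feature "uses cryptographic hashing to protect plain-text passwords", but the new smtp_sasl_auth_cache.c marks the stored hash as unsalted in an XXX comment, so the cache file is still worth protecting as if it held secrets; since the text already directs the table to data_directory, one sentence saying why (the file must not be readable by anyone but Postfix) would make that concrete. Consider also pointing at proxy_write_maps, whose default now lists $smtp_sasl_auth_cache_name, so readers can see why the "proxy:" prefix is mandatory.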
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index 078d15b82..55cecc7dd 100644
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@@ -1574,6 +1574,27 @@ extern char *var_lmtp_sasl_path;
#define DEF_CYRUS_SASL_AUTHZID 0
extern int var_cyrus_sasl_authzid;
+ /*
+ * Special handling of AUTH 535 failures.
+ */
+#define VAR_SMTP_SASL_AUTH_SOFT_BOUNCE "smtp_sasl_auth_soft_bounce"
+#define DEF_SMTP_SASL_AUTH_SOFT_BOUNCE 1
+#define VAR_LMTP_SASL_AUTH_SOFT_BOUNCE "lmtp_sasl_auth_soft_bounce"
+#define DEF_LMTP_SASL_AUTH_SOFT_BOUNCE 1
+extern bool var_smtp_sasl_auth_soft_bounce;
+
+#define VAR_SMTP_SASL_AUTH_CACHE_NAME "smtp_sasl_auth_cache_name"
+#define DEF_SMTP_SASL_AUTH_CACHE_NAME ""
+#define VAR_LMTP_SASL_AUTH_CACHE_NAME "lmtp_sasl_auth_cache_name"
+#define DEF_LMTP_SASL_AUTH_CACHE_NAME ""
+extern char *var_smtp_sasl_auth_cache_name;
+
+#define VAR_SMTP_SASL_AUTH_CACHE_TIME "smtp_sasl_auth_cache_time"
+#define DEF_SMTP_SASL_AUTH_CACHE_TIME "90d"
+#define VAR_LMTP_SASL_AUTH_CACHE_TIME "lmtp_sasl_auth_cache_time"
+#define DEF_LMTP_SASL_AUTH_CACHE_TIME "90d"
+extern int var_smtp_sasl_auth_cache_time;
+
/*
* LMTP client. Timeouts inspired by RFC 1123. The LMTP recipient limit
* determines how many recipient addresses the LMTP client sends along with
@@ -2040,7 +2061,8 @@ extern int var_local_rcpt_code;
extern char *var_proxy_read_maps;
#define VAR_PROXY_WRITE_MAPS "proxy_write_maps"
-#define DEF_PROXY_WRITE_MAPS "" /* Add here: "$" VAR_AUTH_FAIL_MAP */
+#define DEF_PROXY_WRITE_MAPS "$" VAR_SMTP_SASL_AUTH_CACHE_NAME \
+ " $" VAR_LMTP_SASL_AUTH_CACHE_NAME
extern char *var_proxy_write_maps;
/*
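Review bot: with $smtp_sasl_auth_cache_name and $lmtp_sasl_auth_cache_name in DEF_PROXY_WRITE_MAPS, the proxywrite service will open whatever path those parameters name read-write with O_CREAT (see CACHE_DICT_OPEN_FLAGS in smtp_sasl_auth_cache.c). The postconf text only recommends that the table live under data_directory; since proxymap(8) now documents data_directory anyway, consider enforcing that location (or at least warning when the path is elsewhere) rather than leaving it to the operator.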
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index d8e7ab37f..32550eb9d 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20080109"
+#define MAIL_RELEASE_DATE "20080114"
#define MAIL_VERSION_NUMBER "2.5"
#ifdef SNAPSHOT
diff --git a/postfix/src/milter/milter8.c b/postfix/src/milter/milter8.c
index 6247b601a..238c1d107 100644
--- a/postfix/src/milter/milter8.c
+++ b/postfix/src/milter/milter8.c
@@ -295,7 +295,7 @@ static const NAME_MASK smfif_table[] = {
#define SMFIA_INET6 '6' /* inet6 */
/*
- * External macro set numbers, to identify the optional macro name lists
+ * External macro class numbers, to identify the optional macro name lists
* that may be sent after the initial negotiation header.
*/
#define SMFIM_CONNECT 0 /* macros for connect */
@@ -318,7 +318,7 @@ static const NAME_CODE smfim_table[] = {
};
/*
- * Mapping from external macro set numbers to our internal MILTER_MACROS
+ * Mapping from external macro class numbers to our internal MILTER_MACROS
* structure members, without using a switch statement.
*/
static const size_t milter8_macro_offsets[] = {
@@ -331,8 +331,8 @@ static const size_t milter8_macro_offsets[] = {
offsetof(MILTER_MACROS, eoh_macros),/* Note: SMFIM_EOH > SMFIM_EOM */
};
-#define MILTER8_MACRO_PTR(__macros, __type) \
- ((char **) (((char *) (__macros)) + milter8_macro_offsets[(__type)]))
+#define MILTER8_MACRO_PTR(__macros, __class) \
+ ((char **) (((char *) (__macros)) + milter8_macro_offsets[(__class)]))
/*
* How much buffer space is available for sending body content.
diff --git a/postfix/src/pipe/pipe.c b/postfix/src/pipe/pipe.c
index 13a0da53f..ad68d6e1b 100644
--- a/postfix/src/pipe/pipe.c
+++ b/postfix/src/pipe/pipe.c
@@ -920,7 +920,7 @@ static void get_service_attr(PIPE_ATTR *attr, char **argv)
/*
* null_sender=string
*/
- else if (strncasecmp("null_sender=", *argv, sizeof("eol=") - 1) == 0) {
+ else if (strncasecmp("null_sender=", *argv, sizeof("null_sender=") - 1) == 0) {
vstring_strcpy(attr->null_sender, *argv + sizeof("null_sender=") - 1);
}
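Review bot: good catch on the length argument: sizeof("eol=") - 1 is 4, so the old test matched any attribute whose name begins with "null" rather than only "null_sender=", while the vstring_strcpy() that follows still skipped 12 characters. To stop the literal and its length from drifting apart again, consider a small helper along the lines of `#define STRN_CASE_EQ(s, lit) (strncasecmp((lit), (s), sizeof(lit) - 1) == 0)` and using it for every attribute handled in get_service_attr().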
diff --git a/postfix/src/proxymap/proxymap.c b/postfix/src/proxymap/proxymap.c
index 937f370df..593986978 100644
--- a/postfix/src/proxymap/proxymap.c
+++ b/postfix/src/proxymap/proxymap.c
@@ -144,6 +144,9 @@
/* .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
/* The default location of the Postfix main.cf and master.cf
/* configuration files.
+/* .IP "\fBdata_directory (see 'postconf -d' output)\fR"
+/* The directory with Postfix-writable data files (for example:
+/* caches, pseudo-random numbers).
/* .IP "\fBdaemon_timeout (18000s)\fR"
/* How much time a Postfix daemon process may take to handle a
/* request before it is terminated by a built-in watchdog timer.
diff --git a/postfix/src/smtp/Makefile.in b/postfix/src/smtp/Makefile.in
index 48c9f8b5b..f5ae8f07f 100644
--- a/postfix/src/smtp/Makefile.in
+++ b/postfix/src/smtp/Makefile.in
@@ -1,11 +1,13 @@
SHELL = /bin/sh
SRCS = smtp.c smtp_connect.c smtp_proto.c smtp_chat.c smtp_session.c \
smtp_addr.c smtp_trouble.c smtp_state.c smtp_rcpt.c \
- smtp_sasl_proto.c smtp_sasl_glue.c smtp_reuse.c smtp_map11.c
+ smtp_sasl_proto.c smtp_sasl_glue.c smtp_reuse.c smtp_map11.c \
+ smtp_sasl_auth_cache.c
OBJS = smtp.o smtp_connect.o smtp_proto.o smtp_chat.o smtp_session.o \
smtp_addr.o smtp_trouble.o smtp_state.o smtp_rcpt.o \
- smtp_sasl_proto.o smtp_sasl_glue.o smtp_reuse.o smtp_map11.o
-HDRS = smtp.h smtp_sasl.h smtp_addr.h smtp_reuse.h
+ smtp_sasl_proto.o smtp_sasl_glue.o smtp_reuse.o smtp_map11.o \
+ smtp_sasl_auth_cache.o
+HDRS = smtp.h smtp_sasl.h smtp_addr.h smtp_reuse.h smtp_sasl_auth_cache.h
TESTSRC =
DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE)
CFLAGS = $(DEBUG) $(OPT) $(DEFS)
@@ -149,7 +151,6 @@ smtp_addr.o: ../../include/msg_stats.h
smtp_addr.o: ../../include/myaddrinfo.h
smtp_addr.o: ../../include/mymalloc.h
smtp_addr.o: ../../include/name_code.h
-smtp_addr.o: ../../include/name_mask.h
smtp_addr.o: ../../include/own_inet_addr.h
smtp_addr.o: ../../include/recipient_list.h
smtp_addr.o: ../../include/resolve_clnt.h
@@ -270,7 +271,6 @@ smtp_map11.o: ../../include/mime_state.h
smtp_map11.o: ../../include/msg.h
smtp_map11.o: ../../include/msg_stats.h
smtp_map11.o: ../../include/name_code.h
-smtp_map11.o: ../../include/name_mask.h
smtp_map11.o: ../../include/quote_822_local.h
smtp_map11.o: ../../include/quote_flags.h
smtp_map11.o: ../../include/recipient_list.h
@@ -361,7 +361,6 @@ smtp_rcpt.o: ../../include/msg.h
smtp_rcpt.o: ../../include/msg_stats.h
smtp_rcpt.o: ../../include/mymalloc.h
smtp_rcpt.o: ../../include/name_code.h
-smtp_rcpt.o: ../../include/name_mask.h
smtp_rcpt.o: ../../include/recipient_list.h
smtp_rcpt.o: ../../include/resolve_clnt.h
smtp_rcpt.o: ../../include/scache.h
@@ -394,7 +393,6 @@ smtp_reuse.o: ../../include/msg.h
smtp_reuse.o: ../../include/msg_stats.h
smtp_reuse.o: ../../include/mymalloc.h
smtp_reuse.o: ../../include/name_code.h
-smtp_reuse.o: ../../include/name_mask.h
smtp_reuse.o: ../../include/recipient_list.h
smtp_reuse.o: ../../include/resolve_clnt.h
smtp_reuse.o: ../../include/scache.h
@@ -409,6 +407,40 @@ smtp_reuse.o: ../../include/vstring.h
smtp_reuse.o: smtp.h
smtp_reuse.o: smtp_reuse.c
smtp_reuse.o: smtp_reuse.h
+smtp_sasl_auth_cache.o: ../../include/argv.h
+smtp_sasl_auth_cache.o: ../../include/attr.h
+smtp_sasl_auth_cache.o: ../../include/base64_code.h
+smtp_sasl_auth_cache.o: ../../include/deliver_request.h
+smtp_sasl_auth_cache.o: ../../include/dict.h
+smtp_sasl_auth_cache.o: ../../include/dict_proxy.h
+smtp_sasl_auth_cache.o: ../../include/dsn.h
+smtp_sasl_auth_cache.o: ../../include/dsn_buf.h
+smtp_sasl_auth_cache.o: ../../include/dsn_util.h
+smtp_sasl_auth_cache.o: ../../include/header_body_checks.h
+smtp_sasl_auth_cache.o: ../../include/header_opts.h
+smtp_sasl_auth_cache.o: ../../include/htable.h
+smtp_sasl_auth_cache.o: ../../include/maps.h
+smtp_sasl_auth_cache.o: ../../include/match_list.h
+smtp_sasl_auth_cache.o: ../../include/match_ops.h
+smtp_sasl_auth_cache.o: ../../include/mime_state.h
+smtp_sasl_auth_cache.o: ../../include/msg.h
+smtp_sasl_auth_cache.o: ../../include/msg_stats.h
+smtp_sasl_auth_cache.o: ../../include/mymalloc.h
+smtp_sasl_auth_cache.o: ../../include/name_code.h
+smtp_sasl_auth_cache.o: ../../include/recipient_list.h
+smtp_sasl_auth_cache.o: ../../include/resolve_clnt.h
+smtp_sasl_auth_cache.o: ../../include/scache.h
+smtp_sasl_auth_cache.o: ../../include/string_list.h
+smtp_sasl_auth_cache.o: ../../include/stringops.h
+smtp_sasl_auth_cache.o: ../../include/sys_defs.h
+smtp_sasl_auth_cache.o: ../../include/tls.h
+smtp_sasl_auth_cache.o: ../../include/tok822.h
+smtp_sasl_auth_cache.o: ../../include/vbuf.h
+smtp_sasl_auth_cache.o: ../../include/vstream.h
+smtp_sasl_auth_cache.o: ../../include/vstring.h
+smtp_sasl_auth_cache.o: smtp.h
+smtp_sasl_auth_cache.o: smtp_sasl_auth_cache.c
+smtp_sasl_auth_cache.o: smtp_sasl_auth_cache.h
smtp_sasl_glue.o: ../../include/argv.h
smtp_sasl_glue.o: ../../include/attr.h
smtp_sasl_glue.o: ../../include/deliver_request.h
@@ -428,7 +460,6 @@ smtp_sasl_glue.o: ../../include/msg.h
smtp_sasl_glue.o: ../../include/msg_stats.h
smtp_sasl_glue.o: ../../include/mymalloc.h
smtp_sasl_glue.o: ../../include/name_code.h
-smtp_sasl_glue.o: ../../include/name_mask.h
smtp_sasl_glue.o: ../../include/recipient_list.h
smtp_sasl_glue.o: ../../include/resolve_clnt.h
smtp_sasl_glue.o: ../../include/scache.h
@@ -444,6 +475,7 @@ smtp_sasl_glue.o: ../../include/vstring.h
smtp_sasl_glue.o: ../../include/xsasl.h
smtp_sasl_glue.o: smtp.h
smtp_sasl_glue.o: smtp_sasl.h
+smtp_sasl_glue.o: smtp_sasl_auth_cache.h
smtp_sasl_glue.o: smtp_sasl_glue.c
smtp_sasl_proto.o: ../../include/argv.h
smtp_sasl_proto.o: ../../include/attr.h
@@ -463,7 +495,6 @@ smtp_sasl_proto.o: ../../include/msg.h
smtp_sasl_proto.o: ../../include/msg_stats.h
smtp_sasl_proto.o: ../../include/mymalloc.h
smtp_sasl_proto.o: ../../include/name_code.h
-smtp_sasl_proto.o: ../../include/name_mask.h
smtp_sasl_proto.o: ../../include/recipient_list.h
smtp_sasl_proto.o: ../../include/resolve_clnt.h
smtp_sasl_proto.o: ../../include/scache.h
@@ -497,7 +528,6 @@ smtp_session.o: ../../include/msg.h
smtp_session.o: ../../include/msg_stats.h
smtp_session.o: ../../include/mymalloc.h
smtp_session.o: ../../include/name_code.h
-smtp_session.o: ../../include/name_mask.h
smtp_session.o: ../../include/recipient_list.h
smtp_session.o: ../../include/resolve_clnt.h
smtp_session.o: ../../include/scache.h
@@ -531,7 +561,6 @@ smtp_state.o: ../../include/msg.h
smtp_state.o: ../../include/msg_stats.h
smtp_state.o: ../../include/mymalloc.h
smtp_state.o: ../../include/name_code.h
-smtp_state.o: ../../include/name_mask.h
smtp_state.o: ../../include/recipient_list.h
smtp_state.o: ../../include/resolve_clnt.h
smtp_state.o: ../../include/scache.h
@@ -598,7 +627,6 @@ smtp_unalias.o: ../../include/msg.h
smtp_unalias.o: ../../include/msg_stats.h
smtp_unalias.o: ../../include/myaddrinfo.h
smtp_unalias.o: ../../include/name_code.h
-smtp_unalias.o: ../../include/name_mask.h
smtp_unalias.o: ../../include/recipient_list.h
smtp_unalias.o: ../../include/resolve_clnt.h
smtp_unalias.o: ../../include/scache.h
diff --git a/postfix/src/smtp/lmtp_params.c b/postfix/src/smtp/lmtp_params.c
index 7ab5241e9..5f7c41b5a 100644
--- a/postfix/src/smtp/lmtp_params.c
+++ b/postfix/src/smtp/lmtp_params.c
@@ -43,6 +43,7 @@
VAR_LMTP_TCP_PORT, DEF_LMTP_TCP_PORT, &var_lmtp_tcp_port, 0, 0,
VAR_LMTP_PIX_BUG_WORDS, DEF_LMTP_PIX_BUG_WORDS, &var_smtp_pix_bug_words, 0, 0,
VAR_LMTP_PIX_BUG_MAPS, DEF_LMTP_PIX_BUG_MAPS, &var_smtp_pix_bug_maps, 0, 0,
+ VAR_LMTP_SASL_AUTH_CACHE_NAME, DEF_LMTP_SASL_AUTH_CACHE_NAME, &var_smtp_sasl_auth_cache_name, 0, 0,
VAR_CYRUS_CONF_PATH, DEF_CYRUS_CONF_PATH, &var_cyrus_conf_path, 0, 0,
VAR_LMTP_HEAD_CHKS, DEF_LMTP_HEAD_CHKS, &var_smtp_head_chks, 0, 0,
VAR_LMTP_MIME_CHKS, DEF_LMTP_MIME_CHKS, &var_smtp_mime_chks, 0, 0,
@@ -69,6 +70,7 @@
VAR_LMTP_STARTTLS_TMOUT, DEF_LMTP_STARTTLS_TMOUT, &var_smtp_starttls_tmout, 1, 0,
#endif
VAR_SCACHE_PROTO_TMOUT, DEF_SCACHE_PROTO_TMOUT, &var_scache_proto_tmout, 1, 0,
+ VAR_LMTP_SASL_AUTH_CACHE_TIME, DEF_LMTP_SASL_AUTH_CACHE_TIME, &var_smtp_sasl_auth_cache_time, 0, 0,
0,
};
static const CONFIG_INT_TABLE lmtp_int_table[] = {
@@ -98,5 +100,6 @@
#endif
VAR_LMTP_SENDER_AUTH, DEF_LMTP_SENDER_AUTH, &var_smtp_sender_auth,
VAR_LMTP_CNAME_OVERR, DEF_LMTP_CNAME_OVERR, &var_smtp_cname_overr,
+ VAR_LMTP_SASL_AUTH_SOFT_BOUNCE, DEF_LMTP_SASL_AUTH_SOFT_BOUNCE, &var_smtp_sasl_auth_soft_bounce,
0,
};
diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c
index 963256c96..487178781 100644
--- a/postfix/src/smtp/smtp.c
+++ b/postfix/src/smtp/smtp.c
@@ -274,6 +274,19 @@
/* .IP "\fBsmtp_sasl_type (cyrus)\fR"
/* The SASL plug-in type that the Postfix SMTP client should use
/* for authentication.
+/* .PP
+/* Available in Postfix version 2.5 and later:
+/* .IP "\fBsmtp_sasl_auth_cache_name (empty)\fR"
+/* An optional table to prevent repeated SASL authentication
+/* failures with the same remote SMTP server hostname, username and
+/* password.
+/* .IP "\fBsmtp_sasl_auth_cache_time (90d)\fR"
+/* The maximal age of an smtp_sasl_auth_cache_name entry before it
+/* is removed.
+/* .IP "\fBsmtp_sasl_auth_soft_bounce (yes)\fR"
+/* When a remote SMTP server rejects a SASL authentication request
+/* with a 535 reply code, defer mail delivery instead of returning
+/* mail as undeliverable.
/* STARTTLS SUPPORT CONTROLS
/* .ad
/* .fi
@@ -749,6 +762,11 @@ char *var_smtp_mime_chks;
char *var_smtp_nest_chks;
char *var_smtp_body_chks;
+ /* Special handling of 535 AUTH errors. */
+char *var_smtp_sasl_auth_cache_name;
+int var_smtp_sasl_auth_cache_time;
+bool var_smtp_sasl_auth_soft_bounce;
+
/*
* Global variables.
*/
diff --git a/postfix/src/smtp/smtp_params.c b/postfix/src/smtp/smtp_params.c
index e8e7887e9..61cf8b33c 100644
--- a/postfix/src/smtp/smtp_params.c
+++ b/postfix/src/smtp/smtp_params.c
@@ -44,6 +44,7 @@
VAR_LMTP_TCP_PORT, DEF_LMTP_TCP_PORT, &var_lmtp_tcp_port, 0, 0,
VAR_SMTP_PIX_BUG_WORDS, DEF_SMTP_PIX_BUG_WORDS, &var_smtp_pix_bug_words, 0, 0,
VAR_SMTP_PIX_BUG_MAPS, DEF_SMTP_PIX_BUG_MAPS, &var_smtp_pix_bug_maps, 0, 0,
+ VAR_SMTP_SASL_AUTH_CACHE_NAME, DEF_SMTP_SASL_AUTH_CACHE_NAME, &var_smtp_sasl_auth_cache_name, 0, 0,
VAR_CYRUS_CONF_PATH, DEF_CYRUS_CONF_PATH, &var_cyrus_conf_path, 0, 0,
VAR_SMTP_HEAD_CHKS, DEF_SMTP_HEAD_CHKS, &var_smtp_head_chks, 0, 0,
VAR_SMTP_MIME_CHKS, DEF_SMTP_MIME_CHKS, &var_smtp_mime_chks, 0, 0,
@@ -70,6 +71,7 @@
VAR_SMTP_STARTTLS_TMOUT, DEF_SMTP_STARTTLS_TMOUT, &var_smtp_starttls_tmout, 1, 0,
#endif
VAR_SCACHE_PROTO_TMOUT, DEF_SCACHE_PROTO_TMOUT, &var_scache_proto_tmout, 1, 0,
+ VAR_SMTP_SASL_AUTH_CACHE_TIME, DEF_SMTP_SASL_AUTH_CACHE_TIME, &var_smtp_sasl_auth_cache_time, 0, 0,
0,
};
static const CONFIG_INT_TABLE smtp_int_table[] = {
@@ -102,5 +104,6 @@
#endif
VAR_SMTP_SENDER_AUTH, DEF_SMTP_SENDER_AUTH, &var_smtp_sender_auth,
VAR_SMTP_CNAME_OVERR, DEF_SMTP_CNAME_OVERR, &var_smtp_cname_overr,
+ VAR_SMTP_SASL_AUTH_SOFT_BOUNCE, DEF_SMTP_SASL_AUTH_SOFT_BOUNCE, &var_smtp_sasl_auth_soft_bounce,
0,
};
diff --git a/postfix/src/smtp/smtp_sasl_auth_cache.c b/postfix/src/smtp/smtp_sasl_auth_cache.c
new file mode 100644
index 000000000..ed9821756
--- /dev/null
+++ b/postfix/src/smtp/smtp_sasl_auth_cache.c
@@ -0,0 +1,266 @@
+/*++
+/* NAME
+/* smtp_sasl_auth_cache 3
+/* SUMMARY
+/* Postfix SASL authentication reply cache
+/* SYNOPSIS
+/* #include "smtp.h"
+/* #include "smtp_sasl_auth_cache.h"
+/*
+/* SMTP_SASL_AUTH_CACHE *smtp_sasl_auth_cache_init(map, ttl)
+/* const char *map
+/* int ttl;
+/*
+/* void smtp_sasl_auth_cache_store(auth_cache, session, resp)
+/* SMTP_SASL_AUTH_CACHE *auth_cache;
+/* const SMTP_SESSION *session;
+/* const SMTP_RESP *resp;
+/*
+/* int smtp_sasl_auth_cache_find(auth_cache, session)
+/* SMTP_SASL_AUTH_CACHE *auth_cache;
+/* const SMTP_SESSION *session;
+/*
+/* char *smtp_sasl_auth_cache_dsn(auth_cache)
+/* SMTP_SASL_AUTH_CACHE *auth_cache;
+/*
+/* char *smtp_sasl_auth_cache_text(auth_cache)
+/* SMTP_SASL_AUTH_CACHE *auth_cache;
+/* DESCRIPTION
+/* This module maintains a cache of SASL authentication server replies.
+/* This can be used to avoid repeated login failure errors.
+/*
+/* smtp_sasl_auth_cache_init() opens or creates the named cache.
+/*
+/* smtp_sasl_auth_cache_store() stores information about a
+/* SASL login attempt together with the server status and
+/* complete response.
+/*
+/* smtp_sasl_auth_cache_find() returns non-zero when a cache
+/* entry exists for the given host, username and password.
+/*
+/* smtp_sasl_auth_cache_dsn() and smtp_sasl_auth_cache_text()
+/* return the status and complete server response as found
+/* with smtp_sasl_auth_cache_find().
+/*
+/* Arguments:
+/* .IP map
+/* Lookup table name. The name must be singular and must start
+/* with "proxy:".
+/* .IP ttl
+/* The time after which a cache entry is considered expired.
+/* .IP session
+/* Session context.
+/* .IP resp
+/* Remote SMTP server response, to be stored into the cache.
+/* DIAGNOSTICS
+/* All errors are fatal.
+/* LICENSE
+/* .ad
+/* .fi
+/* The Secure Mailer license must be distributed with this software.
+/* AUTHOR(S)
+/* Original author:
+/* Keean Schupke
+/* Fry-IT Ltd.
+/*
+/* Updated by:
+/* Wietse Venema
+/* IBM T.J. Watson Research
+/* P.O. Box 704
+/* Yorktown Heights, NY 10598, USA
+/*--*/
+
+ /*
+ * System library.
+ */
+#include
+
+ /*
+ * Utility library
+ */
+#include
+#include
+#include
+#include
+#include
+
+ /*
+ * Global library
+ */
+#include
+#include
+
+ /*
+ * Application-specific
+ */
+#include "smtp.h"
+#include "smtp_sasl_auth_cache.h"
+
+ /*
+ * XXX This feature stores passwords, so we must mask them with a strong
+ * cryptographic hash. This requires OpenSSL support.
+ *
+ * XXX It would be even better if the stored hash were salted.
+ */
+#ifdef HAVE_SASL_AUTH_CACHE
+
+/* smtp_sasl_auth_cache_init - per-process initialization (pre jail) */
+
+SMTP_SASL_AUTH_CACHE *smtp_sasl_auth_cache_init(const char *map, int ttl)
+{
+ const char *myname = "smtp_sasl_auth_cache_init";
+ SMTP_SASL_AUTH_CACHE *auth_cache;
+
+ /*
+ * Sanity checks.
+ */
+#define HAS_MULTIPLE_VALUES(s) ((s)[strcspn((s), ", \t\r\n")] != 0)
+
+ if (*map == 0)
+ msg_panic("%s: empty SASL authentication cache name", myname);
+ if (ttl < 0)
+ msg_panic("%s: bad SASL authentication cache ttl: %d", myname, ttl);
+ if (HAS_MULTIPLE_VALUES(map))
+ msg_fatal("SASL authentication cache name \"%s\" "
+ "contains multiple values", map);
+
+ /*
+ * XXX To avoid multiple writers the map needs to be maintained by the
+ * proxywrite service. We would like to have a DICT_FLAG_REQ_PROXY flag
+ * so that the library can enforce this, but that requires moving the
+ * dict_proxy module one level down in the build dependency hierachy.
+ */
+#define CACHE_DICT_OPEN_FLAGS \
+ (DICT_FLAG_DUP_REPLACE | DICT_FLAG_SYNC_UPDATE)
+
+ if (strncmp(map, DICT_TYPE_PROXY, sizeof(DICT_TYPE_PROXY)) - 1 != 0
+ && map[sizeof(DICT_TYPE_PROXY) - 1] != ':')
+ msg_fatal("SASL authentication cache name \"%s\" must start with \""
+ DICT_TYPE_PROXY "\":", map);
+
+ auth_cache = (SMTP_SASL_AUTH_CACHE *) mymalloc(sizeof(*auth_cache));
+ auth_cache->dict = dict_open(map, O_CREAT | O_RDWR, CACHE_DICT_OPEN_FLAGS);
+ auth_cache->ttl = ttl;
+ auth_cache->dsn = mymalloc(100);
+ auth_cache->text = mymalloc(100);
+ return (auth_cache);
+}
+
+ /*
+ * Each cache lookup key contains a server host name and user name. Each
+ * cache value contains a time stamp, a hashed password, and the server
+ * response. With this organization, we don't have to worry about cache
+ * pollution, because we can detect if a cache entry has expired, or if the
+ * password has changed.
+ */
+
+/* smtp_sasl_make_auth_cache_key - format auth failure cache lookup key */
+
+static char *smtp_sasl_make_auth_cache_key(const char *host, const char *user)
+{
+ VSTRING *buf = vstring_alloc(100);
+
+ vstring_sprintf(buf, "%s;%s", host, user);
+ return (vstring_export(buf));
+}
+
+/* smtp_sasl_make_auth_cache_pass - hash the auth failure cache password */
+
+static char *smtp_sasl_make_auth_cache_pass(const char *password)
+{
+ VSTRING *buf = vstring_alloc(2 * SHA_DIGEST_LENGTH);
+
+ base64_encode(buf, (const char *) SHA1((const unsigned char *) password,
+ strlen(password), 0),
+ SHA_DIGEST_LENGTH);
+ return (vstring_export(buf));
+}
+
+/* smtp_sasl_make_auth_cache_value - format auth failure cache value */
+
+static char *smtp_sasl_make_auth_cache_value(const char *password,
+ const char *dsn,
+ const char *rep_str)
+{
+ VSTRING *val_buf = vstring_alloc(100);
+ char *pwd_hash;
+ unsigned long now = (unsigned long) time((time_t *) 0);
+
+ pwd_hash = smtp_sasl_make_auth_cache_pass(password);
+ vstring_sprintf(val_buf, "%lu;%s;%s;%s", now, pwd_hash, dsn, rep_str);
+ myfree(pwd_hash);
+ return (vstring_export(val_buf));
+}
+
+/* smtp_sasl_auth_cache_valid - validate auth failure cache value */
+
+static int smtp_sasl_auth_cache_valid(SMTP_SASL_AUTH_CACHE *auth_cache,
+ const char *entry,
+ const char *password)
+{
+ ssize_t len = strlen(entry);
+ char *cache_hash = mymalloc(len);
+ char *curr_hash;
+ unsigned long now = (unsigned long) time((time_t *) 0);
+ unsigned long time_stamp;
+ int valid;
+
+ auth_cache->dsn = myrealloc(auth_cache->dsn, len);
+ auth_cache->text = myrealloc(auth_cache->text, len);
+
+ if (sscanf(entry, "%lu;%[^;];%[^;];%[^\n]", &time_stamp, cache_hash,
+ auth_cache->dsn, auth_cache->text) != 4
+ || !dsn_valid(auth_cache->dsn)) {
+ msg_warn("bad smtp_sasl_auth_cache entry: %.100s", entry);
+ valid = 0;
+ } else if (time_stamp + auth_cache->ttl < now) {
+ valid = 0;
+ } else {
+ curr_hash = smtp_sasl_make_auth_cache_pass(password);
+ valid = (strcmp(cache_hash, curr_hash) == 0);
+ myfree(curr_hash);
+ }
+ myfree(cache_hash);
+ return (valid);
+}
+
+/* smtp_sasl_auth_cache_find - search auth failure cache */
+
+int smtp_sasl_auth_cache_find(SMTP_SASL_AUTH_CACHE *auth_cache,
+ const SMTP_SESSION *session)
+{
+ char *key;
+ const char *entry;
+ int valid = 0;
+
+ key = smtp_sasl_make_auth_cache_key(session->host, session->sasl_username);
+ if ((entry = dict_get(auth_cache->dict, key)) != 0)
+ if ((valid = smtp_sasl_auth_cache_valid(auth_cache, entry,
+ session->sasl_passwd)) == 0)
+ /* Remove expired, password changed, or malformed cache entry. */
+ if (dict_del(auth_cache->dict, key) == 0)
+ msg_warn("SASL auth failure map %s: entry not deleted: %s",
+ auth_cache->dict->name, key);
+ myfree(key);
+ return (valid);
+}
+
+/* smtp_sasl_auth_cache_store - update auth failure cache */
+
+void smtp_sasl_auth_cache_store(SMTP_SASL_AUTH_CACHE *auth_cache,
+ const SMTP_SESSION *session,
+ const SMTP_RESP *resp)
+{
+ char *key;
+ char *value;
+
+ key = smtp_sasl_make_auth_cache_key(session->host, session->sasl_username);
+ value = smtp_sasl_make_auth_cache_value(session->sasl_passwd,
+ resp->dsn, resp->str);
+ dict_put(auth_cache->dict, key, value);
+
+ myfree(value);
+ myfree(key);
+}
+
+#endif
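Review bot: the "proxy:" prefix check in smtp_sasl_auth_cache_init() is wrong in two ways: the `- 1` sits outside the strncmp() call, so the comparison length is sizeof(DICT_TYPE_PROXY) including the NUL and 1 is subtracted from the return value instead, and the two conditions are joined with `&&` where `||` is needed, so any name whose sixth character is ':' (for example btree:/var/lib/postfix/x) passes without a proxy: prefix. One comparison does the job: `if (strncmp(map, DICT_TYPE_PROXY ":", sizeof(DICT_TYPE_PROXY)) != 0)`. Second, the password is stored as an unsalted SHA1, as the XXX comment admits; equal passwords for different hosts or users therefore produce equal hash strings in the cache, so the man-page section should state that the cache file must be readable by Postfix only, and an HMAC keyed with a per-installation secret would be a cheap improvement. Third, in smtp_sasl_auth_cache_valid() the `%[^\n]` conversion stops at the first newline, so if resp->str can carry embedded newlines (a multi-line server reply) the entry stored with "%s" will fail the four-field check and be logged as bad; escaping or trimming newlines before dict_put() avoids that. Typo: "hierachy" should be "hierarchy".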
diff --git a/postfix/src/smtp/smtp_sasl_auth_cache.h b/postfix/src/smtp/smtp_sasl_auth_cache.h
new file mode 100644
index 000000000..71271a21e
--- /dev/null
+++ b/postfix/src/smtp/smtp_sasl_auth_cache.h
@@ -0,0 +1,62 @@
+#ifndef _SMTP_SASL_AUTH_CACHE_H_INCLUDED_
+#define _SMTP_SASL_AUTH_CACHE_H_INCLUDED_
+
+/*++
+/* NAME
+/* smtp_sasl_auth_cache 3h
+/* SUMMARY
+/* Postfix SASL authentication failure cache
+/* SYNOPSIS
+/* #include "smtp.h"
+/* #include "smtp_sasl_auth_cache.h"
+/* DESCRIPTION
+/* .nf
+
+ /*
+ * Utility library.
+ */
+#include
+
+ /*
+ * This code stores hashed passwords which requires OpenSSL.
+ */
+#ifdef USE_TLS
+#define HAVE_SASL_AUTH_CACHE
+
+ /*
+ * External interface.
+ */
+typedef struct {
+ DICT *dict;
+ int ttl;
+ char *dsn;
+ char *text;
+} SMTP_SASL_AUTH_CACHE;
+
+extern SMTP_SASL_AUTH_CACHE *smtp_sasl_auth_cache_init(const char *, int);
+extern void smtp_sasl_auth_cache_store(SMTP_SASL_AUTH_CACHE *, const SMTP_SESSION *, const SMTP_RESP *);
+extern int smtp_sasl_auth_cache_find(SMTP_SASL_AUTH_CACHE *, const SMTP_SESSION *);
+
+#define smtp_sasl_auth_cache_dsn(cp) ((cp)->dsn)
+#define smtp_sasl_auth_cache_text(cp) ((cp)->text)
+
+#endif
+
+/* LICENSE
+/* .ad
+/* .fi
+/* The Secure Mailer license must be distributed with this software.
+/* AUTHOR(S)
+/* Initial implementation by:
+/* Till Franke
+/* SuSE Rhein/Main AG
+/* 65760 Eschborn, Germany
+/*
+/* Adopted by:
+/* Wietse Venema
+/* IBM T.J. Watson Research
+/* P.O. Box 704
+/* Yorktown Heights, NY 10598, USA
+/*--*/
+
+#endif
diff --git a/postfix/src/smtp/smtp_sasl_glue.c b/postfix/src/smtp/smtp_sasl_glue.c
index 7b225c3ee..41d150e3c 100644
--- a/postfix/src/smtp/smtp_sasl_glue.c
+++ b/postfix/src/smtp/smtp_sasl_glue.c
@@ -124,6 +124,7 @@
*/
#include "smtp.h"
#include "smtp_sasl.h"
+#include "smtp_sasl_auth_cache.h"
#ifdef USE_SASL_AUTH
@@ -142,6 +143,14 @@ STRING_LIST *smtp_sasl_mechs;
*/
static XSASL_CLIENT_IMPL *smtp_sasl_impl;
+ /*
+ * The 535 SASL authentication failure cache.
+ */
+#ifdef HAVE_SASL_AUTH_CACHE
+static SMTP_SASL_AUTH_CACHE *smtp_sasl_auth_cache;
+
+#endif
+
/* smtp_sasl_passwd_lookup - password lookup routine */
int smtp_sasl_passwd_lookup(SMTP_SESSION *session)
@@ -227,6 +236,20 @@ void smtp_sasl_initialize(void)
if (*var_smtp_sasl_mechs)
smtp_sasl_mechs = string_list_init(MATCH_FLAG_NONE,
var_smtp_sasl_mechs);
+
+ /*
+ * Initialize the 535 SASL authentication failure cache.
+ */
+ if (*var_smtp_sasl_auth_cache_name) {
+#ifdef HAVE_SASL_AUTH_CACHE
+ smtp_sasl_auth_cache =
+ smtp_sasl_auth_cache_init(var_smtp_sasl_auth_cache_name,
+ var_smtp_sasl_auth_cache_time);
+#else
+ msg_warn("not compiled with TLS support -- "
+ "ignoring the " VAR_SMTP_SASL_AUTH_CACHE_NAME " setting");
+#endif
+ }
}
/* smtp_sasl_connect - per-session client initialization */
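Review bot: the warning text "not compiled with TLS support -- ignoring the smtp_sasl_auth_cache_name setting" will puzzle administrators, because the parameter being ignored is a SASL setting and the dependency is not obvious. The header explains the real reason (the cache stores hashed passwords, which requires OpenSSL), so the message should say so, e.g. "the SASL authentication failure cache requires OpenSSL (TLS support)". The ordering is otherwise right: the configured-name check happens before the `#ifdef`, so the warning fires only when the feature is actually requested.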
@@ -279,6 +302,25 @@ int smtp_sasl_authenticate(SMTP_SESSION *session, DSN_BUF *why)
msg_info("%s: %s: SASL mechanisms %s",
myname, session->namaddrport, session->sasl_mechanism_list);
+ /*
+ * Avoid repeated login failures after a recent 535 error.
+ */
+#ifdef HAVE_SASL_AUTH_CACHE
+ if (smtp_sasl_auth_cache
+ && smtp_sasl_auth_cache_find(smtp_sasl_auth_cache, session)) {
+ char *resp_dsn = smtp_sasl_auth_cache_dsn(smtp_sasl_auth_cache);
+ char *resp_str = smtp_sasl_auth_cache_text(smtp_sasl_auth_cache);
+
+ if (var_smtp_sasl_auth_soft_bounce && resp_dsn[0] == '5')
+ resp_dsn[0] = '4';
+ dsb_update(why, resp_dsn, DSB_DEF_ACTION, DSB_MTYPE_DNS,
+ session->host, var_procname, resp_str,
+ "SASL [CACHED] authentication failed; server %s said: %s",
+ session->host, resp_str);
+ return (0);
+ }
+#endif
+
/*
* Start the client side authentication protocol.
*/
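Review bot: the soft-bounce rewrite `resp_dsn[0] = '4'` writes into the cache object's own `dsn` buffer (obtained through `smtp_sasl_auth_cache_dsn`), so after one cache hit with `smtp_sasl_auth_soft_bounce` enabled the stored DSN is permanently changed unless `smtp_sasl_auth_cache_find()` refreshes `dsn` from the dictionary on every hit. If the find routine does refresh it, a comment here saying so would prevent a future reader from flagging this; otherwise copy the DSN into a local buffer before modifying it. Note also that this path guards the rewrite with `resp_dsn[0] == '5'`, which is the safer form; the later hunk that rewrites `STR(resp->dsn_buf)[0]` does not have the equivalent check.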
@@ -340,6 +382,13 @@ int smtp_sasl_authenticate(SMTP_SESSION *session, DSN_BUF *why)
* We completed the authentication protocol.
*/
if (resp->code / 100 != 2) {
+#ifdef HAVE_SASL_AUTH_CACHE
+ /* Update the 535 authentication failure cache. */
+ if (smtp_sasl_auth_cache && resp->code == 535)
+ smtp_sasl_auth_cache_store(smtp_sasl_auth_cache, session, resp);
+#endif
+ if (var_smtp_sasl_auth_soft_bounce && resp->code / 100 == 5)
+ STR(resp->dsn_buf)[0] = '4';
dsb_update(why, resp->dsn, DSB_DEF_ACTION,
DSB_MTYPE_DNS, session->host,
var_procname, resp->str,
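Review bot: the soft-bounce rewrite `STR(resp->dsn_buf)[0] = '4'` is guarded only by `resp->code / 100 == 5` and does not verify that `dsn_buf` is non-empty and begins with '5', unlike the cached-failure path, which checks `resp_dsn[0] == '5'` before writing; use the same guard here for consistency. The subsequent `dsb_update()` reads `resp->dsn` rather than `STR(resp->dsn_buf)`, so the rewrite only takes effect if `resp->dsn` aliases that buffer; if it does, reference the buffer the same way in both places so the dependency is visible. Storing into the cache before the rewrite is correct, since the cache-hit path re-applies the rewrite on its own.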
diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c
index 68775495a..7588ea913 100644
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@@ -3766,8 +3766,7 @@ static void smtpd_start_tls(SMTPD_STATE *state)
* we exclude xclient authorized hosts from event count/rate control.
*/
if (var_smtpd_cntls_limit > 0
- && state->tls_context
- && state->tls_context->session_reused == 0
+ && (state->tls_context == 0 || state->tls_context->session_reused == 0)
&& SMTPD_STAND_ALONE(state) == 0
&& !xclient_allowed
&& anvil_clnt
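Review bot: this changes the rate-limit condition so that sessions with no TLS context (a failed or aborted handshake) are now counted toward `smtpd_client_new_tls_sessions_rate_limit`, where previously only successful non-resumed handshakes counted. That closes the gap where repeated failing handshakes were never counted, but the comment above this block (not visible here) and the message "New TLS session rate limit exceeded" should be updated to say that failed handshakes are included, since operators reading logs will otherwise assume a completed session was established.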
@@ -3778,9 +3777,10 @@ static void smtpd_start_tls(SMTPD_STATE *state)
state->error_mask |= MAIL_ERROR_POLICY;
msg_warn("New TLS session rate limit exceeded: %d from %s for service %s",
rate, state->namaddr, state->service);
- smtpd_chat_reply(state,
- "421 4.7.0 %s Error: too many new TLS sessions from %s",
- var_myhostname, state->namaddr);
+ if (state->tls_context)
+ smtpd_chat_reply(state,
+ "421 4.7.0 %s Error: too many new TLS sessions from %s",
+ var_myhostname, state->namaddr);
/* XXX Use regular return to signal end of session. */
vstream_longjmp(state->client, SMTP_ERR_QUIET);
}
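Review bot: guarding `smtpd_chat_reply()` with `if (state->tls_context)` is correct given the previous hunk, since with no TLS context there is no usable layer to write the 421 over, and `vstream_longjmp()` still terminates the session. Consider a one-line comment stating why the reply is skipped, so the asymmetric handling of the two cases is not mistaken for a missing reply.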
diff --git a/postfix/src/tlsmgr/tlsmgr.c b/postfix/src/tlsmgr/tlsmgr.c
index acf2fa959..906f5b808 100644
--- a/postfix/src/tlsmgr/tlsmgr.c
+++ b/postfix/src/tlsmgr/tlsmgr.c
@@ -117,6 +117,9 @@
/* .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
/* The default location of the Postfix main.cf and master.cf
/* configuration files.
+/* .IP "\fBdata_directory (see 'postconf -d' output)\fR"
+/* The directory with Postfix-writable data files (for example:
+/* caches, pseudo-random numbers).
/* .IP "\fBdaemon_timeout (18000s)\fR"
/* How much time a Postfix daemon process may take to handle a
/* request before it is terminated by a built-in watchdog timer.
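Review bot: the new `data_directory` entry is inserted between `config_directory` and `daemon_timeout`, but the surrounding parameter list appears alphabetical and "daemon_timeout" sorts before "data_directory"; move the new `.IP` block after `daemon_timeout` to keep the manual page ordering consistent.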
diff --git a/postfix/src/util/sys_defs.h b/postfix/src/util/sys_defs.h
index a43098de3..0c8f4d986 100644
--- a/postfix/src/util/sys_defs.h
+++ b/postfix/src/util/sys_defs.h
@@ -92,10 +92,6 @@
/* __FreeBSD_version version is major+minor */
-#if __FreeBSD_version >= 200000
-#define HAS_DUPLEX_PIPE
-#endif
-
#if __FreeBSD_version >= 220000
#define HAS_DEV_URANDOM /* introduced in 2.1.5 */
#endif
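Review bot: removing `HAS_DUPLEX_PIPE` for `__FreeBSD_version >= 200000` drops duplex pipes for every FreeBSD release from 2.0 onward in this block, not only the release the companion hunk says is broken; please confirm this is intended (see the note on the next hunk).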
@@ -110,6 +106,10 @@
#define SOCKOPT_SIZE socklen_t
#endif
+#if __FreeBSD_version >= 420000
+#define HAS_DUPLEX_PIPE /* 4.1 breaks with kqueue(2) */
+#endif
+
/* OpenBSD version is year+month */
#if OpenBSD >= 199805 /* XXX */
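Review bot: the comment "4.1 breaks with kqueue(2)" identifies one broken release, but the new threshold `__FreeBSD_version >= 420000` also disables `HAS_DUPLEX_PIPE` for FreeBSD 2.x, 3.x and 4.0, which the removed block previously enabled. If only 4.1 is affected, a condition that excludes just that range (for example `__FreeBSD_version < 410000 || __FreeBSD_version >= 420000`) would avoid a behaviour change on older releases; if the intent is to drop all pre-4.2 support for duplex pipes, say so in the comment.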