From: Wietse Z Venema Date: Fri, 27 Feb 2026 05:00:00 +0000 (-0500) Subject: postfix-3.12-20260227 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c4f9f3690950c746bdeee17bdde1da74ae400f4e;p=thirdparty%2Fpostfix.git postfix-3.12-20260227 --- diff --git a/postfix/.indent.pro b/postfix/.indent.pro index f645854e9..3faf372e5 100644 --- a/postfix/.indent.pro +++ b/postfix/.indent.pro @@ -2,6 +2,7 @@ -TADDR_MATCH_LIST -TADDR_PATTERN -TALIAS_TOKEN +-TALLOWED_PARENT -TANVIL_CLNT -TANVIL_LOCAL -TANVIL_MAX @@ -235,6 +236,10 @@ -TMKMAP_OPEN_FN -TMKMAP_OPEN_INFO -TMKMAP_SDBM +-TMOCK_OPEN_AS_REQ +-TMOCK_SPAWN_CMD_REQ +-TMOCK_STAT_REQ +-TMSG_CAPTURE -TMSG_STATS -TMULTI_SERVER -TMVECT @@ -246,6 +251,7 @@ -TNAME_CODE -TNAME_MASK -TNBBIO +-TNBDB_PATH_SUFFIX -TNVTABLE_INFO -TOPTIONS -TOSSL_DGST @@ -444,9 +450,11 @@ -Tsize_t -Tsockaddr -Tsockaddr_storage +-Tspawn_args -Tssize_t -Tssl_cipher_stack_t -Tssl_comp_stack_t +-Tstat -Ttime_t -Ttlsa_filter -Tuint16_t diff --git a/postfix/HISTORY b/postfix/HISTORY index 75ac447dc..f59be79a6 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -58,7 +58,7 @@ Apologies for any names omitted. reflects the current status of the software. Added -d (don't disconnect) and -c (show running counter) - option to te smtp-source test program. These tools are + option to the smtp-source test program. These tools are great torture tests for the mail software, and for the system that it runs on. @@ -30404,3 +30404,145 @@ Apologies for any names omitted. that an IPv6 address needs to be enclosed in [] for the debug_peer_list and qmqpd_authorized_clients parameters. File: proto/postconf.proto. + +20260219 + + Feature: support to migrate a working Postfix configuration + that uses hash: and btree: tables, to an OS that has deleted + Berkeley DB support. Files: Makefile.in, conf/postfix-files, + conf/postfix-non-bdb-script, conf/postfix-script, + global/Makefile.in, global/allowed_prefix.c, + global/allowed_prefix.h, global/allowed_prefix_test.c, + global/mail_params.c, global/mail_params.h, global/mail_proto.h, + global/nbdb_clnt.c, global/nbdb_clnt.h, global/nbdb_redirect.c, + global/nbdb_redirect.h, global/nbdb_redirect_test.c, + global/nbdb_surrogate.c, global/nbdb_surrogate.h, + global/nbdb_surrogate_test.c, global/nbdb_util.c, + global/nbdb_util.h, global/nbdb_util_test.c, html/Makefile.in, + man/Makefile.in, mantools/postlink, proto/Makefile.in, + proto/NON_BERKELEYDB_README.html, proto/postconf.proto, + proto/stop, proto/stop.double-cc, + proto/stop.double-install-proto-text, proto/stop.spell-cc, + proto/stop.spell-history, proto/stop.spell-proto-html, + smtp/smtp_connect.c, testing/Makefile.in, testing/mock_open_as.c, + testing/mock_open_as.h, testing/mock_spawn_command.c, + testing/mock_spawn_command.h, testing/mock_stat.c, + testing/mock_stat.h, testing/msg_capture.c, testing/msg_capture.h, + util/Makefile.in, util/dict.h, util/dict_open.c, + util/dict_surrogate.c, util/open_as.c, util/open_as.h, + util/spawn_command.c, util/spawn_command.h, util/vstream.h, + util/wrap_stat.c, util/wrap_stat.h. + +20260220 + + Documentation: TESTING, proto/NON_BERKELEYDB_README.html, + proto/stop.spell-proto-html, postfix/postfix.c, conf/postfix-files, + mantools/postlink, global/nbdb_clnt.c. + + Portability: testing/msg_capture.c. + + Migration to "No Berkeley DB": update default values + for alias_maps and alias_database, and replace the + platform-dependent database type with $default_database_type. + File: src/util/sys_defs.h. + + Documentation: update obsolete references to "dbm or db" + in xxx_table(5) manpages and make text more consistent. + Files: proto/cidr_table, proto/ldap_table, proto/memcache_table, + proto/mongodb_table, proto/mysql_table, proto/nisplus_table, + proto/pcre_table, proto/pgsql_table, proto/regexp_table, + proto/socketmap_table, proto/sqlite_table, proto/tcp_table. + + Documentation: made the postmap(1) and postmap(1) manpages + more consistent in the discussion of the default_data_base, + and moved that text to a more visible location. Files: + postalias/postalias.c, postmap/postmap.c. + + Documentation: updated 'man5' manpages for changes in default + indexed file types. Files: proto/access, proto/canonical, + proto/generic, proto/relocated, proto/transport, proto/virtual. + + Incompatibility: The alias_maps and alias_database parameter + default values have changed from hash:/path/to/aliases (or + dbm:/path/to/aliases) to $default_database_type:/path/to/aliases. + This simplifies the migration away from Berkeley DB. File: + util/sys_defs.h. + +20260221 + + Testing: factored out the mock cdb and lmdb code to make + more tests independent of whether the build includes support + for cdb and lmdb. Files: global/Makefile.in, + global/nbdb_redirect_test.c, global/nbdb_util_test.c, + nbdb_reindexd/Makefile.in, nbdb_reindexd/nbdb_index_as_test.c, + nbdb_reindexd/nbdb_process_test.c, testing/Makefile.in, + testing/mock_dict.c, testing/mock_dict.h. + +20260222 + + Cleanup: migration service name word-smithing. Files: + mantools/postlink, proto/postconf.proto, global/mail_params.h. + + Documentation: missing DEF_SHLIB_DIR in INSTALL. File: + proto/install.html. + +20260225 + + Documentation: examples now use lmdb plus text about implicit + types with "postmap /path/to/file" and available explicit types. + Files: proto/INSTALL.html, proto/SASL_README.html, + proto/STANDARD_CONFIGURATION_README.html, proto/UUCP_README.html, + proto/VIRTUAL_README.html. + + Workaround: as of Postfix 3.11, the default alias_maps value + contains $default_database_type:/path/to/aliases, instead + of a hard-coded type hash. If default_database_type was + changed from hash to lmdb (or cdb), then the indexed file + /path/to/aliases.lmdb (or /path/to/aliases.cdb) will likely + not exist. + + Unfortunately, if $default_database_type has changed from + hash to lmdb (or cdb) Postfix will not try to use + hash:/path/to/aliases, and will not trigger compatibility + workarounds that are implemented with "enable-redirect" or + "enable-reindex". This would be a gap in migration coverage. + + To avoid this, synthesize a stand-alone re-indexing request. + Files: conf/postfix-script, proto/NON_BERKELEYDB_README.html. + This is needed only for databases specified in alias_maps. + + Postfix works on Linux 7.x kernels. Frank Scheiner. Files: + makedefs, util/sys_defs.h. + +20260226 + + Documentation: update postconf(5) examples: all examples + show "lmdb", and mention cdb, hash, etc. as alternatives. + File: proto/postconf.proto. + + Cleanup: wordsmithing of recently-edited README files. + proto/SASL_README.html, proto/STANDARD_CONFIGURATION_README.html, + proto/UUCP_README.html. + + Cleanup: fix HTML validator complaint. File: + proto/postconf.html.prolog + + Cleanup: make only one attempt to generate an indexed file + for $alias_maps. This creates a status file + $config_directory/check-alias-maps-migration-done. File: + conf/postfix-script. + +20260227 + + Documentation: new Appendix with Mailman migration + instructions. File: proto/NON_BERKELEYDB_README.html. + + Cleanup: missing #include , reported on Solaris 11.4. + File: nbdb_reindexd/nbdb_reindexd.c. + + Cleanup: log a fatal error instead of dereferencing a null + pointer. Fedor Vorobev. File: util/dict_db.c. + + Bitrot: patches in anticipation of OpenSSL 4. Viktor Dukhovni. + Files: posttls-finger/posttls-finger.c, tls/tls_client.c, + tls/tls.h, tls/tls_misc.c, tls/tls_verify.c. diff --git a/postfix/INSTALL b/postfix/INSTALL index 4bd762bea..58519cc9d 100644 --- a/postfix/INSTALL +++ b/postfix/INSTALL @@ -432,7 +432,7 @@ postconf.5 | less"). |_____________________|____________________| |config_directory |/etc/postfix | |_____________________|____________________| - |default_database_type|lmdb or hash | + |default_database_type|lmdb, cdb, or hash | |_____________________|____________________| |default_cache_db_type|lmdb or btree | |_____________________|____________________| @@ -486,7 +486,7 @@ postconf.5 | less"). |_________________|_____________________|____________________| |DEF_CONFIG_DIR |config_directory |/etc/postfix | |_________________|_____________________|____________________| - |DEF_DB_TYPE |default_database_type|lmdb or hash | + |DEF_DB_TYPE |default_database_type|lmdb, cdb, or hash | |_________________|_____________________|____________________| |DEF_CACHE_DB_TYPE|default_cache_db_type|lmdb or btree | |_________________|_____________________|____________________| @@ -508,9 +508,12 @@ postconf.5 | less"). |_________________|_____________________|____________________| |DEF_SENDMAIL_PATH|sendmail_path |/usr/sbin/sendmail | |_________________|_____________________|____________________| + |DEF_SHLIB_DIR |shlib_directory |/usr/lib/postfix | + |_________________|_____________________|____________________| Note: the data_directory parameter (for caches and pseudo-random numbers) was -introduced with Postfix version 2.5. +introduced with Postfix version 2.5; shlib_directory (for shared-library +objects and database plugins) with Postfix version 3.0. 4.7 - Overriding other compile-time features @@ -542,8 +545,8 @@ The following is an extensive list of names and values. |_______________________________|_____________________________________________| || |Do not build with Berkeley DB support. By | || |default, Berkeley DB support is compiled in | -|| |on platforms that are known to support this | -||-DNO_DB |feature. If you override this, then you | +|| |on platforms that have historically supported| +||-DNO_DB |this feature. If you override this, then you | || |probably should also override | || |default_database_type or DEF_DB_TYPE as | || |described in section 4.6. | @@ -1080,7 +1083,7 @@ alias_maps" will tell you the exact location of the text file. First, be sure to update the text file with aliases for root, postmaster and "postfix" that forward mail to a real person. Postfix has a sample aliases file -/etc/postfix/aliases that you can adapt to local conditions. +/etc/postfix/aliases that you can copy and adapt to local conditions. /p> /etc/aliases: root: you @@ -1097,6 +1100,13 @@ Finally, build the indexed aliases file with one of the following commands: # sendmail -bi # postalias /etc/aliases (pathname is system dependent!) +The form "postalias /etc/aliases" builds a default-type indexed file. Use +"postalias type:/etc/aliases" to specify an explicit type (it should match the +type in the output from "postconf -x alias_maps"). + +The default indexed file type is configured with the default_database_type +parameter. To list available explicit types, execute the command "postconf -m". + 11 - To chroot or not to chroot Postfix daemon processes can be configured (via master.cf) to run in a chroot diff --git a/postfix/Makefile.in b/postfix/Makefile.in index a436f7325..8d7501ada 100644 --- a/postfix/Makefile.in +++ b/postfix/Makefile.in @@ -12,10 +12,11 @@ DIRS = src/util src/global src/dns src/tls src/xsasl src/master src/milter \ src/postsuper src/qmqpd src/spawn src/flush src/verify \ src/virtual src/proxymap src/anvil src/scache src/discard src/tlsmgr \ src/postmulti src/postscreen src/dnsblog src/tlsproxy \ - src/posttls-finger src/postlogd src/testing + src/posttls-finger src/postlogd src/nbdb_reindexd src/testing MANDIRS = proto man html LIBEXEC = libexec/post-install libexec/postfix-script libexec/postfix-wrapper \ - libexec/postmulti-script libexec/postfix-tls-script + libexec/postmulti-script libexec/postfix-non-bdb-script \ + libexec/postfix-tls-script PLUGINS = meta/dynamicmaps.cf META = meta/main.cf.proto meta/master.cf.proto meta/postfix-files \ meta/makedefs.out $(PLUGINS) @@ -86,6 +87,9 @@ meta/postfix-files: conf/postfix-files conf/makedefs.out Makefile libexec/postfix-script: conf/postfix-script rm -f $@ && ln -f $? $@ +libexec/postfix-non-bdb-script: conf/postfix-non-bdb-script + rm -f $@ && ln -f $? $@ + libexec/postfix-tls-script: conf/postfix-tls-script rm -f $@ && ln -f $? $@ diff --git a/postfix/README_FILES/AAAREADME b/postfix/README_FILES/AAAREADME index 12c1b2579..c3c83da7d 100644 --- a/postfix/README_FILES/AAAREADME +++ b/postfix/README_FILES/AAAREADME @@ -50,6 +50,7 @@ SSMMTTPP RReellaayy aanndd aacccceessss ccoonnttrrooll LLooookkuupp ttaabblleess ((ddaattaabbaasseess)) * DATABASE_README: Lookup table overview + * NON_BERKELEYDB_README: Non-Berkeley-DB migration * DB_README: Berkeley DB Howto * CDB_README: CDB Howto * LDAP_README: LDAP Howto diff --git a/postfix/README_FILES/INSTALL b/postfix/README_FILES/INSTALL index cd175c735..3de4474cf 100644 --- a/postfix/README_FILES/INSTALL +++ b/postfix/README_FILES/INSTALL @@ -432,7 +432,7 @@ postconf.5 | less"). |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | |config_directory |/etc/postfix | |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |default_database_type|lmdb or hash | + |default_database_type|lmdb, cdb, or hash | |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | |default_cache_db_type|lmdb or btree | |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | @@ -486,7 +486,7 @@ postconf.5 | less"). |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | |DEF_CONFIG_DIR |config_directory |/etc/postfix | |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |DEF_DB_TYPE |default_database_type|lmdb or hash | + |DEF_DB_TYPE |default_database_type|lmdb, cdb, or hash | |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | |DEF_CACHE_DB_TYPE|default_cache_db_type|lmdb or btree | |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | @@ -508,9 +508,12 @@ postconf.5 | less"). |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | |DEF_SENDMAIL_PATH|sendmail_path |/usr/sbin/sendmail | |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |DEF_SHLIB_DIR |shlib_directory |/usr/lib/postfix | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | Note: the data_directory parameter (for caches and pseudo-random numbers) was -introduced with Postfix version 2.5. +introduced with Postfix version 2.5; shlib_directory (for shared-library +objects and database plugins) with Postfix version 3.0. 44..77 -- OOvveerrrriiddiinngg ootthheerr ccoommppiillee--ttiimmee ffeeaattuurreess @@ -542,8 +545,8 @@ The following is an extensive list of names and values. |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | || |Do not build with Berkeley DB support. By | || |default, Berkeley DB support is compiled in | -|| |on platforms that are known to support this | -||-DNO_DB |feature. If you override this, then you | +|| |on platforms that have historically supported| +||-DNO_DB |this feature. If you override this, then you | || |probably should also override | || |default_database_type or DEF_DB_TYPE as | || |described in section 4.6. | @@ -1080,7 +1083,7 @@ alias_maps" will tell you the exact location of the text file. First, be sure to update the text file with aliases for root, postmaster and "postfix" that forward mail to a real person. Postfix has a sample aliases file -/etc/postfix/aliases that you can adapt to local conditions. +/etc/postfix/aliases that you can copy and adapt to local conditions. /p> /etc/aliases: root: you @@ -1097,6 +1100,13 @@ Finally, build the indexed aliases file with one of the following commands: # sendmail -bi # postalias /etc/aliases (pathname is system dependent!) +The form "postalias /etc/aliases" builds a default-type indexed file. Use +"postalias type:/etc/aliases" to specify an explicit type (it should match the +type in the output from "postconf -x alias_maps"). + +The default indexed file type is configured with the default_database_type +parameter. To list available explicit types, execute the command "ppoossttccoonnff --mm". + 1111 -- TToo cchhrroooott oorr nnoott ttoo cchhrroooott Postfix daemon processes can be configured (via master.cf) to run in a chroot diff --git a/postfix/README_FILES/NON_BERKELEYDB_README b/postfix/README_FILES/NON_BERKELEYDB_README new file mode 100644 index 000000000..cad0cfe93 --- /dev/null +++ b/postfix/README_FILES/NON_BERKELEYDB_README @@ -0,0 +1,476 @@ +PPoossttffiixx NNoonn--BBeerrkkeelleeyy--DDBB mmiiggrraattiioonn + +------------------------------------------------------------------------------- + +TTaabbllee ooff ccoonntteennttss + + * Introduction + * Background + * Skip this if not building Postfix from source, or if your system still + supports Berkeley DB + * Migration support level overview + * Level 'disable': manual migration + * Level 'enable-redirect': database aliasing + * Level 'enable-reindex': redirect and automatically generate non-Berkeley-DB + indexed files + * Addressing errors with automatic indexed file generation + * Appendix: Mailman integration + +IInnttrroodduuccttiioonn + +(Please see the Appendix for Mailman integration tips.) + +After running the same Postfix configuration for a decade or more, there is a +rude awakening when you update the OS to a newer version that has deleted its +support for Berkeley DB. Postfix programs fail to open all hash: and btree: +tables with messages like this: + + Berkeley DB support for 'hash:/etc/postfix/virtual' is not available + for this build; see https://www.postfix.org/NON_BERKELEYDB_README.html + for alternatives + +This document comes to the rescue, with strategies to migrate an existing +Postfix configuration that uses Berkeley DB hash: and btree: database files, to +an OS distribution that has removed Berkeley DB support, with a Postfix +configuration that uses lmdb: (or a combination of cdb: and lmdb:). + +By the way, you don't have to wait until Berkeley DB support is removed; your +can proactively use the steps described here on a system that still has +Berkeley DB, to migrate a Postfix configuration from Berkeley DB to lmdb: (or a +combination of cdb: and lmdb:). + +BBaacckkggrroouunndd + +Historically, Postfix has used Berkeley DB hash: and btree: for key-value +stores, as indicated in the "With Berkeley DB" table column below. In a world +without Berkeley DB, good replacements are cdb: and lmdb: as indicated in the +"No Berkeley DB" column. + + _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ + |PPuurrppoossee |WWiitthh BBeerrkkeelleeyy DDBB |NNoo BBeerrkkeelleeyy DDBB | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |Mostly-static data| |default_database_type=lmdb| + |such as aliases, |default_database_type=hash |or | + |transport_maps, | |default_database_type=cdb | + |access tables | | | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |Dynamic caches | | | + |maintained by | | | + |postscreen(8), |default_cache_db_type=btree|default_cache_db_type=lmdb| + |verify(8), tlsmgr | | | + |(8) | | | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + +The default values for default_database_type and default_cache_db_type may be +specified at build time (see the section below, and they may be changed later +by editing main.cf, for example with the postconf(1) command.) + +The sections that follow present three migration strategies with different +levels of assistance by tooling that was developed for Postfix 3.11 and later. + +SSkkiipp tthhiiss iiff nnoott bbuuiillddiinngg PPoossttffiixx ffrroomm ssoouurrccee,, oorr iiff yyoouurr ssyysstteemm ssttiillll ssuuppppoorrttss +BBeerrkkeelleeyy DDBB.. + +Click here to skip to the next section. + +On systems that have removed Berkeley DB support, run "make makefiles" with a +CCARGS value that (also) contains "-DNO_DB", and specify appropriate values for +default_database_type (lmdb or cdb) and default_cache_db_type (lmdb). + +In the examples below, the "..." are place holders any dependencies that you +build Postfix with, such as CDB, LDAP, LMDB, MySQL/MariaDB, OpenSSL, SASL, and +so on. + +Example 1: use lmdb: for both default_database_type (read-mostly lookup tables) +and default_cache_db_type (read-write caches). Terminal input is bboolldd, output +is normal font. + + $ mmaakkee mmaakkeeffiilleess CCCCAARRGGSS==""--DDNNOO__DDBB ......"" \\ + ddeeffaauulltt__ddaattaabbaassee__ttyyppee==llmmddbb \\ + ddeeffaauulltt__ccaacchhee__ddbb__ttyyppee==llmmddbb ...... \\ + AAUUXXLLIIBBSS...... + +Example 2: alternative form that produces the same result. + + $ eexxppoorrtt CCCCAARRGGSS==""--DDNNOO__DDBB ......"" + $ eexxppoorrtt ddeeffaauulltt__ddaattaabbaassee__ttyyppee==llmmddbb + $ eexxppoorrtt ddeeffaauulltt__ccaacchhee__ddbb__ttyyppee==llmmddbb + $ eexxppoorrtt AAUUXXLLIIBBSS...... + ... + $ mmaakkee mmaakkeeffiilleess + +Another alternative is to use cdb for default_database_type (read-mostly lookup +tables) and lmdb for default_cache_db_type (read-write caches). + +MMiiggrraattiioonn ssuuppppoorrtt lleevveell oovveerrvviieeww + +The goal of the migration is clear: stop using hash: and btree:, and use lmdb: +or cdb: instead. If your configuration is simple or if you are familiar with +Postfix configuration, a few "grep" commands will find all the problems, and a +few edits will be easy to make. + +If, on the other hand, you are not familiar with the details of your Postfix +configuration, then this document provides options where Postfix can help. + +Postfix 3.11 introduces multiple levels of migration support. You can use the +command "postfix non-bdb status" to view the migration support level. This is +what the default should look like (terminal input is bboolldd, output is normal +font): + + # ppoossttffiixx nnoonn--bbddbb ssttaattuuss + disable + +In increasing order, the support levels are: + +disable (manual migration) + You start up Postfix, watch the logging when Postfix programs fail to open + a hash: or btree: table, edit Postfix configuration files to use lmdb: or + cdb:, then run postmap(1) or postalias(1) commands to create lmdb: or cdb: + indexed database files. Use this option if you are familiar with Postfix + configuration. + + This will not fix the integration with Mailman versions from before gitlab + commit 8fa56b72 (May 2025) and other software that are broken when they + want to use "postmap hash:/path/to/file". Mailman uses this to maintain a + table with mailing list contact addresses. For that, you need to use the + next-up level. + +enable-redirect (database aliasing) + This level implicitly redirects a request to access hash:/path/to/file to + $default_database_type:/path/to/file, and redirects a request to access a + btree:/path/to/file to $default_cache_db_type:/path/to/file. + + This still requires manually running postmap(1) or postalias(1) commands, + but "fixes" the integration with Mailman versions from before gitlab commit + 8fa56b72 (May 2025) and other software when they want to use "postmap hash: + /path/to/file", and Berkeley DB support is not available. Such commands + will implicitly create a new lmdb: or cdb: indexed database file, depending + on the default_database_type value. + +enable-reindex (aliasing, plus running postmap(1) or postalias(1)) + This level implements "enable-redirect (database aliasing)", and also runs + the postmap(1) or postalias(1) command to create a new lmdb or cdb indexed + database file. This uses the nbdb_reindexd(8) daemon. + +The levels enable-redirect and enable-reindex leave some technical debt: +configurations that still say hash: or btree: (even if they use lmdb: or cdb: +behind the scene). + + * Using these levels gives you extra time to prepare for a long-term + configuration change that replaces hard-coded instances of hash: with the + value of default_database_type, and that replaces btree: with the value of + default_cache_db_type. + + * Depending on your use of other software that wants to use postmap(1) or + postalias(1) commands, you may have to permanently the leave the enable- + redirect level active. + +After this overview, the sections that follow will go into more detail. + +LLeevveell ''ddiissaabbllee'':: mmaannuuaall mmiiggrraattiioonn + +To disable all non-Berkeley-DB migration features use the "postfix non-bdb" +command: + + # ppoossttffiixx nnoonn--bbddbb ddiissaabbllee + # ppoossttffiixx rreellooaadd + +This will edit main.cf to remove a non_bdb_migration_level setting and the +level revert to its implicit default (disable), and will edit master.cf to +remove an entry for the reindex service. + +This setting will cause problems with Mailman versions from before gitlab +commit 8fa56b72 (May 2025) and other software that wants to use "postmap hash:/ +path/to/file" (or similar postalias commands), and Berkeley DB support is no +longer available. In that case, you will need the "enable-redirect" migration +support level. + +A manual migration process goes like this: + + * Stop Postfix. + + * Make lmdb: the default for both default_database_type (read-mostly lookup + tables) and default_cache_db_type (read-write caches): + + # ppoossttccoonnff ddeeffaauulltt__ddaattaabbaassee__ttyyppee==llmmddbb ddeeffaauulltt__ccaacchhee__ddbb__ttyyppee==llmmddbb + + * Alternatively, make cdb: the default for default_database_type (read-mostly + lookup tables) and lmdb: the default for default_cache_db_type (read-write + caches): + + # ppoossttccoonnff ddeeffaauulltt__ddaattaabbaassee__ttyyppee==ccddbb ddeeffaauulltt__ccaacchhee__ddbb__ttyyppee==llmmddbb + + * Look for hash: and btree: references in Postfix configuration files. + Instead of /etc/postfix use the pathname in the output from "postconf - + x config_directory". + + # ggrreepp --EE --rr ''((hhaasshh||bbttrreeee)):://'' //eettcc//ppoossttffiixx + + * For each instance in the "grep" output : + + o Edit the configuration file and replace "hash" with "lmdb" or "cdb" + (use the same value as the output from "ppoossttccoonnff --hhxx + ddeeffaauulltt__ddaattaabbaassee__ttyyppee") and replace "btree" with "lmdb". + + o If this instance has no source file (only the ".db" file exists), + proceed with the next instance of "grep" output. + + o If this instance appears in the output from "ppoossttccoonnff --hhPPPPxx ''**//**// + aalliiaass__mmaappss'' || ssoorrtt --uu", run the postalias(1) command. If this instance + is like "lmdb:/path/to/source": + + # ppoossttaalliiaass llmmddbb:://ppaatthh//ttoo//ssoouurrccee + + Instead of "lmdb:" use "cdb:" if the instance is like "cdb:/path/to/ + source". + + o Otherwise, run the postmap(1) command. If this instance is like "lmdb:/ + path/to/source": + + # ppoossttmmaapp llmmddbb:://ppaatthh//ttoo//ssoouurrccee + + Instead of "lmdb:" use "cdb:" if this instance is like "cdb:/path/to/ + source". + + * Start Postfix, watch the log for warnings about files that cannot be + opened, find the configuration file that still uses "hash" or "btree", and + repeat the steps above. + + * It is now safe to delete the unused ".db" files. + +LLeevveell ''eennaabbllee--rreeddiirreecctt'':: ddaattaabbaassee aalliiaassiinngg + +To enable this migration support level, use: + + # ppoossttffiixx nnoonn--bbddbb eennaabbllee--rreeddiirreecctt + # ppoossttffiixx rreellooaadd + +This postfix non-bdb" command edits main.cf to enable redirection (aliasing) +from Berkeley DB types "hash" and "btree" to the non-Berkeley-DB types +specified with $default_database_type and $default_cache_db_type. Custom +redirection may be configured with non_bdb_custom_mapping. This command also +edits master.cf to remove an unused nbdb_reindex service entry. + +This migration support level will not automatically create non-Berkeley-DB +indexed database files. Instead, Postfix programs will log an error as they +fail to open an indexed database file, and will leave it to the system +administrator to run postmap(1) or postalias(1) to create that file. + +For each instance of "hash:/path/to/source" or "btree:/path/to/source" that +requires manually running postmap(1) or postalias(1): + + * If this instance appears in the output from "ppoossttccoonnff --hhPPPPxx ''**//**// + aalliiaass__mmaappss'' || ssoorrtt --uu", run the postalias(1) command. If this instance is + like "lmdb:/path/to/source": + + # ppoossttaalliiaass llmmddbb:://ppaatthh//ttoo//ssoouurrccee + + Instead of "lmdb:" use "cdb:" if the instance is like "cdb:/path/to/ + source". + + * Otherwise, run the postmap(1) command. If this instance is like "lmdb:/ + path/to/source": + + # ppoossttmmaapp llmmddbb:://ppaatthh//ttoo//ssoouurrccee + + Instead of "lmdb:" use "cdb:" if this instance is like "cdb:/path/to/ + source". + +This migration support level will fix problems with Mailman versions from +before May 2025 and other software that wants to use "postmap hash:/path/to/ +file". With database redirection, such commands will implicitly create an +indexed file for $default_database_type:/path/to/file (similar aliasing happens +for postalias commands). + +The command "postfix non-bdb enable-redirect" will refuse to make any changes +when default_database_type or default_cache_db_type specify a hash: or btree: +type. + +LLeevveell ''eennaabbllee--rreeiinnddeexx'':: rreeddiirreecctt aanndd aauuttoommaattiiccaallllyy ggeenneerraattee nnoonn--BBeerrkkeelleeyy--DDBB +iinnddeexxeedd ffiilleess + +NOTE: this level should be used only temporarily to generate most of the non- +Berkeley-DB indexed files that Postfix needs. Leaving this enabled may expose +the system to privilege-escalation attacks. There are no security concerns for +using enable-redirect. + +To enable this migration support level, use: + + # ppoossttffiixx nnoonn--bbddbb eennaabbllee--rreeiinnddeexx + # ppoossttffiixx rreellooaadd + +This postfix non-bdb command edits main.cf to set the non-Berkeley-DB migration +support level, and master.cf to add or replace an nbdb-reindex service entry. + +The resulting configuration implements not only the functionality of enable- +redirect, but also automatically creates a non-Berkeley-DB indexed database +file when a daemon program wants to access a file that does not exist. This +uses the nbdb_reindexd(8) daemon to run postmap(1) or postalias(1) commands for +databases that satisfy basic requirements to block privilege-escalation +attacks. The number of requirements is large, but mainly, database files and +their parent directory must not allow write access for group or other users, +and their pathnames must match a list of trusted directory prefixes. The +complete list of requirements is documented in nbdb_reindexd(8). + +This command immediately generates non-Berkeley-DB indexed files for command- +line programs that lack privileges to send requests to the nbdb_reindexd(8) +indexing server. This applies to "hash:" and "btree:" tables that are used by +postqueue(1) and sendmail(1) as configured with authorized_flush_users and +authorized_mailq_users, and used by sendmail(1) and postdrop(1) as configured +with authorized_submit_users and local_login_sender_maps. + +The command "postfix non-bdb enable-reindex" will refuse to make any changes +when default_database_type or default_cache_db_type specify a hash: or btree: +type. + +The nbdb_reindexd(8) daemon will log when it successfully runs a postmap(1) or +postalias(1) command. Examples, for a system with "default_database_type = +lmdb": + + successfully executed 'postmap lmdb:/etc/postfix/transport' as uid 0 + successfully executed 'postalias lmdb:/etc/aliases' as uid 0 + +See the section "Addressing errors with automatic indexed file generation" for +the most likely errors that Postfix programs may log. + +Once there are no more errors from Postfix programs for about 24 hours, turn +off automatic index generation by reducing the support level to enable-redirect +with: + + # postfix non-bdb enable-redirect + # postfix reload + +AAddddrreessssiinngg eerrrroorrss wwiitthh aauuttoommaattiicc iinnddeexxeedd ffiillee ggeenneerraattiioonn + +UUnneexxppeecctteedd ppaatthhnnaammee eerrrroorrss + +Depending on the location of your Postfix lookup tables, Postfix programs may +log a request to add a trusted directory to the directories listed with +non_bdb_migration_allow_root_prefixes or non_bdb_migration_allow_user_prefixes. + +Example, with line breaks added for readability: + + could not execute command 'postmap lmdb:/path/to/file': table + /path/to/file has an unexpected pathname; + + to allow automatic indexing as root, append its parent directory + to the non_bdb_migration_allow_root_prefixes setting (current setting + is: "/etc /usr/local/etc"); + + alternatively, execute the failed command by hand + +You have two options: + + 1. If you think that the suggested change is safe, update the setting as + proposed and execute "postfix reload". + + 2. Alternatively, you can execute the failed postmap(1) or postalias(1) + command by hand, and Postfix will not log the same error again. + +A similar request may be logged when a file needs to be indexed as a non-root +user. + +UUnneexxppeecctteedd ffiillee oorr ddiirreeccttoorryy oowwnneerr oorr ppeerrmmiissssiioonnss + +Other errors may be logged when a database file or directory has an unexpected +owner, or when it is writable by group or by other users. + +Example with line breaks added for readability: + + could not execute command 'postmap lmdb:/path/to/file': legacy + indexed file '/path/to/file.db' is owned by uid '0', but parent + directory '/path/to' is owned or writable by other user; + + to allow automatic indexing, correct the ownership or permissions; + + alternatively, execute the failed command by hand + +Again, you have two options: + + 1. Fix the ownership or permission error. + + 2. Execute the failed postmap(1) or postalias(1) command by hand, and Postfix + will not log the same error again. + +Once there are no more errors from Postfix programs for about 24 hours, turn +off automatic index generation by reducing the support level to enable-redirect +with: + + # postfix non-bdb enable-redirect + # postfix reload + +AAppppeennddiixx:: MMaaiillmmaann iinntteeggrraattiioonn + +This section has instructions to migrate an existing Mailman configuration that +wants to use commands like "postmap hash:/path/to/file". Mailman uses such +commands to maintain tables with mailing list contact addresses and domain +names. This will break on systems that no longer have Berkeley DB support. + +Solutions: + + * (Not recommended) Upgrade to a Mailman version that contains gitlab commit + 8fa56b72 (May 2025). Unfortunately, this has not yet been widely adopted by + OS distributions. + + * Avoid Mailman changes, and use Postfix migration support described below. + In a nutshell, the postmap command will execute the command "postmap hash:/ + path/to/file" as if the command specifies lmdb:/path/to/file (or cdb:, + depending on Postfix configuration). + +With Mailman3 the integration with Postfix using LMTP may look like: + + /var/lib/mailman3/data/postfix_domains (domain names) + /var/lib/mailman3/data/postfix_domains.db (Berkeley DB hash file) + /var/lib/mailman3/data/postfix_lmtp (transport map) + /var/lib/mailman3/data/postfix_lmtp.db (Berkeley DB hash file) + + Caution: the data directory may contain other files with names ending in + ".db" that are not part of the Mailman-Postfix integration. Do not tamper + with the other files. + +The relevant Postfix migration levels are: + +enable-redirect (redirect hash: to lmdb: or cdb:) + Command: # ppoossttffiixx nnoonn--bbddbb eennaabbllee--rreeddiirreecctt + + This will fix the problem that Mailman wants to use commands like "postmap + hash:/path/to/postfix_domains" and "postmap hash:/path/to/postfix_lmtp". + + Instead of complaining about an unsupported database type, these postmap + commands will implicitly create ".lmdb" indexed files like (lmdb:/path/to/ + postfix_domains or lmdb:/path/to/postfix_lmtp, or their cdb: versions + depending on the Postfix default_database_type setting). + + This will not fix the problem that Postfix wants to use databases like + hash:/path/to/postfix_domains and hash::/path/to/postfix_lmtp. With enable- + redirect, these will redirect to ".lmdb" indexed files (good) but those + files do not yet exist (bad). You will need to create them by hand with + commands like: + + # ppoossttmmaapp llmmddbb:://ppaatthh//ttoo//ppoossttffiixx__ddoommaaiinnss + # ppoossttmmaapp llmmddbb:://ppaatthh//ttoo//ppoossttffiixx__llmmttpp + + After this, no further human action will be needed. When Mailman needs to + update these files, it will invoke postmap commands that will work as + promised above. Leave the Postfix migration level at enable-reindex until + you can upgrade to a newer Mailman version that supports Postfix with non- + Berkeley databases. + +enable-reindex (also automatically run postmap commands) + Command: # ppoossttffiixx nnoonn--bbddbb eennaabbllee--rreeddiirreecctt + + In addition to "enable-redirect", Postfix will also try to run commands + like "postmap lmdb:/path/to/postfix_domains" and "postmap lmdb:/path/to/ + postfix_lmtp". There will be some delay depending on the amount of mailing + list traffic; you may want to post a test message to make the postmap + commands happen sooner. + + Postfix will log the postmap commands (or will log a request to make some + configuration changes; see "Addressing errors with automatic indexed file + generation" above). + + Note: once these "postmap" commands have completed, you should reduce the + migration support level with the command "ppoossttffiixx nnoonn--bbddbb eennaabbllee--rreeddiirreecctt". + For security reasons the enable-reindex level should not be permanently + enabled. + diff --git a/postfix/README_FILES/SASL_README b/postfix/README_FILES/SASL_README index 2eb657e60..9d0c3ccab 100644 --- a/postfix/README_FILES/SASL_README +++ b/postfix/README_FILES/SASL_README @@ -841,7 +841,8 @@ addresses and SASL login names, the Postfix SMTP server can decide if the SASL authenticated client is allowed to use a particular envelope sender address: /etc/postfix/main.cf: - ssmmttppdd__sseennddeerr__llooggiinn__mmaappss == hhaasshh:://eettcc//ppoossttffiixx//ccoonnttrroolllleedd__eennvveellooppee__sseennddeerrss + ssmmttppdd__sseennddeerr__llooggiinn__mmaappss == + llmmddbb:://eettcc//ppoossttffiixx//ccoonnttrroolllleedd__eennvveellooppee__sseennddeerrss smtpd_recipient_restrictions = ... @@ -860,6 +861,16 @@ envelope address and the SASL login names that own that address: @example.net barney, fred, john@example.com, mary@example.com +Instead of lmdb:, some systems use cdb:, hash:, or dbm:. + +Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ccoonnttrroolllleedd__eennvveellooppee__sseennddeerrss" after +you change the controlled_envelope_senders file, to (re)build a default-type +indexed file. Execute "ppoossttmmaapp ttyyppee:://eettcc//ppoossttffiixx//ccoonnttrroolllleedd__eennvveellooppee__sseennddeerrss" +to specify an explicit type. + +The default indexed file type is configured with the default_database_type +parameter. To list available explicit types, execute the command "ppoossttccoonnff --mm". + With this, the reject_sender_login_mismatch restriction above will reject the sender address in the MAIL FROM command if smtpd_sender_login_maps does not specify the SMTP client's login name as an owner of that address. @@ -884,7 +895,7 @@ credentials have been compromised. /etc/postfix/main.cf: smtpd_recipient_restrictions = permit_mynetworks - check_sasl_access hash:/etc/postfix/sasl_access + check_sasl_access lmdb:/etc/postfix/sasl_access permit_sasl_authenticated ... @@ -894,6 +905,15 @@ credentials have been compromised. # Use this when smtpd_sasl_local_domain=example.com. username@example.com HOLD +Instead of lmdb:, some systems use cdb:, hash:, or dbm:. + +Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ssaassll__aacccceessss" after you change the +sasl_access file, to (re)build a default-type indexed file. Execute "ppoossttmmaapp +ttyyppee:://eettcc//ppoossttffiixx//ssaassll__aacccceessss" to specify an explicit type. + +The default indexed file type is configured with the default_database_type +parameter. To list available explicit types, execute the command "ppoossttccoonnff --mm". + DDeeffaauulltt aauutthheennttiiccaattiioonn ddoommaaiinn Postfix can append a domain name (or any other string) to a SASL login name @@ -1043,7 +1063,7 @@ username/password information. relayhost = [mail.isp.example] # Alternative form: # relayhost = [mail.isp.example]:submission - smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd + smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd * The smtp_sasl_auth_enable setting enables client-side authentication. We will configure the client's username and password information in the second @@ -1094,8 +1114,15 @@ username/password information. SASL client passwords. It opens the file as user root before it drops privileges, and before entering an optional chroot jail. - * Use the postmap command whenever you change the /etc/postfix/sasl_passwd - file. + Instead of lmdb:, some systems use cdb:, hash:, or dbm:. + + * Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ssaassll__ppaasssswwdd" after changing the + sasl_passwd file, to (re)build a default-type indexed file. Execute + "ppoossttmmaapp ttyyppee:://eettcc//ppoossttffiixx//ssaassll__ppaasssswwdd" to specify an explicit type. + + The default indexed file type is configured with the default_database_type + parameter. To list available explicit types, execute the command "ppoossttccoonnff + --mm". * If you specify the "[" and "]" in the relayhost destination, then you must use the same form in the smtp_sasl_password_maps file. @@ -1120,9 +1147,10 @@ final resort. /etc/postfix/main.cf: smtp_sender_dependent_authentication = yes - sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay + sender_dependent_relayhost_maps = + lmdb:/etc/postfix/sender_relay smtp_sasl_auth_enable = yes - smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd + smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd relayhost = [mail.isp.example] # Alternative form: # relayhost = [mail.isp.example]:submission @@ -1141,19 +1169,23 @@ final resort. user1@example.com [mail.example.com]:submission user2@example.net [mail.example.net] + Instead of lmdb:, some systems use cdb:, hash:, or dbm:. + * If you are creative, then you can try to combine the two tables into one single MySQL database, and configure different Postfix queries to extract the appropriate information. - * Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb - files. To find out what lookup tables Postfix supports, use the command - "ppoossttccoonnff --mm". + * Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ssaassll__ppaasssswwdd" after you change the + sasl_passwd file, to (re)build a default-type indexed file. Execute + "ppoossttmmaapp ttyyppee:://eettcc//ppoossttffiixx//ssaassll__ppaasssswwdd" to specify an explicit type. - * Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ssaassll__ppaasssswwdd" whenever you change - the sasl_passwd table. + The default indexed file type is configured with the default_database_type + parameter. To list available explicit types, execute the command "ppoossttccoonnff + --mm". - * Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//sseennddeerr__rreellaayy" whenever you change - the sender_relay table. + * Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//sseennddeerr__rreellaayy" after you change + the sender_relay file, to (re)build a default-type indexed file. Execute + "ppoossttmmaapp ttyyppee:://eettcc//ppoossttffiixx//sseennddeerr__rreellaayy" to specify an explicit type. PPoossttffiixx SSMMTTPP//LLMMTTPP cclliieenntt ppoolliiccyy -- SSAASSLL mmeecchhaanniissmm pprrooppeerrttiieess diff --git a/postfix/README_FILES/SOHO_README b/postfix/README_FILES/SOHO_README index b88e4a35b..8c5b538c4 100644 --- a/postfix/README_FILES/SOHO_README +++ b/postfix/README_FILES/SOHO_README @@ -77,7 +77,7 @@ this with basic configuration information as discussed in the first half of this document. 1 /etc/postfix/main.cf: - 2 smtp_generic_maps = hash:/etc/postfix/generic + 2 smtp_generic_maps = lmdb:/etc/postfix/generic 3 4 /etc/postfix/generic: 5 his@localdomain.local hisaccount@hisisp.example @@ -94,11 +94,14 @@ When mail is sent to a remote host via SMTP: extension of +local (this example assumes that the ISP supports "+" style address extensions). -Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb files. -To find out what lookup tables Postfix supports, use the command "ppoossttccoonnff --mm". +Instead of lmdb:, some systems use cdb:, hash:, or dbm:. Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ggeenneerriicc" whenever you change the -generic table. +generic file, to (re)build a default-type indexed file. Execute "ppoossttmmaapp ttyyppee::// +eettcc//ppoossttffiixx//ggeenneerriicc" to specify an explicit type. + +The default indexed file type is configured with the default_database_type +parameter. To list available explicit types, execute the command "ppoossttccoonnff --mm". SSoolluuttiioonn 22:: PPoossttffiixx vveerrssiioonn 22..11 aanndd eeaarrlliieerr @@ -116,9 +119,9 @@ this document. 2 myhostname = hostname.localdomain 3 mydomain = localdomain 4 - 5 canonical_maps = hash:/etc/postfix/canonical + 5 canonical_maps = lmdb:/etc/postfix/canonical 6 - 7 virtual_alias_maps = hash:/etc/postfix/virtual + 7 virtual_alias_maps = lmdb:/etc/postfix/virtual 8 9 /etc/postfix/canonical: 10 your-login-name your-account@your-isp.com @@ -140,14 +143,18 @@ Translation: instead of sending it to the ISP. This part is not required but is convenient. -Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb files. -To find out what lookup tables Postfix supports, use the command "ppoossttccoonnff --mm". +Instead of lmdb:, some systems use cdb:, hash:, or dbm:. Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ccaannoonniiccaall" whenever you change the -canonical table. +canonical file, to (re)build a default-type indexed file. Execute "ppoossttmmaapp +ttyyppee:://eettcc//ppoossttffiixx//ccaannoonniiccaall" to specify an explicit type. + +The default indexed file type is configured with the default_database_type +parameter. To list available explicit types, execute the command "ppoossttccoonnff --mm". Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//vviirrttuuaall" whenever you change the -virtual table. +virtual file, to (re)build a default-type indexed file. Execute "ppoossttmmaapp ttyyppee::// +eettcc//ppoossttffiixx//vviirrttuuaall" to specify an explicit type. EEnnaabblliinngg SSAASSLL aauutthheennttiiccaattiioonn iinn tthhee PPoossttffiixx SSMMTTPP//LLMMTTPP cclliieenntt @@ -174,7 +181,7 @@ username/password information. relayhost = [mail.isp.example] # Alternative form: # relayhost = [mail.isp.example]:submission - smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd + smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd * The smtp_sasl_auth_enable setting enables client-side authentication. We will configure the client's username and password information in the second @@ -225,8 +232,15 @@ username/password information. SASL client passwords. It opens the file as user root before it drops privileges, and before entering an optional chroot jail. - * Use the postmap command whenever you change the /etc/postfix/sasl_passwd - file. + Instead of lmdb:, some systems use cdb:, hash:, or dbm:. + + * Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ssaassll__ppaasssswwdd" after changing the + sasl_passwd file, to (re)build a default-type indexed file. Execute + "ppoossttmmaapp ttyyppee:://eettcc//ppoossttffiixx//ssaassll__ppaasssswwdd" to specify an explicit type. + + The default indexed file type is configured with the default_database_type + parameter. To list available explicit types, execute the command "ppoossttccoonnff + --mm". * If you specify the "[" and "]" in the relayhost destination, then you must use the same form in the smtp_sasl_password_maps file. @@ -251,9 +265,10 @@ final resort. /etc/postfix/main.cf: smtp_sender_dependent_authentication = yes - sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay + sender_dependent_relayhost_maps = + lmdb:/etc/postfix/sender_relay smtp_sasl_auth_enable = yes - smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd + smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd relayhost = [mail.isp.example] # Alternative form: # relayhost = [mail.isp.example]:submission @@ -272,17 +287,21 @@ final resort. user1@example.com [mail.example.com]:submission user2@example.net [mail.example.net] + Instead of lmdb:, some systems use cdb:, hash:, or dbm:. + * If you are creative, then you can try to combine the two tables into one single MySQL database, and configure different Postfix queries to extract the appropriate information. - * Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb - files. To find out what lookup tables Postfix supports, use the command - "ppoossttccoonnff --mm". + * Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ssaassll__ppaasssswwdd" after you change the + sasl_passwd file, to (re)build a default-type indexed file. Execute + "ppoossttmmaapp ttyyppee:://eettcc//ppoossttffiixx//ssaassll__ppaasssswwdd" to specify an explicit type. - * Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ssaassll__ppaasssswwdd" whenever you change - the sasl_passwd table. + The default indexed file type is configured with the default_database_type + parameter. To list available explicit types, execute the command "ppoossttccoonnff + --mm". - * Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//sseennddeerr__rreellaayy" whenever you change - the sender_relay table. + * Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//sseennddeerr__rreellaayy" after you change + the sender_relay file, to (re)build a default-type indexed file. Execute + "ppoossttmmaapp ttyyppee:://eettcc//ppoossttffiixx//sseennddeerr__rreellaayy" to specify an explicit type. diff --git a/postfix/README_FILES/STANDARD_CONFIGURATION_README b/postfix/README_FILES/STANDARD_CONFIGURATION_README index 592c4a563..8f751c2c0 100644 --- a/postfix/README_FILES/STANDARD_CONFIGURATION_README +++ b/postfix/README_FILES/STANDARD_CONFIGURATION_README @@ -226,7 +226,7 @@ address] as well. All the mail to these two accounts is forwarded to an inside address. 1 /etc/postfix/main.cf: - 2 virtual_alias_maps = hash:/etc/postfix/virtual + 2 virtual_alias_maps = lmdb:/etc/postfix/virtual 3 4 /etc/postfix/virtual: 5 postmaster postmaster@example.com @@ -261,8 +261,8 @@ purpose of the firewall email function. 9b permit_mynetworks reject_unauth_destination 10b ...spam blocking rules.... - 11 relay_recipient_maps = hash:/etc/postfix/relay_recipients - 12 transport_maps = hash:/etc/postfix/transport + 11 relay_recipient_maps = lmdb:/etc/postfix/relay_recipients + 12 transport_maps = lmdb:/etc/postfix/transport 13 14 /etc/postfix/relay_recipients: 15 user1@example.com x @@ -293,14 +293,22 @@ Translation: "relay" delivery transport, instead of competing with other SMTP deliveries for SMTP clients from the default "smtp" delivery transport. -Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb files. -To find out what lookup tables Postfix supports, use the command "ppoossttccoonnff --mm". +Instead of lmdb:, some systems use cdb:, hash:, or dbm:. + +Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//vviirrttuuaall" whenever you change the +virtual file, to (re)build a default-type indexed file. Execute "ppoossttmmaapp ttyyppee::// +eettcc//ppoossttffiixx//vviirrttuuaall" to specify an explicit type. + +The default indexed file type is configured with the default_database_type +parameter. To list available explicit types, execute the command "ppoossttccoonnff --mm". Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//rreellaayy__rreecciippiieennttss" whenever you change -the relay_recipients table. +the relay_recipients file, to (re)build a default-type indexed file. Execute +"ppoossttmmaapp ttyyppee:://eettcc//ppoossttffiixx//rreellaayy__rreecciippiieennttss" to specify an explicit type. Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ttrraannssppoorrtt" whenever you change the -transport table. +transport file, to (re)build a default-type indexed file. Execute "ppoossttmmaapp +ttyyppee:://eettcc//ppoossttffiixx//ttrraannssppoorrtt" to specify an explicit type. In some installations, there may be separate instances of Postfix processing inbound and outbound mail on a multi-homed firewall. The inbound Postfix @@ -325,7 +333,7 @@ is also sent to the central mailhost. In order to deliver such accounts locally, you can set up virtual aliases as follows: 1 /etc/postfix/main.cf: - 2 virtual_alias_maps = hash:/etc/postfix/virtual + 2 virtual_alias_maps = lmdb:/etc/postfix/virtual 3 4 /etc/postfix/virtual: 5 root root@localhost @@ -338,7 +346,14 @@ Translation: listed in $mydestination, or when it matches $inet_interfaces or $proxy_interfaces. -Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//vviirrttuuaall" after editing the file. +Instead of lmdb:, some systems use cdb:, hash:, or dbm:. + +Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//vviirrttuuaall" after editing the virtual +file, to (re)build a default-type indexed file. Execute "ppoossttmmaapp ttyyppee:://eettcc// +ppoossttffiixx//vviirrttuuaall" to specify an explicit type. + +The default indexed file type is configured with the default_database_type +parameter. To list available explicit types, execute the command "ppoossttccoonnff --mm". RRuunnnniinngg PPoossttffiixx bbeehhiinndd aa ffiirreewwaallll @@ -356,7 +371,7 @@ this with basic configuration information as discussed in the first half of this document. 1 /etc/postfix/main.cf: - 2 transport_maps = hash:/etc/postfix/transport + 2 transport_maps = lmdb:/etc/postfix/transport 3 relayhost = 4 # Optional for a machine that isn't "always on" 5 #fallback_relay = [gateway.example.com] @@ -381,11 +396,14 @@ Translation: is turned off. Postfix tries to deliver mail directly, and gives undeliverable mail to a gateway. -Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb files. -To find out what lookup tables Postfix supports, use the command "ppoossttccoonnff --mm". +Instead of lmdb:, some systems use cdb:, hash:, or dbm:. Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ttrraannssppoorrtt" whenever you edit the -transport table. +transport file, to (re)build a default-type indexed file. Execute "ppoossttmmaapp +ttyyppee:://eettcc//ppoossttffiixx//ttrraannssppoorrtt" to specify an explicit type. + +The default indexed file type is configured with the default_database_type +parameter. To list available explicit types, execute the command "ppoossttccoonnff --mm". CCoonnffiigguurriinngg PPoossttffiixx aass pprriimmaarryy oorr bbaacckkuupp MMXX hhoosstt ffoorr aa rreemmoottee ssiittee @@ -416,7 +434,7 @@ When your system is SECONDARY MX host for a remote site this is all you need: 11 # You must specify your NAT/proxy external address. 12 #proxy_interfaces = 1.2.3.4 13 - 14 relay_recipient_maps = hash:/etc/postfix/relay_recipients + 14 relay_recipient_maps = lmdb:/etc/postfix/relay_recipients 15 16 /etc/postfix/relay_recipients: 17 user1@the.backed-up.domain.tld x @@ -426,7 +444,7 @@ When your system is SECONDARY MX host for a remote site this is all you need: When your system is PRIMARY MX host for a remote site you need the above, plus: 20 /etc/postfix/main.cf: - 21 transport_maps = hash:/etc/postfix/transport + 21 transport_maps = lmdb:/etc/postfix/transport 22 23 /etc/postfix/transport: 24 the.backed-up.domain.tld relay:[their.mail.host.tld] @@ -454,11 +472,18 @@ Important notes: * Line 24: The [] forces Postfix to do no MX lookup. -Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb files. -To find out what lookup tables Postfix supports, use the command "ppoossttccoonnff --mm". +Instead of lmdb:, some systems use cdb:, hash:, or dbm:. + +Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//rreellaayy__rreecciippiieennttss" whenever you change +the relay_recipients file, to (re)build a default-type indexed file. Execute +"ppoossttmmaapp ttyyppee:://eettcc//ppoossttffiixx//rreellaayy__rreecciippiieennttss" to specify an explicit type. + +The default indexed file type is configured with the default_database_type +parameter. To list available explicit types, execute the command "ppoossttccoonnff --mm". Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ttrraannssppoorrtt" whenever you change the -transport table. +transport file, to (re)build a default-type indexed file. Execute "ppoossttmmaapp +ttyyppee:://eettcc//ppoossttffiixx//ttrraannssppoorrtt" to specify an explicit type. NOTE for Postfix < 2.2: Do not use the fallback_relay feature when relaying mail for a backup or primary MX domain. Mail would loop between the Postfix MX @@ -563,7 +588,7 @@ this with basic configuration information as discussed in the first half of this document. 1 /etc/postfix/main.cf: - 2 smtp_generic_maps = hash:/etc/postfix/generic + 2 smtp_generic_maps = lmdb:/etc/postfix/generic 3 4 /etc/postfix/generic: 5 his@localdomain.local hisaccount@hisisp.example @@ -580,11 +605,14 @@ When mail is sent to a remote host via SMTP: extension of +local (this example assumes that the ISP supports "+" style address extensions). -Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb files. -To find out what lookup tables Postfix supports, use the command "ppoossttccoonnff --mm". +Instead of lmdb:, some systems use cdb:, hash:, or dbm:. Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ggeenneerriicc" whenever you change the -generic table. +generic file, to (re)build a default-type indexed file. Execute "ppoossttmmaapp ttyyppee::// +eettcc//ppoossttffiixx//ggeenneerriicc" to specify an explicit type. + +The default indexed file type is configured with the default_database_type +parameter. To list available explicit types, execute the command "ppoossttccoonnff --mm". SSoolluuttiioonn 22:: PPoossttffiixx vveerrssiioonn 22..11 aanndd eeaarrlliieerr @@ -602,9 +630,9 @@ this document. 2 myhostname = hostname.localdomain 3 mydomain = localdomain 4 - 5 canonical_maps = hash:/etc/postfix/canonical + 5 canonical_maps = lmdb:/etc/postfix/canonical 6 - 7 virtual_alias_maps = hash:/etc/postfix/virtual + 7 virtual_alias_maps = lmdb:/etc/postfix/virtual 8 9 /etc/postfix/canonical: 10 your-login-name your-account@your-isp.com @@ -626,12 +654,16 @@ Translation: instead of sending it to the ISP. This part is not required but is convenient. -Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb files. -To find out what lookup tables Postfix supports, use the command "ppoossttccoonnff --mm". +Instead of lmdb:, some systems use cdb:, hash:, or dbm:. Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ccaannoonniiccaall" whenever you change the -canonical table. +canonical file, to (re)build a default-type indexed file. Execute "ppoossttmmaapp +ttyyppee:://eettcc//ppoossttffiixx//ccaannoonniiccaall" to specify an explicit type. + +The default indexed file type is configured with the default_database_type +parameter. To list available explicit types, execute the command "ppoossttccoonnff --mm". Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//vviirrttuuaall" whenever you change the -virtual table. +virtual file, to (re)build a default-type indexed file. Execute "ppoossttmmaapp ttyyppee::// +eettcc//ppoossttffiixx//vviirrttuuaall" to specify an explicit type. diff --git a/postfix/README_FILES/UUCP_README b/postfix/README_FILES/UUCP_README index 219ba6a93..c9c9e433e 100644 --- a/postfix/README_FILES/UUCP_README +++ b/postfix/README_FILES/UUCP_README @@ -49,6 +49,11 @@ for the other side of the story. executes the uuuuxx command without assistance from the shell, so there are no problems with shell meta characters in command-line parameters. + * Enable ttrraannssppoorrtt table lookups: + + /etc/postfix/main.cf: + transport_maps = lmdb:/etc/postfix/transport + * Specify that mail for example.com, should be delivered via UUCP, to a host named uucp-host: @@ -56,19 +61,17 @@ for the other side of the story. example.com uucp:uucp-host .example.com uucp:uucp-host + Instead of lmdb:, some systems use cdb:, hash:, or dbm:. + See the transport(5) manual page for more details. * Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ttrraannssppoorrtt" whenever you change - the ttrraannssppoorrtt file. - - * Enable ttrraannssppoorrtt table lookups: - - /etc/postfix/main.cf: - transport_maps = hash:/etc/postfix/transport + the ttrraannssppoorrtt file, to (re)build a default-type indexed file. Execute + "ppoossttmmaapp ttyyppee:://eettcc//ppoossttffiixx//ttrraannssppoorrtt" to specify an explicit type. - Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb - files. To find out what map types Postfix supports, use the command - "ppoossttccoonnff --mm". + The default indexed file type is configured with the default_database_type + parameter. To list available explicit types, execute the command "ppoossttccoonnff + --mm". * Add example.com to the list of domains that your site is willing to relay mail for. diff --git a/postfix/README_FILES/VIRTUAL_README b/postfix/README_FILES/VIRTUAL_README index e693a0ceb..de453bca6 100644 --- a/postfix/README_FILES/VIRTUAL_README +++ b/postfix/README_FILES/VIRTUAL_README @@ -22,8 +22,7 @@ The following topics are covered: * Postfix virtual MAILBOX example: separate domains, non-UNIX accounts * Non-Postfix mailbox store: separate domains, non-UNIX accounts * Mail forwarding domains - * Mailing lists - * Autoreplies + * Hosted mailing list domains CCaannoonniiccaall vveerrssuuss hhoosstteedd vveerrssuuss ootthheerr ddoommaaiinnss @@ -56,16 +55,25 @@ ADDRESS_CLASS_README file. LLooccaall ffiilleess vveerrssuuss nneettwwoorrkk ddaattaabbaasseess -The examples in this text use table lookups from local files such as DBM or -Berkeley DB. These are easy to debug with the ppoossttmmaapp command: +The examples in this text use table lookups from local files such as lmdb:, +cdb:, hash:, or dbm:. These are easy to debug with the ppoossttmmaapp command: - Example: postmap -q info@example.com hash:/etc/postfix/virtual + Example: postmap -q info@example.com /etc/postfix/virtual -See the documentation in LDAP_README, MYSQL_README and PGSQL_README for how to -replace local files by databases. The reader is strongly advised to make the -system work with local files before migrating to network databases, and to use -the ppoossttmmaapp command to verify that network database lookups produce the exact -same results as local file lookup. +The above example assumes that the database is configured in main.cf as +$default_database_type:/etc/postfix/virtual. Otherwise, use the command +instead: + + Example: postmap -q info@example.com type:/etc/postfix/virtual + +and specify the explicit type that this table uses in main.cf. + +You can replace local file lookups with networked (LDAP, SQL etc.) lookups. See +the documentation in LDAP_README, MYSQL_README, PGSQL_README, etc., for +examples. The reader is strongly advised to make Postfix work with local files +before migrating to network databases, and to use the ppoossttmmaapp command to verify +that network database lookups produce the exact same results as local file +lookup. Example: postmap -q info@example.com ldap:/etc/postfix/virtual.cf @@ -105,7 +113,7 @@ mechanism for the example.com domain. 1 /etc/postfix/main.cf: 2 virtual_alias_domains = example.com ...other hosted domains... - 3 virtual_alias_maps = hash:/etc/postfix/virtual + 3 virtual_alias_maps = lmdb:/etc/postfix/virtual 4 5 /etc/postfix/virtual: 6 postmaster@example.com postmaster @@ -139,8 +147,16 @@ Notes: receive many spam messages, and many bounces for spam messages that were sent in the name of anything@example.com. +Instead of lmdb:, some systems use cdb:, hash:, or dbm:. + Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//vviirrttuuaall" after changing the virtual -file, and execute the command "ppoossttffiixx rreellooaadd" after changing the main.cf file. +file, to (re)build a default-type indexed file. Execute "ppoossttmmaapp ttyyppee:://eettcc// +ppoossttffiixx//vviirrttuuaall" to specify an explicit type. + +The default indexed file type is configured with the default_database_type +parameter. To list available explicit types, execute the command "ppoossttccoonnff --mm". + +Execute the command "ppoossttffiixx rreellooaadd" after changing the main.cf file. Note: virtual aliases can resolve to a local address or to a remote address, or both. They don't have to resolve to UNIX system accounts on your machine. @@ -179,11 +195,11 @@ Here is an example of a virtual mailbox domain "example.com": 1 /etc/postfix/main.cf: 2 virtual_mailbox_domains = example.com ...more domains... 3 virtual_mailbox_base = /var/mail/vhosts - 4 virtual_mailbox_maps = hash:/etc/postfix/vmailbox + 4 virtual_mailbox_maps = lmdb:/etc/postfix/vmailbox 5 virtual_minimum_uid = 100 6 virtual_uid_maps = static:5000 7 virtual_gid_maps = static:5000 - 8 virtual_alias_maps = hash:/etc/postfix/virtual + 8 virtual_alias_maps = lmdb:/etc/postfix/virtual 9 10 /etc/postfix/vmailbox: 11 info@example.com example.com/info @@ -242,9 +258,20 @@ Notes: explicit domain name on the right-hand side of the virtual alias table entries or else mail will go to the wrong domain. +Instead of lmdb:, some systems use cdb:, hash:, or dbm:. + Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//vviirrttuuaall" after changing the virtual -file, execute "ppoossttmmaapp //eettcc//ppoossttffiixx//vvmmaaiillbbooxx" after changing the vmailbox file, -and execute the command "ppoossttffiixx rreellooaadd" after changing the main.cf file. +file, to (re)build a default-type indexed file. Execute "ppoossttmmaapp ttyyppee:://eettcc// +ppoossttffiixx//vviirrttuuaall" to specify an explicit type. + +The default indexed file type is configured with the default_database_type +parameter. To list available explicit types, execute the command "ppoossttccoonnff --mm". + +Execute "ppoossttmmaapp //eettcc//ppoossttffiixx//vvmmaaiillbbooxx" after changing the vmailbox file, to +(re)build a default-type indexed file. Execute "ppoossttmmaapp ttyyppee:://eettcc//ppoossttffiixx// +vvmmaaiillbbooxx" to specify an explicit type. + +Execute the command "ppoossttffiixx rreellooaadd" after changing the main.cf file. Note: mail delivery happens with the recipient's UID/GID privileges specified with virtual_uid_maps and virtual_gid_maps. Postfix 2.0 and earlier will not @@ -279,8 +306,8 @@ Postfix delivery agent: 1 /etc/postfix/main.cf: 2 virtual_transport = ...see below... 3 virtual_mailbox_domains = example.com ...more domains... - 4 virtual_mailbox_maps = hash:/etc/postfix/vmailbox - 5 virtual_alias_maps = hash:/etc/postfix/virtual + 4 virtual_mailbox_maps = lmdb:/etc/postfix/vmailbox + 5 virtual_alias_maps = lmdb:/etc/postfix/virtual 6 7 /etc/postfix/vmailbox: 8 info@example.com whatever @@ -348,9 +375,20 @@ Notes: explicit domain name on the right-hand side of the virtual alias table entries or else mail will go to the wrong domain. +Instead of lmdb:, some systems use cdb:, hash:, or dbm:. + Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//vviirrttuuaall" after changing the virtual -file, execute "ppoossttmmaapp //eettcc//ppoossttffiixx//vvmmaaiillbbooxx" after changing the vmailbox file, -and execute the command "ppoossttffiixx rreellooaadd" after changing the main.cf file. +file, to (re)build a default-type indexed file. Execute "ppoossttmmaapp ttyyppee:://eettcc// +ppoossttffiixx//vviirrttuuaall" to specify an explicit type. + +The default indexed file type is configured with the default_database_type +parameter. To list available explicit types, execute the command "ppoossttccoonnff --mm". + +Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//vvmmaaiillbbooxx" after changing the vmailbox +file, to (re)build a default-type indexed file. Execute "ppoossttmmaapp ttyyppee:://eettcc// +ppoossttffiixx//vvmmaaiillbbooxx" to specify an explicit type. + +Execute the command "ppoossttffiixx rreellooaadd" after changing the main.cf file. MMaaiill ffoorrwwaarrddiinngg ddoommaaiinnss @@ -360,7 +398,7 @@ example shows how to set up example.com as a mail forwarding domain: 1 /etc/postfix/main.cf: 2 virtual_alias_domains = example.com ...other hosted domains... - 3 virtual_alias_maps = hash:/etc/postfix/virtual + 3 virtual_alias_maps = lmdb:/etc/postfix/virtual 4 5 /etc/postfix/virtual: 6 postmaster@example.com postmaster @@ -394,13 +432,26 @@ Notes: receive many spam messages, and many bounces for spam messages that were sent in the name of anything@example.com. +Instead of lmdb:, some systems use cdb:, hash:, or dbm:. + Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//vviirrttuuaall" after changing the virtual -file, and execute the command "ppoossttffiixx rreellooaadd" after changing the main.cf file. +file, to (re)build a default-type indexed file. Execute "ppoossttmmaapp ttyyppee:://eettcc// +ppoossttffiixx//vviirrttuuaall" to specify an explicit type. + +The default indexed file type is configured with the default_database_type +parameter. To list available explicit types, execute the command "ppoossttccoonnff --mm". + +Execute the command "ppoossttffiixx rreellooaadd" after changing the main.cf file. More details about the virtual alias file are given in the virtual(5) manual page, including multiple addresses on the right-hand side. -MMaaiilliinngg lliissttss +HHoosstteedd mmaaiilliinngg lliisstt ddoommaaiinnss + +Note: this section presents a historical approach to run a mailing list based +on local aliases(5). This approach may still be useful for small mailing lists +that are managed by hand or with the software like Majordomo. For a more +contemporary and more scalable approach, see GNU Mailman. The examples that were given above already show how to direct mail for virtual postmaster addresses to a local postmaster. You can use the same method to @@ -412,18 +463,29 @@ set up virtual aliases that direct virtual addresses to the local delivery agent: /etc/postfix/main.cf: - virtual_alias_maps = hash:/etc/postfix/virtual + virtual_alias_maps = lmdb:/etc/postfix/virtual + virtual_mailbox_domains = example.com /etc/postfix/virtual: listname-request@example.com listname-request listname@example.com listname owner-listname@example.com owner-listname + postmaster@example.com postmaster /etc/aliases: listname: "|/some/where/majordomo/wrapper ..." owner-listname: ... listname-request: ... +Instead of lmdb:, some systems use cdb:, hash:, or dbm:. + +Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//vviirrttuuaall" after changing the virtual +file, to (re)build a default-type indexed file. Execute "ppoossttmmaapp ttyyppee:://eettcc// +ppoossttffiixx//vviirrttuuaall" to specify an explicit type. + +The default indexed file type is configured with the default_database_type +parameter. To list available explicit types, execute the command "ppoossttccoonnff --mm". + This example assumes that in main.cf, $myorigin is listed under the mydestination parameter setting. If that is not the case, specify an explicit domain name on the right-hand side of the virtual alias table entries or else @@ -437,47 +499,8 @@ transport mapping? The reason is that mail for the virtual mailing list would be rejected with "User unknown". In order to make the transport mapping work one would still need a bunch of virtual alias or virtual mailbox table entries. - * In case of a virtual alias domain, there would need to be one identity - mapping from each mailing list address to itself. - * In case of a virtual mailbox domain, there would need to be a dummy mailbox - for each mailing list address. - -AAuuttoorreepplliieess - -In order to set up an autoreply for virtual recipients while still delivering -mail as normal, set up a rule in a virtual alias table: - - /etc/postfix/main.cf: - virtual_alias_maps = hash:/etc/postfix/virtual - - /etc/postfix/virtual: - user@domain.tld user@domain.tld, user@domain.tld@autoreply.mydomain.tld - -This delivers mail to the recipient, and sends a copy of the mail to the -address that produces automatic replies. The address can be serviced on a -different machine, or it can be serviced locally by setting up a transport map -entry that pipes all mail for autoreply.mydomain.tld into some script that -sends an automatic reply back to the sender. - -DO NOT list autoreply.mydomain.tld in mydestination! - - /etc/postfix/main.cf: - transport_maps = hash:/etc/postfix/transport - - /etc/postfix/transport: - autoreply.mydomain.tld autoreply: - - /etc/postfix/master.cf: - # ============================================================= - # service type private unpriv chroot wakeup maxproc command - # (yes) (yes) (yes) (never) (100) - # ============================================================= - autoreply unix - n n - - pipe - flags= user=nobody argv=/path/to/autoreply $sender $mailbox - -This invokes /path/to/autoreply with the sender address and the user@domain.tld -recipient address on the command line. - -For more information, see the pipe(8) manual page, and the comments in the -Postfix master.cf file. + * In the case of a virtual alias DOMAIN, there would need to be an identity + mapping from each mailing list address to an address in a different domain. + * In the case of a virtual mailbox DOMAIN, there would need to be a dummy + virtual_mailbox_maps for each mailing list address. diff --git a/postfix/RELEASE_NOTES-3.11 b/postfix/RELEASE_NOTES-3.11 index 4bbf74e93..65baf51e3 100644 --- a/postfix/RELEASE_NOTES-3.11 +++ b/postfix/RELEASE_NOTES-3.11 @@ -29,47 +29,27 @@ IPL can continue with that license. Major changes - database ------------------------ -[Infrastructure 20251226] Tooling to help with the migration away -from Berkeley DB. - -The new parameter default_cache_db_type controls the default database -type for address_verify_map and postscreen_cache_map, and can -eliminate a few hard-coded database types in main.cf. This parameter -defaults to 'lmdb' if the default_database_type value equals 'lmdb', -otherwise it assumes the historical value 'btree'. - -Sites that build without Berkeley DB are suggested to use one of the -following commands in their build process: - -1 - Make lmdb the default for both default_database_type - and default_cache_db_type. - - make makefiles CCARGS="-DNO_DB ..." default_database_type=lmdb \ - default_cache_db_type=lmdb +[Incompat 20260220] The alias_maps and alias_database parameter +default values have changed from hash:/path/to/aliases (or +dbm:/path/to/aliases) to $default_database_type:/path/to/aliases. +This simplifies the migration away from Berkeley DB. -2 - Make cdb the default for default_database_type, and make - lmdb the default for default_cache_db_type. +[Infrastructure 20260219] Support to migrate a Postfix configuration +that uses Berkeley DB hash: or btree: tables, to a configuration +that uses lmdb: or a combination of cdb: and lmdb:. This is needed +for (Linux) OS distributions that have removed Berkeley DB support. +See NON_BERKELEYDB_README for manual and atomatic migratom support. - make makefiles CCARGS="-DNO_DB ..." default_database_type=cdb \ - default_cache_db_type=lmdb +Postfix already supports CDB and LMDB for more than 10 years. It +may be a good idea to do the migration before you need to upgrade +to an OS distribution that no longer supports Berkeley DB. -Postfix hash and btree files can easily be migrated when the source -file (without the '.db name suffix) is available. Just run - - postmap lmdb:/path/to/file - -That does not work for address_verify_map, postscreen_cache_map, -and the optional smtp_sasl_auth_cache_name. These have no source -file because they are managed by Postfix daemon processes. - -You can either ignore these files (they will be populated again -over time), or you can copy the existing entries from the existing -'.db' file to a new '.lmdb' . file. But that is possible only if -Berkeley DB support is still available. Execute as root: +[Infrastructure 20251226] Tooling to help with the migration away +from Berkeley DB. - rm -f /path/to/file.lmdb - postmap -s btree:/path/to/file | postmap -i lmdb:/path/to/file - chown postfix /path/to/file.lmdb +The new parameter default_cache_db_type controls the default database +type for address_verify_map, postscreen_cache_map, and +smtp_sasl_auth_cache_name, previously hard-coded as 'btree'. [Feature 20250321] Safety: the SQLite client now logs a warning when a query uses double quotes instead of the Postfix-recommended diff --git a/postfix/TESTING b/postfix/TESTING new file mode 100644 index 000000000..1e821ffcd --- /dev/null +++ b/postfix/TESTING @@ -0,0 +1,17 @@ +Testing is a work in progress. + +- As of Postfix 3.11 most new code is covered by tests. + +- Many Postfix tests require building with shared=yes and dynamicmaps=no. +The shared=yes is needed so that test code can overrride internal +dependencies with mocks; the dynamicmaps=no is needed until there +is an easy way way to tell dynamicmaps support to not use the system +dynamicmaps.cf file. + +- Historically, many tests in src/util, src/dns, and src/smtpd +are non-hermetic: they have dependencies on DNS or on local system +configuration. + +- The PTEST test framework needs to be integrated; this fixed many many +non-hermetic tests in src/util and src/dns. That development stalled +after postfix-3.8-20220816-nonprod. diff --git a/postfix/conf/access b/postfix/conf/access index 00ab742c3..39b1c0fb5 100644 --- a/postfix/conf/access +++ b/postfix/conf/access @@ -19,15 +19,23 @@ # messages. # # Normally, the access(5) table is specified as a text file -# that serves as input to the postmap(1) command. The -# result, an indexed file in dbm or db format, is used for -# fast searching by the mail system. Execute the command -# "postmap /etc/postfix/access" to rebuild an indexed file -# after changing the corresponding text file. -# -# When the table is provided via other means such as NIS, -# LDAP or SQL, the same lookups are done as for ordinary -# indexed files. +# that serves as input to the postmap(1) command to create +# an indexed file for fast lookup. +# +# Execute the command "postmap /etc/postfix/access" to +# rebuild a default-type indexed file after changing the +# text file, or execute "postmap type:/etc/postfix/access" +# to specify an explicit type. +# +# The default indexed file type is configured with the +# default_database_type parameter. Depending on the platform +# this may be one of lmdb:, cdb:, hash:, or dbm: (without +# the trailing ':'). +# +# When the table is provided via other means such as NIS, +# LDAP or SQL, the same lookups are done as for ordinary +# indexed files. Managing such databases is outside the +# scope of Postfix. # # Alternatively, the table can be provided as a regu- # lar-expression map where patterns are given as regular diff --git a/postfix/conf/aliases b/postfix/conf/aliases index f4b853c03..85dac1bbd 100644 --- a/postfix/conf/aliases +++ b/postfix/conf/aliases @@ -60,20 +60,30 @@ decode: root # (including domain). # # Normally, the aliases(5) table is specified as a text file -# that serves as input to the postalias(1) command. The -# result, an indexed file in dbm or db format, is used for -# fast lookup by the mail system. Execute the command -# newaliases in order to rebuild the indexed file after -# changing the Postfix alias database. +# that serves as input to the postalias(1) command to create +# an indexed file for fast lookup. The location of this file +# is system-dependent. This text will use /path/to/aliases. +# +# Execute the command "newaliases to rebuild the indexed +# file after changing the text file. Execute "postalias -q +# name /path/to/aliases" to query a default-type indexed +# file, or execute "postalias -q name type:/path/to/aliases" +# to specify an explicit type. +# +# The default indexed file type is configured with the +# default_database_type parameter. Depending on the platform +# this may be one of lmdb:, cdb:, hash:, or dbm: (without +# the trailing ':'). # # When the table is provided via other means such as NIS, # LDAP or SQL, the same lookups are done as for ordinary -# indexed files. +# indexed files. Managing such databases is outside the +# scope of Postfix. # -# Alternatively, the table can be provided as a regu- -# lar-expression map where patterns are given as regular -# expressions. In this case, the lookups are done in a -# slightly different way as described below under "REGULAR +# Alternatively, the table can be provided as a regu- +# lar-expression map where patterns are given as regular +# expressions. In this case, the lookups are done in a +# slightly different way as described below under "REGULAR # EXPRESSION TABLES". # # Users can control delivery of their own mail by setting up @@ -87,63 +97,63 @@ decode: root # # name: value1, value2, ... # -# o Empty lines and whitespace-only lines are ignored, -# as are lines whose first non-whitespace character +# o Empty lines and whitespace-only lines are ignored, +# as are lines whose first non-whitespace character # is a `#'. # -# o A logical line starts with non-whitespace text. A -# line that starts with whitespace continues a logi- +# o A logical line starts with non-whitespace text. A +# line that starts with whitespace continues a logi- # cal line. # -# The name is a local address (no domain part). Use double -# quotes when the name contains any special characters such -# as whitespace, `#', `:', or `@'. The name is folded to +# The name is a local address (no domain part). Use double +# quotes when the name contains any special characters such +# as whitespace, `#', `:', or `@'. The name is folded to # lowercase, in order to make database lookups case insensi- # tive. # -# In addition, when an alias exists for owner-name, this -# will override the envelope sender address, so that deliv- +# In addition, when an alias exists for owner-name, this +# will override the envelope sender address, so that deliv- # ery diagnostics are directed to owner-name, instead of the -# originator of the message (for details, see -# owner_request_special, expand_owner_alias and -# reset_owner_alias). This is typically used to direct -# delivery errors to the maintainer of a mailing list, who +# originator of the message (for details, see +# owner_request_special, expand_owner_alias and +# reset_owner_alias). This is typically used to direct +# delivery errors to the maintainer of a mailing list, who # is in a better position to deal with mailing list delivery # problems than the originator of the undelivered mail. # # The value contains one or more of the following: # # address -# Mail is forwarded to address, which is compatible +# Mail is forwarded to address, which is compatible # with the RFC 822 standard. # # /file/name -# Mail is appended to /file/name. For details on how -# a file is written see the sections "EXTERNAL FILE -# DELIVERY" and "DELIVERY RIGHTS" in the local(8) -# documentation. Delivery is not limited to regular -# files. For example, to dispose of unwanted mail, +# Mail is appended to /file/name. For details on how +# a file is written see the sections "EXTERNAL FILE +# DELIVERY" and "DELIVERY RIGHTS" in the local(8) +# documentation. Delivery is not limited to regular +# files. For example, to dispose of unwanted mail, # deflect it to /dev/null. # # |command -# Mail is piped into command. Commands that contain -# special characters, such as whitespace, should be -# enclosed between double quotes. For details on how -# a command is executed see "EXTERNAL COMMAND DELIV- +# Mail is piped into command. Commands that contain +# special characters, such as whitespace, should be +# enclosed between double quotes. For details on how +# a command is executed see "EXTERNAL COMMAND DELIV- # ERY" and "DELIVERY RIGHTS" in the local(8) documen- # tation. # # When the command fails, a limited amount of command -# output is mailed back to the sender. The file -# /usr/include/sysexits.h defines the expected exit -# status codes. For example, use "|exit 67" to simu- -# late a "user unknown" error, and "|exit 0" to +# output is mailed back to the sender. The file +# /usr/include/sysexits.h defines the expected exit +# status codes. For example, use "|exit 67" to simu- +# late a "user unknown" error, and "|exit 0" to # implement an expensive black hole. # # :include:/file/name -# Mail is sent to the destinations listed in the +# Mail is sent to the destinations listed in the # named file. Lines in :include: files have the same -# syntax as the right-hand side of aliases(5) +# syntax as the right-hand side of aliases(5) # entries. # # A destination can be any destination that is @@ -154,12 +164,12 @@ decode: root # # ADDRESS EXTENSION # When alias database search fails, and the recipient local- -# part contains the optional recipient delimiter (e.g., -# user+foo), the search is repeated for the unextended +# part contains the optional recipient delimiter (e.g., +# user+foo), the search is repeated for the unextended # address (e.g., user). # -# The propagate_unmatched_extensions parameter controls -# whether an unmatched address extension (+foo) is propa- +# The propagate_unmatched_extensions parameter controls +# whether an unmatched address extension (+foo) is propa- # gated to the result of table lookup. # # CASE FOLDING @@ -167,88 +177,88 @@ decode: root # to lowercase before database lookup. # # REGULAR EXPRESSION TABLES -# This section describes how the table lookups change when +# This section describes how the table lookups change when # the table is given in the form of regular expressions. For -# a description of regular expression lookup table syntax, -# see regexp_table(5) or pcre_table(5). NOTE: these formats +# a description of regular expression lookup table syntax, +# see regexp_table(5) or pcre_table(5). NOTE: these formats # do not use ":" at the end of a pattern. # -# Each regular expression is applied to the entire search -# string. Thus, a search string user+foo is not broken up +# Each regular expression is applied to the entire search +# string. Thus, a search string user+foo is not broken up # into user and foo. # -# Regular expressions are applied in the order as specified -# in the table, until a regular expression is found that +# Regular expressions are applied in the order as specified +# in the table, until a regular expression is found that # matches the search string. # -# Lookup results are the same as with indexed file lookups. -# For security reasons there is no support for $1, $2 etc. +# Lookup results are the same as with indexed file lookups. +# For security reasons there is no support for $1, $2 etc. # substring interpolation. # # SECURITY -# The local(8) delivery agent disallows regular expression -# substitution of $1 etc. in alias_maps, because that would +# The local(8) delivery agent disallows regular expression +# substitution of $1 etc. in alias_maps, because that would # open a security hole. # -# The local(8) delivery agent will silently ignore requests -# to use the proxymap(8) server within alias_maps. Instead -# it will open the table directly. Before Postfix version -# 2.2, the local(8) delivery agent will terminate with a +# The local(8) delivery agent will silently ignore requests +# to use the proxymap(8) server within alias_maps. Instead +# it will open the table directly. Before Postfix version +# 2.2, the local(8) delivery agent will terminate with a # fatal error. # # CONFIGURATION PARAMETERS -# The following main.cf parameters are especially relevant. -# The text below provides only a parameter summary. See +# The following main.cf parameters are especially relevant. +# The text below provides only a parameter summary. See # postconf(5) for more details including examples. # # alias_database (see 'postconf -d' output) -# The alias databases for local(8) delivery that are +# The alias databases for local(8) delivery that are # updated with "newaliases" or with "sendmail -bi". # # alias_maps (see 'postconf -d' output) -# Optional lookup tables that are searched only with -# an email address localpart (no domain) and that -# apply only to local(8) recipients; this is unlike -# virtual_alias_maps that are often searched with a -# full email address (including domain) and that -# apply to all recipients: local(8), virtual, and +# Optional lookup tables that are searched only with +# an email address localpart (no domain) and that +# apply only to local(8) recipients; this is unlike +# virtual_alias_maps that are often searched with a +# full email address (including domain) and that +# apply to all recipients: local(8), virtual, and # remote. # # allow_mail_to_commands (alias, forward) -# Restrict local(8) mail delivery to external com- +# Restrict local(8) mail delivery to external com- # mands. # # allow_mail_to_files (alias, forward) -# Restrict local(8) mail delivery to external files. +# Restrict local(8) mail delivery to external files. # # expand_owner_alias (no) # When delivering to an alias "aliasname" that has an # "owner-aliasname" companion alias, set the envelope -# sender address to the expansion of the +# sender address to the expansion of the # "owner-aliasname" alias. # # propagate_unmatched_extensions (canonical, virtual) -# What address lookup tables copy an address exten- +# What address lookup tables copy an address exten- # sion from the lookup key to the lookup result. # # owner_request_special (yes) # Enable special treatment for owner-listname entries # in the aliases(5) file, and don't split owner-list- -# name and listname-request address localparts when +# name and listname-request address localparts when # the recipient_delimiter is set to "-". # # recipient_delimiter (empty) -# The set of characters that can separate an email -# address localpart, user name, or a .forward file +# The set of characters that can separate an email +# address localpart, user name, or a .forward file # name from its extension. # # Available in Postfix version 2.3 and later: # # frozen_delivered_to (yes) -# Update the local(8) delivery agent's idea of the -# Delivered-To: address (see prepend_deliv- -# ered_header) only once, at the start of a delivery -# attempt; do not update the Delivered-To: address +# Update the local(8) delivery agent's idea of the +# Delivered-To: address (see prepend_deliv- +# ered_header) only once, at the start of a delivery +# attempt; do not update the Delivered-To: address # while expanding aliases or .forward files. # # STANDARDS @@ -261,12 +271,12 @@ decode: root # postconf(5), configuration parameters # # README FILES -# Use "postconf readme_directory" or "postconf html_direc- +# Use "postconf readme_directory" or "postconf html_direc- # tory" to locate this information. # DATABASE_README, Postfix lookup table overview # # LICENSE -# The Secure Mailer license must be distributed with this +# The Secure Mailer license must be distributed with this # software. # # AUTHOR(S) diff --git a/postfix/conf/canonical b/postfix/conf/canonical index 894fd5bcd..5785abaa1 100644 --- a/postfix/conf/canonical +++ b/postfix/conf/canonical @@ -17,15 +17,23 @@ # the queue. The address mapping is recursive. # # Normally, the canonical(5) table is specified as a text -# file that serves as input to the postmap(1) command. The -# result, an indexed file in dbm or db format, is used for -# fast searching by the mail system. Execute the command -# "postmap /etc/postfix/canonical" to rebuild an indexed -# file after changing the corresponding text file. -# -# When the table is provided via other means such as NIS, -# LDAP or SQL, the same lookups are done as for ordinary -# indexed files. +# file that serves as input to the postmap(1) command to +# create an indexed file for fast lookup. +# +# Execute the command "postmap /etc/postfix/canonical" to +# rebuild a default-type indexed file after changing the +# text file, or execute "postmap type:/etc/postfix/canoni- +# cal" to specify an explicit type. +# +# The default indexed file type is configured with the +# default_database_type parameter. Depending on the platform +# this may be one of lmdb:, cdb:, hash:, or dbm: (without +# the trailing ':'). +# +# When the table is provided via other means such as NIS, +# LDAP or SQL, the same lookups are done as for ordinary +# indexed files. Managing such databases is outside the +# scope of Postfix. # # Alternatively, the table can be provided as a regu- # lar-expression map where patterns are given as regular diff --git a/postfix/conf/generic b/postfix/conf/generic index 508e44a42..4ebe3dd11 100644 --- a/postfix/conf/generic +++ b/postfix/conf/generic @@ -30,15 +30,23 @@ # that are used in SMTP protocol commands). # # Normally, the generic(5) table is specified as a text file -# that serves as input to the postmap(1) command. The -# result, an indexed file in dbm or db format, is used for -# fast searching by the mail system. Execute the command -# "postmap /etc/postfix/generic" to rebuild an indexed file -# after changing the corresponding text file. -# -# When the table is provided via other means such as NIS, -# LDAP or SQL, the same lookups are done as for ordinary -# indexed files. +# that serves as input to the postmap(1) command to create +# an indexed file for fast lookup. +# +# Execute the command "postmap /etc/postfix/generic" to +# rebuild a default-type indexed file after changing the +# text file, or execute "postmap type:/etc/postfix/generic" +# to specify an explicit type. +# +# The default indexed file type is configured with the +# default_database_type parameter. Depending on the platform +# this may be one of lmdb:, cdb:, hash:, or dbm: (without +# the trailing ':'). +# +# When the table is provided via other means such as NIS, +# LDAP or SQL, the same lookups are done as for ordinary +# indexed files. Managing such databases is outside the +# scope of Postfix. # # Alternatively, the table can be provided as a regu- # lar-expression map where patterns are given as regular diff --git a/postfix/conf/postfix-files b/postfix/conf/postfix-files index 0d3ae7946..88c337161 100644 --- a/postfix/conf/postfix-files +++ b/postfix/conf/postfix-files @@ -99,6 +99,7 @@ $daemon_directory/local:f:root:-:755 $daemon_directory/main.cf:f:root:-:644:o $daemon_directory/master.cf:f:root:-:644:o $daemon_directory/master:f:root:-:755 +$daemon_directory/nbdb_reindexd:f:root:-:755 $daemon_directory/oqmgr:f:root:-:755 $daemon_directory/pickup:f:root:-:755 $daemon_directory/pipe:f:root:-:755 @@ -107,6 +108,7 @@ $daemon_directory/post-install:f:root:-:755 #$daemon_directory/postfix-files:f:root:-:644:o #$daemon_directory/postfix-files.d:d:root:-:755:o $daemon_directory/postfix-script:f:root:-:755 +$daemon_directory/postfix-non-bdb-script:f:root:-:755 $daemon_directory/postfix-tls-script:f:root:-:755 $daemon_directory/postfix-wrapper:f:root:-:755 $daemon_directory/postmulti-script:f:root:-:755 @@ -172,6 +174,7 @@ $manpage_directory/man1/postalias.1:f:root:-:644 $manpage_directory/man1/postcat.1:f:root:-:644 $manpage_directory/man1/postconf.1:f:root:-:644 $manpage_directory/man1/postdrop.1:f:root:-:644 +$manpage_directory/man1/postfix-non-bdb.1:f:root:-:644 $manpage_directory/man1/postfix-tls.1:f:root:-:644 $manpage_directory/man1/postfix.1:f:root:-:644 $manpage_directory/man1/postkick.1:f:root:-:644 @@ -220,6 +223,7 @@ $manpage_directory/man8/flush.8:f:root:-:644 $manpage_directory/man8/lmtp.8:f:root:-:644 $manpage_directory/man8/local.8:f:root:-:644 $manpage_directory/man8/master.8:f:root:-:644 +$manpage_directory/man8/nbdb_reindexd.8:f:root:-:644 $manpage_directory/man8/nqmgr.8:f:root:-:644:o $manpage_directory/man8/oqmgr.8:f:root:-:644: $manpage_directory/man8/pickup.8:f:root:-:644 @@ -310,6 +314,7 @@ $readme_directory/MYSQL_README:f:root:-:644 $readme_directory/SMTPUTF8_README:f:root:-:644 $readme_directory/SQLITE_README:f:root:-:644 $readme_directory/NFS_README:f:root:-:644 +$readme_directory/NON_BERKELEYDB_README:f:root:-:644 $readme_directory/OVERVIEW:f:root:-:644 $readme_directory/PACKAGE_README:f:root:-:644 $readme_directory/PCRE_README:f:root:-:644 @@ -375,6 +380,7 @@ $html_directory/MYSQL_README.html:f:root:-:644 $html_directory/SMTPUTF8_README.html:f:root:-:644 $html_directory/SQLITE_README.html:f:root:-:644 $html_directory/NFS_README.html:f:root:-:644 +$html_directory/NON_BERKELEYDB_README.html:f:root:-:644 $html_directory/OVERVIEW.html:f:root:-:644 $html_directory/PACKAGE_README.html:f:root:-:644 $html_directory/PCRE_README.html:f:root:-:644 @@ -433,6 +439,7 @@ $html_directory/mysql_table.5.html:f:root:-:644 $html_directory/sqlite_table.5.html:f:root:-:644 $html_directory/nisplus_table.5.html:f:root:-:644 $html_directory/newaliases.1.html:h:$html_directory/mailq.1.html:-:644 +$html_directory/nbdb_reindexd.8.html:f:root:-:644 $html_directory/oqmgr.8.html:f:root:-:644 $html_directory/pcre_table.5.html:f:root:-:644 $html_directory/pgsql_table.5.html:f:root:-:644 @@ -445,6 +452,7 @@ $html_directory/postconf.5.html:f:root:-:644 $html_directory/postdrop.1.html:f:root:-:644 $html_directory/postfix-logo.jpg:f:root:-:644 $html_directory/postfix-manuals.html:f:root:-:644 +$html_directory/postfix-non-bdb.1.html:f:root:-:644 $html_directory/postfix-tls.1.html:f:root:-:644 $html_directory/postfix-wrapper.5.html:f:root:-:644 $html_directory/postfix.1.html:f:root:-:644 diff --git a/postfix/conf/postfix-non-bdb-script b/postfix/conf/postfix-non-bdb-script new file mode 100644 index 000000000..f3b938c27 --- /dev/null +++ b/postfix/conf/postfix-non-bdb-script @@ -0,0 +1,237 @@ +#!/bin/sh + +#++ +# NAME +# postfix-non-bdb 1 +# SUMMARY +# Postfix non-Berkeley-DB migration +# SYNOPSIS +# \fBpostfix non-bdb\fR \fIsubcommand\fR +# DESCRIPTION +# The "\fBpostfix non-bdb \fIsubcommand\fR" feature edits main.cf +# and master.cf, to manage the migration of an existing Postfix +# configuration that uses Berkeley DB type "hash:" or "btree:" +# tables (which are no longer supported on some OS distributions), +# to supported types such as "cdb:" or "lmdb:". +# +# The following subcommands are available: +# .IP \fBstatus\fR +# Reports the non-Berkeley-DB migration status, without making +# any changes. +# .IP \fBdisable\fR +# Edits main.cf and master.cf, to turn off the \fBenable-redirect\fR +# and \fBenable-reindex\fR features. +# .sp +# This will break integration with other software such as +# mailman versions from before May 2025 when they want to +# use "postmap hash:/path/to/file", for example, to update a +# mailman-maintained table. +# .IP "\fBenable-redirect\fR (aliasing)" +# Edits main.cf and master.cf, to enable redirection (aliasing) +# from Berkeley DB types "hash" and "btree" to the non-Berkeley-DB +# types specified with $default_database_type and +# $default_cache_db_type. Custom redirection may be configured +# with non_bdb_custom_mapping. +# .sp +# This configuration will not automatically create non-Berkeley-DB +# indexed database files. Instead, Postfix programs will log an +# error as they fail to open an indexed database file, and will +# leave it to the system administrator to run postmap(1) or +# postalias(1) to create that file. +# .sp +# This will fix integration with other software such as mailman +# versions from before May 2025 when they want to use "postmap +# hash:/path/to/file", for example, to update a mailman-maintained +# table. +# .sp +# This subcommand will not make any changes when +# default_database_type or default_cache_db_type specify a hash: +# or btree: type. +# .IP \fBenable-reindex\fR +# Edits main.cf and master.cf, to implement \fBenable-redirect\fR, +# and to automatically create a non-Berkeley-DB indexed database +# file when a daemon program wants to access a file that does not +# yet exist. This uses the nbdb_reindexd(8) daemon to run postmap(1) +# or postalias(1) as described in "SECURITY" below. +# .sp +# This subcommand immediately generates non-Berkeley-DB indexed +# files for unprivileged command-line programs that cannot send +# requests to the nbdb_reindexd(8) daemon server. This involves +# "hash:" and "btree:" tables that are used by postqueue(1) and +# sendmail(1) as specified in authorized_flush_users and +# authorized_mailq_users, and by sendmail(1) and postdrop(1) +# as specified in authorized_submit_users and +# local_login_sender_maps. +# .sp +# This subcommand will not make any changes when +# default_database_type or default_cache_db_type specify a hash: +# or btree: type. +# .sp +# \fINOTE: \fBenable-reindex\fI should be used only temporarily +# to generate most of the non-Berkeley-DB indexed files that Postfix +# needs. Leaving this enabled may expose the system to +# privilege-escalation attacks. There are no security +# concerns for using \fBenable-redirect\fR. +# SECURITY +# .ad +# .fi +# The nbdb_reindexd(8) daemon automatically generates a +# non-Berkeley-DB indexed file only if the database pathname matches +# the directory prefixes specified with +# non_bdb_migration_allow_root_prefixes (for files that must be +# owned by root), or with non_bdb_migration_allow_user_prefixes +# (for files that must be owned by a non-root user). Additional +# restrictions on file and directory ownership and permissions +# are documented in nbdb_reindexd(8). +# CONFIGURATION PARAMETERS +# .ad +# .fi +# The "\fBpostfix non-bdb \fIsubcommand\fR" feature +# updates the following configuration parameter: +# .IP "\fBnon_bdb_migration_level (disable)\fR" +# The non-Berkeley-DB migration service level. +# .PP +# Other relevant parameters: +# .IP "\fBnon_bdb_custom_mapping (empty)\fR" +# When non-Berkeley-DB migration is enabled, an optional mapping +# from a hash: or btree: type to a non-Berkeley-DB type. +# .IP "\fBnon_bdb_migration_allow_root_prefixes (see 'postconf -d non_bdb_migration_allow_root_prefixes' output)\fR" +# A list of trusted pathname prefixes that must be matched when +# the non-Berkeley-DB migration service (\fBnbdb_reindexd\fR(8)) needs to +# run \fBpostmap\fR(1) or \fBpostalias\fR(1) commands with "root" privilege. +# .IP "\fBnon_bdb_migration_allow_user_prefixes (see 'postconf -d non_bdb_migration_allow_user_prefixes' output)\fR" +# A list of trusted pathname prefixes that must be matched when +# the non-Berkeley-DB migration service (\fBnbdb_reindexd\fR(8)) needs to +# run \fBpostmap\fR(1) or \fBpostalias\fR(1) commands with non-root privilege. +# SEE ALSO +# nbdb_reindexd(8) reindexing service +# README FILES +# .ad +# .fi +# Use "\fBpostconf readme_directory\fR" or +# "\fBpostconf html_directory\fR" to locate this information. +# .na +# .nf +# NON_BERKELEYDB_README, migration guide +# LICENSE +# .ad +# .fi +# The Secure Mailer license must be distributed with this software. +# HISTORY +# The "\fBpostfix non-bdb\fR" command was introduced with Postfix +# version 3.11. +# AUTHOR(S) +# Wietse Venema +# porcupine.org +#-- + +umask 022 +SHELL=/bin/sh + +case $command_directory in +"") echo This script must be run by the postfix command. 1>&2 + echo Do not run directly. 1>&2 exit 1;; esac + +cd $command_directory || { + # Let's hope there's a "postlog" somewhere on the PATH + FATAL="postlog -p fatal -t $MAIL_LOGTAG/postfix-tls-script" + msg="no Postfix command directory '${command_directory}'" + $FATAL "$msg" || { echo "$msg" >&2; sleep 1; } + exit 1 +} + +postconf=$command_directory/postconf +LOGGER="$command_directory/postlog -t $MAIL_LOGTAG/postfix-non-bdb-script" +INFO="$LOGGER -p info" +WARN="$LOGGER -p warn" +ERROR="$LOGGER -p error" +FATAL="$LOGGER -p fatal" + +REINDEX_SVC=nbdb_reindex +REINDEX_BIN=nbdb_reindexd + +# Helper functions. + +reindex_for_non_daemons() { + # The following tables are needed by unprivileged command-line + # tools that cannot send requests to the reindexing service unless + # they are run by root. + for type_name in `$postconf -h authorized_flush_users \ + authorized_mailq_users authorized_submit_users \ + local_login_sender_maps`; \ + do + case $type_name in + hash:*|btree:*) + $INFO Proactively reindexing $type_name + postmap $type_name || exit 1;; + esac + done +} + +validate_redirect_targets() { + # By default, the Berkeley DB type 'hash' will redirect to + # $default_database_type, and type 'btree' will redirect to + # $default_cache_db_type. Require that the targets are not + # Berkeley DB types. + for param in default_database_type default_cache_db_type + do + eval type="`$postconf -h $param`" + case $type in + hash|btree) + $FATAL "parameter $param specifies a Berkeley DB type: '$type'" + exit 1;; + esac + done +} + +# Subcommand implementations. + +status() { + $postconf -h non_bdb_migration_level +} + +disable_all() { + $postconf -X non_bdb_migration_level + $postconf -MX ${REINDEX_SVC}/unix +} + +enable_redirect() { + validate_redirect_targets + $postconf -MX ${REINDEX_SVC}/unix + $postconf non_bdb_migration_level=enable-redirect || exit 1 +} + +enable_reindex() { + validate_redirect_targets + reindex_for_non_daemons + $postconf -M \ + ${REINDEX_SVC}/unix="${REINDEX_SVC} unix y n n - 1 ${REINDEX_BIN}" || exit 1 + $postconf non_bdb_migration_level=enable-reindex || exit 1 +} + +usage() { + $FATAL "usage: postfix non-bdb enable-redirect (or enable-reindex, or disable)" + exit 1 +} + +# +# Parse JCL +# +case $# in + 1) ;; + *) usage;; +esac + +case "$1" in +enable-redirect) + enable_redirect;; +enable-reindex) + enable_reindex;; +disable) + disable_all;; +status) + status;; +*) usage +esac + +exit 0 diff --git a/postfix/conf/postfix-script b/postfix/conf/postfix-script index de86d382b..e19591a4d 100755 --- a/postfix/conf/postfix-script +++ b/postfix/conf/postfix-script @@ -142,6 +142,7 @@ start|start-fg) } # Foreground this so it can be stopped. All inodes are cached. $daemon_directory/postfix-script check-warn + $daemon_directory/postfix-script check-alias-maps-migration fi $INFO starting the Postfix mail system || exit 1 case $1 in @@ -245,6 +246,7 @@ flush) check) $daemon_directory/postfix-script check-fatal || exit 1 + $daemon_directory/postfix-script check-alias-maps-migration $daemon_directory/postfix-script check-warn exit 0 ;; @@ -298,6 +300,34 @@ check-fatal) exit 0 ;; +check-alias-maps-migration) + # This command is NOT part of the public interface. + + # As of Postfix 3.11, the default alias_maps value + # contains $default_database_type:/path/to/aliases. When + # default_database_type is changed to lmdb or cdb, Postfix + # will not generate hash:/path/to/aliases requests that can + # be resolved dynamically with enable-redirect or enable-reindex. + # + # To avoid this, craft a one-time stand-alone re-indexing request. + test -f $config_directory/check-alias-maps-migration-done && exit 0 + BACKUP_IFS="$IFS" + for map in `$command_directory/postconf -hx alias_maps` + do + echo "$map" | ( + IFS=: read type path; IFS="$BACKUP_IFS" + case "$type" in + cdb|lmdb) + test ! -f "$path.$type" -a -f "$path" -a -f "$path.db" && { + $daemon_directory/nbdb_reindexd -S "hash:$path" || + $WARN "See https://www.postfix.org/NON_BERKELEYDB_README.html for suggestions" + } + esac + ) + done + touch $config_directory/check-alias-maps-migration-done + ;; + check-warn) # This command is NOT part of the public interface. @@ -408,9 +438,9 @@ post-install) $daemon_directory/post-install "$@" ;; -tls) - shift - $daemon_directory/postfix-tls-script "$@" +tls|non-bdb) + cmd=$1; shift + $daemon_directory/postfix-$cmd-script "$@" ;; /*) @@ -452,7 +482,7 @@ logrotate) ;; *) - $FATAL "unknown command: '$1'. Usage: postfix start (or stop, reload, abort, flush, check, status, set-permissions, upgrade-configuration, logrotate)" + $FATAL "unknown command: '$1'. Usage: postfix start (or stop, reload, abort, flush, check, status, set-permissions, upgrade-configuration, logrotate, tls, non-bdb)" exit 1 ;; diff --git a/postfix/conf/relocated b/postfix/conf/relocated index 891021fa6..e82225b59 100644 --- a/postfix/conf/relocated +++ b/postfix/conf/relocated @@ -12,15 +12,23 @@ # messages. # # Normally, the relocated(5) table is specified as a text -# file that serves as input to the postmap(1) command. The -# result, an indexed file in dbm or db format, is used for -# fast searching by the mail system. Execute the command -# "postmap /etc/postfix/relocated" to rebuild an indexed -# file after changing the corresponding relocated table. -# -# When the table is provided via other means such as NIS, -# LDAP or SQL, the same lookups are done as for ordinary -# indexed files. +# file that serves as input to the postmap(1) command to +# create an indexed file for fast lookup. +# +# Execute the command "postmap /etc/postfix/relocated" to +# rebuild a default-type indexed file after changing the +# text file, or execute "postmap type:/etc/postfix/relo- +# cated" to specify an explicit type. +# +# The default indexed file type is configured with the +# default_database_type parameter. Depending on the platform +# this may be one of lmdb:, cdb:, hash:, or dbm: (without +# the trailing ':'). +# +# When the table is provided via other means such as NIS, +# LDAP or SQL, the same lookups are done as for ordinary +# indexed files. Managing such databases is outside the +# scope of Postfix. # # Alternatively, the table can be provided as a regu- # lar-expression map where patterns are given as regular diff --git a/postfix/conf/transport b/postfix/conf/transport index f624da5e0..ea6d92556 100644 --- a/postfix/conf/transport +++ b/postfix/conf/transport @@ -59,15 +59,23 @@ # relayhost, or from the recipient domain. # # Normally, the transport(5) table is specified as a text -# file that serves as input to the postmap(1) command. The -# result, an indexed file in dbm or db format, is used for -# fast searching by the mail system. Execute the command -# "postmap /etc/postfix/transport" to rebuild an indexed -# file after changing the corresponding transport table. -# -# When the table is provided via other means such as NIS, -# LDAP or SQL, the same lookups are done as for ordinary -# indexed files. +# file that serves as input to the postmap(1) command to +# create an indexed file for fast lookup. +# +# Execute the command "postmap /etc/postfix/transport" to +# rebuild a default-type indexed file after changing the +# text file, or execute "postmap type:/etc/postfix/trans- +# port" to specify an explicit type. +# +# The default indexed file type is configured with the +# default_database_type parameter. Depending on the platform +# this may be one of lmdb:, cdb:, hash:, or dbm: (without +# the trailing ':'). +# +# When the table is provided via other means such as NIS, +# LDAP or SQL, the same lookups are done as for ordinary +# indexed files. Managing such databases is outside the +# scope of Postfix. # # Alternatively, the table can be provided as a regu- # lar-expression map where patterns are given as regular diff --git a/postfix/conf/virtual b/postfix/conf/virtual index 63799778c..87b46df2c 100644 --- a/postfix/conf/virtual +++ b/postfix/conf/virtual @@ -45,15 +45,23 @@ # addresses in general. # # Normally, the virtual(5) alias table is specified as a -# text file that serves as input to the postmap(1) command. -# The result, an indexed file in dbm or db format, is used -# for fast searching by the mail system. Execute the command -# "postmap /etc/postfix/virtual" to rebuild an indexed file -# after changing the corresponding text file. -# -# When the table is provided via other means such as NIS, -# LDAP or SQL, the same lookups are done as for ordinary -# indexed files. +# text file that serves as input to the postmap(1) command +# to create an indexed file for fast lookup. +# +# Execute the command "postmap /etc/postfix/virtual" to +# rebuild a default-type indexed file after changing the +# text file, or execute "postmap type:/etc/postfix/virtual" +# to specify an explicit type. +# +# The default indexed file type is configured with the +# default_database_type parameter. Depending on the platform +# this may be one of lmdb:, cdb:, hash:, or dbm: (without +# the trailing ':'). +# +# When the table is provided via other means such as NIS, +# LDAP or SQL, the same lookups are done as for ordinary +# indexed files. Managing such databases is outside the +# scope of Postfix. # # Alternatively, the table can be provided as a regu- # lar-expression map where patterns are given as regular diff --git a/postfix/html/INSTALL.html b/postfix/html/INSTALL.html index 7446b7877..62f178e82 100644 --- a/postfix/html/INSTALL.html +++ b/postfix/html/INSTALL.html @@ -671,7 +671,7 @@ listed below. See the postconf(5) manpage for a de config_directory /etc/postfix - default_database_type lmdb or hash + default_database_type lmdb, cdb, or hash default_cache_db_type lmdb or btree @@ -741,7 +741,7 @@ default /etc/postfix DEF_DB_TYPE default_database_type -lmdb or hash +lmdb, cdb, or hash DEF_CACHE_DB_TYPE default_cache_db_type lmdb or btree @@ -773,12 +773,17 @@ default DEF_SENDMAIL_PATH sendmail_path /usr/sbin/sendmail + DEF_SHLIB_DIR shlib_directory +/usr/lib/postfix +

Note: the data_directory parameter (for caches and pseudo-random -numbers) was introduced with Postfix version 2.5.

+numbers) was introduced with Postfix version 2.5; shlib_directory +(for shared-library objects and database plugins) with Postfix +version 3.0.

4.7 - Overriding other compile-time features

@@ -816,7 +821,7 @@ off Postfix features at compile time: -DNO_DB Do not build with Berkeley DB support. By default, Berkeley DB support is compiled in on -platforms that are known to support this feature. If you override +platforms that have historically supported this feature. If you override this, then you probably should also override default_database_type or DEF_DB_TYPE as described in section 4.6. @@ -1550,8 +1555,8 @@ the exact location of the text file.

First, be sure to update the text file with aliases for root, postmaster and "postfix" that forward mail to a real person. Postfix -has a sample aliases file /etc/postfix/aliases that you can adapt -to local conditions.

+has a sample aliases file /etc/postfix/aliases that you can copy +and adapt to local conditions. /p> 
@@ -1577,6 +1582,15 @@ following commands:
+

The form "postalias /etc/aliases" builds a default-type indexed +file. Use "postalias type:/etc/aliases" to specify an explicit +type (it should match the type in the output from "postconf -x +alias_maps").

+ +

The default indexed file type is configured with the +default_database_type parameter. To list available explicit types, +execute the command "postconf -m".

+

11 - To chroot or not to chroot

Postfix daemon processes can be configured (via master.cf) to diff --git a/postfix/html/Makefile.in b/postfix/html/Makefile.in index af931119e..d84b4da07 100644 --- a/postfix/html/Makefile.in +++ b/postfix/html/Makefile.in @@ -8,14 +8,14 @@ DAEMONS = bounce.8.html cleanup.8.html defer.8.html error.8.html local.8.html \ oqmgr.8.html spawn.8.html flush.8.html virtual.8.html qmqpd.8.html \ trace.8.html verify.8.html proxymap.8.html anvil.8.html \ scache.8.html discard.8.html tlsmgr.8.html postscreen.8.html \ - dnsblog.8.html tlsproxy.8.html postlogd.8.html + dnsblog.8.html tlsproxy.8.html postlogd.8.html nbdb_reindexd.8.html COMMANDS= mailq.1.html newaliases.1.html postalias.1.html postcat.1.html \ postconf.1.html postfix.1.html postkick.1.html postlock.1.html \ postlog.1.html postdrop.1.html postmap.1.html postmulti.1.html \ postqueue.1.html postsuper.1.html sendmail.1.html \ smtp-source.1.html smtp-sink.1.html posttls-finger.1.html \ qmqp-source.1.html qmqp-sink.1.html \ - qshape.1.html postfix-tls.1.html makedefs.1.html + qshape.1.html postfix-tls.1.html makedefs.1.html postfix-non-bdb.1.html CONFIG = access.5.html aliases.5.html canonical.5.html relocated.5.html \ transport.5.html virtual.5.html pcre_table.5.html regexp_table.5.html \ cidr_table.5.html tcp_table.5.html header_checks.5.html \ @@ -92,6 +92,10 @@ master.8.html: ../src/master/master.c PATH=../mantools:$$PATH; \ srctoman $? | $(AWK) | $(NROFF) -man | uniq | $(MAN2HTML) | postlink >$@ +nbdb_reindexd.8.html: ../src/nbdb_reindexd/nbdb_reindexd.c + PATH=../mantools:$$PATH; \ + srctoman $? | $(AWK) | $(NROFF) -man | uniq | $(MAN2HTML) | postlink >$@ + oqmgr.8.html: ../src/oqmgr/qmgr.c PATH=../mantools:$$PATH; \ srctoman $? | sed -e 's/qmgr[^_]/o&/' \ @@ -187,6 +191,10 @@ postfix.1.html: ../src/postfix/postfix.c PATH=../mantools:$$PATH; \ srctoman $? | $(AWK) | $(NROFF) -man | uniq | $(MAN2HTML) | postlink >$@ +postfix-non-bdb.1.html: ../conf/postfix-non-bdb-script + PATH=../mantools:$$PATH; \ + srctoman - $? | $(AWK) | $(NROFF) -man | uniq | $(MAN2HTML) | postlink >$@ + postfix-tls.1.html: ../conf/postfix-tls-script PATH=../mantools:$$PATH; \ srctoman - $? | $(AWK) | $(NROFF) -man | uniq | $(MAN2HTML) | postlink >$@ diff --git a/postfix/html/NON_BERKELEYDB_README.html b/postfix/html/NON_BERKELEYDB_README.html new file mode 100644 index 000000000..655caf901 --- /dev/null +++ b/postfix/html/NON_BERKELEYDB_README.html @@ -0,0 +1,684 @@ + + + + + + +Postfix Non-Berkeley-DB migration + + + + + + + + +

Postfix +Non-Berkeley-DB migration

+ +
+ +

Table of contents

+ + + +

Introduction

+ +

(Please see the Appendix for Mailman +integration tips.)

+ +

After running the same Postfix configuration for a decade or +more, there is a rude awakening when you update the OS to a newer +version that has deleted its support for Berkeley DB. Postfix +programs fail to open all hash: and btree: tables with messages +like this:

+ +
+
+Berkeley DB support for 'hash:/etc/postfix/virtual' is not available
+for this build; see https://www.postfix.org/NON_BERKELEYDB_README.html
+for alternatives
+
+
+ +

This document comes to the rescue, with strategies to migrate +an existing Postfix configuration that uses Berkeley DB hash: and +btree: database files, to an OS distribution that has removed +Berkeley DB support, with a Postfix configuration that uses lmdb: (or +a combination of cdb: and lmdb:).

+ +

By the way, you don't have to wait until Berkeley DB support +is removed; your can proactively use the steps described here on a +system that still has Berkeley DB, to migrate a Postfix configuration +from Berkeley DB to lmdb: (or a combination of cdb: and lmdb:). + +

Background

+ +

Historically, Postfix has used Berkeley DB hash: and btree: for +key-value stores, as indicated in the "With Berkeley DB" table +column below. In a world without Berkeley DB, good replacements are +cdb: and lmdb: as indicated in the "No Berkeley DB" column.

+ +
+ + + + + + + + + + +
Purpose With Berkeley DB No Berkeley +DB
Mostly-static data such as aliases, transport_maps, +access tables default_database_type=hash +default_database_type=lmdb or default_database_type=cdb
Dynamic caches maintained by postscreen(8), verify(8), +tlsmgr(8) default_cache_db_type=btree +default_cache_db_type=lmdb
+ +
+ +

The default values for default_database_type and default_cache_db_type +may be specified at build time (see the section +below, and they may be changed later by editing main.cf, for +example with the postconf(1) command.)

+ +

The sections that follow present three migration strategies +with different levels of assistance by tooling that was developed +for Postfix 3.11 and later.

+ +

Skip this if not building Postfix from +source, or if your system still supports Berkeley DB.

+ +

Click here to skip to the next section. + +

On systems that have removed Berkeley DB support, run "make +makefiles" with a CCARGS value that (also) contains "-DNO_DB", +and specify appropriate values for default_database_type (lmdb or cdb) +and default_cache_db_type (lmdb).

+ +

In the examples below, the "..." are place holders any +dependencies that you build Postfix with, such as CDB, LDAP, LMDB, +MySQL/MariaDB, OpenSSL, SASL, and so on. + +

Example 1: use lmdb: for both default_database_type (read-mostly +lookup tables) and default_cache_db_type (read-write caches). Terminal +input is bold, output is normal font.

+ +
+$ make makefiles CCARGS="-DNO_DB ..." \
+    default_database_type=lmdb \
+    default_cache_db_type=lmdb ... \
+    AUXLIBS...
+
+
+ +

Example 2: alternative form that produces the same result. +

+ +
+
+$ export CCARGS="-DNO_DB ..."
+$ export default_database_type=lmdb
+$ export default_cache_db_type=lmdb
+$ export AUXLIBS...
+...
+$ make makefiles
+
+
+ +

Another alternative is to use cdb for default_database_type +(read-mostly lookup tables) and lmdb for default_cache_db_type +(read-write caches).

+ +

Migration support level overview

+ +

The goal of the migration is clear: stop using hash: and btree:, +and use lmdb: or cdb: instead. If your configuration is simple or +if you are familiar with Postfix configuration, a few "grep" +commands will find all the problems, and a few edits will be easy +to make.

+ +

If, on the other hand, you are not familiar with the details of your +Postfix configuration, then this document provides options where Postfix +can help.

+ +

Postfix 3.11 introduces multiple levels of migration support. +You can use the command "postfix non-bdb status" to view +the migration support level. This is what the default should look +like (terminal input is bold, output is normal +font):

+ +
+
+# postfix non-bdb status
+disable
+
+
+ +

In increasing order, the support levels are:

+ +
+ +
disable (manual migration)
+ +

You start up Postfix, watch the logging when Postfix +programs fail to open a hash: or btree: table, edit Postfix +configuration files to use lmdb: or cdb:, then run postmap(1) or +postalias(1) commands to create lmdb: or cdb: indexed database +files. Use this option if you are familiar with Postfix configuration. +

+ +

This will not fix the integration with Mailman versions from +before gitlab +commit 8fa56b72 (May 2025) and other software that are broken +when they want to use "postmap hash:/path/to/file". +Mailman uses this to maintain a table with mailing list contact +addresses. For that, you need to use the next-up level.

+ +
enable-redirect (database +aliasing)
+ +

This level implicitly redirects a request to access +hash:/path/to/file to $default_database_type:/path/to/file, +and redirects a request to access a btree:/path/to/file to +$default_cache_db_type:/path/to/file.

+ +

This still requires manually running postmap(1) or postalias(1) +commands, but "fixes" the integration with Mailman versions from +before gitlab +commit 8fa56b72 (May 2025) and other software when they want +to use "postmap hash:/path/to/file", and Berkeley +DB support is not available. Such commands will implicitly create +a new lmdb: or cdb: indexed database file, depending on the +default_database_type value.

+ +
enable-reindex (aliasing, plus +running postmap(1) or postalias(1))
+ +

This level implements "enable-redirect (database +aliasing)", and also runs the postmap(1) or postalias(1) command to create +a new lmdb or cdb indexed database file. This uses the nbdb_reindexd(8) +daemon.

+ +
+ +

The levels enable-redirect and + enable-reindex leave some technical +debt: configurations that still say hash: or btree: (even if +they use lmdb: or cdb: behind the scene).

+ + + +

After this overview, the sections that follow will go into more +detail.

+ +

Level 'disable': manual migration

+ +

To disable all non-Berkeley-DB migration features use +the "postfix non-bdb" command: + +

+
+# postfix non-bdb disable
+# postfix reload
+
+
+ +

This will edit main.cf to remove a non_bdb_migration_level setting +and the level revert to its implicit default (disable), and will edit +master.cf to remove an entry for the reindex service.

+ +

This setting will cause problems with Mailman versions from +before gitlab +commit 8fa56b72 (May 2025) and other software that wants to use +"postmap hash:/path/to/file" (or similar postalias +commands), and Berkeley DB support is no longer available. In that +case, you will need the "enable-redirect" migration support +level. + +

A manual migration process goes like this:

+ + + +

Level 'enable-redirect': database +aliasing

+ +

To enable this migration support level, use:

+ +
+
+# postfix non-bdb enable-redirect
+# postfix reload
+
+
+ +

This postfix non-bdb" command edits main.cf to enable +redirection (aliasing) from Berkeley DB types "hash" and "btree" +to the non-Berkeley-DB types specified with $default_database_type +and $default_cache_db_type. Custom redirection may be configured +with non_bdb_custom_mapping. This command also edits master.cf to +remove an unused nbdb_reindex service entry.

+ +

This migration support level will not automatically create +non-Berkeley-DB indexed database files. Instead, Postfix programs +will log an error as they fail to open an indexed database file, +and will leave it to the system administrator to run postmap(1) or +postalias(1) to create that file.

+ +

For each instance of "hash:/path/to/source" or +"btree:/path/to/source" that requires manually running +postmap(1) or postalias(1):

+ + + +

This migration support level will fix problems with Mailman +versions from before May 2025 and other software that wants to use +"postmap hash:/path/to/file". With database +redirection, such commands will implicitly create an indexed file +for $default_database_type:/path/to/file (similar aliasing +happens for postalias commands).

+ +

The command "postfix non-bdb enable-redirect" will +refuse to make any changes when default_database_type or +default_cache_db_type specify a hash: or btree: type. + +

Level 'enable-reindex': redirect and +automatically generate non-Berkeley-DB indexed files

+ +

NOTE: this level should be used only temporarily to generate +most of the non-Berkeley-DB indexed files that Postfix needs. +Leaving this enabled may expose the system to privilege-escalation +attacks. There are no security concerns for using enable-redirect. +

+ +

To enable this migration support level, use:

+ +
+
+# postfix non-bdb enable-reindex
+# postfix reload
+
+
+ +

This postfix non-bdb command edits main.cf to set the non-Berkeley-DB +migration support level, and master.cf to add or replace an +nbdb-reindex service entry.

+ +

The resulting configuration implements not only the functionality +of enable-redirect, but also +automatically creates a non-Berkeley-DB indexed database file when +a daemon program wants to access a file that does not exist. This +uses the nbdb_reindexd(8) daemon to run postmap(1) or postalias(1) +commands for databases that satisfy basic requirements to block +privilege-escalation attacks. The number of requirements is large, +but mainly, database files and their parent directory must not allow +write access for group or other users, and their pathnames must +match a list of trusted directory prefixes. The complete list of +requirements is documented in nbdb_reindexd(8).

+ +This command immediately generates non-Berkeley-DB indexed files +for command-line programs that lack privileges to send requests to +the nbdb_reindexd(8) indexing server. This applies to "hash:" and +"btree:" tables that are used by postqueue(1) and sendmail(1) as +configured with authorized_flush_users and authorized_mailq_users, +and used by sendmail(1) and postdrop(1) as configured with +authorized_submit_users and local_login_sender_maps.

+ +

The command "postfix non-bdb enable-reindex" will +refuse to make any changes when default_database_type or +default_cache_db_type specify a hash: or btree: type. + +

The nbdb_reindexd(8) daemon will log when it successfully runs +a postmap(1) or postalias(1) command. Examples, for a system with +"default_database_type = lmdb":

+ +
+
+successfully executed 'postmap lmdb:/etc/postfix/transport' as uid 0
+successfully executed 'postalias lmdb:/etc/aliases' as uid 0
+
+
+ +

See the section "Addressing errors +with automatic indexed file generation" for the most likely +errors that Postfix programs may log.

+ +

Once there are no more errors from Postfix programs for about +24 hours, turn off automatic index generation by reducing the support +level to enable-redirect with:

+ +
+
+# postfix non-bdb enable-redirect
+# postfix reload
+
+
+ +

Addressing errors with automatic +indexed file generation

+ +

Unexpected pathname errors

+ +

Depending on the location of your Postfix lookup tables, Postfix +programs may log a request to add a trusted directory to the +directories listed with non_bdb_migration_allow_root_prefixes or +non_bdb_migration_allow_user_prefixes.

+ +

Example, with line breaks added for readability:

+ +
+
+could not execute command 'postmap lmdb:/path/to/file': table
+/path/to/file has an unexpected pathname;
+
+to allow automatic indexing as root, append its parent directory
+to the non_bdb_migration_allow_root_prefixes setting (current setting
+is: "/etc /usr/local/etc");
+
+alternatively, execute the failed command by hand
+
+
+ +

You have two options:

+ +
    + +

  1. If you think that the suggested change is safe, update the +setting as proposed and execute "postfix reload".

    + +

  2. Alternatively, you can execute the failed postmap(1) or +postalias(1) command by hand, and Postfix will not log the same error +again.

    + +
+ +

A similar request may be logged when a file needs to be indexed as +a non-root user.

+ +

Unexpected file or directory owner or permissions

+ +

Other errors may be logged when a database file or directory +has an unexpected owner, or when it is writable by group or by other +users.

+ +

Example with line breaks added for readability:

+ +
+
+could not execute command 'postmap lmdb:/path/to/file': legacy
+indexed file '/path/to/file.db' is owned by uid '0', but parent
+directory '/path/to' is owned or writable by other user;
+
+to allow automatic indexing, correct the ownership or permissions;
+
+alternatively, execute the failed command by hand
+
+
+ +

Again, you have two options:

+ +
    + +

  1. Fix the ownership or permission error.

    + +

  2. Execute the failed postmap(1) or postalias(1) command by +hand, and Postfix will not log the same error again.

    + +
+ +

Once there are no more errors from Postfix programs for about +24 hours, turn off automatic index generation by reducing the +support level to enable-redirect with:

+ +
+
+# postfix non-bdb enable-redirect
+# postfix reload
+
+
+ +

Appendix: Mailman integration

+ +

This section has instructions to migrate an existing Mailman +configuration that wants to use commands like "postmap +hash:/path/to/file". Mailman uses such commands to maintain +tables with mailing list contact addresses and domain names. This +will break on systems that no longer have Berkeley DB support.

+ +

Solutions:

+ + + +

With Mailman3 the integration with Postfix using LMTP may look +like:

+ +
+
+/var/lib/mailman3/data/postfix_domains      (domain names)
+/var/lib/mailman3/data/postfix_domains.db   (Berkeley DB hash file)
+/var/lib/mailman3/data/postfix_lmtp         (transport map)
+/var/lib/mailman3/data/postfix_lmtp.db      (Berkeley DB hash file)
+
+
+ +
Caution: the data directory may contain other files +with names ending in ".db" that are not part of the +Mailman-Postfix integration. Do not tamper with the other files. +
+ +

The relevant Postfix migration levels are:

+ +
enable-redirect (redirect hash: +to lmdb: or cdb:)
+ +

Command: # postfix non-bdb enable-redirect

+ +

This will fix the problem that Mailman wants to use commands like +"postmap hash:/path/to/postfix_domains" and "postmap +hash:/path/to/postfix_lmtp".

+ +

Instead of complaining about an unsupported database type, these +postmap commands will implicitly create ".lmdb" indexed +files like (lmdb:/path/to/postfix_domains or +lmdb:/path/to/postfix_lmtp, or their cdb: versions depending +on the Postfix default_database_type setting).

+ +

This will not fix the problem that Postfix wants to +use databases like hash:/path/to/postfix_domains +and hash::/path/to/postfix_lmtp. With enable-redirect, these will redirect to +".lmdb" indexed files (good) but those files do not yet exist +(bad). You will need to create them by hand with commands like:

+ +
+# postmap lmdb:/path/to/postfix_domains
+# postmap lmdb:/path/to/postfix_lmtp
+
+ +

After this, no further human action will be needed. When Mailman +needs to update these files, it will invoke postmap commands that +will work as promised above. Leave the Postfix migration level at enable-reindex until you can upgrade to a +newer Mailman version that supports Postfix with non-Berkeley +databases.

+ +
+ +
enable-reindex (also automatically +run postmap commands)
+ +

Command: # postfix non-bdb enable-redirect

+ +

In addition to "enable-redirect", +Postfix will also try to run commands like "postmap +lmdb:/path/to/postfix_domains" and "postmap +lmdb:/path/to/postfix_lmtp". There will be some delay +depending on the amount of mailing list traffic; you may want to post +a test message to make the postmap commands happen sooner.

+ +

Postfix will log the postmap commands (or will log a request to make +some configuration changes; see "Addressing errors +with automatic indexed file generation" above).

+ +

Note: once these "postmap" commands have completed, +you should reduce the migration support level with the command +"postfix non-bdb enable-redirect". For security reasons the enable-reindex level should not be permanently +enabled.

+ +
+ + + + diff --git a/postfix/html/SASL_README.html b/postfix/html/SASL_README.html index c47672a50..30dd58f11 100644 --- a/postfix/html/SASL_README.html +++ b/postfix/html/SASL_README.html @@ -1377,7 +1377,8 @@ use a particular envelope sender address: 

 /etc/postfix/main.cf:
-    smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
+    smtpd_sender_login_maps = 
+        lmdb:/etc/postfix/controlled_envelope_senders
 
     smtpd_recipient_restrictions =
         ...
@@ -1402,6 +1403,19 @@ names that own that address:
+

Instead of lmdb:, some systems use cdb:, hash:, or dbm:.

+ +

Execute the command "postmap +/etc/postfix/controlled_envelope_senders" after you change the +controlled_envelope_senders file, to (re)build a default-type indexed +file. Execute "postmap +type:/etc/postfix/controlled_envelope_senders" to specify +an explicit type.

+ +

The default indexed file type is configured with the +default_database_type parameter. To list available explicit types, +execute the command "postconf -m".

+

With this, the reject_sender_login_mismatch restriction above will reject the sender address in the MAIL FROM command if smtpd_sender_login_maps does not specify @@ -1430,7 +1444,7 @@ REJECT mail from accounts whose credentials have been compromised. /etc/postfix/main.cf: smtpd_recipient_restrictions = permit_mynetworks - check_sasl_access hash:/etc/postfix/sasl_access + check_sasl_access lmdb:/etc/postfix/sasl_access permit_sasl_authenticated ... @@ -1442,6 +1456,17 @@ REJECT mail from accounts whose credentials have been compromised. +

Instead of lmdb:, some systems use cdb:, hash:, or dbm:.

+ +

Execute the command "postmap /etc/postfix/sasl_access" +after you change the sasl_access file, to (re)build a default-type +indexed file. Execute "postmap type:/etc/postfix/sasl_access" +to specify an explicit type.

+ +

The default indexed file type is configured with the +default_database_type parameter. To list available explicit types, +execute the command "postconf -m".

+

Default authentication domain

Postfix can append a domain name (or any other string) to a @@ -1675,7 +1700,7 @@ second part sets up the username/password information.

relayhost = [mail.isp.example] # Alternative form: # relayhost = [mail.isp.example]:submission - smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd + smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd @@ -1749,8 +1774,16 @@ and before entering an optional chroot jail.

-

Specify dbm instead of hash if your system uses -dbm files instead of db files. To find out what lookup -tables Postfix supports, use the command "postconf -m".

+

Instead of lmdb:, some systems use cdb:, hash:, or dbm:.

Execute the command "postmap /etc/postfix/generic" -whenever you change the generic table.

+whenever you change the generic file, to (re)build a default-type +indexed file. Execute "postmap type:/etc/postfix/generic" +to specify an explicit type.

+ +

The default indexed file type is configured with the +default_database_type parameter. To list available explicit types, +execute the command "postconf -m".

Solution 2: Postfix version 2.1 and earlier

@@ -174,9 +178,9 @@ discussed in the first half of this document.

2 myhostname = hostname.localdomain 3 mydomain = localdomain 4 - 5 canonical_maps = hash:/etc/postfix/canonical + 5 canonical_maps = lmdb:/etc/postfix/canonical 6 - 7 virtual_alias_maps = hash:/etc/postfix/virtual + 7 virtual_alias_maps = lmdb:/etc/postfix/virtual 8 9 /etc/postfix/canonical: 10 your-login-name your-account@your-isp.com @@ -205,15 +209,21 @@ but is convenient. -

Specify dbm instead of hash if your system uses -dbm files instead of db files. To find out what lookup -tables Postfix supports, use the command "postconf -m".

+

Instead of lmdb:, some systems use cdb:, hash:, or dbm:.

Execute the command "postmap /etc/postfix/canonical" -whenever you change the canonical table.

+whenever you change the canonical file, to (re)build a default-type +indexed file. Execute "postmap type:/etc/postfix/canonical" +to specify an explicit type.

+ +

The default indexed file type is configured with the +default_database_type parameter. To list available explicit types, +execute the command "postconf -m".

Execute the command "postmap /etc/postfix/virtual" -whenever you change the virtual table.

+whenever you change the virtual file, to (re)build a default-type +indexed file. Execute "postmap type:/etc/postfix/virtual" +to specify an explicit type.

Enabling SASL authentication in the Postfix SMTP/LMTP client

@@ -254,7 +264,7 @@ second part sets up the username/password information.

relayhost = [mail.isp.example] # Alternative form: # relayhost = [mail.isp.example]:submission - smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd + smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd @@ -328,8 +338,16 @@ and before entering an optional chroot jail.

-

Specify dbm instead of hash if your system uses -dbm files instead of db files. To find out what lookup -tables Postfix supports, use the command "postconf -m".

+

Instead of lmdb:, some systems use cdb:, hash:, or dbm:.

+ +

Execute the command "postmap /etc/postfix/virtual" +whenever you change the virtual file, to (re)build a default-type +indexed file. Execute "postmap type:/etc/postfix/virtual" +to specify an explicit type.

+ +

The default indexed file type is configured with the +default_database_type parameter. To list available explicit types, +execute the command "postconf -m".

Execute the command "postmap /etc/postfix/relay_recipients" -whenever you change the relay_recipients table.

+whenever you change the relay_recipients file, to (re)build a +default-type indexed file. Execute "postmap +type:/etc/postfix/relay_recipients" to specify an explicit +type.

Execute the command "postmap /etc/postfix/transport" -whenever you change the transport table.

+whenever you change the transport file, to (re)build a default-type +indexed file. Execute "postmap type:/etc/postfix/transport" +to specify an explicit type.

In some installations, there may be separate instances of Postfix processing inbound and outbound mail on a multi-homed firewall. The @@ -447,7 +459,7 @@ follows: 

 1 /etc/postfix/main.cf:
-2     virtual_alias_maps = hash:/etc/postfix/virtual
+2     virtual_alias_maps = lmdb:/etc/postfix/virtual
 3 
 4 /etc/postfix/virtual:
 5     root     root@localhost
@@ -466,8 +478,16 @@ matches $inet_interfaces or $
 
+
 Instead of lmdb:, some systems use cdb:, hash:, or dbm:. 

+
 
 Execute the command "postmap /etc/postfix/virtual" after
-editing the file. 

+editing the virtual file, to (re)build a default-type indexed file.
+Execute "postmap type:/etc/postfix/virtual" to specify
+an explicit type. 

+
+
 The default indexed file type is configured with the
+default_database_type parameter. To list available explicit types, 
+execute the command "postconf -m".

 
 
Running Postfix behind a firewall

 
@@ -489,7 +509,7 @@ discussed in the first half of this document. 

 

 
  1 /etc/postfix/main.cf:
- 2     transport_maps = hash:/etc/postfix/transport
+ 2     transport_maps = lmdb:/etc/postfix/transport
  3     relayhost =
  4     # Optional for a machine that isn't "always on"
  5     #fallback_relay = [gateway.example.com]
@@ -522,12 +542,17 @@ directly, and gives undeliverable mail to a gateway.  

 
 
 
-
 Specify dbm instead of hash if your system uses
-dbm files instead of db files. To find out what lookup
-tables Postfix supports, use the command "postconf -m". 

+
 Instead of lmdb:, some systems use cdb:, hash:, or dbm:. 

+
+
 Execute the command "postmap /etc/postfix/transport"
+whenever you edit the transport file, to (re)build a default-type
+indexed file. Execute "postmap type:/etc/postfix/transport"
+to specify an explicit type. 

+
+
 The default indexed file type is configured with the
+default_database_type parameter. To list available explicit types, 
+execute the command "postconf -m".

 
-
 Execute the command "postmap /etc/postfix/transport" whenever
-you edit the transport table. 

 
 
Configuring Postfix as primary or backup MX host for a remote site

 
@@ -561,7 +586,7 @@ is all you need: 

 11     # You must specify your NAT/proxy external address.
 12     #proxy_interfaces = 1.2.3.4
 13 
-14     relay_recipient_maps = hash:/etc/postfix/relay_recipients
+14     relay_recipient_maps = lmdb:/etc/postfix/relay_recipients
 15 
 16 /etc/postfix/relay_recipients:
 17     user1@the.backed-up.domain.tld   x
@@ -576,7 +601,7 @@ need the above, plus: 

 

 
 20 /etc/postfix/main.cf:
-21     transport_maps = hash:/etc/postfix/transport
+21     transport_maps = lmdb:/etc/postfix/transport
 22 
 23 /etc/postfix/transport:
 24     the.backed-up.domain.tld       relay:[their.mail.host.tld]
@@ -613,12 +638,22 @@ relay_recipients table. 

 
 
 
-
 Specify dbm instead of hash if your system uses
-dbm files instead of db files. To find out what lookup
-tables Postfix supports, use the command "postconf -m". 

+
 Instead of lmdb:, some systems use cdb:, hash:, or dbm:. 

+
+
 Execute the command "postmap /etc/postfix/relay_recipients"
+whenever you change the relay_recipients file, to (re)build a
+default-type indexed file. Execute "postmap
+type:/etc/postfix/relay_recipients" to specify an explicit
+type. 

+
+
 The default indexed file type is configured with the
+default_database_type parameter. To list available explicit types, 
+execute the command "postconf -m".

 
 
 Execute the command "postmap /etc/postfix/transport"
-whenever you change the transport table. 

+whenever you change the transport file, to (re)build a default-type
+indexed file. Execute "postmap type:/etc/postfix/transport"
+to specify an explicit type. 

 
 
 NOTE for Postfix < 2.2: Do not use the fallback_relay feature
 when relaying mail
@@ -760,7 +795,7 @@ discussed in the first half of this document. 

 

 
 1 /etc/postfix/main.cf:
-2     smtp_generic_maps = hash:/etc/postfix/generic
+2     smtp_generic_maps = lmdb:/etc/postfix/generic
 3 
 4 /etc/postfix/generic:
 5     his@localdomain.local             hisaccount@hisisp.example
@@ -785,12 +820,16 @@ that the ISP supports "+" style address extensions). 

 
 
 
-
Specify dbm instead of hash if your system uses
-dbm files instead of db files. To find out what lookup
-tables Postfix supports, use the command "postconf -m".  

+
 Instead of lmdb:, some systems use cdb:, hash:, or dbm:. 

 
 
 Execute the command "postmap /etc/postfix/generic"
-whenever you change the generic table. 

+whenever you change the generic file, to (re)build a default-type
+indexed file. Execute  "postmap type:/etc/postfix/generic"
+to specify an explicit type.

+
+
 The default indexed file type is configured with the
+default_database_type parameter. To list available explicit types, 
+execute the command "postconf -m".

 
 
Solution 2: Postfix version 2.1 and earlier 

 
@@ -811,9 +850,9 @@ discussed in the first half of this document. 

  2     myhostname = hostname.localdomain
  3     mydomain = localdomain
  4 
- 5     canonical_maps = hash:/etc/postfix/canonical
+ 5     canonical_maps = lmdb:/etc/postfix/canonical
  6 
- 7     virtual_alias_maps = hash:/etc/postfix/virtual
+ 7     virtual_alias_maps = lmdb:/etc/postfix/virtual
  8 
  9 /etc/postfix/canonical:
 10     your-login-name    your-account@your-isp.com
@@ -842,15 +881,21 @@ but is convenient.
 
 
 
-
Specify dbm instead of hash if your system uses
-dbm files instead of db files. To find out what lookup
-tables Postfix supports, use the command "postconf -m".  

+
 Instead of lmdb:, some systems use cdb:, hash:, or dbm:. 

 
 
 Execute the command "postmap /etc/postfix/canonical"
-whenever you change the canonical table. 

+whenever you change the canonical file, to (re)build a default-type
+indexed file. Execute "postmap type:/etc/postfix/canonical"
+to specify an explicit type. 

+
+
 The default indexed file type is configured with the
+default_database_type parameter. To list available explicit types, 
+execute the command "postconf -m".

 
 
 Execute the command "postmap /etc/postfix/virtual"
-whenever you change the virtual table. 

+whenever you change the virtual file, to (re)build a default-type
+indexed file. Execute "postmap type:/etc/postfix/virtual"
+to specify an explicit type. 

 
 
 
diff --git a/postfix/html/UUCP_README.html b/postfix/html/UUCP_README.html
index 4e3c2d216..729e93e51 100644
--- a/postfix/html/UUCP_README.html
+++ b/postfix/html/UUCP_README.html
@@ -102,6 +102,13 @@ recipients.  The pipe(8) delivery agent executes the <
 command without assistance from the shell, so there are no problems
 with shell meta characters in command-line parameters.  

 
+
  •  
     Enable transport table lookups: 
    
+
+
    +/etc/postfix/main.cf:
+    transport_maps = lmdb:/etc/postfix/transport
+
    
+
 
  •  
     Specify that mail for example.com, should be
 delivered via UUCP, to a host named uucp-host: 
    
 
@@ -111,21 +118,19 @@ delivered via UUCP, to a host named uucp-host: 
    
     .example.com    uucp:uucp-host
 
    • 
 
+
     Instead of lmdb:, some systems use cdb:, hash:, or dbm:. 
    
+
 
     See the transport(5) manual page for more details. 
    
 
 
  •  
     Execute the command "postmap /etc/postfix/transport"
-whenever you change the transport file. 
    
-
-
  •  
     Enable transport table lookups: 
    
-
-
    -/etc/postfix/main.cf:
-    transport_maps = hash:/etc/postfix/transport
-
    
+whenever you change the transport file, to (re)build a
+default-type indexed file. Execute "postmap
+type:/etc/postfix/transport" to specify an explicit type.
+
    
 
-
     Specify dbm instead of hash if your system uses
-dbm files instead of db files. To find out what map
-types Postfix supports, use the command "postconf -m". 
    
+
     The default indexed file type is configured with the
+default_database_type parameter. To list available explicit types, 
+execute the command "postconf -m".
    
 
 
  •  
     Add example.com to the list of domains that your site
 is willing to relay mail for. 
    
diff --git a/postfix/html/VIRTUAL_README.html b/postfix/html/VIRTUAL_README.html
index 900b07a37..56360ae69 100644
--- a/postfix/html/VIRTUAL_README.html
+++ b/postfix/html/VIRTUAL_README.html
@@ -54,9 +54,7 @@ domains, non-UNIX accounts
 
 
  •  Mail forwarding domains
 
-
  •  Mailing lists
-
-
  •  Autoreplies
+
  •  Hosted mailing list domains
 
 
 
@@ -96,19 +94,31 @@ address class, as defined in the ADDRESS_CLA
 
    Local files versus network databases
    
 
 
     The examples in this text use table lookups from local files
-such as DBM or Berkeley DB.  These are easy to debug with the
+such as lmdb:, cdb:, hash:, or dbm:. These are easy to debug with the
 postmap command: 
    
 
 
    
-Example: postmap -q info@example.com hash:/etc/postfix/virtual
+Example: postmap -q info@example.com /etc/postfix/virtual
 
    
 
-
     See the documentation in LDAP_README, MYSQL_README and PGSQL_README
-for how to replace local files by databases. The reader is strongly
-advised to make the system work with local files before migrating
-to network databases, and to use the postmap command to verify
-that network database lookups produce the exact same results as
-local file lookup. 
    
+
     The above example assumes that the database is configured in
+main.cf as $default_database_type:/etc/postfix/virtual. Otherwise,
+use the command instead: 
    
+
+
    
+Example: postmap -q info@example.com
+type:/etc/postfix/virtual
+
    
+
+
     and specify the explicit type that this table uses in main.cf. 
    
+
+
     You can replace local file lookups with networked (LDAP, SQL
+etc.) lookups. See the documentation in LDAP_README, MYSQL_README,
+PGSQL_README, etc., for examples.  The reader is strongly advised
+to make Postfix work with local files before migrating to network
+databases, and to use the postmap command to verify that
+network database lookups produce the exact same results as local
+file lookup. 
    
 
 
    
 Example: postmap -q info@example.com ldap:/etc/postfix/virtual.cf
@@ -166,7 +176,7 @@ below shows how to use this mechanism for the example.com domain.
 
      1 /etc/postfix/main.cf:
  2     virtual_alias_domains = example.com ...other hosted domains...
- 3     virtual_alias_maps = hash:/etc/postfix/virtual
+ 3     virtual_alias_maps = lmdb:/etc/postfix/virtual
  4 
  5 /etc/postfix/virtual:
  6     postmaster@example.com postmaster
@@ -209,8 +219,18 @@ for spam messages that were sent in the name of anything@example.com.
 
 
 
+
     Instead of lmdb:, some systems use cdb:, hash:, or dbm:. 
    
+
 
    Execute the command "postmap /etc/postfix/virtual" after
-changing the virtual file, and execute the command "postfix
+changing the virtual file, to (re)build a default-type indexed file.
+Execute "postmap type:/etc/postfix/virtual" to specify
+an explicit type.
    
+
+
     The default indexed file type is configured with the
+default_database_type parameter. To list available explicit types,
+execute the command "postconf -m".
    
+
+
    Execute the command "postfix
 reload" after changing the main.cf file. 
    
 
 
     Note: virtual aliases can resolve to a local address or to a
@@ -259,11 +279,11 @@ section at the top of this document.
    
  1 /etc/postfix/main.cf:
  2     virtual_mailbox_domains = example.com ...more domains...
  3     virtual_mailbox_base = /var/mail/vhosts
- 4     virtual_mailbox_maps = hash:/etc/postfix/vmailbox
+ 4     virtual_mailbox_maps = lmdb:/etc/postfix/vmailbox
  5     virtual_minimum_uid = 100
  6     virtual_uid_maps = static:5000
  7     virtual_gid_maps = static:5000
- 8     virtual_alias_maps = hash:/etc/postfix/virtual
+ 8     virtual_alias_maps = lmdb:/etc/postfix/virtual
  9 
 10 /etc/postfix/vmailbox:
 11     info@example.com    example.com/info
@@ -338,10 +358,24 @@ the wrong domain. 
    
 
 
 
+
     Instead of lmdb:, some systems use cdb:, hash:, or dbm:. 
    
+
 
     Execute the command "postmap /etc/postfix/virtual" after
-changing the virtual file, execute "postmap /etc/postfix/vmailbox"
-after changing the vmailbox file, and execute the command "postfix
-reload" after changing the main.cf file. 
    
+changing the virtual file, to (re)build a default-type indexed file.
+Execute "postmap type:/etc/postfix/virtual" to specify
+an explicit type. 
    
+
+
     The default indexed file type is configured with the
+default_database_type parameter. To list available explicit types,
+execute the command "postconf -m".
    
+
+
     Execute "postmap /etc/postfix/vmailbox" after changing
+the vmailbox file, to (re)build a default-type indexed file. Execute
+"postmap type:/etc/postfix/vmailbox" to specify an
+explicit type. 
    
+
+
     Execute the command "postfix reload" after changing the
+main.cf file. 
    
 
 
     Note: mail delivery happens with the recipient's UID/GID
 privileges specified with virtual_uid_maps and virtual_gid_maps.
@@ -383,8 +417,8 @@ to a non-Postfix delivery agent: 
    
  1 /etc/postfix/main.cf:
  2     virtual_transport = ...see below...
  3     virtual_mailbox_domains = example.com ...more domains...
- 4     virtual_mailbox_maps = hash:/etc/postfix/vmailbox
- 5     virtual_alias_maps = hash:/etc/postfix/virtual
+ 4     virtual_mailbox_maps = lmdb:/etc/postfix/vmailbox
+ 5     virtual_alias_maps = lmdb:/etc/postfix/virtual
  6 
  7 /etc/postfix/vmailbox:
  8     info@example.com    whatever
@@ -473,10 +507,24 @@ the wrong domain. 
    
 
 
 
+
     Instead of lmdb:, some systems use cdb:, hash:, or dbm:. 
    
+
 
     Execute the command "postmap /etc/postfix/virtual" after
-changing the virtual file, execute "postmap /etc/postfix/vmailbox"
-after changing the vmailbox file, and execute the command "postfix
-reload" after changing the main.cf file. 
    
+changing the virtual file, to (re)build a default-type indexed file.
+Execute "postmap type:/etc/postfix/virtual" to specify
+an explicit type. 
    
+
+
     The default indexed file type is configured with the
+default_database_type parameter. To list available explicit types,
+execute the command "postconf -m".
    
+
+
     Execute the command "postmap /etc/postfix/vmailbox" after
+changing the vmailbox file, to (re)build a default-type indexed file.
+Execute "postmap type:/etc/postfix/vmailbox" to
+specify an explicit type.
    
+
+
     Execute the command "postfix reload" after changing the
+main.cf file. 
    
 
 
    Mail forwarding domains
    
 
@@ -489,7 +537,7 @@ as a mail forwarding domain: 
    
 
      1 /etc/postfix/main.cf:
  2     virtual_alias_domains = example.com ...other hosted domains...
- 3     virtual_alias_maps = hash:/etc/postfix/virtual
+ 3     virtual_alias_maps = lmdb:/etc/postfix/virtual
  4 
  5 /etc/postfix/virtual:
  6     postmaster@example.com postmaster
@@ -533,17 +581,34 @@ for spam messages that were sent in the name of anything@example.com.
 
 
 
+
     Instead of lmdb:, some systems use cdb:, hash:, or dbm:. 
    
+
 
     Execute the command "postmap /etc/postfix/virtual" after
-changing the virtual file, and execute the command "postfix
-reload" after changing the main.cf file. 
    
+changing the virtual file, to (re)build a default-type indexed file.
+Execute "postmap type:/etc/postfix/virtual" to specify
+an explicit type.
    
+
+
     The default indexed file type is configured with the
+default_database_type parameter. To list available explicit types,
+execute the command "postconf -m".
    
+
+
     Execute the command "postfix reload" after changing the
+main.cf file. 
    
 
 
     More details about the virtual alias file are given in the
 virtual(5) manual page, including multiple addresses on the right-hand
 side. 
    
 
-
    Mailing lists
    
+
    Hosted mailing list domains
    
+
+
      Note: this section presents a historical approach to run a
+mailing list based on local aliases(5). This approach may still be
+useful for small mailing lists that are managed by hand or with the
+software like Majordomo. For a more contemporary and more scalable
+approach, see  GNU Mailman. 
+
    
 
-
     The examples that were given above already show how to direct
+
    The examples that were given above already show how to direct
 mail for virtual postmaster addresses to a local postmaster. You
 can use the same method to direct mail for any address to a local
 or remote address. 
    
@@ -556,12 +621,14 @@ virtual addresses to the local delivery agent: 
    
 
    
 
     /etc/postfix/main.cf:
-    virtual_alias_maps = hash:/etc/postfix/virtual
+    virtual_alias_maps = lmdb:/etc/postfix/virtual
+    virtual_mailbox_domains = example.com
 
 /etc/postfix/virtual:
     listname-request@example.com listname-request
     listname@example.com         listname
     owner-listname@example.com   owner-listname
+    postmaster@example.com       postmaster
 
 /etc/aliases:
     listname: "|/some/where/majordomo/wrapper ..."
@@ -570,6 +637,17 @@ virtual addresses to the local delivery agent: 
    
 
    
 
    
 
+
     Instead of lmdb:, some systems use cdb:, hash:, or dbm:. 
    
+
+
    Execute the command "postmap /etc/postfix/virtual" after
+changing the virtual file, to (re)build a default-type indexed file.
+Execute "postmap type:/etc/postfix/virtual" to specify
+an explicit type.
    
+
+
     The default indexed file type is configured with the
+default_database_type parameter. To list available explicit types,
+execute the command "postconf -m".
    
+
 
     This example assumes that in main.cf, $myorigin is listed under
 the mydestination parameter setting.  If that is not the case,
 specify an explicit domain name on the right-hand side of the
@@ -587,63 +665,15 @@ bunch of virtual alias or virtual mailbox table entries. 
    
 
 
      
 
-
    •  In case of a virtual alias domain, there would need to be one
-identity mapping from each mailing list address to itself.
+
    •  In the case of a virtual alias DOMAIN, there would need to be
+an identity mapping from each mailing list address to an address in a
+different domain.
 
-
    •  In case of a virtual mailbox domain, there would need to be
-a dummy mailbox for each mailing list address.
+
    •  In the case of a virtual mailbox DOMAIN, there would need to
+be a dummy virtual_mailbox_maps for each mailing list address.
 
 
    
 
-
    Autoreplies
    
-
-
     In order to set up an autoreply for virtual recipients while
-still delivering mail as normal, set up a rule in a virtual alias
-table: 
    
-
-
    
-
    -/etc/postfix/main.cf:
-    virtual_alias_maps = hash:/etc/postfix/virtual
-
-/etc/postfix/virtual:
-    user@domain.tld user@domain.tld, user@domain.tld@autoreply.mydomain.tld
-
    
-
    
-
-
     This delivers mail to the recipient, and sends a copy of the
-mail to the address that produces automatic replies. The address
-can be serviced on a different machine, or it can be serviced
-locally by setting up a transport map entry that pipes all mail
-for autoreply.mydomain.tld into some script that sends an automatic
-reply back to the sender. 
    
-
-
     DO NOT list autoreply.mydomain.tld in mydestination! 
    
-
-
    
-
    -/etc/postfix/main.cf:
-    transport_maps = hash:/etc/postfix/transport
-
-/etc/postfix/transport:
-    autoreply.mydomain.tld  autoreply:
-
-/etc/postfix/master.cf:
-    # =============================================================
-    # service type  private unpriv  chroot  wakeup  maxproc command
-    #               (yes)   (yes)   (yes)   (never) (100)
-    # =============================================================
-    autoreply unix  -       n       n       -       -       pipe
-        flags= user=nobody argv=/path/to/autoreply $sender $mailbox
-
    
-
    
-
-
     This invokes /path/to/autoreply with the sender address and
-the user@domain.tld recipient address on the command line. 
    
-
-
     For more information, see the pipe(8) manual page, and the
-comments in the Postfix master.cf file. 
    
-
 
 
 
diff --git a/postfix/html/access.5.html b/postfix/html/access.5.html
index a349c0e4b..c8c58728b 100644
--- a/postfix/html/access.5.html
+++ b/postfix/html/access.5.html
@@ -25,44 +25,51 @@ ACCESS(5)                                                            ACCESS(5)
        email messages.
 
        Normally,  the  access(5) table is specified as a text file that serves
-       as input to the postmap(1) command.  The result, an indexed file in dbm
-       or  db  format,  is used for fast searching by the mail system. Execute
-       the command "postmap /etc/postfix/access" to rebuild  an  indexed  file
-       after changing the corresponding text file.
+       as input to the postmap(1) command to create an indexed file  for  fast
+       lookup.
+
+       Execute   the   command  "postmap  /etc/postfix/access"  to  rebuild  a
+       default-type indexed file after changing  the  text  file,  or  execute
+       "postmap type:/etc/postfix/access" to specify an explicit type.
+
+       The  default  indexed  file  type  is configured with the default_data-
+       base_type parameter. Depending on the  platform  this  may  be  one  of
+       lmdb:, cdb:, hash:, or dbm: (without the trailing ':').
 
        When  the  table  is provided via other means such as NIS, LDAP or SQL,
-       the same lookups are done as for ordinary indexed files.
+       the same lookups are done as for ordinary indexed files.  Managing such
+       databases is outside the scope of Postfix.
 
-       Alternatively, the table can be provided as  a  regular-expression  map
-       where  patterns  are  given  as  regular expressions, or lookups can be
+       Alternatively,  the  table  can be provided as a regular-expression map
+       where patterns are given as regular  expressions,  or  lookups  can  be
        directed to a TCP-based server. In those cases, the lookups are done in
-       a  slightly  different way as described below under "REGULAR EXPRESSION
+       a slightly different way as described below under  "REGULAR  EXPRESSION
        TABLES" or "TCP-BASED TABLES".
 
 CASE FOLDING
-       The search string is folded to lowercase before database lookup. As  of
-       Postfix  2.3,  the search string is not case folded with database types
-       such as regexp: or pcre: whose lookup fields can match both  upper  and
+       The  search string is folded to lowercase before database lookup. As of
+       Postfix 2.3, the search string is not case folded with  database  types
+       such  as  regexp: or pcre: whose lookup fields can match both upper and
        lower case.
 
 TABLE FORMAT
        The input format for the postmap(1) command is as follows:
 
        pattern action
-              When  pattern  matches  a  mail address, domain or host address,
+              When pattern matches a mail address,  domain  or  host  address,
               perform the corresponding action.
 
        blank lines and comments
-              Empty lines and whitespace-only lines are ignored, as are  lines
+              Empty  lines and whitespace-only lines are ignored, as are lines
               whose first non-whitespace character is a `#'.
 
        multi-line text
-              A  logical  line  starts  with  non-whitespace text. A line that
+              A logical line starts with  non-whitespace  text.  A  line  that
               starts with whitespace continues a logical line.
 
 EMAIL ADDRESS PATTERNS IN INDEXED TABLES
-       With lookups from indexed files such as DB or DBM,  or  from  networked
-       tables  such  as  NIS,  LDAP or SQL, patterns are tried in the order as
+       With  lookups  from  indexed files such as DB or DBM, or from networked
+       tables such as NIS, LDAP or SQL, patterns are tried  in  the  order  as
        listed below:
 
        user@domain
@@ -71,13 +78,13 @@ ACCESS(5)                                                            ACCESS(5)
        domain.tld
               Matches domain.tld as the domain part of an email address.
 
-              The pattern domain.tld also matches subdomains,  but  only  when
-              the  string  smtpd_access_maps  is  listed  in  the Postfix par-
+              The  pattern  domain.tld  also matches subdomains, but only when
+              the string smtpd_access_maps  is  listed  in  the  Postfix  par-
               ent_domain_matches_subdomains configuration setting.
 
        .domain.tld
-              Matches subdomains of  domain.tld,  but  only  when  the  string
-              smtpd_access_maps   is   not   listed   in   the   Postfix  par-
+              Matches  subdomains  of  domain.tld,  but  only  when the string
+              smtpd_access_maps  is   not   listed   in   the   Postfix   par-
               ent_domain_matches_subdomains configuration setting.
 
        user@  Matches all mail addresses with the specified user part.
@@ -89,24 +96,24 @@ ACCESS(5)                                                            ACCESS(5)
 
 EMAIL ADDRESS EXTENSION
        When a mail address localpart contains the optional recipient delimiter
-       (e.g., user+foo@domain), the  lookup  order  becomes:  user+foo@domain,
+       (e.g.,  user+foo@domain),  the  lookup  order becomes: user+foo@domain,
        user@domain, domain, user+foo@, and user@.
 
 HOST NAME/ADDRESS PATTERNS IN INDEXED TABLES
-       With  lookups  from  indexed files such as DB or DBM, or from networked
-       tables such as NIS, LDAP or SQL,  the  following  lookup  patterns  are
+       With lookups from indexed files such as DB or DBM,  or  from  networked
+       tables  such  as  NIS,  LDAP  or SQL, the following lookup patterns are
        examined in the order as listed:
 
        domain.tld
               Matches domain.tld.
 
-              The  pattern  domain.tld  also matches subdomains, but only when
-              the string smtpd_access_maps  is  listed  in  the  Postfix  par-
+              The pattern domain.tld also matches subdomains,  but  only  when
+              the  string  smtpd_access_maps  is  listed  in  the Postfix par-
               ent_domain_matches_subdomains configuration setting.
 
        .domain.tld
-              Matches  subdomains  of  domain.tld,  but  only  when the string
-              smtpd_access_maps  is   not   listed   in   the   Postfix   par-
+              Matches subdomains of  domain.tld,  but  only  when  the  string
+              smtpd_access_maps   is   not   listed   in   the   Postfix  par-
               ent_domain_matches_subdomains configuration setting.
 
        net.work.addr.ess
@@ -115,16 +122,16 @@ ACCESS(5)                                                            ACCESS(5)
 
        net.work
 
-       net    Matches  a  remote  IPv4  host address or network address range.
-              Specify one to four decimal octets  separated  by  ".".  Do  not
+       net    Matches a remote IPv4 host address  or  network  address  range.
+              Specify  one  to  four  decimal  octets separated by ".". Do not
               specify "[]" , "/", leading zeros, or hexadecimal forms.
 
-              Network  ranges  are  matched  by repeatedly truncating the last
-              ".octet" from a remote IPv4 host address string, until  a  match
+              Network ranges are matched by  repeatedly  truncating  the  last
+              ".octet"  from  a remote IPv4 host address string, until a match
               is found in the access table, or until further truncation is not
               possible.
 
-              NOTE: use the cidr lookup table type to specify  network/netmask
+              NOTE:  use the cidr lookup table type to specify network/netmask
               patterns. See cidr_table(5) for details.
 
        net:work:addr:ess
@@ -133,18 +140,18 @@ ACCESS(5)                                                            ACCESS(5)
 
        net:work
 
-       net    Matches  a  remote  IPv6  host address or network address range.
+       net    Matches a remote IPv6 host address  or  network  address  range.
               Specify three to eight hexadecimal octet pairs separated by ":",
-              using  the  compressed  form  "::" for a sequence of zero-valued
-              octet pairs.  Do  not  specify  "[]",  "/",  leading  zeros,  or
+              using the compressed form "::" for  a  sequence  of  zero-valued
+              octet  pairs.  Do  not  specify  "[]",  "/",  leading  zeros, or
               non-compressed forms.
 
-              A  network  range  is  matched by repeatedly truncating the last
-              ":octetpair" from the compressed-form remote IPv6  host  address
-              string,  until  a  match  is found in the access table, or until
+              A network range is matched by  repeatedly  truncating  the  last
+              ":octetpair"  from  the compressed-form remote IPv6 host address
+              string, until a match is found in the  access  table,  or  until
               further truncation is not possible.
 
-              NOTE: use the cidr lookup table type to specify  network/netmask
+              NOTE:  use the cidr lookup table type to specify network/netmask
               patterns. See cidr_table(5) for details.
 
               IPv6 support is available in Postfix 2.2 and later.
@@ -153,50 +160,50 @@ ACCESS(5)                                                            ACCESS(5)
        OK     Accept the address etc. that matches the pattern.
 
        all-numerical
-              An  all-numerical result is treated as OK. This format is gener-
+              An all-numerical result is treated as OK. This format is  gener-
               ated  by  address-based  relay  authorization  schemes  such  as
               pop-before-smtp.
 
        For other accept actions, see "OTHER ACTIONS" below.
 
 REJECT ACTIONS
-       Postfix  version 2.3 and later support enhanced status codes as defined
-       in RFC 3463.  When no code is specified at the beginning  of  the  text
+       Postfix version 2.3 and later support enhanced status codes as  defined
+       in  RFC  3463.   When no code is specified at the beginning of the text
        below, Postfix inserts a default enhanced status code of "5.7.1" in the
-       case of reject actions, and "4.7.1" in the case of defer  actions.  See
+       case  of  reject actions, and "4.7.1" in the case of defer actions. See
        "ENHANCED STATUS CODES" below.
 
        4NN text
 
        5NN text
-              Reject  the  address  etc. that matches the pattern, and respond
-              with the numerical three-digit code and  text.  4NN  means  "try
+              Reject the address etc. that matches the  pattern,  and  respond
+              with  the  numerical  three-digit  code and text. 4NN means "try
               again later", while 5NN means "do not try again".
 
-              The  following  responses  have  special meaning for the Postfix
+              The following responses have special  meaning  for  the  Postfix
               SMTP server:
 
               421 text (Postfix 2.3 and later)
 
               521 text (Postfix 2.6 and later)
-                     After responding with the numerical three-digit code  and
-                     text,  disconnect immediately from the SMTP client.  This
-                     frees up SMTP server resources so that they can  be  made
+                     After  responding with the numerical three-digit code and
+                     text, disconnect immediately from the SMTP client.   This
+                     frees  up  SMTP server resources so that they can be made
                      available to another SMTP client.
 
                      Note: The "521" response should be used only with botnets
-                     and other malware where interoperability is  of  no  con-
-                     cern.   The  "send  521  and  disconnect" behavior is NOT
+                     and  other  malware  where interoperability is of no con-
+                     cern.  The "send 521  and  disconnect"  behavior  is  NOT
                      defined in the SMTP standard.
 
        REJECT optional text...
-              Reject the address etc. that matches  the  pattern.  Reply  with
-              "$access_map_reject_code  optional  text..."  when  the optional
+              Reject  the  address  etc.  that matches the pattern. Reply with
+              "$access_map_reject_code optional  text..."  when  the  optional
               text is specified, otherwise reply with a generic error response
               message.
 
        DEFER optional text...
-              Reject  the  address  etc.  that matches the pattern. Reply with
+              Reject the address etc. that matches  the  pattern.  Reply  with
               "$access_map_defer_code optional text..." when the optional text
               is specified, otherwise reply with a generic error response mes-
               sage.
@@ -204,9 +211,9 @@ ACCESS(5)                                                            ACCESS(5)
               This feature is available in Postfix 2.6 and later.
 
        DEFER_IF_REJECT optional text...
-              Defer the request if some later restriction would  result  in  a
+              Defer  the  request  if some later restriction would result in a
               REJECT action. Reply with "$access_map_defer_code 4.7.1 optional
-              text..." when the optional text is  specified,  otherwise  reply
+              text..."  when  the  optional text is specified, otherwise reply
               with a generic error response message.
 
               Prior to Postfix 2.6, the SMTP reply code is 450.
@@ -214,9 +221,9 @@ ACCESS(5)                                                            ACCESS(5)
               This feature is available in Postfix 2.1 and later.
 
        DEFER_IF_PERMIT optional text...
-              Defer  the  request if some later restriction would result in an
-              explicit   or    implicit    PERMIT    action.     Reply    with
-              "$access_map_defer_code   4.7.1    optional  text..."  when  the
+              Defer the request if some later restriction would result  in  an
+              explicit    or    implicit    PERMIT    action.     Reply   with
+              "$access_map_defer_code  4.7.1   optional  text..."   when   the
               optional text is specified, otherwise reply with a generic error
               response message.
 
@@ -228,13 +235,13 @@ ACCESS(5)                                                            ACCESS(5)
 
 OTHER ACTIONS
        restriction...
-              Apply    the   named   UCE   restriction(s)   (permit,   reject,
+              Apply   the   named   UCE   restriction(s)   (permit,    reject,
               reject_unauth_destination, and so on).
 
        BCC user@domain
               Send one copy of the message to the specified recipient.
 
-              If multiple BCC actions are specified within the same SMTP  MAIL
+              If  multiple BCC actions are specified within the same SMTP MAIL
               transaction, with Postfix 3.0 only the last action will be used.
 
               This feature is available in Postfix 3.0 and later.
@@ -243,162 +250,162 @@ ACCESS(5)                                                            ACCESS(5)
               Claim successful delivery and silently discard the message.  Log
               the optional text if specified, otherwise log a generic message.
 
-              Note: this action currently affects all recipients of  the  mes-
-              sage.   To  discard  only  one  recipient without discarding the
+              Note:  this  action currently affects all recipients of the mes-
+              sage.  To discard only  one  recipient  without  discarding  the
               entire message, use the transport(5) table to direct mail to the
               discard(8) service.
 
               This feature is available in Postfix 2.0 and later.
 
        DUNNO  Pretend that the lookup key was not found. This prevents Postfix
-              from trying substrings of the lookup key (such  as  a  subdomain
+              from  trying  substrings  of the lookup key (such as a subdomain
               name, or a network address subnetwork).
 
               This feature is available in Postfix 2.0 and later.
 
        FILTER transport:destination
               After the message is queued, send the entire message through the
-              specified external content filter. The transport name  specifies
-              the  first  field  of  a  mail delivery agent definition in mas-
-              ter.cf; the syntax of the next-hop destination is  described  in
-              the  manual  page  of  the  corresponding  delivery agent.  More
-              information about external content filters  is  in  the  Postfix
+              specified  external content filter. The transport name specifies
+              the first field of a mail  delivery  agent  definition  in  mas-
+              ter.cf;  the  syntax of the next-hop destination is described in
+              the manual page  of  the  corresponding  delivery  agent.   More
+              information  about  external  content  filters is in the Postfix
               FILTER_README file.
 
-              Note  1: do not use $number regular expression substitutions for
-              transport or destination unless you know  that  the  information
+              Note 1: do not use $number regular expression substitutions  for
+              transport  or  destination  unless you know that the information
               has a trusted origin.
 
-              Note  2:  this  action overrides the main.cf content_filter set-
-              ting, and affects all recipients of the  message.  In  the  case
-              that  multiple  FILTER  actions  fire, only the last one is exe-
+              Note 2: this action overrides the  main.cf  content_filter  set-
+              ting,  and  affects  all  recipients of the message. In the case
+              that multiple FILTER actions fire, only the  last  one  is  exe-
               cuted.
 
               Note 3: the purpose of the FILTER command is to override message
-              routing.   To  override  the  recipient's  transport but not the
+              routing.  To override the  recipient's  transport  but  not  the
               next-hop destination, specify an empty filter destination (Post-
-              fix  2.7  and  later),  or  specify a transport:destination that
-              delivers through a different Postfix instance (Postfix  2.6  and
+              fix 2.7 and later),  or  specify  a  transport:destination  that
+              delivers  through  a different Postfix instance (Postfix 2.6 and
               earlier). Other options are using the recipient-dependent trans-
-              port_maps  or  the  sender-dependent   sender_dependent_default-
+              port_maps   or  the  sender-dependent  sender_dependent_default-
               _transport_maps features.
 
               This feature is available in Postfix 2.0 and later.
 
        HOLD optional text...
-              Place  the  message  on  the hold queue, where it will sit until
-              someone either deletes it or releases it for delivery.  Log  the
+              Place the message on the hold queue, where  it  will  sit  until
+              someone  either deletes it or releases it for delivery.  Log the
               optional text if specified, otherwise log a generic message.
 
-              Mail  that is placed on hold can be examined with the postcat(1)
-              command, and can be destroyed or released with the  postsuper(1)
+              Mail that is placed on hold can be examined with the  postcat(1)
+              command,  and can be destroyed or released with the postsuper(1)
               command.
 
-              Note:  use  "postsuper -r" to release mail that was kept on hold
-              for  a  significant  fraction  of   $maximal_queue_lifetime   or
-              $bounce_queue_lifetime,  or  longer. Use "postsuper -H" only for
+              Note: use "postsuper -r" to release mail that was kept  on  hold
+              for   a   significant  fraction  of  $maximal_queue_lifetime  or
+              $bounce_queue_lifetime, or longer. Use "postsuper -H"  only  for
               mail that will not expire within a few delivery attempts.
 
-              Note: this action currently affects all recipients of  the  mes-
+              Note:  this  action currently affects all recipients of the mes-
               sage.
 
               This feature is available in Postfix 2.0 and later.
 
        PREPEND headername: headervalue
-              Prepend  the specified message header to the message.  When more
-              than one PREPEND action executes,  the  first  prepended  header
+              Prepend the specified message header to the message.  When  more
+              than  one  PREPEND  action  executes, the first prepended header
               appears before the second etc. prepended header.
 
-              Note:  this  action  must  execute before the message content is
-              received;   it   cannot    execute    in    the    context    of
+              Note: this action must execute before  the  message  content  is
+              received;    it    cannot    execute    in    the   context   of
               smtpd_end_of_data_restrictions.
 
               This feature is available in Postfix 2.1 and later.
 
        REDIRECT user@domain
-              After  the  message is queued, send the message to the specified
+              After the message is queued, send the message to  the  specified
               address instead of the intended recipient(s).  When multiple RE-
               DIRECT actions fire, only the last one takes effect.
 
-              Note  1:  this action overrides the FILTER action, and currently
+              Note 1: this action overrides the FILTER action,  and  currently
               overrides all recipients of the message.
 
-              Note 2: a REDIRECT address is subject to  canonicalization  (add
-              missing  domain)  but NOT subject to canonical, masquerade, bcc,
+              Note  2:  a REDIRECT address is subject to canonicalization (add
+              missing domain) but NOT subject to canonical,  masquerade,  bcc,
               or virtual alias mapping.
 
               This feature is available in Postfix 2.1 and later.
 
        INFO optional text...
-              Log an informational record with  the  optional  text,  together
-              with  client  information  and  if available, with helo, sender,
+              Log  an  informational  record  with the optional text, together
+              with client information and if  available,  with  helo,  sender,
               recipient and protocol information.
 
               This feature is available in Postfix 3.0 and later.
 
        WARN optional text...
-              Log a warning with  the  optional  text,  together  with  client
-              information  and  if available, with helo, sender, recipient and
+              Log  a  warning  with  the  optional  text, together with client
+              information and if available, with helo, sender,  recipient  and
               protocol information.
 
               This feature is available in Postfix 2.1 and later.
 
 ENHANCED STATUS CODES
-       Postfix version 2.3 and later support enhanced status codes as  defined
-       in  RFC  3463.   When an enhanced status code is specified in an access
+       Postfix  version 2.3 and later support enhanced status codes as defined
+       in RFC 3463.  When an enhanced status code is specified  in  an  access
        table, it is subject to modification. The following transformations are
-       needed  when the same access table is used for client, helo, sender, or
-       recipient access restrictions; they happen regardless of whether  Post-
+       needed when the same access table is used for client, helo, sender,  or
+       recipient  access restrictions; they happen regardless of whether Post-
        fix replies to a MAIL FROM, RCPT TO or other SMTP command.
 
-       o      When  a sender address matches a REJECT action, the Postfix SMTP
+       o      When a sender address matches a REJECT action, the Postfix  SMTP
               server will transform a recipient DSN status (e.g., 4.1.1-4.1.6)
               into the corresponding sender DSN status, and vice versa.
 
-       o      When  non-address  information  matches a REJECT action (such as
-              the HELO command argument or the client  hostname/address),  the
-              Postfix  SMTP  server  will  transform a sender or recipient DSN
+       o      When non-address information matches a REJECT  action  (such  as
+              the  HELO  command argument or the client hostname/address), the
+              Postfix SMTP server will transform a  sender  or  recipient  DSN
               status into a generic non-address DSN status (e.g., 4.0.0).
 
 REGULAR EXPRESSION TABLES
-       This section describes how the table lookups change when the  table  is
-       given  in the form of regular expressions. For a description of regular
+       This  section  describes how the table lookups change when the table is
+       given in the form of regular expressions. For a description of  regular
        expression lookup table syntax, see regexp_table(5) or pcre_table(5).
 
-       Each pattern is a regular expression that  is  applied  to  the  entire
+       Each  pattern  is  a  regular  expression that is applied to the entire
        string being looked up. Depending on the application, that string is an
-       entire client hostname, an entire client IP address, or an entire  mail
-       address.  Thus,  no  parent  domain  or  parent network search is done,
-       user@domain mail addresses are not  broken  up  into  their  user@  and
-       domain  constituent parts, nor is user+foo broken up into user and foo.
+       entire  client hostname, an entire client IP address, or an entire mail
+       address. Thus, no parent domain  or  parent  network  search  is  done,
+       user@domain  mail  addresses  are  not  broken  up into their user@ and
+       domain constituent parts, nor is user+foo broken up into user and  foo.
 
-       Patterns are applied in the order as specified in the  table,  until  a
+       Patterns  are  applied  in the order as specified in the table, until a
        pattern is found that matches the search string.
 
-       Actions  are the same as with indexed file lookups, with the additional
-       feature that parenthesized substrings from the pattern can be  interpo-
+       Actions are the same as with indexed file lookups, with the  additional
+       feature  that parenthesized substrings from the pattern can be interpo-
        lated as $1, $2 and so on.
 
 TCP-BASED TABLES
-       This  section  describes  how the table lookups change when lookups are
-       directed  to  a  TCP-based  server.  For  a  description  of  the   TCP
-       client/server  lookup  protocol, see tcp_table(5).  This feature is not
+       This section describes how the table lookups change  when  lookups  are
+       directed   to  a  TCP-based  server.  For  a  description  of  the  TCP
+       client/server lookup protocol, see tcp_table(5).  This feature  is  not
        available up to and including Postfix version 2.4.
 
-       Each lookup operation uses the entire query string once.  Depending  on
-       the  application,  that  string is an entire client hostname, an entire
-       client IP address, or an entire mail address.  Thus, no  parent  domain
-       or  parent  network  search is done, user@domain mail addresses are not
-       broken up into  their  user@  and  domain  constituent  parts,  nor  is
+       Each  lookup operation uses the entire query string once.  Depending on
+       the application, that string is an entire client  hostname,  an  entire
+       client  IP  address, or an entire mail address.  Thus, no parent domain
+       or parent network search is done, user@domain mail  addresses  are  not
+       broken  up  into  their  user@  and  domain  constituent  parts, nor is
        user+foo broken up into user and foo.
 
        Actions are the same as with indexed file lookups.
 
 EXAMPLE
-       The  following example uses an indexed file, so that the order of table
-       entries does not matter. The example permits access by  the  client  at
+       The following example uses an indexed file, so that the order of  table
+       entries  does  not  matter. The example permits access by the client at
        address 1.2.3.4 but rejects all other clients in 1.2.3.0/24. Instead of
-       hash lookup tables, some systems use dbm.  Use  the  command  "postconf
+       hash  lookup  tables,  some systems use dbm.  Use the command "postconf
        -m" to find out what lookup tables Postfix supports on your system.
 
        /etc/postfix/main.cf:
@@ -409,7 +416,7 @@ ACCESS(5)                                                            ACCESS(5)
            1.2.3   REJECT
            1.2.3.4 OK
 
-       Execute  the  command  "postmap  /etc/postfix/access" after editing the
+       Execute the command "postmap  /etc/postfix/access"  after  editing  the
        file.
 
 BUGS
diff --git a/postfix/html/aliases.5.html b/postfix/html/aliases.5.html
index 181dc9e3b..f80933190 100644
--- a/postfix/html/aliases.5.html
+++ b/postfix/html/aliases.5.html
@@ -27,21 +27,30 @@ ALIASES(5)                                                          ALIASES(5)
        full email address (including domain).
 
        Normally,  the aliases(5) table is specified as a text file that serves
-       as input to the postalias(1) command. The result, an  indexed  file  in
-       dbm  or  db format, is used for fast lookup by the mail system. Execute
-       the command newaliases in order  to  rebuild  the  indexed  file  after
-       changing the Postfix alias database.
+       as input to the postalias(1) command to create an indexed file for fast
+       lookup.  The  location of this file is system-dependent. This text will
+       use /path/to/aliases.
+
+       Execute the command "newaliases  to  rebuild  the  indexed  file  after
+       changing the text file. Execute "postalias -q name /path/to/aliases" to
+       query a default-type  indexed  file,  or  execute  "postalias  -q  name
+       type:/path/to/aliases" to specify an explicit type.
+
+       The  default  indexed  file  type  is configured with the default_data-
+       base_type parameter. Depending on the  platform  this  may  be  one  of
+       lmdb:, cdb:, hash:, or dbm: (without the trailing ':').
 
        When  the  table  is provided via other means such as NIS, LDAP or SQL,
-       the same lookups are done as for ordinary indexed files.
+       the same lookups are done as for ordinary indexed files.  Managing such
+       databases is outside the scope of Postfix.
 
-       Alternatively, the table can be provided as  a  regular-expression  map
-       where  patterns  are  given  as  regular expressions. In this case, the
-       lookups are done in a slightly different way as described  below  under
+       Alternatively,  the  table  can be provided as a regular-expression map
+       where patterns are given as regular  expressions.  In  this  case,  the
+       lookups  are  done in a slightly different way as described below under
        "REGULAR EXPRESSION TABLES".
 
-       Users  can  control  delivery  of their own mail by setting up .forward
-       files in their home directory.  Lines in per-user .forward  files  have
+       Users can control delivery of their own mail  by  setting  up  .forward
+       files  in  their home directory.  Lines in per-user .forward files have
        the same syntax as the right-hand side of aliases(5) entries.
 
        The format of the alias database input file is as follows:
@@ -50,67 +59,67 @@ ALIASES(5)                                                          ALIASES(5)
 
                    name: value1, value2, ...
 
-       o      Empty  lines and whitespace-only lines are ignored, as are lines
+       o      Empty lines and whitespace-only lines are ignored, as are  lines
               whose first non-whitespace character is a `#'.
 
-       o      A logical line starts with  non-whitespace  text.  A  line  that
+       o      A  logical  line  starts  with  non-whitespace text. A line that
               starts with whitespace continues a logical line.
 
-       The  name  is a local address (no domain part).  Use double quotes when
-       the name contains any special characters such as whitespace, `#',  `:',
-       or  `@'.  The  name  is  folded to lowercase, in order to make database
+       The name is a local address (no domain part).  Use double  quotes  when
+       the  name contains any special characters such as whitespace, `#', `:',
+       or `@'. The name is folded to lowercase,  in  order  to  make  database
        lookups case insensitive.
 
-       In addition, when an alias exists for owner-name,  this  will  override
-       the  envelope sender address, so that delivery diagnostics are directed
-       to owner-name, instead of the originator of the message  (for  details,
-       see  owner_request_special,  expand_owner_alias and reset_owner_alias).
+       In  addition,  when  an alias exists for owner-name, this will override
+       the envelope sender address, so that delivery diagnostics are  directed
+       to  owner-name,  instead of the originator of the message (for details,
+       see owner_request_special, expand_owner_alias  and  reset_owner_alias).
        This is typically used to direct delivery errors to the maintainer of a
-       mailing  list,  who  is  in a better position to deal with mailing list
+       mailing list, who is in a better position to  deal  with  mailing  list
        delivery problems than the originator of the undelivered mail.
 
        The value contains one or more of the following:
 
        address
-              Mail is forwarded to address, which is compatible with  the  RFC
+              Mail  is  forwarded to address, which is compatible with the RFC
               822 standard.
 
        /file/name
-              Mail  is  appended  to  /file/name. For details on how a file is
-              written see the sections "EXTERNAL FILE DELIVERY" and  "DELIVERY
-              RIGHTS"  in the local(8) documentation.  Delivery is not limited
-              to regular files.  For example, to  dispose  of  unwanted  mail,
+              Mail is appended to /file/name. For details on  how  a  file  is
+              written  see the sections "EXTERNAL FILE DELIVERY" and "DELIVERY
+              RIGHTS" in the local(8) documentation.  Delivery is not  limited
+              to  regular  files.   For  example, to dispose of unwanted mail,
               deflect it to /dev/null.
 
        |command
-              Mail  is piped into command. Commands that contain special char-
-              acters, such as whitespace, should be  enclosed  between  double
-              quotes.  For  details on how a command is executed see "EXTERNAL
+              Mail is piped into command. Commands that contain special  char-
+              acters,  such  as  whitespace, should be enclosed between double
+              quotes. For details on how a command is executed  see  "EXTERNAL
               COMMAND DELIVERY" and "DELIVERY RIGHTS" in the local(8) documen-
               tation.
 
-              When  the  command  fails, a limited amount of command output is
-              mailed back to the  sender.   The  file  /usr/include/sysexits.h
-              defines  the expected exit status codes. For example, use "|exit
-              67" to simulate a "user unknown" error, and "|exit 0" to  imple-
+              When the command fails, a limited amount of  command  output  is
+              mailed  back  to  the  sender.  The file /usr/include/sysexits.h
+              defines the expected exit status codes. For example, use  "|exit
+              67"  to simulate a "user unknown" error, and "|exit 0" to imple-
               ment an expensive black hole.
 
        :include:/file/name
-              Mail  is  sent  to  the  destinations  listed in the named file.
-              Lines in :include: files have the same syntax as the  right-hand
+              Mail is sent to the  destinations  listed  in  the  named  file.
+              Lines  in :include: files have the same syntax as the right-hand
               side of aliases(5) entries.
 
-              A  destination  can be any destination that is described in this
-              manual page. However, delivery to "|command" and  /file/name  is
-              disallowed  by  default.  To enable, edit the allow_mail_to_com-
+              A destination can be any destination that is described  in  this
+              manual  page.  However, delivery to "|command" and /file/name is
+              disallowed by default. To enable,  edit  the  allow_mail_to_com-
               mands and allow_mail_to_files configuration parameters.
 
 ADDRESS EXTENSION
-       When alias database search fails, and the recipient localpart  contains
-       the  optional  recipient  delimiter  (e.g.,  user+foo),  the  search is
+       When  alias database search fails, and the recipient localpart contains
+       the optional  recipient  delimiter  (e.g.,  user+foo),  the  search  is
        repeated for the unextended address (e.g., user).
 
-       The  propagate_unmatched_extensions  parameter  controls   whether   an
+       The   propagate_unmatched_extensions   parameter  controls  whether  an
        unmatched address extension (+foo) is propagated to the result of table
        lookup.
 
@@ -119,9 +128,9 @@ ALIASES(5)                                                          ALIASES(5)
        before database lookup.
 
 REGULAR EXPRESSION TABLES
-       This  section  describes how the table lookups change when the table is
-       given in the form of regular expressions. For a description of  regular
-       expression  lookup  table syntax, see regexp_table(5) or pcre_table(5).
+       This section describes how the table lookups change when the  table  is
+       given  in the form of regular expressions. For a description of regular
+       expression lookup table syntax, see regexp_table(5)  or  pcre_table(5).
        NOTE: these formats do not use ":" at the end of a pattern.
 
        Each regular expression is applied to the entire search string. Thus, a
@@ -134,28 +143,28 @@ ALIASES(5)                                                          ALIASES(5)
        reasons there is no support for $1, $2 etc. substring interpolation.
 
 SECURITY
-       The  local(8)  delivery agent disallows regular expression substitution
+       The local(8) delivery agent disallows regular  expression  substitution
        of $1 etc. in alias_maps, because that would open a security hole.
 
-       The local(8) delivery agent will silently ignore requests  to  use  the
-       proxymap(8)  server  within  alias_maps. Instead it will open the table
+       The  local(8)  delivery  agent will silently ignore requests to use the
+       proxymap(8) server within alias_maps. Instead it will  open  the  table
        directly.  Before Postfix version 2.2, the local(8) delivery agent will
        terminate with a fatal error.
 
 CONFIGURATION PARAMETERS
-       The  following  main.cf  parameters  are especially relevant.  The text
-       below provides only a  parameter  summary.  See  postconf(5)  for  more
+       The following main.cf parameters are  especially  relevant.   The  text
+       below  provides  only  a  parameter  summary.  See postconf(5) for more
        details including examples.
 
        alias_database (see 'postconf -d' output)
-              The  alias databases for local(8) delivery that are updated with
+              The alias databases for local(8) delivery that are updated  with
               "newaliases" or with "sendmail -bi".
 
        alias_maps (see 'postconf -d' output)
-              Optional lookup tables that are  searched  only  with  an  email
-              address  localpart  (no  domain) and that apply only to local(8)
-              recipients; this is unlike  virtual_alias_maps  that  are  often
-              searched  with  a full email address (including domain) and that
+              Optional  lookup  tables  that  are  searched only with an email
+              address localpart (no domain) and that apply  only  to  local(8)
+              recipients;  this  is  unlike  virtual_alias_maps that are often
+              searched with a full email address (including domain)  and  that
               apply to all recipients: local(8), virtual, and remote.
 
        allow_mail_to_commands (alias, forward)
@@ -165,30 +174,30 @@ ALIASES(5)                                                          ALIASES(5)
               Restrict local(8) mail delivery to external files.
 
        expand_owner_alias (no)
-              When  delivering  to  an   alias   "aliasname"   that   has   an
+              When   delivering   to   an   alias   "aliasname"  that  has  an
               "owner-aliasname"  companion  alias,  set  the  envelope  sender
               address to the expansion of the "owner-aliasname" alias.
 
        propagate_unmatched_extensions (canonical, virtual)
-              What address lookup tables copy an address  extension  from  the
+              What  address  lookup  tables copy an address extension from the
               lookup key to the lookup result.
 
        owner_request_special (yes)
-              Enable  special  treatment  for  owner-listname  entries  in the
+              Enable special  treatment  for  owner-listname  entries  in  the
               aliases(5)  file,  and  don't  split  owner-listname  and  list-
-              name-request  address localparts when the recipient_delimiter is
+              name-request address localparts when the recipient_delimiter  is
               set to "-".
 
        recipient_delimiter (empty)
-              The set of characters that can separate an email address  local-
+              The  set of characters that can separate an email address local-
               part, user name, or a .forward file name from its extension.
 
        Available in Postfix version 2.3 and later:
 
        frozen_delivered_to (yes)
-              Update  the  local(8) delivery agent's idea of the Delivered-To:
-              address (see prepend_delivered_header) only once, at  the  start
-              of  a  delivery attempt; do not update the Delivered-To: address
+              Update the local(8) delivery agent's idea of  the  Delivered-To:
+              address  (see  prepend_delivered_header) only once, at the start
+              of a delivery attempt; do not update the  Delivered-To:  address
               while expanding aliases or .forward files.
 
 STANDARDS
diff --git a/postfix/html/canonical.5.html b/postfix/html/canonical.5.html
index 6cef44e8d..561e4998f 100644
--- a/postfix/html/canonical.5.html
+++ b/postfix/html/canonical.5.html
@@ -24,65 +24,72 @@ CANONICAL(5)                                                      CANONICAL(5)
        sive.
 
        Normally, the canonical(5) table is  specified  as  a  text  file  that
-       serves as input to the postmap(1) command.  The result, an indexed file
-       in dbm or db format, is used for fast searching  by  the  mail  system.
-       Execute  the  command  "postmap  /etc/postfix/canonical"  to rebuild an
-       indexed file after changing the corresponding text file.
+       serves as input to the postmap(1) command to create an indexed file for
+       fast lookup.
+
+       Execute the  command  "postmap  /etc/postfix/canonical"  to  rebuild  a
+       default-type  indexed  file  after  changing  the text file, or execute
+       "postmap type:/etc/postfix/canonical" to specify an explicit type.
+
+       The default indexed file type  is  configured  with  the  default_data-
+       base_type  parameter.  Depending  on  the  platform  this may be one of
+       lmdb:, cdb:, hash:, or dbm: (without the trailing ':').
 
        When the table is provided via other means such as NIS,  LDAP  or  SQL,
-       the same lookups are done as for ordinary indexed files.
+       the same lookups are done as for ordinary indexed files.  Managing such
+       databases is outside the scope of Postfix.
 
-       Alternatively,  the  table  can be provided as a regular-expression map
-       where patterns are given as regular  expressions,  or  lookups  can  be
+       Alternatively, the table can be provided as  a  regular-expression  map
+       where  patterns  are  given  as  regular expressions, or lookups can be
        directed to a TCP-based server. In those cases, the lookups are done in
-       a slightly different way as described below under  "REGULAR  EXPRESSION
+       a  slightly  different way as described below under "REGULAR EXPRESSION
        TABLES" or "TCP-BASED TABLES".
 
        By  default  the  canonical(5)  mapping  affects  both  message  header
-       addresses (i.e. addresses that  appear  inside  messages)  and  message
-       envelope  addresses  (for  example, the addresses that are used in SMTP
-       protocol commands).  This  is  controlled  with  the  canonical_classes
+       addresses  (i.e.  addresses  that  appear  inside messages) and message
+       envelope addresses (for example, the addresses that are  used  in  SMTP
+       protocol  commands).  This  is  controlled  with  the canonical_classes
        parameter.
 
-       NOTE:  Postfix  versions  2.2  and  later  rewrite message headers from
-       remote SMTP clients only if the  client  matches  the  local_header_re-
+       NOTE: Postfix versions 2.2  and  later  rewrite  message  headers  from
+       remote  SMTP  clients  only  if the client matches the local_header_re-
        write_clients parameter, or if the remote_header_rewrite_domain config-
-       uration parameter specifies a non-empty  value.  To  get  the  behavior
-       before    Postfix    2.2,   specify   "local_header_rewrite_clients   =
+       uration  parameter  specifies  a  non-empty  value. To get the behavior
+       before   Postfix   2.2,   specify    "local_header_rewrite_clients    =
        static:all".
 
-       Typically, one would use the canonical(5) table to replace login  names
+       Typically,  one would use the canonical(5) table to replace login names
        by Firstname.Lastname, or to clean up addresses produced by legacy mail
        systems.
 
-       The canonical(5) mapping is not to be confused with virtual alias  sup-
-       port  or  with  local  aliasing.  To change the destination but not the
+       The  canonical(5) mapping is not to be confused with virtual alias sup-
+       port or with local aliasing. To change  the  destination  but  not  the
        headers, use the virtual(5) or aliases(5) map instead.
 
 CASE FOLDING
-       The search string is folded to lowercase before database lookup. As  of
-       Postfix  2.3,  the search string is not case folded with database types
-       such as regexp: or pcre: whose lookup fields can match both  upper  and
+       The  search string is folded to lowercase before database lookup. As of
+       Postfix 2.3, the search string is not case folded with  database  types
+       such  as  regexp: or pcre: whose lookup fields can match both upper and
        lower case.
 
 TABLE FORMAT
        The input format for the postmap(1) command is as follows:
 
        pattern address
-              When  pattern  matches  a mail address, replace it by the corre-
+              When pattern matches a mail address, replace it  by  the  corre-
               sponding address.
 
        blank lines and comments
-              Empty lines and whitespace-only lines are ignored, as are  lines
+              Empty  lines and whitespace-only lines are ignored, as are lines
               whose first non-whitespace character is a `#'.
 
        multi-line text
-              A  logical  line  starts  with  non-whitespace text. A line that
+              A logical line starts with  non-whitespace  text.  A  line  that
               starts with whitespace continues a logical line.
 
 TABLE SEARCH ORDER
-       With lookups from indexed files such as DB or DBM,  or  from  networked
-       tables  such  as  NIS,  LDAP  or SQL, each user@domain query produces a
+       With  lookups  from  indexed files such as DB or DBM, or from networked
+       tables such as NIS, LDAP or SQL,  each  user@domain  query  produces  a
        sequence of query patterns as described below.
 
        Each query pattern is sent to each specified lookup table before trying
@@ -92,13 +99,13 @@ CANONICAL(5)                                                      CANONICAL(5)
               Replace user@domain by address. This form has the highest prece-
               dence.
 
-              This is useful to clean up addresses  produced  by  legacy  mail
-              systems.   It  can  also  be  used to produce Firstname.Lastname
+              This  is  useful  to  clean up addresses produced by legacy mail
+              systems.  It can also  be  used  to  produce  Firstname.Lastname
               style addresses, but see below for a simpler solution.
 
        user address
-              Replace user@site by address when site is  equal  to  $myorigin,
-              when  site  is listed in $mydestination, or when it is listed in
+              Replace  user@site  by  address when site is equal to $myorigin,
+              when site is listed in $mydestination, or when it is  listed  in
               $inet_interfaces or $proxy_interfaces.
 
               This form is useful for replacing login names by Firstname.Last-
@@ -108,16 +115,16 @@ CANONICAL(5)                                                      CANONICAL(5)
               Replace other addresses in domain by address.  This form has the
               lowest precedence.
 
-              Note: @domain is a wild-card.  When  this  form  is  applied  to
-              recipient  addresses,  the  Postfix SMTP server accepts mail for
-              any recipient in domain, regardless of  whether  that  recipient
-              exists.   This  may  turn  your  mail  system into a backscatter
-              source: Postfix first accepts mail for  non-existent  recipients
-              and  then  tries  to  return that mail as "undeliverable" to the
+              Note:  @domain  is  a  wild-card.  When  this form is applied to
+              recipient addresses, the Postfix SMTP server  accepts  mail  for
+              any  recipient  in  domain, regardless of whether that recipient
+              exists.  This may turn  your  mail  system  into  a  backscatter
+              source:  Postfix  first accepts mail for non-existent recipients
+              and then tries to return that mail  as  "undeliverable"  to  the
               often forged sender address.
 
-              To avoid backscatter with mail for a wild-card  domain,  replace
-              the  wild-card  mapping  with  explicit  1:1  mappings, or add a
+              To  avoid  backscatter with mail for a wild-card domain, replace
+              the wild-card mapping with  explicit  1:1  mappings,  or  add  a
               reject_unverified_recipient restriction for that domain:
 
                   smtpd_recipient_restrictions =
@@ -133,10 +140,10 @@ CANONICAL(5)                                                      CANONICAL(5)
 RESULT ADDRESS REWRITING
        The lookup result is subject to address rewriting:
 
-       o      When  the  result  has the form @otherdomain, the result becomes
+       o      When the result has the form @otherdomain,  the  result  becomes
               the same user in otherdomain.
 
-       o      When "append_at_myorigin=yes", append "@$myorigin" to  addresses
+       o      When  "append_at_myorigin=yes", append "@$myorigin" to addresses
               without "@domain".
 
        o      When "append_dot_mydomain=yes", append ".$mydomain" to addresses
@@ -144,38 +151,38 @@ CANONICAL(5)                                                      CANONICAL(5)
 
 ADDRESS EXTENSION
        When a mail address localpart contains the optional recipient delimiter
-       (e.g.,  user+foo@domain),  the  lookup  order becomes: user+foo@domain,
+       (e.g., user+foo@domain), the  lookup  order  becomes:  user+foo@domain,
        user@domain, user+foo, user, and @domain.
 
-       The  propagate_unmatched_extensions  parameter  controls   whether   an
+       The   propagate_unmatched_extensions   parameter  controls  whether  an
        unmatched address extension (+foo) is propagated to the result of table
        lookup.
 
 REGULAR EXPRESSION TABLES
-       This section describes how the table lookups change when the  table  is
-       given  in the form of regular expressions. For a description of regular
+       This  section  describes how the table lookups change when the table is
+       given in the form of regular expressions. For a description of  regular
        expression lookup table syntax, see regexp_table(5) or pcre_table(5).
 
-       Each pattern is a regular expression that  is  applied  to  the  entire
-       address  being looked up. Thus, user@domain mail addresses are not bro-
-       ken up into their user and @domain constituent parts, nor  is  user+foo
+       Each  pattern  is  a  regular  expression that is applied to the entire
+       address being looked up. Thus, user@domain mail addresses are not  bro-
+       ken  up  into their user and @domain constituent parts, nor is user+foo
        broken up into user and foo.
 
-       Patterns  are  applied  in the order as specified in the table, until a
+       Patterns are applied in the order as specified in the  table,  until  a
        pattern is found that matches the search string.
 
-       Results are the same as with indexed file lookups, with the  additional
-       feature  that parenthesized substrings from the pattern can be interpo-
+       Results  are the same as with indexed file lookups, with the additional
+       feature that parenthesized substrings from the pattern can be  interpo-
        lated as $1, $2 and so on.
 
 TCP-BASED TABLES
-       This section describes how the table lookups change  when  lookups  are
-       directed   to  a  TCP-based  server.  For  a  description  of  the  TCP
-       client/server lookup protocol, see tcp_table(5).  This feature  is  not
+       This  section  describes  how the table lookups change when lookups are
+       directed  to  a  TCP-based  server.  For  a  description  of  the   TCP
+       client/server  lookup  protocol, see tcp_table(5).  This feature is not
        available up to and including Postfix version 2.4.
 
-       Each  lookup operation uses the entire address once.  Thus, user@domain
-       mail addresses are not broken up  into  their  user  and  @domain  con-
+       Each lookup operation uses the entire address once.  Thus,  user@domain
+       mail  addresses  are  not  broken  up  into their user and @domain con-
        stituent parts, nor is user+foo broken up into user and foo.
 
        Results are the same as with indexed file lookups.
@@ -184,76 +191,76 @@ CANONICAL(5)                                                      CANONICAL(5)
        The table format does not understand quoting conventions.
 
 CONFIGURATION PARAMETERS
-       The  following  main.cf  parameters  are especially relevant.  The text
-       below provides only a  parameter  summary.  See  postconf(5)  for  more
+       The following main.cf parameters are  especially  relevant.   The  text
+       below  provides  only  a  parameter  summary.  See postconf(5) for more
        details including examples.
 
-       canonical_classes  (envelope_sender, envelope_recipient, header_sender,
+       canonical_classes (envelope_sender, envelope_recipient,  header_sender,
        header_recipient)
               What addresses are subject to canonical_maps address mapping.
 
        canonical_maps (empty)
-              Optional  address  mapping lookup tables for message headers and
+              Optional address mapping lookup tables for message  headers  and
               envelopes.
 
        recipient_canonical_maps (empty)
-              Optional address mapping lookup tables for envelope  and  header
+              Optional  address  mapping lookup tables for envelope and header
               recipient addresses.
 
        sender_canonical_maps (empty)
-              Optional  address  mapping lookup tables for envelope and header
+              Optional address mapping lookup tables for envelope  and  header
               sender addresses.
 
        propagate_unmatched_extensions (canonical, virtual)
-              What address lookup tables copy an address  extension  from  the
+              What  address  lookup  tables copy an address extension from the
               lookup key to the lookup result.
 
        Other parameters of interest:
 
        inet_interfaces (all)
-              The  local  network  interface  addresses  that this mail system
+              The local network interface  addresses  that  this  mail  system
               receives mail on.
 
        local_header_rewrite_clients (permit_inet_interfaces)
-              Rewrite or add message  headers  in  mail  from  these  clients,
-              updating  incomplete addresses with the domain name in $myorigin
+              Rewrite  or  add  message  headers  in  mail from these clients,
+              updating incomplete addresses with the domain name in  $myorigin
               or $mydomain, and adding missing headers.
 
        proxy_interfaces (empty)
-              The remote network interface addresses  that  this  mail  system
-              receives  mail  on by way of a proxy or network address transla-
+              The  remote  network  interface  addresses that this mail system
+              receives mail on by way of a proxy or network  address  transla-
               tion unit.
 
        masquerade_classes (envelope_sender, header_sender, header_recipient)
               What addresses are subject to address masquerading.
 
        masquerade_domains (empty)
-              Optional list of  domains  whose  subdomain  structure  will  be
+              Optional  list  of  domains  whose  subdomain  structure will be
               stripped off in email addresses.
 
        masquerade_exceptions (empty)
-              Optional  list  of  user names that are not subjected to address
-              masquerading,  even  when  their   addresses   match   $masquer-
+              Optional list of user names that are not  subjected  to  address
+              masquerading,   even   when   their  addresses  match  $masquer-
               ade_domains.
 
        mydestination ($myhostname, localhost.$mydomain, localhost)
-              The  list of domains that are delivered via the $local_transport
+              The list of domains that are delivered via the  $local_transport
               mail delivery transport.
 
        myorigin ($myhostname)
-              The domain name that locally-posted mail appears to  come  from,
+              The  domain  name that locally-posted mail appears to come from,
               and that locally posted mail is delivered to.
 
        owner_request_special (yes)
-              Enable  special  treatment  for  owner-listname  entries  in the
+              Enable special  treatment  for  owner-listname  entries  in  the
               aliases(5)  file,  and  don't  split  owner-listname  and  list-
-              name-request  address localparts when the recipient_delimiter is
+              name-request address localparts when the recipient_delimiter  is
               set to "-".
 
        remote_header_rewrite_domain (empty)
-              Rewrite or add message headers in mail from  remote  clients  if
-              the  remote_header_rewrite_domain  parameter value is non-empty,
-              updating incomplete addresses with the domain specified  in  the
+              Rewrite  or  add  message headers in mail from remote clients if
+              the remote_header_rewrite_domain parameter value  is  non-empty,
+              updating  incomplete  addresses with the domain specified in the
               remote_header_rewrite_domain parameter, and adding missing head-
               ers.
 
diff --git a/postfix/html/cidr_table.5.html b/postfix/html/cidr_table.5.html
index b754c5a90..6d51238d9 100644
--- a/postfix/html/cidr_table.5.html
+++ b/postfix/html/cidr_table.5.html
@@ -17,10 +17,12 @@ CIDR_TABLE(5)                                                    CIDR_TABLE(5)
 
 DESCRIPTION
        The  Postfix mail system uses optional lookup tables.  These tables are
-       usually in dbm or db format.  Alternatively, lookup tables can be spec-
-       ified in CIDR (Classless Inter-Domain Routing) form. In this case, each
-       input is compared against a list of patterns. When a  match  is  found,
-       the corresponding result is returned and the search is terminated.
+       usually in lmdb:, cdb:, hash:, or dbm: format.
+
+       Alternatively, lookup  tables  can  be  specified  in  CIDR  (Classless
+       Inter-Domain  Routing)  form.  In  this  case,  each  input is compared
+       against a list of patterns. When a match is  found,  the  corresponding
+       result is returned and the search is terminated.
 
        To  find  out  what types of lookup tables your Postfix system supports
        use the "postconf -m" command.
diff --git a/postfix/html/generic.5.html b/postfix/html/generic.5.html
index b9a4e0991..e24e383b0 100644
--- a/postfix/html/generic.5.html
+++ b/postfix/html/generic.5.html
@@ -34,44 +34,51 @@ GENERIC(5)                                                          GENERIC(5)
        (for example, the addresses that are used in SMTP protocol commands).
 
        Normally, the generic(5) table is specified as a text file that  serves
-       as input to the postmap(1) command.  The result, an indexed file in dbm
-       or db format, is used for fast searching by the  mail  system.  Execute
-       the  command  "postmap /etc/postfix/generic" to rebuild an indexed file
-       after changing the corresponding text file.
+       as  input  to the postmap(1) command to create an indexed file for fast
+       lookup.
+
+       Execute  the  command  "postmap  /etc/postfix/generic"  to  rebuild   a
+       default-type  indexed  file  after  changing  the text file, or execute
+       "postmap type:/etc/postfix/generic" to specify an explicit type.
+
+       The default indexed file type  is  configured  with  the  default_data-
+       base_type  parameter.  Depending  on  the  platform  this may be one of
+       lmdb:, cdb:, hash:, or dbm: (without the trailing ':').
 
        When the table is provided via other means such as NIS,  LDAP  or  SQL,
-       the same lookups are done as for ordinary indexed files.
+       the same lookups are done as for ordinary indexed files.  Managing such
+       databases is outside the scope of Postfix.
 
-       Alternatively,  the  table  can be provided as a regular-expression map
-       where patterns are given as regular  expressions,  or  lookups  can  be
+       Alternatively, the table can be provided as  a  regular-expression  map
+       where  patterns  are  given  as  regular expressions, or lookups can be
        directed to a TCP-based server. In those cases, the lookups are done in
-       a slightly different way as described below under  "REGULAR  EXPRESSION
+       a  slightly  different way as described below under "REGULAR EXPRESSION
        TABLES" or "TCP-BASED TABLES".
 
 CASE FOLDING
-       The  search string is folded to lowercase before database lookup. As of
-       Postfix 2.3, the search string is not case folded with  database  types
-       such  as  regexp: or pcre: whose lookup fields can match both upper and
+       The search string is folded to lowercase before database lookup. As  of
+       Postfix  2.3,  the search string is not case folded with database types
+       such as regexp: or pcre: whose lookup fields can match both  upper  and
        lower case.
 
 TABLE FORMAT
        The input format for the postmap(1) command is as follows:
 
        pattern result
-              When pattern matches a mail address, replace it  by  the  corre-
+              When  pattern  matches  a mail address, replace it by the corre-
               sponding result.
 
        blank lines and comments
-              Empty  lines and whitespace-only lines are ignored, as are lines
+              Empty lines and whitespace-only lines are ignored, as are  lines
               whose first non-whitespace character is a `#'.
 
        multi-line text
-              A logical line starts with  non-whitespace  text.  A  line  that
+              A  logical  line  starts  with  non-whitespace text. A line that
               starts with whitespace continues a logical line.
 
 TABLE SEARCH ORDER
-       With  lookups  from  indexed files such as DB or DBM, or from networked
-       tables such as NIS, LDAP or SQL,  each  user@domain  query  produces  a
+       With lookups from indexed files such as DB or DBM,  or  from  networked
+       tables  such  as  NIS,  LDAP  or SQL, each user@domain query produces a
        sequence of query patterns as described below.
 
        Each query pattern is sent to each specified lookup table before trying
@@ -82,8 +89,8 @@ GENERIC(5)                                                          GENERIC(5)
               dence.
 
        user address
-              Replace  user@site  by  address when site is equal to $myorigin,
-              when site is listed in $mydestination, or when it is  listed  in
+              Replace user@site by address when site is  equal  to  $myorigin,
+              when  site  is listed in $mydestination, or when it is listed in
               $inet_interfaces or $proxy_interfaces.
 
        @domain address
@@ -93,10 +100,10 @@ GENERIC(5)                                                          GENERIC(5)
 RESULT ADDRESS REWRITING
        The lookup result is subject to address rewriting:
 
-       o      When the result has the form @otherdomain,  the  result  becomes
+       o      When  the  result  has the form @otherdomain, the result becomes
               the same user in otherdomain.
 
-       o      When  "append_at_myorigin=yes", append "@$myorigin" to addresses
+       o      When "append_at_myorigin=yes", append "@$myorigin" to  addresses
               without "@domain".
 
        o      When "append_dot_mydomain=yes", append ".$mydomain" to addresses
@@ -104,45 +111,45 @@ GENERIC(5)                                                          GENERIC(5)
 
 ADDRESS EXTENSION
        When a mail address localpart contains the optional recipient delimiter
-       (e.g., user+foo@domain), the  lookup  order  becomes:  user+foo@domain,
+       (e.g.,  user+foo@domain),  the  lookup  order becomes: user+foo@domain,
        user@domain, user+foo, user, and @domain.
 
-       The   propagate_unmatched_extensions   parameter  controls  whether  an
+       The  propagate_unmatched_extensions  parameter  controls   whether   an
        unmatched address extension (+foo) is propagated to the result of table
        lookup.
 
 REGULAR EXPRESSION TABLES
-       This  section  describes how the table lookups change when the table is
-       given in the form of regular expressions. For a description of  regular
+       This section describes how the table lookups change when the  table  is
+       given  in the form of regular expressions. For a description of regular
        expression lookup table syntax, see regexp_table(5) or pcre_table(5).
 
-       Each  pattern  is  a  regular  expression that is applied to the entire
-       address being looked up. Thus, user@domain mail addresses are not  bro-
-       ken  up  into their user and @domain constituent parts, nor is user+foo
+       Each pattern is a regular expression that  is  applied  to  the  entire
+       address  being looked up. Thus, user@domain mail addresses are not bro-
+       ken up into their user and @domain constituent parts, nor  is  user+foo
        broken up into user and foo.
 
-       Patterns are applied in the order as specified in the  table,  until  a
+       Patterns  are  applied  in the order as specified in the table, until a
        pattern is found that matches the search string.
 
-       Results  are the same as with indexed file lookups, with the additional
-       feature that parenthesized substrings from the pattern can be  interpo-
+       Results are the same as with indexed file lookups, with the  additional
+       feature  that parenthesized substrings from the pattern can be interpo-
        lated as $1, $2 and so on.
 
 TCP-BASED TABLES
-       This  section  describes  how the table lookups change when lookups are
-       directed  to  a  TCP-based  server.  For  a  description  of  the   TCP
-       client/server  lookup  protocol,  see  tcp_table(5).   This  feature is
+       This section describes how the table lookups change  when  lookups  are
+       directed   to  a  TCP-based  server.  For  a  description  of  the  TCP
+       client/server lookup  protocol,  see  tcp_table(5).   This  feature  is
        available in Postfix 2.5 and later.
 
-       Each lookup operation uses the entire address once.  Thus,  user@domain
-       mail  addresses  are  not  broken  up  into their user and @domain con-
+       Each  lookup operation uses the entire address once.  Thus, user@domain
+       mail addresses are not broken up  into  their  user  and  @domain  con-
        stituent parts, nor is user+foo broken up into user and foo.
 
        Results are the same as with indexed file lookups.
 
 EXAMPLE
-       The following shows a generic mapping with an indexed file.  When  mail
-       is  sent to a remote host via SMTP, this replaces his@localdomain.local
+       The  following shows a generic mapping with an indexed file.  When mail
+       is sent to a remote host via SMTP, this replaces  his@localdomain.local
        by his ISP mail address, replaces her@localdomain.local by her ISP mail
        address, and replaces other local addresses by his ISP account, with an
        address extension of +local (this example assumes that the ISP supports
@@ -156,52 +163,52 @@ GENERIC(5)                                                          GENERIC(5)
            her@localdomain.local   heraccount@herisp.example
            @localdomain.local      hisaccount+local@hisisp.example
 
-       Execute  the  command "postmap /etc/postfix/generic" whenever the table
-       is changed.  Instead of hash, some systems use dbm database  files.  To
-       find  out  what  tables  your system supports use the command "postconf
+       Execute the command "postmap /etc/postfix/generic" whenever  the  table
+       is  changed.   Instead of hash, some systems use dbm database files. To
+       find out what tables your system supports  use  the  command  "postconf
        -m".
 
 BUGS
        The table format does not understand quoting conventions.
 
 CONFIGURATION PARAMETERS
-       The following main.cf parameters are  especially  relevant.   The  text
-       below  provides  only  a  parameter  summary.  See postconf(5) for more
+       The  following  main.cf  parameters  are especially relevant.  The text
+       below provides only a  parameter  summary.  See  postconf(5)  for  more
        details including examples.
 
        smtp_generic_maps (empty)
-              Optional lookup tables that perform  address  rewriting  in  the
-              Postfix  SMTP  client,  typically  to  transform a locally valid
-              address into a globally valid address when sending  mail  across
+              Optional  lookup  tables  that  perform address rewriting in the
+              Postfix SMTP client, typically  to  transform  a  locally  valid
+              address  into  a globally valid address when sending mail across
               the Internet.
 
        propagate_unmatched_extensions (canonical, virtual)
-              What  address  lookup  tables copy an address extension from the
+              What address lookup tables copy an address  extension  from  the
               lookup key to the lookup result.
 
        Other parameters of interest:
 
        inet_interfaces (all)
-              The local network interface  addresses  that  this  mail  system
+              The  local  network  interface  addresses  that this mail system
               receives mail on.
 
        proxy_interfaces (empty)
-              The  remote  network  interface  addresses that this mail system
-              receives mail on by way of a proxy or network  address  transla-
+              The remote network interface addresses  that  this  mail  system
+              receives  mail  on by way of a proxy or network address transla-
               tion unit.
 
        mydestination ($myhostname, localhost.$mydomain, localhost)
-              The  list of domains that are delivered via the $local_transport
+              The list of domains that are delivered via the  $local_transport
               mail delivery transport.
 
        myorigin ($myhostname)
-              The domain name that locally-posted mail appears to  come  from,
+              The  domain  name that locally-posted mail appears to come from,
               and that locally posted mail is delivered to.
 
        owner_request_special (yes)
-              Enable  special  treatment  for  owner-listname  entries  in the
+              Enable special  treatment  for  owner-listname  entries  in  the
               aliases(5)  file,  and  don't  split  owner-listname  and  list-
-              name-request  address localparts when the recipient_delimiter is
+              name-request address localparts when the recipient_delimiter  is
               set to "-".
 
 SEE ALSO
diff --git a/postfix/html/index.html b/postfix/html/index.html
index c9d07330a..00a7d0404 100644
--- a/postfix/html/index.html
+++ b/postfix/html/index.html
@@ -137,6 +137,8 @@ Per-client/user/etc. access 
 
 
  •   Lookup table overview 
 
+
  •   Non-Berkeley-DB migration 
+
 
  •   Berkeley DB Howto  
 
 
  •   CDB Howto  
diff --git a/postfix/html/ldap_table.5.html b/postfix/html/ldap_table.5.html
index 38875eb5f..77a455e37 100644
--- a/postfix/html/ldap_table.5.html
+++ b/postfix/html/ldap_table.5.html
@@ -17,34 +17,37 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
 
 DESCRIPTION
        The  Postfix  mail system uses optional tables for address rewriting or
-       mail routing. These tables are usually in dbm or db format.
+       mail routing. These tables are usually in lmdb:, cdb:, hash:,  or  dbm:
+       format.
 
-       Alternatively, lookup tables can be specified as LDAP databases.
+       Alternatively,  lookup  tables  can be specified as LDAP databases.  To
+       find out what types of lookup tables your Postfix system  supports  use
+       the "postconf -m" command.
 
-       In order to use LDAP lookups, define an LDAP source as a  lookup  table
+       In  order  to use LDAP lookups, define an LDAP source as a lookup table
        in main.cf, for example:
 
            alias_maps = ldap:/etc/postfix/ldap-aliases.cf
 
-       The  file /etc/postfix/ldap-aliases.cf has the same format as the Post-
-       fix main.cf file, and can specify the parameters  described  below.  An
+       The file /etc/postfix/ldap-aliases.cf has the same format as the  Post-
+       fix  main.cf  file,  and can specify the parameters described below. An
        example is given at the end of this manual.
 
-       This  configuration  method  is  available with Postfix version 2.1 and
-       later.  See the section "OBSOLETE MAIN.CF PARAMETERS" below  for  older
+       This configuration method is available with  Postfix  version  2.1  and
+       later.   See  the section "OBSOLETE MAIN.CF PARAMETERS" below for older
        Postfix versions.
 
-       For  details  about  LDAP  SSL and STARTTLS, see the section on SSL and
+       For details about LDAP SSL and STARTTLS, see the  section  on  SSL  and
        STARTTLS below.
 
 LIST MEMBERSHIP
-       When using LDAP to store lists  such  as  $mynetworks,  $mydestination,
-       $relay_domains,  $local_recipient_maps, etc., it is important to under-
+       When  using  LDAP  to  store lists such as $mynetworks, $mydestination,
+       $relay_domains, $local_recipient_maps, etc., it is important to  under-
        stand that the table must store each list member as a separate key. The
-       table  lookup  verifies  the *existence* of the key. See "Postfix lists
+       table lookup verifies the *existence* of the key.  See  "Postfix  lists
        versus tables" in the DATABASE_README document for a discussion.
 
-       Do NOT create tables that return the full list of domains in  $mydesti-
+       Do  NOT create tables that return the full list of domains in $mydesti-
        nation or $relay_domains etc., or IP addresses in $mynetworks.
 
        DO create tables with each matching item as a key and with an arbitrary
@@ -61,8 +64,8 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
            result_attribute = domain
 
 GENERAL LDAP PARAMETERS
-       In  the  text  below,  default  values are given in parentheses.  Note:
-       don't use quotes in these variables; at least, not  until  the  Postfix
+       In the text below, default values  are  given  in  parentheses.   Note:
+       don't  use  quotes  in these variables; at least, not until the Postfix
        configuration routines understand how to deal with quoted strings.
 
        server_host (default: localhost)
@@ -70,16 +73,16 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
 
                   server_host = ldap.example.com
 
-              Depending  on the LDAP client library you're using, it should be
+              Depending on the LDAP client library you're using, it should  be
               possible to specify multiple servers here, with the library try-
-              ing  them  in order should the first one fail. It should also be
+              ing them in order should the first one fail. It should  also  be
               possible to give each server in the list a different port (over-
               riding server_port below), by naming them like
 
                   server_host = ldap.example.com:1444
 
-              NOTE:  this  client  will  reconnect  immediately after a single
-              failure, and will fail a lookup request after a  second  attempt
+              NOTE: this client will  reconnect  immediately  after  a  single
+              failure,  and  will fail a lookup request after a second attempt
               also fails.
 
               With OpenLDAP, a (list of) LDAP URLs can be used to specify both
@@ -88,9 +91,9 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
                   server_host = ldap://ldap.example.com:1444
                               ldap://ldap2.example.com:1444
 
-              All LDAP URLs accepted by the OpenLDAP  library  are  supported,
-              including  connections  over  UNIX  domain sockets, and LDAP SSL
-              (the last one provided that OpenLDAP was compiled  with  support
+              All  LDAP  URLs  accepted by the OpenLDAP library are supported,
+              including connections over UNIX domain  sockets,  and  LDAP  SSL
+              (the  last  one provided that OpenLDAP was compiled with support
               for SSL):
 
                   server_host = ldapi://%2Fsome%2Fpath
@@ -102,7 +105,7 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
                   server_port = 778
 
        timeout (default: 10 seconds)
-              The  number of seconds a search can take before timing out, e.g.
+              The number of seconds a search can take before timing out,  e.g.
 
                   timeout = 5
 
@@ -116,39 +119,39 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
 
               %%     This is replaced by a literal '%' character.
 
-              %s     This  is  replaced by the input key.  RFC 2253 quoting is
-                     used to make sure that the input key does not  add  unex-
+              %s     This is replaced by the input key.  RFC 2253  quoting  is
+                     used  to  make sure that the input key does not add unex-
                      pected metacharacters.
 
               %u     When the input key is an address of the form user@domain,
                      %u is replaced by the (RFC 2253) quoted local part of the
-                     address.   Otherwise, %u is replaced by the entire search
-                     string.  If the localpart is empty, the  search  is  sup-
+                     address.  Otherwise, %u is replaced by the entire  search
+                     string.   If  the  localpart is empty, the search is sup-
                      pressed and returns no results.
 
               %d     When the input key is an address of the form user@domain,
-                     %d is replaced by the (RFC 2253) quoted  domain  part  of
-                     the  address.   Otherwise,  the  search is suppressed and
+                     %d  is  replaced  by the (RFC 2253) quoted domain part of
+                     the address.  Otherwise, the  search  is  suppressed  and
                      returns no results.
 
               %[SUD] For the search_base parameter, the upper-case equivalents
-                     of  the  above  expansions  behave  identically  to their
-                     lower-case counter-parts. With the result_format  parame-
-                     ter  (previously called result_filter see the OTHER OBSO-
+                     of the  above  expansions  behave  identically  to  their
+                     lower-case  counter-parts. With the result_format parame-
+                     ter (previously called result_filter see the OTHER  OBSO-
                      LETE FEATURES section and below), they expand to the cor-
                      responding components of input key rather than the result
                      value.
 
-              %[1-9] The patterns %1, %2, ... %9 are replaced  by  the  corre-
-                     sponding  most  significant  component of the input key's
-                     domain. If the input key is  user@mail.example.com,  then
+              %[1-9] The  patterns  %1,  %2, ... %9 are replaced by the corre-
+                     sponding most significant component of  the  input  key's
+                     domain.  If  the input key is user@mail.example.com, then
                      %1 is com, %2 is example and %3 is mail. If the input key
-                     is unqualified or does not have enough domain  components
+                     is  unqualified or does not have enough domain components
                      to satisfy all the specified patterns, the search is sup-
                      pressed and returns no results.
 
        query_filter (default: mailacceptinggeneralid=%s)
-              The RFC2254 filter used to search the directory, where %s  is  a
+              The  RFC2254  filter used to search the directory, where %s is a
               substitute for the address Postfix is trying to resolve, e.g.
 
                   query_filter = (&(mail=%s)(paid_up=true))
@@ -158,114 +161,114 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
               %%     This is replaced by a literal '%' character. (Postfix 2.2
                      and later).
 
-              %s     This is replaced by the input key.  RFC 2254  quoting  is
-                     used  to  make sure that the input key does not add unex-
+              %s     This  is  replaced by the input key.  RFC 2254 quoting is
+                     used to make sure that the input key does not  add  unex-
                      pected metacharacters.
 
               %u     When the input key is an address of the form user@domain,
                      %u is replaced by the (RFC 2254) quoted local part of the
-                     address.  Otherwise, %u is replaced by the entire  search
-                     string.   If  the  localpart is empty, the search is sup-
+                     address.   Otherwise, %u is replaced by the entire search
+                     string.  If the localpart is empty, the  search  is  sup-
                      pressed and returns no results.
 
               %d     When the input key is an address of the form user@domain,
-                     %d  is  replaced  by the (RFC 2254) quoted domain part of
-                     the address.  Otherwise, the  search  is  suppressed  and
+                     %d is replaced by the (RFC 2254) quoted  domain  part  of
+                     the  address.   Otherwise,  the  search is suppressed and
                      returns no results.
 
               %[SUD] The upper-case equivalents of the above expansions behave
-                     in  the  query_filter  parameter  identically  to   their
-                     lower-case  counter-parts. With the result_format parame-
-                     ter (previously called result_filter see the OTHER  OBSO-
+                     in   the  query_filter  parameter  identically  to  their
+                     lower-case counter-parts. With the result_format  parame-
+                     ter  (previously called result_filter see the OTHER OBSO-
                      LETE FEATURES section and below), they expand to the cor-
                      responding components of input key rather than the result
                      value.
 
-                     The  above  %S,  %U  and %D expansions are available with
+                     The above %S, %U and %D  expansions  are  available  with
                      Postfix 2.2 and later.
 
-              %[1-9] The patterns %1, %2, ... %9 are replaced  by  the  corre-
-                     sponding  most  significant  component of the input key's
-                     domain. If the input key is  user@mail.example.com,  then
+              %[1-9] The  patterns  %1,  %2, ... %9 are replaced by the corre-
+                     sponding most significant component of  the  input  key's
+                     domain.  If  the input key is user@mail.example.com, then
                      %1 is com, %2 is example and %3 is mail. If the input key
-                     is unqualified or does not have enough domain  components
+                     is  unqualified or does not have enough domain components
                      to satisfy all the specified patterns, the search is sup-
                      pressed and returns no results.
 
                      The above %1, ..., %9 expansions are available with Post-
                      fix 2.2 and later.
 
-              The  "domain" parameter described below limits the input keys to
-              addresses in matching domains. When the  "domain"  parameter  is
-              non-empty,  LDAP  queries for unqualified addresses or addresses
+              The "domain" parameter described below limits the input keys  to
+              addresses  in  matching  domains. When the "domain" parameter is
+              non-empty, LDAP queries for unqualified addresses  or  addresses
               in non-matching domains are suppressed and return no results.
 
               NOTE: DO NOT put quotes around the query_filter parameter.
 
        result_format (default: %s)
-              Called result_filter in Postfix releases prior to  2.2.   Format
-              template  applied  to  result  attributes. Most commonly used to
-              append (or prepend) text to the result. This parameter  supports
+              Called  result_filter  in Postfix releases prior to 2.2.  Format
+              template applied to result attributes.  Most  commonly  used  to
+              append  (or prepend) text to the result. This parameter supports
               the following '%' expansions:
 
               %%     This is replaced by a literal '%' character. (Postfix 2.2
                      and later).
 
-              %s     This is replaced by the value of  the  result  attribute.
+              %s     This  is  replaced  by the value of the result attribute.
                      When result is empty it is skipped.
 
               %u     When the result attribute value is an address of the form
-                     user@domain, %u is replaced by  the  local  part  of  the
-                     address.  When  the  result  has an empty localpart it is
+                     user@domain,  %u  is  replaced  by  the local part of the
+                     address. When the result has an  empty  localpart  it  is
                      skipped.
 
-              %d     When a result attribute value is an address of  the  form
-                     user@domain,  %d  is  replaced  by the domain part of the
-                     attribute value. When the result  is  unqualified  it  is
+              %d     When  a  result attribute value is an address of the form
+                     user@domain, %d is replaced by the  domain  part  of  the
+                     attribute  value.  When  the  result is unqualified it is
                      skipped.
 
               %[SUD1-9]
-                     The  upper-case  and decimal digit expansions interpolate
-                     the parts of the input key rather than the result.  Their
-                     behavior  is  identical to that described with query_fil-
-                     ter, and in fact  because  the  input  key  is  known  in
-                     advance,  lookups  whose  key  does  not  contain all the
-                     information specified in the  result  template  are  sup-
+                     The upper-case and decimal digit  expansions  interpolate
+                     the  parts of the input key rather than the result. Their
+                     behavior is identical to that described  with  query_fil-
+                     ter,  and  in  fact  because  the  input  key is known in
+                     advance, lookups whose  key  does  not  contain  all  the
+                     information  specified  in  the  result template are sup-
                      pressed and return no results.
 
-                     The  above  %S,  %U,  %D  and  %1, ..., %9 expansions are
+                     The above %S, %U, %D  and  %1,  ...,  %9  expansions  are
                      available with Postfix 2.2 and later.
 
               For example, using "result_format = smtp:[%s]" allows one to use
               a mailHost attribute as the basis of a transport(5) table. After
-              applying the result format, multiple values are concatenated  as
-              comma  separated  strings.  The  expansion_limit  and size_limit
-              parameters explained below allow one to restrict the  number  of
-              values  in  the result, which is especially useful for maps that
+              applying  the result format, multiple values are concatenated as
+              comma separated  strings.  The  expansion_limit  and  size_limit
+              parameters  explained  below allow one to restrict the number of
+              values in the result, which is especially useful for  maps  that
               should return a single value.
 
-              The default value %s specifies that each attribute value  should
+              The  default value %s specifies that each attribute value should
               be used as is.
 
-              This  parameter  was  called  result_filter  in Postfix releases
-              prior to 2.2. If no "result_format" is specified, the  value  of
-              "result_filter"  will  be  used  instead before resorting to the
-              default value. This provides compatibility with  old  configura-
+              This parameter was  called  result_filter  in  Postfix  releases
+              prior  to  2.2. If no "result_format" is specified, the value of
+              "result_filter" will be used instead  before  resorting  to  the
+              default  value.  This provides compatibility with old configura-
               tion files.
 
               NOTE: DO NOT put quotes around the result format!
 
        domain (default: no domain list)
-              This  is a list of domain names, paths to files, or "type:table"
+              This is a list of domain names, paths to files, or  "type:table"
               databases. When specified, only fully qualified search keys with
-              a  *non-empty*  localpart and a matching domain are eligible for
+              a *non-empty* localpart and a matching domain are  eligible  for
               lookup:  'user'  lookups,  bare  domain  lookups  and  "@domain"
-              lookups  are  not  performed.  This can significantly reduce the
+              lookups are not performed. This  can  significantly  reduce  the
               query load on the LDAP server.
 
                   domain = postfix.org, hash:/etc/postfix/searchdomains
 
-              It is best not to use LDAP to store  the  domains  eligible  for
+              It  is  best  not  to use LDAP to store the domains eligible for
               LDAP lookups.
 
               NOTE: DO NOT define this parameter for local(8) aliases.
@@ -273,87 +276,87 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
               This feature is available in Postfix 1.0 and later.
 
        result_attribute (default: maildrop)
-              The  attribute(s)  Postfix  will read from any directory entries
+              The attribute(s) Postfix will read from  any  directory  entries
               returned by the lookup, to be resolved to an email address.
 
                   result_attribute = mailbox, maildrop
 
-              Don't  rely  on  the  default  value   ("maildrop").   Set   the
-              result_attribute  explicitly  in  all  ldap  table configuration
+              Don't   rely   on   the  default  value  ("maildrop").  Set  the
+              result_attribute explicitly  in  all  ldap  table  configuration
               files. This is particularly relevant when no result_attribute is
-              applicable,  e.g.  cases  in  which leaf_result_attribute and/or
+              applicable, e.g. cases  in  which  leaf_result_attribute  and/or
               terminal_result_attribute are used instead. The default value is
-              harmless  if  "maildrop"  is  also  listed as a leaf or terminal
+              harmless if "maildrop" is also listed  as  a  leaf  or  terminal
               result attribute, but it is best to not leave this to chance.
 
        special_result_attribute (default: empty)
-              The attribute(s) of directory entries that can  contain  DNs  or
+              The  attribute(s)  of  directory entries that can contain DNs or
               RFC 2255 LDAP URLs. If found, a recursive search is performed to
-              retrieve the entry referenced by the DN, or the entries  matched
+              retrieve  the entry referenced by the DN, or the entries matched
               by the URL query.
 
                   special_result_attribute = memberdn
 
-              DN  recursion  retrieves  the same result_attributes as the main
+              DN recursion retrieves the same result_attributes  as  the  main
               query, including the special attributes for further recursion.
 
               URL processing retrieves only those attributes that are included
-              in  both  the URL definition and as result attributes (ordinary,
-              special, leaf or terminal) in the Postfix table definition.   If
-              the  URL  lists  any  of  the table's special result attributes,
-              these are retrieved and used recursively. A URL  that  does  not
-              specify  any  attribute selection, is equivalent (RFC 2255) to a
-              URL that selects all attributes,  in  which  case  the  selected
-              attributes  will  be  the  full  set of result attributes in the
+              in both the URL definition and as result  attributes  (ordinary,
+              special,  leaf or terminal) in the Postfix table definition.  If
+              the URL lists any of  the  table's  special  result  attributes,
+              these  are  retrieved  and used recursively. A URL that does not
+              specify any attribute selection, is equivalent (RFC 2255)  to  a
+              URL  that  selects  all  attributes,  in which case the selected
+              attributes will be the full set  of  result  attributes  in  the
               Postfix table.
 
               If an LDAP URL attribute-descriptor or the corresponding Postfix
-              LDAP  table  result  attribute  (but  not  both)  uses  RFC 2255
-              sub-type options ("attr;option"), the attribute  requested  from
-              the  LDAP  server will include the sub-type option. In all other
-              cases, the URL attribute and  the  table  attribute  must  match
+              LDAP table  result  attribute  (but  not  both)  uses  RFC  2255
+              sub-type  options  ("attr;option"), the attribute requested from
+              the LDAP server will include the sub-type option. In  all  other
+              cases,  the  URL  attribute  and  the table attribute must match
               exactly. Attributes with options in both the URL and the Postfix
-              table are requested only when the options  are  identical.  LDAP
-              attribute-descriptor  options  are  very  rarely used, most LDAP
-              users will not need to concern themselves  with  this  level  of
+              table  are  requested  only when the options are identical. LDAP
+              attribute-descriptor options are very  rarely  used,  most  LDAP
+              users  will  not  need  to concern themselves with this level of
               nuanced detail.
 
        terminal_result_attribute (default: empty)
               When one or more terminal result attributes are found in an LDAP
               entry, all other result attributes are ignored and only the ter-
-              minal  result  attributes are returned. This is useful for dele-
+              minal result attributes are returned. This is useful  for  dele-
               gating expansion of group members to a particular host, by using
               an optional "maildrop" attribute on selected groups to route the
-              group to a specific host, where the group is expanded,  possibly
+              group  to a specific host, where the group is expanded, possibly
               via mailing-list manager or other special processing.
 
                   result_attribute =
                   terminal_result_attribute = maildrop
 
-              When   using   terminal   and/or  leaf  result  attributes,  the
-              result_attribute is best set to an empty value when  it  is  not
+              When  using  terminal  and/or  leaf   result   attributes,   the
+              result_attribute  is  best  set to an empty value when it is not
               used, or else explicitly set to the desired value, even if it is
               the default value "maildrop".
 
               This feature is available with Postfix 2.4 or later.
 
        leaf_result_attribute (default: empty)
-              When one or more  special  result  attributes  are  found  in  a
-              non-terminal  (see above) LDAP entry, leaf result attributes are
-              excluded from the expansion of that entry. This is  useful  when
-              expanding  groups  and  the desired mail address attribute(s) of
-              the member objects obtained via DN or  URI  recursion  are  also
+              When  one  or  more  special  result  attributes  are found in a
+              non-terminal (see above) LDAP entry, leaf result attributes  are
+              excluded  from  the expansion of that entry. This is useful when
+              expanding groups and the desired mail  address  attribute(s)  of
+              the  member  objects  obtained  via DN or URI recursion are also
               present in the group object. To only return the attribute values
-              from the leaf objects and not  the  containing  group,  add  the
-              attribute   to  the  leaf_result_attribute  list,  and  not  the
-              result_attribute list,  which  is  always  expanded.  Note,  the
-              default  value  of "result_attribute" is not empty, you may want
+              from  the  leaf  objects  and  not the containing group, add the
+              attribute  to  the  leaf_result_attribute  list,  and  not   the
+              result_attribute  list,  which  is  always  expanded.  Note, the
+              default value of "result_attribute" is not empty, you  may  want
               to set it explicitly empty when using "leaf_result_attribute" to
-              expand  the  group  to  a list of member DN addresses. If groups
+              expand the group to a list of member  DN  addresses.  If  groups
               have both member DN references AND attributes that hold multiple
               string valued rfc822 addresses, then the string attributes go in
-              "result_attribute".  The attributes  that  represent  the  email
-              addresses  of  objects  referenced  via a DN (or LDAP URI) go in
+              "result_attribute".   The  attributes  that  represent the email
+              addresses of objects referenced via a DN (or  LDAP  URI)  go  in
               "leaf_result_attribute".
 
                   result_attribute = memberaddr
@@ -361,20 +364,20 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
                   terminal_result_attribute = maildrop
                   leaf_result_attribute = mail
 
-              When  using  terminal  and/or  leaf   result   attributes,   the
-              result_attribute  is  best  set to an empty value when it is not
+              When   using   terminal   and/or  leaf  result  attributes,  the
+              result_attribute is best set to an empty value when  it  is  not
               used, or else explicitly set to the desired value, even if it is
               the default value "maildrop".
 
               This feature is available with Postfix 2.4 or later.
 
        scope (default: sub)
-              The  LDAP search scope: sub, base, or one.  These translate into
+              The LDAP search scope: sub, base, or one.  These translate  into
               LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE, and LDAP_SCOPE_ONELEVEL.
 
        bind (default: yes)
-              Whether or how to bind to the LDAP server. Newer LDAP  implemen-
-              tations  don't  require clients to bind, which saves time. Exam-
+              Whether  or how to bind to the LDAP server. Newer LDAP implemen-
+              tations don't require clients to bind, which saves  time.  Exam-
               ple:
 
                   # Don't bind
@@ -384,40 +387,40 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
                   # Use SASL bind
                   bind = sasl
 
-              Postfix versions prior to 2.8 only support  "bind  =  no"  which
+              Postfix  versions  prior  to  2.8 only support "bind = no" which
               means don't bind, and "bind = yes" which means do a SIMPLE bind.
-              Postfix 2.8 and later also supports "bind = SASL" when  compiled
+              Postfix  2.8 and later also supports "bind = SASL" when compiled
               with LDAP SASL support as described in LDAP_README, it also adds
-              the synonyms "bind = none" and "bind = simple" for "bind  =  no"
-              and  "bind  =  yes" respectively. See the SASL section below for
+              the  synonyms  "bind = none" and "bind = simple" for "bind = no"
+              and "bind = yes" respectively. See the SASL  section  below  for
               additional parameters available with "bind = sasl".
 
-              If you do need to bind, you might consider  configuring  Postfix
-              to  connect  to the local machine on a port that's an SSL tunnel
-              to your LDAP server. If your LDAP server doesn't  natively  sup-
-              port  SSL,  put  a  tunnel (wrapper, proxy, whatever you want to
-              call it) on that system too. This should  prevent  the  password
+              If  you  do need to bind, you might consider configuring Postfix
+              to connect to the local machine on a port that's an  SSL  tunnel
+              to  your  LDAP server. If your LDAP server doesn't natively sup-
+              port SSL, put a tunnel (wrapper, proxy,  whatever  you  want  to
+              call  it)  on  that system too. This should prevent the password
               from traversing the network in the clear.
 
        bind_dn (default: empty)
-              If  you  do  have  to  bind, do it with this distinguished name.
+              If you do have to bind, do  it  with  this  distinguished  name.
               Example:
 
                   bind_dn = uid=postfix, dc=your, dc=com
-              With "bind = sasl" (see above) the DN may be optional  for  some
+              With  "bind  = sasl" (see above) the DN may be optional for some
               SASL mechanisms, don't specify a DN if not needed.
 
        bind_pw (default: empty)
-              The  password  for  the distinguished name above. If you have to
-              use this, you probably want to make the map  configuration  file
-              readable  only  by  the  Postfix  user.  When using the obsolete
-              ldap:ldapsource syntax, with map parameters in  main.cf,  it  is
-              not  possible  to  securely  store  the  bind  password. This is
-              because main.cf needs  to  be  world  readable  to  allow  local
+              The password for the distinguished name above. If  you  have  to
+              use  this,  you probably want to make the map configuration file
+              readable only by the  Postfix  user.  When  using  the  obsolete
+              ldap:ldapsource  syntax,  with  map parameters in main.cf, it is
+              not possible to  securely  store  the  bind  password.  This  is
+              because  main.cf  needs  to  be  world  readable  to allow local
               accounts to submit mail via the sendmail command. Example:
 
                   bind_pw = postfixpw
-              With  "bind = sasl" (see above) the password may be optional for
+              With "bind = sasl" (see above) the password may be optional  for
               some SASL mechanisms, don't specify a password if not needed.
 
        cache (IGNORED with a warning)
@@ -425,38 +428,38 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
        cache_expiry (IGNORED with a warning)
 
        cache_size (IGNORED with a warning)
-              The above parameters are NO LONGER SUPPORTED by Postfix.   Cache
+              The  above parameters are NO LONGER SUPPORTED by Postfix.  Cache
               support has been dropped from OpenLDAP as of release 2.1.13.
 
        recursion_limit (default: 1000)
-              A  limit  on  the  nesting  depth  of  DN and URL special result
+              A limit on the nesting  depth  of  DN  and  URL  special  result
               attribute evaluation. The limit must be a non-zero positive num-
               ber.
 
        expansion_limit (default: 0)
-              A  limit  on  the total number of result elements returned (as a
+              A limit on the total number of result elements  returned  (as  a
               comma separated list) by a lookup against the map.  A setting of
-              zero  disables the limit. Lookups fail with a temporary error if
-              the limit is exceeded.  Setting the  limit  to  1  ensures  that
+              zero disables the limit. Lookups fail with a temporary error  if
+              the  limit  is  exceeded.   Setting  the limit to 1 ensures that
               lookups do not return multiple values.
 
        size_limit (default: $expansion_limit)
-              A  limit  on  the  number of LDAP entries returned by any single
+              A limit on the number of LDAP entries  returned  by  any  single
               LDAP search performed as part of the lookup. A setting of 0 dis-
-              ables  the  limit.   Expansion of DN and URL references involves
-              nested LDAP queries, each of which is  separately  subjected  to
+              ables the limit.  Expansion of DN and  URL  references  involves
+              nested  LDAP  queries,  each of which is separately subjected to
               this limit.
 
-              Note:  even  a  single  LDAP  entry can generate multiple lookup
-              results, via  multiple  result  attributes  and/or  multi-valued
-              result  attributes. This limit caps the per search resource uti-
-              lization on the LDAP server, not the final multiplicity  of  the
-              lookup   result.   It   is  analogous  to  the  "-z"  option  of
+              Note: even a single LDAP  entry  can  generate  multiple  lookup
+              results,  via  multiple  result  attributes  and/or multi-valued
+              result attributes. This limit caps the per search resource  uti-
+              lization  on  the LDAP server, not the final multiplicity of the
+              lookup  result.  It  is  analogous  to  the   "-z"   option   of
               "ldapsearch".
 
        dereference (default: 0)
               When to dereference LDAP aliases. (Note that this has nothing do
-              with  Postfix aliases.) The permitted values are those legal for
+              with Postfix aliases.) The permitted values are those legal  for
               the OpenLDAP/UM LDAP implementations:
 
               0      never
@@ -467,13 +470,13 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
 
               3      always
 
-              See ldap.h or the ldap_open(3) or ldapsearch(1)  man  pages  for
-              more  information.  And if you're using an LDAP package that has
-              other possible values, please bring it to the attention  of  the
+              See  ldap.h  or  the ldap_open(3) or ldapsearch(1) man pages for
+              more information. And if you're using an LDAP package  that  has
+              other  possible  values, please bring it to the attention of the
               postfix-users@postfix.org mailing list.
 
        chase_referrals (default: 0)
-              Sets  (or  clears)  LDAP_OPT_REFERRALS  (requires LDAP version 3
+              Sets (or clears) LDAP_OPT_REFERRALS  (requires  LDAP  version  3
               support).
 
        version (default: 2)
@@ -483,28 +486,28 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
               What level to set for debugging in the OpenLDAP libraries.
 
 LDAP SASL PARAMETERS
-       If you're using the OpenLDAP  libraries  compiled  with  SASL  support,
-       Postfix  2.8  and  later  built  with LDAP SASL support as described in
+       If  you're  using  the  OpenLDAP  libraries compiled with SASL support,
+       Postfix 2.8 and later built with LDAP  SASL  support  as  described  in
        LDAP_README can authenticate to LDAP servers via SASL.
 
-       This enables authentication to the LDAP  server  via  mechanisms  other
-       than  a  simple  password.  The  added flexibility has a cost: it is no
-       longer practical to set an explicit timeout on the duration of an  LDAP
-       bind  operation.  Under  adverse  conditions, whether a SASL bind times
-       out, or if it does, the duration of the timeout is  determined  by  the
+       This  enables  authentication  to  the LDAP server via mechanisms other
+       than a simple password. The added flexibility has  a  cost:  it  is  no
+       longer  practical to set an explicit timeout on the duration of an LDAP
+       bind operation. Under adverse conditions, whether  a  SASL  bind  times
+       out,  or  if  it does, the duration of the timeout is determined by the
        LDAP and SASL libraries.
 
-       It  is best to use tables that use SASL binds via proxymap(8), this way
-       the requesting process can time-out the  proxymap  request.  This  also
-       lets  you  tailer the process environment by overriding the proxymap(8)
-       import_environment setting in master.cf(5).  Special  environment  set-
+       It is best to use tables that use SASL binds via proxymap(8), this  way
+       the  requesting  process  can  time-out the proxymap request. This also
+       lets you tailer the process environment by overriding  the  proxymap(8)
+       import_environment  setting  in  master.cf(5). Special environment set-
        tings may be needed to configure GSSAPI credential caches or other SASL
-       mechanism specific  options.  The  GSSAPI  credentials  used  for  LDAP
-       lookups  may  need  to be different than say those used for the Postfix
+       mechanism  specific  options.  The  GSSAPI  credentials  used  for LDAP
+       lookups may need to be different than say those used  for  the  Postfix
        SMTP client to authenticate to remote servers.
 
-       Using SASL mechanisms requires LDAP protocol  version  3,  the  default
-       protocol  version  is 2 for backwards compatibility. You must set "ver-
+       Using  SASL  mechanisms  requires  LDAP protocol version 3, the default
+       protocol version is 2 for backwards compatibility. You must  set  "ver-
        sion = 3" in addition to "bind = sasl".
 
        The following parameters are relevant to using LDAP with SASL
@@ -519,14 +522,14 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
               The SASL authorization identity to assert, if applicable.
 
        sasl_minssf (default: 0)
-              The minimum required sasl security factor required to  establish
+              The  minimum required sasl security factor required to establish
               a connection.
 
 LDAP SSL AND STARTTLS PARAMETERS
        If you're using the OpenLDAP libraries compiled with SSL support, Post-
        fix can connect to LDAP SSL servers and can issue the STARTTLS command.
 
-       LDAP  SSL  service  can  be  requested  by  using a LDAP SSL URL in the
+       LDAP SSL service can be requested by  using  a  LDAP  SSL  URL  in  the
        server_host parameter:
 
            server_host = ldaps://ldap.example.com:636
@@ -540,87 +543,87 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
 
            version = 3
 
-       If  any  of the Postfix programs querying the map is configured in mas-
-       ter.cf to run chrooted, all the certificates and keys involved have  to
-       be  copied  to the chroot jail. Of course, the private keys should only
+       If any of the Postfix programs querying the map is configured  in  mas-
+       ter.cf  to run chrooted, all the certificates and keys involved have to
+       be copied to the chroot jail. Of course, the private keys  should  only
        be readable by the user "postfix".
 
        The following parameters are relevant to LDAP SSL and STARTTLS:
 
        start_tls (default: no)
-              Whether or not to issue STARTTLS upon connection to the  server.
+              Whether  or not to issue STARTTLS upon connection to the server.
               Don't set this with LDAP SSL (the SSL session is setup automati-
               cally when the TCP connection is opened).
 
        tls_ca_cert_dir (No default; set either this or tls_ca_cert_file)
-              Directory containing X509 Certification  Authority  certificates
-              in  PEM  format  which  are  to  be  recognized by the client in
-              SSL/TLS connections. The files each contain one CA  certificate.
+              Directory  containing  X509 Certification Authority certificates
+              in PEM format which are  to  be  recognized  by  the  client  in
+              SSL/TLS  connections. The files each contain one CA certificate.
               The files are looked up by the CA subject name hash value, which
-              must hence be available. If more than one  CA  certificate  with
-              the  same name hash value exist, the extension must be different
-              (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search  is  performed  in
-              the  ordering of the extension number, regardless of other prop-
-              erties of the certificates. Use the c_rehash utility  (from  the
+              must  hence  be  available. If more than one CA certificate with
+              the same name hash value exist, the extension must be  different
+              (e.g.  9d66eef0.0,  9d66eef0.1  etc). The search is performed in
+              the ordering of the extension number, regardless of other  prop-
+              erties  of  the certificates. Use the c_rehash utility (from the
               OpenSSL distribution) to create the necessary links.
 
        tls_ca_cert_file (No default; set either this or tls_ca_cert_dir)
               File containing the X509 Certification Authority certificates in
-              PEM format which are to be recognized by the client  in  SSL/TLS
+              PEM  format  which are to be recognized by the client in SSL/TLS
               connections. This setting takes precedence over tls_ca_cert_dir.
 
        tls_cert (No default; you must set this)
-              File containing client's X509 certificate  to  be  used  by  the
+              File  containing  client's  X509  certificate  to be used by the
               client in SSL/ TLS connections.
 
        tls_key (No default; you must set this)
-              File  containing  the  private  key  corresponding  to the above
+              File containing the  private  key  corresponding  to  the  above
               tls_cert.
 
        tls_require_cert (default: no)
-              Whether or not to request server's X509  certificate  and  check
-              its  validity  when  establishing SSL/TLS connections.  The sup-
+              Whether  or  not  to request server's X509 certificate and check
+              its validity when establishing SSL/TLS  connections.   The  sup-
               ported values are no and yes.
 
-              With no, the server certificate trust chain is not checked,  but
-              with  OpenLDAP  prior to 2.1.13, the name in the server certifi-
-              cate must still match the LDAP server name. With OpenLDAP  2.0.0
+              With  no, the server certificate trust chain is not checked, but
+              with OpenLDAP prior to 2.1.13, the name in the  server  certifi-
+              cate  must still match the LDAP server name. With OpenLDAP 2.0.0
               to 2.0.11 the server name is not necessarily what you specified,
-              rather it is determined (by reverse lookup) from the IP  address
-              of  the  LDAP  server connection. With OpenLDAP prior to 2.0.13,
+              rather  it is determined (by reverse lookup) from the IP address
+              of the LDAP server connection. With OpenLDAP  prior  to  2.0.13,
               subjectAlternativeName extensions in the LDAP server certificate
-              are  ignored: the server name must match the subject CommonName.
-              The no setting corresponds to the never value of TLS_REQCERT  in
+              are ignored: the server name must match the subject  CommonName.
+              The  no setting corresponds to the never value of TLS_REQCERT in
               LDAP client configuration files.
 
-              Don't  use TLS with OpenLDAP 2.0.x (and especially with x <= 11)
+              Don't use TLS with OpenLDAP 2.0.x (and especially with x <=  11)
               if you can avoid it.
 
               With yes, the server certificate must be issued by a trusted CA,
-              and  not  be expired. The LDAP server name must match one of the
+              and not be expired. The LDAP server name must match one  of  the
               name(s) found in the certificate (see above for OpenLDAP library
-              version  dependent behavior). The yes setting corresponds to the
-              demand value of TLS_REQCERT in LDAP client configuration  files.
+              version dependent behavior). The yes setting corresponds to  the
+              demand  value of TLS_REQCERT in LDAP client configuration files.
 
-              The  "try" and "allow" values of TLS_REQCERT have no equivalents
-              here. They are not available with OpenLDAP 2.0, and in any  case
+              The "try" and "allow" values of TLS_REQCERT have no  equivalents
+              here.  They are not available with OpenLDAP 2.0, and in any case
               have questionable security properties. Either you want TLS veri-
               fied LDAP connections, or you don't.
 
-              The yes value only works correctly with Postfix 2.5  and  later,
+              The  yes  value only works correctly with Postfix 2.5 and later,
               or with OpenLDAP 2.0. Earlier Postfix releases or later OpenLDAP
               releases don't work together with this setting. Support for LDAP
               over TLS was added to Postfix based on the OpenLDAP 2.0 API.
 
        tls_random_file (No default)
               Path of a file to obtain random bits from when /dev/[u]random is
-              not available, to be used by the client in SSL/TLS  connections.
+              not  available, to be used by the client in SSL/TLS connections.
 
        tls_cipher_suite (No default)
               Cipher suite to use in SSL/TLS negotiations.
 
 EXAMPLE
-       Here's  a  basic  example  for  using LDAP to look up local(8) aliases.
+       Here's a basic example for using LDAP  to  look  up  local(8)  aliases.
        Assume that in main.cf, you have:
 
            alias_maps = hash:/etc/aliases,
@@ -631,33 +634,33 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
            server_host = ldap.example.com
            search_base = dc=example, dc=com
 
-       Upon receiving mail for a local address "ldapuser" that isn't found  in
-       the  /etc/aliases database, Postfix will search the LDAP server listen-
-       ing at port 389 on ldap.example.com.  It will bind anonymously,  search
-       for  any  directory  entries  whose mailacceptinggeneralid attribute is
-       "ldapuser", read the "maildrop" attributes of those found, and build  a
-       list  of  their maildrops, which will be treated as RFC822 addresses to
+       Upon  receiving mail for a local address "ldapuser" that isn't found in
+       the /etc/aliases database, Postfix will search the LDAP server  listen-
+       ing  at port 389 on ldap.example.com.  It will bind anonymously, search
+       for any directory entries  whose  mailacceptinggeneralid  attribute  is
+       "ldapuser",  read the "maildrop" attributes of those found, and build a
+       list of their maildrops, which will be treated as RFC822  addresses  to
        which the message will be delivered.
 
 OBSOLETE MAIN.CF PARAMETERS
-       For backwards compatibility with Postfix version 2.0 and earlier,  LDAP
-       parameters  can  also  be defined in main.cf.  Specify as LDAP source a
-       name that doesn't begin with a slash or a  dot.   The  LDAP  parameters
+       For  backwards compatibility with Postfix version 2.0 and earlier, LDAP
+       parameters can also be defined in main.cf.  Specify as  LDAP  source  a
+       name  that  doesn't  begin  with a slash or a dot.  The LDAP parameters
        will then be accessible as the name you've given the source in its def-
        inition, an underscore, and the name of the parameter.  For example, if
-       the  map is specified as "ldap:ldapsource", the "server_host" parameter
+       the map is specified as "ldap:ldapsource", the "server_host"  parameter
        below would be defined in main.cf as "ldapsource_server_host".
 
        Note: with this form, the passwords for the LDAP sources are written in
-       main.cf,  which is normally world-readable.  Support for this form will
+       main.cf, which is normally world-readable.  Support for this form  will
        be removed in a future Postfix version.
 
 OTHER OBSOLETE FEATURES
        result_filter (No default)
-              For backwards compatibility  with  the  pre  2.2  LDAP  clients,
+              For  backwards  compatibility  with  the  pre  2.2 LDAP clients,
               result_filter can for now be used instead of result_format, when
-              the latter parameter is not  also  set.   The  new  name  better
-              reflects  the  function  of  the  parameter.  This compatibility
+              the  latter  parameter  is  not  also  set.  The new name better
+              reflects the  function  of  the  parameter.  This  compatibility
               interface may be removed in a future release.
 
 SEE ALSO
@@ -674,8 +677,8 @@ LDAP_TABLE(5)                                                    LDAP_TABLE(5)
        The Secure Mailer license must be distributed with this software.
 
 AUTHOR(S)
-       Carsten  Hoeger, Hery Rakotoarisoa, John Hensley, Keith Stevenson, LaM-
-       ont Jones, Liviu Daia, Manuel Guesdon, Mike Mattice, Prabhat  K  Singh,
+       Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith Stevenson,  LaM-
+       ont  Jones,  Liviu Daia, Manuel Guesdon, Mike Mattice, Prabhat K Singh,
        Sami Haahtinen, Samuel Tardieu, Victor Duchovni, and many others.
 
                                                                  LDAP_TABLE(5)
diff --git a/postfix/html/memcache_table.5.html b/postfix/html/memcache_table.5.html
index 47c9aa396..570753fef 100644
--- a/postfix/html/memcache_table.5.html
+++ b/postfix/html/memcache_table.5.html
@@ -17,27 +17,28 @@ MEMCACHE_TABLE(5)                                            MEMCACHE_TABLE(5)
 
 DESCRIPTION
        The  Postfix  mail system uses optional tables for address rewriting or
-       mail routing. These tables are usually in dbm or db format.
+       mail routing. These tables are usually in lmdb:, cdb:, hash:,  or  dbm:
+       format.
 
-       Alternatively, lookup tables can be specified  as  memcache  instances.
-       To  use memcache lookups, define a memcache source as a lookup table in
+       Alternatively, lookup tables can be specified as memcache instances. To
+       use memcache lookups, define a memcache source as  a  lookup  table  in
        main.cf, for example:
 
            virtual_alias_maps = memcache:/etc/postfix/memcache-aliases.cf
 
-       The file /etc/postfix/memcache-aliases.cf has the same  format  as  the
+       The  file  /etc/postfix/memcache-aliases.cf  has the same format as the
        Postfix main.cf file, and specifies the parameters described below.
 
-       The  Postfix  memcache  client  supports the lookup, update, delete and
-       sequence (first/next) operations. The  sequence  operation  requires  a
+       The Postfix memcache client supports the  lookup,  update,  delete  and
+       sequence  (first/next)  operations.  The  sequence operation requires a
        backup database that supports the operation.
 
 MEMCACHE MAIN PARAMETERS
        memcache (default: inet:localhost:11211)
-              The  memcache  server  (note: singular) that Postfix will try to
-              connect to.  For a TCP server  specify  "inet:"  followed  by  a
+              The memcache server (note: singular) that Postfix  will  try  to
+              connect  to.   For  a  TCP  server specify "inet:" followed by a
               hostname or address, ":", and a port name or number.  Specify an
-              IPv6 address inside "[]".   For  a  UNIX-domain  server  specify
+              IPv6  address  inside  "[]".   For  a UNIX-domain server specify
               "unix:" followed by the socket pathname. Examples:
 
                   memcache = inet:memcache.example.com:11211
@@ -45,15 +46,15 @@ MEMCACHE_TABLE(5)                                            MEMCACHE_TABLE(5)
                   memcache = inet:[fc00:8d00:189::3]:11211
                   memcache = unix:/path/to/socket
 
-              NOTE:  to  access  a  UNIX-domain  socket  with  the proxymap(8)
-              server, the socket must be accessible by the unprivileged  post-
+              NOTE: to  access  a  UNIX-domain  socket  with  the  proxymap(8)
+              server,  the socket must be accessible by the unprivileged post-
               fix user.
 
        backup (default: undefined)
               An optional Postfix database that provides persistent backup for
-              the memcache database. The Postfix memcache client  will  update
-              the  memcache  database whenever it looks up or changes informa-
-              tion in the persistent database. Specify a Postfix  "type:table"
+              the  memcache  database. The Postfix memcache client will update
+              the memcache database whenever it looks up or  changes  informa-
+              tion  in the persistent database. Specify a Postfix "type:table"
               database. Examples:
 
                   # Non-shared postscreen cache.
@@ -64,65 +65,65 @@ MEMCACHE_TABLE(5)                                            MEMCACHE_TABLE(5)
 
               Access to remote proxymap servers is under development.
 
-              NOTE  1:  When  sharing  a persistent postscreen(8) or verify(8)
-              cache,     disable     automatic     cache     cleanup      (set
-              *_cache_cleanup_interval  =  0) except with one Postfix instance
+              NOTE 1: When sharing a  persistent  postscreen(8)  or  verify(8)
+              cache,      disable     automatic     cache     cleanup     (set
+              *_cache_cleanup_interval = 0) except with one  Postfix  instance
               that will be responsible for cache cleanup.
 
-              NOTE 2: When multiple tables share the same  memcache  database,
-              each  table  should  use  the  key_format feature (see below) to
-              prepend its own unique string to  the  lookup  key.   Otherwise,
+              NOTE  2:  When multiple tables share the same memcache database,
+              each table should use the  key_format  feature  (see  below)  to
+              prepend  its  own  unique  string to the lookup key.  Otherwise,
               automatic postscreen(8) or verify(8) cache cleanup may not work.
 
-              NOTE 3: When the  backup  database  is  accessed  with  "proxy:"
-              lookups,  the  full backup database name (including the "proxy:"
+              NOTE  3:  When  the  backup  database  is accessed with "proxy:"
+              lookups, the full backup database name (including  the  "proxy:"
               prefix)   must   be   specified   in   the   proxymap   server's
-              proxy_read_maps   or   proxy_write_maps  setting  (depending  on
+              proxy_read_maps  or  proxy_write_maps  setting   (depending   on
               whether the access is read-only or read-write).
 
        flags (default: 0)
-              Optional flags that should  be  stored  along  with  a  memcache
+              Optional  flags  that  should  be  stored  along with a memcache
               update. The flags are ignored when looking up information.
 
        ttl (default: 3600)
               The expiration time in seconds of memcache updates.
 
-              NOTE  1:  When  using  a memcache table as postscreen(8) or ver-
-              ify(8)  cache  without  persistent  backup,   specify   a   zero
-              *_cache_cleanup_interval  value  with all Postfix instances that
-              use the memcache, and specify the  largest  postscreen(8)  *_ttl
-              value  or  verify(8) *_expire_time value as the memcache table's
+              NOTE 1: When using a memcache table  as  postscreen(8)  or  ver-
+              ify(8)   cache   without   persistent  backup,  specify  a  zero
+              *_cache_cleanup_interval value with all Postfix  instances  that
+              use  the  memcache,  and specify the largest postscreen(8) *_ttl
+              value or verify(8) *_expire_time value as the  memcache  table's
               ttl value.
 
-              NOTE 2: According to memcache protocol  documentation,  a  value
-              greater  than  30 days (2592000 seconds) specifies absolute UNIX
+              NOTE  2:  According  to memcache protocol documentation, a value
+              greater than 30 days (2592000 seconds) specifies  absolute  UNIX
               time. Smaller values are relative to the time of the update.
 
 MEMCACHE KEY PARAMETERS
        key_digest (default: empty)
-              After processing the key_format setting, and  before  sending  a
-              request  to  the  memcache server, run the key through the named
-              message digest algorithm and convert  the  result  to  lowercase
-              hexadecimal  characters.  This  prevents a database access error
-              when keys may exceed the  memcache  server's  key  length  limit
+              After  processing  the  key_format setting, and before sending a
+              request to the memcache server, run the key  through  the  named
+              message  digest  algorithm  and  convert the result to lowercase
+              hexadecimal characters. This prevents a  database  access  error
+              when  keys  may  exceed  the  memcache server's key length limit
               (usually, 250 bytes). Specify the name of a message digest algo-
               rithm that is supported by OpenSSL, for example, sha256.
 
-              This feature  is  available  in  Postfix  3.11  and  later,  and
+              This  feature  is  available  in  Postfix  3.11  and  later, and
               requires that Postfix is built with TLS support.
 
        key_format (default: %s)
-              Format  of  the lookup and update keys that the Postfix memcache
-              client sends to the memcache server.  By default, these are  the
-              same  as  the  lookup  and  update keys that the memcache client
+              Format of the lookup and update keys that the  Postfix  memcache
+              client  sends to the memcache server.  By default, these are the
+              same as the lookup and update  keys  that  the  memcache  client
               receives from Postfix applications.
 
-              NOTE 1: The key_format feature is not used for  backup  database
+              NOTE  1:  The key_format feature is not used for backup database
               requests.
 
-              NOTE  2:  When multiple tables share the same memcache database,
-              each table should prepend its own unique string  to  the  lookup
-              key.   Otherwise,  automatic  postscreen(8)  or  verify(8) cache
+              NOTE 2: When multiple tables share the same  memcache  database,
+              each  table  should  prepend its own unique string to the lookup
+              key.  Otherwise,  automatic  postscreen(8)  or  verify(8)  cache
               cleanup may not work.
 
               Examples:
@@ -138,37 +139,37 @@ MEMCACHE_TABLE(5)                                            MEMCACHE_TABLE(5)
               %s     This is replaced by the memcache client input key.
 
               %u     When the input key is an address of the form user@domain,
-                     %u  is  replaced  by  the  SQL  quoted  local part of the
-                     address.  Otherwise, %u is replaced by the entire  search
-                     string.   If the localpart is empty, a lookup is silently
-                     suppressed and returns no results (an update  is  skipped
+                     %u is replaced by  the  SQL  quoted  local  part  of  the
+                     address.   Otherwise, %u is replaced by the entire search
+                     string.  If the localpart is empty, a lookup is  silently
+                     suppressed  and  returns no results (an update is skipped
                      with a warning).
 
               %d     When the input key is an address of the form user@domain,
                      %d is replaced by the domain part of the address.  Other-
-                     wise,  a  lookup  is  silently  suppressed and returns no
+                     wise, a lookup is  silently  suppressed  and  returns  no
                      results (an update is skipped with a warning).
 
               %[SUD] The upper-case equivalents of the above expansions behave
-                     in   the   key_format   parameter  identically  to  their
+                     in  the  key_format  parameter   identically   to   their
                      lower-case counter-parts.
 
-              %[1-9] The patterns %1, %2, ... %9 are replaced  by  the  corre-
-                     sponding  most  significant  component of the input key's
-                     domain. If the input key is  user@mail.example.com,  then
+              %[1-9] The  patterns  %1,  %2, ... %9 are replaced by the corre-
+                     sponding most significant component of  the  input  key's
+                     domain.  If  the input key is user@mail.example.com, then
                      %1 is com, %2 is example and %3 is mail. If the input key
-                     is unqualified or does not have enough domain  components
-                     to  satisfy  all  the  specified  patterns,  a  lookup is
-                     silently suppressed and returns no results (an update  is
+                     is  unqualified or does not have enough domain components
+                     to satisfy  all  the  specified  patterns,  a  lookup  is
+                     silently  suppressed and returns no results (an update is
                      skipped with a warning).
 
        domain (default: no domain list)
-              This  feature  can  significantly  reduce  database server load.
-              Specify a list of domain names, paths to files, or  "type:table"
-              databases.   When  specified,  only  fully qualified search keys
-              with a *non-empty* localpart and a matching domain are  eligible
-              for  lookup  or update: bare 'user' lookups, bare domain lookups
-              and "@domain" lookups are silently skipped (updates are  skipped
+              This feature can  significantly  reduce  database  server  load.
+              Specify  a list of domain names, paths to files, or "type:table"
+              databases.  When specified, only  fully  qualified  search  keys
+              with  a *non-empty* localpart and a matching domain are eligible
+              for lookup or update: bare 'user' lookups, bare  domain  lookups
+              and  "@domain" lookups are silently skipped (updates are skipped
               with a warning).  Example:
 
                   domain = example.com, hash:/etc/postfix/searchdomains
@@ -181,30 +182,30 @@ MEMCACHE_TABLE(5)                                            MEMCACHE_TABLE(5)
               The maximal memcache reply line length in bytes.
 
        max_try (default: 2)
-              The  number of times to try a memcache command before giving up.
-              The memcache client does not retry a command when  the  memcache
+              The number of times to try a memcache command before giving  up.
+              The  memcache  client does not retry a command when the memcache
               server accepts no connection.
 
        retry_pause (default: 1)
               The time in seconds before retrying a failed memcache command.
 
        timeout (default: 2)
-              The  time limit for sending a memcache command and for receiving
+              The time limit for sending a memcache command and for  receiving
               a memcache reply.
 
 BUGS
-       The Postfix memcache  client  cannot  be  used  for  security-sensitive
+       The  Postfix  memcache  client  cannot  be  used for security-sensitive
        tables such as alias_maps (these may contain "|command and "/file/name"
-       destinations), or virtual_uid_maps, virtual_gid_maps and  virtual_mail-
+       destinations),  or virtual_uid_maps, virtual_gid_maps and virtual_mail-
        box_maps (these specify UNIX process privileges for "/file/name" desti-
-       nations).  In a typical deployment a memcache database is  writable  by
-       any  process  that  can talk to the memcache server; in contrast, secu-
-       rity-sensitive tables must never be writable by the unprivileged  Post-
+       nations).   In  a typical deployment a memcache database is writable by
+       any process that can talk to the memcache server;  in  contrast,  secu-
+       rity-sensitive  tables must never be writable by the unprivileged Post-
        fix user.
 
        The Postfix memcache client requires additional configuration when used
-       as postscreen(8) or verify(8) cache.  For details see  the  backup  and
-       ttl  parameter  discussions  in  the  MEMCACHE  MAIN PARAMETERS section
+       as  postscreen(8)  or  verify(8) cache.  For details see the backup and
+       ttl parameter discussions  in  the  MEMCACHE  MAIN  PARAMETERS  section
        above.
 
 SEE ALSO
diff --git a/postfix/html/mongodb_table.5.html b/postfix/html/mongodb_table.5.html
index 88f5a4d4c..f323d1048 100644
--- a/postfix/html/mongodb_table.5.html
+++ b/postfix/html/mongodb_table.5.html
@@ -17,11 +17,15 @@ MONGODB_TABLE(5)                                              MONGODB_TABLE(5)
 
 DESCRIPTION
        The  Postfix  mail system uses optional tables for address rewriting or
-       mail routing. These tables are usually in dbm or db format.
+       mail routing. These tables are usually in lmdb:, cdb:, hash:,  or  dbm:
+       format.
 
-       Alternatively, lookup tables can be specified as MongoDB databases.  In
-       order to use MongoDB lookups, define a MongoDB source as a lookup table
-       in main.cf, for example:
+       Alternatively, lookup tables can be specified as MongoDB databases.  To
+       find out what types of lookup tables your Postfix system  supports  use
+       the "postconf -m" command.
+
+       In  order  to  use MongoDB lookups, define a MongoDB source as a lookup
+       table in main.cf, for example:
            alias_maps = mongodb:/etc/postfix/mongodb-aliases.cf
 
        In this example, the file /etc/postfix/mongodb-aliases.cf has the  same
diff --git a/postfix/html/mysql_table.5.html b/postfix/html/mysql_table.5.html
index 5fecce71e..136679c38 100644
--- a/postfix/html/mysql_table.5.html
+++ b/postfix/html/mysql_table.5.html
@@ -17,11 +17,15 @@ MYSQL_TABLE(5)                                                  MYSQL_TABLE(5)
 
 DESCRIPTION
        The  Postfix  mail system uses optional tables for address rewriting or
-       mail routing. These tables are usually in dbm or db format.
+       mail routing. These tables are usually in lmdb:, cdb:, hash:,  or  dbm:
+       format.
 
-       Alternatively, lookup tables can be specified as MySQL  databases.   In
-       order  to use MySQL lookups, define a MySQL source as a lookup table in
-       main.cf, for example:
+       Alternatively,  lookup  tables can be specified as MySQL databases.  To
+       find out what types of lookup tables your Postfix system  supports  use
+       the "postconf -m" command.
+
+       In  order to use MySQL lookups, define a MySQL source as a lookup table
+       in main.cf, for example:
            alias_maps = mysql:/etc/postfix/mysql-aliases.cf
 
        The file /etc/postfix/mysql-aliases.cf has the same format as the Post-
diff --git a/postfix/html/nbdb_reindexd.8.html b/postfix/html/nbdb_reindexd.8.html
new file mode 100644
index 000000000..36529a280
--- /dev/null
+++ b/postfix/html/nbdb_reindexd.8.html
@@ -0,0 +1,151 @@
+
+ 
+
+
+ Postfix manual - nbdb_reindexd(8) 
+  
    +NBDB_REINDEXD(8)                                              NBDB_REINDEXD(8)
+
+NAME
+       nbdb_reindexd - Postfix non-Berkeley-DB migration
+
+SYNOPSIS
+       nbdb_reindexd [generic Postfix daemon options]
+
+DESCRIPTION
+       NOTE:  This service should be enabled only temporarily to generate most
+       of the non-Berkeley-DB indexed files that Postfix needs.  Leaving  this
+       service  enabled may expose the system to privilege-escalation attacks.
+
+       The nbdb_reindexd(8) server handles requests to generate  a  non-Berke-
+       ley-DB  indexed  database  file  for  an  existing Berkeley DB database
+       (example: "hash:/path/to/file" or "btree:/path/to/file"). It implements
+       the  service  by  running  the  postmap(1) or postalias(1) command with
+       appropriate privileges.
+
+       The service reports a success status when the  non-Berkeley-DB  indexed
+       file  already  exists.  This  can happen when multiple clients make the
+       same request. When one request is completed successfully,  the  service
+       also reports success for the other requests.
+
+       This service enforces the following safety policy:
+
+       o      The  legacy  Berkeley DB indexed file must exist (file name ends
+              in ".db"). The nbdb_reindexd(8) service  will  use  the  owner"s
+              (uid,  gid)  of  this  file,  when it runs postmap(1) or postal-
+              ias(1). It also uses the (uid,gid) for a number of safety checks
+              as described next.
+
+       o      The  non-indexed source file must exist (file name without ".db"
+              suffix). This file is needed as input for postmap(1) or  postal-
+              ias(1).  The  file  must be owned by "root" or by the above uid,
+              and must not allow "group" or "other" write access.
+
+       o      The parent directory must be owned by "root"  or  by  the  above
+              uid, and it must not allow "group" or "other" write access.
+
+       o      Additionally, the "non_bdb_migration_allow_root_prefixes" param-
+              eter limits the source file directory prefixes that are  allowed
+              when  this  service needs to run postmap(1) or postalias(1) with
+              "root" privileges.
+
+       o      A  similar  parameter,  "non_bdb_migration_allow_user_prefixes",
+              limits  the source file directory prefixes that are allowed when
+              this service needs to  run  postmap(1)  or  postalias(1)  as  an
+              unprivileged user.
+
+SECURITY
+       The nbdb_reindexd(8) server is security sensitive.  It accepts requests
+       only from processes that can access sockets under $queue_directory/pri-
+       vate  (i.e.,  processes  that run with "root" or "mail_owner" (usually,
+       postfix) privileges).
+
+       The threat is therefore a corrupted Postfix daemon process  that  wants
+       to  elevate privileges, by sending requests with crafted pathnames, and
+       racing against the service by quickly swapping  files  or  directories,
+       hoping  that Postfix will be tricked to overwrite a sensitive file with
+       attacker-controlled data.
+
+       When the service runs postmap(1) or postalias(1) as "root", such racing
+       attacks should not be possible if non_bdb_migration_allow_root_prefixes
+       specifies only prefixes that are already trusted.
+
+       This service could block all requests with crafted pathnames, if  given
+       complete  information  about  all  lookup  tables  that  are referenced
+       through Postfix configuration files. Unfortunately that information was
+       not available at the time that this program was needed.
+
+DIAGNOSTICS
+       Problems  and  transactions are logged to syslogd(8) or postlogd(8). If
+       an attempt to create an index file fails, this service will attempt  to
+       delete the incomplete file.
+
+CONFIGURATION PARAMETERS
+       Changes to main.cf are not picked up automatically, as nbdb_reindexd(8)
+       processes are long-lived. Use the command "postfix reload" after a con-
+       figuration change.
+
+       The  text  below provides only a parameter summary. See postconf(5) for
+       more details including examples.
+
+SERVICE-SPECIFIC CONTROLS
+       non_bdb_migration_level (disable)
+              The non-Berkeley-DB migration service level.
+
+       non_bdb_migration_allow_root_prefixes (see 'postconf -d  non_bdb_migra-
+       tion_allow_root_prefixes' output)
+              A list of trusted pathname prefixes that must  be  matched  when
+              the  non-Berkeley-DB  migration service (nbdb_reindexd(8)) needs
+              to run postmap(1) or postalias(1) commands  with  "root"  privi-
+              lege.
+
+       non_bdb_migration_allow_user_prefixes  (see 'postconf -d non_bdb_migra-
+       tion_allow_user_prefixes' output)
+              A  list  of  trusted pathname prefixes that must be matched when
+              the non-Berkeley-DB migration service  (nbdb_reindexd(8))  needs
+              to  run postmap(1) or postalias(1) commands with non-root privi-
+              lege.
+
+MISCELLANEOUS CONTROLS
+       config_directory (see 'postconf -d' output)
+              The default location of the Postfix main.cf and  master.cf  con-
+              figuration files.
+
+       process_id (read-only)
+              The process ID of a Postfix command or daemon process.
+
+       process_name (read-only)
+              The process name of a Postfix command or daemon process.
+
+       syslog_facility (mail)
+              The syslog facility of Postfix logging.
+
+       syslog_name (see 'postconf -d' output)
+              A  prefix  that  is  prepended  to  the  process  name in syslog
+              records, so that, for example, "smtpd" becomes "prefix/smtpd".
+
+       service_name (read-only)
+              The master.cf service name of a Postfix daemon process.
+
+SEE ALSO
+       postfix-non-bdb(1), migration management
+       postconf(5), configuration parameters
+       postlogd(8), Postfix logging
+       syslogd(8), system logging
+
+README FILES
+       NON_BERKELEYDB_README, Non-Berkeley-DB migration guide
+
+LICENSE
+       The Secure Mailer license must be distributed with this software.
+
+HISTORY
+       This service was introduced with Postfix version 3.11.
+
+AUTHOR(S)
+       Wietse Venema
+       porcupine.org
+
+                                                              NBDB_REINDEXD(8)
+
      
diff --git a/postfix/html/nisplus_table.5.html b/postfix/html/nisplus_table.5.html
index 302915bb8..e06b69c61 100644
--- a/postfix/html/nisplus_table.5.html
+++ b/postfix/html/nisplus_table.5.html
@@ -16,37 +16,38 @@ NISPLUS_TABLE(5)                                              NISPLUS_TABLE(5)
        postmap -q - "nisplus:[name=%s];name.name." <inputfile
 
 DESCRIPTION
-       The  Postfix mail system uses optional lookup tables.  These tables are
-       usually in dbm or db format.  Alternatively, lookup tables can be spec-
-       ified as NIS+ databases.
+       The Postfix mail system uses optional lookup tables.  rewriting or mail
+       routing. These tables are usually in lmdb:, cdb:, hash:, or  dbm:  for-
+       mat.
 
-       To  find  out  what types of lookup tables your Postfix system supports
-       use the "postconf -m" command.
+       Alternatively,  lookup  tables  can be specified as NIS+ databases.  To
+       find out what types of lookup tables your Postfix system  supports  use
+       the "postconf -m" command.
 
-       To test Postfix NIS+ lookup tables, use the  "postmap  -q"  command  as
+       To  test  Postfix  NIS+  lookup tables, use the "postmap -q" command as
        described in the SYNOPSIS above.
 
 QUERY SYNTAX
-       Most  of the NIS+ query is specified via the NIS+ map name. The general
+       Most of the NIS+ query is specified via the NIS+ map name. The  general
        format of a Postfix NIS+ map name is as follows:
 
            nisplus:[name=%s];name.name.name.:column
 
-       Postfix NIS+ map names differ from what one  normally  would  use  with
+       Postfix  NIS+  map  names  differ from what one normally would use with
        commands such as niscat:
 
-       o      With  each  NIS+  table lookup, "%s" is replaced by a version of
-              the lookup string.  There can be only one  "%s"  instance  in  a
+       o      With each NIS+ table lookup, "%s" is replaced by  a  version  of
+              the  lookup  string.   There  can be only one "%s" instance in a
               Postfix NIS+ map name.
 
-       o      Postfix  NIS+ map names use ";" instead of ",", because the lat-
-              ter character is special in the Postfix main.cf  file.   Postfix
-              replaces  ";"  characters  in  the map name by "," before making
+       o      Postfix NIS+ map names use ";" instead of ",", because the  lat-
+              ter  character  is special in the Postfix main.cf file.  Postfix
+              replaces ";" characters in the map name  by  ","  before  making
               NIS+ queries.
 
-       o      The ":column" part in the NIS+ map  name  is  not  part  of  the
+       o      The  ":column"  part  in  the  NIS+  map name is not part of the
               actual NIS+ query. Instead, it specifies the number of the table
-              column that provides the lookup result.  When  no  ":column"  is
+              column  that  provides  the  lookup result. When no ":column" is
               specified the first column (1) is used.
 
 EXAMPLE
diff --git a/postfix/html/pcre_table.5.html b/postfix/html/pcre_table.5.html
index 887ccd7ba..d66c90974 100644
--- a/postfix/html/pcre_table.5.html
+++ b/postfix/html/pcre_table.5.html
@@ -20,8 +20,8 @@ PCRE_TABLE(5)                                                    PCRE_TABLE(5)
        postmap -bmq - pcre:/etc/postfix/filename <inputfile
 
 DESCRIPTION
-       The  Postfix  mail  system  uses optional tables for address rewriting,
-       mail routing, or access control. These tables are usually in dbm or  db
+       The  Postfix  mail system uses optional tables for address rewriting or
+       mail routing. These tables are usually in lmdb:, cdb:, hash:,  or  dbm:
        format.
 
        Alternatively,  lookup tables can be specified in Perl Compatible Regu-
diff --git a/postfix/html/pgsql_table.5.html b/postfix/html/pgsql_table.5.html
index cab95ff89..09b5adc1b 100644
--- a/postfix/html/pgsql_table.5.html
+++ b/postfix/html/pgsql_table.5.html
@@ -17,9 +17,13 @@ PGSQL_TABLE(5)                                                  PGSQL_TABLE(5)
 
 DESCRIPTION
        The  Postfix  mail system uses optional tables for address rewriting or
-       mail routing. These tables are usually in dbm or db format.
+       mail routing. These tables are usually in lmdb:, cdb:, hash:,  or  dbm:
+       format.
+
+       Alternatively,  lookup tables can be specified as PostgreSQL databases.
+       To find out what types of lookup tables your  Postfix  system  supports
+       use the "postconf -m" command.
 
-       Alternatively, lookup tables can be specified as PostgreSQL  databases.
        In  order  to  use  PostgreSQL lookups, define a PostgreSQL source as a
        lookup table in main.cf, for example:
            alias_maps = pgsql:/etc/postfix/pgsql-aliases.cf
diff --git a/postfix/html/postalias.1.html b/postfix/html/postalias.1.html
index b6ba86167..9892c1506 100644
--- a/postfix/html/postalias.1.html
+++ b/postfix/html/postalias.1.html
@@ -121,41 +121,41 @@ POSTALIAS(1)                                                      POSTALIAS(1)
               The database type. To find out what types are supported, use the
               "postconf -m" command.
 
-              The  postalias(1) command can query any supported file type, but
+              When  no  file_type is specified, the software uses the database
+              type  specified  via  the  default_database_type   configuration
+              parameter.   The default value for this parameter depends on the
+              host environment.
+
+              The postalias(1) command can query any supported file type,  but
               it can create only the following file types:
 
-              btree  The output is a btree file, named file_name.db.  This  is
+              btree  The  output is a btree file, named file_name.db.  This is
                      available on systems with support for db databases.
 
-              cdb    The  output  is  one  file  named file_name.cdb.  This is
+              cdb    The output is one  file  named  file_name.cdb.   This  is
                      available on systems with support for cdb databases.
 
               dbm    The output consists of two files, named file_name.pag and
                      file_name.dir.  This is available on systems with support
                      for dbm databases.
 
-              fail   A table that reliably fails all requests. The lookup  ta-
-                     ble  name  is used for logging only. This table exists to
+              fail   A  table that reliably fails all requests. The lookup ta-
+                     ble name is used for logging only. This table  exists  to
                      simplify Postfix error tests.
 
               hash   The output is a hashed file, named file_name.db.  This is
                      available on systems with support for db databases.
 
-              lmdb   The  output  is a btree-based file, named file_name.lmdb.
-                     lmdb supports concurrent writes and reads from  different
+              lmdb   The output is a btree-based file,  named  file_name.lmdb.
+                     lmdb  supports concurrent writes and reads from different
                      processes,  unlike  other  supported  file-based  tables.
-                     This is available on systems with support for lmdb  data-
+                     This  is available on systems with support for lmdb data-
                      bases.
 
               sdbm   The output consists of two files, named file_name.pag and
                      file_name.dir.  This is available on systems with support
                      for sdbm databases.
 
-              When  no  file_type is specified, the software uses the database
-              type  specified  via  the  default_database_type   configuration
-              parameter.   The default value for this parameter depends on the
-              host environment.
-
        file_name
               The name of the alias database source file when creating a data-
               base.
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index f9558ccee..43e11a8dc 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -12,7 +12,7 @@