From: Wietse Z Venema
saslauthd -a ldap"
to query the LDAP database directly, with appropriate configuration
in saslauthd.conf, as
+href="https://github.com/cyrusimap/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD">as
described here. You will not be able to use any of the
methods that require access to plaintext passwords, such as the
shared-secret methods CRAM-MD5 and DIGEST-MD5.
diff --git a/postfix/html/master.5.html b/postfix/html/master.5.html
index 67fe3f30b..48f9cec49 100644
--- a/postfix/html/master.5.html
+++ b/postfix/html/master.5.html
@@ -240,16 +240,14 @@ MASTER(5) MASTER(5)
verbose.
Command-line arguments that start with {
- Specify "{" and "}" around command arguments that start
- with "{" (Postfix 3.0 and later). The outer "{" and "}"
- are removed from the input, together with any leading or
- trailing whitespace.
-
- Other command-line arguments
- Specify "{" and "}" around command arguments that contain
- whitespace (Postfix 3.0 and later). The outer "{" and "}"
- are removed from the input, together with any leading or
- trailing whitespace.
+
+ Command-line arguments that contain whitespace
+
+ Command-line arguments that must be empty
+ Specify "{" and "}" around such arguments (Postfix 3.0
+ and later). The outer "{" and "}" will be removed,
+ together with any leading or trailing whitespace in the
+ remaining text.
SEE ALSO
master(8), process manager
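Review bot: In the rewritten "Command-line arguments" entries, the headings "that start with {" and "that contain whitespace" now carry no text of their own, and the single paragraph under "that must be empty" refers only to "such arguments". A reader who jumps to one of the first two headings can take it as undocumented, or read "such" as covering only the empty case. Consider naming all three cases in the paragraph itself, for example: Specify "{" and "}" around arguments that start with "{", that contain whitespace, or that must be empty.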
diff --git a/postfix/html/pipe.8.html b/postfix/html/pipe.8.html
index d81395471..c22b91e5f 100644
--- a/postfix/html/pipe.8.html
+++ b/postfix/html/pipe.8.html
@@ -195,8 +195,10 @@ PIPE(8) PIPE(8)
interpreter.
Specify "{" and "}" around command arguments that contain white-
- space (Postfix 3.0 and later). Whitespace after the opening "{"
- and before the closing "}" is ignored.
+ space, arguments that begin with "{", or arguments that must be
+ an empty string (Postfix 3.0 and later). The outer "{" and "}"
+ will be removed, together with any leading or trailing white-
+ space in the remaining text.
In the command argument vector, the following macros are recog-
nized and replaced with corresponding information from the Post-
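Review bot: The new sentence introduces the empty-string case but never shows its literal form. As documented, the outer braces and any leading or trailing whitespace inside them are stripped, so both "{}" and "{ }" yield an empty argument, and an argument consisting only of whitespace cannot be expressed. One short example line after this paragraph would make both consequences explicit.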
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index 6b926fb67..3734c5e89 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -2670,7 +2670,7 @@ Instead of $name you can also specify ${name} or $(name).
Note: when an enhanced status code is specified in an RBL reply template, it is subject to modification. The following transformations -are needed when the same RBL reply template is used for client, +are needed when the same RBL response template is used for client, helo, sender, or recipient access restrictions.
NOTE: This feature differs from the Postfix SMTP server's +rbl_reply_maps feature, where 1) the table search key includes the +optional "=address" filter, and where 2) the lookup result +contains free text with $name variables.
+This feature is available in Postfix 2.8.
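Review bot: The added NOTE calls the filter "=address", while the rbl_reply_maps description added by the same change calls it "=address-pattern". Use one term for both parameters so that a reader searching the page for the filter syntax finds every mention.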
@@ -9807,15 +9812,46 @@ This feature is available in Postfix 2.0 and later. (default: empty)-Optional lookup tables with RBL response templates. The tables are -indexed by the RBL domain name. By default, Postfix uses the default +Optional lookup tables with RBL or RHSBL response templates. The +table search key is the reject_rbl_* or reject_rhsbl_* argument, +including any optional "=address-pattern" filter.
+ +By default, Postfix uses the template as specified with the default_rbl_reply configuration -parameter. See there for a discussion of the syntax of RBL reply -templates. +parameter. See there for a discussion of the response template +syntax. +
+ +Example:
+ ++/etc/postfix/main.cf: + rbl_reply_maps = hash:/etc/postfix/rbl_reply + smtpd_recipient_restrictions = + permit_mynetworks, + reject_rbl_client secret.zen.dq.spamhaus.net=127.0.0.[2..11], + ... ++ +
+/etc/postfix/rbl_reply: + # See https://www.postfix.org/postconf.5.html#default_rbl_reply + # for the definition of the $client_address and $rbl_class etc. + # variables. + secret.zen.dq.spamhaus.net=127.0.0.[2..11] + 554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details + secret.zen.dq.spamhaus.net + 554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details +
+NOTE: This feature differs from postscreen_dnsbl_reply_map where +the table search key is a domain name (no "=address" filter, +no "*weight" factor) and where the lookup result should be +a domain name (no free text, no $name variables).
This feature is available in Postfix 2.0 and later. +The "=address-pattern" filter is available in Postfix 2.8 and later.
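Review bot: The /etc/postfix/rbl_reply example lists the same template under two keys, one with "=127.0.0.[2..11]" and one with the bare domain, but the description only says the search key is the restriction argument "including any optional =address-pattern filter". State whether Postfix also looks up the bare domain when the filtered key is absent, or drop the second entry; as written the reader cannot tell which entry is required. It would also help to say why the template spells out "ZEN" instead of expanding the list domain: if the intent is to keep the secret query key out of the reply that the remote client sees, one sentence saying so documents the reason for the example.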
diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html index 338a7ec8f..4466acac7 100644 --- a/postfix/html/smtpd.8.html +++ b/postfix/html/smtpd.8.html @@ -1316,7 +1316,7 @@ SMTPD(8) SMTPD(8) ent_bounce restriction. rbl_reply_maps (empty) - Optional lookup tables with RBL response templates. + Optional lookup tables with RBL or RHSBL response templates. Available in Postfix version 2.6 and later: diff --git a/postfix/man/man5/master.5 b/postfix/man/man5/master.5 index 9c517ecd0..5dda48f26 100644 --- a/postfix/man/man5/master.5 +++ b/postfix/man/man5/master.5 @@ -243,15 +243,12 @@ personalities via master.cf. Increase the verbose logging level. Specify multiple \fB\-v\fR options to make a Postfix daemon process increasingly verbose. .IP "\fBCommand\-line arguments that start with {\fR" -Specify "{" and "}" around command arguments that start -with "{" (Postfix 3.0 and later). The outer "{" and "}" are -removed from the input, together with any leading or trailing -whitespace. -.IP "\fBOther command\-line arguments\fR" -Specify "{" and "}" around command arguments that contain -whitespace (Postfix 3.0 and later). The outer "{" and "}" -are removed from the input, together with any leading or -trailing whitespace. +.IP "\fBCommand\-line arguments that contain whitespace\fR" +.IP "\fBCommand\-line arguments that must be empty\fR" +Specify "{" and "}" around such arguments (Postfix 3.0 and +later). The outer "{" and "}" will be removed, together +with any leading or trailing whitespace in the remaining +text. .SH "SEE ALSO" .na .nf diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 02a3e0083..04bba9d91 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 
@@ -1732,7 +1732,7 @@ Instead of $name you can also specify ${name} or $(name). .PP Note: when an enhanced status code is specified in an RBL reply template, it is subject to modification. The following transformations -are needed when the same RBL reply template is used for client, +are needed when the same RBL response template is used for client, helo, sender, or recipient access restrictions. .IP \(bu When rejecting a sender address, the Postfix SMTP server @@ -5570,6 +5570,11 @@ Example: .ad .ft R .PP +NOTE: This feature differs from the Postfix SMTP server's +rbl_reply_maps feature, where 1) the table search key includes the +optional "\fI=address\fR" filter, and where 2) the lookup result +contains free text with \fI$name\fR variables. +.PP This feature is available in Postfix 2.8. .SH postscreen_dnsbl_sites (default: empty) Optional list of patterns with DNS allow/denylist domains, filters 
@@ -6160,13 +6165,46 @@ queue and schedules delivery requests. .PP This feature is available in Postfix 2.0 and later. .SH rbl_reply_maps (default: empty) -Optional lookup tables with RBL response templates. The tables are -indexed by the RBL domain name. By default, Postfix uses the default +Optional lookup tables with RBL or RHSBL response templates. The +table search key is the reject_rbl_* or reject_rhsbl_* argument, +including any optional "\fI=address\-pattern\fR" filter. +.PP +By default, Postfix uses the template as specified with the default_rbl_reply configuration -parameter. See there for a discussion of the syntax of RBL reply -templates. +parameter. See there for a discussion of the response template +syntax. +.PP +Example: +.PP +.nf +.na +.ft C +/etc/postfix/main.cf: + rbl_reply_maps = hash:/etc/postfix/rbl_reply + smtpd_recipient_restrictions = + permit_mynetworks, + reject_rbl_client \fIsecret\fR.zen.dq.spamhaus.net=127.0.0.[2..11], + ... +.br +/etc/postfix/rbl_reply: + # See https://www.postfix.org/postconf.5.html#default_rbl_reply + # for the definition of the $client_address and $rbl_class etc. + # variables. + \fIsecret\fR.zen.dq.spamhaus.net=127.0.0.[2..11] + 554 $rbl_class $rbl_what blocked using ZEN \- see https://www.spamhaus.org/query/ip/$client_address for details + \fIsecret\fR.zen.dq.spamhaus.net + 554 $rbl_class $rbl_what blocked using ZEN \- see https://www.spamhaus.org/query/ip/$client_address for details +.fi +.ad +.ft R +.PP +NOTE: This feature differs from postscreen_dnsbl_reply_map where +the table search key is a domain name (no "\fI=address\fR" filter, +no "\fI*weight\fR" factor) and where the lookup result should be +a domain name (no free text, no \fI$name\fR variables). .PP This feature is available in Postfix 2.0 and later. +The "=address\-pattern" filter is available in Postfix 2.8 and later. 
.SH readme_directory (default: see "postconf \-d" output) The location of Postfix README files that describe how to build, configure or operate a specific Postfix subsystem or feature. diff --git a/postfix/man/man8/pipe.8 b/postfix/man/man8/pipe.8 index efb9e0e5f..566cf89c8 100644 --- a/postfix/man/man8/pipe.8 +++ b/postfix/man/man8/pipe.8 @@ -201,8 +201,10 @@ The command is executed directly, i.e. without interpretation of shell meta characters by a shell command interpreter. .sp Specify "{" and "}" around command arguments that contain -whitespace (Postfix 3.0 and later). Whitespace -after the opening "{" and before the closing "}" is ignored. +whitespace, arguments that begin with "{", or arguments +that must be an empty string (Postfix 3.0 and later). The +outer "{" and "}" will be removed, together with any leading +or trailing whitespace in the remaining text. .sp In the command argument vector, the following macros are recognized and replaced with corresponding information from the Postfix queue diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8 index 0c0bc2e0b..fdfe4862d 100644 --- a/postfix/man/man8/smtpd.8 +++ b/postfix/man/man8/smtpd.8 @@ -1140,7 +1140,7 @@ The numerical Postfix SMTP server response code when a remote SMTP client request is blocked by the reject_multi_recipient_bounce restriction. .IP "\fBrbl_reply_maps (empty)\fR" -Optional lookup tables with RBL response templates. +Optional lookup tables with RBL or RHSBL response templates. .PP Available in Postfix version 2.6 and later: .IP "\fBaccess_map_defer_code (450)\fR" diff --git a/postfix/proto/SASL_README.html b/postfix/proto/SASL_README.html index 14d959b4c..2af2e7bfb 100644 --- a/postfix/proto/SASL_README.html +++ b/postfix/proto/SASL_README.html @@ -909,7 +909,7 @@ stored as plaintext. auxprop plugin. Instead, you can use "saslauthd -a ldap"
to query the LDAP database directly, with appropriate configuration
in saslauthd.conf, as
+href="https://github.com/cyrusimap/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD">as
described here. You will not be able to use any of the
methods that require access to plaintext passwords, such as the
shared-secret methods CRAM-MD5 and DIGEST-MD5.
diff --git a/postfix/proto/master b/postfix/proto/master
index efd88e55d..3b3bd3ea1 100644
--- a/postfix/proto/master
+++ b/postfix/proto/master
@@ -237,15 +237,12 @@
# Increase the verbose logging level. Specify multiple \fB-v\fR
# options to make a Postfix daemon process increasingly verbose.
# .IP "\fBCommand-line arguments that start with {\fR"
-# Specify "{" and "}" around command arguments that start
-# with "{" (Postfix 3.0 and later). The outer "{" and "}" are
-# removed from the input, together with any leading or trailing
-# whitespace.
-# .IP "\fBOther command-line arguments\fR"
- Specify "{" and "}" around command arguments that contain
-# whitespace (Postfix 3.0 and later). The outer "{" and "}"
-# are removed from the input, together with any leading or
-# trailing whitespace.
+# .IP "\fBCommand-line arguments that contain whitespace\fR"
+# .IP "\fBCommand-line arguments that must be empty\fR"
+# Specify "{" and "}" around such arguments (Postfix 3.0 and
+# later). The outer "{" and "}" will be removed, together
+# with any leading or trailing whitespace in the remaining
+# text.
# SEE ALSO
# master(8), process manager
# postconf(5), configuration parameters
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index 9dda8f29e..36aab443e 100644
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -1254,7 +1254,7 @@ Instead of $name you can also specify ${name} or $(name).
Note: when an enhanced status code is specified in an RBL reply template, it is subject to modification. The following transformations -are needed when the same RBL reply template is used for client, +are needed when the same RBL response template is used for client, helo, sender, or recipient access restrictions.
-Optional lookup tables with RBL response templates. The tables are -indexed by the RBL domain name. By default, Postfix uses the default +Optional lookup tables with RBL or RHSBL response templates. The +table search key is the reject_rbl_* or reject_rhsbl_* argument, +including any optional "=address-pattern" filter.
+ +By default, Postfix uses the template as specified with the default_rbl_reply configuration -parameter. See there for a discussion of the syntax of RBL reply -templates. +parameter. See there for a discussion of the response template +syntax. +
+ +Example:
+ ++/etc/postfix/main.cf: + rbl_reply_maps = hash:/etc/postfix/rbl_reply + smtpd_recipient_restrictions = + permit_mynetworks, + reject_rbl_client secret.zen.dq.spamhaus.net=127.0.0.[2..11], + ... ++ +
+/etc/postfix/rbl_reply: + # See https://www.postfix.org/postconf.5.html#default_rbl_reply + # for the definition of the $client_address and $rbl_class etc. + # variables. + secret.zen.dq.spamhaus.net=127.0.0.[2..11] + 554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details + secret.zen.dq.spamhaus.net + 554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details +
+NOTE: This feature differs from postscreen_dnsbl_reply_map where +the table search key is a domain name (no "=address" filter, +no "*weight" factor) and where the lookup result should be +a domain name (no free text, no $name variables).
This feature is available in Postfix 2.0 and later. +The "=address-pattern" filter is available in Postfix 2.8 and later.
%PARAM receive_override_options @@ -15418,6 +15449,11 @@ the file is read). secret.zen.spamhaus.org zen.spamhaus.org +NOTE: This feature differs from the Postfix SMTP server's +rbl_reply_maps feature, where 1) the table search key includes the +optional "=address" filter, and where 2) the lookup result +contains free text with $name variables.
+This feature is available in Postfix 2.8.
%PARAM postscreen_dnsbl_timeout 10s diff --git a/postfix/proto/stop b/postfix/proto/stop index 52f34ab43..fb1da4859 100644 --- a/postfix/proto/stop +++ b/postfix/proto/stop @@ -1604,3 +1604,5 @@ LLC Maadani GTEST javascript +SMFI +RHSBL diff --git a/postfix/proto/stop.double-history b/postfix/proto/stop.double-history index 1122e5e61..843e59ede 100644 --- a/postfix/proto/stop.double-history +++ b/postfix/proto/stop.double-history @@ -126,3 +126,5 @@ proto proto mysql_table proto pgsql_table proto ldap_table a domain File postalias postalias c File spawn spawn c an unknown or unimplemented command File smtpd smtpd c + inside more consistent Files proto master pipe pipe c + unimplemented commands in the SMTP server File smtpd smtpd c diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 7f926fb12..d23ed6640 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20240612" +#define MAIL_RELEASE_DATE "20240622" #define MAIL_VERSION_NUMBER "3.10" #ifdef SNAPSHOT diff --git a/postfix/src/pipe/pipe.c b/postfix/src/pipe/pipe.c index 301793743..eceae2b3d 100644 --- a/postfix/src/pipe/pipe.c +++ b/postfix/src/pipe/pipe.c 
@@ -191,8 +191,10 @@ /* shell meta characters by a shell command interpreter. /* .sp /* Specify "{" and "}" around command arguments that contain -/* whitespace (Postfix 3.0 and later). Whitespace -/* after the opening "{" and before the closing "}" is ignored. +/* whitespace, arguments that begin with "{", or arguments +/* that must be an empty string (Postfix 3.0 and later). The +/* outer "{" and "}" will be removed, together with any leading +/* or trailing whitespace in the remaining text. /* .sp /* In the command argument vector, the following macros are recognized /* and replaced with corresponding information from the Postfix queue diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index 9b8cbbe85..8c5ce4717 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c @@ -1084,7 +1084,7 @@ /* client request is blocked by the reject_multi_recipient_bounce /* restriction. /* .IP "\fBrbl_reply_maps (empty)\fR" -/* Optional lookup tables with RBL response templates. +/* Optional lookup tables with RBL or RHSBL response templates. /* .PP /* Available in Postfix version 2.6 and later: /* .IP "\fBaccess_map_defer_code (450)\fR" 
@@ -5501,11 +5501,43 @@ static void tls_reset(SMTPD_STATE *state) #endif +/* milter_unknown_reply_override - common code for unknown/unimplemented case */ + +static int milter_unknown_reply_override(SMTPD_STATE *state) +{ + const char *err; + + /* + * XXX The Postfix libmilter implementation does not indicate whether it + * returns: + * + * 1) A generic "command rejected" etc. reply text that is generated by the + * Postfix milter library, when the Sendmail milter library replies with + * SMFI_REJECT or SMFI_TEMPFAIL. + * + * 2) A custom reply text that is generated by a milter application, when + * the Sendmail milter library replies with SMFI_REPLY. + * + * As a compromise, we will not override the Postfix SMTP server's specific + * "5XX Unknown command" etc. reply. + */ + if (state->milters != 0 + && (err = milter_unknown_event(state->milters, + STR(state->buffer))) != 0) { + if (err[0] == '4') { + smtpd_chat_reply(state, "%s", err); + return (1); + } else if (err[0] != '5') { + msg_warn("unexpected SMFIC_UNKNOWN response: %s", err); + } + } + return (0); +} + /* unimpl_cmd - dummy for functionality that is not compiled in */ static int unimpl_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv) { - const char *err = 0; /* * When a connection is closed we want to log the request counts for @@ -5516,16 +5548,8 @@ static int unimpl_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv) * it must either tempfail or reject. */ state->error_mask |= MAIL_ERROR_PROTOCOL; - if (state->milters != 0 - && (err = milter_unknown_event(state->milters, - STR(state->buffer))) != 0 - && err[0] == '4') { - smtpd_chat_reply(state, "%s", err); - } else { - if (err && err[0] != '5') - msg_warn("unexpected SMFIC_UNKNOWN response: %s", err); + if (milter_unknown_reply_override(state) == 0) smtpd_chat_reply(state, "502 5.5.1 Error: command not implemented"); - } return (-1); } 
@@ -5553,7 +5577,7 @@ typedef struct SMTPD_CMD { #define SMTPD_CMD_FLAG_PRE_TLS (1<<1) /* allow before STARTTLS */ #define SMTPD_CMD_FLAG_LAST (1<<2) /* last in PIPELINING command group */ -static int help_cmd(SMTPD_STATE *, int, SMTPD_TOKEN *); +static int help_cmd(SMTPD_STATE *, int, SMTPD_TOKEN *); static SMTPD_CMD smtpd_cmd_table[] = { {SMTPD_CMD_HELO, helo_cmd, SMTPD_CMD_FLAG_LIMIT | SMTPD_CMD_FLAG_PRE_TLS | SMTPD_CMD_FLAG_LAST,}, @@ -6021,19 +6045,9 @@ static void smtpd_proto(SMTPD_STATE *state) } /* state->access_denied == 0 || cmdp->action == quit_cmd */ if (cmdp->name == 0) { - /* See unimpl_cmd() for valid xxfi_unknown() return values. */ - err = 0; - if (state->milters != 0 - && (err = milter_unknown_event(state->milters, - STR(state->buffer))) != 0 - && err[0] == '4') { - smtpd_chat_reply(state, "%s", err); - } else { - if (err && err[0] != '5') - msg_warn("unexpected SMFIC_UNKNOWN response: %s", err); + if (milter_unknown_reply_override(state) == 0) smtpd_chat_reply(state, "500 5.5.2 Error: command not recognized"); - } state->error_mask |= MAIL_ERROR_PROTOCOL; state->error_count++; continue;
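Review bot: In postfix/src/smtpd/smtpd.c, the header comment for milter_unknown_reply_override() does not state the return contract that both callers rely on. From the body, it returns 1 only after it has already sent the milter's 4XX reply, and 0 when the caller must still send its own 502 or 500 reply, including when the milter answered 5XX or something unexpected. Add that to the comment above the function, since "if (milter_unknown_reply_override(state) == 0)" is ambiguous without it.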
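Review bot: In the smtpd_proto() hunk of postfix/src/smtpd/smtpd.c, the removed lines were the visible uses of the local variable err (the "err = 0;" assignment and the milter_unknown_event() result). If nothing else in smtpd_proto() uses it, remove the declaration as well to avoid an unused-variable warning. The removed pointer "See unimpl_cmd() for valid xxfi_unknown() return values" also has no replacement, while the explanation it pointed to stays in unimpl_cmd(); consider moving that explanation next to the new helper, which now holds the check.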