From: Wietse Venema <wietse@porcupine.org>
Date: Fri, 9 Jan 2009 05:00:00 +0000 (-0500)
Subject: postfix-2.6-20090109
X-Git-Tag: v2.6.0-RC1~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dd689ed048aa606efc1795362699e19ff2591d8b;p=thirdparty%2Fpostfix.git

postfix-2.6-20090109
---

diff --git a/postfix/.indent.pro b/postfix/.indent.pro
index 6241aa22c..8d572dec4 100644
--- a/postfix/.indent.pro
+++ b/postfix/.indent.pro
@@ -95,6 +95,7 @@
 -TDSN_BUF
 -TDSN_SPLIT
 -TDSN_STAT
+-TEDIT_FILE
 -TEVENT_MASK
 -TEXPAND_ATTR
 -TFILE
@@ -139,6 +140,8 @@
 -TMASTER_PROC
 -TMASTER_SERV
 -TMASTER_STATUS
+-TMASTER_VARS_STR_WATCH
+-TMASTER_VARS_INT_WATCH
 -TMBLOCK
 -TMBOX
 -TMILTER
diff --git a/postfix/HISTORY b/postfix/HISTORY
index c0057198c..ffda0a389 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -14700,7 +14700,7 @@ Apologies for any names omitted.
 	Security: hardened the proxymap client, in case it ever
 	ends up in a set-gid program. File: global/dict_proxy.c.
 
-10081007
+20081007
 
 	Workaround: undo the proxymap client change. It broke
 	chrooted servers when they attempted to reconnect to the
@@ -14760,8 +14760,8 @@ Apologies for any names omitted.
 
 20081126
 
-	Bugfix: pcre_table(5) incorrectly claimed that the 'x' flag
-	supports #comment after text. File: proto/pcre_table.
+	Documentation: pcre_table(5) incorrectly claimed that the
+	'x' flag supports #comment after text. File: proto/pcre_table.
 
 20081202
 
@@ -14798,3 +14798,73 @@ Apologies for any names omitted.
 	Safety: add another check to "postfix check", in this case
 	for group or other writable queue_directory. File:
 	conf/postfix-script.
+
+20081217
+
+	Debugging: ad-hoc code to log the TLS error stack after
+	VSTREAM read/write error.  File: tls/tls_bio_ops.c. In a
+	better implementation, each I/O "object" would provide an
+	optional error reporting method (besides timed_read and
+	timed_write) that could be queried via the vstream module.
+
+20081222
+
+	Documentation: log the "*" pattern as the last transport
+	map lookup. File: proto/transport.
+
+20090103
+
+	Documentation: rewrote NFS_README, to clarify the support
+	status of Postfix and NFS, and to describe the NFS workarounds
+	that Postfix actually implements.
+
+20090106
+
+	Feature: "postconf -# parametername ..." to comment out
+	named parameter entries. Victor Duchovni.  File:
+	postconf/postconf.c.
+
+20090107
+
+	Library: edit_file(3) module for cooperative editing of a
+	file. Inspired by the postconf command, this creates a new
+	version under a deterministic temporary name and renames
+	it into place. The implementation uses an open/lock/stat
+	protocol before updating the new file, and rename/unlock/close
+	afterwards.  Based on pieces of code by Victor Duchovni,
+	with minor improvements by Wietse.  Files: util/edit_file.[hc].
+
+	Cleanup: the postconf command now uses the edit_file(3)
+	module to manage collisions when multiple processes attempt
+	to update the main.cf file.
+
+20090108
+
+	Feature: master_service_disable parameter (default: empty)
+	to easily turn off/on master.cf services by type or by name
+	and type. For example, to turn off the main SMTP listener
+	use "master_service_disable = smtp.inet", and to turn off
+	all TCP/IP listeners use "master_service_disable = inet".
+	This feature does not distinguish services by their privacy
+	property; some day, clients will not need to specify that
+	anymore.  Files: global/mail_params.h, master/master.c,
+	master/master_vars.c, master/master_ent.c.
+
+	Bugfix (introduced May 19, 1997): removing a parameter
+	setting from main.cf did not reset the parameter to its
+	default value. This was a problem only in the master daemon.
+	File: global/mail_params.c, master/master_vars.c.
+
+20090109
+
+	Cleanup: "defer" action in access maps, and a corresponding
+	access_map_defer_code parameter. No idea what was behind
+	this omission.  Files: global/mail_params.h, smtpd/smtpd.c,
+	smtpd/smtpd_check.c, proto/access.
+
+	Workaround: specify "tcp_windowsize = 65535" (or less) to
+	work around routers with broken TCP window scaling
+	implementations.  This is perhaps easier than collecting
+	tcpdump output and tuning kernel parameters. Changing this
+	parameter requires "postfix stop" and "postfix start".
+	Files: util/inet_connect.c, inet_listen.c, global/mail_params.[hc].
diff --git a/postfix/README_FILES/NFS_README b/postfix/README_FILES/NFS_README
index 196252de5..60d05781e 100644
--- a/postfix/README_FILES/NFS_README
+++ b/postfix/README_FILES/NFS_README
@@ -1,39 +1,102 @@
 PPoossttffiixx aanndd NNFFSS
 
 -------------------------------------------------------------------------------
-This question was asked on the postfix-users mailing list a while ago:
 
-    Also, what considerations are there for file locking or other potential
-    problems when running Postfix with a Netapp-style box for /var/mail
-    delivery? I know that FreeBSD has broken NFS file locking (both client and
-    server?) but I'm not sure if this is something Postfix can work around or
-    not.
+PPoossttffiixx ssuuppppoorrtt ssttaattuuss ffoorr NNFFSS
 
-Postfix jumps several hoops in order to deal with NFS-specific problems. Thus,
-Postfix on NFS is slightly less reliable than Postfix on a local disk. That is
-not a problem in Postfix; the problem is in NFS and affects other MTAs as well.
+What is the status of support for Postfix on NFS? The answer is that Postfix
+itself is supported when you use NFS, but there is no promise that an NFS-
+related problem will promptly receive a Postfix workaround, or that a
+workaround will even be possible.
 
-For queue locking within Postfix, NFS is not an issue because you cannot share
-Postfix queues among multiple Postfix instances.
+That said, Postfix will in many cases work very well on NFS, because Postfix
+implements a number of workarounds (see below). Good NFS implementations seldom
+if ever give problems with Postfix, so Wietse recommends that you spend your
+money wisely.
 
-In order to have mailbox locking over NFS, you have to configure everything to
-use fcntl() locks for mailbox access (or switch to maildir style, which needs
-no application-level lock controls).
+PPoossttffiixx ffiillee lloocckkiinngg aanndd NNFFSS
 
-To turn on fcntl() mailbox locks with Postfix you specify:
+For the Postfix mail queue, it does not matter how well NFS file locking works.
+The reason is that you cannot share Postfix queues among multiple running
+Postfix instances. You can use NFS to switch a Postfix mail queue from one NFS
+client to another one, but only one NFS client can access a Postfix mail queue
+at any particular point in time.
 
-    /etc/postfix/main.cf:
-        virtual_mailbox_lock = fcntl
-        mailbox_delivery_lock = fcntl
-
-Obviously, this approach is useful only if all other mailbox access software
-also uses fcntl() locks.
+For mailbox file sharing with NFS, your options are to use ffccnnttll (kernel
+locks), ddoottlloocckk (username.lock files), to use both locking methods
+simultaneously, or to switch to maildir format. The maildir format uses one
+file per message and needs no file locking support in Postfix or in other mail
+software.
 
-You can also "play safe" and throw in username.lock files:
+Many sites that use mailbox format play safe and use both locking methods
+simultaneously.
 
     /etc/postfix/main.cf:
         virtual_mailbox_lock = fcntl, dotlock
         mailbox_delivery_lock = fcntl, dotlock
 
-This is the combination that many applications end up using.
+PPoossttffiixx NNFFSS wwoorrkkaarroouunnddss
+
+The list below summarizes the workarounds that exist for running Postfix on NFS
+as of the middle of 2003. As a reminder, Postfix itself is still supported when
+it runs on NFS, but there is no promise that an NFS-related problem will
+promptly receive a Postfix workaround, or that a workaround will even be
+possible.
+
+  * Problem: when renaming a file, the operation may succeed but report an
+    error anyway[1].
+
+    Workaround: when rename(old, new) reports an error, Postfix checks if the
+    new name exists and the old name is gone. If the check succeeds, Postfix
+    assumes that the rename() operation completed normally.
+
+  * Problem: when creating a directory, the operation may succeed but report an
+    error anyway[1].
+
+    Workaround: when mkdir(new) reports an EEXIST error, Postfix checks if the
+    new name resolves to a directory. If the check succeeds, Postfix assumes
+    that the mkdir() operation completed normally.
+
+  * Problem: when creating a hardlink to a file, the operation may succeed but
+    report an error anyway[1].
+
+    Workaround: when link(old, new) fails, Postfix compares the device and
+    inode number of the old and new files. When the two files are identical,
+    Postfix assumes that the link() operation completed normally.
+
+  * Problem: when creating a dotlock (username.lock) file, the operation may
+    succeed but report an error anyway[1].
+
+    Workaround: in this case, the only safe action is to back off and try again
+    later.
+
+  * Problem: when a file server's "time of day" clock is not synchronized with
+    the client's "time of day" clock, email deliveries are delayed by a minute
+    or more.
+
+    Workaround: Postfix explicitly sets file time stamps to avoid delays with
+    new mail (Postfix uses "last modified" file time stamps to decide when a
+    queue file is ready for delivery).
+
+[1] How can an operation succeed and report an error anyway?
+
+Suppose that an NFS server executes a client request successfully, and that the
+server's reply to the client is lost. After some time the client retransmits
+the request to the server. Normally, the server remembers that it already
+completed the request (it keeps a list of recently-completed requests and
+replies), and simply retransmits the reply.
+
+However, when the server has rebooted or when it has been very busy, the server
+no longer remembers that it already completed the request, and repeats the
+operation. This causes no problems with file read/write requests (they contain
+a file offset and can therefore be repeated safely), but fails with non-
+idempotent operations. For example, when the server executes a retransmitted
+rename() request, the server reports an ENOENT error because the old name does
+not exist; and when the server executes a retransmitted link(), mkdir() or
+create() request, the server reports an EEXIST error because the name already
+exists.
+
+Thus, successful, non-idempotent, NFS operations will report false errors when
+the server reply is lost, the client retransmits the request, and the server
+does not remember that it already completed the request.
 
diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES
index 18c91c1c1..e4073049d 100644
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -11,6 +11,22 @@ instead, a new snapshot is released.
 The mail_release_date configuration parameter (format: yyyymmdd)
 specifies the release date of a stable release or snapshot release.
 
+Major changes with snapshot 20090109
+====================================
+
+Support to selectively disable master(8) listener ports by service
+type or by service name + type. Specify a list of service types
+("inet", "unix", "fifo", or "pass") or "name.type" tuples, where
+"name" is the first field of a master.cf entry and "type" is a
+service type. Examples: to turn off the main SMTP listener port,
+use "master_service_disable = smtp.inet"; to turn off all TCP/IP
+listeners, use "master_service_disable = inet".
+
+Specify "tcp_windowsize = 65535" (or less) to work around routers
+with broken TCP window scaling implementations.  This is perhaps
+easier than collecting tcpdump output and tuning kernel parameters.
+Changing this parameter requires "postfix stop" and "postfix start".
+
 Major changes with snapshot 20081010
 ====================================
 
diff --git a/postfix/conf/access b/postfix/conf/access
index 18930449e..2aa8f6450 100644
--- a/postfix/conf/access
+++ b/postfix/conf/access
@@ -196,21 +196,27 @@
 #               text..."  when the optional text is specified, oth-
 #               erwise reply with a generic error response message.
 # 
+#        DEFER optional text...
+#               Reject  the  address etc. that matches the pattern.
+#               Reply   with    "$access_map_defer_code    optional
+#               text..."  when the optional text is specified, oth-
+#               erwise reply with a generic error response message.
+# 
 #        DEFER_IF_REJECT optional text...
 #               Defer  the  request if some later restriction would
-#               result in a REJECT action. Reply  with  "450  4.7.1
-#               optional  text..." when the optional text is speci-
-#               fied, otherwise reply with a generic error response
-#               message.
+#               result   in   a   REJECT   action.    Reply    with
+#               "$access_map_defer_code   4.7.1  optional  text..."
+#               when the  optional  text  is  specified,  otherwise
+#               reply with a generic error response message.
 # 
 #               This feature is available in Postfix 2.1 and later.
 # 
 #        DEFER_IF_PERMIT optional text...
 #               Defer the request if some later  restriction  would
 #               result  in a an explicit or implicit PERMIT action.
-#               Reply with "450 4.7.1  optional text..."  when  the
-#               optional  text is specified, otherwise reply with a
-#               generic error response message.
+#               Reply with "$access_map_defer_code 4.7.1   optional
+#               text..."  when the optional text is specified, oth-
+#               erwise reply with a generic error response message.
 # 
 #               This feature is available in Postfix 2.1 and later.
 # 
@@ -220,169 +226,169 @@
 #               reject_unauth_destination, and so on).
 # 
 #        BCC user@domain
-#               Send one copy  of  the  message  to  the  specified
+#               Send  one  copy  of  the  message  to the specified
 #               recipient.
 # 
-#               If  multiple  BCC  actions are specified within the
-#               same SMTP MAIL transaction, only  the  last  action
+#               If multiple BCC actions are  specified  within  the
+#               same  SMTP  MAIL  transaction, only the last action
 #               will be used.
 # 
-#               This  feature  is  not  part  of the stable Postfix
+#               This feature is not  part  of  the  stable  Postfix
 #               release.
 # 
 #        DISCARD optional text...
-#               Claim successful delivery and silently discard  the
-#               message.   Log the optional text if specified, oth-
+#               Claim  successful delivery and silently discard the
+#               message.  Log the optional text if specified,  oth-
 #               erwise log a generic message.
 # 
-#               Note: this action currently affects all  recipients
-#               of  the  message.   To  discard  only one recipient
-#               without discarding  the  entire  message,  use  the
+#               Note:  this action currently affects all recipients
+#               of the message.   To  discard  only  one  recipient
+#               without  discarding  the  entire  message,  use the
 #               transport(5) table to direct mail to the discard(8)
 #               service.
 # 
 #               This feature is available in Postfix 2.0 and later.
 # 
-#        DUNNO  Pretend  that  the  lookup  key was not found. This
-#               prevents Postfix  from  trying  substrings  of  the
-#               lookup  key (such as a subdomain name, or a network
+#        DUNNO  Pretend that the lookup key  was  not  found.  This
+#               prevents  Postfix  from  trying  substrings  of the
+#               lookup key (such as a subdomain name, or a  network
 #               address subnetwork).
 # 
 #               This feature is available in Postfix 2.0 and later.
 # 
 #        FILTER transport:destination
-#               After  the  message is queued, send the entire mes-
+#               After the message is queued, send the  entire  mes-
 #               sage through the specified external content filter.
-#               The  transport:destination  syntax  is described in
-#               the transport(5)  manual  page.   More  information
-#               about  external  content  filters is in the Postfix
+#               The transport:destination syntax  is  described  in
+#               the  transport(5)  manual  page.   More information
+#               about external content filters is  in  the  Postfix
 #               FILTER_README file.
 # 
 #               Note: this action overrides the content_filter set-
-#               ting,  and  currently affects all recipients of the
+#               ting, and currently affects all recipients  of  the
 #               message.
 # 
 #               This feature is available in Postfix 2.0 and later.
 # 
 #        HOLD optional text...
-#               Place  the message on the hold queue, where it will
-#               sit until someone either deletes it or releases  it
-#               for  delivery.  Log the optional text if specified,
+#               Place the message on the hold queue, where it  will
+#               sit  until someone either deletes it or releases it
+#               for delivery.  Log the optional text if  specified,
 #               otherwise log a generic message.
 # 
-#               Mail that is placed on hold can  be  examined  with
-#               the  postcat(1)  command,  and  can be destroyed or
+#               Mail  that  is  placed on hold can be examined with
+#               the postcat(1) command, and  can  be  destroyed  or
 #               released with the postsuper(1) command.
 # 
-#               Note: use "postsuper -r" to release mail  that  was
-#               kept  on  hold for a significant fraction of $maxi-
+#               Note:  use  "postsuper -r" to release mail that was
+#               kept on hold for a significant fraction  of  $maxi-
 #               mal_queue_lifetime  or  $bounce_queue_lifetime,  or
-#               longer.  Use "postsuper -H" only for mail that will
+#               longer. Use "postsuper -H" only for mail that  will
 #               not expire within a few delivery attempts.
 # 
-#               Note: this action currently affects all  recipients
+#               Note:  this action currently affects all recipients
 #               of the message.
 # 
 #               This feature is available in Postfix 2.0 and later.
 # 
 #        PREPEND headername: headervalue
-#               Prepend the specified message header  to  the  mes-
-#               sage.   When more than one PREPEND action executes,
-#               the first prepended header appears before the  sec-
+#               Prepend  the  specified  message header to the mes-
+#               sage.  When more than one PREPEND action  executes,
+#               the  first prepended header appears before the sec-
 #               ond etc. prepended header.
 # 
-#               Note:  this  action must execute before the message
-#               content is received; it cannot execute in the  con-
+#               Note: this action must execute before  the  message
+#               content  is received; it cannot execute in the con-
 #               text of smtpd_end_of_data_restrictions.
 # 
 #               This feature is available in Postfix 2.1 and later.
 # 
 #        REDIRECT user@domain
-#               After the message is queued, send  the  message  to
+#               After  the  message  is queued, send the message to
 #               the  specified  address  instead  of  the  intended
 #               recipient(s).
 # 
-#               Note: this action overrides the FILTER action,  and
+#               Note:  this action overrides the FILTER action, and
 #               currently affects all recipients of the message.
 # 
 #               This feature is available in Postfix 2.1 and later.
 # 
 #        WARN optional text...
 #               Log a warning with the optional text, together with
-#               client  information  and  if  available, with helo,
+#               client information and  if  available,  with  helo,
 #               sender, recipient and protocol information.
 # 
 #               This feature is available in Postfix 2.1 and later.
 # 
 # ENHANCED STATUS CODES
-#        Postfix  version  2.3  and  later  support enhanced status
-#        codes as defined in RFC 3463.   When  an  enhanced  status
-#        code  is  specified  in  an access table, it is subject to
-#        modification. The  following  transformations  are  needed
-#        when  the  same  access  table  is  used for client, helo,
-#        sender, or  recipient  access  restrictions;  they  happen
+#        Postfix version 2.3  and  later  support  enhanced  status
+#        codes  as  defined  in  RFC 3463.  When an enhanced status
+#        code is specified in an access table,  it  is  subject  to
+#        modification.  The  following  transformations  are needed
+#        when the same access  table  is  used  for  client,  helo,
+#        sender,  or  recipient  access  restrictions;  they happen
 #        regardless of whether Postfix replies to a MAIL FROM, RCPT
 #        TO or other SMTP command.
 # 
-#        o      When a sender address matches a REJECT action,  the
-#               Postfix  SMTP server will transform a recipient DSN
-#               status (e.g., 4.1.1-4.1.6) into  the  corresponding
+#        o      When  a sender address matches a REJECT action, the
+#               Postfix SMTP server will transform a recipient  DSN
+#               status  (e.g.,  4.1.1-4.1.6) into the corresponding
 #               sender DSN status, and vice versa.
 # 
-#        o      When   non-address  information  matches  a  REJECT
-#               action (such as the HELO command  argument  or  the
-#               client  hostname/address),  the Postfix SMTP server
-#               will transform a sender  or  recipient  DSN  status
-#               into   a  generic  non-address  DSN  status  (e.g.,
+#        o      When  non-address  information  matches  a   REJECT
+#               action  (such  as  the HELO command argument or the
+#               client hostname/address), the Postfix  SMTP  server
+#               will  transform  a  sender  or recipient DSN status
+#               into  a  generic  non-address  DSN  status   (e.g.,
 #               4.0.0).
 # 
 # REGULAR EXPRESSION TABLES
-#        This section describes how the table lookups  change  when
+#        This  section  describes how the table lookups change when
 #        the table is given in the form of regular expressions. For
-#        a description of regular expression lookup  table  syntax,
+#        a  description  of regular expression lookup table syntax,
 #        see regexp_table(5) or pcre_table(5).
 # 
-#        Each  pattern  is  a regular expression that is applied to
+#        Each pattern is a regular expression that  is  applied  to
 #        the entire string being looked up. Depending on the appli-
-#        cation,  that  string  is  an  entire  client hostname, an
+#        cation, that string  is  an  entire  client  hostname,  an
 #        entire client IP address, or an entire mail address. Thus,
 #        no  parent  domain  or  parent  network  search  is  done,
-#        user@domain mail addresses are not broken  up  into  their
+#        user@domain  mail  addresses  are not broken up into their
 #        user@ and domain constituent parts, nor is user+foo broken
 #        up into user and foo.
 # 
-#        Patterns are applied in the order as specified in the  ta-
-#        ble,  until  a  pattern  is  found that matches the search
+#        Patterns  are applied in the order as specified in the ta-
+#        ble, until a pattern is  found  that  matches  the  search
 #        string.
 # 
-#        Actions are the same as with indexed  file  lookups,  with
-#        the  additional feature that parenthesized substrings from
+#        Actions  are  the  same as with indexed file lookups, with
+#        the additional feature that parenthesized substrings  from
 #        the pattern can be interpolated as $1, $2 and so on.
 # 
 # TCP-BASED TABLES
-#        This section describes how the table lookups  change  when
+#        This  section  describes how the table lookups change when
 #        lookups are directed to a TCP-based server. For a descrip-
 #        tion of the TCP client/server lookup protocol, see tcp_ta-
 #        ble(5).  This feature is not available up to and including
 #        Postfix version 2.4.
 # 
-#        Each lookup operation uses the entire query  string  once.
-#        Depending  on  the  application,  that string is an entire
+#        Each  lookup  operation uses the entire query string once.
+#        Depending on the application, that  string  is  an  entire
 #        client hostname, an entire client IP address, or an entire
-#        mail  address.   Thus,  no parent domain or parent network
-#        search is done, user@domain mail addresses are not  broken
-#        up  into  their user@ and domain constituent parts, nor is
+#        mail address.  Thus, no parent domain  or  parent  network
+#        search  is done, user@domain mail addresses are not broken
+#        up into their user@ and domain constituent parts,  nor  is
 #        user+foo broken up into user and foo.
 # 
 #        Actions are the same as with indexed file lookups.
 # 
 # EXAMPLE
-#        The following example uses an indexed file,  so  that  the
-#        order  of  table entries does not matter. The example per-
-#        mits access by the client at address 1.2.3.4  but  rejects
-#        all  other  clients  in 1.2.3.0/24. Instead of hash lookup
-#        tables, some systems use dbm.  Use the  command  "postconf
-#        -m"  to  find  out  what lookup tables Postfix supports on
+#        The  following  example  uses an indexed file, so that the
+#        order of table entries does not matter. The  example  per-
+#        mits  access  by the client at address 1.2.3.4 but rejects
+#        all other clients in 1.2.3.0/24. Instead  of  hash  lookup
+#        tables,  some  systems use dbm.  Use the command "postconf
+#        -m" to find out what lookup  tables  Postfix  supports  on
 #        your system.
 # 
 #        /etc/postfix/main.cf:
@@ -393,11 +399,11 @@
 #            1.2.3   REJECT
 #            1.2.3.4 OK
 # 
-#        Execute the command  "postmap  /etc/postfix/access"  after
+#        Execute  the  command  "postmap /etc/postfix/access" after
 #        editing the file.
 # 
 # BUGS
-#        The  table format does not understand quoting conventions.
+#        The table format does not understand quoting  conventions.
 # 
 # SEE ALSO
 #        postmap(1), Postfix lookup table manager
@@ -406,13 +412,13 @@
 #        transport(5), transport:nexthop syntax
 # 
 # README FILES
-#        Use "postconf readme_directory" or  "postconf  html_direc-
+#        Use  "postconf  readme_directory" or "postconf html_direc-
 #        tory" to locate this information.
 #        SMTPD_ACCESS_README, built-in SMTP server access control
 #        DATABASE_README, Postfix lookup table overview
 # 
 # LICENSE
-#        The  Secure  Mailer  license must be distributed with this
+#        The Secure Mailer license must be  distributed  with  this
 #        software.
 # 
 # AUTHOR(S)
diff --git a/postfix/conf/transport b/postfix/conf/transport
index 07d7c345d..0544b2779 100644
--- a/postfix/conf/transport
+++ b/postfix/conf/transport
@@ -121,83 +121,85 @@
 #               ting.   Otherwise, a domain name matches itself and
 #               its subdomains.
 # 
-#        Note 1: the special pattern * represents any address (i.e.
-#        it functions as the wild-card pattern).
+#        * transport:nexthop
+#               The special pattern * represents any address  (i.e.
+#               it  functions  as  the  wild-card  pattern,  and is
+#               unique to Postfix transport tables).
 # 
-#        Note  2:  the  null  recipient  address  is  looked  up as
+#        Note 1:  the  null  recipient  address  is  looked  up  as
 #        $empty_address_recipient@$myhostname (default: mailer-dae-
 #        mon@hostname).
 # 
-#        Note  3:  user@domain  or  user+extension@domain lookup is
+#        Note 2: user@domain  or  user+extension@domain  lookup  is
 #        available in Postfix 2.0 and later.
 # 
 # RESULT FORMAT
-#        The lookup result is of the form  transport:nexthop.   The
-#        transport  field  specifies a mail delivery transport such
-#        as smtp or local. The nexthop field  specifies  where  and
+#        The  lookup  result is of the form transport:nexthop.  The
+#        transport field specifies a mail delivery  transport  such
+#        as  smtp  or  local. The nexthop field specifies where and
 #        how to deliver mail.
 # 
-#        The  transport field specifies the name of a mail delivery
+#        The transport field specifies the name of a mail  delivery
 #        transport (the first name of a mail delivery service entry
 #        in the Postfix master.cf file).
 # 
-#        The  interpretation  of  the  nexthop  field  is transport
-#        dependent. In the case of SMTP, specify  a  service  on  a
-#        non-default  port  as  host:service,  and disable MX (mail
-#        exchanger) DNS lookups with [host] or [host]:port. The  []
+#        The interpretation  of  the  nexthop  field  is  transport
+#        dependent.  In  the  case  of SMTP, specify a service on a
+#        non-default port as host:service,  and  disable  MX  (mail
+#        exchanger)  DNS lookups with [host] or [host]:port. The []
 #        form is required when you specify an IP address instead of
 #        a hostname.
 # 
-#        A null transport and null nexthop  result  means  "do  not
-#        change":  use  the delivery transport and nexthop informa-
-#        tion that would be used when the  entire  transport  table
+#        A  null  transport  and  null nexthop result means "do not
+#        change": use the delivery transport and  nexthop  informa-
+#        tion  that  would  be used when the entire transport table
 #        did not exist.
 # 
-#        A  non-null  transport  field  with  a  null nexthop field
+#        A non-null transport  field  with  a  null  nexthop  field
 #        resets the nexthop information to the recipient domain.
 # 
-#        A null transport field with non-null  nexthop  field  does
+#        A  null  transport  field with non-null nexthop field does
 #        not modify the transport information.
 # 
 # EXAMPLES
-#        In  order to deliver internal mail directly, while using a
-#        mail relay for all other mail, specify a  null  entry  for
-#        internal  destinations  (do not change the delivery trans-
-#        port or the nexthop information) and  specify  a  wildcard
+#        In order to deliver internal mail directly, while using  a
+#        mail  relay  for  all other mail, specify a null entry for
+#        internal destinations (do not change the  delivery  trans-
+#        port  or  the  nexthop information) and specify a wildcard
 #        for all other destinations.
 # 
 #             my.domain    :
 #             .my.domain   :
 #             *            smtp:outbound-relay.my.domain
 # 
-#        In  order  to send mail for example.com and its subdomains
+#        In order to send mail for example.com and  its  subdomains
 #        via the uucp transport to the UUCP host named example:
 # 
 #             example.com      uucp:example
 #             .example.com     uucp:example
 # 
-#        When no nexthop host name is  specified,  the  destination
-#        domain  name  is  used instead. For example, the following
-#        directs mail for user@example.com via the  slow  transport
-#        to  a  mail exchanger for example.com.  The slow transport
+#        When  no  nexthop  host name is specified, the destination
+#        domain name is used instead. For  example,  the  following
+#        directs  mail  for user@example.com via the slow transport
+#        to a mail exchanger for example.com.  The  slow  transport
 #        could be configured to run at most one delivery process at
 #        a time:
 # 
 #             example.com      slow:
 # 
 #        When no transport is specified, Postfix uses the transport
-#        that matches the address  domain  class  (see  DESCRIPTION
-#        above).   The following sends all mail for example.com and
+#        that  matches  the  address  domain class (see DESCRIPTION
+#        above).  The following sends all mail for example.com  and
 #        its subdomains to host gateway.example.com:
 # 
 #             example.com      :[gateway.example.com]
 #             .example.com     :[gateway.example.com]
 # 
-#        In the above example, the [] suppress  MX  lookups.   This
-#        prevents  mail  routing loops when your machine is primary
+#        In  the  above  example, the [] suppress MX lookups.  This
+#        prevents mail routing loops when your machine  is  primary
 #        MX host for example.com.
 # 
-#        In the case of delivery via SMTP, one  may  specify  host-
+#        In  the  case  of delivery via SMTP, one may specify host-
 #        name:service instead of just a host:
 # 
 #             example.com      smtp:bar.example:2025
@@ -211,55 +213,55 @@
 # 
 #             .example.com     error:mail for *.example.com is not deliverable
 # 
-#        This causes all mail for user@anything.example.com  to  be
+#        This  causes  all mail for user@anything.example.com to be
 #        bounced.
 # 
 # REGULAR EXPRESSION TABLES
-#        This  section  describes how the table lookups change when
+#        This section describes how the table lookups  change  when
 #        the table is given in the form of regular expressions. For
-#        a  description  of regular expression lookup table syntax,
+#        a description of regular expression lookup  table  syntax,
 #        see regexp_table(5) or pcre_table(5).
 # 
-#        Each pattern is a regular expression that  is  applied  to
-#        the    entire    address    being    looked    up.   Thus,
-#        some.domain.hierarchy is not  looked  up  via  its  parent
-#        domains,  nor is user+foo@domain looked up as user@domain.
+#        Each  pattern  is  a regular expression that is applied to
+#        the   entire    address    being    looked    up.    Thus,
+#        some.domain.hierarchy  is  not  looked  up  via its parent
+#        domains, nor is user+foo@domain looked up as  user@domain.
 # 
-#        Patterns are applied in the order as specified in the  ta-
-#        ble,  until  a  pattern  is  found that matches the search
+#        Patterns  are applied in the order as specified in the ta-
+#        ble, until a pattern is  found  that  matches  the  search
 #        string.
 # 
 #        The trivial-rewrite(8) server disallows regular expression
-#        substitution  of  $1  etc.  in  regular  expression lookup
-#        tables, because that could open a security  hole  (Postfix
+#        substitution of  $1  etc.  in  regular  expression  lookup
+#        tables,  because  that could open a security hole (Postfix
 #        version 2.3 and later).
 # 
 # TCP-BASED TABLES
-#        This  section  describes how the table lookups change when
+#        This section describes how the table lookups  change  when
 #        lookups are directed to a TCP-based server. For a descrip-
 #        tion of the TCP client/server lookup protocol, see tcp_ta-
 #        ble(5).  This feature is not available up to and including
 #        Postfix version 2.4.
 # 
-#        Each  lookup  operation  uses the entire recipient address
-#        once.  Thus, some.domain.hierarchy is not  looked  up  via
-#        its  parent  domains,  nor is user+foo@domain looked up as
+#        Each lookup operation uses the  entire  recipient  address
+#        once.   Thus,  some.domain.hierarchy  is not looked up via
+#        its parent domains, nor is user+foo@domain  looked  up  as
 #        user@domain.
 # 
 #        Results are the same as with indexed file lookups.
 # 
 # CONFIGURATION PARAMETERS
-#        The following main.cf parameters are especially  relevant.
-#        The  text  below  provides  only  a parameter summary. See
+#        The  following main.cf parameters are especially relevant.
+#        The text below provides  only  a  parameter  summary.  See
 #        postconf(5) for more details including examples.
 # 
 #        empty_address_recipient
-#               The address that is looked up instead of  the  null
+#               The  address  that is looked up instead of the null
 #               sender address.
 # 
 #        parent_domain_matches_subdomains
-#               List  of  Postfix features that use domain.tld pat-
-#               terns  to  match  sub.domain.tld  (as  opposed   to
+#               List of Postfix features that use  domain.tld  pat-
+#               terns   to  match  sub.domain.tld  (as  opposed  to
 #               requiring .domain.tld patterns).
 # 
 #        transport_maps
@@ -272,14 +274,14 @@
 #        postmap(1), Postfix lookup table manager
 # 
 # README FILES
-#        Use  "postconf  readme_directory" or "postconf html_direc-
+#        Use "postconf readme_directory" or  "postconf  html_direc-
 #        tory" to locate this information.
 #        ADDRESS_REWRITING_README, address rewriting guide
 #        DATABASE_README, Postfix lookup table overview
 #        FILTER_README, external content filter
 # 
 # LICENSE
-#        The Secure Mailer license must be  distributed  with  this
+#        The  Secure  Mailer  license must be distributed with this
 #        software.
 # 
 # AUTHOR(S)
diff --git a/postfix/html/NFS_README.html b/postfix/html/NFS_README.html
index 318b097ad..1661541fc 100644
--- a/postfix/html/NFS_README.html
+++ b/postfix/html/NFS_README.html
@@ -17,54 +17,121 @@
 
 <hr>
 
-<p> This question was asked on the postfix-users mailing list a
-while ago: </p>
-
-<blockquote> <p> Also, what considerations are there for file
-locking or other potential problems when running Postfix with a
-Netapp-style box for /var/mail delivery?  I know that FreeBSD has
-broken NFS file locking (both client and server?) but I'm not sure
-if this is something Postfix can work around or not. </p> </blockquote>
-
-<p> Postfix jumps several hoops in order to deal with NFS-specific
-problems. Thus, Postfix on NFS is slightly less reliable than
-Postfix on a local disk. That is not a problem in Postfix; the
-problem is in NFS and affects other MTAs as well. </p>
-
-<p> For queue locking within Postfix, NFS is not an issue because
-you cannot share Postfix queues among multiple Postfix instances.
+<h2> Postfix support status for NFS </h2>
+
+<p> What is the status of support for Postfix on NFS? The answer
+is that Postfix itself is supported when you use NFS, but there is
+no promise that an NFS-related problem will promptly receive a
+Postfix workaround, or that a workaround will even be possible.
 </p>
 
-<p> In order to have mailbox locking over NFS, you have to configure
-everything to use fcntl() locks for mailbox access (or switch to
-maildir style, which needs no application-level lock controls).
+<p> That said, Postfix will in many cases work very well on NFS,
+because Postfix implements a number of workarounds (see below).
+Good NFS implementations seldom if ever give problems with Postfix,
+so Wietse recommends that you spend your money wisely.  </p>
+
+<h2> Postfix file locking and NFS </h2>
+
+<p> For the Postfix mail queue, it does not matter how well NFS
+file locking works. The reason is that you cannot share Postfix
+queues among multiple running Postfix instances. You can use NFS
+to switch a Postfix mail queue from one NFS client to another one,
+but only one NFS client can access a Postfix mail queue at any
+particular point in time. </p>
+
+<p> For mailbox file sharing with NFS, your options are to use
+<b>fcntl</b> (kernel locks), <b>dotlock</b> (<i>username</i>.lock
+files), to use both locking methods simultaneously, or to switch
+to maildir format. The maildir format uses one file per message and
+needs no file locking support in Postfix or in other mail software.
 </p>
 
-<p> To turn on fcntl() mailbox locks with Postfix you specify: </p>
+<p> Many sites that use mailbox format play safe and use both locking
+methods simultaneously. </p>
 
 <blockquote>
 <pre>
-/etc/postfix/main.cf:
-    <a href="postconf.5.html#virtual_mailbox_lock">virtual_mailbox_lock</a> = fcntl
-    <a href="postconf.5.html#mailbox_delivery_lock">mailbox_delivery_lock</a> = fcntl
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+    <a href="postconf.5.html#virtual_mailbox_lock">virtual_mailbox_lock</a> = fcntl, dotlock
+    <a href="postconf.5.html#mailbox_delivery_lock">mailbox_delivery_lock</a> = fcntl, dotlock
 </pre>
 </blockquote>
+</body>
 
-<p> Obviously, this approach is useful only if all other mailbox
-access software also uses fcntl() locks. </p>
+<h2> Postfix NFS workarounds </h2>
 
-<p> You can also "play safe" and throw in <i>username</i>.lock files: </p>
+<p> The list below summarizes the workarounds that exist for running
+Postfix on NFS as of the middle of 2003. As a reminder, Postfix
+itself is still supported when it runs on NFS, but there is no
+promise that an NFS-related problem will promptly receive a Postfix
+workaround, or that a workaround will even be possible.  </p>
 
-<blockquote>
-<pre>
-/etc/postfix/main.cf:
-    <a href="postconf.5.html#virtual_mailbox_lock">virtual_mailbox_lock</a> = fcntl, dotlock
-    <a href="postconf.5.html#mailbox_delivery_lock">mailbox_delivery_lock</a> = fcntl, dotlock
-</pre>
-</blockquote>
+<ul>
 
-<p> This is the combination that many applications end up using. </p>
+<li> <p> Problem: when renaming a file, the operation may succeed
+but report an error anyway<sup>[1]</sup>. </p>
 
-</body>
+<p> Workaround: when rename(old, new) reports an error, Postfix
+checks if the new name exists and the old name is gone. If the check
+succeeds, Postfix assumes that the rename() operation completed
+normally.  </p>
+
+<li> <p> Problem: when creating a directory, the operation may succeed
+but report an error anyway<sup>[1]</sup>. </p>
+
+<p> Workaround: when mkdir(new) reports an EEXIST error, Postfix
+checks if the new name resolves to a directory. If the check succeeds,
+Postfix assumes that the mkdir() operation completed normally.  </p>
+
+<li> <p> Problem: when creating a hardlink to a file, the operation
+may succeed but report an error anyway<sup>[1]</sup>. </p>
+
+<p> Workaround: when link(old, new) fails, Postfix compares the
+device and inode number of the old and new files. When the two files
+are identical, Postfix assumes that the link() operation completed
+normally. </p>
+
+<li> <p> Problem: when creating a dotlock (<i>username</i>.lock)
+file, the operation may succeed but report an error anyway<sup>[1]</sup>.
+</p>
+
+<p> Workaround: in this case, the only safe action is to back off
+and try again later.  </p>
+
+<li> <p> Problem: when a file server's "time of day" clock is not
+synchronized with the client's "time of day" clock, email deliveries
+are delayed by a minute or more.  </p>
+
+<p> Workaround: Postfix explicitly sets file time stamps to avoid
+delays with new mail (Postfix uses "last modified" file time stamps
+to decide when a queue file is ready for delivery).  </p>
+
+</ul>
+
+<p> <sup>[1]</sup> How can an operation succeed and report an error
+anyway? </p>
+
+<p> Suppose that an NFS server executes a client request successfully,
+and that the server's reply to the client is lost.  After some time
+the client retransmits the request to the server.  Normally, the
+server remembers that it already completed the request (it keeps a
+list of recently-completed requests and replies), and simply
+retransmits the reply. </p>
+
+<p> However, when the server has rebooted or when it has been very
+busy, the server no longer remembers that it already completed the
+request, and repeats the operation.  This causes no problems with
+file read/write requests (they contain a file offset and can therefore
+be repeated safely), but fails with non-idempotent operations. For
+example, when the server executes a retransmitted rename() request,
+the server reports an ENOENT error because the old name does not
+exist; and when the server executes a retransmitted link(), mkdir()
+or create() request, the server reports an EEXIST error because the
+name already exists. </p>
+
+<p> Thus, successful, non-idempotent, NFS operations will report
+false errors when the server reply is lost, the client retransmits
+the request, and the server does not remember that it already
+completed the request.  </p>
 
 </html>
diff --git a/postfix/html/access.5.html b/postfix/html/access.5.html
index 7f7977df2..128006866 100644
--- a/postfix/html/access.5.html
+++ b/postfix/html/access.5.html
@@ -202,21 +202,27 @@ ACCESS(5)                                                            ACCESS(5)
               <i>text...</i>"  when the optional text is specified, oth-
               erwise reply with a generic error response message.
 
+       <b>DEFER</b> <i>optional text...</i>
+              Reject  the  address etc. that matches the pattern.
+              Reply   with    "<b>$<a href="postconf.5.html#access_map_defer_code">access_map_defer_code</a></b>    <i>optional</i>
+              <i>text...</i>"  when the optional text is specified, oth-
+              erwise reply with a generic error response message.
+
        <b>DEFER_IF_REJECT</b> <i>optional text...</i>
               Defer  the  request if some later restriction would
-              result in a REJECT action. Reply  with  "<b>450  4.7.1</b>
-              <i>optional  text...</i>" when the optional text is speci-
-              fied, otherwise reply with a generic error response
-              message.
+              result   in   a   REJECT   action.    Reply    with
+              "<b>$<a href="postconf.5.html#access_map_defer_code">access_map_defer_code</a>   4.7.1</b>  <i>optional  text...</i>"
+              when the  optional  text  is  specified,  otherwise
+              reply with a generic error response message.
 
               This feature is available in Postfix 2.1 and later.
 
        <b>DEFER_IF_PERMIT</b> <i>optional text...</i>
               Defer the request if some later  restriction  would
               result  in a an explicit or implicit PERMIT action.
-              Reply with "<b>450 4.7.1</b>  <i>optional text...</i>"  when  the
-              optional  text is specified, otherwise reply with a
-              generic error response message.
+              Reply with "<b>$<a href="postconf.5.html#access_map_defer_code">access_map_defer_code</a> 4.7.1</b>   <i>optional</i>
+              <i>text...</i>"  when the optional text is specified, oth-
+              erwise reply with a generic error response message.
 
               This feature is available in Postfix 2.1 and later.
 
@@ -226,169 +232,169 @@ ACCESS(5)                                                            ACCESS(5)
               <b><a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a></b>, and so on).
 
        <b>BCC</b> <i>user@domain</i>
-              Send one copy  of  the  message  to  the  specified
+              Send  one  copy  of  the  message  to the specified
               recipient.
 
-              If  multiple  BCC  actions are specified within the
-              same SMTP MAIL transaction, only  the  last  action
+              If multiple BCC actions are  specified  within  the
+              same  SMTP  MAIL  transaction, only the last action
               will be used.
 
-              This  feature  is  not  part  of the stable Postfix
+              This feature is not  part  of  the  stable  Postfix
               release.
 
        <b>DISCARD</b> <i>optional text...</i>
-              Claim successful delivery and silently discard  the
-              message.   Log the optional text if specified, oth-
+              Claim  successful delivery and silently discard the
+              message.  Log the optional text if specified,  oth-
               erwise log a generic message.
 
-              Note: this action currently affects all  recipients
-              of  the  message.   To  discard  only one recipient
-              without discarding  the  entire  message,  use  the
+              Note:  this action currently affects all recipients
+              of the message.   To  discard  only  one  recipient
+              without  discarding  the  entire  message,  use the
               <a href="transport.5.html">transport(5)</a> table to direct mail to the <a href="discard.8.html">discard(8)</a>
               service.
 
               This feature is available in Postfix 2.0 and later.
 
-       <b>DUNNO</b>  Pretend  that  the  lookup  key was not found. This
-              prevents Postfix  from  trying  substrings  of  the
-              lookup  key (such as a subdomain name, or a network
+       <b>DUNNO</b>  Pretend that the lookup key  was  not  found.  This
+              prevents  Postfix  from  trying  substrings  of the
+              lookup key (such as a subdomain name, or a  network
               address subnetwork).
 
               This feature is available in Postfix 2.0 and later.
 
        <b>FILTER</b> <i>transport:destination</i>
-              After  the  message is queued, send the entire mes-
+              After the message is queued, send the  entire  mes-
               sage through the specified external content filter.
-              The  <i>transport:destination</i>  syntax  is described in
-              the <a href="transport.5.html"><b>transport</b>(5)</a>  manual  page.   More  information
-              about  external  content  filters is in the Postfix
+              The <i>transport:destination</i> syntax  is  described  in
+              the  <a href="transport.5.html"><b>transport</b>(5)</a>  manual  page.   More information
+              about external content filters is  in  the  Postfix
               <a href="FILTER_README.html">FILTER_README</a> file.
 
               Note: this action overrides the <b><a href="postconf.5.html#content_filter">content_filter</a></b> set-
-              ting,  and  currently affects all recipients of the
+              ting, and currently affects all recipients  of  the
               message.
 
               This feature is available in Postfix 2.0 and later.
 
        <b>HOLD</b> <i>optional text...</i>
-              Place  the message on the <b>hold</b> queue, where it will
-              sit until someone either deletes it or releases  it
-              for  delivery.  Log the optional text if specified,
+              Place the message on the <b>hold</b> queue, where it  will
+              sit  until someone either deletes it or releases it
+              for delivery.  Log the optional text if  specified,
               otherwise log a generic message.
 
-              Mail that is placed on hold can  be  examined  with
-              the  <a href="postcat.1.html"><b>postcat</b>(1)</a>  command,  and  can be destroyed or
+              Mail  that  is  placed on hold can be examined with
+              the <a href="postcat.1.html"><b>postcat</b>(1)</a> command, and  can  be  destroyed  or
               released with the <a href="postsuper.1.html"><b>postsuper</b>(1)</a> command.
 
-              Note: use "<b>postsuper -r</b>" to release mail  that  was
-              kept  on  hold for a significant fraction of <b>$<a href="postconf.5.html#maximal_queue_lifetime">maxi</a>-</b>
+              Note:  use  "<b>postsuper -r</b>" to release mail that was
+              kept on hold for a significant fraction  of  <b>$<a href="postconf.5.html#maximal_queue_lifetime">maxi</a>-</b>
               <b><a href="postconf.5.html#maximal_queue_lifetime">mal_queue_lifetime</a></b>  or  <b>$<a href="postconf.5.html#bounce_queue_lifetime">bounce_queue_lifetime</a></b>,  or
-              longer.  Use "<b>postsuper -H</b>" only for mail that will
+              longer. Use "<b>postsuper -H</b>" only for mail that  will
               not expire within a few delivery attempts.
 
-              Note: this action currently affects all  recipients
+              Note:  this action currently affects all recipients
               of the message.
 
               This feature is available in Postfix 2.0 and later.
 
        <b>PREPEND</b> <i>headername: headervalue</i>
-              Prepend the specified message header  to  the  mes-
-              sage.   When more than one PREPEND action executes,
-              the first prepended header appears before the  sec-
+              Prepend  the  specified  message header to the mes-
+              sage.  When more than one PREPEND action  executes,
+              the  first prepended header appears before the sec-
               ond etc. prepended header.
 
-              Note:  this  action must execute before the message
-              content is received; it cannot execute in the  con-
+              Note: this action must execute before  the  message
+              content  is received; it cannot execute in the con-
               text of <b><a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a></b>.
 
               This feature is available in Postfix 2.1 and later.
 
        <b>REDIRECT</b> <i>user@domain</i>
-              After the message is queued, send  the  message  to
+              After  the  message  is queued, send the message to
               the  specified  address  instead  of  the  intended
               recipient(s).
 
-              Note: this action overrides the FILTER action,  and
+              Note:  this action overrides the FILTER action, and
               currently affects all recipients of the message.
 
               This feature is available in Postfix 2.1 and later.
 
        <b>WARN</b> <i>optional text...</i>
               Log a warning with the optional text, together with
-              client  information  and  if  available, with helo,
+              client information and  if  available,  with  helo,
               sender, recipient and protocol information.
 
               This feature is available in Postfix 2.1 and later.
 
 <b>ENHANCED STATUS CODES</b>
-       Postfix  version  2.3  and  later  support enhanced status
-       codes as defined in <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a>.   When  an  enhanced  status
-       code  is  specified  in  an access table, it is subject to
-       modification. The  following  transformations  are  needed
-       when  the  same  access  table  is  used for client, helo,
-       sender, or  recipient  access  restrictions;  they  happen
+       Postfix version 2.3  and  later  support  enhanced  status
+       codes  as  defined  in  <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a>.  When an enhanced status
+       code is specified in an access table,  it  is  subject  to
+       modification.  The  following  transformations  are needed
+       when the same access  table  is  used  for  client,  helo,
+       sender,  or  recipient  access  restrictions;  they happen
        regardless of whether Postfix replies to a MAIL FROM, RCPT
        TO or other SMTP command.
 
-       <b>o</b>      When a sender address matches a REJECT action,  the
-              Postfix  SMTP server will transform a recipient DSN
-              status (e.g., 4.1.1-4.1.6) into  the  corresponding
+       <b>o</b>      When  a sender address matches a REJECT action, the
+              Postfix SMTP server will transform a recipient  DSN
+              status  (e.g.,  4.1.1-4.1.6) into the corresponding
               sender DSN status, and vice versa.
 
-       <b>o</b>      When   non-address  information  matches  a  REJECT
-              action (such as the HELO command  argument  or  the
-              client  hostname/address),  the Postfix SMTP server
-              will transform a sender  or  recipient  DSN  status
-              into   a  generic  non-address  DSN  status  (e.g.,
+       <b>o</b>      When  non-address  information  matches  a   REJECT
+              action  (such  as  the HELO command argument or the
+              client hostname/address), the Postfix  SMTP  server
+              will  transform  a  sender  or recipient DSN status
+              into  a  generic  non-address  DSN  status   (e.g.,
               4.0.0).
 
 <b>REGULAR EXPRESSION TABLES</b>
-       This section describes how the table lookups  change  when
+       This  section  describes how the table lookups change when
        the table is given in the form of regular expressions. For
-       a description of regular expression lookup  table  syntax,
+       a  description  of regular expression lookup table syntax,
        see <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a> or <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a>.
 
-       Each  pattern  is  a regular expression that is applied to
+       Each pattern is a regular expression that  is  applied  to
        the entire string being looked up. Depending on the appli-
-       cation,  that  string  is  an  entire  client hostname, an
+       cation, that string  is  an  entire  client  hostname,  an
        entire client IP address, or an entire mail address. Thus,
        no  parent  domain  or  parent  network  search  is  done,
-       <i>user@domain</i> mail addresses are not broken  up  into  their
+       <i>user@domain</i>  mail  addresses  are not broken up into their
        <i>user@</i> and <i>domain</i> constituent parts, nor is <i>user+foo</i> broken
        up into <i>user</i> and <i>foo</i>.
 
-       Patterns are applied in the order as specified in the  ta-
-       ble,  until  a  pattern  is  found that matches the search
+       Patterns  are applied in the order as specified in the ta-
+       ble, until a pattern is  found  that  matches  the  search
        string.
 
-       Actions are the same as with indexed  file  lookups,  with
-       the  additional feature that parenthesized substrings from
+       Actions  are  the  same as with indexed file lookups, with
+       the additional feature that parenthesized substrings  from
        the pattern can be interpolated as <b>$1</b>, <b>$2</b> and so on.
 
 <b>TCP-BASED TABLES</b>
-       This section describes how the table lookups  change  when
+       This  section  describes how the table lookups change when
        lookups are directed to a TCP-based server. For a descrip-
        tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
        <a href="tcp_table.5.html"><b>ble</b>(5)</a>.  This feature is not available up to and including
        Postfix version 2.4.
 
-       Each lookup operation uses the entire query  string  once.
-       Depending  on  the  application,  that string is an entire
+       Each  lookup  operation uses the entire query string once.
+       Depending on the application, that  string  is  an  entire
        client hostname, an entire client IP address, or an entire
-       mail  address.   Thus,  no parent domain or parent network
-       search is done, <i>user@domain</i> mail addresses are not  broken
-       up  into  their <i>user@</i> and <i>domain</i> constituent parts, nor is
+       mail address.  Thus, no parent domain  or  parent  network
+       search  is done, <i>user@domain</i> mail addresses are not broken
+       up into their <i>user@</i> and <i>domain</i> constituent parts,  nor  is
        <i>user+foo</i> broken up into <i>user</i> and <i>foo</i>.
 
        Actions are the same as with indexed file lookups.
 
 <b>EXAMPLE</b>
-       The following example uses an indexed file,  so  that  the
-       order  of  table entries does not matter. The example per-
-       mits access by the client at address 1.2.3.4  but  rejects
-       all  other  clients  in 1.2.3.0/24. Instead of <b>hash</b> lookup
-       tables, some systems use <b>dbm</b>.  Use the  command  "<b>postconf</b>
-       <b>-m</b>"  to  find  out  what lookup tables Postfix supports on
+       The  following  example  uses an indexed file, so that the
+       order of table entries does not matter. The  example  per-
+       mits  access  by the client at address 1.2.3.4 but rejects
+       all other clients in 1.2.3.0/24. Instead  of  <b>hash</b>  lookup
+       tables,  some  systems use <b>dbm</b>.  Use the command "<b>postconf</b>
+       <b>-m</b>" to find out what lookup  tables  Postfix  supports  on
        your system.
 
        /etc/postfix/<a href="postconf.5.html">main.cf</a>:
@@ -399,11 +405,11 @@ ACCESS(5)                                                            ACCESS(5)
            1.2.3   REJECT
            1.2.3.4 OK
 
-       Execute the command  "<b>postmap  /etc/postfix/access</b>"  after
+       Execute  the  command  "<b>postmap /etc/postfix/access</b>" after
        editing the file.
 
 <b>BUGS</b>
-       The  table format does not understand quoting conventions.
+       The table format does not understand quoting  conventions.
 
 <b>SEE ALSO</b>
        <a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager
@@ -416,7 +422,7 @@ ACCESS(5)                                                            ACCESS(5)
        <a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview
 
 <b>LICENSE</b>
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/lmtp.8.html b/postfix/html/lmtp.8.html
index e236aa016..77d062520 100644
--- a/postfix/html/lmtp.8.html
+++ b/postfix/html/lmtp.8.html
@@ -280,11 +280,17 @@ SMTP(8)                                                                SMTP(8)
               Restricted <a href="header_checks.5.html"><b>body_checks</b>(5)</a> tables  for  the  Postfix
               SMTP client.
 
+       Available in Postfix version 2.6 and later:
+
+       <b><a href="postconf.5.html#tcp_windowsize">tcp_windowsize</a> (0)</b>
+              An  optional  workaround for routers that break TCP
+              window scaling.
+
 <b>MIME PROCESSING CONTROLS</b>
        Available in Postfix version 2.0 and later:
 
        <b><a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a> (no)</b>
-              Disable  the  conversion of 8BITMIME format to 7BIT
+              Disable the conversion of 8BITMIME format  to  7BIT
               format.
 
        <b><a href="postconf.5.html#mime_boundary_length_limit">mime_boundary_length_limit</a> (2048)</b>
@@ -299,108 +305,108 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix version 2.1 and later:
 
        <b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b>
-              Send the non-standard  XFORWARD  command  when  the
-              Postfix  SMTP  server EHLO response announces XFOR-
+              Send  the  non-standard  XFORWARD  command when the
+              Postfix SMTP server EHLO response  announces  XFOR-
               WARD support.
 
 <b>SASL AUTHENTICATION CONTROLS</b>
        <b><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> (no)</b>
-              Enable SASL  authentication  in  the  Postfix  SMTP
+              Enable  SASL  authentication  in  the  Postfix SMTP
               client.
 
        <b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b>
-              Optional  SMTP  client lookup tables with one user-
-              name:password entry per remote hostname or  domain,
+              Optional SMTP client lookup tables with  one  user-
+              name:password  entry per remote hostname or domain,
               or sender address when sender-dependent authentica-
               tion is enabled.
 
        <b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b>
-              Postfix SMTP client SASL security  options;  as  of
-              Postfix  2.3 the list of available features depends
-              on the SASL client implementation that is  selected
+              Postfix  SMTP  client  SASL security options; as of
+              Postfix 2.3 the list of available features  depends
+              on  the SASL client implementation that is selected
               with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
 
        Available in Postfix version 2.2 and later:
 
        <b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b>
-              If  non-empty, a Postfix SMTP client filter for the
-              remote SMTP server's list of  offered  SASL  mecha-
+              If non-empty, a Postfix SMTP client filter for  the
+              remote  SMTP  server's  list of offered SASL mecha-
               nisms.
 
        Available in Postfix version 2.3 and later:
 
        <b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b>
               Enable sender-dependent authentication in the Post-
-              fix SMTP client; this is available only  with  SASL
-              authentication,   and   disables   SMTP  connection
-              caching to ensure that mail from different  senders
+              fix  SMTP  client; this is available only with SASL
+              authentication,  and   disables   SMTP   connection
+              caching  to ensure that mail from different senders
               will use the appropriate credentials.
 
        <b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b>
-              Implementation-specific  information that the Post-
-              fix SMTP client passes through to the SASL  plug-in
-              implementation     that     is     selected    with
+              Implementation-specific information that the  Post-
+              fix  SMTP client passes through to the SASL plug-in
+              implementation    that     is     selected     with
               <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
 
        <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b>
-              The SASL plug-in type that the Postfix SMTP  client
+              The  SASL plug-in type that the Postfix SMTP client
               should use for authentication.
 
        Available in Postfix version 2.5 and later:
 
        <b><a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> (empty)</b>
-              An  optional table to prevent repeated SASL authen-
-              tication failures with the same remote SMTP  server
+              An optional table to prevent repeated SASL  authen-
+              tication  failures with the same remote SMTP server
               hostname, username and password.
 
        <b><a href="postconf.5.html#smtp_sasl_auth_cache_time">smtp_sasl_auth_cache_time</a> (90d)</b>
-              The  maximal  age  of  an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a>
+              The maximal  age  of  an  <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a>
               entry before it is removed.
 
        <b><a href="postconf.5.html#smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a> (yes)</b>
-              When a remote SMTP server rejects a SASL  authenti-
-              cation  request  with  a 535 reply code, defer mail
-              delivery instead of returning  mail  as  undeliver-
+              When  a remote SMTP server rejects a SASL authenti-
+              cation request with a 535 reply  code,  defer  mail
+              delivery  instead  of  returning mail as undeliver-
               able.
 
 <b>STARTTLS SUPPORT CONTROLS</b>
-       Detailed  information  about STARTTLS configuration may be
+       Detailed information about STARTTLS configuration  may  be
        found in the <a href="TLS_README.html">TLS_README</a> document.
 
        <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
               The default SMTP TLS security level for the Postfix
-              SMTP  client;  when a non-empty value is specified,
-              this    overrides    the    obsolete     parameters
+              SMTP client; when a non-empty value  is  specified,
+              this     overrides    the    obsolete    parameters
               <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>,         <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>,         and
               <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
 
        <b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>           ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_secu</a>-</b>
        <b><a href="postconf.5.html#smtp_sasl_security_options">rity_options</a>)</b>
-              The SASL authentication security options  that  the
-              Postfix  SMTP  client  uses  for TLS encrypted SMTP
+              The  SASL  authentication security options that the
+              Postfix SMTP client uses  for  TLS  encrypted  SMTP
               sessions.
 
        <b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b>
-              Time limit for Postfix SMTP client write  and  read
-              operations  during  TLS  startup and shutdown hand-
+              Time  limit  for Postfix SMTP client write and read
+              operations during TLS startup  and  shutdown  hand-
               shake procedures.
 
        <b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
-              The file with the certificate of the  certification
-              authority  (CA) that issued the Postfix SMTP client
+              The  file with the certificate of the certification
+              authority (CA) that issued the Postfix SMTP  client
               certificate.
 
        <b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
-              Directory with  PEM  format  certificate  authority
-              certificates  that  the Postfix SMTP client uses to
+              Directory  with  PEM  format  certificate authority
+              certificates that the Postfix SMTP client  uses  to
               verify a remote SMTP server certificate.
 
        <b><a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> (empty)</b>
-              File with the Postfix SMTP client  RSA  certificate
+              File  with  the Postfix SMTP client RSA certificate
               in PEM format.
 
        <b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b>
-              The  minimum TLS cipher grade that the Postfix SMTP
+              The minimum TLS cipher grade that the Postfix  SMTP
               client will use with mandatory TLS encryption.
 
        <b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b>
@@ -409,43 +415,43 @@ SMTP(8)                                                                SMTP(8)
               levels.
 
        <b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b>
-              Additional list  of  ciphers  or  cipher  types  to
-              exclude  from the SMTP client cipher list at manda-
+              Additional  list  of  ciphers  or  cipher  types to
+              exclude from the SMTP client cipher list at  manda-
               tory TLS security levels.
 
        <b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b>
-              File with the Postfix SMTP client  DSA  certificate
+              File  with  the Postfix SMTP client DSA certificate
               in PEM format.
 
        <b><a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b>
-              File  with  the Postfix SMTP client DSA private key
+              File with the Postfix SMTP client DSA  private  key
               in PEM format.
 
        <b><a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b>
-              File with the Postfix SMTP client RSA  private  key
+              File  with  the Postfix SMTP client RSA private key
               in PEM format.
 
        <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
-              Enable  additional  Postfix  SMTP client logging of
+              Enable additional Postfix SMTP  client  logging  of
               TLS activity.
 
        <b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b>
-              Log the hostname  of  a  remote  SMTP  server  that
-              offers  STARTTLS,  when  TLS is not already enabled
+              Log  the  hostname  of  a  remote  SMTP server that
+              offers STARTTLS, when TLS is  not  already  enabled
               for that server.
 
        <b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b>
               Optional lookup tables with the Postfix SMTP client
               TLS security policy by next-hop destination; when a
-              non-empty value is specified,  this  overrides  the
+              non-empty  value  is  specified, this overrides the
               obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
 
        <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
-              List  of  SSL/TLS  protocols  that the Postfix SMTP
+              List of SSL/TLS protocols  that  the  Postfix  SMTP
               client will use with mandatory TLS encryption.
 
        <b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (9)</b>
-              The verification depth for remote SMTP server  cer-
+              The  verification depth for remote SMTP server cer-
               tificates.
 
        <b><a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> (nexthop, dot-nexthop)</b>
@@ -453,7 +459,7 @@ SMTP(8)                                                                SMTP(8)
               for the "secure" TLS security level.
 
        <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
-              Name of the file containing  the  optional  Postfix
+              Name  of  the  file containing the optional Postfix
               SMTP client TLS session cache.
 
        <b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
@@ -465,9 +471,9 @@ SMTP(8)                                                                SMTP(8)
               for the "verify" TLS security level.
 
        <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
-              The  number  of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
-              or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process  requests  from  the  <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
-              server  in order to seed its internal pseudo random
+              The number of pseudo-random bytes that  an  <a href="smtp.8.html"><b>smtp</b>(8)</a>
+              or  <a href="smtpd.8.html"><b>smtpd</b>(8)</a>  process  requests  from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
+              server in order to seed its internal pseudo  random
               number generator (PRNG).
 
        <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b>
@@ -479,7 +485,7 @@ SMTP(8)                                                                SMTP(8)
               ciphers.
 
        <b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (ALL:!EXPORT:+RC4:@STRENGTH)</b>
-              The  OpenSSL  cipherlist  for "LOW" or higher grade
+              The OpenSSL cipherlist for "LOW"  or  higher  grade
               ciphers.
 
        <b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b>
@@ -487,38 +493,38 @@ SMTP(8)                                                                SMTP(8)
               ciphers.
 
        <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
-              The  OpenSSL  cipherlist  for  "NULL" grade ciphers
+              The OpenSSL cipherlist  for  "NULL"  grade  ciphers
               that provide authentication without encryption.
 
        Available in Postfix version 2.4 and later:
 
        <b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a></b>
        <b>($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>)</b>
-              The SASL authentication security options  that  the
-              Postfix  SMTP  client  uses  for TLS encrypted SMTP
+              The  SASL  authentication security options that the
+              Postfix SMTP client uses  for  TLS  encrypted  SMTP
               sessions with a verified server certificate.
 
        Available in Postfix version 2.5 and later:
 
        <b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> (empty)</b>
-              List of acceptable remote SMTP  server  certificate
-              fingerprints  for  the  "fingerprint"  TLS security
+              List  of  acceptable remote SMTP server certificate
+              fingerprints for  the  "fingerprint"  TLS  security
               level (<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a></b> = fingerprint).
 
        <b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> (md5)</b>
-              The message  digest  algorithm  used  to  construct
+              The  message  digest  algorithm  used  to construct
               remote SMTP server certificate fingerprints.
 
        Available in Postfix version 2.6 and later:
 
        <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (empty)</b>
-              List  of TLS protocols that the Postfix SMTP client
-              will exclude  or  include  with  opportunistic  TLS
+              List of TLS protocols that the Postfix SMTP  client
+              will  exclude  or  include  with  opportunistic TLS
               encryption.
 
        <b><a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> (export)</b>
-              The  minimum TLS cipher grade that the Postfix SMTP
-              client will use with opportunistic TLS  encryption.
+              The minimum TLS cipher grade that the Postfix  SMTP
+              client  will use with opportunistic TLS encryption.
 
        <b><a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> (empty)</b>
               File with the Postfix SMTP client ECDSA certificate
@@ -529,28 +535,28 @@ SMTP(8)                                                                SMTP(8)
               in PEM format.
 
 <b>OBSOLETE STARTTLS CONTROLS</b>
-       The  following configuration parameters exist for compati-
+       The following configuration parameters exist for  compati-
        bility with Postfix versions before 2.3. Support for these
        will be removed in a future release.
 
        <b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
-              Opportunistic  mode:  use  TLS  when  a remote SMTP
-              server announces STARTTLS support,  otherwise  send
+              Opportunistic mode: use  TLS  when  a  remote  SMTP
+              server  announces  STARTTLS support, otherwise send
               the mail in the clear.
 
        <b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
-              Enforcement  mode: require that remote SMTP servers
-              use TLS encryption, and  never  send  mail  in  the
+              Enforcement mode: require that remote SMTP  servers
+              use  TLS  encryption,  and  never  send mail in the
               clear.
 
        <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
-              With  mandatory  TLS  encryption,  require that the
+              With mandatory TLS  encryption,  require  that  the
               remote SMTP server hostname matches the information
               in the remote SMTP server certificate.
 
        <b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
               Optional lookup tables with the Postfix SMTP client
-              TLS usage policy by  next-hop  destination  and  by
+              TLS  usage  policy  by  next-hop destination and by
               remote SMTP server hostname.
 
        <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
@@ -560,27 +566,27 @@ SMTP(8)                                                                SMTP(8)
 <b>RESOURCE AND RATE CONTROLS</b>
        <b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a>      ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destina</a>-</b>
        <b><a href="postconf.5.html#default_destination_concurrency_limit">tion_concurrency_limit</a>)</b>
-              The maximal number of parallel  deliveries  to  the
-              same  destination  via  the  smtp  message delivery
+              The  maximal  number  of parallel deliveries to the
+              same destination  via  the  smtp  message  delivery
               transport.
 
        <b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a>        ($<a href="postconf.5.html#default_destination_recipient_limit">default_destina</a>-</b>
        <b><a href="postconf.5.html#default_destination_recipient_limit">tion_recipient_limit</a>)</b>
-              The maximal number of recipients  per  message  for
+              The  maximal  number  of recipients per message for
               the smtp message delivery transport.
 
        <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
-              The  SMTP  client  time  limit for completing a TCP
+              The SMTP client time limit  for  completing  a  TCP
               connection,  or  zero  (use  the  operating  system
               built-in time limit).
 
        <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
-              The  SMTP client time limit for sending the HELO or
-              EHLO command, and for receiving the initial  server
+              The SMTP client time limit for sending the HELO  or
+              EHLO  command, and for receiving the initial server
               response.
 
        <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
-              The  LMTP  client  time  limit for sending the LHLO
+              The LMTP client time limit  for  sending  the  LHLO
               command,  and  for  receiving  the  initial  server
               response.
 
@@ -589,30 +595,30 @@ SMTP(8)                                                                SMTP(8)
               command, and for receiving the server response.
 
        <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
-              The SMTP client time limit  for  sending  the  MAIL
-              FROM   command,   and   for  receiving  the  server
+              The  SMTP  client  time  limit for sending the MAIL
+              FROM  command,  and  for   receiving   the   server
               response.
 
        <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
-              The SMTP client time limit  for  sending  the  SMTP
-              RCPT  TO  command,  and  for  receiving  the server
+              The  SMTP  client  time  limit for sending the SMTP
+              RCPT TO  command,  and  for  receiving  the  server
               response.
 
        <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
-              The SMTP client time limit  for  sending  the  SMTP
-              DATA   command,   and   for  receiving  the  server
+              The  SMTP  client  time  limit for sending the SMTP
+              DATA  command,  and  for   receiving   the   server
               response.
 
        <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
-              The SMTP client time limit  for  sending  the  SMTP
+              The  SMTP  client  time  limit for sending the SMTP
               message content.
 
        <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
-              The  SMTP  client  time  limit for sending the SMTP
+              The SMTP client time limit  for  sending  the  SMTP
               ".", and for receiving the server response.
 
        <b><a href="postconf.5.html#smtp_quit_timeout">smtp_quit_timeout</a> (300s)</b>
-              The SMTP client time limit  for  sending  the  QUIT
+              The  SMTP  client  time  limit for sending the QUIT
               command, and for receiving the server response.
 
        Available in Postfix version 2.1 and later:
@@ -623,12 +629,12 @@ SMTP(8)                                                                SMTP(8)
               lookups, or zero (no limit).
 
        <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
-              The  maximal  number  of SMTP sessions per delivery
-              request before giving up or delivering to  a  fall-
+              The maximal number of SMTP  sessions  per  delivery
+              request  before  giving up or delivering to a fall-
               back <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
 
        <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
-              The  SMTP  client  time  limit for sending the RSET
+              The SMTP client time limit  for  sending  the  RSET
               command, and for receiving the server response.
 
        Available in Postfix version 2.2 and earlier:
@@ -640,11 +646,11 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix version 2.2 and later:
 
        <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
-              Permanently  enable SMTP connection caching for the
+              Permanently enable SMTP connection caching for  the
               specified destinations.
 
        <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
-              Temporarily enable SMTP connection caching while  a
+              Temporarily  enable SMTP connection caching while a
               destination has a high volume of mail in the active
               queue.
 
@@ -654,62 +660,62 @@ SMTP(8)                                                                SMTP(8)
 
        <b><a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> (2s)</b>
               When SMTP connection caching is enabled, the amount
-              of time that an unused SMTP client socket  is  kept
+              of  time  that an unused SMTP client socket is kept
               open before it is closed.
 
        Available in Postfix version 2.3 and later:
 
        <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
-              Time  limit  for  connection cache connect, send or
+              Time limit for connection cache  connect,  send  or
               receive operations.
 
 <b>TROUBLE SHOOTING CONTROLS</b>
        <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
-              The increment  in  verbose  logging  level  when  a
-              remote  client  or  server matches a pattern in the
+              The  increment  in  verbose  logging  level  when a
+              remote client or server matches a  pattern  in  the
               <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
 
        <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
-              Optional list of remote client or  server  hostname
-              or  network address patterns that cause the verbose
-              logging level to increase by the  amount  specified
+              Optional  list  of remote client or server hostname
+              or network address patterns that cause the  verbose
+              logging  level  to increase by the amount specified
               in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
 
        <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
-              The  recipient  of  postmaster  notifications about
-              mail delivery problems that are caused  by  policy,
+              The recipient  of  postmaster  notifications  about
+              mail  delivery  problems that are caused by policy,
               resource, software or protocol errors.
 
        <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
-              What  categories of Postfix-generated mail are sub-
-              ject  to   before-queue   content   inspection   by
+              What categories of Postfix-generated mail are  sub-
+              ject   to   before-queue   content   inspection  by
               <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
 
        <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
-              The  list of error classes that are reported to the
+              The list of error classes that are reported to  the
               postmaster.
 
 <b>MISCELLANEOUS CONTROLS</b>
        <b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
-              Where the Postfix SMTP client should  deliver  mail
+              Where  the  Postfix SMTP client should deliver mail
               when it detects a "mail loops back to myself" error
               condition.
 
        <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The default location of  the  Postfix  <a href="postconf.5.html">main.cf</a>  and
+              The  default  location  of  the Postfix <a href="postconf.5.html">main.cf</a> and
               <a href="master.5.html">master.cf</a> configuration files.
 
        <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
-              How  much time a Postfix daemon process may take to
-              handle a request  before  it  is  terminated  by  a
+              How much time a Postfix daemon process may take  to
+              handle  a  request  before  it  is  terminated by a
               built-in watchdog timer.
 
        <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
-              The  maximal  number  of  digits  after the decimal
+              The maximal number  of  digits  after  the  decimal
               point when logging sub-second delay values.
 
        <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
-              Disable DNS lookups in the Postfix  SMTP  and  LMTP
+              Disable  DNS  lookups  in the Postfix SMTP and LMTP
               clients.
 
        <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
@@ -717,7 +723,7 @@ SMTP(8)                                                                SMTP(8)
               tem receives mail on.
 
        <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
-              The Internet protocols Postfix will attempt to  use
+              The  Internet protocols Postfix will attempt to use
               when making or accepting connections.
 
        <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
@@ -725,75 +731,75 @@ SMTP(8)                                                                SMTP(8)
               over an internal communication channel.
 
        <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
-              The default TCP port that the Postfix  LMTP  client
+              The  default  TCP port that the Postfix LMTP client
               connects to.
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
-              The  maximum  amount  of  time that an idle Postfix
-              daemon process waits  for  an  incoming  connection
+              The maximum amount of time  that  an  idle  Postfix
+              daemon  process  waits  for  an incoming connection
               before terminating voluntarily.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
-              The  maximal  number of incoming connections that a
-              Postfix daemon process will service  before  termi-
+              The maximal number of incoming connections  that  a
+              Postfix  daemon  process will service before termi-
               nating voluntarily.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The  process  ID  of  a  Postfix  command or daemon
+              The process ID  of  a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The process name of a  Postfix  command  or  daemon
+              The  process  name  of  a Postfix command or daemon
               process.
 
        <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
               The network interface addresses that this mail sys-
-              tem receives mail on by way of a proxy  or  network
+              tem  receives  mail on by way of a proxy or network
               address translation unit.
 
        <b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
-              An  optional  numerical  network  address  that the
-              Postfix SMTP client should bind to when  making  an
+              An optional  numerical  network  address  that  the
+              Postfix  SMTP  client should bind to when making an
               IPv4 connection.
 
        <b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
-              An  optional  numerical  network  address  that the
-              Postfix SMTP client should bind to when  making  an
+              An optional  numerical  network  address  that  the
+              Postfix  SMTP  client should bind to when making an
               IPv6 connection.
 
        <b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
-              The  hostname to send in the SMTP EHLO or HELO com-
+              The hostname to send in the SMTP EHLO or HELO  com-
               mand.
 
        <b><a href="postconf.5.html#lmtp_lhloname">lmtp_lhlo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
               The hostname to send in the LMTP LHLO command.
 
        <b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
-              What mechanisms when the Postfix SMTP  client  uses
+              What  mechanisms  when the Postfix SMTP client uses
               to look up a host's IP address.
 
        <b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b>
-              Randomize  the  order  of  equal-preference MX host
+              Randomize the order  of  equal-preference  MX  host
               addresses.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The mail system  name  that  is  prepended  to  the
-              process  name  in  syslog  records, so that "smtpd"
+              The  mail  system  name  that  is  prepended to the
+              process name in syslog  records,  so  that  "smtpd"
               becomes, for example, "postfix/smtpd".
 
        Available with Postfix 2.2 and earlier:
 
        <b><a href="postconf.5.html#fallback_relay">fallback_relay</a> (empty)</b>
-              Optional list of relay hosts for SMTP  destinations
+              Optional  list of relay hosts for SMTP destinations
               that can't be found or that are unreachable.
 
        Available with Postfix 2.3 and later:
 
        <b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
-              Optional  list of relay hosts for SMTP destinations
+              Optional list of relay hosts for SMTP  destinations
               that can't be found or that are unreachable.
 
 <b>SEE ALSO</b>
@@ -814,7 +820,7 @@ SMTP(8)                                                                SMTP(8)
        <a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto
 
 <b>LICENSE</b>
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/master.8.html b/postfix/html/master.8.html
index 2d5242ec3..d70d1d345 100644
--- a/postfix/html/master.8.html
+++ b/postfix/html/master.8.html
@@ -117,13 +117,19 @@ MASTER(8)                                                            MASTER(8)
               How long the Postfix <a href="master.8.html"><b>master</b>(8)</a> waits before forking
               a server that appears to be malfunctioning.
 
+       Available in Postfix version 2.6 and later:
+
+       <b><a href="postconf.5.html#master_service_disable">master_service_disable</a> (empty)</b>
+              Selectively disable  <a href="master.8.html"><b>master</b>(8)</a>  listener  ports  by
+              service type or by service name and type.
+
 <b>MISCELLANEOUS CONTROLS</b>
        <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The default location of  the  Postfix  <a href="postconf.5.html">main.cf</a>  and
+              The  default  location  of  the Postfix <a href="postconf.5.html">main.cf</a> and
               <a href="master.5.html">master.cf</a> configuration files.
 
        <b><a href="postconf.5.html#daemon_directory">daemon_directory</a> (see 'postconf -d' output)</b>
-              The  directory  with  Postfix  support programs and
+              The directory with  Postfix  support  programs  and
               daemon programs.
 
        <b><a href="postconf.5.html#debugger_command">debugger_command</a> (empty)</b>
@@ -135,11 +141,11 @@ MASTER(8)                                                            MASTER(8)
               tem receives mail on.
 
        <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
-              The Internet protocols Postfix will attempt to  use
+              The  Internet protocols Postfix will attempt to use
               when making or accepting connections.
 
        <b><a href="postconf.5.html#import_environment">import_environment</a> (see 'postconf -d' output)</b>
-              The  list  of environment parameters that a Postfix
+              The list of environment parameters that  a  Postfix
               process  will  import  from  a  non-Postfix  parent
               process.
 
@@ -148,23 +154,23 @@ MASTER(8)                                                            MASTER(8)
               and most Postfix daemon processes.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The process ID  of  a  Postfix  command  or  daemon
+              The  process  ID  of  a  Postfix  command or daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The  process  name  of  a Postfix command or daemon
+              The process name of a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
-              The location of the Postfix top-level queue  direc-
+              The  location of the Postfix top-level queue direc-
               tory.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The  mail  system  name  that  is  prepended to the
-              process name in syslog  records,  so  that  "smtpd"
+              The mail system  name  that  is  prepended  to  the
+              process  name  in  syslog  records, so that "smtpd"
               becomes, for example, "postfix/smtpd".
 
 <b>FILES</b>
@@ -184,7 +190,7 @@ MASTER(8)                                                            MASTER(8)
        syslogd(8), system logging
 
 <b>LICENSE</b>
-       The Secure Mailer license must be  distributed  with  this
+       The  Secure  Mailer  license must be distributed with this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/postconf.1.html b/postfix/html/postconf.1.html
index cd94f7ea2..0a12cb196 100644
--- a/postfix/html/postconf.1.html
+++ b/postfix/html/postconf.1.html
@@ -16,6 +16,8 @@ POSTCONF(1)                                                        POSTCONF(1)
 
        <b>postconf</b> [<b>-ev</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>] [<i>parameter=value ...</i>]
 
+       <b>postconf</b> [<b>-#v</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>] [<i>parameter ...</i>]
+
        <b>postconf</b> [<b>-btv</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>] [<i>template</i><b>_</b><i>file</i>]
 
 <b>DESCRIPTION</b>
@@ -221,6 +223,17 @@ POSTCONF(1)                                                        POSTCONF(1)
               tiple  <b>-v</b>  options  make  the software increasingly
               verbose.
 
+       <b>-#</b>     Edit the <a href="postconf.5.html"><b>main.cf</b></a> configuration file.  The  file  is
+              copied to a temporary file then renamed into place.
+              The parameters specified on the  command  line  are
+              commented-out, so that they revert to their default
+              values. Specify a  list  of  parameter  names,  not
+              name=value  pairs.  There is no <b>postconf</b> command to
+              perform the reverse operation.
+
+              This feature is  available  with  Postfix  2.6  and
+              later.
+
 <b>DIAGNOSTICS</b>
        Problems are reported to the standard error stream.
 
@@ -229,18 +242,18 @@ POSTCONF(1)                                                        POSTCONF(1)
               Directory with Postfix configuration files.
 
 <b>CONFIGURATION PARAMETERS</b>
-       The following <a href="postconf.5.html"><b>main.cf</b></a> parameters are  especially  relevant
+       The  following  <a href="postconf.5.html"><b>main.cf</b></a> parameters are especially relevant
        to this program.
 
-       The  text  below  provides  only  a parameter summary. See
+       The text below provides  only  a  parameter  summary.  See
        <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.
 
        <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The default location of  the  Postfix  <a href="postconf.5.html">main.cf</a>  and
+              The  default  location  of  the Postfix <a href="postconf.5.html">main.cf</a> and
               <a href="master.5.html">master.cf</a> configuration files.
 
        <b><a href="postconf.5.html#bounce_template_file">bounce_template_file</a> (empty)</b>
-              Pathname  of  a configuration file with bounce mes-
+              Pathname of a configuration file with  bounce  mes-
               sage templates.
 
 <b>FILES</b>
@@ -254,7 +267,7 @@ POSTCONF(1)                                                        POSTCONF(1)
        <a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview
 
 <b>LICENSE</b>
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index 99f2fd1f4..19e25f95a 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -83,14 +83,35 @@ the sender.  This feature is enabled with the <a href="postconf.5.html#notify_cl
 parameter.  </p>
 
 
+</DD>
+
+<DT><b><a name="access_map_defer_code">access_map_defer_code</a>
+(default: 450)</b></DT><DD>
+
+<p>
+The numerical Postfix SMTP server response code for
+an <a href="access.5.html">access(5)</a> map "defer" action, including "<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>"
+or "<a href="postconf.5.html#defer_if_reject">defer_if_reject</a>". Prior to Postfix 2.6, the response
+is hard-coded as "450".
+</p>
+
+<p>
+Do not change this unless you have a complete understanding of <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a>.
+</p>
+
+<p>
+This feature is available in Postfix 2.6 and later.
+</p>
+
+
 </DD>
 
 <DT><b><a name="access_map_reject_code">access_map_reject_code</a>
 (default: 554)</b></DT><DD>
 
 <p>
-The numerical Postfix SMTP server response code when a client
-is rejected by an <a href="access.5.html">access(5)</a> map restriction.
+The numerical Postfix SMTP server response code for
+an <a href="access.5.html">access(5)</a> map "reject" action.
 </p>
 
 <p>
@@ -5313,6 +5334,35 @@ Examples:
 </pre>
 
 
+</DD>
+
+<DT><b><a name="master_service_disable">master_service_disable</a>
+(default: empty)</b></DT><DD>
+
+<p> Selectively disable <a href="master.8.html">master(8)</a> listener ports by service type
+or by service name and type.  Specify a list of service types
+("inet", "unix", "fifo", or "pass") or "name.type" tuples, where
+"name" is the first field of a <a href="master.5.html">master.cf</a> entry and "type" is a
+service type. As with other Postfix matchlists, a search stops at
+the first match.  Specify "!pattern" to exclude a service from the
+list. By default, all <a href="master.8.html">master(8)</a> listener ports are enabled.  </p>
+
+<p> Examples: </p>
+
+<pre>
+# Turn on all <a href="master.8.html">master(8)</a> listener ports (the default).
+<a href="postconf.5.html#master_service_disable">master_service_disable</a> =
+# Turn off only the main SMTP listener port.
+<a href="postconf.5.html#master_service_disable">master_service_disable</a> = smtp.inet
+# Turn off all TCP/IP listener ports.
+<a href="postconf.5.html#master_service_disable">master_service_disable</a> = inet
+# Turn off all TCP/IP listener ports except "foo".
+<a href="postconf.5.html#master_service_disable">master_service_disable</a> = !foo.inet, inet
+</pre>
+
+<p> This feature is available in Postfix 2.6 and later. </p>
+
+
 </DD>
 
 <DT><b><a name="max_idle">max_idle</a>
@@ -13012,6 +13062,20 @@ while accessing the Postfix <a href="postconf.5.html">main.cf</a> configuration
 </p>
 
 
+</DD>
+
+<DT><b><a name="tcp_windowsize">tcp_windowsize</a>
+(default: 0)</b></DT><DD>
+
+<p> An optional workaround for routers that break TCP window scaling.
+Specify a value > 0 and < 65536 to enable this feature. </p>
+
+<p> Note: for Postfix servers, this feature is implemented by the
+Postfix <a href="master.8.html">master(8)</a> daemon, not by the servers themselves. </p>
+
+<p> This feature is available in Postfix 2.6 and later. </p>
+
+
 </DD>
 
 <DT><b><a name="tls_daemon_random_bytes">tls_daemon_random_bytes</a>
diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html
index e236aa016..77d062520 100644
--- a/postfix/html/smtp.8.html
+++ b/postfix/html/smtp.8.html
@@ -280,11 +280,17 @@ SMTP(8)                                                                SMTP(8)
               Restricted <a href="header_checks.5.html"><b>body_checks</b>(5)</a> tables  for  the  Postfix
               SMTP client.
 
+       Available in Postfix version 2.6 and later:
+
+       <b><a href="postconf.5.html#tcp_windowsize">tcp_windowsize</a> (0)</b>
+              An  optional  workaround for routers that break TCP
+              window scaling.
+
 <b>MIME PROCESSING CONTROLS</b>
        Available in Postfix version 2.0 and later:
 
        <b><a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a> (no)</b>
-              Disable  the  conversion of 8BITMIME format to 7BIT
+              Disable the conversion of 8BITMIME format  to  7BIT
               format.
 
        <b><a href="postconf.5.html#mime_boundary_length_limit">mime_boundary_length_limit</a> (2048)</b>
@@ -299,108 +305,108 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix version 2.1 and later:
 
        <b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b>
-              Send the non-standard  XFORWARD  command  when  the
-              Postfix  SMTP  server EHLO response announces XFOR-
+              Send  the  non-standard  XFORWARD  command when the
+              Postfix SMTP server EHLO response  announces  XFOR-
               WARD support.
 
 <b>SASL AUTHENTICATION CONTROLS</b>
        <b><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> (no)</b>
-              Enable SASL  authentication  in  the  Postfix  SMTP
+              Enable  SASL  authentication  in  the  Postfix SMTP
               client.
 
        <b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b>
-              Optional  SMTP  client lookup tables with one user-
-              name:password entry per remote hostname or  domain,
+              Optional SMTP client lookup tables with  one  user-
+              name:password  entry per remote hostname or domain,
               or sender address when sender-dependent authentica-
               tion is enabled.
 
        <b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b>
-              Postfix SMTP client SASL security  options;  as  of
-              Postfix  2.3 the list of available features depends
-              on the SASL client implementation that is  selected
+              Postfix  SMTP  client  SASL security options; as of
+              Postfix 2.3 the list of available features  depends
+              on  the SASL client implementation that is selected
               with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
 
        Available in Postfix version 2.2 and later:
 
        <b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b>
-              If  non-empty, a Postfix SMTP client filter for the
-              remote SMTP server's list of  offered  SASL  mecha-
+              If non-empty, a Postfix SMTP client filter for  the
+              remote  SMTP  server's  list of offered SASL mecha-
               nisms.
 
        Available in Postfix version 2.3 and later:
 
        <b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b>
               Enable sender-dependent authentication in the Post-
-              fix SMTP client; this is available only  with  SASL
-              authentication,   and   disables   SMTP  connection
-              caching to ensure that mail from different  senders
+              fix  SMTP  client; this is available only with SASL
+              authentication,  and   disables   SMTP   connection
+              caching  to ensure that mail from different senders
               will use the appropriate credentials.
 
        <b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b>
-              Implementation-specific  information that the Post-
-              fix SMTP client passes through to the SASL  plug-in
-              implementation     that     is     selected    with
+              Implementation-specific information that the  Post-
+              fix  SMTP client passes through to the SASL plug-in
+              implementation    that     is     selected     with
               <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
 
        <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b>
-              The SASL plug-in type that the Postfix SMTP  client
+              The  SASL plug-in type that the Postfix SMTP client
               should use for authentication.
 
        Available in Postfix version 2.5 and later:
 
        <b><a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> (empty)</b>
-              An  optional table to prevent repeated SASL authen-
-              tication failures with the same remote SMTP  server
+              An optional table to prevent repeated SASL  authen-
+              tication  failures with the same remote SMTP server
               hostname, username and password.
 
        <b><a href="postconf.5.html#smtp_sasl_auth_cache_time">smtp_sasl_auth_cache_time</a> (90d)</b>
-              The  maximal  age  of  an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a>
+              The maximal  age  of  an  <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a>
               entry before it is removed.
 
        <b><a href="postconf.5.html#smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a> (yes)</b>
-              When a remote SMTP server rejects a SASL  authenti-
-              cation  request  with  a 535 reply code, defer mail
-              delivery instead of returning  mail  as  undeliver-
+              When  a remote SMTP server rejects a SASL authenti-
+              cation request with a 535 reply  code,  defer  mail
+              delivery  instead  of  returning mail as undeliver-
               able.
 
 <b>STARTTLS SUPPORT CONTROLS</b>
-       Detailed  information  about STARTTLS configuration may be
+       Detailed information about STARTTLS configuration  may  be
        found in the <a href="TLS_README.html">TLS_README</a> document.
 
        <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
               The default SMTP TLS security level for the Postfix
-              SMTP  client;  when a non-empty value is specified,
-              this    overrides    the    obsolete     parameters
+              SMTP client; when a non-empty value  is  specified,
+              this     overrides    the    obsolete    parameters
               <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>,         <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>,         and
               <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
 
        <b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>           ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_secu</a>-</b>
        <b><a href="postconf.5.html#smtp_sasl_security_options">rity_options</a>)</b>
-              The SASL authentication security options  that  the
-              Postfix  SMTP  client  uses  for TLS encrypted SMTP
+              The  SASL  authentication security options that the
+              Postfix SMTP client uses  for  TLS  encrypted  SMTP
               sessions.
 
        <b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b>
-              Time limit for Postfix SMTP client write  and  read
-              operations  during  TLS  startup and shutdown hand-
+              Time  limit  for Postfix SMTP client write and read
+              operations during TLS startup  and  shutdown  hand-
               shake procedures.
 
        <b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
-              The file with the certificate of the  certification
-              authority  (CA) that issued the Postfix SMTP client
+              The  file with the certificate of the certification
+              authority (CA) that issued the Postfix SMTP  client
               certificate.
 
        <b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
-              Directory with  PEM  format  certificate  authority
-              certificates  that  the Postfix SMTP client uses to
+              Directory  with  PEM  format  certificate authority
+              certificates that the Postfix SMTP client  uses  to
               verify a remote SMTP server certificate.
 
        <b><a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> (empty)</b>
-              File with the Postfix SMTP client  RSA  certificate
+              File  with  the Postfix SMTP client RSA certificate
               in PEM format.
 
        <b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b>
-              The  minimum TLS cipher grade that the Postfix SMTP
+              The minimum TLS cipher grade that the Postfix  SMTP
               client will use with mandatory TLS encryption.
 
        <b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b>
@@ -409,43 +415,43 @@ SMTP(8)                                                                SMTP(8)
               levels.
 
        <b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b>
-              Additional list  of  ciphers  or  cipher  types  to
-              exclude  from the SMTP client cipher list at manda-
+              Additional  list  of  ciphers  or  cipher  types to
+              exclude from the SMTP client cipher list at  manda-
               tory TLS security levels.
 
        <b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b>
-              File with the Postfix SMTP client  DSA  certificate
+              File  with  the Postfix SMTP client DSA certificate
               in PEM format.
 
        <b><a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b>
-              File  with  the Postfix SMTP client DSA private key
+              File with the Postfix SMTP client DSA  private  key
               in PEM format.
 
        <b><a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b>
-              File with the Postfix SMTP client RSA  private  key
+              File  with  the Postfix SMTP client RSA private key
               in PEM format.
 
        <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
-              Enable  additional  Postfix  SMTP client logging of
+              Enable additional Postfix SMTP  client  logging  of
               TLS activity.
 
        <b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b>
-              Log the hostname  of  a  remote  SMTP  server  that
-              offers  STARTTLS,  when  TLS is not already enabled
+              Log  the  hostname  of  a  remote  SMTP server that
+              offers STARTTLS, when TLS is  not  already  enabled
               for that server.
 
        <b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b>
               Optional lookup tables with the Postfix SMTP client
               TLS security policy by next-hop destination; when a
-              non-empty value is specified,  this  overrides  the
+              non-empty  value  is  specified, this overrides the
               obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
 
        <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
-              List  of  SSL/TLS  protocols  that the Postfix SMTP
+              List of SSL/TLS protocols  that  the  Postfix  SMTP
               client will use with mandatory TLS encryption.
 
        <b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (9)</b>
-              The verification depth for remote SMTP server  cer-
+              The  verification depth for remote SMTP server cer-
               tificates.
 
        <b><a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> (nexthop, dot-nexthop)</b>
@@ -453,7 +459,7 @@ SMTP(8)                                                                SMTP(8)
               for the "secure" TLS security level.
 
        <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
-              Name of the file containing  the  optional  Postfix
+              Name  of  the  file containing the optional Postfix
               SMTP client TLS session cache.
 
        <b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
@@ -465,9 +471,9 @@ SMTP(8)                                                                SMTP(8)
               for the "verify" TLS security level.
 
        <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
-              The  number  of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
-              or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process  requests  from  the  <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
-              server  in order to seed its internal pseudo random
+              The number of pseudo-random bytes that  an  <a href="smtp.8.html"><b>smtp</b>(8)</a>
+              or  <a href="smtpd.8.html"><b>smtpd</b>(8)</a>  process  requests  from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
+              server in order to seed its internal pseudo  random
               number generator (PRNG).
 
        <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b>
@@ -479,7 +485,7 @@ SMTP(8)                                                                SMTP(8)
               ciphers.
 
        <b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (ALL:!EXPORT:+RC4:@STRENGTH)</b>
-              The  OpenSSL  cipherlist  for "LOW" or higher grade
+              The OpenSSL cipherlist for "LOW"  or  higher  grade
               ciphers.
 
        <b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b>
@@ -487,38 +493,38 @@ SMTP(8)                                                                SMTP(8)
               ciphers.
 
        <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
-              The  OpenSSL  cipherlist  for  "NULL" grade ciphers
+              The OpenSSL cipherlist  for  "NULL"  grade  ciphers
               that provide authentication without encryption.
 
        Available in Postfix version 2.4 and later:
 
        <b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a></b>
        <b>($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>)</b>
-              The SASL authentication security options  that  the
-              Postfix  SMTP  client  uses  for TLS encrypted SMTP
+              The  SASL  authentication security options that the
+              Postfix SMTP client uses  for  TLS  encrypted  SMTP
               sessions with a verified server certificate.
 
        Available in Postfix version 2.5 and later:
 
        <b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> (empty)</b>
-              List of acceptable remote SMTP  server  certificate
-              fingerprints  for  the  "fingerprint"  TLS security
+              List  of  acceptable remote SMTP server certificate
+              fingerprints for  the  "fingerprint"  TLS  security
               level (<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a></b> = fingerprint).
 
        <b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> (md5)</b>
-              The message  digest  algorithm  used  to  construct
+              The  message  digest  algorithm  used  to construct
               remote SMTP server certificate fingerprints.
 
        Available in Postfix version 2.6 and later:
 
        <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (empty)</b>
-              List  of TLS protocols that the Postfix SMTP client
-              will exclude  or  include  with  opportunistic  TLS
+              List of TLS protocols that the Postfix SMTP  client
+              will  exclude  or  include  with  opportunistic TLS
               encryption.
 
        <b><a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> (export)</b>
-              The  minimum TLS cipher grade that the Postfix SMTP
-              client will use with opportunistic TLS  encryption.
+              The minimum TLS cipher grade that the Postfix  SMTP
+              client  will use with opportunistic TLS encryption.
 
        <b><a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> (empty)</b>
               File with the Postfix SMTP client ECDSA certificate
@@ -529,28 +535,28 @@ SMTP(8)                                                                SMTP(8)
               in PEM format.
 
 <b>OBSOLETE STARTTLS CONTROLS</b>
-       The  following configuration parameters exist for compati-
+       The following configuration parameters exist for  compati-
        bility with Postfix versions before 2.3. Support for these
        will be removed in a future release.
 
        <b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
-              Opportunistic  mode:  use  TLS  when  a remote SMTP
-              server announces STARTTLS support,  otherwise  send
+              Opportunistic mode: use  TLS  when  a  remote  SMTP
+              server  announces  STARTTLS support, otherwise send
               the mail in the clear.
 
        <b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
-              Enforcement  mode: require that remote SMTP servers
-              use TLS encryption, and  never  send  mail  in  the
+              Enforcement mode: require that remote SMTP  servers
+              use  TLS  encryption,  and  never  send mail in the
               clear.
 
        <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
-              With  mandatory  TLS  encryption,  require that the
+              With mandatory TLS  encryption,  require  that  the
               remote SMTP server hostname matches the information
               in the remote SMTP server certificate.
 
        <b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
               Optional lookup tables with the Postfix SMTP client
-              TLS usage policy by  next-hop  destination  and  by
+              TLS  usage  policy  by  next-hop destination and by
               remote SMTP server hostname.
 
        <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
@@ -560,27 +566,27 @@ SMTP(8)                                                                SMTP(8)
 <b>RESOURCE AND RATE CONTROLS</b>
        <b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a>      ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destina</a>-</b>
        <b><a href="postconf.5.html#default_destination_concurrency_limit">tion_concurrency_limit</a>)</b>
-              The maximal number of parallel  deliveries  to  the
-              same  destination  via  the  smtp  message delivery
+              The  maximal  number  of parallel deliveries to the
+              same destination  via  the  smtp  message  delivery
               transport.
 
        <b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a>        ($<a href="postconf.5.html#default_destination_recipient_limit">default_destina</a>-</b>
        <b><a href="postconf.5.html#default_destination_recipient_limit">tion_recipient_limit</a>)</b>
-              The maximal number of recipients  per  message  for
+              The  maximal  number  of recipients per message for
               the smtp message delivery transport.
 
        <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
-              The  SMTP  client  time  limit for completing a TCP
+              The SMTP client time limit  for  completing  a  TCP
               connection,  or  zero  (use  the  operating  system
               built-in time limit).
 
        <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
-              The  SMTP client time limit for sending the HELO or
-              EHLO command, and for receiving the initial  server
+              The SMTP client time limit for sending the HELO  or
+              EHLO  command, and for receiving the initial server
               response.
 
        <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
-              The  LMTP  client  time  limit for sending the LHLO
+              The LMTP client time limit  for  sending  the  LHLO
               command,  and  for  receiving  the  initial  server
               response.
 
@@ -589,30 +595,30 @@ SMTP(8)                                                                SMTP(8)
               command, and for receiving the server response.
 
        <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
-              The SMTP client time limit  for  sending  the  MAIL
-              FROM   command,   and   for  receiving  the  server
+              The  SMTP  client  time  limit for sending the MAIL
+              FROM  command,  and  for   receiving   the   server
               response.
 
        <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
-              The SMTP client time limit  for  sending  the  SMTP
-              RCPT  TO  command,  and  for  receiving  the server
+              The  SMTP  client  time  limit for sending the SMTP
+              RCPT TO  command,  and  for  receiving  the  server
               response.
 
        <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
-              The SMTP client time limit  for  sending  the  SMTP
-              DATA   command,   and   for  receiving  the  server
+              The  SMTP  client  time  limit for sending the SMTP
+              DATA  command,  and  for   receiving   the   server
               response.
 
        <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
-              The SMTP client time limit  for  sending  the  SMTP
+              The  SMTP  client  time  limit for sending the SMTP
               message content.
 
        <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
-              The  SMTP  client  time  limit for sending the SMTP
+              The SMTP client time limit  for  sending  the  SMTP
               ".", and for receiving the server response.
 
        <b><a href="postconf.5.html#smtp_quit_timeout">smtp_quit_timeout</a> (300s)</b>
-              The SMTP client time limit  for  sending  the  QUIT
+              The  SMTP  client  time  limit for sending the QUIT
               command, and for receiving the server response.
 
        Available in Postfix version 2.1 and later:
@@ -623,12 +629,12 @@ SMTP(8)                                                                SMTP(8)
               lookups, or zero (no limit).
 
        <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
-              The  maximal  number  of SMTP sessions per delivery
-              request before giving up or delivering to  a  fall-
+              The maximal number of SMTP  sessions  per  delivery
+              request  before  giving up or delivering to a fall-
               back <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
 
        <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
-              The  SMTP  client  time  limit for sending the RSET
+              The SMTP client time limit  for  sending  the  RSET
               command, and for receiving the server response.
 
        Available in Postfix version 2.2 and earlier:
@@ -640,11 +646,11 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix version 2.2 and later:
 
        <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
-              Permanently  enable SMTP connection caching for the
+              Permanently enable SMTP connection caching for  the
               specified destinations.
 
        <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
-              Temporarily enable SMTP connection caching while  a
+              Temporarily  enable SMTP connection caching while a
               destination has a high volume of mail in the active
               queue.
 
@@ -654,62 +660,62 @@ SMTP(8)                                                                SMTP(8)
 
        <b><a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> (2s)</b>
               When SMTP connection caching is enabled, the amount
-              of time that an unused SMTP client socket  is  kept
+              of  time  that an unused SMTP client socket is kept
               open before it is closed.
 
        Available in Postfix version 2.3 and later:
 
        <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
-              Time  limit  for  connection cache connect, send or
+              Time limit for connection cache  connect,  send  or
               receive operations.
 
 <b>TROUBLE SHOOTING CONTROLS</b>
        <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
-              The increment  in  verbose  logging  level  when  a
-              remote  client  or  server matches a pattern in the
+              The  increment  in  verbose  logging  level  when a
+              remote client or server matches a  pattern  in  the
               <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
 
        <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
-              Optional list of remote client or  server  hostname
-              or  network address patterns that cause the verbose
-              logging level to increase by the  amount  specified
+              Optional  list  of remote client or server hostname
+              or network address patterns that cause the  verbose
+              logging  level  to increase by the amount specified
               in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
 
        <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
-              The  recipient  of  postmaster  notifications about
-              mail delivery problems that are caused  by  policy,
+              The recipient  of  postmaster  notifications  about
+              mail  delivery  problems that are caused by policy,
               resource, software or protocol errors.
 
        <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
-              What  categories of Postfix-generated mail are sub-
-              ject  to   before-queue   content   inspection   by
+              What categories of Postfix-generated mail are  sub-
+              ject   to   before-queue   content   inspection  by
               <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
 
        <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
-              The  list of error classes that are reported to the
+              The list of error classes that are reported to  the
               postmaster.
 
 <b>MISCELLANEOUS CONTROLS</b>
        <b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
-              Where the Postfix SMTP client should  deliver  mail
+              Where  the  Postfix SMTP client should deliver mail
               when it detects a "mail loops back to myself" error
               condition.
 
        <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The default location of  the  Postfix  <a href="postconf.5.html">main.cf</a>  and
+              The  default  location  of  the Postfix <a href="postconf.5.html">main.cf</a> and
               <a href="master.5.html">master.cf</a> configuration files.
 
        <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
-              How  much time a Postfix daemon process may take to
-              handle a request  before  it  is  terminated  by  a
+              How much time a Postfix daemon process may take  to
+              handle  a  request  before  it  is  terminated by a
               built-in watchdog timer.
 
        <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
-              The  maximal  number  of  digits  after the decimal
+              The maximal number  of  digits  after  the  decimal
               point when logging sub-second delay values.
 
        <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
-              Disable DNS lookups in the Postfix  SMTP  and  LMTP
+              Disable  DNS  lookups  in the Postfix SMTP and LMTP
               clients.
 
        <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
@@ -717,7 +723,7 @@ SMTP(8)                                                                SMTP(8)
               tem receives mail on.
 
        <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
-              The Internet protocols Postfix will attempt to  use
+              The  Internet protocols Postfix will attempt to use
               when making or accepting connections.
 
        <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
@@ -725,75 +731,75 @@ SMTP(8)                                                                SMTP(8)
               over an internal communication channel.
 
        <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
-              The default TCP port that the Postfix  LMTP  client
+              The  default  TCP port that the Postfix LMTP client
               connects to.
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
-              The  maximum  amount  of  time that an idle Postfix
-              daemon process waits  for  an  incoming  connection
+              The maximum amount of time  that  an  idle  Postfix
+              daemon  process  waits  for  an incoming connection
               before terminating voluntarily.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
-              The  maximal  number of incoming connections that a
-              Postfix daemon process will service  before  termi-
+              The maximal number of incoming connections  that  a
+              Postfix  daemon  process will service before termi-
               nating voluntarily.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The  process  ID  of  a  Postfix  command or daemon
+              The process ID  of  a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The process name of a  Postfix  command  or  daemon
+              The  process  name  of  a Postfix command or daemon
               process.
 
        <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
               The network interface addresses that this mail sys-
-              tem receives mail on by way of a proxy  or  network
+              tem  receives  mail on by way of a proxy or network
               address translation unit.
 
        <b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
-              An  optional  numerical  network  address  that the
-              Postfix SMTP client should bind to when  making  an
+              An optional  numerical  network  address  that  the
+              Postfix  SMTP  client should bind to when making an
               IPv4 connection.
 
        <b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
-              An  optional  numerical  network  address  that the
-              Postfix SMTP client should bind to when  making  an
+              An optional  numerical  network  address  that  the
+              Postfix  SMTP  client should bind to when making an
               IPv6 connection.
 
        <b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
-              The  hostname to send in the SMTP EHLO or HELO com-
+              The hostname to send in the SMTP EHLO or HELO  com-
               mand.
 
        <b><a href="postconf.5.html#lmtp_lhloname">lmtp_lhlo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
               The hostname to send in the LMTP LHLO command.
 
        <b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
-              What mechanisms when the Postfix SMTP  client  uses
+              What  mechanisms  when the Postfix SMTP client uses
               to look up a host's IP address.
 
        <b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b>
-              Randomize  the  order  of  equal-preference MX host
+              Randomize the order  of  equal-preference  MX  host
               addresses.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The mail system  name  that  is  prepended  to  the
-              process  name  in  syslog  records, so that "smtpd"
+              The  mail  system  name  that  is  prepended to the
+              process name in syslog  records,  so  that  "smtpd"
               becomes, for example, "postfix/smtpd".
 
        Available with Postfix 2.2 and earlier:
 
        <b><a href="postconf.5.html#fallback_relay">fallback_relay</a> (empty)</b>
-              Optional list of relay hosts for SMTP  destinations
+              Optional  list of relay hosts for SMTP destinations
               that can't be found or that are unreachable.
 
        Available with Postfix 2.3 and later:
 
        <b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
-              Optional  list of relay hosts for SMTP destinations
+              Optional list of relay hosts for SMTP  destinations
               that can't be found or that are unreachable.
 
 <b>SEE ALSO</b>
@@ -814,7 +820,7 @@ SMTP(8)                                                                SMTP(8)
        <a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto
 
 <b>LICENSE</b>
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html
index e6e316746..0877fe278 100644
--- a/postfix/html/smtpd.8.html
+++ b/postfix/html/smtpd.8.html
@@ -141,46 +141,52 @@ SMTPD(8)                                                              SMTPD(8)
               sion id, even when TLS session  caching  is  turned
               off (<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> is empty).
 
+       Available in Postfix version 2.6 and later:
+
+       <b><a href="postconf.5.html#tcp_windowsize">tcp_windowsize</a> (0)</b>
+              An  optional  workaround for routers that break TCP
+              window scaling.
+
 <b>ADDRESS REWRITING CONTROLS</b>
-       See  the  <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> document for a detailed
+       See the <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> document for  a  detailed
        discussion of Postfix address rewriting.
 
        <b><a href="postconf.5.html#receive_override_options">receive_override_options</a> (empty)</b>
-              Enable or disable  recipient  validation,  built-in
+              Enable  or  disable  recipient validation, built-in
               content filtering, or address mapping.
 
        Available in Postfix version 2.2 and later:
 
        <b><a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> (<a href="postconf.5.html#permit_inet_interfaces">permit_inet_interfaces</a>)</b>
               Rewrite message header addresses in mail from these
-              clients and update incomplete  addresses  with  the
+              clients  and  update  incomplete addresses with the
               domain name in $<a href="postconf.5.html#myorigin">myorigin</a> or $<a href="postconf.5.html#mydomain">mydomain</a>; either don't
-              rewrite message headers from other clients at  all,
-              or  rewrite  message  headers and update incomplete
-              addresses  with  the  domain   specified   in   the
+              rewrite  message headers from other clients at all,
+              or rewrite message headers  and  update  incomplete
+              addresses   with   the   domain  specified  in  the
               <a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter.
 
 <b>AFTER QUEUE EXTERNAL CONTENT INSPECTION CONTROLS</b>
-       As  of  version 1.0, Postfix can be configured to send new
-       mail to an external  content  filter  AFTER  the  mail  is
-       queued.  This  content  filter  is expected to inject mail
-       back into a (Postfix or other) MTA for  further  delivery.
+       As of version 1.0, Postfix can be configured to  send  new
+       mail  to  an  external  content  filter  AFTER the mail is
+       queued. This content filter is  expected  to  inject  mail
+       back  into  a (Postfix or other) MTA for further delivery.
        See the <a href="FILTER_README.html">FILTER_README</a> document for details.
 
        <b><a href="postconf.5.html#content_filter">content_filter</a> (empty)</b>
-              The  name of a mail delivery transport that filters
+              The name of a mail delivery transport that  filters
               mail after it is queued.
 
 <b>BEFORE QUEUE EXTERNAL CONTENT INSPECTION CONTROLS</b>
-       As of version 2.1, the Postfix SMTP server can be  config-
-       ured  to send incoming mail to a real-time SMTP-based con-
+       As  of version 2.1, the Postfix SMTP server can be config-
+       ured to send incoming mail to a real-time SMTP-based  con-
        tent filter BEFORE mail is queued.  This content filter is
-       expected  to  inject  mail  back  into  Postfix.   See the
-       <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> document for details on how to  config-
+       expected to  inject  mail  back  into  Postfix.   See  the
+       <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a>  document for details on how to config-
        ure and operate this feature.
 
        <b><a href="postconf.5.html#smtpd_proxy_filter">smtpd_proxy_filter</a> (empty)</b>
-              The  hostname  and  TCP  port of the mail filtering
+              The hostname and TCP port  of  the  mail  filtering
               proxy server.
 
        <b><a href="postconf.5.html#smtpd_proxy_ehlo">smtpd_proxy_ehlo</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
@@ -193,23 +199,23 @@ SMTPD(8)                                                              SMTPD(8)
 
 <b>BEFORE QUEUE MILTER CONTROLS</b>
        As of version 2.3, Postfix supports the Sendmail version 8
-       Milter  (mail  filter) protocol. These content filters run
-       outside Postfix. They can inspect the SMTP command  stream
-       and  the  message  content,  and can request modifications
-       before mail is queued. For details see  the  <a href="MILTER_README.html">MILTER_README</a>
+       Milter (mail filter) protocol. These content  filters  run
+       outside  Postfix. They can inspect the SMTP command stream
+       and the message content,  and  can  request  modifications
+       before  mail  is queued. For details see the <a href="MILTER_README.html">MILTER_README</a>
        document.
 
        <b><a href="postconf.5.html#smtpd_milters">smtpd_milters</a> (empty)</b>
               A list of Milter (mail filter) applications for new
-              mail that arrives via the Postfix <a href="smtpd.8.html"><b>smtpd</b>(8)</a>  server.
+              mail  that arrives via the Postfix <a href="smtpd.8.html"><b>smtpd</b>(8)</a> server.
 
        <b><a href="postconf.5.html#milter_protocol">milter_protocol</a> (2)</b>
-              The  mail filter protocol version and optional pro-
-              tocol extensions for communication  with  a  Milter
+              The mail filter protocol version and optional  pro-
+              tocol  extensions  for  communication with a Milter
               (mail filter) application.
 
        <b><a href="postconf.5.html#milter_default_action">milter_default_action</a> (tempfail)</b>
-              The  default  action  when  a  Milter (mail filter)
+              The default action  when  a  Milter  (mail  filter)
               application is unavailable or mis-configured.
 
        <b><a href="postconf.5.html#milter_macro_daemon_name">milter_macro_daemon_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
@@ -221,189 +227,189 @@ SMTPD(8)                                                              SMTPD(8)
               cations.
 
        <b><a href="postconf.5.html#milter_connect_timeout">milter_connect_timeout</a> (30s)</b>
-              The time limit for connecting  to  a  Milter  (mail
-              filter)  application,  and for negotiating protocol
+              The  time  limit  for  connecting to a Milter (mail
+              filter) application, and for  negotiating  protocol
               options.
 
        <b><a href="postconf.5.html#milter_command_timeout">milter_command_timeout</a> (30s)</b>
-              The time limit for sending an  SMTP  command  to  a
+              The  time  limit  for  sending an SMTP command to a
               Milter (mail filter) application, and for receiving
               the response.
 
        <b><a href="postconf.5.html#milter_content_timeout">milter_content_timeout</a> (300s)</b>
-              The time limit for sending  message  content  to  a
+              The  time  limit  for  sending message content to a
               Milter (mail filter) application, and for receiving
               the response.
 
        <b><a href="postconf.5.html#milter_connect_macros">milter_connect_macros</a> (see postconf -n output)</b>
-              The macros that are sent to  Milter  (mail  filter)
-              applications  after  completion  of an SMTP connec-
+              The  macros  that  are sent to Milter (mail filter)
+              applications after completion of  an  SMTP  connec-
               tion.
 
        <b><a href="postconf.5.html#milter_helo_macros">milter_helo_macros</a> (see postconf -n output)</b>
-              The macros that are sent to  Milter  (mail  filter)
+              The  macros  that  are sent to Milter (mail filter)
               applications after the SMTP HELO or EHLO command.
 
        <b><a href="postconf.5.html#milter_mail_macros">milter_mail_macros</a> (see postconf -n output)</b>
-              The  macros  that  are sent to Milter (mail filter)
+              The macros that are sent to  Milter  (mail  filter)
               applications after the SMTP MAIL FROM command.
 
        <b><a href="postconf.5.html#milter_rcpt_macros">milter_rcpt_macros</a> (see postconf -n output)</b>
-              The macros that are sent to  Milter  (mail  filter)
+              The  macros  that  are sent to Milter (mail filter)
               applications after the SMTP RCPT TO command.
 
        <b><a href="postconf.5.html#milter_data_macros">milter_data_macros</a> (see postconf -n output)</b>
-              The  macros  that  are  sent to version 4 or higher
-              Milter (mail filter) applications  after  the  SMTP
+              The macros that are sent to  version  4  or  higher
+              Milter  (mail  filter)  applications after the SMTP
               DATA command.
 
        <b><a href="postconf.5.html#milter_unknown_command_macros">milter_unknown_command_macros</a> (see postconf -n output)</b>
-              The  macros  that  are  sent to version 3 or higher
-              Milter (mail filter) applications after an  unknown
+              The macros that are sent to  version  3  or  higher
+              Milter  (mail filter) applications after an unknown
               SMTP command.
 
        <b><a href="postconf.5.html#milter_end_of_header_macros">milter_end_of_header_macros</a> (see postconf -n output)</b>
-              The  macros  that  are sent to Milter (mail filter)
+              The macros that are sent to  Milter  (mail  filter)
               applications after the end of the message header.
 
        <b><a href="postconf.5.html#milter_end_of_data_macros">milter_end_of_data_macros</a> (see postconf -n output)</b>
-              The macros that are sent to  Milter  (mail  filter)
+              The  macros  that  are sent to Milter (mail filter)
               applications after the message end-of-data.
 
 <b>GENERAL CONTENT INSPECTION CONTROLS</b>
-       The  following parameters are applicable for both built-in
+       The following parameters are applicable for both  built-in
        and external content filters.
 
        Available in Postfix version 2.1 and later:
 
        <b><a href="postconf.5.html#receive_override_options">receive_override_options</a> (empty)</b>
-              Enable or disable  recipient  validation,  built-in
+              Enable  or  disable  recipient validation, built-in
               content filtering, or address mapping.
 
 <b>EXTERNAL CONTENT INSPECTION CONTROLS</b>
-       The  following  parameters are applicable for both before-
+       The following parameters are applicable for  both  before-
        queue and after-queue content filtering.
 
        Available in Postfix version 2.1 and later:
 
        <b><a href="postconf.5.html#smtpd_authorized_xforward_hosts">smtpd_authorized_xforward_hosts</a> (empty)</b>
-              What SMTP clients are allowed to use  the  XFORWARD
+              What  SMTP  clients are allowed to use the XFORWARD
               feature.
 
 <b>SASL AUTHENTICATION CONTROLS</b>
-       Postfix  SASL  support (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>) can be used to authenti-
-       cate remote SMTP clients to the Postfix SMTP  server,  and
-       to  authenticate  the Postfix SMTP client to a remote SMTP
+       Postfix SASL support (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>) can be used  to  authenti-
+       cate  remote  SMTP clients to the Postfix SMTP server, and
+       to authenticate the Postfix SMTP client to a  remote  SMTP
        server.  See the <a href="SASL_README.html">SASL_README</a> document for details.
 
        <b><a href="postconf.5.html#broken_sasl_auth_clients">broken_sasl_auth_clients</a> (no)</b>
-              Enable inter-operability  with  SMTP  clients  that
-              implement  an  obsolete version of the AUTH command
+              Enable  inter-operability  with  SMTP  clients that
+              implement an obsolete version of the  AUTH  command
               (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>).
 
        <b><a href="postconf.5.html#smtpd_sasl_auth_enable">smtpd_sasl_auth_enable</a> (no)</b>
-              Enable SASL  authentication  in  the  Postfix  SMTP
+              Enable  SASL  authentication  in  the  Postfix SMTP
               server.
 
        <b><a href="postconf.5.html#smtpd_sasl_local_domain">smtpd_sasl_local_domain</a> (empty)</b>
-              The  name  of  the Postfix SMTP server's local SASL
+              The name of the Postfix SMTP  server's  local  SASL
               authentication realm.
 
        <b><a href="postconf.5.html#smtpd_sasl_security_options">smtpd_sasl_security_options</a> (noanonymous)</b>
-              Postfix SMTP server SASL security  options;  as  of
-              Postfix  2.3 the list of available features depends
-              on the SASL server implementation that is  selected
+              Postfix  SMTP  server  SASL security options; as of
+              Postfix 2.3 the list of available features  depends
+              on  the SASL server implementation that is selected
               with <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b>.
 
        <b><a href="postconf.5.html#smtpd_sender_login_maps">smtpd_sender_login_maps</a> (empty)</b>
-              Optional  lookup  table  with  the SASL login names
+              Optional lookup table with  the  SASL  login  names
               that own sender (MAIL FROM) addresses.
 
        Available in Postfix version 2.1 and later:
 
        <b><a href="postconf.5.html#smtpd_sasl_exceptions_networks">smtpd_sasl_exceptions_networks</a> (empty)</b>
-              What remote SMTP clients the  Postfix  SMTP  server
+              What  remote  SMTP  clients the Postfix SMTP server
               will not offer AUTH support to.
 
        Available in Postfix version 2.1 and 2.2:
 
        <b>smtpd_sasl_application_name (smtpd)</b>
-              The  application  name that the Postfix SMTP server
+              The application name that the Postfix  SMTP  server
               uses for SASL server initialization.
 
        Available in Postfix version 2.3 and later:
 
        <b><a href="postconf.5.html#smtpd_sasl_authenticated_header">smtpd_sasl_authenticated_header</a> (no)</b>
-              Report the SASL  authenticated  user  name  in  the
+              Report  the  SASL  authenticated  user  name in the
               <a href="smtpd.8.html"><b>smtpd</b>(8)</a> Received message header.
 
        <b><a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a> (smtpd)</b>
-              Implementation-specific  information that the Post-
-              fix SMTP server passes through to the SASL  plug-in
-              implementation     that     is     selected    with
+              Implementation-specific information that the  Post-
+              fix  SMTP server passes through to the SASL plug-in
+              implementation    that     is     selected     with
               <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b>.
 
        <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a> (cyrus)</b>
-              The SASL plug-in type that the Postfix SMTP  server
+              The  SASL plug-in type that the Postfix SMTP server
               should use for authentication.
 
        Available in Postfix version 2.5 and later:
 
        <b><a href="postconf.5.html#cyrus_sasl_config_path">cyrus_sasl_config_path</a> (empty)</b>
-              Search  path  for Cyrus SASL application configura-
-              tion files,  currently  used  only  to  locate  the
+              Search path for Cyrus SASL  application  configura-
+              tion  files,  currently  used  only  to  locate the
               $<a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a>.conf file.
 
 <b>STARTTLS SUPPORT CONTROLS</b>
-       Detailed  information  about STARTTLS configuration may be
+       Detailed information about STARTTLS configuration  may  be
        found in the <a href="TLS_README.html">TLS_README</a> document.
 
        <b><a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> (empty)</b>
-              The SMTP TLS security level for  the  Postfix  SMTP
-              server;  when  a non-empty value is specified, this
+              The  SMTP  TLS  security level for the Postfix SMTP
+              server; when a non-empty value is  specified,  this
               overrides the obsolete parameters <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and
               <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>.
 
        <b><a href="postconf.5.html#smtpd_sasl_tls_security_options">smtpd_sasl_tls_security_options</a>         ($<a href="postconf.5.html#smtpd_sasl_security_options">smtpd_sasl_secu</a>-</b>
        <b><a href="postconf.5.html#smtpd_sasl_security_options">rity_options</a>)</b>
-              The  SASL  authentication security options that the
-              Postfix SMTP server uses  for  TLS  encrypted  SMTP
+              The SASL authentication security options  that  the
+              Postfix  SMTP  server  uses  for TLS encrypted SMTP
               sessions.
 
        <b><a href="postconf.5.html#smtpd_starttls_timeout">smtpd_starttls_timeout</a> (300s)</b>
-              The  time  limit  for Postfix SMTP server write and
-              read operations during  TLS  startup  and  shutdown
+              The time limit for Postfix SMTP  server  write  and
+              read  operations  during  TLS  startup and shutdown
               handshake procedures.
 
        <b><a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> (empty)</b>
-              The  file with the certificate of the certification
-              authority (CA) that issued the Postfix SMTP  server
+              The file with the certificate of the  certification
+              authority  (CA) that issued the Postfix SMTP server
               certificate.
 
        <b><a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> (empty)</b>
-              The  file with the certificate of the certification
-              authority (CA) that issued the Postfix SMTP  server
+              The file with the certificate of the  certification
+              authority  (CA) that issued the Postfix SMTP server
               certificate.
 
        <b><a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a> (yes)</b>
-              Force  the  Postfix SMTP server to issue a TLS ses-
-              sion id, even when TLS session  caching  is  turned
+              Force the Postfix SMTP server to issue a  TLS  ses-
+              sion  id,  even  when TLS session caching is turned
               off (<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> is empty).
 
        <b><a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> (no)</b>
-              Ask  a remote SMTP client for a client certificate.
+              Ask a remote SMTP client for a client  certificate.
 
        <b><a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> (no)</b>
               When TLS encryption is optional in the Postfix SMTP
-              server,  do not announce or accept SASL authentica-
+              server, do not announce or accept SASL  authentica-
               tion over unencrypted connections.
 
        <b><a href="postconf.5.html#smtpd_tls_ccert_verifydepth">smtpd_tls_ccert_verifydepth</a> (9)</b>
-              The verification depth for remote SMTP client  cer-
+              The  verification depth for remote SMTP client cer-
               tificates.
 
        <b><a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> (empty)</b>
-              File  with  the Postfix SMTP server RSA certificate
+              File with the Postfix SMTP server  RSA  certificate
               in PEM format.
 
        <b><a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> (empty)</b>
@@ -411,56 +417,56 @@ SMTPD(8)                                                              SMTPD(8)
               SMTP server cipher list at all TLS security levels.
 
        <b><a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a> (empty)</b>
-              File with the Postfix SMTP server  DSA  certificate
+              File  with  the Postfix SMTP server DSA certificate
               in PEM format.
 
        <b><a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a> (empty)</b>
-              File  with  DH  parameters  that  the  Postfix SMTP
+              File with  DH  parameters  that  the  Postfix  SMTP
               server should use with EDH ciphers.
 
        <b><a href="postconf.5.html#smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a> (empty)</b>
-              File with  DH  parameters  that  the  Postfix  SMTP
+              File  with  DH  parameters  that  the  Postfix SMTP
               server should use with EDH ciphers.
 
        <b><a href="postconf.5.html#smtpd_tls_dkey_file">smtpd_tls_dkey_file</a> ($<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>)</b>
-              File  with  the Postfix SMTP server DSA private key
+              File with the Postfix SMTP server DSA  private  key
               in PEM format.
 
        <b><a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> ($<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>)</b>
-              File with the Postfix SMTP server RSA  private  key
+              File  with  the Postfix SMTP server RSA private key
               in PEM format.
 
        <b><a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a> (0)</b>
-              Enable  additional  Postfix  SMTP server logging of
+              Enable additional Postfix SMTP  server  logging  of
               TLS activity.
 
        <b><a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> (medium)</b>
-              The minimum TLS cipher grade that the Postfix  SMTP
+              The  minimum TLS cipher grade that the Postfix SMTP
               server will use with mandatory TLS encryption.
 
        <b><a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> (empty)</b>
-              Additional  list  of  ciphers  or  cipher  types to
-              exclude from the SMTP server cipher list at  manda-
+              Additional list  of  ciphers  or  cipher  types  to
+              exclude  from the SMTP server cipher list at manda-
               tory TLS security levels.
 
        <b><a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
-              The  SSL/TLS protocols accepted by the Postfix SMTP
+              The SSL/TLS protocols accepted by the Postfix  SMTP
               server with mandatory TLS encryption.
 
        <b><a href="postconf.5.html#smtpd_tls_received_header">smtpd_tls_received_header</a> (no)</b>
               Request  that  the  Postfix  SMTP  server  produces
               Received:  message headers that include information
-              about the protocol and cipher used, as well as  the
-              client  CommonName  and  client  certificate issuer
+              about  the protocol and cipher used, as well as the
+              client CommonName  and  client  certificate  issuer
               CommonName.
 
        <b><a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a> (no)</b>
-              With mandatory TLS encryption,  require  a  trusted
-              remote  SMTP  client  certificate in order to allow
+              With  mandatory  TLS  encryption, require a trusted
+              remote SMTP client certificate in  order  to  allow
               TLS connections to proceed.
 
        <b><a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> (empty)</b>
-              Name of the file containing  the  optional  Postfix
+              Name  of  the  file containing the optional Postfix
               SMTP server TLS session cache.
 
        <b><a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a> (3600s)</b>
@@ -468,14 +474,14 @@ SMTPD(8)                                                              SMTPD(8)
               sion cache information.
 
        <b><a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a> (no)</b>
-              Run the Postfix SMTP  server  in  the  non-standard
-              "wrapper"  mode, instead of using the STARTTLS com-
+              Run  the  Postfix  SMTP  server in the non-standard
+              "wrapper" mode, instead of using the STARTTLS  com-
               mand.
 
        <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
-              The number of pseudo-random bytes that  an  <a href="smtp.8.html"><b>smtp</b>(8)</a>
-              or  <a href="smtpd.8.html"><b>smtpd</b>(8)</a>  process  requests  from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
-              server in order to seed its internal pseudo  random
+              The  number  of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
+              or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process  requests  from  the  <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
+              server  in order to seed its internal pseudo random
               number generator (PRNG).
 
        <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b>
@@ -487,7 +493,7 @@ SMTPD(8)                                                              SMTPD(8)
               ciphers.
 
        <b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (ALL:!EXPORT:+RC4:@STRENGTH)</b>
-              The OpenSSL cipherlist for "LOW"  or  higher  grade
+              The  OpenSSL  cipherlist  for "LOW" or higher grade
               ciphers.
 
        <b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b>
@@ -495,26 +501,26 @@ SMTPD(8)                                                              SMTPD(8)
               ciphers.
 
        <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
-              The OpenSSL cipherlist  for  "NULL"  grade  ciphers
+              The  OpenSSL  cipherlist  for  "NULL" grade ciphers
               that provide authentication without encryption.
 
        Available in Postfix version 2.5 and later:
 
        <b><a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> (md5)</b>
-              The  message  digest  algorithm  used  to construct
+              The message  digest  algorithm  used  to  construct
               client-certificate         fingerprints         for
               <b><a href="postconf.5.html#check_ccert_access">check_ccert_access</a></b> and <b><a href="postconf.5.html#permit_tls_clientcerts">permit_tls_clientcerts</a></b>.
 
        Available in Postfix version 2.6 and later:
 
        <b><a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> (empty)</b>
-              List  of TLS protocols that the Postfix SMTP server
-              will exclude  or  include  with  opportunistic  TLS
+              List of TLS protocols that the Postfix SMTP  server
+              will  exclude  or  include  with  opportunistic TLS
               encryption.
 
        <b><a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a> (export)</b>
-              The  minimum TLS cipher grade that the Postfix SMTP
-              server will use with opportunistic TLS  encryption.
+              The minimum TLS cipher grade that the Postfix  SMTP
+              server  will use with opportunistic TLS encryption.
 
        <b><a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a> (empty)</b>
               File with the Postfix SMTP server ECDSA certificate
@@ -525,7 +531,7 @@ SMTPD(8)                                                              SMTPD(8)
               in PEM format.
 
        <b><a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> (see 'postconf -d' output)</b>
-              The   Postfix   SMTP   server  security  grade  for
+              The  Postfix  SMTP  server   security   grade   for
               ephemeral elliptic-curve Diffie-Hellman (EECDH) key
               exchange.
 
@@ -538,18 +544,18 @@ SMTPD(8)                                                              SMTPD(8)
               imally strong ephemeral ECDH key exchange.
 
 <b>OBSOLETE STARTTLS CONTROLS</b>
-       The  following configuration parameters exist for compati-
+       The following configuration parameters exist for  compati-
        bility with Postfix versions before 2.3. Support for these
        will be removed in a future release.
 
        <b><a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> (no)</b>
-              Opportunistic  TLS:  announce  STARTTLS  support to
-              SMTP clients, but do not require that  clients  use
+              Opportunistic TLS:  announce  STARTTLS  support  to
+              SMTP  clients,  but do not require that clients use
               TLS encryption.
 
        <b><a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> (no)</b>
-              Mandatory  TLS:  announce  STARTTLS support to SMTP
-              clients, and require that clients use  TLS  encryp-
+              Mandatory TLS: announce STARTTLS  support  to  SMTP
+              clients,  and  require that clients use TLS encryp-
               tion.
 
        <b><a href="postconf.5.html#smtpd_tls_cipherlist">smtpd_tls_cipherlist</a> (empty)</b>
@@ -557,64 +563,64 @@ SMTPD(8)                                                              SMTPD(8)
               server TLS cipher list.
 
 <b>VERP SUPPORT CONTROLS</b>
-       With VERP style delivery,  each  recipient  of  a  message
+       With  VERP  style  delivery,  each  recipient of a message
        receives a customized copy of the message with his/her own
-       recipient address encoded in the envelope sender  address.
+       recipient  address encoded in the envelope sender address.
        The <a href="VERP_README.html">VERP_README</a> file describes configuration and operation
-       details of Postfix support for  variable  envelope  return
+       details  of  Postfix  support for variable envelope return
        path addresses.  VERP style delivery is requested with the
-       SMTP XVERP command or with the "sendmail -V"  command-line
-       option  and is available in Postfix version 1.1 and later.
+       SMTP  XVERP command or with the "sendmail -V" command-line
+       option and is available in Postfix version 1.1 and  later.
 
        <b><a href="postconf.5.html#default_verp_delimiters">default_verp_delimiters</a> (+=)</b>
               The two default VERP delimiter characters.
 
        <b><a href="postconf.5.html#verp_delimiter_filter">verp_delimiter_filter</a> (-=+)</b>
-              The characters Postfix accepts  as  VERP  delimiter
-              characters  on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line
+              The  characters  Postfix  accepts as VERP delimiter
+              characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command  line
               and in SMTP commands.
 
        Available in Postfix version 1.1 and 2.0:
 
        <b><a href="postconf.5.html#authorized_verp_clients">authorized_verp_clients</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
-              What SMTP clients are allowed to specify the  XVERP
+              What  SMTP clients are allowed to specify the XVERP
               command.
 
        Available in Postfix version 2.1 and later:
 
        <b><a href="postconf.5.html#smtpd_authorized_verp_clients">smtpd_authorized_verp_clients</a> ($<a href="postconf.5.html#authorized_verp_clients">authorized_verp_clients</a>)</b>
-              What  SMTP clients are allowed to specify the XVERP
+              What SMTP clients are allowed to specify the  XVERP
               command.
 
 <b>TROUBLE SHOOTING CONTROLS</b>
-       The <a href="DEBUG_README.html">DEBUG_README</a> document describes how to debug parts  of
-       the  Postfix mail system. The methods vary from making the
-       software log a lot of detail, to running some daemon  pro-
+       The  <a href="DEBUG_README.html">DEBUG_README</a> document describes how to debug parts of
+       the Postfix mail system. The methods vary from making  the
+       software  log a lot of detail, to running some daemon pro-
        cesses under control of a call tracer or debugger.
 
        <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
-              The  increment  in  verbose  logging  level  when a
-              remote client or server matches a  pattern  in  the
+              The increment  in  verbose  logging  level  when  a
+              remote  client  or  server matches a pattern in the
               <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
 
        <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
-              Optional  list  of remote client or server hostname
-              or network address patterns that cause the  verbose
-              logging  level  to increase by the amount specified
+              Optional list of remote client or  server  hostname
+              or  network address patterns that cause the verbose
+              logging level to increase by the  amount  specified
               in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
 
        <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
-              The recipient  of  postmaster  notifications  about
-              mail  delivery  problems that are caused by policy,
+              The  recipient  of  postmaster  notifications about
+              mail delivery problems that are caused  by  policy,
               resource, software or protocol errors.
 
        <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
-              What categories of Postfix-generated mail are  sub-
-              ject   to   before-queue   content   inspection  by
+              What  categories of Postfix-generated mail are sub-
+              ject  to   before-queue   content   inspection   by
               <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
 
        <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
-              The list of error classes that are reported to  the
+              The  list of error classes that are reported to the
               postmaster.
 
        <b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b>
@@ -624,22 +630,22 @@ SMTPD(8)                                                              SMTPD(8)
        Available in Postfix version 2.1 and later:
 
        <b><a href="postconf.5.html#smtpd_authorized_xclient_hosts">smtpd_authorized_xclient_hosts</a> (empty)</b>
-              What SMTP clients are allowed to  use  the  XCLIENT
+              What  SMTP  clients  are allowed to use the XCLIENT
               feature.
 
 <b>KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS</b>
-       As  of  Postfix  version 2.0, the SMTP server rejects mail
-       for unknown recipients. This prevents the mail queue  from
-       clogging  up  with  undeliverable  MAILER-DAEMON messages.
-       Additional  information  on   this   topic   is   in   the
+       As of Postfix version 2.0, the SMTP  server  rejects  mail
+       for  unknown recipients. This prevents the mail queue from
+       clogging up  with  undeliverable  MAILER-DAEMON  messages.
+       Additional   information   on   this   topic   is  in  the
        <a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a> and <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a> documents.
 
        <b><a href="postconf.5.html#show_user_unknown_table_name">show_user_unknown_table_name</a> (yes)</b>
-              Display the name of  the  recipient  table  in  the
+              Display  the  name  of  the  recipient table in the
               "User unknown" responses.
 
        <b><a href="postconf.5.html#canonical_maps">canonical_maps</a> (empty)</b>
-              Optional  address mapping lookup tables for message
+              Optional address mapping lookup tables for  message
               headers and envelopes.
 
        <b><a href="postconf.5.html#recipient_canonical_maps">recipient_canonical_maps</a> (empty)</b>
@@ -650,7 +656,7 @@ SMTPD(8)                                                              SMTPD(8)
 
        <b><a href="postconf.5.html#mydestination">mydestination</a>  ($<a href="postconf.5.html#myhostname">myhostname</a>,  localhost.$<a href="postconf.5.html#mydomain">mydomain</a>,  local-</b>
        <b>host)</b>
-              The  list  of  domains  that  are delivered via the
+              The list of domains  that  are  delivered  via  the
               $<a href="postconf.5.html#local_transport">local_transport</a> mail delivery transport.
 
        <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
@@ -659,146 +665,146 @@ SMTPD(8)                                                              SMTPD(8)
 
        <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
               The network interface addresses that this mail sys-
-              tem receives mail on by way of a proxy  or  network
+              tem  receives  mail on by way of a proxy or network
               address translation unit.
 
        <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
-              The  Internet protocols Postfix will attempt to use
+              The Internet protocols Postfix will attempt to  use
               when making or accepting connections.
 
        <b><a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>             (<a href="proxymap.8.html">proxy</a>:unix:passwd.byname</b>
        <b>$<a href="postconf.5.html#alias_maps">alias_maps</a>)</b>
-              Lookup tables with all names or addresses of  local
-              recipients:  a  recipient address is local when its
-              domain matches $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>  or
+              Lookup  tables with all names or addresses of local
+              recipients: a recipient address is local  when  its
+              domain  matches $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or
               $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>.
 
        <b><a href="postconf.5.html#unknown_local_recipient_reject_code">unknown_local_recipient_reject_code</a> (550)</b>
-              The  numerical  Postfix  SMTP  server response code
-              when   a   recipient   address   is   local,    and
-              $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>  specifies  a  list of lookup
+              The numerical Postfix  SMTP  server  response  code
+              when    a   recipient   address   is   local,   and
+              $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> specifies a  list  of  lookup
               tables that does not match the recipient.
 
-       Parameters concerning known/unknown  recipients  of  relay
+       Parameters  concerning  known/unknown  recipients of relay
        destinations:
 
        <b><a href="postconf.5.html#relay_domains">relay_domains</a> ($<a href="postconf.5.html#mydestination">mydestination</a>)</b>
-              What  destination  domains (and subdomains thereof)
+              What destination domains (and  subdomains  thereof)
               this system will relay mail to.
 
        <b><a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> (empty)</b>
-              Optional lookup tables with all valid addresses  in
+              Optional  lookup tables with all valid addresses in
               the domains that match $<a href="postconf.5.html#relay_domains">relay_domains</a>.
 
        <b><a href="postconf.5.html#unknown_relay_recipient_reject_code">unknown_relay_recipient_reject_code</a> (550)</b>
               The numerical Postfix SMTP server reply code when a
-              recipient  address  matches   $<a href="postconf.5.html#relay_domains">relay_domains</a>,   and
-              <a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a>  specifies  a  list  of lookup
+              recipient   address   matches  $<a href="postconf.5.html#relay_domains">relay_domains</a>,  and
+              <a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> specifies  a  list  of  lookup
               tables that does not match the recipient address.
 
-       Parameters concerning known/unknown recipients in  virtual
+       Parameters  concerning known/unknown recipients in virtual
        alias domains:
 
        <b><a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a> ($<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>)</b>
               Postfix is final destination for the specified list
-              of virtual alias  domains,  that  is,  domains  for
-              which  all  addresses  are  aliased to addresses in
+              of  virtual  alias  domains,  that  is, domains for
+              which all addresses are  aliased  to  addresses  in
               other local or remote domains.
 
        <b><a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> ($<a href="postconf.5.html#virtual_maps">virtual_maps</a>)</b>
-              Optional lookup tables  that  alias  specific  mail
-              addresses  or  domains  to  other  local  or remote
+              Optional  lookup  tables  that  alias specific mail
+              addresses or  domains  to  other  local  or  remote
               address.
 
        <b><a href="postconf.5.html#unknown_virtual_alias_reject_code">unknown_virtual_alias_reject_code</a> (550)</b>
               The SMTP server reply code when a recipient address
-              matches     $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>,    and    $<a href="postconf.5.html#virtual_alias_maps">vir</a>-
-              <a href="postconf.5.html#virtual_alias_maps">tual_alias_maps</a> specifies a list of  lookup  tables
+              matches    $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>,    and     $<a href="postconf.5.html#virtual_alias_maps">vir</a>-
+              <a href="postconf.5.html#virtual_alias_maps">tual_alias_maps</a>  specifies  a list of lookup tables
               that does not match the recipient address.
 
-       Parameters  concerning known/unknown recipients in virtual
+       Parameters concerning known/unknown recipients in  virtual
        mailbox domains:
 
        <b><a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> ($<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>)</b>
               Postfix is final destination for the specified list
-              of   domains;  mail  is  delivered  via  the  $<a href="postconf.5.html#virtual_transport">vir</a>-
+              of  domains;  mail  is  delivered  via  the   $<a href="postconf.5.html#virtual_transport">vir</a>-
               <a href="postconf.5.html#virtual_transport">tual_transport</a> mail delivery transport.
 
        <b><a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> (empty)</b>
-              Optional lookup tables with all valid addresses  in
+              Optional  lookup tables with all valid addresses in
               the domains that match $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>.
 
        <b><a href="postconf.5.html#unknown_virtual_mailbox_reject_code">unknown_virtual_mailbox_reject_code</a> (550)</b>
               The SMTP server reply code when a recipient address
-              matches   $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>,    and    $<a href="postconf.5.html#virtual_mailbox_maps">vir</a>-
+              matches    $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>,    and   $<a href="postconf.5.html#virtual_mailbox_maps">vir</a>-
               <a href="postconf.5.html#virtual_mailbox_maps">tual_mailbox_maps</a> specifies a list of lookup tables
               that does not match the recipient address.
 
 <b>RESOURCE AND RATE CONTROLS</b>
-       The following parameters limit resource usage by the  SMTP
+       The  following parameters limit resource usage by the SMTP
        server and/or control client request rates.
 
        <b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b>
-              Upon  input,  long lines are chopped up into pieces
-              of at most this length; upon delivery,  long  lines
+              Upon input, long lines are chopped up  into  pieces
+              of  at  most this length; upon delivery, long lines
               are reconstructed.
 
        <b><a href="postconf.5.html#queue_minfree">queue_minfree</a> (0)</b>
-              The  minimal  amount  of free space in bytes in the
+              The minimal amount of free space in  bytes  in  the
               queue file system that is needed to receive mail.
 
        <b><a href="postconf.5.html#message_size_limit">message_size_limit</a> (10240000)</b>
-              The maximal size in bytes of a  message,  including
+              The  maximal  size in bytes of a message, including
               envelope information.
 
        <b><a href="postconf.5.html#smtpd_recipient_limit">smtpd_recipient_limit</a> (1000)</b>
-              The  maximal  number of recipients that the Postfix
+              The maximal number of recipients that  the  Postfix
               SMTP server accepts per message delivery request.
 
        <b><a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> (300s)</b>
-              The time limit for sending a  Postfix  SMTP  server
-              response  and  for  receiving  a remote SMTP client
+              The  time  limit  for sending a Postfix SMTP server
+              response and for receiving  a  remote  SMTP  client
               request.
 
        <b><a href="postconf.5.html#smtpd_history_flush_threshold">smtpd_history_flush_threshold</a> (100)</b>
-              The maximal number of lines  in  the  Postfix  SMTP
-              server  command  history  before it is flushed upon
+              The  maximal  number  of  lines in the Postfix SMTP
+              server command history before it  is  flushed  upon
               receipt of EHLO, RSET, or end of DATA.
 
        Available in Postfix version 2.3 and later:
 
        <b><a href="postconf.5.html#smtpd_peername_lookup">smtpd_peername_lookup</a> (yes)</b>
               Attempt to look up the remote SMTP client hostname,
-              and  verify  that  the  name  matches the client IP
+              and verify that the  name  matches  the  client  IP
               address.
 
        The per SMTP client connection count and request rate lim-
        its are implemented in co-operation with the <a href="anvil.8.html"><b>anvil</b>(8)</a> ser-
-       vice, and are available in Postfix version 2.2 and  later.
+       vice,  and are available in Postfix version 2.2 and later.
 
        <b><a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a> (50)</b>
-              How  many  simultaneous  connections  any client is
+              How many simultaneous  connections  any  client  is
               allowed to make to this service.
 
        <b><a href="postconf.5.html#smtpd_client_connection_rate_limit">smtpd_client_connection_rate_limit</a> (0)</b>
               The  maximal  number  of  connection  attempts  any
-              client  is allowed to make to this service per time
+              client is allowed to make to this service per  time
               unit.
 
        <b><a href="postconf.5.html#smtpd_client_message_rate_limit">smtpd_client_message_rate_limit</a> (0)</b>
-              The maximal number  of  message  delivery  requests
-              that  any client is allowed to make to this service
+              The  maximal  number  of  message delivery requests
+              that any client is allowed to make to this  service
               per time unit, regardless of whether or not Postfix
               actually accepts those messages.
 
        <b><a href="postconf.5.html#smtpd_client_recipient_rate_limit">smtpd_client_recipient_rate_limit</a> (0)</b>
-              The  maximal number of recipient addresses that any
-              client is allowed to send to this service per  time
+              The maximal number of recipient addresses that  any
+              client  is allowed to send to this service per time
               unit, regardless of whether or not Postfix actually
               accepts those recipients.
 
        <b><a href="postconf.5.html#smtpd_client_event_limit_exceptions">smtpd_client_event_limit_exceptions</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
-              Clients that are excluded  from  connection  count,
+              Clients  that  are  excluded from connection count,
               connection rate, or SMTP request rate restrictions.
 
        Available in Postfix version 2.3 and later:
@@ -809,52 +815,52 @@ SMTPD(8)                                                              SMTPD(8)
               tiate with this service per time unit.
 
 <b>TARPIT CONTROLS</b>
-       When a remote SMTP client makes errors, the  Postfix  SMTP
-       server  can insert delays before responding. This can help
-       to slow down run-away  software.   The  behavior  is  con-
-       trolled  by  an  error  counter  that counts the number of
-       errors within an SMTP session that a client makes  without
+       When  a  remote SMTP client makes errors, the Postfix SMTP
+       server can insert delays before responding. This can  help
+       to  slow  down  run-away  software.   The behavior is con-
+       trolled by an error counter  that  counts  the  number  of
+       errors  within an SMTP session that a client makes without
        delivering mail.
 
        <b><a href="postconf.5.html#smtpd_error_sleep_time">smtpd_error_sleep_time</a> (1s)</b>
               With Postfix version 2.1 and later: the SMTP server
-              response delay after a client has  made  more  than
-              $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a>   errors,  and  fewer  than
-              $<a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> errors, without  delivering
+              response  delay  after  a client has made more than
+              $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a>  errors,  and  fewer   than
+              $<a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a>  errors, without delivering
               mail.
 
        <b><a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> (10)</b>
-              The  number  of  errors  a  remote  SMTP  client is
-              allowed to make without delivering mail before  the
+              The number  of  errors  a  remote  SMTP  client  is
+              allowed  to make without delivering mail before the
               Postfix SMTP server slows down all its responses.
 
        <b><a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> (20)</b>
-              The  maximal  number of errors a remote SMTP client
+              The maximal number of errors a remote  SMTP  client
               is allowed to make without delivering mail.
 
        <b><a href="postconf.5.html#smtpd_junk_command_limit">smtpd_junk_command_limit</a> (100)</b>
-              The number of junk commands (NOOP,  VRFY,  ETRN  or
+              The  number  of  junk commands (NOOP, VRFY, ETRN or
               RSET) that a remote SMTP client can send before the
-              Postfix SMTP server starts to increment  the  error
+              Postfix  SMTP  server starts to increment the error
               counter with each junk command.
 
        Available in Postfix version 2.1 and later:
 
        <b><a href="postconf.5.html#smtpd_recipient_overshoot_limit">smtpd_recipient_overshoot_limit</a> (1000)</b>
-              The  number of recipients that a remote SMTP client
-              can send in excess  of  the  limit  specified  with
+              The number of recipients that a remote SMTP  client
+              can  send  in  excess  of  the limit specified with
               $<a href="postconf.5.html#smtpd_recipient_limit">smtpd_recipient_limit</a>,  before  the  Postfix  SMTP
-              server increments the per-session error  count  for
+              server  increments  the per-session error count for
               each excess recipient.
 
 <b>ACCESS POLICY DELEGATION CONTROLS</b>
-       As  of  version 2.1, Postfix can be configured to delegate
-       access policy decisions to an external  server  that  runs
-       outside  Postfix.   See  the  file <a href="SMTPD_POLICY_README.html">SMTPD_POLICY_README</a> for
+       As of version 2.1, Postfix can be configured  to  delegate
+       access  policy  decisions  to an external server that runs
+       outside Postfix.  See  the  file  <a href="SMTPD_POLICY_README.html">SMTPD_POLICY_README</a>  for
        more information.
 
        <b><a href="postconf.5.html#smtpd_policy_service_max_idle">smtpd_policy_service_max_idle</a> (300s)</b>
-              The time after which an idle SMTPD  policy  service
+              The  time  after which an idle SMTPD policy service
               connection is closed.
 
        <b><a href="postconf.5.html#smtpd_policy_service_max_ttl">smtpd_policy_service_max_ttl</a> (1000s)</b>
@@ -862,170 +868,169 @@ SMTPD(8)                                                              SMTPD(8)
               connection is closed.
 
        <b><a href="postconf.5.html#smtpd_policy_service_timeout">smtpd_policy_service_timeout</a> (100s)</b>
-              The time limit for connecting  to,  writing  to  or
+              The  time  limit  for  connecting to, writing to or
               receiving from a delegated SMTPD policy server.
 
 <b>ACCESS CONTROLS</b>
-       The  <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a> document gives an introduction to
+       The <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a> document gives an introduction  to
        all the SMTP server access control features.
 
        <b><a href="postconf.5.html#smtpd_delay_reject">smtpd_delay_reject</a> (yes)</b>
-              Wait until the RCPT TO  command  before  evaluating
+              Wait  until  the  RCPT TO command before evaluating
               $<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a>,    $smtpd_helo_restric-
               tions and $<a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a>, or wait until
-              the      ETRN     command     before     evaluating
+              the     ETRN     command     before      evaluating
               $<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> and $smtpd_helo_restric-
               tions.
 
-       <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a>  (see  'postconf -d' out-</b>
+       <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> (see 'postconf  -d'  out-</b>
        <b>put)</b>
               What   Postfix   features   match   subdomains   of
               "domain.tld" automatically, instead of requiring an
               explicit ".domain.tld" pattern.
 
        <b><a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> (empty)</b>
-              Optional  SMTP  server  access  restrictions in the
+              Optional SMTP server  access  restrictions  in  the
               context of a client SMTP connection request.
 
        <b><a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> (no)</b>
               Require that a remote SMTP client introduces itself
-              at  the  beginning of an SMTP session with the HELO
+              at the beginning of an SMTP session with  the  HELO
               or EHLO command.
 
        <b><a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a> (empty)</b>
-              Optional restrictions that the Postfix SMTP  server
+              Optional  restrictions that the Postfix SMTP server
               applies in the context of the SMTP HELO command.
 
        <b><a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a> (empty)</b>
-              Optional  restrictions that the Postfix SMTP server
+              Optional restrictions that the Postfix SMTP  server
               applies in the context of the MAIL FROM command.
 
        <b><a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>           (<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,</b>
        <b><a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>)</b>
               The  access  restrictions  that  the  Postfix  SMTP
-              server  applies  in the context of the RCPT TO com-
+              server applies in the context of the RCPT  TO  com-
               mand.
 
        <b><a href="postconf.5.html#smtpd_etrn_restrictions">smtpd_etrn_restrictions</a> (empty)</b>
-              Optional SMTP server  access  restrictions  in  the
+              Optional  SMTP  server  access  restrictions in the
               context of a client ETRN request.
 
        <b><a href="postconf.5.html#allow_untrusted_routing">allow_untrusted_routing</a> (no)</b>
-              Forward    mail   with   sender-specified   routing
-              (user[@%!]remote[@%!]site) from  untrusted  clients
+              Forward   mail   with   sender-specified    routing
+              (user[@%!]remote[@%!]site)  from  untrusted clients
               to destinations matching $<a href="postconf.5.html#relay_domains">relay_domains</a>.
 
        <b><a href="postconf.5.html#smtpd_restriction_classes">smtpd_restriction_classes</a> (empty)</b>
-              User-defined  aliases for groups of access restric-
+              User-defined aliases for groups of access  restric-
               tions.
 
        <b><a href="postconf.5.html#smtpd_null_access_lookup_key">smtpd_null_access_lookup_key</a> (</b>&lt;&gt;<b>)</b>
-              The lookup key to be used in SMTP <a href="access.5.html"><b>access</b>(5)</a>  tables
+              The  lookup key to be used in SMTP <a href="access.5.html"><b>access</b>(5)</a> tables
               instead of the null sender address.
 
        <b><a href="postconf.5.html#permit_mx_backup_networks">permit_mx_backup_networks</a> (empty)</b>
               Restrict  the  use  of  the  <a href="postconf.5.html#permit_mx_backup">permit_mx_backup</a>  SMTP
-              access feature to only  domains  whose  primary  MX
+              access  feature  to  only  domains whose primary MX
               hosts match the listed networks.
 
        Available in Postfix version 2.0 and later:
 
        <b><a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a> (empty)</b>
-              Optional  access restrictions that the Postfix SMTP
+              Optional access restrictions that the Postfix  SMTP
               server applies in the context of the SMTP DATA com-
               mand.
 
        <b><a href="postconf.5.html#smtpd_expansion_filter">smtpd_expansion_filter</a> (see 'postconf -d' output)</b>
-              What  characters are allowed in $name expansions of
+              What characters are allowed in $name expansions  of
               RBL reply templates.
 
        Available in Postfix version 2.1 and later:
 
        <b><a href="postconf.5.html#smtpd_reject_unlisted_sender">smtpd_reject_unlisted_sender</a> (no)</b>
-              Request that the Postfix SMTP server  rejects  mail
-              from   unknown   sender  addresses,  even  when  no
-              explicit <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a> access  restriction
+              Request  that  the Postfix SMTP server rejects mail
+              from  unknown  sender  addresses,  even   when   no
+              explicit  <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a> access restriction
               is specified.
 
        <b><a href="postconf.5.html#smtpd_reject_unlisted_recipient">smtpd_reject_unlisted_recipient</a> (yes)</b>
-              Request  that  the Postfix SMTP server rejects mail
+              Request that the Postfix SMTP server  rejects  mail
               for  unknown  recipient  addresses,  even  when  no
-              explicit  <a href="postconf.5.html#reject_unlisted_recipient">reject_unlisted_recipient</a> access restric-
+              explicit <a href="postconf.5.html#reject_unlisted_recipient">reject_unlisted_recipient</a> access  restric-
               tion is specified.
 
        Available in Postfix version 2.2 and later:
 
        <b><a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a> (empty)</b>
-              Optional access restrictions that the Postfix  SMTP
-              server  applies  in the context of the SMTP END-OF-
+              Optional  access restrictions that the Postfix SMTP
+              server applies in the context of the  SMTP  END-OF-
               DATA command.
 
 <b>SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS</b>
-       Postfix  version  2.1  introduces  sender  and   recipient
-       address  verification.   This  feature  is  implemented by
-       sending probe email messages that are not actually  deliv-
-       ered.   This  feature  is requested via the <a href="postconf.5.html#reject_unverified_sender">reject_unveri</a>-
-       <a href="postconf.5.html#reject_unverified_sender">fied_sender</a>   and    <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a>    access
-       restrictions.   The status of verification probes is main-
+       Postfix   version  2.1  introduces  sender  and  recipient
+       address verification.   This  feature  is  implemented  by
+       sending  probe email messages that are not actually deliv-
+       ered.  This feature is requested  via  the  <a href="postconf.5.html#reject_unverified_sender">reject_unveri</a>-
+       <a href="postconf.5.html#reject_unverified_sender">fied_sender</a>    and    <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a>   access
+       restrictions.  The status of verification probes is  main-
        tained by the <a href="verify.8.html"><b>verify</b>(8)</a> server.  See the file <a href="ADDRESS_VERIFICATION_README.html">ADDRESS_VER</a>-
-       <a href="ADDRESS_VERIFICATION_README.html">IFICATION_README</a>  for  information  about how to configure
+       <a href="ADDRESS_VERIFICATION_README.html">IFICATION_README</a> for information about  how  to  configure
        and operate the Postfix sender/recipient address verifica-
        tion service.
 
        <b><a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> (3)</b>
-              How  many  times to query the <a href="verify.8.html"><b>verify</b>(8)</a> service for
-              the completion of an address  verification  request
+              How many times to query the <a href="verify.8.html"><b>verify</b>(8)</a>  service  for
+              the  completion  of an address verification request
               in progress.
 
        <b><a href="postconf.5.html#address_verify_poll_delay">address_verify_poll_delay</a> (3s)</b>
-              The  delay between queries for the completion of an
+              The delay between queries for the completion of  an
               address verification request in progress.
 
        <b><a href="postconf.5.html#address_verify_sender">address_verify_sender</a> ($<a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a>)</b>
-              The sender address to use in  address  verification
+              The  sender  address to use in address verification
               probes; prior to Postfix 2.5 the default was "post-
               master".
 
        <b><a href="postconf.5.html#unverified_sender_reject_code">unverified_sender_reject_code</a> (450)</b>
-              The numerical Postfix  SMTP  server  response  code
-              when   a  recipient  address  is  rejected  by  the
+              The  numerical  Postfix  SMTP  server response code
+              when  a  recipient  address  is  rejected  by   the
               <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a> restriction.
 
        <b><a href="postconf.5.html#unverified_recipient_reject_code">unverified_recipient_reject_code</a> (450)</b>
-              The numerical Postfix SMTP server response  when  a
+              The  numerical  Postfix SMTP server response when a
               recipient address is rejected by the <a href="postconf.5.html#reject_unverified_recipient">reject_unveri</a>-
               <a href="postconf.5.html#reject_unverified_recipient">fied_recipient</a> restriction.
 
        Available in Postfix version 2.6 and later:
 
        <b><a href="postconf.5.html#unverified_sender_defer_code">unverified_sender_defer_code</a> (450)</b>
-              The numerical Postfix  SMTP  server  response  code
-              when  a  sender address probe fails due to a tempo-
+              The  numerical  Postfix  SMTP  server response code
+              when a sender address probe fails due to  a  tempo-
               rary error condition.
 
        <b><a href="postconf.5.html#unverified_recipient_defer_code">unverified_recipient_defer_code</a> (450)</b>
-              The numerical Postfix SMTP server response  when  a
-              recipient  address  probe  fails due to a temporary
+              The  numerical  Postfix SMTP server response when a
+              recipient address probe fails due  to  a  temporary
               error condition.
 
        <b><a href="postconf.5.html#unverified_sender_reject_reason">unverified_sender_reject_reason</a> (empty)</b>
-              When rejecting mail with  <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a>,
-              reply  with  this  text  as  the reason, instead of
+              When  rejecting mail with <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a>,
+              reply with this text  as  the  reason,  instead  of
               actual address verification details.
 
        <b><a href="postconf.5.html#unverified_recipient_reject_reason">unverified_recipient_reject_reason</a> (empty)</b>
-              When rejecting mail with  reject_unverified_recipi-
+              When  rejecting mail with reject_unverified_recipi-
               ent, reply with this text as the reason, instead of
               actual address verification details.
 
 <b>ACCESS CONTROL RESPONSES</b>
-       The following  parameters  control  numerical  SMTP  reply
+       The  following  parameters  control  numerical  SMTP reply
        codes and/or text responses.
 
        <b><a href="postconf.5.html#access_map_reject_code">access_map_reject_code</a> (554)</b>
-              The  numerical  Postfix  SMTP  server response code
-              when a client  is  rejected  by  an  <a href="access.5.html"><b>access</b>(5)</a>  map
-              restriction.
+              The numerical Postfix SMTP server response code for
+              an <a href="access.5.html"><b>access</b>(5)</a> map "reject" action.
 
        <b><a href="postconf.5.html#defer_code">defer_code</a> (450)</b>
               The  numerical  Postfix  SMTP  server response code
@@ -1100,6 +1105,13 @@ SMTPD(8)                                                              SMTPD(8)
        <b><a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> (empty)</b>
               Optional lookup tables with RBL response templates.
 
+       Available in Postfix version 2.6 and later:
+
+       <b><a href="postconf.5.html#access_map_defer_code">access_map_defer_code</a> (450)</b>
+              The numerical Postfix SMTP server response code for
+              an   <a href="access.5.html"><b>access</b>(5)</a>   map   "defer"   action,  including
+              "<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>" or "<a href="postconf.5.html#defer_if_reject">defer_if_reject</a>".
+
 <b>MISCELLANEOUS CONTROLS</b>
        <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
               The default location of  the  Postfix  <a href="postconf.5.html">main.cf</a>  and
diff --git a/postfix/html/transport.5.html b/postfix/html/transport.5.html
index 35abc32c5..749c6c1db 100644
--- a/postfix/html/transport.5.html
+++ b/postfix/html/transport.5.html
@@ -127,83 +127,85 @@ TRANSPORT(5)                                                      TRANSPORT(5)
               ting.   Otherwise, a domain name matches itself and
               its subdomains.
 
-       Note 1: the special pattern <b>*</b> represents any address (i.e.
-       it functions as the wild-card pattern).
+       <b>*</b> <i>transport</i>:<i>nexthop</i>
+              The special pattern <b>*</b> represents any address  (i.e.
+              it  functions  as  the  wild-card  pattern,  and is
+              unique to Postfix transport tables).
 
-       Note  2:  the  null  recipient  address  is  looked  up as
+       Note 1:  the  null  recipient  address  is  looked  up  as
        <b>$<a href="postconf.5.html#empty_address_recipient">empty_address_recipient</a></b>@<b>$<a href="postconf.5.html#myhostname">myhostname</a></b> (default: mailer-dae-
        mon@hostname).
 
-       Note  3:  <i>user@domain</i>  or  <i>user+extension@domain</i> lookup is
+       Note 2: <i>user@domain</i>  or  <i>user+extension@domain</i>  lookup  is
        available in Postfix 2.0 and later.
 
 <b>RESULT FORMAT</b>
-       The lookup result is of the form  <i>transport</i><b>:</b><i>nexthop</i>.   The
-       <i>transport</i>  field  specifies a mail delivery transport such
-       as <b>smtp</b> or <b>local</b>. The <i>nexthop</i> field  specifies  where  and
+       The  lookup  result is of the form <i>transport</i><b>:</b><i>nexthop</i>.  The
+       <i>transport</i> field specifies a mail delivery  transport  such
+       as  <b>smtp</b>  or  <b>local</b>. The <i>nexthop</i> field specifies where and
        how to deliver mail.
 
-       The  transport field specifies the name of a mail delivery
+       The transport field specifies the name of a mail  delivery
        transport (the first name of a mail delivery service entry
        in the Postfix <a href="master.5.html"><b>master.cf</b></a> file).
 
-       The  interpretation  of  the  nexthop  field  is transport
-       dependent. In the case of SMTP, specify  a  service  on  a
-       non-default  port  as  <i>host</i>:<i>service</i>,  and disable MX (mail
-       exchanger) DNS lookups with [<i>host</i>] or [<i>host</i>]:<i>port</i>. The  []
+       The interpretation  of  the  nexthop  field  is  transport
+       dependent.  In  the  case  of SMTP, specify a service on a
+       non-default port as <i>host</i>:<i>service</i>,  and  disable  MX  (mail
+       exchanger)  DNS lookups with [<i>host</i>] or [<i>host</i>]:<i>port</i>. The []
        form is required when you specify an IP address instead of
        a hostname.
 
-       A null <i>transport</i> and null <i>nexthop</i>  result  means  "do  not
-       change":  use  the delivery transport and nexthop informa-
-       tion that would be used when the  entire  transport  table
+       A  null  <i>transport</i>  and  null <i>nexthop</i> result means "do not
+       change": use the delivery transport and  nexthop  informa-
+       tion  that  would  be used when the entire transport table
        did not exist.
 
-       A  non-null  <i>transport</i>  field  with  a  null <i>nexthop</i> field
+       A non-null <i>transport</i>  field  with  a  null  <i>nexthop</i>  field
        resets the nexthop information to the recipient domain.
 
-       A null <i>transport</i> field with non-null  <i>nexthop</i>  field  does
+       A  null  <i>transport</i>  field with non-null <i>nexthop</i> field does
        not modify the transport information.
 
 <b>EXAMPLES</b>
-       In  order to deliver internal mail directly, while using a
-       mail relay for all other mail, specify a  null  entry  for
-       internal  destinations  (do not change the delivery trans-
-       port or the nexthop information) and  specify  a  wildcard
+       In order to deliver internal mail directly, while using  a
+       mail  relay  for  all other mail, specify a null entry for
+       internal destinations (do not change the  delivery  trans-
+       port  or  the  nexthop information) and specify a wildcard
        for all other destinations.
 
             <b>my.domain    :</b>
             <b>.my.domain   :</b>
             <b>*            <a href="smtp.8.html">smtp</a>:outbound-relay.my.domain</b>
 
-       In  order  to send mail for <b>example.com</b> and its subdomains
+       In order to send mail for <b>example.com</b> and  its  subdomains
        via the <b>uucp</b> transport to the UUCP host named <b>example</b>:
 
             <b>example.com      uucp:example</b>
             <b>.example.com     uucp:example</b>
 
-       When no nexthop host name is  specified,  the  destination
-       domain  name  is  used instead. For example, the following
-       directs mail for <i>user</i>@<b>example.com</b> via the  <b>slow</b>  transport
-       to  a  mail exchanger for <b>example.com</b>.  The <b>slow</b> transport
+       When  no  nexthop  host name is specified, the destination
+       domain name is used instead. For  example,  the  following
+       directs  mail  for <i>user</i>@<b>example.com</b> via the <b>slow</b> transport
+       to a mail exchanger for <b>example.com</b>.  The  <b>slow</b>  transport
        could be configured to run at most one delivery process at
        a time:
 
             <b>example.com      slow:</b>
 
        When no transport is specified, Postfix uses the transport
-       that matches the address  domain  class  (see  DESCRIPTION
-       above).   The following sends all mail for <b>example.com</b> and
+       that  matches  the  address  domain class (see DESCRIPTION
+       above).  The following sends all mail for <b>example.com</b>  and
        its subdomains to host <b>gateway.example.com</b>:
 
             <b>example.com      :[gateway.example.com]</b>
             <b>.example.com     :[gateway.example.com]</b>
 
-       In the above example, the [] suppress  MX  lookups.   This
-       prevents  mail  routing loops when your machine is primary
+       In  the  above  example, the [] suppress MX lookups.  This
+       prevents mail routing loops when your machine  is  primary
        MX host for <b>example.com</b>.
 
-       In the case of delivery via SMTP, one  may  specify  <i>host-</i>
+       In  the  case  of delivery via SMTP, one may specify <i>host-</i>
        <i>name</i>:<i>service</i> instead of just a host:
 
             <b>example.com      <a href="smtp.8.html">smtp</a>:bar.example:2025</b>
@@ -217,55 +219,55 @@ TRANSPORT(5)                                                      TRANSPORT(5)
 
             <b>.example.com     <a href="error.8.html">error</a>:mail for *.example.com is not deliverable</b>
 
-       This causes all mail for <i>user</i>@<i>anything</i><b>.example.com</b>  to  be
+       This  causes  all mail for <i>user</i>@<i>anything</i><b>.example.com</b> to be
        bounced.
 
 <b>REGULAR EXPRESSION TABLES</b>
-       This  section  describes how the table lookups change when
+       This section describes how the table lookups  change  when
        the table is given in the form of regular expressions. For
-       a  description  of regular expression lookup table syntax,
+       a description of regular expression lookup  table  syntax,
        see <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a> or <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a>.
 
-       Each pattern is a regular expression that  is  applied  to
-       the    entire    address    being    looked    up.   Thus,
-       <i>some.domain.hierarchy</i> is not  looked  up  via  its  parent
-       domains,  nor is <i>user+foo@domain</i> looked up as <i>user@domain</i>.
+       Each  pattern  is  a regular expression that is applied to
+       the   entire    address    being    looked    up.    Thus,
+       <i>some.domain.hierarchy</i>  is  not  looked  up  via its parent
+       domains, nor is <i>user+foo@domain</i> looked up as  <i>user@domain</i>.
 
-       Patterns are applied in the order as specified in the  ta-
-       ble,  until  a  pattern  is  found that matches the search
+       Patterns  are applied in the order as specified in the ta-
+       ble, until a pattern is  found  that  matches  the  search
        string.
 
        The <a href="trivial-rewrite.8.html"><b>trivial-rewrite</b>(8)</a> server disallows regular expression
-       substitution  of  $1  etc.  in  regular  expression lookup
-       tables, because that could open a security  hole  (Postfix
+       substitution of  $1  etc.  in  regular  expression  lookup
+       tables,  because  that could open a security hole (Postfix
        version 2.3 and later).
 
 <b>TCP-BASED TABLES</b>
-       This  section  describes how the table lookups change when
+       This section describes how the table lookups  change  when
        lookups are directed to a TCP-based server. For a descrip-
        tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
        <a href="tcp_table.5.html"><b>ble</b>(5)</a>.  This feature is not available up to and including
        Postfix version 2.4.
 
-       Each  lookup  operation  uses the entire recipient address
-       once.  Thus, <i>some.domain.hierarchy</i> is not  looked  up  via
-       its  parent  domains,  nor is <i>user+foo@domain</i> looked up as
+       Each lookup operation uses the  entire  recipient  address
+       once.   Thus,  <i>some.domain.hierarchy</i>  is not looked up via
+       its parent domains, nor is <i>user+foo@domain</i>  looked  up  as
        <i>user@domain</i>.
 
        Results are the same as with indexed file lookups.
 
 <b>CONFIGURATION PARAMETERS</b>
-       The following <a href="postconf.5.html"><b>main.cf</b></a> parameters are especially  relevant.
-       The  text  below  provides  only  a parameter summary. See
+       The  following <a href="postconf.5.html"><b>main.cf</b></a> parameters are especially relevant.
+       The text below provides  only  a  parameter  summary.  See
        <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.
 
        <b><a href="postconf.5.html#empty_address_recipient">empty_address_recipient</a></b>
-              The address that is looked up instead of  the  null
+              The  address  that is looked up instead of the null
               sender address.
 
        <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a></b>
-              List  of  Postfix features that use <i>domain.tld</i> pat-
-              terns  to  match  <i>sub.domain.tld</i>  (as  opposed   to
+              List of Postfix features that use  <i>domain.tld</i>  pat-
+              terns   to  match  <i>sub.domain.tld</i>  (as  opposed  to
               requiring <i>.domain.tld</i> patterns).
 
        <b><a href="postconf.5.html#transport_maps">transport_maps</a></b>
@@ -283,7 +285,7 @@ TRANSPORT(5)                                                      TRANSPORT(5)
        <a href="FILTER_README.html">FILTER_README</a>, external content filter
 
 <b>LICENSE</b>
-       The Secure Mailer license must be  distributed  with  this
+       The  Secure  Mailer  license must be distributed with this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/man/man1/postconf.1 b/postfix/man/man1/postconf.1
index 32a4fc014..2468a03b4 100644
--- a/postfix/man/man1/postconf.1
+++ b/postfix/man/man1/postconf.1
@@ -17,6 +17,9 @@ Postfix configuration utility
 \fBpostconf\fR [\fB-ev\fR] [\fB-c \fIconfig_dir\fR]
 [\fIparameter=value ...\fR]
 
+\fBpostconf\fR [\fB-#v\fR] [\fB-c \fIconfig_dir\fR]
+[\fIparameter ...\fR]
+
 \fBpostconf\fR [\fB-btv\fR] [\fB-c \fIconfig_dir\fR] [\fItemplate_file\fR]
 .SH DESCRIPTION
 .ad
@@ -184,6 +187,15 @@ This feature is available with Postfix 2.3 and later.
 .IP \fB-v\fR
 Enable verbose logging for debugging purposes. Multiple \fB-v\fR
 options make the software increasingly verbose.
+.IP \fB-#\fR
+Edit the \fBmain.cf\fR configuration file. The file is copied
+to a temporary file then renamed into place. The parameters
+specified on the command line are commented-out, so that they
+revert to their default values. Specify a list of parameter
+names, not name=value pairs.  There is no \fBpostconf\fR command
+to perform the reverse operation.
+
+This feature is available with Postfix 2.6 and later.
 .SH DIAGNOSTICS
 .ad
 .fi
diff --git a/postfix/man/man5/access.5 b/postfix/man/man5/access.5
index a35383b7c..73a0be473 100644
--- a/postfix/man/man5/access.5
+++ b/postfix/man/man5/access.5
@@ -193,10 +193,15 @@ Reject the address etc. that matches the pattern. Reply with
 "\fB$access_map_reject_code \fIoptional text...\fR" when the
 optional text is
 specified, otherwise reply with a generic error response message.
+.IP "\fBDEFER \fIoptional text...\fR
+Reject the address etc. that matches the pattern. Reply with
+"\fB$access_map_defer_code \fIoptional text...\fR" when the
+optional text is
+specified, otherwise reply with a generic error response message.
 .IP "\fBDEFER_IF_REJECT \fIoptional text...\fR
 Defer the request if some later restriction would result in a
-REJECT action. Reply with "\fB450 4.7.1 \fI optional
-text...\fR" when the
+REJECT action. Reply with "\fB$access_map_defer_code 4.7.1
+\fIoptional text...\fR" when the
 optional text is specified, otherwise reply with a generic error
 response message.
 .sp
@@ -204,7 +209,8 @@ This feature is available in Postfix 2.1 and later.
 .IP "\fBDEFER_IF_PERMIT \fIoptional text...\fR
 Defer the request if some later restriction would result in a
 an explicit or implicit PERMIT action.
-Reply with "\fB450 4.7.1 \fI optional text...\fR" when the
+Reply with "\fB$access_map_defer_code 4.7.1 \fI optional
+text...\fR" when the
 optional text is specified, otherwise reply with a generic error
 response message.
 .sp
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index c10e38a7d..0f43bbc5f 100644
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -63,9 +63,18 @@ operation of the mail system.
 The recipient of undeliverable mail that cannot be returned to
 the sender.  This feature is enabled with the notify_classes
 parameter.
+.SH access_map_defer_code (default: 450)
+The numerical Postfix SMTP server response code for
+an \fBaccess\fR(5) map "defer" action, including "defer_if_permit"
+or "defer_if_reject". Prior to Postfix 2.6, the response
+is hard-coded as "450".
+.PP
+Do not change this unless you have a complete understanding of RFC 2821.
+.PP
+This feature is available in Postfix 2.6 and later.
 .SH access_map_reject_code (default: 554)
-The numerical Postfix SMTP server response code when a client
-is rejected by an \fBaccess\fR(5) map restriction.
+The numerical Postfix SMTP server response code for
+an \fBaccess\fR(5) map "reject" action.
 .PP
 Do not change this unless you have a complete understanding of RFC 2821.
 .SH address_verify_default_transport (default: $default_transport)
@@ -2939,6 +2948,33 @@ masquerade_exceptions = root
 .fi
 .ad
 .ft R
+.SH master_service_disable (default: empty)
+Selectively disable \fBmaster\fR(8) listener ports by service type
+or by service name and type.  Specify a list of service types
+("inet", "unix", "fifo", or "pass") or "name.type" tuples, where
+"name" is the first field of a master.cf entry and "type" is a
+service type. As with other Postfix matchlists, a search stops at
+the first match.  Specify "!pattern" to exclude a service from the
+list. By default, all \fBmaster\fR(8) listener ports are enabled.
+.PP
+Examples:
+.PP
+.nf
+.na
+.ft C
+# Turn on all \fBmaster\fR(8) listener ports (the default).
+master_service_disable =
+# Turn off only the main SMTP listener port.
+master_service_disable = smtp.inet
+# Turn off all TCP/IP listener ports.
+master_service_disable = inet
+# Turn off all TCP/IP listener ports except "foo".
+master_service_disable = !foo.inet, inet
+.fi
+.ad
+.ft R
+.PP
+This feature is available in Postfix 2.6 and later.
 .SH max_idle (default: 100s)
 The maximum amount of time that an idle Postfix daemon process waits
 for an incoming connection before terminating voluntarily.  This
@@ -8142,6 +8178,14 @@ a Postfix process has completed initialization. Errors during
 process initialization will be logged with the default name. Examples
 are errors while parsing the command line arguments, and errors
 while accessing the Postfix main.cf configuration file.
+.SH tcp_windowsize (default: 0)
+An optional workaround for routers that break TCP window scaling.
+Specify a value > 0 and < 65536 to enable this feature.
+.PP
+Note: for Postfix servers, this feature is implemented by the
+Postfix \fBmaster\fR(8) daemon, not by the servers themselves.
+.PP
+This feature is available in Postfix 2.6 and later.
 .SH tls_daemon_random_bytes (default: 32)
 The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
 process requests from the \fBtlsmgr\fR(8) server in order to seed its
diff --git a/postfix/man/man5/transport.5 b/postfix/man/man5/transport.5
index 24a211808..9f76856b0 100644
--- a/postfix/man/man5/transport.5
+++ b/postfix/man/man5/transport.5
@@ -118,15 +118,16 @@ Deliver mail for any subdomain of \fIdomain\fR through
 string \fBtransport_maps\fR is not listed in the
 \fBparent_domain_matches_subdomains\fR configuration setting.
 Otherwise, a domain name matches itself and its subdomains.
+.IP "\fB*\fI transport\fR:\fInexthop\fR"
+The special pattern \fB*\fR represents any address (i.e. it
+functions as the wild-card pattern, and is unique to Postfix
+transport tables).
 .PP
-Note 1: the special pattern \fB*\fR represents any address (i.e. it
-functions as the wild-card pattern).
-
-Note 2: the null recipient address is looked up as
+Note 1: the null recipient address is looked up as
 \fB$empty_address_recipient\fR@\fB$myhostname\fR (default:
 mailer-daemon@hostname).
 
-Note 3: \fIuser@domain\fR or \fIuser+extension@domain\fR
+Note 2: \fIuser@domain\fR or \fIuser+extension@domain\fR
 lookup is available in Postfix 2.0 and later.
 .SH "RESULT FORMAT"
 .na
diff --git a/postfix/man/man8/master.8 b/postfix/man/man8/master.8
index 3c50f9889..b688f93ae 100644
--- a/postfix/man/man8/master.8
+++ b/postfix/man/man8/master.8
@@ -109,6 +109,11 @@ process will service before terminating voluntarily.
 .IP "\fBservice_throttle_time (60s)\fR"
 How long the Postfix \fBmaster\fR(8) waits before forking a server that
 appears to be malfunctioning.
+.PP
+Available in Postfix version 2.6 and later:
+.IP "\fBmaster_service_disable (empty)\fR"
+Selectively disable \fBmaster\fR(8) listener ports by service type
+or by service name and type.
 .SH "MISCELLANEOUS CONTROLS"
 .na
 .nf
diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8
index ba6bd71f8..720f55859 100644
--- a/postfix/man/man8/smtp.8
+++ b/postfix/man/man8/smtp.8
@@ -245,6 +245,10 @@ Restricted \fBnested_header_checks\fR(5) tables for the Postfix SMTP
 client.
 .IP "\fBsmtp_body_checks (empty)\fR"
 Restricted \fBbody_checks\fR(5) tables for the Postfix SMTP client.
+.PP
+Available in Postfix version 2.6 and later:
+.IP "\fBtcp_windowsize (0)\fR"
+An optional workaround for routers that break TCP window scaling.
 .SH "MIME PROCESSING CONTROLS"
 .na
 .nf
diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8
index e6fcd0f57..8468574cf 100644
--- a/postfix/man/man8/smtpd.8
+++ b/postfix/man/man8/smtpd.8
@@ -135,6 +135,10 @@ Available in Postfix version 2.3 and later:
 Force the Postfix SMTP server to issue a TLS session id, even
 when TLS session caching is turned off (smtpd_tls_session_cache_database
 is empty).
+.PP
+Available in Postfix version 2.6 and later:
+.IP "\fBtcp_windowsize (0)\fR"
+An optional workaround for routers that break TCP window scaling.
 .SH "ADDRESS REWRITING CONTROLS"
 .na
 .nf
@@ -818,8 +822,8 @@ details.
 The following parameters control numerical SMTP reply codes
 and/or text responses.
 .IP "\fBaccess_map_reject_code (554)\fR"
-The numerical Postfix SMTP server response code when a client
-is rejected by an \fBaccess\fR(5) map restriction.
+The numerical Postfix SMTP server response code for
+an \fBaccess\fR(5) map "reject" action.
 .IP "\fBdefer_code (450)\fR"
 The numerical Postfix SMTP server response code when a remote SMTP
 client request is rejected by the "defer" restriction.
@@ -868,6 +872,12 @@ client request is blocked by the reject_multi_recipient_bounce
 restriction.
 .IP "\fBrbl_reply_maps (empty)\fR"
 Optional lookup tables with RBL response templates.
+.PP
+Available in Postfix version 2.6 and later:
+.IP "\fBaccess_map_defer_code (450)\fR"
+The numerical Postfix SMTP server response code for
+an \fBaccess\fR(5) map "defer" action, including "defer_if_permit"
+or "defer_if_reject".
 .SH "MISCELLANEOUS CONTROLS"
 .na
 .nf
diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink
index 6697d8918..31aeb03f9 100755
--- a/postfix/mantools/postlink
+++ b/postfix/mantools/postlink
@@ -68,6 +68,7 @@ while (<>) {
     s;\bdebugger_command\b;<a href="postconf.5.html#debugger_command">$&</a>;g;
     s;\b2bounce_notice_recipi[-</bB>]*\n*[ <bB>]*ent\b;<a href="postconf.5.html#2bounce_notice_recipient">$&</a>;g;
     s;\baccess_map_reject_code\b;<a href="postconf.5.html#access_map_reject_code">$&</a>;g;
+    s;\baccess_map_defer_code\b;<a href="postconf.5.html#access_map_defer_code">$&</a>;g;
     s;\baddress_verify_default_transport\b;<a href="postconf.5.html#address_verify_default_transport">$&</a>;g;
     s;\baddress_verify_local_transport\b;<a href="postconf.5.html#address_verify_local_transport">$&</a>;g;
     s;\baddress_verify_map\b;<a href="postconf.5.html#address_verify_map">$&</a>;g;
@@ -304,6 +305,7 @@ while (<>) {
     s;\bmasquerade_classes\b;<a href="postconf.5.html#masquerade_classes">$&</a>;g;
     s;\bmasquerade_domains\b;<a href="postconf.5.html#masquerade_domains">$&</a>;g;
     s;\bmasquerade_exceptions\b;<a href="postconf.5.html#masquerade_exceptions">$&</a>;g;
+    s;\bmaster_service_disable\b;<a href="postconf.5.html#master_service_disable">$&</a>;g;
     s;\bmax_idle\b;<a href="postconf.5.html#max_idle">$&</a>;g;
     s;\bmax_use\b;<a href="postconf.5.html#max_use">$&</a>;g;
     s;\bmaxi[-</bB>]*\n*[ <bB>]*mal_backoff_time\b;<a href="postconf.5.html#maximal_backoff_time">$&</a>;g;
@@ -533,6 +535,7 @@ while (<>) {
     s;\btransport_maps\b;<a href="postconf.5.html#transport_maps">$&</a>;g;
     s;\btransport_retry_time\b;<a href="postconf.5.html#transport_retry_time">$&</a>;g;
     s;\btrigger_timeout\b;<a href="postconf.5.html#trigger_timeout">$&</a>;g;
+    s;\btcp_windowsize\b;<a href="postconf.5.html#tcp_windowsize">$&</a>;g;
     s;\bundisclosed_recip[-</bB>]*\n* *[<bB>]*ients_header\b;<a href="postconf.5.html#undisclosed_recipients_header">$&</a>;g;
     s;\bunknown_address_reject_code\b;<a href="postconf.5.html#unknown_address_reject_code">$&</a>;g;
     s;\bunknown_client_reject_code\b;<a href="postconf.5.html#unknown_client_reject_code">$&</a>;g;
diff --git a/postfix/proto/NFS_README.html b/postfix/proto/NFS_README.html
index 0e4fb5588..7816f57b6 100644
--- a/postfix/proto/NFS_README.html
+++ b/postfix/proto/NFS_README.html
@@ -17,54 +17,121 @@
 
 <hr>
 
-<p> This question was asked on the postfix-users mailing list a
-while ago: </p>
-
-<blockquote> <p> Also, what considerations are there for file
-locking or other potential problems when running Postfix with a
-Netapp-style box for /var/mail delivery?  I know that FreeBSD has
-broken NFS file locking (both client and server?) but I'm not sure
-if this is something Postfix can work around or not. </p> </blockquote>
-
-<p> Postfix jumps several hoops in order to deal with NFS-specific
-problems. Thus, Postfix on NFS is slightly less reliable than
-Postfix on a local disk. That is not a problem in Postfix; the
-problem is in NFS and affects other MTAs as well. </p>
-
-<p> For queue locking within Postfix, NFS is not an issue because
-you cannot share Postfix queues among multiple Postfix instances.
+<h2> Postfix support status for NFS </h2>
+
+<p> What is the status of support for Postfix on NFS? The answer
+is that Postfix itself is supported when you use NFS, but there is
+no promise that an NFS-related problem will promptly receive a
+Postfix workaround, or that a workaround will even be possible.
 </p>
 
-<p> In order to have mailbox locking over NFS, you have to configure
-everything to use fcntl() locks for mailbox access (or switch to
-maildir style, which needs no application-level lock controls).
+<p> That said, Postfix will in many cases work very well on NFS,
+because Postfix implements a number of workarounds (see below).
+Good NFS implementations seldom if ever give problems with Postfix,
+so Wietse recommends that you spend your money wisely.  </p>
+
+<h2> Postfix file locking and NFS </h2>
+
+<p> For the Postfix mail queue, it does not matter how well NFS
+file locking works. The reason is that you cannot share Postfix
+queues among multiple running Postfix instances. You can use NFS
+to switch a Postfix mail queue from one NFS client to another one,
+but only one NFS client can access a Postfix mail queue at any
+particular point in time. </p>
+
+<p> For mailbox file sharing with NFS, your options are to use
+<b>fcntl</b> (kernel locks), <b>dotlock</b> (<i>username</i>.lock
+files), to use both locking methods simultaneously, or to switch
+to maildir format. The maildir format uses one file per message and
+needs no file locking support in Postfix or in other mail software.
 </p>
 
-<p> To turn on fcntl() mailbox locks with Postfix you specify: </p>
+<p> Many sites that use mailbox format play safe and use both locking
+methods simultaneously. </p>
 
 <blockquote>
 <pre>
 /etc/postfix/main.cf:
-    virtual_mailbox_lock = fcntl
-    mailbox_delivery_lock = fcntl
+    virtual_mailbox_lock = fcntl, dotlock
+    mailbox_delivery_lock = fcntl, dotlock
 </pre>
 </blockquote>
+</body>
 
-<p> Obviously, this approach is useful only if all other mailbox
-access software also uses fcntl() locks. </p>
+<h2> Postfix NFS workarounds </h2>
 
-<p> You can also "play safe" and throw in <i>username</i>.lock files: </p>
+<p> The list below summarizes the workarounds that exist for running
+Postfix on NFS as of the middle of 2003. As a reminder, Postfix
+itself is still supported when it runs on NFS, but there is no
+promise that an NFS-related problem will promptly receive a Postfix
+workaround, or that a workaround will even be possible.  </p>
 
-<blockquote>
-<pre>
-/etc/postfix/main.cf:
-    virtual_mailbox_lock = fcntl, dotlock
-    mailbox_delivery_lock = fcntl, dotlock
-</pre>
-</blockquote>
+<ul>
 
-<p> This is the combination that many applications end up using. </p>
+<li> <p> Problem: when renaming a file, the operation may succeed
+but report an error anyway<sup>[1]</sup>. </p>
 
-</body>
+<p> Workaround: when rename(old, new) reports an error, Postfix
+checks if the new name exists and the old name is gone. If the check
+succeeds, Postfix assumes that the rename() operation completed
+normally.  </p>
+
+<li> <p> Problem: when creating a directory, the operation may succeed
+but report an error anyway<sup>[1]</sup>. </p>
+
+<p> Workaround: when mkdir(new) reports an EEXIST error, Postfix
+checks if the new name resolves to a directory. If the check succeeds,
+Postfix assumes that the mkdir() operation completed normally.  </p>
+
+<li> <p> Problem: when creating a hardlink to a file, the operation
+may succeed but report an error anyway<sup>[1]</sup>. </p>
+
+<p> Workaround: when link(old, new) fails, Postfix compares the
+device and inode number of the old and new files. When the two files
+are identical, Postfix assumes that the link() operation completed
+normally. </p>
+
+<li> <p> Problem: when creating a dotlock (<i>username</i>.lock)
+file, the operation may succeed but report an error anyway<sup>[1]</sup>.
+</p>
+
+<p> Workaround: in this case, the only safe action is to back off
+and try again later.  </p>
+
+<li> <p> Problem: when a file server's "time of day" clock is not
+synchronized with the client's "time of day" clock, email deliveries
+are delayed by a minute or more.  </p>
+
+<p> Workaround: Postfix explicitly sets file time stamps to avoid
+delays with new mail (Postfix uses "last modified" file time stamps
+to decide when a queue file is ready for delivery).  </p>
+
+</ul>
+
+<p> <sup>[1]</sup> How can an operation succeed and report an error
+anyway? </p>
+
+<p> Suppose that an NFS server executes a client request successfully,
+and that the server's reply to the client is lost.  After some time
+the client retransmits the request to the server.  Normally, the
+server remembers that it already completed the request (it keeps a
+list of recently-completed requests and replies), and simply
+retransmits the reply. </p>
+
+<p> However, when the server has rebooted or when it has been very
+busy, the server no longer remembers that it already completed the
+request, and repeats the operation.  This causes no problems with
+file read/write requests (they contain a file offset and can therefore
+be repeated safely), but fails with non-idempotent operations. For
+example, when the server executes a retransmitted rename() request,
+the server reports an ENOENT error because the old name does not
+exist; and when the server executes a retransmitted link(), mkdir()
+or create() request, the server reports an EEXIST error because the
+name already exists. </p>
+
+<p> Thus, successful, non-idempotent, NFS operations will report
+false errors when the server reply is lost, the client retransmits
+the request, and the server does not remember that it already
+completed the request.  </p>
 
 </html>
diff --git a/postfix/proto/access b/postfix/proto/access
index 088b87eee..48b6deb1a 100644
--- a/postfix/proto/access
+++ b/postfix/proto/access
@@ -173,21 +173,33 @@
 #	"\fB$access_map_reject_code \fIoptional text...\fR" when the
 #	optional text is
 #	specified, otherwise reply with a generic error response message.
+# .IP "\fBDEFER \fIoptional text...\fR
+#	Reject the address etc. that matches the pattern. Reply with
+#	"\fB$access_map_defer_code \fIoptional text...\fR" when the
+#	optional text is
+#	specified, otherwise reply with a generic error response message.
+# .sp
+#	This feature is available in Postfix 2.6 and later.
 # .IP "\fBDEFER_IF_REJECT \fIoptional text...\fR
 #	Defer the request if some later restriction would result in a
-#	REJECT action. Reply with "\fB450 4.7.1 \fI optional
-#	text...\fR" when the
+#	REJECT action. Reply with "\fB$access_map_defer_code 4.7.1
+#	\fIoptional text...\fR" when the
 #	optional text is specified, otherwise reply with a generic error
 #	response message.
 # .sp
+#	Prior to Postfix 2.6, the SMTP reply code is 450.
+# .sp
 #	This feature is available in Postfix 2.1 and later.
 # .IP "\fBDEFER_IF_PERMIT \fIoptional text...\fR
 #	Defer the request if some later restriction would result in a
 #	an explicit or implicit PERMIT action.
-#	Reply with "\fB450 4.7.1 \fI optional text...\fR" when the
+#	Reply with "\fB$access_map_defer_code 4.7.1 \fI optional
+#	text...\fR" when the
 #	optional text is specified, otherwise reply with a generic error
 #	response message.
 # .sp
+#	Prior to Postfix 2.6, the SMTP reply code is 450.
+# .sp
 #	This feature is available in Postfix 2.1 and later.
 # OTHER ACTIONS
 # .ad
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index 0c7d4b9fc..6626b8f75 100644
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -152,14 +152,31 @@ and operate this feature.
 %PARAM access_map_reject_code 554
 
 <p>
-The numerical Postfix SMTP server response code when a client
-is rejected by an access(5) map restriction.
+The numerical Postfix SMTP server response code for
+an access(5) map "reject" action.
 </p>
 
 <p>
 Do not change this unless you have a complete understanding of RFC 2821.
 </p>
 
+%PARAM access_map_defer_code 450
+
+<p>
+The numerical Postfix SMTP server response code for
+an access(5) map "defer" action, including "defer_if_permit"
+or "defer_if_reject". Prior to Postfix 2.6, the response 
+is hard-coded as "450".
+</p>
+
+<p>
+Do not change this unless you have a complete understanding of RFC 2821.
+</p>
+
+<p>
+This feature is available in Postfix 2.6 and later.
+</p>
+
 %PARAM address_verify_default_transport $default_transport
 
 <p>
@@ -11944,3 +11961,38 @@ This service is normally implemented by the proxymap(8) daemon.
 
 <p> This feature is available in Postfix 2.6 and later. </p>
 
+%PARAM master_service_disable 
+
+<p> Selectively disable master(8) listener ports by service type
+or by service name and type.  Specify a list of service types
+("inet", "unix", "fifo", or "pass") or "name.type" tuples, where
+"name" is the first field of a master.cf entry and "type" is a
+service type. As with other Postfix matchlists, a search stops at
+the first match.  Specify "!pattern" to exclude a service from the
+list. By default, all master(8) listener ports are enabled.  </p>
+
+<p> Examples: </p>
+
+<pre>
+# Turn on all master(8) listener ports (the default).
+master_service_disable =
+# Turn off only the main SMTP listener port.
+master_service_disable = smtp.inet
+# Turn off all TCP/IP listener ports.
+master_service_disable = inet
+# Turn off all TCP/IP listener ports except "foo".
+master_service_disable = !foo.inet, inet
+</pre>
+
+<p> This feature is available in Postfix 2.6 and later. </p>
+
+%PARAM tcp_windowsize 0 
+
+<p> An optional workaround for routers that break TCP window scaling.
+Specify a value > 0 and < 65536 to enable this feature. </p>
+
+<p> Note: for Postfix servers, this feature is implemented by the
+Postfix master(8) daemon, not by the servers themselves. The Postfix
+master must be restarted for a parameter change to take effect. </p>
+
+<p> This feature is available in Postfix 2.6 and later. </p>
diff --git a/postfix/proto/transport b/postfix/proto/transport
index aa69b6450..e411e3046 100644
--- a/postfix/proto/transport
+++ b/postfix/proto/transport
@@ -106,15 +106,16 @@
 #	string \fBtransport_maps\fR is not listed in the
 #	\fBparent_domain_matches_subdomains\fR configuration setting.
 #	Otherwise, a domain name matches itself and its subdomains.
+# .IP "\fB*\fI transport\fR:\fInexthop\fR"
+#	The special pattern \fB*\fR represents any address (i.e. it
+#	functions as the wild-card pattern, and is unique to Postfix
+#	transport tables).
 # .PP
-#	Note 1: the special pattern \fB*\fR represents any address (i.e. it
-#	functions as the wild-card pattern).
-#
-#	Note 2: the null recipient address is looked up as
+#	Note 1: the null recipient address is looked up as
 #	\fB$empty_address_recipient\fR@\fB$myhostname\fR (default:
 #	mailer-daemon@hostname).
 #
-#	Note 3: \fIuser@domain\fR or \fIuser+extension@domain\fR
+#	Note 2: \fIuser@domain\fR or \fIuser+extension@domain\fR
 #	lookup is available in Postfix 2.0 and later.
 # RESULT FORMAT
 # .ad
diff --git a/postfix/src/bounce/Makefile.in b/postfix/src/bounce/Makefile.in
index 93d484caa..09de6e9d0 100644
--- a/postfix/src/bounce/Makefile.in
+++ b/postfix/src/bounce/Makefile.in
@@ -168,11 +168,9 @@ bounce_notify_service.o: ../../include/dsn.h
 bounce_notify_service.o: ../../include/dsn_buf.h
 bounce_notify_service.o: ../../include/dsn_mask.h
 bounce_notify_service.o: ../../include/int_filt.h
-bounce_notify_service.o: ../../include/iostuff.h
 bounce_notify_service.o: ../../include/mail_addr.h
 bounce_notify_service.o: ../../include/mail_error.h
 bounce_notify_service.o: ../../include/mail_params.h
-bounce_notify_service.o: ../../include/mail_proto.h
 bounce_notify_service.o: ../../include/mail_queue.h
 bounce_notify_service.o: ../../include/msg.h
 bounce_notify_service.o: ../../include/msg_stats.h
@@ -234,11 +232,9 @@ bounce_notify_verp.o: ../../include/dsn.h
 bounce_notify_verp.o: ../../include/dsn_buf.h
 bounce_notify_verp.o: ../../include/dsn_mask.h
 bounce_notify_verp.o: ../../include/int_filt.h
-bounce_notify_verp.o: ../../include/iostuff.h
 bounce_notify_verp.o: ../../include/mail_addr.h
 bounce_notify_verp.o: ../../include/mail_error.h
 bounce_notify_verp.o: ../../include/mail_params.h
-bounce_notify_verp.o: ../../include/mail_proto.h
 bounce_notify_verp.o: ../../include/mail_queue.h
 bounce_notify_verp.o: ../../include/msg.h
 bounce_notify_verp.o: ../../include/msg_stats.h
@@ -263,11 +259,9 @@ bounce_one_service.o: ../../include/dsn.h
 bounce_one_service.o: ../../include/dsn_buf.h
 bounce_one_service.o: ../../include/dsn_mask.h
 bounce_one_service.o: ../../include/int_filt.h
-bounce_one_service.o: ../../include/iostuff.h
 bounce_one_service.o: ../../include/mail_addr.h
 bounce_one_service.o: ../../include/mail_error.h
 bounce_one_service.o: ../../include/mail_params.h
-bounce_one_service.o: ../../include/mail_proto.h
 bounce_one_service.o: ../../include/msg.h
 bounce_one_service.o: ../../include/msg_stats.h
 bounce_one_service.o: ../../include/name_mask.h
@@ -321,11 +315,9 @@ bounce_trace_service.o: ../../include/dsn.h
 bounce_trace_service.o: ../../include/dsn_buf.h
 bounce_trace_service.o: ../../include/dsn_mask.h
 bounce_trace_service.o: ../../include/int_filt.h
-bounce_trace_service.o: ../../include/iostuff.h
 bounce_trace_service.o: ../../include/mail_addr.h
 bounce_trace_service.o: ../../include/mail_error.h
 bounce_trace_service.o: ../../include/mail_params.h
-bounce_trace_service.o: ../../include/mail_proto.h
 bounce_trace_service.o: ../../include/mail_queue.h
 bounce_trace_service.o: ../../include/msg.h
 bounce_trace_service.o: ../../include/msg_stats.h
diff --git a/postfix/src/discard/Makefile.in b/postfix/src/discard/Makefile.in
index 1692de1cf..00a5d5c34 100644
--- a/postfix/src/discard/Makefile.in
+++ b/postfix/src/discard/Makefile.in
@@ -65,8 +65,6 @@ discard.o: ../../include/dsn.h
 discard.o: ../../include/dsn_buf.h
 discard.o: ../../include/dsn_util.h
 discard.o: ../../include/flush_clnt.h
-discard.o: ../../include/iostuff.h
-discard.o: ../../include/mail_proto.h
 discard.o: ../../include/mail_queue.h
 discard.o: ../../include/mail_server.h
 discard.o: ../../include/mail_version.h
diff --git a/postfix/src/global/mail_conf.c b/postfix/src/global/mail_conf.c
index e1331f028..c323ab6af 100644
--- a/postfix/src/global/mail_conf.c
+++ b/postfix/src/global/mail_conf.c
@@ -10,6 +10,8 @@
 /*
 /*	void	mail_conf_suck()
 /*
+/*	void	mail_conf_flush()
+/*
 /*	void	mail_conf_update(name, value)
 /*	const char *name;
 /*	const char *value;
@@ -29,6 +31,10 @@
 /*	mail_conf_read() invokes mail_conf_suck() and assigns the values
 /*	to global variables by calling mail_params_init().
 /*
+/*	mail_conf_flush() discards the global configuration dictionary.
+/*	This is needed in programs that read main.cf multiple times, to
+/*	ensure that deleted parameter settings are handled properly.
+/*
 /*	The following routines are wrappers around the generic dictionary
 /*	access routines.
 /*
@@ -177,6 +183,14 @@ void    mail_conf_suck(void)
     myfree(path);
 }
 
+/* mail_conf_flush - discard configuration dictionary */
+
+void mail_conf_flush(void)
+{
+    if (dict_handle(CONFIG_DICT) != 0)
+        dict_unregister(CONFIG_DICT);
+}
+
 /* mail_conf_eval - expand macros in string */
 
 const char *mail_conf_eval(const char *string)
diff --git a/postfix/src/global/mail_conf.h b/postfix/src/global/mail_conf.h
index 89cce98c1..cdb27afae 100644
--- a/postfix/src/global/mail_conf.h
+++ b/postfix/src/global/mail_conf.h
@@ -35,6 +35,7 @@
   */
 extern void mail_conf_read(void);
 extern void mail_conf_suck(void);
+extern void mail_conf_flush(void);
 
 extern void mail_conf_update(const char *, const char *);
 extern const char *mail_conf_lookup(const char *);
diff --git a/postfix/src/global/mail_params.c b/postfix/src/global/mail_params.c
index a8d9c11bd..80fc29985 100644
--- a/postfix/src/global/mail_params.c
+++ b/postfix/src/global/mail_params.c
@@ -74,6 +74,7 @@
 /*	char	*var_par_dom_match;
 /*	char	*var_config_dirs;
 /*
+/*	int	var_inet_windowsize;
 /*	char	*var_import_environ;
 /*	char	*var_export_environ;
 /*	char	*var_debug_peer_list;
@@ -169,6 +170,8 @@
 #endif
 #include <inet_proto.h>
 #include <vstring_vstream.h>
+#include <connect.h>
+#include <listen.h>
 
 /* Global library. */
 
@@ -252,6 +255,7 @@ int     var_in_flow_delay;
 char   *var_par_dom_match;
 char   *var_config_dirs;
 
+int     var_inet_windowsize;
 char   *var_import_environ;
 char   *var_export_environ;
 char   *var_debug_peer_list;
@@ -571,6 +575,7 @@ void    mail_params_init()
 	VAR_MIME_MAXDEPTH, DEF_MIME_MAXDEPTH, &var_mime_maxdepth, 1, 0,
 	VAR_MIME_BOUND_LEN, DEF_MIME_BOUND_LEN, &var_mime_bound_len, 1, 0,
 	VAR_DELAY_MAX_RES, DEF_DELAY_MAX_RES, &var_delay_max_res, MIN_DELAY_MAX_RES, MAX_DELAY_MAX_RES,
+	VAR_INET_WINDOW, DEF_INET_WINDOW, &var_inet_windowsize, 0, 0,
 	0,
     };
     static const CONFIG_TIME_TABLE time_defaults[] = {
@@ -667,6 +672,7 @@ void    mail_params_init()
 #ifdef HAS_DB
     dict_db_cache_size = var_db_read_buf;
 #endif
+    inet_windowsize = var_inet_windowsize;
 
     /*
      * Variables whose defaults are determined at runtime, after other
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index 7fe41d3b1..b976ed474 100644
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@@ -802,6 +802,13 @@ extern int var_proc_limit;
 #define DEF_THROTTLE_TIME	"60s"
 extern int var_throttle_time;
 
+ /*
+  * Master: what master.cf services are turned off.
+  */
+#define VAR_MASTER_DISABLE	"master_service_disable"
+#define DEF_MASTER_DISABLE	""
+extern char *var_master_disable;
+
  /*
   * Any subsystem: default maximum number of clients serviced before a mail
   * subsystem terminates (except queue manager).
@@ -2029,9 +2036,13 @@ extern int var_relay_code;
 #define DEF_PERM_MX_NETWORKS	""
 extern char *var_perm_mx_networks;
 
-#define VAR_ACCESS_MAP_CODE	"access_map_reject_code"
-#define DEF_ACCESS_MAP_CODE	554
-extern int var_access_map_code;
+#define VAR_MAP_REJECT_CODE	"access_map_reject_code"
+#define DEF_MAP_REJECT_CODE	554
+extern int var_map_reject_code;
+
+#define VAR_MAP_DEFER_CODE	"access_map_defer_code"
+#define DEF_MAP_DEFER_CODE	450
+extern int var_map_defer_code;
 
 #define CHECK_CLIENT_ACL	"check_client_access"
 #define CHECK_REVERSE_CLIENT_ACL "check_reverse_client_hostname_access"
@@ -3023,6 +3034,13 @@ extern char *var_stress;
 #define DEF_STRICT_MBOX_OWNER	1
 extern bool var_strict_mbox_owner;
 
+ /*
+  * Window scaling workaround.
+  */
+#define VAR_INET_WINDOW		"tcp_windowsize"
+#define DEF_INET_WINDOW		0
+extern int var_inet_windowsize;
+
 /* LICENSE
 /* .ad
 /* .fi
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 2c795782b..bb974f05a 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20081205"
+#define MAIL_RELEASE_DATE	"20090109"
 #define MAIL_VERSION_NUMBER	"2.6"
 
 #ifdef SNAPSHOT
diff --git a/postfix/src/local/Makefile.in b/postfix/src/local/Makefile.in
index 34cecd2a2..13a2788a1 100644
--- a/postfix/src/local/Makefile.in
+++ b/postfix/src/local/Makefile.in
@@ -78,9 +78,7 @@ alias.o: ../../include/dsn_buf.h
 alias.o: ../../include/dsn_mask.h
 alias.o: ../../include/fold_addr.h
 alias.o: ../../include/htable.h
-alias.o: ../../include/iostuff.h
 alias.o: ../../include/mail_params.h
-alias.o: ../../include/mail_proto.h
 alias.o: ../../include/maps.h
 alias.o: ../../include/mbox_conf.h
 alias.o: ../../include/msg.h
@@ -116,11 +114,9 @@ command.o: ../../include/dsn_buf.h
 command.o: ../../include/dsn_util.h
 command.o: ../../include/fold_addr.h
 command.o: ../../include/htable.h
-command.o: ../../include/iostuff.h
 command.o: ../../include/mac_parse.h
 command.o: ../../include/mail_copy.h
 command.o: ../../include/mail_params.h
-command.o: ../../include/mail_proto.h
 command.o: ../../include/maps.h
 command.o: ../../include/mbox_conf.h
 command.o: ../../include/msg.h
@@ -146,8 +142,6 @@ deliver_attr.o: ../../include/dsn.h
 deliver_attr.o: ../../include/dsn_buf.h
 deliver_attr.o: ../../include/fold_addr.h
 deliver_attr.o: ../../include/htable.h
-deliver_attr.o: ../../include/iostuff.h
-deliver_attr.o: ../../include/mail_proto.h
 deliver_attr.o: ../../include/maps.h
 deliver_attr.o: ../../include/mbox_conf.h
 deliver_attr.o: ../../include/msg.h
@@ -180,7 +174,6 @@ dotforward.o: ../../include/mac_expand.h
 dotforward.o: ../../include/mac_parse.h
 dotforward.o: ../../include/mail_conf.h
 dotforward.o: ../../include/mail_params.h
-dotforward.o: ../../include/mail_proto.h
 dotforward.o: ../../include/maps.h
 dotforward.o: ../../include/mbox_conf.h
 dotforward.o: ../../include/msg.h
@@ -214,10 +207,8 @@ file.o: ../../include/dsn_buf.h
 file.o: ../../include/dsn_util.h
 file.o: ../../include/fold_addr.h
 file.o: ../../include/htable.h
-file.o: ../../include/iostuff.h
 file.o: ../../include/mail_copy.h
 file.o: ../../include/mail_params.h
-file.o: ../../include/mail_proto.h
 file.o: ../../include/maps.h
 file.o: ../../include/mbox_conf.h
 file.o: ../../include/mbox_open.h
@@ -288,7 +279,6 @@ include.o: ../../include/fold_addr.h
 include.o: ../../include/htable.h
 include.o: ../../include/iostuff.h
 include.o: ../../include/mail_params.h
-include.o: ../../include/mail_proto.h
 include.o: ../../include/maps.h
 include.o: ../../include/mbox_conf.h
 include.o: ../../include/msg.h
@@ -319,9 +309,7 @@ indirect.o: ../../include/dsn.h
 indirect.o: ../../include/dsn_buf.h
 indirect.o: ../../include/fold_addr.h
 indirect.o: ../../include/htable.h
-indirect.o: ../../include/iostuff.h
 indirect.o: ../../include/mail_params.h
-indirect.o: ../../include/mail_proto.h
 indirect.o: ../../include/maps.h
 indirect.o: ../../include/mbox_conf.h
 indirect.o: ../../include/msg.h
@@ -353,7 +341,6 @@ local.o: ../../include/iostuff.h
 local.o: ../../include/mail_addr.h
 local.o: ../../include/mail_conf.h
 local.o: ../../include/mail_params.h
-local.o: ../../include/mail_proto.h
 local.o: ../../include/mail_server.h
 local.o: ../../include/mail_version.h
 local.o: ../../include/maps.h
@@ -382,11 +369,9 @@ local_expand.o: ../../include/dsn.h
 local_expand.o: ../../include/dsn_buf.h
 local_expand.o: ../../include/fold_addr.h
 local_expand.o: ../../include/htable.h
-local_expand.o: ../../include/iostuff.h
 local_expand.o: ../../include/mac_expand.h
 local_expand.o: ../../include/mac_parse.h
 local_expand.o: ../../include/mail_params.h
-local_expand.o: ../../include/mail_proto.h
 local_expand.o: ../../include/maps.h
 local_expand.o: ../../include/mbox_conf.h
 local_expand.o: ../../include/msg_stats.h
@@ -452,10 +437,8 @@ maildir.o: ../../include/dsn_util.h
 maildir.o: ../../include/fold_addr.h
 maildir.o: ../../include/get_hostname.h
 maildir.o: ../../include/htable.h
-maildir.o: ../../include/iostuff.h
 maildir.o: ../../include/mail_copy.h
 maildir.o: ../../include/mail_params.h
-maildir.o: ../../include/mail_proto.h
 maildir.o: ../../include/make_dirs.h
 maildir.o: ../../include/maps.h
 maildir.o: ../../include/mbox_conf.h
@@ -491,9 +474,7 @@ recipient.o: ../../include/dsn_buf.h
 recipient.o: ../../include/ext_prop.h
 recipient.o: ../../include/fold_addr.h
 recipient.o: ../../include/htable.h
-recipient.o: ../../include/iostuff.h
 recipient.o: ../../include/mail_params.h
-recipient.o: ../../include/mail_proto.h
 recipient.o: ../../include/maps.h
 recipient.o: ../../include/mbox_conf.h
 recipient.o: ../../include/msg.h
@@ -555,9 +536,7 @@ token.o: ../../include/dsn.h
 token.o: ../../include/dsn_buf.h
 token.o: ../../include/fold_addr.h
 token.o: ../../include/htable.h
-token.o: ../../include/iostuff.h
 token.o: ../../include/mail_params.h
-token.o: ../../include/mail_proto.h
 token.o: ../../include/maps.h
 token.o: ../../include/mbox_conf.h
 token.o: ../../include/msg.h
diff --git a/postfix/src/master/Makefile.in b/postfix/src/master/Makefile.in
index 9748b2257..4c2854b05 100644
--- a/postfix/src/master/Makefile.in
+++ b/postfix/src/master/Makefile.in
@@ -128,6 +128,7 @@ master_conf.o: master.h
 master_conf.o: master_conf.c
 master_ent.o: ../../include/argv.h
 master_ent.o: ../../include/attr.h
+master_ent.o: ../../include/domain_list.h
 master_ent.o: ../../include/host_port.h
 master_ent.o: ../../include/inet_addr_host.h
 master_ent.o: ../../include/inet_addr_list.h
@@ -135,6 +136,8 @@ master_ent.o: ../../include/iostuff.h
 master_ent.o: ../../include/mail_conf.h
 master_ent.o: ../../include/mail_params.h
 master_ent.o: ../../include/mail_proto.h
+master_ent.o: ../../include/match_list.h
+master_ent.o: ../../include/match_ops.h
 master_ent.o: ../../include/msg.h
 master_ent.o: ../../include/myaddrinfo.h
 master_ent.o: ../../include/mymalloc.h
diff --git a/postfix/src/master/master.c b/postfix/src/master/master.c
index 56e1ffdce..f18572ac7 100644
--- a/postfix/src/master/master.c
+++ b/postfix/src/master/master.c
@@ -95,6 +95,11 @@
 /* .IP "\fBservice_throttle_time (60s)\fR"
 /*	How long the Postfix \fBmaster\fR(8) waits before forking a server that
 /*	appears to be malfunctioning.
+/* .PP
+/*	Available in Postfix version 2.6 and later:
+/* .IP "\fBmaster_service_disable (empty)\fR"
+/*	Selectively disable \fBmaster\fR(8) listener ports by service type
+/*	or by service name and type.
 /* MISCELLANEOUS CONTROLS
 /* .ad
 /* .fi
@@ -266,7 +271,6 @@ int     main(int argc, char **argv)
      * Strip and save the process name for diagnostics etc.
      */
     var_procname = mystrdup(basename(argv[0]));
-    set_mail_conf_str(VAR_PROCNAME, var_procname);
 
     /*
      * When running a child process, don't leak any open files that were
@@ -468,7 +472,9 @@ int     main(int argc, char **argv)
      * multiple things at the same time, it really is all a single thread, so
      * that there are no concurrency conflicts within the master process.
      */
-    watchdog = watchdog_create(1000, (WATCHDOG_FN) 0, (char *) 0);
+#define MASTER_WATCHDOG_TIME	1000
+
+    watchdog = watchdog_create(MASTER_WATCHDOG_TIME, (WATCHDOG_FN) 0, (char *) 0);
     for (;;) {
 #ifdef HAS_VOLATILE_LOCKS
 	if (myflock(vstream_fileno(lock_fp), INTERNAL_LOCK,
@@ -479,9 +485,9 @@ int     main(int argc, char **argv)
 	    msg_fatal("refresh exclusive lock: %m");
 #endif
 	watchdog_start(watchdog);		/* same as trigger servers */
-	event_loop(-1);
+	event_loop(MASTER_WATCHDOG_TIME / 2);
 	if (master_gotsighup) {
-	    msg_info("reload -- version %s, configuration %s", 
+	    msg_info("reload -- version %s, configuration %s",
 		     var_mail_version, var_config_dir);
 	    master_gotsighup = 0;		/* this first */
 	    master_vars_init();			/* then this */
diff --git a/postfix/src/master/master.h b/postfix/src/master/master.h
index 88dbb5622..dfc87941e 100644
--- a/postfix/src/master/master.h
+++ b/postfix/src/master/master.h
@@ -129,7 +129,7 @@ extern void master_refresh(void);
 extern void master_vars_init(void);
 
  /*
-  * master_tab.c
+  * master_service.c
   */
 extern MASTER_SERV *master_head;
 extern void master_start_service(MASTER_SERV *);
diff --git a/postfix/src/master/master_ent.c b/postfix/src/master/master_ent.c
index 5eb60f545..edae67978 100644
--- a/postfix/src/master/master_ent.c
+++ b/postfix/src/master/master_ent.c
@@ -90,6 +90,7 @@
 
 /* Global library. */
 
+#include <domain_list.h>
 #include <mail_proto.h>
 #include <mail_params.h>
 #include <own_inet_addr.h>
@@ -104,6 +105,7 @@
 static char *master_path;		/* config file name */
 static VSTREAM *master_fp;		/* config file pointer */
 static int master_line;			/* config file line number */
+static DOMAIN_LIST *master_disable;	/* disabled services */
 
 static char master_blanks[] = " \t\r\n";/* field delimiters */
 
@@ -132,6 +134,9 @@ void    set_master_ent()
     if ((master_fp = vstream_fopen(master_path, O_RDONLY, 0)) == 0)
 	msg_fatal("open %s: %m", master_path);
     master_line = 0;
+    if (master_disable != 0)
+	msg_panic("%s: service disable list still exists", myname);
+    master_disable = domain_list_init(MATCH_FLAG_PARENT, var_master_disable);
 }
 
 /* end_master_ent - close configuration file */
@@ -145,6 +150,10 @@ void    end_master_ent()
     if (vstream_fclose(master_fp) != 0)
 	msg_fatal("%s: close configuration file: %m", myname);
     master_fp = 0;
+    if (master_disable == 0)
+	msg_panic("%s: no service disable list", myname);
+    domain_list_free(master_disable);
+    master_disable = 0;
 }
 
 /* fatal_with_context - print fatal error with file/line context */
@@ -242,6 +251,8 @@ MASTER_SERV *get_master_ent()
 
     if (master_fp == 0)
 	msg_panic("get_master_ent: config file not open");
+    if (master_disable == 0)
+	msg_panic("get_master_ent: no service disable list");
 
     /*
      * XXX We cannot change the inet_interfaces setting for a running master
@@ -268,7 +279,12 @@ MASTER_SERV *get_master_ent()
 	    return (0);
 	}
 	bufp = vstring_str(buf);
-    } while ((cp = mystrtok(&bufp, master_blanks)) == 0);
+	if ((cp = mystrtok(&bufp, master_blanks)) == 0)
+	    continue;
+	name = cp;
+	transport = get_str_ent(&bufp, "transport type", (char *) 0);
+	vstring_sprintf(junk, "%s.%s", name, transport);
+    } while (domain_list_match(master_disable, vstring_str(junk)) != 0);
 
     /*
      * Parse one logical line from the configuration file. Initialize service
@@ -290,15 +306,13 @@ MASTER_SERV *get_master_ent()
     /*
      * Service name. Syntax is transport-specific.
      */
-    serv->ext_name = mystrdup(cp);
-    name = cp;
+    serv->ext_name = mystrdup(name);
 
     /*
      * Transport type: inet (wild-card listen or virtual) or unix.
      */
 #define STR_SAME	!strcmp
 
-    transport = get_str_ent(&bufp, "transport type", (char *) 0);
     if (STR_SAME(transport, MASTER_XPORT_NAME_INET)) {
 	if (!STR_SAME(saved_interfaces, var_inet_interfaces)) {
 	    msg_warn("service %s: ignoring %s change",
diff --git a/postfix/src/master/master_vars.c b/postfix/src/master/master_vars.c
index 1457d6b4b..21420431a 100644
--- a/postfix/src/master/master_vars.c
+++ b/postfix/src/master/master_vars.c
@@ -49,6 +49,110 @@
 char   *var_inet_protocols;
 int     var_proc_limit;
 int     var_throttle_time;
+char   *var_master_disable;
+
+ /*
+  * Support to warn about main.cf parameters that can only be initialized but
+  * not updated, and to initialize or update data structures that derive
+  * values from main.cf parameters. Add similar code if we also need to
+  * monitor non-string parameters.
+  */
+typedef struct MASTER_VARS_STR_WATCH {
+    const char *name;			/* parameter name */
+    char  **value;			/* current main.cf value */
+    char  **backup;			/* actual value that is being used */
+    int     flags;			/* see below */
+    void    (*assign) (void);		/* init or update data structure */
+} MASTER_VARS_STR_WATCH;
+
+typedef struct MASTER_VARS_INT_WATCH {
+    const char *name;			/* parameter name */
+    int    *value;			/* current main.cf value */
+    int    *backup;			/* actual value that is being used */
+    int     flags;			/* see below */
+    void    (*assign) (void);		/* init or update data structure */
+} MASTER_VARS_INT_WATCH;
+
+#define MASTER_VARS_WATCH_FLAG_UPDATE	(1<<0)	/* support update after init */
+#define MASTER_VARS_WATCH_FLAG_ISSET	(1<<1)	/* backup is initialized */
+
+/* master_vars_str_watch - watch string-valued parameters for change */
+
+static void master_vars_str_watch(MASTER_VARS_STR_WATCH *str_watch_table)
+{
+    MASTER_VARS_STR_WATCH *wp;
+
+    for (wp = str_watch_table; wp->name != 0; wp++) {
+
+	/*
+	 * Detect changes to monitored parameter values. If a change is
+	 * supported, we discard the backed up value and update it to the
+	 * current value later. Otherwise we complain.
+	 */
+	if (wp->backup[0] != 0
+	    && strcmp(wp->backup[0], wp->value[0]) != 0) {
+	    if ((wp->flags & MASTER_VARS_WATCH_FLAG_UPDATE) == 0) {
+		msg_warn("ignoring %s parameter value change", wp->name);
+		msg_warn("old value: \"%s\", new value: \"%s\"",
+			 wp->backup[0], wp->value[0]);
+		msg_warn("to change %s, stop and start Postfix", wp->name);
+	    } else {
+		myfree(wp->backup[0]);
+		wp->backup[0] = 0;
+	    }
+	}
+
+	/*
+	 * Initialize the backed up parameter value, or update if it this
+	 * parameter supports updates after initialization. Optionally assign
+	 * the parameter value to an application-specific data structure.
+	 */
+	if (wp->backup[0] == 0) {
+	    if (wp->assign != 0)
+		wp->assign();
+	    wp->backup[0] = mystrdup(wp->value[0]);
+	}
+    }
+}
+
+/* master_vars_int_watch - watch integer-valued parameters for change */
+
+static void master_vars_int_watch(MASTER_VARS_INT_WATCH *str_watch_table)
+{
+    MASTER_VARS_INT_WATCH *wp;
+
+    for (wp = str_watch_table; wp->name != 0; wp++) {
+
+	/*
+	 * Detect changes to monitored parameter values. If a change is
+	 * supported, we discard the backed up value and update it to the
+	 * current value later. Otherwise we complain.
+	 */
+	if ((wp->flags & MASTER_VARS_WATCH_FLAG_ISSET) != 0
+	    && wp->backup[0] != wp->value[0]) {
+	    if ((wp->flags & MASTER_VARS_WATCH_FLAG_UPDATE) == 0) {
+		msg_warn("ignoring %s parameter value change", wp->name);
+		msg_warn("old value: \"%d\", new value: \"%d\"",
+			 wp->backup[0], wp->value[0]);
+		msg_warn("to change %s, stop and start Postfix", wp->name);
+	    } else {
+		wp->flags &= ~MASTER_VARS_WATCH_FLAG_ISSET;
+	    }
+	}
+
+	/*
+	 * Initialize the backed up parameter value, or update if it this
+	 * parameter supports updates after initialization. Optionally assign
+	 * the parameter value to an application-specific data structure.
+	 */
+	if ((wp->flags & MASTER_VARS_WATCH_FLAG_ISSET) == 0) {
+	    if (wp->assign != 0)
+		wp->assign();
+	    wp->flags |= MASTER_VARS_WATCH_FLAG_ISSET;
+	    wp->backup[0] = wp->value[0];
+	}
+    }
+}
 
 /* master_vars_init - initialize from global Postfix configuration file */
 
@@ -57,6 +161,7 @@ void    master_vars_init(void)
     char   *path;
     static const CONFIG_STR_TABLE str_table[] = {
 	VAR_INET_PROTOCOLS, DEF_INET_PROTOCOLS, &var_inet_protocols, 1, 0,
+	VAR_MASTER_DISABLE, DEF_MASTER_DISABLE, &var_master_disable, 0, 0,
 	0,
     };
     static const CONFIG_INT_TABLE int_table[] = {
@@ -68,9 +173,27 @@ void    master_vars_init(void)
 	0,
     };
     static char *saved_inet_protocols;
+    static char *saved_queue_dir;
+    static char *saved_config_dir;
+    static MASTER_VARS_STR_WATCH str_watch_table[] = {
+	VAR_CONFIG_DIR, &var_config_dir, &saved_config_dir, 0, 0,
+	VAR_QUEUE_DIR, &var_queue_dir, &saved_queue_dir, 0, 0,
+	VAR_INET_PROTOCOLS, &var_inet_protocols, &saved_inet_protocols, 0, 0,
+	/* XXX Add inet_interfaces here after this code is burned in. */
+	0,
+    };
+    static int saved_inet_windowsize;
+    static MASTER_VARS_INT_WATCH int_watch_table[] = {
+	VAR_INET_WINDOW, &var_inet_windowsize, &saved_inet_windowsize, 0, 0,
+	0,
+    };
 
-    if (var_inet_protocols && !saved_inet_protocols)
-	saved_inet_protocols = mystrdup(var_inet_protocols);
+    /*
+     * Flush existing main.cf settings, so that we handle deleted main.cf
+     * settings properly.
+     */
+    mail_conf_flush();
+    set_mail_conf_str(VAR_PROCNAME, var_procname);
     mail_conf_read();
     get_mail_conf_str_table(str_table);
     get_mail_conf_int_table(int_table);
@@ -79,8 +202,9 @@ void    master_vars_init(void)
     fset_master_ent(path);
     myfree(path);
 
-    if (saved_inet_protocols && strcmp(var_inet_protocols, saved_inet_protocols)) {
-	msg_warn("ignoring %s change", VAR_INET_PROTOCOLS);
-	msg_warn("to change %s, stop and start Postfix", VAR_INET_PROTOCOLS);
-    }
+    /*
+     * Look for parameter changes that require special attention.
+     */
+    master_vars_str_watch(str_watch_table);
+    master_vars_int_watch(int_watch_table);
 }
diff --git a/postfix/src/oqmgr/Makefile.in b/postfix/src/oqmgr/Makefile.in
index 52caec261..979c3caee 100644
--- a/postfix/src/oqmgr/Makefile.in
+++ b/postfix/src/oqmgr/Makefile.in
@@ -97,10 +97,8 @@ qmgr_active.o: ../../include/dsn.h
 qmgr_active.o: ../../include/dsn_buf.h
 qmgr_active.o: ../../include/dsn_mask.h
 qmgr_active.o: ../../include/events.h
-qmgr_active.o: ../../include/iostuff.h
 qmgr_active.o: ../../include/mail_open_ok.h
 qmgr_active.o: ../../include/mail_params.h
-qmgr_active.o: ../../include/mail_proto.h
 qmgr_active.o: ../../include/mail_queue.h
 qmgr_active.o: ../../include/msg.h
 qmgr_active.o: ../../include/msg_stats.h
@@ -122,8 +120,6 @@ qmgr_bounce.o: ../../include/deliver_completed.h
 qmgr_bounce.o: ../../include/deliver_request.h
 qmgr_bounce.o: ../../include/dsn.h
 qmgr_bounce.o: ../../include/dsn_buf.h
-qmgr_bounce.o: ../../include/iostuff.h
-qmgr_bounce.o: ../../include/mail_proto.h
 qmgr_bounce.o: ../../include/msg_stats.h
 qmgr_bounce.o: ../../include/recipient_list.h
 qmgr_bounce.o: ../../include/scan_dir.h
@@ -190,9 +186,7 @@ qmgr_entry.o: ../../include/attr.h
 qmgr_entry.o: ../../include/deliver_request.h
 qmgr_entry.o: ../../include/dsn.h
 qmgr_entry.o: ../../include/events.h
-qmgr_entry.o: ../../include/iostuff.h
 qmgr_entry.o: ../../include/mail_params.h
-qmgr_entry.o: ../../include/mail_proto.h
 qmgr_entry.o: ../../include/msg.h
 qmgr_entry.o: ../../include/msg_stats.h
 qmgr_entry.o: ../../include/mymalloc.h
diff --git a/postfix/src/pipe/Makefile.in b/postfix/src/pipe/Makefile.in
index 2d2cfc4a8..6a10d5ff6 100644
--- a/postfix/src/pipe/Makefile.in
+++ b/postfix/src/pipe/Makefile.in
@@ -78,7 +78,6 @@ pipe.o: ../../include/mail_addr.h
 pipe.o: ../../include/mail_conf.h
 pipe.o: ../../include/mail_copy.h
 pipe.o: ../../include/mail_params.h
-pipe.o: ../../include/mail_proto.h
 pipe.o: ../../include/mail_server.h
 pipe.o: ../../include/mail_version.h
 pipe.o: ../../include/msg.h
diff --git a/postfix/src/postconf/Makefile.in b/postfix/src/postconf/Makefile.in
index b10f3bed2..28f6ec39d 100644
--- a/postfix/src/postconf/Makefile.in
+++ b/postfix/src/postconf/Makefile.in
@@ -78,6 +78,7 @@ depend: $(MAKES)
 postconf.o: ../../include/argv.h
 postconf.o: ../../include/attr.h
 postconf.o: ../../include/dict.h
+postconf.o: ../../include/edit_file.h
 postconf.o: ../../include/get_hostname.h
 postconf.o: ../../include/htable.h
 postconf.o: ../../include/inet_proto.h
diff --git a/postfix/src/postconf/postconf.c b/postfix/src/postconf/postconf.c
index db6882ea7..311491b03 100644
--- a/postfix/src/postconf/postconf.c
+++ b/postfix/src/postconf/postconf.c
@@ -13,6 +13,9 @@
 /*	\fBpostconf\fR [\fB-ev\fR] [\fB-c \fIconfig_dir\fR]
 /*	[\fIparameter=value ...\fR]
 /*
+/*	\fBpostconf\fR [\fB-#v\fR] [\fB-c \fIconfig_dir\fR]
+/*	[\fIparameter ...\fR]
+/*
 /*	\fBpostconf\fR [\fB-btv\fR] [\fB-c \fIconfig_dir\fR] [\fItemplate_file\fR]
 /* DESCRIPTION
 /*	The \fBpostconf\fR(1) command displays the actual values
@@ -178,6 +181,15 @@
 /* .IP \fB-v\fR
 /*	Enable verbose logging for debugging purposes. Multiple \fB-v\fR
 /*	options make the software increasingly verbose.
+/* .IP \fB-#\fR
+/*	Edit the \fBmain.cf\fR configuration file. The file is copied
+/*	to a temporary file then renamed into place. The parameters
+/*	specified on the command line are commented-out, so that they
+/*	revert to their default values. Specify a list of parameter
+/*	names, not name=value pairs.  There is no \fBpostconf\fR command
+/*	to perform the reverse operation.
+/*
+/*	This feature is available with Postfix 2.6 and later.
 /* DIAGNOSTICS
 /*	Problems are reported to the standard error stream.
 /* ENVIRONMENT
@@ -254,6 +266,7 @@
 #include <myflock.h>
 #include <inet_proto.h>
 #include <argv.h>
+#include <edit_file.h>
 
 /* Global library. */
 
@@ -283,6 +296,7 @@
 #define SHOW_EVAL	(1<<6)		/* expand right-hand sides */
 #define SHOW_SASL_SERV	(1<<7)		/* show server auth plugin types */
 #define SHOW_SASL_CLNT	(1<<8)		/* show client auth plugin types */
+#define COMMENT_OUT	(1<<9)		/* #-out selected main.cf entries */
 
  /*
   * Lookup table for in-core parameter info.
@@ -451,11 +465,11 @@ static const char *check_mynetworks(void)
 
 /* edit_parameters - edit parameter file */
 
-static void edit_parameters(int argc, char **argv)
+static void edit_parameters(int cmd_mode, int argc, char **argv)
 {
     char   *config_dir;
     char   *path;
-    char   *temp;
+    EDIT_FILE *ep;
     VSTREAM *src;
     VSTREAM *dst;
     VSTRING *buf = vstring_alloc(100);
@@ -480,13 +494,25 @@ static void edit_parameters(int argc, char **argv)
     table = htable_create(argc);
     while ((cp = *argv++) != 0) {
 	if (strchr(cp, '\n') != 0)
-	    msg_fatal("edit accepts no multi-line input");
+	    msg_fatal("-e or -# accepts no multi-line input");
 	while (ISSPACE(*cp))
 	    cp++;
 	if (*cp == '#')
-	    msg_fatal("edit accepts no comment input");
-	if ((err = split_nameval(cp, &edit_key, &edit_val)) != 0)
-	    msg_fatal("%s: \"%s\"", err, cp);
+	    msg_fatal("-e or -# accepts no comment input");
+	if (cmd_mode & EDIT_MAIN) {
+	    if ((err = split_nameval(cp, &edit_key, &edit_val)) != 0)
+		msg_fatal("%s: \"%s\"", err, cp);
+	} else if (cmd_mode & COMMENT_OUT) {
+	    if (*cp == 0)
+		msg_fatal("-# requires non-blank parameter names");
+	    if (strchr(cp, '=') != 0)
+		msg_fatal("-# requires parameter names only");
+	    edit_key = mystrdup(cp);
+	    trimblanks(edit_key, 0);
+	    edit_val = 0;
+	} else {
+	    msg_panic("edit_parameters: unknown mode %d", cmd_mode);
+	}
 	cvalue = (struct cvalue *) mymalloc(sizeof(*cvalue));
 	cvalue->value = edit_val;
 	cvalue->found = 0;
@@ -503,24 +529,22 @@ static void edit_parameters(int argc, char **argv)
     set_mail_conf_str(VAR_CONFIG_DIR, var_config_dir);
 
     /*
-     * Open the original file for input.
+     * Open a temp file for the result. This uses a deterministic name so we
+     * don't leave behind thrash with random names.
      */
     path = concatenate(var_config_dir, "/", "main.cf", (char *) 0);
-    if ((src = vstream_fopen(path, O_RDONLY, 0)) == 0)
-	msg_fatal("open %s for reading: %m", path);
+    if ((ep = edit_file_open(path, O_CREAT | O_WRONLY, 0644)) == 0)
+	msg_fatal("open %s%s: %m", path, EDIT_FILE_SUFFIX);
+    dst = ep->tmp_fp;
 
     /*
-     * Open a temp file for the result. We use a fixed name so we don't leave
-     * behind thrash with random names. Lock the temp file to avoid
-     * accidents. Truncate the file only after we have an exclusive lock.
+     * Open the original file for input.
      */
-    temp = concatenate(path, ".tmp", (char *) 0);
-    if ((dst = vstream_fopen(temp, O_CREAT | O_WRONLY, 0644)) == 0)
-	msg_fatal("open %s: %m", temp);
-    if (myflock(vstream_fileno(dst), INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) < 0)
-	msg_fatal("lock %s: %m", temp);
-    if (ftruncate(vstream_fileno(dst), 0) < 0)
-	msg_fatal("truncate %s: %m", temp);
+    if ((src = vstream_fopen(path, O_RDONLY, 0)) == 0) {
+	/* OK to delete, since we control the temp file name exclusively. */
+	(void) unlink(ep->tmp_path);
+	msg_fatal("open %s for reading: %m", path);
+    }
 
     /*
      * Copy original file to temp file, while replacing parameters on the
@@ -536,10 +560,12 @@ static void edit_parameters(int argc, char **argv)
 	if (*cp == '#' || *cp == 0) {
 	    vstream_fputs(STR(buf), dst);
 	}
-	/* Copy or skip continued text. */
+	/* Copy, skip or replace continued text. */
 	else if (cp > STR(buf)) {
 	    if (interesting == 0)
 		vstream_fputs(STR(buf), dst);
+	    else if (cmd_mode & COMMENT_OUT)
+		vstream_fprintf(dst, "#%s", STR(buf));
 	}
 	/* Copy or replace start of logical line. */
 	else {
@@ -548,7 +574,12 @@ static void edit_parameters(int argc, char **argv)
 	    if ((interesting = !!cvalue) != 0) {
 		if (cvalue->found++ == 1)
 		    msg_warn("%s: multiple entries for \"%s\"", path, STR(key));
-		vstream_fprintf(dst, "%s = %s\n", STR(key), cvalue->value);
+		if (cmd_mode & EDIT_MAIN)
+		    vstream_fprintf(dst, "%s = %s\n", STR(key), cvalue->value);
+		else if (cmd_mode & COMMENT_OUT)
+		    vstream_fprintf(dst, "#%s", cp);
+		else
+		    msg_panic("edit_parameters: unknown mode %d", cmd_mode);
 	    } else {
 		vstream_fputs(STR(buf), dst);
 	    }
@@ -558,28 +589,27 @@ static void edit_parameters(int argc, char **argv)
     /*
      * Generate new entries for parameters that were not found.
      */
-    for (ht_info = ht = htable_list(table); *ht; ht++) {
-	cvalue = (struct cvalue *) ht[0]->value;
-	if (cvalue->found == 0)
-	    vstream_fprintf(dst, "%s = %s\n", ht[0]->key, cvalue->value);
+    if (cmd_mode & EDIT_MAIN) {
+	for (ht_info = ht = htable_list(table); *ht; ht++) {
+	    cvalue = (struct cvalue *) ht[0]->value;
+	    if (cvalue->found == 0)
+		vstream_fprintf(dst, "%s = %s\n", ht[0]->key, cvalue->value);
+	}
+	myfree((char *) ht_info);
     }
-    myfree((char *) ht_info);
 
     /*
      * When all is well, rename the temp file to the original one.
      */
     if (vstream_fclose(src))
 	msg_fatal("read %s: %m", path);
-    if (vstream_fclose(dst))
-	msg_fatal("write %s: %m", temp);
-    if (rename(temp, path) < 0)
-	msg_fatal("rename %s to %s: %m", temp, path);
+    if (edit_file_close(ep) != 0)
+	msg_fatal("close %s%s: %m", path, EDIT_FILE_SUFFIX);
 
     /*
      * Cleanup.
      */
     myfree(path);
-    myfree(temp);
     vstring_free(buf);
     vstring_free(key);
     htable_free(table, myfree);
@@ -1001,7 +1031,7 @@ int     main(int argc, char **argv)
     /*
      * Parse JCL.
      */
-    while ((ch = GETOPT(argc, argv, "aAbc:deEhmlntv")) > 0) {
+    while ((ch = GETOPT(argc, argv, "aAbc:deE#hmlntv")) > 0) {
 	switch (ch) {
 	case 'a':
 	    cmd_mode |= SHOW_SASL_SERV;
@@ -1037,6 +1067,10 @@ int     main(int argc, char **argv)
 	    cmd_mode |= SHOW_EVAL;
 	    break;
 #endif
+	case '#':
+	    cmd_mode = COMMENT_OUT;
+	    break;
+
 	case 'h':
 	    cmd_mode &= ~SHOW_NAME;
 	    break;
@@ -1059,19 +1093,20 @@ int     main(int argc, char **argv)
 	    msg_verbose++;
 	    break;
 	default:
-	    msg_fatal("usage: %s [-a (server SASL types)] [-A (client SASL types)] [-b (bounce templates)] [-c config_dir] [-d (defaults)] [-e (edit)] [-h (no names)] [-l (lock types)] [-m (map types)] [-n (non-defaults)] [-v] [name...]", argv[0]);
+	    msg_fatal("usage: %s [-a (server SASL types)] [-A (client SASL types)] [-b (bounce templates)] [-c config_dir] [-d (defaults)] [-e (edit)] [-# (comment-out)] [-h (no names)] [-l (lock types)] [-m (map types)] [-n (non-defaults)] [-v] [name...]", argv[0]);
 	}
     }
 
     /*
      * Sanity check.
      */
-    junk = (cmd_mode & (SHOW_DEFS | SHOW_NONDEF | SHOW_MAPS | SHOW_LOCKS | EDIT_MAIN | SHOW_SASL_SERV | SHOW_SASL_CLNT));
+    junk = (cmd_mode & (SHOW_DEFS | SHOW_NONDEF | SHOW_MAPS | SHOW_LOCKS | EDIT_MAIN | SHOW_SASL_SERV | SHOW_SASL_CLNT | COMMENT_OUT));
     if (junk != 0 && ((junk != SHOW_DEFS && junk != SHOW_NONDEF
 	     && junk != SHOW_MAPS && junk != SHOW_LOCKS && junk != EDIT_MAIN
-		       && junk != SHOW_SASL_SERV && junk != SHOW_SASL_CLNT)
+		       && junk != SHOW_SASL_SERV && junk != SHOW_SASL_CLNT
+		       && junk != COMMENT_OUT)
 		      || ext_argv != 0))
-	msg_fatal("specify one of -a, -A, -b, -d, -e, -m, -l and -n");
+	msg_fatal("specify one of -a, -A, -b, -d, -e, -#, -m, -l and -n");
 
     /*
      * Display bounce template information and exit.
@@ -1121,8 +1156,8 @@ int     main(int argc, char **argv)
     /*
      * Edit main.cf.
      */
-    else if (cmd_mode & EDIT_MAIN) {
-	edit_parameters(argc - optind, argv + optind);
+    else if (cmd_mode & (EDIT_MAIN | COMMENT_OUT)) {
+	edit_parameters(cmd_mode, argc - optind, argv + optind);
     }
 
     /*
diff --git a/postfix/src/qmgr/Makefile.in b/postfix/src/qmgr/Makefile.in
index 352668bff..c1a7f2051 100644
--- a/postfix/src/qmgr/Makefile.in
+++ b/postfix/src/qmgr/Makefile.in
@@ -99,10 +99,8 @@ qmgr_active.o: ../../include/dsn.h
 qmgr_active.o: ../../include/dsn_buf.h
 qmgr_active.o: ../../include/dsn_mask.h
 qmgr_active.o: ../../include/events.h
-qmgr_active.o: ../../include/iostuff.h
 qmgr_active.o: ../../include/mail_open_ok.h
 qmgr_active.o: ../../include/mail_params.h
-qmgr_active.o: ../../include/mail_proto.h
 qmgr_active.o: ../../include/mail_queue.h
 qmgr_active.o: ../../include/msg.h
 qmgr_active.o: ../../include/msg_stats.h
@@ -124,8 +122,6 @@ qmgr_bounce.o: ../../include/deliver_completed.h
 qmgr_bounce.o: ../../include/deliver_request.h
 qmgr_bounce.o: ../../include/dsn.h
 qmgr_bounce.o: ../../include/dsn_buf.h
-qmgr_bounce.o: ../../include/iostuff.h
-qmgr_bounce.o: ../../include/mail_proto.h
 qmgr_bounce.o: ../../include/msg_stats.h
 qmgr_bounce.o: ../../include/recipient_list.h
 qmgr_bounce.o: ../../include/scan_dir.h
@@ -192,9 +188,7 @@ qmgr_entry.o: ../../include/attr.h
 qmgr_entry.o: ../../include/deliver_request.h
 qmgr_entry.o: ../../include/dsn.h
 qmgr_entry.o: ../../include/events.h
-qmgr_entry.o: ../../include/iostuff.h
 qmgr_entry.o: ../../include/mail_params.h
-qmgr_entry.o: ../../include/mail_proto.h
 qmgr_entry.o: ../../include/msg.h
 qmgr_entry.o: ../../include/msg_stats.h
 qmgr_entry.o: ../../include/mymalloc.h
diff --git a/postfix/src/smtp/Makefile.in b/postfix/src/smtp/Makefile.in
index c4629dd1a..2d24a069c 100644
--- a/postfix/src/smtp/Makefile.in
+++ b/postfix/src/smtp/Makefile.in
@@ -100,10 +100,8 @@ smtp.o: ../../include/flush_clnt.h
 smtp.o: ../../include/header_body_checks.h
 smtp.o: ../../include/header_opts.h
 smtp.o: ../../include/htable.h
-smtp.o: ../../include/iostuff.h
 smtp.o: ../../include/mail_conf.h
 smtp.o: ../../include/mail_params.h
-smtp.o: ../../include/mail_proto.h
 smtp.o: ../../include/mail_server.h
 smtp.o: ../../include/mail_version.h
 smtp.o: ../../include/maps.h
@@ -143,9 +141,7 @@ smtp_addr.o: ../../include/header_opts.h
 smtp_addr.o: ../../include/htable.h
 smtp_addr.o: ../../include/inet_addr_list.h
 smtp_addr.o: ../../include/inet_proto.h
-smtp_addr.o: ../../include/iostuff.h
 smtp_addr.o: ../../include/mail_params.h
-smtp_addr.o: ../../include/mail_proto.h
 smtp_addr.o: ../../include/maps.h
 smtp_addr.o: ../../include/match_list.h
 smtp_addr.o: ../../include/match_ops.h
@@ -184,12 +180,10 @@ smtp_chat.o: ../../include/header_body_checks.h
 smtp_chat.o: ../../include/header_opts.h
 smtp_chat.o: ../../include/htable.h
 smtp_chat.o: ../../include/int_filt.h
-smtp_chat.o: ../../include/iostuff.h
 smtp_chat.o: ../../include/line_wrap.h
 smtp_chat.o: ../../include/mail_addr.h
 smtp_chat.o: ../../include/mail_error.h
 smtp_chat.o: ../../include/mail_params.h
-smtp_chat.o: ../../include/mail_proto.h
 smtp_chat.o: ../../include/maps.h
 smtp_chat.o: ../../include/match_list.h
 smtp_chat.o: ../../include/match_ops.h
@@ -270,9 +264,7 @@ smtp_map11.o: ../../include/dsn_buf.h
 smtp_map11.o: ../../include/header_body_checks.h
 smtp_map11.o: ../../include/header_opts.h
 smtp_map11.o: ../../include/htable.h
-smtp_map11.o: ../../include/iostuff.h
 smtp_map11.o: ../../include/mail_addr_map.h
-smtp_map11.o: ../../include/mail_proto.h
 smtp_map11.o: ../../include/maps.h
 smtp_map11.o: ../../include/match_list.h
 smtp_map11.o: ../../include/match_ops.h
@@ -363,8 +355,6 @@ smtp_rcpt.o: ../../include/dsn_mask.h
 smtp_rcpt.o: ../../include/header_body_checks.h
 smtp_rcpt.o: ../../include/header_opts.h
 smtp_rcpt.o: ../../include/htable.h
-smtp_rcpt.o: ../../include/iostuff.h
-smtp_rcpt.o: ../../include/mail_proto.h
 smtp_rcpt.o: ../../include/maps.h
 smtp_rcpt.o: ../../include/match_list.h
 smtp_rcpt.o: ../../include/match_ops.h
@@ -397,9 +387,7 @@ smtp_reuse.o: ../../include/dsn_buf.h
 smtp_reuse.o: ../../include/header_body_checks.h
 smtp_reuse.o: ../../include/header_opts.h
 smtp_reuse.o: ../../include/htable.h
-smtp_reuse.o: ../../include/iostuff.h
 smtp_reuse.o: ../../include/mail_params.h
-smtp_reuse.o: ../../include/mail_proto.h
 smtp_reuse.o: ../../include/maps.h
 smtp_reuse.o: ../../include/match_list.h
 smtp_reuse.o: ../../include/match_ops.h
@@ -435,8 +423,6 @@ smtp_sasl_auth_cache.o: ../../include/dsn_util.h
 smtp_sasl_auth_cache.o: ../../include/header_body_checks.h
 smtp_sasl_auth_cache.o: ../../include/header_opts.h
 smtp_sasl_auth_cache.o: ../../include/htable.h
-smtp_sasl_auth_cache.o: ../../include/iostuff.h
-smtp_sasl_auth_cache.o: ../../include/mail_proto.h
 smtp_sasl_auth_cache.o: ../../include/maps.h
 smtp_sasl_auth_cache.o: ../../include/match_list.h
 smtp_sasl_auth_cache.o: ../../include/match_ops.h
@@ -469,10 +455,8 @@ smtp_sasl_glue.o: ../../include/dsn_buf.h
 smtp_sasl_glue.o: ../../include/header_body_checks.h
 smtp_sasl_glue.o: ../../include/header_opts.h
 smtp_sasl_glue.o: ../../include/htable.h
-smtp_sasl_glue.o: ../../include/iostuff.h
 smtp_sasl_glue.o: ../../include/mail_addr_find.h
 smtp_sasl_glue.o: ../../include/mail_params.h
-smtp_sasl_glue.o: ../../include/mail_proto.h
 smtp_sasl_glue.o: ../../include/maps.h
 smtp_sasl_glue.o: ../../include/match_list.h
 smtp_sasl_glue.o: ../../include/match_ops.h
@@ -508,9 +492,7 @@ smtp_sasl_proto.o: ../../include/dsn_buf.h
 smtp_sasl_proto.o: ../../include/header_body_checks.h
 smtp_sasl_proto.o: ../../include/header_opts.h
 smtp_sasl_proto.o: ../../include/htable.h
-smtp_sasl_proto.o: ../../include/iostuff.h
 smtp_sasl_proto.o: ../../include/mail_params.h
-smtp_sasl_proto.o: ../../include/mail_proto.h
 smtp_sasl_proto.o: ../../include/maps.h
 smtp_sasl_proto.o: ../../include/match_list.h
 smtp_sasl_proto.o: ../../include/match_ops.h
@@ -544,9 +526,7 @@ smtp_session.o: ../../include/dsn_buf.h
 smtp_session.o: ../../include/header_body_checks.h
 smtp_session.o: ../../include/header_opts.h
 smtp_session.o: ../../include/htable.h
-smtp_session.o: ../../include/iostuff.h
 smtp_session.o: ../../include/mail_params.h
-smtp_session.o: ../../include/mail_proto.h
 smtp_session.o: ../../include/maps.h
 smtp_session.o: ../../include/match_list.h
 smtp_session.o: ../../include/match_ops.h
@@ -580,9 +560,7 @@ smtp_state.o: ../../include/dsn_buf.h
 smtp_state.o: ../../include/header_body_checks.h
 smtp_state.o: ../../include/header_opts.h
 smtp_state.o: ../../include/htable.h
-smtp_state.o: ../../include/iostuff.h
 smtp_state.o: ../../include/mail_params.h
-smtp_state.o: ../../include/mail_proto.h
 smtp_state.o: ../../include/maps.h
 smtp_state.o: ../../include/match_list.h
 smtp_state.o: ../../include/match_ops.h
@@ -617,9 +595,7 @@ smtp_trouble.o: ../../include/dsn_buf.h
 smtp_trouble.o: ../../include/header_body_checks.h
 smtp_trouble.o: ../../include/header_opts.h
 smtp_trouble.o: ../../include/htable.h
-smtp_trouble.o: ../../include/iostuff.h
 smtp_trouble.o: ../../include/mail_error.h
-smtp_trouble.o: ../../include/mail_proto.h
 smtp_trouble.o: ../../include/maps.h
 smtp_trouble.o: ../../include/match_list.h
 smtp_trouble.o: ../../include/match_ops.h
@@ -652,8 +628,6 @@ smtp_unalias.o: ../../include/dsn_buf.h
 smtp_unalias.o: ../../include/header_body_checks.h
 smtp_unalias.o: ../../include/header_opts.h
 smtp_unalias.o: ../../include/htable.h
-smtp_unalias.o: ../../include/iostuff.h
-smtp_unalias.o: ../../include/mail_proto.h
 smtp_unalias.o: ../../include/maps.h
 smtp_unalias.o: ../../include/match_list.h
 smtp_unalias.o: ../../include/match_ops.h
diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c
index 1b7830f7a..d4c7314bd 100644
--- a/postfix/src/smtp/smtp.c
+++ b/postfix/src/smtp/smtp.c
@@ -223,6 +223,10 @@
 /*	client.
 /* .IP "\fBsmtp_body_checks (empty)\fR"
 /*	Restricted \fBbody_checks\fR(5) tables for the Postfix SMTP client.
+/* .PP
+/*	Available in Postfix version 2.6 and later:
+/* .IP "\fBtcp_windowsize (0)\fR"
+/*	An optional workaround for routers that break TCP window scaling.
 /* MIME PROCESSING CONTROLS
 /* .ad
 /* .fi
diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c
index f200610c7..387840479 100644
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@@ -119,6 +119,10 @@
 /*	Force the Postfix SMTP server to issue a TLS session id, even
 /*	when TLS session caching is turned off (smtpd_tls_session_cache_database
 /*	is empty).
+/* .PP
+/*	Available in Postfix version 2.6 and later:
+/* .IP "\fBtcp_windowsize (0)\fR"
+/*	An optional workaround for routers that break TCP window scaling.
 /* ADDRESS REWRITING CONTROLS
 /* .ad
 /* .fi
@@ -766,8 +770,8 @@
 /*	The following parameters control numerical SMTP reply codes
 /*	and/or text responses.
 /* .IP "\fBaccess_map_reject_code (554)\fR"
-/*	The numerical Postfix SMTP server response code when a client
-/*	is rejected by an \fBaccess\fR(5) map restriction.
+/*	The numerical Postfix SMTP server response code for
+/*	an \fBaccess\fR(5) map "reject" action.
 /* .IP "\fBdefer_code (450)\fR"
 /*	The numerical Postfix SMTP server response code when a remote SMTP
 /*	client request is rejected by the "defer" restriction.
@@ -816,6 +820,12 @@
 /*	restriction.
 /* .IP "\fBrbl_reply_maps (empty)\fR"
 /*	Optional lookup tables with RBL response templates.
+/* .PP
+/*	Available in Postfix version 2.6 and later:
+/* .IP "\fBaccess_map_defer_code (450)\fR"
+/*	The numerical Postfix SMTP server response code for
+/*	an \fBaccess\fR(5) map "defer" action, including "defer_if_permit"
+/*	or "defer_if_reject".
 /* MISCELLANEOUS CONTROLS
 /* .ad
 /* .fi
@@ -1053,7 +1063,8 @@ int     var_unk_name_code;
 int     var_unk_addr_code;
 int     var_relay_code;
 int     var_maps_rbl_code;
-int     var_access_map_code;
+int     var_map_reject_code;
+int     var_map_defer_code;
 char   *var_maps_rbl_domains;
 char   *var_rbl_reply_maps;
 int     var_helo_required;
@@ -4808,7 +4819,8 @@ int     main(int argc, char **argv)
 	VAR_UNK_ADDR_CODE, DEF_UNK_ADDR_CODE, &var_unk_addr_code, 0, 0,
 	VAR_RELAY_CODE, DEF_RELAY_CODE, &var_relay_code, 0, 0,
 	VAR_MAPS_RBL_CODE, DEF_MAPS_RBL_CODE, &var_maps_rbl_code, 0, 0,
-	VAR_ACCESS_MAP_CODE, DEF_ACCESS_MAP_CODE, &var_access_map_code, 0, 0,
+	VAR_MAP_REJECT_CODE, DEF_MAP_REJECT_CODE, &var_map_reject_code, 0, 0,
+	VAR_MAP_DEFER_CODE, DEF_MAP_DEFER_CODE, &var_map_defer_code, 0, 0,
 	VAR_REJECT_CODE, DEF_REJECT_CODE, &var_reject_code, 0, 0,
 	VAR_DEFER_CODE, DEF_DEFER_CODE, &var_defer_code, 0, 0,
 	VAR_NON_FQDN_CODE, DEF_NON_FQDN_CODE, &var_non_fqdn_code, 0, 0,
diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c
index 9e2a1e859..e0b897860 100644
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@@ -1967,7 +1967,22 @@ static int check_table_result(SMTPD_STATE *state, const char *table,
     if (STREQUAL(value, "REJECT", cmd_len)) {
 	dsn_split(&dp, "5.7.1", cmd_text);
 	return (smtpd_check_reject(state, MAIL_ERROR_POLICY,
-				   var_access_map_code,
+				   var_map_reject_code,
+				   smtpd_dsn_fix(DSN_STATUS(dp.dsn),
+						 reply_class),
+				   "<%s>: %s rejected: %s",
+				   reply_name, reply_class,
+				   *dp.text ? dp.text : "Access denied"));
+    }
+
+    /*
+     * DEFER means "try again". Use optional text or generate a generic error
+     * response.
+     */
+    if (STREQUAL(value, "DEFER", cmd_len)) {
+	dsn_split(&dp, "4.7.1", cmd_text);
+	return (smtpd_check_reject(state, MAIL_ERROR_POLICY,
+				   var_map_defer_code,
 				   smtpd_dsn_fix(DSN_STATUS(dp.dsn),
 						 reply_class),
 				   "<%s>: %s rejected: %s",
@@ -2140,7 +2155,8 @@ static int check_table_result(SMTPD_STATE *state, const char *table,
     if (STREQUAL(value, DEFER_IF_PERMIT, cmd_len)) {
 	dsn_split(&dp, "4.7.1", cmd_text);
 	DEFER_IF_PERMIT3(state, MAIL_ERROR_POLICY,
-			 450, smtpd_dsn_fix(DSN_STATUS(dp.dsn), reply_class),
+			 var_map_defer_code,
+			 smtpd_dsn_fix(DSN_STATUS(dp.dsn), reply_class),
 			 "<%s>: %s rejected: %s",
 			 reply_name, reply_class,
 			 *dp.text ? dp.text : "Service unavailable");
@@ -2154,7 +2170,8 @@ static int check_table_result(SMTPD_STATE *state, const char *table,
     if (STREQUAL(value, DEFER_IF_REJECT, cmd_len)) {
 	dsn_split(&dp, "4.7.1", cmd_text);
 	DEFER_IF_REJECT3(state, MAIL_ERROR_POLICY,
-			 450, smtpd_dsn_fix(DSN_STATUS(dp.dsn), reply_class),
+			 var_map_defer_code,
+			 smtpd_dsn_fix(DSN_STATUS(dp.dsn), reply_class),
 			 "<%s>: %s rejected: %s",
 			 reply_name, reply_class,
 			 *dp.text ? dp.text : "Service unavailable");
@@ -4831,7 +4848,8 @@ int     var_unk_name_code;
 int     var_unk_addr_code;
 int     var_relay_code;
 int     var_maps_rbl_code;
-int     var_access_map_code;
+int     var_map_reject_code;
+int     var_map_defer_code;
 int     var_reject_code;
 int     var_defer_code;
 int     var_non_fqdn_code;
@@ -4866,7 +4884,8 @@ static const INT_TABLE int_table[] = {
     VAR_UNK_ADDR_CODE, DEF_UNK_ADDR_CODE, &var_unk_addr_code,
     VAR_RELAY_CODE, DEF_RELAY_CODE, &var_relay_code,
     VAR_MAPS_RBL_CODE, DEF_MAPS_RBL_CODE, &var_maps_rbl_code,
-    VAR_ACCESS_MAP_CODE, DEF_ACCESS_MAP_CODE, &var_access_map_code,
+    VAR_MAP_REJECT_CODE, DEF_MAP_REJECT_CODE, &var_map_reject_code,
+    VAR_MAP_DEFER_CODE, DEF_MAP_DEFER_CODE, &var_map_defer_code,
     VAR_REJECT_CODE, DEF_REJECT_CODE, &var_reject_code,
     VAR_DEFER_CODE, DEF_DEFER_CODE, &var_defer_code,
     VAR_NON_FQDN_CODE, DEF_NON_FQDN_CODE, &var_non_fqdn_code,
diff --git a/postfix/src/tls/tls_bio_ops.c b/postfix/src/tls/tls_bio_ops.c
index 39e0b66cb..a39e19a0f 100644
--- a/postfix/src/tls/tls_bio_ops.c
+++ b/postfix/src/tls/tls_bio_ops.c
@@ -327,6 +327,19 @@ int     tls_bio(int fd, int timeout, TLS_SESS_STATE *TLScontext,
 	    if (biop_retval < 0)
 		return (-1);			/* network read/write error */
 	    break;
+
+	    /*
+	     * With tls_timed_read() and tls_timed_write() the caller is the
+	     * VSTREAM library module which is unaware of TLS, so we log the
+	     * TLS error stack here. In a better world, each VSTREAM I/O
+	     * object would provide an error reporting method in addition to
+	     * the timed_read and timed_write methods, so that we would not
+	     * need to have ad-hoc code like this.
+	     */
+	case SSL_ERROR_SSL:
+	    if (rfunc || wfunc)
+		tls_print_errors();
+	    /* FALLTHROUGH */
 	default:
 	    retval = status;
 	    done = 1;
diff --git a/postfix/src/util/Makefile.in b/postfix/src/util/Makefile.in
index 1b28c324f..fca6be2ec 100644
--- a/postfix/src/util/Makefile.in
+++ b/postfix/src/util/Makefile.in
@@ -31,7 +31,7 @@ SRCS	= alldig.c allprint.c argv.c argv_split.c attr_clnt.c attr_print0.c \
 	vstream_popen.c vstring.c vstring_vstream.c watchdog.c writable.c \
 	write_buf.c write_wait.c sane_basename.c format_tv.c allspace.c \
 	allascii.c load_file.c killme_after.c vstream_tweak.c upass_connect.c \
-	upass_listen.c upass_trigger.c
+	upass_listen.c upass_trigger.c edit_file.c
 OBJS	= alldig.o allprint.o argv.o argv_split.o attr_clnt.o attr_print0.o \
 	attr_print64.o attr_print_plain.o attr_scan0.o attr_scan64.o \
 	attr_scan_plain.o auto_clnt.o base64_code.o basename.o binhash.o \
@@ -64,7 +64,7 @@ OBJS	= alldig.o allprint.o argv.o argv_split.o attr_clnt.o attr_print0.o \
 	vstream_popen.o vstring.o vstring_vstream.o watchdog.o writable.o \
 	write_buf.o write_wait.o sane_basename.o format_tv.o allspace.o \
 	allascii.o load_file.o killme_after.o vstream_tweak.o upass_connect.o \
-	upass_listen.o upass_trigger.o
+	upass_listen.o upass_trigger.o edit_file.o
 HDRS	= argv.h attr.h attr_clnt.h auto_clnt.h base64_code.h binhash.h \
 	chroot_uid.h cidr_match.h clean_env.h connect.h ctable.h dict.h \
 	dict_cdb.h dict_cidr.h dict_db.h dict_dbm.h dict_env.h dict_ht.h \
@@ -83,9 +83,10 @@ HDRS	= argv.h attr.h attr_clnt.h auto_clnt.h base64_code.h binhash.h \
 	sigdelay.h sock_addr.h spawn_command.h split_at.h stat_as.h \
 	stringops.h sys_defs.h timed_connect.h timed_wait.h trigger.h \
 	username.h valid_hostname.h vbuf.h vbuf_print.h vstream.h vstring.h \
-	vstring_vstream.h watchdog.h format_tv.h load_file.h killme_after.h
+	vstring_vstream.h watchdog.h format_tv.h load_file.h killme_after.h \
+	edit_file.h
 TESTSRC	= fifo_open.c fifo_rdwr_bug.c fifo_rdonly_bug.c select_bug.c \
-	stream_test.c dup2_pass_on_exec.c
+	stream_test.c dup2_pass_on_exec.c 
 DEFS	= -I. -D$(SYSTYPE)
 CFLAGS	= $(DEBUG) $(OPT) $(DEFS)
 FILES	= Makefile $(SRCS) $(HDRS)
@@ -959,6 +960,16 @@ duplex_pipe.o: duplex_pipe.c
 duplex_pipe.o: iostuff.h
 duplex_pipe.o: sane_socketpair.h
 duplex_pipe.o: sys_defs.h
+edit_file.o: edit_file.c
+edit_file.o: edit_file.h
+edit_file.o: msg.h
+edit_file.o: myflock.h
+edit_file.o: mymalloc.h
+edit_file.o: stringops.h
+edit_file.o: sys_defs.h
+edit_file.o: vbuf.h
+edit_file.o: vstream.h
+edit_file.o: vstring.h
 environ.o: environ.c
 environ.o: sys_defs.h
 events.o: events.c
diff --git a/postfix/src/util/connect.h b/postfix/src/util/connect.h
index 40987dc72..a115e5744 100644
--- a/postfix/src/util/connect.h
+++ b/postfix/src/util/connect.h
@@ -24,6 +24,8 @@ extern int inet_connect(const char *, int, int);
 extern int stream_connect(const char *, int, int);
 extern int upass_connect(const char *, int, int);
 
+extern int inet_windowsize;
+
 /* LICENSE
 /* .ad
 /* .fi
diff --git a/postfix/src/util/edit_file.c b/postfix/src/util/edit_file.c
new file mode 100644
index 000000000..abd3dd917
--- /dev/null
+++ b/postfix/src/util/edit_file.c
@@ -0,0 +1,348 @@
+/*++
+/* NAME
+/*	edit_file 3
+/* SUMMARY
+/*	simple cooperative file updating protocol
+/* SYNOPSIS
+/*	#include <edit_file.h>
+/*
+/*	typedef struct {
+/* .in +4
+/*		char	*tmp_path;	/* temp. pathname */
+/*		VSTREAM *tmp_fp;	/* temp. stream */
+/*		/* private members... */
+/* .in -4
+/*	} EDIT_FILE;
+/*
+/*	EDIT_FILE *edit_file_open(original_path, output_flags, output_mode)
+/*	const char *original_path;
+/*	int	output_flags;
+/*	mode_t	output_mode;
+/*
+/*	int	edit_file_close(edit_file)
+/*	EDIT_FILE *edit_file;
+/*
+/*	void	edit_file_cleanup(edit_file)
+/*	EDIT_FILE *edit_file;
+/* DESCRIPTION
+/*	This module implements a simple protocol for cooperative
+/*	processes to update one file. The idea is to 1) create a
+/*	new file under a deterministic temporary pathname, 2)
+/*	populate the new file with updated information, and 3)
+/*	rename the new file into the place of the original file.
+/*	This module provides 1) and 3), and leaves 2) to the
+/*	application. The temporary pathname is deterministic to
+/*	avoid accumulation of thrash after program crashes.
+/*
+/*	edit_file_open() implements the first phase of the protocol.
+/*	It creates or opens an output file with a deterministic
+/*	temporary pathname, obtained by appending the suffix defined
+/*	with EDIT_FILE_SUFFIX to the specified original file pathname.
+/*	The original file itself is not opened.  edit_file_open()
+/*	then locks the output file for exclusive access, and verifies
+/*	that the file still exists under the temporary pathname.
+/*	At this point in the protocol, the current process controls
+/*	both the output file content and its temporary pathname.
+/*
+/*	In the second phase, the application is expected to update
+/*	the output file via the \fBtmp_fp\fR member of
+/*	the EDIT_FILE data structure.  This phase is not implemented
+/*	by the edit_file() module.
+/*
+/*	edit_file_close() implements the third and final phase of
+/*	the protocol.  It flushes the output file to persistent
+/*	storage, and renames the output file from its temporary
+/*	pathname into the place of the original file. When any of
+/*	these operations fails, edit_file_close() behaves as if
+/*	edit_file_cleanup() was called. Regardless of whether these
+/*	operations suceed, edit_file_close() releases the exclusive
+/*	lock, closes the output file, and frees up memory that was
+/*	allocated by edit_file_open().
+/*
+/*	edit_file_cleanup() aborts the protocol. It discards the
+/*	output file, releases the exclusive lock, closes the output
+/*	file, and frees up memory that was allocated by edit_file_open().
+/*
+/*	Arguments:
+/* .IP original_path
+/*	The pathname of the original file that will be replaced by
+/*	the output file. The temporary pathname for the output file
+/*	is obtained by appending the suffix defined with EDIT_FILE_SUFFIX
+/*	to a copy of the specified original file pathname.
+/* .IP output_flags
+/*	Flags for opening the output file. These are as with open(2),
+/*	except that the O_TRUNC flag is ignored.  edit_file_open()
+/*	always truncates the output file after it has obtained
+/*	exclusive control over the output file content and temporary
+/*	pathname.
+/* .IP output_mode
+/*	Permissions for the output file. These are as with open(2),
+/*	except that the output file is initially created with no
+/*	group or other access permissions. The specified output
+/*	file permissions are applied by edit_file_close().
+/* .IP edit_file
+/*	Pointer to data structure that is returned upon successful
+/*	completion by edit_file_open(), and that must be passed to
+/*	edit_file_close() or edit_file_cleanup().
+/* DIAGNOSTICS
+/*	Fatal errors: memory allocation failure, fstat() failure,
+/*	unlink() failure, lock failure, ftruncate() failure.
+/*
+/*	edit_file_open() immediately returns a null pointer when
+/*	it cannot open the output file.
+/*
+/*	edit_file_close() returns zero on success, VSTREAM_EOF on
+/*	failure.
+/*
+/*	With both functions, the global errno variable indicates
+/*	the nature of the problem.  All errors are relative to the
+/*	temporary output's pathname. 
+/* BUGS
+/*	In the non-error case, edit_file_open() will not return
+/*	until it obtains exclusive control over the output file
+/*	content and temporary pathname.  Applications that are
+/*	concerned about deadlock should protect the edit_file_open()
+/*	call with a watchdog timer.
+/*
+/*	When interrupted, edit_file_close() may leave behind a
+/*	world-readable output file under the temporary pathname.
+/*	On some systems this can be used to inflict a shared-file
+/*	DOS on the protocol.  Applications that are concerned about
+/*	maximal safety should protect the edit_file_close() call
+/*	with sigdelay() and sigresume() calls, but this introduces
+/*	the risk that the program will get stuck forever.
+/* LICENSE
+/* .ad
+/* .fi
+/*	The Secure Mailer license must be distributed with this software.
+/* AUTHOR(S)
+/*	Based on code originally by:
+/*	Victor Duchovni
+/*	Morgan Stanley
+/*
+/*	Packaged into one module with minor improvements by:
+/*	Wietse Venema
+/*	IBM T.J. Watson Research
+/*	P.O. Box 704
+/*	Yorktown Heights, NY 10598, USA
+/*--*/
+
+/* System library. */
+
+#include <sys_defs.h>
+#include <sys/stat.h>
+#include <stdio.h>			/* rename(2) */
+#include <errno.h>
+
+ /*
+  * This mask selects all permission bits in the st_mode stat data. There is
+  * no portable definition (unlike S_IFMT, which is defined for the file type
+  * bits). For example, BSD / Linux have ALLPERMS, while Solaris has S_IAMB.
+  */
+#define FILE_PERM_MASK \
+	(S_ISUID | S_ISGID | S_ISVTX | S_IRWXU | S_IRWXG | S_IRWXO)
+
+/* Utility Library. */
+
+#include <msg.h>
+#include <vstream.h>
+#include <mymalloc.h>
+#include <stringops.h>
+#include <myflock.h>
+#include <edit_file.h>
+
+ /*
+  * Do we reuse and truncate an output file that persists after a crash, or
+  * do we unlink it and create a new file?
+  */
+#define EDIT_FILE_REUSE_AFTER_CRASH
+
+ /*
+  * Protocol internals: the temporary file permissions.
+  */
+#define EDIT_FILE_MODE	(S_IRUSR | S_IWUSR)	/* temp file mode */
+
+ /*
+  * Make complex operations more readable. We could use functions, instead.
+  * The main thing is that we keep the _alloc and _free code together.
+  */
+#define EDIT_FILE_ALLOC(ep, path, mode) do { \
+	(ep) = (EDIT_FILE *) mymalloc(sizeof(EDIT_FILE)); \
+	(ep)->final_path = mystrdup(path); \
+	(ep)->final_mode = (mode); \
+	(ep)->tmp_path = concatenate((path), EDIT_FILE_SUFFIX, (char *) 0); \
+	(ep)->tmp_fp = 0; \
+    } while (0)
+
+#define EDIT_FILE_FREE(ep) do { \
+	myfree((ep)->final_path); \
+	myfree((ep)->tmp_path); \
+	myfree((char *) (ep)); \
+    } while (0)
+
+/* edit_file_open - open and lock file with deterministic temporary pathname */
+
+EDIT_FILE *edit_file_open(const char *path, int flags, mode_t mode)
+{
+    struct stat before_lock;
+    struct stat after_lock;
+    int     saved_errno;
+    EDIT_FILE *ep;
+
+    /*
+     * Initialize. Do not bother to optimize for the error case.
+     */
+    EDIT_FILE_ALLOC(ep, path, mode);
+
+    /*
+     * As long as the output file can be opened under the temporary pathname,
+     * this code can loop or block forever.
+     * 
+     * Applications that are concerned about deadlock should protect the
+     * edit_file_open() call with a watchdog timer.
+     */
+    for ( /* void */ ; /* void */ ; (void) vstream_fclose(ep->tmp_fp)) {
+
+	/*
+	 * Try to open the output file under the temporary pathname. This
+	 * succeeds or fails immediately. To avoid creating a shared-lock DOS
+	 * opportunity after we crash, we create the output file with no
+	 * group or other permissions, and set the final permissions at the
+	 * end (this is one reason why we try to get exclusive control over
+	 * the output file instead of the original file). We postpone file
+	 * truncation until we have obtained exclusive control over the file
+	 * content and temporary pathname. If the open operation fails, we
+	 * give up immediately. The caller can retry the call if desirable.
+	 * 
+	 * XXX If we replace the vstream_fopen() call by safe_open(), then we
+	 * should replace the stat() call below by lstat().
+	 */
+	if ((ep->tmp_fp = vstream_fopen(ep->tmp_path, flags & ~(O_TRUNC),
+				    EDIT_FILE_MODE)) == 0) {
+	    saved_errno = errno;
+	    EDIT_FILE_FREE(ep);
+	    errno = saved_errno;
+	    return (0);
+	}
+
+	/*
+	 * At this point we may have opened an existing output file that was
+	 * already locked. Try to lock the open file exclusively. This may
+	 * take some time.
+	 */
+	if (myflock(vstream_fileno(ep->tmp_fp), INTERNAL_LOCK,
+		    MYFLOCK_OP_EXCLUSIVE) < 0)
+	    msg_fatal("lock %s: %m", ep->tmp_path);
+
+	/*
+	 * At this point we have an exclusive lock, but some other process
+	 * may have renamed or removed the output file while we were waiting
+	 * for the lock. If that is the case, back out and try again.
+	 */
+	if (fstat(vstream_fileno(ep->tmp_fp), &before_lock) < 0)
+	    msg_fatal("open %s: %m", ep->tmp_path);
+	if (stat(ep->tmp_path, &after_lock) < 0
+	    || before_lock.st_dev != after_lock.st_dev
+	    || before_lock.st_ino != after_lock.st_ino
+#ifdef HAS_ST_GEN
+	    || before_lock.st_gen != after_lock.st_gen
+#endif
+	/* No need to compare st_rdev or st_nlink here. */
+	    ) {
+	    continue;
+	}
+
+	/*
+	 * At this point we have exclusive control over the output file
+	 * content and its temporary pathname (within the rules of the
+	 * cooperative protocol). But wait, there is more.
+	 * 
+	 * There are many opportunies for trouble when opening a pre-existing
+	 * output file. Here are just a few.
+	 * 
+	 * - Victor observes that a system crash in the middle of the
+	 * final-phase rename() operation may result in the output file
+	 * having both the temporary pathname and the final pathname. In that
+	 * case we must not write to the output file.
+	 * 
+	 * - Wietse observes that crashes may also leave the output file in
+	 * other inconsistent states. To avoid permission-related trouble, we
+	 * simply refuse to work with an output file that has the wrong
+	 * temporary permissions. This won't stop the shared-lock DOS if we
+	 * crash after changing the file permissions, though.
+	 * 
+	 * To work around these crash-related problems, remove the temporary
+	 * pathname, back out, and try again.
+	 */
+	if (!S_ISREG(after_lock.st_mode)
+#ifndef EDIT_FILE_REUSE_AFTER_CRASH
+	    || after_lock.st_size > 0
+#endif
+	    || after_lock.st_nlink > 1
+	    || (after_lock.st_mode & FILE_PERM_MASK) != EDIT_FILE_MODE) {
+	    if (unlink(ep->tmp_path) < 0 && errno != ENOENT)
+		msg_fatal("unlink %s: %m", ep->tmp_path);
+	    continue;
+	}
+
+	/*
+	 * Settle the final details.
+	 */
+#ifdef EDIT_FILE_REUSE_AFTER_CRASH
+	if (ftruncate(vstream_fileno(ep->tmp_fp), 0) < 0)
+	    msg_fatal("truncate %s: %m", ep->tmp_path);
+#endif
+	return (ep);
+    }
+}
+
+/* edit_file_cleanup - clean up without completing the protocol */
+
+void    edit_file_cleanup(EDIT_FILE *ep)
+{
+
+    /*
+     * Don't touch the file after we lose the exclusive lock!
+     */
+    if (unlink(ep->tmp_path) < 0 && errno != ENOENT)
+	msg_fatal("unlink %s: %m", ep->tmp_path);
+    (void) vstream_fclose(ep->tmp_fp);
+    EDIT_FILE_FREE(ep);
+}
+
+/* edit_file_close - rename the file into place and and close the file */
+
+int     edit_file_close(EDIT_FILE *ep)
+{
+    VSTREAM *fp = ep->tmp_fp;
+    int     fd = vstream_fileno(fp);
+    int     saved_errno;
+
+    /*
+     * The rename/unlock portion of the protocol is relatively simple. The
+     * only things that really matter here are that we change permissions as
+     * late as possible, and that we rename the file to its final pathname
+     * before we lose the exclusive lock.
+     * 
+     * Applications that are concerned about maximal safety should protect the
+     * edit_file_close() call with sigdelay() and sigresume() calls. It is
+     * not safe for us to call these functions directly, because the calls do
+     * not nest. It is also not nice to force every caller to run with
+     * interrupts turned off.
+     */
+    if (vstream_fflush(fp) < 0
+	|| fchmod(fd, ep->final_mode) < 0
+#ifdef HAS_FSYNC
+	|| fsync(fd) < 0
+#endif
+	|| rename(ep->tmp_path, ep->final_path) < 0) {
+	saved_errno = errno;
+	edit_file_cleanup(ep);
+	errno = saved_errno;
+	return (VSTREAM_EOF);
+    } else {
+	(void) vstream_fclose(ep->tmp_fp);
+	EDIT_FILE_FREE(ep);
+	return (0);
+    }
+}
diff --git a/postfix/src/util/edit_file.h b/postfix/src/util/edit_file.h
new file mode 100644
index 000000000..ffa9aec04
--- /dev/null
+++ b/postfix/src/util/edit_file.h
@@ -0,0 +1,48 @@
+#ifndef _EDIT_FILE_H_INCLUDED_
+#define _EDIT_FILE_H_INCLUDED_
+
+/*++
+/* NAME
+/*	edit_file 3h
+/* SUMMARY
+/*	simple cooperative file updating protocol
+/* SYNOPSIS
+/*	#include <edit_file.h>
+/* DESCRIPTION
+/* .nf
+
+ /*
+  * Utility library.
+  */
+#include <vstream.h>
+
+ /*
+  * External interface.
+  */
+typedef struct {
+    /* Private. */
+    char   *final_path;
+    mode_t  final_mode;
+    /* Public. */
+    char   *tmp_path;
+    VSTREAM *tmp_fp;
+} EDIT_FILE;
+
+#define EDIT_FILE_SUFFIX ".tmp"
+
+extern EDIT_FILE *edit_file_open(const char *, int, mode_t);
+extern int edit_file_close(EDIT_FILE *);
+extern void edit_file_cleanup(EDIT_FILE *);
+
+/* LICENSE
+/* .ad
+/* .fi
+/*	The Secure Mailer license must be distributed with this software.
+/* AUTHOR(S)
+/*	Wietse Venema
+/*	IBM T.J. Watson Research
+/*	P.O. Box 704
+/*	Yorktown Heights, NY 10598, USA
+/*--*/
+
+#endif
diff --git a/postfix/src/util/inet_connect.c b/postfix/src/util/inet_connect.c
index cc2cbf6f9..f531329ff 100644
--- a/postfix/src/util/inet_connect.c
+++ b/postfix/src/util/inet_connect.c
@@ -6,6 +6,8 @@
 /* SYNOPSIS
 /*	#include <connect.h>
 /*
+/*	int	inet_windowsize;
+/*
 /*	int	inet_connect(addr, block_mode, timeout)
 /*	const char *addr;
 /*	int	block_mode;
@@ -14,6 +16,9 @@
 /*	inet_connect connects to a TCP listener at
 /*	the specified address, and returns the resulting file descriptor.
 /*
+/*	Specify an inet_windowsize value > 0 to override the default
+/*	window size that the client advertises to the server.
+/*
 /*	Arguments:
 /* .IP addr
 /*	The destination to connect to. The format is host:port. If no
@@ -141,6 +146,18 @@ static int inet_connect_one(struct addrinfo * res, int block_mode, int timeout)
     if (sock < 0)
 	return (-1);
 
+    /*
+     * Window scaling workaround.
+     */
+    if (inet_windowsize > 0) {
+	if (setsockopt(sock, SOL_SOCKET, SO_SNDBUF, (char *) &inet_windowsize,
+		       sizeof(inet_windowsize)) < 0)
+	    msg_warn("setsockopt SO_SNDBUF %d: %m", inet_windowsize);
+	if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, (char *) &inet_windowsize,
+		       sizeof(inet_windowsize)) < 0)
+	    msg_warn("setsockopt SO_RCVBUF %d: %m", inet_windowsize);
+    }
+
     /*
      * Timed connect.
      */
diff --git a/postfix/src/util/inet_listen.c b/postfix/src/util/inet_listen.c
index 72f277cc3..b5a463c6c 100644
--- a/postfix/src/util/inet_listen.c
+++ b/postfix/src/util/inet_listen.c
@@ -6,6 +6,8 @@
 /* SYNOPSIS
 /*	#include <listen.h>
 /*
+/*	int	inet_windowsize;
+/*
 /*	int	inet_listen(addr, backlog, block_mode)
 /*	const char *addr;
 /*	int	backlog;
@@ -20,6 +22,9 @@
 /*
 /*	inet_accept() accepts a connection and sanitizes error results.
 /*
+/*	Specify an inet_windowsize value > 0 to override the default
+/*	TCP window size that the server advertises to the server.
+/*
 /*	Arguments:
 /* .IP addr
 /*	The communication endpoint to listen on. The syntax is "host:port".
@@ -72,6 +77,11 @@
 #include "sock_addr.h"
 #include "inet_proto.h"
 
+ /*
+  * Tunable to work around broken routers.
+  */
+int     inet_windowsize = 0;
+
 /* inet_listen - create TCP listener */
 
 int     inet_listen(const char *addr, int backlog, int block_mode)
@@ -135,12 +145,12 @@ int     inet_listen(const char *addr, int backlog, int block_mode)
     if ((sock = socket(res->ai_family, res->ai_socktype, 0)) < 0)
 	msg_fatal("socket: %m");
 #ifdef HAS_IPV6
-# if defined(IPV6_V6ONLY) && !defined(BROKEN_AI_PASSIVE_NULL_HOST)
+#if defined(IPV6_V6ONLY) && !defined(BROKEN_AI_PASSIVE_NULL_HOST)
     if (res->ai_family == AF_INET6
 	&& setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY,
 		      (char *) &on, sizeof(on)) < 0)
 	msg_fatal("setsockopt(IPV6_V6ONLY): %m");
-# endif
+#endif
 #endif
     if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR,
 		   (char *) &on, sizeof(on)) < 0)
@@ -150,6 +160,14 @@ int     inet_listen(const char *addr, int backlog, int block_mode)
 			     &hostaddr, &portnum, 0);
 	msg_fatal("bind %s port %s: %m", hostaddr.buf, portnum.buf);
     }
+    if (inet_windowsize > 0) {
+	if (setsockopt(sock, SOL_SOCKET, SO_SNDBUF, (char *) &inet_windowsize,
+		       sizeof(inet_windowsize)) < 0)
+	    msg_warn("setsockopt SO_SNDBUF %d: %m", inet_windowsize);
+	if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, (char *) &inet_windowsize,
+		       sizeof(inet_windowsize)) < 0)
+	    msg_warn("setsockopt SO_RCVBUF %d: %m", inet_windowsize);
+    }
     freeaddrinfo(res0);
     non_blocking(sock, block_mode);
     if (listen(sock, backlog) < 0)
diff --git a/postfix/src/util/listen.h b/postfix/src/util/listen.h
index 8a9041547..c499c0341 100644
--- a/postfix/src/util/listen.h
+++ b/postfix/src/util/listen.h
@@ -31,6 +31,8 @@ extern int unix_accept(int);
 extern int stream_accept(int);
 extern int upass_accept(int);
 
+extern int inet_windowsize;
+
 /* LICENSE
 /* .ad
 /* .fi
diff --git a/postfix/src/virtual/Makefile.in b/postfix/src/virtual/Makefile.in
index bb443b23b..9aed39f41 100644
--- a/postfix/src/virtual/Makefile.in
+++ b/postfix/src/virtual/Makefile.in
@@ -64,8 +64,6 @@ deliver_attr.o: ../../include/deliver_request.h
 deliver_attr.o: ../../include/dict.h
 deliver_attr.o: ../../include/dsn.h
 deliver_attr.o: ../../include/dsn_buf.h
-deliver_attr.o: ../../include/iostuff.h
-deliver_attr.o: ../../include/mail_proto.h
 deliver_attr.o: ../../include/maps.h
 deliver_attr.o: ../../include/mbox_conf.h
 deliver_attr.o: ../../include/msg.h
@@ -86,11 +84,9 @@ mailbox.o: ../../include/dict.h
 mailbox.o: ../../include/dsn.h
 mailbox.o: ../../include/dsn_buf.h
 mailbox.o: ../../include/dsn_util.h
-mailbox.o: ../../include/iostuff.h
 mailbox.o: ../../include/mail_addr_find.h
 mailbox.o: ../../include/mail_copy.h
 mailbox.o: ../../include/mail_params.h
-mailbox.o: ../../include/mail_proto.h
 mailbox.o: ../../include/maps.h
 mailbox.o: ../../include/mbox_conf.h
 mailbox.o: ../../include/mbox_open.h
@@ -118,10 +114,8 @@ maildir.o: ../../include/dsn.h
 maildir.o: ../../include/dsn_buf.h
 maildir.o: ../../include/dsn_util.h
 maildir.o: ../../include/get_hostname.h
-maildir.o: ../../include/iostuff.h
 maildir.o: ../../include/mail_copy.h
 maildir.o: ../../include/mail_params.h
-maildir.o: ../../include/mail_proto.h
 maildir.o: ../../include/make_dirs.h
 maildir.o: ../../include/maps.h
 maildir.o: ../../include/mbox_conf.h
@@ -148,8 +142,6 @@ recipient.o: ../../include/deliver_request.h
 recipient.o: ../../include/dict.h
 recipient.o: ../../include/dsn.h
 recipient.o: ../../include/dsn_buf.h
-recipient.o: ../../include/iostuff.h
-recipient.o: ../../include/mail_proto.h
 recipient.o: ../../include/maps.h
 recipient.o: ../../include/mbox_conf.h
 recipient.o: ../../include/msg.h
@@ -170,8 +162,6 @@ unknown.o: ../../include/deliver_request.h
 unknown.o: ../../include/dict.h
 unknown.o: ../../include/dsn.h
 unknown.o: ../../include/dsn_buf.h
-unknown.o: ../../include/iostuff.h
-unknown.o: ../../include/mail_proto.h
 unknown.o: ../../include/maps.h
 unknown.o: ../../include/mbox_conf.h
 unknown.o: ../../include/msg.h
@@ -195,7 +185,6 @@ virtual.o: ../../include/iostuff.h
 virtual.o: ../../include/mail_addr_find.h
 virtual.o: ../../include/mail_conf.h
 virtual.o: ../../include/mail_params.h
-virtual.o: ../../include/mail_proto.h
 virtual.o: ../../include/mail_queue.h
 virtual.o: ../../include/mail_server.h
 virtual.o: ../../include/mail_version.h