From: Wietse Venema <wietse@porcupine.org>
Date: Sat, 16 Jan 2010 05:00:00 +0000 (-0500)
Subject: postfix-2.7-20100116
X-Git-Tag: v2.7.0-RC1~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f06480fb179e73fac21011b0916da8befa9474f8;p=thirdparty%2Fpostfix.git

postfix-2.7-20100116
---

diff --git a/postfix/HISTORY b/postfix/HISTORY
index f2c8f7bc2..983f1ca47 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -15621,3 +15621,48 @@ Apologies for any names omitted.
 	Workaround: don't report bogus Berkeley DB close errors as
 	fatal errors. All operations before close are already error
 	checked, so the data is known to be safe.  File: util/dict_db.c.
+
+20100107
+
+	Documentation: the access(5) manual page did not document
+	the "send 521 and disconnect" behavior in the Postfix SMTP
+	server (introduced with Postfix 2.6). File: proto/access.
+
+	Bugfix: the pickup daemon did not discard messages that
+	were requeued after all recipients were delivered (or
+	bounced), and the cleanup server tried to bounce such
+	messages. Files: pickup/pickup.c, global/cleanup_user.h.
+
+	Future proofing: redundant code in postdrop to reject a
+	submission without recipient record. File: postdrop/postdrop.c.
+
+20100109
+
+	Cleanup: "postcat -q" will now access files in the "saved"
+	queue directory (for corrupted queue files). As before, the
+	"postsuper" command will not, to avoid suddenly deleting
+	such files. Files: global/mail_queue.h postcat/postcat.c.
+
+20100113
+
+	Cleanup: don't supply the "-o stress" command-line option
+	with a single-process service. File: master/master_ent.c.
+
+20100116
+
+	Bugfix: the valid_hostname() fuction did not set the
+	"non-numeric" flag after encountering the '-' character.
+	Reported by Jan Schampera.  File: util/valid_hostname.c.
+
+	Cleanup: when a content_filter parameter or FILTER command
+	specifies an empty next-hop destination, the queue manager
+	now uses the recipient domain instead of $myhostname. Specify
+	"legacy_filter_nexthop = yes" for backwards compatibility
+	with Postfix 2.6 and earlier, or specify a non-empty next-hop
+	destination.  Files: *qmgr/qmgr_message.c proto/access,
+	proto/header_checks, proto/postconf.proto, proto/FILTER_README.
+
+	Documentation: the content_filter and FILTER features never
+	supported the special cases of transport_maps. References
+	to transport_maps syntax are now removed from content filter
+	discussions.  Files: proto/postconf.proto, proto/FILTER_README.
diff --git a/postfix/README_FILES/ADDRESS_VERIFICATION_README b/postfix/README_FILES/ADDRESS_VERIFICATION_README
index 3251de38e..4baf27a46 100644
--- a/postfix/README_FILES/ADDRESS_VERIFICATION_README
+++ b/postfix/README_FILES/ADDRESS_VERIFICATION_README
@@ -303,11 +303,15 @@ results can remain "unrefreshed" before they expire. Postfix uses different
 controls for positive results (address was accepted) and for negative results
 (address was rejected, or address verification failed for some other reason).
 
-Current Postfix versions will periodically remove expired entries from the
-address verification database. With Postfix version 2.6 and earlier, database
-cleanup had to be done as described next.
-
-If the address verification database file becomes too big, or if it becomes
+The verify(8) daemon will periodically remove expired entries from the address
+verification database, and log the number of entries retained and dropped
+(Postfix versions 2.7 and later). A cleanup run is logged as "partial" when the
+daemon terminates early because of "postfix reload, "postfix stop", or because
+the daemon received no requests for $max_idle seconds. Postfix versions 2.6 and
+earlier do not implement automatic address verification database cleanup.
+There, the database is managed manually as described next.
+
+When the address verification database file becomes too big, or when it becomes
 corrupted, the solution is to manually rename or delete (NOT: truncate) the
 file and run "postfix reload". The verify(8) daemon will then create a new
 database file.
diff --git a/postfix/README_FILES/CONNECTION_CACHE_README b/postfix/README_FILES/CONNECTION_CACHE_README
index 5fefa5f67..09ebbe61b 100644
--- a/postfix/README_FILES/CONNECTION_CACHE_README
+++ b/postfix/README_FILES/CONNECTION_CACHE_README
@@ -178,7 +178,7 @@ Postfix SMTP connection caching conflicts with certain applications:
   * Postfix connection caching currently does not support multiple SASL
     accounts per mail server. Specifically, Postfix connection caching assumes
     that a SASL credential is valid for all hostnames or domain names that
-    deliver via the same mail server IP address and TCP port, and assume that
+    deliver via the same mail server IP address and TCP port, and assumes that
     the SASL credential does not depend on the message originator.
 
 CCoonnnneeccttiioonn ccaacchhee ssttaattiissttiiccss
diff --git a/postfix/README_FILES/FILTER_README b/postfix/README_FILES/FILTER_README
index ee5a275de..872741515 100644
--- a/postfix/README_FILES/FILTER_README
+++ b/postfix/README_FILES/FILTER_README
@@ -219,8 +219,19 @@ Once you're satisfied with the content filtering script:
     This record overrides the normal mail routing and causes mail to be given
     to the content filter instead.
 
-    The content_filter configuration parameter accepts the same syntax as the
-    right-hand side in a Postfix transport table.
+    The content_filter configuration parameter expects a value of the form
+    transport:destination. The transport name specifies the first field of a
+    mail delivery agent definition in master.cf; the syntax of destination is
+    described in the manual page of the corresponding delivery agent.
+
+    The meaning of an empty filter destination is version dependent. Postfix
+    2.7 and later will use the recipient domain; earlier versions will use
+    $myhostname. Specify "legacy_filter_nexthop = yes" for compatibility with
+    Postfix 2.6 or earlier, or specify a non-empty filter destination.
+
+    The content_filter setting has a lower precedence than a content filter
+    that is specified with an access(5) table or in a header_checks(5) or
+    body_checks(5) table.
 
   * Execute "ppoossttffiixx rreellooaadd" to complete the change.
 
@@ -312,6 +323,11 @@ To enable the advanced content filter method for all mail, specify in main.cf:
         content_filter = scan:localhost:10025
         receive_override_options = no_address_mappings
 
+  * The "receive_override_options" line disables address manipulation before
+    the content filter, so that the content filter sees the original mail
+    addresses instead of the result of virtual alias expansion, canonical
+    mapping, automatic bcc, address masquerading, etc.
+
   * The "content_filter" line causes Postfix to add one content filter request
     record to each incoming mail message, with content "scan:localhost:10025".
     The content filter request records are added by the smtpd(8) and pickup(8)
@@ -322,10 +338,19 @@ To enable the advanced content filter method for all mail, specify in main.cf:
     content filter request, the queue manager will deliver the mail to the
     specified content filter regardless of its final destination.
 
-  * The "receive_override_options" line disables address manipulation before
-    the content filter, so that the content filter sees the original mail
-    addresses instead of the result of virtual alias expansion, canonical
-    mapping, automatic bcc, address masquerading, etc.
+  * The content_filter configuration parameter expects a value of the form
+    transport:destination. The transport name specifies the first field of a
+    mail delivery agent definition in master.cf; the syntax of destination is
+    described in the manual page of the corresponding delivery agent.
+
+  * The meaning of an empty filter destination is version dependent. Postfix
+    2.7 and later will use the recipient domain; earlier versions will use
+    $myhostname. Specify "legacy_filter_nexthop = yes" for compatibility with
+    Postfix 2.6 or earlier, or specify a non-empty filter destination.
+
+  * The content_filter setting has a lower precedence than a content filter
+    that is specified with an access(5) table or in a header_checks(5) or
+    body_checks(5) table.
 
 AAddvvaanncceedd ccoonntteenntt ffiilltteerr:: sseennddiinngg uunnffiilltteerreedd mmaaiill ttoo tthhee ccoonntteenntt ffiilltteerr
 
diff --git a/postfix/README_FILES/MAILDROP_README b/postfix/README_FILES/MAILDROP_README
index 23c90e08f..e1d320ee6 100644
--- a/postfix/README_FILES/MAILDROP_README
+++ b/postfix/README_FILES/MAILDROP_README
@@ -81,13 +81,15 @@ instead:
     /etc/postfix/master.cf:
         maildrop  unix  -       n       n       -       -       pipe
           flags=ODRhu user=vmail argv=/path/to/maildrop
-          -d ${user}@${nexthop} ${extension} ${recipient} ${user} ${nexthop}
+          -d ${user}@${domain} ${extension} ${recipient} ${user} ${nexthop}
 
-The mail is delivered to ${user}@${nexthop} (match key for maildrop userdb
+The mail is delivered to ${user}@${domain} (search key for maildrop userdb
 lookup). The ${extension} and the other address components are available to
 maildrop rules as $1, $2, $3, ... and can be omitted from master.cf or ignored
 by maildrop when not needed.
 
+With Postfix 2.4 and earlier, use ${nexthop} instead of ${domain}.
+
 IInnddiirreecctt ddeelliivveerryy vviiaa tthhee llooccaall ddeelliivveerryy aaggeenntt
 
 Postfix can be configured to deliver mail to maildrop via the local delivery
diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES
index 2782086a5..337050ac0 100644
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -14,6 +14,24 @@ specifies the release date of a stable release or snapshot release.
 If you upgrade from Postfix 2.5 or earlier, read RELEASE_NOTES-2.6
 before proceeding.
 
+Incompatibility with snapshot 20100116
+======================================
+
+The meaning of an empty content filter next-hop destination has
+changed.  Postfix now uses the recipient domain, instead of using
+$myhostname as in Postfix 2.6 and earlier.  To get the old behavior
+use "legacy_filter_nexthop = yes", or specify a non-empty next-hop
+filter destination.
+
+Major changes with snapshot 20100116
+====================================
+
+The FILTER command can now be used to implement sender reputation
+schemes that dynamically choose the SMTP source IP address.  This
+is implemented by specifying a FILTER with an empty next-hop
+destination, and by configuring SMTP transports in master.cf with
+appropriate "-o myhostname" and "-o smtp_bind_address" settings.
+
 Incompatibility with snapshot 20100101
 ======================================
 
diff --git a/postfix/WISHLIST b/postfix/WISHLIST
index 38337c5cf..89d05f77f 100644
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@@ -2,10 +2,26 @@ Wish list:
 
 	Remove this file from the stable release.
 
+	Should the postscreen temporary cache remember hosts that
+	are listed in the permanent white/black lists, and be queried
+	first? Skipping white/black list lookups will speed up the
+	handling of "good" clients without a permanent whitelist
+	entry.  Of course, this means that updates to the white/black
+	lists do not immediately take effect. Workarounds: 1) ignore
+	cached white/black list lookup results after "postfix
+	reload"; 2) use a short temporary cache TTL for clients on
+	the permanent black/white lists; 3) adjust the logging, for
+	example "WHITELISTED address (cached)" and "BLACKLISTED
+	address (cached)" to eliminate surprises.  Comparing the
+	cache entry time with the white/blacklist file modification
+	time is not foolproof: for example, pcre or CIDR tables are
+	read only once.
+
 	It would be nice if the generic dict_cache(3) cache manager
 	could postpone process suicide until cache cleanup is
 	completed (but that is not possible when postscreen forks
-	into the background to finish already-accepted connections).
+	into the background to finish already-accepted connections,
+	and it is not desirable when a host is being shut down).
 
 	When postscreen drops a connection, a 521 "greeting" should
 	be of the form "521 servername..." and not have an enhanced
diff --git a/postfix/conf/access b/postfix/conf/access
index 00aa6cd19..e7691e5c8 100644
--- a/postfix/conf/access
+++ b/postfix/conf/access
@@ -187,8 +187,23 @@
 #               text.  4NN means "try again later", while 5NN means
 #               "do not try again".
 # 
-#               The reply code "421" causes Postfix  to  disconnect
-#               immediately (Postfix version 2.3 and later).
+#               The following responses have  special  meaning  for
+#               the Postfix SMTP server:
+# 
+#               421 text (Postfix 2.3 and later)
+# 
+#               521 text (Postfix 2.6 and later)
+#                      After  responding  with the numerical three-
+#                      digit code and text, disconnect  immediately
+#                      from  the  SMTP  client.  This frees up SMTP
+#                      server resources so that they  can  be  made
+#                      available to another SMTP client.
+# 
+#                      Note: The "521" response should be used only
+#                      with botnets and other malware where  inter-
+#                      operability is of no concern.  The "send 521
+#                      and disconnect" behavior is NOT  defined  in
+#                      the SMTP standard.
 # 
 #        REJECT optional text...
 #               Reject  the  address etc. that matches the pattern.
@@ -265,136 +280,153 @@
 #        FILTER transport:destination
 #               After  the  message is queued, send the entire mes-
 #               sage through the specified external content filter.
-#               The  transport:destination  syntax  is described in
-#               the transport(5)  manual  page.   More  information
-#               about  external  content  filters is in the Postfix
-#               FILTER_README file.
-# 
-#               Note: this action overrides the content_filter set-
-#               ting,  and  currently affects all recipients of the
-#               message.
+#               The  transport  name specifies the first field of a
+#               mail delivery agent definition  in  master.cf;  the
+#               syntax  of  destination  is described in the manual
+#               page of the  corresponding  delivery  agent.   More
+#               information  about  external  content filters is in
+#               the Postfix FILTER_README file.
+# 
+#               Note 1: do not use $number regular expression  sub-
+#               stitutions  for transport or destination unless you
+#               know that the information has a trusted origin.
+# 
+#               Note 2: this  action  overrides  the  main.cf  con-
+#               tent_filter  setting, and affects all recipients of
+#               the message.  In  the  case  that  multiple  FILTER
+#               actions fire, only the last one is executed.
+# 
+#               Note  3:  the  purpose  of the FILTER command is to
+#               override message routing.  To override the  recipi-
+#               ent's  transport  but  not  destination, specify an
+#               empty destination (Postfix 2.7 and later), or spec-
+#               ify a transport:destination that delivers through a
+#               different Postfix instance (Postfix  2.6  and  ear-
+#               lier). Other options are using the recipient-depen-
+#               dent transport_maps or the sender-dependent sender-
+#               _dependent_default_transport_maps features.
 # 
 #               This feature is available in Postfix 2.0 and later.
 # 
 #        HOLD optional text...
-#               Place  the message on the hold queue, where it will
-#               sit until someone either deletes it or releases  it
-#               for  delivery.  Log the optional text if specified,
+#               Place the message on the hold queue, where it  will
+#               sit  until someone either deletes it or releases it
+#               for delivery.  Log the optional text if  specified,
 #               otherwise log a generic message.
 # 
-#               Mail that is placed on hold can  be  examined  with
-#               the  postcat(1)  command,  and  can be destroyed or
+#               Mail  that  is  placed on hold can be examined with
+#               the postcat(1) command, and  can  be  destroyed  or
 #               released with the postsuper(1) command.
 # 
-#               Note: use "postsuper -r" to release mail  that  was
-#               kept  on  hold for a significant fraction of $maxi-
+#               Note:  use  "postsuper -r" to release mail that was
+#               kept on hold for a significant fraction  of  $maxi-
 #               mal_queue_lifetime  or  $bounce_queue_lifetime,  or
-#               longer.  Use "postsuper -H" only for mail that will
+#               longer. Use "postsuper -H" only for mail that  will
 #               not expire within a few delivery attempts.
 # 
-#               Note: this action currently affects all  recipients
+#               Note:  this action currently affects all recipients
 #               of the message.
 # 
 #               This feature is available in Postfix 2.0 and later.
 # 
 #        PREPEND headername: headervalue
-#               Prepend the specified message header  to  the  mes-
-#               sage.   When more than one PREPEND action executes,
-#               the first prepended header appears before the  sec-
+#               Prepend  the  specified  message header to the mes-
+#               sage.  When more than one PREPEND action  executes,
+#               the  first prepended header appears before the sec-
 #               ond etc. prepended header.
 # 
-#               Note:  this  action must execute before the message
-#               content is received; it cannot execute in the  con-
+#               Note: this action must execute before  the  message
+#               content  is received; it cannot execute in the con-
 #               text of smtpd_end_of_data_restrictions.
 # 
 #               This feature is available in Postfix 2.1 and later.
 # 
 #        REDIRECT user@domain
-#               After the message is queued, send  the  message  to
+#               After  the  message  is queued, send the message to
 #               the  specified  address  instead  of  the  intended
 #               recipient(s).
 # 
-#               Note: this action overrides the FILTER action,  and
+#               Note:  this action overrides the FILTER action, and
 #               currently affects all recipients of the message.
 # 
 #               This feature is available in Postfix 2.1 and later.
 # 
 #        WARN optional text...
 #               Log a warning with the optional text, together with
-#               client  information  and  if  available, with helo,
+#               client information and  if  available,  with  helo,
 #               sender, recipient and protocol information.
 # 
 #               This feature is available in Postfix 2.1 and later.
 # 
 # ENHANCED STATUS CODES
-#        Postfix  version  2.3  and  later  support enhanced status
-#        codes as defined in RFC 3463.   When  an  enhanced  status
-#        code  is  specified  in  an access table, it is subject to
-#        modification. The  following  transformations  are  needed
-#        when  the  same  access  table  is  used for client, helo,
-#        sender, or  recipient  access  restrictions;  they  happen
+#        Postfix version 2.3  and  later  support  enhanced  status
+#        codes  as  defined  in  RFC 3463.  When an enhanced status
+#        code is specified in an access table,  it  is  subject  to
+#        modification.  The  following  transformations  are needed
+#        when the same access  table  is  used  for  client,  helo,
+#        sender,  or  recipient  access  restrictions;  they happen
 #        regardless of whether Postfix replies to a MAIL FROM, RCPT
 #        TO or other SMTP command.
 # 
-#        o      When a sender address matches a REJECT action,  the
-#               Postfix  SMTP server will transform a recipient DSN
-#               status (e.g., 4.1.1-4.1.6) into  the  corresponding
+#        o      When  a sender address matches a REJECT action, the
+#               Postfix SMTP server will transform a recipient  DSN
+#               status  (e.g.,  4.1.1-4.1.6) into the corresponding
 #               sender DSN status, and vice versa.
 # 
-#        o      When   non-address  information  matches  a  REJECT
-#               action (such as the HELO command  argument  or  the
-#               client  hostname/address),  the Postfix SMTP server
-#               will transform a sender  or  recipient  DSN  status
-#               into   a  generic  non-address  DSN  status  (e.g.,
+#        o      When  non-address  information  matches  a   REJECT
+#               action  (such  as  the HELO command argument or the
+#               client hostname/address), the Postfix  SMTP  server
+#               will  transform  a  sender  or recipient DSN status
+#               into  a  generic  non-address  DSN  status   (e.g.,
 #               4.0.0).
 # 
 # REGULAR EXPRESSION TABLES
-#        This section describes how the table lookups  change  when
+#        This  section  describes how the table lookups change when
 #        the table is given in the form of regular expressions. For
-#        a description of regular expression lookup  table  syntax,
+#        a  description  of regular expression lookup table syntax,
 #        see regexp_table(5) or pcre_table(5).
 # 
-#        Each  pattern  is  a regular expression that is applied to
+#        Each pattern is a regular expression that  is  applied  to
 #        the entire string being looked up. Depending on the appli-
-#        cation,  that  string  is  an  entire  client hostname, an
+#        cation, that string  is  an  entire  client  hostname,  an
 #        entire client IP address, or an entire mail address. Thus,
 #        no  parent  domain  or  parent  network  search  is  done,
-#        user@domain mail addresses are not broken  up  into  their
+#        user@domain  mail  addresses  are not broken up into their
 #        user@ and domain constituent parts, nor is user+foo broken
 #        up into user and foo.
 # 
-#        Patterns are applied in the order as specified in the  ta-
-#        ble,  until  a  pattern  is  found that matches the search
+#        Patterns  are applied in the order as specified in the ta-
+#        ble, until a pattern is  found  that  matches  the  search
 #        string.
 # 
-#        Actions are the same as with indexed  file  lookups,  with
-#        the  additional feature that parenthesized substrings from
+#        Actions  are  the  same as with indexed file lookups, with
+#        the additional feature that parenthesized substrings  from
 #        the pattern can be interpolated as $1, $2 and so on.
 # 
 # TCP-BASED TABLES
-#        This section describes how the table lookups  change  when
+#        This  section  describes how the table lookups change when
 #        lookups are directed to a TCP-based server. For a descrip-
 #        tion of the TCP client/server lookup protocol, see tcp_ta-
 #        ble(5).  This feature is not available up to and including
 #        Postfix version 2.4.
 # 
-#        Each lookup operation uses the entire query  string  once.
-#        Depending  on  the  application,  that string is an entire
+#        Each  lookup  operation uses the entire query string once.
+#        Depending on the application, that  string  is  an  entire
 #        client hostname, an entire client IP address, or an entire
-#        mail  address.   Thus,  no parent domain or parent network
-#        search is done, user@domain mail addresses are not  broken
-#        up  into  their user@ and domain constituent parts, nor is
+#        mail address.  Thus, no parent domain  or  parent  network
+#        search  is done, user@domain mail addresses are not broken
+#        up into their user@ and domain constituent parts,  nor  is
 #        user+foo broken up into user and foo.
 # 
 #        Actions are the same as with indexed file lookups.
 # 
 # EXAMPLE
-#        The following example uses an indexed file,  so  that  the
-#        order  of  table entries does not matter. The example per-
-#        mits access by the client at address 1.2.3.4  but  rejects
-#        all  other  clients  in 1.2.3.0/24. Instead of hash lookup
-#        tables, some systems use dbm.  Use the  command  "postconf
-#        -m"  to  find  out  what lookup tables Postfix supports on
+#        The  following  example  uses an indexed file, so that the
+#        order of table entries does not matter. The  example  per-
+#        mits  access  by the client at address 1.2.3.4 but rejects
+#        all other clients in 1.2.3.0/24. Instead  of  hash  lookup
+#        tables,  some  systems use dbm.  Use the command "postconf
+#        -m" to find out what lookup  tables  Postfix  supports  on
 #        your system.
 # 
 #        /etc/postfix/main.cf:
@@ -405,11 +437,11 @@
 #            1.2.3   REJECT
 #            1.2.3.4 OK
 # 
-#        Execute the command  "postmap  /etc/postfix/access"  after
+#        Execute  the  command  "postmap /etc/postfix/access" after
 #        editing the file.
 # 
 # BUGS
-#        The  table format does not understand quoting conventions.
+#        The table format does not understand quoting  conventions.
 # 
 # SEE ALSO
 #        postmap(1), Postfix lookup table manager
@@ -418,13 +450,13 @@
 #        transport(5), transport:nexthop syntax
 # 
 # README FILES
-#        Use "postconf readme_directory" or  "postconf  html_direc-
+#        Use  "postconf  readme_directory" or "postconf html_direc-
 #        tory" to locate this information.
 #        SMTPD_ACCESS_README, built-in SMTP server access control
 #        DATABASE_README, Postfix lookup table overview
 # 
 # LICENSE
-#        The  Secure  Mailer  license must be distributed with this
+#        The Secure Mailer license must be  distributed  with  this
 #        software.
 # 
 # AUTHOR(S)
diff --git a/postfix/conf/header_checks b/postfix/conf/header_checks
index 0fdc33235..ba355ebc8 100644
--- a/postfix/conf/header_checks
+++ b/postfix/conf/header_checks
@@ -167,17 +167,33 @@
 #               This feature is available in Postfix 2.1 and later.
 # 
 #        FILTER transport:destination
-#               Write a content filter request to the  queue  file,
-#               and  inspect  the  next input line.  After the com-
-#               plete message is received it will be  sent  through
-#               the specified external content filter.  More infor-
-#               mation about external content  filters  is  in  the
-#               Postfix FILTER_README file.
-# 
-#               Note: this action overrides the content_filter set-
-#               ting, and affects all recipients of the message. In
-#               the  case  that  multiple FILTER actions fire, only
-#               the last one is executed.
+#               After the message is queued, send the  entire  mes-
+#               sage through the specified external content filter.
+#               The transport name specifies the first field  of  a
+#               mail  delivery agent definition master.cf; the syn-
+#               tax of destination is described in the manual  page
+#               of the corresponding delivery agent.  More informa-
+#               tion about external content filters is in the Post-
+#               fix FILTER_README file.
+# 
+#               Note  1: do not use $number regular expression sub-
+#               stitutions for transport or destination unless  you
+#               know that the information has a trusted origin.
+# 
+#               Note  2:  this  action  overrides  the main.cf con-
+#               tent_filter setting, and affects all recipients  of
+#               the  message.  In  the  case  that  multiple FILTER
+#               actions fire, only the last one is executed.
+# 
+#               Note 3: the purpose of the  FILTER  command  is  to
+#               override  message routing.  To override the recipi-
+#               ent's transport but  not  destination,  specify  an
+#               empty destination (Postfix 2.7 and later), or spec-
+#               ify a transport:destination that delivers through a
+#               different  Postfix  instance  (Postfix 2.6 and ear-
+#               lier). Other options are using the recipient-depen-
+#               dent transport_maps or the sender-dependent sender-
+#               _dependent_default_transport_maps features.
 # 
 #               This feature is available in Postfix 2.0 and later.
 # 
diff --git a/postfix/conf/master.cf b/postfix/conf/master.cf
index a973e4f28..82f976751 100644
--- a/postfix/conf/master.cf
+++ b/postfix/conf/master.cf
@@ -9,6 +9,9 @@
 #               (yes)   (yes)   (yes)   (never) (100)
 # ==========================================================================
 smtp      inet  n       -       n       -       -       smtpd
+#smtp      inet  n       -       n       -       1       postscreen
+#smtpd     pass  -       -       n       -       -       smtpd
+#dnsblog   unix  -       -       n       -       0       dnsblog
 #submission inet n       -       n       -       -       smtpd
 #  -o smtpd_tls_security_level=encrypt
 #  -o smtpd_sasl_auth_enable=yes
@@ -19,7 +22,7 @@ smtp      inet  n       -       n       -       -       smtpd
 #  -o smtpd_sasl_auth_enable=yes
 #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 #  -o milter_macro_daemon_name=ORIGINATING
-#628      inet  n       -       n       -       -       qmqpd
+#628       inet  n       -       n       -       -       qmqpd
 pickup    fifo  n       -       n       60      1       pickup
 cleanup   unix  n       -       n       -       0       cleanup
 qmgr      fifo  n       -       n       300     1       qmgr
@@ -113,6 +116,3 @@ scache    unix  -       -       n       -       1       scache
 #mailman   unix  -       n       n       -       -       pipe
 #  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
 #  ${nexthop} ${user}
-#smtp      inet  n       -       n       -       1       postscreen
-#smtpd     pass  -       -       n       -       -       smtpd
-#dnsblog   unix  -       -       n       -       0       dnsblog
diff --git a/postfix/conf/postfix-script b/postfix/conf/postfix-script
index 30ddf1cbc..805e288e7 100644
--- a/postfix/conf/postfix-script
+++ b/postfix/conf/postfix-script
@@ -266,6 +266,9 @@ check-warn)
 	find $data_directory/. ! -user $mail_owner \
 	    -exec $WARN not owned by $mail_owner: {} \;
 
+	ls -lLd $data_directory | egrep '^.....(w|...w)' >/dev/null && \
+		$WARN group or other writable: $data_directory
+
 	find `ls -d $queue_directory/* | \
 	    egrep '/(saved|incoming|active|defer|deferred|bounce|hold|trace|corrupt|public|private|flush)$'` \
 	    ! \( -type p -o -type s \) ! -user $mail_owner \
diff --git a/postfix/html/ADDRESS_VERIFICATION_README.html b/postfix/html/ADDRESS_VERIFICATION_README.html
index 3e92d10ce..34e069dde 100644
--- a/postfix/html/ADDRESS_VERIFICATION_README.html
+++ b/postfix/html/ADDRESS_VERIFICATION_README.html
@@ -454,13 +454,18 @@ they expire.  Postfix uses different controls for positive results
 (address was accepted) and for negative results (address was rejected,
 or address verification failed for some other reason). </p>
 
-<p> Current Postfix versions will periodically remove expired entries
-from the address verification database. With Postfix version 2.6
-and earlier, database cleanup had to be done as described next. </p>
-
-<p> If the address verification database file becomes too big, or
-if it becomes corrupted, the solution is to manually rename or
-delete (NOT: truncate) the file and run "postfix reload".  The
+<p> The <a href="verify.8.html">verify(8)</a> daemon will periodically remove expired entries
+from the address verification database, and log the number of entries
+retained and dropped (Postfix versions 2.7 and later). A cleanup
+run is logged as "partial" when the daemon terminates early because
+of "postfix reload, "postfix stop", or because the daemon received
+no requests for $<a href="postconf.5.html#max_idle">max_idle</a> seconds.  Postfix versions 2.6 and earlier
+do not implement automatic address verification database cleanup.
+There, the database is managed manually as described next. </p>
+
+<p> When the address verification database file becomes too big,
+or when it becomes corrupted, the solution is to manually rename
+or delete (NOT: truncate) the file and run "postfix reload".  The
 <a href="verify.8.html">verify(8)</a> daemon will then create a new database file.  </p>
 
 <h2><a name="probe_routing">Controlling the routing of address
diff --git a/postfix/html/CONNECTION_CACHE_README.html b/postfix/html/CONNECTION_CACHE_README.html
index dd1a28bb2..d8d016599 100644
--- a/postfix/html/CONNECTION_CACHE_README.html
+++ b/postfix/html/CONNECTION_CACHE_README.html
@@ -268,7 +268,7 @@ deliver mail over TLS.  </p>
 multiple SASL accounts per mail server.  Specifically, Postfix
 connection caching assumes that a SASL credential is valid for all
 hostnames or domain names that deliver via the same mail server IP
-address and TCP port, and assume that the SASL credential does not
+address and TCP port, and assumes that the SASL credential does not
 depend on the message originator.  </p>
 
 </ul>
diff --git a/postfix/html/FILTER_README.html b/postfix/html/FILTER_README.html
index f1a6c12c8..5052c65ab 100644
--- a/postfix/html/FILTER_README.html
+++ b/postfix/html/FILTER_README.html
@@ -396,10 +396,24 @@ filter request record to each incoming mail message, with content
 "filter:dummy". This record overrides the normal mail routing
 and causes mail to be given to the content filter instead. </p>
 
-<p> The <a href="postconf.5.html#content_filter">content_filter</a> configuration parameter accepts the same syntax
-as the right-hand side in a Postfix transport table.  </p>
-
-<li> <p> Execute "<b>postfix reload</b>" to complete the change.  </p>
+<p> The <a href="postconf.5.html#content_filter">content_filter</a> configuration parameter expects a value of
+the form <i>transport:destination</i>. The <i>transport</i> name
+specifies the first field of a mail delivery agent definition in
+<a href="master.5.html">master.cf</a>; the syntax of <i>destination</i> is described in the
+manual page of the corresponding delivery agent. </p>
+
+<p> The meaning of an empty filter <i>destination</i> is version
+dependent.  Postfix 2.7 and later will use the recipient domain;
+earlier versions will use $<a href="postconf.5.html#myhostname">myhostname</a>.  Specify "<a href="postconf.5.html#legacy_filter_nexthop">legacy_filter_nexthop</a>
+= yes" for compatibility with Postfix 2.6 or earlier, or specify a
+non-empty filter destination.  </p>
+
+<p> The <a href="postconf.5.html#content_filter">content_filter</a> setting has a lower precedence than a content
+filter that is specified with an <a href="access.5.html">access(5)</a> table or in a <a href="header_checks.5.html">header_checks(5)</a>
+or <a href="header_checks.5.html">body_checks(5)</a> table. </p>
+
+<li> <p> Execute "<b>postfix reload</b>" to complete the change.
+</p>
 
 </ul>
 
@@ -590,6 +604,12 @@ specify in <a href="postconf.5.html">main.cf</a>:  </p>
 
 <ul>
 
+<li> <p> The "<a href="postconf.5.html#receive_override_options">receive_override_options</a>" line disables address
+manipulation before the content filter, so that the content filter
+sees the original mail addresses instead of the result of virtual
+alias expansion, canonical mapping, automatic bcc, address
+masquerading, etc. </p>
+
 <li> <p> The "<a href="postconf.5.html#content_filter">content_filter</a>" line causes Postfix to add one content
 filter request record to each incoming mail message, with content
 "scan:localhost:10025".  The content filter request records are
@@ -602,11 +622,21 @@ queue file contains a content filter request, the queue manager
 will deliver the mail to the specified content filter regardless
 of its final destination. </p>
 
-<li> <p> The "<a href="postconf.5.html#receive_override_options">receive_override_options</a>" line disables address
-manipulation before the content filter, so that the content filter
-sees the original mail addresses instead of the result of virtual
-alias expansion, canonical mapping, automatic bcc, address
-masquerading, etc. </p>
+<li> <p> The <a href="postconf.5.html#content_filter">content_filter</a> configuration parameter expects a value
+of the form <i>transport:destination</i>. The <i>transport</i> name
+specifies the first field of a mail delivery agent definition in
+<a href="master.5.html">master.cf</a>; the syntax of <i>destination</i> is described in the
+manual page of the corresponding delivery agent. </p>
+
+<li> <p> The meaning of an empty filter <i>destination</i> is version
+dependent.  Postfix 2.7 and later will use the recipient domain;
+earlier versions will use $<a href="postconf.5.html#myhostname">myhostname</a>.  Specify "<a href="postconf.5.html#legacy_filter_nexthop">legacy_filter_nexthop</a>
+= yes" for compatibility with Postfix 2.6 or earlier, or specify a
+non-empty filter destination.  </p>
+
+<li> <p> The <a href="postconf.5.html#content_filter">content_filter</a> setting has a lower precedence than a
+content filter that is specified with an <a href="access.5.html">access(5)</a> table or in a
+<a href="header_checks.5.html">header_checks(5)</a> or <a href="header_checks.5.html">body_checks(5)</a> table. </p>
 
 </ul>
 
diff --git a/postfix/html/MAILDROP_README.html b/postfix/html/MAILDROP_README.html
index 100cc297a..347c3b3a8 100644
--- a/postfix/html/MAILDROP_README.html
+++ b/postfix/html/MAILDROP_README.html
@@ -119,16 +119,19 @@ use the following instead: </p>
 /etc/postfix/<a href="master.5.html">master.cf</a>:
     maildrop  unix  -       n       n       -       -       pipe
       flags=ODRhu user=vmail argv=/path/to/maildrop 
-      -d ${user}@${nexthop} ${extension} ${recipient} ${user} ${nexthop}
+      -d ${user}@${domain} ${extension} ${recipient} ${user} ${nexthop}
 </pre>
 </blockquote>
 
-<p> The mail is delivered to ${user}@${nexthop} (match key for
+<p> The mail is delivered to ${user}@${domain} (search key for
 maildrop userdb lookup). The ${extension} and the other address
 components are available to maildrop rules as $1, $2, $3, ...  and
 can be omitted from <a href="master.5.html">master.cf</a> or ignored by maildrop when not
 needed. </p>
 
+<p> With Postfix 2.4 and earlier, use ${nexthop} instead of ${domain}.
+</p>
+
 <h2><a name="indirect">Indirect delivery via the local delivery agent</a></h2>
 
 <p> Postfix can be configured to deliver mail to maildrop via the
diff --git a/postfix/html/access.5.html b/postfix/html/access.5.html
index 626d105e8..c2c6ca745 100644
--- a/postfix/html/access.5.html
+++ b/postfix/html/access.5.html
@@ -193,8 +193,23 @@ ACCESS(5)                                                            ACCESS(5)
               text.  <b>4</b><i>NN</i> means "try again later", while <b>5</b><i>NN</i> means
               "do not try again".
 
-              The reply code "421" causes Postfix  to  disconnect
-              immediately (Postfix version 2.3 and later).
+              The following responses have  special  meaning  for
+              the Postfix SMTP server:
+
+              <b>421</b> <i>text</i> (Postfix 2.3 and later)
+
+              <b>521</b> <i>text</i> (Postfix 2.6 and later)
+                     After  responding  with the numerical three-
+                     digit code and text, disconnect  immediately
+                     from  the  SMTP  client.  This frees up SMTP
+                     server resources so that they  can  be  made
+                     available to another SMTP client.
+
+                     Note: The "521" response should be used only
+                     with botnets and other malware where  inter-
+                     operability is of no concern.  The "send 521
+                     and disconnect" behavior is NOT  defined  in
+                     the SMTP standard.
 
        <b>REJECT</b> <i>optional text...</i>
               Reject  the  address etc. that matches the pattern.
@@ -271,136 +286,153 @@ ACCESS(5)                                                            ACCESS(5)
        <b>FILTER</b> <i>transport:destination</i>
               After  the  message is queued, send the entire mes-
               sage through the specified external content filter.
-              The  <i>transport:destination</i>  syntax  is described in
-              the <a href="transport.5.html"><b>transport</b>(5)</a>  manual  page.   More  information
-              about  external  content  filters is in the Postfix
-              <a href="FILTER_README.html">FILTER_README</a> file.
-
-              Note: this action overrides the <b><a href="postconf.5.html#content_filter">content_filter</a></b> set-
-              ting,  and  currently affects all recipients of the
-              message.
+              The  <i>transport</i>  name specifies the first field of a
+              mail delivery agent definition  in  <a href="master.5.html">master.cf</a>;  the
+              syntax  of  <i>destination</i>  is described in the manual
+              page of the  corresponding  delivery  agent.   More
+              information  about  external  content filters is in
+              the Postfix <a href="FILTER_README.html">FILTER_README</a> file.
+
+              Note 1: do not use $<i>number</i> regular expression  sub-
+              stitutions  for <i>transport</i> or <i>destination</i> unless you
+              know that the information has a trusted origin.
+
+              Note 2: this  action  overrides  the  <a href="postconf.5.html">main.cf</a>  <b><a href="postconf.5.html#content_filter">con</a>-</b>
+              <b><a href="postconf.5.html#content_filter">tent_filter</a></b>  setting, and affects all recipients of
+              the message.  In  the  case  that  multiple  <b>FILTER</b>
+              actions fire, only the last one is executed.
+
+              Note  3:  the  purpose  of the FILTER command is to
+              override message routing.  To override the  recipi-
+              ent's  <i>transport</i>  but  not  <i>destination</i>, specify an
+              empty <i>destination</i> (Postfix 2.7 and later), or spec-
+              ify a <i>transport:destination</i> that delivers through a
+              different Postfix instance (Postfix  2.6  and  ear-
+              lier). Other options are using the recipient-depen-
+              dent <b><a href="postconf.5.html#transport_maps">transport_maps</a></b> or the sender-dependent <b><a href="postconf.5.html#sender_dependent_default_transport_maps">sender</a>-</b>
+              <b><a href="postconf.5.html#sender_dependent_default_transport_maps">_dependent_default_transport_maps</a></b> features.
 
               This feature is available in Postfix 2.0 and later.
 
        <b>HOLD</b> <i>optional text...</i>
-              Place  the message on the <b>hold</b> queue, where it will
-              sit until someone either deletes it or releases  it
-              for  delivery.  Log the optional text if specified,
+              Place the message on the <b>hold</b> queue, where it  will
+              sit  until someone either deletes it or releases it
+              for delivery.  Log the optional text if  specified,
               otherwise log a generic message.
 
-              Mail that is placed on hold can  be  examined  with
-              the  <a href="postcat.1.html"><b>postcat</b>(1)</a>  command,  and  can be destroyed or
+              Mail  that  is  placed on hold can be examined with
+              the <a href="postcat.1.html"><b>postcat</b>(1)</a> command, and  can  be  destroyed  or
               released with the <a href="postsuper.1.html"><b>postsuper</b>(1)</a> command.
 
-              Note: use "<b>postsuper -r</b>" to release mail  that  was
-              kept  on  hold for a significant fraction of <b>$<a href="postconf.5.html#maximal_queue_lifetime">maxi</a>-</b>
+              Note:  use  "<b>postsuper -r</b>" to release mail that was
+              kept on hold for a significant fraction  of  <b>$<a href="postconf.5.html#maximal_queue_lifetime">maxi</a>-</b>
               <b><a href="postconf.5.html#maximal_queue_lifetime">mal_queue_lifetime</a></b>  or  <b>$<a href="postconf.5.html#bounce_queue_lifetime">bounce_queue_lifetime</a></b>,  or
-              longer.  Use "<b>postsuper -H</b>" only for mail that will
+              longer. Use "<b>postsuper -H</b>" only for mail that  will
               not expire within a few delivery attempts.
 
-              Note: this action currently affects all  recipients
+              Note:  this action currently affects all recipients
               of the message.
 
               This feature is available in Postfix 2.0 and later.
 
        <b>PREPEND</b> <i>headername: headervalue</i>
-              Prepend the specified message header  to  the  mes-
-              sage.   When more than one PREPEND action executes,
-              the first prepended header appears before the  sec-
+              Prepend  the  specified  message header to the mes-
+              sage.  When more than one PREPEND action  executes,
+              the  first prepended header appears before the sec-
               ond etc. prepended header.
 
-              Note:  this  action must execute before the message
-              content is received; it cannot execute in the  con-
+              Note: this action must execute before  the  message
+              content  is received; it cannot execute in the con-
               text of <b><a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a></b>.
 
               This feature is available in Postfix 2.1 and later.
 
        <b>REDIRECT</b> <i>user@domain</i>
-              After the message is queued, send  the  message  to
+              After  the  message  is queued, send the message to
               the  specified  address  instead  of  the  intended
               recipient(s).
 
-              Note: this action overrides the FILTER action,  and
+              Note:  this action overrides the FILTER action, and
               currently affects all recipients of the message.
 
               This feature is available in Postfix 2.1 and later.
 
        <b>WARN</b> <i>optional text...</i>
               Log a warning with the optional text, together with
-              client  information  and  if  available, with helo,
+              client information and  if  available,  with  helo,
               sender, recipient and protocol information.
 
               This feature is available in Postfix 2.1 and later.
 
 <b>ENHANCED STATUS CODES</b>
-       Postfix  version  2.3  and  later  support enhanced status
-       codes as defined in <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a>.   When  an  enhanced  status
-       code  is  specified  in  an access table, it is subject to
-       modification. The  following  transformations  are  needed
-       when  the  same  access  table  is  used for client, helo,
-       sender, or  recipient  access  restrictions;  they  happen
+       Postfix version 2.3  and  later  support  enhanced  status
+       codes  as  defined  in  <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a>.  When an enhanced status
+       code is specified in an access table,  it  is  subject  to
+       modification.  The  following  transformations  are needed
+       when the same access  table  is  used  for  client,  helo,
+       sender,  or  recipient  access  restrictions;  they happen
        regardless of whether Postfix replies to a MAIL FROM, RCPT
        TO or other SMTP command.
 
-       <b>o</b>      When a sender address matches a REJECT action,  the
-              Postfix  SMTP server will transform a recipient DSN
-              status (e.g., 4.1.1-4.1.6) into  the  corresponding
+       <b>o</b>      When  a sender address matches a REJECT action, the
+              Postfix SMTP server will transform a recipient  DSN
+              status  (e.g.,  4.1.1-4.1.6) into the corresponding
               sender DSN status, and vice versa.
 
-       <b>o</b>      When   non-address  information  matches  a  REJECT
-              action (such as the HELO command  argument  or  the
-              client  hostname/address),  the Postfix SMTP server
-              will transform a sender  or  recipient  DSN  status
-              into   a  generic  non-address  DSN  status  (e.g.,
+       <b>o</b>      When  non-address  information  matches  a   REJECT
+              action  (such  as  the HELO command argument or the
+              client hostname/address), the Postfix  SMTP  server
+              will  transform  a  sender  or recipient DSN status
+              into  a  generic  non-address  DSN  status   (e.g.,
               4.0.0).
 
 <b>REGULAR EXPRESSION TABLES</b>
-       This section describes how the table lookups  change  when
+       This  section  describes how the table lookups change when
        the table is given in the form of regular expressions. For
-       a description of regular expression lookup  table  syntax,
+       a  description  of regular expression lookup table syntax,
        see <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a> or <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a>.
 
-       Each  pattern  is  a regular expression that is applied to
+       Each pattern is a regular expression that  is  applied  to
        the entire string being looked up. Depending on the appli-
-       cation,  that  string  is  an  entire  client hostname, an
+       cation, that string  is  an  entire  client  hostname,  an
        entire client IP address, or an entire mail address. Thus,
        no  parent  domain  or  parent  network  search  is  done,
-       <i>user@domain</i> mail addresses are not broken  up  into  their
+       <i>user@domain</i>  mail  addresses  are not broken up into their
        <i>user@</i> and <i>domain</i> constituent parts, nor is <i>user+foo</i> broken
        up into <i>user</i> and <i>foo</i>.
 
-       Patterns are applied in the order as specified in the  ta-
-       ble,  until  a  pattern  is  found that matches the search
+       Patterns  are applied in the order as specified in the ta-
+       ble, until a pattern is  found  that  matches  the  search
        string.
 
-       Actions are the same as with indexed  file  lookups,  with
-       the  additional feature that parenthesized substrings from
+       Actions  are  the  same as with indexed file lookups, with
+       the additional feature that parenthesized substrings  from
        the pattern can be interpolated as <b>$1</b>, <b>$2</b> and so on.
 
 <b>TCP-BASED TABLES</b>
-       This section describes how the table lookups  change  when
+       This  section  describes how the table lookups change when
        lookups are directed to a TCP-based server. For a descrip-
        tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
        <a href="tcp_table.5.html"><b>ble</b>(5)</a>.  This feature is not available up to and including
        Postfix version 2.4.
 
-       Each lookup operation uses the entire query  string  once.
-       Depending  on  the  application,  that string is an entire
+       Each  lookup  operation uses the entire query string once.
+       Depending on the application, that  string  is  an  entire
        client hostname, an entire client IP address, or an entire
-       mail  address.   Thus,  no parent domain or parent network
-       search is done, <i>user@domain</i> mail addresses are not  broken
-       up  into  their <i>user@</i> and <i>domain</i> constituent parts, nor is
+       mail address.  Thus, no parent domain  or  parent  network
+       search  is done, <i>user@domain</i> mail addresses are not broken
+       up into their <i>user@</i> and <i>domain</i> constituent parts,  nor  is
        <i>user+foo</i> broken up into <i>user</i> and <i>foo</i>.
 
        Actions are the same as with indexed file lookups.
 
 <b>EXAMPLE</b>
-       The following example uses an indexed file,  so  that  the
-       order  of  table entries does not matter. The example per-
-       mits access by the client at address 1.2.3.4  but  rejects
-       all  other  clients  in 1.2.3.0/24. Instead of <b>hash</b> lookup
-       tables, some systems use <b>dbm</b>.  Use the  command  "<b>postconf</b>
-       <b>-m</b>"  to  find  out  what lookup tables Postfix supports on
+       The  following  example  uses an indexed file, so that the
+       order of table entries does not matter. The  example  per-
+       mits  access  by the client at address 1.2.3.4 but rejects
+       all other clients in 1.2.3.0/24. Instead  of  <b>hash</b>  lookup
+       tables,  some  systems use <b>dbm</b>.  Use the command "<b>postconf</b>
+       <b>-m</b>" to find out what lookup  tables  Postfix  supports  on
        your system.
 
        /etc/postfix/<a href="postconf.5.html">main.cf</a>:
@@ -411,11 +443,11 @@ ACCESS(5)                                                            ACCESS(5)
            1.2.3   REJECT
            1.2.3.4 OK
 
-       Execute the command  "<b>postmap  /etc/postfix/access</b>"  after
+       Execute  the  command  "<b>postmap /etc/postfix/access</b>" after
        editing the file.
 
 <b>BUGS</b>
-       The  table format does not understand quoting conventions.
+       The table format does not understand quoting  conventions.
 
 <b>SEE ALSO</b>
        <a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager
@@ -428,7 +460,7 @@ ACCESS(5)                                                            ACCESS(5)
        <a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview
 
 <b>LICENSE</b>
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/header_checks.5.html b/postfix/html/header_checks.5.html
index cb17335e1..542ec2937 100644
--- a/postfix/html/header_checks.5.html
+++ b/postfix/html/header_checks.5.html
@@ -173,17 +173,33 @@ HEADER_CHECKS(5)                                              HEADER_CHECKS(5)
               This feature is available in Postfix 2.1 and later.
 
        <b>FILTER</b> <i>transport:destination</i>
-              Write a content filter request to the  queue  file,
-              and  inspect  the  next input line.  After the com-
-              plete message is received it will be  sent  through
-              the specified external content filter.  More infor-
-              mation about external content  filters  is  in  the
-              Postfix <a href="FILTER_README.html">FILTER_README</a> file.
-
-              Note: this action overrides the <b><a href="postconf.5.html#content_filter">content_filter</a></b> set-
-              ting, and affects all recipients of the message. In
-              the  case  that  multiple <b>FILTER</b> actions fire, only
-              the last one is executed.
+              After the message is queued, send the  entire  mes-
+              sage through the specified external content filter.
+              The <i>transport</i> name specifies the first field  of  a
+              mail  delivery agent definition <a href="master.5.html">master.cf</a>; the syn-
+              tax of <i>destination</i> is described in the manual  page
+              of the corresponding delivery agent.  More informa-
+              tion about external content filters is in the Post-
+              fix <a href="FILTER_README.html">FILTER_README</a> file.
+
+              Note  1: do not use $<i>number</i> regular expression sub-
+              stitutions for <i>transport</i> or <i>destination</i> unless  you
+              know that the information has a trusted origin.
+
+              Note  2:  this  action  overrides  the <a href="postconf.5.html">main.cf</a> <b><a href="postconf.5.html#content_filter">con</a>-</b>
+              <b><a href="postconf.5.html#content_filter">tent_filter</a></b> setting, and affects all recipients  of
+              the  message.  In  the  case  that  multiple <b>FILTER</b>
+              actions fire, only the last one is executed.
+
+              Note 3: the purpose of the  FILTER  command  is  to
+              override  message routing.  To override the recipi-
+              ent's <i>transport</i> but  not  <i>destination</i>,  specify  an
+              empty <i>destination</i> (Postfix 2.7 and later), or spec-
+              ify a <i>transport:destination</i> that delivers through a
+              different  Postfix  instance  (Postfix 2.6 and ear-
+              lier). Other options are using the recipient-depen-
+              dent <b><a href="postconf.5.html#transport_maps">transport_maps</a></b> or the sender-dependent <b><a href="postconf.5.html#sender_dependent_default_transport_maps">sender</a>-</b>
+              <b><a href="postconf.5.html#sender_dependent_default_transport_maps">_dependent_default_transport_maps</a></b> features.
 
               This feature is available in Postfix 2.0 and later.
 
diff --git a/postfix/html/oqmgr.8.html b/postfix/html/oqmgr.8.html
index 589beee04..e25247fbd 100644
--- a/postfix/html/oqmgr.8.html
+++ b/postfix/html/oqmgr.8.html
@@ -193,6 +193,13 @@ OQMGR(8)                                                              OQMGR(8)
               Allow a sender or recipient address to have `-'  as
               the first character.
 
+       Available with Postfix version 2.7 and later:
+
+       <b><a href="postconf.5.html#legacy_filter_nexthop">legacy_filter_nexthop</a> (no)</b>
+              When  a  FILTER command does not specify a destina-
+              tion, force  the  destination  to  be  $<a href="postconf.5.html#myhostname">myhostname</a>,
+              instead of using the recipient domain.
+
 <b>ACTIVE QUEUE CONTROLS</b>
        <b><a href="postconf.5.html#qmgr_clog_warn_time">qmgr_clog_warn_time</a> (300s)</b>
               The  minimal delay between warnings that a specific
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index 955936e00..bffafa67e 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -129,6 +129,12 @@ database cleanup runs. This feature requires that the database
 supports the "delete" and "sequence" operators.  Specify a zero
 interval to disable database cleanup. </p>
 
+<p> After each database cleanup run, the <a href="verify.8.html">verify(8)</a> daemon logs the
+number of entries that were retained and dropped. A cleanup run is
+logged as "partial" when the daemon terminates early after "<b>postfix
+reload</b>", "<b>postfix stop</b>", or no requests for $<a href="postconf.5.html#max_idle">max_idle</a>
+seconds. </p>
+
 <p> Time units: s (seconds), m (minutes), h (hours), d (days), w
 (weeks). </p>
 
@@ -177,10 +183,10 @@ is opened before the process releases privileges.
 </p>
 
 <p>
-The lookup table is persistent by default as of Postfix version
-2.7. Specify an empty table name to keep the information in volatile
+The lookup table is persistent by default (Postfix 2.7 and later).
+Specify an empty table name to keep the information in volatile
 memory which is lost after "<b>postfix reload</b>" or "<b>postfix
-stop</b>" (this is default with earlier Postfix versions).
+stop</b>". This is the default with Postfix version 2.6 and earlier.
 </p>
 
 <p>
@@ -189,11 +195,12 @@ database becomes corrupted, the world comes to an end. To recover
 delete (NOT: truncate) the file and do "<b>postfix reload</b>".
 </p>
 
-<p> As of version 2.5, Postfix no longer uses root privileges when
-opening this file. The file must now be stored under a Postfix-owned
-directory such as the <a href="postconf.5.html#data_directory">data_directory</a>. As a migration aid, an attempt
-to open the file under a non-Postfix directory is redirected to the
-Postfix-owned <a href="postconf.5.html#data_directory">data_directory</a>, and a warning is logged. </p>
+<p> Postfix daemon processes do not use root privileges when opening
+this file (Postfix 2.5 and later).  The file must therefore be
+stored under a Postfix-owned directory such as the <a href="postconf.5.html#data_directory">data_directory</a>.
+As a migration aid, an attempt to open the file under a non-Postfix
+directory is redirected to the Postfix-owned <a href="postconf.5.html#data_directory">data_directory</a>, and a
+warning is logged. </p>
 
 <p>
 Examples:
@@ -275,11 +282,10 @@ of an address verification request in progress.
 </p>
 
 <p>
-With Postfix version 2.7 and later, the SMTP server polls the
-<a href="verify.8.html">verify(8)</a> service up to three times under non-overload conditions,
-and only once when under overload.  With earlier Postfix versions,
-the SMTP server always polls the <a href="verify.8.html">verify(8)</a> service up to three
-times.
+The Postfix SMTP server polls the <a href="verify.8.html">verify(8)</a> service up to three
+times under non-overload conditions, and only once when under
+overload.  With Postfix version 2.6 and earlier, the SMTP server
+always polls the <a href="verify.8.html">verify(8)</a> service up to three times.
 </p>
 
 <p>
@@ -1209,11 +1215,11 @@ This feature is available in Postfix 2.0 and later.
 (default: 50000)</b></DT><DD>
 
 <p> The maximal amount of original message text that is sent in a
-non-delivery notification. Specify a byte count. With Postfix 2.4
-and later, a message is returned as either message/rfc822 (the
-complete original) or as text/rfc822-headers (the headers only).
-With earlier Postfix versions, a message is always returned as
-message/rfc822 and is truncated when it exceeds the size limit.
+non-delivery notification. Specify a byte count.  A message is
+returned as either message/rfc822 (the complete original) or as
+text/rfc822-headers (the headers only).  With Postfix version 2.4
+and earlier, a message is always returned as message/rfc822 and is
+truncated when it exceeds the size limit.
 </p>
 
 <p> Notes: </p>
@@ -1531,17 +1537,29 @@ is already bounded by $<a href="postconf.5.html#max_idle">max_idle</a>.  </p>
 <DT><b><a name="content_filter">content_filter</a>
 (default: empty)</b></DT><DD>
 
-<p>
-The name of a mail delivery transport that filters mail after
-it is queued.
+<p> After the message is queued, send the entire message to the
+specified <i>transport:destination</i>. The <i>transport</i> name
+specifies the first field of a mail delivery agent definition in
+<a href="master.5.html">master.cf</a>; the syntax of <i>destination</i> is described in the
+manual page of the corresponding delivery agent.  More information
+about external content filters is in the Postfix <a href="FILTER_README.html">FILTER_README</a> file.
 </p>
 
-<p>
-This parameter uses the same syntax as the right-hand side of a
-Postfix <a href="transport.5.html">transport(5)</a> table. This setting has a lower precedence
-than a content filter that is specified with an <a href="access.5.html">access(5)</a> table or
-in a <a href="header_checks.5.html">header_checks(5)</a> or <a href="header_checks.5.html">body_checks(5)</a> table.
-</p>
+<p> Notes: </p>
+
+<ul>
+
+<li> <p> This setting has a lower precedence than a content filter that
+is specified with an <a href="access.5.html">access(5)</a> table or in a <a href="header_checks.5.html">header_checks(5)</a> or
+<a href="header_checks.5.html">body_checks(5)</a> table. </p>
+
+<li> <p> The meaning of an empty filter <i>destination</i> is version
+dependent.  Postfix 2.7 and later will use the recipient domain;
+earlier versions will use $<a href="postconf.5.html#myhostname">myhostname</a>.  Specify "<a href="postconf.5.html#legacy_filter_nexthop">legacy_filter_nexthop</a>
+= yes" for compatibility with Postfix 2.6 or earlier, or specify
+a non-empty filter <i>destination</i>.  </p>
+
+</ul>
 
 
 </DD>
@@ -1950,7 +1968,8 @@ unit). </p>
 (weeks). The default time unit is s (seconds). </p>
 
 <p> NOTE: the delay is enforced by the queue manager. The delay
-timer state does not survive "postfix reload" or "postfix stop".
+timer state does not survive "<b>postfix reload</b>" or "<b>postfix
+stop</b>".
 </p>
 
 <p> Use <a href="postconf.5.html#transport_destination_rate_delay"><i>transport</i>_destination_rate_delay</a> to specify a
@@ -2358,7 +2377,7 @@ precision.  </p>
 
 <li> b = time from last <a href="QSHAPE_README.html#active_queue">active queue</a> entry to connection setup
 
-<li> c = time in connection setup, including DNS, EHLO and TLS
+<li> c = time in connection setup, including DNS, EHLO and STARTTLS
 
 <li> d = time in message transmission
 
@@ -3483,6 +3502,20 @@ This feature is available in Postfix 2.1 and later.
 </p>
 
 
+</DD>
+
+<DT><b><a name="legacy_filter_nexthop">legacy_filter_nexthop</a>
+(default: no)</b></DT><DD>
+
+<p> When a FILTER command does not specify a destination, force the
+destination to be $<a href="postconf.5.html#myhostname">myhostname</a>, instead of using the recipient domain.
+Specify "<a href="postconf.5.html#legacy_filter_nexthop">legacy_filter_nexthop</a> = yes" for compatibility with Postfix
+version 2.6 and earlier, or specify a non-empty filter destination.
+</p>
+
+<p> This feature is available in Postfix 2.7 and later.  </p>
+
+
 </DD>
 
 <DT><b><a name="line_length_limit">line_length_limit</a>
@@ -6594,6 +6627,12 @@ therefore not be run frequently. This feature requires that the
 cache database supports the "delete" and "sequence" operators.
 Specify a zero interval to disable cache cleanup. </p>
 
+<p> After each cache cleanup run, the <a href="postscreen.8.html">postscreen(8)</a> daemon logs the
+number of entries that were retained and dropped. A cleanup run is
+logged as "partial" when the daemon terminates early after "<b>postfix
+reload</b>", "<b>postfix stop</b>", or no requests for $<a href="postconf.5.html#max_idle">max_idle</a>
+seconds. </p>
+
 <p> Time units: s (seconds), m (minutes), h (hours), d (days), w
 (weeks).  </p>
 
@@ -7188,8 +7227,9 @@ server to decide if it will accept any mail at all.
 </p>
 
 <p>
-By default, the Postfix version 2.1 SMTP server rejects MAIL FROM commands
-when the amount of free space is less than 1.5*$<a href="postconf.5.html#message_size_limit">message_size_limit</a>.
+By default, the Postfix SMTP server rejects MAIL FROM commands when
+the amount of free space is less than 1.5*$<a href="postconf.5.html#message_size_limit">message_size_limit</a>
+(Postfix version 2.1 and later).
 To specify a higher minimum free space limit, specify a <a href="postconf.5.html#queue_minfree">queue_minfree</a>
 value that is at least 1.5*$<a href="postconf.5.html#message_size_limit">message_size_limit</a>.
 </p>
@@ -8001,9 +8041,10 @@ without overriding the global <a href="postconf.5.html#default_transport">defaul
 This information is overruled with the <a href="transport.5.html">transport(5)</a> table. </p>
 
 <p> Note: this overrides <a href="postconf.5.html#default_transport">default_transport</a>, not <a href="postconf.5.html#transport_maps">transport_maps</a>, and
-therefore the expected syntax is that of <a href="postconf.5.html#default_transport">default_transport</a>.  This
-feature does not support the <a href="postconf.5.html#transport_maps">transport_maps</a> syntax for null transport,
-null nexthop, or null email addresses. </p>
+therefore the expected syntax is that of <a href="postconf.5.html#default_transport">default_transport</a>, not the
+syntax of <a href="postconf.5.html#transport_maps">transport_maps</a>.  Specifically, this does not support the
+<a href="postconf.5.html#transport_maps">transport_maps</a> syntax for null transport, null nexthop, or null
+email addresses. </p>
 
 <p> For safety reasons, this feature does not allow $number
 substitutions in regular expression maps. </p>
@@ -11287,12 +11328,15 @@ client commands. </p>
 
 <ul>
 
-<li> <p> Use "<a href="postconf.5.html#resolve_numeric_domain">resolve_numeric_domain</a> = yes" to accept "<i>user@ipaddress</i>"
-Postfix already accepts the correct form "<i>user@[ipaddress]</i>".
-</p>
+<li> <p> Use "<a href="postconf.5.html#resolve_numeric_domain">resolve_numeric_domain</a> = yes" to accept
+"<i>user@ipaddress</i>". </p>
+
+<li> <p> Postfix already accepts the correct form
+"<i>user@[ipaddress]</i>".  </p>
 
 <li> <p> Use "<a href="postconf.5.html#strict_rfc821_envelopes">strict_rfc821_envelopes</a> = no" to accept "<i>User Name
-&lt;user@example.com&gt;</i>". </p>
+&lt;user@example.com&gt;</i>". Postfix will ignore the "User Name"
+part before delivering the mail. </p>
 
 </ul>
 
diff --git a/postfix/html/postscreen.8.html b/postfix/html/postscreen.8.html
index a0abf42cc..b90d47a14 100644
--- a/postfix/html/postscreen.8.html
+++ b/postfix/html/postscreen.8.html
@@ -14,41 +14,33 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
 
 <b>DESCRIPTION</b>
        The Postfix <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server performs triage on multi-
-       ple inbound SMTP  connections  in  parallel.   By  running
-       time-consuming tests in parallel in <a href="postscreen.8.html"><b>postscreen</b>(8)</a>, zombies
-       and other bogus clients can be kept away from Postfix SMTP
-       server processes. Thus, more Postfix SMTP server processes
-       remain available for legitimate clients.
-
-       This triage process involves a number of tests, documented
-       below.  The tests introduce a delay of a few seconds; once
-       a client passes the tests, its IP address  is  temporarily
-       whitelisted, typically for 24 hours.
-
-       The program can run in two basic modes.
-
-       <b>Observation mode</b>
-              <a href="postscreen.8.html"><b>postscreen</b>(8)</a> reports the results of the tests, and
-              forwards all connections to  a  real  Postfix  SMTP
-              server process.
-
-       <b>Enforcement mode</b>
-              <a href="postscreen.8.html"><b>postscreen</b>(8)</a> reports the results of the tests, but
-              forwards only connections to  a  real  SMTP  server
-              process from clients that passed the tests.
-
-              <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  disconnects  clients  that  fail the
-              tests, after sending a 521 status message (a future
-              version  may  pass  the  connection to a dummy SMTP
-              protocol engine  that  logs  sender  and  recipient
-              information).
-
-       Note:  <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  is not an SMTP proxy; this is inten-
-       tional. The purpose is to  prioritize  legitimate  clients
+       ple  inbound   SMTP   connections   in   parallel.   While
+       <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  keeps  zombies and other bogus clients away
+       from Postfix SMTP  server  processes,  more  Postfix  SMTP
+       server  processes remain available for legitimate clients.
+
+<b>GENERAL OPERATION</b>
+       The triage process involves a  number  of  tests,  in  the
+       order as described below.  Some tests introduce a delay of
+       a few seconds.  Once a client passes  all  tests,  its  IP
+       address  is temporarily excluded from the tests, typically
+       for 24 hours.  This minimizes the impact of the  tests  on
+       legitimate mail clients.
+
+       After  logging  the  result of its tests, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> by
+       default forwards all connections to  a  real  SMTP  server
+       process.  This mode is useful for non-destructive testing.
+
+       In a typical production setting, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> is  config-
+       ured to disconnect clients that fail some tests.  A future
+       implementation may pass the connection  to  a  dummy  SMTP
+       protocol engine that logs sender and recipient information
+       before hanging up.
+
+       Note: <a href="postscreen.8.html"><b>postscreen</b>(8)</a> is not an SMTP proxy; this  is  inten-
+       tional.  The  purpose  is to prioritize legitimate clients
        with as little overhead as possible.
 
-       <a href="postscreen.8.html"><b>postscreen</b>(8)</a> performs tests in the order described below.
-
 <b>1. PERMANENT WHITELIST TEST</b>
        The  <a href="postconf.5.html#postscreen_whitelist_networks">postscreen_whitelist_networks</a>   parameter   (default:
        $<a href="postconf.5.html#mynetworks">mynetworks</a>)  specifies  a  permanent  whitelist  for SMTP
@@ -75,11 +67,10 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
        The  <a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a>  parameter  specifies the
        action that is taken next:
 
-       <b>continue</b> (default, observation mode)
+       <b>continue</b> (default)
               Continue with the SMTP GREETING PHASE TESTS  below.
 
-       <b>drop</b> (enforcement mode)
-              Drop  the  connection  immediately  with a 521 SMTP
+       <b>drop</b>   Drop  the  connection  immediately  with a 521 SMTP
               reply.  In a future implementation, the  connection
               may  instead  be  passed  to  a dummy SMTP protocol
               engine that logs sender and recipient  information.
@@ -156,14 +147,13 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
        The <a href="postconf.5.html#postscreen_greet_action">postscreen_greet_action</a> parameter specifies the action
        that is taken next:
 
-       <b>continue</b> (default, observation mode)
+       <b>continue</b> (default)
               Wait   until  the  <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a>  time  has
               elapsed, then report DNSBL lookup results if appli-
               cable. Either perform DNSBL-related actions or for-
               ward the connection to a real SMTP server  process.
 
-       <b>drop</b> (enforcement mode)
-              Drop  the  connection  immediately  with a 521 SMTP
+       <b>drop</b>   Drop  the  connection  immediately  with a 521 SMTP
               reply.  In a future implementation, the  connection
               may  instead  be  passed  to  a dummy SMTP protocol
               engine that logs sender and recipient  information.
@@ -178,14 +168,13 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
        The  <a href="postconf.5.html#postscreen_hangup_action">postscreen_hangup_action</a> specifies the action that is
        taken next:
 
-       <b>continue</b> (default, observation mode)
+       <b>continue</b> (default)
               Wait  until  the  <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a>  time   has
               elapsed, then report DNSBL lookup results if appli-
               cable. Do not forward the broken  connection  to  a
               real SMTP server process.
 
-       <b>drop</b> (enforcement mode)
-              Drop the connection immediately.
+       <b>drop</b>   Drop the connection immediately.
 
 <b>4C. DNS BLOCKLIST TEST</b>
        The   <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a>  parameter  (default:  empty)
@@ -205,12 +194,11 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
        The <a href="postconf.5.html#postscreen_dnsbl_action">postscreen_dnsbl_action</a> parameter specifies the action
        that is taken next:
 
-       <b>continue</b> (default, observation mode)
+       <b>continue</b> (default)
               Forward  the  connection  to  a  real  SMTP  server
               process.
 
-       <b>drop</b> (enforcement mode)
-              Drop  the  connection  immediately  with a 521 SMTP
+       <b>drop</b>   Drop  the  connection  immediately  with a 521 SMTP
               reply.  In a future implementation, the  connection
               may  instead  be  passed  to  a dummy SMTP protocol
               engine that logs sender and recipient  information.
diff --git a/postfix/html/qmgr.8.html b/postfix/html/qmgr.8.html
index de1b0c0bf..9025c1cbb 100644
--- a/postfix/html/qmgr.8.html
+++ b/postfix/html/qmgr.8.html
@@ -199,6 +199,13 @@ QMGR(8)                                                                QMGR(8)
               Allow  a sender or recipient address to have `-' as
               the first character.
 
+       Available with Postfix version 2.7 and later:
+
+       <b><a href="postconf.5.html#legacy_filter_nexthop">legacy_filter_nexthop</a> (no)</b>
+              When a FILTER command does not specify  a  destina-
+              tion,  force  the  destination  to  be $<a href="postconf.5.html#myhostname">myhostname</a>,
+              instead of using the recipient domain.
+
 <b>ACTIVE QUEUE CONTROLS</b>
        <b><a href="postconf.5.html#qmgr_clog_warn_time">qmgr_clog_warn_time</a> (300s)</b>
               The minimal delay between warnings that a  specific
diff --git a/postfix/html/verify.8.html b/postfix/html/verify.8.html
index 60df931ee..7fa70cdf2 100644
--- a/postfix/html/verify.8.html
+++ b/postfix/html/verify.8.html
@@ -118,8 +118,8 @@ VERIFY(8)                                                            VERIFY(8)
        Available with Postfix 2.7 and later:
 
        <b><a href="postconf.5.html#address_verify_cache_cleanup_interval">address_verify_cache_cleanup_interval</a> (12h)</b>
-              The  amount of time between <a href="verify.8.html"><b>verify</b>(8)</a> cache cleanup
-              runs.
+              The  amount of time between <a href="verify.8.html"><b>verify</b>(8)</a> address veri-
+              fication database cleanup runs.
 
 <b>PROBE MESSAGE ROUTING CONTROLS</b>
        By default, probe messages  are  delivered  via  the  same
diff --git a/postfix/man/man5/access.5 b/postfix/man/man5/access.5
index 1fb511c80..17b816abb 100644
--- a/postfix/man/man5/access.5
+++ b/postfix/man/man5/access.5
@@ -185,9 +185,22 @@ defer actions. See "ENHANCED STATUS CODES" below.
 Reject the address etc. that matches the pattern, and respond with
 the numerical three-digit code and text. \fB4\fINN\fR means "try
 again later", while \fB5\fINN\fR means "do not try again".
+
+The following responses have special meaning for the Postfix
+SMTP server:
+.RS
+.IP "\fB421 \fItext\fR (Postfix 2.3 and later)"
+.IP "\fB521 \fItext\fR (Postfix 2.6 and later)"
+After responding with the numerical three-digit code and
+text, disconnect immediately from the SMTP client.  This
+frees up SMTP server resources so that they can be made
+available to another SMTP client.
 .IP
-The reply code "421" causes Postfix to disconnect immediately
-(Postfix version 2.3 and later).
+Note: The "521" response should be used only with botnets
+and other malware where interoperability is of no concern.
+The "send 521 and disconnect" behavior is NOT defined in
+the SMTP standard.
+.RE
 .IP "\fBREJECT \fIoptional text...\fR
 Reject the address etc. that matches the pattern. Reply with
 "\fB$access_map_reject_code \fIoptional text...\fR" when the
@@ -254,18 +267,37 @@ prevents Postfix from trying substrings of the lookup key
 This feature is available in Postfix 2.0 and later.
 .IP "\fBFILTER \fItransport:destination\fR"
 After the message is queued, send the entire message through
-the specified external content filter. The \fItransport:destination\fR
-syntax is described in the \fBtransport\fR(5) manual page.
-More information
-about external content filters is in the Postfix FILTER_README file.
+the specified external content filter. The \fItransport\fR
+name specifies the first field of a mail delivery agent
+definition in master.cf; the syntax of \fIdestination\fR
+is described in the manual page of the corresponding delivery
+agent.  More information about external content filters is
+in the Postfix FILTER_README file.
+.sp
+Note 1: do not use $\fInumber\fR regular expression
+substitutions for \fItransport\fR or \fIdestination\fR
+unless you know that the information has a trusted origin.
+.sp
+Note 2: this action overrides the main.cf \fBcontent_filter\fR
+setting, and affects all recipients of the message. In the
+case that multiple \fBFILTER\fR actions fire, only the last
+one is executed.
 .sp
-Note: this action overrides the \fBcontent_filter\fR setting,
-and currently affects all recipients of the message.
+Note 3: the purpose of the FILTER command is to override
+message routing.  To override the recipient's \fItransport\fR
+but not \fIdestination\fR, specify an empty \fIdestination\fR
+(Postfix 2.7 and later), or specify a \fItransport:destination\fR
+that delivers through a different Postfix instance (Postfix
+2.6 and earlier). Other options are using the recipient-dependent
+\fBtrans\%port\%_maps\fR or the sen\%der-dependent
+\fBsender\%_de\%pen\%dent_default_trans\%port\%_maps\fR
+features.
 .sp
 This feature is available in Postfix 2.0 and later.
 .IP "\fBHOLD \fIoptional text...\fR"
-Place the message on the \fBhold\fR queue, where it will sit
-until someone either deletes it or releases it for delivery.
+Place the message on the \fBhold\fR queue, where it will
+sit until someone either deletes it or releases it for
+delivery.
 Log the optional text if specified, otherwise log a generic
 message.
 
diff --git a/postfix/man/man5/header_checks.5 b/postfix/man/man5/header_checks.5
index 29d7984f6..b99752c35 100644
--- a/postfix/man/man5/header_checks.5
+++ b/postfix/man/man5/header_checks.5
@@ -168,15 +168,32 @@ For backwards compatibility reasons, Postfix also accepts
 .sp
 This feature is available in Postfix 2.1 and later.
 .IP "\fBFILTER \fItransport:destination\fR"
-Write a content filter request to the queue file, and
-inspect the next input line.
-After the complete message is received it will be sent through
-the specified external content filter.  More information about
-external content filters is in the Postfix FILTER_README file.
+After the message is queued, send the entire message through
+the specified external content filter. The \fItransport\fR
+name specifies the first field of a mail delivery agent
+definition master.cf; the syntax of \fIdestination\fR is
+described in the manual page of the corresponding delivery
+agent.  More information about external content filters is
+in the Postfix FILTER_README file.
 .sp
-Note: this action overrides the \fBcontent_filter\fR setting,
-and affects all recipients of the message. In the case that multiple
-\fBFILTER\fR actions fire, only the last one is executed.
+Note 1: do not use $\fInumber\fR regular expression
+substitutions for \fItransport\fR or \fIdestination\fR
+unless you know that the information has a trusted origin.
+.sp
+Note 2: this action overrides the main.cf \fBcontent_filter\fR
+setting, and affects all recipients of the message. In the
+case that multiple \fBFILTER\fR actions fire, only the last
+one is executed.
+.sp
+Note 3: the purpose of the FILTER command is to override
+message routing.  To override the recipient's \fItransport\fR
+but not \fIdestination\fR, specify an empty \fIdestination\fR
+(Postfix 2.7 and later), or specify a \fItransport:destination\fR
+that delivers through a different Postfix instance (Postfix
+2.6 and earlier). Other options are using the recipient-dependent
+\fBtrans\%port\%_maps\fR or the sen\%der-dependent
+\fBsender\%_de\%pen\%dent_default_trans\%port\%_maps\fR
+features.
 .sp
 This feature is available in Postfix 2.0 and later.
 .IP "\fBHOLD \fIoptional text...\fR"
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index d58f43a00..2a613a2f9 100644
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -83,6 +83,12 @@ database cleanup runs. This feature requires that the database
 supports the "delete" and "sequence" operators.  Specify a zero
 interval to disable database cleanup.
 .PP
+After each database cleanup run, the \fBverify\fR(8) daemon logs the
+number of entries that were retained and dropped. A cleanup run is
+logged as "partial" when the daemon terminates early after "\fBpostfix
+reload\fR", "\fBpostfix stop\fR", or no requests for $max_idle
+seconds.
+.PP
 Time units: s (seconds), m (minutes), h (hours), d (days), w
 (weeks).
 .PP
@@ -102,20 +108,21 @@ Lookup table for persistent address verification status
 storage.  The table is maintained by the \fBverify\fR(8) service, and
 is opened before the process releases privileges.
 .PP
-The lookup table is persistent by default as of Postfix version
-2.7. Specify an empty table name to keep the information in volatile
+The lookup table is persistent by default (Postfix 2.7 and later).
+Specify an empty table name to keep the information in volatile
 memory which is lost after "\fBpostfix reload\fR" or "\fBpostfix
-stop\fR" (this is default with earlier Postfix versions).
+stop\fR". This is the default with Postfix version 2.6 and earlier.
 .PP
 Specify a location in a file system that will not fill up. If the
 database becomes corrupted, the world comes to an end. To recover
 delete (NOT: truncate) the file and do "\fBpostfix reload\fR".
 .PP
-As of version 2.5, Postfix no longer uses root privileges when
-opening this file. The file must now be stored under a Postfix-owned
-directory such as the data_directory. As a migration aid, an attempt
-to open the file under a non-Postfix directory is redirected to the
-Postfix-owned data_directory, and a warning is logged.
+Postfix daemon processes do not use root privileges when opening
+this file (Postfix 2.5 and later).  The file must therefore be
+stored under a Postfix-owned directory such as the data_directory.
+As a migration aid, an attempt to open the file under a non-Postfix
+directory is redirected to the Postfix-owned data_directory, and a
+warning is logged.
 .PP
 Examples:
 .PP
@@ -154,11 +161,10 @@ This feature is available in Postfix 2.1 and later.
 How many times to query the \fBverify\fR(8) service for the completion
 of an address verification request in progress.
 .PP
-With Postfix version 2.7 and later, the SMTP server polls the
-\fBverify\fR(8) service up to three times under non-overload conditions,
-and only once when under overload.  With earlier Postfix versions,
-the SMTP server always polls the \fBverify\fR(8) service up to three
-times.
+The Postfix SMTP server polls the \fBverify\fR(8) service up to three
+times under non-overload conditions, and only once when under
+overload.  With Postfix version 2.6 and earlier, the SMTP server
+always polls the \fBverify\fR(8) service up to three times.
 .PP
 Specify 1 to implement a crude form of greylisting, that is, always
 defer the first delivery request for a new address.
@@ -670,11 +676,11 @@ of failed delivery attempts and generates non-delivery notifications.
 This feature is available in Postfix 2.0 and later.
 .SH bounce_size_limit (default: 50000)
 The maximal amount of original message text that is sent in a
-non-delivery notification. Specify a byte count. With Postfix 2.4
-and later, a message is returned as either message/rfc822 (the
-complete original) or as text/rfc822-headers (the headers only).
-With earlier Postfix versions, a message is always returned as
-message/rfc822 and is truncated when it exceeds the size limit.
+non-delivery notification. Specify a byte count.  A message is
+returned as either message/rfc822 (the complete original) or as
+text/rfc822-headers (the headers only).  With Postfix version 2.4
+and earlier, a message is always returned as message/rfc822 and is
+truncated when it exceeds the size limit.
 .PP
 Notes:
 .IP \(bu
@@ -844,13 +850,24 @@ maximum allowed TTL. The purpose of this additional control is to
 protect the infrastructure against careless people. The cache TTL
 is already bounded by $max_idle.
 .SH content_filter (default: empty)
-The name of a mail delivery transport that filters mail after
-it is queued.
+After the message is queued, send the entire message to the
+specified \fItransport:destination\fR. The \fItransport\fR name
+specifies the first field of a mail delivery agent definition in
+master.cf; the syntax of \fIdestination\fR is described in the
+manual page of the corresponding delivery agent.  More information
+about external content filters is in the Postfix FILTER_README file.
 .PP
-This parameter uses the same syntax as the right-hand side of a
-Postfix \fBtransport\fR(5) table. This setting has a lower precedence
-than a content filter that is specified with an \fBaccess\fR(5) table or
-in a \fBheader_checks\fR(5) or \fBbody_checks\fR(5) table.
+Notes:
+.IP \(bu
+This setting has a lower precedence than a content filter that
+is specified with an \fBaccess\fR(5) table or in a \fBheader_checks\fR(5) or
+\fBbody_checks\fR(5) table.
+.IP \(bu
+The meaning of an empty filter \fIdestination\fR is version
+dependent.  Postfix 2.7 and later will use the recipient domain;
+earlier versions will use $myhostname.  Specify "legacy_filter_nexthop
+= yes" for compatibility with Postfix 2.6 or earlier, or specify
+a non-empty filter \fIdestination\fR.
 .SH cyrus_sasl_config_path (default: empty)
 Search path for Cyrus SASL application configuration files,
 currently used only to locate the $smtpd_sasl_path.conf file.
@@ -1120,7 +1137,8 @@ Time units: s (seconds), m (minutes), h (hours), d (days), w
 (weeks). The default time unit is s (seconds).
 .PP
 NOTE: the delay is enforced by the queue manager. The delay
-timer state does not survive "postfix reload" or "postfix stop".
+timer state does not survive "\fBpostfix reload\fR" or "\fBpostfix
+stop\fR".
 .PP
 Use \fItransport\fR_destination_rate_delay to specify a
 transport-specific override, where \fItransport\fR is the master.cf
@@ -1346,7 +1364,7 @@ a = time from message arrival to last active queue entry
 .IP \(bu
 b = time from last active queue entry to connection setup
 .IP \(bu
-c = time in connection setup, including DNS, EHLO and TLS
+c = time in connection setup, including DNS, EHLO and STARTTLS
 .IP \(bu
 d = time in message transmission
 .PP
@@ -1938,6 +1956,13 @@ Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
 The default time unit is s (seconds).
 .PP
 This feature is available in Postfix 2.1 and later.
+.SH legacy_filter_nexthop (default: no)
+When a FILTER command does not specify a destination, force the
+destination to be $myhostname, instead of using the recipient domain.
+Specify "legacy_filter_nexthop = yes" for compatibility with Postfix
+version 2.6 and earlier, or specify a non-empty filter destination.
+.PP
+This feature is available in Postfix 2.7 and later.
 .SH line_length_limit (default: 2048)
 Upon input, long lines are chopped up into pieces of at most
 this length; upon delivery, long lines are reconstructed.
@@ -3696,6 +3721,12 @@ therefore not be run frequently. This feature requires that the
 cache database supports the "delete" and "sequence" operators.
 Specify a zero interval to disable cache cleanup.
 .PP
+After each cache cleanup run, the \fBpostscreen\fR(8) daemon logs the
+number of entries that were retained and dropped. A cleanup run is
+logged as "partial" when the daemon terminates early after "\fBpostfix
+reload\fR", "\fBpostfix stop\fR", or no requests for $max_idle
+seconds.
+.PP
 Time units: s (seconds), m (minutes), h (hours), d (days), w
 (weeks).
 .PP
@@ -4002,8 +4033,9 @@ The minimal amount of free space in bytes in the queue file system
 that is needed to receive mail.  This is currently used by the SMTP
 server to decide if it will accept any mail at all.
 .PP
-By default, the Postfix version 2.1 SMTP server rejects MAIL FROM commands
-when the amount of free space is less than 1.5*$message_size_limit.
+By default, the Postfix SMTP server rejects MAIL FROM commands when
+the amount of free space is less than 1.5*$message_size_limit
+(Postfix version 2.1 and later).
 To specify a higher minimum free space limit, specify a queue_minfree
 value that is at least 1.5*$message_size_limit.
 .PP
@@ -4527,9 +4559,10 @@ without overriding the global default_transport parameter setting.
 This information is overruled with the \fBtransport\fR(5) table.
 .PP
 Note: this overrides default_transport, not transport_maps, and
-therefore the expected syntax is that of default_transport.  This
-feature does not support the transport_maps syntax for null transport,
-null nexthop, or null email addresses.
+therefore the expected syntax is that of default_transport, not the
+syntax of transport_maps.  Specifically, this does not support the
+transport_maps syntax for null transport, null nexthop, or null
+email addresses.
 .PP
 For safety reasons, this feature does not allow $number
 substitutions in regular expression maps.
@@ -6932,11 +6965,15 @@ server.
 Postfix already implements a number of workarounds for malformed
 client commands.
 .IP \(bu
-Use "resolve_numeric_domain = yes" to accept "\fIuser@ipaddress\fR"
-Postfix already accepts the correct form "\fIuser@[ipaddress]\fR".
+Use "resolve_numeric_domain = yes" to accept
+"\fIuser@ipaddress\fR".
+.IP \(bu
+Postfix already accepts the correct form
+"\fIuser@[ipaddress]\fR".
 .IP \(bu
 Use "strict_rfc821_envelopes = no" to accept "\fIUser Name
-<user@example.com>\fR".
+<user@example.com>\fR". Postfix will ignore the "User Name"
+part before delivering the mail.
 .PP
 Examples:
 .PP
diff --git a/postfix/man/man8/oqmgr.8 b/postfix/man/man8/oqmgr.8
index 1c781481a..9b4fbfb33 100644
--- a/postfix/man/man8/oqmgr.8
+++ b/postfix/man/man8/oqmgr.8
@@ -183,6 +183,11 @@ Available before Postfix version 2.5:
 .IP "\fBallow_min_user (no)\fR"
 Allow a sender or recipient address to have `-' as the first
 character.
+.PP
+Available with Postfix version 2.7 and later:
+.IP "\fBlegacy_filter_nexthop (no)\fR"
+When a FILTER command does not specify a destination, force the
+destination to be $myhostname, instead of using the recipient domain.
 .SH "ACTIVE QUEUE CONTROLS"
 .na
 .nf
diff --git a/postfix/man/man8/postscreen.8 b/postfix/man/man8/postscreen.8
index 6f08bea79..ea3e7d941 100644
--- a/postfix/man/man8/postscreen.8
+++ b/postfix/man/man8/postscreen.8
@@ -13,37 +13,35 @@ Postfix SMTP triage server
 .ad
 .fi
 The Postfix \fBpostscreen\fR(8) server performs triage on
-multiple inbound SMTP connections in parallel.  By running
-time-consuming tests in parallel in \fBpostscreen\fR(8),
-zombies and other bogus clients can be kept away from Postfix
-SMTP server processes. Thus, more Postfix SMTP server
-processes remain available for legitimate clients.
+multiple inbound SMTP connections in parallel. While
+\fBpostscreen\fR(8) keeps zombies and other bogus clients
+away from Postfix SMTP server processes, more Postfix SMTP
+server processes remain available for legitimate clients.
+.SH "GENERAL OPERATION"
+.na
+.nf
+.ad
+.fi
+The triage process involves a number of tests, in the order
+as described below.  Some tests introduce a delay of a few
+seconds.  Once a client passes all tests, its IP address
+is temporarily excluded from the tests, typically for 24
+hours.  This minimizes the impact of the tests on legitimate
+mail clients.
 
-This triage process involves a number of tests, documented
-below.  The tests introduce a delay of a few seconds; once
-a client passes the tests, its IP address is temporarily
-whitelisted, typically for 24 hours.
+After logging the result of its tests, \fBpostscreen\fR(8)
+by default forwards all connections to a real SMTP server
+process. This mode is useful for non-destructive testing.
+
+In a typical production setting, \fBpostscreen\fR(8) is
+configured to disconnect clients that fail some tests.  A
+future implementation may pass the connection to a dummy
+SMTP protocol engine that logs sender and recipient information
+before hanging up.
 
-The program can run in two basic modes.
-.IP "\fBObservation mode\fR"
-\fBpostscreen\fR(8) reports the results of the tests, and
-forwards all connections to a real Postfix SMTP server
-process.
-.IP "\fBEnforcement mode\fR"
-\fBpostscreen\fR(8) reports the results of the tests, but
-forwards only connections to a real SMTP server process
-from clients that passed the tests.
-.sp
-\fBpostscreen\fR(8) disconnects clients that fail the tests,
-after sending a 521 status message (a future version may
-pass the connection to a dummy SMTP protocol engine that
-logs sender and recipient information).
-.PP
 Note: \fBpostscreen\fR(8) is not an SMTP proxy; this is
 intentional. The purpose is to prioritize legitimate clients
 with as little overhead as possible.
-
-\fBpostscreen\fR(8) performs tests in the order described below.
 .SH 1. PERMANENT WHITELIST TEST
 .ad
 .fi
@@ -76,9 +74,9 @@ this is logged as:
 .sp
 The postscreen_blacklist_action parameter specifies the
 action that is taken next:
-.IP "\fBcontinue\fR (default, observation mode)"
+.IP "\fBcontinue\fR (default)"
 Continue with the SMTP GREETING PHASE TESTS below.
-.IP "\fBdrop\fR (enforcement mode)"
+.IP \fBdrop\fR
 Drop the connection immediately with a 521 SMTP reply.  In
 a future implementation, the connection may instead be
 passed to a dummy SMTP protocol engine that logs sender and
@@ -164,12 +162,12 @@ bytes, and with non-printable characters replaced with "?").
 
 The postscreen_greet_action parameter specifies the action
 that is taken next:
-.IP "\fBcontinue\fR (default, observation mode)"
+.IP "\fBcontinue\fR (default)"
 Wait until the postscreen_greet_wait time has elapsed, then
 report DNSBL lookup results if applicable. Either perform
 DNSBL-related actions or forward the connection to a real
 SMTP server process.
-.IP "\fBdrop\fR (enforcement mode)"
+.IP \fBdrop\fR
 Drop the connection immediately with a 521 SMTP reply.
 In a future implementation, the connection may instead be passed
 to a dummy SMTP protocol engine that logs sender and recipient
@@ -187,11 +185,11 @@ logged as:
 .sp
 The postscreen_hangup_action specifies the action
 that is taken next:
-.IP "\fBcontinue\fR (default, observation mode)"
+.IP "\fBcontinue\fR (default)"
 Wait until the postscreen_greet_wait time has elapsed, then
 report DNSBL lookup results if applicable. Do not forward
 the broken connection to a real SMTP server process.
-.IP "\fBdrop\fR (enforcement mode)"
+.IP \fBdrop\fR
 Drop the connection immediately.
 .SH 4C. DNS BLOCKLIST TEST
 .ad
@@ -215,9 +213,9 @@ server returns.
 
 The postscreen_dnsbl_action parameter specifies the action
 that is taken next:
-.IP "\fBcontinue\fR (default, observation mode)"
+.IP "\fBcontinue\fR (default)"
 Forward the connection to a real SMTP server process.
-.IP "\fBdrop\fR (enforcement mode)"
+.IP \fBdrop\fR
 Drop the connection immediately with a 521 SMTP reply.
 In a future implementation, the connection may instead be passed
 to a dummy SMTP protocol engine that logs sender and recipient
diff --git a/postfix/man/man8/qmgr.8 b/postfix/man/man8/qmgr.8
index 8dd459e68..4bbfd5777 100644
--- a/postfix/man/man8/qmgr.8
+++ b/postfix/man/man8/qmgr.8
@@ -187,6 +187,11 @@ Available before Postfix version 2.5:
 .IP "\fBallow_min_user (no)\fR"
 Allow a sender or recipient address to have `-' as the first
 character.
+.PP
+Available with Postfix version 2.7 and later:
+.IP "\fBlegacy_filter_nexthop (no)\fR"
+When a FILTER command does not specify a destination, force the
+destination to be $myhostname, instead of using the recipient domain.
 .SH "ACTIVE QUEUE CONTROLS"
 .na
 .nf
diff --git a/postfix/man/man8/verify.8 b/postfix/man/man8/verify.8
index e7d0b96e1..f6646a7c3 100644
--- a/postfix/man/man8/verify.8
+++ b/postfix/man/man8/verify.8
@@ -116,7 +116,8 @@ be refreshed.
 .PP
 Available with Postfix 2.7 and later:
 .IP "\fBaddress_verify_cache_cleanup_interval (12h)\fR"
-The amount of time between \fBverify\fR(8) cache cleanup runs.
+The amount of time between \fBverify\fR(8) address verification
+database cleanup runs.
 .SH "PROBE MESSAGE ROUTING CONTROLS"
 .na
 .nf
diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink
index c01171bfc..7cd756375 100755
--- a/postfix/mantools/postlink
+++ b/postfix/mantools/postlink
@@ -147,7 +147,7 @@ while (<>) {
     s;\bdefault_recipi[-</bB>]*\n* *[<bB>]*ent_refill_delay\b;<a href="postconf.5.html#default_recipient_refill_delay">$&</a>;g;
     s;\bdefault_recip[-</bB>]*\n* *[<bB>]*ient_limit\b;<a href="postconf.5.html#default_recipient_limit">$&</a>;g;
     s;\bdefault_transport\b;<a href="postconf.5.html#default_transport">$&</a>;g;
-    s;\bsender_depen[-</bB>]*\n* *[<bB>]*dent_default_trans[-</bB>]*\n* *[<bB>]*port_maps\b;<a href="postconf.5.html#sender_dependent_default_transport_maps">$&</a>;g;
+    s;\bsender[-</bB>]*\n* *[<bB>]*_de[-</bB>]*\n* *[<bB>]*pen[-</bB>]*\n* *[<bB>]*dent_de[-</bB>]*\n* *[<bB>]*fault[-</bB>]*\n* *[<bB>]*_trans[-</bB>]*\n* *[<bB>]*port[-</bB>]*\n* *[<bB>]*_maps\b;<a href="postconf.5.html#sender_dependent_default_transport_maps">$&</a>;g;
     s;\bempty_address_default_transport_maps_lookup_key\b;<a href="postconf.5.html#empty_address_default_transport_maps_lookup_key">$&</a>;g;
     s;\bdefault_verp_delimiters\b;<a href="postconf.5.html#default_verp_delimiters">$&</a>;g;
     s;\bdefer_code\b;<a href="postconf.5.html#defer_code">$&</a>;g;
@@ -355,6 +355,7 @@ while (<>) {
     s;\bproxy_write_maps\b;<a href="postconf.5.html#proxy_write_maps">$&</a>;g;
     s;\bqmgr_clog_warn_time\b;<a href="postconf.5.html#qmgr_clog_warn_time">$&</a>;g;
     s;\bqmgr_fudge_factor\b;<a href="postconf.5.html#qmgr_fudge_factor">$&</a>;g;
+    s;\blegacy_filter_nexthop\b;<a href="postconf.5.html#legacy_filter_nexthop">$&</a>;g;
     s;\bqmgr_message_active_limit\b;<a href="postconf.5.html#qmgr_message_active_limit">$&</a>;g;
     s;\bqmgr_message_recip[-</bB>]*\n* *[<bB>]*ient_limit\b;<a href="postconf.5.html#qmgr_message_recipient_limit">$&</a>;g;
     s;\bqmgr_message_recip[-</bB>]*\n* *[<bB>]*ient_minimum\b;<a href="postconf.5.html#qmgr_message_recipient_minimum">$&</a>;g;
@@ -404,7 +405,7 @@ while (<>) {
     s;\bsender_bcc_maps\b;<a href="postconf.5.html#sender_bcc_maps">$&</a>;g;
     s;\bsender_canonical_classes\b;<a href="postconf.5.html#sender_canonical_classes">$&</a>;g;
     s;\bsender_canonical_maps\b;<a href="postconf.5.html#sender_canonical_maps">$&</a>;g;
-    s;\bsender_dependent_relay[-</bB>]*\n*[ <bB>]*host_maps\b;<a href="postconf.5.html#sender_dependent_relayhost_maps">$&</a>;g;
+    s;\bsender_de[-</bB>]*\n* *[<bB>]*pendent_relay[-</bB>]*\n*[ <bB>]*host_maps\b;<a href="postconf.5.html#sender_dependent_relayhost_maps">$&</a>;g;
     s;\bempty_address_relayhost_maps_lookup_key\b;<a href="postconf.5.html#empty_address_relayhost_maps_lookup_key">$&</a>;g;
     s;\bsendmail_path\b;<a href="postconf.5.html#sendmail_path">$&</a>;g;
     s;\bservice_throttle_time\b;<a href="postconf.5.html#service_throttle_time">$&</a>;g;
@@ -546,7 +547,7 @@ while (<>) {
     s;\bsyslog_facility\b;<a href="postconf.5.html#syslog_facility">$&</a>;g;
     s;\bsyslog_name\b;<a href="postconf.5.html#syslog_name">$&</a>;g;
     s;\btrace_service_name\b;<a href="postconf.5.html#trace_service_name">$&</a>;g;
-    s;\btransport_maps\b;<a href="postconf.5.html#transport_maps">$&</a>;g;
+    s;\btrans[-</bB>]*\n* *[<bB>]*port[-</bB>]*\n* *[<bB>]*_maps\b;<a href="postconf.5.html#transport_maps">$&</a>;g;
     s;\btransport_retry_time\b;<a href="postconf.5.html#transport_retry_time">$&</a>;g;
     s;\btrigger_timeout\b;<a href="postconf.5.html#trigger_timeout">$&</a>;g;
     s;\btcp_windowsize\b;<a href="postconf.5.html#tcp_windowsize">$&</a>;g;
diff --git a/postfix/proto/ADDRESS_VERIFICATION_README.html b/postfix/proto/ADDRESS_VERIFICATION_README.html
index 4f8d55e3a..e8f50df60 100644
--- a/postfix/proto/ADDRESS_VERIFICATION_README.html
+++ b/postfix/proto/ADDRESS_VERIFICATION_README.html
@@ -454,13 +454,18 @@ they expire.  Postfix uses different controls for positive results
 (address was accepted) and for negative results (address was rejected,
 or address verification failed for some other reason). </p>
 
-<p> Current Postfix versions will periodically remove expired entries
-from the address verification database. With Postfix version 2.6
-and earlier, database cleanup had to be done as described next. </p>
-
-<p> If the address verification database file becomes too big, or
-if it becomes corrupted, the solution is to manually rename or
-delete (NOT: truncate) the file and run "postfix reload".  The
+<p> The verify(8) daemon will periodically remove expired entries
+from the address verification database, and log the number of entries
+retained and dropped (Postfix versions 2.7 and later). A cleanup
+run is logged as "partial" when the daemon terminates early because
+of "postfix reload, "postfix stop", or because the daemon received
+no requests for $max_idle seconds.  Postfix versions 2.6 and earlier
+do not implement automatic address verification database cleanup.
+There, the database is managed manually as described next. </p>
+
+<p> When the address verification database file becomes too big,
+or when it becomes corrupted, the solution is to manually rename
+or delete (NOT: truncate) the file and run "postfix reload".  The
 verify(8) daemon will then create a new database file.  </p>
 
 <h2><a name="probe_routing">Controlling the routing of address
diff --git a/postfix/proto/CONNECTION_CACHE_README.html b/postfix/proto/CONNECTION_CACHE_README.html
index 2b4fcd3fa..44685a1eb 100644
--- a/postfix/proto/CONNECTION_CACHE_README.html
+++ b/postfix/proto/CONNECTION_CACHE_README.html
@@ -268,7 +268,7 @@ deliver mail over TLS.  </p>
 multiple SASL accounts per mail server.  Specifically, Postfix
 connection caching assumes that a SASL credential is valid for all
 hostnames or domain names that deliver via the same mail server IP
-address and TCP port, and assume that the SASL credential does not
+address and TCP port, and assumes that the SASL credential does not
 depend on the message originator.  </p>
 
 </ul>
diff --git a/postfix/proto/FILTER_README.html b/postfix/proto/FILTER_README.html
index d021d8a33..ac303ab8b 100644
--- a/postfix/proto/FILTER_README.html
+++ b/postfix/proto/FILTER_README.html
@@ -396,10 +396,24 @@ filter request record to each incoming mail message, with content
 "filter:dummy". This record overrides the normal mail routing
 and causes mail to be given to the content filter instead. </p>
 
-<p> The content_filter configuration parameter accepts the same syntax
-as the right-hand side in a Postfix transport table.  </p>
-
-<li> <p> Execute "<b>postfix reload</b>" to complete the change.  </p>
+<p> The content_filter configuration parameter expects a value of
+the form <i>transport:destination</i>. The <i>transport</i> name
+specifies the first field of a mail delivery agent definition in
+master.cf; the syntax of <i>destination</i> is described in the
+manual page of the corresponding delivery agent. </p>
+
+<p> The meaning of an empty filter <i>destination</i> is version
+dependent.  Postfix 2.7 and later will use the recipient domain;
+earlier versions will use $myhostname.  Specify "legacy_filter_nexthop
+= yes" for compatibility with Postfix 2.6 or earlier, or specify a
+non-empty filter destination.  </p>
+
+<p> The content_filter setting has a lower precedence than a content
+filter that is specified with an access(5) table or in a header_checks(5)
+or body_checks(5) table. </p>
+
+<li> <p> Execute "<b>postfix reload</b>" to complete the change.
+</p>
 
 </ul>
 
@@ -590,6 +604,12 @@ specify in main.cf:  </p>
 
 <ul>
 
+<li> <p> The "receive_override_options" line disables address
+manipulation before the content filter, so that the content filter
+sees the original mail addresses instead of the result of virtual
+alias expansion, canonical mapping, automatic bcc, address
+masquerading, etc. </p>
+
 <li> <p> The "content_filter" line causes Postfix to add one content
 filter request record to each incoming mail message, with content
 "scan:localhost:10025".  The content filter request records are
@@ -602,11 +622,21 @@ queue file contains a content filter request, the queue manager
 will deliver the mail to the specified content filter regardless
 of its final destination. </p>
 
-<li> <p> The "receive_override_options" line disables address
-manipulation before the content filter, so that the content filter
-sees the original mail addresses instead of the result of virtual
-alias expansion, canonical mapping, automatic bcc, address
-masquerading, etc. </p>
+<li> <p> The content_filter configuration parameter expects a value
+of the form <i>transport:destination</i>. The <i>transport</i> name
+specifies the first field of a mail delivery agent definition in
+master.cf; the syntax of <i>destination</i> is described in the
+manual page of the corresponding delivery agent. </p>
+
+<li> <p> The meaning of an empty filter <i>destination</i> is version
+dependent.  Postfix 2.7 and later will use the recipient domain;
+earlier versions will use $myhostname.  Specify "legacy_filter_nexthop
+= yes" for compatibility with Postfix 2.6 or earlier, or specify a
+non-empty filter destination.  </p>
+
+<li> <p> The content_filter setting has a lower precedence than a
+content filter that is specified with an access(5) table or in a
+header_checks(5) or body_checks(5) table. </p>
 
 </ul>
 
diff --git a/postfix/proto/MAILDROP_README.html b/postfix/proto/MAILDROP_README.html
index 97a424ec0..4657df3ed 100644
--- a/postfix/proto/MAILDROP_README.html
+++ b/postfix/proto/MAILDROP_README.html
@@ -119,16 +119,19 @@ use the following instead: </p>
 /etc/postfix/master.cf:
     maildrop  unix  -       n       n       -       -       pipe
       flags=ODRhu user=vmail argv=/path/to/maildrop 
-      -d ${user}@${nexthop} ${extension} ${recipient} ${user} ${nexthop}
+      -d ${user}@${domain} ${extension} ${recipient} ${user} ${nexthop}
 </pre>
 </blockquote>
 
-<p> The mail is delivered to ${user}@${nexthop} (match key for
+<p> The mail is delivered to ${user}@${domain} (search key for
 maildrop userdb lookup). The ${extension} and the other address
 components are available to maildrop rules as $1, $2, $3, ...  and
 can be omitted from master.cf or ignored by maildrop when not
 needed. </p>
 
+<p> With Postfix 2.4 and earlier, use ${nexthop} instead of ${domain}.
+</p>
+
 <h2><a name="indirect">Indirect delivery via the local delivery agent</a></h2>
 
 <p> Postfix can be configured to deliver mail to maildrop via the
diff --git a/postfix/proto/access b/postfix/proto/access
index 48b6deb1a..7ddacb81b 100644
--- a/postfix/proto/access
+++ b/postfix/proto/access
@@ -165,9 +165,22 @@
 #	Reject the address etc. that matches the pattern, and respond with
 #	the numerical three-digit code and text. \fB4\fINN\fR means "try
 #	again later", while \fB5\fINN\fR means "do not try again".
+#
+#	The following responses have special meaning for the Postfix
+#	SMTP server:
+# .RS
+# .IP "\fB421 \fItext\fR (Postfix 2.3 and later)"
+# .IP "\fB521 \fItext\fR (Postfix 2.6 and later)"
+#	After responding with the numerical three-digit code and
+#	text, disconnect immediately from the SMTP client.  This
+#	frees up SMTP server resources so that they can be made
+#	available to another SMTP client.
 # .IP
-#	The reply code "421" causes Postfix to disconnect immediately
-#	(Postfix version 2.3 and later).
+#	Note: The "521" response should be used only with botnets
+#	and other malware where interoperability is of no concern.
+#	The "send 521 and disconnect" behavior is NOT defined in
+#	the SMTP standard.
+# .RE
 # .IP "\fBREJECT \fIoptional text...\fR
 #	Reject the address etc. that matches the pattern. Reply with
 #	"\fB$access_map_reject_code \fIoptional text...\fR" when the
@@ -259,18 +272,37 @@
 #	This feature is available in Postfix 2.0 and later.
 # .IP "\fBFILTER \fItransport:destination\fR"
 #	After the message is queued, send the entire message through
-#       the specified external content filter. The \fItransport:destination\fR
-#	syntax is described in the \fBtransport\fR(5) manual page.
-#	More information
-#	about external content filters is in the Postfix FILTER_README file.
+#	the specified external content filter. The \fItransport\fR
+#	name specifies the first field of a mail delivery agent
+#	definition in master.cf; the syntax of \fIdestination\fR
+#	is described in the manual page of the corresponding delivery
+#	agent.  More information about external content filters is
+#	in the Postfix FILTER_README file.
+# .sp
+#	Note 1: do not use $\fInumber\fR regular expression
+#	substitutions for \fItransport\fR or \fIdestination\fR
+#	unless you know that the information has a trusted origin.
+# .sp
+#	Note 2: this action overrides the main.cf \fBcontent_filter\fR
+#	setting, and affects all recipients of the message. In the
+#	case that multiple \fBFILTER\fR actions fire, only the last
+#	one is executed.
 # .sp
-#	Note: this action overrides the \fBcontent_filter\fR setting,
-#	and currently affects all recipients of the message.
+#	Note 3: the purpose of the FILTER command is to override
+#	message routing.  To override the recipient's \fItransport\fR
+#	but not \fIdestination\fR, specify an empty \fIdestination\fR
+#	(Postfix 2.7 and later), or specify a \fItransport:destination\fR
+#	that delivers through a different Postfix instance (Postfix
+#	2.6 and earlier). Other options are using the recipient-dependent
+#	\fBtrans\%port\%_maps\fR or the sen\%der-dependent
+#	\fBsender\%_de\%pen\%dent_default_trans\%port\%_maps\fR
+#	features.
 # .sp
 #	This feature is available in Postfix 2.0 and later.
 # .IP "\fBHOLD \fIoptional text...\fR"
-#	Place the message on the \fBhold\fR queue, where it will sit
-#	until someone either deletes it or releases it for delivery.
+#	Place the message on the \fBhold\fR queue, where it will
+#	sit until someone either deletes it or releases it for
+#	delivery.
 #	Log the optional text if specified, otherwise log a generic
 #	message.
 #
@@ -299,7 +331,7 @@
 #	This feature is available in Postfix 2.1 and later.
 # .IP "\fBREDIRECT \fIuser@domain\fR"
 #	After the message is queued, send the message to the specified
-#       address instead of the intended recipient(s).
+#	address instead of the intended recipient(s).
 # .sp
 #	Note: this action overrides the FILTER action, and currently affects
 #	all recipients of the message.
diff --git a/postfix/proto/header_checks b/postfix/proto/header_checks
index 01546c7b6..e1df4d97a 100644
--- a/postfix/proto/header_checks
+++ b/postfix/proto/header_checks
@@ -61,10 +61,10 @@
 # COMPATIBILITY
 # .ad
 # .fi
-#       With Postfix version 2.2 and earlier specify "\fBpostmap
-#       -fq\fR" to query a table that contains case sensitive
-#       patterns. By default, regexp: and pcre: patterns are case
-#       insensitive.
+#	With Postfix version 2.2 and earlier specify "\fBpostmap
+#	-fq\fR" to query a table that contains case sensitive
+#	patterns. By default, regexp: and pcre: patterns are case
+#	insensitive.
 # TABLE FORMAT
 # .ad
 # .fi
@@ -179,15 +179,32 @@
 # .sp
 #	This feature is available in Postfix 2.1 and later.
 # .IP "\fBFILTER \fItransport:destination\fR"
-#	Write a content filter request to the queue file, and
-#	inspect the next input line.
-#	After the complete message is received it will be sent through
-#	the specified external content filter.  More information about
-#	external content filters is in the Postfix FILTER_README file.
+#	After the message is queued, send the entire message through
+#	the specified external content filter. The \fItransport\fR
+#	name specifies the first field of a mail delivery agent
+#	definition master.cf; the syntax of \fIdestination\fR is
+#	described in the manual page of the corresponding delivery
+#	agent.  More information about external content filters is
+#	in the Postfix FILTER_README file.
 # .sp
-#	Note: this action overrides the \fBcontent_filter\fR setting,
-#	and affects all recipients of the message. In the case that multiple
-#	\fBFILTER\fR actions fire, only the last one is executed.
+#	Note 1: do not use $\fInumber\fR regular expression
+#	substitutions for \fItransport\fR or \fIdestination\fR
+#	unless you know that the information has a trusted origin.
+# .sp
+#	Note 2: this action overrides the main.cf \fBcontent_filter\fR
+#	setting, and affects all recipients of the message. In the
+#	case that multiple \fBFILTER\fR actions fire, only the last
+#	one is executed.
+# .sp
+#	Note 3: the purpose of the FILTER command is to override
+#	message routing.  To override the recipient's \fItransport\fR
+#	but not \fIdestination\fR, specify an empty \fIdestination\fR
+#	(Postfix 2.7 and later), or specify a \fItransport:destination\fR
+#	that delivers through a different Postfix instance (Postfix
+#	2.6 and earlier). Other options are using the recipient-dependent
+#	\fBtrans\%port\%_maps\fR or the sen\%der-dependent
+#	\fBsender\%_de\%pen\%dent_default_trans\%port\%_maps\fR
+#	features.
 # .sp
 #	This feature is available in Postfix 2.0 and later.
 # .IP "\fBHOLD \fIoptional text...\fR"
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index 716fbc5c1..113c66c80 100644
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -208,10 +208,10 @@ is opened before the process releases privileges.
 </p>
 
 <p>
-The lookup table is persistent by default as of Postfix version
-2.7. Specify an empty table name to keep the information in volatile
+The lookup table is persistent by default (Postfix 2.7 and later).
+Specify an empty table name to keep the information in volatile
 memory which is lost after "<b>postfix reload</b>" or "<b>postfix
-stop</b>" (this is default with earlier Postfix versions).
+stop</b>". This is the default with Postfix version 2.6 and earlier.
 </p>
 
 <p>
@@ -220,11 +220,12 @@ database becomes corrupted, the world comes to an end. To recover
 delete (NOT: truncate) the file and do "<b>postfix reload</b>".
 </p>
 
-<p> As of version 2.5, Postfix no longer uses root privileges when
-opening this file. The file must now be stored under a Postfix-owned
-directory such as the data_directory. As a migration aid, an attempt
-to open the file under a non-Postfix directory is redirected to the
-Postfix-owned data_directory, and a warning is logged. </p>
+<p> Postfix daemon processes do not use root privileges when opening
+this file (Postfix 2.5 and later).  The file must therefore be
+stored under a Postfix-owned directory such as the data_directory.
+As a migration aid, an attempt to open the file under a non-Postfix
+directory is redirected to the Postfix-owned data_directory, and a
+warning is logged. </p>
 
 <p>
 Examples:
@@ -289,6 +290,12 @@ database cleanup runs. This feature requires that the database
 supports the "delete" and "sequence" operators.  Specify a zero
 interval to disable database cleanup. </p>
 
+<p> After each database cleanup run, the verify(8) daemon logs the
+number of entries that were retained and dropped. A cleanup run is
+logged as "partial" when the daemon terminates early after "<b>postfix
+reload</b>", "<b>postfix stop</b>", or no requests for $max_idle
+seconds. </p>
+
 <p> Time units: s (seconds), m (minutes), h (hours), d (days), w
 (weeks). </p>
 
@@ -302,11 +309,10 @@ of an address verification request in progress.
 </p>
 
 <p>
-With Postfix version 2.7 and later, the SMTP server polls the
-verify(8) service up to three times under non-overload conditions,
-and only once when under overload.  With earlier Postfix versions,
-the SMTP server always polls the verify(8) service up to three
-times.
+The Postfix SMTP server polls the verify(8) service up to three
+times under non-overload conditions, and only once when under
+overload.  With Postfix version 2.6 and earlier, the SMTP server
+always polls the verify(8) service up to three times.
 </p>
 
 <p>
@@ -744,11 +750,11 @@ This feature is available in Postfix 2.1 and later.
 %PARAM bounce_size_limit 50000
 
 <p> The maximal amount of original message text that is sent in a
-non-delivery notification. Specify a byte count. With Postfix 2.4
-and later, a message is returned as either message/rfc822 (the
-complete original) or as text/rfc822-headers (the headers only).
-With earlier Postfix versions, a message is always returned as
-message/rfc822 and is truncated when it exceeds the size limit.
+non-delivery notification. Specify a byte count.  A message is
+returned as either message/rfc822 (the complete original) or as
+text/rfc822-headers (the headers only).  With Postfix version 2.4
+and earlier, a message is always returned as message/rfc822 and is
+truncated when it exceeds the size limit.
 </p>
 
 <p> Notes: </p>
@@ -3217,8 +3223,9 @@ server to decide if it will accept any mail at all.
 </p>
 
 <p>
-By default, the Postfix version 2.1 SMTP server rejects MAIL FROM commands
-when the amount of free space is less than 1.5*$message_size_limit.
+By default, the Postfix SMTP server rejects MAIL FROM commands when
+the amount of free space is less than 1.5*$message_size_limit
+(Postfix version 2.1 and later).
 To specify a higher minimum free space limit, specify a queue_minfree
 value that is at least 1.5*$message_size_limit.
 </p>
@@ -6854,17 +6861,29 @@ allowed set are replaced by underscores.
 
 %PARAM content_filter 
 
-<p>
-The name of a mail delivery transport that filters mail after
-it is queued.
+<p> After the message is queued, send the entire message to the
+specified <i>transport:destination</i>. The <i>transport</i> name
+specifies the first field of a mail delivery agent definition in
+master.cf; the syntax of <i>destination</i> is described in the
+manual page of the corresponding delivery agent.  More information
+about external content filters is in the Postfix FILTER_README file.
 </p>
 
-<p>
-This parameter uses the same syntax as the right-hand side of a
-Postfix transport(5) table. This setting has a lower precedence
-than a content filter that is specified with an access(5) table or
-in a header_checks(5) or body_checks(5) table.
-</p>
+<p> Notes: </p>
+
+<ul>
+
+<li> <p> This setting has a lower precedence than a content filter that
+is specified with an access(5) table or in a header_checks(5) or
+body_checks(5) table. </p>
+
+<li> <p> The meaning of an empty filter <i>destination</i> is version
+dependent.  Postfix 2.7 and later will use the recipient domain;
+earlier versions will use $myhostname.  Specify "legacy_filter_nexthop
+= yes" for compatibility with Postfix 2.6 or earlier, or specify
+a non-empty filter <i>destination</i>.  </p>
+
+</ul>
 
 %PARAM default_delivery_slot_discount 50
 
@@ -9496,7 +9515,7 @@ precision.  </p>
 
 <li> b = time from last active queue entry to connection setup
 
-<li> c = time in connection setup, including DNS, EHLO and TLS
+<li> c = time in connection setup, including DNS, EHLO and STARTTLS
 
 <li> d = time in message transmission
 
@@ -11968,7 +11987,8 @@ unit). </p>
 (weeks). The default time unit is s (seconds). </p>
 
 <p> NOTE: the delay is enforced by the queue manager. The delay
-timer state does not survive "postfix reload" or "postfix stop".
+timer state does not survive "<b>postfix reload</b>" or "<b>postfix
+stop</b>".
 </p>
 
 <p> Use <i>transport</i>_destination_rate_delay to specify a
@@ -12489,6 +12509,12 @@ therefore not be run frequently. This feature requires that the
 cache database supports the "delete" and "sequence" operators.
 Specify a zero interval to disable cache cleanup. </p>
 
+<p> After each cache cleanup run, the postscreen(8) daemon logs the
+number of entries that were retained and dropped. A cleanup run is
+logged as "partial" when the daemon terminates early after "<b>postfix
+reload</b>", "<b>postfix stop</b>", or no requests for $max_idle
+seconds. </p>
+
 <p> Time units: s (seconds), m (minutes), h (hours), d (days), w
 (weeks).  </p>
 
@@ -12663,12 +12689,15 @@ client commands. </p>
 
 <ul>
 
-<li> <p> Use "resolve_numeric_domain = yes" to accept "<i>user@ipaddress</i>"
-Postfix already accepts the correct form "<i>user@[ipaddress]</i>".
-</p>
+<li> <p> Use "resolve_numeric_domain = yes" to accept
+"<i>user@ipaddress</i>". </p>
+
+<li> <p> Postfix already accepts the correct form
+"<i>user@[ipaddress]</i>".  </p>
 
 <li> <p> Use "strict_rfc821_envelopes = no" to accept "<i>User Name
-&lt;user@example.com&gt;</i>". </p>
+&lt;user@example.com&gt;</i>". Postfix will ignore the "User Name"
+part before delivering the mail. </p>
 
 </ul>
 
@@ -12786,9 +12815,10 @@ without overriding the global default_transport parameter setting.
 This information is overruled with the transport(5) table. </p>
 
 <p> Note: this overrides default_transport, not transport_maps, and
-therefore the expected syntax is that of default_transport.  This
-feature does not support the transport_maps syntax for null transport,
-null nexthop, or null email addresses. </p>
+therefore the expected syntax is that of default_transport, not the
+syntax of transport_maps.  Specifically, this does not support the
+transport_maps syntax for null transport, null nexthop, or null
+email addresses. </p>
 
 <p> For safety reasons, this feature does not allow $number
 substitutions in regular expression maps. </p>
@@ -12802,3 +12832,13 @@ setting for address verification probes.  </p>
 
 <p> This feature is available in Postfix 2.7 and later.  </p>
 
+%PARAM legacy_filter_nexthop no
+
+<p> When a FILTER command does not specify a destination, force the
+destination to be $myhostname, instead of using the recipient domain.
+Specify "legacy_filter_nexthop = yes" for compatibility with Postfix
+version 2.6 and earlier, or specify a non-empty filter destination.
+</p>
+
+<p> This feature is available in Postfix 2.7 and later.  </p>
+
diff --git a/postfix/src/cleanup/cleanup_bounce.c b/postfix/src/cleanup/cleanup_bounce.c
index e5a9cf921..2118b96d9 100644
--- a/postfix/src/cleanup/cleanup_bounce.c
+++ b/postfix/src/cleanup/cleanup_bounce.c
@@ -221,6 +221,7 @@ int     cleanup_bounce(CLEANUP_STATE *state)
 	    encoding = MAIL_ATTR_ENC_NONE;
 	dsn_envid = state->dsn_envid ?
 	    state->dsn_envid : "";
+	/* Do not send unfiltered (body) content. */
 	dsn_ret = (state->errs & (CLEANUP_STAT_CONT | CLEANUP_STAT_SIZE)) ?
 	    DSN_RET_HDRS : state->dsn_ret;
 
diff --git a/postfix/src/global/cleanup_user.h b/postfix/src/global/cleanup_user.h
index e44f105ab..0a098d3da 100644
--- a/postfix/src/global/cleanup_user.h
+++ b/postfix/src/global/cleanup_user.h
@@ -65,7 +65,8 @@
   * These are set when we can't bounce even if we were asked to.
   */
 #define CLEANUP_STAT_MASK_CANT_BOUNCE \
-	(CLEANUP_STAT_BAD | CLEANUP_STAT_WRITE | CLEANUP_STAT_DEFER)
+	(CLEANUP_STAT_BAD | CLEANUP_STAT_WRITE | CLEANUP_STAT_DEFER \
+	    | CLEANUP_STAT_RCPT)
 
  /*
   * These are set when we can't examine every record of a message.
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index 31dd2c25c..71c2b3f9d 100644
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@@ -2253,6 +2253,10 @@ extern void mail_params_init(void);
 #define DEF_FILTER_XPORT		""
 extern char *var_filter_xport;
 
+#define VAR_LEGACY_FILTER_NEXTHOP	"legacy_filter_nexthop"
+#define DEF_LEGACY_FILTER_NEXTHOP	0
+extern bool var_legacy_filter_nexthop;
+
  /*
   * Fast flush service support.
   */
diff --git a/postfix/src/global/mail_queue.h b/postfix/src/global/mail_queue.h
index f1c2389d9..47cb61bdf 100644
--- a/postfix/src/global/mail_queue.h
+++ b/postfix/src/global/mail_queue.h
@@ -35,6 +35,7 @@
 #define MAIL_QUEUE_BOUNCE	"bounce"
 #define MAIL_QUEUE_CORRUPT	"corrupt"
 #define MAIL_QUEUE_FLUSH	"flush"
+#define MAIL_QUEUE_SAVED	"saved"
 
  /*
   * Queue file modes.
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 5e5a8d5e2..85a6d560f 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20100102"
+#define MAIL_RELEASE_DATE	"20100116"
 #define MAIL_VERSION_NUMBER	"2.7"
 
 #ifdef SNAPSHOT
diff --git a/postfix/src/global/sys_exits.c b/postfix/src/global/sys_exits.c
index bdd26b440..05d1afd49 100644
--- a/postfix/src/global/sys_exits.c
+++ b/postfix/src/global/sys_exits.c
@@ -39,6 +39,8 @@
 /*	sys_exits_detail() returns a table entry with assorted
 /*	information about the specified sendmail-compatible status
 /*	code, or a generic entry for an unknown status code.
+/*	The generic entry may be overwritten with each sys_exits_detail()
+/*	call.
 /*
 /*	sys_exits_softerror() returns non-zero when the specified
 /*	sendmail-compatible status code corresponds to a recoverable error.
diff --git a/postfix/src/master/master_ent.c b/postfix/src/master/master_ent.c
index a520b7d2f..4723251bd 100644
--- a/postfix/src/master/master_ent.c
+++ b/postfix/src/master/master_ent.c
@@ -526,7 +526,7 @@ MASTER_SERV *get_master_ent()
 	argv_add(serv->args, "-u", (char *) 0);
     if (chroot)
 	argv_add(serv->args, "-c", (char *) 0);
-    if ((serv->flags & MASTER_FLAG_LOCAL_ONLY) == 0) {
+    if ((serv->flags & MASTER_FLAG_LOCAL_ONLY) == 0 && serv->max_proc > 1) {
 	argv_add(serv->args, "-o", "stress=" CONFIG_BOOL_YES, (char *) 0);
 	serv->stress_param_val =
 	    serv->args->argv[serv->args->argc - 1] + sizeof("stress=") - 1;
diff --git a/postfix/src/oqmgr/qmgr.c b/postfix/src/oqmgr/qmgr.c
index e1e1b2d7f..2d6d84fbe 100644
--- a/postfix/src/oqmgr/qmgr.c
+++ b/postfix/src/oqmgr/qmgr.c
@@ -157,6 +157,11 @@
 /* .IP "\fBallow_min_user (no)\fR"
 /*	Allow a sender or recipient address to have `-' as the first
 /*	character.
+/* .PP
+/*	Available with Postfix version 2.7 and later:
+/* .IP "\fBlegacy_filter_nexthop (no)\fR"
+/*	When a FILTER command does not specify a destination, force the
+/*	destination to be $myhostname, instead of using the recipient domain.
 /* ACTIVE QUEUE CONTROLS
 /* .ad
 /* .fi
@@ -369,6 +374,7 @@ char   *var_conc_neg_feedback;
 int     var_conc_cohort_limit;
 int     var_conc_feedback_debug;
 int     var_dest_rate_delay;
+bool    var_legacy_filter_nexthop;
 
 static QMGR_SCAN *qmgr_scans[2];
 
@@ -627,6 +633,7 @@ int     main(int argc, char **argv)
     static const CONFIG_BOOL_TABLE bool_table[] = {
 	VAR_VERP_BOUNCE_OFF, DEF_VERP_BOUNCE_OFF, &var_verp_bounce_off,
 	VAR_CONC_FDBACK_DEBUG, DEF_CONC_FDBACK_DEBUG, &var_conc_feedback_debug,
+	VAR_LEGACY_FILTER_NEXTHOP, DEF_LEGACY_FILTER_NEXTHOP, &var_legacy_filter_nexthop,
 	0,
     };
 
diff --git a/postfix/src/oqmgr/qmgr_message.c b/postfix/src/oqmgr/qmgr_message.c
index 27c5c92bb..cb7b87ce1 100644
--- a/postfix/src/oqmgr/qmgr_message.c
+++ b/postfix/src/oqmgr/qmgr_message.c
@@ -998,12 +998,19 @@ static void qmgr_message_resolve(QMGR_MESSAGE *message)
 	 * me" bits turned on, but we handle them here anyway for the sake of
 	 * future proofing.
 	 */
+#define FILTER_WITHOUT_NEXTHOP(filter, next) \
+	(((next) = split_at((filter), ':')) == 0 || *(next) == 0)
+
+#define RCPT_WITHOUT_DOMAIN(rcpt, next) \
+	((next = strrchr(rcpt, '@')) == 0 || *++(next) == 0)
+
 	else if (message->filter_xport
 		 && (message->tflags & DEL_REQ_TRACE_ONLY_MASK) == 0) {
 	    reply.flags = 0;
 	    vstring_strcpy(reply.transport, message->filter_xport);
-	    if ((nexthop = split_at(STR(reply.transport), ':')) == 0
-		|| *nexthop == 0)
+	    if (FILTER_WITHOUT_NEXTHOP(STR(reply.transport), nexthop)
+		&& (var_legacy_filter_nexthop != 0
+		    || RCPT_WITHOUT_DOMAIN(recipient->address, nexthop)))
 		nexthop = var_myhostname;
 	    vstring_strcpy(reply.nexthop, nexthop);
 	    vstring_strcpy(reply.recipient, recipient->address);
diff --git a/postfix/src/pickup/pickup.c b/postfix/src/pickup/pickup.c
index ccf64749e..921c07d91 100644
--- a/postfix/src/pickup/pickup.c
+++ b/postfix/src/pickup/pickup.c
@@ -191,10 +191,14 @@ static int cleanup_service_error_reason(PICKUP_INFO *info, int status,
     /*
      * XXX If the cleanup server gave a reason, then it was already logged.
      * Don't bother logging it another time.
+     * 
+     * XXX Discard a message without recipient. This can happen with "postsuper
+     * -r" when a message is already delivered (or bounced). The Postfix
+     * sendmail command rejects submissions without recipients.
      */
     if (reason == 0)
 	msg_warn("%s: %s", info->path, cleanup_strerror(status));
-    return ((status & CLEANUP_STAT_BAD) ?
+    return ((status & (CLEANUP_STAT_BAD | CLEANUP_STAT_RCPT)) ?
 	    REMOVE_MESSAGE_FILE : KEEP_MESSAGE_FILE);
 }
 
diff --git a/postfix/src/postcat/postcat.c b/postfix/src/postcat/postcat.c
index 1a728ed9b..7c687bfe4 100644
--- a/postfix/src/postcat/postcat.c
+++ b/postfix/src/postcat/postcat.c
@@ -413,6 +413,7 @@ int     main(int argc, char **argv)
 	MAIL_QUEUE_ACTIVE,
 	MAIL_QUEUE_DEFERRED,
 	MAIL_QUEUE_HOLD,
+	MAIL_QUEUE_SAVED,
 	0,
     };
     char  **cpp;
diff --git a/postfix/src/postdrop/postdrop.c b/postfix/src/postdrop/postdrop.c
index a2fdc7355..34e4fdf8e 100644
--- a/postfix/src/postdrop/postdrop.c
+++ b/postfix/src/postdrop/postdrop.c
@@ -233,6 +233,8 @@ int     main(int argc, char **argv)
     char   *junk;
     struct timeval start;
     int     saved_errno;
+    int     from_count = 0;
+    int     rcpt_count = 0;
 
     /*
      * Fingerprint executables and core dumps.
@@ -315,7 +317,8 @@ int     main(int argc, char **argv)
 	set_file_limit((off_t) var_message_limit);
 
     /*
-     * Strip the environment so we don't have to trust the C library.
+     * This program is installed with setgid privileges. Strip the process
+     * environment so that we don't have to trust the C library.
      */
     import_env = argv_split(var_import_environ, ", \t\r\n");
     clean_env(import_env->argv);
@@ -408,6 +411,12 @@ int     main(int argc, char **argv)
 	/* Override time information from the untrusted caller. */
 	if (rec_type == REC_TYPE_TIME)
 	    continue;
+	/* Check these at submission time instead of pickup time. */
+	if (rec_type == REC_TYPE_FROM)
+	    from_count++;
+	if (rec_type == REC_TYPE_RCPT)
+	    rcpt_count++;
+	/* Limit the attribute types that users may specify. */
 	if (rec_type == REC_TYPE_ATTR) {
 	    if ((error_text = split_nameval(vstring_str(buf), &attr_name,
 					    &attr_value)) != 0) {
@@ -452,10 +461,32 @@ int     main(int argc, char **argv)
     }
     vstring_free(buf);
 
+    /*
+     * As of Postfix 2.7 the pickup daemon discards mail without recipients.
+     * Such mail may enter the maildrop queue when "postsuper -r" is invoked
+     * before the queue manager deletes an already delivered message. Looking
+     * at file ownership is not a good way to make decisions on what mail to
+     * discard. Instead, the pickup server now requires that new submissions
+     * always have at least one recipient record.
+     * 
+     * The Postfix sendmail command already rejects mail without recipients.
+     * However, in the future postdrop may receive mail via other programs,
+     * so we add a redundant recipient check here for future proofing.
+     * 
+     * The test for the sender address is just for consistency of error
+     * reporting (report at submission time instead of pickup time). Besides
+     * the segment terminator records, there aren't any other mandatory
+     * records in a Postfix submission queue file.
+     */
+    if (from_count == 0 || rcpt_count == 0) {
+	status = CLEANUP_STAT_BAD;
+	mail_stream_cleanup(dst);
+    }
+
     /*
      * Finish the file.
      */
-    if ((status = mail_stream_finish(dst, (VSTRING *) 0)) != 0) {
+    else if ((status = mail_stream_finish(dst, (VSTRING *) 0)) != 0) {
 	msg_warn("uid=%ld: %m", (long) uid);
 	postdrop_cleanup();
     }
diff --git a/postfix/src/postscreen/postscreen.c b/postfix/src/postscreen/postscreen.c
index bef281ff4..ec8e11a28 100644
--- a/postfix/src/postscreen/postscreen.c
+++ b/postfix/src/postscreen/postscreen.c
@@ -7,37 +7,33 @@
 /*	\fBpostscreen\fR [generic Postfix daemon options]
 /* DESCRIPTION
 /*	The Postfix \fBpostscreen\fR(8) server performs triage on
-/*	multiple inbound SMTP connections in parallel.  By running
-/*	time-consuming tests in parallel in \fBpostscreen\fR(8),
-/*	zombies and other bogus clients can be kept away from Postfix
-/*	SMTP server processes. Thus, more Postfix SMTP server
-/*	processes remain available for legitimate clients.
+/*	multiple inbound SMTP connections in parallel. While
+/*	\fBpostscreen\fR(8) keeps zombies and other bogus clients
+/*	away from Postfix SMTP server processes, more Postfix SMTP
+/*	server processes remain available for legitimate clients.
+/* GENERAL OPERATION
+/* .ad
+/* .fi
+/*	The triage process involves a number of tests, in the order
+/*	as described below.  Some tests introduce a delay of a few
+/*	seconds.  Once a client passes all tests, its IP address
+/*	is temporarily excluded from the tests, typically for 24
+/*	hours.  This minimizes the impact of the tests on legitimate
+/*	mail clients.
 /*
-/*	This triage process involves a number of tests, documented
-/*	below.  The tests introduce a delay of a few seconds; once
-/*	a client passes the tests, its IP address is temporarily
-/*	whitelisted, typically for 24 hours.
+/*	After logging the result of its tests, \fBpostscreen\fR(8)
+/*	by default forwards all connections to a real SMTP server
+/*	process. This mode is useful for non-destructive testing.
+/*
+/*	In a typical production setting, \fBpostscreen\fR(8) is
+/*	configured to disconnect clients that fail some tests.  A
+/*	future implementation may pass the connection to a dummy
+/*	SMTP protocol engine that logs sender and recipient information
+/*	before hanging up.
 /*
-/*	The program can run in two basic modes.
-/* .IP "\fBObservation mode\fR"
-/*	\fBpostscreen\fR(8) reports the results of the tests, and
-/*	forwards all connections to a real Postfix SMTP server
-/*	process.
-/* .IP "\fBEnforcement mode\fR"
-/*	\fBpostscreen\fR(8) reports the results of the tests, but
-/*	forwards only connections to a real SMTP server process
-/*	from clients that passed the tests.
-/* .sp
-/*	\fBpostscreen\fR(8) disconnects clients that fail the tests,
-/*	after sending a 521 status message (a future version may
-/*	pass the connection to a dummy SMTP protocol engine that
-/*	logs sender and recipient information).
-/* .PP
 /*	Note: \fBpostscreen\fR(8) is not an SMTP proxy; this is
 /*	intentional. The purpose is to prioritize legitimate clients
 /*	with as little overhead as possible.
-/*
-/*	\fBpostscreen\fR(8) performs tests in the order described below.
 /* .SH 1. PERMANENT WHITELIST TEST
 /* .ad
 /* .fi
@@ -70,9 +66,9 @@
 /* .sp
 /*	The postscreen_blacklist_action parameter specifies the
 /*	action that is taken next:
-/* .IP "\fBcontinue\fR (default, observation mode)"
+/* .IP "\fBcontinue\fR (default)"
 /*	Continue with the SMTP GREETING PHASE TESTS below.
-/* .IP "\fBdrop\fR (enforcement mode)"
+/* .IP \fBdrop\fR
 /*	Drop the connection immediately with a 521 SMTP reply.  In
 /*	a future implementation, the connection may instead be
 /*	passed to a dummy SMTP protocol engine that logs sender and
@@ -158,12 +154,12 @@
 /*
 /*	The postscreen_greet_action parameter specifies the action
 /*	that is taken next:
-/* .IP "\fBcontinue\fR (default, observation mode)"
+/* .IP "\fBcontinue\fR (default)"
 /*	Wait until the postscreen_greet_wait time has elapsed, then
 /*	report DNSBL lookup results if applicable. Either perform
 /*	DNSBL-related actions or forward the connection to a real
 /*	SMTP server process.
-/* .IP "\fBdrop\fR (enforcement mode)"
+/* .IP \fBdrop\fR
 /*	Drop the connection immediately with a 521 SMTP reply.
 /*	In a future implementation, the connection may instead be passed
 /*	to a dummy SMTP protocol engine that logs sender and recipient
@@ -181,11 +177,11 @@
 /* .sp
 /*	The postscreen_hangup_action specifies the action
 /*	that is taken next:
-/* .IP "\fBcontinue\fR (default, observation mode)"
+/* .IP "\fBcontinue\fR (default)"
 /*	Wait until the postscreen_greet_wait time has elapsed, then
 /*	report DNSBL lookup results if applicable. Do not forward
 /*	the broken connection to a real SMTP server process.
-/* .IP "\fBdrop\fR (enforcement mode)"
+/* .IP \fBdrop\fR
 /*	Drop the connection immediately.
 /* .SH 4C. DNS BLOCKLIST TEST
 /* .ad
@@ -209,9 +205,9 @@
 /*
 /*	The postscreen_dnsbl_action parameter specifies the action
 /*	that is taken next:
-/* .IP "\fBcontinue\fR (default, observation mode)"
+/* .IP "\fBcontinue\fR (default)"
 /*	Forward the connection to a real SMTP server process.
-/* .IP "\fBdrop\fR (enforcement mode)"
+/* .IP \fBdrop\fR
 /*	Drop the connection immediately with a 521 SMTP reply.
 /*	In a future implementation, the connection may instead be passed
 /*	to a dummy SMTP protocol engine that logs sender and recipient
@@ -848,7 +844,7 @@ static void send_socket(PS_STATE *state)
 		      vstream_fileno(state->smtp_client_stream)) < 0) {
 	msg_warn("cannot pass connection to service %s: %m", smtp_service_name);
 	smtp_reply(vstream_fileno(state->smtp_client_stream), state->smtp_client_addr,
-	      state->smtp_client_port, "421 4.3.2 No system resources\r\n");
+		   state->smtp_client_port, "421 4.3.2 No system resources\r\n");
 	free_session_state(state);
 	return;
     } else {
@@ -1012,7 +1008,7 @@ static void postscreen_drain(char *unused_service, char **unused_argv)
      * instead of dropping already-accepted connections on the floor.
      * 
      * Unfortunately we must close all writable tables, so we can't store or
-     * look up reputation information. The reason is that don't have any
+     * look up reputation information. The reason is that we don't have any
      * multi-writer safety guarantees. We also can't use the single-writer
      * proxywrite service, because its latency guarantees are too weak.
      * 
@@ -1302,7 +1298,7 @@ static void post_jail_init(char *unused_name, char **unused_argv)
 	"continue", PS_ACT_CONT,
 	0, -1,
     };
-    int     expire_flags;
+    int     cache_flags;
 
     /*
      * This routine runs after the skeleton code has entered the chroot jail.
@@ -1343,12 +1339,12 @@ static void post_jail_init(char *unused_name, char **unused_argv)
      * verbose logging more informative (we get positive confirmation that
      * the cleanup thread runs).
      */
-    expire_flags = DICT_CACHE_FLAG_STATISTICS;
+    cache_flags = DICT_CACHE_FLAG_STATISTICS;
     if (msg_verbose)
-	expire_flags |= DICT_CACHE_FLAG_VERBOSE;
+	cache_flags |= DICT_CACHE_FLAG_VERBOSE;
     if (cache_map != 0 && var_ps_cache_scan > 0)
 	dict_cache_control(cache_map,
-			   DICT_CACHE_CTL_FLAGS, expire_flags,
+			   DICT_CACHE_CTL_FLAGS, cache_flags,
 			   DICT_CACHE_CTL_INTERVAL, var_ps_cache_scan,
 		       DICT_CACHE_CTL_VALIDATOR, postscreen_cache_validator,
 			   DICT_CACHE_CTL_CONTEXT, (char *) 0,
diff --git a/postfix/src/qmgr/qmgr.c b/postfix/src/qmgr/qmgr.c
index a99993b58..e2ef6e540 100644
--- a/postfix/src/qmgr/qmgr.c
+++ b/postfix/src/qmgr/qmgr.c
@@ -161,6 +161,11 @@
 /* .IP "\fBallow_min_user (no)\fR"
 /*	Allow a sender or recipient address to have `-' as the first
 /*	character.
+/* .PP
+/*	Available with Postfix version 2.7 and later:
+/* .IP "\fBlegacy_filter_nexthop (no)\fR"
+/*	When a FILTER command does not specify a destination, force the
+/*	destination to be $myhostname, instead of using the recipient domain.
 /* ACTIVE QUEUE CONTROLS
 /* .ad
 /* .fi
@@ -429,6 +434,7 @@ char   *var_conc_neg_feedback;
 int     var_conc_cohort_limit;
 int     var_conc_feedback_debug;
 int     var_dest_rate_delay;
+bool    var_legacy_filter_nexthop;
 
 static QMGR_SCAN *qmgr_scans[2];
 
@@ -702,6 +708,7 @@ int     main(int argc, char **argv)
     static const CONFIG_BOOL_TABLE bool_table[] = {
 	VAR_VERP_BOUNCE_OFF, DEF_VERP_BOUNCE_OFF, &var_verp_bounce_off,
 	VAR_CONC_FDBACK_DEBUG, DEF_CONC_FDBACK_DEBUG, &var_conc_feedback_debug,
+	VAR_LEGACY_FILTER_NEXTHOP, DEF_LEGACY_FILTER_NEXTHOP, &var_legacy_filter_nexthop,
 	0,
     };
 
diff --git a/postfix/src/qmgr/qmgr_message.c b/postfix/src/qmgr/qmgr_message.c
index a588d6791..25ed0b75d 100644
--- a/postfix/src/qmgr/qmgr_message.c
+++ b/postfix/src/qmgr/qmgr_message.c
@@ -1057,12 +1057,19 @@ static void qmgr_message_resolve(QMGR_MESSAGE *message)
 	 * me" bits turned on, but we handle them here anyway for the sake of
 	 * future proofing.
 	 */
+#define FILTER_WITHOUT_NEXTHOP(filter, next) \
+	(((next) = split_at((filter), ':')) == 0 || *(next) == 0)
+
+#define RCPT_WITHOUT_DOMAIN(rcpt, next) \
+	((next = strrchr(rcpt, '@')) == 0 || *++(next) == 0)
+
 	else if (message->filter_xport
 		 && (message->tflags & DEL_REQ_TRACE_ONLY_MASK) == 0) {
 	    reply.flags = 0;
 	    vstring_strcpy(reply.transport, message->filter_xport);
-	    if ((nexthop = split_at(STR(reply.transport), ':')) == 0
-		|| *nexthop == 0)
+	    if (FILTER_WITHOUT_NEXTHOP(STR(reply.transport), nexthop)
+		&& (var_legacy_filter_nexthop != 0
+		    || RCPT_WITHOUT_DOMAIN(recipient->address, nexthop)))
 		nexthop = var_myhostname;
 	    vstring_strcpy(reply.nexthop, nexthop);
 	    vstring_strcpy(reply.recipient, recipient->address);
diff --git a/postfix/src/util/dict_ht.c b/postfix/src/util/dict_ht.c
index 8e44bad19..32ad47c34 100644
--- a/postfix/src/util/dict_ht.c
+++ b/postfix/src/util/dict_ht.c
@@ -122,6 +122,8 @@ static void dict_ht_close(DICT *dict)
     DICT_HT *dict_ht = (DICT_HT *) dict;
 
     htable_free(dict_ht->table, myfree);
+    if (dict_ht->dict.fold_buf)
+	vstring_free(dict_ht->dict.fold_buf);
     dict_free(dict);
 }
 
diff --git a/postfix/src/util/events.c b/postfix/src/util/events.c
index 485697c30..50751db96 100644
--- a/postfix/src/util/events.c
+++ b/postfix/src/util/events.c
@@ -431,6 +431,7 @@ typedef struct pollfd EVENT_BUFFER;
   * descriptor is closed, so our information could get out of sync with the
   * kernel. But that will never happen, because we have to meticulously
   * unregister a file descriptor before it is closed, to avoid errors on
+  * systems that are built with EVENTS_STYLE == EVENTS_STYLE_SELECT.
   */
 #if (EVENTS_STYLE == EVENTS_STYLE_EPOLL)
 #include <sys/epoll.h>
diff --git a/postfix/src/util/valid_hostname.c b/postfix/src/util/valid_hostname.c
index 66ebdef5c..1beeb9af4 100644
--- a/postfix/src/util/valid_hostname.c
+++ b/postfix/src/util/valid_hostname.c
@@ -116,6 +116,7 @@ int     valid_hostname(const char *name, int gripe)
 	    }
 	    label_length = 0;
 	} else if (ch == '-') {
+	    non_numeric = 1;
 	    label_length++;
 	    if (label_length == 1 || cp[1] == 0 || cp[1] == '.') {
 		if (gripe)
diff --git a/postfix/src/verify/verify.c b/postfix/src/verify/verify.c
index b716ca48e..116dd53a6 100644
--- a/postfix/src/verify/verify.c
+++ b/postfix/src/verify/verify.c
@@ -100,7 +100,8 @@
 /* .PP
 /*	Available with Postfix 2.7 and later:
 /* .IP "\fBaddress_verify_cache_cleanup_interval (12h)\fR"
-/*	The amount of time between \fBverify\fR(8) cache cleanup runs.
+/*	The amount of time between \fBverify\fR(8) address verification
+/*	database cleanup runs.
 /* PROBE MESSAGE ROUTING CONTROLS
 /* .ad
 /* .fi
@@ -603,13 +604,13 @@ static void post_jail_init(char *unused_name, char **unused_argv)
      * Start the cache cleanup thread.
      */
     if (var_verify_scan_cache > 0) {
-	int     expire_flags;
+	int     cache_flags;
 
-	expire_flags = DICT_CACHE_FLAG_STATISTICS;
+	cache_flags = DICT_CACHE_FLAG_STATISTICS;
 	if (msg_verbose)
-	    expire_flags |= DICT_CACHE_FLAG_VERBOSE;
+	    cache_flags |= DICT_CACHE_FLAG_VERBOSE;
 	dict_cache_control(verify_map,
-			   DICT_CACHE_CTL_FLAGS, expire_flags,
+			   DICT_CACHE_CTL_FLAGS, cache_flags,
 			   DICT_CACHE_CTL_INTERVAL, var_verify_scan_cache,
 			   DICT_CACHE_CTL_VALIDATOR, verify_cache_validator,
 			DICT_CACHE_CTL_CONTEXT, (char *) vstring_alloc(100),