From 38cb735342f38f0b58948919a8833b883d988002 Mon Sep 17 00:00:00 2001
From: Wietse Venema
Date: Tue, 16 Aug 2022 00:00:00 -0500
Subject: [PATCH] postfix-3.8-20220816
---
postfix/HISTORY | 30 +++++++++
postfix/README_FILES/SASL_README | 7 +++
postfix/README_FILES/SMTPD_POLICY_README | 5 ++
postfix/WISHLIST | 4 +-
postfix/conf/aliases | 35 ++++++-----
postfix/html/SASL_README.html | 8 +++
postfix/html/SMTPD_POLICY_README.html | 7 +++
postfix/html/aliases.5.html | 77 ++++++++++++------------
postfix/html/postconf.5.html | 34 ++++++-----
postfix/man/man5/aliases.5 | 13 ++--
postfix/man/man5/postconf.5 | 33 +++++-----
postfix/proto/SASL_README.html | 8 +++
postfix/proto/SMTPD_POLICY_README.html | 7 +++
postfix/proto/aliases | 13 ++--
postfix/proto/postconf.proto | 34 ++++++-----
postfix/src/global/mail_proto.h | 3 +-
postfix/src/global/mail_version.h | 2 +-
postfix/src/smtpd/Makefile.in | 1 +
postfix/src/smtpd/smtpd_check.c | 3 +
19 files changed, 210 insertions(+), 114 deletions(-)
diff --git a/postfix/HISTORY b/postfix/HISTORY
index 443cb2ab2..a650537fd 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -26562,3 +26562,33 @@ Apologies for any names omitted. regression that broke TLS handshakes. It is rarely useful. Report by Spil Oss, fix by Viktor Dukhovni. File: tls/tls_server.c. + +20220802 + + Documentation: in the aliases(5) manpage, more specific + pointers to the local(8) manpage sections for delivery to + file, command execution, and delivery rights. File: + proto/aliases. + +20220805 + + Feature: "mail_version" attribute in the SMTPD policy + protocol, with the value of the "mail_version" configuration + parameter. This differs from the "compatibility_level" + attribute, because "mail_version" indicates the presence + of new features, while "compatibility_level" concerns changes + in default settings. Files: global/mail_proto.h, + proto/SMTPD_POLICY_README.html, smtpd/smtpd_check.c. + +20220808 + + Documentation: some Debian releases hard-code the search + path for Cyrus SASL application configuration files, + overriding the cyrus_sasl_config_path setting. Viktor + Dukhovni. File: proto/SASL_README.html. + +20220815 + + Updated the postscreen_dnsbl_sites documentation, based + on questions on the postfix-users mailing list. File: + proto/postconf.proto. diff --git a/postfix/README_FILES/SASL_README b/postfix/README_FILES/SASL_README index e5eabc57a..580a0131d 100644 --- a/postfix/README_FILES/SASL_README +++ b/postfix/README_FILES/SASL_README 
@@ -186,6 +186,13 @@ postfix/sasl/, /var/lib/sasl2/ etc. See the output of postconf cyrus_sasl_config_path and/or the distribution-specific documentation to determine the expected location. +Some Debian-based Postfix distributions patch Postfix to hardcode a non-default +search path, making it impossible to set an alternate search path via the +"cyrus_sasl_config_path" parameter. This is likely to be the case when the +distribution documents a Postfix-specific path (e.g. /etc/postfix/sasl/) that +is different from the default value of "cyrus_sasl_config_path" (which then is +likely to be empty). + NNoottee Cyrus SASL searches /usr/lib/sasl2/ first. If it finds the specified diff --git a/postfix/README_FILES/SMTPD_POLICY_README b/postfix/README_FILES/SMTPD_POLICY_README index 46bbf165f..47a6fa310 100644 --- a/postfix/README_FILES/SMTPD_POLICY_README +++ b/postfix/README_FILES/SMTPD_POLICY_README @@ -87,6 +87,7 @@ a delegated SMTPD access policy request: server_port=54321 PPoossttffiixx vveerrssiioonn 33..88 aanndd llaatteerr:: compatibility_level=major.minor.patch + mail_version=3.8.0 [empty line] Notes: @@ -170,6 +171,10 @@ Notes: parameter value. It has the form major.minor.patch where minor and patch may be absent. + * The "mail_version" attribute corresponds to the mail_version parameter + value. It has the form major.minor.patch for stable releases, and + major.minor-yyyymmdd for unstable releases. + The following is specific to SMTPD delegated policy requests: * Protocol names are ESMTP or SMTP. diff --git a/postfix/WISHLIST b/postfix/WISHLIST index 12e8b031e..6738649a9 100644 --- a/postfix/WISHLIST +++ b/postfix/WISHLIST @@ -9,6 +9,8 @@ Wish list: Scan Postfix code with github.com/googleprojectzero/weggli (depends on "rust"). + Migrate masquerade_domains from ARGV to STRING_LIST. + Enforce var_line_limit in util/attr_scan*c. Investigate clang-format compatibility compared to indent. 
@@ -26,8 +28,6 @@ Wish list: WARN_IF_REJECT like prefix that disables the error counter increment. - Send the Postfix version in a policy server request. - postscreen_dnsbl_sites is evaluated in the reverse order, breaking expectations when different reply patterns have different weights. We need a compatibility_level feature to correct this. diff --git a/postfix/conf/aliases b/postfix/conf/aliases index 941551e9d..8f1a28451 100644 --- a/postfix/conf/aliases +++ b/postfix/conf/aliases @@ -108,16 +108,20 @@ decode: root # with the RFC 822 standard. # # /file/name -# Mail is appended to /file/name. See local(8) for -# details of delivery to file. Delivery is not lim- -# ited to regular files. For example, to dispose of -# unwanted mail, deflect it to /dev/null. +# Mail is appended to /file/name. For details on how +# a file is written see the sections "EXTERNAL FILE +# DELIVERY" and "DELIVERY RIGHTS" in the local(8) +# documentation. Delivery is not limited to regular +# files. For example, to dispose of unwanted mail, +# deflect it to /dev/null. # # |command # Mail is piped into command. Commands that contain # special characters, such as whitespace, should be -# enclosed between double quotes. See local(8) for -# details of delivery to command. +# enclosed between double quotes. For details on how +# a command is executed see "EXTERNAL COMMAND DELIV- +# ERY" and "DELIVERY RIGHTS" in the local(8) documen- +# tation. # # When the command fails, a limited amount of command # output is mailed back to the sender. The file 
@@ -218,18 +222,17 @@ decode: root # the recipient_delimiter is set to "-". # # recipient_delimiter (empty) -# The set of characters that can separate a user name -# from its extension (example: user+foo), or a .for- -# ward file name from its extension (example: .for- -# ward+foo). +# The set of characters that can separate an email +# address localpart, user name, or a .forward file +# name from its extension. # # Available in Postfix version 2.3 and later: # # frozen_delivered_to (yes) -# Update the local(8) delivery agent's idea of the -# Delivered-To: address (see prepend_deliv- -# ered_header) only once, at the start of a delivery -# attempt; do not update the Delivered-To: address +# Update the local(8) delivery agent's idea of the +# Delivered-To: address (see prepend_deliv- +# ered_header) only once, at the start of a delivery +# attempt; do not update the Delivered-To: address # while expanding aliases or .forward files. # # STANDARDS @@ -242,12 +245,12 @@ decode: root # postconf(5), configuration parameters # # README FILES -# Use "postconf readme_directory" or "postconf html_direc- +# Use "postconf readme_directory" or "postconf html_direc- # tory" to locate this information. # DATABASE_README, Postfix lookup table overview # # LICENSE -# The Secure Mailer license must be distributed with this +# The Secure Mailer license must be distributed with this # software. # # AUTHOR(S) diff --git a/postfix/html/SASL_README.html b/postfix/html/SASL_README.html index 6520a6966..f31391668 100644 --- a/postfix/html/SASL_README.html +++ b/postfix/html/SASL_README.html @@ -280,6 +280,14 @@ configuration file in /etc/postfix/sasl/, cyrus_sasl_config_path and/or the distribution-specific documentation to determine the expected location.

+
  • Some Debian-based Postfix distributions patch Postfix to +hardcode a non-default search path, making it impossible to set an +alternate search path via the "cyrus_sasl_config_path" parameter. This +is likely to be the case when the distribution documents a +Postfix-specific path (e.g. /etc/postfix/sasl/) that is +different from the default value of "cyrus_sasl_config_path" (which +then is likely to be empty).

  • +
    diff --git a/postfix/html/SMTPD_POLICY_README.html b/postfix/html/SMTPD_POLICY_README.html index aaa5218ed..ba73f0058 100644 --- a/postfix/html/SMTPD_POLICY_README.html +++ b/postfix/html/SMTPD_POLICY_README.html @@ -118,6 +118,7 @@ server_address=10.3.2.1 server_port=54321 Postfix version 3.8 and later: compatibility_level=major.minor.patch +mail_version=3.8.0 [empty line]
    @@ -220,6 +221,12 @@ server_port=54321 major.minor.patch where minor and patch may be absent.

    +
  • The "mail_version" attribute corresponds to the + mail_version parameter value. It has the form + major.minor.patch for stable releases, and + major.minor-yyyymmdd for unstable releases. +

    +

    The following is specific to SMTPD delegated policy requests: diff --git a/postfix/html/aliases.5.html b/postfix/html/aliases.5.html index e7d5b663b..68aa58a51 100644 --- a/postfix/html/aliases.5.html +++ b/postfix/html/aliases.5.html 
@@ -67,38 +67,41 @@ ALIASES(5) ALIASES(5) 822 standard. /file/name - Mail is appended to /file/name. See local(8) for details of - delivery to file. Delivery is not limited to regular files. - For example, to dispose of unwanted mail, deflect it to - /dev/null. + Mail is appended to /file/name. For details on how a file is + written see the sections "EXTERNAL FILE DELIVERY" and "DELIVERY + RIGHTS" in the local(8) documentation. Delivery is not limited + to regular files. For example, to dispose of unwanted mail, + deflect it to /dev/null. |command - Mail is piped into command. Commands that contain special char- - acters, such as whitespace, should be enclosed between double - quotes. See local(8) for details of delivery to command. - - When the command fails, a limited amount of command output is - mailed back to the sender. The file /usr/include/sysexits.h - defines the expected exit status codes. For example, use "|exit - 67" to simulate a "user unknown" error, and "|exit 0" to imple- + Mail is piped into command. Commands that contain special char- + acters, such as whitespace, should be enclosed between double + quotes. For details on how a command is executed see "EXTERNAL + COMMAND DELIVERY" and "DELIVERY RIGHTS" in the local(8) documen- + tation. + + When the command fails, a limited amount of command output is + mailed back to the sender. The file /usr/include/sysexits.h + defines the expected exit status codes. For example, use "|exit + 67" to simulate a "user unknown" error, and "|exit 0" to imple- ment an expensive black hole. :include:/file/name - Mail is sent to the destinations listed in the named file. - Lines in :include: files have the same syntax as the right-hand + Mail is sent to the destinations listed in the named file. + Lines in :include: files have the same syntax as the right-hand side of alias entries. - A destination can be any destination that is described in this - manual page. 
However, delivery to "|command" and /file/name is - disallowed by default. To enable, edit the allow_mail_to_com- + A destination can be any destination that is described in this + manual page. However, delivery to "|command" and /file/name is + disallowed by default. To enable, edit the allow_mail_to_com- mands and allow_mail_to_files configuration parameters. ADDRESS EXTENSION - When alias database search fails, and the recipient localpart contains - the optional recipient delimiter (e.g., user+foo), the search is + When alias database search fails, and the recipient localpart contains + the optional recipient delimiter (e.g., user+foo), the search is repeated for the unextended address (e.g., user). - The propagate_unmatched_extensions parameter controls whether an + The propagate_unmatched_extensions parameter controls whether an unmatched address extension (+foo) is propagated to the result of table lookup. @@ -107,9 +110,9 @@ ALIASES(5) ALIASES(5) before database lookup. REGULAR EXPRESSION TABLES - This section describes how the table lookups change when the table is - given in the form of regular expressions. For a description of regular - expression lookup table syntax, see regexp_table(5) or pcre_table(5). + This section describes how the table lookups change when the table is + given in the form of regular expressions. For a description of regular + expression lookup table syntax, see regexp_table(5) or pcre_table(5). NOTE: these formats do not use ":" at the end of a pattern. Each regular expression is applied to the entire search string. Thus, a 
@@ -122,21 +125,21 @@ ALIASES(5) ALIASES(5) reasons there is no support for $1, $2 etc. substring interpolation. SECURITY - The local(8) delivery agent disallows regular expression substitution + The local(8) delivery agent disallows regular expression substitution of $1 etc. in alias_maps, because that would open a security hole. - The local(8) delivery agent will silently ignore requests to use the - proxymap(8) server within alias_maps. Instead it will open the table + The local(8) delivery agent will silently ignore requests to use the + proxymap(8) server within alias_maps. Instead it will open the table directly. Before Postfix version 2.2, the local(8) delivery agent will terminate with a fatal error. CONFIGURATION PARAMETERS - The following main.cf parameters are especially relevant. The text - below provides only a parameter summary. See postconf(5) for more + The following main.cf parameters are especially relevant. The text + below provides only a parameter summary. See postconf(5) for more details including examples. alias_database (see 'postconf -d' output) - The alias databases for local(8) delivery that are updated with + The alias databases for local(8) delivery that are updated with "newaliases" or with "sendmail -bi". alias_maps (see 'postconf -d' output) 
@@ -149,30 +152,30 @@ ALIASES(5) ALIASES(5) Restrict local(8) mail delivery to external files. expand_owner_alias (no) - When delivering to an alias "aliasname" that has an + When delivering to an alias "aliasname" that has an "owner-aliasname" companion alias, set the envelope sender address to the expansion of the "owner-aliasname" alias. propagate_unmatched_extensions (canonical, virtual) - What address lookup tables copy an address extension from the + What address lookup tables copy an address extension from the lookup key to the lookup result. owner_request_special (yes) - Enable special treatment for owner-listname entries in the + Enable special treatment for owner-listname entries in the aliases(5) file, and don't split owner-listname and list- - name-request address localparts when the recipient_delimiter is + name-request address localparts when the recipient_delimiter is set to "-". recipient_delimiter (empty) - The set of characters that can separate an email address local- + The set of characters that can separate an email address local- part, user name, or a .forward file name from its extension. Available in Postfix version 2.3 and later: frozen_delivered_to (yes) - Update the local(8) delivery agent's idea of the Delivered-To: - address (see prepend_delivered_header) only once, at the start - of a delivery attempt; do not update the Delivered-To: address + Update the local(8) delivery agent's idea of the Delivered-To: + address (see prepend_delivered_header) only once, at the start + of a delivery attempt; do not update the Delivered-To: address while expanding aliases or .forward files. STANDARDS diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 4d9b705fe..03f0ddba9 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -8609,13 +8609,16 @@ the file is read).

    postscreen_dnsbl_sites (default: empty)
    -

    Optional list of DNS allow/denylist domains, filters and weight +

    Optional list of patterns with DNS allow/denylist domains, filters +and weight factors. When the list is non-empty, the dnsblog(8) daemon will -query these domains with the IP addresses of remote SMTP clients, +query these domains with the reversed IP addresses of remote SMTP +clients, and postscreen(8) will update an SMTP client's DNSBL score with -each non-error reply.

    +each non-error reply as described below.

    -

    Caution: when postscreen rejects mail, it replies with the DNSBL +

    Caution: when postscreen rejects mail, its SMTP response contains +the DNSBL domain name. Use the postscreen_dnsbl_reply_map feature to hide "password" information in DNSBL domain names.

    @@ -8623,26 +8626,25 @@ domain name. Use the postsc specified with postscreen_dnsbl_threshold, postscreen(8) can drop the connection with the remote SMTP client.

    -

    Specify a list of domain=filter*weight entries, separated by +

    Specify a list of domain=filter*weight patterns, separated by comma or whitespace.

      -
    • When no "=filter" is specified, postscreen(8) will use any -non-error DNSBL reply. Otherwise, postscreen(8) uses only DNSBL -replies that match the filter. The filter has the form d.d.d.d, +

    • When a pattern specifies no "=filter", postscreen(8) will +use any non-error DNSBL query result. Otherwise, postscreen(8) +will use only DNSBL +query results that match the filter. The filter has the form d.d.d.d, where each d is a number, or a pattern inside [] that contains one or more ";"-separated numbers or number..number ranges.

      -
    • When no "*weight" is specified, postscreen(8) increments -the remote SMTP client's DNSBL score by 1. Otherwise, the weight must be -an integral number, and postscreen(8) adds the specified weight to -the remote SMTP client's DNSBL score. Specify a negative number for -allowlisting.

      +
    • When a pattern specifies no "*weight", the weight of the +pattern is 1. Otherwise, the weight must be an integral number. +Specify a negative number for allowlisting.

      -
    • When one postscreen_dnsbl_sites entry produces multiple -DNSBL responses, postscreen(8) applies the weight at most once. -

      +
    • When a pattern matches one or more DNSBL query results, +postscreen(8) adds that pattern's weight once to the remote SMTP +client's DNSBL score.

    diff --git a/postfix/man/man5/aliases.5 b/postfix/man/man5/aliases.5 index 628b5d75d..a5da9069e 100644 --- a/postfix/man/man5/aliases.5 +++ b/postfix/man/man5/aliases.5 @@ -71,14 +71,17 @@ The \fIvalue\fR contains one or more of the following: Mail is forwarded to \fIaddress\fR, which is compatible with the RFC 822 standard. .IP \fI/file/name\fR -Mail is appended to \fI/file/name\fR. See \fBlocal\fR(8) -for details of delivery to file. +Mail is appended to \fI/file/name\fR. For details on how a +file is written see the sections "EXTERNAL FILE DELIVERY" +and "DELIVERY RIGHTS" in the \fBlocal\fR(8) documentation. Delivery is not limited to regular files. For example, to dispose of unwanted mail, deflect it to \fB/dev/null\fR. .IP "|\fIcommand\fR" -Mail is piped into \fIcommand\fR. Commands that contain special -characters, such as whitespace, should be enclosed between double -quotes. See \fBlocal\fR(8) for details of delivery to command. +Mail is piped into \fIcommand\fR. Commands that contain +special characters, such as whitespace, should be enclosed +between double quotes. For details on how a command is +executed see "EXTERNAL COMMAND DELIVERY" and "DELIVERY +RIGHTS" in the \fBlocal\fR(8) documentation. .sp When the command fails, a limited amount of command output is mailed back to the sender. The file \fB/usr/include/sysexits.h\fR diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 1bdbc9cef..289f0de88 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 
@@ -5441,13 +5441,16 @@ Example: .PP This feature is available in Postfix 2.8. .SH postscreen_dnsbl_sites (default: empty) -Optional list of DNS allow/denylist domains, filters and weight +Optional list of patterns with DNS allow/denylist domains, filters +and weight factors. When the list is non\-empty, the \fBdnsblog\fR(8) daemon will -query these domains with the IP addresses of remote SMTP clients, +query these domains with the reversed IP addresses of remote SMTP +clients, and \fBpostscreen\fR(8) will update an SMTP client's DNSBL score with -each non\-error reply. +each non\-error reply as described below. .PP -Caution: when postscreen rejects mail, it replies with the DNSBL +Caution: when postscreen rejects mail, its SMTP response contains +the DNSBL domain name. Use the postscreen_dnsbl_reply_map feature to hide "password" information in DNSBL domain names. .PP 
@@ -5455,23 +5458,23 @@ When a client's score is equal to or greater than the threshold specified with postscreen_dnsbl_threshold, \fBpostscreen\fR(8) can drop the connection with the remote SMTP client. .PP -Specify a list of domain=filter*weight entries, separated by +Specify a list of domain=filter*weight patterns, separated by comma or whitespace. .IP \(bu -When no "=filter" is specified, \fBpostscreen\fR(8) will use any -non\-error DNSBL reply. Otherwise, \fBpostscreen\fR(8) uses only DNSBL -replies that match the filter. The filter has the form d.d.d.d, +When a pattern specifies no "=filter", \fBpostscreen\fR(8) will +use any non\-error DNSBL query result. Otherwise, \fBpostscreen\fR(8) +will use only DNSBL +query results that match the filter. The filter has the form d.d.d.d, where each d is a number, or a pattern inside [] that contains one or more ";"\-separated numbers or number..number ranges. .IP \(bu -When no "*weight" is specified, \fBpostscreen\fR(8) increments -the remote SMTP client's DNSBL score by 1. Otherwise, the weight must be -an integral number, and \fBpostscreen\fR(8) adds the specified weight to -the remote SMTP client's DNSBL score. Specify a negative number for -allowlisting. +When a pattern specifies no "*weight", the weight of the +pattern is 1. Otherwise, the weight must be an integral number. +Specify a negative number for allowlisting. .IP \(bu -When one postscreen_dnsbl_sites entry produces multiple -DNSBL responses, \fBpostscreen\fR(8) applies the weight at most once. +When a pattern matches one or more DNSBL query results, +\fBpostscreen\fR(8) adds that pattern's weight once to the remote SMTP +client's DNSBL score. .br .PP Examples: diff --git a/postfix/proto/SASL_README.html b/postfix/proto/SASL_README.html index c3aaad7bd..3e2025a7a 100644 --- a/postfix/proto/SASL_README.html +++ b/postfix/proto/SASL_README.html 
@@ -280,6 +280,14 @@ configuration file in /etc/postfix/sasl/, cyrus_sasl_config_path and/or the distribution-specific documentation to determine the expected location.

  • +
  • Some Debian-based Postfix distributions patch Postfix to +hardcode a non-default search path, making it impossible to set an +alternate search path via the "cyrus_sasl_config_path" parameter. This +is likely to be the case when the distribution documents a +Postfix-specific path (e.g. /etc/postfix/sasl/) that is +different from the default value of "cyrus_sasl_config_path" (which +then is likely to be empty).

  • +
    diff --git a/postfix/proto/SMTPD_POLICY_README.html b/postfix/proto/SMTPD_POLICY_README.html index 189fb08dd..dd0a5494a 100644 --- a/postfix/proto/SMTPD_POLICY_README.html +++ b/postfix/proto/SMTPD_POLICY_README.html @@ -118,6 +118,7 @@ server_address=10.3.2.1 server_port=54321 Postfix version 3.8 and later: compatibility_level=major.minor.patch +mail_version=3.8.0 [empty line]
    @@ -220,6 +221,12 @@ compatibility_level=major.minor.patch major.minor.patch where minor and patch may be absent.

    +
  • The "mail_version" attribute corresponds to the + mail_version parameter value. It has the form + major.minor.patch for stable releases, and + major.minor-yyyymmdd for unstable releases. +

    +

    The following is specific to SMTPD delegated policy requests: diff --git a/postfix/proto/aliases b/postfix/proto/aliases index ed01ec0c9..d2d3f19b5 100644 --- a/postfix/proto/aliases +++ b/postfix/proto/aliases @@ -65,14 +65,17 @@ # Mail is forwarded to \fIaddress\fR, which is compatible # with the RFC 822 standard. # .IP \fI/file/name\fR -# Mail is appended to \fI/file/name\fR. See \fBlocal\fR(8) -# for details of delivery to file. +# Mail is appended to \fI/file/name\fR. For details on how a +# file is written see the sections "EXTERNAL FILE DELIVERY" +# and "DELIVERY RIGHTS" in the \fBlocal\fR(8) documentation. # Delivery is not limited to regular files. For example, to dispose # of unwanted mail, deflect it to \fB/dev/null\fR. # .IP "|\fIcommand\fR" -# Mail is piped into \fIcommand\fR. Commands that contain special -# characters, such as whitespace, should be enclosed between double -# quotes. See \fBlocal\fR(8) for details of delivery to command. +# Mail is piped into \fIcommand\fR. Commands that contain +# special characters, such as whitespace, should be enclosed +# between double quotes. For details on how a command is +# executed see "EXTERNAL COMMAND DELIVERY" and "DELIVERY +# RIGHTS" in the \fBlocal\fR(8) documentation. # .sp # When the command fails, a limited amount of command output is # mailed back to the sender. The file \fB/usr/include/sysexits.h\fR diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 76919f0ca..0f335eea9 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -14354,13 +14354,16 @@ The default time unit is s (seconds).

    %PARAM postscreen_dnsbl_sites -

    Optional list of DNS allow/denylist domains, filters and weight +

    Optional list of patterns with DNS allow/denylist domains, filters +and weight factors. When the list is non-empty, the dnsblog(8) daemon will -query these domains with the IP addresses of remote SMTP clients, +query these domains with the reversed IP addresses of remote SMTP +clients, and postscreen(8) will update an SMTP client's DNSBL score with -each non-error reply.

    +each non-error reply as described below.

    -

    Caution: when postscreen rejects mail, it replies with the DNSBL +

    Caution: when postscreen rejects mail, its SMTP response contains +the DNSBL domain name. Use the postscreen_dnsbl_reply_map feature to hide "password" information in DNSBL domain names.

    @@ -14368,26 +14371,25 @@ domain name. Use the postscreen_dnsbl_reply_map feature to hide specified with postscreen_dnsbl_threshold, postscreen(8) can drop the connection with the remote SMTP client.

    -

    Specify a list of domain=filter*weight entries, separated by +

    Specify a list of domain=filter*weight patterns, separated by comma or whitespace.

    diff --git a/postfix/src/global/mail_proto.h b/postfix/src/global/mail_proto.h index c5f59c2d7..315a2e15d 100644 --- a/postfix/src/global/mail_proto.h +++ b/postfix/src/global/mail_proto.h @@ -141,7 +141,7 @@ extern char *mail_pathname(const char *, const char *); #define MAIL_ATTR_PROTO_VERIFY "address_verification_prrotocol" /* - * Attribute names. + * Attribute names in internal and policy delegation protocols. */ #define MAIL_ATTR_REQ "request" #define MAIL_ATTR_NREQ "nrequest" @@ -201,6 +201,7 @@ extern char *mail_pathname(const char *, const char *); #define MAIL_ATTR_CRYPTO_CIPHER "encryption_cipher" #define MAIL_ATTR_CRYPTO_KEYSIZE "encryption_keysize" #define MAIL_ATTR_COMPAT_LEVEL "compatibility_level" +#define MAIL_ATTR_MAIL_VERSION "mail_version" /* * Suffixes for sender_name, sender_domain etc. diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 49f073faa..820708a2d 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20220724" +#define MAIL_RELEASE_DATE "20220816" #define MAIL_VERSION_NUMBER "3.8" #ifdef SNAPSHOT diff --git a/postfix/src/smtpd/Makefile.in b/postfix/src/smtpd/Makefile.in index 8c4132a30..f48d38f02 100644 --- a/postfix/src/smtpd/Makefile.in +++ b/postfix/src/smtpd/Makefile.in @@ -340,6 +340,7 @@ smtpd_check.o: ../../include/mail_error.h smtpd_check.o: ../../include/mail_params.h smtpd_check.o: ../../include/mail_proto.h smtpd_check.o: ../../include/mail_stream.h +smtpd_check.o: ../../include/mail_version.h smtpd_check.o: ../../include/map_search.h smtpd_check.o: ../../include/maps.h smtpd_check.o: ../../include/match_list.h diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index 2785ce1fc..29e8671a4 100644 --- a/postfix/src/smtpd/smtpd_check.c 
+++ b/postfix/src/smtpd/smtpd_check.c @@ -253,6 +253,7 @@ #include #include #include +#include /* Application-specific. */ @@ -4101,6 +4102,8 @@ static int check_policy_service(SMTPD_STATE *state, const char *server, policy_clnt->policy_context), SEND_ATTR_STR(MAIL_ATTR_COMPAT_LEVEL, var_compatibility_level), + SEND_ATTR_STR(MAIL_ATTR_MAIL_VERSION, + var_mail_version), ATTR_TYPE_END, ATTR_FLAG_MISSING, /* Reply attributes. */ RECV_ATTR_STR(MAIL_ATTR_ACTION, action), -- 2.47.3
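Review bot: The new `SEND_ATTR_STR(MAIL_ATTR_MAIL_VERSION, var_mail_version)` in check_policy_service() sends the exact version string to every policy server unconditionally, and nothing at the call site says what a receiver may rely on. The value is that of the mail_version configuration parameter, so it can presumably be overridden in main.cf and need not match the major.minor.patch or major.minor-yyyymmdd forms that SMTPD_POLICY_README describes. A policy server should therefore parse it defensively and use it only as an advisory feature-detection hint, not as input to an access decision. If the policy service is reached over a network socket rather than a local one (not visible in this hunk), each request also discloses the precise release or snapshot date to anything on that path, which deserves a sentence in the README. I would add a comment above the new lines such as `/* Feature-detection hint only: value is admin-configurable, format not guaranteed. */`; note that the body of check_policy_service() starts and ends outside the hunk.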