From 481bad91ee2fd412ebd162b83468bdc1c8e6bfc4 Mon Sep 17 00:00:00 2001
From: Wietse Venema
Date: Sun, 10 Feb 2019 00:00:00 -0500
Subject: [PATCH] postfix-3.4.0-RC1

---
 postfix/AAAREADME | 3 +-
 postfix/HISTORY | 15 +-
 postfix/README_FILES/AAAREADME | 1 +
 postfix/README_FILES/BDAT_README | 124 +++
 postfix/RELEASE_NOTES | 296 +++----
 postfix/WISHLIST | 1032 -----------------------
 postfix/html/BDAT_README.html | 178 ++++
 postfix/html/index.html | 2 +
 postfix/html/lmtp.8.html | 137 +--
 postfix/html/postlogd.8.html | 2 +-
 postfix/html/smtp.8.html | 137 +--
 postfix/html/smtpd.8.html | 3 +-
 postfix/html/tlsproxy.8.html | 159 +++-
 postfix/makedefs | 2 +-
 postfix/man/man8/postlogd.8 | 2 +-
 postfix/man/man8/smtp.8 | 7 +
 postfix/man/man8/smtpd.8 | 3 +-
 postfix/man/man8/tlsproxy.8 | 107 ++-
 postfix/mantools/postlink | 2 +
 postfix/proto/BDAT_README.html | 178 ++++
 postfix/proto/Makefile.in | 8 +
 postfix/src/global/mail_version.h | 4 +-
 postfix/src/master/master_conf.c | 5 +
 postfix/src/postlogd/postlogd.c | 2 +-
 postfix/src/smtp/smtp.c | 7 +
 postfix/src/smtpd/smtpd.c | 3 +-
 postfix/src/tls/tls_proxy.h | 1 +
 postfix/src/tls/tls_proxy_client_misc.c | 60 +-
 postfix/src/tls/tls_proxy_client_scan.c | 24 -
 postfix/src/tlsproxy/tlsproxy.c | 147 +++-
 30 files changed, 1197 insertions(+), 1454 deletions(-)
 create mode 100644 postfix/README_FILES/BDAT_README
 delete mode 100644 postfix/WISHLIST
 create mode 100644 postfix/html/BDAT_README.html
 create mode 100644 postfix/proto/BDAT_README.html

diff --git a/postfix/AAAREADME b/postfix/AAAREADME
index e6f5940d5..7b7a4b696 100644
--- a/postfix/AAAREADME
+++ b/postfix/AAAREADME
@@ -149,6 +149,7 @@ Postfix daemons: src/oqmgr/ Old queue manager src/pickup/ Local pickup src/pipe/ Pipe delivery + src/postlogd/ Syslog alternative, logs to file or stdout src/postscreen/ Zombie blocker src/proxymap/ Table lookup proxy agent src/qmgr/ Queue manager
@@ -159,7 +160,7 @@ Postfix daemons: src/smtpd/ SMTP server src/spawn/ Run non-Postfix server src/tlsmgr/ TLS session keys and random pool - src/tlsproxy/ TLS proxy for postscreen + src/tlsproxy/ TLS proxy for postscreen and outbound connection reuse src/trivial-rewrite/ Address rewriting and resolving src/verify/ address verification service src/virtual/ virtual mailbox-only delivery agent
diff --git a/postfix/HISTORY b/postfix/HISTORY
index 1ea5d38b0..c0119def5 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -17692,7 +17692,7 @@ Apologies for any names omitted. 20120330 - Workaround: specify "\c" at the start of an smtp_reject_footer + Workaround: specify "\c" at the start of an smtpd_reject_footer template to suppress the line break between the reply text and the footer text. Files: global/smtp_reply_footer.c, proto/postconf.proto.
@@ -23633,10 +23633,10 @@ Apologies for any names omitted. 20180812 - Feature: smtp_reject_footer_maps (as well as the postscreen + Feature: smtpd_reject_footer_maps (as well as the postscreen variant postscreen_reject_footer_maps). This is indexed with the SMTP server response text, and overrides the footer - specified with smtp_reject_footer. Files: global/mail_params.h, + specified with smtpd_reject_footer. Files: global/mail_params.h, mantools/postlink, postscreen/postscreen.c, postscreen/postscreen_send.c, postscreen/postscreen_smtpd.c, proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_chat.c.
@@ -24105,3 +24105,12 @@ Apologies for any names omitted. Debugging: tlsproxy(8) now logs more details about unexpected configuration differences between the Postfix SMTP client and the tlsproxy(8) daemon. + +20190210 + + Documentation: Postfix 3.4.0 RELEASE NOTES. + + Documentation: added BDAT_README. + + Documentation: global TLS settings. Files: mantools/postlink, + smtp/smtp.c, tlsproxy/tlsproxy.c.
diff --git a/postfix/README_FILES/AAAREADME b/postfix/README_FILES/AAAREADME
index 07bd21ea1..9afa3b7d2 100644
--- a/postfix/README_FILES/AAAREADME
+++ b/postfix/README_FILES/AAAREADME
@@ -78,6 +78,7 @@ OOtthheerr ttooppiiccss * ADDRESS_CLASS_README: Address Classes * CONNECTION_CACHE_README: Connection cache howto * DSN_README: Postfix DSN support + * BDAT_README: Postfix BDAT (CHUNKING) support * PACKAGE_README: Guidelines for Package Builders * SCHEDULER_README: Queue Scheduler * XCLIENT_README: XCLIENT Command
diff --git a/postfix/README_FILES/BDAT_README b/postfix/README_FILES/BDAT_README
new file mode 100644
index 000000000..2dc1df35c
--- /dev/null
+++ b/postfix/README_FILES/BDAT_README
@@ -0,0 +1,124 @@ +PPoossttffiixx BBDDAATT ((CCHHUUNNKKIINNGG)) ssuuppppoorrtt + +------------------------------------------------------------------------------- + +OOvveerrvviieeww + +Postfix SMTP server supports RFC 3030 CHUNKING (the BDAT command) without +BINARYMIME, in both smtpd(8) and postscreen(8). It is enabled by default. + +Topics covered in this document: + + * Disabling BDAT support + * Impact on existing configurations + * Example SMTP session + * Benefits of CHUNKING (BDAT) support without BINARYMIME + * Downsides of CHUNKING (BDAT) support + +DDiissaabblliinngg BBDDAATT ssuuppppoorrtt + +BDAT support is enabled by default. To disable BDAT support globally: + + /etc/postfix/main.cf: + # The logging alternative: + smtpd_discard_ehlo_keywords = chunking + # The non-logging alternative: + smtpd_discard_ehlo_keywords = chunking, silent_discard + +Specify '-o smtpd_discard_ehlo_keywords=' in master.cf for the submission and +smtps services, if you have clients that benefit from CHUNKING support. + +IImmppaacctt oonn eexxiissttiinngg ccoonnffiigguurraattiioonnss + + * There are no changes for smtpd_mumble_restrictions, smtpd_proxy_filter, + smtpd_milters, or for postscreen settings, except for the above mentioned + option to suppress the SMTP server's CHUNKING service announcement. + + * There are no changes in the Postfix queue file content, no changes for + down-stream SMTP servers or after-queue content filters, and no changes in + the envelope or message content that Milters will receive. + +EExxaammppllee SSMMTTPP sseessssiioonn + +The main differences are that the Postfix SMTP server announces "CHUNKING" +support in the EHLO response, and that instead of sending one DATA request, the +remote SMTP client may send one or more BDAT requests. In the example below, +"S:" indicates server responses, and "C:" indicates client requests (bold +font). 
+ + S: 220 server.example.com + C: EEHHLLOO cclliieenntt..eexxaammppllee..ccoomm + S: 250-server.example.com + S: 250-PIPELINING + S: 250-SIZE 153600000 + S: 250-VRFY + S: 250-ETRN + S: 250-STARTTLS + S: 250-AUTH PLAIN LOGIN + S: 250-ENHANCEDSTATUSCODES + S: 250-8BITMIME + S: 250-DSN + S: 250-SMTPUTF8 + S: 250 CHUNKING + C: MMAAIILL FFRROOMM::<> + S: 250 2.1.0 Ok + C: RRCCPPTT TTOO::<> + S: 250 2.1.5 Ok + C: BBDDAATT 1100000000 + C: ....ffoolllloowweedd bbyy 1100000000 bbyytteess...... + S: 250 2.0.0 Ok: 10000 bytes + C: BBDDAATT 112233 + C: ....ffoolllloowweedd bbyy 112233 bbyytteess...... + S: 250 2.0.0 Ok: 123 bytes + C: BBDDAATT 00 LLAASSTT + S: 250 2.0.0 Ok: 10123 bytes queued as 41yYhh41qmznjbD + C: QQUUIITT + S: 221 2.0.0 Bye + +Internally in Postfix, there is no difference between mail that was received +with BDAT or with DATA. Postfix smtpd_mumble_restrictions, policy delegation +queries, smtpd_proxy_filter and Milters all behave as if Postfix received (MAIL ++ RCPT + DATA + end-of-data). However, Postfix will log BDAT-related failures +as "xxx after BDAT" to avoid complicating troubleshooting (xxx = 'lost +connection' or 'timeout'), and will log a warning when a client sends a +malformed BDAT command. + +BBeenneeffiittss ooff CCHHUUNNKKIINNGG ((BBDDAATT)) ssuuppppoorrtt wwiitthhoouutt BBIINNAARRYYMMIIMMEE + +Support for CHUNKING (BDAT) was added to improve interoperability with some +clients, a benefit that would reportedly exist even without Postfix support for +BINARYMIME. Since June 2018, Wietse's mail server has received BDAT commands +from a variety of systems. + +Postfix does not support BINARYMIME at this time because: + + * BINARYMIME support would require moderately invasive changes to Postfix, to + support email content that is not line-oriented. With BINARYMIME, the + Content-Length: message header specifies the length of content that may or + may not have line boundaries. 
Without BINARYMIME support, email RFCs + require that binary content is base64-encoded, and formatted as lines of + text. + + * For delivery to non-BINARYMIME systems including UNIX mbox, the available + options are to convert binary content into 8bit text, one of the 7bit forms + (base64 or quoted-printable), or to return email as undeliverable. Any + conversion would obviously break digital signatures, so conversion would + have to happen before signing. + +DDoowwnnssiiddeess ooff CCHHUUNNKKIINNGG ((BBDDAATT)) ssuuppppoorrtt + +The RFC 3030 authors did not specify any limitations on how clients may +pipeline commands (i.e. send commands without waiting for a server response). +If a server announces PIPELINING support, like Postfix does, then a remote SMTP +client can pipeline all commands following EHLO, for example, MAIL/RCPT/BDAT/ +BDAT/MAIL/RCPT/BDAT, without ever having to wait for a server response. This +means that with BDAT, the Postfix SMTP server cannot distinguish between a +well-behaved client and a spambot, based on their command pipelining behavior. +If you require "reject_unauth_pipelining" to block spambots, then turn off +Postfix's CHUNKING announcement as described above. + +In RFC 4468, the authors write that a client may pipeline commands, and that +after sending BURL LAST or BDAT LAST, a client must wait for the server's +response. But as this text does not appear in RFC 3030 which defines BDAT, is +it a useless restriction that Postfix will not enforce. +
diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES
index 5037b316f..6794f1d3c 100644
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -1,12 +1,12 @@ -This is the Postfix 3.4 (experimental) release. +This is the Postfix 3.4 (stable) release. -The stable Postfix release is called postfix-3.3.x where 3=major -release number, 3=minor release number, x=patchlevel. The stable +The stable Postfix release is called postfix-3.4.x where 3=major +release number, 4=minor release number, x=patchlevel. The stable release never changes except for patches that address bugs or emergencies. Patches change the patchlevel and the release date. New features are developed in snapshot releases. These are called -postfix-3.4-yyyymmdd where yyyymmdd is the release date (yyyy=year, +postfix-3.5-yyyymmdd where yyyymmdd is the release date (yyyy=year, mm=month, dd=day). Patches are never issued for snapshot releases; instead, a new snapshot is released. 
@@ -25,19 +25,58 @@ more recent Eclipse Public License 2.0. Recipients can choose to take the software under the license of their choice. Those who are more comfortable with the IPL can continue with that license. -Incompatible changes with snapshot 20190126-nonprod -==================================================== +Summary of changes +------------------ -This introduces a new master.cf service 'postlog' with type -'unix-dgram' that is used by the new postlogd(8) daemon. The -'unix-dgram' service type is not supported by older Postfix versions. -Before backing out to an older version, edit the master.cf file and -remove the postlog entry. +Incompatible changes, bdat support, containers, database support, +logging, safety, tls connection pooling, tls support, usability, -Major changes with snapshot 20190126-nonprod -============================================ +Incompatible changes +-------------------- + +[Incompat 20180826] The Postfix SMTP server announces CHUNKING (BDAT +command) by default. In the unlikely case that this breaks some +important remote SMTP client, disable the feature as follows: + +/etc/postfix/main.cf: + # The logging alternative: + smtpd_discard_ehlo_keywords = chunking + # The non-logging alternative: + smtpd_discard_ehlo_keywords = chunking, silent_discard + +See BDAT_README for more. + +[Incompat 20190126] This introduces a new master.cf service 'postlog' +with type 'unix-dgram' that is used by the new postlogd(8) daemon. +Before backing out to an older Postfix version, edit the master.cf +file and remove the postlog entry. + +[Incompat 20190106] Postfix 3.4 drops support for OpenSSL 1.0.1 +(end-of-life was December 31, 2016) and all earlier releases. + +[Incompat 20180701] To avoid performance loss under load, the +tlsproxy(8) daemon now requires a zero process limit in master.cf +(this setting is provided with the default master.cf file). By +default, a tlsproxy(8) process will retire after several hours. 
+ +To set the tlsproxy process limit to zero: + +# postconf -F tlsproxy/unix/process_limit=0 +# postfix reload + +Major changes - bdat support +-------------------- + +[Feature 20180826] Postfix SMTP server support for RFC 3030 CHUNKING +(the BDAT command) without BINARYMIME, in both smtpd(8) and +postscreen(8). This has no effect on Milters, smtpd_mumble_restrictions, +and smtpd_proxy_filter. See BDAT_README for more. -Support for logging to file or stdout, instead of using syslog. +Major changes - containers +-------------------------- + +[Feature 20190126] Support for logging to file or stdout, instead +of using syslog. - Logging to file solves a usability problem for MacOS, and eliminates multiple problems with systemd-based systems. 
@@ -47,169 +86,65 @@ Support for logging to file or stdout, instead of using syslog. See MAILLOG_README for configuration examples and logfile rotation. -Incompatible changes with snapshot 20190106 -=========================================== - -Postfix 3.4 drops support for OpenSSL 1.0.1 (end-of-life December -31, 2016) and earlier releases. - -Major changes with snapshot 20190106 -==================================== +[Feature 20180422] Better handling of undocumented(!) Linux behavior +whether or not signals are delivered to a PID=1 process. -SNI support in the Postfix SMTP server, the Postfix SMTP client, -and in the tlsproxy daemon (both server and client roles). See the -postconf(5) documentation for the new tls_server_sni_maps and -smtp_tls_servername parameters. +Major changes - database support +-------------------------------- -Support for files that contain multiple (key, certificate, trust -chain) instances. This was required to implement server-side SNI -table lookups, but it also eliminates the need for separate cert/key -files for RSA, DSA, Elliptic Curve, and so on. The file format is -documented in the TLS_README sections "Server-side certificate and -private key configuration" and "Client-side certificate and private -key configuration", and in the postconf(5) documentation for the -parameters smtp_tls_chain_files, smtpd_tls_chain_files, -tlsproxy_client_chain_files, and tlsproxy_tls_chain_files. - -Note: the command "postfix tls" does not yet support the new -consolidated certificate chain format. If you switch to the new -format, you'll need to manage your keys and certificates directly, -rather than via postfix-tls(1). +[Feature 20181105] Support for (key, list of filenames) in map +source text. -Major changes with snapshot 20180826 -==================================== +- Currently, this feature is used only by tls_server_sni_maps. 
-Postfix SMTP server support for RFC 3030 CHUNKING (the BDAT command) -without BINARYMIME, in both smtpd(8) and postscreen(8). +- When a map is created from source with "postmap -F maptype:mapname", + the command processes each key as usual and processes each value + as a list of filenames, concatenates the content of those files + (with one newline character in-between files), and stores an entry + with (key, base64-encoded result). -To disable the SMTP server's CHUNKING support: +- When a map is queried with "postmap -F -q ...", the command + base64-decodes each value. It reports an error when a value is + not in base64 form. -/etc/postfix/main.cf: - # The logging alternative: - smtpd_discard_ehlo_keywords = chunking - # The non-logging alternative: - smtpd_discard_ehlo_keywords = chunking, silent_discard + This "postmap -F -q ..." behavior also works when querying the + memory-resident map types cidr:, inline:, pcre:, randmap:, regexp:, + and static:. Postfix reads the files specified as table values, + stores base64-encoded content, and base64-decodes content upon + table lookup. -Be sure to specify '-o smtpd_discard_ehlo_keywords=' in master.cf -for the submission and smtps services, in case you have clients -that benefit from CHUNKING support. + Internally, Postfix will turn on this behavior for lookups (not + updates) when a map is opened with the DICT_FLAG_RHS_IS_FILE flag. -Impact on existing configurations: ----------------------------------- +Major changes - logging +----------------------- -- There are no changes for smtpd_mumble_restrictions, smtpd_proxy_filter, - smtpd_milters, or for postscreen settings, except for the additional - option to suppress the SMTP server's CHUNKING service announcement. +[Feature 20190126] Support for logging to file or stdout, instead +of using syslog. 
-- There are no changes in the Postfix queue file content, no changes - for down-stream SMTP servers or after-queue content filters, and - no changes in the envelope or message content that Milters will - receive. +- Logging to file solves a usability problem for MacOS, and + eliminates multiple problems with systemd-based systems. -Example SMTP session --------------------- +- Logging to stdout is useful when Postfix runs in a container, as + it eliminates a syslogd dependency. -The main differences are that the Postfix SMTP server announces -"CHUNKING" support in the EHLO response, and that instead of sending -one DATA request, the remote SMTP client may send one or more BDAT -requests. In the example below, "S:" indicates server responses, -and "C:" indicates client requests. - - S: 220 server.example.com - C: EHLO client.example.com - S: 250-server.example.com - S: 250-PIPELINING - S: 250-SIZE 153600000 - S: 250-VRFY - S: 250-ETRN - S: 250-STARTTLS - S: 250-AUTH PLAIN LOGIN - S: 250-ENHANCEDSTATUSCODES - S: 250-8BITMIME - S: 250-DSN - S: 250-SMTPUTF8 - S: 250 CHUNKING - C: MAIL FROM: - S: 250 2.1.0 Ok - C: RCPT TO: - S: 250 2.1.5 Ok - C: BDAT 10000 - C: ..followed by 10000 bytes... - S: 250 2.0.0 Ok: 10000 bytes - C: BDAT 123 - C: ..followed by 123 bytes... - S: 250 2.0.0 Ok: 123 bytes - C: BDAT 0 LAST - S: 250 2.0.0 Ok: 10123 bytes queued as 41yYhh41qmznjbD - C: QUIT - S: 221 2.0.0 Bye - -Internally in Postfix, there is no difference between mail that was -received with BDAT or with DATA. Postfix smtpd_mumble_restrictions, -policy delegation queries, smtpd_proxy_filter and Milters all behave -as if Postfix received (MAIL + RCPT + DATA + end-of-data). However, -Postfix will log BDAT-related failures as "xxx after BDAT" to avoid -complicating troubleshooting (xxx = 'lost connection' or 'timeout'), -and will log a warning when a client sends a malformed BDAT command. 
- -Benefits of CHUNKING (BDAT) support without BINARYMIME: -------------------------------------------------------- - -Support for CHUNKING (BDAT) was added to improve interoperability -with some clients, a benefit that would reportedly exist even without -Postfix support for BINARYMIME. - -Postfix does not support BINARYMIME at this time because: - -- BINARYMIME support would require moderately invasive changes to - support email content that is not line-oriented. With BINARYMIME, - the Content-Length: header specifies the length of arbitrary - content that has no line boundaries. Without BINARYMIME, binary - content is base64-encoded, and formatted as lines of text. - -- There is no conversion of BINARYMIME to a line-oriented 8BITMIME - form that is compatible with legacy systems including UNIX mbox. - The available options are to convert binary content into one of - the 7bit forms (base64 or quoted-printable), or to return email - as undeliverable. Any conversion would break digital signatures, - so it would have to happen before signing. - -Downsides of CHUNKING (BDAT) support: -------------------------------------- - -The RFC 3030 authors did not specify any limitations on how clients -may pipeline commands (i.e. send commands without waiting for a -server response). If a server announces PIPELINING support, like -Postfix does, then a remote SMTP client can pipeline all commands -following EHLO, for example, MAIL/RCPT/BDAT/BDAT/MAIL/RCPT/BDAT, -without ever having to wait for a server response. This means that -with BDAT, the Postfix SMTP server cannot distinguish between a -well-behaved client and a spambot, based on their command pipelining -behavior. If you require "reject_unauth_pipelining" to block spambots, -turn off the CHUNKING support announcement as described above. 
- -Incompatible change with snapshot 20180701 -========================================== - -To avoid performance loss under load, the tlsproxy(8) daemon now -requires a zero process limit in master.cf (this setting is provided -with the default master.cf file). As tlsproxy(8) processes become -too busy handling TLS connections, more processes will automatically -be added. By default, a tlsproxy(8) process will retire after several -hours. +See MAILLOG_README for configuration examples and logfile rotation. -To set the tlsproxy process limit to zero: +Major changes - safety +---------------------- -# postconf -F tlsproxy/unix/process_limit=0 -# postfix reload +[Feature 20180623] Automatic retirement: dnsblog(8) and tlsproxy(8) process +will now voluntarily retire after after max_idle*max_use, or some +sane limit if either limit is disabled. Without this, a process +could stay busy for days or more. -Major changes with snapshot 20180617 -==================================== +Major changes - tls connection pooling +-------------------------------------- -Preliminary Postfix SMTP client support for multiple deliveries per -TLS-encrypted connection. This is primarily to improve mail delivery -performance for destinations that throttle clients when they don't -combine deliveries. +[Feature 20180617] Postfix SMTP client support for multiple deliveries +per TLS-encrypted connection. This is primarily to improve mail +delivery performance for destinations that throttle clients when +they don't combine deliveries. This feature is enabled with "smtp_tls_connection_reuse=yes" in main.cf, or with "tls_connection_reuse=yes" in smtp_tls_policy_maps. 
@@ -223,6 +158,10 @@ inbound connections, and relies on the same hints from the qmgr(8) daemon. It reuses the configuration parameters described in CONNECTION_CACHE_README. +The Postfix SMTP client now logs whether an SMTP-over-TLS connection +is newly established ("TLS connection established") or whether the +connection is reused ("TLS connection reused"). + The following illustrates how TLS connections are reused: Initial plaintext SMTP handshake: 
@@ -234,7 +173,36 @@ The following illustrates how TLS connections are reused: Cached SMTP/TLS connection: scache(8) -> tlsproxy(8) -> remote SMTP server -There are a few refinements planned: +Major changes - tls support +--------------------------- + +[Feature 20190106] SNI support in the Postfix SMTP server, the +Postfix SMTP client, and in the tlsproxy(8) daemon (both server and +client roles). See the postconf(5) documentation for the new +tls_server_sni_maps and smtp_tls_servername parameters. + +[Feature 20190106] Support for files that contain multiple (key, +certificate, trust chain) instances. This was required to implement +server-side SNI table lookups, but it also eliminates the need for +separate cert/key files for RSA, DSA, Elliptic Curve, and so on. +The file format is documented in the TLS_README sections "Server-side +certificate and private key configuration" and "Client-side certificate +and private key configuration", and in the postconf(5) documentation +for the parameters smtp_tls_chain_files, smtpd_tls_chain_files, +tlsproxy_client_chain_files, and tlsproxy_tls_chain_files. + +Note: the command "postfix tls" does not yet support the new +consolidated certificate chain format. If you switch to the new +format, you'll need to manage your keys and certificates directly, +rather than via postfix-tls(1). + +Major changes - usability +------------------------- + +[Feature 20180812] Support for smtpd_reject_footer_maps (as well +as the postscreen variant postscreen_reject_footer_maps) for more +informative reject messages. This is indexed with the Postfix SMTP +server response text, and overrides the footer specified with +smtpd_reject_footer. One will want to use a pcre: or regexp: map +with this. -- Log the TLS properties every time a connection is reused. - Currently, the properties are logged when a TLS session is created.
diff --git a/postfix/WISHLIST b/postfix/WISHLIST
deleted file mode 100644
index 245590f35..000000000
--- a/postfix/WISHLIST
+++ /dev/null
@@ -1,1032 +0,0 @@ -Wish list: - - Move tls_proxy_client_scan.c _to_string() function - to tls_proxy_client_misc.c. - - In tlsproxy, include parameter names in the diffs between - expected and client properties. This requires a function - tls_proxy_client_init_with_names_to_string(). - - make tls_pre_jail_init() safe by design for use in programs - that implement both clients and servers. - - postfix rotate-log command: mv postfix.log postfix.log.$(date - +%Y%M%d-%H%M%S) to avoid data loss if called repeatedly. - - In smtpd(8) and postscreen(8), set the ehlo_discard_mask - to ~0 so that STARTTLS, BDAT, DSN, etc. work only for clients - that send EHLO. - - Wordsmithing: "replace by X" -> "replace with X" unless X - is "responsible" for making the substitution. - - In postscreen, don't fork after 'postfix reload' when - psc_check_queue_length (and psc_post_queue_length?) is zero. - - Things to do before the stable release: - - Spell-check, double-word check, HTML validator check, - mantools/missing-proxy-read-maps check. - - Disable -DSNAPSHOT and -DNONPROD in makedefs. - - After I/O error, store errno in VSTREAM object before errno - may be overwritten. - - Add some tips for logging from container: - https://www.projectatomic.io/blog/2016/10/playing-with-docker-logging/; - syslog_name = $myhostname/postfix; mkdir queue and data - dir; postfix check to create queue subdirectories. - - Add postwhite as a postscreen-related project. - https://github.com/stevejenkins/postwhite/blob/master/README.md - - XFORWARD attributes in policy protocol? - - Document postsrsd and postforward for srs-ifying. Would - more fine-grained smtp_generic_maps support help? - - Decide whether to deprecate database configuration pathnames - that start with ".", for example, ldap:./file/name. These forms - are documented for ldap:, memcache:, mysql:, pgsql:, and sqlite: - maps. 
Postfix daemon processes will look up files relative to the - queue directory, but with postmap command-line processes it would - be more natural to interpret relative pathnames relative to the - current directory of the calling process (it would be a surprise - if "postmap hash:./foo" would access "/var/spool/postfix/foo", - or if "postmap hash:foo" and or "postmap hash:./foo" would access - different files). - - Convert postalias(1) to store external-form keys, and convert - aliases(5) to perform external-first lookup with fallback to - internal form, to make it consistent with the rest of Postfix. - In several years we may remove the internal-form fallbacks - with a compatibility_level safety net. - - In the bounce daemon, set util_utf8_enable if returning an - SMTPUTF8 message. This is wrong; if SMTPUTF8 is disabled, - then Postfix must not turn it on. - - Add a header_body_checks extension callback in smtp_proto.c - that implements the PASS action. - - Propagate SMTPD_PEER_CODE_XXX from smtpd(8) to cleanup(8), - so that {client_resolve} and {_} produce consistent results. - - NO_IP_CYRUS_SASL_AUTH should be a main.cf parameter. - - Modeline support in config files to enable/disable trailing - #comment, and to give hints about how to handle an LHS or - RHS. This will not preserve trailing comments in lines that - are modified with "postconf -e" and the like. - - Maintainability: replace lengthy libmilter-API argument lists - with named parameters, as with the libtls API. - - Fix buflen integer overflow detection in dict*sql.c. - - Fix "make test" bitrot. - - Move DNS-based tests from porcupine.org to postfix.org, or use - a mock DNS library (a library that presents the same API as the - real library, but that produces canned responses). - - Document dns_ncache_ttl_fix_enable use case in POSTSCREEN_README - and RELEASE_NOTES. - - Remove this file from the stable release. 
- - Things to do after the stable release: - - Specify WARN_UNUSED_RESULT for all library functions that - pass, deliver, bounce or defer a delivery request. - - Invent some kind of type-checking wrappers for htable(3), - ctable(3) and other modules that take and return a void* - pointer. We already did that for variadic functions. - - TLS certificate provenance: indicate whether a subject - name/issuer are verified or not (for example, change the - attribute name to unverified_ccert_subject etc.). This is - relevant only for fingerprint-based authentication including - DANE, and affects logging, SMTPD policy, and Milters. - - Generalize the daemon '-S' stand-alone mode, so that it can - be used with custom configuration settings for request/reply - regression testing. This would use the existing "-o name=value" - support to override parameters. For example, queue_directory - would point to a directory with sockets for fake versions of - Postfix-internal services. - - Update the list of Sendmail macros that Postfix can send - to Milters (auth_ssf and TLS-related). - - Update smtpd command count when rejecting or skipping input - before command-table lookup. But then we need to count - commands that are rejected (malformed UTF-8, tokenizer - error, forbidden command), or skipped (noop). - - What is the best place to detect spaces in pathnames during - installation/upgrade/packaging? postfix-install for early - warning, and post-install as a safety net? - - When the service basename differs from the program file - basename, either prepend the service name to the syslogname (as - if syslog_name=postfix/service/program), or prepend the service - name to the process name (perhaps too confusing). 
The service - indication is desirable for mail delivery transports (smtp - versus relay) as it identifies what scheduler parameters are - in effect, but it is also desirable for mail receiving services - (smtp versus submission verus smtps as configured in the stock - master.cf file). This requires exceptions for some program names - (exclude smtpd to avoid logging postfix/smtp/smtpd which could - result in more confusion, and maybe other program names). - - UTF8 DNS[BW]L domain name. - - Consolidate maps flags in mail_params.h instead of having - multiple copies scattered across programs. - - Try to allow UTF-8 myhostname/mydomain, at least in bounce - template expansion. - - In the SMTP server, do not issue an enhanced status code when - rejecting a connection before the HELO handshake is completed. - - Maybe don't whitelist a client that has maxed out its - per-MTA connection count limit. - - Inline support for pcre:{/pattern/=action, ...} and ditto - support for regexp: and cidr: tables. Factor out and reuse - code that already exists in inline: and other tables. - - Log command=good/bad statistics in postscreen? - - smtpd_checks tests either must use a DNS dummy resolver - (override the res_search API) or all names must be under - test.postfix.org (but that does not work for address->name - lookups, and cannot simulate some errors). - - Reporting the original Message-ID in a bounce message - In-Reply-To: or References: header. In the cleanup daemon, - grab a copy of the Message-ID and export it along with other - header-extracted information at the top of the "extracted" - queue file segment. In the queue manager, extract this - along with other header-extracted information, and forward - the Message-ID in the bounce server notification request. - - Clobber ORCPT when sender is owner-mumble? - - Add milter_mumble_macros to the list of per-macro features. - - The pickup daemon logs warnings only when the cleanup daemon - dit not provide a "reason" attribute. 
Is this logic right? - - up-convert myhostname to UTF-8 in MIME boundary strings? - - Eliminate code duplication between pcf_print_master_field() - and pcf_print_master_entry(). - - Error reporting: see if pcf_check_master_entry() and children - can return error descriptions instead of terminating with - a fatal error. - - Add a switch to consider postscreen deep protocol tests as - "completed" when receiving "RSET" after "RCPT TO" and the - session has passed all tests up to that point. RSET becomes - like QUIT except perhaps that it does not hang up. - - apipe: map, splits results into address lists and performs - lookups for the invidual addresses, converting back and - forth between external and internal forms. - - Clarify that receive_override_options have no effect with - smtpd_proxy_filter. - - Document the relative order of header_checks, address - rewriting, milters. - - NOT: Table-driven case folding and case-insensitive string - comparison specifically for UTF-8. Use libicu functions - instead. - - When downgrading message/global to 7bit, is quoted-printable - the appropriate encoding? Should it be base64? - - Should we encode headers with RFC 2047, when that is the - only reason that Postfix cannot deliver to a non-UTF8SMTP - server? Probably not in the general case. What about - Postfix as a gateway server that converts UTF8SMTP - for delivery to non-UTF8SMTP environments? - - Document and test restriction_classes example for - smtpd_policy_service_default_action. - - Don't accept AUTH or other features that are not announced - in the EHLO response. - - Suggested at Mailserver conference: Postscreen RDNS-based - reputation (but this makes postscreen performance highly - unpredicable because it introduces a dependency on random - DNS servers). - - Suggested at Mailserver conference: a way to select a - specific field in a table, presumably as the result value. 
- This may be done with a filtermap{i,j,...}: table that propagates - only the specified field(s). - - Discourage the use of "after 220" tests in POSTSCREEN_README - and the documentation of individual parameter settings. - - To un-break "make tests" under src/smtpd, make tests - independent from the DNS and native routines for host - name/address lookup. - - Make been_here flag BH_FLAG_FOLD configurable for masochists. - - Replace some redundant TLS_README sections with pointers - to FORWARD_SECRECY_README. - - Move html/index.html source to proto/. - - How hard is it to follow canonical or virtual mapping - for the purpose of address validation? We must never - reject a valid address. - - Preserve case in smtpd_resolve_addr() and add a structure - member for the case-folded address. IIRC some Milter macro - needs to show the unfolded address. - - Per SASL account rate limits. This requires new infrastructure - that maintains stats by SASL account instead of client IP - address. - - Watchdog timer in postmap/postalias. - - Begin code revision, after DANE support stabilizes. This - should be one pass that changes only names and no code. - - recipient_delimiters = $recipient_delimiter for BC - - All source code must specify its original author and - license statement. Some code modules specify Lutz Jaenicke - as the original author and fall under his liberal license. - Code that is added to such a module has the same license - (or at least something that is not more restrictive). Code - modules without input from Lutz Jaenicke must state its - original author and license (preferably no more restrictive - than Postfix's own license). Currently, too many files list - Wietse as the original author, and Lutz Jaenicke's license, - which is wrong. - - We have smtp_host_lookup, smtp_dns_resolver_options, and - now smtp_dns_support_level. Of these, smtp_dns_resolver_options - is orthogonal but the rest has overlap. 
- - There needs to be support for automatic migration from the - deprecated disable_dns_lookups feature to the preferred - smtp_dns_support_level feature. This support needs to exist - for several releases before the deprecated feature can be - removed. - - End code revision, after DANE support stabilizes. - - It would be nice if "bare username" lookup is not hard-coded - for domains in the local address class. - - Don't forget Apple's code donation for fetching mail from - IMAP server. - - Should postconf -o refuse to work without the -x option? - - Make 30s caching (feature 20070414) configurable, such that - 0 means no caching. - - Make errno white/blacklist for getpwnam_r etc. and mailbox - write errors. - - smtpd_muble_restrictions rule names are case-insensitive. - restriction_classes values are case-sensitive but should - be case-insensitive for consistency with smtpd_muble_restrictions. - - Make "rename" the default when postmapping a DB file - (later: use copy+rename for postmap -i, postmap -d). - - Service-name parameters aren't documented in daemon manpages. - - When faking up the DSN ORCPT, don't send bare usernames - from local command-line submission. - - lmtp_assume_final is broken. A 2XX response does not imply - final delivery. The Sieve language implements accept-then-bounce. - - postscreen event-driven plug-in interface to send out a - query in parallel with the Pregreet and DNSBL tests, using - a simplified version of the policy delegation protocol. - - Parallelized queue preprocessing: rip out the queue manager - code to read queue files and resolve recipients, and run - it in parallel processes. The queue manager then processes - their results as they become available. This would eliminate - the qmgr<->trivial-rewrite bottleneck. This can also eliminate - much of the scheduling disadvantage of a single queue manager - compared to hundreds of mail receiving or sending processes - (especially if there is a way to scan the queue in parallel). 
- - Memory pools for same-type memory objects. This can be - used to either increase memory locality for frequently-allocated - objects (MRU allocation) or to make use-after-free bugs - more detectable (use LRU allocation and wipe the object - immediately after free(). Finally, same-type memory pools - prevent object type errors with use-after-free bugs. - - "no-cache" option for selected postscreen tests? - - Need a new DICT flag to indicate that a map handle supports - locking. If it doesn't (as with memcache or proxymap - handles), then postscreen etc. don't need to close a cache - file after "postfix reload". After a fork() it is OK to - keep using a memcache or proxymap handle, because the parent - exits immediately. For this to work, the memcache client - needs to propagate the flag from a persistent backup map, - but the proxymap protocol should not propagate this to the - client. - - Different TTL values for different DNSBL sources? - - Replace master(8) SIGHUP by very simple socket protocol to - allow reload of a specific service. - - postscreen: in the dummy SMTP engine, log the protocol state - at time of violation (like smtpd, set state->where initially - to CONNECT, then update it with the name of the last "known" - command, or set it to "unimplemented"). - - The discussion of postscreen cache configuration is in the - wrong place (how whitelisting works). Move it to the section - about configuring postscreen. - - Before proxymap can be exposed to the network (primarily - to share postscreen or verify caches), need to enforce - limits on attribute string name and value length in IPC - protocols. 10-20KB seems OK. We need to enforce content - sanity checks (for example, no control characters; Postfix - does not pass around multi-line data in table lookups). The - VSTREAM library already supports read/write deadlines. We - need to use attack-resistant code for numeric conversion. - - move flush_init() etc. 
from defer service clients to the - bounce daemon? Postfix works best when work can be spread - out over many clients, instead of over a few servers. - - multi_connect() function that takes a list of inet:host:port - and/or unix:pathname specs, with an explicit "inet" prefix - argument to handle applications that use host:port only. - This will simplify multi-host implementation for memcache - client, dovecot client, and other. - - dict_memcache: treat "bad" key as cache miss, i.e. read/write - the backup database as if the cache did not exist. This - does not help because most Postfix maps (virtual, canonical, - access, transport, ...) also don't support spaces in keys. - - postscreen: keep the cache open after "postfix reload" when - it is remote (type memcache: or proxy:). This does not work - because memcache can use a non-proxied file as backup). - - What is the feasibility of adding an mta_name (personality) - attribute that is propagated via queue files and delivery - agent requests? It would default to myhostname. - - Major performance improvement opportunity (that is until - everyone runs Postfix queues on SSDs). Investigate the - viability of a daemon that produces incoming and postdrop - queue files on request (in reality it would maintain a - limited queue of "spare" files). Central queue file allocation - reduces the I/O performance disadvantage that qmgr has when - 100 smtpd processes are receiving mail, or when lots of - mail is submitted with the sendmail command line. When an - smtpd process accepts MAIL FROM, a cleanup daemon requests - a queue file and receives a queue ID + file handle from the - queue file daemon. If the queue file daemon is down, the - cleanup daemon creates the file itself like it does now; - this can be hidden in the mail_stream library module. 
If - the mail transaction is aborted, then the cleanup daemon - gives the queue file back to the queue file daemon's "spare" - file pool, saving most of the overhead of creating and - deleting a queue file (the file would still need to be - renamed at the start of the next mail transaction). If the - cleanup daemon is unable to give a file back, then it can - delete the file like it does now; this can be hidden in the - mail_stream library module. The whole thing can be - transparently added to Postfix by adding calls to a - queue-file-service client to the mail_queue_enter() and - mail_queue_remove() library routines. Other advantages: - 1) negligible performance hit when queue file allocation - happens earlier, so that logging and milters have a queue - ID for the whole transaction not just the first valid - recipient; 2) by not removing every queue files we get most - of the performance gain of a queue based on append/truncate - instead of the much more expensive create/delete. - - Investigate viability of Sendmail dns maps. - - Make the rules for how to use close-on-exec more explicit. - - Provide separate timeout control for dict_proxy client, - rewrite client, resolve client, cleanup client, and so on. - Perhaps a timeout argument to the mail_connect() routines. - - Trick from amavisd: save listen socket/fifo/etc state, clear - their close-on-exec flags, exec the same program file to - re-initialize (with saved socket state on command line or - in environment), then restore the listen socket/fifo/etc - close-on-exec flags. This could be a way to mitigate the - impact of memory/file leaks, and to implement "postfix - reload" support for master(8) features that currently don't - support this. - - Sub-second time resolution. The first benefit is to make - per-destination rate delays more usable. Other applications - will come up once the support exists. 
The straightforward - approach is to represent all time intervals in milliseconds, - and to update all code that makes system calls with a time - argument (as well as the compiled-in upper and lower time - parameter bounds, which are currently in seconds). - Unfortunately, that limits he maximum time interval to less - than 25 days on 32-bit systems, and is likely to break - compatibility (for starters, it cannot even deal with the - compiled-in 100d upper bound on the queue file lifetime). - A second option is to have a "compatibility" time base - switch between milliseconds and seconds; this means extra - changes to all code that makes system calls with a time - argument, and the way that the compiled-in upper and lower - bounds are specified. Some of this can be encapsulated in - macros like time_to_sec(t), time_to_msec(t) and sec_to_time(t). - Finally, it is relatively easy to replace the events(3) - interface to use "double" for the time delay arguments, but - it is a major pain to convert all main.cf time parameters - into doubles (converting only some leads to a documentation - nightmare). - - Address verify cache: allow a negative cache "refresh" - result to purge a "positive" cache entry in some safe manner. - Currently, the negative cache "refresh" result is discarded, - address verify cache lookup returns OK, and each lookup - forces a "refresh" probe until the entry expires. - - Some Sendmail configurations trigger sub-optimal behavior - when the postscreen_whitelist_interfaces parameter lists - primary MX addresses only. When postscreen's "deep protocol - tests" are successful on the primary MX address (i.e. they - result in 4XX responses to RCPT TO), some Sendmail - configurations keep the primary MX connection open until - AFTER they finish talking to the backup MX address. 
The - problem is that the backup connection runs into a WHITELIST - VETO condition because the whitelisting database has not - yet been updated with the PASS NEW result for the primary - MX connection. Unfortunately postscreen can't update the - whitelisting database before the primary MX connection is - closed, because a client may still make a mistake. - - In the SMTP server, check if the connection is closed before - replying to ".", and discard the message if the reply can't - be sent. This reduces the time window for RFC 1047 message - duplication, and may even prevent the delivery of some spam. - http://www.exim.org/lurker/message/20070416.103159.9d5ff0ce.en.html - This requires splitting the SMTP server's commit operation - into two operations: first, a tentative commit operation - that performs most of the I/O and processing in milters and - in the cleanup server; second, a final commit operation - that is executed only if the remote SMTP client hasn't hung - up in the mean time. Unfortunately, SMTP-based before-queue - content filters don't support a tentative commit operation. - - Find out how to reproduce Berkeley DB bogus ENOENT errors. - postscreen does not log this with Berkeley DB 1 (FreeBSD - 4..8), 4.7.25 (Ubuntu 9.04) and 4.8.24 (Ubuntu 10.04). - - postconf command-line option to show the compile-time - settings (CCARGS, AUXLIBS) in case binary packages - don't install the makedefs.out file. - - events.c: cache the side effects of file descriptor event - enable/disable operations in user space, and do bulk kernel - updates at event_loop() time. This can eliminate costly - system calls with successive event disable/enable operations - on the same file descriptor. This can also eliminate the - need for tricky code that tries to avoid the expense of - successive disable/enable operations. Such code is likely - to introduce bugs. - - When does it pay off to send domains in the active queue - to a DNS prefetch daemon? 
Could this generalize to a dynamic - transport map that piggy-backs domains with the same MX - host into the same mail delivery transaction? - - tlsproxy(8) should receive TLS preferences from postscreen(8) - and smtpd(8), instead of reading them from main.cf. This - means that many tlsproxy_ parameters become postscreen_ - parameters, and that tls_server_init() parameters move to - to tls_server_start(). That is a significant API change. - It also means tlsproxy can't open all files before chroot(). - - anvil rate limit for sasl_username. - - Encapsulate nbbio buffer access and update by tlsproxy. - - Full-duplex support for tlsproxy(8). This requires updating - events(3) and nbbio(3). - - Register automagic destructor for object attached to VSTREAM. - - Use different ipc time limits for email message transactions - (smtpd, pickup)->cleanup and for quick query/reply transactions - such as address rewriting/resolution. Beware of large time - limits for local or virtual alias expansion. - - permit_tempfail_action (default: defer_if_reject) to be - used as the default value for dnswl_tempfail_action and - rhswl_tempfail_action. Steal liberally from the code that - implements unverified_recipient_tempfail_action etc. - - Support filtering of messages that are generated by Postfix: - This would apply to postmaster notices and bounce messages - (DKIM), and address verification (BATV). - - Consistency: in postconf.proto make
..
tags bold. - - Would it help if there were different cleanup_service - parameter names for different message paths? smtpd(8) uses - the same cleanup_service value for receiving remote mail - and for submitting postmaster problem reports. Do we need - separate mumble_cleanup_service_name parameters for "inject", - "notify" and "forward" (with backwards compatible defaults)? - - IF/ENDIF support for CIDR tables. - - Need a regular expression table to translate address - verification responses into hard/soft/accept reply codes. - - Is there a way to make sendmail -V work after local alias - expansion? Majordomo-like mailing lists would benefit from - this; the example in VERP_README does not work in the general - case. - - When an alias is a member of an :include: list with owner- - alias, local(8) needs an option to deliver alias or alias->user - indirectly. What happens when an :include: list with owner- - alias includes another list? - - Don't allow empty result values in pcre and regexp maps. - Postfix doesn't allow them anywhere else (check this). - - Make PCRE_MAX_CAPTURE configurable. - - Add some checks for tokens starting with #. A challenge - is to report sensible context from the guts of some low-level - parser, without introducing a great deal of clumsiness. - - Add sendmail macros for {verify} and maybe other TLS info. - - Find out if we are doing the correct thing by looking at - state->milter_reject_text when expanding {rcpt_addr} or - {rcpt_host}. - - Find out why post_mail() etc. block when the qmgr fifo is - full (answer: trigger_timeout). How can this cause delays - in the queue manager? When a recipient bounces during - (transport, nexthop, address) resolution, it is redirected - to the error or retry mailer; and bounce-after-delivery is - asynchrounous so it can't block the queue manager, either. 
- - How to ensure that proxy_read_maps is processed after all - its dependencies are initialized, or just bite the bullet - and rewrite the parameter initialization code. - - The cleanup virtual alias expansion limit does not really - deliver on its promises. 1) It promises to truncate the - result without aborting delivery, which would be undesirable - anyway, but that is not what it does, so that is good. 2) - It keeps all the recipients from multi-recipient database - lookup, then terminates further recursion when the result - exceeds the expansion limit. This behavior achieves the - original goal that all things shall have a finite size (even - though but we don'really care how large they are) but may - result in surprises when recipients are listed in virtual - alias domains or need expansion for other reasons. In a - phone call with Victor, a reasonable way out is to set the - limit to some large number (100000) and abort delivery when - the result exceeds the limit. - - Should the postscreen save permanent white/black list lookup - results to the temporary cache, and query the temporary - cache first? Skipping white/black list lookups will speed - up the handling of "good" clients without a permanent - whitelist entry. Of course, this means that updates to the - white/black lists do not immediately take effect. Workarounds: - 1) use a shorter temporary cache TTL for clients on the - permanent black/white lists; 2) ignore cached white/black - list lookup results after "postfix reload"; 2) adjust the - logging, for example "WHITELISTED address (cached)" and - "BLACKLISTED address (cached)" to eliminate surprises. - Comparing the cache entry time with the white/blacklist - file modification time is not foolproof: for example, pcre - or CIDR tables are read only once. 
- - It would be nice if the generic dict_cache(3) cache manager - could postpone process suicide until cache cleanup is - completed (but that is not possible when postscreen forks - into the background to finish already-accepted connections, - and it is not desirable when a host is being shut down). - - When postscreen drops a connection, a 521 "greeting" should - be of the form "521 servername..." and not have an enhanced - status code. The "521 5.7.1" form can be used after EHLO. - Of course no spammer is going to complain about Postfix - SMTP compliance. - - Find a place to document all the mail routing mechanisms - in one place so people can figure out how Postfix works. - - The access map BCC action is marked "not stable", perhaps - because people would also expect BCC actions in header/body_checks. - How much would it take to make the queue file editing code - generally usable? - - Move smtpd_command_filter into smtpd_chat_query() and update - the session transcript (see smtp_chat_reply() for an example). - - SMTP connection caching without storing connections, to - improve TLS mail delivery performance. - - Should not milter8_mail_event() unset the "hold" default - reply? Better, the default reply should not be used for - this purpose. - - Don't send MASTER_STAT_TAKEN/MASTER_STAT_AVAIL when a server - runs with process limit of 1. But this means the master - never learns that the process is successful and will always - pause $service_throttle_time before restarting a failed service. - - Don't bother maintaining a per-service lockfile when a - server runs with process limit of 1. The purpose of the - lockfile is to avoid thundering herd problems when the kernel - wakes up multiple processes for each new client connection. - - Implement PREPEND action for milter_header_checks. Save the - to-be-prepended text to buffer, then emit it along with the - new header. - - Fix the header_body_checks API, so that the name of the map - class (e.g. 
milter_header_checks) is available for logging. - - Fix the mime_state and header_body_checks APIs, so that - they use VSTRINGs. This simplifies REPLACE actions. - - Update FILTER_README for multi-instance support, and rename - the old document to FILTER_LEGACY_README. - - Need to sign delivery status notifications, to avoid surprises - when eventually people start enforcing DKIM etc. signatures. - - Either document or remove the internal_mail_filter_classes - feature (it's disabled by default). - - Make the "unknown recipient" test configurable as - first|last|never, with "yes"=="last" for backwards - compatibility. The "first" setting is good for performance - (stress=yes) when all users are defined in local files; but - it may perform worse when users are in networked tables. - - Cleanup: make DNSBL query format configurable beyond the - client's reversed IP address. - - With 'final delivery' in the LMTP client, need an option - to also add delivered-to and other pipe(8) features. This - requires making mail_copy() functionality available in - non-mailbox context. - - Cleanup: modernize the "add missing 
From: header" code, to - ``phrase '' form. Most likely, quote the entire phrase - if it contains any text that is special, then rfc822_externalize - the whole thing. - - SMTP server: make the server_addr and server_port available - to policy server, Dovecot, and perhaps Milters. - - Med: local and remote source port and IP address for smtpd - policy hook. - - Maybe change maps_rbl_reject_code default to 521, and - update wording in STRESS_README. - - Encapsulate time_t comparisons so that they can be made - system dependent (use difftime() where available). - - Encapsulate time_t conversions (e.g. REC_TYPE_TIME) so that - they can be made system dependent. - - Plan for time_t larger than long, or wait for LP64 to - dominate the world? - - Make "AUTH=<>" appendage to MAIL FROM configurable, enabled - by default. - - To support ternary operator without a huge parsing effort, - consider ${value?{xxx}:{yyy}} where ${name} is existing - syntax, and where ?{text} and :{text} are new syntax that - is unlikely to break existing configurations. Or perhaps - it's just too ugly. - - Write delivery rate delay example (which _README?) and auth - failure cache example (SASL_README). Then include them in - SOHO_README. - - Look for alternatives for the use of non_smtpd_milters. - This involves some way to force local submissions to go - through a local SMTP client and server, without triggering - "mail loops back to myself" false alarms. The advantage is - that it makes smtpd_mumble_restrictions available for local - and remote mail; the disadvantage is that it makes local - submissions more dependent on networking. One possibility - is to use "pickup -o content_filter=smtp:127.0.0.1:10025", - or a dedicated SMTP client/server on UNIX-domain sockets; - we could also decide to always suppress "mail loop" detection - for loopback connections. 
Another option is to have the - pickup or cleanup server drive an SMTP client directly; - this would require extension of the mail_stream() interface, - plus a way to handle bounced/deferred recipients intelligently, - but it would be at odds with Postfix design where delivery - agents access queue files directly; exposing delivery agents - to raw queue files violates another Postfix design principle. - - Consolidate duplicated code in *_server_accept_{pass,inet}(). - - Consolidate duplicated code in {inet,unix,upass}_trigger.c. - - In the SMTP client, handle 421 replies in smtp_loop() by - having the input function raise a flag after detecting 421 - (kill connection caching and be sure to do the right thing - with RSET probes), leave the smtp_loop() per-command reply - handlers unchanged, and have the smtp_loop() reader loop - bail out with smtp_site_fail("server disconnected after - %s", where), but only in the case that it isn't already in - the final state. But first we need to clean up the handling - of do/don't cache, expired, bad and dead sessions. - - Combine smtpd_peer.c and qmqpd_peer.c into a single function - that produces a client context object, and provide attribute - print/scan routines that pass these client context objects - around. With this, we no longer have to update multiple - pieces of code when a client attribute is added. Ditto for - SASL and TLS context. - - Don't log "warning: XXXXX: undeliverable postmaster - notification discarded" for spam from outside. - - Really need a cleanup driver that allows testing against - Milter applications instead of synthetic events. This would - have to provide stubs for clients that talk to Postfix - daemon processes. See if this approach can also be used for - other daemons. - - smtpd(8) exempts $address_verify_sender from access controls, - but it doesn't know whether cleanup(8) or delivery agents - modify the sender. 
Would it be possible to "calibrate" this - exemption, perhaps by having delivery agents pass the probe - sender to the verify server, keeping in mind that the probe - sender may differ per delivery agent due to output rewriting. - - Update attr_print/scan() so they can send/receive file - descriptors. This simplifies kludgy code in many daemons. - - Would there be a problem adding $smtpd_mumble_restrictions - and $smtpd_sender_login_maps to the default proxy_read_maps - settings? - - Remove defer(8) and trace(8) references and man pages. These - are services not program names. On the other hand we have - man pages for lmtp(8) and smtp(8), but not for relay(8). - Likewise, retry(8) does not have a man page. - - Bind all deliveries to the same local delivery process, - making Postfix perform as poorly as monolithic mailers, but - giving a possibility to eliminate duplicate deliveries. - - Maybe declare loop when resolve_local(mxhost) is true? - - Update message content length when adding/removing headers. - - Need scache size limit. - - REDIRECT should override original recipient info, and - probably override DSN as well. - - Update FILTER_README with mailing list suggestions to tag - with a badness indicator and then filter down-stream. - - Make null local-part handling configurable: either expand - into mailer-daemon (current behavior) or disallow (strict - behavior, currently implemented only in the SMTP server). - - Add M flag (enable multi-recipient delivery) to pipe daemon. - - The usage of TLScontext->cache_type is unclear. It specifies - a TLS session cache type (smtpd, smtp, or lmtp), but it is - sometimes used as an indicator that TLS session caching is - unavailable. In reality, that decision is made by not - registering call-back functions for cache maintenance. - - Postfix TLS library code should copy any strings that it - receives from the application, instead of passing them - around as pointers. TLScontext->cache_type is a case in - point. 
- - Are transport:nexthop null fields the same as in the case - of default_transport etc. parameters? - - Don't lose bits when converting st_dev into maildir file - name. It's 64 bits on Linux. Found with the BEAM source - code analyzer. Is this really a problem, or are they just - using 64 bits for upwards compatibility with LP64 systems? - - Do or don't introduce unknown_reverse_client_reject_code. - - Check that "UINT32 == unsigned int" choice is ok (i.e. LP64 - UNIX). - - Tempfail when a Milter application tries to negotiate content - access, while it is configured in an SMTP server that runs - before the smtpd_proxy filter. - - Log DSN original recipient when rejecting mail. - - Keep whitespace between label and ":"? - - Make the map case folding/locking options configurable, if - not at run-time then at least at compile time so we get - consistent behavior across applications. - - Investigate what it would take to eliminate oqmgr, and to - make the old behavior configurable in a unified queue - manager. This would shave another 2.7 KLOC from the source - footprint. - - Document the case folding strategy for match_list like - features. - - Eliminate the (incoming,deferred)->active rename operation. - This requires an in-memory hash of queue file names to avoid - duplicate open() operations. - - Softbounce fallback-to-ISP for SOHO users. This heuristic - assumes that when direct-to-MX delivery fails with 5XX, - delivery via the ISP may still succeed. This could be - implemented by enabling soft bounces for destinations other - than the smtp_fallback_relay. So the only benefit of this - over the existing soft_bounce feature is that it has no - effect on smtp_fallback_relay deliveries. - - Centralize main.cf parameter input so that defaults work - consistently. What about parameter names that are prefixed - with mail delivery transport names? 
- - Fix default time unit handling so that we can have a default - bounce lifetime of $maximal_queue_lifetime, without causing - panics when a non-default maximal_queue_lifetime setting - includes no time unit. - - After the 20051222 ISASCII paranoia, lowercase() lowercases - ASCII text only. - - Privacy: remove local command/pathname details from remote - delivery status reports, and log them via local msg_warn(). - - Is it safe to cache a connection after it has been used for - more than some number of address verification probes? - - Try to recognize that Resent- headers appear in blocks, - newest block first. But don't break on incorrect header - block organization. - - Hard limits on cache sizes (anvil, specifically). - - Laptop friendliness: make the qmgr remember when the next - deferred queue scan needs to be done, and have the pickup - server stat() the maildrop directory before searching it. - - Low: replace_sender/replace_recipient actions in access - maps, so they can be used in policy servers? - - Low: configurable order of local(8) delivery methods. - - Med: smtp_connect_timeout_budget (default: 3x smtp_connect_timeout) - to limit the total time spent trying to connect. - - Med: transform IPv4-in-IPv6 address literals to IPv4 form - when comparing against local IP addresses? - - Med: transform IPv4-in-IPv6 address literals to IPv4 form - when eliminating MX mailer loops? - - Med: Postfix requires [] around IPv6 address information - in match lists such as mynetworks, debug_peer_list etc., - but the [] must not be specified in access(5) maps. Other - places don't care. For now, this gotcha is documented in - IPV6_README and in postconf(5) with each feature that may - use IPv6 address information. The general recommendation - is not to use [] unless absolutely necessary. 
- - Med: the partial address matching of IPv6 addresses in - access(5) maps is a bit lame: it repeatedly truncates the - last ":octetpair" from the printable address representation - until a match is found or until truncation is no longer - possible. Since one or more ":" are usually omitted from - the printable IPv6 address representation, this does not - really try all the possibilities that one might expect to - be tried. For now, this gotcha is documented in access(5). - - Low: reject HELO with any domain name or IP address that - this MTA is the final destination for. - - Low: should the Delivered-To: test in local(8) be configurable? - - Low: make mail_addr_find() lookup configurable. - - Low: update events.c so that 1-second timer requests do not - suffer from rounding errors. This is needed for 1-second - SMTP session caching time limits. A 1-second interval would - become arbitrarily short when an event is scheduled just - before the current second rolls over. - - Low: configurable internal/system locking method. - - Low: add INSTALL section for pre-existing Postfix systems. - - Low: add INSTALL section for pre-existing RPM Postfixes. - - Low: disallow smtpd_recipient_limit < 100 (the RFC minimum). - - Low: noise filter: allow smtp(8) to retry immediately if - all MXes return a quick ECONNRESET or 4xx reply during the - initial handshake. Retry once? How many times? - - Low: make post-install a "postfix-only script" so it can - take data from the environment instead of main.cf. - - Low: randomize deferred mail backoff. - - Med: separate ulimit for delivery to command? - - Med: postsuper -r should do something with recipients in - bounce logfiles, to make sure the sender will be notified. - To be perfectly safe, no process other than the queue manager - should move a queue file away from the active queue. - - This could involve tagging a queue file, and use up another - permission bit (postsuper tags a "hot" file, qmgr requeues it). 
-
- Low: postsuper re-run after renaming files, but only a
- limited number of times.
-
- Low: smtp-source may block when sending large test messages.
-
- Med: find a way to log the sender address when MAIL FROM
- is rejected due to lack of disk space.
-
- Low: revise other local delivery agent duplicate filters.
-
- Low: all table lookups should consistently use internalized
- (unquoted) or externalized (quoted) forms as lookup keys.
- smtpd, qmgr, local, etc. use unquoted address forms as keys.
- cleanup uses quoted forms.
-
- Low: have a configurable list of errno values for mailbox
- or maildir delivery that result in deferral rather than
- bouncing mail. What about "killed by signal" exits?
-
- Low: after reorganizing configuration parameters, add flags
- to all parameters whose value can be read from file.
-
- Medium: need in-process caching for map lookups. LDAP servers
- seem to need this in particular. Need a way to expire cached
- results that are too old.
-
- Low: generic showq protocol, to allow for more intelligent
- processing than just mailq. Maybe marry this with postsuper.
-
- Low: default domain for appending to unqualified recipients,
- so that unqualified names can be delivered locally.
-
- Low: The $process_id_directory setting is not used anywhere
- in Postfix. Problem reported by Michael Smith, texas.net.
- This should be documented, or better, the code should warn
- about attempts to set read-only parameters.
-
- Low: while converting 8bit text to quoted-printable, perhaps
- use =46rom to avoid having to produce >From when delivering
- to mailbox.
-
- virtual_mailbox_path expression like forward_path, so that
- people can specify prefix and suffix.
diff --git a/postfix/html/BDAT_README.html b/postfix/html/BDAT_README.html
new file mode 100644
index 000000000..b8feeeb14
--- /dev/null
+++ b/postfix/html/BDAT_README.html
@@ -0,0 +1,178 @@
+
+
+
+
+
+
+Postfix BDAT (CHUNKING) support
+
+
+
+
+
+
+

Postfix +BDAT (CHUNKING) support

+ +
+ +

Overview

+ +

Postfix SMTP server supports RFC 3030 CHUNKING (the BDAT command) +without BINARYMIME, in both smtpd(8) and postscreen(8). It is enabled +by default.

+ +

Topics covered in this document:

+ + + +

Disabling BDAT support

+ +

BDAT support is enabled by default. To disable BDAT support +globally:

+ +
+
+/etc/postfix/main.cf:
+    # The logging alternative:
+    smtpd_discard_ehlo_keywords = chunking
+    # The non-logging alternative:
+    smtpd_discard_ehlo_keywords = chunking, silent_discard
+
+
+ +

Specify '-o smtpd_discard_ehlo_keywords=' in master.cf +for the submission and smtps services, if you have clients +that benefit from CHUNKING support.

+ +

Impact on existing configurations

+ +
    + +
  • There are no changes for smtpd_mumble_restrictions, +smtpd_proxy_filter, smtpd_milters, or for postscreen settings, +except for the above mentioned option to suppress the SMTP server's +CHUNKING service announcement.

    + +
  • There are no changes in the Postfix queue file content, +no changes for down-stream SMTP servers or after-queue content +filters, and no changes in the envelope or message content that +Milters will receive.

    + +
+ +

Example SMTP session

+ +

The main differences are that the Postfix SMTP server announces +"CHUNKING" support in the EHLO response, and that instead of sending +one DATA request, the remote SMTP client may send one or more BDAT +requests. In the example below, "S:" indicates server responses, +and "C:" indicates client requests (bold font).

+ +
+
+    S: 220 server.example.com
+    C: EHLO client.example.com
+    S: 250-server.example.com
+    S: 250-PIPELINING
+    S: 250-SIZE 153600000
+    S: 250-VRFY
+    S: 250-ETRN
+    S: 250-STARTTLS
+    S: 250-AUTH PLAIN LOGIN
+    S: 250-ENHANCEDSTATUSCODES
+    S: 250-8BITMIME
+    S: 250-DSN
+    S: 250-SMTPUTF8
+    S: 250 CHUNKING
+    C: MAIL FROM:<sender@example.com>
+    S: 250 2.1.0 Ok
+    C: RCPT TO:<recipient@example.com>
+    S: 250 2.1.5 Ok
+    C: BDAT 10000
+    C: ..followed by 10000 bytes...
+    S: 250 2.0.0 Ok: 10000 bytes
+    C: BDAT 123
+    C: ..followed by 123 bytes...
+    S: 250 2.0.0 Ok: 123 bytes
+    C: BDAT 0 LAST
+    S: 250 2.0.0 Ok: 10123 bytes queued as 41yYhh41qmznjbD
+    C: QUIT
+    S: 221 2.0.0 Bye
+
+
+ +

Internally in Postfix, there is no difference between mail that +was received with BDAT or with DATA. Postfix smtpd_mumble_restrictions, +policy delegation queries, smtpd_proxy_filter and Milters all behave +as if Postfix received (MAIL + RCPT + DATA + end-of-data). However, +Postfix will log BDAT-related failures as "xxx after BDAT" to avoid +complicating troubleshooting (xxx = 'lost connection' or 'timeout'), +and will log a warning when a client sends a malformed BDAT command. +

+ +

Benefits of CHUNKING (BDAT) support without +BINARYMIME

+ +

Support for CHUNKING (BDAT) was added to improve interoperability +with some clients, a benefit that would reportedly exist even without +Postfix support for BINARYMIME. Since June 2018, Wietse's mail +server has received BDAT commands from a variety of systems.

+ +

Postfix does not support BINARYMIME at this time because:

+ +
    + +
  • BINARYMIME support would require moderately invasive +changes to Postfix, to support email content that is not line-oriented. +With BINARYMIME, the Content-Length: message header specifies the +length of content that may or may not have line boundaries. Without +BINARYMIME support, email RFCs require that binary content is +base64-encoded, and formatted as lines of text.

    + +
  • For delivery to non-BINARYMIME systems including UNIX mbox, +the available options are to convert binary content into 8bit text, +one of the 7bit forms (base64 or quoted-printable), or to return +email as undeliverable. Any conversion would obviously break digital +signatures, so conversion would have to happen before signing.

    + +
+ +

Downsides of CHUNKING (BDAT) support +

+ +

The RFC 3030 authors did not specify any limitations on how +clients may pipeline commands (i.e. send commands without waiting +for a server response). If a server announces PIPELINING support, +like Postfix does, then a remote SMTP client can pipeline all +commands following EHLO, for example, MAIL/RCPT/BDAT/BDAT/MAIL/RCPT/BDAT, +without ever having to wait for a server response. This means that +with BDAT, the Postfix SMTP server cannot distinguish between a +well-behaved client and a spambot, based on their command pipelining +behavior. If you require "reject_unauth_pipelining" to block spambots, +then turn off Postfix's CHUNKING announcement as described above. +

+ +

In RFC 4468, the authors write that a client may pipeline +commands, and that after sending BURL LAST or BDAT LAST, a client +must wait for the server's response. But as this text does not +appear in RFC 3030 which defines BDAT, is it a useless restriction +that Postfix will not enforce.

+ + + +
diff --git a/postfix/html/index.html b/postfix/html/index.html
index 983ae42e9..c88728195 100644
--- a/postfix/html/index.html
+++ b/postfix/html/index.html
@@ -199,6 +199,8 @@ Recipients
  • Postfix DSN support +
  • Postfix BDAT (CHUNKING) support +
  • Guidelines for Package Builders diff --git a/postfix/html/lmtp.8.html b/postfix/html/lmtp.8.html index ee724df51..e02d89807 100644 --- a/postfix/html/lmtp.8.html +++ b/postfix/html/lmtp.8.html @@ -547,14 +547,23 @@ SMTP(8) SMTP(8) tls_disable_workarounds (see 'postconf -d' output) List or bit-mask of OpenSSL bug work-arounds to disable. + Available in Postfix version 2.11-3.1: + + tls_dane_digest_agility (on) + Configure RFC7671 DANE TLSA digest algorithm agility. + + tls_dane_trust_anchor_digest_enable (yes) + Enable support for RFC 6698 (DANE TLSA) DNS records that contain + digests of trust-anchors with certificate usage "2". + Available in Postfix version 2.11 and later: smtp_tls_trust_anchor_file (empty) - Zero or more PEM-format files with trust-anchor certificates + Zero or more PEM-format files with trust-anchor certificates and/or public keys. smtp_tls_force_insecure_host_tlsa_lookup (no) - Lookup the associated DANE TLSA RRset even when a hostname is + Lookup the associated DANE TLSA RRset even when a hostname is not an alias and its address records lie in an unsigned zone. tlsmgr_service_name (tlsmgr) @@ -563,14 +572,14 @@ SMTP(8) SMTP(8) Available in Postfix version 3.0 and later: smtp_tls_wrappermode (no) - Request that the Postfix SMTP client connects using the legacy + Request that the Postfix SMTP client connects using the legacy SMTPS protocol instead of using the STARTTLS command. Available in Postfix version 3.1 and later: smtp_tls_dane_insecure_mx_policy (dane) - The TLS policy for MX hosts with "secure" TLSA records when the - nexthop destination security level is dane, but the MX record + The TLS policy for MX hosts with "secure" TLSA records when the + nexthop destination security level is dane, but the MX record was found via an "insecure" MX lookup. Available in Postfix version 3.4 and later: 
@@ -579,48 +588,48 @@ SMTP(8) SMTP(8) Try to make multiple deliveries per TLS-encrypted connection. smtp_tls_chain_files (empty) - List of one or more PEM files, each holding one or more private + List of one or more PEM files, each holding one or more private keys directly followed by a corresponding certificate chain. smtp_tls_servername (empty) - Optional name to send to the remote SMTP server in the TLS + Optional name to send to the remote SMTP server in the TLS Server Name Indication (SNI) extension. OBSOLETE STARTTLS CONTROLS - The following configuration parameters exist for compatibility with - Postfix versions before 2.3. Support for these will be removed in a + The following configuration parameters exist for compatibility with + Postfix versions before 2.3. Support for these will be removed in a future release. smtp_use_tls (no) - Opportunistic mode: use TLS when a remote SMTP server announces + Opportunistic mode: use TLS when a remote SMTP server announces STARTTLS support, otherwise send the mail in the clear. smtp_enforce_tls (no) - Enforcement mode: require that remote SMTP servers use TLS + Enforcement mode: require that remote SMTP servers use TLS encryption, and never send mail in the clear. smtp_tls_enforce_peername (yes) - With mandatory TLS encryption, require that the remote SMTP - server hostname matches the information in the remote SMTP + With mandatory TLS encryption, require that the remote SMTP + server hostname matches the information in the remote SMTP server certificate. smtp_tls_per_site (empty) - Optional lookup tables with the Postfix SMTP client TLS usage - policy by next-hop destination and by remote SMTP server host- + Optional lookup tables with the Postfix SMTP client TLS usage + policy by next-hop destination and by remote SMTP server host- name. smtp_tls_cipherlist (empty) - Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS + Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS cipher list. 
RESOURCE AND RATE CONTROLS smtp_connect_timeout (30s) - The Postfix SMTP client time limit for completing a TCP connec- + The Postfix SMTP client time limit for completing a TCP connec- tion, or zero (use the operating system built-in time limit). smtp_helo_timeout (300s) - The Postfix SMTP client time limit for sending the HELO or EHLO - command, and for receiving the initial remote SMTP server + The Postfix SMTP client time limit for sending the HELO or EHLO + command, and for receiving the initial remote SMTP server response. lmtp_lhlo_timeout (300s) @@ -632,19 +641,19 @@ SMTP(8) SMTP(8) mand, and for receiving the remote SMTP server response. smtp_mail_timeout (300s) - The Postfix SMTP client time limit for sending the MAIL FROM + The Postfix SMTP client time limit for sending the MAIL FROM command, and for receiving the remote SMTP server response. smtp_rcpt_timeout (300s) - The Postfix SMTP client time limit for sending the SMTP RCPT TO + The Postfix SMTP client time limit for sending the SMTP RCPT TO command, and for receiving the remote SMTP server response. smtp_data_init_timeout (120s) - The Postfix SMTP client time limit for sending the SMTP DATA + The Postfix SMTP client time limit for sending the SMTP DATA command, and for receiving the remote SMTP server response. smtp_data_xfer_timeout (180s) - The Postfix SMTP client time limit for sending the SMTP message + The Postfix SMTP client time limit for sending the SMTP message content. smtp_data_done_timeout (600s) 
@@ -658,13 +667,13 @@ SMTP(8) SMTP(8) Available in Postfix version 2.1 and later: smtp_mx_address_limit (5) - The maximal number of MX (mail exchanger) IP addresses that can - result from Postfix SMTP client mail exchanger lookups, or zero + The maximal number of MX (mail exchanger) IP addresses that can + result from Postfix SMTP client mail exchanger lookups, or zero (no limit). smtp_mx_session_limit (2) - The maximal number of SMTP sessions per delivery request before - the Postfix SMTP client gives up or delivers to a fall-back + The maximal number of SMTP sessions per delivery request before + the Postfix SMTP client gives up or delivers to a fall-back relay host, or zero (no limit). smtp_rset_timeout (20s) @@ -674,17 +683,17 @@ SMTP(8) SMTP(8) Available in Postfix version 2.2 and earlier: lmtp_cache_connection (yes) - Keep Postfix LMTP client connections open for up to $max_idle + Keep Postfix LMTP client connections open for up to $max_idle seconds. Available in Postfix version 2.2 and later: smtp_connection_cache_destinations (empty) - Permanently enable SMTP connection caching for the specified + Permanently enable SMTP connection caching for the specified destinations. smtp_connection_cache_on_demand (yes) - Temporarily enable SMTP connection caching while a destination + Temporarily enable SMTP connection caching while a destination has a high volume of mail in the active queue. smtp_connection_reuse_time_limit (300s) 
@@ -698,23 +707,23 @@ SMTP(8) SMTP(8) Available in Postfix version 2.3 and later: connection_cache_protocol_timeout (5s) - Time limit for connection cache connect, send or receive opera- + Time limit for connection cache connect, send or receive opera- tions. Available in Postfix version 2.9 and later: smtp_per_record_deadline (no) - Change the behavior of the smtp_*_timeout time limits, from a - time limit per read or write system call, to a time limit to - send or receive a complete record (an SMTP command line, SMTP - response line, SMTP message content line, or TLS protocol mes- + Change the behavior of the smtp_*_timeout time limits, from a + time limit per read or write system call, to a time limit to + send or receive a complete record (an SMTP command line, SMTP + response line, SMTP message content line, or TLS protocol mes- sage). Available in Postfix version 2.11 and later: smtp_connection_reuse_count_limit (0) - When SMTP connection caching is enabled, the number of times - that an SMTP session may be reused before it is closed, or zero + When SMTP connection caching is enabled, the number of times + that an SMTP session may be reused before it is closed, or zero (no limit). Available in Postfix version 3.4 and later: 
@@ -726,52 +735,52 @@ SMTP(8) SMTP(8) transport_destination_concurrency_limit ($default_destination_concur- rency_limit) - A transport-specific override for the default_destination_con- + A transport-specific override for the default_destination_con- currency_limit parameter value, where transport is the master.cf name of the message delivery transport. transport_destination_recipient_limit ($default_destination_recipi- ent_limit) A transport-specific override for the default_destination_recip- - ient_limit parameter value, where transport is the master.cf + ient_limit parameter value, where transport is the master.cf name of the message delivery transport. SMTPUTF8 CONTROLS Preliminary SMTPUTF8 support is introduced with Postfix 3.0. smtputf8_enable (yes) - Enable preliminary SMTPUTF8 support for the protocols described + Enable preliminary SMTPUTF8 support for the protocols described in RFC 6531..6533. smtputf8_autodetect_classes (sendmail, verify) - Detect that a message requires SMTPUTF8 support for the speci- + Detect that a message requires SMTPUTF8 support for the speci- fied mail origin classes. Available in Postfix version 3.2 and later: enable_idna2003_compatibility (no) - Enable 'transitional' compatibility between IDNA2003 and - IDNA2008, when converting UTF-8 domain names to/from the ASCII + Enable 'transitional' compatibility between IDNA2003 and + IDNA2008, when converting UTF-8 domain names to/from the ASCII form that is used for DNS lookups. TROUBLE SHOOTING CONTROLS debug_peer_level (2) - The increment in verbose logging level when a remote client or + The increment in verbose logging level when a remote client or server matches a pattern in the debug_peer_list parameter. debug_peer_list (empty) - Optional list of remote client or server hostname or network + Optional list of remote client or server hostname or network address patterns that cause the verbose logging level to increase by the amount specified in $debug_peer_level. 
error_notice_recipient (postmaster) - The recipient of postmaster notifications about mail delivery + The recipient of postmaster notifications about mail delivery problems that are caused by policy, resource, software or proto- col errors. internal_mail_filter_classes (empty) - What categories of Postfix-generated mail are subject to - before-queue content inspection by non_smtpd_milters, + What categories of Postfix-generated mail are subject to + before-queue content inspection by non_smtpd_milters, header_checks and body_checks. notify_classes (resource, software) 
@@ -779,46 +788,46 @@ SMTP(8) SMTP(8) MISCELLANEOUS CONTROLS best_mx_transport (empty) - Where the Postfix SMTP client should deliver mail when it + Where the Postfix SMTP client should deliver mail when it detects a "mail loops back to myself" error condition. config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and master.cf con- + The default location of the Postfix main.cf and master.cf con- figuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to handle a + How much time a Postfix daemon process may take to handle a request before it is terminated by a built-in watchdog timer. delay_logging_resolution_limit (2) - The maximal number of digits after the decimal point when log- + The maximal number of digits after the decimal point when log- ging sub-second delay values. disable_dns_lookups (no) Disable DNS lookups in the Postfix SMTP and LMTP clients. inet_interfaces (all) - The network interface addresses that this mail system receives + The network interface addresses that this mail system receives mail on. inet_protocols (all) - The Internet protocols Postfix will attempt to use when making + The Internet protocols Postfix will attempt to use when making or accepting connections. ipc_timeout (3600s) - The time limit for sending or receiving information over an + The time limit for sending or receiving information over an internal communication channel. lmtp_assume_final (no) - When a remote LMTP server announces no DSN support, assume that - the server performs final delivery, and send "delivered" deliv- + When a remote LMTP server announces no DSN support, assume that + the server performs final delivery, and send "delivered" deliv- ery status notifications instead of "relayed". lmtp_tcp_port (24) The default TCP port that the Postfix LMTP client connects to. 
max_idle (100s) - The maximum amount of time that an idle Postfix daemon process + The maximum amount of time that an idle Postfix daemon process waits for an incoming connection before terminating voluntarily. max_use (100) @@ -832,20 +841,20 @@ SMTP(8) SMTP(8) The process name of a Postfix command or daemon process. proxy_interfaces (empty) - The network interface addresses that this mail system receives + The network interface addresses that this mail system receives mail on by way of a proxy or network address translation unit. smtp_address_preference (any) The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP - client will try first, when a destination has IPv6 and IPv4 + client will try first, when a destination has IPv6 and IPv4 addresses with equal MX preference. smtp_bind_address (empty) - An optional numerical network address that the Postfix SMTP + An optional numerical network address that the Postfix SMTP client should bind to when making an IPv4 connection. smtp_bind_address6 (empty) - An optional numerical network address that the Postfix SMTP + An optional numerical network address that the Postfix SMTP client should bind to when making an IPv6 connection. smtp_helo_name ($myhostname) @@ -865,7 +874,7 @@ SMTP(8) SMTP(8) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - A prefix that is prepended to the process name in syslog + A prefix that is prepended to the process name in syslog records, so that, for example, "smtpd" becomes "prefix/smtpd". Available with Postfix 2.2 and earlier: @@ -883,7 +892,7 @@ SMTP(8) SMTP(8) Available with Postfix 3.0 and later: smtp_address_verify_target (rcpt) - In the context of email address verification, the SMTP protocol + In the context of email address verification, the SMTP protocol stage that determines whether an email address is deliverable. Available with Postfix 3.1 and later: 
diff --git a/postfix/html/postlogd.8.html b/postfix/html/postlogd.8.html index ae4a26a75..8cdc50d4d 100644 --- a/postfix/html/postlogd.8.html +++ b/postfix/html/postlogd.8.html @@ -31,7 +31,7 @@ POSTLOGD(8) POSTLOGD(8) log_file (also, logging to stdout would interfere with the operation of some of these programs). These programs can log to postlogd(8) if they are run by the super-user, or if their executable file has set-gid per- - mission. Do not set this permision on programs other than postdrop(1) + mission. Do not set this permission on programs other than postdrop(1) and postqueue(1). CONFIGURATION PARAMETERS diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html index ee724df51..e02d89807 100644 --- a/postfix/html/smtp.8.html +++ b/postfix/html/smtp.8.html @@ -547,14 +547,23 @@ SMTP(8) SMTP(8) tls_disable_workarounds (see 'postconf -d' output) List or bit-mask of OpenSSL bug work-arounds to disable. + Available in Postfix version 2.11-3.1: + + tls_dane_digest_agility (on) + Configure RFC7671 DANE TLSA digest algorithm agility. + + tls_dane_trust_anchor_digest_enable (yes) + Enable support for RFC 6698 (DANE TLSA) DNS records that contain + digests of trust-anchors with certificate usage "2". + Available in Postfix version 2.11 and later: smtp_tls_trust_anchor_file (empty) - Zero or more PEM-format files with trust-anchor certificates + Zero or more PEM-format files with trust-anchor certificates and/or public keys. smtp_tls_force_insecure_host_tlsa_lookup (no) - Lookup the associated DANE TLSA RRset even when a hostname is + Lookup the associated DANE TLSA RRset even when a hostname is not an alias and its address records lie in an unsigned zone. tlsmgr_service_name (tlsmgr) 
@@ -563,14 +572,14 @@ SMTP(8) SMTP(8) Available in Postfix version 3.0 and later: smtp_tls_wrappermode (no) - Request that the Postfix SMTP client connects using the legacy + Request that the Postfix SMTP client connects using the legacy SMTPS protocol instead of using the STARTTLS command. Available in Postfix version 3.1 and later: smtp_tls_dane_insecure_mx_policy (dane) - The TLS policy for MX hosts with "secure" TLSA records when the - nexthop destination security level is dane, but the MX record + The TLS policy for MX hosts with "secure" TLSA records when the + nexthop destination security level is dane, but the MX record was found via an "insecure" MX lookup. Available in Postfix version 3.4 and later: 
@@ -579,48 +588,48 @@ SMTP(8) SMTP(8) Try to make multiple deliveries per TLS-encrypted connection. smtp_tls_chain_files (empty) - List of one or more PEM files, each holding one or more private + List of one or more PEM files, each holding one or more private keys directly followed by a corresponding certificate chain. smtp_tls_servername (empty) - Optional name to send to the remote SMTP server in the TLS + Optional name to send to the remote SMTP server in the TLS Server Name Indication (SNI) extension. OBSOLETE STARTTLS CONTROLS - The following configuration parameters exist for compatibility with - Postfix versions before 2.3. Support for these will be removed in a + The following configuration parameters exist for compatibility with + Postfix versions before 2.3. Support for these will be removed in a future release. smtp_use_tls (no) - Opportunistic mode: use TLS when a remote SMTP server announces + Opportunistic mode: use TLS when a remote SMTP server announces STARTTLS support, otherwise send the mail in the clear. smtp_enforce_tls (no) - Enforcement mode: require that remote SMTP servers use TLS + Enforcement mode: require that remote SMTP servers use TLS encryption, and never send mail in the clear. smtp_tls_enforce_peername (yes) - With mandatory TLS encryption, require that the remote SMTP - server hostname matches the information in the remote SMTP + With mandatory TLS encryption, require that the remote SMTP + server hostname matches the information in the remote SMTP server certificate. smtp_tls_per_site (empty) - Optional lookup tables with the Postfix SMTP client TLS usage - policy by next-hop destination and by remote SMTP server host- + Optional lookup tables with the Postfix SMTP client TLS usage + policy by next-hop destination and by remote SMTP server host- name. smtp_tls_cipherlist (empty) - Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS + Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS cipher list. 
RESOURCE AND RATE CONTROLS smtp_connect_timeout (30s) - The Postfix SMTP client time limit for completing a TCP connec- + The Postfix SMTP client time limit for completing a TCP connec- tion, or zero (use the operating system built-in time limit). smtp_helo_timeout (300s) - The Postfix SMTP client time limit for sending the HELO or EHLO - command, and for receiving the initial remote SMTP server + The Postfix SMTP client time limit for sending the HELO or EHLO + command, and for receiving the initial remote SMTP server response. lmtp_lhlo_timeout (300s) @@ -632,19 +641,19 @@ SMTP(8) SMTP(8) mand, and for receiving the remote SMTP server response. smtp_mail_timeout (300s) - The Postfix SMTP client time limit for sending the MAIL FROM + The Postfix SMTP client time limit for sending the MAIL FROM command, and for receiving the remote SMTP server response. smtp_rcpt_timeout (300s) - The Postfix SMTP client time limit for sending the SMTP RCPT TO + The Postfix SMTP client time limit for sending the SMTP RCPT TO command, and for receiving the remote SMTP server response. smtp_data_init_timeout (120s) - The Postfix SMTP client time limit for sending the SMTP DATA + The Postfix SMTP client time limit for sending the SMTP DATA command, and for receiving the remote SMTP server response. smtp_data_xfer_timeout (180s) - The Postfix SMTP client time limit for sending the SMTP message + The Postfix SMTP client time limit for sending the SMTP message content. smtp_data_done_timeout (600s) 
@@ -658,13 +667,13 @@ SMTP(8) SMTP(8) Available in Postfix version 2.1 and later: smtp_mx_address_limit (5) - The maximal number of MX (mail exchanger) IP addresses that can - result from Postfix SMTP client mail exchanger lookups, or zero + The maximal number of MX (mail exchanger) IP addresses that can + result from Postfix SMTP client mail exchanger lookups, or zero (no limit). smtp_mx_session_limit (2) - The maximal number of SMTP sessions per delivery request before - the Postfix SMTP client gives up or delivers to a fall-back + The maximal number of SMTP sessions per delivery request before + the Postfix SMTP client gives up or delivers to a fall-back relay host, or zero (no limit). smtp_rset_timeout (20s) @@ -674,17 +683,17 @@ SMTP(8) SMTP(8) Available in Postfix version 2.2 and earlier: lmtp_cache_connection (yes) - Keep Postfix LMTP client connections open for up to $max_idle + Keep Postfix LMTP client connections open for up to $max_idle seconds. Available in Postfix version 2.2 and later: smtp_connection_cache_destinations (empty) - Permanently enable SMTP connection caching for the specified + Permanently enable SMTP connection caching for the specified destinations. smtp_connection_cache_on_demand (yes) - Temporarily enable SMTP connection caching while a destination + Temporarily enable SMTP connection caching while a destination has a high volume of mail in the active queue. smtp_connection_reuse_time_limit (300s) 
@@ -698,23 +707,23 @@ SMTP(8) SMTP(8) Available in Postfix version 2.3 and later: connection_cache_protocol_timeout (5s) - Time limit for connection cache connect, send or receive opera- + Time limit for connection cache connect, send or receive opera- tions. Available in Postfix version 2.9 and later: smtp_per_record_deadline (no) - Change the behavior of the smtp_*_timeout time limits, from a - time limit per read or write system call, to a time limit to - send or receive a complete record (an SMTP command line, SMTP - response line, SMTP message content line, or TLS protocol mes- + Change the behavior of the smtp_*_timeout time limits, from a + time limit per read or write system call, to a time limit to + send or receive a complete record (an SMTP command line, SMTP + response line, SMTP message content line, or TLS protocol mes- sage). Available in Postfix version 2.11 and later: smtp_connection_reuse_count_limit (0) - When SMTP connection caching is enabled, the number of times - that an SMTP session may be reused before it is closed, or zero + When SMTP connection caching is enabled, the number of times + that an SMTP session may be reused before it is closed, or zero (no limit). Available in Postfix version 3.4 and later: 
@@ -726,52 +735,52 @@ SMTP(8) SMTP(8) transport_destination_concurrency_limit ($default_destination_concur- rency_limit) - A transport-specific override for the default_destination_con- + A transport-specific override for the default_destination_con- currency_limit parameter value, where transport is the master.cf name of the message delivery transport. transport_destination_recipient_limit ($default_destination_recipi- ent_limit) A transport-specific override for the default_destination_recip- - ient_limit parameter value, where transport is the master.cf + ient_limit parameter value, where transport is the master.cf name of the message delivery transport. SMTPUTF8 CONTROLS Preliminary SMTPUTF8 support is introduced with Postfix 3.0. smtputf8_enable (yes) - Enable preliminary SMTPUTF8 support for the protocols described + Enable preliminary SMTPUTF8 support for the protocols described in RFC 6531..6533. smtputf8_autodetect_classes (sendmail, verify) - Detect that a message requires SMTPUTF8 support for the speci- + Detect that a message requires SMTPUTF8 support for the speci- fied mail origin classes. Available in Postfix version 3.2 and later: enable_idna2003_compatibility (no) - Enable 'transitional' compatibility between IDNA2003 and - IDNA2008, when converting UTF-8 domain names to/from the ASCII + Enable 'transitional' compatibility between IDNA2003 and + IDNA2008, when converting UTF-8 domain names to/from the ASCII form that is used for DNS lookups. TROUBLE SHOOTING CONTROLS debug_peer_level (2) - The increment in verbose logging level when a remote client or + The increment in verbose logging level when a remote client or server matches a pattern in the debug_peer_list parameter. debug_peer_list (empty) - Optional list of remote client or server hostname or network + Optional list of remote client or server hostname or network address patterns that cause the verbose logging level to increase by the amount specified in $debug_peer_level. 
error_notice_recipient (postmaster) - The recipient of postmaster notifications about mail delivery + The recipient of postmaster notifications about mail delivery problems that are caused by policy, resource, software or proto- col errors. internal_mail_filter_classes (empty) - What categories of Postfix-generated mail are subject to - before-queue content inspection by non_smtpd_milters, + What categories of Postfix-generated mail are subject to + before-queue content inspection by non_smtpd_milters, header_checks and body_checks. notify_classes (resource, software) 
@@ -779,46 +788,46 @@ SMTP(8) SMTP(8) MISCELLANEOUS CONTROLS best_mx_transport (empty) - Where the Postfix SMTP client should deliver mail when it + Where the Postfix SMTP client should deliver mail when it detects a "mail loops back to myself" error condition. config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and master.cf con- + The default location of the Postfix main.cf and master.cf con- figuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to handle a + How much time a Postfix daemon process may take to handle a request before it is terminated by a built-in watchdog timer. delay_logging_resolution_limit (2) - The maximal number of digits after the decimal point when log- + The maximal number of digits after the decimal point when log- ging sub-second delay values. disable_dns_lookups (no) Disable DNS lookups in the Postfix SMTP and LMTP clients. inet_interfaces (all) - The network interface addresses that this mail system receives + The network interface addresses that this mail system receives mail on. inet_protocols (all) - The Internet protocols Postfix will attempt to use when making + The Internet protocols Postfix will attempt to use when making or accepting connections. ipc_timeout (3600s) - The time limit for sending or receiving information over an + The time limit for sending or receiving information over an internal communication channel. lmtp_assume_final (no) - When a remote LMTP server announces no DSN support, assume that - the server performs final delivery, and send "delivered" deliv- + When a remote LMTP server announces no DSN support, assume that + the server performs final delivery, and send "delivered" deliv- ery status notifications instead of "relayed". lmtp_tcp_port (24) The default TCP port that the Postfix LMTP client connects to. 
max_idle (100s) - The maximum amount of time that an idle Postfix daemon process + The maximum amount of time that an idle Postfix daemon process waits for an incoming connection before terminating voluntarily. max_use (100) @@ -832,20 +841,20 @@ SMTP(8) SMTP(8) The process name of a Postfix command or daemon process. proxy_interfaces (empty) - The network interface addresses that this mail system receives + The network interface addresses that this mail system receives mail on by way of a proxy or network address translation unit. smtp_address_preference (any) The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP - client will try first, when a destination has IPv6 and IPv4 + client will try first, when a destination has IPv6 and IPv4 addresses with equal MX preference. smtp_bind_address (empty) - An optional numerical network address that the Postfix SMTP + An optional numerical network address that the Postfix SMTP client should bind to when making an IPv4 connection. smtp_bind_address6 (empty) - An optional numerical network address that the Postfix SMTP + An optional numerical network address that the Postfix SMTP client should bind to when making an IPv6 connection. smtp_helo_name ($myhostname) @@ -865,7 +874,7 @@ SMTP(8) SMTP(8) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - A prefix that is prepended to the process name in syslog + A prefix that is prepended to the process name in syslog records, so that, for example, "smtpd" becomes "prefix/smtpd". Available with Postfix 2.2 and earlier: @@ -883,7 +892,7 @@ SMTP(8) SMTP(8) Available with Postfix 3.0 and later: smtp_address_verify_target (rcpt) - In the context of email address verification, the SMTP protocol + In the context of email address verification, the SMTP protocol stage that determines whether an email address is deliverable. Available with Postfix 3.1 and later: 
diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html index d019b52e0..191fe63b6 100644 --- a/postfix/html/smtpd.8.html +++ b/postfix/html/smtpd.8.html @@ -1322,7 +1322,8 @@ SMTPD(8) SMTPD(8) README FILES ADDRESS_CLASS_README, blocking unknown hosted or relay recipients - ADDRESS_REWRITING_README Postfix address manipulation + ADDRESS_REWRITING_README, Postfix address manipulation + BDAT_README, Postfix CHUNKING support FILTER_README, external after-queue content filter LOCAL_RECIPIENT_README, blocking unknown local recipients MILTER_README, before-queue mail filter applications diff --git a/postfix/html/tlsproxy.8.html b/postfix/html/tlsproxy.8.html index 5b9e73d22..25016ce57 100644 --- a/postfix/html/tlsproxy.8.html +++ b/postfix/html/tlsproxy.8.html 
@@ -55,20 +55,116 @@ TLSPROXY(8) TLSPROXY(8) The text below provides only a parameter summary. See postconf(5) for more details including examples. -STARTTLS SUPPORT CONTROLS +STARTTLS GLOBAL CONTROLS + The following settings are global and therefore cannot be overruled by + information specified in a tlsproxy(8) client request. + + tls_append_default_CA (no) + Append the system-supplied default Certification Authority cer- + tificates to the ones specified with *_tls_CApath or + *_tls_CAfile. + + tls_daemon_random_bytes (32) + The number of pseudo-random bytes that an smtp(8) or smtpd(8) + process requests from the tlsmgr(8) server in order to seed its + internal pseudo random number generator (PRNG). + + tls_high_cipherlist (see 'postconf -d' output) + The OpenSSL cipherlist for "high" grade ciphers. + + tls_medium_cipherlist (see 'postconf -d' output) + The OpenSSL cipherlist for "medium" or higher grade ciphers. + + tls_low_cipherlist (see 'postconf -d' output) + The OpenSSL cipherlist for "low" or higher grade ciphers. + + tls_export_cipherlist (see 'postconf -d' output) + The OpenSSL cipherlist for "export" or higher grade ciphers. + + tls_null_cipherlist (eNULL:!aNULL) + The OpenSSL cipherlist for "NULL" grade ciphers that provide + authentication without encryption. + + tls_eecdh_strong_curve (prime256v1) + The elliptic curve used by the Postfix SMTP server for sensibly + strong ephemeral ECDH key exchange. + + tls_eecdh_ultra_curve (secp384r1) + The elliptic curve used by the Postfix SMTP server for maximally + strong ephemeral ECDH key exchange. + + tls_disable_workarounds (see 'postconf -d' output) + List or bit-mask of OpenSSL bug work-arounds to disable. + + tls_preempt_cipherlist (no) + With SSLv3 and later, use the Postfix SMTP server's cipher pref- + erence order instead of the remote client's cipher preference + order. 
+ + Available in Postfix version 2.9 and later: + + tls_legacy_public_key_fingerprints (no) + A temporary migration aid for sites that use certificate pub- + lic-key fingerprints with Postfix 2.9.0..2.9.5, which use an + incorrect algorithm. + + Available in Postfix version 2.11-3.1: + + tls_dane_digest_agility (on) + Configure RFC7671 DANE TLSA digest algorithm agility. + + tls_dane_trust_anchor_digest_enable (yes) + Enable support for RFC 6698 (DANE TLSA) DNS records that contain + digests of trust-anchors with certificate usage "2". + + Available in Postfix version 2.11 and later: + + tlsmgr_service_name (tlsmgr) + The name of the tlsmgr(8) service entry in master.cf. + + Available in Postfix version 3.0 and later: + + tls_session_ticket_cipher (Postfix >= 3.0: aes-256-cbc, Postfix < 3.0: + aes-128-cbc) + Algorithm used to encrypt RFC5077 TLS session tickets. + + openssl_path (openssl) + The location of the OpenSSL command line program openssl(1). + + Available in Postfix version 3.2 and later: + + tls_eecdh_auto_curves (see 'postconf -d' output) + The prioritized list of elliptic curves supported by the Postfix + SMTP client and server. + + Available in Postfix version 3.4 and later: + + tls_server_sni_maps (empty) + Optional lookup tables that map names received from remote SMTP + clients via the TLS Server Name Indication (SNI) extension to + the appropriate keys and certificate chains. + +STARTTLS SERVER CONTROLS + These settings are clones of Postfix SMTP server settings. They allow + tlsproxy(8) to load the same certificate and private key information as + the Postfix SMTP server, before dropping privileges, so that the key + files can be kept read-only for root. These settings can currently not + be overruled by information in a tlsproxy(8) client request, but that + limitation may be removed in a future version. 
+ tlsproxy_tls_CAfile ($smtpd_tls_CAfile) - A file containing (PEM format) CA certificates of root CAs + A file containing (PEM format) CA certificates of root CAs trusted to sign either remote SMTP client certificates or inter- mediate CA certificates. tlsproxy_tls_CApath ($smtpd_tls_CApath) - A directory containing (PEM format) CA certificates of root CAs + A directory containing (PEM format) CA certificates of root CAs trusted to sign either remote SMTP client certificates or inter- mediate CA certificates. tlsproxy_tls_always_issue_session_ids ($smtpd_tls_always_issue_ses- sion_ids) - Force the Postfix tlsproxy(8) server to issue a TLS session id, + Force the Postfix tlsproxy(8) server to issue a TLS session id, even when TLS session caching is turned off. tlsproxy_tls_ask_ccert ($smtpd_tls_ask_ccert) @@ -78,7 +174,7 @@ TLSPROXY(8) TLSPROXY(8) The verification depth for remote SMTP client certificates. tlsproxy_tls_cert_file ($smtpd_tls_cert_file) - File with the Postfix tlsproxy(8) server RSA certificate in PEM + File with the Postfix tlsproxy(8) server RSA certificate in PEM format. tlsproxy_tls_ciphers ($smtpd_tls_ciphers) 
@@ -86,47 +182,47 @@ TLSPROXY(8) TLSPROXY(8) will use with opportunistic TLS encryption. tlsproxy_tls_dcert_file ($smtpd_tls_dcert_file) - File with the Postfix tlsproxy(8) server DSA certificate in PEM + File with the Postfix tlsproxy(8) server DSA certificate in PEM format. tlsproxy_tls_dh1024_param_file ($smtpd_tls_dh1024_param_file) - File with DH parameters that the Postfix tlsproxy(8) server + File with DH parameters that the Postfix tlsproxy(8) server should use with non-export EDH ciphers. tlsproxy_tls_dh512_param_file ($smtpd_tls_dh512_param_file) - File with DH parameters that the Postfix tlsproxy(8) server + File with DH parameters that the Postfix tlsproxy(8) server should use with export-grade EDH ciphers. tlsproxy_tls_dkey_file ($smtpd_tls_dkey_file) - File with the Postfix tlsproxy(8) server DSA private key in PEM + File with the Postfix tlsproxy(8) server DSA private key in PEM format. tlsproxy_tls_eccert_file ($smtpd_tls_eccert_file) - File with the Postfix tlsproxy(8) server ECDSA certificate in + File with the Postfix tlsproxy(8) server ECDSA certificate in PEM format. tlsproxy_tls_eckey_file ($smtpd_tls_eckey_file) - File with the Postfix tlsproxy(8) server ECDSA private key in + File with the Postfix tlsproxy(8) server ECDSA private key in PEM format. tlsproxy_tls_eecdh_grade ($smtpd_tls_eecdh_grade) - The Postfix tlsproxy(8) server security grade for ephemeral + The Postfix tlsproxy(8) server security grade for ephemeral elliptic-curve Diffie-Hellman (EECDH) key exchange. tlsproxy_tls_exclude_ciphers ($smtpd_tls_exclude_ciphers) - List of ciphers or cipher types to exclude from the tlsproxy(8) + List of ciphers or cipher types to exclude from the tlsproxy(8) server cipher list at all TLS security levels. tlsproxy_tls_fingerprint_digest ($smtpd_tls_fingerprint_digest) - The message digest algorithm to construct remote SMTP + The message digest algorithm to construct remote SMTP client-certificate fingerprints. 
tlsproxy_tls_key_file ($smtpd_tls_key_file) - File with the Postfix tlsproxy(8) server RSA private key in PEM + File with the Postfix tlsproxy(8) server RSA private key in PEM format. tlsproxy_tls_loglevel ($smtpd_tls_loglevel) - Enable additional Postfix tlsproxy(8) server logging of TLS + Enable additional Postfix tlsproxy(8) server logging of TLS activity. tlsproxy_tls_mandatory_ciphers ($smtpd_tls_mandatory_ciphers) @@ -135,7 +231,7 @@ TLSPROXY(8) TLSPROXY(8) tlsproxy_tls_mandatory_exclude_ciphers ($smtpd_tls_manda- tory_exclude_ciphers) - Additional list of ciphers or cipher types to exclude from the + Additional list of ciphers or cipher types to exclude from the tlsproxy(8) server cipher list at mandatory TLS security levels. tlsproxy_tls_mandatory_protocols ($smtpd_tls_mandatory_protocols) 
@@ -143,39 +239,28 @@ TLSPROXY(8) TLSPROXY(8) with mandatory TLS encryption. tlsproxy_tls_protocols ($smtpd_tls_protocols) - List of TLS protocols that the Postfix tlsproxy(8) server will + List of TLS protocols that the Postfix tlsproxy(8) server will exclude or include with opportunistic TLS encryption. tlsproxy_tls_req_ccert ($smtpd_tls_req_ccert) - With mandatory TLS encryption, require a trusted remote SMTP + With mandatory TLS encryption, require a trusted remote SMTP client certificate in order to allow TLS connections to proceed. tlsproxy_tls_security_level ($smtpd_tls_security_level) - The SMTP TLS security level for the Postfix tlsproxy(8) server; + The SMTP TLS security level for the Postfix tlsproxy(8) server; when a non-empty value is specified, this overrides the obsolete parameters smtpd_use_tls and smtpd_enforce_tls. - Available in Postfix version 2.11 and later: - - tlsmgr_service_name (tlsmgr) - The name of the tlsmgr(8) service entry in master.cf. - - Available in Postfix version 3.4 and later: - tlsproxy_tls_chain_files ($smtpd_tls_chain_files) - Files with the Postfix tlsproxy(8) server keys and certificate + Files with the Postfix tlsproxy(8) server keys and certificate chains in PEM format. - tls_server_sni_maps (empty) - Optional lookup tables that map names received from remote SMTP - clients via the TLS Server Name Indication (SNI) extension to - the appropriate keys and certificate chains. - -TLS CLIENT CONTROLS - These parameters are clones of SMTP client settings. They allow +STARTTLS CLIENT CONTROLS + These settings are clones of Postfix SMTP client settings. They allow tlsproxy(8) to load the same certificate and private key information as - the SMTP client, before dropping privileges, so that the key files can - be kept read-only for root. + the Postfix SMTP client, before dropping privileges, so that the key + files can be kept read-only for root. Some settings may be overruled by + information in a tlsproxy(8) client request. 
Available in Postfix version 3.4 and later: diff --git a/postfix/makedefs b/postfix/makedefs index 5b16e1fb3..dfb87d472 100644 --- a/postfix/makedefs +++ b/postfix/makedefs @@ -878,7 +878,7 @@ case "$CC" in esac # Snapshot only. -CCARGS="$CCARGS -DSNAPSHOT" +#CCARGS="$CCARGS -DSNAPSHOT" # Non-production: needs thorough testing, or major changes are still # needed before the code stabilizes. diff --git a/postfix/man/man8/postlogd.8 b/postfix/man/man8/postlogd.8 index 6ec826cee..19112f2bd 100644 --- a/postfix/man/man8/postlogd.8 +++ b/postfix/man/man8/postlogd.8 @@ -34,7 +34,7 @@ Other non\-daemon Postfix programs will never write directly to with the operation of some of these programs). These programs can log to \fBpostlogd\fR(8) if they are run by the super\-user, or if their executable file has set\-gid permission. Do not -set this permision on programs other than \fBpostdrop\fR(1) +set this permission on programs other than \fBpostdrop\fR(1) and \fBpostqueue\fR(1). .SH "CONFIGURATION PARAMETERS" .na diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8 index a0a0c32cc..ca81ebc48 100644 --- a/postfix/man/man8/smtp.8 +++ b/postfix/man/man8/smtp.8 @@ -489,6 +489,13 @@ Available in Postfix version 2.8 and later: .IP "\fBtls_disable_workarounds (see 'postconf -d' output)\fR" List or bit\-mask of OpenSSL bug work\-arounds to disable. .PP +Available in Postfix version 2.11\-3.1: +.IP "\fBtls_dane_digest_agility (on)\fR" +Configure RFC7671 DANE TLSA digest algorithm agility. +.IP "\fBtls_dane_trust_anchor_digest_enable (yes)\fR" +Enable support for RFC 6698 (DANE TLSA) DNS records that contain +digests of trust\-anchors with certificate usage "2". +.PP Available in Postfix version 2.11 and later: .IP "\fBsmtp_tls_trust_anchor_file (empty)\fR" Zero or more PEM\-format files with trust\-anchor certificates diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8 index 2505c8edd..1ea172fdf 100644 --- a/postfix/man/man8/smtpd.8 
+++ b/postfix/man/man8/smtpd.8 @@ -1157,7 +1157,8 @@ Use "\fBpostconf readme_directory\fR" or .na .nf ADDRESS_CLASS_README, blocking unknown hosted or relay recipients -ADDRESS_REWRITING_README Postfix address manipulation +ADDRESS_REWRITING_README, Postfix address manipulation +BDAT_README, Postfix CHUNKING support FILTER_README, external after\-queue content filter LOCAL_RECIPIENT_README, blocking unknown local recipients MILTER_README, before\-queue mail filter applications diff --git a/postfix/man/man8/tlsproxy.8 b/postfix/man/man8/tlsproxy.8 index 5fc67049f..71a3e4e8d 100644 --- a/postfix/man/man8/tlsproxy.8 +++ b/postfix/man/man8/tlsproxy.8 
@@ -71,11 +71,93 @@ reload\fR" to speed up a change. The text below provides only a parameter summary. See \fBpostconf\fR(5) for more details including examples. -.SH "STARTTLS SUPPORT CONTROLS" +.SH "STARTTLS GLOBAL CONTROLS" .na .nf .ad .fi +The following settings are global and therefore cannot be +overruled by information specified in a \fBtlsproxy\fR(8) +client request. +.IP "\fBtls_append_default_CA (no)\fR" +Append the system\-supplied default Certification Authority +certificates to the ones specified with *_tls_CApath or *_tls_CAfile. +.IP "\fBtls_daemon_random_bytes (32)\fR" +The number of pseudo\-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8) +process requests from the \fBtlsmgr\fR(8) server in order to seed its +internal pseudo random number generator (PRNG). +.IP "\fBtls_high_cipherlist (see 'postconf -d' output)\fR" +The OpenSSL cipherlist for "high" grade ciphers. +.IP "\fBtls_medium_cipherlist (see 'postconf -d' output)\fR" +The OpenSSL cipherlist for "medium" or higher grade ciphers. +.IP "\fBtls_low_cipherlist (see 'postconf -d' output)\fR" +The OpenSSL cipherlist for "low" or higher grade ciphers. +.IP "\fBtls_export_cipherlist (see 'postconf -d' output)\fR" +The OpenSSL cipherlist for "export" or higher grade ciphers. +.IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR" +The OpenSSL cipherlist for "NULL" grade ciphers that provide +authentication without encryption. +.IP "\fBtls_eecdh_strong_curve (prime256v1)\fR" +The elliptic curve used by the Postfix SMTP server for sensibly +strong +ephemeral ECDH key exchange. +.IP "\fBtls_eecdh_ultra_curve (secp384r1)\fR" +The elliptic curve used by the Postfix SMTP server for maximally +strong +ephemeral ECDH key exchange. +.IP "\fBtls_disable_workarounds (see 'postconf -d' output)\fR" +List or bit\-mask of OpenSSL bug work\-arounds to disable. 
+.IP "\fBtls_preempt_cipherlist (no)\fR" +With SSLv3 and later, use the Postfix SMTP server's cipher +preference order instead of the remote client's cipher preference +order. +.PP +Available in Postfix version 2.9 and later: +.IP "\fBtls_legacy_public_key_fingerprints (no)\fR" +A temporary migration aid for sites that use certificate +\fIpublic\-key\fR fingerprints with Postfix 2.9.0..2.9.5, which use +an incorrect algorithm. +.PP +Available in Postfix version 2.11\-3.1: +.IP "\fBtls_dane_digest_agility (on)\fR" +Configure RFC7671 DANE TLSA digest algorithm agility. +.IP "\fBtls_dane_trust_anchor_digest_enable (yes)\fR" +Enable support for RFC 6698 (DANE TLSA) DNS records that contain +digests of trust\-anchors with certificate usage "2". +.PP +Available in Postfix version 2.11 and later: +.IP "\fBtlsmgr_service_name (tlsmgr)\fR" +The name of the \fBtlsmgr\fR(8) service entry in master.cf. +.PP +Available in Postfix version 3.0 and later: +.IP "\fBtls_session_ticket_cipher (Postfix >= 3.0: aes\-256\-cbc, Postfix < 3.0: aes\-128\-cbc)\fR" +Algorithm used to encrypt RFC5077 TLS session tickets. +.IP "\fBopenssl_path (openssl)\fR" +The location of the OpenSSL command line program \fBopenssl\fR(1). +.PP +Available in Postfix version 3.2 and later: +.IP "\fBtls_eecdh_auto_curves (see 'postconf -d' output)\fR" +The prioritized list of elliptic curves supported by the Postfix +SMTP client and server. +.PP +Available in Postfix version 3.4 and later: +.IP "\fBtls_server_sni_maps (empty)\fR" +Optional lookup tables that map names received from remote SMTP +clients via the TLS Server Name Indication (SNI) extension to the +appropriate keys and certificate chains. +.SH "STARTTLS SERVER CONTROLS" +.na +.nf +.ad +.fi +These settings are clones of Postfix SMTP server settings. +They allow \fBtlsproxy\fR(8) to load the same certificate +and private key information as the Postfix SMTP server, +before dropping privileges, so that the key files can be +kept read\-only for root. 
These settings can currently not +be overruled by information in a \fBtlsproxy\fR(8) client +request, but that limitation may be removed in a future +version. .IP "\fBtlsproxy_tls_CAfile ($smtpd_tls_CAfile)\fR" A file containing (PEM format) CA certificates of root CAs trusted to sign either remote SMTP client certificates or intermediate @@ -150,29 +232,20 @@ client certificate in order to allow TLS connections to proceed. The SMTP TLS security level for the Postfix \fBtlsproxy\fR(8) server; when a non\-empty value is specified, this overrides the obsolete parameters smtpd_use_tls and smtpd_enforce_tls. -.PP -Available in Postfix version 2.11 and later: -.IP "\fBtlsmgr_service_name (tlsmgr)\fR" -The name of the \fBtlsmgr\fR(8) service entry in master.cf. -.PP -Available in Postfix version 3.4 and later: .IP "\fBtlsproxy_tls_chain_files ($smtpd_tls_chain_files)\fR" Files with the Postfix \fBtlsproxy\fR(8) server keys and certificate chains in PEM format. -.IP "\fBtls_server_sni_maps (empty)\fR" -Optional lookup tables that map names received from remote SMTP -clients via the TLS Server Name Indication (SNI) extension to the -appropriate keys and certificate chains. -.SH "TLS CLIENT CONTROLS" +.SH "STARTTLS CLIENT CONTROLS" .na .nf .ad .fi -These parameters are clones of SMTP client settings. They -allow \fBtlsproxy\fR(8) to load the same certificate and -private key information as the SMTP client, before dropping -privileges, so that the key files can be kept read\-only for -root. +These settings are clones of Postfix SMTP client settings. +They allow \fBtlsproxy\fR(8) to load the same certificate +and private key information as the Postfix SMTP client, +before dropping privileges, so that the key files can be +kept read\-only for root. Some settings may be overruled by +information in a \fBtlsproxy\fR(8) client request. .PP Available in Postfix version 3.4 and later: .IP "\fBtlsproxy_client_CAfile ($smtp_tls_CAfile)\fR" 
diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index 31b0172c6..e2749fe9b 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -763,6 +763,8 @@ while (<>) { s;\btls_session_ticket_cipher\b;$&;g; s;\btls_server_sni_maps\b;$&;g; s;\btls_ssl_options\b;$&;g; + s;\btls_dane_digest_agility\b;$&;g; + s;\btls_dane_trust_anchor_digest_enable\b;$&;g; s;\bfrozen_delivered_to\b;$&;g; s;\breset_owner_alias\b;$&;g; diff --git a/postfix/proto/BDAT_README.html b/postfix/proto/BDAT_README.html new file mode 100644 index 000000000..60f0d1fa1 --- /dev/null +++ b/postfix/proto/BDAT_README.html @@ -0,0 +1,178 @@ + + + + + + +Postfix BDAT (CHUNKING) support + + + + + + + +

    Postfix +BDAT (CHUNKING) support

    + +
    + +

    Overview

    + +

    Postfix SMTP server supports RFC 3030 CHUNKING (the BDAT command) +without BINARYMIME, in both smtpd(8) and postscreen(8). It is enabled +by default.

    + +

    Topics covered in this document:

    + + + +

    Disabling BDAT support

    + +

    BDAT support is enabled by default. To disable BDAT support +globally:

    + +
    +
    +/etc/postfix/main.cf:
    +    # The logging alternative:
    +    smtpd_discard_ehlo_keywords = chunking
    +    # The non-logging alternative:
    +    smtpd_discard_ehlo_keywords = chunking, silent_discard
    +
    +
    + +

    Specify '-o smtpd_discard_ehlo_keywords=' in master.cf +for the submission and smtps services, if you have clients +that benefit from CHUNKING support.

    + +

    Impact on existing configurations

    + +
      + +
    • There are no changes for smtpd_mumble_restrictions, +smtpd_proxy_filter, smtpd_milters, or for postscreen settings, +except for the above mentioned option to suppress the SMTP server's +CHUNKING service announcement.

      + +
    • There are no changes in the Postfix queue file content, +no changes for down-stream SMTP servers or after-queue content +filters, and no changes in the envelope or message content that +Milters will receive.

      + +
    + +

    Example SMTP session

    + +

    The main differences are that the Postfix SMTP server announces +"CHUNKING" support in the EHLO response, and that instead of sending +one DATA request, the remote SMTP client may send one or more BDAT +requests. In the example below, "S:" indicates server responses, +and "C:" indicates client requests (bold font).

    + +
    +
    +    S: 220 server.example.com
    +    C: EHLO client.example.com
    +    S: 250-server.example.com
    +    S: 250-PIPELINING
    +    S: 250-SIZE 153600000
    +    S: 250-VRFY
    +    S: 250-ETRN
    +    S: 250-STARTTLS
    +    S: 250-AUTH PLAIN LOGIN
    +    S: 250-ENHANCEDSTATUSCODES
    +    S: 250-8BITMIME
    +    S: 250-DSN
    +    S: 250-SMTPUTF8
    +    S: 250 CHUNKING
    +    C: MAIL FROM:<sender@example.com>
    +    S: 250 2.1.0 Ok
    +    C: RCPT TO:<recipient@example.com>
    +    S: 250 2.1.5 Ok
    +    C: BDAT 10000
    +    C: ..followed by 10000 bytes...
    +    S: 250 2.0.0 Ok: 10000 bytes
    +    C: BDAT 123
    +    C: ..followed by 123 bytes...
    +    S: 250 2.0.0 Ok: 123 bytes
    +    C: BDAT 0 LAST
    +    S: 250 2.0.0 Ok: 10123 bytes queued as 41yYhh41qmznjbD
    +    C: QUIT
    +    S: 221 2.0.0 Bye
    +
    +
    + +

    Internally in Postfix, there is no difference between mail that +was received with BDAT or with DATA. Postfix smtpd_mumble_restrictions, +policy delegation queries, smtpd_proxy_filter and Milters all behave +as if Postfix received (MAIL + RCPT + DATA + end-of-data). However, +Postfix will log BDAT-related failures as "xxx after BDAT" to avoid +complicating troubleshooting (xxx = 'lost connection' or 'timeout'), +and will log a warning when a client sends a malformed BDAT command. +

    + +

    Benefits of CHUNKING (BDAT) support without +BINARYMIME

    + +

    Support for CHUNKING (BDAT) was added to improve interoperability +with some clients, a benefit that would reportedly exist even without +Postfix support for BINARYMIME. Since June 2018, Wietse's mail +server has received BDAT commands from a variety of systems.

    + +

    Postfix does not support BINARYMIME at this time because:

    + +
      + +
    • BINARYMIME support would require moderately invasive +changes to Postfix, to support email content that is not line-oriented. +With BINARYMIME, the Content-Length: message header specifies the +length of content that may or may not have line boundaries. Without +BINARYMIME support, email RFCs require that binary content is +base64-encoded, and formatted as lines of text.

      + +
    • For delivery to non-BINARYMIME systems including UNIX mbox, +the available options are to convert binary content into 8bit text, +one of the 7bit forms (base64 or quoted-printable), or to return +email as undeliverable. Any conversion would obviously break digital +signatures, so conversion would have to happen before signing.

      + +
    + +

    Downsides of CHUNKING (BDAT) support +

    + +

    The RFC 3030 authors did not specify any limitations on how +clients may pipeline commands (i.e. send commands without waiting +for a server response). If a server announces PIPELINING support, +like Postfix does, then a remote SMTP client can pipeline all +commands following EHLO, for example, MAIL/RCPT/BDAT/BDAT/MAIL/RCPT/BDAT, +without ever having to wait for a server response. This means that +with BDAT, the Postfix SMTP server cannot distinguish between a +well-behaved client and a spambot, based on their command pipelining +behavior. If you require "reject_unauth_pipelining" to block spambots, +then turn off Postfix's CHUNKING announcement as described above. +

    + +

    In RFC 4468, the authors write that a client may pipeline +commands, and that after sending BURL LAST or BDAT LAST, a client +must wait for the server's response. But as this text does not +appear in RFC 3030 which defines BDAT, is it a useless restriction +that Postfix will not enforce.

    + + + + diff --git a/postfix/proto/Makefile.in b/postfix/proto/Makefile.in index d60c318dc..6f435ee4a 100644 --- a/postfix/proto/Makefile.in +++ b/postfix/proto/Makefile.in @@ -11,6 +11,7 @@ HTML = ../html/ADDRESS_CLASS_README.html \ ../html/ADDRESS_VERIFICATION_README.html \ ../html/BACKSCATTER_README.html \ ../html/BASIC_CONFIGURATION_README.html \ + ../html/BDAT_README.html \ ../html/BUILTIN_FILTER_README.html \ ../html/CDB_README.html \ ../html/COMPATIBILITY_README.html \ @@ -57,6 +58,7 @@ README = ../README_FILES/ADDRESS_CLASS_README \ ../README_FILES/ADDRESS_VERIFICATION_README \ ../README_FILES/BACKSCATTER_README \ ../README_FILES/BASIC_CONFIGURATION_README \ + ../README_FILES/BDAT_README \ ../README_FILES/BUILTIN_FILTER_README \ ../README_FILES/CDB_README \ ../README_FILES/COMPATIBILITY_README \ @@ -179,6 +181,9 @@ clobber: ../html/BASIC_CONFIGURATION_README.html: BASIC_CONFIGURATION_README.html $(DETAB) $? | $(POSTLINK) >$@ +../html/BDAT_README.html: BDAT_README.html + $(DETAB) $? | $(POSTLINK) >$@ + ../html/BUILTIN_FILTER_README.html: BUILTIN_FILTER_README.html $(DETAB) $? | $(POSTLINK) >$@ @@ -338,6 +343,9 @@ clobber: ../README_FILES/BASIC_CONFIGURATION_README: BASIC_CONFIGURATION_README.html $(DETAB) $? | $(HT2READ) >$@ +../README_FILES/BDAT_README: BDAT_README.html + $(DETAB) $? | $(HT2READ) >$@ + ../README_FILES/BUILTIN_FILTER_README: BUILTIN_FILTER_README.html $(DETAB) $? | $(HT2READ) >$@ diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index e0af21080..4b8c970bc 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20190209" -#define MAIL_VERSION_NUMBER "3.4" +#define MAIL_RELEASE_DATE "20190210" +#define MAIL_VERSION_NUMBER "3.4.0-RC1" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE 
diff --git a/postfix/src/master/master_conf.c b/postfix/src/master/master_conf.c index 851e662fe..37cad2a85 100644 --- a/postfix/src/master/master_conf.c +++ b/postfix/src/master/master_conf.c @@ -30,6 +30,11 @@ /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ /* System libraries. */ diff --git a/postfix/src/postlogd/postlogd.c b/postfix/src/postlogd/postlogd.c index 0d615147a..4c6db6362 100644 --- a/postfix/src/postlogd/postlogd.c +++ b/postfix/src/postlogd/postlogd.c @@ -26,7 +26,7 @@ /* with the operation of some of these programs). These programs /* can log to \fBpostlogd\fR(8) if they are run by the super-user, /* or if their executable file has set-gid permission. Do not -/* set this permision on programs other than \fBpostdrop\fR(1) +/* set this permission on programs other than \fBpostdrop\fR(1) /* and \fBpostqueue\fR(1). /* CONFIGURATION PARAMETERS /* .ad diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c index f2dd52008..4e50699f8 100644 --- a/postfix/src/smtp/smtp.c +++ b/postfix/src/smtp/smtp.c @@ -459,6 +459,13 @@ /* .IP "\fBtls_disable_workarounds (see 'postconf -d' output)\fR" /* List or bit-mask of OpenSSL bug work-arounds to disable. /* .PP +/* Available in Postfix version 2.11-3.1: +/* .IP "\fBtls_dane_digest_agility (on)\fR" +/* Configure RFC7671 DANE TLSA digest algorithm agility. +/* .IP "\fBtls_dane_trust_anchor_digest_enable (yes)\fR" +/* Enable support for RFC 6698 (DANE TLSA) DNS records that contain +/* digests of trust-anchors with certificate usage "2". +/* .PP /* Available in Postfix version 2.11 and later: /* .IP "\fBsmtp_tls_trust_anchor_file (empty)\fR" /* Zero or more PEM-format files with trust-anchor certificates diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index cf6bac428..d115fca3b 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c 
@@ -1095,7 +1095,8 @@ /* .na /* .nf /* ADDRESS_CLASS_README, blocking unknown hosted or relay recipients -/* ADDRESS_REWRITING_README Postfix address manipulation +/* ADDRESS_REWRITING_README, Postfix address manipulation +/* BDAT_README, Postfix CHUNKING support /* FILTER_README, external after-queue content filter /* LOCAL_RECIPIENT_README, blocking unknown local recipients /* MILTER_README, before-queue mail filter applications diff --git a/postfix/src/tls/tls_proxy.h b/postfix/src/tls/tls_proxy.h index 8104c5bdb..4a9db08fb 100644 --- a/postfix/src/tls/tls_proxy.h +++ b/postfix/src/tls/tls_proxy.h @@ -123,6 +123,7 @@ extern int tls_proxy_client_init_print(ATTR_PRINT_MASTER_FN, VSTREAM *, int, voi extern int tls_proxy_client_init_scan(ATTR_SCAN_MASTER_FN, VSTREAM *, int, void *); extern void tls_proxy_client_init_free(TLS_CLIENT_INIT_PROPS *); extern char *tls_proxy_client_init_to_string(VSTRING *, TLS_CLIENT_INIT_PROPS *); +extern char *tls_proxy_client_init_with_names_to_string(VSTRING *, TLS_CLIENT_INIT_PROPS *); extern int tls_proxy_client_start_print(ATTR_PRINT_MASTER_FN, VSTREAM *, int, void *); extern int tls_proxy_client_start_scan(ATTR_SCAN_MASTER_FN, VSTREAM *, int, void *); diff --git a/postfix/src/tls/tls_proxy_client_misc.c b/postfix/src/tls/tls_proxy_client_misc.c index 4732a8564..2c67f62ad 100644 --- a/postfix/src/tls/tls_proxy_client_misc.c +++ b/postfix/src/tls/tls_proxy_client_misc.c @@ -16,6 +16,10 @@ /* char *tls_proxy_client_param_with_names_to_string(buf, params) /* VSTRING *buf; /* TLS_CLIENT_PARAMS *params; +/* +/* char *tls_proxy_client_init_to_string(buf, init_props) +/* VSTRING *buf; +/* TLS_CLIENT_INIT_PROPS *init_props; /* DESCRIPTION /* tls_proxy_client_param_from_config() initializes a TLS_CLIENT_PARAMS /* structure from configuration parameters and returns its 
@@ -25,10 +29,19 @@ /* tls_proxy_client_param_to_string() produces a lookup key /* that is unique for the TLS_CLIENT_PARAMS member values. /* -/* tls_proxy_client_param_with_names_to_string() TODO produces a -/* string with "name = value\n" for each TLS_CLIENT_PARAMS member. -/* This may be useful for reporting differences between +/* tls_proxy_client_param_with_names_to_string() produces a +/* string with "name = value\n" for each TLS_CLIENT_PARAMS +/* member. This may be useful for reporting differences between /* TLS_CLIENT_PARAMS instances. +/* +/* tls_proxy_client_init_to_string() produces a lookup key +/* that is unique for the properties received by +/* tls_proxy_client_init_scan(). +/* +/* tls_proxy_client_init_with_names_to_string() produces a +/* string with "name = value\n" for each TLS_CLIENT_INIT_PROPS +/* member. This may be useful for reporting differences between +/* TLS_CLIENT_INIT_PROPS instances. /* LICENSE /* .ad /* .fi 
@@ -141,4 +154,45 @@ char *tls_proxy_client_param_with_names_to_string(VSTRING *buf, TLS_CLIENT_PAR
 return (vstring_str(buf));
 }
+/* tls_proxy_client_init_to_string - serialize to string */
+
+char *tls_proxy_client_init_to_string(VSTRING *buf,
+ TLS_CLIENT_INIT_PROPS *props)
+{
+ vstring_sprintf(buf, "%s\n%s\n%d\n%s\n%s\n%s\n%s\n%s\n%s\n"
+ "%s\n%s\n%s\n%s\n%s\n", props->log_param,
+ props->log_level, props->verifydepth,
+ props->cache_type, props->chain_files,
+ props->cert_file, props->key_file,
+ props->dcert_file, props->dkey_file,
+ props->eccert_file, props->eckey_file,
+ props->CAfile, props->CApath, props->mdalg);
+ return (vstring_str(buf));
+}
+
+/* tls_proxy_client_init_with_names_to_string - serialize to string */
+
+char *tls_proxy_client_init_with_names_to_string(VSTRING *buf,
+ TLS_CLIENT_INIT_PROPS *props)
+{
+ vstring_sprintf(buf, "%s = %s\n%s = %s\n%s = %d\n%s = %s\n%s = %s\n"
+ "%s = %s\n%s = %s\n%s = %s\n%s = %s\n%s = %s\n"
+ "%s = %s\n%s = %s\n%s = %s\n%s = %s\n",
+ TLS_ATTR_LOG_PARAM, props->log_param,
+ TLS_ATTR_LOG_LEVEL, props->log_level,
+ TLS_ATTR_VERIFYDEPTH, props->verifydepth,
+ TLS_ATTR_CACHE_TYPE, props->cache_type,
+ TLS_ATTR_CHAIN_FILES, props->chain_files,
+ TLS_ATTR_CERT_FILE, props->cert_file,
+ TLS_ATTR_KEY_FILE, props->key_file,
+ TLS_ATTR_DCERT_FILE, props->dcert_file,
+ TLS_ATTR_DKEY_FILE, props->dkey_file,
+ TLS_ATTR_ECCERT_FILE, props->eccert_file,
+ TLS_ATTR_ECKEY_FILE, props->eckey_file,
+ TLS_ATTR_CAFILE, props->CAfile,
+ TLS_ATTR_CAPATH, props->CApath,
+ TLS_ATTR_MDALG, props->mdalg);
+ return (vstring_str(buf));
+}
+
 
 #endif
diff --git a/postfix/src/tls/tls_proxy_client_scan.c b/postfix/src/tls/tls_proxy_client_scan.c
index 4cf362f0e..61aa6ef2e 100644
--- a/postfix/src/tls/tls_proxy_client_scan.c
+++ b/postfix/src/tls/tls_proxy_client_scan.c
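Review bot: Neither new function in this hunk states that its member list must stay in step with TLS_CLIENT_INIT_PROPS and tls_proxy_client_init_scan(), even though tls_proxy_client_init_to_string() is documented earlier in this file as producing a lookup key that is unique for the scanned properties; a member added later but omitted here would make two different client requests produce the same key, and if that key selects a cached TLS client context (not visible in this hunk) the proxy would silently reuse a context built with other CAfile/CApath/chain_files settings. A header comment such as `/* Keep in sync with tls_proxy_client_init_scan(): every member that affects the TLS client context must appear here, or distinct requests will share one lookup key. */` above tls_proxy_client_init_to_string() would make that contract explicit, and the same note fits tls_proxy_client_init_with_names_to_string(), which duplicates the list. The key also joins values with "\n" without escaping, so its uniqueness assumes no member value contains a newline; that is presumably true for the configuration-derived strings used here, but a sentence in the comment would record the assumption. The with_names variant only feeds diagnostics, so a mismatch there would mislead the mismatch report rather than the lookup, but keeping both lists adjacent and commented reduces the chance of drift.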
@@ -21,10 +21,6 @@
 /* int flags;
 /* void *ptr;
 /*
-/* char *tls_proxy_client_init_to_string(buf, init_props)
-/* VSTRING *buf;
-/* TLS_CLIENT_INIT_PROPS *init_props;
-/*
 /* void tls_proxy_client_init_free(init_props)
 /* TLS_CLIENT_INIT_PROPS *init_props;
 /*
@@ -57,10 +53,6 @@
 /* scan routine. tls_proxy_client_init_scan() is meant to be passed
 /* as a call-back function to attr_scan(), as shown below.
 /*
-/* tls_proxy_client_init_to_string() produces a lookup key
-/* that is unique for the properties received by
-/* tls_proxy_client_init_scan().
-/*
 /* tls_proxy_client_init_free() destroys a TLS_CLIENT_INIT_PROPS
 /* structure that was created by tls_proxy_client_init_scan().
 /*
@@ -324,22 +316,6 @@ int tls_proxy_client_init_scan(ATTR_SCAN_MASTER_FN scan_fn, VSTREAM *fp,
 return (ret);
 }
 
-/* tls_proxy_client_init_to_string - serialize to string */
-
-char *tls_proxy_client_init_to_string(VSTRING *buf,
- TLS_CLIENT_INIT_PROPS *props)
-{
- vstring_sprintf(buf, "%s\n%s\n%d\n%s\n%s\n%s\n%s\n%s\n%s\n"
- "%s\n%s\n%s\n%s\n%s\n", props->log_param,
- props->log_level, props->verifydepth,
- props->cache_type, props->chain_files,
- props->cert_file, props->key_file,
- props->dcert_file, props->dkey_file,
- props->eccert_file, props->eckey_file,
- props->CAfile, props->CApath, props->mdalg);
- return (vstring_str(buf));
-}
-
 /* tls_proxy_client_certs_free - destroy TLS_PKEYS from stream */
 
 static void tls_proxy_client_certs_free(TLS_CERTS *tp)
diff --git a/postfix/src/tlsproxy/tlsproxy.c b/postfix/src/tlsproxy/tlsproxy.c
index b6440952f..2c8714cb4 100644
--- a/postfix/src/tlsproxy/tlsproxy.c
+++ b/postfix/src/tlsproxy/tlsproxy.c
@@ -57,9 +57,89 @@
 /*
 /* The text below provides only a parameter summary. See
 /* \fBpostconf\fR(5) for more details including examples.
-/* STARTTLS SUPPORT CONTROLS
+/* STARTTLS GLOBAL CONTROLS
 /* .ad
 /* .fi
+/* The following settings are global and therefore cannot be
+/* overruled by information specified in a \fBtlsproxy\fR(8)
+/* client request.
+/* .IP "\fBtls_append_default_CA (no)\fR"
+/* Append the system-supplied default Certification Authority
+/* certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
+/* .IP "\fBtls_daemon_random_bytes (32)\fR"
+/* The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
+/* process requests from the \fBtlsmgr\fR(8) server in order to seed its
+/* internal pseudo random number generator (PRNG).
+/* .IP "\fBtls_high_cipherlist (see 'postconf -d' output)\fR"
+/* The OpenSSL cipherlist for "high" grade ciphers.
+/* .IP "\fBtls_medium_cipherlist (see 'postconf -d' output)\fR"
+/* The OpenSSL cipherlist for "medium" or higher grade ciphers.
+/* .IP "\fBtls_low_cipherlist (see 'postconf -d' output)\fR"
+/* The OpenSSL cipherlist for "low" or higher grade ciphers.
+/* .IP "\fBtls_export_cipherlist (see 'postconf -d' output)\fR"
+/* The OpenSSL cipherlist for "export" or higher grade ciphers.
+/* .IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR"
+/* The OpenSSL cipherlist for "NULL" grade ciphers that provide
+/* authentication without encryption.
+/* .IP "\fBtls_eecdh_strong_curve (prime256v1)\fR"
+/* The elliptic curve used by the Postfix SMTP server for sensibly
+/* strong
+/* ephemeral ECDH key exchange.
+/* .IP "\fBtls_eecdh_ultra_curve (secp384r1)\fR"
+/* The elliptic curve used by the Postfix SMTP server for maximally
+/* strong
+/* ephemeral ECDH key exchange.
+/* .IP "\fBtls_disable_workarounds (see 'postconf -d' output)\fR"
+/* List or bit-mask of OpenSSL bug work-arounds to disable.
+/* .IP "\fBtls_preempt_cipherlist (no)\fR"
+/* With SSLv3 and later, use the Postfix SMTP server's cipher
+/* preference order instead of the remote client's cipher preference
+/* order.
+/* .PP
+/* Available in Postfix version 2.9 and later:
+/* .IP "\fBtls_legacy_public_key_fingerprints (no)\fR"
+/* A temporary migration aid for sites that use certificate
+/* \fIpublic-key\fR fingerprints with Postfix 2.9.0..2.9.5, which use
+/* an incorrect algorithm.
+/* .PP
+/* Available in Postfix version 2.11-3.1:
+/* .IP "\fBtls_dane_digest_agility (on)\fR"
+/* Configure RFC7671 DANE TLSA digest algorithm agility.
+/* .IP "\fBtls_dane_trust_anchor_digest_enable (yes)\fR"
+/* Enable support for RFC 6698 (DANE TLSA) DNS records that contain
+/* digests of trust-anchors with certificate usage "2".
+/* .PP
+/* Available in Postfix version 2.11 and later:
+/* .IP "\fBtlsmgr_service_name (tlsmgr)\fR"
+/* The name of the \fBtlsmgr\fR(8) service entry in master.cf.
+/* .PP
+/* Available in Postfix version 3.0 and later:
+/* .IP "\fBtls_session_ticket_cipher (Postfix >= 3.0: aes-256-cbc, Postfix < 3.0: aes-128-cbc)\fR"
+/* Algorithm used to encrypt RFC5077 TLS session tickets.
+/* .IP "\fBopenssl_path (openssl)\fR"
+/* The location of the OpenSSL command line program \fBopenssl\fR(1).
+/* .PP
+/* Available in Postfix version 3.2 and later:
+/* .IP "\fBtls_eecdh_auto_curves (see 'postconf -d' output)\fR"
+/* The prioritized list of elliptic curves supported by the Postfix
+/* SMTP client and server.
+/* .PP
+/* Available in Postfix version 3.4 and later:
+/* .IP "\fBtls_server_sni_maps (empty)\fR"
+/* Optional lookup tables that map names received from remote SMTP
+/* clients via the TLS Server Name Indication (SNI) extension to the
+/* appropriate keys and certificate chains.
+/* STARTTLS SERVER CONTROLS
+/* .ad
+/* .fi
+/* These settings are clones of Postfix SMTP server settings.
+/* They allow \fBtlsproxy\fR(8) to load the same certificate
+/* and private key information as the Postfix SMTP server,
+/* before dropping privileges, so that the key files can be
+/* kept read-only for root. These settings can currently not
+/* be overruled by information in a \fBtlsproxy\fR(8) client
+/* request, but that limitation may be removed in a future
+/* version.
 /* .IP "\fBtlsproxy_tls_CAfile ($smtpd_tls_CAfile)\fR"
 /* A file containing (PEM format) CA certificates of root CAs
 /* trusted to sign either remote SMTP client certificates or intermediate
@@ -134,27 +214,18 @@
 /* The SMTP TLS security level for the Postfix \fBtlsproxy\fR(8) server;
 /* when a non-empty value is specified, this overrides the obsolete
 /* parameters smtpd_use_tls and smtpd_enforce_tls.
-/* .PP
-/* Available in Postfix version 2.11 and later:
-/* .IP "\fBtlsmgr_service_name (tlsmgr)\fR"
-/* The name of the \fBtlsmgr\fR(8) service entry in master.cf.
-/* .PP
-/* Available in Postfix version 3.4 and later:
 /* .IP "\fBtlsproxy_tls_chain_files ($smtpd_tls_chain_files)\fR"
 /* Files with the Postfix \fBtlsproxy\fR(8) server keys and certificate
 /* chains in PEM format.
-/* .IP "\fBtls_server_sni_maps (empty)\fR"
-/* Optional lookup tables that map names received from remote SMTP
-/* clients via the TLS Server Name Indication (SNI) extension to the
-/* appropriate keys and certificate chains.
-/* TLS CLIENT CONTROLS
+/* STARTTLS CLIENT CONTROLS
 /* .ad
 /* .fi
-/* These parameters are clones of SMTP client settings. They
-/* allow \fBtlsproxy\fR(8) to load the same certificate and
-/* private key information as the SMTP client, before dropping
-/* privileges, so that the key files can be kept read-only for
-/* root.
+/* These settings are clones of Postfix SMTP client settings.
+/* They allow \fBtlsproxy\fR(8) to load the same certificate
+/* and private key information as the Postfix SMTP client,
+/* before dropping privileges, so that the key files can be
+/* kept read-only for root. Some settings may be overruled by
+/* information in a \fBtlsproxy\fR(8) client request.
 /* .PP
 /* Available in Postfix version 3.4 and later:
 /* .IP "\fBtlsproxy_client_CAfile ($smtp_tls_CAfile)\fR"
@@ -430,14 +501,14 @@ static TLS_APPL_STATE *tlsp_server_ctx;
 static TLS_APPL_STATE *tlsp_client_ctx;
 static bool tlsp_pre_jail_done;
 static int ask_client_cert;
+static char *tlsp_pre_jail_client_param_key; /* pre-jail global params */
+static char *tlsp_pre_jail_client_init_key; /* pre-jail init props */
 
 /*
 * TLS per-client status.
 */
-static HTABLE *tlsp_client_app_cache;
-static BH_TABLE *tlsp_params_mismatch_filter;
-static char *tlsp_pre_jail_client_param_key;
-static char *tlsp_pre_jail_client_init_key;
+static HTABLE *tlsp_client_app_cache; /* per-client init props */
+static BH_TABLE *tlsp_params_mismatch_filter; /* per-client nag filter */
 
 /*
 * Error handling: if a function detects an error, then that function is
@@ -1088,16 +1159,19 @@ static TLS_APPL_STATE *tlsp_client_init(TLS_CLIENT_PARAMS *tls_params,
 /*
 * Use one TLS_APPL_STATE object for all requests that specify the same
 * TLS_CLIENT_INIT_PROPS. Each TLS_APPL_STATE owns an SSL_CTX, which is
- * expensive to create.
+ * expensive to create. Bug: TLS_CLIENT_PARAMS are not used when creating
+ * a TLS_APPL_STATE instance.
 *
 * First, compute the TLS_APPL_STATE cache lookup key. Save a copy of the
- * TLS_CLIENT_PARAMS and TLSPROXY_CLIENT_INIT_PROPS settings from the
- * pre-jail internal request.
+ * pre-jail request TLS_CLIENT_PARAMS and TLSPROXY_CLIENT_INIT_PROPS
+ * settings, so that we can detect post-jail requests that do not match.
 */
 param_buf = vstring_alloc(100);
- param_key = tls_proxy_client_param_to_string(param_buf, tls_params);
+ param_key = tls_proxy_client_param_with_names_to_string(
+ param_buf, tls_params);
 init_buf = vstring_alloc(100);
- init_key = tls_proxy_client_init_to_string(init_buf, init_props);
+ init_key = tls_proxy_client_init_with_names_to_string(
+ init_buf, init_props);
 if (tlsp_pre_jail_done == 0) {
 if (tlsp_pre_jail_client_param_key != 0
 || tlsp_pre_jail_client_init_key != 0)
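Review bot: The same "Bug: TLS_CLIENT_PARAMS are not used when creating a TLS_APPL_STATE instance" explanation is now written three times — here in tlsp_client_init(), again at the mismatch warning in the following hunk, and in pre_jail_init() — and triplicated rationale tends to drift once one copy is corrected. Stating it once where tlsp_params_mismatch_filter is declared and referring to it from the other two places, e.g. `/* See tlsp_params_mismatch_filter for why TLS_CLIENT_PARAMS mismatches are only reported. */`, would keep them consistent. The switch to the `_with_names_` serializers also makes each key serve both as the cache lookup key and as log text; a short comment on the key computation saying that the longer form is deliberate would save a reader from wondering why names are hashed along with values. tlsp_client_init() starts before and continues after this hunk.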
@@ -1108,9 +1182,9 @@ static TLS_APPL_STATE *tlsp_client_init(TLS_CLIENT_PARAMS *tls_params,
 
 /*
 * Log a warning if a post-jail request uses unexpected TLS_CLIENT_PARAMS
- * settings. These differences are problematic because TLS_CLIENT_PARAMS
- * settings are unfortunately not passed to tls_client_init(). Only the
- * init_props settings are used.
+ * settings. Bug: TLS_CLIENT_PARAMS settings are not used when creating a
+ * TLS_APPL_STATE instance; this makes a mismatch of TLS_CLIENT_PARAMS
+ * settings problematic.
 */
 if (tlsp_pre_jail_done
 && !been_here_fixed(tlsp_params_mismatch_filter, param_key)
@@ -1129,10 +1203,12 @@ static TLS_APPL_STATE *tlsp_client_init(TLS_CLIENT_PARAMS *tls_params,
 /*
 * Before creating a TLS_APPL_STATE instance, log a warning if a
 * post-jail request differs from the saved pre-jail request AND the
- * request specifies file/directory pathname arguments. Requests
- * containing pathnames are problematic after chroot (pathname
- * resolution) and after dropping privileges (key files must be root
- * read-only).
+ * post-jail request specifies file/directory pathname arguments.
+ * Unexpected requests containing pathnames are problematic after
+ * chroot (pathname resolution) and after dropping privileges (key
+ * files must be root read-only). Unexpected requests are not a
+ * problem as long as they contain no pathnames (for example a
+ * tls_loglevel change).
 *
 * We could eliminate some of this complication by adding code that
 * opens a cert/key lookup table at pre-jail time, and by reading
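Review bot: The rewritten comment says a TLS_CLIENT_PARAMS mismatch is "problematic" but not what happens to the request: the differing post-jail values are not applied and the global settings established at pre-jail time stay in effect (consistent with the STARTTLS GLOBAL CONTROLS text added earlier in this patch), which is the fact an operator reading the warning needs. If the msg_warn() text that follows the hunk does not already say so, adding a clause such as `pre-jail settings remain in effect` would make the log line actionable. The condition also keys the nag filter on param_key, so the warning fires once per distinct mismatching parameter set rather than once per process; a comment like `/* Nag once per distinct mismatching TLS_CLIENT_PARAMS set. */` above the if would record that intent. The enclosing tlsp_client_init() starts before and continues after the hunk.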
@@ -1607,9 +1683,8 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
 tlsp_pre_jail_done = 1;
 
 /*
- * Unfortunately TLS_CLIENT_PARAMS attributes correspond to global state
- * and can therefore not be used when creating TLS_APPL_STATE instances,
- * but we can warn about attribute mismatches.
+ * Bug: TLS_CLIENT_PARAMS attributes are not used when creating a
+ * TLS_APPL_STATE instance; we can only warn about attribute mismatches.
 */
 tlsp_params_mismatch_filter = been_here_init(BH_BOUND_NONE, BH_FLAG_NONE);
 }
-- 
2.47.3
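Review bot: `been_here_init(BH_BOUND_NONE, BH_FLAG_NONE)` gives the mismatch filter no size limit, so it retains one entry per distinct mismatching TLS_CLIENT_PARAMS key for the life of the process. That is presumably acceptable because requests arrive only from local Postfix SMTP client processes and the number of distinct configurations is small, but that reasoning is not written down; a comment such as `/* Unbounded: keys come only from local Postfix clients, one per distinct configuration. */` would record why BH_BOUND_NONE is the right choice here. The rewritten comment could also name the consumer, tlsp_client_init(), so a reader of pre_jail_init() does not have to search for where the warning is actually emitted.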