From: Wietse Venema Date: Sun, 15 May 2016 05:00:00 +0000 (-0500) Subject: postfix-3.2-20160515 X-Git-Tag: v3.2.0-RC1~29 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a3700e86b50715fd7c7dcd744ea9cb9ad445ff60;p=thirdparty%2Fpostfix.git postfix-3.2-20160515 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 850a01190..52f161c22 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -22219,9 +22219,10 @@ Apologies for any names omitted. Bugfix (introduced: Postfix 2.6): the Milter SMFIR_CHGFROM (replace sender) request lost the sender_bcc_maps address. - Fixed by moving some record keeping to the sender output function. - Files: cleanup/cleanup_envelope.c, cleanup/cleanuop_addr.c, - cleanup/cleanup_milter.c, cleanup/cleanup.h, regression tests. + Fixed by moving some record keeping to the sender output + function. Files: cleanup/cleanup_envelope.c, + cleanup/cleanup_addr.c, cleanup/cleanup_milter.c, + cleanup/cleanup.h, regression tests. 20160314 @@ -22277,3 +22278,31 @@ Apologies for any names omitted. Cleanup: un-broke regression tests. Files: dns/mxonly_test.ref, dns/no-mx.ref, smtpd/smtpd_server.ref, smtpd/smtpd_server.in. + + Added Postfix version information to the "postconf -m" manpage + section. File: postconf/postconf.c. + +20160330 + + The collate.pl script by Viktor Dukhovni for grouping Postfix + logfile records into "sessions" based on queue ID and process + ID information. Files: auxiliary/collate/*. + +20160407 + + Treat SASL_FAIL and SASL_NOMEM as temporary errors. + Markus Benning. File: xsasl/xsasl_cyrus_server.c. + +20160410 + + Bugfix (introduced: Postfix 2.6): the "bad filetype" + header_checks pattern falsely rejected Content-Mumble headers + with ``name="example"; x-apple-part-url="example.com"''. + Fixed by respecting the ";" separator between content + attribute values. Reported by Cedric Knight. File: + proto/header_checks. + +20160515 + + Portability: OpenBSD 6.0. Files: makedefs, util/sys_defs.h, + dns/dns_str_resflags.c. diff --git a/postfix/auxiliary/collate/README b/postfix/auxiliary/collate/README new file mode 100644 index 000000000..6e7e0aba2 --- /dev/null +++ b/postfix/auxiliary/collate/README @@ -0,0 +1,11 @@ +This script, by Viktor Dukhovni, untangles a Postfix logfile and +groups the records one "session" at a time based on queue ID and +process ID information. + +Records from different sessions are separated by an empty line. +Such text is easy to process with $/="" in perl, or RS="" in awk. + +Usage: + perl collate.pl file... + +It reads standard input when no file is specified. diff --git a/postfix/auxiliary/collate/collate.pl b/postfix/auxiliary/collate/collate.pl new file mode 100755 index 000000000..3676fbefd --- /dev/null +++ b/postfix/auxiliary/collate/collate.pl @@ -0,0 +1,132 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +# Postfix delivery agents +my @agents = qw(discard error lmtp local pipe smtp virtual); + +my $instre = qr{(?x) + \A # Absolute line start + (?:\S+ \s+){3} # Timestamp, adjust for other time formats + \S+ \s+ # Hostname + (postfix(?:-\S+)?)/ # postfix instance + }; + +my $cmdpidre = qr{(?x) + \G # Continue from previous match + (\S+)\[(\d+)\]:\s+ # command[pid]: +}; + +my %smtpd; +my %smtp; +my %transaction; +my $i = 0; +my %seqno; + +my %isagent = map { ($_, 1) } @agents; + +while (<>) { + next unless m{$instre}ogc; my $inst = $1; + next unless m{$cmdpidre}ogc; my $command = $1; my $pid = $2; + + if ($command eq "smtpd") { + if (m{\Gconnect from }gc) { + # Start new log + $smtpd{$pid}->{"log"} = $_; next; + } + + $smtpd{$pid}->{"log"} .= $_; + + if (m{\G(\w+): client=}gc) { + # Fresh transaction + my $qid = "$inst/$1"; + $smtpd{$pid}->{"qid"} = $qid; + $transaction{$qid} = $smtpd{$pid}->{"log"}; + $seqno{$qid} = ++$i; + next; + } + + my $qid = $smtpd{$pid}->{"qid"}; + $transaction{$qid} .= $_ + if (defined($qid) && exists $transaction{$qid}); + delete $smtpd{$pid} if (m{\Gdisconnect from}gc); + next; + } + + if ($command eq "pickup") { + if (m{\G(\w+): uid=}gc) { + my $qid = "$inst/$1"; + $transaction{$qid} = $_; + $seqno{$qid} = ++$i; + } + next; + } + + # bounce(8) logs transaction start after cleanup(8) already logged + # the message-id, so the cleanup log entry may be first + # + if ($command eq "cleanup") { + next unless (m{\G(\w+): }gc); + my $qid = "$inst/$1"; + $transaction{$qid} .= $_; + $seqno{$qid} = ++$i if (! exists $seqno{$qid}); + next; + } + + if ($command eq "qmgr") { + next unless (m{\G(\w+): }gc); + my $qid = "$inst/$1"; + if (defined($transaction{$qid})) { + $transaction{$qid} .= $_; + if (m{\Gremoved$}gc) { + print delete $transaction{$qid}, "\n"; + } + } + next; + } + + # Save pre-delivery messages for smtp(8) and lmtp(8) + # + if ($command eq "smtp" || $command eq "lmtp") { + $smtp{$pid} .= $_; + + if (m{\G(\w+): to=}gc) { + my $qid = "$inst/$1"; + if (defined($transaction{$qid})) { + $transaction{$qid} .= $smtp{$pid}; + } + delete $smtp{$pid}; + } + next; + } + + if ($command eq "bounce") { + if (m{\G(\w+): .*? notification: (\w+)$}gc) { + my $qid = "$inst/$1"; + my $newid = "$inst/$2"; + if (defined($transaction{$qid})) { + $transaction{$qid} .= $_; + } + $transaction{$newid} = + $_ . $transaction{$newid}; + $seqno{$newid} = ++$i if (! exists $seqno{$newid}); + } + next; + } + + if ($isagent{$command}) { + if (m{\G(\w+): to=}gc) { + my $qid = "$inst/$1"; + if (defined($transaction{$qid})) { + $transaction{$qid} .= $_; + } + } + next; + } +} + +# Dump logs of incomplete transactions. +foreach my $qid (sort {$seqno{$a} <=> $seqno{$b}} keys %transaction) { + print $transaction{$qid}, "\n"; +} diff --git a/postfix/auxiliary/qshape/qshape.pl b/postfix/auxiliary/qshape/qshape.pl old mode 100644 new mode 100755 diff --git a/postfix/conf/header_checks b/postfix/conf/header_checks index 0029f321f..d5984370f 100644 --- a/postfix/conf/header_checks +++ b/postfix/conf/header_checks @@ -470,7 +470,7 @@ # header_checks = pcre:/etc/postfix/header_checks.pcre # # /etc/postfix/header_checks.pcre: -# /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)( +# /^Content-(Disposition|Type).*name\s*=\s*"?([^;]*(\.|=2E)( # ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe| # hlp|ht[at]| # inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws| diff --git a/postfix/html/header_checks.5.html b/postfix/html/header_checks.5.html index 25fd023d1..dce6f7cc6 100644 --- a/postfix/html/header_checks.5.html +++ b/postfix/html/header_checks.5.html @@ -417,7 +417,7 @@ HEADER_CHECKS(5) HEADER_CHECKS(5) header_checks = pcre:/etc/postfix/header_checks.pcre /etc/postfix/header_checks.pcre: - /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)( + /^Content-(Disposition|Type).*name\s*=\s*"?([^;]*(\.|=2E)( ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe| hlp|ht[at]| inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws| diff --git a/postfix/html/postconf.1.html b/postfix/html/postconf.1.html index 38a5b166e..72ebc994b 100644 --- a/postfix/html/postconf.1.html +++ b/postfix/html/postconf.1.html @@ -213,10 +213,14 @@ POSTCONF(1) POSTCONF(1) tal updates. Available on systems with support for CDB databases. + This feature is available with Postfix 2.2 and later. + cidr A table that associates values with Classless Inter-Domain Routing (CIDR) patterns. This is described in cidr_table(5). + This feature is available with Postfix 2.2 and later. + dbm An indexed file type based on hashing. Available on sys- tems with support for DBM databases. @@ -229,6 +233,8 @@ POSTCONF(1) POSTCONF(1) ble name is used for logging. This table exists to sim- plify Postfix error tests. + This feature is available with Postfix 2.9 and later. + hash An indexed file type based on hashing. Available on sys- tems with support for Berkeley DB databases. @@ -241,6 +247,8 @@ POSTCONF(1) POSTCONF(1) just a few fixed elements. See also the static: map type. + This feature is available with Postfix 3.0 and later. + internal A non-shared, in-memory hash table. Its content are lost when a process terminates. @@ -249,6 +257,8 @@ POSTCONF(1) POSTCONF(1) file). Available on systems with support for LMDB data- bases. This is described in lmdb_table(5). + This feature is available with Postfix 2.11 and later. + ldap (read-only) LDAP database client. This is described in ldap_table(5). @@ -256,6 +266,8 @@ POSTCONF(1) POSTCONF(1) Memcache database client. This is described in mem- cache_table(5). + This feature is available with Postfix 2.9 and later. + mysql (read-only) MySQL database client. Available on systems with support for MySQL databases. This is described in mysql_ta- @@ -269,6 +281,8 @@ POSTCONF(1) POSTCONF(1) PostgreSQL database client. This is described in pgsql_table(5). + This feature is available with Postfix 2.1 and later. + pipemap (read-only) A lookup table that constructs a pipeline of tables. Example: "pipemap:{type_1:name_1, ..., type_n:name_n}". @@ -280,9 +294,13 @@ POSTCONF(1) POSTCONF(1) "pipemap:" table name must be "{" and "}". Within these, individual maps are separated with comma or whitespace. + This feature is available with Postfix 3.0 and later. + proxy Postfix proxymap(8) client for shared access to Postfix databases. The table name syntax is type:name. + This feature is available with Postfix 2.0 and later. + randmap (read-only) An in-memory table that performs random selection. Exam- ple: "randmap:{result_1, ..., result_n}". Each table @@ -292,6 +310,8 @@ POSTCONF(1) POSTCONF(1) results are separated with comma or whitespace. To give a specific result more weight, specify it multiple times. + This feature is available with Postfix 3.0 and later. + regexp (read-only) A lookup table based on regular expressions. The file format is described in regexp_table(5). @@ -299,15 +319,21 @@ POSTCONF(1) POSTCONF(1) sdbm An indexed file type based on hashing. Available on sys- tems with support for SDBM databases. + This feature is available with Postfix 2.2 and later. + socketmap (read-only) Sendmail-style socketmap client. The table name is inet:host:port:name for a TCP/IP server, or unix:path- name:name for a UNIX-domain server. This is described in socketmap_table(5). + This feature is available with Postfix 2.10 and later. + sqlite (read-only) SQLite database. This is described in sqlite_table(5). + This feature is available with Postfix 2.8 and later. + static (read-only) A table that always returns its name as lookup result. For example, static:foobar always returns the string foo- @@ -316,57 +342,64 @@ POSTCONF(1) POSTCONF(1) ignores whitespace after "{" and before "}". See also the inline: map. + The form "static:{text} is available with Postfix 3.0 and + later. + tcp (read-only) TCP/IP client. The protocol is described in tcp_table(5). texthash (read-only) - Produces similar results as hash: files, except that you - don't need to run the postmap(1) command before you can - use the file, and that it does not detect changes after + Produces similar results as hash: files, except that you + don't need to run the postmap(1) command before you can + use the file, and that it does not detect changes after the file is read. + This feature is available with Postfix 2.8 and later. + unionmap (read-only) - A table that sends each query to multiple lookup tables - and that concatenates all found results, separated by + A table that sends each query to multiple lookup tables + and that concatenates all found results, separated by comma. The table name syntax is the same as for pipemap. + This feature is available with Postfix 3.0 and later. + unix (read-only) - A limited view of the UNIX authentication database. The + A limited view of the UNIX authentication database. The following tables are implemented: unix:passwd.byname - The table is the UNIX password database. The key - is a login name. The result is a password file + The table is the UNIX password database. The key + is a login name. The result is a password file entry in passwd(5) format. unix:group.byname The table is the UNIX group database. The key is a - group name. The result is a group file entry in + group name. The result is a group file entry in group(5) format. - Other table types may exist depending on how Postfix was built. + Other table types may exist depending on how Postfix was built. - -M Show master.cf file contents instead of main.cf file contents. + -M Show master.cf file contents instead of main.cf file contents. Specify -Mf to fold long lines for human readability. Specify zero or more arguments, each with a service-name or ser- - vice-name/service-type pair, where service-name is the first - field of a master.cf entry and service-type is one of (inet, + vice-name/service-type pair, where service-name is the first + field of a master.cf entry and service-type is one of (inet, unix, fifo, or pass). - If service-name or service-name/service-type is specified, only - the matching master.cf entries will be output. For example, - "postconf -Mf smtp" will output all services named "smtp", and - "postconf -Mf smtp/inet" will output only the smtp service that - listens on the network. Trailing service type fields that are + If service-name or service-name/service-type is specified, only + the matching master.cf entries will be output. For example, + "postconf -Mf smtp" will output all services named "smtp", and + "postconf -Mf smtp/inet" will output only the smtp service that + listens on the network. Trailing service type fields that are omitted will be handled as "*" wildcard fields. This feature is available with Postfix 2.9 and later. The syntax - was changed from "name.type" to "name/type", and "*" wildcard + was changed from "name.type" to "name/type", and "*" wildcard support was added with Postfix 2.11. -n Show only configuration parameters that have explicit name=value - settings in main.cf. Specify -nf to fold long lines for human + settings in main.cf. Specify -nf to fold long lines for human readability (Postfix 2.9 and later). -o name=value @@ -378,38 +411,38 @@ POSTCONF(1) POSTCONF(1) This feature is available with Postfix 2.11 and later. - -P Show master.cf service parameter settings (by default all ser- - vices and all parameters), formatted as "service/type/parame- + -P Show master.cf service parameter settings (by default all ser- + vices and all parameters), formatted as "service/type/parame- ter=value", one per line. Specify -Pf to fold long lines. - Specify one or more "service/type/parameter" instances on the - postconf(1) command line to limit the output to parameters of - interest. Trailing parameter name or service type fields that + Specify one or more "service/type/parameter" instances on the + postconf(1) command line to limit the output to parameters of + interest. Trailing parameter name or service type fields that are omitted will be handled as "*" wildcard fields. This feature is available with Postfix 2.11 and later. -t [template_file] - Display the templates for text that appears at the beginning of - delivery status notification (DSN) messages, without expanding + Display the templates for text that appears at the beginning of + delivery status notification (DSN) messages, without expanding $name expressions. - To override the bounce_template_file parameter setting, specify - a template file name at the end of the "postconf -t" command - line. Specify an empty file name to display built-in templates + To override the bounce_template_file parameter setting, specify + a template file name at the end of the "postconf -t" command + line. Specify an empty file name to display built-in templates (in shell language: ""). This feature is available with Postfix 2.3 and later. -T mode - If Postfix is compiled without TLS support, the -T option pro- - duces no output. Otherwise, if an invalid mode is specified, - the -T option reports an error and exits with a non-zero status + If Postfix is compiled without TLS support, the -T option pro- + duces no output. Otherwise, if an invalid mode is specified, + the -T option reports an error and exits with a non-zero status code. The valid modes are: compile-version Output the OpenSSL version that Postfix was compiled with - (i.e. the OpenSSL version in a header file). The output + (i.e. the OpenSSL version in a header file). The output format is the same as with the command "openssl version". run-version @@ -417,28 +450,28 @@ POSTCONF(1) POSTCONF(1) runtime (i.e. the OpenSSL version in a shared library). public-key-algorithms - Output the lower-case names of the supported public-key + Output the lower-case names of the supported public-key algorithms, one per-line. This feature is available with Postfix 3.1 and later. - -v Enable verbose logging for debugging purposes. Multiple -v + -v Enable verbose logging for debugging purposes. Multiple -v options make the software increasingly verbose. - -x Expand $name in main.cf or master.cf parameter values. The + -x Expand $name in main.cf or master.cf parameter values. The expansion is recursive. This feature is available with Postfix 2.10 and later. - -X Edit the main.cf configuration file, and remove the parameters + -X Edit the main.cf configuration file, and remove the parameters named on the postconf(1) command line. Specify a list of param- eter names, not "name=value" pairs. - With -M, edit the master.cf configuration file, and remove one - or more service entries as specified with "service/type" on the + With -M, edit the master.cf configuration file, and remove one + or more service entries as specified with "service/type" on the postconf(1) command line. - With -P, edit the master.cf configuration file, and remove one + With -P, edit the master.cf configuration file, and remove one or more service parameter settings (-o parameter=value settings) as specied with "service/type/parameter" on the postconf(1) com- mand line. @@ -447,10 +480,10 @@ POSTCONF(1) POSTCONF(1) into place. Specify quotes to protect special characters on the postconf(1) command line. - There is no postconf(1) command to perform the reverse opera- + There is no postconf(1) command to perform the reverse opera- tion. - This feature is available with Postfix 2.10 and later. Support + This feature is available with Postfix 2.10 and later. Support for -M and -P was added with Postfix 2.11. -# Edit the main.cf configuration file, and comment out the parame- @@ -458,18 +491,18 @@ POSTCONF(1) POSTCONF(1) eters revert to their default values. Specify a list of parame- ter names, not "name=value" pairs. - With -M, edit the master.cf configuration file, and comment out - one or more service entries as specified with "service/type" on + With -M, edit the master.cf configuration file, and comment out + one or more service entries as specified with "service/type" on the postconf(1) command line. In all cases the file is copied to a temporary file then renamed into place. Specify quotes to protect special characters on the postconf(1) command line. - There is no postconf(1) command to perform the reverse opera- + There is no postconf(1) command to perform the reverse opera- tion. - This feature is available with Postfix 2.6 and later. Support + This feature is available with Postfix 2.6 and later. Support for -M was added with Postfix 2.11. DIAGNOSTICS @@ -480,27 +513,27 @@ POSTCONF(1) POSTCONF(1) Directory with Postfix configuration files. CONFIGURATION PARAMETERS - The following main.cf parameters are especially relevant to this pro- + The following main.cf parameters are especially relevant to this pro- gram. - The text below provides only a parameter summary. See postconf(5) for + The text below provides only a parameter summary. See postconf(5) for more details including examples. config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and master.cf con- + The default location of the Postfix main.cf and master.cf con- figuration files. bounce_template_file (empty) - Pathname of a configuration file with bounce message templates. + Pathname of a configuration file with bounce message templates. FILES /etc/postfix/main.cf, Postfix configuration parameters /etc/postfix/master.cf, Postfix master daemon configuration SEE ALSO - bounce(5), bounce template file format master(5), master.cf - configuration file syntax postconf(5), main.cf configuration - file syntax + bounce(5), bounce template file format + master(5), master.cf configuration file syntax + postconf(5), main.cf configuration file syntax README FILES DATABASE_README, Postfix lookup table overview diff --git a/postfix/html/postscreen.8.html b/postfix/html/postscreen.8.html index 6bdb0e248..f5884e2cb 100644 --- a/postfix/html/postscreen.8.html +++ b/postfix/html/postscreen.8.html @@ -4,7 +4,7 @@ Postfix manual - postscreen(8) 
-POSTSCREEN(8)                                                    POSTSCREEN(8)
+POSTSCREEN(8)               System Manager's Manual              POSTSCREEN(8)
 
 NAME
        postscreen - Postfix zombie blocker
@@ -22,8 +22,8 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
 
        This program should not be used on SMTP ports that  receive  mail  from
        end-user clients (MUAs). In a typical deployment, postscreen(8) handles
-       the MX service on TCP port 25, while MUA clients submit  mail  via  the
-       submission  service  on  TCP port 587 which requires client authentica-
+       the MX service on TCP port 25, and smtpd(8) receives mail from MUAs  on
+       the submission service (TCP port 587) which requires client authentica-
        tion.  Alternatively, a site could set up a dedicated,  non-postscreen,
        "port  25" server that provides submission service and client authenti-
        cation, but no MX service.
@@ -76,33 +76,28 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
        The  postscreen(8)  built-in  SMTP  protocol  engine currently does not
        announce support for AUTH, XCLIENT or XFORWARD.  If you  need  to  make
        these  services  available  on port 25, then do not enable the optional
-       "after 220 server greeting" tests, and do not use  DNSBLs  that  reject
-       traffic from dial-up and residential networks.
-
-       The  optional "after 220 server greeting" tests involve postscreen(8)'s
-       built-in SMTP protocol engine. When these tests succeed,  postscreen(8)
-       adds  the client to the temporary whitelist, but it cannot not hand off
-       the "live" connection to a Postfix SMTP server process in the middle of
-       a session.  Instead, postscreen(8) defers attempts to deliver mail with
-       a 4XX status, and waits for the client to disconnect.  When the  client
-       connects  again, postscreen(8) will allow the client to talk to a Post-
-       fix SMTP server process (provided that the  whitelist  status  has  not
-       expired).   postscreen(8)  mitigates  the  impact of this limitation by
-       giving the "after 220 server greeting" tests a long expiration time.
+       "after 220 server greeting" tests.
+
+       The optional "after 220 server greeting" tests may result in unexpected
+       delivery delays from senders that retry email delivery from a different
+       IP address.  Reason: after passing these tests a new client  must  dis-
+       connect,  and  reconnect from the same IP address before it can deliver
+       mail. See POSTSCREEN_README, section "Tests after the 220  SMTP  server
+       greeting", for a discussion.
 
 CONFIGURATION PARAMETERS
-       Changes to main.cf are not picked up  automatically,  as  postscreen(8)
-       processes  may run for several hours.  Use the command "postfix reload"
+       Changes  to  main.cf  are not picked up automatically, as postscreen(8)
+       processes may run for several hours.  Use the command "postfix  reload"
        after a configuration change.
 
-       The text below provides only a parameter summary. See  postconf(5)  for
+       The  text  below provides only a parameter summary. See postconf(5) for
        more details including examples.
 
-       NOTE:  Some  postscreen(8) parameters implement stress-dependent behav-
-       ior.  This is supported  only  when  the  default  parameter  value  is
-       stress-dependent  (that  is,  it looks like ${stress?{X}:{Y}}, or it is
-       the $name of an  smtpd  parameter  with  a  stress-dependent  default).
-       Other  parameters  always  evaluate as if the stress parameter value is
+       NOTE: Some postscreen(8) parameters implement  stress-dependent  behav-
+       ior.   This  is  supported  only  when  the  default parameter value is
+       stress-dependent (that is, it looks like ${stress?{X}:{Y}},  or  it  is
+       the  $name  of  an  smtpd  parameter  with a stress-dependent default).
+       Other parameters always evaluate as if the stress  parameter  value  is
        the empty string.
 
 COMPATIBILITY CONTROLS
@@ -299,13 +294,13 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
 
        postscreen_dnsbl_max_ttl
        (${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h)
-              The  maximum  amount  of  time  that  postscreen(8) will use the
-              result from a successful  DNS-based  reputation  test  before  a
+              The maximum amount of  time  that  postscreen(8)  will  use  the
+              result  from  a  successful  DNS-based  reputation test before a
               client IP address is required to pass that test again.
 
        postscreen_dnsbl_min_ttl (60s)
-              The  minimum  amount  of  time  that  postscreen(8) will use the
-              result from a successful  DNS-based  reputation  test  before  a
+              The minimum amount of  time  that  postscreen(8)  will  use  the
+              result  from  a  successful  DNS-based  reputation test before a
               client IP address is required to pass that test again.
 
        postscreen_greet_ttl (1d)
@@ -322,7 +317,7 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
 
 RESOURCE CONTROLS
        line_length_limit (2048)
-              Upon input, long lines are chopped up into  pieces  of  at  most
+              Upon  input,  long  lines  are chopped up into pieces of at most
               this length; upon delivery, long lines are reconstructed.
 
        postscreen_client_connection_count_limit         ($smtpd_client_connec-
@@ -399,8 +394,8 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
               The syslog facility of Postfix logging.
 
        syslog_name (see 'postconf -d' output)
-              The mail system name that is prepended to the  process  name  in
-              syslog  records,  so  that  "smtpd" becomes, for example, "post-
+              The  mail  system  name that is prepended to the process name in
+              syslog records, so that "smtpd"  becomes,  for  example,  "post-
               fix/smtpd".
 
 SEE ALSO
@@ -418,7 +413,7 @@ POSTSCREEN(8)                                                    POSTSCREEN(8)
 HISTORY
        This service was introduced with Postfix version 2.8.
 
-       Many  ideas  in  postscreen(8) were explored in earlier work by Michael
+       Many ideas in postscreen(8) were explored in earlier  work  by  Michael
        Tokarev, in OpenBSD spamd, and in MailChannels Traffic Control.
 
 AUTHOR(S)
diff --git a/postfix/makedefs b/postfix/makedefs
index 181b274ff..694868c47 100644
--- a/postfix/makedefs
+++ b/postfix/makedefs
@@ -54,11 +54,11 @@
 #	are known to support it.
 # .IP \fB-DNO_EAI\fR
 #	Do not build with EAI (SMTPUTF8) support. By default, EAI
-#	support is compiled in when the "icuuc" library and header
-#	files are found.
+#	support is compiled in when the "icu-config" command is
+#	found.
 # .IP \fB-DNO_INLINE\fR
 #	Do not require support for C99 "inline" functions. Instead,
-#	implement argument typechecks for non-printf/scanf-like
+#	implement argument typechecks for non-(printf/scanf)-like
 #	functions with ternary operators and unreachable code.
 # .IP \fB-DNO_IPV6\fR
 #	Do not build with IPv6 support.
@@ -292,6 +292,15 @@ case "$SYSTEM.$RELEASE" in
 		: ${SHLIB_ENV="LD_LIBRARY_PATH=`pwd`/lib"}
 		: ${PLUGIN_LD="${CC} -shared"}
 		;;
+  OpenBSD.6*)	SYSTYPE=OPENBSD6
+		: ${CC=cc}
+		: ${SHLIB_SUFFIX=.so.1.0}
+		: ${SHLIB_CFLAGS=-fPIC}
+		: ${SHLIB_LD="${CC} -shared"' -Wl,-soname,${LIB}'}
+		: ${SHLIB_RPATH='-Wl,-rpath,${SHLIB_DIR}'}
+		: ${SHLIB_ENV="LD_LIBRARY_PATH=`pwd`/lib"}
+		: ${PLUGIN_LD="${CC} -shared"}
+		;;
   ekkoBSD.1*)	SYSTYPE=EKKOBSD1
 		;;
    NetBSD.1*)	SYSTYPE=NETBSD1
@@ -755,7 +764,7 @@ esac
 # Look for the ICU library and enable unicode email if available.
 #
 case "$CCARGS" in
-*-DNO_EAI*) ;;
+*-DNO_EAI*) CCARGS="$CCARGS "'-DDEF_SMTPUTF8_ENABLE=\"no\"';;
 	 *) icu_cppflags=`(icu-config --cppflags) 2>/dev/null` && {
 		icu_ldflags=`(icu-config --ldflags) 2>/dev/null` && {
 		    trap 'rm -f makedefs.test makedefs.test.[co]' 1 2 3 15
@@ -789,7 +798,7 @@ EOF
 		    fi
 		    rm -f makedefs.test makedefs.test.[co]
 		}
-	    } || CCARGS="$CCARGS -DNO_EAI"
+	    } || CCARGS="$CCARGS -DNO_EAI"'-DDEF_SMTPUTF8_ENABLE=\"no\"'
 esac
 
 #
diff --git a/postfix/man/man1/postconf.1 b/postfix/man/man1/postconf.1
index daeb03260..42d5af64b 100644
--- a/postfix/man/man1/postconf.1
+++ b/postfix/man/man1/postconf.1
@@ -247,9 +247,13 @@ with support for Berkeley DB databases.
 .IP \fBcdb\fR
 A read\-optimized structure with no support for incremental
 updates.  Available on systems with support for CDB databases.
+
+This feature is available with Postfix 2.2 and later.
 .IP \fBcidr\fR
 A table that associates values with Classless Inter\-Domain
 Routing (CIDR) patterns. This is described in \fBcidr_table\fR(5).
+
+This feature is available with Postfix 2.2 and later.
 .IP \fBdbm\fR
 An indexed file type based on hashing.  Available on systems
 with support for DBM databases.
@@ -261,6 +265,8 @@ may find this useful someday.
 A table that reliably fails all requests. The lookup table
 name is used for logging. This table exists to simplify
 Postfix error tests.
+
+This feature is available with Postfix 2.9 and later.
 .IP \fBhash\fR
 An indexed file type based on hashing.  Available on systems
 with support for Berkeley DB databases.
@@ -272,6 +278,8 @@ whitespace or comma; whitespace after "\fB{\fR" and before "\fB}\fR"
 is ignored. Inline tables eliminate the need to create a
 database file for just a few fixed elements.  See also the
 \fIstatic:\fR map type.
+
+This feature is available with Postfix 3.0 and later.
 .IP \fBinternal\fR
 A non\-shared, in\-memory hash table. Its content are lost
 when a process terminates.
@@ -279,11 +287,15 @@ when a process terminates.
 OpenLDAP LMDB database (a memory\-mapped, persistent file).
 Available on systems with support for LMDB databases.  This
 is described in \fBlmdb_table\fR(5).
+
+This feature is available with Postfix 2.11 and later.
 .IP "\fBldap\fR (read\-only)"
 LDAP database client. This is described in \fBldap_table\fR(5).
 .IP "\fBmemcache\fR"
 Memcache database client. This is described in
 \fBmemcache_table\fR(5).
+
+This feature is available with Postfix 2.9 and later.
 .IP "\fBmysql\fR (read\-only)"
 MySQL database client.  Available on systems with support
 for MySQL databases.  This is described in \fBmysql_table\fR(5).
@@ -293,6 +305,8 @@ The file format is described in \fBpcre_table\fR(5).
 .IP "\fBpgsql\fR (read\-only)"
 PostgreSQL database client. This is described in
 \fBpgsql_table\fR(5).
+
+This feature is available with Postfix 2.1 and later.
 .IP "\fBpipemap\fR (read\-only)"
 A lookup table that constructs a pipeline of tables.  Example:
 "\fBpipemap:{\fItype_1:name_1,  ..., type_n:name_n\fB}\fR".
@@ -304,9 +318,13 @@ produces no result. The first and last characters of the
 "pipemap:" table name must be "\fB{\fR" and "\fB}\fR".
 Within these, individual maps are separated with comma or
 whitespace.
+
+This feature is available with Postfix 3.0 and later.
 .IP "\fBproxy\fR"
 Postfix \fBproxymap\fR(8) client for shared access to Postfix
 databases. The table name syntax is \fItype\fB:\fIname\fR.
+
+This feature is available with Postfix 2.0 and later.
 .IP "\fBrandmap\fR (read\-only)"
 An in\-memory table that performs random selection. Example:
 "\fBrandmap:{\fIresult_1, ..., result_n\fB}\fR". Each table query
@@ -315,19 +333,27 @@ and last characters of the "randmap:" table name must be
 "\fB{\fR" and "\fB}\fR".  Within these, individual results
 are separated with comma or whitespace. To give a specific
 result more weight, specify it multiple times.
+
+This feature is available with Postfix 3.0 and later.
 .IP "\fBregexp\fR (read\-only)"
 A lookup table based on regular expressions. The file format
 is described in \fBregexp_table\fR(5).
 .IP \fBsdbm\fR
 An indexed file type based on hashing.  Available on systems
 with support for SDBM databases.
+
+This feature is available with Postfix 2.2 and later.
 .IP "\fBsocketmap\fR (read\-only)"
 Sendmail\-style socketmap client. The table name is
 \fBinet\fR:\fIhost\fR:\fIport\fR:\fIname\fR for a TCP/IP
 server, or \fBunix\fR:\fIpathname\fR:\fIname\fR for a
 UNIX\-domain server. This is described in \fBsocketmap_table\fR(5).
+
+This feature is available with Postfix 2.10 and later.
 .IP "\fBsqlite\fR (read\-only)"
 SQLite database. This is described in \fBsqlite_table\fR(5).
+
+This feature is available with Postfix 2.8 and later.
 .IP "\fBstatic\fR (read\-only)"
 A table that always returns its name as lookup result. For
 example, \fBstatic:foobar\fR always returns the string
@@ -335,6 +361,9 @@ example, \fBstatic:foobar\fR always returns the string
 with whitespace\fB }\fR" when the result contains whitespace;
 this form ignores whitespace after "\fB{\fR" and before
 "\fB}\fR". See also the \fIinline:\fR map.
+
+The form "\fBstatic:{\fItext\fB}\fR is available with Postfix
+3.0 and later.
 .IP "\fBtcp\fR (read\-only)"
 TCP/IP client. The protocol is described in \fBtcp_table\fR(5).
 .IP "\fBtexthash\fR (read\-only)"
@@ -342,10 +371,14 @@ Produces similar results as hash: files, except that you
 don't need to run the \fBpostmap\fR(1) command before you
 can use the file, and that it does not detect changes after
 the file is read.
+
+This feature is available with Postfix 2.8 and later.
 .IP "\fBunionmap\fR (read\-only)"
 A table that sends each query to multiple lookup tables and
 that concatenates all found results, separated by comma.
 The table name syntax is the same as for \fBpipemap\fR.
+
+This feature is available with Postfix 3.0 and later.
 .IP "\fBunix\fR (read\-only)"
 A limited view of the UNIX authentication database. The
 following tables are implemented:
@@ -528,9 +561,9 @@ Pathname of a configuration file with bounce message templates.
 .SH "SEE ALSO"
 .na
 .nf
-bounce(5), bounce template file format master(5), master.cf
-configuration file syntax postconf(5), main.cf configuration
-file syntax
+bounce(5), bounce template file format
+master(5), master.cf configuration file syntax
+postconf(5), main.cf configuration file syntax
 .SH "README FILES"
 .na
 .nf
diff --git a/postfix/man/man5/header_checks.5 b/postfix/man/man5/header_checks.5
index e3d1c24cb..68b452ffa 100644
--- a/postfix/man/man5/header_checks.5
+++ b/postfix/man/man5/header_checks.5
@@ -443,7 +443,7 @@ sub\-expressions is to recognize Windows CLSID strings.
     header_checks = pcre:/etc/postfix/header_checks.pcre
 
 /etc/postfix/header_checks.pcre:
-    /^Content\-(Disposition|Type).*name\es*=\es*"?(.*(\e.|=2E)(
+    /^Content\-(Disposition|Type).*name\es*=\es*"?([^;]*(\e.|=2E)(
       ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
       hlp|ht[at]|
       inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
diff --git a/postfix/man/man8/postscreen.8 b/postfix/man/man8/postscreen.8
index 020529481..8d43d953e 100644
--- a/postfix/man/man8/postscreen.8
+++ b/postfix/man/man8/postscreen.8
@@ -22,9 +22,9 @@ delays the onset of server overload conditions.
 
 This program should not be used on SMTP ports that receive
 mail from end\-user clients (MUAs). In a typical deployment,
-\fBpostscreen\fR(8) handles the MX service on TCP port 25,
-while MUA clients submit mail via the \fBsubmission\fR
-service on TCP port 587 which requires client authentication.
+\fBpostscreen\fR(8) handles the MX service on TCP port 25, and
+\fBsmtpd\fR(8) receives mail from MUAs on the \fBsubmission\fR
+service (TCP port 587) which requires client authentication.
 Alternatively, a site could set up a dedicated, non\-postscreen,
 "port 25" server that provides \fBsubmission\fR service and
 client authentication, but no MX service.
@@ -87,22 +87,14 @@ currently does not announce support for AUTH, XCLIENT or
 XFORWARD.
 If you need to make these services available
 on port 25, then do not enable the optional "after 220
-server greeting" tests, and do not use DNSBLs that reject
-traffic from dial\-up and residential networks.
+server greeting" tests.
 
-The optional "after 220 server greeting" tests involve
-\fBpostscreen\fR(8)'s built\-in SMTP protocol engine. When
-these tests succeed, \fBpostscreen\fR(8) adds the client
-to the temporary whitelist, but it cannot not hand off the
-"live" connection to a Postfix SMTP server process in the
-middle of a session.  Instead, \fBpostscreen\fR(8) defers
-attempts to deliver mail with a 4XX status, and waits for
-the client to disconnect.  When the client connects again,
-\fBpostscreen\fR(8) will allow the client to talk to a
-Postfix SMTP server process (provided that the whitelist
-status has not expired).  \fBpostscreen\fR(8) mitigates
-the impact of this limitation by giving the "after 220
-server greeting" tests a long expiration time.
+The optional "after 220 server greeting" tests may result in
+unexpected delivery delays from senders that retry email delivery
+from a different IP address.  Reason: after passing these tests a
+new client must disconnect, and reconnect from the same IP
+address before it can deliver mail. See POSTSCREEN_README, section
+"Tests after the 220 SMTP server greeting", for a discussion.
 .SH "CONFIGURATION PARAMETERS"
 .na
 .nf
@@ -430,9 +422,9 @@ POSTSCREEN_README, Postfix Postscreen Howto
 .ad
 .fi
 The Secure Mailer license must be distributed with this software.
-.SH "HISTORY"
-.na
-.nf
+.SH HISTORY
+.ad
+.fi
 .ad
 .fi
 This service was introduced with Postfix version 2.8.
diff --git a/postfix/proto/header_checks b/postfix/proto/header_checks
index d0b802dba..e78ea0815 100644
--- a/postfix/proto/header_checks
+++ b/postfix/proto/header_checks
@@ -442,7 +442,7 @@
 #	    header_checks = pcre:/etc/postfix/header_checks.pcre
 #
 #	/etc/postfix/header_checks.pcre:
-#	    /^Content-(Disposition|Type).*name\es*=\es*"?(.*(\e.|=2E)(
+#	    /^Content-(Disposition|Type).*name\es*=\es*"?([^;]*(\e.|=2E)(
 #	      ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
 #	      hlp|ht[at]|
 #	      inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
diff --git a/postfix/src/cleanup/cleanup_addr.c b/postfix/src/cleanup/cleanup_addr.c
index 1bcec766c..b6396ada8 100644
--- a/postfix/src/cleanup/cleanup_addr.c
+++ b/postfix/src/cleanup/cleanup_addr.c
@@ -156,7 +156,7 @@ off_t   cleanup_addr_sender(CLEANUP_STATE *state, const char *buf)
     /* Fix 20160310: Moved from cleanup_envelope.c. */
     if (state->milters || cleanup_milters) {
 	/* Make room to replace sender. */
-	if ((len = strlen(state->sender)) < REC_TYPE_PTR_PAYL_SIZE)
+	if ((len = LEN(clean_addr)) < REC_TYPE_PTR_PAYL_SIZE)
 	    rec_pad(state->dst, REC_TYPE_PTR, REC_TYPE_PTR_PAYL_SIZE - len);
 	/* Remember the after-sender record offset. */
 	if ((after_sender_offs = vstream_ftell(state->dst)) < 0)
diff --git a/postfix/src/dns/dns_str_resflags.c b/postfix/src/dns/dns_str_resflags.c
index 4885dfe34..5f2cce5e0 100644
--- a/postfix/src/dns/dns_str_resflags.c
+++ b/postfix/src/dns/dns_str_resflags.c
@@ -64,8 +64,12 @@ static const LONG_NAME_MASK resflag_table[] = {
     "RES_INSECURE2", RES_INSECURE2,
     "RES_NOALIASES", RES_NOALIASES,
     "RES_USE_INET6", RES_USE_INET6,
+#ifdef RES_ROTATE
     "RES_ROTATE", RES_ROTATE,
+#endif
+#ifdef RES_NOCHECKNAME
     "RES_NOCHECKNAME", RES_NOCHECKNAME,
+#endif
     "RES_USE_EDNS0", RES_USE_EDNS0,
     "RES_USE_DNSSEC", RES_USE_DNSSEC,
 #ifdef RES_KEEPTSIG
diff --git a/postfix/src/global/mail_error.c b/postfix/src/global/mail_error.c
index 0a239b816..e042f4ecd 100644
--- a/postfix/src/global/mail_error.c
+++ b/postfix/src/global/mail_error.c
@@ -21,7 +21,7 @@
 /*	does not exist, and so on.
 /* .IP "2bounce (MAIL_ERROR_2BOUNCE)"
 /*	A bounce message could not be delivered.
-/* .IP "dat (MAIL_ERROR_DATA)"
+/* .IP "data (MAIL_ERROR_DATA)"
 /*	A message could not be delivered because a critical data
 /*	file was unavailable.
 /* .IP "policy (MAIL_ERROR_POLICY)"
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index a9e48b319..8f56c64b5 100644
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@@ -3931,8 +3931,10 @@ extern char *var_meta_dir;
   * SMTPUTF8 support.
   */
 #define VAR_SMTPUTF8_ENABLE		"smtputf8_enable"
+#ifndef DEF_SMTPUTF8_ENABLE
 #define DEF_SMTPUTF8_ENABLE		"${{$compatibility_level} < {1} ? " \
 					"{no} : {yes}}"
+#endif
 extern int var_smtputf8_enable;
 
 #define VAR_STRICT_SMTPUTF8		"strict_smtputf8"
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index f99b12cd2..a749bf2f9 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20160327"
+#define MAIL_RELEASE_DATE	"20160515"
 #define MAIL_VERSION_NUMBER	"3.2"
 
 #ifdef SNAPSHOT
diff --git a/postfix/src/global/smtp_reply_footer.c b/postfix/src/global/smtp_reply_footer.c
index ad41a7793..6e5bb75d9 100644
--- a/postfix/src/global/smtp_reply_footer.c
+++ b/postfix/src/global/smtp_reply_footer.c
@@ -257,7 +257,7 @@ static const char *lookup(const char *name, int unused_mode, void *context)
 
 int     main(int argc, char **argv)
 {
-    struct test_case *tp;
+    const struct test_case *tp;
     int     status;
     VSTRING *buf = vstring_alloc(10);
     void   *context = 0;
diff --git a/postfix/src/postconf/postconf.c b/postfix/src/postconf/postconf.c
index 34800d0e3..96bccbefd 100644
--- a/postfix/src/postconf/postconf.c
+++ b/postfix/src/postconf/postconf.c
@@ -241,9 +241,13 @@
 /* .IP \fBcdb\fR
 /*	A read-optimized structure with no support for incremental
 /*	updates.  Available on systems with support for CDB databases.
+/*
+/*	This feature is available with Postfix 2.2 and later.
 /* .IP \fBcidr\fR
 /*	A table that associates values with Classless Inter-Domain
 /*	Routing (CIDR) patterns. This is described in \fBcidr_table\fR(5).
+/*
+/*	This feature is available with Postfix 2.2 and later.
 /* .IP \fBdbm\fR
 /*	An indexed file type based on hashing.  Available on systems
 /*	with support for DBM databases.
@@ -255,6 +259,8 @@
 /*	A table that reliably fails all requests. The lookup table
 /*	name is used for logging. This table exists to simplify
 /*	Postfix error tests.
+/*
+/*	This feature is available with Postfix 2.9 and later.
 /* .IP \fBhash\fR
 /*	An indexed file type based on hashing.  Available on systems
 /*	with support for Berkeley DB databases.
@@ -266,6 +272,8 @@
 /*	is ignored. Inline tables eliminate the need to create a
 /*	database file for just a few fixed elements.  See also the
 /*	\fIstatic:\fR map type.
+/*
+/*	This feature is available with Postfix 3.0 and later.
 /* .IP \fBinternal\fR
 /*	A non-shared, in-memory hash table. Its content are lost
 /*	when a process terminates.
@@ -273,11 +281,15 @@
 /*	OpenLDAP LMDB database (a memory-mapped, persistent file).
 /*	Available on systems with support for LMDB databases.  This
 /*	is described in \fBlmdb_table\fR(5).
+/*
+/*	This feature is available with Postfix 2.11 and later.
 /* .IP "\fBldap\fR (read-only)"
 /*	LDAP database client. This is described in \fBldap_table\fR(5).
 /* .IP "\fBmemcache\fR"
 /*	Memcache database client. This is described in
 /*	\fBmemcache_table\fR(5).
+/*
+/*	This feature is available with Postfix 2.9 and later.
 /* .IP "\fBmysql\fR (read-only)"
 /*	MySQL database client.  Available on systems with support
 /*	for MySQL databases.  This is described in \fBmysql_table\fR(5).
@@ -287,6 +299,8 @@
 /* .IP "\fBpgsql\fR (read-only)"
 /*	PostgreSQL database client. This is described in
 /*	\fBpgsql_table\fR(5).
+/*
+/*	This feature is available with Postfix 2.1 and later.
 /* .IP "\fBpipemap\fR (read-only)"
 /*	A lookup table that constructs a pipeline of tables.  Example:
 /*	"\fBpipemap:{\fItype_1:name_1,  ..., type_n:name_n\fB}\fR".
@@ -298,9 +312,13 @@
 /*	"pipemap:" table name must be "\fB{\fR" and "\fB}\fR".
 /*	Within these, individual maps are separated with comma or
 /*	whitespace.
+/*
+/*	This feature is available with Postfix 3.0 and later.
 /* .IP "\fBproxy\fR"
 /*	Postfix \fBproxymap\fR(8) client for shared access to Postfix
 /*	databases. The table name syntax is \fItype\fB:\fIname\fR.
+/*
+/*	This feature is available with Postfix 2.0 and later.
 /* .IP "\fBrandmap\fR (read-only)"
 /*	An in-memory table that performs random selection. Example:
 /*	"\fBrandmap:{\fIresult_1, ..., result_n\fB}\fR". Each table query
@@ -309,19 +327,27 @@
 /*	"\fB{\fR" and "\fB}\fR".  Within these, individual results
 /*	are separated with comma or whitespace. To give a specific
 /*	result more weight, specify it multiple times.
+/*
+/*	This feature is available with Postfix 3.0 and later.
 /* .IP "\fBregexp\fR (read-only)"
 /*	A lookup table based on regular expressions. The file format
 /*	is described in \fBregexp_table\fR(5).
 /* .IP \fBsdbm\fR
 /*	An indexed file type based on hashing.  Available on systems
 /*	with support for SDBM databases.
+/*
+/*	This feature is available with Postfix 2.2 and later.
 /* .IP "\fBsocketmap\fR (read-only)"
 /*	Sendmail-style socketmap client. The table name is
 /*	\fBinet\fR:\fIhost\fR:\fIport\fR:\fIname\fR for a TCP/IP
 /*	server, or \fBunix\fR:\fIpathname\fR:\fIname\fR for a
 /*	UNIX-domain server. This is described in \fBsocketmap_table\fR(5).
+/*
+/*	This feature is available with Postfix 2.10 and later.
 /* .IP "\fBsqlite\fR (read-only)"
 /*	SQLite database. This is described in \fBsqlite_table\fR(5).
+/*
+/*	This feature is available with Postfix 2.8 and later.
 /* .IP "\fBstatic\fR (read-only)"
 /*	A table that always returns its name as lookup result. For
 /*	example, \fBstatic:foobar\fR always returns the string
@@ -329,6 +355,9 @@
 /*	with whitespace\fB }\fR" when the result contains whitespace;
 /*	this form ignores whitespace after "\fB{\fR" and before
 /*	"\fB}\fR". See also the \fIinline:\fR map.
+/*
+/*	The form "\fBstatic:{\fItext\fB}\fR is available with Postfix
+/*	3.0 and later.
 /* .IP "\fBtcp\fR (read-only)"
 /*	TCP/IP client. The protocol is described in \fBtcp_table\fR(5).
 /* .IP "\fBtexthash\fR (read-only)"
@@ -336,10 +365,14 @@
 /*	don't need to run the \fBpostmap\fR(1) command before you
 /*	can use the file, and that it does not detect changes after
 /*	the file is read.
+/*
+/*	This feature is available with Postfix 2.8 and later.
 /* .IP "\fBunionmap\fR (read-only)"
 /*	A table that sends each query to multiple lookup tables and
 /*	that concatenates all found results, separated by comma.
 /*	The table name syntax is the same as for \fBpipemap\fR.
+/*
+/*	This feature is available with Postfix 3.0 and later.
 /* .IP "\fBunix\fR (read-only)"
 /*	A limited view of the UNIX authentication database. The
 /*	following tables are implemented:
@@ -512,9 +545,9 @@
 /*	/etc/postfix/main.cf, Postfix configuration parameters
 /*	/etc/postfix/master.cf, Postfix master daemon configuration
 /* SEE ALSO
-/*	bounce(5), bounce template file format master(5), master.cf
-/*	configuration file syntax postconf(5), main.cf configuration
-/*	file syntax
+/*	bounce(5), bounce template file format
+/*	master(5), master.cf configuration file syntax
+/*	postconf(5), main.cf configuration file syntax
 /* README FILES
 /* .ad
 /* .fi
diff --git a/postfix/src/postscreen/postscreen.c b/postfix/src/postscreen/postscreen.c
index 3eca2d44d..188d28423 100644
--- a/postfix/src/postscreen/postscreen.c
+++ b/postfix/src/postscreen/postscreen.c
@@ -16,9 +16,9 @@
 /*
 /*	This program should not be used on SMTP ports that receive
 /*	mail from end-user clients (MUAs). In a typical deployment,
-/*	\fBpostscreen\fR(8) handles the MX service on TCP port 25,
-/*	while MUA clients submit mail via the \fBsubmission\fR
-/*	service on TCP port 587 which requires client authentication.
+/*	\fBpostscreen\fR(8) handles the MX service on TCP port 25, and
+/*	\fBsmtpd\fR(8) receives mail from MUAs on the \fBsubmission\fR
+/*	service (TCP port 587) which requires client authentication.
 /*	Alternatively, a site could set up a dedicated, non-postscreen,
 /*	"port 25" server that provides \fBsubmission\fR service and
 /*	client authentication, but no MX service.
@@ -73,22 +73,14 @@
 /*	XFORWARD.
 /*	If you need to make these services available
 /*	on port 25, then do not enable the optional "after 220
-/*	server greeting" tests, and do not use DNSBLs that reject
-/*	traffic from dial-up and residential networks.
+/*	server greeting" tests.
 /*
-/*	The optional "after 220 server greeting" tests involve
-/*	\fBpostscreen\fR(8)'s built-in SMTP protocol engine. When
-/*	these tests succeed, \fBpostscreen\fR(8) adds the client
-/*	to the temporary whitelist, but it cannot not hand off the
-/*	"live" connection to a Postfix SMTP server process in the
-/*	middle of a session.  Instead, \fBpostscreen\fR(8) defers
-/*	attempts to deliver mail with a 4XX status, and waits for
-/*	the client to disconnect.  When the client connects again,
-/*	\fBpostscreen\fR(8) will allow the client to talk to a
-/*	Postfix SMTP server process (provided that the whitelist
-/*	status has not expired).  \fBpostscreen\fR(8) mitigates
-/*	the impact of this limitation by giving the "after 220
-/*	server greeting" tests a long expiration time.
+/*	The optional "after 220 server greeting" tests may result in
+/*	unexpected delivery delays from senders that retry email delivery
+/*	from a different IP address.  Reason: after passing these tests a
+/*	new client must disconnect, and reconnect from the same IP
+/*	address before it can deliver mail. See POSTSCREEN_README, section
+/*	"Tests after the 220 SMTP server greeting", for a discussion.
 /* CONFIGURATION PARAMETERS
 /* .ad
 /* .fi
diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c
index 830a7311d..db583fbeb 100644
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@@ -989,10 +989,11 @@ static int smtpd_check_reject(SMTPD_STATE *state, int error_class,
 
     /*
      * Do not reject mail if we were asked to warn only. However,
-     * configuration errors cannot be converted into warnings.
+     * configuration/software/data errors cannot be converted into warnings.
      */
     if (state->warn_if_reject && error_class != MAIL_ERROR_SOFTWARE
-	&& error_class != MAIL_ERROR_RESOURCE) {
+	&& error_class != MAIL_ERROR_RESOURCE
+	&& error_class != MAIL_ERROR_DATA) {
 	warn_if_reject = 1;
 	whatsup = "reject_warning";
     } else {
diff --git a/postfix/src/util/sys_defs.h b/postfix/src/util/sys_defs.h
index 20cd9c9f0..e3b4f8a59 100644
--- a/postfix/src/util/sys_defs.h
+++ b/postfix/src/util/sys_defs.h
@@ -29,7 +29,7 @@
     || defined(FREEBSD8) || defined(FREEBSD9) || defined(FREEBSD10) \
     || defined(BSDI2) || defined(BSDI3) || defined(BSDI4) \
     || defined(OPENBSD2) || defined(OPENBSD3) || defined(OPENBSD4) \
-    || defined(OPENBSD5) \
+    || defined(OPENBSD5) || defined(OPENBSD6) \
     || defined(NETBSD1) || defined(NETBSD2) || defined(NETBSD3) \
     || defined(NETBSD4) || defined(NETBSD5) || defined(NETBSD6) \
     || defined(NETBSD7) \
diff --git a/postfix/src/xsasl/xsasl_cyrus_server.c b/postfix/src/xsasl/xsasl_cyrus_server.c
index 95c470d32..70e7a9d68 100644
--- a/postfix/src/xsasl/xsasl_cyrus_server.c
+++ b/postfix/src/xsasl/xsasl_cyrus_server.c
@@ -480,6 +480,8 @@ static int xsasl_cyrus_server_auth_response(int sasl_status,
 	    sasl_status = SASL_BADAUTH;
 	vstring_strcpy(reply, xsasl_cyrus_strerror(sasl_status));
 	switch (sasl_status) {
+	case SASL_FAIL:
+	case SASL_NOMEM:
 	case SASL_TRYAGAIN:
 	case SASL_UNAVAIL:
 	    return XSASL_AUTH_TEMP;