Prereq: "2.4.3"
diff -cr --new-file /var/tmp/postfix-2.4.3/src/global/mail_version.h ./src/global/mail_version.h
*** /var/tmp/postfix-2.4.3/src/global/mail_version.h	Thu May 31 14:20:10 2007
--- ./src/global/mail_version.h	Tue Jul 31 12:46:23 2007
***************
*** 20,27 ****
    * Patches change both the patchlevel and the release date. Snapshots have no
    * patchlevel; they change the release date only.
    */
! #define MAIL_RELEASE_DATE	"20070531"
! #define MAIL_VERSION_NUMBER	"2.4.3"
  
  #ifdef SNAPSHOT
  # define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
--- 20,27 ----
    * Patches change both the patchlevel and the release date. Snapshots have no
    * patchlevel; they change the release date only.
    */
! #define MAIL_RELEASE_DATE	"20070731"
! #define MAIL_VERSION_NUMBER	"2.4.4"
  
  #ifdef SNAPSHOT
  # define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
diff -cr --new-file /var/tmp/postfix-2.4.3/HISTORY ./HISTORY
*** /var/tmp/postfix-2.4.3/HISTORY	Thu May 31 11:19:10 2007
--- ./HISTORY	Tue Jul 31 10:20:34 2007
***************
*** 13481,13483 ****
--- 13481,13536 ----
  	Portability: Victor helpfully pointed out that change
  	20070425 broke on non-IPv6 systems. Files: smtpd/smtpd_peer.c,
  	qmqpd/qmqpd_peer.c.
+ 
+ 20070613
+ 
+ 	Bugfix: the Milter client assumed that a Milter application
+ 	does not modify the message header or envelope, after that
+ 	same Milter application has modified the message body of
+ 	that same email message. This is not a problem with updates
+ 	by different Milter applications.  Problem was triggered
+ 	by Jose-Marcio Martins da Cruz. Also simplified the handling
+ 	of queue file update errors. File: milter/milter8.c.
+ 
+ 20070614
+ 
+ 	Workaround: some non-Cyrus SASL SMTP servers require SASL
+ 	login without authzid (authoriZation ID), i.e. the client
+ 	must send only the authcid (authentiCation ID) + the authcid's
+ 	password.  In this case the server is supposed to derive
+ 	the authzid from the authcid. This works as expected when
+ 	authenticating to a Cyrus SASL SMTP server.  To get the old
+ 	behavior specify "send_cyrus_sasl_authzid = yes", in which
+ 	case Postfix sends the (authzid, authcid, password), with
+ 	the authzid equal to the authcid. File: xsasl/xsasl_cyrus_client.c.
+ 
+ 20070619
+ 
+ 	Portability: /dev/poll support for Solaris chroot jail setup
+ 	scripts. Files: examples/chroot-setup/Solaris8,
+ 	examples/chroot-setup/Solaris10.
+ 
+ 20070719
+ 
+ 	Cleanup: Milter client error handling, so that the (Postfix
+ 	SMTP server's Milter client) does not get out of sync with
+ 	Milter applications after the (cleanup server's Milter
+ 	client) encounters some non-recoverable problem.  Files:
+ 	milter/milter8.c, smtpd/smtpd.c.
+ 
+ 20070729
+ 
+ 	Performance: workaround for poor TCP performance on loopback
+ 	(127.0.0.1) connections. Problem reported by Mark Martinec.
+ 	Files: util/vstream_tweak.c, milter/milter8.c, smtp/smtp_connect.c,
+ 	smtpstone/*source.c.
+ 
+ 20070730
+ 
+ 	Bugfix: when a milter replied with ACCEPT at or before the
+ 	first RCPT command, the cleanup server would apply the
+ 	non_smtpd_milters setting as if the message was a local
+ 	submission. Problem reported by Jukka Salmi. Also, the
+ 	cleanup server would get out of sync with the milter when
+ 	a milter replied with ACCEPT at the DATA command. Files:
+ 	cleanup/cleanup_envelope.c, smtpd/smtpd.c, milter/milters.c.
diff -cr --new-file /var/tmp/postfix-2.4.3/README_FILES/RELEASE_NOTES ./README_FILES/RELEASE_NOTES
*** /var/tmp/postfix-2.4.3/README_FILES/RELEASE_NOTES	Wed Mar 28 14:18:39 2007
--- ./README_FILES/RELEASE_NOTES	Fri Jul 20 11:27:38 2007
***************
*** 11,16 ****
--- 11,30 ----
  The mail_release_date configuration parameter (format: yyyymmdd)
  specifies the release date of a stable release or snapshot release.
  
+ Incompatibility with Postfix 2.4.4
+ ==================================
+ 
+ By default, the Postfix Cyrus SASL client no longer sends a SASL
+ authoriZation ID (authzid); it sends only the SASL authentiCation
+ ID (authcid) plus the authcid's password. Specify "send_cyrus_sasl_authzid
+ = yes" to get the old behavior, which is to send the (authzid,
+ authcid, password), with the authzid equal to the authcid. This
+ workaround for non-Cyrus SASL servers is back-ported from Postfix
+ 2.5.
+ 
+ Release notes for Postfix 2.4.0
+ ===============================
+ 
  Major changes - critical
  ------------------------
  
diff -cr --new-file /var/tmp/postfix-2.4.3/README_FILES/SASL_README ./README_FILES/SASL_README
*** /var/tmp/postfix-2.4.3/README_FILES/SASL_README	Tue Mar 13 19:53:54 2007
--- ./README_FILES/SASL_README	Tue Jul 10 13:36:34 2007
***************
*** 356,375 ****
      250-ETRN
      250-AUTH DIGEST-MD5 PLAIN CRAM-MD5
      250 8BITMIME
!     AAUUTTHH PPLLAAIINN ddGGVVzzddAABB00ZZXXNN00AAHHRRllcc33RRwwYYXXNNzz
      235 Authentication successful
  
! Instead of dGVzdAB0ZXN0AHRlc3RwYXNz, specify the base64 encoded form of
! username\0username\0password (the \0 is a null byte). The example above is for
! a user named `test' with password `testpass'.
  
  In order to generate base64 encoded authentication information you can use one
  of the following commands:
  
!     % printf 'username\0username\0password' | mmencode
  
      % perl -MMIME::Base64 -e \
!         'print encode_base64("username\0username\0password");'
  
  The mmencode command is part of the metamail software. MIME::Base64 is
  available from http://www.cpan.org/.
--- 356,375 ----
      250-ETRN
      250-AUTH DIGEST-MD5 PLAIN CRAM-MD5
      250 8BITMIME
!     AAUUTTHH PPLLAAIINN AAHHRRllcc33QQAAddGGVVzzddHHBBhhcc33MM==
      235 Authentication successful
  
! Instead of AHRlc3QAdGVzdHBhc3M=, specify the base64 encoded form of
! \0username\0password (the \0 is a null byte). The example above is for a user
! named `test' with password `testpass'.
  
  In order to generate base64 encoded authentication information you can use one
  of the following commands:
  
!     % printf '\0username\0password' | mmencode
  
      % perl -MMIME::Base64 -e \
!         'print encode_base64("\0username\0password");'
  
  The mmencode command is part of the metamail software. MIME::Base64 is
  available from http://www.cpan.org/.
diff -cr --new-file /var/tmp/postfix-2.4.3/RELEASE_NOTES ./RELEASE_NOTES
*** /var/tmp/postfix-2.4.3/RELEASE_NOTES	Wed Mar 28 14:18:39 2007
--- ./RELEASE_NOTES	Fri Jul 20 11:27:38 2007
***************
*** 11,16 ****
--- 11,30 ----
  The mail_release_date configuration parameter (format: yyyymmdd)
  specifies the release date of a stable release or snapshot release.
  
+ Incompatibility with Postfix 2.4.4
+ ==================================
+ 
+ By default, the Postfix Cyrus SASL client no longer sends a SASL
+ authoriZation ID (authzid); it sends only the SASL authentiCation
+ ID (authcid) plus the authcid's password. Specify "send_cyrus_sasl_authzid
+ = yes" to get the old behavior, which is to send the (authzid,
+ authcid, password), with the authzid equal to the authcid. This
+ workaround for non-Cyrus SASL servers is back-ported from Postfix
+ 2.5.
+ 
+ Release notes for Postfix 2.4.0
+ ===============================
+ 
  Major changes - critical
  ------------------------
  
diff -cr --new-file /var/tmp/postfix-2.4.3/examples/chroot-setup/Solaris10 ./examples/chroot-setup/Solaris10
*** /var/tmp/postfix-2.4.3/examples/chroot-setup/Solaris10	Sun Dec 12 10:34:18 2004
--- ./examples/chroot-setup/Solaris10	Tue Jun 19 06:19:55 2007
***************
*** 61,66 ****
--- 61,67 ----
  /dev/tcp6
  /dev/udp
  /dev/tcp
+ /dev/poll
  /dev/rawip
  /dev/ticlts
  /dev/ticotsord
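Review bot: The `/dev/poll` entry added to this device list has no comment saying why the jail needs it, and the same goes for `/devices/pseudo/poll@0:poll` in the next hunk and for both hunks of examples/chroot-setup/Solaris8. Each device node copied into the chroot is one more thing a confined daemon can open, so whoever later audits or trims the list should be able to see which entries are required. HISTORY only says "/dev/poll support"; presumably the node is needed by Postfix's /dev/poll-based event handling on Solaris, and a line such as `# /dev/poll: required by the Postfix event loop on Solaris (see HISTORY 20070619)` would record that. The construct that holds the list starts and ends outside the hunk, so the comment may have to sit before it rather than between entries.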
***************
*** 71,76 ****
--- 72,78 ----
  /devices/pseudo/tcp6@0:tcp6
  /devices/pseudo/udp@0:udp
  /devices/pseudo/tcp@0:tcp
+ /devices/pseudo/poll@0:poll
  /devices/pseudo/icmp@0:icmp
  /devices/pseudo/tl@0:ticlts
  /devices/pseudo/tl@0:ticotsord
diff -cr --new-file /var/tmp/postfix-2.4.3/examples/chroot-setup/Solaris8 ./examples/chroot-setup/Solaris8
*** /var/tmp/postfix-2.4.3/examples/chroot-setup/Solaris8	Fri May 20 04:49:37 2005
--- ./examples/chroot-setup/Solaris8	Tue Jun 19 06:19:55 2007
***************
*** 61,66 ****
--- 61,67 ----
  /dev/tcp6
  /dev/udp
  /dev/tcp
+ /dev/poll
  /dev/rawip
  /dev/ticlts
  /dev/ticotsord
***************
*** 71,76 ****
--- 72,78 ----
  /devices/pseudo/tcp6@0:tcp6
  /devices/pseudo/udp@0:udp
  /devices/pseudo/tcp@0:tcp
+ /devices/pseudo/poll@0:poll
  /devices/pseudo/icmp@0:icmp
  /devices/pseudo/tl@0:ticlts
  /devices/pseudo/tl@0:ticotsord
diff -cr --new-file /var/tmp/postfix-2.4.3/html/SASL_README.html ./html/SASL_README.html
*** /var/tmp/postfix-2.4.3/html/SASL_README.html	Tue Mar 13 19:53:54 2007
--- ./html/SASL_README.html	Tue Jul 10 13:36:32 2007
***************
*** 537,549 ****
  250-ETRN
  250-AUTH DIGEST-MD5 PLAIN CRAM-MD5
  250 8BITMIME
! <b>AUTH PLAIN dGVzdAB0ZXN0AHRlc3RwYXNz</b>
  235 Authentication successful
  </pre>
  </blockquote>
  
! <p> Instead of dGVzdAB0ZXN0AHRlc3RwYXNz, specify the base64 encoded
! form of username\0username\0password (the \0 is a null byte). The
  example above is for a user named `test' with password `testpass'.
  </p>
  
--- 537,549 ----
  250-ETRN
  250-AUTH DIGEST-MD5 PLAIN CRAM-MD5
  250 8BITMIME
! <b>AUTH PLAIN AHRlc3QAdGVzdHBhc3M=</b>
  235 Authentication successful
  </pre>
  </blockquote>
  
! <p> Instead of AHRlc3QAdGVzdHBhc3M=, specify the base64 encoded
! form of \0username\0password (the \0 is a null byte). The
  example above is for a user named `test' with password `testpass'.
  </p>
  
***************
*** 552,565 ****
  
  <blockquote>
  <pre>
! % printf 'username\0username\0password' | mmencode 
  </pre>
  </blockquote>
  
  <blockquote>
  <pre>
  % perl -MMIME::Base64 -e \
!     'print encode_base64("username\0username\0password");'
  </pre>
  </blockquote>
  
--- 552,565 ----
  
  <blockquote>
  <pre>
! % printf '\0username\0password' | mmencode 
  </pre>
  </blockquote>
  
  <blockquote>
  <pre>
  % perl -MMIME::Base64 -e \
!     'print encode_base64("\0username\0password");'
  </pre>
  </blockquote>
  
diff -cr --new-file /var/tmp/postfix-2.4.3/html/lmtp.8.html ./html/lmtp.8.html
*** /var/tmp/postfix-2.4.3/html/lmtp.8.html	Sun Mar 25 18:46:38 2007
--- ./html/lmtp.8.html	Fri Jul 20 11:25:24 2007
***************
*** 253,263 ****
                will ignore in the LHLO response from a remote LMTP
                server.
  
  <b>MIME PROCESSING CONTROLS</b>
         Available in Postfix version 2.0 and later:
  
         <b><a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a> (no)</b>
!               Disable the conversion of 8BITMIME format  to  7BIT
                format.
  
         <b><a href="postconf.5.html#mime_boundary_length_limit">mime_boundary_length_limit</a> (2048)</b>
--- 253,271 ----
                will ignore in the LHLO response from a remote LMTP
                server.
  
+        Available in Postfix version 2.4.4 and later:
+ 
+        <b><a href="postconf.5.html#send_cyrus_sasl_authzid">send_cyrus_sasl_authzid</a> (no)</b>
+               When authenticating to a remote SMTP or LMTP server
+               with  the default setting "no", send no SASL autho-
+               riZation ID (authzid); send only the SASL authenti-
+               Cation ID (authcid) plus the authcid's password.
+ 
  <b>MIME PROCESSING CONTROLS</b>
         Available in Postfix version 2.0 and later:
  
         <b><a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a> (no)</b>
!               Disable  the  conversion of 8BITMIME format to 7BIT
                format.
  
         <b><a href="postconf.5.html#mime_boundary_length_limit">mime_boundary_length_limit</a> (2048)</b>
***************
*** 272,361 ****
         Available in Postfix version 2.1 and later:
  
         <b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b>
!               Send  the  non-standard  XFORWARD  command when the
!               Postfix SMTP server EHLO response  announces  XFOR-
                WARD support.
  
  <b>SASL AUTHENTICATION CONTROLS</b>
         <b><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> (no)</b>
!               Enable  SASL  authentication  in  the  Postfix SMTP
                client.
  
         <b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b>
!               Optional SMTP client lookup tables with  one  user-
!               name:password  entry per remote hostname or domain,
                or sender address when sender-dependent authentica-
                tion is enabled.
  
         <b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b>
!               SASL  security  options; as of Postfix 2.3 the list
!               of available features depends on  the  SASL  client
!               implementation     that     is     selected    with
                <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
  
         Available in Postfix version 2.2 and later:
  
         <b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b>
!               If non-empty, a Postfix SMTP client filter for  the
!               remote  SMTP  server's  list of offered SASL mecha-
                nisms.
  
         Available in Postfix version 2.3 and later:
  
         <b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b>
                Enable sender-dependent authentication in the Post-
!               fix  SMTP  client; this is available only with SASL
!               authentication,  and   disables   SMTP   connection
!               caching  to ensure that mail from different senders
                will use the appropriate credentials.
  
         <b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b>
!               Implementation-specific information that is  passed
!               through  to the SASL plug-in implementation that is
                selected with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
  
         <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b>
!               The SASL plug-in type that the Postfix SMTP  client
                should use for authentication.
  
  <b>STARTTLS SUPPORT CONTROLS</b>
!        Detailed  information  about STARTTLS configuration may be
         found in the <a href="TLS_README.html">TLS_README</a> document.
  
         <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
                The default SMTP TLS security level for the Postfix
!               SMTP  client;  when a non-empty value is specified,
!               this    overrides    the    obsolete     parameters
                <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>,         <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>,         and
                <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
  
         <b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>           ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_secu</a>-</b>
         <b><a href="postconf.5.html#smtp_sasl_security_options">rity_options</a>)</b>
!               The SASL authentication security options  that  the
!               Postfix  SMTP  client  uses  for TLS encrypted SMTP
                sessions.
  
         <b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b>
!               Time limit for Postfix SMTP client write  and  read
!               operations  during  TLS  startup and shutdown hand-
                shake procedures.
  
         <b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
!               The file with the certificate of the  certification
!               authority  (CA) that issued the Postfix SMTP client
                certificate.
  
         <b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
!               Directory with  PEM  format  certificate  authority
!               certificates  that  the Postfix SMTP client uses to
                verify a remote SMTP server certificate.
  
         <b><a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> (empty)</b>
!               File with the Postfix SMTP client  RSA  certificate
                in PEM format.
  
         <b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b>
!               The  minimum TLS cipher grade that the Postfix SMTP
                client will use with mandatory TLS encryption.
  
         <b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b>
--- 280,369 ----
         Available in Postfix version 2.1 and later:
  
         <b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b>
!               Send the non-standard  XFORWARD  command  when  the
!               Postfix  SMTP  server EHLO response announces XFOR-
                WARD support.
  
  <b>SASL AUTHENTICATION CONTROLS</b>
         <b><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> (no)</b>
!               Enable SASL  authentication  in  the  Postfix  SMTP
                client.
  
         <b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b>
!               Optional  SMTP  client lookup tables with one user-
!               name:password entry per remote hostname or  domain,
                or sender address when sender-dependent authentica-
                tion is enabled.
  
         <b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b>
!               SASL security options; as of Postfix 2.3  the  list
!               of  available  features  depends on the SASL client
!               implementation    that     is     selected     with
                <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
  
         Available in Postfix version 2.2 and later:
  
         <b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b>
!               If  non-empty, a Postfix SMTP client filter for the
!               remote SMTP server's list of  offered  SASL  mecha-
                nisms.
  
         Available in Postfix version 2.3 and later:
  
         <b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b>
                Enable sender-dependent authentication in the Post-
!               fix SMTP client; this is available only  with  SASL
!               authentication,   and   disables   SMTP  connection
!               caching to ensure that mail from different  senders
                will use the appropriate credentials.
  
         <b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b>
!               Implementation-specific  information that is passed
!               through to the SASL plug-in implementation that  is
                selected with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
  
         <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b>
!               The  SASL plug-in type that the Postfix SMTP client
                should use for authentication.
  
  <b>STARTTLS SUPPORT CONTROLS</b>
!        Detailed information about STARTTLS configuration  may  be
         found in the <a href="TLS_README.html">TLS_README</a> document.
  
         <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
                The default SMTP TLS security level for the Postfix
!               SMTP client; when a non-empty value  is  specified,
!               this     overrides    the    obsolete    parameters
                <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>,         <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>,         and
                <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
  
         <b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>           ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_secu</a>-</b>
         <b><a href="postconf.5.html#smtp_sasl_security_options">rity_options</a>)</b>
!               The  SASL  authentication security options that the
!               Postfix SMTP client uses  for  TLS  encrypted  SMTP
                sessions.
  
         <b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b>
!               Time  limit  for Postfix SMTP client write and read
!               operations during TLS startup  and  shutdown  hand-
                shake procedures.
  
         <b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
!               The  file with the certificate of the certification
!               authority (CA) that issued the Postfix SMTP  client
                certificate.
  
         <b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
!               Directory  with  PEM  format  certificate authority
!               certificates that the Postfix SMTP client  uses  to
                verify a remote SMTP server certificate.
  
         <b><a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> (empty)</b>
!               File  with  the Postfix SMTP client RSA certificate
                in PEM format.
  
         <b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b>
!               The minimum TLS cipher grade that the Postfix  SMTP
                client will use with mandatory TLS encryption.
  
         <b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b>
***************
*** 364,406 ****
                levels.
  
         <b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b>
!               Additional list  of  ciphers  or  cipher  types  to
!               exclude  from the SMTP client cipher list at manda-
                tory TLS security levels.
  
         <b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b>
!               File with the Postfix SMTP client  DSA  certificate
                in PEM format.
  
         <b><a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b>
!               File  with  the Postfix SMTP client DSA private key
                in PEM format.
  
         <b><a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b>
!               File with the Postfix SMTP client RSA  private  key
                in PEM format.
  
         <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
!               Enable  additional  Postfix  SMTP client logging of
                TLS activity.
  
         <b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b>
!               Log the hostname  of  a  remote  SMTP  server  that
!               offers  STARTTLS,  when  TLS is not already enabled
                for that server.
  
         <b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b>
                Optional lookup tables with the Postfix SMTP client
                TLS security policy by next-hop destination; when a
!               non-empty value is specified,  this  overrides  the
                obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
  
         <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
!               List  of TLS protocols that the Postfix SMTP client
                will use with mandatory TLS encryption.
  
         <b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (5)</b>
!               The verification depth for remote SMTP server  cer-
                tificates.
  
         <b><a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> (nexthop, dot-nexthop)</b>
--- 372,414 ----
                levels.
  
         <b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b>
!               Additional  list  of  ciphers  or  cipher  types to
!               exclude from the SMTP client cipher list at  manda-
                tory TLS security levels.
  
         <b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b>
!               File  with  the Postfix SMTP client DSA certificate
                in PEM format.
  
         <b><a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b>
!               File with the Postfix SMTP client DSA  private  key
                in PEM format.
  
         <b><a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b>
!               File  with  the Postfix SMTP client RSA private key
                in PEM format.
  
         <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
!               Enable additional Postfix SMTP  client  logging  of
                TLS activity.
  
         <b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b>
!               Log  the  hostname  of  a  remote  SMTP server that
!               offers STARTTLS, when TLS is  not  already  enabled
                for that server.
  
         <b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b>
                Optional lookup tables with the Postfix SMTP client
                TLS security policy by next-hop destination; when a
!               non-empty  value  is  specified, this overrides the
                obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
  
         <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
!               List of TLS protocols that the Postfix SMTP  client
                will use with mandatory TLS encryption.
  
         <b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (5)</b>
!               The  verification depth for remote SMTP server cer-
                tificates.
  
         <b><a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> (nexthop, dot-nexthop)</b>
***************
*** 408,414 ****
                for the "secure" TLS security level.
  
         <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
!               Name of the file containing  the  optional  Postfix
                SMTP client TLS session cache.
  
         <b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
--- 416,422 ----
                for the "secure" TLS security level.
  
         <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
!               Name  of  the  file containing the optional Postfix
                SMTP client TLS session cache.
  
         <b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
***************
*** 420,428 ****
                for the "verify" TLS security level.
  
         <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
!               The  number  of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
!               or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process  requests  from  the  <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
!               server  in order to seed its internal pseudo random
                number generator (PRNG).
  
         <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b>
--- 428,436 ----
                for the "verify" TLS security level.
  
         <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
!               The number of pseudo-random bytes that  an  <a href="smtp.8.html"><b>smtp</b>(8)</a>
!               or  <a href="smtpd.8.html"><b>smtpd</b>(8)</a>  process  requests  from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
!               server in order to seed its internal pseudo  random
                number generator (PRNG).
  
         <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b>
***************
*** 434,440 ****
                ciphers.
  
         <b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (ALL:!EXPORT:+RC4:@STRENGTH)</b>
!               The  OpenSSL  cipherlist  for "LOW" or higher grade
                ciphers.
  
         <b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b>
--- 442,448 ----
                ciphers.
  
         <b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (ALL:!EXPORT:+RC4:@STRENGTH)</b>
!               The OpenSSL cipherlist for "LOW"  or  higher  grade
                ciphers.
  
         <b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b>
***************
*** 442,481 ****
                ciphers.
  
         <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
!               The  OpenSSL  cipherlist  for  "NULL" grade ciphers
                that provide authentication without encryption.
  
         Available in Postfix version 2.4 and later:
  
         <b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a></b>
         <b>($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>)</b>
!               The SASL authentication security options  that  the
!               Postfix  SMTP  client  uses  for TLS encrypted SMTP
                sessions with a verified server certificate.
  
  <b>OBSOLETE STARTTLS CONTROLS</b>
!        The following configuration parameters exist for  compati-
         bility with Postfix versions before 2.3. Support for these
         will be removed in a future release.
  
         <b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
!               Opportunistic mode: use  TLS  when  a  remote  SMTP
!               server  announces  STARTTLS support, otherwise send
                the mail in the clear.
  
         <b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
!               Enforcement mode: require that remote SMTP  servers
!               use  TLS  encryption,  and  never  send mail in the
                clear.
  
         <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
!               With mandatory TLS  encryption,  require  that  the
                remote SMTP server hostname matches the information
                in the remote SMTP server certificate.
  
         <b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
                Optional lookup tables with the Postfix SMTP client
!               TLS  usage  policy  by  next-hop destination and by
                remote SMTP server hostname.
  
         <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
--- 450,489 ----
                ciphers.
  
         <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
!               The OpenSSL cipherlist  for  "NULL"  grade  ciphers
                that provide authentication without encryption.
  
         Available in Postfix version 2.4 and later:
  
         <b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a></b>
         <b>($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>)</b>
!               The  SASL  authentication security options that the
!               Postfix SMTP client uses  for  TLS  encrypted  SMTP
                sessions with a verified server certificate.
  
  <b>OBSOLETE STARTTLS CONTROLS</b>
!        The  following configuration parameters exist for compati-
         bility with Postfix versions before 2.3. Support for these
         will be removed in a future release.
  
         <b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
!               Opportunistic  mode:  use  TLS  when  a remote SMTP
!               server announces STARTTLS support,  otherwise  send
                the mail in the clear.
  
         <b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
!               Enforcement  mode: require that remote SMTP servers
!               use TLS encryption, and  never  send  mail  in  the
                clear.
  
         <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
!               With  mandatory  TLS  encryption,  require that the
                remote SMTP server hostname matches the information
                in the remote SMTP server certificate.
  
         <b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
                Optional lookup tables with the Postfix SMTP client
!               TLS usage policy by  next-hop  destination  and  by
                remote SMTP server hostname.
  
         <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
***************
*** 485,511 ****
  <b>RESOURCE AND RATE CONTROLS</b>
         <b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a>      ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destina</a>-</b>
         <b><a href="postconf.5.html#default_destination_concurrency_limit">tion_concurrency_limit</a>)</b>
!               The  maximal  number  of parallel deliveries to the
!               same destination  via  the  smtp  message  delivery
                transport.
  
         <b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a>        ($<a href="postconf.5.html#default_destination_recipient_limit">default_destina</a>-</b>
         <b><a href="postconf.5.html#default_destination_recipient_limit">tion_recipient_limit</a>)</b>
!               The  maximal  number of recipients per delivery via
                the smtp message delivery transport.
  
         <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
!               The SMTP client time limit  for  completing  a  TCP
                connection,  or  zero  (use  the  operating  system
                built-in time limit).
  
         <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
!               The SMTP client time limit for sending the HELO  or
!               EHLO  command, and for receiving the initial server
                response.
  
         <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
!               The LMTP client time limit  for  sending  the  LHLO
                command,  and  for  receiving  the  initial  server
                response.
  
--- 493,519 ----
  <b>RESOURCE AND RATE CONTROLS</b>
         <b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a>      ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destina</a>-</b>
         <b><a href="postconf.5.html#default_destination_concurrency_limit">tion_concurrency_limit</a>)</b>
!               The maximal number of parallel  deliveries  to  the
!               same  destination  via  the  smtp  message delivery
                transport.
  
         <b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a>        ($<a href="postconf.5.html#default_destination_recipient_limit">default_destina</a>-</b>
         <b><a href="postconf.5.html#default_destination_recipient_limit">tion_recipient_limit</a>)</b>
!               The maximal number of recipients per  delivery  via
                the smtp message delivery transport.
  
         <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
!               The  SMTP  client  time  limit for completing a TCP
                connection,  or  zero  (use  the  operating  system
                built-in time limit).
  
         <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
!               The  SMTP client time limit for sending the HELO or
!               EHLO command, and for receiving the initial  server
                response.
  
         <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
!               The  LMTP  client  time  limit for sending the LHLO
                command,  and  for  receiving  the  initial  server
                response.
  
***************
*** 514,543 ****
                command, and for receiving the server response.
  
         <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
!               The  SMTP  client  time  limit for sending the MAIL
!               FROM  command,  and  for   receiving   the   server
                response.
  
         <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
!               The  SMTP  client  time  limit for sending the SMTP
!               RCPT TO  command,  and  for  receiving  the  server
                response.
  
         <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
!               The  SMTP  client  time  limit for sending the SMTP
!               DATA  command,  and  for   receiving   the   server
                response.
  
         <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
!               The  SMTP  client  time  limit for sending the SMTP
                message content.
  
         <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
!               The SMTP client time limit  for  sending  the  SMTP
                ".", and for receiving the server response.
  
         <b><a href="postconf.5.html#smtp_quit_timeout">smtp_quit_timeout</a> (300s)</b>
!               The  SMTP  client  time  limit for sending the QUIT
                command, and for receiving the server response.
  
         Available in Postfix version 2.1 and later:
--- 522,551 ----
                command, and for receiving the server response.
  
         <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
!               The SMTP client time limit  for  sending  the  MAIL
!               FROM   command,   and   for  receiving  the  server
                response.
  
         <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
!               The SMTP client time limit  for  sending  the  SMTP
!               RCPT  TO  command,  and  for  receiving  the server
                response.
  
         <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
!               The SMTP client time limit  for  sending  the  SMTP
!               DATA   command,   and   for  receiving  the  server
                response.
  
         <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
!               The SMTP client time limit  for  sending  the  SMTP
                message content.
  
         <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
!               The  SMTP  client  time  limit for sending the SMTP
                ".", and for receiving the server response.
  
         <b><a href="postconf.5.html#smtp_quit_timeout">smtp_quit_timeout</a> (300s)</b>
!               The SMTP client time limit  for  sending  the  QUIT
                command, and for receiving the server response.
  
         Available in Postfix version 2.1 and later:
***************
*** 548,559 ****
                lookups, or zero (no limit).
  
         <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
!               The maximal number of SMTP  sessions  per  delivery
!               request  before  giving up or delivering to a fall-
                back <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
  
         <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
!               The SMTP client time limit  for  sending  the  RSET
                command, and for receiving the server response.
  
         Available in Postfix version 2.2 and earlier:
--- 556,567 ----
                lookups, or zero (no limit).
  
         <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
!               The  maximal  number  of SMTP sessions per delivery
!               request before giving up or delivering to  a  fall-
                back <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
  
         <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
!               The  SMTP  client  time  limit for sending the RSET
                command, and for receiving the server response.
  
         Available in Postfix version 2.2 and earlier:
***************
*** 565,575 ****
         Available in Postfix version 2.2 and later:
  
         <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
!               Permanently enable SMTP connection caching for  the
                specified destinations.
  
         <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
!               Temporarily  enable SMTP connection caching while a
                destination has a high volume of mail in the active
                queue.
  
--- 573,583 ----
         Available in Postfix version 2.2 and later:
  
         <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
!               Permanently  enable SMTP connection caching for the
                specified destinations.
  
         <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
!               Temporarily enable SMTP connection caching while  a
                destination has a high volume of mail in the active
                queue.
  
***************
*** 579,640 ****
  
         <b><a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> (2s)</b>
                When SMTP connection caching is enabled, the amount
!               of  time  that an unused SMTP client socket is kept
                open before it is closed.
  
         Available in Postfix version 2.3 and later:
  
         <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
!               Time limit for connection cache  connect,  send  or
                receive operations.
  
  <b>TROUBLE SHOOTING CONTROLS</b>
         <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
!               The  increment  in  verbose  logging  level  when a
!               remote client or server matches a  pattern  in  the
                <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
  
         <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
!               Optional  list  of remote client or server hostname
!               or network address patterns that cause the  verbose
!               logging  level  to increase by the amount specified
                in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
  
         <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
!               The recipient  of  postmaster  notifications  about
!               mail  delivery  problems that are caused by policy,
                resource, software or protocol errors.
  
         <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
!               What categories of Postfix-generated mail are  sub-
!               ject   to   before-queue   content   inspection  by
                <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
  
         <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
!               The list of error classes that are reported to  the
                postmaster.
  
  <b>MISCELLANEOUS CONTROLS</b>
         <b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
!               Where  the  Postfix SMTP client should deliver mail
                when it detects a "mail loops back to myself" error
                condition.
  
         <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
!               The  default  location  of  the Postfix <a href="postconf.5.html">main.cf</a> and
                <a href="master.5.html">master.cf</a> configuration files.
  
         <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
!               How much time a Postfix daemon process may take  to
!               handle  a  request  before  it  is  terminated by a
                built-in watchdog timer.
  
         <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
!               The maximal number  of  digits  after  the  decimal
                point when logging sub-second delay values.
  
         <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
!               Disable  DNS  lookups  in the Postfix SMTP and LMTP
                clients.
  
         <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
--- 587,648 ----
  
         <b><a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> (2s)</b>
                When SMTP connection caching is enabled, the amount
!               of time that an unused SMTP client socket  is  kept
                open before it is closed.
  
         Available in Postfix version 2.3 and later:
  
         <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
!               Time  limit  for  connection cache connect, send or
                receive operations.
  
  <b>TROUBLE SHOOTING CONTROLS</b>
         <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
!               The increment  in  verbose  logging  level  when  a
!               remote  client  or  server matches a pattern in the
                <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
  
         <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
!               Optional list of remote client or  server  hostname
!               or  network address patterns that cause the verbose
!               logging level to increase by the  amount  specified
                in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
  
         <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
!               The  recipient  of  postmaster  notifications about
!               mail delivery problems that are caused  by  policy,
                resource, software or protocol errors.
  
         <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
!               What  categories of Postfix-generated mail are sub-
!               ject  to   before-queue   content   inspection   by
                <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
  
         <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
!               The  list of error classes that are reported to the
                postmaster.
  
  <b>MISCELLANEOUS CONTROLS</b>
         <b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
!               Where the Postfix SMTP client should  deliver  mail
                when it detects a "mail loops back to myself" error
                condition.
  
         <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
!               The default location of  the  Postfix  <a href="postconf.5.html">main.cf</a>  and
                <a href="master.5.html">master.cf</a> configuration files.
  
         <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
!               How  much time a Postfix daemon process may take to
!               handle a request  before  it  is  terminated  by  a
                built-in watchdog timer.
  
         <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
!               The  maximal  number  of  digits  after the decimal
                point when logging sub-second delay values.
  
         <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
!               Disable DNS lookups in the Postfix  SMTP  and  LMTP
                clients.
  
         <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
***************
*** 642,648 ****
                tem receives mail on.
  
         <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
!               The  Internet protocols Postfix will attempt to use
                when making or accepting connections.
  
         <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
--- 650,656 ----
                tem receives mail on.
  
         <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
!               The Internet protocols Postfix will attempt to  use
                when making or accepting connections.
  
         <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
***************
*** 650,724 ****
                over an internal communication channel.
  
         <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
!               The  default  TCP port that the Postfix LMTP client
                connects to.
  
         <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
!               The maximum amount of time  that  an  idle  Postfix
!               daemon  process  waits  for  an incoming connection
                before terminating voluntarily.
  
         <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
!               The maximal number of incoming connections  that  a
!               Postfix  daemon  process will service before termi-
                nating voluntarily.
  
         <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
!               The process ID  of  a  Postfix  command  or  daemon
                process.
  
         <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
!               The  process  name  of  a Postfix command or daemon
                process.
  
         <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
                The network interface addresses that this mail sys-
!               tem  receives  mail on by way of a proxy or network
                address translation unit.
  
         <b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
!               An optional  numerical  network  address  that  the
!               Postfix  SMTP  client should bind to when making an
                IPv4 connection.
  
         <b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
!               An optional  numerical  network  address  that  the
!               Postfix  SMTP  client should bind to when making an
                IPv6 connection.
  
         <b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
!               The hostname to send in the SMTP EHLO or HELO  com-
                mand.
  
         <b><a href="postconf.5.html#lmtp_lhloname">lmtp_lhlo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
                The hostname to send in the LMTP LHLO command.
  
         <b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
!               What  mechanisms  when the Postfix SMTP client uses
                to look up a host's IP address.
  
         <b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b>
!               Randomize the order  of  equal-preference  MX  host
                addresses.
  
         <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
                The syslog facility of Postfix logging.
  
         <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
!               The  mail  system  name  that  is  prepended to the
!               process name in syslog  records,  so  that  "smtpd"
                becomes, for example, "postfix/smtpd".
  
         Available with Postfix 2.2 and earlier:
  
         <b><a href="postconf.5.html#fallback_relay">fallback_relay</a> (empty)</b>
!               Optional  list of relay hosts for SMTP destinations
                that can't be found or that are unreachable.
  
         Available with Postfix 2.3 and later:
  
         <b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
!               Optional list of relay hosts for SMTP  destinations
                that can't be found or that are unreachable.
  
  <b>SEE ALSO</b>
--- 658,732 ----
                over an internal communication channel.
  
         <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
!               The default TCP port that the Postfix  LMTP  client
                connects to.
  
         <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
!               The  maximum  amount  of  time that an idle Postfix
!               daemon process waits  for  an  incoming  connection
                before terminating voluntarily.
  
         <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
!               The  maximal  number of incoming connections that a
!               Postfix daemon process will service  before  termi-
                nating voluntarily.
  
         <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
!               The  process  ID  of  a  Postfix  command or daemon
                process.
  
         <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
!               The process name of a  Postfix  command  or  daemon
                process.
  
         <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
                The network interface addresses that this mail sys-
!               tem receives mail on by way of a proxy  or  network
                address translation unit.
  
         <b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
!               An  optional  numerical  network  address  that the
!               Postfix SMTP client should bind to when  making  an
                IPv4 connection.
  
         <b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
!               An  optional  numerical  network  address  that the
!               Postfix SMTP client should bind to when  making  an
                IPv6 connection.
  
         <b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
!               The  hostname to send in the SMTP EHLO or HELO com-
                mand.
  
         <b><a href="postconf.5.html#lmtp_lhloname">lmtp_lhlo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
                The hostname to send in the LMTP LHLO command.
  
         <b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
!               What mechanisms when the Postfix SMTP  client  uses
                to look up a host's IP address.
  
         <b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b>
!               Randomize  the  order  of  equal-preference MX host
                addresses.
  
         <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
                The syslog facility of Postfix logging.
  
         <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
!               The mail system  name  that  is  prepended  to  the
!               process  name  in  syslog  records, so that "smtpd"
                becomes, for example, "postfix/smtpd".
  
         Available with Postfix 2.2 and earlier:
  
         <b><a href="postconf.5.html#fallback_relay">fallback_relay</a> (empty)</b>
!               Optional list of relay hosts for SMTP  destinations
                that can't be found or that are unreachable.
  
         Available with Postfix 2.3 and later:
  
         <b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
!               Optional  list of relay hosts for SMTP destinations
                that can't be found or that are unreachable.
  
  <b>SEE ALSO</b>
***************
*** 736,742 ****
         <a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto
  
  <b>LICENSE</b>
!        The Secure Mailer license must be  distributed  with  this
         software.
  
  <b>AUTHOR(S)</b>
--- 744,750 ----
         <a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto
  
  <b>LICENSE</b>
!        The  Secure  Mailer  license must be distributed with this
         software.
  
  <b>AUTHOR(S)</b>
diff -cr --new-file /var/tmp/postfix-2.4.3/html/postconf.5.html ./html/postconf.5.html
*** /var/tmp/postfix-2.4.3/html/postconf.5.html	Mon Apr  2 19:15:49 2007
--- ./html/postconf.5.html	Fri Jul 20 11:25:24 2007
***************
*** 53,58 ****
--- 53,60 ----
  "$name" is empty. This form is supported with Postfix version 2.2
  and later.  </p>
  
+ <li> <p> Specify "$$" to produce a single "$" character. </p>
+ 
  </ul>
  
  <li> <p> When the same parameter is defined multiple times, only
***************
*** 6682,6687 ****
--- 6684,6707 ----
  <p>
  The name of the directory with example Postfix configuration files.
  </p>
+ 
+ 
+ </DD>
+ 
+ <DT><b><a name="send_cyrus_sasl_authzid">send_cyrus_sasl_authzid</a>
+ (default: no)</b></DT><DD>
+ 
+ <p> When authenticating to a remote SMTP or LMTP server with the
+ default setting "no", send no SASL authoriZation ID (authzid); send
+ only the SASL authentiCation ID (authcid) plus the authcid's password.
+ </p>
+ 
+ <p> The non-default setting "yes" enables the behavior of older
+ Postfix versions.  These always send a SASL authzid that is equal
+ to the SASL authcid, but this causes inter-operability problems
+ with some SMTP servers. </p>
+ 
+ <p> This feature is available in Postfix 2.4.4 and later. </p>
  
  
  </DD>
diff -cr --new-file /var/tmp/postfix-2.4.3/html/smtp.8.html ./html/smtp.8.html
*** /var/tmp/postfix-2.4.3/html/smtp.8.html	Sun Mar 25 18:46:38 2007
--- ./html/smtp.8.html	Fri Jul 20 11:25:24 2007
***************
*** 253,263 ****
                will ignore in the LHLO response from a remote LMTP
                server.
  
  <b>MIME PROCESSING CONTROLS</b>
         Available in Postfix version 2.0 and later:
  
         <b><a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a> (no)</b>
!               Disable the conversion of 8BITMIME format  to  7BIT
                format.
  
         <b><a href="postconf.5.html#mime_boundary_length_limit">mime_boundary_length_limit</a> (2048)</b>
--- 253,271 ----
                will ignore in the LHLO response from a remote LMTP
                server.
  
+        Available in Postfix version 2.4.4 and later:
+ 
+        <b><a href="postconf.5.html#send_cyrus_sasl_authzid">send_cyrus_sasl_authzid</a> (no)</b>
+               When authenticating to a remote SMTP or LMTP server
+               with  the default setting "no", send no SASL autho-
+               riZation ID (authzid); send only the SASL authenti-
+               Cation ID (authcid) plus the authcid's password.
+ 
  <b>MIME PROCESSING CONTROLS</b>
         Available in Postfix version 2.0 and later:
  
         <b><a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a> (no)</b>
!               Disable  the  conversion of 8BITMIME format to 7BIT
                format.
  
         <b><a href="postconf.5.html#mime_boundary_length_limit">mime_boundary_length_limit</a> (2048)</b>
***************
*** 272,361 ****
         Available in Postfix version 2.1 and later:
  
         <b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b>
!               Send  the  non-standard  XFORWARD  command when the
!               Postfix SMTP server EHLO response  announces  XFOR-
                WARD support.
  
  <b>SASL AUTHENTICATION CONTROLS</b>
         <b><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> (no)</b>
!               Enable  SASL  authentication  in  the  Postfix SMTP
                client.
  
         <b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b>
!               Optional SMTP client lookup tables with  one  user-
!               name:password  entry per remote hostname or domain,
                or sender address when sender-dependent authentica-
                tion is enabled.
  
         <b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b>
!               SASL  security  options; as of Postfix 2.3 the list
!               of available features depends on  the  SASL  client
!               implementation     that     is     selected    with
                <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
  
         Available in Postfix version 2.2 and later:
  
         <b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b>
!               If non-empty, a Postfix SMTP client filter for  the
!               remote  SMTP  server's  list of offered SASL mecha-
                nisms.
  
         Available in Postfix version 2.3 and later:
  
         <b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b>
                Enable sender-dependent authentication in the Post-
!               fix  SMTP  client; this is available only with SASL
!               authentication,  and   disables   SMTP   connection
!               caching  to ensure that mail from different senders
                will use the appropriate credentials.
  
         <b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b>
!               Implementation-specific information that is  passed
!               through  to the SASL plug-in implementation that is
                selected with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
  
         <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b>
!               The SASL plug-in type that the Postfix SMTP  client
                should use for authentication.
  
  <b>STARTTLS SUPPORT CONTROLS</b>
!        Detailed  information  about STARTTLS configuration may be
         found in the <a href="TLS_README.html">TLS_README</a> document.
  
         <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
                The default SMTP TLS security level for the Postfix
!               SMTP  client;  when a non-empty value is specified,
!               this    overrides    the    obsolete     parameters
                <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>,         <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>,         and
                <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
  
         <b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>           ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_secu</a>-</b>
         <b><a href="postconf.5.html#smtp_sasl_security_options">rity_options</a>)</b>
!               The SASL authentication security options  that  the
!               Postfix  SMTP  client  uses  for TLS encrypted SMTP
                sessions.
  
         <b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b>
!               Time limit for Postfix SMTP client write  and  read
!               operations  during  TLS  startup and shutdown hand-
                shake procedures.
  
         <b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
!               The file with the certificate of the  certification
!               authority  (CA) that issued the Postfix SMTP client
                certificate.
  
         <b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
!               Directory with  PEM  format  certificate  authority
!               certificates  that  the Postfix SMTP client uses to
                verify a remote SMTP server certificate.
  
         <b><a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> (empty)</b>
!               File with the Postfix SMTP client  RSA  certificate
                in PEM format.
  
         <b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b>
!               The  minimum TLS cipher grade that the Postfix SMTP
                client will use with mandatory TLS encryption.
  
         <b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b>
--- 280,369 ----
         Available in Postfix version 2.1 and later:
  
         <b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b>
!               Send the non-standard  XFORWARD  command  when  the
!               Postfix  SMTP  server EHLO response announces XFOR-
                WARD support.
  
  <b>SASL AUTHENTICATION CONTROLS</b>
         <b><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> (no)</b>
!               Enable SASL  authentication  in  the  Postfix  SMTP
                client.
  
         <b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b>
!               Optional  SMTP  client lookup tables with one user-
!               name:password entry per remote hostname or  domain,
                or sender address when sender-dependent authentica-
                tion is enabled.
  
         <b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b>
!               SASL security options; as of Postfix 2.3  the  list
!               of  available  features  depends on the SASL client
!               implementation    that     is     selected     with
                <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
  
         Available in Postfix version 2.2 and later:
  
         <b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b>
!               If  non-empty, a Postfix SMTP client filter for the
!               remote SMTP server's list of  offered  SASL  mecha-
                nisms.
  
         Available in Postfix version 2.3 and later:
  
         <b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b>
                Enable sender-dependent authentication in the Post-
!               fix SMTP client; this is available only  with  SASL
!               authentication,   and   disables   SMTP  connection
!               caching to ensure that mail from different  senders
                will use the appropriate credentials.
  
         <b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b>
!               Implementation-specific  information that is passed
!               through to the SASL plug-in implementation that  is
                selected with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
  
         <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b>
!               The  SASL plug-in type that the Postfix SMTP client
                should use for authentication.
  
  <b>STARTTLS SUPPORT CONTROLS</b>
!        Detailed information about STARTTLS configuration  may  be
         found in the <a href="TLS_README.html">TLS_README</a> document.
  
         <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
                The default SMTP TLS security level for the Postfix
!               SMTP client; when a non-empty value  is  specified,
!               this     overrides    the    obsolete    parameters
                <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>,         <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>,         and
                <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
  
         <b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>           ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_secu</a>-</b>
         <b><a href="postconf.5.html#smtp_sasl_security_options">rity_options</a>)</b>
!               The  SASL  authentication security options that the
!               Postfix SMTP client uses  for  TLS  encrypted  SMTP
                sessions.
  
         <b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b>
!               Time  limit  for Postfix SMTP client write and read
!               operations during TLS startup  and  shutdown  hand-
                shake procedures.
  
         <b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
!               The  file with the certificate of the certification
!               authority (CA) that issued the Postfix SMTP  client
                certificate.
  
         <b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
!               Directory  with  PEM  format  certificate authority
!               certificates that the Postfix SMTP client  uses  to
                verify a remote SMTP server certificate.
  
         <b><a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> (empty)</b>
!               File  with  the Postfix SMTP client RSA certificate
                in PEM format.
  
         <b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b>
!               The minimum TLS cipher grade that the Postfix  SMTP
                client will use with mandatory TLS encryption.
  
         <b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b>
***************
*** 364,406 ****
                levels.
  
         <b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b>
!               Additional list  of  ciphers  or  cipher  types  to
!               exclude  from the SMTP client cipher list at manda-
                tory TLS security levels.
  
         <b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b>
!               File with the Postfix SMTP client  DSA  certificate
                in PEM format.
  
         <b><a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b>
!               File  with  the Postfix SMTP client DSA private key
                in PEM format.
  
         <b><a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b>
!               File with the Postfix SMTP client RSA  private  key
                in PEM format.
  
         <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
!               Enable  additional  Postfix  SMTP client logging of
                TLS activity.
  
         <b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b>
!               Log the hostname  of  a  remote  SMTP  server  that
!               offers  STARTTLS,  when  TLS is not already enabled
                for that server.
  
         <b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b>
                Optional lookup tables with the Postfix SMTP client
                TLS security policy by next-hop destination; when a
!               non-empty value is specified,  this  overrides  the
                obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
  
         <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
!               List  of TLS protocols that the Postfix SMTP client
                will use with mandatory TLS encryption.
  
         <b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (5)</b>
!               The verification depth for remote SMTP server  cer-
                tificates.
  
         <b><a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> (nexthop, dot-nexthop)</b>
--- 372,414 ----
                levels.
  
         <b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b>
!               Additional  list  of  ciphers  or  cipher  types to
!               exclude from the SMTP client cipher list at  manda-
                tory TLS security levels.
  
         <b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b>
!               File  with  the Postfix SMTP client DSA certificate
                in PEM format.
  
         <b><a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b>
!               File with the Postfix SMTP client DSA  private  key
                in PEM format.
  
         <b><a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b>
!               File  with  the Postfix SMTP client RSA private key
                in PEM format.
  
         <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
!               Enable additional Postfix SMTP  client  logging  of
                TLS activity.
  
         <b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b>
!               Log  the  hostname  of  a  remote  SMTP server that
!               offers STARTTLS, when TLS is  not  already  enabled
                for that server.
  
         <b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b>
                Optional lookup tables with the Postfix SMTP client
                TLS security policy by next-hop destination; when a
!               non-empty  value  is  specified, this overrides the
                obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
  
         <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
!               List of TLS protocols that the Postfix SMTP  client
                will use with mandatory TLS encryption.
  
         <b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (5)</b>
!               The  verification depth for remote SMTP server cer-
                tificates.
  
         <b><a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> (nexthop, dot-nexthop)</b>
***************
*** 408,414 ****
                for the "secure" TLS security level.
  
         <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
!               Name of the file containing  the  optional  Postfix
                SMTP client TLS session cache.
  
         <b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
--- 416,422 ----
                for the "secure" TLS security level.
  
         <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
!               Name  of  the  file containing the optional Postfix
                SMTP client TLS session cache.
  
         <b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
***************
*** 420,428 ****
                for the "verify" TLS security level.
  
         <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
!               The  number  of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
!               or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process  requests  from  the  <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
!               server  in order to seed its internal pseudo random
                number generator (PRNG).
  
         <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b>
--- 428,436 ----
                for the "verify" TLS security level.
  
         <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
!               The number of pseudo-random bytes that  an  <a href="smtp.8.html"><b>smtp</b>(8)</a>
!               or  <a href="smtpd.8.html"><b>smtpd</b>(8)</a>  process  requests  from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
!               server in order to seed its internal pseudo  random
                number generator (PRNG).
  
         <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b>
***************
*** 434,440 ****
                ciphers.
  
         <b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (ALL:!EXPORT:+RC4:@STRENGTH)</b>
!               The  OpenSSL  cipherlist  for "LOW" or higher grade
                ciphers.
  
         <b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b>
--- 442,448 ----
                ciphers.
  
         <b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (ALL:!EXPORT:+RC4:@STRENGTH)</b>
!               The OpenSSL cipherlist for "LOW"  or  higher  grade
                ciphers.
  
         <b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b>
***************
*** 442,481 ****
                ciphers.
  
         <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
!               The  OpenSSL  cipherlist  for  "NULL" grade ciphers
                that provide authentication without encryption.
  
         Available in Postfix version 2.4 and later:
  
         <b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a></b>
         <b>($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>)</b>
!               The SASL authentication security options  that  the
!               Postfix  SMTP  client  uses  for TLS encrypted SMTP
                sessions with a verified server certificate.
  
  <b>OBSOLETE STARTTLS CONTROLS</b>
!        The following configuration parameters exist for  compati-
         bility with Postfix versions before 2.3. Support for these
         will be removed in a future release.
  
         <b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
!               Opportunistic mode: use  TLS  when  a  remote  SMTP
!               server  announces  STARTTLS support, otherwise send
                the mail in the clear.
  
         <b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
!               Enforcement mode: require that remote SMTP  servers
!               use  TLS  encryption,  and  never  send mail in the
                clear.
  
         <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
!               With mandatory TLS  encryption,  require  that  the
                remote SMTP server hostname matches the information
                in the remote SMTP server certificate.
  
         <b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
                Optional lookup tables with the Postfix SMTP client
!               TLS  usage  policy  by  next-hop destination and by
                remote SMTP server hostname.
  
         <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
--- 450,489 ----
                ciphers.
  
         <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
!               The OpenSSL cipherlist  for  "NULL"  grade  ciphers
                that provide authentication without encryption.
  
         Available in Postfix version 2.4 and later:
  
         <b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a></b>
         <b>($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>)</b>
!               The  SASL  authentication security options that the
!               Postfix SMTP client uses  for  TLS  encrypted  SMTP
                sessions with a verified server certificate.
  
  <b>OBSOLETE STARTTLS CONTROLS</b>
!        The  following configuration parameters exist for compati-
         bility with Postfix versions before 2.3. Support for these
         will be removed in a future release.
  
         <b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
!               Opportunistic  mode:  use  TLS  when  a remote SMTP
!               server announces STARTTLS support,  otherwise  send
                the mail in the clear.
  
         <b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
!               Enforcement  mode: require that remote SMTP servers
!               use TLS encryption, and  never  send  mail  in  the
                clear.
  
         <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
!               With  mandatory  TLS  encryption,  require that the
                remote SMTP server hostname matches the information
                in the remote SMTP server certificate.
  
         <b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
                Optional lookup tables with the Postfix SMTP client
!               TLS usage policy by  next-hop  destination  and  by
                remote SMTP server hostname.
  
         <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
***************
*** 485,511 ****
  <b>RESOURCE AND RATE CONTROLS</b>
         <b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a>      ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destina</a>-</b>
         <b><a href="postconf.5.html#default_destination_concurrency_limit">tion_concurrency_limit</a>)</b>
!               The  maximal  number  of parallel deliveries to the
!               same destination  via  the  smtp  message  delivery
                transport.
  
         <b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a>        ($<a href="postconf.5.html#default_destination_recipient_limit">default_destina</a>-</b>
         <b><a href="postconf.5.html#default_destination_recipient_limit">tion_recipient_limit</a>)</b>
!               The  maximal  number of recipients per delivery via
                the smtp message delivery transport.
  
         <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
!               The SMTP client time limit  for  completing  a  TCP
                connection,  or  zero  (use  the  operating  system
                built-in time limit).
  
         <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
!               The SMTP client time limit for sending the HELO  or
!               EHLO  command, and for receiving the initial server
                response.
  
         <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
!               The LMTP client time limit  for  sending  the  LHLO
                command,  and  for  receiving  the  initial  server
                response.
  
--- 493,519 ----
  <b>RESOURCE AND RATE CONTROLS</b>
         <b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a>      ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destina</a>-</b>
         <b><a href="postconf.5.html#default_destination_concurrency_limit">tion_concurrency_limit</a>)</b>
!               The maximal number of parallel  deliveries  to  the
!               same  destination  via  the  smtp  message delivery
                transport.
  
         <b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a>        ($<a href="postconf.5.html#default_destination_recipient_limit">default_destina</a>-</b>
         <b><a href="postconf.5.html#default_destination_recipient_limit">tion_recipient_limit</a>)</b>
!               The maximal number of recipients per  delivery  via
                the smtp message delivery transport.
  
         <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
!               The  SMTP  client  time  limit for completing a TCP
                connection,  or  zero  (use  the  operating  system
                built-in time limit).
  
         <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
!               The  SMTP client time limit for sending the HELO or
!               EHLO command, and for receiving the initial  server
                response.
  
         <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
!               The  LMTP  client  time  limit for sending the LHLO
                command,  and  for  receiving  the  initial  server
                response.
  
***************
*** 514,543 ****
                command, and for receiving the server response.
  
         <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
!               The  SMTP  client  time  limit for sending the MAIL
!               FROM  command,  and  for   receiving   the   server
                response.
  
         <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
!               The  SMTP  client  time  limit for sending the SMTP
!               RCPT TO  command,  and  for  receiving  the  server
                response.
  
         <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
!               The  SMTP  client  time  limit for sending the SMTP
!               DATA  command,  and  for   receiving   the   server
                response.
  
         <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
!               The  SMTP  client  time  limit for sending the SMTP
                message content.
  
         <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
!               The SMTP client time limit  for  sending  the  SMTP
                ".", and for receiving the server response.
  
         <b><a href="postconf.5.html#smtp_quit_timeout">smtp_quit_timeout</a> (300s)</b>
!               The  SMTP  client  time  limit for sending the QUIT
                command, and for receiving the server response.
  
         Available in Postfix version 2.1 and later:
--- 522,551 ----
                command, and for receiving the server response.
  
         <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
!               The SMTP client time limit  for  sending  the  MAIL
!               FROM   command,   and   for  receiving  the  server
                response.
  
         <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
!               The SMTP client time limit  for  sending  the  SMTP
!               RCPT  TO  command,  and  for  receiving  the server
                response.
  
         <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
!               The SMTP client time limit  for  sending  the  SMTP
!               DATA   command,   and   for  receiving  the  server
                response.
  
         <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
!               The SMTP client time limit  for  sending  the  SMTP
                message content.
  
         <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
!               The  SMTP  client  time  limit for sending the SMTP
                ".", and for receiving the server response.
  
         <b><a href="postconf.5.html#smtp_quit_timeout">smtp_quit_timeout</a> (300s)</b>
!               The SMTP client time limit  for  sending  the  QUIT
                command, and for receiving the server response.
  
         Available in Postfix version 2.1 and later:
***************
*** 548,559 ****
                lookups, or zero (no limit).
  
         <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
!               The maximal number of SMTP  sessions  per  delivery
!               request  before  giving up or delivering to a fall-
                back <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
  
         <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
!               The SMTP client time limit  for  sending  the  RSET
                command, and for receiving the server response.
  
         Available in Postfix version 2.2 and earlier:
--- 556,567 ----
                lookups, or zero (no limit).
  
         <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
!               The  maximal  number  of SMTP sessions per delivery
!               request before giving up or delivering to  a  fall-
                back <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
  
         <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
!               The  SMTP  client  time  limit for sending the RSET
                command, and for receiving the server response.
  
         Available in Postfix version 2.2 and earlier:
***************
*** 565,575 ****
         Available in Postfix version 2.2 and later:
  
         <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
!               Permanently enable SMTP connection caching for  the
                specified destinations.
  
         <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
!               Temporarily  enable SMTP connection caching while a
                destination has a high volume of mail in the active
                queue.
  
--- 573,583 ----
         Available in Postfix version 2.2 and later:
  
         <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
!               Permanently  enable SMTP connection caching for the
                specified destinations.
  
         <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
!               Temporarily enable SMTP connection caching while  a
                destination has a high volume of mail in the active
                queue.
  
***************
*** 579,640 ****
  
         <b><a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> (2s)</b>
                When SMTP connection caching is enabled, the amount
!               of  time  that an unused SMTP client socket is kept
                open before it is closed.
  
         Available in Postfix version 2.3 and later:
  
         <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
!               Time limit for connection cache  connect,  send  or
                receive operations.
  
  <b>TROUBLE SHOOTING CONTROLS</b>
         <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
!               The  increment  in  verbose  logging  level  when a
!               remote client or server matches a  pattern  in  the
                <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
  
         <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
!               Optional  list  of remote client or server hostname
!               or network address patterns that cause the  verbose
!               logging  level  to increase by the amount specified
                in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
  
         <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
!               The recipient  of  postmaster  notifications  about
!               mail  delivery  problems that are caused by policy,
                resource, software or protocol errors.
  
         <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
!               What categories of Postfix-generated mail are  sub-
!               ject   to   before-queue   content   inspection  by
                <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
  
         <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
!               The list of error classes that are reported to  the
                postmaster.
  
  <b>MISCELLANEOUS CONTROLS</b>
         <b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
!               Where  the  Postfix SMTP client should deliver mail
                when it detects a "mail loops back to myself" error
                condition.
  
         <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
!               The  default  location  of  the Postfix <a href="postconf.5.html">main.cf</a> and
                <a href="master.5.html">master.cf</a> configuration files.
  
         <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
!               How much time a Postfix daemon process may take  to
!               handle  a  request  before  it  is  terminated by a
                built-in watchdog timer.
  
         <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
!               The maximal number  of  digits  after  the  decimal
                point when logging sub-second delay values.
  
         <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
!               Disable  DNS  lookups  in the Postfix SMTP and LMTP
                clients.
  
         <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
--- 587,648 ----
  
         <b><a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> (2s)</b>
                When SMTP connection caching is enabled, the amount
!               of time that an unused SMTP client socket  is  kept
                open before it is closed.
  
         Available in Postfix version 2.3 and later:
  
         <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
!               Time  limit  for  connection cache connect, send or
                receive operations.
  
  <b>TROUBLE SHOOTING CONTROLS</b>
         <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
!               The increment  in  verbose  logging  level  when  a
!               remote  client  or  server matches a pattern in the
                <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
  
         <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
!               Optional list of remote client or  server  hostname
!               or  network address patterns that cause the verbose
!               logging level to increase by the  amount  specified
                in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
  
         <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
!               The  recipient  of  postmaster  notifications about
!               mail delivery problems that are caused  by  policy,
                resource, software or protocol errors.
  
         <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
!               What  categories of Postfix-generated mail are sub-
!               ject  to   before-queue   content   inspection   by
                <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
  
         <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
!               The  list of error classes that are reported to the
                postmaster.
  
  <b>MISCELLANEOUS CONTROLS</b>
         <b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
!               Where the Postfix SMTP client should  deliver  mail
                when it detects a "mail loops back to myself" error
                condition.
  
         <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
!               The default location of  the  Postfix  <a href="postconf.5.html">main.cf</a>  and
                <a href="master.5.html">master.cf</a> configuration files.
  
         <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
!               How  much time a Postfix daemon process may take to
!               handle a request  before  it  is  terminated  by  a
                built-in watchdog timer.
  
         <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
!               The  maximal  number  of  digits  after the decimal
                point when logging sub-second delay values.
  
         <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
!               Disable DNS lookups in the Postfix  SMTP  and  LMTP
                clients.
  
         <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
***************
*** 642,648 ****
                tem receives mail on.
  
         <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
!               The  Internet protocols Postfix will attempt to use
                when making or accepting connections.
  
         <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
--- 650,656 ----
                tem receives mail on.
  
         <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
!               The Internet protocols Postfix will attempt to  use
                when making or accepting connections.
  
         <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
***************
*** 650,724 ****
                over an internal communication channel.
  
         <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
!               The  default  TCP port that the Postfix LMTP client
                connects to.
  
         <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
!               The maximum amount of time  that  an  idle  Postfix
!               daemon  process  waits  for  an incoming connection
                before terminating voluntarily.
  
         <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
!               The maximal number of incoming connections  that  a
!               Postfix  daemon  process will service before termi-
                nating voluntarily.
  
         <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
!               The process ID  of  a  Postfix  command  or  daemon
                process.
  
         <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
!               The  process  name  of  a Postfix command or daemon
                process.
  
         <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
                The network interface addresses that this mail sys-
!               tem  receives  mail on by way of a proxy or network
                address translation unit.
  
         <b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
!               An optional  numerical  network  address  that  the
!               Postfix  SMTP  client should bind to when making an
                IPv4 connection.
  
         <b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
!               An optional  numerical  network  address  that  the
!               Postfix  SMTP  client should bind to when making an
                IPv6 connection.
  
         <b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
!               The hostname to send in the SMTP EHLO or HELO  com-
                mand.
  
         <b><a href="postconf.5.html#lmtp_lhloname">lmtp_lhlo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
                The hostname to send in the LMTP LHLO command.
  
         <b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
!               What  mechanisms  when the Postfix SMTP client uses
                to look up a host's IP address.
  
         <b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b>
!               Randomize the order  of  equal-preference  MX  host
                addresses.
  
         <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
                The syslog facility of Postfix logging.
  
         <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
!               The  mail  system  name  that  is  prepended to the
!               process name in syslog  records,  so  that  "smtpd"
                becomes, for example, "postfix/smtpd".
  
         Available with Postfix 2.2 and earlier:
  
         <b><a href="postconf.5.html#fallback_relay">fallback_relay</a> (empty)</b>
!               Optional  list of relay hosts for SMTP destinations
                that can't be found or that are unreachable.
  
         Available with Postfix 2.3 and later:
  
         <b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
!               Optional list of relay hosts for SMTP  destinations
                that can't be found or that are unreachable.
  
  <b>SEE ALSO</b>
--- 658,732 ----
                over an internal communication channel.
  
         <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
!               The default TCP port that the Postfix  LMTP  client
                connects to.
  
         <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
!               The  maximum  amount  of  time that an idle Postfix
!               daemon process waits  for  an  incoming  connection
                before terminating voluntarily.
  
         <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
!               The  maximal  number of incoming connections that a
!               Postfix daemon process will service  before  termi-
                nating voluntarily.
  
         <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
!               The  process  ID  of  a  Postfix  command or daemon
                process.
  
         <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
!               The process name of a  Postfix  command  or  daemon
                process.
  
         <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
                The network interface addresses that this mail sys-
!               tem receives mail on by way of a proxy  or  network
                address translation unit.
  
         <b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
!               An  optional  numerical  network  address  that the
!               Postfix SMTP client should bind to when  making  an
                IPv4 connection.
  
         <b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
!               An  optional  numerical  network  address  that the
!               Postfix SMTP client should bind to when  making  an
                IPv6 connection.
  
         <b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
!               The  hostname to send in the SMTP EHLO or HELO com-
                mand.
  
         <b><a href="postconf.5.html#lmtp_lhloname">lmtp_lhlo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
                The hostname to send in the LMTP LHLO command.
  
         <b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
!               What mechanisms when the Postfix SMTP  client  uses
                to look up a host's IP address.
  
         <b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b>
!               Randomize  the  order  of  equal-preference MX host
                addresses.
  
         <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
                The syslog facility of Postfix logging.
  
         <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
!               The mail system  name  that  is  prepended  to  the
!               process  name  in  syslog  records, so that "smtpd"
                becomes, for example, "postfix/smtpd".
  
         Available with Postfix 2.2 and earlier:
  
         <b><a href="postconf.5.html#fallback_relay">fallback_relay</a> (empty)</b>
!               Optional list of relay hosts for SMTP  destinations
                that can't be found or that are unreachable.
  
         Available with Postfix 2.3 and later:
  
         <b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
!               Optional  list of relay hosts for SMTP destinations
                that can't be found or that are unreachable.
  
  <b>SEE ALSO</b>
***************
*** 736,742 ****
         <a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto
  
  <b>LICENSE</b>
!        The Secure Mailer license must be  distributed  with  this
         software.
  
  <b>AUTHOR(S)</b>
--- 744,750 ----
         <a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto
  
  <b>LICENSE</b>
!        The  Secure  Mailer  license must be distributed with this
         software.
  
  <b>AUTHOR(S)</b>
diff -cr --new-file /var/tmp/postfix-2.4.3/man/man5/postconf.5 ./man/man5/postconf.5
*** /var/tmp/postfix-2.4.3/man/man5/postconf.5	Sun Mar 25 11:18:47 2007
--- ./man/man5/postconf.5	Fri Jul 20 11:25:24 2007
***************
*** 42,47 ****
--- 42,49 ----
  The expression "${name:value}" expands to "value" when
  "$name" is empty. This form is supported with Postfix
  version 2.2 and later.
+ .IP \(bu
+ Specify "$$" to produce a single "$" character.
  .RE
  .IP \(bu
  When the same parameter is defined multiple times, only the last
***************
*** 3709,3714 ****
--- 3711,3727 ----
  This feature is available in Postfix 2.0 and later.
  .SH sample_directory (default: /etc/postfix)
  The name of the directory with example Postfix configuration files.
+ .SH send_cyrus_sasl_authzid (default: no)
+ When authenticating to a remote SMTP or LMTP server with the
+ default setting "no", send no SASL authoriZation ID (authzid); send
+ only the SASL authentiCation ID (authcid) plus the authcid's password.
+ .PP
+ The non-default setting "yes" enables the behavior of older
+ Postfix versions.  These always send a SASL authzid that is equal
+ to the SASL authcid, but this causes inter-operability problems
+ with some SMTP servers.
+ .PP
+ This feature is available in Postfix 2.4.4 and later.
  .SH sender_based_routing (default: no)
  This parameter should not be used. It was replaced by sender_dependent_relayhost_maps
  in Postfix version 2.3.
diff -cr --new-file /var/tmp/postfix-2.4.3/man/man8/smtp.8 ./man/man8/smtp.8
*** /var/tmp/postfix-2.4.3/man/man8/smtp.8	Sun Mar 25 18:46:38 2007
--- ./man/man8/smtp.8	Fri Jul 20 11:25:24 2007
***************
*** 226,231 ****
--- 226,237 ----
  A case insensitive list of LHLO keywords (pipelining, starttls,
  auth, etc.) that the LMTP client will ignore in the LHLO response
  from a remote LMTP server.
+ .PP
+ Available in Postfix version 2.4.4 and later:
+ .IP "\fBsend_cyrus_sasl_authzid (no)\fR"
+ When authenticating to a remote SMTP or LMTP server with the
+ default setting "no", send no SASL authoriZation ID (authzid); send
+ only the SASL authentiCation ID (authcid) plus the authcid's password.
  .SH "MIME PROCESSING CONTROLS"
  .na
  .nf
diff -cr --new-file /var/tmp/postfix-2.4.3/mantools/postlink ./mantools/postlink
*** /var/tmp/postfix-2.4.3/mantools/postlink	Mon Apr  2 19:10:27 2007
--- ./mantools/postlink	Tue Jul 10 13:27:12 2007
***************
*** 364,369 ****
--- 364,370 ----
      s;\bresolve_dequoted_address\b;<a href="postconf.5.html#resolve_dequoted_address">$&</a>;g;
      s;\brewrite_service_name\b;<a href="postconf.5.html#rewrite_service_name">$&</a>;g;
      s;\bsample_directory\b;<a href="postconf.5.html#sample_directory">$&</a>;g;
+     s;\bsend_cyrus_sasl_authzid\b;<a href="postconf.5.html#send_cyrus_sasl_authzid">$&</a>;g;
      s;\bsender_based_routing\b;<a href="postconf.5.html#sender_based_routing">$&</a>;g;
      s;\bsender_bcc_maps\b;<a href="postconf.5.html#sender_bcc_maps">$&</a>;g;
      s;\bsender_canonical_classes\b;<a href="postconf.5.html#sender_canonical_classes">$&</a>;g;
diff -cr --new-file /var/tmp/postfix-2.4.3/proto/SASL_README.html ./proto/SASL_README.html
*** /var/tmp/postfix-2.4.3/proto/SASL_README.html	Mon Mar 12 20:40:22 2007
--- ./proto/SASL_README.html	Tue Jul 10 13:36:23 2007
***************
*** 537,549 ****
  250-ETRN
  250-AUTH DIGEST-MD5 PLAIN CRAM-MD5
  250 8BITMIME
! <b>AUTH PLAIN dGVzdAB0ZXN0AHRlc3RwYXNz</b>
  235 Authentication successful
  </pre>
  </blockquote>
  
! <p> Instead of dGVzdAB0ZXN0AHRlc3RwYXNz, specify the base64 encoded
! form of username\0username\0password (the \0 is a null byte). The
  example above is for a user named `test' with password `testpass'.
  </p>
  
--- 537,549 ----
  250-ETRN
  250-AUTH DIGEST-MD5 PLAIN CRAM-MD5
  250 8BITMIME
! <b>AUTH PLAIN AHRlc3QAdGVzdHBhc3M=</b>
  235 Authentication successful
  </pre>
  </blockquote>
  
! <p> Instead of AHRlc3QAdGVzdHBhc3M=, specify the base64 encoded
! form of \0username\0password (the \0 is a null byte). The
  example above is for a user named `test' with password `testpass'.
  </p>
  
***************
*** 552,565 ****
  
  <blockquote>
  <pre>
! % printf 'username\0username\0password' | mmencode 
  </pre>
  </blockquote>
  
  <blockquote>
  <pre>
  % perl -MMIME::Base64 -e \
!     'print encode_base64("username\0username\0password");'
  </pre>
  </blockquote>
  
--- 552,565 ----
  
  <blockquote>
  <pre>
! % printf '\0username\0password' | mmencode 
  </pre>
  </blockquote>
  
  <blockquote>
  <pre>
  % perl -MMIME::Base64 -e \
!     'print encode_base64("\0username\0password");'
  </pre>
  </blockquote>
  
diff -cr --new-file /var/tmp/postfix-2.4.3/proto/postconf.html.prolog ./proto/postconf.html.prolog
*** /var/tmp/postfix-2.4.3/proto/postconf.html.prolog	Tue Feb  8 17:18:11 2005
--- ./proto/postconf.html.prolog	Wed Jun 13 20:47:33 2007
***************
*** 53,58 ****
--- 53,60 ----
  "$name" is empty. This form is supported with Postfix version 2.2
  and later.  </p>
  
+ <li> <p> Specify "$$" to produce a single "$" character. </p>
+ 
  </ul>
  
  <li> <p> When the same parameter is defined multiple times, only
diff -cr --new-file /var/tmp/postfix-2.4.3/proto/postconf.man.prolog ./proto/postconf.man.prolog
*** /var/tmp/postfix-2.4.3/proto/postconf.man.prolog	Tue Feb  8 17:18:47 2005
--- ./proto/postconf.man.prolog	Wed Jun 13 20:47:59 2007
***************
*** 42,47 ****
--- 42,49 ----
  The expression "${name:value}" expands to "value" when
  "$name" is empty. This form is supported with Postfix
  version 2.2 and later.
+ .IP \(bu
+ Specify "$$" to produce a single "$" character.
  .RE
  .IP \(bu
  When the same parameter is defined multiple times, only the last
diff -cr --new-file /var/tmp/postfix-2.4.3/proto/postconf.proto ./proto/postconf.proto
*** /var/tmp/postfix-2.4.3/proto/postconf.proto	Sun Mar 25 11:18:40 2007
--- ./proto/postconf.proto	Fri Jul 20 11:24:56 2007
***************
*** 10572,10574 ****
--- 10572,10588 ----
  configuration parameter.  See there for details. </p>
  
  <p> This feature is available in Postfix 2.4 and later. </p>
+ 
+ %PARAM send_cyrus_sasl_authzid no
+ 
+ <p> When authenticating to a remote SMTP or LMTP server with the
+ default setting "no", send no SASL authoriZation ID (authzid); send
+ only the SASL authentiCation ID (authcid) plus the authcid's password.
+ </p>
+ 
+ <p> The non-default setting "yes" enables the behavior of older
+ Postfix versions.  These always send a SASL authzid that is equal   
+ to the SASL authcid, but this causes inter-operability problems
+ with some SMTP servers. </p>
+ 
+ <p> This feature is available in Postfix 2.4.4 and later. </p>
diff -cr --new-file /var/tmp/postfix-2.4.3/src/cleanup/cleanup_envelope.c ./src/cleanup/cleanup_envelope.c
*** /var/tmp/postfix-2.4.3/src/cleanup/cleanup_envelope.c	Tue Jan 16 14:08:07 2007
--- ./src/cleanup/cleanup_envelope.c	Mon Jul 30 20:41:04 2007
***************
*** 148,160 ****
  #endif
      if (type == REC_TYPE_MILT_COUNT) {
  	/* Not part of queue file format. */
! 	if (state->milters != 0) {
! 	    msg_warn("%s: message rejected: too many milter instances",
! 		     state->queue_id);
! 	    state->errs |= CLEANUP_STAT_BAD;
! 	    return;
! 	}
! 	if ((milter_count = atoi(buf)) > 0)
  	    cleanup_milter_receive(state, milter_count);
  	return;
      }
--- 148,154 ----
  #endif
      if (type == REC_TYPE_MILT_COUNT) {
  	/* Not part of queue file format. */
! 	if ((milter_count = atoi(buf)) >= 0)
  	    cleanup_milter_receive(state, milter_count);
  	return;
      }
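Review bot: `atoi(buf)` cannot tell a record holding "0" from one that is not a number at all, and with the test relaxed to `>= 0` a malformed REC_TYPE_MILT_COUNT record now reaches `cleanup_milter_receive(state, 0)` instead of being ignored. Parsing with `strtol(buf, &end, 10)` and rejecting `end == buf || *end != 0`, or a value outside the `int` range, would keep garbage and oversized counts out of the receive path. The "too many milter instances" rejection is removed as well, so a repeated count record is now accepted; the cleanup_milter.c change suggests this is intended, but a comment here saying so would help. The enclosing function starts and ends outside the hunk.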
diff -cr --new-file /var/tmp/postfix-2.4.3/src/cleanup/cleanup_milter.c ./src/cleanup/cleanup_milter.c
*** /var/tmp/postfix-2.4.3/src/cleanup/cleanup_milter.c	Mon Jan 22 08:45:33 2007
--- ./src/cleanup/cleanup_milter.c	Mon Jul 30 20:39:41 2007
***************
*** 1314,1319 ****
--- 1314,1321 ----
  
  void    cleanup_milter_receive(CLEANUP_STATE *state, int count)
  {
+     if (state->milters)
+ 	milter_free(state->milters);
      state->milters = milter_receive(state->src, count);
      milter_macro_callback(state->milters, cleanup_milter_eval, (void *) state);
      milter_edit_callback(state->milters,
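Review bot: The result of `milter_receive()` is stored and passed straight to `milter_macro_callback()` without a null test, although the milter.c header comment says the result is a null pointer when an error happened. Whether the callback setters tolerate a null `MILTERS *` is not visible here; if they do not, a truncated or corrupt milter record on `state->src` becomes a null dereference in the cleanup server. A guard directly after the assignment, something like `if (state->milters == 0) { state->errs |= CLEANUP_STAT_BAD; return; }`, would fail the message instead. The function body continues past the end of the hunk.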
diff -cr --new-file /var/tmp/postfix-2.4.3/src/global/mail_params.c ./src/global/mail_params.c
*** /var/tmp/postfix-2.4.3/src/global/mail_params.c	Mon Jul 10 17:29:30 2006
--- ./src/global/mail_params.c	Tue Jul 10 13:27:12 2007
***************
*** 106,111 ****
--- 106,112 ----
  /*	int	var_oldlog_compat;
  /*	int	var_delay_max_res;
  /*	char	*var_int_filt_classes;
+ /*	int	var_cyrus_sasl_authzid;
  /*
  /*	void	mail_params_init()
  /*
***************
*** 275,280 ****
--- 276,282 ----
  int     var_oldlog_compat;
  int     var_delay_max_res;
  char   *var_int_filt_classes;
+ int     var_cyrus_sasl_authzid;
  
  const char null_format_string[1] = "";
  
***************
*** 543,548 ****
--- 545,551 ----
  	VAR_VERIFY_NEG_CACHE, DEF_VERIFY_NEG_CACHE, &var_verify_neg_cache,
  	VAR_OLDLOG_COMPAT, DEF_OLDLOG_COMPAT, &var_oldlog_compat,
  	VAR_HELPFUL_WARNINGS, DEF_HELPFUL_WARNINGS, &var_helpful_warnings,
+ 	VAR_CYRUS_SASL_AUTHZID, DEF_CYRUS_SASL_AUTHZID, &var_cyrus_sasl_authzid,
  	0,
      };
      const char *cp;
diff -cr --new-file /var/tmp/postfix-2.4.3/src/global/mail_params.h ./src/global/mail_params.h
*** /var/tmp/postfix-2.4.3/src/global/mail_params.h	Sat Feb 24 21:15:42 2007
--- ./src/global/mail_params.h	Tue Jul 10 19:47:45 2007
***************
*** 41,49 ****
    * What problem classes should be reported to the postmaster via email.
    * Default is bad problems only. See mail_error(3). Even when mail notices
    * are disabled, problems are still logged to the syslog daemon.
    */
  #define VAR_NOTIFY_CLASSES	"notify_classes"
! #define DEF_NOTIFY_CLASSES	"resource, software"
  extern char *var_notify_classes;
  
   /*
--- 41,52 ----
    * What problem classes should be reported to the postmaster via email.
    * Default is bad problems only. See mail_error(3). Even when mail notices
    * are disabled, problems are still logged to the syslog daemon.
+   * 
+   * Do not add "protocol" to the default setting. It gives Postfix a bad
+   * reputation: people get mail whenever spam software makes a mistake.
    */
  #define VAR_NOTIFY_CLASSES	"notify_classes"
! #define DEF_NOTIFY_CLASSES	"resource, software"	/* Not: "protocol" */
  extern char *var_notify_classes;
  
   /*
***************
*** 1531,1536 ****
--- 1534,1543 ----
    * SASL-based relay etc. control.
    */
  #define PERMIT_SASL_AUTH	"permit_sasl_authenticated"
+ 
+ #define VAR_CYRUS_SASL_AUTHZID	"send_cyrus_sasl_authzid"
+ #define DEF_CYRUS_SASL_AUTHZID	0
+ extern int var_cyrus_sasl_authzid;
  
   /*
    * LMTP client. Timeouts inspired by RFC 1123. The LMTP recipient limit
diff -cr --new-file /var/tmp/postfix-2.4.3/src/milter/milter.c ./src/milter/milter.c
*** /var/tmp/postfix-2.4.3/src/milter/milter.c	Wed Mar 14 20:46:12 2007
--- ./src/milter/milter.c	Mon Jul 30 20:42:56 2007
***************
*** 97,102 ****
--- 97,106 ----
  /*	MILTERS	*milter_receive(fp, count)
  /*	VSTREAM	*fp;
  /*	int	count;
+ /*
+ /*	int	milter_dummy(milters, fp)
+ /*	MILTERS	*milters;
+ /*	VSTREAM *fp;
  /* DESCRIPTION
  /*	The functions in this module manage one or more milter (mail
  /*	filter) clients. Currently, only the Sendmail 8 filter
***************
*** 192,197 ****
--- 196,204 ----
  /*	milter_receive() receives the specified number of mail
  /*	filters over the specified stream. The result is a null
  /*	pointer when no milters were sent, or when an error happened.
+ /*
+ /*	milter_dummy() is like milter_send(), except that it sends
+ /*	a dummy, but entirely valid, mail filter list.
  /* SEE ALSO
  /*	milter8(3) Sendmail 8 Milter protocol
  /* DIAGNOSTICS
***************
*** 587,592 ****
--- 594,609 ----
  #define MAIL_ATTR_MILT_EOD	"eod_macros"
  #define MAIL_ATTR_MILT_UNK	"unk_macros"
  
+ /* milter_dummy - send empty milter list */
+ 
+ int     milter_dummy(MILTERS *milters, VSTREAM *stream)
+ {
+     MILTERS dummy = *milters;
+ 
+     dummy.milter_list = 0;
+     return (milter_send(&dummy, stream));
+ }
+ 
  /* milter_send - send Milter instances over stream */
  
  int     milter_send(MILTERS *milters, VSTREAM *stream)
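Review bot: `MILTERS dummy = *milters;` dereferences the argument unconditionally, so milter_dummy() has a non-null precondition that neither the one-line comment nor the header description states. The deeper indentation of the `for` loop in the following hunk suggests milter_send() guards against a null list, which would make the two functions differ in contract despite the "is like milter_send()" wording. I would extend the comment to `/* milter_dummy - send empty milter list; milters must not be null */`. It is also worth a line saying that `dummy` is a shallow copy sharing every pointer with `*milters`, so it must never be handed to milter_free().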
***************
*** 606,613 ****
  	for (m = milters->milter_list; m != 0; m = m->next)
  	    if (m->active(m))
  		count++;
-     if (count == 0)
- 	return (0);
      (void) rec_fprintf(stream, REC_TYPE_MILT_COUNT, "%d", count);
  
      /*
--- 623,628 ----
***************
*** 655,663 ****
      VSTRING *data_macros;
      VSTRING *eod_macros;
      VSTRING *unk_macros;
- 
-     if (count == 0)
- 	return (0);
  
      /*
       * Receive filter macros.
--- 670,675 ----
diff -cr --new-file /var/tmp/postfix-2.4.3/src/milter/milter.h ./src/milter/milter.h
*** /var/tmp/postfix-2.4.3/src/milter/milter.h	Tue Jan  9 20:55:23 2007
--- ./src/milter/milter.h	Tue Jul 31 13:10:17 2007
***************
*** 99,104 ****
--- 99,105 ----
  extern const char *milter_other_event(MILTERS *);
  extern void milter_abort(MILTERS *);
  extern void milter_disc_event(MILTERS *);
+ extern int milter_dummy(MILTERS *, VSTREAM *);
  extern int milter_send(MILTERS *, VSTREAM *);
  extern MILTERS *milter_receive(VSTREAM *, int);
  extern void milter_free(MILTERS *);
diff -cr --new-file /var/tmp/postfix-2.4.3/src/milter/milter8.c ./src/milter/milter8.c
*** /var/tmp/postfix-2.4.3/src/milter/milter8.c	Tue Jan 16 20:08:01 2007
--- ./src/milter/milter8.c	Tue Jul 31 13:12:10 2007
***************
*** 64,69 ****
--- 64,73 ----
  #include <string.h>
  #include <stdarg.h>
  
+ #ifndef SHUT_RDWR
+ #define SHUT_RDWR	2
+ #endif
+ 
  /* Sendmail 8 Milter protocol. */
  
  #ifdef USE_LIBMILTER_INCLUDES
***************
*** 437,443 ****
--- 441,456 ----
  {
      const char *reply;
  
+     /*
+      * XXX When the cleanup server closes its end of the Milter socket while
+      * editing a queue file, the SMTP server is left out of sync with the
+      * Milter. Sending an ABORT to the Milters will not restore
+      * synchronization, because there may be any number of Milter replies
+      * already in flight. Workaround: poison the socket and force the SMTP
+      * server to abandon it.
+      */
      if (milter->fp != 0) {
+ 	(void) shutdown(vstream_fileno(milter->fp), SHUT_RDWR);
  	(void) vstream_fclose(milter->fp);
  	milter->fp = 0;
      }
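Review bot: The result of `shutdown()` is discarded, so when the call fails nothing records that the socket was not poisoned, and the SMTP server may keep using a Milter connection that is out of sync, which is the case the new comment describes. Logging the failure, for example `if (shutdown(vstream_fileno(milter->fp), SHUT_RDWR) < 0) msg_warn("milter %s: shutdown: %m", milter->m.name);`, keeps the best-effort behaviour and leaves a trace for the operator. The same applies to the identical addition in the next hunk. Both enclosing functions start outside their hunks.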
***************
*** 456,462 ****
--- 469,484 ----
  {
      const char *reply;
  
+     /*
+      * XXX When the cleanup server closes its end of the Milter socket while
+      * editing a queue file, the SMTP server is left out of sync with the
+      * Milter. Sending an ABORT to the Milters will not restore
+      * synchronization, because there may be any number of Milter replies
+      * already in flight. Workaround: poison the socket and force the SMTP
+      * server to abandon it.
+      */
      if (milter->fp != 0) {
+ 	(void) shutdown(vstream_fileno(milter->fp), SHUT_RDWR);
  	(void) vstream_fclose(milter->fp);
  	milter->fp = 0;
      }
***************
*** 873,878 ****
--- 895,901 ----
      const char *retval = 0;
      VSTRING *body_line_buf = 0;
      int     done = 0;
+     int     body_edit_lockout = 0;
  
  #define DONT_SKIP_REPLY	0
  
***************
*** 974,983 ****
      /*
       * Receive the reply or replies.
       * 
!      * Intercept all loop exits so that we can do post body replacement
       * processing.
       * 
       * XXX Bound the loop iteration count.
       */
  #define IN_CONNECT_EVENT(e) ((e) == SMFIC_CONNECT || (e) == SMFIC_HELO)
  
--- 997,1017 ----
      /*
       * Receive the reply or replies.
       * 
!      * Intercept all loop exits so that we can do post header/body edit
       * processing.
       * 
       * XXX Bound the loop iteration count.
+      * 
+      * In the end-of-body stage, the Milter may reply with one or more queue
+      * file edit requests before it replies with its final decision: accept,
+      * reject, etc. After a local queue file edit error (file too big, media
+      * write error), do not close the Milter socket in the cleanup server.
+      * Instead skip all further Milter replies until the final decision. This
+      * way the Postfix SMTP server stays in sync with the Milter, and Postfix
+      * doesn't have to lose the ability to handle multiple deliveries within
+      * the same SMTP session. This requires that the Postfix SMTP server uses
+      * something other than CLEANUP_STAT_WRITE when it loses contact with the
+      * cleanup server.
       */
  #define IN_CONNECT_EVENT(e) ((e) == SMFIC_CONNECT || (e) == SMFIC_HELO)
  
***************
*** 1002,1007 ****
--- 1036,1067 ----
  	    msg_info("reply: %s data %ld bytes",
  		     (smfir_name = str_name_code(smfir_table, cmd)) != 0 ?
  		     smfir_name : "unknown", (long) data_size);
+ 
+ 	/*
+ 	 * Handle unfinished message body replacement first.
+ 	 * 
+ 	 * XXX When SMFIR_REPLBODY is followed by some different request, we
+ 	 * assume that the body replacement operation is complete. The queue
+ 	 * file editing implementation currently does not support sending
+ 	 * part 1 of the body replacement text, doing some other queue file
+ 	 * updates, and then sending part 2 of the body replacement text. To
+ 	 * avoid loss of data, we log an error when SMFIR_REPLBODY requests
+ 	 * are alternated with other requests.
+ 	 */
+ 	if (body_line_buf != 0 && cmd != SMFIR_REPLBODY) {
+ 	    /* In case the last body replacement line didn't end in CRLF. */
+ 	    if (edit_resp == 0 && LEN(body_line_buf) > 0)
+ 		edit_resp = parent->repl_body(parent->chg_context,
+ 					      MILTER_BODY_LINE,
+ 					      body_line_buf);
+ 	    if (edit_resp == 0)
+ 		edit_resp = parent->repl_body(parent->chg_context,
+ 					      MILTER_BODY_END,
+ 					      (VSTRING *) 0);
+ 	    body_edit_lockout = 1;
+ 	    vstring_free(body_line_buf);
+ 	    body_line_buf = 0;
+ 	}
  	switch (cmd) {
  
  	    /*
***************
*** 1052,1058 ****
  	    if (IN_CONNECT_EVENT(event)) {
  		msg_warn("milter %s: DISCARD action is not allowed "
  			 "for connect or helo", milter->m.name);
- 		milter8_conf_error(milter);
  		MILTER8_EVENT_BREAK(milter->def_reply);
  	    } else {
  		/* No more events for this message. */
--- 1112,1117 ----
***************
*** 1188,1193 ****
--- 1247,1255 ----
  					  MILTER8_DATA_STRING, milter->body,
  					  MILTER8_DATA_END) != 0)
  			MILTER8_EVENT_BREAK(milter->def_reply);
+ 		    /* Skip to the next request after previous edit error. */
+ 		    if (edit_resp)
+ 			continue;
  		    /* XXX Sendmail 8 compatibility. */
  		    if (index == 0)
  			index = 1;
***************
*** 1212,1219 ****
  			edit_resp = parent->del_header(parent->chg_context,
  						       (ssize_t) index,
  						       STR(milter->buf));
- 		    if (edit_resp)
- 			MILTER8_EVENT_BREAK(edit_resp);
  		    continue;
  #endif
  
--- 1274,1279 ----
***************
*** 1226,1236 ****
  					  MILTER8_DATA_STRING, milter->body,
  					  MILTER8_DATA_END) != 0)
  			MILTER8_EVENT_BREAK(milter->def_reply);
  		    edit_resp = parent->add_header(parent->chg_context,
  						   STR(milter->buf),
  						   STR(milter->body));
- 		    if (edit_resp)
- 			MILTER8_EVENT_BREAK(edit_resp);
  		    continue;
  
  		    /*
--- 1286,1297 ----
  					  MILTER8_DATA_STRING, milter->body,
  					  MILTER8_DATA_END) != 0)
  			MILTER8_EVENT_BREAK(milter->def_reply);
+ 		    /* Skip to the next request after previous edit error. */
+ 		    if (edit_resp)
+ 			continue;
  		    edit_resp = parent->add_header(parent->chg_context,
  						   STR(milter->buf),
  						   STR(milter->body));
  		    continue;
  
  		    /*
***************
*** 1247,1252 ****
--- 1308,1316 ----
  					  MILTER8_DATA_STRING, milter->body,
  					  MILTER8_DATA_END) != 0)
  			MILTER8_EVENT_BREAK(milter->def_reply);
+ 		    /* Skip to the next request after previous edit error. */
+ 		    if (edit_resp)
+ 			continue;
  		    if ((ssize_t) index + 1 < 1) {
  			msg_warn("milter %s: bad insert header index: %ld",
  				 milter->m.name, (long) index);
***************
*** 1257,1264 ****
  						   (ssize_t) index + 1,
  						   STR(milter->buf),
  						   STR(milter->body));
- 		    if (edit_resp)
- 			MILTER8_EVENT_BREAK(edit_resp);
  		    continue;
  #endif
  
--- 1321,1326 ----
***************
*** 1270,1279 ****
  					  MILTER8_DATA_STRING, milter->buf,
  					  MILTER8_DATA_END) != 0)
  			MILTER8_EVENT_BREAK(milter->def_reply);
  		    edit_resp = parent->add_rcpt(parent->chg_context,
  						 STR(milter->buf));
- 		    if (edit_resp)
- 			MILTER8_EVENT_BREAK(edit_resp);
  		    continue;
  
  		    /*
--- 1332,1342 ----
  					  MILTER8_DATA_STRING, milter->buf,
  					  MILTER8_DATA_END) != 0)
  			MILTER8_EVENT_BREAK(milter->def_reply);
+ 		    /* Skip to the next request after previous edit error. */
+ 		    if (edit_resp)
+ 			continue;
  		    edit_resp = parent->add_rcpt(parent->chg_context,
  						 STR(milter->buf));
  		    continue;
  
  		    /*
***************
*** 1284,1293 ****
  					  MILTER8_DATA_STRING, milter->buf,
  					  MILTER8_DATA_END) != 0)
  			MILTER8_EVENT_BREAK(milter->def_reply);
  		    edit_resp = parent->del_rcpt(parent->chg_context,
  						 STR(milter->buf));
- 		    if (edit_resp)
- 			MILTER8_EVENT_BREAK(edit_resp);
  		    continue;
  
  		    /*
--- 1347,1357 ----
  					  MILTER8_DATA_STRING, milter->buf,
  					  MILTER8_DATA_END) != 0)
  			MILTER8_EVENT_BREAK(milter->def_reply);
+ 		    /* Skip to the next request after previous edit error. */
+ 		    if (edit_resp)
+ 			continue;
  		    edit_resp = parent->del_rcpt(parent->chg_context,
  						 STR(milter->buf));
  		    continue;
  
  		    /*
***************
*** 1295,1304 ****
--- 1359,1378 ----
  		     * update the message size.
  		     */
  		case SMFIR_REPLBODY:
+ 		    if (body_edit_lockout) {
+ 			msg_warn("milter %s: body replacement requests can't "
+ 				 "currently be mixed with other requests",
+ 				 milter->m.name);
+ 			milter8_conf_error(milter);
+ 			MILTER8_EVENT_BREAK(milter->def_reply);
+ 		    }
  		    if (milter8_read_data(milter, data_size,
  					  MILTER8_DATA_BUFFER, milter->body,
  					  MILTER8_DATA_END) != 0)
  			MILTER8_EVENT_BREAK(milter->def_reply);
+ 		    /* Skip to the next request after previous edit error. */
+ 		    if (edit_resp)
+ 			continue;
  		    /* Start body replacement. */
  		    if (body_line_buf == 0) {
  			body_line_buf = vstring_alloc(var_line_limit);
***************
*** 1348,1382 ****
      }
  
      /*
!      * Finish message body replacement.
       */
!     if (body_line_buf != 0) {
! 	if (edit_resp == 0) {
! 	    /* In case the last body replacement line didn't end in CRLF. */
! 	    if (LEN(body_line_buf) > 0)
! 		edit_resp = parent->repl_body(parent->chg_context,
! 					      MILTER_BODY_LINE,
! 					      body_line_buf);
! 	    if (edit_resp == 0)
! 		edit_resp = parent->repl_body(parent->chg_context,
! 					      MILTER_BODY_END,
! 					      (VSTRING *) 0);
! 	}
  	vstring_free(body_line_buf);
  
! 	/*
! 	 * Override a non-reject/discard result value after body replacement
! 	 * failure.
! 	 * 
! 	 * XXX Some cleanup clients ask the cleanup server to bounce mail for
! 	 * them. In that case we must override a hard reject retval result
! 	 * after queue file update failure. This is not a big problem; the
! 	 * odds are small that a Milter application sends a hard reject after
! 	 * replacing the message body.
! 	 */
! 	if (edit_resp && (retval == 0 || strchr("DS4", retval[0]) == 0))
! 	    retval = edit_resp;
!     }
      return (retval);
  }
  
--- 1422,1441 ----
      }
  
      /*
!      * Clean up after aborted message body replacement.
       */
!     if (body_line_buf)
  	vstring_free(body_line_buf);
  
!     /*
!      * XXX Some cleanup clients ask the cleanup server to bounce mail for
!      * them. In that case we must override a hard reject retval result after
!      * queue file update failure. This is not a big problem; the odds are
!      * small that a Milter application sends a hard reject after replacing
!      * the message body.
!      */
!     if (edit_resp && (retval == 0 || strchr("DS4", retval[0]) == 0))
! 	retval = edit_resp;
      return (retval);
  }
  
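Review bot: The comment above the final `retval` override still justifies replacing a hard reject only in terms of body replacement ("the odds are small that a Milter application sends a hard reject after replacing the message body"), but in the new code the test on `edit_resp` no longer sits inside the `body_line_buf` block. Other hunks in this file remove the `MILTER8_EVENT_BREAK(edit_resp)` exits after header and recipient edits and let the error reach this point instead, so the override now applies to any queue file edit failure. I would reword the last sentence along the lines of `the odds are small that a Milter application sends a hard reject after requesting a queue file edit`, and state that a reply starting with D, S or 4 is kept as is. The function body starts outside this hunk.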
***************
*** 1532,1537 ****
--- 1591,1599 ----
  		    VSTREAM_CTL_DOUBLE,
  		    VSTREAM_CTL_TIMEOUT, milter->cmd_timeout,
  		    VSTREAM_CTL_END);
+     /* Avoid poor performance when TCP MSS > VSTREAM_BUFSIZE. */
+     if (connect_fn == inet_connect)
+ 	vstream_tweak_tcp(milter->fp);
  
      /*
       * Open the negotiations by sending what actions the Milter may request
***************
*** 2434,2439 ****
--- 2496,2503 ----
  			    msg_timeout, NO_PROTOCOL, STR(act_buf), parent);
  	milter->fp = vstream_fdopen(fd, O_RDWR);
  	vstream_control(milter->fp, VSTREAM_CTL_DOUBLE, VSTREAM_CTL_END);
+ 	/* Avoid poor performance when TCP MSS > VSTREAM_BUFSIZE. */
+ 	vstream_tweak_sock(milter->fp);
  	milter->version = version;
  	milter->rq_mask = rq_mask;
  	milter->ev_mask = ev_mask;
diff -cr --new-file /var/tmp/postfix-2.4.3/src/smtp/smtp.c ./src/smtp/smtp.c
*** /var/tmp/postfix-2.4.3/src/smtp/smtp.c	Sun Mar 25 18:46:36 2007
--- ./src/smtp/smtp.c	Fri Jul 20 11:25:24 2007
***************
*** 204,209 ****
--- 204,215 ----
  /*	A case insensitive list of LHLO keywords (pipelining, starttls,
  /*	auth, etc.) that the LMTP client will ignore in the LHLO response
  /*	from a remote LMTP server.
+ /* .PP
+ /*	Available in Postfix version 2.4.4 and later:
+ /* .IP "\fBsend_cyrus_sasl_authzid (no)\fR"
+ /*	When authenticating to a remote SMTP or LMTP server with the
+ /*	default setting "no", send no SASL authoriZation ID (authzid); send
+ /*	only the SASL authentiCation ID (authcid) plus the authcid's password.
  /* MIME PROCESSING CONTROLS
  /* .ad
  /* .fi
diff -cr --new-file /var/tmp/postfix-2.4.3/src/smtp/smtp_connect.c ./src/smtp/smtp_connect.c
*** /var/tmp/postfix-2.4.3/src/smtp/smtp_connect.c	Sun Dec  3 14:58:09 2006
--- ./src/smtp/smtp_connect.c	Tue Jul 31 11:31:48 2007
***************
*** 304,309 ****
--- 304,319 ----
      stream = vstream_fdopen(sock, O_RDWR);
  
      /*
+      * Avoid poor performance when TCP MSS > VSTREAM_BUFSIZE.
+      */
+     if (sa->sa_family == AF_INET
+ #ifdef AF_INET6
+ 	|| sa->sa_family == AF_INET6
+ #endif
+ 	)
+ 	vstream_tweak_tcp(stream);
+ 
+     /*
       * Bundle up what we have into a nice SMTP_SESSION object.
       */
      return (smtp_session_alloc(stream, destination, name, addr,
***************
*** 380,386 ****
      if (THIS_SESSION_IS_EXPIRED)
  	smtp_quit(state);			/* also disables caching */
      if (THIS_SESSION_IS_CACHED
! 	/* Redundant tests for safety... */
  	&& vstream_ferror(session->stream) == 0
  	&& vstream_feof(session->stream) == 0) {
  	smtp_save_session(state);
--- 390,396 ----
      if (THIS_SESSION_IS_EXPIRED)
  	smtp_quit(state);			/* also disables caching */
      if (THIS_SESSION_IS_CACHED
!     /* Redundant tests for safety... */
  	&& vstream_ferror(session->stream) == 0
  	&& vstream_feof(session->stream) == 0) {
  	smtp_save_session(state);
diff -cr --new-file /var/tmp/postfix-2.4.3/src/smtpd/smtpd.c ./src/smtpd/smtpd.c
*** /var/tmp/postfix-2.4.3/src/smtpd/smtpd.c	Sat Mar 17 13:59:38 2007
--- ./src/smtpd/smtpd.c	Tue Jul 31 11:35:26 2007
***************
*** 1618,1624 ****
  	if (SMTPD_STAND_ALONE(state) == 0) {
  	    if (smtpd_milters != 0
  		&& (state->saved_flags & MILTER_SKIP_FLAGS) == 0)
! 		(void) milter_send(smtpd_milters, state->dest->stream);
  	    rec_fprintf(state->cleanup, REC_TYPE_TIME, REC_TYPE_TIME_FORMAT,
  			REC_TYPE_TIME_ARG(state->arrival_time));
  	    if (*var_filter_xport)
--- 1618,1625 ----
  	if (SMTPD_STAND_ALONE(state) == 0) {
  	    if (smtpd_milters != 0
  		&& (state->saved_flags & MILTER_SKIP_FLAGS) == 0)
! 		/* Send place-holder smtpd_milters list. */
! 		(void) milter_dummy(smtpd_milters, state->cleanup);
  	    rec_fprintf(state->cleanup, REC_TYPE_TIME, REC_TYPE_TIME_FORMAT,
  			REC_TYPE_TIME_ARG(state->arrival_time));
  	    if (*var_filter_xport)
***************
*** 2521,2526 ****
--- 2522,2531 ----
       */
      if (state->cleanup) {
  	if (SMTPD_STAND_ALONE(state) == 0) {
+ 	    if (smtpd_milters != 0
+ 		&& (state->saved_flags & MILTER_SKIP_FLAGS) == 0)
+ 		/* Send actual smtpd_milters list. */
+ 		(void) milter_send(smtpd_milters, state->cleanup);
  	    if (state->saved_flags)
  		rec_fprintf(state->cleanup, REC_TYPE_FLGS, "%d",
  			    state->saved_flags);
***************
*** 2735,2740 ****
--- 2740,2764 ----
  	state->dest = 0;
  	state->cleanup = 0;
      }
+ 
+     /*
+      * XXX If we lose the cleanup server while it is editing a queue file,
+      * the Postfix SMTP server will be out of sync with Milter applications.
+      * Sending an ABORT to the Milters is not sufficient to restore
+      * synchronization, because there may be any number of Milter replies
+      * already in flight. Destroying and recreating the Milters (and faking
+      * the connect and ehlo events) is too much trouble for testing and
+      * maintenance. Workaround: force the Postfix SMTP server to hang up with
+      * a 421 response in the rare case that the cleanup server breaks AND
+      * that the remote SMTP client continues the session after end-of-data.
+      * 
+      * XXX Should use something other than CLEANUP_STAT_WRITE when we lose
+      * contact with the cleanup server. This requires changes to the
+      * mail_stream module and its users (smtpd, qmqpd, perhaps sendmail).
+      * That is too much change for a stable release.
+      */
+     if (smtpd_milters != 0 && (state->err & CLEANUP_STAT_WRITE) != 0)
+ 	state->access_denied = mystrdup("421 4.3.0 Mail system error");
  
      /*
       * Handle any errors. One message may suffer from multiple errors, so
diff -cr --new-file /var/tmp/postfix-2.4.3/src/smtpstone/qmqp-source.c ./src/smtpstone/qmqp-source.c
*** /var/tmp/postfix-2.4.3/src/smtpstone/qmqp-source.c	Sat Mar 17 13:59:38 2007
--- ./src/smtpstone/qmqp-source.c	Tue Jul 31 12:40:47 2007
***************
*** 356,361 ****
--- 356,368 ----
  	dequeue_connect(session);
  	non_blocking(fd, BLOCKING);
  	event_disable_readwrite(fd);
+ 	/* Avoid poor performance when TCP MSS > VSTREAM_BUFSIZE. */
+ 	if (sa->sa_family == AF_INET
+ #ifdef AF_INET6
+ 	    || sa->sa_family == AF_INET6
+ #endif
+ 	    )
+ 	    vstream_tweak_tcp(session->stream);
  	send_data(session);
      }
  }
diff -cr --new-file /var/tmp/postfix-2.4.3/src/smtpstone/smtp-source.c ./src/smtpstone/smtp-source.c
*** /var/tmp/postfix-2.4.3/src/smtpstone/smtp-source.c	Sat Mar 17 13:59:38 2007
--- ./src/smtpstone/smtp-source.c	Tue Jul 31 12:41:41 2007
***************
*** 472,477 ****
--- 472,484 ----
  	event_disable_readwrite(fd);
  	event_enable_read(fd, read_banner, (char *) session);
  	dequeue_connect(session);
+ 	/* Avoid poor performance when TCP MSS > VSTREAM_BUFSIZE. */
+ 	if (sa->sa_family == AF_INET
+ #ifdef AF_INET6
+ 	    || sa->sa_family == AF_INET6
+ #endif
+ 	    )
+ 	    vstream_tweak_tcp(session->stream);
      }
  }
  
diff -cr --new-file /var/tmp/postfix-2.4.3/src/util/Makefile.in ./src/util/Makefile.in
*** /var/tmp/postfix-2.4.3/src/util/Makefile.in	Sat Mar 17 13:51:33 2007
--- ./src/util/Makefile.in	Sun Jul 29 12:02:35 2007
***************
*** 30,36 ****
  	username.c valid_hostname.c vbuf.c vbuf_print.c vstream.c \
  	vstream_popen.c vstring.c vstring_vstream.c watchdog.c writable.c \
  	write_buf.c write_wait.c sane_basename.c format_tv.c allspace.c \
! 	allascii.c load_file.c killme_after.c
  OBJS	= alldig.o allprint.o argv.o argv_split.o attr_clnt.o attr_print0.o \
  	attr_print64.o attr_print_plain.o attr_scan0.o attr_scan64.o \
  	attr_scan_plain.o auto_clnt.o base64_code.o basename.o binhash.o \
--- 30,36 ----
  	username.c valid_hostname.c vbuf.c vbuf_print.c vstream.c \
  	vstream_popen.c vstring.c vstring_vstream.c watchdog.c writable.c \
  	write_buf.c write_wait.c sane_basename.c format_tv.c allspace.c \
! 	allascii.c load_file.c killme_after.c vstream_tweak.c
  OBJS	= alldig.o allprint.o argv.o argv_split.o attr_clnt.o attr_print0.o \
  	attr_print64.o attr_print_plain.o attr_scan0.o attr_scan64.o \
  	attr_scan_plain.o auto_clnt.o base64_code.o basename.o binhash.o \
***************
*** 62,68 ****
  	username.o valid_hostname.o vbuf.o vbuf_print.o vstream.o \
  	vstream_popen.o vstring.o vstring_vstream.o watchdog.o writable.o \
  	write_buf.o write_wait.o sane_basename.o format_tv.o allspace.o \
! 	allascii.o load_file.o killme_after.o
  HDRS	= argv.h attr.h attr_clnt.h auto_clnt.h base64_code.h binhash.h \
  	chroot_uid.h cidr_match.h clean_env.h connect.h ctable.h dict.h \
  	dict_cdb.h dict_cidr.h dict_db.h dict_dbm.h dict_env.h dict_ht.h \
--- 62,68 ----
  	username.o valid_hostname.o vbuf.o vbuf_print.o vstream.o \
  	vstream_popen.o vstring.o vstring_vstream.o watchdog.o writable.o \
  	write_buf.o write_wait.o sane_basename.o format_tv.o allspace.o \
! 	allascii.o load_file.o killme_after.o vstream_tweak.o
  HDRS	= argv.h attr.h attr_clnt.h auto_clnt.h base64_code.h binhash.h \
  	chroot_uid.h cidr_match.h clean_env.h connect.h ctable.h dict.h \
  	dict_cdb.h dict_cidr.h dict_db.h dict_dbm.h dict_env.h dict_ht.h \
***************
*** 1600,1605 ****
--- 1600,1610 ----
  vstream_popen.o: vbuf.h
  vstream_popen.o: vstream.h
  vstream_popen.o: vstream_popen.c
+ vstream_tweak.o: msg.h
+ vstream_tweak.o: sys_defs.h
+ vstream_tweak.o: vbuf.h
+ vstream_tweak.o: vstream.h
+ vstream_tweak.o: vstream_tweak.c
  vstring.o: msg.h
  vstring.o: mymalloc.h
  vstring.o: sys_defs.h
diff -cr --new-file /var/tmp/postfix-2.4.3/src/util/vstream.h ./src/util/vstream.h
*** /var/tmp/postfix-2.4.3/src/util/vstream.h	Wed Feb 14 18:46:29 2007
--- ./src/util/vstream.h	Tue Jul 31 09:20:47 2007
***************
*** 153,158 ****
--- 153,164 ----
  #define vstream_setjmp(stream)		setjmp((stream)->jbuf[0])
  #define vstream_longjmp(stream, val)	longjmp((stream)->jbuf[0], (val))
  
+  /*
+   * Tweaks and workarounds.
+   */
+ extern int vstream_tweak_sock(VSTREAM *);
+ extern int vstream_tweak_tcp(VSTREAM *);
+ 
  /* LICENSE
  /* .ad
  /* .fi
diff -cr --new-file /var/tmp/postfix-2.4.3/src/util/vstream_tweak.c ./src/util/vstream_tweak.c
*** /var/tmp/postfix-2.4.3/src/util/vstream_tweak.c	Wed Dec 31 19:00:00 1969
--- ./src/util/vstream_tweak.c	Tue Jul 31 11:01:49 2007
***************
*** 0 ****
--- 1,139 ----
+ /*++
+ /* NAME
+ /*	vstream_tweak 3
+ /* SUMMARY
+ /*	performance tweaks
+ /* SYNOPSIS
+ /*	#include <vstream.h>
+ /*
+ /*	VSTREAM	*vstream_tweak_sock(stream)
+ /*	VSTREAM	*stream;
+ /*
+ /*	VSTREAM	*vstream_tweak_tcp(stream)
+ /*	VSTREAM	*stream;
+ /* DESCRIPTION
+ /*	vstream_tweak_sock() does a best effort to boost your
+ /*	network performance on the specified generic stream.
+ /*
+ /*	vstream_tweak_tcp() does a best effort to boost your
+ /*	Internet performance on the specified TCP stream.
+ /*
+ /*	Arguments:
+ /* .IP stream
+ /*	The stream being boosted.
+ /* DIAGNOSTICS
+ /*	Panics: interface violations.
+ /* LICENSE
+ /* .ad
+ /* .fi
+ /*	The Secure Mailer license must be distributed with this software.
+ /* AUTHOR(S)
+ /*	Wietse Venema
+ /*	IBM T.J. Watson Research
+ /*	P.O. Box 704
+ /*	Yorktown Heights, NY 10598, USA
+ /*--*/
+ 
+ /* System library. */
+ 
+ #include <sys_defs.h>
+ #include <sys/socket.h>
+ #include <netinet/in.h>
+ #include <netinet/tcp.h>
+ 
+ /* Utility library. */
+ 
+ #include <msg.h>
+ #include <vstream.h>
+ 
+ /* Application-specific. */
+ 
+ #ifdef HAS_IPV6
+ #define SOCKADDR_STORAGE struct sockaddr_storage
+ #else
+ #define SOCKADDR_STORAGE struct sockaddr
+ #endif
+ 
+ /* vstream_tweak_sock - boost your generic network performance */
+ 
+ int     vstream_tweak_sock(VSTREAM *fp)
+ {
+     SOCKADDR_STORAGE ss;
+     struct sockaddr *sa = (struct sockaddr *) & ss;
+     SOCKADDR_SIZE sa_length = sizeof(ss);
+     int     ret;
+ 
+     /*
+      * If the caller doesn't know if this socket is AF_LOCAL, AF_INET, etc.,
+      * figure it out for them.
+      */
+     if ((ret = getsockname(vstream_fileno(fp), sa, &sa_length)) >= 0) {
+ 	switch (sa->sa_family) {
+ #ifdef AF_INET6
+ 	case AF_INET6:
+ #endif
+ 	case AF_INET:
+ 	    ret = vstream_tweak_tcp(fp);
+ 	    break;
+ 	}
+     }
+     return (ret);
+ }
+ 
+ /* vstream_tweak_tcp - boost your TCP performance */
+ 
+ int     vstream_tweak_tcp(VSTREAM *fp)
+ {
+     const char *myname = "vstream_tweak_tcp";
+     int     mss;
+     SOCKOPT_SIZE mss_len = sizeof(mss);
+     int     err;
+ 
+     /*
+      * Avoid Nagle delays when VSTREAM buffers are smaller than the MSS.
+      * 
+      * Forcing TCP_NODELAY to be "always on" would hurt performance in the
+      * common case where VSTREAM buffers are larger than the MSS.
+      * 
+      * Instead we ask the kernel what the current MSS is, and take appropriate
+      * action. Linux <= 2.2 getsockopt(TCP_MAXSEG) always returns zero (or
+      * whatever value was stored last with setsockopt()).
+      */
+     if ((err = getsockopt(vstream_fileno(fp), IPPROTO_TCP, TCP_MAXSEG,
+ 			  (char *) &mss, &mss_len)) < 0) {
+ 	msg_warn("%s: getsockopt TCP_MAXSEG: %m", myname);
+ 	return (err);
+     }
+     if (msg_verbose)
+ 	msg_info("%s: TCP_MAXSEG %d", myname, mss);
+ 
+     /*
+      * Fix for recent Postfix versions: increase the VSTREAM buffer size if
+      * the VSTREAM buffer is smaller than the MSS. Note: the MSS may change
+      * when the route changes and IP path MTU discovery is turned on, so we
+      * choose a somewhat larger buffer.
+      */
+ #ifdef VSTREAM_CTL_BUFSIZE
+     if (mss > 0) {
+ 	if (mss < __MAXINT__(ssize_t) /2)
+ 	    mss *= 2;
+ 	vstream_control(fp,
+ 			VSTREAM_CTL_BUFSIZE, (ssize_t) mss,
+ 			VSTREAM_CTL_END);
+     }
+ 
+     /*
+      * Workaround for older Postfix versions: turn on TCP_NODELAY if the
+      * VSTREAM buffer size is smaller than the MSS.
+      */
+ #else
+     if (mss > VSTREAM_BUFSIZE) {
+ 	int     nodelay = 0;
+ 
+ 	if ((err = setsockopt(vstream_fileno(fp), IPPROTO_TCP, TCP_NODELAY,
+ 			      (char *) &nodelay, sizeof(nodelay))) < 0)
+ 	    msg_warn("%s: setsockopt TCP_NODELAY: %m", myname);
+     }
+ #endif
+     return (err);
+ }
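Review bot: In the `#else` branch of vstream_tweak_tcp(), `int nodelay = 0;` is passed to setsockopt(TCP_NODELAY), which clears the option, while the comment directly above says the workaround is to turn TCP_NODELAY on when the MSS exceeds the VSTREAM buffer size. If the comment states the intent, the line should read `int nodelay = 1;`; as written, builds without VSTREAM_CTL_BUFSIZE do not get the workaround the comment describes. Separately, the SYNOPSIS in the file header declares both functions as returning `VSTREAM *`, whereas the definitions here and the prototypes added to vstream.h return `int`. The manual text should say `int` and describe the result: the value of the underlying getsockname/getsockopt/setsockopt call, negative on failure.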
diff -cr --new-file /var/tmp/postfix-2.4.3/src/xsasl/xsasl_cyrus_client.c ./src/xsasl/xsasl_cyrus_client.c
*** /var/tmp/postfix-2.4.3/src/xsasl/xsasl_cyrus_client.c	Mon Nov 27 17:18:58 2006
--- ./src/xsasl/xsasl_cyrus_client.c	Wed Jul 11 08:35:45 2007
***************
*** 66,71 ****
--- 66,76 ----
  #include <stringops.h>
  
   /*
+   * Global library
+   */
+ #include <mail_params.h>
+ 
+  /*
    * Application-specific
    */
  #include <xsasl.h>
***************
*** 329,335 ****
  
      if ((sasl_status = SASL_CLIENT_NEW(service, server,
  				       NULL_CLIENT_ADDR, NULL_SERVER_ADDR,
! 				       custom_callbacks, NULL_SECFLAGS,
  				       &sasl_conn)) != SASL_OK) {
  	msg_warn("per-session SASL client initialization: %s",
  		 xsasl_cyrus_strerror(sasl_status));
--- 334,341 ----
  
      if ((sasl_status = SASL_CLIENT_NEW(service, server,
  				       NULL_CLIENT_ADDR, NULL_SERVER_ADDR,
! 				 var_cyrus_sasl_authzid ? custom_callbacks :
! 				       custom_callbacks + 1, NULL_SECFLAGS,
  				       &sasl_conn)) != SASL_OK) {
  	msg_warn("per-session SASL client initialization: %s",
  		 xsasl_cyrus_strerror(sasl_status));
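Review bot: `custom_callbacks + 1` assumes that the first entry of the callback array is the one that supplies the authzid, and nothing in this hunk states or checks that. The array is defined outside the hunk, so the order cannot be confirmed from here. If entries are ever reordered, or one is inserted at the front, this expression would silently skip a different callback (for example the authcid or password one). A comment at the call site such as `/* custom_callbacks[0] supplies the authzid; skip it when var_cyrus_sasl_authzid is off */`, with a matching remark at the array definition, would make the dependency explicit.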