[pkg-kolab] r138 - in trunk/postfix/debian: . patches po

Steffen Joeris white-guest at costa.debian.org
Fri Jan 13 09:54:41 UTC 2006


Author: white-guest
Date: 2006-01-13 09:53:12 +0000 (Fri, 13 Jan 2006)
New Revision: 138

Added:
   trunk/postfix/debian/README.Debian
   trunk/postfix/debian/arch-version
   trunk/postfix/debian/changelog
   trunk/postfix/debian/conffiles
   trunk/postfix/debian/config
   trunk/postfix/debian/control
   trunk/postfix/debian/copyright
   trunk/postfix/debian/dirs
   trunk/postfix/debian/functions
   trunk/postfix/debian/init.d
   trunk/postfix/debian/ip-down.d
   trunk/postfix/debian/ip-up.d
   trunk/postfix/debian/lintian-override
   trunk/postfix/debian/patches/
   trunk/postfix/debian/patches/00list
   trunk/postfix/debian/patches/10cyrus.dpatch
   trunk/postfix/debian/patches/10greylist.dpatch
   trunk/postfix/debian/patches/10hostname.dpatch
   trunk/postfix/debian/patches/10main.cf.dpatch
   trunk/postfix/debian/patches/10man.dpatch
   trunk/postfix/debian/patches/10master.cf.dpatch
   trunk/postfix/debian/patches/10rmail.dpatch
   trunk/postfix/debian/patches/10smtplinelength.dpatch
   trunk/postfix/debian/patches/20maps.dpatch
   trunk/postfix/debian/patches/30-kolab.dpatch
   trunk/postfix/debian/patches/50tls.dpatch
   trunk/postfix/debian/patches/60hpux.dpatch
   trunk/postfix/debian/patches/master.cf.local
   trunk/postfix/debian/po/
   trunk/postfix/debian/po/POTFILES.in
   trunk/postfix/debian/po/cs.po
   trunk/postfix/debian/po/de.po
   trunk/postfix/debian/po/es.po
   trunk/postfix/debian/po/fr.po
   trunk/postfix/debian/po/it.po
   trunk/postfix/debian/po/ja.po
   trunk/postfix/debian/po/nl.po
   trunk/postfix/debian/po/pt_BR.po
   trunk/postfix/debian/po/ru.po
   trunk/postfix/debian/po/templates.pot
   trunk/postfix/debian/postfix-dev.copyright
   trunk/postfix/debian/postfix-dev.dirs
   trunk/postfix/debian/postfix-dev.postinst
   trunk/postfix/debian/postfix-dev.prerm
   trunk/postfix/debian/postfix-doc.copyright
   trunk/postfix/debian/postfix-doc.dirs
   trunk/postfix/debian/postfix-doc.doc-base
   trunk/postfix/debian/postfix-doc.postinst
   trunk/postfix/debian/postfix-doc.prerm
   trunk/postfix/debian/postfix-ldap.README.Debian
   trunk/postfix/debian/postfix-ldap.copyright
   trunk/postfix/debian/postfix-ldap.dirs
   trunk/postfix/debian/postfix-ldap.files
   trunk/postfix/debian/postfix-ldap.postinst
   trunk/postfix/debian/postfix-ldap.prerm
   trunk/postfix/debian/postfix-mysql.README.Debian
   trunk/postfix/debian/postfix-mysql.copyright
   trunk/postfix/debian/postfix-mysql.dirs
   trunk/postfix/debian/postfix-mysql.files
   trunk/postfix/debian/postfix-mysql.postinst
   trunk/postfix/debian/postfix-mysql.prerm
   trunk/postfix/debian/postfix-pcre.README.Debian
   trunk/postfix/debian/postfix-pcre.copyright
   trunk/postfix/debian/postfix-pcre.dirs
   trunk/postfix/debian/postfix-pcre.files
   trunk/postfix/debian/postfix-pcre.postinst
   trunk/postfix/debian/postfix-pcre.prerm
   trunk/postfix/debian/postfix-pgsql.README.Debian
   trunk/postfix/debian/postfix-pgsql.copyright
   trunk/postfix/debian/postfix-pgsql.dirs
   trunk/postfix/debian/postfix-pgsql.files
   trunk/postfix/debian/postfix-pgsql.postinst
   trunk/postfix/debian/postfix-pgsql.prerm
   trunk/postfix/debian/postfix-tls.copyright
   trunk/postfix/debian/postfix-tls.dirs
   trunk/postfix/debian/postfix-tls.postinst
   trunk/postfix/debian/postfix-tls.postrm
   trunk/postfix/debian/postfix-tls.preinst
   trunk/postfix/debian/postfix-tls.prerm
   trunk/postfix/debian/postinst
   trunk/postfix/debian/postrm
   trunk/postfix/debian/preinst
   trunk/postfix/debian/prerm
   trunk/postfix/debian/rules
   trunk/postfix/debian/shlibs
   trunk/postfix/debian/templates
   trunk/postfix/debian/tls-patch
   trunk/postfix/debian/update-libc.d
   trunk/postfix/debian/vars.in
Log:
* postfix version with small patch
* this is the sarge version
* we use it because it is stable and so
  sarge users can also test the packages later
* this package will be removed if the Debian maintainer
  includes the patch or postfix 2.3 is released


Added: trunk/postfix/debian/README.Debian
===================================================================
--- trunk/postfix/debian/README.Debian	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/README.Debian	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,19 @@
+There are some significant differences between the Debian Postfix packages,
+and the source from upstream:
+
+1.  The Debian install is chrooted by default.
+2.  IPV6 support is present and enabled.
+3.  TLS/SASL support is found in the postfix-tls package.
+4.  Dynamically loadable map support.
+5.  For policy reasons:
+  a. SASL configuration is found in /etc/postfix/sasl
+  b. myhostname=/path/to/file is supported (and used) in main.cf
+
+Known caveats:
+1.  The dynamically loadable modules are not found in the chroot.
+    Therefore, proxy maps may require you to copy the appropriate shared
+    object into the chroot if you chroot the proxy service in master.cf.
+2.  Some map types (and SASL support) require some extra configuration
+    (beyond what upstream indicates) to run inside the chroot.  The simplest
+    solution for the maps is to use the proxy service, which is not chrooted.
+    SASL is a bit more complex, and is on the TODO list...
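
Review bot: README.Debian says nothing about what this Kolab build changes relative to the stock Debian package, even though the whole point of the fork (per the commit log and the 2.1.5-10kolab1 changelog entry) is the added 30-kolab.dpatch. The file as added is the Debian maintainer's README verbatim, so an admin installing postfix from pkg-kolab will read "differences between the Debian Postfix packages and the source from upstream" and never learn that a third layer of changes exists. Suggest a short paragraph at the top, e.g. "This build carries an additional Kolab-specific patch (debian/patches/30-kolab.dpatch); see the changelog for details." so the deviation from the Debian package is documented where people look for it.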

Added: trunk/postfix/debian/arch-version
===================================================================
--- trunk/postfix/debian/arch-version	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/arch-version	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1 @@
+lamont at debian.org--2004/postfix--debian--2.1--patch-6
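
Review bot: debian/arch-version records the Debian maintainer's tla archive and branch (`lamont at debian.org--2004/postfix--debian--2.1--patch-6`), which describes the source this fork was copied from, not this subversion tree. Since nothing in pkg-kolab will update it, it will silently go stale and mislead anyone trying to trace where the packaging came from; either drop the file or replace its content with a pointer to the actual origin (the 2.1.5-9 Debian package) in a form that does not pretend to be live tla metadata.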

Added: trunk/postfix/debian/changelog
===================================================================
--- trunk/postfix/debian/changelog	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/changelog	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,1392 @@
+postfix (2.1.5-10kolab1) unstable; urgency=low
+
+  * Build for Kolab
+  * Add patch (30-kolab.dpatch)
+
+ --  <steffen.joeris at skolelinux.de>  Wed, 11 Jan 2006 15:55:55 +0000
+
+postfix (2.1.5-9) unstable; urgency=low
+
+  * more cleanup in if-up.d script.  Closes: #297127
+
+ -- LaMont Jones <lamont at debian.org>  Sun, 27 Feb 2005 09:33:07 -0700
+
+postfix (2.1.5-8) unstable; urgency=low
+
+  * Only force queue run in if-up.d script if postfix is running.
+    Closes: #296817
+
+ -- LaMont Jones <lamont at debian.org>  Sat, 26 Feb 2005 22:03:17 -0700
+
+postfix (2.1.5-7) unstable; urgency=low
+
+  * Fix stupid typo: /etc/network/ip-* -> /etc/network/if-*.
+    Thanks to Andrew Bennetts.  Closes: #296525
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 22 Feb 2005 20:10:19 -0700
+
+postfix (2.1.5-6) unstable; urgency=low
+
+  * inet_interfaces=loopback-only from 2.2 snapshot.  Closes: #293250, #292086
+  * Add relay entry to master.cf if missing.  Closes: #260593
+
+ -- LaMont Jones <lamont at mmjgroup.com>  Thu,  3 Feb 2005 11:57:06 -0700
+
+postfix (2.1.5-5) unstable; urgency=low
+
+  * Actually stop postfix in preinst.  Closes: #290855
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 17 Jan 2005 20:24:49 -0700
+
+postfix (2.1.5-4) unstable; urgency=low
+
+  * cleanup 50tls.  Closes: #288557
+
+ -- LaMont Jones <lamont at debian.org>  Tue,  4 Jan 2005 12:03:29 -0700
+
+postfix (2.1.5-3) unstable; urgency=low
+
+  * postmap and postalias would segv on map types that do not support
+    creation.
+  * restart when postfix-not-running needs to start
+  * clone ppp ifup/down scripts into etc/network as well.
+  * Switch to using dpatch to manage patches.
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 28 Dec 2004 08:37:23 -0700
+
+postfix (2.1.5-2) unstable; urgency=low
+
+  * Update pt_BR debconf template.  Closes: #281986
+  * Update es debconf template.  Closes: #283165
+  * Update ja debconf template.  Closes: #280114
+  * Update fr debconf template.  Closes: #281214
+  * Fix broken upgrade case in postfix-tls.
+  * Drop duplicate debconf Depends.  Closes: #284003
+
+ -- LaMont Jones <lamont at debian.org>  Sat, 11 Dec 2004 03:39:58 -0700
+
+postfix (2.1.5-1) unstable; urgency=low
+
+  * New upstream version
+  * Drop 'HP' config option from the templates.
+  * Build-Depend: groff-base
+  * Deliver man pages for master.cf services in 8postfix section.
+    Remove smtpd.8.gz diversion. Closes: #274777
+  * Add a README.Debian.  Closes: #274323, #272087
+  * Fix typo in postmap man page.  Closes: #271369
+  * Add Czech translations.  Closes: #275338
+
+ -- LaMont Jones <lamont at debian.org>  Sat, 30 Oct 2004 21:59:51 -0600
+
+postfix (2.1.4-5) unstable; urgency=low
+
+  * Only listen on loopback for local-only client.
+  * updated Brazilian Portugese translations.  Closes: #263857
+  * ipv6 patch version of own_inet_addr behaved incorrectly.
+  * Deal with null domain names better.
+  * Properly cleanup on purge.  Closes: #166913, #251668
+  * Only listen on loopback for local-only and satellite config.
+  * tls_random_exchange_name needs to default to /var/spool/postfix/prng_exch
+    Closes: #270122
+
+ -- LaMont Jones <lamont at mmjgroup.com>  Sun,  5 Sep 2004 19:33:39 -0600
+
+postfix (2.1.4-4) unstable; urgency=low
+
+  * New italian translations.  Closes: #262705
+  * Use invoke-rc.d if present.  Closes: #262621
+
+ -- LaMont Jones <lamont at debian.org>  Sun,  1 Aug 2004 10:47:00 -0600
+
+postfix (2.1.4-3) unstable; urgency=low
+
+  * Cleanup typos in postinst.  Closes: #262194,#262127
+  * Fix typo in smtp/TLS.  Closes: #258775
+
+ -- LaMont Jones <lamont at debian.org>  Fri, 30 Jul 2004 01:39:49 -0600
+
+postfix (2.1.4-2) unstable; urgency=low
+
+  * use start-stop-daemon to launch postfix.
+  * Update japanese translations.  Closes: #260822
+  * Update French translations.  Closes: #261124
+  * Update Dutch translations.  Closes: #261336
+  * Need to handle sdbm map creation.  Closes: #261842
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 28 Jul 2004 09:29:53 -0600
+
+postfix (2.1.4-1) unstable; urgency=low
+
+  * New upstream
+  * Deal with being configured _really_ early.  Closes: #255884
+  * Fix typo in spf.pl.  Closes: #256912
+  * Clean up log message in smtp_connect.  Closes: #257052
+  * Correct debconf template.  Closes: #258876
+  * Better dynamicmaps.cf conversion.  Closes: #257326
+  * Always ask about root email address, not just after preinst
+    decides that we need to.  Closes: #256055
+
+ -- LaMont Jones <lamont at debian.org>  Sun, 11 Jul 2004 18:25:31 -0600
+
+postfix (2.1.3-1) unstable; urgency=medium
+
+  * New upstream
+  * New translations.  Closes: #254405, #255675
+  * Deliver qshape.  Closes: #254414
+  * remove (default) setgid_group decl from main.cf.
+  * Add trace and verify to master.cf in postinst.  Closes: #255260
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 22 Jun 2004 13:39:08 -0600
+
+postfix (2.1.1-8) unstable; urgency=low
+
+  * dpkg-divert revisited.  Closes: #254211, #252162
+
+ -- LaMont Jones <lamont at debian.org>  Sun, 13 Jun 2004 12:23:32 -0600
+
+postfix (2.1.1-7) unstable; urgency=low
+
+  * Missing html pages.  Closes: #254164
+  * Really add back in gdbm support.  Sigh.
+
+ -- LaMont Jones <lamont at debian.org>  Sun, 13 Jun 2004 11:49:52 -0600
+
+postfix (2.1.1-6) unstable; urgency=low
+
+  * Force rename of nqmgr->qmgr in master.cf if needed.  Closes: #254043
+
+ -- LaMont Jones <lamont at debian.org>  Sat, 12 Jun 2004 19:41:21 -0600
+
+postfix (2.1.1-5) unstable; urgency=low
+
+  * Prototypes missing from pfixtls stuff cause broken sdbm maps on
+    64-bit architectures.  Closes: #254025
+
+ -- LaMont Jones <lamont at debian.org>  Sat, 12 Jun 2004 09:23:55 -0600
+
+postfix (2.1.1-4) unstable; urgency=low
+
+  * Can't drop gdbm completely until sarge actually ships. :-(
+  * Deliver more examples. (greylisting, etc.)  Closes: #252838
+  * Fix typo in postinst.  Closes: #250105
+  * Don't ask procmail question if procmail is not installed. Closes: #229280
+  * Italian templates.  Closes: #253501
+  * Make postconf diversion from ancient postfix-tls go away.
+    Closes: #253277, #252398, #250404
+  * Don't complain when trying to bind ipv6 addresses on a machine without
+    ipv6.  Closes: #253371
+  * Remove all references to cyrus from master.cf, at the request of the
+    Cyrus maintainer (hmh at debian.org).  See README.postfix in the cyrus
+    packages.  Closes: #253952, #228721
+  * Better master.cf handling.  Closes: #232715
+  * Apply patch from Victor to fix va_arg usage (ppc broke.)  Closes: #253228
+
+ -- LaMont Jones <lamont at debian.org>  Sat, 12 Jun 2004 07:46:39 -0600
+
+postfix (2.1.1-3) unstable; urgency=low
+
+  * add back postfix-files.  Closes: #252316
+  * Remove unused variable from init.d script.  Closes: #252371
+
+ -- LaMont Jones <lamont at debian.org>  Wed,  2 Jun 2004 21:35:29 -0600
+
+postfix (2.1.1-2) unstable; urgency=low
+
+  * Add IPv6 support.  This may change when upstream incorporates IPv6,
+    but is based on the most likely configuration interface.
+    Closes: #144840.
+  * clean up config files that aren't needed under /etc/postfix
+
+ -- LaMont Jones <lamont at debian.org>  Wed,  2 Jun 2004 06:44:15 -0600
+
+postfix (2.1.1-1) unstable; urgency=low
+
+  * New upstream.  Closes: #250507, #144128, #220674, #170691
+    GDBM support is now turned off, results in a fatal error.
+  * Add Russian debconf template.  Closes: #135847
+  * Patch from upstream fixing get_hostname failures.
+
+ -- LaMont Jones <lamont at debian.org>  Sun, 30 May 2004 17:07:10 -0600
+
+postfix (2.0.19-1) unstable; urgency=low
+
+  * New upstream version
+  * Minor tweaks to main.cf.debian. (Shorten it some more.)
+  * Have update-libc.d/postfix check to make sure postfix is installed.
+    Closes: #230330
+  * Cleanup resolvconf output.  Closes: #225797
+  * Add abort option to /etc/init.d/postfix. Closes: #230573
+  * Recommend: resolvconf.  Closes: #154669
+  * Update Japanese translation.  Closes: #237787
+  * Change the default smtp_line_length_limit to unlimited.
+  * Add spanish debconf template.  Closes: #239096
+
+ -- LaMont Jones <lamont at debian.org>  Sat, 20 Mar 2004 18:02:39 -0700
+
+postfix (2.0.18-1) unstable; urgency=low
+
+  * New upstream release.  Closes: #229045
+
+ -- LaMont Jones <lamont at debian.org>  Thu, 22 Jan 2004 08:13:50 -0700
+
+postfix (2.0.17-1) unstable; urgency=low
+
+  * New upstream release
+  * update Japanese debconf template.  Closes: #224139
+  * Add some directory decls to default main.cf (match config.)  Closes: #226238
+  * it's regex(7), not re_format(7).  Closes: #228773
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 20 Jan 2004 16:41:40 -0700
+
+postfix (2.0.16-4) unstable; urgency=low
+
+  * /etc/resolvconf/update-libc.d/postfix is a conffile.  Closes: #212552
+
+ -- LaMont Jones <lamont at debian.org>  Mon,  8 Dec 2003 14:46:22 -0700
+
+postfix (2.0.16-3) unstable; urgency=low
+
+  * Fix NEED_CHROOT in init.d to handle 'y' as well as '-'.  Closes: #218512
+  * Change cyrus invocation.  Closes: #222893, #174206
+  * Stop delivering HISTORY in postfix-doc (it's in
+    /usr/share/doc/postfix/changelog).  Closes: #146959
+  * Make wildcard dynamicmaps.cf entry be a warning, not fatal.
+    Closes: #159988
+  * Add resolfconf support.  Closes: #212552
+
+ -- LaMont Jones <lamont at debian.org>  Mon,  8 Dec 2003 10:02:34 -0700
+
+postfix (2.0.16-2) unstable; urgency=low
+
+  * Make some centarian happy with the debconf descriptions.  Closes: #215019
+  * postfix-tls needs to conflict: postfix-snap-tls.  Closes: #215958
+  * Clean up debconf template wrt root mail.  Closes: #215104
+
+ -- LaMont Jones <lamont at debian.org>  Sun, 26 Oct 2003 18:48:55 -0700
+
+postfix (2.0.16-1) unstable; urgency=low
+
+  * New upstream release.
+
+ -- LaMont Jones <lamont at debian.org>  Sat, 20 Sep 2003 13:14:50 -0600
+
+postfix (2.0.14-3) unstable; urgency=low
+
+  * Cleanup dependency screwup.
+
+ -- LaMont Jones <lamont at debian.org>  Sun, 14 Sep 2003 09:08:34 -0600
+
+postfix (2.0.14-2) unstable; urgency=low
+
+  * New Brazilian Portuguese, Japanese, Dutch, and French translations.
+    Closes: #207818, #206705, #208048, #210717
+  * Don't set /etc/mailname if hostname has only one label.
+  * Clean up descriptions.  Closes: #209874
+  * Quit suggesting cyrus-common, Remove recommends for sasl2 modules,
+    since "that is the sasl2 packages' responsibility."  Closes: #209266
+  * Cleanup SASL_README.  Closes: #202815
+  * Change the default location for prng_exch to /var/spool/postfix.
+    Closes: #190285
+  * No need for a separate postconf for tls now, get rid of it.
+
+ -- LaMont Jones <lamont at debian.org>  Sat, 13 Sep 2003 17:47:38 -0600
+
+postfix (2.0.14-1) unstable; urgency=low
+
+  * New upstream version
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 12 Aug 2003 23:44:09 -0600
+
+postfix (2.0.13-4) unstable; urgency=high
+
+  * Ignore errors from chattr, patch based on Gerry Patterson's. Closes: #203279
+  * High urgency because testing (1.1.11) is broken now that openldap 2.1
+    is there.
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 28 Jul 2003 20:49:26 -0600
+
+postfix (2.0.13-3) unstable; urgency=low
+
+  * Default to non-synchronous mail queue metadata updates, new debconf
+    question.  Closes: #202720
+
+ -- LaMont Jones <lamont at debian.org>  Sun, 27 Jul 2003 20:05:21 -0600
+
+postfix (2.0.13-2) unstable; urgency=low
+
+  * Incorporate tls-0.8.15.  Closes: #200642
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 23 Jul 2003 09:36:34 -0600
+
+postfix (2.0.13-1) unstable; urgency=low
+
+  * New upstream version
+  * Add --system to addgroup's in postinst.  Closes: #176905
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 30 Jun 2003 12:23:48 -0600
+
+postfix (2.0.12-1) unstable; urgency=low
+
+  * New upstream version.  2.0.11 broke sendmail -bs.  Closes: #197660
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 18 Jun 2003 20:33:01 -0600
+
+postfix (2.0.11-2) unstable; urgency=low
+
+  * Roll to new gdbm libs.
+  * Fix postfix-tls recommends.  Closes: #195032, #191905, #145861, #144636
+  * Deal with missing /etc/postfix/sasl better.  Closes: #155246
+  * Don't use -a in [ or test calls.  Closes: #196549
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 11 Jun 2003 23:18:05 -0600
+
+postfix (2.0.11-1) unstable; urgency=low
+
+  * New upstream version
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 11 Jun 2003 10:02:22 -0600
+
+postfix (2.0.10-2) unstable; urgency=low
+
+  * Dynamicmap.cf cleanup needs to happen before db conversion.
+  * Remove ldap cache support (no longer present in ldap 2.1
+  * Add ldap limits.
+
+ -- LaMont Jones <lamont at debian.org>  Sun, 25 May 2003 18:12:51 -0600
+
+postfix (2.0.10-1) unstable; urgency=low
+
+  * New upstream version
+  * Include translations: Closes: #190707
+  * restore copyright file for postfix-tls. oops.
+  * Clean up chroot handling.  Closes: #193721
+
+ -- LaMont Jones <lamont at debian.org>  Thu, 22 May 2003 17:07:11 -0600
+
+postfix (2.0.9-3) unstable; urgency=low
+
+  * Somehow dropped the upstream change in the version number.  Closes: #190112
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 22 Apr 2003 00:22:40 -0600
+
+postfix (2.0.9-2) unstable; urgency=low
+
+  * Rebuild against ldap 2.1 and sasl2.  Closes: #146627, #177153
+  * Use --system in addgroup.  Closes: #189833
+
+ -- LaMont Jones <lamont at debian.org>  Sun, 20 Apr 2003 20:08:19 -0600
+
+postfix (2.0.9-1) unstable; urgency=low
+
+  * New upstream release.
+    - Refuses to run if netblocks have non-zero host parts, since too many
+      people can't seem to get them right... (2.0.8)
+    - The SMTP client did not deliver a partial last line when someone
+      submitted 8BITMIME mail not ending in newline via /usr/sbin/sendmail
+      while MIME input processing was turned off (not the default), and
+      MIME 8bit->7bit conversion was requested upon delivery. (2.0.9)
+  * Fix debconf dependency.  Closes: #188401
+  * Switch to db4.1 - auto convert all databases: This is a low priority
+    debconf question...
+  * Incorporate upstream feedback in dict_pgsql.[ch] (Now part of the
+    upstream snapshot releases.)
+  * Fix hp-ux build again..
+
+ -- LaMont Jones <lamont at debian.org>  Fri, 18 Apr 2003 23:58:30 -0600
+
+postfix (2.0.7-3) unstable; urgency=low
+
+  * Real upstream 2.0.7 release...
+    - The SMTP server access map actions HOLD, DISCARD, FILTER (and
+      REDIRECT in snapshots) dumped core with smtpd_delay_reject=no,
+      and with ETRN.
+    - The DISCARD action now works as expected and causes Postfix to
+      skip other restrictions such as REJECT.
+    - The postsuper manual page documented support for the -c command
+      line option, but the feature was not implemented.
+    - The VRFY command was broken as of Postfix 2.0, and would always
+      reply with 252 (neutral) unless the service was disabled.
+  * rename the french templates file.  Closes: #184314
+  * Add german template translations.  Closes: #185626
+  * Add a commented out delay_warning_time = 4h.  Closes: #171704
+  * Allow empty mynetworks --> no mynetworks in the file.  Closes: #160493
+
+ -- LaMont Jones <lamont at debian.org>  Thu, 20 Mar 2003 12:33:27 -0700
+
+postfix (2.0.7-2) unstable; urgency=low
+
+  * The "there is no 2.0.7 yet" relase.  Sigh.  This is 2.0.7-1 minus the
+    upstream patch-that-isn't.  sigh.
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 17 Mar 2003 18:40:55 -0700
+
+postfix (2.0.7-1) unstable; urgency=low
+
+  * New upstream release, cosmetic fixes.
+  * Add French templates.  Closes: #184314
+  * have postfix-tls Recommend libsasl-modules-plain, libsasl-digestmd5-plain.
+    Closes: #176048
+  * Fix code for dealing with dynamicmaps.cf.  Closes: #184759
+  * Make sure we ask about dynamicmaps upgrade when we should.  Closes: #184106
+
+ -- LaMont Jones <lamont at debian.org>  Sun, 16 Mar 2003 22:19:04 -0700
+
+postfix (2.0.6-1) unstable; urgency=low
+
+  * New upstream release:
+     Postfix truncates non-address information in message address headers
+     (comments, etc.) to 250 characters per address, in order to protect
+     vulnerable Sendmail systems against exploitation of a remote buffer
+     overflow problem (CERT advisory CA-2003-07).
+
+ -- LaMont Jones <lamont at debian.org>  Thu,  6 Mar 2003 22:25:25 -0700
+
+postfix (2.0.5-1) unstable; urgency=low
+
+  * New upstream release.
+    The smtpd_hard_error_limit and smtpd_soft_error_limit values now
+    behave as documented, that is, smtpd_hard_error_limit=1 causes
+    Postfix to disconnect upon the first client error. Previously,
+    there was an off-by-one error causing Postfix to change behavior
+    after smtpd_hard/soft_error_limit+1 errors.
+  * Switch to gettext based template translations.  Closes: #183455, #140699
+  * Fix typo in postinst.  Closes: #156654
+
+ -- LaMont Jones <lamont at debian.org>  Tue,  4 Mar 2003 22:06:34 -0700
+
+postfix (2.0.4-1) unstable; urgency=low
+
+  * New upstream release. Closes: #181831
+  * more template cleanup.  Closes: #178523
+
+ -- LaMont Jones <lamont at debian.org>  Sun, 23 Feb 2003 09:12:04 -0700
+
+postfix (2.0.3-5) unstable; urgency=low
+
+  * Add pgsql support (by Lenart Janos <ocsi at debian.org>), based on
+    http://downloads.rhyme.com.au/postfix/postfix-1.1.11-20020613pg_020626.patch.gz
+  * Explicitly link libraries.  Closes: #180678
+  * Fix debconf prompts.  Closes: #179365
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 17 Feb 2003 20:27:54 -0700
+
+postfix (2.0.3-4) unstable; urgency=low
+
+  * Switch to -O1 for all archs, since it's not just sparc that has
+    optimization issues with gcc 3.2.  Closes: #179246
+
+ -- LaMont Jones <lamont at debian.org>  Sat,  1 Feb 2003 13:21:14 -0700
+
+postfix (2.0.3-3) unstable; urgency=low
+
+  * Use -O1 on sparc.  Closes: #179087
+
+ -- LaMont Jones <lamont at debian.org>  Thu, 30 Jan 2003 14:17:27 -0700
+
+postfix (2.0.3-2) unstable; urgency=low
+
+  * Fix bashism in init.d script.  Closes: #178368, #178424
+  * Cleanup the error message for missing maps.  Closes: #177774
+
+ -- LaMont Jones <lamont at debian.org>  Sun, 26 Jan 2003 10:35:01 -0700
+
+postfix (2.0.3-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- LaMont Jones <lamont at debian.org>  Fri, 24 Jan 2003 20:45:03 -0700
+
+postfix (2.0.2-3) unstable; urgency=low
+
+  * Handle dynamicmaps upgrade for 'No configuration' users.  Closes: #178037
+  * Force proxymap service into master.cf.  Closes: #177914
+  * Make chroot-syncing configurable.  Closes: #165326
+
+ -- LaMont Jones <lamont at debian.org>  Thu, 23 Jan 2003 15:37:33 -0700
+
+postfix (2.0.2-2) unstable; urgency=low
+
+  * make sasl paths autoswitch for sasl1 vs sasl2.
+  * deal with maps transition for sdbm and tcp maps.  Closes:#177592
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 20 Jan 2003 09:40:51 -0700
+
+postfix (2.0.2-1) unstable; urgency=low
+
+  * New upstream release
+  * Fix postconf -m.  Closes: #150072
+
+ -- LaMont Jones <lamont at debian.org>  Sat, 18 Jan 2003 22:10:01 -0700
+
+postfix (2.0.1-3) unstable; urgency=low
+
+  * Fix typo in preinst.  Closes: #176897
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 15 Jan 2003 12:51:31 -0700
+
+postfix (2.0.1-2) unstable; urgency=low
+
+  * Patch from upstream for sendmail -bs.  Closes: #176783
+  * Clean up postfix-dev Depends.  Closes: #176851
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 15 Jan 2003 07:12:39 -0700
+
+postfix (2.0.1-1) unstable; urgency=low
+
+  * New upstream version.  Adds proxymap service.  Closes: #96157
+  * Deal with multiple alias maps in preinst.  Closes: #175384, #156661
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 13 Jan 2003 22:43:22 -0700
+
+postfix (2.0.0.1-1) unstable; urgency=low
+
+  * New upstream version.  See /usr/share/doc/postfix/changelog.
+  * Fix SASL v1 paths. This closes Bug#174191 (the opposite of
+    Bug#159724).  Thanks to Jonas Smedegard (dr at jones.dk) for the patch.
+  * Correct s/certficate/certificate/. Closes Bug#156345.  Ditto.
+
+ -- LaMont Jones <lamont at debian.org>  Fri, 27 Dec 2002 01:02:55 -0700
+
+postfix (1.1.12-1) unstable; urgency=low
+
+  * New upstream relase.
+  * Fix postfix-tls description.  Closes: #160697
+  * New upstream TLS (0.8.11a).
+  * Fix wildcard transport initialization.  Closes: #167093
+  * Use libsasl-dev: libldap2-dev conflicts with it.  Closes: #160670
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 23 Dec 2002 10:34:17 -0700
+
+postfix (1.1.11.0-3) unstable; urgency=low
+
+  * setting wrong flags in config.  Closes: #159882
+  * Enhancements to rbl support.
+  * Make nqmgr the default.
+  * One more tls screwup, it would appear.  Closes: #144968
+
+ -- LaMont Jones <lamont at debian.org>  Thu, 12 Sep 2002 10:37:36 -0600
+
+postfix (1.1.11.0-2) unstable; urgency=low
+
+  * Fix sasl2 roll screwup.  Closes: #159724
+  * Fix template typo.  Closes: #159734
+
+ -- LaMont Jones <lamont at debian.org>  Thu,  5 Sep 2002 09:44:40 -0600
+
+postfix (1.1.11.0-1) unstable; urgency=low
+
+  * Merge in tls stuff from snapshots, using tls-0.8.7.  Requires a bump
+    of the upstream version number because of the old postfix-tls version
+    numbering.
+  * Need to deliver /etc/postfix/sasl.
+  * If we couldn't set the LDAP protocol version, we didn't remember that.
+    Closes: #158730, #158288
+  * Read system values for mynetworks and mydestination if main.cf exists.
+    (Once mydestination is set, we'll always read it from main.cf if it
+    exists...) Closes: #145072, #142726
+  * Add flush to the list of directories that get created/chowned.
+    Closes: #156791
+  * Quit depending on postfix-pcre and postfix-ldap, just suggests.
+    Closes: #144201
+  * Handle == VERP as well as -= VERP.  Makes murphy happy.
+  * Make /usr/lib/postfix the default daemon directory.  Closes: #155250.
+
+ -- LaMont Jones <lamont at debian.org>  Tue,  3 Sep 2002 23:48:01 -0600
+
+postfix (1.1.11-2) unstable; urgency=low
+
+  * reincorporate lost fixes from upstream merge.
+
+ -- LaMont Jones <lamont at debian.org>  Sun, 14 Jul 2002 10:11:31 -0600
+
+postfix (1.1.11-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- LaMont Jones <lamont at debian.org>  Fri, 12 Jul 2002 21:32:06 -0600
+
+postfix (1.1.11-0.woody1) testing; urgency=medium
+
+  * New upstream version.  Closes: #150298, #146626
+
+ -- LaMont Jones <lamont at debian.org>  Thu, 11 Jul 2002 12:03:14 -0600
+
+postfix (1.1.7-7) unstable; urgency=low
+
+  * Actually fix wildcard transports.  Was dying if transport map didn't
+    hit, and there wasn't a wildcard.  Closes: #145884
+
+ -- LaMont Jones <lamont at debian.org>  Sun,  5 May 2002 22:18:57 -0600
+
+postfix (1.1.7-6) unstable; urgency=low
+
+  * HP config, and root address setting in postinst were broken.
+  * Fix wildcard transport change.  Closes: #145745, #145792
+  * Turn off optimization on hppa for now.
+
+ -- LaMont Jones <lamont at debian.org>  Sat,  4 May 2002 11:19:13 -0600
+
+postfix (1.1.7-5) unstable; urgency=low
+
+  * Changes to transport maps: add wildcard, and have ':' to tell
+    postfix to pretend that there is no match for this entry, which
+    allows a relayhost-for-all-but-these type config.
+  * Patch from Victor.Duchovni at morganstanley.com to implement timeouts
+    in LDAP bind.
+  * Add 'HP' option to mailer type, does HP-esque config (transport map
+    entries).
+  * Only copy everything to the chroot if something is being run chrooted.
+    Closes: #139782
+
+ -- LaMont Jones <lamont at debian.org>  Thu,  2 May 2002 23:27:22 -0600
+
+postfix (1.1.7-4) unstable; urgency=low
+
+  * Can't touch files in directories that don't exist.
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 22 Apr 2002 23:30:28 -0600
+
+postfix (1.1.7-3) unstable; urgency=medium
+
+  * The keep-the-maintainer sane release, to keep postfix and postfix-tls
+    source sane in the CVS tree.
+  * Mention package names in the README files.
+  * Make things happier for postfix-tls.
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 22 Apr 2002 21:57:58 -0600
+
+postfix (1.1.7-2) unstable; urgency=medium
+
+  * If $myorigin bears no resemblance to $myhostname, then include it in
+    $mydestination by default.  Closes: #142296
+  * Prompt for a root alias (and add it _iff_ creating /etc/aliases).
+
+ -- LaMont Jones <lamont at debian.org>  Fri, 19 Apr 2002 12:50:08 -0600
+
+postfix (1.1.7-1) unstable; urgency=low
+
+  * New upstream patch-release.  Various minor bug fixes.
+  * Cause a 'no' answer to append_dot_mydomain to re-prompt for destinations,
+    since localhost needs to be added.  Closes: #141129, #123745.
+  * Do a restart instead of start for dpkg-reconfigure.  Closes: #140163
+  * Add support for ldap_version and ldap_chase_referrals, patch from
+    Sami Haahtinen <ressu at debian.org>.  Closes: #139756
+  * Deliver upstream changelog in postfix package (as well as postfix-doc)
+
+ -- LaMont Jones <lamont at debian.org>  Sun,  7 Apr 2002 15:47:54 -0600
+
+postfix (1.1.6-1) unstable; urgency=low
+
+  * New upstream patch-release.
+  * Add ldap_result_filter (from postfix-snap ldap map) into released bits.
+  * Add a pointer to SASL being in postfix-tls.
+  * Add debconf question about append_dot_mydomain.  Closes: #131167
+  * Fix ldap map screwup in 1.1.4-3.  Closes: #139872
+
+ -- LaMont Jones <lamont at debian.org>  Thu, 28 Mar 2002 12:26:40 -0700
+
+postfix (1.1.4-3) unstable; urgency=low
+
+  * Call ber_free in dict_ldap.c, get rid of memory leak.
+  * Break %u %d (in dict_ldap) on rightmost @, not leftmost.
+  * Unset TZ when launching postfix.  Closes: #125658.
+  * Upstream dropped creation of flush service.  Closes: #136793
+
+ -- LaMont Jones <lamont at debian.org>  Fri, 22 Mar 2002 22:53:00 -0700
+
+postfix (1.1.4-2) unstable; urgency=low
+
+  * Let the user say to not fix master.cf.  Closes: #136113.
+  * Fix queue related perms.  Closes: #136118, #136296.
+  * /usr/share/doc/postfix/changelog is (still) delivered by postfix-doc,
+    not postfix.  Closes: #136133.
+  * Templates now indicate just when relayhost's MX RR's are used.
+    Closes: #103738
+
+ -- LaMont Jones <lamont at debian.org>  Sat,  2 Mar 2002 01:54:49 -0700
+
+postfix (1.1.4-1) unstable; urgency=low
+
+  * New upstream version.  See /usr/share/doc/postfix/changelog.
+    Corner case problem in qmgr with certain length addrs, resulting
+    in SEGV.
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 26 Feb 2002 02:34:34 -0700
+
+postfix (1.1.3-2) unstable; urgency=low
+
+  * postfix-script link needs removed on install too.  Closes: #135051
+  * Comment on ciriticality of directory settings in main.cf.debian.
+
+ -- LaMont Jones <lamont at debian.org>  Thu, 21 Feb 2002 12:43:35 -0700
+
+postfix (1.1.3-1) unstable; urgency=low
+
+  * New upstream version.  See /usr/share/doc/postfix/changelog.
+
+ -- LaMont Jones <lamont at debian.org>  Sun,  3 Feb 2002 21:40:49 -0700
+
+postfix (1.1.1-3) unstable; urgency=low
+
+  * If postfix-script is a link, then nuke it in preinst.  Closes: #130635
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 28 Jan 2002 08:59:38 -0700
+
+postfix (1.1.1-2) unstable; urgency=low
+
+  * Fix postfix-dev depends, so that postfix-tls and friends build from
+    source.  Closes: #130743
+  * Use LD_LIBRARY_PATH when building shlibdeps.
+  * remove statoverrides on remoev, and postdrop group on purge.
+    Closes: #130786
+
+ -- LaMont Jones <lamont at debian.org>  Fri, 25 Jan 2002 11:52:09 -0700
+
+postfix (1.1.1-1) unstable; urgency=high
+
+  * New upstream version.
+    When the postmap command creates a non-existent result file, the
+    new file inherits the group/other read permissions of the source
+    file.  Closes: #130315
+  * Move dict_ldap.so build point to global, instead of util, to correct
+    build order.  (hp-ux build now actually works.)
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 22 Jan 2002 12:38:45 -0700
+
+postfix (1.1.0-1) unstable; urgency=low
+
+  * New upstream version.  Closes: #129735
+      pickup now unpriv, cleanup and flush public.
+  * Add postfix-dev package to allow loadable modules to be built.
+  * use $DAEMON in init.d script to facilitate passing it arguments.
+    Closes: #126288
+  * make default (on new install only) biff = no.  Closes: #105914
+  * Allow (but warn about) permit_sasl_authenticated in main.cf, even with
+    no SASL support.  (Helps out postfix-tls.)
+  * Fix shlibs file.
+  * Fix segv in postqueue -s.
+  * Cleanup hpux diff
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 22 Jan 2002 10:44:20 -0700
+
+postfix (0.0.20011217.SNAPSHOT-1) unstable; urgency=high
+
+  * New upstream version.  Closes: #123734, #124149
+      Postfix configuration file comments no longer continue on the next
+      line when that next line starts with whitespace. This change avoids
+      surprises, but it may cause unexpected behavior with existing,
+      poorly formatted, configuration files. Caveat user.
+  * Handle iPlanet 5.0 (and probably other SDK's) in dict_ldap.c, by defining
+    LDAP_CONST and LDAP_OPT_SUCCESS if <ldap.h> doesn't.
+  * Only enable lber logging when debuglevel>0.  Closes: #125919.
+
+ -- LaMont Jones <lamont at debian.org>  Sat, 22 Dec 2001 21:54:33 -0700
+
+postfix (0.0.20011210.SNAPSHOT-2) unstable; urgency=high
+  * Various fixes in (hp-ux) build rules
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 12 Dec 2001 15:56:04 -0700
+
+postfix (0.0.20011210.SNAPSHOT-1) unstable; urgency=high
+
+  * New upstream version.
+  * High urgency to get sendmail -bs fix into testing (0.0.20011125.SNAPSHOT-1
+    should have been.)
+  * Make lack of /etc/postfix/dynamicmaps.cf be a warning, instead of
+    an obscure failure (SIGBUS).
+  * Include LDAP patch from Will Day willday at rom.oit.gatech.edu (deal with
+    timeouts from LDAP server by reconnecting, instead of saying '451',
+    other cleanup.)
+  * Upstream version of ia64 alignment fix added.
+  * main.cf.dist is not gziped.  Closes: #122709.
+  * add diversion of smtpd package's smtpd.8 (to smtpd.real.8).
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 11 Dec 2001 09:18:57 -0700
+
+postfix (0.0.20011125.SNAPSHOT-1) unstable; urgency=low
+
+  * New upstream version.  See /usr/share/doc/postfix/changelog.
+  * Fix smtpd session-rest bug.  (patch from upstream.)
+  * Move default config file to /usr/share/postfix, per policy.
+  * Fix procmail invocation. (quotes around $EXTENSION).
+  * Fix sendmail -bs, broken as of 20011115.SNAPSHOT-1.  Closes: #120375
+
+ -- LaMont Jones <lamont at debian.org>  Sun, 25 Nov 2001 20:11:43 -0700
+
+postfix (0.0.20011115.SNAPSHOT-1) unstable; urgency=low
+
+  * New upstream version.  See /usr/share/doc/postfix/changelog.
+
+ -- LaMont Jones <lamont at debian.org>  Fri, 16 Nov 2001 05:39:39 -0700
+
+postfix (0.0.20011008.SNAPSHOT-2) unstable; urgency=low
+
+  * Make the default mailbox_size_limit (in debconf) be unlimited.
+    Closes: #117101.
+
+ -- LaMont Jones <lamont at debian.org>  Thu, 25 Oct 2001 17:12:53 -0600
+
+postfix (0.0.20011008.SNAPSHOT-1) unstable; urgency=low
+
+  * New upstream version.  See /usr/share/doc/postfix/changelog.
+  * Treat bogus DN's in _special_result_attributes the same as DN's that
+    have no _result_attribute (that is, ignore them.)
+  * Change default SMTP banner to include Debian/GNU.
+  * Add a bit more descriptive text to postfix-* packages.  Closes: #110227
+  * Fix how mailbox_command gets set (support extensions.)  Closes: #109867
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 16 Oct 2001 07:04:33 -0600
+
+postfix (0.0.20010808.SNAPSHOT-1) unstable; urgency=low
+
+  * New upstream version.
+  * Include brazilian templates translation.  Closes: #105281.
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 13 Aug 2001 13:18:14 -0600
+
+postfix (0.0.20010714.SNAPSHOT-3) unstable; urgency=low
+
+  * Remove needless use File::Copy from config.  Closes: #107795
+  * Don't run newaliases if there's no main.cf.
+  * Restore nuked man pages.  Closes: #107632
+
+ -- LaMont Jones <lamont at debian.org>  Wed,  8 Aug 2001 12:18:19 -0600
+
+postfix (0.0.20010714.SNAPSHOT-2) unstable; urgency=low
+
+  * Fix typo in debconf usage.  Closes: #107531.
+
+ -- LaMont Jones <lamont at debian.org>  Thu,  2 Aug 2001 17:22:32 -0600
+
+postfix (0.0.20010714.SNAPSHOT-1) unstable; urgency=low
+
+  * New upstream version.
+  * Dynamically load various maps at runtime.  This splits the package
+    into the base postfix package, and various map-support packages.
+  * Add mysql support (suggests libmysqlclient10)  Closes: #64923
+  * Move shared libs to /usr/lib.  Closes: #101688.
+  * use Debian::Debconf::Client::ConfModule, which works with all revs of
+    debconf.  Closes: #103947.
+
+ -- LaMont Jones <lamont at debian.org>  Wed,  1 Aug 2001 12:56:39 -0600
+
+postfix (0.0.20010610.SNAPSHOT-1) unstable; urgency=high
+  * New upstream version.  Includes RFC282[12] support, and other changes.
+    See /usr/share/doc/postfix/changelog.
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 11 Jun 2001 08:54:52 -0600
+
+postfix (0.0.20010502.SNAPSHOT-5) unstable; urgency=high
+  * Fix corner case where newaliases did not get run.  Closes: #99165.
+  * Don't purge /etc/postfix and /var/spool/postfix at purge.  Closes: #98987.
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 29 May 2001 23:30:15 -0600
+
+postfix (0.0.20010502.SNAPSHOT-4) unstable; urgency=high
+  * Reduce the disk/memory footprint of Postfix by using shlibs for util,
+    global, dns, and master libraries.
+  * Support 'debug' and 'nostrip' options in DEB_BUILD_OPTIONS
+  * dpkg-statoverride exits (correctly) with non-zero status in places
+    where it didn't before.  
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 23 May 2001 22:13:25 -0600
+
+postfix (0.0.20010502.SNAPSHOT-3) unstable; urgency=high
+  * No-maps case wasn't handled well for upgrades.
+    Closes: #98008, #97763, #98116.
+  * Make no-config case more prominant in selections, partially addresses
+    #97670.
+  * Correct sample-ldap.cf to correctly specify timeout parm.  Closes: #93978.
+
+ -- LaMont Jones <lamont at debian.org>  Sun, 20 May 2001 08:17:33 -0600
+
+postfix (0.0.20010502.SNAPSHOT-2) unstable; urgency=low
+  * Cleanup warning for db2->db3 upgrade, try to restart
+    even if they say no to auto-conversion.  Closes: #97587.
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 15 May 2001 10:41:16 -0600
+
+postfix (0.0.20010502.SNAPSHOT-1) unstable; urgency=low
+  * New upstream version.  Includes all fixes through 20010228-pl02.
+    See /usr/share/doc/postfix/changelog.
+  * Add 'Conflicts: libnss-db (<<2.2-3)' to force db3 version of
+    libnss-db, if libnss-db is on the machine.
+  * Auto-convert postfix maps when upgrading to db3.  Closes: #94954, #95587.
+  * Add || true on removing overrides.  Closes: #96820.
+  * Add scalemail support into the default master.cf.
+
+ -- LaMont Jones <lamont at debian.org>  Sun,  6 May 2001 08:53:21 -0600
+
+postfix (0.0.20010329.SNAPSHOT-5) unstable; urgency=low
+  * compromise with upstream on how to do the db3 changeover...
+  * With libdb3 change, libdb2/3 interactions go away.  Closes: #94379.
+
+ -- LaMont Jones <lamont at debian.org>  Fri, 20 Apr 2001 23:43:37 -0600
+
+postfix (0.0.20010329.SNAPSHOT-4) unstable; urgency=low
+  * Change to use libdb3 to avoid any libdb2/3 interactions in libc.
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 18 Apr 2001 07:56:37 -0600
+
+postfix (0.0.20010329.SNAPSHOT-3) unstable; urgency=low
+  * Eliminate useless notes from LDAP dictionaries.
+  * If relayhost was manually set on an internet site, upgrades would
+    clear the relayhost.  Closes: #93161.
+
+ -- LaMont Jones <lamont at debian.org>  Sat,  7 Apr 2001 22:14:47 -0600
+
+postfix (0.0.20010329.SNAPSHOT-2) unstable; urgency=low
+  * Somehow lost dbm support.
+
+ -- LaMont Jones <lamont at debian.org>  Wed,  4 Apr 2001 11:47:12 -0600
+
+postfix (0.0.20010329.SNAPSHOT-1) unstable; urgency=low
+  * New upstream version.
+  * Add ia64 workaround in mymalloc.c (was causing SIGBUS).
+  * Lintian (debconf config) fixes.
+
+ -- LaMont Jones <lamont at debian.org>  Fri, 30 Mar 2001 22:39:24 -0700
+
+postfix (0.0.20010228-2) unstable; urgency=low
+  * No configuration on install failed.  Closes: #88085
+
+ -- LaMont Jones <lamont at debian.org>  Thu,  1 Mar 2001 11:47:45 -0700
+
+postfix (0.0.20010228-1) unstable; urgency=low
+  * FIRST NON-BETA RELEASE!!!  Otherwise, no change from
+    0.0.20010225.SNAPSHOT-1.  Differences from upstream are:
+    - nqmgr and virtual delivery agents are included (these are
+      still pretty fluid, and therefore not in the upstream
+      release, although they remain in the upstream snapshots.)
+    - rmail client from Sendmail is included.
+    - minor bug fixes in LDAP maps (to be incorporated upstream
+      very soon - they just didn't make the cut for first release.)
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 28 Feb 2001 16:03:40 -0700
+
+postfix (0.0.20010225.SNAPSHOT-1) unstable; urgency=low
+  * New upstream revision.
+  * Introduces mynetworks_style config parameter, which affects how
+    mynetworks is built by default.
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 26 Feb 2001 09:41:28 -0700
+
+postfix (0.0.20010222.SNAPSHOT-1) unstable; urgency=low
+  * New upstream revision, release candidtate.  See
+    /usr/share/doc/postfix/changelog and .../RELEASE_NOTES for details.
+    - Postfix no longer automatically delivers recipients one at a time
+      when their domain is listed in $mydestination.  This change solves
+      delivery performance problems with delivery via LMTP, and with
+      firewall relays that forward all mail for $mydestination to an
+      inside host.  See xxx_destination_recipient_limit.
+    - Virtual mailbox delivery agent (actually introduced in 0.0.20010128)
+    - Closes: #87255.
+  * Fix core dump in closing ldap maps without _domain specified.
+  * Always ask whether to use a world-writable maildrop (even for "No
+    configuration" case.)  Closes: #86408.
+  * Teach init.d script about force-reload.  Closes: #86399.
+
+ -- LaMont Jones <lamont at debian.org>  Fri, 23 Feb 2001 08:03:53 -0700
+
+postfix (0.0.20010204.SNAPSHOT-1) unstable; urgency=low
+  * New upstream release.
+  * Make 'No configuration' the default if main.cf exists.  Closes: #84335.
+  * Make sure to handle maildrop perms even in 'No configuration' case.
+    Reported by Branden Robinson on IRC.
+
+ -- LaMont Jones <lamont at debian.org>  Sun,  4 Feb 2001 18:16:02 -0700
+
+postfix (0.0.20010128.SNAPSHOT-1) unstable; urgency=low
+  * New upstream release, near-to-release.
+  * it's mydestination, not destinations.  Closes: #83606.
+
+ -- LaMont Jones <lamont at debian.org>  Sun, 28 Jan 2001 21:15:18 -0700
+
+postfix (0.0.20001217.SNAPSHOT-7) unstable; urgency=high
+  * Fix stupid mistake with move of main.cf.dist to examples. (install fails)
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 23 Jan 2001 15:24:58 -0700
+
+postfix (0.0.20001217.SNAPSHOT-6) unstable; urgency=low
+  * When copying /etc/passwd into chroot (because of local_maps), strip
+    passwords...
+  * Leave the source-default for myorigin set to the upstream default.
+    Move main.cf.{default,dist} to /usr/share/doc/postfix/examples.
+    Reported by Marco d'Itri.  Closes: #82905.
+  * Remove pointless README's from the binary.
+  * /etc/postfix/{pcre_table,regexp_table} were not listed as config
+    files.
+
+ -- LaMont Jones <lamont at debian.org>  Sat, 20 Jan 2001 10:51:30 -0700
+
+postfix (0.0.20001217.SNAPSHOT-5) unstable; urgency=low
+  * If using local_recipient_maps = ... unix:passwd.byname, then copy
+    /etc/passwd into the chroot jail so that local users get mail.
+    Closes: #65473.
+  * remove dpkg-statoverride workaround.
+  * If 'No configuration' is specified, leave main.cf ALONE.
+
+ -- LaMont Jones <lamont at debian.org>  Sat, 13 Jan 2001 21:02:25 -0700
+
+postfix (0.0.20001217.SNAPSHOT-4) unstable; urgency=low
+  * Fix ldap_domain.  Closes: #81558.
+  * Fix version comparison in preinst.  Closes: #81044.
+  * Give procmail question a default answer (on iff procmail exists).
+  * Use dpkg-statoverride to deal with postdrop.  Closes: #65083, #65089
+  * Remove contents of /var/spool/postfix/{lib,etc} in prerm.
+
+ -- LaMont Jones <lamont at debian.org>  Thu, 11 Jan 2001 18:43:37 -0700
+
+postfix (0.0.20001217.SNAPSHOT-2) unstable; urgency=low
+  * maildrop was created in /etc/postfix.  Closes: #80117.
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 20 Dec 2000 07:50:35 -0700
+
+postfix (0.0.20001217.SNAPSHOT-1) unstable; urgency=low
+  * New upstream version.  See /usr/share/doc/postfix/RELEASE_NOTES.
+    - All time-related config parameters (except for LDAP and MYSQL)
+      now take a 1 letter suffix to indicate units: (s)econd, (m)inute,
+      (h)our, (d)ay, (w)eek.
+    - Partial rewrite of MYSQL client around memory problems - needs
+      more work and a production test.  Please report any problems.
+    - local_transport and default_transport now accept transport:destination
+      notation.  The :destination is optional.
+    - Fix for postconf -m defect.
+    - Starting with snapshot-20000531, mail submitted via the sendmail
+      interface (SMTP was OK) had unterminated text records, and parts of
+      lines longer than 2048 bytes deleted from message content.
+    - Failure to connect to an LDAP server could result in coredumps
+      due to a dangling pointer.
+  * Don't set myhostname in postinst if main.cf exists.  Closes: #79390.
+  * Allow myorigin=/etc/mailname, which will help eliminate stomping on
+    main.cf.  Setting the mailname with debconf will result in /etc/mailname
+    having the new mailname, and myorigin=/etc/mailname.
+
+ -- LaMont Jones <lamont at debian.org>  Sun, 17 Dec 2000 21:31:04 -0700
+
+postfix (0.0.20001210.SNAPSHOT-1) unstable; urgency=low
+  * New upstream version.  See /usr/share/doc/postfix/RELEASE_NOTES.
+    - local delivery agent now logs warning when unable to create
+      /file/name.lock (on /file/name deliveries).  Delivery continues
+      as before.
+    - The queue manager could deadlock for 10 seconds when bouncing
+      mail under extreme load from one-to-one mass mailings.
+    - Local delivery performance was substandard, because the per-user
+      concurrency limit accidentally applied to the entire local
+      domain.
+    - smtp client skips "CODE TEXT" (instead of treating it as "CODE
+      SPACE TEXT".
+    - Changes in libutil and libglobal routines, may affect third party
+      code.
+    - mailbox locking now fully run-time configurable.
+    - "import_environment" and "export_environment" parameters now
+      provide explicit control over the environment of postfix daemons.
+    - "mailbox_transport" and "fallback_transport" parameters now
+      understand the form "transport:nexthop", with suitable defaults.
+
+ -- LaMont Jones <lamont at debian.org>  Sun, 10 Dec 2000 22:56:06 -0700
+
+postfix (0.0.20001121.SNAPSHOT-1) unstable; urgency=low
+  * New upstream version, support for sendmail style virtual domains.
+    Upstream fix for #76760.  (sendmail now supports -G option.)
+  * Defaults were handled poorly in config code.  Closes: #77444.
+  * More debconf cleanup.  Closes: #77094.
+  * Only set myorigin in /etc/init.d/postfix if /etc/mailname is newer
+    than /etc/postfix/main.cf (was unconditional).  Closes: #77789.
+  * Prior rev had problems if upgrading a non-world-writable mailspool
+    from -3.  Closes: #78222.
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 27 Nov 2000 20:34:27 -0700
+
+postfix (0.0.20001030.SNAPSHOT-4) unstable; urgency=low
+  * Remove -G option from rmail's invocation of sendmail.  Closes: #76760.
+  * Cleanup debconf config file.  Closes: #76759, #76770.
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 11 Nov 2000 19:16:40 -0600
+
+postfix (0.0.20001030.SNAPSHOT-3) unstable; urgency=low
+  * If /etc/mailname doesn't exist, don't set myorigin at startup.
+    Closes: #76546, #76584.
+  * LDAP queries were broken if _domain was not specified.
+  * Integrated debconf support, based on patches by Colin Walters
+    <walters at cis.ohio-state.edu> and John Goerzen <jgoerzen at progenylinux.com>,
+    and some Perl help from Tommi Virtanen on IRC.
+  * Change default 'mynetworks' to just 127.0.0.0/8.  If the machine
+    is supposed to relay mail for other hosts, main.cf needs to be
+    edited.  Closes: #72744, #56287, #74288.
+  * Upgrade rmail to the copy from sendmail 8.11.1.
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 10 Nov 2000 08:11:46 -0600
+
+postfix (0.0.20001030.SNAPSHOT-2) unstable; urgency=low
+  * Remove bash-ism in /etc/init.d/postfix.  Closes: #76292.
+
+ -- LaMont Jones <lamont at debian.org>  Sun,  5 Nov 2000 12:35:04 -0600
+
+postfix (0.0.20001030.SNAPSHOT-1) unstable; urgency=low
+
+  * New upstream version: DSN-style bounce messages, better LDAP support
+    Closes: #72659, #75017, #75962.
+  * Fix bsmtp line.  Closes: #72504
+  * Fix build-depends line.  Closes: #73678
+  * Copy resolv.conf at ppp startup.  Closes: #74497
+  * Remove SASL support (introduced in prior NMU).  Waiting for
+    the upstream author to support SASL.
+  * Add quotes in postinst.  Closes: #68351
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 31 Oct 2000 16:09:40 -0600
+
+postfix (0.0.20000531.SNAPSHOT-1.1) unstable; urgency=low
+
+  * NMU for libdb2/glibc upgrade
+  * Move build-deps to general control section
+  * Add version to libdb2 build-dep, also changed libopenldap-dev to
+    libldap2-dev and libpcre2-dev to libpcre3-dev.
+  * Fixed some minor compilation problems with dict_ldap.c for libldap2
+  * debian/rules: modify AUXLIBS to include libgdbm, libsasl and libdb2,
+    and add -ldl to LIBS.
+
+ -- Ben Collins <bcollins at debian.org>  Wed, 27 Sep 2000 16:22:15 -0400
+
+postfix (0.0.20000531.SNAPSHOT-1) unstable; urgency=low
+  * New upstream SNAPSHOT.  FEATURES IN SNAPSHOTS ARE SUBJECT TO CHANGE
+    WITHOUT WARNING.  Future uploads to unstable may or may not roll
+    such changes into your configuration.  You have been warned...
+    See /usr/share/doc/postfix/RELEASE_NOTES.
+
+    Note that queue files from this version and later will not be accepted
+    by earlier versions of Postfix, so downgrading would be a challenge...
+    (Old queue files work just fine with this version.)
+
+  * Content filtering support.  See /usr/share/doc/postfix/FILTER_README.
+  * LMTP support.  See /usr/share/doc/postfix/LMTP_README.
+  * nroff commands are gone from the config files.  Closes: #49674.
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 31 May 2000 22:39:40 -0600
+
+postfix (0.0.19991231pl08-1) unstable; urgency=low
+  * New upstream version:  adds body_checks for content filter looking
+    at non-header lines one at a time (including MIME headers in the
+    message body.)
+
+ -- LaMont Jones <lamont at debian.org>  Sun, 28 May 2000 21:29:16 -0600
+
+postfix (0.0.19991231pl07-1) unstable; urgency=low
+  * New upstream version, see RELEASE_NOTES for changes.
+  * Makefile cleanup, switch to using doc-base.  Closes: #64086.
+    Also gets rid of /usr/share/doc/postfix/index.html.
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 24 May 2000 10:24:17 -0600
+
+postfix (0.0.19991231pl05-2) frozen unstable; urgency=low
+  * Provide /usr/share/doc/postfix/index.html.  Closes: #60801.
+  * Change cyrus delivery agent in master.cf.  Closes: #62512.
+  * Handle case where admin created postfix user, but not group before
+    installing.  Closes: #61049.
+  * Add -e to startup script, avoiding nuking libnss_*so*.  Closes: #62330.
+  * Quit creating /usr/man/man[158].  Closes: #61430.
+  * lintian fixes.
+  * Suggest procmail, rather than recommend.
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 24 May 2000 07:21:27 -0600
+
+postfix (0.0.19991231pl05-1) frozen unstable; urgency=low
+  * New upstream patch rev.
+  * Postdrop should be owned by root.  Closes: #59058
+  * Better detection of when postfix user already exists.  Closes: #59417
+  * If hostname is not set, figure it out at runtime.  Closes: #58199
+  # Upload to unstable and frozen.  Closes: #60343
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 15 Mar 2000 09:41:54 -0600
+
+postfix (0.0.19991231pl04-1) frozen; urgency=low
+  * New upstream version.
+  * Make postfix run chrooted, like it's supposed to.
+  * Eliminate complaints about different libnss* versions in chroot. Closes
+    #58364, #58181.
+
+ -- LaMont Jones <lamont at debian.org>  Sun, 20 Feb 2000 10:57:28 -0600
+
+postfix (0.0.19991231pl02-1) unstable; urgency=low
+  * New upstream version, with incompatible changes in transport map
+    processing.  Many other enhancements, see the upstream changelog
+    for more detail.
+  * RELEASE_NOTES didn't make it into the package before, because it
+    was overwritten by HISTORY (as changelog).
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 10 Jan 1999 22:22:53 -0600
+
+postfix (0.0.19990906pl07-1) unstable; urgency=low
+  * New upstream patch.
+  * Make console messages match standard.  Closes #44677,45209
+  * Rename HISTORY to changelog, per policy.  Closes #46034
+  * Move docs to /usr/share/doc/postfix, per current policy.  Closes #47279
+  * Only automatically start Postfix on an upgrade.  Close #48855
+
+ -- LaMont Jones <lamont at debian.org>  Sun, 14 Nov 1999 11:06:56 -0600
+
+postfix (0.0.19990906pl02-1) unstable; urgency=low
+  * New upstream patch.
+  * Add in the rest of the README files, and BEWARE file.
+
+ -- LaMont Jones <lamont at debian.org>  Tue,  7 Sep 1999 12:49:06 -0600
+
+postfix (0.0.19990906pl01-1) unstable; urgency=low
+  * New upstream version.
+  * process check_sender_access (without a warning) when no sender has
+    been specified.
+
+ -- LaMont Jones <lamont at debian.org>  Tue,  7 Sep 1999 09:39:02 -0600
+
+postfix (0.0.19990627-6) unstable; urgency=low
+  * Missing several files from /usr/doc/postfix/html. Closes Bug#43407
+  * Upstream patch: possible core dump from VRFY with check_relay_domains
+  * Copy files into the chroot at startup time, add comment to the same
+    effect in ip-up.d/postfix.
+  * Rebuild with gcc 2.95-1.1, Closes Bug#43676
+  * New dict_ldap.c from upstream (and sideways).  I understand that this
+    should be in the next beta.  Add LDAP support (static built with
+    libopenldap1 1.2.6-1)  Closes Bug#43609
+  * Upstream patch: lock around DB open to avoid race with DB rebuilds.
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 31 Aug 1999 20:13:23 -0600
+
+postfix (0.0.19990627-5) unstable; urgency=low
+  * Bad port number in error message from smtp_connect (Bug#43178)
+  * Better fix for always_bcc problem (Bug#43235)
+
+ -- LaMont Jones <lamont at debian.org>  Thu, 19 Aug 1999 20:52:11 -0600
+
+postfix (0.0.19990627-4) unstable; urgency=low
+  * Fix postinstall script's check for NIS. (Bug #43036)
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 16 Aug 1999 07:05:23 -0600
+
+postfix (0.0.19990627-3) unstable; urgency=low
+  * Various upstream fixes:
+  * Fix to build with libpcre2 2.07 (don't try to build with < 2.06) Bug #43004
+  * Fix sendmail exit status.
+  * Add $SENDER to supported mailbox_command arguments.
+  * always_bcc and sendmail -t didn't mix well (sendmail only sent to the
+    always_bcc recipient.)
+
+ -- LaMont Jones <lamont at debian.org>  Sat, 14 Aug 1999 19:00:14 -0600
+
+postfix (0.0.19990627-2) unstable; urgency=low
+  * Postinst failed copying stuff into the chroot if the file did not exist
+    on the system. (Bug #41013)
+
+ -- LaMont Jones <lamont at debian.org>  Thu,  8 Jul 1999 17:29:34 -0600
+
+postfix (0.0.19990627-0) unstable; urgency=low
+  * New upstream SNAPSHOT (pre-beta).
+  * DFSG compatible license!!!!
+  * Cleanup init.d to just let postfix-script say it's piece. (Bug #39822)
+  * Don't deliver /etc/postfix files that aren't conffiles... (Bug #40313)
+
+ -- LaMont Jones <lamont at debian.org>  Sun, 27 Jun 1999 23:15:57 -0600
+
+postfix (0.0.19990601-3) unstable; urgency=low
+  * /usr/include/paths.h has a bad value for _PATH_MAILDIR.  Fixed by getting
+    a good copy of libc6-dev (2.1.1-10, not -5...)
+
+ -- LaMont Jones <lamont at debian.org>  Sun,  6 Jun 1999 23:23:21 -0600
+
+postfix (0.0.19990601-2) unstable; urgency=low
+  * Have postinst take care of installing postfix-script,
+    instead of defaulting it in the package. (Bug #39009)
+
+ -- LaMont Jones <lamont at debian.org>  Sat,  5 Jun 1999 22:13:41 -0600
+
+postfix (0.0.19990601-1) unstable; urgency=low
+  * New upstream version
+  * Fix handling of mailname (Bug #37593)
+  * Remove prompt in preinst (Bug #35413)
+  * Only prompt when absolutely necessary during install/upgrade.
+  * Add PCRE support, using libpcre.a (Bug #36780)
+  * See /usr/doc/postfix/changelog for incompatible changes from
+    prior version.
+  * The supported map types in this build are: environ, unix, hash,
+    btree, nis, pcre, and regexp.
+
+ -- LaMont Jones <lamont at debian.org>  Tue,  1 Jun 1999 22:27:21 -0600
+
+postfix (0.0.19990317pl01-2) unstable; urgency=low
+  * add dhelp support
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 12 May 1999 17:25:00 -0600
+
+postfix (0.0.19990317pl01-1) unstable; urgency=low
+  * New upstream release
+  * If suidmanager is being used, unregister /usr/sbin/sendmail (Bug #33995).
+    This works around a sendmail defect (#33656), fixed in sendmail 8.9.3-2.
+  * Don't override CC setting in debian/rules (Bug #34720).
+  * Add rmail: actually, copy the source over from sendmail 8.9.3-2, and
+    wrap a Postfix-style makefile around it. (Bug #31814)
+  * Actually list the dependency on adduser. (Bug #34979)
+  
+ -- LaMont Jones <lamont at debian.org>  Wed, 24 Mar 1999 01:00:15 -0700
+
+postfix (0.0.19990122pl01-1) unstable; urgency=low
+  * Upstream patch release, see /usr/doc/postfix/changelog.
+  * Fix upload to include orig and .diff.  Sigh.
+  * Add /usr/lib/sendmail symlink (bug 30940)
+  
+ -- LaMont Jones <lamont at debian.org>  Mon,  1 Feb 1999 20:10:59 -0600
+
+postfix (0.0.19990122-1) unstable; urgency=low
+  * New upstream version.  See /usr/doc/postfix/changelog.
+  * Use dot locks, in conformance with Debian standards. (bug 32683)
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 22 Jan 1999 23:30:14 -0600
+
+postfix (0.0.19981230pl01-1) unstable; urgency=low
+  * Upstream patch for > 50 recipients per delivery.  Refused recipients
+    (with transient errors) would not be retried.
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 13 Jan 1999 20:31:10 -0600
+
+postfix (0.0.19981230-3) unstable; urgency=low
+  * Make sure that postdrop and maildrop have the right permissions
+    in all of the permutations of writable/non world-writable
+    maildrop.
+
+ -- LaMont Jones <lamont at debian.org>  Sat,  9 Jan 1999 18:31:10 -0600
+
+postfix (0.0.19981230-2) unstable; urgency=low
+  * Fix erroneous symlink /usr/lib/zoneinfo - should be in
+    /var/spool/postfix/usr/lib, not the system root...
+  * Fix sed screwup in post-inst alias_maps expansion.
+
+ -- LaMont Jones <lamont at debian.org>  Fri,  8 Jan 1999 23:10:20 -0600
+
+postfix (0.0.19981230-1) unstable; urgency=low
+  * New upstream version.  See /usr/doc/postfix/HISTORY for changes.
+    Still suffers from the same not-quite-DFSG license.
+  * This version allows you to have a non-world-writable maildrop,
+    if you desire.  The (additional) group used for this purpose is
+    'postdrop', as is the setgid program in /usr/sbin.
+  * Split daemon and user commands.  post* now live in /usr/sbin,
+    and the daemon programs live in /usr/lib/postfix.
+  * Check if NIS is installed, and do (or do not) include nis:mail.aliases
+    accordingly.
+  * Make /etc/aliases not be a conffile, and don't delete it during
+    dpkg --purge.  The correct answer here is probably to have all of
+    the MTA's that use /etc/aliases depend on a package that provides
+    just that, and that way switching MTA's won't nuke the alias
+    file...
+
+ -- LaMont Jones <lamont at debian.org>  Sun,  3 Jan 1999 19:40:30 -0600
+
+postfix (0.0.19981211-1) unstable; urgency=low
+
+  * Fix lintian errors, other minor cleanup.
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 14 Dec 1998 11:22:32 -0600
+
+postfix (0.0.19981211-0) unstable; urgency=low
+
+  * Initial beta release, contains IBM code and contrib diretcory.
+    Claims to be Beta-19981211 internally...
+
+ -- LaMont Jones <lamont at debian.org>  Fri, 11 Dec 1998 22:31:37 -0600
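Review bot: the trailer of the 0.0.19991231pl02-1 entry reads "Mon, 10 Jan 1999", which breaks the chronological order of the file (it sits between the Feb 2000 and Nov 1999 entries, for an upstream dated 19991231) and the weekday only matches 10 Jan 2000, so the year looks wrong; also the last item of the 0.0.19991231pl05-1 entry starts with "# Upload to unstable and frozen" instead of "*", so it does not render as a list item. Minor spelling in the same hunk worth fixing while touching it: "ciriticality", "remoev", "prominant", "candidtate", "diretcory".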

Added: trunk/postfix/debian/conffiles
===================================================================
--- trunk/postfix/debian/conffiles	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/conffiles	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,9 @@
+/etc/init.d/postfix
+/etc/ppp/ip-up.d/postfix
+/etc/ppp/ip-down.d/postfix
+/etc/network/if-up.d/postfix
+/etc/network/if-down.d/postfix
+/etc/postfix/postfix-script
+/etc/postfix/post-install
+/etc/postfix/postfix-files
+/etc/resolvconf/update-libc.d/postfix
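Review bot: /etc/postfix/postfix-script, /etc/postfix/post-install and /etc/postfix/postfix-files are upstream-maintained scripts and data rather than administrator-edited configuration; declaring them conffiles means dpkg will preserve local edits to them and prompt on every upgrade that changes them, which is rarely what is wanted for executable helpers, and it also contradicts the earlier changelog decision to have postinst install postfix-script itself. If that is intentional, a line in the package documentation saying why these three are conffiles while main.cf and master.cf (generated by postinst) are not would help the next maintainer.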

Added: trunk/postfix/debian/config
===================================================================
--- trunk/postfix/debian/config	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/config	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,355 @@
+#!/usr/bin/perl -w
+# -*-CPerl-*-
+# Script to configure Postfix.
+# Based on code by Colin Walters <walters at cis.ohio-state.edu>,
+# and John Goerzen <jgoerzen at progenylinux.com>.
+
+use Debconf::Client::ConfModule qw(:all);
+use Fcntl;
+
+my $version = version(2.0);
+capb("backup");
+title("Postfix Configuration");
+
+# begin configuration script
+  
+my $topstate;
+my $back;
+my $noninteractive;
+
+# Regexps for checking domain names, blatantly stolen from exim config
+my $rfc1035_label_re= '[0-9A-Za-z]([-0-9A-Za-z]*[0-9A-Za-z])?';
+my $rfc1035_domain_re= "$rfc1035_label_re(\\.$rfc1035_label_re)*";
+my $network_re= '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}';
+
+$topstate = "start";
+
+while ($topstate ne "done") {
+ TOPSTATE: {
+    if ($topstate eq "start") {
+      if (fget("postfix/main_mailer_type", "isdefault") eq "true") {
+	if (-f "/etc/postfix/main.cf") {
+	    set("postfix/main_mailer_type", "No configuration");
+	}
+      }
+      $noninteractive = (((input("high", "postfix/main_mailer_type"))[0]) == 30);
+      if ($noninteractive) {
+	my $mailertype = get("postfix/main_mailer_type");
+	if ($mailertype eq "No configuration") {
+	  # We can't display a note here, because it could send mail,
+	  # which isn't configured...
+	  #$noninteractive = ((input("critical", "postfix/not_configured"))[0] == 30);
+	  #go();
+	  $topstate="ending-setup";
+	} else {
+	  $topstate="root";
+	}
+      } else {
+	go();
+	$back = (((go())[0]) == 30);
+	$mailertype = get("postfix/main_mailer_type");
+	if ($mailertype eq "No configuration") {
+	  $topstate="ending-setup";
+	} else {
+	  fset("postfix/main_mailer_type", "changed", "true");
+	  if ($back) {
+	    fset("postfix/main_mailer_type", "isdefault", "true");
+	    fset("postfix/db2_db3_upgrade", "isdefault", "true");
+	  } else {
+	    fset("postfix/main_mailer_type", "changed", "true");
+	    $topstate = "root";
+	    if (!(($mailertype eq "Internet with smarthost") ||
+		  ($mailertype eq "Satellite system") ||
+		  ($mailertype eq "HP"))) {
+	      set("postfix/relayhost", "");
+	      fset("postfix/relayhost", "changed", "true");
+	    }
+	  }
+	}
+      }
+    }
+
+    if ($topstate eq "root") {
+      if (fget("postfix/root_address", "isdefault") eq "true") {
+        open(F,"getent passwd 1000|");
+        @l=<F>;
+        close(F);
+        if ($#l > 0) {
+          $l[0] =~ s/:.*$//;
+          set("postfix/root_address",$l[0]);
+          fset("postfix/root_address", "changed", "true");
+        }
+      }
+      $noninteractive = (((input("medium", "postfix/root_address"))[0]) == 30);
+      if (!$noninteractive) {
+	go();
+	fset("postfix/root_address", "changed", "true");
+      }
+      $topstate="mailname";
+    }
+
+    if ($topstate eq "mailname") {
+      my $mailertype = get("postfix/main_mailer_type");
+      if (fget("postfix/mailname", "isdefault") eq "true") {
+	my $mailname;
+	if (-f "/etc/mailname") {
+	  $mailname =`cat /etc/mailname`;
+	  chomp $mailname;
+	} else {
+	  $mailname = `hostname --fqdn 2>/dev/null` || "localdomain";
+	  chomp $mailname;
+	} 
+	set("postfix/mailname", $mailname);
+      }
+      $noninteractive = (((input("high", "postfix/mailname"))[0]) == 30);
+      if ($noninteractive) {
+	$topstate = "relayhost";
+      } else {
+	$back = (((go())[0]) == 30);
+	if ($back) {
+	  fset("postfix/main_mailer_type", "isdefault", "true");
+	  fset("postfix/mailname", "isdefault", "true");
+	  $topstate = "type";
+	} else {
+	  # error checking
+	  my $mailname = get("postfix/mailname");
+	  fset("postfix/mailname", "changed", "true");
+	  if (not ($mailname =~ /$rfc1035_domain_re/)) {
+	    set("postfix/rfc1035_violation", "false");
+	    fset("postfix/rfc1035_violation", "isdefault", "true");
+	    subst("postfix/rfc1035_violation", "enteredstring", $mailname);
+	    $noninteractive = (((input("high", "postfix/rfc1035_violation"))[0]) == 30);
+	    $back = (((go())[0]) == 30);
+	    if ($back) {
+	      fset("postfix/mailname", "isdefault", "true");
+	      # and back around to ask mailname again.
+	    } 
+	    if (get("postfix/rfc1035_violation") eq "true") {
+	      # they wanted to continue despite the error
+	      $topstate = "relayhost";
+	    } else {
+	      fset("postfix/mailname", "isdefault", "true");
+	      # and back around to ask mailname again.
+	    }
+	  } else {
+	    # their mailname passed error checking, go on
+	    $topstate = "relayhost";
+	  }
+	}
+      }
+    }
+
+    if ($topstate eq "relayhost") {
+      my $mailertype = get("postfix/main_mailer_type");
+      if (($mailertype eq "Internet with smarthost") || ($mailertype eq "Satellite system")) {
+	if (fget("postfix/relayhost", "isdefault") eq "true") {
+	  my $hostname = `hostname --domain` || "localdomain";
+	  chomp $hostname;
+	  my $relayname = "smtp." . $hostname;
+	  set("postfix/relayhost", $relayname);
+	}
+	$noninteractive = (((input("high", "postfix/relayhost"))[0]) == 30);
+      } else {
+	# skip relayhost if we're an "Internet site" or a "Local only"
+	$topstate = "destinations";
+	$noninteractive=1;
+      }
+      if ($noninteractive) {
+	$topstate = "destinations";
+      } else {
+	$back = (((go())[0]) == 30);
+	if ($back) {
+	  fset("postfix/mailname", "isdefault", "true");
+	  fset("postfix/relayhost", "isdefault", "true");
+	  $topstate = "mailname"; # we skip back to the last question of
+	  # equal or higher priority
+	} else {
+	  fset("postfix/relayhost", "changed", "true");
+	  $topstate = "destinations";
+	}
+      }
+    }
+    
+    if ($topstate eq "destinations") {
+      my $mailertype = get("postfix/main_mailer_type");
+      my $hostname = `hostname --fqdn` || "localhost";
+      chomp $hostname;
+      my $domain = `hostname --domain` || "localdomain";
+      chomp $domain;
+      my $mailname = get("postfix/mailname") || "localhost";
+      my $destinations;
+      my $priority="medium";
+      if (fget("postfix/destinations", "set") eq "true") {
+	if ((-x "/usr/sbin/postconf") && (-f "/etc/postfix/main.cf")) {
+	  if (open(POSTCONF, "postconf -h mydestination |")) {
+	    $destinations=<POSTCONF>;
+	    close(POSTCONF);
+	    chomp $destinations;
+	    set("postfix/destinations", $destinations);
+	  }
+	}
+      } else {
+	if ($mailertype eq "Internet Site") {
+	  if ($mailname eq $hostname) {
+	    $destinations = join ", ",($mailname, "localhost." . $domain, ", localhost");
+	  } else {
+	    $destinations = join ", ",($mailname, $hostname, "localhost." . $domain . ", localhost");
+	  }
+	} else {
+	  # don't accept mail for $mailname by default if we have a relayhost or local only mail,
+	  # unless the mailname bears no resemblance to $myorigin.
+	  $destinations = join ", ",($hostname, "localhost." . $domain . ", localhost" );
+	  unless ( $hostname =~ m/(^|[\.])$mailname$/  ) {
+	    $destinations = $mailname . ", " . $destinations;
+	  }
+	}
+	set("postfix/destinations", $destinations);
+	fset("postfix/destinations","set","true");
+      }
+      if ($mailertype eq "Local only") {
+	$priority="low";
+      }
+      $noninteractive = (((input($priority, "postfix/destinations"))[0]) == 30);
+      if ($noninteractive) {
+	$topstate = "chattr";
+      } else {
+	$back = (((go())[0]) == 30);
+	if ($back) {
+	  fset("postfix/relayhost", "isdefault", "true");
+	  fset("postfix/destinations", "isdefault", "true");
+	  $topstate = "relayhost";
+	} else {
+	  fset("postfix/destinations", "changed", "true");
+	  $topstate = "chattr";
+	}
+      }
+    }
+
+    if ($topstate eq "chattr") {
+      $noninteractive = (((input("medium", "postfix/chattr"))[0]) == 30);
+      if ($noninteractive) {
+	$topstate = "mynetworks";
+      } else {
+	$back = (((go())[0]) == 30);
+	if ($back) {
+	  fset("postfix/destinations", "isdefault", "true");
+	  fset("postfix/chattr", "isdefault", "true");
+	  $topstate = "destinations";
+	} else {
+	  fset("postfix/chattr", "changed", "true");
+	  $topstate = "mynetworks";
+	}
+      }
+    }
+
+    if ($topstate eq "mynetworks") {
+      if ((-x "/usr/sbin/postconf") && (-f "/etc/postfix/main.cf")) {
+	my $mynetworks;
+	if (open(POSTCONF, "postconf -h mynetworks |")) {
+	  $mynetworks=<POSTCONF>;
+	  close(POSTCONF);
+	  chomp $mynetworks;
+	  set("postfix/mynetworks", $mynetworks);
+	}
+      }
+      $noninteractive = (((input("low", "postfix/mynetworks"))[0]) == 30);
+      if ($noninteractive) {
+	$topstate = "procmail";
+      } else {
+	$back = (((go())[0]) == 30);
+	if ($back) {
+	  fset("postfix/chattr", "isdefault", "true");
+	  fset("postfix/mynetworks", "isdefault", "true");
+	  $topstate = "chattr";
+	} else {
+	  fset("postfix/mynetworks", "changed", "true");
+	  $topstate = "procmail";
+	}
+      }
+    }
+
+    if ($topstate eq "procmail") {
+      if (fget("postfix/procmail", "isdefault") eq "true") {
+	my $pmdefault="false";
+	if (-x "/usr/bin/procmail") {
+	  $pmdefault="true";
+	}
+	set("postfix/procmail", $pmdefault);
+      }
+      if (-x "/usr/bin/procmail") {
+	$noninteractive = (((input("low", "postfix/procmail"))[0]) == 30);
+      } else {
+	$noninteractive = 1;
+      }
+      if ($noninteractive) {
+	$topstate = "mailbox_limit";
+      } else {
+	$back = (((go())[0]) == 30);
+	if ($back) {
+	  fset("postfix/mynetworks", "isdefault", "true");
+	  fset("postfix/procmail", "isdefault", "true");
+	  $topstate = "mynetworks";
+	} else {
+	  fset("postfix/procmail", "changed", "true");
+	  $topstate = "mailbox_limit";
+	}
+      }
+    }
+
+    if ($topstate eq "mailbox_limit") {
+      $noninteractive = (((input("low", "postfix/mailbox_limit"))[0]) == 30);
+      if ($noninteractive) {
+	$topstate = "recipient_delim";
+      } else {
+	$back = (((go())[0]) == 30);
+	if ($back) {
+	  fset("postfix/procmail", "isdefault", "true");
+	  fset("postfix/mailbox_limit", "isdefault", "true");
+	  $topstate = "procmail";
+	} else {
+	  fset("postfix/mailbox_limit", "changed", "true");
+	  $topstate = "recipient_delim";
+	}
+      }
+    }
+
+    if ($topstate eq "recipient_delim") {
+      $noninteractive = (((input("low", "postfix/recipient_delim"))[0]) == 30);
+      if ($noninteractive) {
+	$topstate = "ending-setup";
+      } else {
+	$back = (((go())[0]) == 30);
+	if ($back) {
+	  fset("postfix/mailbox_limit", "isdefault", "true");
+	  fset("postfix/recipient_delim", "isdefault", "true");
+	  $topstate = "mailbox_limit";
+	} else {
+	  my $delim = get("postfix/recipient_delim");
+	  if (length($delim) > 1) {
+	    fset("postfix/bad_recipient_delimiter","isdefault","true");
+	    subst("postfix/bad_recipient_delimiter", "enteredstring", $delim);
+	    $noninteractive = (((input("low", "postfix/bad_recipient_delimiter"))[0]) == 30);
+	    fset("postfix/recipient_delim","isdefault","true");
+	    # and do it again...
+	  } else {
+	    fset("postfix/recipient_delim", "changed", "true");
+	    $topstate = "ending-setup";
+	  }
+	}
+      }
+    }
+
+    if ($topstate eq "ending-setup") {
+      if ($ARGV[1] eq "reconfigure") {
+	# touch /var/lib/postfix/reload
+	sysopen RESTARTFILE, "/var/spool/postfix/reload", O_CREAT;
+	close RESTARTFILE;
+      } else {
+	# touch /var/lib/postfix/restart
+	sysopen RESTARTFILE, "/var/spool/postfix/restart", O_CREAT;
+	close RESTARTFILE;
+      }
+      $topstate = "done";
+    }
+  }				# end TOPSTATE
+}				# end while ($topstate ne q(done))
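Review bot: the mailname check at `if (not ($mailname =~ /$rfc1035_domain_re/))` is unanchored, so any input that contains a single valid label (`foo bar!`, a value with embedded whitespace or shell metacharacters) passes and becomes the debconf answer that later configuration is generated from; anchor it as `/^$rfc1035_domain_re$/`, which is what the two regexps at the top were written for. Three more logic problems in the same hunk: the back-button branch of the mailname state sets `$topstate = "type"`, but no state of that name exists (the first state is `start`), so the loop falls through every `if` and spins forever with `$topstate` unchanged; `if ($#l > 0)` in the root state is only true when `getent passwd 1000` prints two or more lines, which it never does, so the root_address default is never applied (use `if (@l)`); and in the destinations state the Internet Site branch `join ", ",($mailname, "localhost." . $domain, ", localhost")` produces an empty element (`..., , localhost`) because `", localhost"` is passed as its own list element, unlike the two sibling branches that concatenate it. Minor: the comments before the `sysopen` calls name `/var/lib/postfix/reload` and `/var/lib/postfix/restart` while the code touches files under `/var/spool/postfix`; `$mailertype` is assigned without `my` in the interactive branch of the start state (the script has no `use strict`, so this silently becomes a global); and `sysopen ... O_CREAT` is given no mode argument and its return value is not checked.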

Added: trunk/postfix/debian/control
===================================================================
--- trunk/postfix/debian/control	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/control	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,88 @@
+Source: postfix
+Section: mail
+Priority: extra
+Maintainer: LaMont Jones <lamont at debian.org>
+Standards-Version: 3.5.2.0
+Build-Depends: debhelper (>= 4.1.16), libdb4.2-dev, libgdbm-dev, libldap2-dev (>=2.1), libpcre3-dev, libmysqlclient10-dev, patch, libssl-dev (>=0.9.7-1), libsasl2-dev, postgresql-dev, po-debconf (>= 0.5.0), groff-base, dpatch
+
+Package: postfix
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, adduser (>=3.48), dpkg (>= 1.8.3)
+Recommends: mail-reader, resolvconf
+Replaces: postfix-doc (<<1.1.7-0), postfix-tls
+Suggests: procmail, postfix-mysql, postfix-pgsql, postfix-ldap, postfix-pcre
+Conflicts: mail-transport-agent, smail, libnss-db (<< 2.2-3), postfix-tls (<< 2.0-0)
+Provides: mail-transport-agent
+Description: A high-performance mail transport agent
+ ${Description}
+ .
+ This package does not have SASL or TLS support.  For SASL and TLS support,
+ install postfix-tls.
+
+Package: postfix-ldap
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, postfix (= ${Source-Version})
+Description: LDAP map support for Postfix
+ ${Description}
+ .
+ This provides support for LDAP maps in Postfix.  If you plan to use LDAP maps
+ with Postfix, you need this.
+
+Package: postfix-pcre
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, postfix (= ${Source-Version})
+Description: PCRE map support for Postfix
+ ${Description}
+ .
+ This provides support for PCRE (perl compatible regular expression) maps in
+ Postfix.  If you plan to use PCRE maps with Postfix, you need this.
+
+Package: postfix-mysql
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, postfix (= ${Source-Version})
+Description: MYSQL map support for Postfix
+ ${Description}
+ .
+ This provides support for MYSQL maps in Postfix. If you plan to use MYSQL
+ maps with Postfix, you need this.
+
+Package: postfix-pgsql
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, postfix (= ${Source-Version})
+Description: PGSQL map support for Postfix
+ ${Description}
+ .
+ This provides support for PGSQL maps in Postfix. If you plan to use PGSQL
+ maps with Postfix, you need this.
+
+Package: postfix-dev
+Architecture: all
+Section: devel
+Depends: postfix (>= ${Upstream}-0), postfix (<< ${Upstream}.0-0)
+Description: Postfix loadable modules development environment
+ ${Description}
+ .
+ This provides the headers and library links to build additional map
+ types for Postfix.  If you're not developing postfix modules, then you
+ do not need this.
+
+Package: postfix-doc
+Architecture: all
+Section: doc
+Suggests: postfix
+Replaces: postfix (<<0.0.20020113), postfix-tls
+Description: Postfix documentation
+ ${Description}
+ .
+ This package provides documentation for Postfix.
+
+Package: postfix-tls
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, postfix (= ${Source-Version})
+Conflicts: postfix-snap-tls
+Recommends: mail-reader
+Description: TLS and SASL support for Postfix
+ ${Description}
+ .
+ This package adds support for TLS (see RFC 2487) and SASL (see RFC 2554) to
+ Postfix.
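Review bot: the synopsis `Description: A high-performance mail transport agent` starts with an article, which lintian flags (description-synopsis-starts-with-article); drop the `A`. In the same stanza `Replaces: postfix-tls` is unversioned while `Conflicts: postfix-tls (<< 2.0-0)` is bounded; if the intent is only to take over files from the pre-2.0 package, put the same bound on Replaces so the two fields read consistently. Cosmetic: `MYSQL` and `PGSQL` in the map package descriptions should be `MySQL` and `PostgreSQL`.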

Added: trunk/postfix/debian/copyright
===================================================================
--- trunk/postfix/debian/copyright	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/copyright	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,326 @@
+This is the Debian GNU/Linux prepackaged version of Postfix, a mail transport
+agent.
+
+Postfix was created by Wietse Venema <wietse at porcupine.org>; the Debian
+package has been assembled by LaMont Jones <lamont at debian.org> from sources
+available from http://www.postfix.org.
+
+
+    Copyright (c) 1999, International Business Machines Corporation 
+    and others. All Rights Reserved.  
+
+The following copyright and license applies to this software:
+
+    IBM PUBLIC LICENSE VERSION 1.0 - SECURE MAILER
+
+    THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS IBM PUBLIC
+    LICENSE ("AGREEMENT").  ANY USE, REPRODUCTION OR DISTRIBUTION OF THE
+    PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
+
+    1.  DEFINITIONS
+
+    "Contribution" means:  
+	a) in the case of International Business Machines Corporation ("IBM"), 
+	   the Original Program, and 
+	b) in the case of each Contributor, 
+	   i)  changes to the Program, and
+	   ii) additions to the Program;
+	       where such changes and/or additions to the Program originate
+	       from and are distributed by that particular Contributor.  
+	       A Contribution 'originates' from a Contributor if it was added 
+	       to the Program by such Contributor itself or anyone acting on 
+	       such Contributor's behalf.  
+	Contributions do not include additions to the Program which:
+	   (i)  are separate modules of software distributed in conjunction 
+		with the Program under their own license agreement, and 
+	   (ii) are not derivative works of the Program.
+
+    "Contributor" means IBM and any other entity that distributes the Program.
+
+    "Licensed Patents " mean patent claims licensable by a Contributor which
+    are necessarily infringed by the use or sale of its Contribution alone
+    or when combined with the Program.
+
+    "Original Program" means the original version of the software accompanying
+    this Agreement as released by IBM, including source code, object code
+    and documentation, if any.
+
+    "Program" means the Original Program and Contributions.
+
+    "Recipient" means anyone who receives the Program under this Agreement, 
+    including all Contributors.
+
+    2.  GRANT OF RIGHTS
+
+	a) Subject to the terms of this Agreement, each Contributor hereby
+	grants Recipient a non-exclusive, worldwide, royalty-free copyright
+	license to reproduce, prepare derivative works of, publicly display,
+	publicly perform, distribute and sublicense the Contribution of such
+	Contributor, if any, and such derivative works, in source code and
+	object code form.
+
+	b) Subject to the terms of this Agreement, each Contributor hereby
+	grants Recipient a non-exclusive, worldwide, royalty-free patent
+	license under Licensed Patents to make, use, sell, offer to sell,
+	import and otherwise transfer the Contribution of such Contributor,
+	if any, in source code and object code form.  This patent license
+	shall apply to the combination of the Contribution and the Program
+	if, at the time the Contribution is added by the Contributor, such
+	addition of the Contribution causes such combination to be covered
+	by the Licensed Patents.  The patent license shall not apply to any
+	other combinations which include the Contribution.  No hardware per
+	se is licensed hereunder.
+
+	c) Recipient understands that although each Contributor grants the
+	licenses to its Contributions set forth herein, no assurances are
+	provided by any Contributor that the Program does not infringe the
+	patent or other intellectual property rights of any other entity.
+	Each Contributor disclaims any liability to Recipient for claims
+	brought by any other entity based on infringement of intellectual
+	property rights or otherwise.  As a condition to exercising the rights
+	and licenses granted hereunder, each Recipient hereby assumes sole
+	responsibility to secure any other intellectual property rights
+	needed, if any.  For example, if a third party patent license
+	is required to allow Recipient to distribute the Program, it is
+	Recipient's responsibility to acquire that license before distributing
+	the Program.
+
+	d) Each Contributor represents that to its knowledge it has sufficient
+	copyright rights in its Contribution, if any, to grant the copyright
+	license set forth in this Agreement.
+
+    3.  REQUIREMENTS
+
+    A Contributor may choose to distribute the Program in object code form 
+    under its own license agreement, provided that:
+	a) it complies with the terms and conditions of this Agreement; and
+	b) its license agreement:
+	   i)   effectively disclaims on behalf of all Contributors all
+		warranties and conditions, express and implied, including
+		warranties or conditions of title and non-infringement, and
+		implied warranties or conditions of merchantability and fitness
+		for a particular purpose;
+	   ii)  effectively excludes on behalf of all Contributors all 
+		liability for damages, including direct, indirect, special, 
+		incidental and consequential damages, such as lost profits; 
+	   iii) states that any provisions which differ from this Agreement 
+		are offered by that Contributor alone and not by any other 
+		party; and
+	   iv)  states that source code for the Program is available from 
+		such Contributor, and informs licensees how to obtain it in a 
+		reasonable manner on or through a medium customarily used for 
+		software exchange. 
+
+    When the Program is made available in source code form:
+	a) it must be made available under this Agreement; and 
+	b) a copy of this Agreement must be included with each copy of the 
+	   Program.  
+
+    Each Contributor must include the following in a conspicuous location 
+    in the Program: 
+
+	Copyright (c) 1997,1998,1999, International Business Machines
+	Corporation and others. All Rights Reserved.
+
+    In addition, each Contributor must identify itself as the originator of
+    its Contribution, if any, in a manner that reasonably allows subsequent
+    Recipients to identify the originator of the Contribution. 
+
+    4.  COMMERCIAL DISTRIBUTION
+
+    Commercial distributors of software may accept certain responsibilities
+    with respect to end users, business partners and the like.  While this
+    license is intended to facilitate the commercial use of the Program, the
+    Contributor who includes the Program in a commercial product offering
+    should do so in a manner which does not create potential liability for
+    other Contributors.   Therefore, if a Contributor includes the Program in
+    a commercial product offering, such Contributor ("Commercial Contributor")
+    hereby agrees to defend and indemnify every other Contributor
+    ("Indemnified Contributor") against any losses, damages and costs
+    (collectively "Losses") arising from claims, lawsuits and other legal
+    actions brought by a third party against the Indemnified Contributor to
+    the extent caused by the acts or omissions of such Commercial Contributor
+    in connection with its distribution of the Program in a commercial
+    product offering.  The obligations in this section do not apply to any
+    claims or Losses relating to any actual or alleged intellectual property
+    infringement.  In order to qualify, an Indemnified Contributor must:
+	a) promptly notify the Commercial Contributor in writing of such claim,
+    and 
+	b) allow the Commercial Contributor to control, and cooperate with
+	   the Commercial Contributor in, the defense and any related 
+	   settlement negotiations.  The Indemnified Contributor may 
+	   participate in any such claim at its own expense.
+
+    For example, a Contributor might include the Program in a commercial
+    product offering, Product X.  That Contributor is then a Commercial
+    Contributor.  If that Commercial Contributor then makes performance
+    claims, or offers warranties related to Product X, those performance
+    claims and warranties are such Commercial Contributor's responsibility
+    alone.  Under this section, the Commercial Contributor would have to
+    defend claims against the other Contributors related to those performance
+    claims and warranties, and if a court requires any other Contributor to
+    pay any damages as a result, the Commercial Contributor must pay those
+    damages.
+
+    5.  NO WARRANTY
+
+    EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED
+    ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER
+    EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
+    CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A
+    PARTICULAR PURPOSE. Each Recipient is solely responsible for determining
+    the appropriateness of using and distributing the Program and assumes
+    all risks associated with its exercise of rights under this Agreement,
+    including but not limited to the risks and costs of program errors,
+    compliance with applicable laws, damage to or loss of data, programs or
+    equipment, and unavailability or interruption of operations. 
+
+    6.  DISCLAIMER OF LIABILITY
+
+    EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR
+    ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT,
+    INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING
+    WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
+    LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+    NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION
+    OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF
+    ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+    7.  GENERAL
+
+    If any provision of this Agreement is invalid or unenforceable under
+    applicable law, it shall not affect the validity or enforceability of
+    the remainder of the terms of this Agreement, and without further action
+    by the parties hereto, such provision shall be reformed to the minimum
+    extent necessary to make such provision valid and enforceable.
+
+    If Recipient institutes patent litigation against a Contributor with
+    respect to a patent applicable to software (including a cross-claim or
+    counterclaim in a lawsuit), then any patent licenses granted by that
+    Contributor to such Recipient under this Agreement shall terminate
+    as of the date such litigation is filed.  In addition, If Recipient
+    institutes patent litigation against any entity (including a cross-claim
+    or counterclaim in a lawsuit) alleging that the Program itself (excluding
+    combinations of the Program with other software or hardware) infringes
+    such Recipient's patent(s), then such Recipient's rights granted under
+    Section 2(b) shall terminate as of the date such litigation is filed.
+
+    All Recipient's rights under this Agreement shall terminate if it fails
+    to comply with any of the material terms or conditions of this Agreement
+    and does not cure such failure in a reasonable period of time after
+    becoming aware of such noncompliance.  If all Recipient's rights under
+    this Agreement terminate, Recipient agrees to cease use and distribution
+    of the Program as soon as reasonably practicable.  However, Recipient's
+    obligations under this Agreement and any licenses granted by Recipient
+    relating to the Program shall continue and survive. 
+
+    IBM may publish new versions (including revisions) of this Agreement
+    from time to time.  Each new version of the Agreement will be given a
+    distinguishing version number.  The Program (including Contributions)
+    may always be distributed subject to the version of the Agreement under
+    which it was received. In addition, after a new version of the Agreement
+    is published, Contributor may elect to distribute the Program (including
+    its Contributions) under the new version. No one other than IBM has the
+    right to modify this Agreement.  Except as expressly stated in Sections
+    2(a) and 2(b) above, Recipient receives no rights or licenses to the
+    intellectual property of any Contributor under this Agreement, whether
+    expressly, by implication, estoppel or otherwise.  All rights in the
+    Program not expressly granted under this Agreement are reserved.
+
+    This Agreement is governed by the laws of the State of New York and the
+    intellectual property laws of the United States of America. No party to
+    this Agreement will bring a legal action under this Agreement more than
+    one year after the cause of action arose.  Each party waives its rights
+    to a jury trial in any resulting litigation. 
+
+The following license applies to rmail, distributed with Postfix:
+
+			     SENDMAIL LICENSE
+
+    The following license terms and conditions apply, unless a different
+    license is obtained from Sendmail, Inc., 6425 Christie Ave, Fourth Floor,
+    Emeryville, CA 94608, or by electronic mail at license at sendmail.com.
+
+    License Terms:
+
+    Use, Modification and Redistribution (including distribution of any
+    modified or derived work) in source and binary forms is permitted only if
+    each of the following conditions is met:
+
+    1. Redistributions qualify as "freeware" or "Open Source Software" under
+       one of the following terms:
+
+       (a) Redistributions are made at no charge beyond the reasonable cost of
+	   materials and delivery.
+
+       (b) Redistributions are accompanied by a copy of the Source Code or by an
+	   irrevocable offer to provide a copy of the Source Code for up to three
+	   years at the cost of materials and delivery.  Such redistributions
+	   must allow further use, modification, and redistribution of the Source
+	   Code under substantially the same terms as this license.  For the
+	   purposes of redistribution "Source Code" means the complete compilable
+	   and linkable source code of sendmail including all modifications.
+
+    2. Redistributions of source code must retain the copyright notices as they
+       appear in each source code file, these license terms, and the
+       disclaimer/limitation of liability set forth as paragraph 6 below.
+
+    3. Redistributions in binary form must reproduce the Copyright Notice,
+       these license terms, and the disclaimer/limitation of liability set
+       forth as paragraph 6 below, in the documentation and/or other materials
+       provided with the distribution.  For the purposes of binary distribution
+       the "Copyright Notice" refers to the following language:
+       "Copyright (c) 1998-2000 Sendmail, Inc.  All rights reserved."
+
+    4. Neither the name of Sendmail, Inc. nor the University of California nor
+       the names of their contributors may be used to endorse or promote
+       products derived from this software without specific prior written
+       permission.  The name "sendmail" is a trademark of Sendmail, Inc.
+
+    5. All redistributions must comply with the conditions imposed by the
+       University of California on certain embedded code, whose copyright
+       notice and conditions for redistribution are as follows:
+
+       (a) Copyright (c) 1988, 1993 The Regents of the University of
+	   California.  All rights reserved.
+
+       (b) Redistribution and use in source and binary forms, with or without
+	   modification, are permitted provided that the following conditions
+	   are met:
+
+	  (i)   Redistributions of source code must retain the above copyright
+		notice, this list of conditions and the following disclaimer.
+
+	  (ii)  Redistributions in binary form must reproduce the above
+		copyright notice, this list of conditions and the following
+		disclaimer in the documentation and/or other materials provided
+		with the distribution.
+
+	  (iii) Neither the name of the University nor the names of its
+		contributors may be used to endorse or promote products derived
+		from this software without specific prior written permission.
+
+    6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY
+       SENDMAIL, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
+       WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+       MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN
+       NO EVENT SHALL SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF
+       CALIFORNIA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+       INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+       NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+       USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+       ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+       (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+       THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+    $Revision: 1.1.4.3 $, Last updated $Date: 2003/07/23 16:13:15 $
+
+The TLS patch was written by Lutz Jänicke <Lutz.Jaenicke at aet.TU-Cottbus.DE>.
+Downlaoded from ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls, it has the
+following license:
+
+    This software is free. You can do with it whatever you want. I would
+    however kindly ask you to acknowledge the use of this package, if you
+    are going use it in your software, which you might be going to
+    distribute. I would also like to receive a note if you are a satisfied
+    user :-)
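Review bot: `Downlaoded` in the TLS patch paragraph is a typo for `Downloaded`, and `$Revision: 1.1.4.3 $, Last updated $Date: 2003/07/23 16:13:15 $` is CVS keyword residue carried over from the sendmail license file rather than a license term; keep it only if the file is meant to be a verbatim copy. Also worth a look: the header above the IBM license reads `Copyright (c) 1999, International Business Machines Corporation and others` while section 3 of the license itself requires the `Copyright (c) 1997,1998,1999` notice; check which form upstream's LICENSE file carries so the two match.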

Added: trunk/postfix/debian/dirs
===================================================================
--- trunk/postfix/debian/dirs	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/dirs	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,24 @@
+DEBIAN
+etc/init.d
+etc/ppp/ip-up.d
+etc/ppp/ip-down.d
+etc/network/if-up.d
+etc/network/if-down.d
+usr/bin
+usr/sbin
+usr/lib/postfix
+usr/share/doc/postfix
+usr/share/man/man1
+usr/share/man/man5
+usr/share/man/man8
+usr/share/lintian/overrides
+usr/share/postfix
+etc/postfix
+etc/resolvconf/update-libc.d
+var/spool/postfix
+var/spool/postfix/etc
+var/spool/postfix/lib
+var/spool/postfix/usr
+var/spool/postfix/usr/lib
+var/spool/postfix/usr/lib/zoneinfo
+var/log
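Review bot: `DEBIAN` and `var/log` are redundant in debian/dirs: the control directory is created by dh_builddeb when the package is assembled, and /var/log already belongs to base-files, so the package would ship an empty directory it does not own. The remaining entries are fine, and the chroot skeleton (var/spool/postfix/etc, lib, usr/lib/zoneinfo) matches what the init.d start branch populates at runtime.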

Added: trunk/postfix/debian/functions
===================================================================
--- trunk/postfix/debian/functions	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/functions	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,25 @@
+addmap()
+{   
+    name=$1
+    if [ "x$2" != "x" ]; then
+	mkmap=${2:=}
+    fi
+    FILE=/etc/postfix/dynamicmaps.cf
+    if ! grep -q "^${name}[[:space:]]" ${FILE}; then
+	 echo "Adding ${name} map entry to ${FILE}"
+	 echo "${name}	/usr/lib/postfix/dict_${name}.so		dict_${name}_open	${mkmap}" >> ${FILE}
+    fi
+    return 0
+}
+delmap()
+{   
+    name=$1
+    FILE=/etc/postfix/dynamicmaps.cf
+    if grep -q "^${name}[[:space:]]" ${FILE}; then
+	 echo "Removing ${name} map entry from ${FILE}"
+	 sed "/^${name}[[:space:]]/d" ${FILE} > ${FILE}.$$ && \
+	     cp ${FILE}.$$ ${FILE} && \
+	     rm ${FILE}.$$
+    fi
+    return 0
+}
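Review bot: `mkmap=${2:=}` in addmap() is the wrong construct: `${2:=...}` is an assign-default expansion, which is not permitted on positional parameters, and inside this `if` $2 is already known to be non-empty, so plain `mkmap=$2` is what is meant. More importantly, `mkmap` is never reset when $2 is empty, so a value left over from an earlier addmap call in the same sourced shell would be appended to the next dynamicmaps.cf entry; initialize `mkmap=` before the test. Both functions should also guard with `[ -f "$FILE" ]` so grep does not error out on a missing dynamicmaps.cf.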

Added: trunk/postfix/debian/init.d
===================================================================
--- trunk/postfix/debian/init.d	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/init.d	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,91 @@
+#!/bin/sh -e
+
+# Start or stop Postfix
+#
+# LaMont Jones <lamont at debian.org>
+# based on sendmail's init.d script
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+DAEMON=/usr/sbin/postfix
+NAME=Postfix
+TZ=
+unset TZ
+
+# Defaults - don't touch, edit /etc/default/postfix
+SYNC_CHROOT="y"
+
+test -f /etc/default/postfix && . /etc/default/postfix
+
+test -x $DAEMON && test -f /etc/postfix/main.cf || exit 0
+
+case "$1" in
+    start)
+	echo -n "Starting mail transport agent: Postfix"
+
+	# see if anything is running chrooted.
+	NEED_CHROOT=$(awk '/^[0-9a-z]/ && ($5 ~ "[-yY]") { print "y"; exit}' /etc/postfix/master.cf)
+
+	if [ -n "$NEED_CHROOT" ] && [ -n "$SYNC_CHROOT" ]; then
+	    # Make sure that the chroot environment is set up correctly.
+	    oldumask=$(umask)
+	    umask 022
+	    cd $(postconf -h queue_directory)
+
+	    # if we're using unix:passwd.byname, then we need to add etc/passwd.
+	    local_maps=$(postconf -h local_recipient_maps)
+	    if [ "X$local_maps" != "X${local_maps#*unix:passwd.byname}" ]; then
+		if [ "X$local_maps" = "X${local_maps#*proxy:unix:passwd.byname}" ]; then
+		    sed 's/^\([^:]*\):[^:]*/\1:x/' /etc/passwd > etc/passwd
+		    chmod a+r etc/passwd
+		fi
+	    fi
+
+	    FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
+		etc/nsswitch.conf"
+	    for file in $FILES; do 
+		[ -d ${file%/*} ] || mkdir -p ${file%/*}
+		if [ -f /${file} ]; then rm -f ${file} && cp /${file} ${file}; fi
+		if [ -f  ${file} ]; then chmod a+rX ${file}; fi
+	    done
+	    rm -f usr/lib/zoneinfo/localtime
+	    ln -sf /etc/localtime usr/lib/zoneinfo/localtime
+	    rm -f lib/libnss_*so*
+	    tar cf - /lib/libnss_*so* 2>/dev/null |tar xf -
+	    umask $oldumask
+	fi
+
+	start-stop-daemon --start --exec ${DAEMON} -- start 2>&1 |
+		(grep -v 'starting the Postfix' 1>&2 || /bin/true)
+	echo "."
+    ;;
+
+    stop)
+	echo -n "Stopping mail transport agent: Postfix"
+	${DAEMON} stop 2>&1 |
+		(grep -v 'stopping the Postfix' 1>&2 || /bin/true)
+	echo "."
+    ;;
+
+    restart)
+        $0 stop || true
+        $0 start
+    ;;
+    
+    force-reload|reload)
+	echo -n "Reloading Postfix configuration..."
+	${DAEMON} reload 2>&1 |
+		(grep -v 'refreshing the Postfix' 1>&2 || /bin/true)
+	echo "done."
+    ;;
+
+    flush|check|abort)
+	${DAEMON} $1
+    ;;
+
+    *)
+	echo "Usage: /etc/init.d/postfix {start|stop|restart|reload|flush|check|abort|force-reload}"
+	exit 1
+    ;;
+esac
+
+exit 0
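Review bot: the start branch cannot report failure: `start-stop-daemon ... | (grep -v ... || /bin/true)` gives the pipeline the exit status of the subshell, which is always 0, so a failed start is swallowed despite `sh -e` and the script still prints "." and exits 0 (the stop and reload branches have the same shape). Capture the daemon's output in a variable and test `$?` before filtering, or drop the filter. The chroot population step is sound and deserves a comment saying why: the sed on /etc/passwd replaces the password field with `x` before the copy lands in the world-readable queue directory, so no password hashes reach the chroot; without a comment someone may later "simplify" it to a plain cp. Minor: quote `$(postconf -h queue_directory)` in the cd.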

Added: trunk/postfix/debian/ip-down.d
===================================================================
--- trunk/postfix/debian/ip-down.d	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/ip-down.d	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,12 @@
+#!/bin/sh -e
+
+# Called when ppp disconnects
+# Written by LaMont Jones <lamont at debian.org>
+
+# start or reload Postfix as needed
+if [ ! -x /sbin/resolvconf ]; then
+	cp /etc/resolv.conf $(postconf -h queue_directory)/etc/resolv.conf
+	/etc/init.d/postfix reload >/dev/null 2>&1
+fi
+
+exit 0
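Review bot: the resolv.conf block runs `postconf` and `/etc/init.d/postfix reload` unconditionally under `sh -e`: if postfix is removed but not purged, or postconf is absent, the command substitution expands to nothing, cp fails on the missing destination and the whole ppp ip-down hook aborts. Guard the block with `[ -x /usr/sbin/postconf ] && [ -f /etc/postfix/main.cf ]`, quote the `$(postconf -h queue_directory)` expansion, and check that the chroot's etc directory exists before copying (the copy is only needed when something runs chrooted).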

Added: trunk/postfix/debian/ip-up.d
===================================================================
--- trunk/postfix/debian/ip-up.d	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/ip-up.d	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,21 @@
+#!/bin/sh -e
+# Called when a new interface comes up
+# Written by LaMont Jones <lamont at debian.org>
+
+# start or reload Postfix as needed
+if [ ! -x /sbin/resolvconf ]; then
+	cp /etc/resolv.conf $(postconf -h queue_directory)/etc/resolv.conf
+	/etc/init.d/postfix reload >/dev/null 2>&1
+fi
+
+# If master is running, force a queue run to unload any mail that is
+# hanging around.  Yes, sendmail is a symlink...
+if [ -f /var/spool/postfix/pid/master.pid ]; then
+	pid=$(sed 's/ //g' /var/spool/postfix/pid/master.pid)
+	exe=$(ls -l /proc/$pid/exe 2>/dev/null | sed 's/.* //')
+	if [ "X$exe" = "X/usr/lib/postfix/master" ]; then
+		if [ -x /usr/sbin/sendmail ]; then
+			/usr/sbin/sendmail -q
+		fi
+	fi
+fi
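Review bot: `ls -l /proc/$pid/exe | sed 's/.* //'` to recover the executable path is fragile (it depends on ls output formatting and breaks on any space in the path); `readlink /proc/$pid/exe` returns the link target directly. The idea behind the check is right and should be kept: master.pid can be stale after a crash, so verifying that the PID really belongs to /usr/lib/postfix/master before calling `sendmail -q` avoids acting on an unrelated process. The same guarding point raised for ip-down.d applies to the unconditional postconf/reload block at the top of this file.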

Added: trunk/postfix/debian/lintian-override
===================================================================
--- trunk/postfix/debian/lintian-override	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/lintian-override	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,3 @@
+# Lintian doesn't know how to parse the damn files.
+postfix: postinst-unsafe-ldconfig
+postfix: postrm-unsafe-ldconfig
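Review bot: the override comment should state what the two tags flag and why the ldconfig calls in postinst/postrm are acceptable here, rather than dismissing the check; an override without a concrete reason cannot be re-evaluated when lintian or the maintainer scripts change, and the wording is not suitable for a file shipped under /usr/share/lintian/overrides.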

Added: trunk/postfix/debian/patches/00list
===================================================================
--- trunk/postfix/debian/patches/00list	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/patches/00list	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,12 @@
+10cyrus
+10greylist
+10hostname
+10main.cf
+10man
+10master.cf
+10rmail
+10smtplinelength
+20maps
+50tls
+60hpux
+30-kolab
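Review bot: 30-kolab is listed after 60hpux, so the numeric prefixes no longer reflect application order (dpatch applies patches in 00list order, top to bottom). If the kolab patch has to go on top of the TLS and HP-UX changes, rename it (for example 70kolab) so the file name and the order agree; otherwise move the line up between 20maps and 50tls. The hyphen in 30-kolab also departs from the naming used by the other patches.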

Added: trunk/postfix/debian/patches/10cyrus.dpatch
===================================================================
--- trunk/postfix/debian/patches/10cyrus.dpatch	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/patches/10cyrus.dpatch	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,15 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10cyrus.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad postfix-2.1.5/README_FILES/CYRUS_README /tmp/dpep.PCT31n/postfix-2.1.5/README_FILES/CYRUS_README
+--- postfix-2.1.5/README_FILES/CYRUS_README	2004-04-11 15:05:32.000000000 -0600
++++ /tmp/dpep.PCT31n/postfix-2.1.5/README_FILES/CYRUS_README	2004-12-27 22:18:15.721024714 -0700
+@@ -3,3 +3,4 @@
+ -------------------------------------------------------------------------------
+ This document will be made available via http://www.postfix.org/.
+ 
++See also /usr/share/doc/cyrus21-doc/README.postfix.gz.
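Review bot: `## DP: No description.` should be replaced with a one-line purpose (here, that the patch points Debian users at the cyrus21-doc README), since the DP: lines are the only record of why a patch exists; the same placeholder appears in every other dpatch header in this commit and should be filled in for each.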

Added: trunk/postfix/debian/patches/10greylist.dpatch
===================================================================
--- trunk/postfix/debian/patches/10greylist.dpatch	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/patches/10greylist.dpatch	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10greylist.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad postfix-2.1.5/examples/smtpd-policy/greylist.pl /tmp/dpep.TDysRy/postfix-2.1.5/examples/smtpd-policy/greylist.pl
+--- postfix-2.1.5/examples/smtpd-policy/greylist.pl	2004-02-10 18:37:27.000000000 -0700
++++ /tmp/dpep.TDysRy/postfix-2.1.5/examples/smtpd-policy/greylist.pl	2004-12-27 22:18:25.645891286 -0700
+@@ -73,7 +73,7 @@
+ # In case of database corruption, this script saves the database as
+ # $database_name.time(), so that the mail system does not get stuck.
+ #
+-$database_name="/var/mta/greylist.db";
++$database_name="/var/lib/postfix/greylist.db";
+ $greylist_delay=60;
+ 
+ #
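Review bot: the patch moves greylist.db to /var/lib/postfix, but nothing in this commit creates that directory (debian/dirs does not list var/lib/postfix), and the policy script runs as an unprivileged user from master.cf, so it needs a directory that user can write and that other users cannot; either add the directory to dirs with ownership set in postinst, or say in the DP: description that the administrator has to create it.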

Added: trunk/postfix/debian/patches/10hostname.dpatch
===================================================================
--- trunk/postfix/debian/patches/10hostname.dpatch	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/patches/10hostname.dpatch	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,40 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10hostname.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad postfix-2.1.5/src/util/get_hostname.c /tmp/dpep.AXM3Gz/postfix-2.1.5/src/util/get_hostname.c
+--- postfix-2.1.5/src/util/get_hostname.c	2001-01-28 07:00:12.000000000 -0700
++++ /tmp/dpep.AXM3Gz/postfix-2.1.5/src/util/get_hostname.c	2004-12-27 22:18:38.981024795 -0700
+@@ -33,6 +33,7 @@
+ #include <sys/param.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <netdb.h>
+ 
+ #if (MAXHOSTNAMELEN < 256)
+ #undef MAXHOSTNAMELEN
+@@ -55,6 +56,7 @@
+ const char *get_hostname(void)
+ {
+     char    namebuf[MAXHOSTNAMELEN + 1];
++    struct hostent *hp;
+ 
+     /*
+      * The gethostname() call is not (or not yet) in ANSI or POSIX, but it is
+@@ -66,9 +68,11 @@
+ 	if (gethostname(namebuf, sizeof(namebuf)) < 0)
+ 	    msg_fatal("gethostname: %m");
+ 	namebuf[MAXHOSTNAMELEN] = 0;
+-	if (valid_hostname(namebuf, DO_GRIPE) == 0)
++	if (!(hp = gethostbyname(namebuf)))
++	    msg_fatal("gethostbyname: %m");
++	if (valid_hostname(hp->h_name, DO_GRIPE) == 0)
+ 	    msg_fatal("unable to use my own hostname");
+-	my_host_name = mystrdup(namebuf);
++	my_host_name = mystrdup(hp->h_name);
+     }
+     return (my_host_name);
+ }
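Review bot: `msg_fatal("gethostbyname: %m")` will print the wrong error: gethostbyname() reports failures through h_errno, not errno, so %m shows a stale or unrelated errno value; use hstrerror(h_errno) in the message. Note also the behavioural change for review: before the patch the name came from gethostname() alone, after it the daemon's idea of its own name is whatever the resolver or NSS returns as h_name, so a misconfigured or unreachable resolver now makes any Postfix program that has to derive myhostname fail at startup instead of falling back to the kernel hostname, and the name used in the SMTP banner and Received headers becomes resolver-controlled. That trade-off belongs in the DP: description.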

Added: trunk/postfix/debian/patches/10main.cf.dpatch
===================================================================
--- trunk/postfix/debian/patches/10main.cf.dpatch	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/patches/10main.cf.dpatch	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,101 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10main.cf.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad postfix-2.1.5/conf/main.cf /tmp/dpep.wXGn65/postfix-2.1.5/conf/main.cf
+--- postfix-2.1.5/conf/main.cf	2004-12-27 22:02:52.879396736 -0700
++++ /tmp/dpep.wXGn65/postfix-2.1.5/conf/main.cf	2004-12-27 22:18:47.208256287 -0700
+@@ -27,7 +27,7 @@
+ # See the files in examples/chroot-setup for setting up Postfix chroot
+ # environments on different UNIX systems.
+ #
+-queue_directory = /var/spool/postfix
++#queue_directory = /var/spool/postfix
+ 
+ # The command_directory parameter specifies the location of all
+ # postXXX commands.
+@@ -38,7 +38,7 @@
+ # daemon programs (i.e. programs listed in the master.cf file). This
+ # directory must be owned by root.
+ #
+-daemon_directory = /usr/libexec/postfix
++daemon_directory = /usr/lib/postfix
+ 
+ # QUEUE AND PROCESS OWNERSHIP
+ #
+@@ -49,7 +49,7 @@
+ # particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
+ # USER.
+ #
+-mail_owner = postfix
++#mail_owner = postfix
+ 
+ # The default_privs parameter specifies the default rights used by
+ # the local delivery agent for delivery to external file or command.
+@@ -88,6 +88,11 @@
+ # myorigin also specifies the default domain name that is appended
+ # to recipient addresses that have no @domain part.
+ #
++# Debian GNU/Linux specific:  Specifying a file name will cause the
++# first line of that file to be used as the name.  The Debian default
++# is /etc/mailname.
++#
++#myorigin = /etc/mailname
+ #myorigin = $myhostname
+ #myorigin = $mydomain
+ 
+@@ -253,6 +258,7 @@
+ #mynetworks = 168.100.189.0/28, 127.0.0.0/8
+ #mynetworks = $config_directory/mynetworks
+ #mynetworks = hash:/etc/postfix/network_table
++mynetworks = 127.0.0.0/8
+ 
+ # The relay_domains parameter restricts what destinations this system will
+ # relay mail to.  See the smtpd_recipient_restrictions description in
+@@ -433,8 +439,8 @@
+ # IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
+ # ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
+ #
+-#mailbox_command = /some/where/procmail
+-#mailbox_command = /some/where/procmail -a "$EXTENSION"
++#mailbox_command = /usr/bin/procmail
++#mailbox_command = /usr/bin/procmail -a "$EXTENSION"
+ 
+ # The mailbox_transport specifies the optional transport in master.cf
+ # to use after processing aliases and .forward files. This parameter
+@@ -536,6 +542,8 @@
+ #
+ #smtpd_banner = $myhostname ESMTP $mail_name
+ #smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
++smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
++
+ 
+ # PARALLEL DELIVERY TO THE SAME DESTINATION
+ #
+@@ -560,7 +568,7 @@
+ # logging level when an SMTP client or server host name or address
+ # matches a pattern in the debug_peer_list parameter.
+ #
+-debug_peer_level = 2
++#debug_peer_level = 2
+ 
+ # The debug_peer_list parameter specifies an optional list of domain
+ # or network patterns, /file/name patterns or type:name tables. When
+diff -urNad postfix-2.1.5/conf/main.cf.debian /tmp/dpep.wXGn65/postfix-2.1.5/conf/main.cf.debian
+--- postfix-2.1.5/conf/main.cf.debian	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.wXGn65/postfix-2.1.5/conf/main.cf.debian	2004-12-27 22:18:47.208256287 -0700
+@@ -0,0 +1,11 @@
++# See /usr/share/postfix/main.cf.dist for a commented, more complete version
++
++smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
++biff = no
++
++# appending .domain is the MUA's job.
++append_dot_mydomain = no
++
++# Uncomment the next line to generate "delayed mail" warnings
++#delay_warning_time = 4h
++
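Review bot: the two files disagree on `mynetworks`: the patched main.cf sets `mynetworks = 127.0.0.0/8` (a sound default, trusting only loopback for relaying), but main.cf.debian, the minimal file added here, does not set it at all, so unless the postinst fills it in, a system using main.cf.debian gets Postfix's compiled-in default of mynetworks_style = subnet, which trusts every directly attached network. Put the same 127.0.0.0/8 line in main.cf.debian. Minor: the added `smtpd_banner` line in main.cf is followed by two blank lines.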

Added: trunk/postfix/debian/patches/10man.dpatch
===================================================================
--- trunk/postfix/debian/patches/10man.dpatch	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/patches/10man.dpatch	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,947 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10man.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad postfix-release/man/Makefile.in /tmp/dpep.ZyQ85Z/postfix-release/man/Makefile.in
+--- postfix-release/man/Makefile.in	2004-12-27 22:31:17.051071712 -0700
++++ /tmp/dpep.ZyQ85Z/postfix-release/man/Makefile.in	2004-12-27 22:39:32.648539161 -0700
+@@ -3,6 +3,8 @@
+ # For now, just hard-coded rules for daemons, commands, config files.
+ 
+ DAEMONS	= man8/bounce.8 man8/defer.8 man8/cleanup.8 man8/error.8 man8/local.8 \
++	man8/qmqp-sink.8 man8/qmqp-source.8 \
++	man8/smtp-sink.8 man8/smtp-source.8 \
+ 	man8/lmtp.8 man8/master.8 man8/pickup.8 man8/pipe.8 man8/qmgr.8 \
+ 	man8/showq.8 man8/smtp.8 man8/smtpd.8 man8/trivial-rewrite.8 \
+ 	man8/oqmgr.8 man8/spawn.8 man8/flush.8 man8/virtual.8 man8/qmqpd.8 \
+@@ -103,6 +105,12 @@
+ 	    (cmp -s junk $? || mv junk $?)
+ 	../mantools/srctoman $? >$@
+ 
++man8/qmqp-sink.8: ../src/smtpstone/qmqp-sink.c
++	../mantools/srctoman $? >$@
++
++man8/qmqp-source.8: ../src/smtpstone/qmqp-source.c
++	../mantools/srctoman $? >$@
++
+ man8/qmqpd.8: ../src/qmqpd/qmqpd.c
+ 	../mantools/fixman ../proto/postconf.proto $? >junk && \
+ 	    (cmp -s junk $? || mv junk $?)
+@@ -123,6 +131,12 @@
+ 	    (cmp -s junk $? || mv junk $?)
+ 	../mantools/srctoman $? >$@
+ 
++man8/smtp-sink.8: ../src/smtpstone/smtp-sink.c
++	../mantools/srctoman $? >$@
++
++man8/smtp-source.8: ../src/smtpstone/smtp-source.c
++	../mantools/srctoman $? >$@
++
+ man8/smtpd.8: ../src/smtpd/smtpd.c
+ 	../mantools/fixman ../proto/postconf.proto $? >junk && \
+ 	    (cmp -s junk $? || mv junk $?)
+diff -urNad postfix-release/mantools/postlink /tmp/dpep.ZyQ85Z/postfix-release/mantools/postlink
+--- postfix-release/mantools/postlink	2004-12-27 22:31:17.054071067 -0700
++++ /tmp/dpep.ZyQ85Z/postfix-release/mantools/postlink	2004-12-27 22:39:32.651538517 -0700
+@@ -47,360 +47,360 @@
+ 		p
+ 		d
+ 		}
+-	s;[[:<:]]autho[-</bB>]*\n*[ <bB>]*rized_verp_clients[[:>:]];<a href="postconf.5.html#authorized_verp_clients">&</a>;g
+-	s;[[:<:]]debugger_command[[:>:]];<a href="postconf.5.html#debugger_command">&</a>;g
+-	s;[[:<:]]2bounce_notice_recipi[-</bB>]*\n*[ <bB>]*ent[[:>:]];<a href="postconf.5.html#2bounce_notice_recipient">&</a>;g
+-	s;[[:<:]]access_map_reject_code[[:>:]];<a href="postconf.5.html#access_map_reject_code">&</a>;g
+-	s;[[:<:]]address_verify_default_transport[[:>:]];<a href="postconf.5.html#address_verify_default_transport">&</a>;g
+-	s;[[:<:]]address_verify_local_transport[[:>:]];<a href="postconf.5.html#address_verify_local_transport">&</a>;g
+-	s;[[:<:]]address_verify_map[[:>:]];<a href="postconf.5.html#address_verify_map">&</a>;g
+-	s;[[:<:]]address_verify_negative_cache[[:>:]];<a href="postconf.5.html#address_verify_negative_cache">&</a>;g
+-	s;[[:<:]]address_verify_negative_expire_time[[:>:]];<a href="postconf.5.html#address_verify_negative_expire_time">&</a>;g
+-	s;[[:<:]]address_verify_negative_refresh_time[[:>:]];<a href="postconf.5.html#address_verify_negative_refresh_time">&</a>;g
+-	s;[[:<:]]address_verify_poll_count[[:>:]];<a href="postconf.5.html#address_verify_poll_count">&</a>;g
+-	s;[[:<:]]address_verify_poll_delay[[:>:]];<a href="postconf.5.html#address_verify_poll_delay">&</a>;g
+-	s;[[:<:]]address_verify_positive_expire_time[[:>:]];<a href="postconf.5.html#address_verify_positive_expire_time">&</a>;g
+-	s;[[:<:]]address_verify_positive_refresh_time[[:>:]];<a href="postconf.5.html#address_verify_positive_refresh_time">&</a>;g
+-	s;[[:<:]]address_verify_relay_transport[[:>:]];<a href="postconf.5.html#address_verify_relay_transport">&</a>;g
+-	s;[[:<:]]address_verify_relayhost[[:>:]];<a href="postconf.5.html#address_verify_relayhost">&</a>;g
+-	s;[[:<:]]address_verify_sender[[:>:]];<a href="postconf.5.html#address_verify_sender">&</a>;g
+-	s;[[:<:]]address_verify_service_name[[:>:]];<a href="postconf.5.html#address_verify_service_name">&</a>;g
+-	s;[[:<:]]address_verify_transport_maps[[:>:]];<a href="postconf.5.html#address_verify_transport_maps">&</a>;g
+-	s;[[:<:]]address_verify_virtual_transport[[:>:]];<a href="postconf.5.html#address_verify_virtual_transport">&</a>;g
+-	s;[[:<:]]alias_database[[:>:]];<a href="postconf.5.html#alias_database">&</a>;g
+-	s;[[:<:]]alias_maps[[:>:]];<a href="postconf.5.html#alias_maps">&</a>;g
+-	s;[[:<:]]allow_mail_to_commands[[:>:]];<a href="postconf.5.html#allow_mail_to_commands">&</a>;g
+-	s;[[:<:]]allow_mail_to_files[[:>:]];<a href="postconf.5.html#allow_mail_to_files">&</a>;g
+-	s;[[:<:]]allow_min_user[[:>:]];<a href="postconf.5.html#allow_min_user">&</a>;g
+-	s;[[:<:]]allow_percent_hack[[:>:]];<a href="postconf.5.html#allow_percent_hack">&</a>;g
+-	s;[[:<:]]allow_untrusted_routing[[:>:]];<a href="postconf.5.html#allow_untrusted_routing">&</a>;g
+-	s;[[:<:]]alternate_config_directories[[:>:]];<a href="postconf.5.html#alternate_config_directories">&</a>;g
+-	s;[[:<:]]always_bcc[[:>:]];<a href="postconf.5.html#always_bcc">&</a>;g
+-	s;[[:<:]]anvil_rate_time_unit[[:>:]];<a href="postconf.5.html#anvil_rate_time_unit">&</a>;g
+-	s;[[:<:]]append_at_myorigin[[:>:]];<a href="postconf.5.html#append_at_myorigin">&</a>;g
+-	s;[[:<:]]append_dot_mydomain[[:>:]];<a href="postconf.5.html#append_dot_mydomain">&</a>;g
+-	s;[[:<:]]application_event_drain_time[[:>:]];<a href="postconf.5.html#application_event_drain_time">&</a>;g
+-	s;[[:<:]]backwards_bounce_logfile_compatibility[[:>:]];<a href="postconf.5.html#backwards_bounce_logfile_compatibility">&</a>;g
+-	s;[[:<:]]berkeley_db_create_buffer_size[[:>:]];<a href="postconf.5.html#berkeley_db_create_buffer_size">&</a>;g
+-	s;[[:<:]]berkeley_db_read_buffer_size[[:>:]];<a href="postconf.5.html#berkeley_db_read_buffer_size">&</a>;g
+-	s;[[:<:]]best_mx_transport[[:>:]];<a href="postconf.5.html#best_mx_transport">&</a>;g
+-	s;[[:<:]]biff[[:>:]];<a href="postconf.5.html#biff">&</a>;g
+-	s;[[:<:]]body_checks[[:>:]];<a href="postconf.5.html#body_checks">&</a>;g
+-	s;[[:<:]]body_checks_size_limit[[:>:]];<a href="postconf.5.html#body_checks_size_limit">&</a>;g
+-	s;[[:<:]]bounce_notice_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#bounce_notice_recipient">&</a>;g
+-	s;[[:<:]]bounce_queue_lifetime[[:>:]];<a href="postconf.5.html#bounce_queue_lifetime">&</a>;g
+-	s;[[:<:]]bounce_service_name[[:>:]];<a href="postconf.5.html#bounce_service_name">&</a>;g
+-	s;[[:<:]]bounce_size_limit[[:>:]];<a href="postconf.5.html#bounce_size_limit">&</a>;g
+-	s;[[:<:]]broken_sasl_auth_clients[[:>:]];<a href="postconf.5.html#broken_sasl_auth_clients">&</a>;g
+-	s;[[:<:]]canonical_maps[[:>:]];<a href="postconf.5.html#canonical_maps">&</a>;g
+-	s;[[:<:]]cleanup_service_name[[:>:]];<a href="postconf.5.html#cleanup_service_name">&</a>;g
+-	s;[[:<:]]anvil_status_update_time[[:>:]];<a href="postconf.5.html#anvil_status_update_time">&</a>;g
+-	s;[[:<:]]command_directory[[:>:]];<a href="postconf.5.html#command_directory">&</a>;g
+-	s;[[:<:]]command_expan[-</bB>]*\n* *[<bB>]*sion_filter[[:>:]];<a href="postconf.5.html#command_expansion_filter">&</a>;g
+-	s;[[:<:]]command_time_limit[[:>:]];<a href="postconf.5.html#command_time_limit">&</a>;g
+-	s;[[:<:]]config_direc[-</bB>]*\n*[ <bB>]*tory[[:>:]];<a href="postconf.5.html#config_directory">&</a>;g
+-	s;[[:<:]]con[-</bB>]*\n*[ <bB>]*tent_filter[[:>:]];<a href="postconf.5.html#content_filter">&</a>;g
+-	s;[[:<:]]daemon_directory[[:>:]];<a href="postconf.5.html#daemon_directory">&</a>;g
+-	s;[[:<:]]daemon_timeout[[:>:]];<a href="postconf.5.html#daemon_timeout">&</a>;g
+-	s;[[:<:]]debug_peer_level[[:>:]];<a href="postconf.5.html#debug_peer_level">&</a>;g
+-	s;[[:<:]]debug_peer_list[[:>:]];<a href="postconf.5.html#debug_peer_list">&</a>;g
+-	s;[[:<:]]default_database_type[[:>:]];<a href="postconf.5.html#default_database_type">&</a>;g
+-	s;[[:<:]]default_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_cost[[:>:]];<a href="postconf.5.html#default_delivery_slot_cost">&</a>;g
+-	s;[[:<:]]default_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_discount[[:>:]];<a href="postconf.5.html#default_delivery_slot_discount">&</a>;g
+-	s;[[:<:]]default_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_loan[[:>:]];<a href="postconf.5.html#default_delivery_slot_loan">&</a>;g
+-	s;[[:<:]]default_destina[-</Bb>]*\n* *[<Bb>]*tion_concurrency_limit[[:>:]];<a href="postconf.5.html#default_destination_concurrency_limit">&</a>;g
+-	s;[[:<:]]default_destina[-</Bb>]*\n* *[<Bb>]*tion_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#default_destination_recipient_limit">&</a>;g
+-	s;[[:<:]]default_extra_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#default_extra_recipient_limit">&</a>;g
+-	s;[[:<:]]default_minimum_deliv[-</Bb>]*\n* *[<Bb>]*ery_slots[[:>:]];<a href="postconf.5.html#default_minimum_delivery_slots">&</a>;g
+-	s;[[:<:]]default_privs[[:>:]];<a href="postconf.5.html#default_privs">&</a>;g
+-	s;[[:<:]]default_process_limit[[:>:]];<a href="postconf.5.html#default_process_limit">&</a>;g
+-	s;[[:<:]]default_rbl_reply[[:>:]];<a href="postconf.5.html#default_rbl_reply">&</a>;g
+-	s;[[:<:]]default_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#default_recipient_limit">&</a>;g
+-	s;[[:<:]]default_transport[[:>:]];<a href="postconf.5.html#default_transport">&</a>;g
+-	s;[[:<:]]default_verp_delimiters[[:>:]];<a href="postconf.5.html#default_verp_delimiters">&</a>;g
+-	s;[[:<:]]defer_code[[:>:]];<a href="postconf.5.html#defer_code">&</a>;g
+-	s;[[:<:]]defer_service_name[[:>:]];<a href="postconf.5.html#defer_service_name">&</a>;g
+-	s;[[:<:]]defer_transports[[:>:]];<a href="postconf.5.html#defer_transports">&</a>;g
+-	s;[[:<:]]delay_notice_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#delay_notice_recipient">&</a>;g
+-	s;[[:<:]]delay_warning_time[[:>:]];<a href="postconf.5.html#delay_warning_time">&</a>;g
+-	s;[[:<:]]deliver_lock_attempts[[:>:]];<a href="postconf.5.html#deliver_lock_attempts">&</a>;g
+-	s;[[:<:]]deliver_lock_delay[[:>:]];<a href="postconf.5.html#deliver_lock_delay">&</a>;g
+-	s;[[:<:]]disable_dns_lookups[[:>:]];<a href="postconf.5.html#disable_dns_lookups">&</a>;g
+-	s;[[:<:]]disable_mime_input_processing[[:>:]];<a href="postconf.5.html#disable_mime_input_processing">&</a>;g
+-	s;[[:<:]]disable_mime_output_conversion[[:>:]];<a href="postconf.5.html#disable_mime_output_conversion">&</a>;g
+-	s;[[:<:]]disable_verp_bounces[[:>:]];<a href="postconf.5.html#disable_verp_bounces">&</a>;g
+-	s;[[:<:]]disable_vrfy_command[[:>:]];<a href="postconf.5.html#disable_vrfy_command">&</a>;g
+-	s;[[:<:]]dont_remove[[:>:]];<a href="postconf.5.html#dont_remove">&</a>;g
+-	s;[[:<:]]double_bounce_sender[[:>:]];<a href="postconf.5.html#double_bounce_sender">&</a>;g
+-	s;[[:<:]]dupli[-</bB>]*\n* *[<bB>]*cate_filter_limit[[:>:]];<a href="postconf.5.html#duplicate_filter_limit">&</a>;g
+-	s;[[:<:]]empty_address_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#empty_address_recipient">&</a>;g
+-	s;[[:<:]]enable_original_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#enable_original_recipient">&</a>;g
+-	s;[[:<:]]error_notice_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#error_notice_recipient">&</a>;g
+-	s;[[:<:]]error_service_name[[:>:]];<a href="postconf.5.html#error_service_name">&</a>;g
+-	s;[[:<:]]expand_owner_alias[[:>:]];<a href="postconf.5.html#expand_owner_alias">&</a>;g
+-	s;[[:<:]]export_environment[[:>:]];<a href="postconf.5.html#export_environment">&</a>;g
+-	s;[[:<:]]fallback_relay[[:>:]];<a href="postconf.5.html#fallback_relay">&</a>;g
+-	s;[[:<:]]fallback_transport[[:>:]];<a href="postconf.5.html#fallback_transport">&</a>;g
+-	s;[[:<:]]fast_flush_domains[[:>:]];<a href="postconf.5.html#fast_flush_domains">&</a>;g
+-	s;[[:<:]]fast_flush_purge_time[[:>:]];<a href="postconf.5.html#fast_flush_purge_time">&</a>;g
+-	s;[[:<:]]fast_flush_refresh_time[[:>:]];<a href="postconf.5.html#fast_flush_refresh_time">&</a>;g
+-	s;[[:<:]]fault_injection_code[[:>:]];<a href="postconf.5.html#fault_injection_code">&</a>;g
+-	s;[[:<:]]flush_service_name[[:>:]];<a href="postconf.5.html#flush_service_name">&</a>;g
+-	s;[[:<:]]fork_attempts[[:>:]];<a href="postconf.5.html#fork_attempts">&</a>;g
+-	s;[[:<:]]fork_delay[[:>:]];<a href="postconf.5.html#fork_delay">&</a>;g
+-	s;[[:<:]]forward_expan[-</bB>]*\n* *[<bB>]*sion_filter[[:>:]];<a href="postconf.5.html#forward_expansion_filter">&</a>;g
+-	s;[[:<:]]for[-</bB>]*\n* *[<bB>]*ward_path[[:>:]];<a href="postconf.5.html#forward_path">&</a>;g
+-	s;[[:<:]]hash_queue_depth[[:>:]];<a href="postconf.5.html#hash_queue_depth">&</a>;g
+-	s;[[:<:]]hash_queue_names[[:>:]];<a href="postconf.5.html#hash_queue_names">&</a>;g
+-	s;[[:<:]]header_address_token_limit[[:>:]];<a href="postconf.5.html#header_address_token_limit">&</a>;g
+-	s;[[:<:]]header_checks[[:>:]];<a href="postconf.5.html#header_checks">&</a>;g
+-	s;[[:<:]]header_size_limit[[:>:]];<a href="postconf.5.html#header_size_limit">&</a>;g
+-	s;[[:<:]]helpful_warnings[[:>:]];<a href="postconf.5.html#helpful_warnings">&</a>;g
+-	s;[[:<:]]home_mailbox[[:>:]];<a href="postconf.5.html#home_mailbox">&</a>;g
+-	s;[[:<:]]hopcount_limit[[:>:]];<a href="postconf.5.html#hopcount_limit">&</a>;g
+-	s;[[:<:]]html_direc[-</bB>]*\n*[ <bB>]*tory[[:>:]];<a href="postconf.5.html#html_directory">&</a>;g
+-	s;[[:<:]]ignore_mx_lookup_error[[:>:]];<a href="postconf.5.html#ignore_mx_lookup_error">&</a>;g
+-	s;[[:<:]]import_environment[[:>:]];<a href="postconf.5.html#import_environment">&</a>;g
+-	s;[[:<:]]in_flow_delay[[:>:]];<a href="postconf.5.html#in_flow_delay">&</a>;g
+-	s;[[:<:]]inet_interfaces[[:>:]];<a href="postconf.5.html#inet_interfaces">&</a>;g
+-	s;[[:<:]]initial_destination_concurrency[[:>:]];<a href="postconf.5.html#initial_destination_concurrency">&</a>;g
+-	s;[[:<:]]invalid_hostname_reject_code[[:>:]];<a href="postconf.5.html#invalid_hostname_reject_code">&</a>;g
+-	s;[[:<:]]ipc_idle[[:>:]];<a href="postconf.5.html#ipc_idle">&</a>;g
+-	s;[[:<:]]ipc_timeout[[:>:]];<a href="postconf.5.html#ipc_timeout">&</a>;g
+-	s;[[:<:]]ipc_ttl[[:>:]];<a href="postconf.5.html#ipc_ttl">&</a>;g
+-	s;[[:<:]]line_length_limit[[:>:]];<a href="postconf.5.html#line_length_limit">&</a>;g
+-	s;[[:<:]]lmtp_cache_connection[[:>:]];<a href="postconf.5.html#lmtp_cache_connection">&</a>;g
+-	s;[[:<:]]lmtp_connect_timeout[[:>:]];<a href="postconf.5.html#lmtp_connect_timeout">&</a>;g
+-	s;[[:<:]]lmtp_data_done_timeout[[:>:]];<a href="postconf.5.html#lmtp_data_done_timeout">&</a>;g
+-	s;[[:<:]]lmtp_data_init_timeout[[:>:]];<a href="postconf.5.html#lmtp_data_init_timeout">&</a>;g
+-	s;[[:<:]]lmtp_data_xfer_timeout[[:>:]];<a href="postconf.5.html#lmtp_data_xfer_timeout">&</a>;g
+-	s;[[:<:]]lmtp_lhlo_timeout[[:>:]];<a href="postconf.5.html#lmtp_lhlo_timeout">&</a>;g
+-	s;[[:<:]]lmtp_mail_timeout[[:>:]];<a href="postconf.5.html#lmtp_mail_timeout">&</a>;g
+-	s;[[:<:]]lmtp_quit_timeout[[:>:]];<a href="postconf.5.html#lmtp_quit_timeout">&</a>;g
+-	s;[[:<:]]lmtp_rcpt_timeout[[:>:]];<a href="postconf.5.html#lmtp_rcpt_timeout">&</a>;g
+-	s;[[:<:]]lmtp_rset_timeout[[:>:]];<a href="postconf.5.html#lmtp_rset_timeout">&</a>;g
+-	s;[[:<:]]lmtp_sasl_auth_enable[[:>:]];<a href="postconf.5.html#lmtp_sasl_auth_enable">&</a>;g
+-	s;[[:<:]]lmtp_sasl_password_maps[[:>:]];<a href="postconf.5.html#lmtp_sasl_password_maps">&</a>;g
+-	s;[[:<:]]lmtp_sasl_security_options[[:>:]];<a href="postconf.5.html#lmtp_sasl_security_options">&</a>;g
+-	s;[[:<:]]lmtp_send_xforward_command[[:>:]];<a href="postconf.5.html#lmtp_send_xforward_command">&</a>;g
+-	s;[[:<:]]lmtp_skip_quit_response[[:>:]];<a href="postconf.5.html#lmtp_skip_quit_response">&</a>;g
+-	s;[[:<:]]lmtp_tcp_port[[:>:]];<a href="postconf.5.html#lmtp_tcp_port">&</a>;g
+-	s;[[:<:]]lmtp_xforward_timeout[[:>:]];<a href="postconf.5.html#lmtp_xforward_timeout">&</a>;g
+-	s;[[:<:]]local_command_shell[[:>:]];<a href="postconf.5.html#local_command_shell">&</a>;g
+-	s;[[:<:]]local_destination_concurrency_limit[[:>:]];<a href="postconf.5.html#local_destination_concurrency_limit">&</a>;g
+-	s;[[:<:]]local_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#local_destination_recipient_limit">&</a>;g
+-	s;[[:<:]]local_recip[-</bB>]*\n* *[<bB>]*ient_maps[[:>:]];<a href="postconf.5.html#local_recipient_maps">&</a>;g
+-	s;[[:<:]]local_transport[[:>:]];<a href="postconf.5.html#local_transport">&</a>;g
+-	s;[[:<:]]luser_relay[[:>:]];<a href="postconf.5.html#luser_relay">&</a>;g
+-	s;[[:<:]]mail_name[[:>:]];<a href="postconf.5.html#mail_name">&</a>;g
+-	s;[[:<:]]mail_owner[[:>:]];<a href="postconf.5.html#mail_owner">&</a>;g
+-	s;[[:<:]]mail_release_date[[:>:]];<a href="postconf.5.html#mail_release_date">&</a>;g
+-	s;[[:<:]]mail_spool_direc[-</bB>]*\n* *[<bB>]*tory[[:>:]];<a href="postconf.5.html#mail_spool_directory">&</a>;g
+-	s;[[:<:]]mail_version[[:>:]];<a href="postconf.5.html#mail_version">&</a>;g
+-	s;[[:<:]]mail[-</bB>]*\n* *[<bB>]*box_command[[:>:]];<a href="postconf.5.html#mailbox_command">&</a>;g
+-	s;[[:<:]]mail[-</bB>]*\n* *[<bB>]*box_command_maps[[:>:]];<a href="postconf.5.html#mailbox_command_maps">&</a>;g
+-	s;[[:<:]]mail[-</bB>]*\n* *[<bB>]*box_deliv[-</Bb>]*\n* *[<Bb>]*ery_lock[[:>:]];<a href="postconf.5.html#mailbox_delivery_lock">&</a>;g
+-	s;[[:<:]]mail[-</bB>]*\n* *[<bB>]*box_size_limit[[:>:]];<a href="postconf.5.html#mailbox_size_limit">&</a>;g
+-	s;[[:<:]]mail[-</bB>]*\n* *[<bB>]*box_transport[[:>:]];<a href="postconf.5.html#mailbox_transport">&</a>;g
+-	s;[[:<:]]mailq_path[[:>:]];<a href="postconf.5.html#mailq_path">&</a>;g
+-	s;[[:<:]]manpage_directory[[:>:]];<a href="postconf.5.html#manpage_directory">&</a>;g
+-	s;[[:<:]]maps_rbl_domains[[:>:]];<a href="postconf.5.html#maps_rbl_domains">&</a>;g
+-	s;[[:<:]]maps_rbl_reject_code[[:>:]];<a href="postconf.5.html#maps_rbl_reject_code">&</a>;g
+-	s;[[:<:]]masquerade_classes[[:>:]];<a href="postconf.5.html#masquerade_classes">&</a>;g
+-	s;[[:<:]]masquerade_domains[[:>:]];<a href="postconf.5.html#masquerade_domains">&</a>;g
+-	s;[[:<:]]masquerade_exceptions[[:>:]];<a href="postconf.5.html#masquerade_exceptions">&</a>;g
+-	s;[[:<:]]max_idle[[:>:]];<a href="postconf.5.html#max_idle">&</a>;g
+-	s;[[:<:]]max_use[[:>:]];<a href="postconf.5.html#max_use">&</a>;g
+-	s;[[:<:]]maxi[-</bB>]*\n*[ <bB>]*mal_backoff_time[[:>:]];<a href="postconf.5.html#maximal_backoff_time">&</a>;g
+-	s;[[:<:]]maxi[-</bB>]*\n*[ <bB>]*mal_queue_lifetime[[:>:]];<a href="postconf.5.html#maximal_queue_lifetime">&</a>;g
+-	s;[[:<:]]message_size_limit[[:>:]];<a href="postconf.5.html#message_size_limit">&</a>;g
+-	s;[[:<:]]mime_boundary_length_limit[[:>:]];<a href="postconf.5.html#mime_boundary_length_limit">&</a>;g
+-	s;[[:<:]]mime_header_checks[[:>:]];<a href="postconf.5.html#mime_header_checks">&</a>;g
+-	s;[[:<:]]mime_nesting_limit[[:>:]];<a href="postconf.5.html#mime_nesting_limit">&</a>;g
+-	s;[[:<:]]minimal_backoff_time[[:>:]];<a href="postconf.5.html#minimal_backoff_time">&</a>;g
+-	s;[[:<:]]multi_recip[-</bB>]*\n* *[<bB>]*ient_bounce_reject_code[[:>:]];<a href="postconf.5.html#multi_recipient_bounce_reject_code">&</a>;g
+-	s;[[:<:]]mydes[-</bB>]*\n*[ <bB>]*tina[-</bB>]*\n*[ <bB>]*tion[[:>:]];<a href="postconf.5.html#mydestination">&</a>;g
+-	s;[[:<:]]mydomain[[:>:]];<a href="postconf.5.html#mydomain">&</a>;g
+-	s;[[:<:]]myhostname[[:>:]];<a href="postconf.5.html#myhostname">&</a>;g
+-	s;[[:<:]]mynetworks[[:>:]];<a href="postconf.5.html#mynetworks">&</a>;g
+-	s;[[:<:]]mynetworks_style[[:>:]];<a href="postconf.5.html#mynetworks_style">&</a>;g
+-	s;[[:<:]]myorigin[[:>:]];<a href="postconf.5.html#myorigin">&</a>;g
+-	s;[[:<:]]nested_header_checks[[:>:]];<a href="postconf.5.html#nested_header_checks">&</a>;g
+-	s;[[:<:]]newaliases_path[[:>:]];<a href="postconf.5.html#newaliases_path">&</a>;g
+-	s;[[:<:]]non_fqdn_reject_code[[:>:]];<a href="postconf.5.html#non_fqdn_reject_code">&</a>;g
+-	s;[[:<:]]notify_classes[[:>:]];<a href="postconf.5.html#notify_classes">&</a>;g
+-	s;[[:<:]]owner_request_special[[:>:]];<a href="postconf.5.html#owner_request_special">&</a>;g
+-	s;[[:<:]]parent_domain_matches_subdomains[[:>:]];<a href="postconf.5.html#parent_domain_matches_subdomains">&</a>;g
+-	s;[[:<:]]permit_mx_backup_networks[[:>:]];<a href="postconf.5.html#permit_mx_backup_networks">&</a>;g
+-	s;[[:<:]]pickup_service_name[[:>:]];<a href="postconf.5.html#pickup_service_name">&</a>;g
+-	s;[[:<:]]prepend_delivered_header[[:>:]];<a href="postconf.5.html#prepend_delivered_header">&</a>;g
+-	s;[[:<:]]process_id[[:>:]];<a href="postconf.5.html#process_id">&</a>;g
+-	s;[[:<:]]process_id_directory[[:>:]];<a href="postconf.5.html#process_id_directory">&</a>;g
+-	s;[[:<:]]process_name[[:>:]];<a href="postconf.5.html#process_name">&</a>;g
+-	s;[[:<:]]propagate_unmatched_extensions[[:>:]];<a href="postconf.5.html#propagate_unmatched_extensions">&</a>;g
+-	s;[[:<:]]proxy_interfaces[[:>:]];<a href="postconf.5.html#proxy_interfaces">&</a>;g
+-	s;[[:<:]]proxy_read_maps[[:>:]];<a href="postconf.5.html#proxy_read_maps">&</a>;g
+-	s;[[:<:]]qmgr_clog_warn_time[[:>:]];<a href="postconf.5.html#qmgr_clog_warn_time">&</a>;g
+-	s;[[:<:]]qmgr_fudge_factor[[:>:]];<a href="postconf.5.html#qmgr_fudge_factor">&</a>;g
+-	s;[[:<:]]qmgr_message_active_limit[[:>:]];<a href="postconf.5.html#qmgr_message_active_limit">&</a>;g
+-	s;[[:<:]]qmgr_message_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#qmgr_message_recipient_limit">&</a>;g
+-	s;[[:<:]]qmgr_message_recip[-</bB>]*\n* *[<bB>]*ient_minimum[[:>:]];<a href="postconf.5.html#qmgr_message_recipient_minimum">&</a>;g
+-	s;[[:<:]]qmqpd_authorized_clients[[:>:]];<a href="postconf.5.html#qmqpd_authorized_clients">&</a>;g
+-	s;[[:<:]]qmqpd_error_delay[[:>:]];<a href="postconf.5.html#qmqpd_error_delay">&</a>;g
+-	s;[[:<:]]qmqpd_timeout[[:>:]];<a href="postconf.5.html#qmqpd_timeout">&</a>;g
+-	s;[[:<:]]queue_directory[[:>:]];<a href="postconf.5.html#queue_directory">&</a>;g
+-	s;[[:<:]]queue_file_attribute_count_limit[[:>:]];<a href="postconf.5.html#queue_file_attribute_count_limit">&</a>;g
+-	s;[[:<:]]queue_minfree[[:>:]];<a href="postconf.5.html#queue_minfree">&</a>;g
+-	s;[[:<:]]queue_run_delay[[:>:]];<a href="postconf.5.html#queue_run_delay">&</a>;g
+-	s;[[:<:]]queue_service_name[[:>:]];<a href="postconf.5.html#queue_service_name">&</a>;g
+-	s;[[:<:]]rbl_reply_maps[[:>:]];<a href="postconf.5.html#rbl_reply_maps">&</a>;g
+-	s;[[:<:]]readme_directory[[:>:]];<a href="postconf.5.html#readme_directory">&</a>;g
+-	s;[[:<:]]receive_override_options[[:>:]];<a href="postconf.5.html#receive_override_options">&</a>;g
+-	s;[[:<:]]no_unknown_recip[-</bB>]*\n* *[<bB>]*ient_checks[[:>:]];<a href="postconf.5.html#no_unknown_recipient_checks">&</a>;g
+-	s;[[:<:]]no_address_mappings[[:>:]];<a href="postconf.5.html#no_address_mappings">&</a>;g
+-	s;[[:<:]]no_header_body_checks[[:>:]];<a href="postconf.5.html#no_header_body_checks">&</a>;g
+-	s;[[:<:]]recip[-</bB>]*\n* *[<bB>]*ient_bcc_maps[[:>:]];<a href="postconf.5.html#recipient_bcc_maps">&</a>;g
+-	s;[[:<:]]recip[-</bB>]*\n* *[<bB>]*ient_canonical_maps[[:>:]];<a href="postconf.5.html#recipient_canonical_maps">&</a>;g
+-	s;[[:<:]]recip[-</bB>]*\n* *[<bB>]*ient_delim[-</bB>]*\n* *[<bB>]*iter[[:>:]];<a href="postconf.5.html#recipient_delimiter">&<\/a>;g
+-	s;[[:<:]]reject_code[[:>:]];<a href="postconf.5.html#reject_code">&</a>;g
+-	s;[[:<:]]relay_domains[[:>:]];<a href="postconf.5.html#relay_domains">&</a>;g
+-	s;[[:<:]]relay_domains_reject_code[[:>:]];<a href="postconf.5.html#relay_domains_reject_code">&</a>;g
+-	s;[[:<:]]relay_recipi[-</bB>]*\n*[ <bB>]*ent_maps[[:>:]];<a href="postconf.5.html#relay_recipient_maps">&</a>;g
+-	s;[[:<:]]relay_transport[[:>:]];<a href="postconf.5.html#relay_transport">&</a>;g
+-	s;[[:<:]]relayhost[[:>:]];<a href="postconf.5.html#relayhost">&</a>;g
+-	s;[[:<:]]relocated_maps[[:>:]];<a href="postconf.5.html#relocated_maps">&</a>;g
+-	s;[[:<:]]require_home_directory[[:>:]];<a href="postconf.5.html#require_home_directory">&</a>;g
+-	s;[[:<:]]resolve_dequoted_address[[:>:]];<a href="postconf.5.html#resolve_dequoted_address">&</a>;g
+-	s;[[:<:]]rewrite_service_name[[:>:]];<a href="postconf.5.html#rewrite_service_name">&</a>;g
+-	s;[[:<:]]sample_directory[[:>:]];<a href="postconf.5.html#sample_directory">&</a>;g
+-	s;[[:<:]]sender_based_routing[[:>:]];<a href="postconf.5.html#sender_based_routing">&</a>;g
+-	s;[[:<:]]sender_bcc_maps[[:>:]];<a href="postconf.5.html#sender_bcc_maps">&</a>;g
+-	s;[[:<:]]sender_canonical_maps[[:>:]];<a href="postconf.5.html#sender_canonical_maps">&</a>;g
+-	s;[[:<:]]sendmail_path[[:>:]];<a href="postconf.5.html#sendmail_path">&</a>;g
+-	s;[[:<:]]service_throttle_time[[:>:]];<a href="postconf.5.html#service_throttle_time">&</a>;g
+-	s;[[:<:]]setgid_group[[:>:]];<a href="postconf.5.html#setgid_group">&</a>;g
+-	s;[[:<:]]show_user_unknown_table_name[[:>:]];<a href="postconf.5.html#show_user_unknown_table_name">&</a>;g
+-	s;[[:<:]]showq_service_name[[:>:]];<a href="postconf.5.html#showq_service_name">&</a>;g
+-	s;[[:<:]]smtp_always_send_ehlo[[:>:]];<a href="postconf.5.html#smtp_always_send_ehlo">&</a>;g
+-	s;[[:<:]]smtp_bind_address[[:>:]];<a href="postconf.5.html#smtp_bind_address">&</a>;g
+-	s;[[:<:]]smtp_connect_timeout[[:>:]];<a href="postconf.5.html#smtp_connect_timeout">&</a>;g
+-	s;[[:<:]]smtp_data_done_timeout[[:>:]];<a href="postconf.5.html#smtp_data_done_timeout">&</a>;g
+-	s;[[:<:]]smtp_data_init_timeout[[:>:]];<a href="postconf.5.html#smtp_data_init_timeout">&</a>;g
+-	s;[[:<:]]smtp_data_xfer_timeout[[:>:]];<a href="postconf.5.html#smtp_data_xfer_timeout">&</a>;g
+-	s;[[:<:]]smtp_defer_if_no_mx_address_found[[:>:]];<a href="postconf.5.html#smtp_defer_if_no_mx_address_found">&</a>;g
+-	s;[[:<:]]lmtp_destination_concurrency_limit[[:>:]];<a href="postconf.5.html#lmtp_destination_concurrency_limit">&</a>;g
+-	s;[[:<:]]lmtp_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#lmtp_destination_recipient_limit">&</a>;g
+-	s;[[:<:]]relay_destination_concurrency_limit[[:>:]];<a href="postconf.5.html#relay_destination_concurrency_limit">&</a>;g
+-	s;[[:<:]]relay_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#relay_destination_recipient_limit">&</a>;g
+-	s;[[:<:]]resolve_null_domain[[:>:]];<a href="postconf.5.html#resolve_null_domain">&</a>;g
+-	s;[[:<:]]smtp_destination_concurrency_limit[[:>:]];<a href="postconf.5.html#smtp_destination_concurrency_limit">&</a>;g
+-	s;[[:<:]]smtp_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#smtp_destination_recipient_limit">&</a>;g
+-	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_destination_concurrency_limit[[:>:]];<a href="postconf.5.html#virtual_destination_concurrency_limit">&</a>;g
+-	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#virtual_destination_recipient_limit">&</a>;g
+-	s;[[:<:]]smtp_helo_name[[:>:]];<a href="postconf.5.html#smtp_helo_name">&</a>;g
+-	s;[[:<:]]smtp_helo_timeout[[:>:]];<a href="postconf.5.html#smtp_helo_timeout">&</a>;g
+-	s;[[:<:]]smtp_host_lookup[[:>:]];<a href="postconf.5.html#smtp_host_lookup">&</a>;g
+-	s;[[:<:]]smtp_line_length_limit[[:>:]];<a href="postconf.5.html#smtp_line_length_limit">&</a>;g
+-	s;[[:<:]]smtp_mail_timeout[[:>:]];<a href="postconf.5.html#smtp_mail_timeout">&</a>;g
+-	s;[[:<:]]smtp_mx_address_limit[[:>:]];<a href="postconf.5.html#smtp_mx_address_limit">&</a>;g
+-	s;[[:<:]]smtp_mx_session_limit[[:>:]];<a href="postconf.5.html#smtp_mx_session_limit">&</a>;g
+-	s;[[:<:]]smtp_never_send_ehlo[[:>:]];<a href="postconf.5.html#smtp_never_send_ehlo">&</a>;g
+-	s;[[:<:]]smtp_pix_workaround_delay_time[[:>:]];<a href="postconf.5.html#smtp_pix_workaround_delay_time">&</a>;g
+-	s;[[:<:]]smtp_pix_workaround_threshold_time[[:>:]];<a href="postconf.5.html#smtp_pix_workaround_threshold_time">&</a>;g
+-	s;[[:<:]]smtp_quit_timeout[[:>:]];<a href="postconf.5.html#smtp_quit_timeout">&</a>;g
+-	s;[[:<:]]smtp_quote_rfc821_envelope[[:>:]];<a href="postconf.5.html#smtp_quote_rfc821_envelope">&</a>;g
+-	s;[[:<:]]smtp_randomize_addresses[[:>:]];<a href="postconf.5.html#smtp_randomize_addresses">&</a>;g
+-	s;[[:<:]]smtp_rcpt_timeout[[:>:]];<a href="postconf.5.html#smtp_rcpt_timeout">&</a>;g
+-	s;[[:<:]]smtp_rset_timeout[[:>:]];<a href="postconf.5.html#smtp_rset_timeout">&</a>;g
+-	s;[[:<:]]smtp_sasl_auth_enable[[:>:]];<a href="postconf.5.html#smtp_sasl_auth_enable">&</a>;g
+-	s;[[:<:]]smtp_sasl_password_maps[[:>:]];<a href="postconf.5.html#smtp_sasl_password_maps">&</a>;g
+-	s;[[:<:]]smtp_sasl_security_options[[:>:]];<a href="postconf.5.html#smtp_sasl_security_options">&</a>;g
+-	s;[[:<:]]smtp_send_xforward_command[[:>:]];<a href="postconf.5.html#smtp_send_xforward_command">&</a>;g
+-	s;[[:<:]]smtp_skip_4xx_greeting[[:>:]];<a href="postconf.5.html#smtp_skip_4xx_greeting">&</a>;g
+-	s;[[:<:]]smtp_skip_5xx_greeting[[:>:]];<a href="postconf.5.html#smtp_skip_5xx_greeting">&</a>;g
+-	s;[[:<:]]smtp_skip_quit_response[[:>:]];<a href="postconf.5.html#smtp_skip_quit_response">&</a>;g
+-	s;[[:<:]]smtp_xforward_timeout[[:>:]];<a href="postconf.5.html#smtp_xforward_timeout">&</a>;g
+-	s;[[:<:]]smtpd_autho[-</bB>]*\n*[ <bB>]*rized_verp_clients[[:>:]];<a href="postconf.5.html#smtpd_authorized_verp_clients">&</a>;g
+-	s;[[:<:]]smtpd_autho[-</bB>]*\n*[ <bB>]*rized_xclient_hosts[[:>:]];<a href="postconf.5.html#smtpd_authorized_xclient_hosts">&</a>;g
+-	s;[[:<:]]smtpd_autho[-</bB>]*\n*[ <bB>]*rized_xforward_hosts[[:>:]];<a href="postconf.5.html#smtpd_authorized_xforward_hosts">&</a>;g
+-	s;[[:<:]]smtpd_banner[[:>:]];<a href="postconf.5.html#smtpd_banner">&</a>;g
+-	s;[[:<:]]smtpd_client_connection_count_limit[[:>:]];<a href="postconf.5.html#smtpd_client_connection_count_limit">&</a>;g
+-	s;[[:<:]]smtpd_client_connection_limit_exceptions[[:>:]];<a href="postconf.5.html#smtpd_client_connection_limit_exceptions">&</a>;g
+-	s;[[:<:]]smtpd_client_connection_rate_limit[[:>:]];<a href="postconf.5.html#smtpd_client_connection_rate_limit">&</a>;g
+-	s;[[:<:]]smtpd_client_restrictions[[:>:]];<a href="postconf.5.html#smtpd_client_restrictions">&</a>;g
+-	s;[[:<:]]smtpd_data_restrictions[[:>:]];<a href="postconf.5.html#smtpd_data_restrictions">&</a>;g
+-	s;[[:<:]]smtpd_delay_reject[[:>:]];<a href="postconf.5.html#smtpd_delay_reject">&</a>;g
+-	s;[[:<:]]smtpd_error_sleep_time[[:>:]];<a href="postconf.5.html#smtpd_error_sleep_time">&</a>;g
+-	s;[[:<:]]smtpd_etrn_restrictions[[:>:]];<a href="postconf.5.html#smtpd_etrn_restrictions">&</a>;g
+-	s;[[:<:]]smtpd_expansion_filter[[:>:]];<a href="postconf.5.html#smtpd_expansion_filter">&</a>;g
+-	s;[[:<:]]smtpd_hard_error_limit[[:>:]];<a href="postconf.5.html#smtpd_hard_error_limit">&</a>;g
+-	s;[[:<:]]smtpd_helo_required[[:>:]];<a href="postconf.5.html#smtpd_helo_required">&</a>;g
+-	s;[[:<:]]smtpd_helo_restrictions[[:>:]];<a href="postconf.5.html#smtpd_helo_restrictions">&</a>;g
+-	s;[[:<:]]smtpd_history_flush_threshold[[:>:]];<a href="postconf.5.html#smtpd_history_flush_threshold">&</a>;g
+-	s;[[:<:]]smtpd_junk_command_limit[[:>:]];<a href="postconf.5.html#smtpd_junk_command_limit">&</a>;g
+-	s;[[:<:]]smtpd_noop_commands[[:>:]];<a href="postconf.5.html#smtpd_noop_commands">&</a>;g
+-	s;[[:<:]]smtpd_null_access_lookup_key[[:>:]];<a href="postconf.5.html#smtpd_null_access_lookup_key">&</a>;g
+-	s;[[:<:]]smtpd_recipient_overshoot_limit[[:>:]];<a href="postconf.5.html#smtpd_recipient_overshoot_limit">&</a>;g
+-	s;[[:<:]]smtpd_policy_service_max_idle[[:>:]];<a href="postconf.5.html#smtpd_policy_service_max_idle">&</a>;g
+-	s;[[:<:]]smtpd_policy_service_max_ttl[[:>:]];<a href="postconf.5.html#smtpd_policy_service_max_ttl">&</a>;g
+-	s;[[:<:]]smtpd_policy_service_timeout[[:>:]];<a href="postconf.5.html#smtpd_policy_service_timeout">&</a>;g
+-	s;[[:<:]]smtpd_proxy_ehlo[[:>:]];<a href="postconf.5.html#smtpd_proxy_ehlo">&</a>;g
+-	s;[[:<:]]smtpd_proxy_filter[[:>:]];<a href="postconf.5.html#smtpd_proxy_filter">&</a>;g
+-	s;[[:<:]]smtpd_proxy_timeout[[:>:]];<a href="postconf.5.html#smtpd_proxy_timeout">&</a>;g
+-	s;[[:<:]]smtpd_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#smtpd_recipient_limit">&</a>;g
+-	s;[[:<:]]smtpd_recip[-</bB>]*\n* *[<bB>]*ient_restrictions[[:>:]];<a href="postconf.5.html#smtpd_recipient_restrictions">&</a>;g
+-	s;[[:<:]]smtpd_reject_unlisted_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#smtpd_reject_unlisted_recipient">&</a>;g
+-	s;[[:<:]]smtpd_reject_unlisted_sender[[:>:]];<a href="postconf.5.html#smtpd_reject_unlisted_sender">&</a>;g
+-	s;[[:<:]]smtpd_restriction_classes[[:>:]];<a href="postconf.5.html#smtpd_restriction_classes">&</a>;g
+-	s;[[:<:]]smtpd_sasl_application_name[[:>:]];<a href="postconf.5.html#smtpd_sasl_application_name">&</a>;g
+-	s;[[:<:]]smtpd_sasl_auth_enable[[:>:]];<a href="postconf.5.html#smtpd_sasl_auth_enable">&</a>;g
+-	s;[[:<:]]smtpd_sasl_exceptions_networks[[:>:]];<a href="postconf.5.html#smtpd_sasl_exceptions_networks">&</a>;g
+-	s;[[:<:]]smtpd_sasl_local_domain[[:>:]];<a href="postconf.5.html#smtpd_sasl_local_domain">&</a>;g
+-	s;[[:<:]]smtpd_sasl_security_options[[:>:]];<a href="postconf.5.html#smtpd_sasl_security_options">&</a>;g
+-	s;[[:<:]]smtpd_sender_login_maps[[:>:]];<a href="postconf.5.html#smtpd_sender_login_maps">&</a>;g
+-	s;[[:<:]]smtpd_sender_restrictions[[:>:]];<a href="postconf.5.html#smtpd_sender_restrictions">&</a>;g
+-	s;[[:<:]]smtpd_soft_error_limit[[:>:]];<a href="postconf.5.html#smtpd_soft_error_limit">&</a>;g
+-	s;[[:<:]]smtpd_timeout[[:>:]];<a href="postconf.5.html#smtpd_timeout">&</a>;g
+-	s;[[:<:]]soft_bounce[[:>:]];<a href="postconf.5.html#soft_bounce">&</a>;g
+-	s;[[:<:]]stale_lock_time[[:>:]];<a href="postconf.5.html#stale_lock_time">&</a>;g
+-	s;[[:<:]]strict_7bit_headers[[:>:]];<a href="postconf.5.html#strict_7bit_headers">&</a>;g
+-	s;[[:<:]]strict_8bitmime[[:>:]];<a href="postconf.5.html#strict_8bitmime">&</a>;g
+-	s;[[:<:]]strict_8bitmime_body[[:>:]];<a href="postconf.5.html#strict_8bitmime_body">&</a>;g
+-	s;[[:<:]]strict_mime_encoding_domain[[:>:]];<a href="postconf.5.html#strict_mime_encoding_domain">&</a>;g
+-	s;[[:<:]]strict_rfc821_envelopes[[:>:]];<a href="postconf.5.html#strict_rfc821_envelopes">&</a>;g
+-	s;[[:<:]]sun_mailtool_compatibility[[:>:]];<a href="postconf.5.html#sun_mailtool_compatibility">&</a>;g
+-	s;[[:<:]]swap_bangpath[[:>:]];<a href="postconf.5.html#swap_bangpath">&</a>;g
+-	s;[[:<:]]syslog_facility[[:>:]];<a href="postconf.5.html#syslog_facility">&</a>;g
+-	s;[[:<:]]syslog_name[[:>:]];<a href="postconf.5.html#syslog_name">&</a>;g
+-	s;[[:<:]]trace_service_name[[:>:]];<a href="postconf.5.html#trace_service_name">&</a>;g
+-	s;[[:<:]]transport_maps[[:>:]];<a href="postconf.5.html#transport_maps">&</a>;g
+-	s;[[:<:]]transport_retry_time[[:>:]];<a href="postconf.5.html#transport_retry_time">&</a>;g
+-	s;[[:<:]]trigger_timeout[[:>:]];<a href="postconf.5.html#trigger_timeout">&</a>;g
+-	s;[[:<:]]undisclosed_recip[-</bB>]*\n* *[<bB>]*ients_header[[:>:]];<a href="postconf.5.html#undisclosed_recipients_header">&</a>;g
+-	s;[[:<:]]unknown_address_reject_code[[:>:]];<a href="postconf.5.html#unknown_address_reject_code">&</a>;g
+-	s;[[:<:]]unknown_client_reject_code[[:>:]];<a href="postconf.5.html#unknown_client_reject_code">&</a>;g
+-	s;[[:<:]]unknown_hostname_reject_code[[:>:]];<a href="postconf.5.html#unknown_hostname_reject_code">&</a>;g
+-	s;[[:<:]]unknown_local_recip[-</bB>]*\n* *[<bB>]*ient_reject_code[[:>:]];<a href="postconf.5.html#unknown_local_recipient_reject_code">&</a>;g
+-	s;[[:<:]]unknown_relay_recipi[-</bB>]*\n*[ <bB>]*ent_reject_code[[:>:]];<a href="postconf.5.html#unknown_relay_recipient_reject_code">&</a>;g
+-	s;[[:<:]]unknown_virtual_alias_reject_code[[:>:]];<a href="postconf.5.html#unknown_virtual_alias_reject_code">&</a>;g
+-	s;[[:<:]]unknown_virtual_mail[-</bB>]*\n* *[<bB>]*box_reject_code[[:>:]];<a href="postconf.5.html#unknown_virtual_mailbox_reject_code">&</a>;g
+-	s;[[:<:]]unverified_recip[-</bB>]*\n* *[<bB>]*ient_reject_code[[:>:]];<a href="postconf.5.html#unverified_recipient_reject_code">&</a>;g
+-	s;[[:<:]]unverified_sender_reject_code[[:>:]];<a href="postconf.5.html#unverified_sender_reject_code">&</a>;g
+-	s;[[:<:]]verp_delimiter_filter[[:>:]];<a href="postconf.5.html#verp_delimiter_filter">&</a>;g
+-	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_alias_domains[[:>:]];<a href="postconf.5.html#virtual_alias_domains">&</a>;g
+-	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_alias_expansion_limit[[:>:]];<a href="postconf.5.html#virtual_alias_expansion_limit">&</a>;g
+-	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_alias_maps[[:>:]];<a href="postconf.5.html#virtual_alias_maps">&</a>;g
+-	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_maps[[:>:]];<a href="postconf.5.html#virtual_maps">&</a>;g
+-	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_alias_recursion_limit[[:>:]];<a href="postconf.5.html#virtual_alias_recursion_limit">&</a>;g
+-	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_gid_maps[[:>:]];<a href="postconf.5.html#virtual_gid_maps">&</a>;g
+-	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_base[[:>:]];<a href="postconf.5.html#virtual_mailbox_base">&</a>;g
+-	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_domains[[:>:]];<a href="postconf.5.html#virtual_mailbox_domains">&</a>;g
+-	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_limit[[:>:]];<a href="postconf.5.html#virtual_mailbox_limit">&</a>;g
+-	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_lock[[:>:]];<a href="postconf.5.html#virtual_mailbox_lock">&</a>;g
+-	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_maps[[:>:]];<a href="postconf.5.html#virtual_mailbox_maps">&</a>;g
+-	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_minimum_uid[[:>:]];<a href="postconf.5.html#virtual_minimum_uid">&</a>;g
+-	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_transport[[:>:]];<a href="postconf.5.html#virtual_transport">&</a>;g
+-	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_uid_maps[[:>:]];<a href="postconf.5.html#virtual_uid_maps">&</a>;g
++	s;[\[{(<]autho[-</bB>]*\n*[ <bB>]*rized_verp_clients[\]})>];<a href="postconf.5.html#authorized_verp_clients">&</a>;g
++	s;[\[{(<]debugger_command[\]})>];<a href="postconf.5.html#debugger_command">&</a>;g
++	s;[\[{(<]2bounce_notice_recipi[-</bB>]*\n*[ <bB>]*ent[\]})>];<a href="postconf.5.html#2bounce_notice_recipient">&</a>;g
++	s;[\[{(<]access_map_reject_code[\]})>];<a href="postconf.5.html#access_map_reject_code">&</a>;g
++	s;[\[{(<]address_verify_default_transport[\]})>];<a href="postconf.5.html#address_verify_default_transport">&</a>;g
++	s;[\[{(<]address_verify_local_transport[\]})>];<a href="postconf.5.html#address_verify_local_transport">&</a>;g
++	s;[\[{(<]address_verify_map[\]})>];<a href="postconf.5.html#address_verify_map">&</a>;g
++	s;[\[{(<]address_verify_negative_cache[\]})>];<a href="postconf.5.html#address_verify_negative_cache">&</a>;g
++	s;[\[{(<]address_verify_negative_expire_time[\]})>];<a href="postconf.5.html#address_verify_negative_expire_time">&</a>;g
++	s;[\[{(<]address_verify_negative_refresh_time[\]})>];<a href="postconf.5.html#address_verify_negative_refresh_time">&</a>;g
++	s;[\[{(<]address_verify_poll_count[\]})>];<a href="postconf.5.html#address_verify_poll_count">&</a>;g
++	s;[\[{(<]address_verify_poll_delay[\]})>];<a href="postconf.5.html#address_verify_poll_delay">&</a>;g
++	s;[\[{(<]address_verify_positive_expire_time[\]})>];<a href="postconf.5.html#address_verify_positive_expire_time">&</a>;g
++	s;[\[{(<]address_verify_positive_refresh_time[\]})>];<a href="postconf.5.html#address_verify_positive_refresh_time">&</a>;g
++	s;[\[{(<]address_verify_relay_transport[\]})>];<a href="postconf.5.html#address_verify_relay_transport">&</a>;g
++	s;[\[{(<]address_verify_relayhost[\]})>];<a href="postconf.5.html#address_verify_relayhost">&</a>;g
++	s;[\[{(<]address_verify_sender[\]})>];<a href="postconf.5.html#address_verify_sender">&</a>;g
++	s;[\[{(<]address_verify_service_name[\]})>];<a href="postconf.5.html#address_verify_service_name">&</a>;g
++	s;[\[{(<]address_verify_transport_maps[\]})>];<a href="postconf.5.html#address_verify_transport_maps">&</a>;g
++	s;[\[{(<]address_verify_virtual_transport[\]})>];<a href="postconf.5.html#address_verify_virtual_transport">&</a>;g
++	s;[\[{(<]alias_database[\]})>];<a href="postconf.5.html#alias_database">&</a>;g
++	s;[\[{(<]alias_maps[\]})>];<a href="postconf.5.html#alias_maps">&</a>;g
++	s;[\[{(<]allow_mail_to_commands[\]})>];<a href="postconf.5.html#allow_mail_to_commands">&</a>;g
++	s;[\[{(<]allow_mail_to_files[\]})>];<a href="postconf.5.html#allow_mail_to_files">&</a>;g
++	s;[\[{(<]allow_min_user[\]})>];<a href="postconf.5.html#allow_min_user">&</a>;g
++	s;[\[{(<]allow_percent_hack[\]})>];<a href="postconf.5.html#allow_percent_hack">&</a>;g
++	s;[\[{(<]allow_untrusted_routing[\]})>];<a href="postconf.5.html#allow_untrusted_routing">&</a>;g
++	s;[\[{(<]alternate_config_directories[\]})>];<a href="postconf.5.html#alternate_config_directories">&</a>;g
++	s;[\[{(<]always_bcc[\]})>];<a href="postconf.5.html#always_bcc">&</a>;g
++	s;[\[{(<]anvil_rate_time_unit[\]})>];<a href="postconf.5.html#anvil_rate_time_unit">&</a>;g
++	s;[\[{(<]append_at_myorigin[\]})>];<a href="postconf.5.html#append_at_myorigin">&</a>;g
++	s;[\[{(<]append_dot_mydomain[\]})>];<a href="postconf.5.html#append_dot_mydomain">&</a>;g
++	s;[\[{(<]application_event_drain_time[\]})>];<a href="postconf.5.html#application_event_drain_time">&</a>;g
++	s;[\[{(<]backwards_bounce_logfile_compatibility[\]})>];<a href="postconf.5.html#backwards_bounce_logfile_compatibility">&</a>;g
++	s;[\[{(<]berkeley_db_create_buffer_size[\]})>];<a href="postconf.5.html#berkeley_db_create_buffer_size">&</a>;g
++	s;[\[{(<]berkeley_db_read_buffer_size[\]})>];<a href="postconf.5.html#berkeley_db_read_buffer_size">&</a>;g
++	s;[\[{(<]best_mx_transport[\]})>];<a href="postconf.5.html#best_mx_transport">&</a>;g
++	s;[\[{(<]biff[\]})>];<a href="postconf.5.html#biff">&</a>;g
++	s;[\[{(<]body_checks[\]})>];<a href="postconf.5.html#body_checks">&</a>;g
++	s;[\[{(<]body_checks_size_limit[\]})>];<a href="postconf.5.html#body_checks_size_limit">&</a>;g
++	s;[\[{(<]bounce_notice_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#bounce_notice_recipient">&</a>;g
++	s;[\[{(<]bounce_queue_lifetime[\]})>];<a href="postconf.5.html#bounce_queue_lifetime">&</a>;g
++	s;[\[{(<]bounce_service_name[\]})>];<a href="postconf.5.html#bounce_service_name">&</a>;g
++	s;[\[{(<]bounce_size_limit[\]})>];<a href="postconf.5.html#bounce_size_limit">&</a>;g
++	s;[\[{(<]broken_sasl_auth_clients[\]})>];<a href="postconf.5.html#broken_sasl_auth_clients">&</a>;g
++	s;[\[{(<]canonical_maps[\]})>];<a href="postconf.5.html#canonical_maps">&</a>;g
++	s;[\[{(<]cleanup_service_name[\]})>];<a href="postconf.5.html#cleanup_service_name">&</a>;g
++	s;[\[{(<]anvil_status_update_time[\]})>];<a href="postconf.5.html#anvil_status_update_time">&</a>;g
++	s;[\[{(<]command_directory[\]})>];<a href="postconf.5.html#command_directory">&</a>;g
++	s;[\[{(<]command_expan[-</bB>]*\n* *[<bB>]*sion_filter[\]})>];<a href="postconf.5.html#command_expansion_filter">&</a>;g
++	s;[\[{(<]command_time_limit[\]})>];<a href="postconf.5.html#command_time_limit">&</a>;g
++	s;[\[{(<]config_direc[-</bB>]*\n*[ <bB>]*tory[\]})>];<a href="postconf.5.html#config_directory">&</a>;g
++	s;[\[{(<]con[-</bB>]*\n*[ <bB>]*tent_filter[\]})>];<a href="postconf.5.html#content_filter">&</a>;g
++	s;[\[{(<]daemon_directory[\]})>];<a href="postconf.5.html#daemon_directory">&</a>;g
++	s;[\[{(<]daemon_timeout[\]})>];<a href="postconf.5.html#daemon_timeout">&</a>;g
++	s;[\[{(<]debug_peer_level[\]})>];<a href="postconf.5.html#debug_peer_level">&</a>;g
++	s;[\[{(<]debug_peer_list[\]})>];<a href="postconf.5.html#debug_peer_list">&</a>;g
++	s;[\[{(<]default_database_type[\]})>];<a href="postconf.5.html#default_database_type">&</a>;g
++	s;[\[{(<]default_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_cost[\]})>];<a href="postconf.5.html#default_delivery_slot_cost">&</a>;g
++	s;[\[{(<]default_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_discount[\]})>];<a href="postconf.5.html#default_delivery_slot_discount">&</a>;g
++	s;[\[{(<]default_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_loan[\]})>];<a href="postconf.5.html#default_delivery_slot_loan">&</a>;g
++	s;[\[{(<]default_destina[-</Bb>]*\n* *[<Bb>]*tion_concurrency_limit[\]})>];<a href="postconf.5.html#default_destination_concurrency_limit">&</a>;g
++	s;[\[{(<]default_destina[-</Bb>]*\n* *[<Bb>]*tion_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#default_destination_recipient_limit">&</a>;g
++	s;[\[{(<]default_extra_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#default_extra_recipient_limit">&</a>;g
++	s;[\[{(<]default_minimum_deliv[-</Bb>]*\n* *[<Bb>]*ery_slots[\]})>];<a href="postconf.5.html#default_minimum_delivery_slots">&</a>;g
++	s;[\[{(<]default_privs[\]})>];<a href="postconf.5.html#default_privs">&</a>;g
++	s;[\[{(<]default_process_limit[\]})>];<a href="postconf.5.html#default_process_limit">&</a>;g
++	s;[\[{(<]default_rbl_reply[\]})>];<a href="postconf.5.html#default_rbl_reply">&</a>;g
++	s;[\[{(<]default_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#default_recipient_limit">&</a>;g
++	s;[\[{(<]default_transport[\]})>];<a href="postconf.5.html#default_transport">&</a>;g
++	s;[\[{(<]default_verp_delimiters[\]})>];<a href="postconf.5.html#default_verp_delimiters">&</a>;g
++	s;[\[{(<]defer_code[\]})>];<a href="postconf.5.html#defer_code">&</a>;g
++	s;[\[{(<]defer_service_name[\]})>];<a href="postconf.5.html#defer_service_name">&</a>;g
++	s;[\[{(<]defer_transports[\]})>];<a href="postconf.5.html#defer_transports">&</a>;g
++	s;[\[{(<]delay_notice_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#delay_notice_recipient">&</a>;g
++	s;[\[{(<]delay_warning_time[\]})>];<a href="postconf.5.html#delay_warning_time">&</a>;g
++	s;[\[{(<]deliver_lock_attempts[\]})>];<a href="postconf.5.html#deliver_lock_attempts">&</a>;g
++	s;[\[{(<]deliver_lock_delay[\]})>];<a href="postconf.5.html#deliver_lock_delay">&</a>;g
++	s;[\[{(<]disable_dns_lookups[\]})>];<a href="postconf.5.html#disable_dns_lookups">&</a>;g
++	s;[\[{(<]disable_mime_input_processing[\]})>];<a href="postconf.5.html#disable_mime_input_processing">&</a>;g
++	s;[\[{(<]disable_mime_output_conversion[\]})>];<a href="postconf.5.html#disable_mime_output_conversion">&</a>;g
++	s;[\[{(<]disable_verp_bounces[\]})>];<a href="postconf.5.html#disable_verp_bounces">&</a>;g
++	s;[\[{(<]disable_vrfy_command[\]})>];<a href="postconf.5.html#disable_vrfy_command">&</a>;g
++	s;[\[{(<]dont_remove[\]})>];<a href="postconf.5.html#dont_remove">&</a>;g
++	s;[\[{(<]double_bounce_sender[\]})>];<a href="postconf.5.html#double_bounce_sender">&</a>;g
++	s;[\[{(<]dupli[-</bB>]*\n* *[<bB>]*cate_filter_limit[\]})>];<a href="postconf.5.html#duplicate_filter_limit">&</a>;g
++	s;[\[{(<]empty_address_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#empty_address_recipient">&</a>;g
++	s;[\[{(<]enable_original_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#enable_original_recipient">&</a>;g
++	s;[\[{(<]error_notice_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#error_notice_recipient">&</a>;g
++	s;[\[{(<]error_service_name[\]})>];<a href="postconf.5.html#error_service_name">&</a>;g
++	s;[\[{(<]expand_owner_alias[\]})>];<a href="postconf.5.html#expand_owner_alias">&</a>;g
++	s;[\[{(<]export_environment[\]})>];<a href="postconf.5.html#export_environment">&</a>;g
++	s;[\[{(<]fallback_relay[\]})>];<a href="postconf.5.html#fallback_relay">&</a>;g
++	s;[\[{(<]fallback_transport[\]})>];<a href="postconf.5.html#fallback_transport">&</a>;g
++	s;[\[{(<]fast_flush_domains[\]})>];<a href="postconf.5.html#fast_flush_domains">&</a>;g
++	s;[\[{(<]fast_flush_purge_time[\]})>];<a href="postconf.5.html#fast_flush_purge_time">&</a>;g
++	s;[\[{(<]fast_flush_refresh_time[\]})>];<a href="postconf.5.html#fast_flush_refresh_time">&</a>;g
++	s;[\[{(<]fault_injection_code[\]})>];<a href="postconf.5.html#fault_injection_code">&</a>;g
++	s;[\[{(<]flush_service_name[\]})>];<a href="postconf.5.html#flush_service_name">&</a>;g
++	s;[\[{(<]fork_attempts[\]})>];<a href="postconf.5.html#fork_attempts">&</a>;g
++	s;[\[{(<]fork_delay[\]})>];<a href="postconf.5.html#fork_delay">&</a>;g
++	s;[\[{(<]forward_expan[-</bB>]*\n* *[<bB>]*sion_filter[\]})>];<a href="postconf.5.html#forward_expansion_filter">&</a>;g
++	s;[\[{(<]for[-</bB>]*\n* *[<bB>]*ward_path[\]})>];<a href="postconf.5.html#forward_path">&</a>;g
++	s;[\[{(<]hash_queue_depth[\]})>];<a href="postconf.5.html#hash_queue_depth">&</a>;g
++	s;[\[{(<]hash_queue_names[\]})>];<a href="postconf.5.html#hash_queue_names">&</a>;g
++	s;[\[{(<]header_address_token_limit[\]})>];<a href="postconf.5.html#header_address_token_limit">&</a>;g
++	s;[\[{(<]header_checks[\]})>];<a href="postconf.5.html#header_checks">&</a>;g
++	s;[\[{(<]header_size_limit[\]})>];<a href="postconf.5.html#header_size_limit">&</a>;g
++	s;[\[{(<]helpful_warnings[\]})>];<a href="postconf.5.html#helpful_warnings">&</a>;g
++	s;[\[{(<]home_mailbox[\]})>];<a href="postconf.5.html#home_mailbox">&</a>;g
++	s;[\[{(<]hopcount_limit[\]})>];<a href="postconf.5.html#hopcount_limit">&</a>;g
++	s;[\[{(<]html_direc[-</bB>]*\n*[ <bB>]*tory[\]})>];<a href="postconf.5.html#html_directory">&</a>;g
++	s;[\[{(<]ignore_mx_lookup_error[\]})>];<a href="postconf.5.html#ignore_mx_lookup_error">&</a>;g
++	s;[\[{(<]import_environment[\]})>];<a href="postconf.5.html#import_environment">&</a>;g
++	s;[\[{(<]in_flow_delay[\]})>];<a href="postconf.5.html#in_flow_delay">&</a>;g
++	s;[\[{(<]inet_interfaces[\]})>];<a href="postconf.5.html#inet_interfaces">&</a>;g
++	s;[\[{(<]initial_destination_concurrency[\]})>];<a href="postconf.5.html#initial_destination_concurrency">&</a>;g
++	s;[\[{(<]invalid_hostname_reject_code[\]})>];<a href="postconf.5.html#invalid_hostname_reject_code">&</a>;g
++	s;[\[{(<]ipc_idle[\]})>];<a href="postconf.5.html#ipc_idle">&</a>;g
++	s;[\[{(<]ipc_timeout[\]})>];<a href="postconf.5.html#ipc_timeout">&</a>;g
++	s;[\[{(<]ipc_ttl[\]})>];<a href="postconf.5.html#ipc_ttl">&</a>;g
++	s;[\[{(<]line_length_limit[\]})>];<a href="postconf.5.html#line_length_limit">&</a>;g
++	s;[\[{(<]lmtp_cache_connection[\]})>];<a href="postconf.5.html#lmtp_cache_connection">&</a>;g
++	s;[\[{(<]lmtp_connect_timeout[\]})>];<a href="postconf.5.html#lmtp_connect_timeout">&</a>;g
++	s;[\[{(<]lmtp_data_done_timeout[\]})>];<a href="postconf.5.html#lmtp_data_done_timeout">&</a>;g
++	s;[\[{(<]lmtp_data_init_timeout[\]})>];<a href="postconf.5.html#lmtp_data_init_timeout">&</a>;g
++	s;[\[{(<]lmtp_data_xfer_timeout[\]})>];<a href="postconf.5.html#lmtp_data_xfer_timeout">&</a>;g
++	s;[\[{(<]lmtp_lhlo_timeout[\]})>];<a href="postconf.5.html#lmtp_lhlo_timeout">&</a>;g
++	s;[\[{(<]lmtp_mail_timeout[\]})>];<a href="postconf.5.html#lmtp_mail_timeout">&</a>;g
++	s;[\[{(<]lmtp_quit_timeout[\]})>];<a href="postconf.5.html#lmtp_quit_timeout">&</a>;g
++	s;[\[{(<]lmtp_rcpt_timeout[\]})>];<a href="postconf.5.html#lmtp_rcpt_timeout">&</a>;g
++	s;[\[{(<]lmtp_rset_timeout[\]})>];<a href="postconf.5.html#lmtp_rset_timeout">&</a>;g
++	s;[\[{(<]lmtp_sasl_auth_enable[\]})>];<a href="postconf.5.html#lmtp_sasl_auth_enable">&</a>;g
++	s;[\[{(<]lmtp_sasl_password_maps[\]})>];<a href="postconf.5.html#lmtp_sasl_password_maps">&</a>;g
++	s;[\[{(<]lmtp_sasl_security_options[\]})>];<a href="postconf.5.html#lmtp_sasl_security_options">&</a>;g
++	s;[\[{(<]lmtp_send_xforward_command[\]})>];<a href="postconf.5.html#lmtp_send_xforward_command">&</a>;g
++	s;[\[{(<]lmtp_skip_quit_response[\]})>];<a href="postconf.5.html#lmtp_skip_quit_response">&</a>;g
++	s;[\[{(<]lmtp_tcp_port[\]})>];<a href="postconf.5.html#lmtp_tcp_port">&</a>;g
++	s;[\[{(<]lmtp_xforward_timeout[\]})>];<a href="postconf.5.html#lmtp_xforward_timeout">&</a>;g
++	s;[\[{(<]local_command_shell[\]})>];<a href="postconf.5.html#local_command_shell">&</a>;g
++	s;[\[{(<]local_destination_concurrency_limit[\]})>];<a href="postconf.5.html#local_destination_concurrency_limit">&</a>;g
++	s;[\[{(<]local_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#local_destination_recipient_limit">&</a>;g
++	s;[\[{(<]local_recip[-</bB>]*\n* *[<bB>]*ient_maps[\]})>];<a href="postconf.5.html#local_recipient_maps">&</a>;g
++	s;[\[{(<]local_transport[\]})>];<a href="postconf.5.html#local_transport">&</a>;g
++	s;[\[{(<]luser_relay[\]})>];<a href="postconf.5.html#luser_relay">&</a>;g
++	s;[\[{(<]mail_name[\]})>];<a href="postconf.5.html#mail_name">&</a>;g
++	s;[\[{(<]mail_owner[\]})>];<a href="postconf.5.html#mail_owner">&</a>;g
++	s;[\[{(<]mail_release_date[\]})>];<a href="postconf.5.html#mail_release_date">&</a>;g
++	s;[\[{(<]mail_spool_direc[-</bB>]*\n* *[<bB>]*tory[\]})>];<a href="postconf.5.html#mail_spool_directory">&</a>;g
++	s;[\[{(<]mail_version[\]})>];<a href="postconf.5.html#mail_version">&</a>;g
++	s;[\[{(<]mail[-</bB>]*\n* *[<bB>]*box_command[\]})>];<a href="postconf.5.html#mailbox_command">&</a>;g
++	s;[\[{(<]mail[-</bB>]*\n* *[<bB>]*box_command_maps[\]})>];<a href="postconf.5.html#mailbox_command_maps">&</a>;g
++	s;[\[{(<]mail[-</bB>]*\n* *[<bB>]*box_deliv[-</Bb>]*\n* *[<Bb>]*ery_lock[\]})>];<a href="postconf.5.html#mailbox_delivery_lock">&</a>;g
++	s;[\[{(<]mail[-</bB>]*\n* *[<bB>]*box_size_limit[\]})>];<a href="postconf.5.html#mailbox_size_limit">&</a>;g
++	s;[\[{(<]mail[-</bB>]*\n* *[<bB>]*box_transport[\]})>];<a href="postconf.5.html#mailbox_transport">&</a>;g
++	s;[\[{(<]mailq_path[\]})>];<a href="postconf.5.html#mailq_path">&</a>;g
++	s;[\[{(<]manpage_directory[\]})>];<a href="postconf.5.html#manpage_directory">&</a>;g
++	s;[\[{(<]maps_rbl_domains[\]})>];<a href="postconf.5.html#maps_rbl_domains">&</a>;g
++	s;[\[{(<]maps_rbl_reject_code[\]})>];<a href="postconf.5.html#maps_rbl_reject_code">&</a>;g
++	s;[\[{(<]masquerade_classes[\]})>];<a href="postconf.5.html#masquerade_classes">&</a>;g
++	s;[\[{(<]masquerade_domains[\]})>];<a href="postconf.5.html#masquerade_domains">&</a>;g
++	s;[\[{(<]masquerade_exceptions[\]})>];<a href="postconf.5.html#masquerade_exceptions">&</a>;g
++	s;[\[{(<]max_idle[\]})>];<a href="postconf.5.html#max_idle">&</a>;g
++	s;[\[{(<]max_use[\]})>];<a href="postconf.5.html#max_use">&</a>;g
++	s;[\[{(<]maxi[-</bB>]*\n*[ <bB>]*mal_backoff_time[\]})>];<a href="postconf.5.html#maximal_backoff_time">&</a>;g
++	s;[\[{(<]maxi[-</bB>]*\n*[ <bB>]*mal_queue_lifetime[\]})>];<a href="postconf.5.html#maximal_queue_lifetime">&</a>;g
++	s;[\[{(<]message_size_limit[\]})>];<a href="postconf.5.html#message_size_limit">&</a>;g
++	s;[\[{(<]mime_boundary_length_limit[\]})>];<a href="postconf.5.html#mime_boundary_length_limit">&</a>;g
++	s;[\[{(<]mime_header_checks[\]})>];<a href="postconf.5.html#mime_header_checks">&</a>;g
++	s;[\[{(<]mime_nesting_limit[\]})>];<a href="postconf.5.html#mime_nesting_limit">&</a>;g
++	s;[\[{(<]minimal_backoff_time[\]})>];<a href="postconf.5.html#minimal_backoff_time">&</a>;g
++	s;[\[{(<]multi_recip[-</bB>]*\n* *[<bB>]*ient_bounce_reject_code[\]})>];<a href="postconf.5.html#multi_recipient_bounce_reject_code">&</a>;g
++	s;[\[{(<]mydes[-</bB>]*\n*[ <bB>]*tina[-</bB>]*\n*[ <bB>]*tion[\]})>];<a href="postconf.5.html#mydestination">&</a>;g
++	s;[\[{(<]mydomain[\]})>];<a href="postconf.5.html#mydomain">&</a>;g
++	s;[\[{(<]myhostname[\]})>];<a href="postconf.5.html#myhostname">&</a>;g
++	s;[\[{(<]mynetworks[\]})>];<a href="postconf.5.html#mynetworks">&</a>;g
++	s;[\[{(<]mynetworks_style[\]})>];<a href="postconf.5.html#mynetworks_style">&</a>;g
++	s;[\[{(<]myorigin[\]})>];<a href="postconf.5.html#myorigin">&</a>;g
++	s;[\[{(<]nested_header_checks[\]})>];<a href="postconf.5.html#nested_header_checks">&</a>;g
++	s;[\[{(<]newaliases_path[\]})>];<a href="postconf.5.html#newaliases_path">&</a>;g
++	s;[\[{(<]non_fqdn_reject_code[\]})>];<a href="postconf.5.html#non_fqdn_reject_code">&</a>;g
++	s;[\[{(<]notify_classes[\]})>];<a href="postconf.5.html#notify_classes">&</a>;g
++	s;[\[{(<]owner_request_special[\]})>];<a href="postconf.5.html#owner_request_special">&</a>;g
++	s;[\[{(<]parent_domain_matches_subdomains[\]})>];<a href="postconf.5.html#parent_domain_matches_subdomains">&</a>;g
++	s;[\[{(<]permit_mx_backup_networks[\]})>];<a href="postconf.5.html#permit_mx_backup_networks">&</a>;g
++	s;[\[{(<]pickup_service_name[\]})>];<a href="postconf.5.html#pickup_service_name">&</a>;g
++	s;[\[{(<]prepend_delivered_header[\]})>];<a href="postconf.5.html#prepend_delivered_header">&</a>;g
++	s;[\[{(<]process_id[\]})>];<a href="postconf.5.html#process_id">&</a>;g
++	s;[\[{(<]process_id_directory[\]})>];<a href="postconf.5.html#process_id_directory">&</a>;g
++	s;[\[{(<]process_name[\]})>];<a href="postconf.5.html#process_name">&</a>;g
++	s;[\[{(<]propagate_unmatched_extensions[\]})>];<a href="postconf.5.html#propagate_unmatched_extensions">&</a>;g
++	s;[\[{(<]proxy_interfaces[\]})>];<a href="postconf.5.html#proxy_interfaces">&</a>;g
++	s;[\[{(<]proxy_read_maps[\]})>];<a href="postconf.5.html#proxy_read_maps">&</a>;g
++	s;[\[{(<]qmgr_clog_warn_time[\]})>];<a href="postconf.5.html#qmgr_clog_warn_time">&</a>;g
++	s;[\[{(<]qmgr_fudge_factor[\]})>];<a href="postconf.5.html#qmgr_fudge_factor">&</a>;g
++	s;[\[{(<]qmgr_message_active_limit[\]})>];<a href="postconf.5.html#qmgr_message_active_limit">&</a>;g
++	s;[\[{(<]qmgr_message_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#qmgr_message_recipient_limit">&</a>;g
++	s;[\[{(<]qmgr_message_recip[-</bB>]*\n* *[<bB>]*ient_minimum[\]})>];<a href="postconf.5.html#qmgr_message_recipient_minimum">&</a>;g
++	s;[\[{(<]qmqpd_authorized_clients[\]})>];<a href="postconf.5.html#qmqpd_authorized_clients">&</a>;g
++	s;[\[{(<]qmqpd_error_delay[\]})>];<a href="postconf.5.html#qmqpd_error_delay">&</a>;g
++	s;[\[{(<]qmqpd_timeout[\]})>];<a href="postconf.5.html#qmqpd_timeout">&</a>;g
++	s;[\[{(<]queue_directory[\]})>];<a href="postconf.5.html#queue_directory">&</a>;g
++	s;[\[{(<]queue_file_attribute_count_limit[\]})>];<a href="postconf.5.html#queue_file_attribute_count_limit">&</a>;g
++	s;[\[{(<]queue_minfree[\]})>];<a href="postconf.5.html#queue_minfree">&</a>;g
++	s;[\[{(<]queue_run_delay[\]})>];<a href="postconf.5.html#queue_run_delay">&</a>;g
++	s;[\[{(<]queue_service_name[\]})>];<a href="postconf.5.html#queue_service_name">&</a>;g
++	s;[\[{(<]rbl_reply_maps[\]})>];<a href="postconf.5.html#rbl_reply_maps">&</a>;g
++	s;[\[{(<]readme_directory[\]})>];<a href="postconf.5.html#readme_directory">&</a>;g
++	s;[\[{(<]receive_override_options[\]})>];<a href="postconf.5.html#receive_override_options">&</a>;g
++	s;[\[{(<]no_unknown_recip[-</bB>]*\n* *[<bB>]*ient_checks[\]})>];<a href="postconf.5.html#no_unknown_recipient_checks">&</a>;g
++	s;[\[{(<]no_address_mappings[\]})>];<a href="postconf.5.html#no_address_mappings">&</a>;g
++	s;[\[{(<]no_header_body_checks[\]})>];<a href="postconf.5.html#no_header_body_checks">&</a>;g
++	s;[\[{(<]recip[-</bB>]*\n* *[<bB>]*ient_bcc_maps[\]})>];<a href="postconf.5.html#recipient_bcc_maps">&</a>;g
++	s;[\[{(<]recip[-</bB>]*\n* *[<bB>]*ient_canonical_maps[\]})>];<a href="postconf.5.html#recipient_canonical_maps">&</a>;g
++	s;[\[{(<]recip[-</bB>]*\n* *[<bB>]*ient_delim[-</bB>]*\n* *[<bB>]*iter[\]})>];<a href="postconf.5.html#recipient_delimiter">&<\/a>;g
++	s;[\[{(<]reject_code[\]})>];<a href="postconf.5.html#reject_code">&</a>;g
++	s;[\[{(<]relay_domains[\]})>];<a href="postconf.5.html#relay_domains">&</a>;g
++	s;[\[{(<]relay_domains_reject_code[\]})>];<a href="postconf.5.html#relay_domains_reject_code">&</a>;g
++	s;[\[{(<]relay_recipi[-</bB>]*\n*[ <bB>]*ent_maps[\]})>];<a href="postconf.5.html#relay_recipient_maps">&</a>;g
++	s;[\[{(<]relay_transport[\]})>];<a href="postconf.5.html#relay_transport">&</a>;g
++	s;[\[{(<]relayhost[\]})>];<a href="postconf.5.html#relayhost">&</a>;g
++	s;[\[{(<]relocated_maps[\]})>];<a href="postconf.5.html#relocated_maps">&</a>;g
++	s;[\[{(<]require_home_directory[\]})>];<a href="postconf.5.html#require_home_directory">&</a>;g
++	s;[\[{(<]resolve_dequoted_address[\]})>];<a href="postconf.5.html#resolve_dequoted_address">&</a>;g
++	s;[\[{(<]rewrite_service_name[\]})>];<a href="postconf.5.html#rewrite_service_name">&</a>;g
++	s;[\[{(<]sample_directory[\]})>];<a href="postconf.5.html#sample_directory">&</a>;g
++	s;[\[{(<]sender_based_routing[\]})>];<a href="postconf.5.html#sender_based_routing">&</a>;g
++	s;[\[{(<]sender_bcc_maps[\]})>];<a href="postconf.5.html#sender_bcc_maps">&</a>;g
++	s;[\[{(<]sender_canonical_maps[\]})>];<a href="postconf.5.html#sender_canonical_maps">&</a>;g
++	s;[\[{(<]sendmail_path[\]})>];<a href="postconf.5.html#sendmail_path">&</a>;g
++	s;[\[{(<]service_throttle_time[\]})>];<a href="postconf.5.html#service_throttle_time">&</a>;g
++	s;[\[{(<]setgid_group[\]})>];<a href="postconf.5.html#setgid_group">&</a>;g
++	s;[\[{(<]show_user_unknown_table_name[\]})>];<a href="postconf.5.html#show_user_unknown_table_name">&</a>;g
++	s;[\[{(<]showq_service_name[\]})>];<a href="postconf.5.html#showq_service_name">&</a>;g
++	s;[\[{(<]smtp_always_send_ehlo[\]})>];<a href="postconf.5.html#smtp_always_send_ehlo">&</a>;g
++	s;[\[{(<]smtp_bind_address[\]})>];<a href="postconf.5.html#smtp_bind_address">&</a>;g
++	s;[\[{(<]smtp_connect_timeout[\]})>];<a href="postconf.5.html#smtp_connect_timeout">&</a>;g
++	s;[\[{(<]smtp_data_done_timeout[\]})>];<a href="postconf.5.html#smtp_data_done_timeout">&</a>;g
++	s;[\[{(<]smtp_data_init_timeout[\]})>];<a href="postconf.5.html#smtp_data_init_timeout">&</a>;g
++	s;[\[{(<]smtp_data_xfer_timeout[\]})>];<a href="postconf.5.html#smtp_data_xfer_timeout">&</a>;g
++	s;[\[{(<]smtp_defer_if_no_mx_address_found[\]})>];<a href="postconf.5.html#smtp_defer_if_no_mx_address_found">&</a>;g
++	s;[\[{(<]lmtp_destination_concurrency_limit[\]})>];<a href="postconf.5.html#lmtp_destination_concurrency_limit">&</a>;g
++	s;[\[{(<]lmtp_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#lmtp_destination_recipient_limit">&</a>;g
++	s;[\[{(<]relay_destination_concurrency_limit[\]})>];<a href="postconf.5.html#relay_destination_concurrency_limit">&</a>;g
++	s;[\[{(<]relay_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#relay_destination_recipient_limit">&</a>;g
++	s;[\[{(<]resolve_null_domain[\]})>];<a href="postconf.5.html#resolve_null_domain">&</a>;g
++	s;[\[{(<]smtp_destination_concurrency_limit[\]})>];<a href="postconf.5.html#smtp_destination_concurrency_limit">&</a>;g
++	s;[\[{(<]smtp_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#smtp_destination_recipient_limit">&</a>;g
++	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_destination_concurrency_limit[\]})>];<a href="postconf.5.html#virtual_destination_concurrency_limit">&</a>;g
++	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#virtual_destination_recipient_limit">&</a>;g
++	s;[\[{(<]smtp_helo_name[\]})>];<a href="postconf.5.html#smtp_helo_name">&</a>;g
++	s;[\[{(<]smtp_helo_timeout[\]})>];<a href="postconf.5.html#smtp_helo_timeout">&</a>;g
++	s;[\[{(<]smtp_host_lookup[\]})>];<a href="postconf.5.html#smtp_host_lookup">&</a>;g
++	s;[\[{(<]smtp_line_length_limit[\]})>];<a href="postconf.5.html#smtp_line_length_limit">&</a>;g
++	s;[\[{(<]smtp_mail_timeout[\]})>];<a href="postconf.5.html#smtp_mail_timeout">&</a>;g
++	s;[\[{(<]smtp_mx_address_limit[\]})>];<a href="postconf.5.html#smtp_mx_address_limit">&</a>;g
++	s;[\[{(<]smtp_mx_session_limit[\]})>];<a href="postconf.5.html#smtp_mx_session_limit">&</a>;g
++	s;[\[{(<]smtp_never_send_ehlo[\]})>];<a href="postconf.5.html#smtp_never_send_ehlo">&</a>;g
++	s;[\[{(<]smtp_pix_workaround_delay_time[\]})>];<a href="postconf.5.html#smtp_pix_workaround_delay_time">&</a>;g
++	s;[\[{(<]smtp_pix_workaround_threshold_time[\]})>];<a href="postconf.5.html#smtp_pix_workaround_threshold_time">&</a>;g
++	s;[\[{(<]smtp_quit_timeout[\]})>];<a href="postconf.5.html#smtp_quit_timeout">&</a>;g
++	s;[\[{(<]smtp_quote_rfc821_envelope[\]})>];<a href="postconf.5.html#smtp_quote_rfc821_envelope">&</a>;g
++	s;[\[{(<]smtp_randomize_addresses[\]})>];<a href="postconf.5.html#smtp_randomize_addresses">&</a>;g
++	s;[\[{(<]smtp_rcpt_timeout[\]})>];<a href="postconf.5.html#smtp_rcpt_timeout">&</a>;g
++	s;[\[{(<]smtp_rset_timeout[\]})>];<a href="postconf.5.html#smtp_rset_timeout">&</a>;g
++	s;[\[{(<]smtp_sasl_auth_enable[\]})>];<a href="postconf.5.html#smtp_sasl_auth_enable">&</a>;g
++	s;[\[{(<]smtp_sasl_password_maps[\]})>];<a href="postconf.5.html#smtp_sasl_password_maps">&</a>;g
++	s;[\[{(<]smtp_sasl_security_options[\]})>];<a href="postconf.5.html#smtp_sasl_security_options">&</a>;g
++	s;[\[{(<]smtp_send_xforward_command[\]})>];<a href="postconf.5.html#smtp_send_xforward_command">&</a>;g
++	s;[\[{(<]smtp_skip_4xx_greeting[\]})>];<a href="postconf.5.html#smtp_skip_4xx_greeting">&</a>;g
++	s;[\[{(<]smtp_skip_5xx_greeting[\]})>];<a href="postconf.5.html#smtp_skip_5xx_greeting">&</a>;g
++	s;[\[{(<]smtp_skip_quit_response[\]})>];<a href="postconf.5.html#smtp_skip_quit_response">&</a>;g
++	s;[\[{(<]smtp_xforward_timeout[\]})>];<a href="postconf.5.html#smtp_xforward_timeout">&</a>;g
++	s;[\[{(<]smtpd_autho[-</bB>]*\n*[ <bB>]*rized_verp_clients[\]})>];<a href="postconf.5.html#smtpd_authorized_verp_clients">&</a>;g
++	s;[\[{(<]smtpd_autho[-</bB>]*\n*[ <bB>]*rized_xclient_hosts[\]})>];<a href="postconf.5.html#smtpd_authorized_xclient_hosts">&</a>;g
++	s;[\[{(<]smtpd_autho[-</bB>]*\n*[ <bB>]*rized_xforward_hosts[\]})>];<a href="postconf.5.html#smtpd_authorized_xforward_hosts">&</a>;g
++	s;[\[{(<]smtpd_banner[\]})>];<a href="postconf.5.html#smtpd_banner">&</a>;g
++	s;[\[{(<]smtpd_client_connection_count_limit[\]})>];<a href="postconf.5.html#smtpd_client_connection_count_limit">&</a>;g
++	s;[\[{(<]smtpd_client_connection_limit_exceptions[\]})>];<a href="postconf.5.html#smtpd_client_connection_limit_exceptions">&</a>;g
++	s;[\[{(<]smtpd_client_connection_rate_limit[\]})>];<a href="postconf.5.html#smtpd_client_connection_rate_limit">&</a>;g
++	s;[\[{(<]smtpd_client_restrictions[\]})>];<a href="postconf.5.html#smtpd_client_restrictions">&</a>;g
++	s;[\[{(<]smtpd_data_restrictions[\]})>];<a href="postconf.5.html#smtpd_data_restrictions">&</a>;g
++	s;[\[{(<]smtpd_delay_reject[\]})>];<a href="postconf.5.html#smtpd_delay_reject">&</a>;g
++	s;[\[{(<]smtpd_error_sleep_time[\]})>];<a href="postconf.5.html#smtpd_error_sleep_time">&</a>;g
++	s;[\[{(<]smtpd_etrn_restrictions[\]})>];<a href="postconf.5.html#smtpd_etrn_restrictions">&</a>;g
++	s;[\[{(<]smtpd_expansion_filter[\]})>];<a href="postconf.5.html#smtpd_expansion_filter">&</a>;g
++	s;[\[{(<]smtpd_hard_error_limit[\]})>];<a href="postconf.5.html#smtpd_hard_error_limit">&</a>;g
++	s;[\[{(<]smtpd_helo_required[\]})>];<a href="postconf.5.html#smtpd_helo_required">&</a>;g
++	s;[\[{(<]smtpd_helo_restrictions[\]})>];<a href="postconf.5.html#smtpd_helo_restrictions">&</a>;g
++	s;[\[{(<]smtpd_history_flush_threshold[\]})>];<a href="postconf.5.html#smtpd_history_flush_threshold">&</a>;g
++	s;[\[{(<]smtpd_junk_command_limit[\]})>];<a href="postconf.5.html#smtpd_junk_command_limit">&</a>;g
++	s;[\[{(<]smtpd_noop_commands[\]})>];<a href="postconf.5.html#smtpd_noop_commands">&</a>;g
++	s;[\[{(<]smtpd_null_access_lookup_key[\]})>];<a href="postconf.5.html#smtpd_null_access_lookup_key">&</a>;g
++	s;[\[{(<]smtpd_recipient_overshoot_limit[\]})>];<a href="postconf.5.html#smtpd_recipient_overshoot_limit">&</a>;g
++	s;[\[{(<]smtpd_policy_service_max_idle[\]})>];<a href="postconf.5.html#smtpd_policy_service_max_idle">&</a>;g
++	s;[\[{(<]smtpd_policy_service_max_ttl[\]})>];<a href="postconf.5.html#smtpd_policy_service_max_ttl">&</a>;g
++	s;[\[{(<]smtpd_policy_service_timeout[\]})>];<a href="postconf.5.html#smtpd_policy_service_timeout">&</a>;g
++	s;[\[{(<]smtpd_proxy_ehlo[\]})>];<a href="postconf.5.html#smtpd_proxy_ehlo">&</a>;g
++	s;[\[{(<]smtpd_proxy_filter[\]})>];<a href="postconf.5.html#smtpd_proxy_filter">&</a>;g
++	s;[\[{(<]smtpd_proxy_timeout[\]})>];<a href="postconf.5.html#smtpd_proxy_timeout">&</a>;g
++	s;[\[{(<]smtpd_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#smtpd_recipient_limit">&</a>;g
++	s;[\[{(<]smtpd_recip[-</bB>]*\n* *[<bB>]*ient_restrictions[\]})>];<a href="postconf.5.html#smtpd_recipient_restrictions">&</a>;g
++	s;[\[{(<]smtpd_reject_unlisted_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#smtpd_reject_unlisted_recipient">&</a>;g
++	s;[\[{(<]smtpd_reject_unlisted_sender[\]})>];<a href="postconf.5.html#smtpd_reject_unlisted_sender">&</a>;g
++	s;[\[{(<]smtpd_restriction_classes[\]})>];<a href="postconf.5.html#smtpd_restriction_classes">&</a>;g
++	s;[\[{(<]smtpd_sasl_application_name[\]})>];<a href="postconf.5.html#smtpd_sasl_application_name">&</a>;g
++	s;[\[{(<]smtpd_sasl_auth_enable[\]})>];<a href="postconf.5.html#smtpd_sasl_auth_enable">&</a>;g
++	s;[\[{(<]smtpd_sasl_exceptions_networks[\]})>];<a href="postconf.5.html#smtpd_sasl_exceptions_networks">&</a>;g
++	s;[\[{(<]smtpd_sasl_local_domain[\]})>];<a href="postconf.5.html#smtpd_sasl_local_domain">&</a>;g
++	s;[\[{(<]smtpd_sasl_security_options[\]})>];<a href="postconf.5.html#smtpd_sasl_security_options">&</a>;g
++	s;[\[{(<]smtpd_sender_login_maps[\]})>];<a href="postconf.5.html#smtpd_sender_login_maps">&</a>;g
++	s;[\[{(<]smtpd_sender_restrictions[\]})>];<a href="postconf.5.html#smtpd_sender_restrictions">&</a>;g
++	s;[\[{(<]smtpd_soft_error_limit[\]})>];<a href="postconf.5.html#smtpd_soft_error_limit">&</a>;g
++	s;[\[{(<]smtpd_timeout[\]})>];<a href="postconf.5.html#smtpd_timeout">&</a>;g
++	s;[\[{(<]soft_bounce[\]})>];<a href="postconf.5.html#soft_bounce">&</a>;g
++	s;[\[{(<]stale_lock_time[\]})>];<a href="postconf.5.html#stale_lock_time">&</a>;g
++	s;[\[{(<]strict_7bit_headers[\]})>];<a href="postconf.5.html#strict_7bit_headers">&</a>;g
++	s;[\[{(<]strict_8bitmime[\]})>];<a href="postconf.5.html#strict_8bitmime">&</a>;g
++	s;[\[{(<]strict_8bitmime_body[\]})>];<a href="postconf.5.html#strict_8bitmime_body">&</a>;g
++	s;[\[{(<]strict_mime_encoding_domain[\]})>];<a href="postconf.5.html#strict_mime_encoding_domain">&</a>;g
++	s;[\[{(<]strict_rfc821_envelopes[\]})>];<a href="postconf.5.html#strict_rfc821_envelopes">&</a>;g
++	s;[\[{(<]sun_mailtool_compatibility[\]})>];<a href="postconf.5.html#sun_mailtool_compatibility">&</a>;g
++	s;[\[{(<]swap_bangpath[\]})>];<a href="postconf.5.html#swap_bangpath">&</a>;g
++	s;[\[{(<]syslog_facility[\]})>];<a href="postconf.5.html#syslog_facility">&</a>;g
++	s;[\[{(<]syslog_name[\]})>];<a href="postconf.5.html#syslog_name">&</a>;g
++	s;[\[{(<]trace_service_name[\]})>];<a href="postconf.5.html#trace_service_name">&</a>;g
++	s;[\[{(<]transport_maps[\]})>];<a href="postconf.5.html#transport_maps">&</a>;g
++	s;[\[{(<]transport_retry_time[\]})>];<a href="postconf.5.html#transport_retry_time">&</a>;g
++	s;[\[{(<]trigger_timeout[\]})>];<a href="postconf.5.html#trigger_timeout">&</a>;g
++	s;[\[{(<]undisclosed_recip[-</bB>]*\n* *[<bB>]*ients_header[\]})>];<a href="postconf.5.html#undisclosed_recipients_header">&</a>;g
++	s;[\[{(<]unknown_address_reject_code[\]})>];<a href="postconf.5.html#unknown_address_reject_code">&</a>;g
++	s;[\[{(<]unknown_client_reject_code[\]})>];<a href="postconf.5.html#unknown_client_reject_code">&</a>;g
++	s;[\[{(<]unknown_hostname_reject_code[\]})>];<a href="postconf.5.html#unknown_hostname_reject_code">&</a>;g
++	s;[\[{(<]unknown_local_recip[-</bB>]*\n* *[<bB>]*ient_reject_code[\]})>];<a href="postconf.5.html#unknown_local_recipient_reject_code">&</a>;g
++	s;[\[{(<]unknown_relay_recipi[-</bB>]*\n*[ <bB>]*ent_reject_code[\]})>];<a href="postconf.5.html#unknown_relay_recipient_reject_code">&</a>;g
++	s;[\[{(<]unknown_virtual_alias_reject_code[\]})>];<a href="postconf.5.html#unknown_virtual_alias_reject_code">&</a>;g
++	s;[\[{(<]unknown_virtual_mail[-</bB>]*\n* *[<bB>]*box_reject_code[\]})>];<a href="postconf.5.html#unknown_virtual_mailbox_reject_code">&</a>;g
++	s;[\[{(<]unverified_recip[-</bB>]*\n* *[<bB>]*ient_reject_code[\]})>];<a href="postconf.5.html#unverified_recipient_reject_code">&</a>;g
++	s;[\[{(<]unverified_sender_reject_code[\]})>];<a href="postconf.5.html#unverified_sender_reject_code">&</a>;g
++	s;[\[{(<]verp_delimiter_filter[\]})>];<a href="postconf.5.html#verp_delimiter_filter">&</a>;g
++	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_alias_domains[\]})>];<a href="postconf.5.html#virtual_alias_domains">&</a>;g
++	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_alias_expansion_limit[\]})>];<a href="postconf.5.html#virtual_alias_expansion_limit">&</a>;g
++	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_alias_maps[\]})>];<a href="postconf.5.html#virtual_alias_maps">&</a>;g
++	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_maps[\]})>];<a href="postconf.5.html#virtual_maps">&</a>;g
++	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_alias_recursion_limit[\]})>];<a href="postconf.5.html#virtual_alias_recursion_limit">&</a>;g
++	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_gid_maps[\]})>];<a href="postconf.5.html#virtual_gid_maps">&</a>;g
++	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_base[\]})>];<a href="postconf.5.html#virtual_mailbox_base">&</a>;g
++	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_domains[\]})>];<a href="postconf.5.html#virtual_mailbox_domains">&</a>;g
++	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_limit[\]})>];<a href="postconf.5.html#virtual_mailbox_limit">&</a>;g
++	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_lock[\]})>];<a href="postconf.5.html#virtual_mailbox_lock">&</a>;g
++	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_maps[\]})>];<a href="postconf.5.html#virtual_mailbox_maps">&</a>;g
++	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_minimum_uid[\]})>];<a href="postconf.5.html#virtual_minimum_uid">&</a>;g
++	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_transport[\]})>];<a href="postconf.5.html#virtual_transport">&</a>;g
++	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_uid_maps[\]})>];<a href="postconf.5.html#virtual_uid_maps">&</a>;g
+ 
+ 	# Undo hyperlinks of manual pages with the same name as parameters.
+ 
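Review bot: the closing class `[\]})>]` used on every changed line of this hunk does not mean "one of ] } ) >". In a POSIX bracket expression a backslash is an ordinary member and `]` terminates the expression unless it is the very first member, so GNU sed parses it as `[\]` (a lone backslash) followed by the literal text `})>]`, and these parameter substitutions will not match ordinary man-page text; if a literal-delimiter class is really wanted it has to be written `[]})>]`. Beyond that, `[\[{(<]`…`[\]})>]` are consuming classes, not the zero-width word boundaries `[[:<:]]`/`[[:>:]]` they replace: a bare `myhostname` in running text is no longer linked at all, and a matched `(myhostname)` ends up with both parentheses inside the `<a>` text via `&`. Since the reason for the change is that GNU sed lacks `[[:<:]]`, its `\<` and `\>` give the original semantics with no other edits. Minor: the `recipient_delimiter` line closes with `&<\/a>` while its neighbours use `&</a>`; with `;` as the s-command delimiter the escape is unnecessary either way.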
+@@ -424,7 +424,7 @@
+ 	s/[<bB>]*pickup[</bB>]*(8)/<a href="pickup.8.html">&<\/a>/g
+ 	s/[<bB>]*pipe[</bB>]*(8)/<a href="pipe.8.html">&<\/a>/g
+ 	s/[<bB>]*oqmgr[</bB>]*(8)/<a href="qmgr.8.html">&<\/a>/g
+-	s/[<bB>]*[[:<:]]qmgr[</bB>]*(8)/<a href="qmgr.8.html">&<\/a>/g
++	s/[<bB>]*[\[{(<]qmgr[</bB>]*(8)/<a href="qmgr.8.html">&<\/a>/g
+ 	s/[<bB>]*qmqpd[</bB>]*(8)/<a href="qmqpd.8.html">&<\/a>/g
+ 	s/[<bB>]*showq[</bB>]*(8)/<a href="showq.8.html">&<\/a>/g
+ 	s/[<bB>]*smtp[</bB>]*(8)/<a href="smtp.8.html">&<\/a>/g
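Review bot: the changed `qmgr(8)` line, `[<bB>]*[\[{(<]qmgr[</bB>]*(8)`, now requires a literal `[`, `{`, `(`, `<` or backslash immediately before `qmgr`, so the bold form `<b>qmgr</b>(8)` can no longer match (once `[<bB>]*` has taken `<b>` nothing is left for the class, and if it gives back to just `<`, the following `b>` is not `qmgr`), and a plain `qmgr(8)` is skipped too. The original `[[:<:]]` was there only to stop `oqmgr(8)`, already linked by the line above, from being matched a second time; in GNU sed the drop-in equivalent is `\<qmgr`, which keeps that protection without demanding a delimiter character.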
+@@ -475,9 +475,9 @@
+ 
+ 	# Hyperlink README document names
+ 
+-	s/[[:<:]][A-Z_]*_README[[:>:]]/<a href="&.html">&<\/a>/g
+-	s/[[:<:]]INSTALL[[:>:]]/<a href="&.html">&<\/a>/g
+-	s/[[:<:]]OVERVIEW[[:>:]]/<a href="&.html">&<\/a>/g
++	s/[\[{(<][A-Z_]*_README[\]})>]/<a href="&.html">&<\/a>/g
++	s/[\[{(<]INSTALL[\]})>]/<a href="&.html">&<\/a>/g
++	s/[\[{(<]OVERVIEW[\]})>]/<a href="&.html">&<\/a>/g
+ 	s/"type:table"/"<a href="DATABASE_README.html">type:table<\/a>"/g
+ 
+ 	# Split manual page hyperlinks across newlines
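Review bot: on the three changed README/INSTALL/OVERVIEW lines the match is reused as the link target, `href="&.html"`, and the new leading class `[\[{(<]` consumes a delimiter character, so a hit such as `(INSTALL)` would produce `href="(INSTALL).html"`, a file that does not exist, where the zero-width `[[:<:]]`/`[[:>:]]` left `&` equal to the bare name. In practice these lines will rarely match at all, because GNU sed parses `[\]})>]` as the one-character class `[\]` followed by the literal text `})>]` (a `]` stays literal only as the first member of a bracket expression). Either switch to `\<…\>`, or capture the name on its own and keep the delimiters outside the anchor, e.g. `s/\([\[{(<]\)\([A-Z_]*_README\)\([]})>]\)/\1<a href="\2.html">\2<\/a>\3/g`.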
+@@ -486,61 +486,61 @@
+ 
+ 	# Access restrictions - generic
+ 
+-	s;[[:<:]]check_policy_service[[:>:]];<a href="postconf.5.html#check_policy_service">&</a>;g
+-	s;[[:<:]]defer_if_permit[[:>:]];<a href="postconf.5.html#defer_if_permit">&</a>;g
+-	s;[[:<:]]defer_if_reject[[:>:]];<a href="postconf.5.html#defer_if_reject">&</a>;g
+-	s;[[:<:]]reject_multi_recip[-</bB>]*\n* *[<bB>]*ient_bounce[[:>:]];<a href="postconf.5.html#reject_multi_recipient_bounce">&</a>;g
+-	s;[[:<:]]reject_unauth_pipelining[[:>:]];<a href="postconf.5.html#reject_unauth_pipelining">&</a>;g
+-	s;[[:<:]]warn_if_reject[[:>:]];<a href="postconf.5.html#warn_if_reject">&</a>;g
++	s;[\[{(<]check_policy_service[\]})>];<a href="postconf.5.html#check_policy_service">&</a>;g
++	s;[\[{(<]defer_if_permit[\]})>];<a href="postconf.5.html#defer_if_permit">&</a>;g
++	s;[\[{(<]defer_if_reject[\]})>];<a href="postconf.5.html#defer_if_reject">&</a>;g
++	s;[\[{(<]reject_multi_recip[-</bB>]*\n* *[<bB>]*ient_bounce[\]})>];<a href="postconf.5.html#reject_multi_recipient_bounce">&</a>;g
++	s;[\[{(<]reject_unauth_pipelining[\]})>];<a href="postconf.5.html#reject_unauth_pipelining">&</a>;g
++	s;[\[{(<]warn_if_reject[\]})>];<a href="postconf.5.html#warn_if_reject">&</a>;g
+ 
+ 	# Access restrictions - client
+ 
+-	s;[[:<:]]check_client_access[[:>:]];<a href="postconf.5.html#check_client_access">&</a>;g
+-	s;[[:<:]]permit_mynetworks[[:>:]];<a href="postconf.5.html#permit_mynetworks">&</a>;g
+-	s;[[:<:]]reject_unknown_client[[:>:]];<a href="postconf.5.html#reject_unknown_client">&</a>;g
+-	s;[[:<:]]reject_rbl_client[[:>:]];<a href="postconf.5.html#reject_rbl_client">&</a>;g
+-	s;[[:<:]]reject_rhsbl_client[[:>:]];<a href="postconf.5.html#reject_rhsbl_client">&</a>;g
++	s;[\[{(<]check_client_access[\]})>];<a href="postconf.5.html#check_client_access">&</a>;g
++	s;[\[{(<]permit_mynetworks[\]})>];<a href="postconf.5.html#permit_mynetworks">&</a>;g
++	s;[\[{(<]reject_unknown_client[\]})>];<a href="postconf.5.html#reject_unknown_client">&</a>;g
++	s;[\[{(<]reject_rbl_client[\]})>];<a href="postconf.5.html#reject_rbl_client">&</a>;g
++	s;[\[{(<]reject_rhsbl_client[\]})>];<a href="postconf.5.html#reject_rhsbl_client">&</a>;g
+ 
+ 	# Access restrictions - helo
+ 
+-	s;[[:<:]]check_helo_access[[:>:]];<a href="postconf.5.html#check_helo_access">&</a>;g
+-	s;[[:<:]]reject_invalid_hostname[[:>:]];<a href="postconf.5.html#reject_invalid_hostname">&</a>;g
+-	s;[[:<:]]reject_non_fqdn_hostname[[:>:]];<a href="postconf.5.html#reject_non_fqdn_hostname">&</a>;g
+-	s;[[:<:]]reject_unknown_hostname[[:>:]];<a href="postconf.5.html#reject_unknown_hostname">&</a>;g
++	s;[\[{(<]check_helo_access[\]})>];<a href="postconf.5.html#check_helo_access">&</a>;g
++	s;[\[{(<]reject_invalid_hostname[\]})>];<a href="postconf.5.html#reject_invalid_hostname">&</a>;g
++	s;[\[{(<]reject_non_fqdn_hostname[\]})>];<a href="postconf.5.html#reject_non_fqdn_hostname">&</a>;g
++	s;[\[{(<]reject_unknown_hostname[\]})>];<a href="postconf.5.html#reject_unknown_hostname">&</a>;g
+ 
+ 	# Access restrictions - sender
+ 
+-	s;[[:<:]]check_sender_access[[:>:]];<a href="postconf.5.html#check_sender_access">&</a>;g
+-	s;[[:<:]]\(reject_authenti\)\([-</bB>]*\n*[ <bB>]*\)\(cated_sender_login_mismatch\)[[:>:]];<a href="postconf.5.html#reject_authenticated_sender_login_mismatch">\1<\/a>\2<a href="postconf.5.html#reject_authenticated_sender_login_mismatch">\3</a>;g
+-	s;[[:<:]]reject_non_fqdn_sender[[:>:]];<a href="postconf.5.html#reject_non_fqdn_sender">&</a>;g
+-	s;[[:<:]]reject_rhsbl_sender[[:>:]];<a href="postconf.5.html#reject_rhsbl_sender">&</a>;g
+-	s;[[:<:]]reject_sender_login_mis[-</bB>]*\n*[ <bB>]*match[[:>:]];<a href="postconf.5.html#reject_sender_login_mismatch">&</a>;g
+-	s;[[:<:]]reject_unauthenticated_sender_login_mismatch[[:>:]];<a href="postconf.5.html#reject_unauthenticated_sender_login_mismatch">&</a>;g
+-	s;[[:<:]]reject_unknown_sender_domain[[:>:]];<a href="postconf.5.html#reject_unknown_sender_domain">&</a>;g
+-	s;[[:<:]]reject_unlisted_sender[[:>:]];<a href="postconf.5.html#reject_unlisted_sender">&</a>;g
+-	s;[[:<:]]reject_unveri[-</bB>]*\n*[ <bB>]*fied_sender[[:>:]];<a href="postconf.5.html#reject_unverified_sender">&</a>;g
++	s;[\[{(<]check_sender_access[\]})>];<a href="postconf.5.html#check_sender_access">&</a>;g
++	s;[\[{(<]\(reject_authenti\)\([-</bB>]*\n*[ <bB>]*\)\(cated_sender_login_mismatch\)[\]})>];<a href="postconf.5.html#reject_authenticated_sender_login_mismatch">\1<\/a>\2<a href="postconf.5.html#reject_authenticated_sender_login_mismatch">\3</a>;g
++	s;[\[{(<]reject_non_fqdn_sender[\]})>];<a href="postconf.5.html#reject_non_fqdn_sender">&</a>;g
++	s;[\[{(<]reject_rhsbl_sender[\]})>];<a href="postconf.5.html#reject_rhsbl_sender">&</a>;g
++	s;[\[{(<]reject_sender_login_mis[-</bB>]*\n*[ <bB>]*match[\]})>];<a href="postconf.5.html#reject_sender_login_mismatch">&</a>;g
++	s;[\[{(<]reject_unauthenticated_sender_login_mismatch[\]})>];<a href="postconf.5.html#reject_unauthenticated_sender_login_mismatch">&</a>;g
++	s;[\[{(<]reject_unknown_sender_domain[\]})>];<a href="postconf.5.html#reject_unknown_sender_domain">&</a>;g
++	s;[\[{(<]reject_unlisted_sender[\]})>];<a href="postconf.5.html#reject_unlisted_sender">&</a>;g
++	s;[\[{(<]reject_unveri[-</bB>]*\n*[ <bB>]*fied_sender[\]})>];<a href="postconf.5.html#reject_unverified_sender">&</a>;g
+ 
+ 	# Access restrictions - recip[-</bB>]*\n* *[<bB>]*ient
+ 
+-	s;[[:<:]]check_recip[-</bB>]*\n* *[<bB>]*ient_access[[:>:]];<a href="postconf.5.html#check_recipient_access">&</a>;g
+-	s;[[:<:]]check_recip[-</bB>]*\n* *[<bB>]*ient_mx_access[[:>:]];<a href="postconf.5.html#check_recipient_mx_access">&</a>;g
+-	s;[[:<:]]check_recip[-</bB>]*\n* *[<bB>]*ient_ns_access[[:>:]];<a href="postconf.5.html#check_recipient_ns_access">&</a>;g
+-	s;[[:<:]]permit_auth_destination[[:>:]];<a href="postconf.5.html#permit_auth_destination">&</a>;g
+-	s;[[:<:]]permit_mx_backup[[:>:]];<a href="postconf.5.html#permit_mx_backup">&</a>;g
+-	s;[[:<:]]reject_non_fqdn_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#reject_non_fqdn_recipient">&</a>;g
+-	s;[[:<:]]reject_rhsbl_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#reject_rhsbl_recipient">&</a>;g
+-	s;[[:<:]]reject_unauth_destination[[:>:]];<a href="postconf.5.html#reject_unauth_destination">&</a>;g
+-	s;[[:<:]]reject_unknown_recipi[-</bB>]*\n*[ <bB>]*ent_domain[[:>:]];<a href="postconf.5.html#reject_unknown_recipient_domain">&</a>;g
+-	s;[[:<:]]reject_unlisted_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#reject_unlisted_recipient">&</a>;g
+-	s;[[:<:]]reject_unveri[-</bB>]*\n*[ <bB>]*fied_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#reject_unverified_recipient">&</a>;g
++	s;[\[{(<]check_recip[-</bB>]*\n* *[<bB>]*ient_access[\]})>];<a href="postconf.5.html#check_recipient_access">&</a>;g
++	s;[\[{(<]check_recip[-</bB>]*\n* *[<bB>]*ient_mx_access[\]})>];<a href="postconf.5.html#check_recipient_mx_access">&</a>;g
++	s;[\[{(<]check_recip[-</bB>]*\n* *[<bB>]*ient_ns_access[\]})>];<a href="postconf.5.html#check_recipient_ns_access">&</a>;g
++	s;[\[{(<]permit_auth_destination[\]})>];<a href="postconf.5.html#permit_auth_destination">&</a>;g
++	s;[\[{(<]permit_mx_backup[\]})>];<a href="postconf.5.html#permit_mx_backup">&</a>;g
++	s;[\[{(<]reject_non_fqdn_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#reject_non_fqdn_recipient">&</a>;g
++	s;[\[{(<]reject_rhsbl_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#reject_rhsbl_recipient">&</a>;g
++	s;[\[{(<]reject_unauth_destination[\]})>];<a href="postconf.5.html#reject_unauth_destination">&</a>;g
++	s;[\[{(<]reject_unknown_recipi[-</bB>]*\n*[ <bB>]*ent_domain[\]})>];<a href="postconf.5.html#reject_unknown_recipient_domain">&</a>;g
++	s;[\[{(<]reject_unlisted_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#reject_unlisted_recipient">&</a>;g
++	s;[\[{(<]reject_unveri[-</bB>]*\n*[ <bB>]*fied_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#reject_unverified_recipient">&</a>;g
+ 
+ 	# Access restrictions - etrn
+ 
+-	s;[[:<:]]check_etrn_access[[:>:]];<a href="postconf.5.html#check_etrn_access">&</a>;g
++	s;[\[{(<]check_etrn_access[\]})>];<a href="postconf.5.html#check_etrn_access">&</a>;g
+ 
+ 	# Split parameter or restriction hyperlinks across line breaks
+ 
+-	s/\(<a href="[^"]*">\)\([-a-z0-9_]*\)[[:>:]]\([-</bB>]*\n *[<bB>]*\)[[:<:]]\([-a-z0-9_]*\)\(<\/a>\)/\1\2\5\3\1\4\5/
++	s/\(<a href="[^"]*">\)\([-a-z0-9_]*\)[\]})>]\([-</bB>]*\n *[<bB>]*\)[\[{(<]\([-a-z0-9_]*\)\(<\/a>\)/\1\2\5\3\1\4\5/
+ 
+ 	# Glue manual/parameter/restriction hyperlinks without line breaks.
+ 
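Review bot: the `[\]})>]` class that replaces `[[:>:]]` throughout this hunk does not parse as intended. In a POSIX bracket expression a backslash is an ordinary member and `]` is literal only as the first character, so `[\]})>]` is a one-character class matching a backslash, followed by the literal text `})>]`; none of the sender, recipient or etrn substitutions above can match ordinary documentation text. Write it as `[]})>]` (and `[\[{(<]` likewise admits a stray backslash; `[[{(<]` is enough). Even with that fixed, `[[:<:]]`/`[[:>:]]` were zero-width word boundaries while the new classes consume a character: a restriction name that is merely surrounded by spaces is no longer linked, and where a bracket is present it is swallowed into `&` and ends up inside the `<a>` element. If the goal is GNU sed compatibility, its `\<` and `\>` word-boundary escapes are the drop-in replacement.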
+@@ -551,7 +551,7 @@
+ 
+ 	s/\(http:\/\/[^ ,"()]*[^ ,"():;!?.]\)/<a href="\1">\1<\/a>/
+ 	s/\(ftp:\/\/[^ ,"()]*[^ ,"():;!?.]\)/<a href="\1">\1<\/a>/
+-	s/[[:<:]]RFC *\([1-9][0-9]*\)/<a href="http:\/\/www.faqs.org\/rfcs\/rfc\1.html">&<\/a>/
++	s/[\[{(<]RFC *\([1-9][0-9]*\)/<a href="http:\/\/www.faqs.org\/rfcs\/rfc\1.html">&<\/a>/
+ 
+ 	# Hyperlink phrases not in headers.
+ 
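Review bot: `[\[{(<]RFC *\([1-9][0-9]*\)` now requires a literal `[`, `{`, `(` or `<` immediately before `RFC`, so a bare reference such as `RFC 2821` in running text is no longer hyperlinked, and where a bracket is present it becomes part of `&` and lands inside the link text; the original `[[:<:]]` was a zero-width word boundary. Use `\<RFC` (GNU sed) or drop the leading class altogether.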
+@@ -572,32 +572,32 @@
+ 	s/relay domains*/<a href="ADDRESS_CLASS_README.html#relay_domain_class">&<\/a>/
+ 	s/default domains*/<a href="ADDRESS_CLASS_README.html#default_domain_class">&<\/a>/
+ 	s/mydestination domains*/<a href="ADDRESS_CLASS_README.html#local_domain_class">&<\/a>/
+-	s/[[:<:]]"*maildrop"* *queues*[[:>:]]/<a href="QSHAPE_README.html#maildrop_queue">&<\/a>/
+-	s/[[:<:]]\("*maildrop"*\),/<a href="QSHAPE_README.html#maildrop_queue">\1<\/a>,/
+-	s/[[:<:]]\("*incoming"*\) and[[:>:]]/<a href="QSHAPE_README.html#incoming_queue">\1<\/a> and/
+-	s/[[:<:]]\("*incoming"*\) or[[:>:]]/<a href="QSHAPE_README.html#incoming_queue">\1<\/a> or/
+-	s/[[:<:]]"*incoming"* *queues*[[:>:]]/<a href="QSHAPE_README.html#incoming_queue">&<\/a>/
+-	s/<b> *incoming *<\/b> *queues*[[:>:]]/<a href="QSHAPE_README.html#incoming_queue">&<\/a>/
+-	s/[[:<:]]"*active"* *queues*[[:>:]]/<a href="QSHAPE_README.html#active_queue">&<\/a>/
+-	s/[[:<:]]"*deferred"* *queues*[[:>:]]/<a href="QSHAPE_README.html#deferred_queue">&<\/a>/
+-	s/[[:<:]]"*hold"* *queues*[[:>:]]/<a href="QSHAPE_README.html#hold_queue">&<\/a>/
+-	s/[[:<:]]\("*hold"*\),/<a href="QSHAPE_README.html#hold_queue">\1<\/a>,/
++	s/[\[{(<]"*maildrop"* *queues*[\]})>]/<a href="QSHAPE_README.html#maildrop_queue">&<\/a>/
++	s/[\[{(<]\("*maildrop"*\),/<a href="QSHAPE_README.html#maildrop_queue">\1<\/a>,/
++	s/[\[{(<]\("*incoming"*\) and[\]})>]/<a href="QSHAPE_README.html#incoming_queue">\1<\/a> and/
++	s/[\[{(<]\("*incoming"*\) or[\]})>]/<a href="QSHAPE_README.html#incoming_queue">\1<\/a> or/
++	s/[\[{(<]"*incoming"* *queues*[\]})>]/<a href="QSHAPE_README.html#incoming_queue">&<\/a>/
++	s/<b> *incoming *<\/b> *queues*[\]})>]/<a href="QSHAPE_README.html#incoming_queue">&<\/a>/
++	s/[\[{(<]"*active"* *queues*[\]})>]/<a href="QSHAPE_README.html#active_queue">&<\/a>/
++	s/[\[{(<]"*deferred"* *queues*[\]})>]/<a href="QSHAPE_README.html#deferred_queue">&<\/a>/
++	s/[\[{(<]"*hold"* *queues*[\]})>]/<a href="QSHAPE_README.html#hold_queue">&<\/a>/
++	s/[\[{(<]\("*hold"*\),/<a href="QSHAPE_README.html#hold_queue">\1<\/a>,/
+ 
+ 	# Hyperlink map types.
+ 
+-	s/[[:<:]]\(cidr\):/<a href="cidr_table.5.html">\1<\/a>:/g
+-	s/[[:<:]]\(pcre\):/<a href="pcre_table.5.html">\1<\/a>:/g
+-	s/[[:<:]]\(proxy\):/<a href="proxymap.8.html">\1<\/a>:/g
+-	s/[[:<:]]\(pgsql\):/<a href="pgsql_table.5.html">\1<\/a>:/g
+-	s/[[:<:]]\(mysql\):/<a href="mysql_table.5.html">\1<\/a>:/g
+-	s/[[:<:]]\(ldap\):/<a href="ldap_table.5.html">\1<\/a>:/g
+-	s/[[:<:]]\(regexp\):/<a href="regexp_table.5.html">\1<\/a>:/g
+-	#s/[[:<:]]\(tcp\):/<a href="tcp_table.5.html">\1<\/a>:/g
++	s/[\[{(<]\(cidr\):/<a href="cidr_table.5.html">\1<\/a>:/g
++	s/[\[{(<]\(pcre\):/<a href="pcre_table.5.html">\1<\/a>:/g
++	s/[\[{(<]\(proxy\):/<a href="proxymap.8.html">\1<\/a>:/g
++	s/[\[{(<]\(pgsql\):/<a href="pgsql_table.5.html">\1<\/a>:/g
++	s/[\[{(<]\(mysql\):/<a href="mysql_table.5.html">\1<\/a>:/g
++	s/[\[{(<]\(ldap\):/<a href="ldap_table.5.html">\1<\/a>:/g
++	s/[\[{(<]\(regexp\):/<a href="regexp_table.5.html">\1<\/a>:/g
++	#s/[\[{(<]\(tcp\):/<a href="tcp_table.5.html">\1<\/a>:/g
+ 
+ 	# Do nice links for smtp:host:port etc.
+ 
+-	s/[[:<:]]\(error\):/<a href="error.8.html">\1<\/a>:/g
+-	s/[[:<:]]\(smtp\):/<a href="smtp.8.html">\1<\/a>:/g
+-	s/[[:<:]]\(lmtp\):/<a href="lmtp.8.html">\1<\/a>:/g
++	s/[\[{(<]\(error\):/<a href="error.8.html">\1<\/a>:/g
++	s/[\[{(<]\(smtp\):/<a href="smtp.8.html">\1<\/a>:/g
++	s/[\[{(<]\(lmtp\):/<a href="lmtp.8.html">\1<\/a>:/g
+ 
+ ' "$@"
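Review bot: the two problems from the earlier hunk recur on the queue-name and map-type lines. `queues*[\]})>]` parses as `queues*` followed by `[\]` (a class containing only a backslash) and the literal `})>]`, so the maildrop/incoming/active/deferred/hold queue links will never fire; and `[\[{(<]\(cidr\):` requires a bracket before the map type, whereas `cidr:`, `pcre:`, `ldap:` and the `smtp:`/`lmtp:`/`error:` transport names normally follow a space or `=` in the text, so those links are lost for the common case. Use `\<` (GNU sed) on the left and `[]})>]`, with `]` in first position, on the right.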

Added: trunk/postfix/debian/patches/10master.cf.dpatch
===================================================================
--- trunk/postfix/debian/patches/10master.cf.dpatch	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/patches/10master.cf.dpatch	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,81 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10master.cf.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad postfix-2.1.5/conf/master.cf /tmp/dpep.YcxBnZ/postfix-2.1.5/conf/master.cf
+--- postfix-2.1.5/conf/master.cf	2004-12-27 22:02:52.864399960 -0700
++++ /tmp/dpep.YcxBnZ/postfix-2.1.5/conf/master.cf	2004-12-27 22:19:03.606731307 -0700
+@@ -77,26 +77,26 @@
+ # service type  private unpriv  chroot  wakeup  maxproc command + args
+ #               (yes)   (yes)   (yes)   (never) (100)
+ # ==========================================================================
+-smtp      inet  n       -       n       -       -       smtpd
+-#submission inet n      -       n       -       -       smtpd
++smtp      inet  n       -       -       -       -       smtpd
++#submission inet n      -       -       -       -       smtpd
+ #	-o smtpd_etrn_restrictions=reject
+-#628      inet  n       -       n       -       -       qmqpd
+-pickup    fifo  n       -       n       60      1       pickup
+-cleanup   unix  n       -       n       -       0       cleanup
+-qmgr      fifo  n       -       n       300     1       qmgr
+-#qmgr     fifo  n       -       n       300     1       oqmgr
+-rewrite   unix  -       -       n       -       -       trivial-rewrite
+-bounce    unix  -       -       n       -       0       bounce
+-defer     unix  -       -       n       -       0       bounce
+-trace     unix  -       -       n       -       0       bounce
+-verify    unix  -       -       n       -       1       verify
+-flush     unix  n       -       n       1000?   0       flush
++#628      inet  n       -       -       -       -       qmqpd
++pickup    fifo  n       -       -       60      1       pickup
++cleanup   unix  n       -       -       -       0       cleanup
++qmgr      fifo  n       -       -       300     1       qmgr
++#qmgr     fifo  n       -       -       300     1       oqmgr
++rewrite   unix  -       -       -       -       -       trivial-rewrite
++bounce    unix  -       -       -       -       0       bounce
++defer     unix  -       -       -       -       0       bounce
++trace     unix  -       -       -       -       0       bounce
++verify    unix  -       -       -       -       1       verify
++flush     unix  n       -       -       1000?   0       flush
+ proxymap  unix  -       -       n       -       -       proxymap
+-smtp      unix  -       -       n       -       -       smtp
+-relay     unix  -       -       n       -       -       smtp
++smtp      unix  -       -       -       -       -       smtp
++relay     unix  -       -       -       -       -       smtp
+ #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+-showq     unix  n       -       n       -       -       showq
+-error     unix  -       -       n       -       -       error
++showq     unix  n       -       -       -       -       showq
++error     unix  -       -       -       -       -       error
+ local     unix  -       n       n       -       -       local
+ virtual   unix  -       n       n       -       -       virtual
+ lmtp      unix  -       -       n       -       -       lmtp
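Review bot: this hunk flips the chroot column from `n` to `-` (the header documents the default as yes) for smtpd, pickup, cleanup, qmgr, rewrite, bounce/defer/trace, verify, flush, smtp/relay, showq and error, which is a sound hardening default but is entirely undocumented: the dpatch header still says `## DP: No description.`, and nothing records that the jail under the queue directory has to be populated (resolv.conf, services, hosts and the like) before these daemons start, nor that local, virtual, lmtp and proxymap are deliberately kept out of the jail because they need the host file system. Please state the intent in the `## DP:` line and name the script that populates the jail.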
+@@ -109,18 +109,16 @@
+ #
+ maildrop  unix  -       n       n       -       -       pipe
+   flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
+-#
+-# The Cyrus deliver program has changed incompatibly, multiple times.
+-#
+-old-cyrus unix  -       n       n       -       -       pipe
+-  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+-# Cyrus 2.1.5 (Amos Gouaux)
+-# Also specify in main.cf: cyrus_destination_recipient_limit=1
+-cyrus     unix  -       n       n       -       -       pipe
+-  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+ uucp      unix  -       n       n       -       -       pipe
+   flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+ ifmail    unix  -       n       n       -       -       pipe
+   flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+ bsmtp     unix  -       n       n       -       -       pipe
+-  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
++  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$nexthop -f$sender $recipient
++scalemail-backend unix	-	n	n	-	2	pipe
++  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
++
++# only used by postfix-tls
++#tlsmgr	  fifo	-	-	n	300	1	tlsmgr
++#smtps	  inet	n	-	n	-	-	smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
++#587	  inet	n	-	n	-	-	smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
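Review bot: the commented-out `smtps` and `587` templates enable SASL but carry no client restriction, so an administrator who uncomments them gets a submission service whose relay policy is whatever main.cf's `smtpd_recipient_restrictions` happens to say; add `-o smtpd_client_restrictions=permit_sasl_authenticated,reject` to the template, as the upstream submission example does, so that the service is limited to authenticated clients by default. Two smaller points: the `scalemail-backend` and TLS lines are tab-separated while the rest of the table uses spaces, and the cyrus entries are removed without a word in the DP description, so the reader cannot tell whether they were dropped or moved to another patch.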

Added: trunk/postfix/debian/patches/10rmail.dpatch
===================================================================
--- trunk/postfix/debian/patches/10rmail.dpatch	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/patches/10rmail.dpatch	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,698 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10rmail.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad postfix-2.1.5/Makefile.in /tmp/dpep.5gIPzk/postfix-2.1.5/Makefile.in
+--- postfix-2.1.5/Makefile.in	2004-12-27 22:02:52.848403399 -0700
++++ /tmp/dpep.5gIPzk/postfix-2.1.5/Makefile.in	2004-12-27 22:19:13.392627752 -0700
+@@ -1,10 +1,11 @@
+ SHELL	= /bin/sh
+ WARN    = -Wmissing-prototypes -Wformat
+-OPTS	= 'CC=$(CC)'
++OPTS	= "CC=$(CC)"
+ DIRS	= src/util src/global src/dns src/master src/postfix src/smtpstone \
+ 	src/sendmail src/error src/pickup src/cleanup src/smtpd src/local \
+ 	src/lmtp src/trivial-rewrite src/qmgr src/oqmgr src/smtp src/bounce \
+ 	src/pipe src/showq src/postalias src/postcat src/postconf src/postdrop \
++	rmail \
+ 	src/postkick src/postlock src/postlog src/postmap src/postqueue \
+ 	src/postsuper src/qmqpd src/spawn src/flush src/verify \
+ 	src/virtual src/proxymap
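Review bot: two unexplained changes. `OPTS` switches from single to double quotes, which lets the shell expand any `$` inside the expanded `CC=...` value that the single-quoted form passed literally; if that is intended, say so in the DP description, which still reads `No description.`. Also, `rmail \` is wedged between `src/postdrop` and `src/postkick` rather than appended at the end of DIRS; since the directories are built in list order, placing the new top-level directory last keeps it visibly separate from the `src/` tree.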
+diff -urNad postfix-2.1.5/rmail/LICENSE /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/LICENSE
+--- postfix-2.1.5/rmail/LICENSE	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/LICENSE	2004-12-27 22:19:13.392627752 -0700
+@@ -0,0 +1,79 @@
++			     SENDMAIL LICENSE
++
++The following license terms and conditions apply, unless a different
++license is obtained from Sendmail, Inc., 6425 Christie Ave, Fourth Floor,
++Emeryville, CA 94608, or by electronic mail at license at sendmail.com.
++
++License Terms:
++
++Use, Modification and Redistribution (including distribution of any
++modified or derived work) in source and binary forms is permitted only if
++each of the following conditions is met:
++
++1. Redistributions qualify as "freeware" or "Open Source Software" under
++   one of the following terms:
++
++   (a) Redistributions are made at no charge beyond the reasonable cost of
++       materials and delivery.
++
++   (b) Redistributions are accompanied by a copy of the Source Code or by an
++       irrevocable offer to provide a copy of the Source Code for up to three
++       years at the cost of materials and delivery.  Such redistributions
++       must allow further use, modification, and redistribution of the Source
++       Code under substantially the same terms as this license.  For the
++       purposes of redistribution "Source Code" means the complete compilable
++       and linkable source code of sendmail including all modifications.
++
++2. Redistributions of source code must retain the copyright notices as they
++   appear in each source code file, these license terms, and the
++   disclaimer/limitation of liability set forth as paragraph 6 below.
++
++3. Redistributions in binary form must reproduce the Copyright Notice,
++   these license terms, and the disclaimer/limitation of liability set
++   forth as paragraph 6 below, in the documentation and/or other materials
++   provided with the distribution.  For the purposes of binary distribution
++   the "Copyright Notice" refers to the following language:
++   "Copyright (c) 1998-2000 Sendmail, Inc.  All rights reserved."
++
++4. Neither the name of Sendmail, Inc. nor the University of California nor
++   the names of their contributors may be used to endorse or promote
++   products derived from this software without specific prior written
++   permission.  The name "sendmail" is a trademark of Sendmail, Inc.
++
++5. All redistributions must comply with the conditions imposed by the
++   University of California on certain embedded code, whose copyright
++   notice and conditions for redistribution are as follows:
++
++   (a) Copyright (c) 1988, 1993 The Regents of the University of
++       California.  All rights reserved.
++
++   (b) Redistribution and use in source and binary forms, with or without
++       modification, are permitted provided that the following conditions
++       are met:
++
++      (i)   Redistributions of source code must retain the above copyright
++            notice, this list of conditions and the following disclaimer.
++
++      (ii)  Redistributions in binary form must reproduce the above
++            copyright notice, this list of conditions and the following
++            disclaimer in the documentation and/or other materials provided
++            with the distribution.
++
++      (iii) Neither the name of the University nor the names of its
++            contributors may be used to endorse or promote products derived
++            from this software without specific prior written permission.
++
++6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY
++   SENDMAIL, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
++   WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
++   MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN
++   NO EVENT SHALL SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF
++   CALIFORNIA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
++   INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++   NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
++   USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
++   ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++   THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
++
++$Revision: 1.1.2.1 $, Last updated $Date: 2004/12/28 05:34:15 $
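Review bot: this adds a second license to the source tree, and its clauses 1 and 3 impose conditions (redistribution qualifying as freeware/Open Source, and reproduction of the `Copyright (c) 1998-2000 Sendmail, Inc.` notice with binary distributions) that the package's copyright file must carry for the rmail binary; please make sure debian/copyright references rmail/LICENSE and reproduces that notice.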
+diff -urNad postfix-2.1.5/rmail/Makefile.in /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/Makefile.in
+--- postfix-2.1.5/rmail/Makefile.in	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/Makefile.in	2004-12-27 22:19:13.392627752 -0700
+@@ -0,0 +1,56 @@
++SHELL	= /bin/sh
++SRCS	= rmail.c
++OBJS	= rmail.o
++HDRS	= 
++TESTSRC	=
++WARN	= -W -Wformat -Wimplicit -Wmissing-prototypes \
++	-Wparentheses -Wstrict-prototypes -Wswitch -Wuninitialized \
++	-Wunused
++DEFS	= -I. -I$(INC_DIR) -D$(SYSTYPE) -DHASSNPRINTF -DHASSTRERROR
++CFLAGS	= $(DEBUG) $(OPT) $(DEFS)
++TESTPROG= 
++PROG	= rmail
++INC_DIR = 
++LIBS	= 
++
++.c.o:;	$(CC) $(CFLAGS) -c $*.c
++
++$(PROG): $(OBJS) $(LIBS)
++	$(CC) $(CFLAGS) -o $@ $(OBJS) $(LIBS) $(SYSLIBS)
++
++Makefile: Makefile.in
++	(set -e; echo "# DO NOT EDIT"; $(OPTS) sh ../makedefs; cat $?) >$@
++
++test:	$(TESTPROG)
++
++update: ../bin/$(PROG)
++
++../bin/$(PROG): $(PROG)
++	cp $(PROG) ../bin
++
++printfck: $(OBJS) $(PROG)
++	rm -rf printfck
++	mkdir printfck
++	sed '1,/^# do not edit/!d' Makefile >printfck/Makefile
++	set -e; for i in *.c; do printfck -f .printfck $$i >printfck/$$i; done
++	cd printfck; make "INC_DIR=../../include" `cd ..; ls *.o`
++
++lint:
++	lint $(DEFS) $(SRCS) $(LINTFIX)
++
++clean:
++	rm -f *.o *core $(PROG) $(TESTPROG) junk 
++	rm -rf printfck
++
++tidy:	clean
++
++depend: $(MAKES)
++	(sed '1,/^# do not edit/!d' Makefile.in; \
++	set -e; for i in [a-z][a-z0-9]*.c; do \
++	    $(CC) -E $(DEFS) $(INCL) $$i | sed -n -e '/^# *1 *"\([^"]*\)".*/{' \
++	    -e 's//'`echo $$i|sed 's/c$$/o/'`': \1/' -e 'p' -e '}'; \
++	done) | grep -v '[.][o][:][ ][/]' >$$$$ && mv $$$$ Makefile.in
++	@make -f Makefile.in Makefile
++
++# do not edit below this line - it is generated by 'make depend'
++rmail.o: rmail.c
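Review bot: `INC_DIR` is left empty, so `DEFS` expands to `-I. -I -D$(SYSTYPE) ...` and the bare `-I` takes the following `-D$(SYSTYPE)` token as its directory argument, silently discarding the define. Either set `INC_DIR = ../include` (the `printfck` target's `../../include` is likewise one level too deep for a top-level `rmail/` directory) or drop `-I$(INC_DIR)` and `INC_DIR` entirely, since rmail.c includes nothing from the Postfix tree.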
+diff -urNad postfix-2.1.5/rmail/rmail.8 /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/rmail.8
+--- postfix-2.1.5/rmail/rmail.8	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/rmail.8	2004-12-27 22:19:13.393627537 -0700
+@@ -0,0 +1,49 @@
++.\" Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers.
++.\"	 All rights reserved.
++.\" Copyright (c) 1983, 1990
++.\"	The Regents of the University of California.  All rights reserved.
++.\"
++.\" By using this file, you agree to the terms and conditions set
++.\" forth in the LICENSE file which can be found at the top level of
++.\" the sendmail distribution.
++.\"
++.\"
++.\"	$Id: 10rmail.dpatch,v 1.1.2.1 2004/12/28 05:34:15 lamont Exp $
++.\"
++.TH RMAIL 8 "$Date: 2004/12/28 05:34:15 $"
++.SH NAME
++.B rmail
++\- handle remote mail received via uucp
++.SH SYNOPSIS
++.B rmail
++.I 
++user ...
++.SH DESCRIPTION
++.B Rmail
++interprets incoming mail received via 
++uucp(1), 
++collapsing ``From'' lines in the form generated 
++by 
++mail.local(8) 
++into a single line of the form ``return-path!sender'', 
++and passing the processed mail on to 
++sendmail(8).
++.PP
++.B Rmail
++is explicitly designed for use with 
++uucp 
++and 
++sendmail.
++.SH SEE ALSO
++uucp(1), 
++mail.local(8), 
++sendmail(8)
++.SH HISTORY
++The
++.B rmail
++program appeared in 
++4.2BSD.
++.SH BUGS
++.B Rmail
++should not reside in 
++/bin.
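Review bot: SYNOPSIS lists only `user ...`, but the usage string in rmail.c is `rmail [-T] [-D domain] user ...`; document `-T` (debugging output to stderr) and `-D domain` (default `UUCP`) here. SEE ALSO and DESCRIPTION also point at sendmail(8) and mail.local(8); on a Postfix system the program being exec'd is Postfix's sendmail(1) compatibility command and there is no mail.local, so these references should be adjusted for this package.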
+diff -urNad postfix-2.1.5/rmail/rmail.c /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/rmail.c
+--- postfix-2.1.5/rmail/rmail.c	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/rmail.c	2004-12-27 22:19:13.393627537 -0700
+@@ -0,0 +1,475 @@
++/*
++ * Copyright (c) 1998-2000 Sendmail, Inc. and its suppliers.
++ *	All rights reserved.
++ * Copyright (c) 1988, 1993
++ *	The Regents of the University of California.  All rights reserved.
++ *
++ * By using this file, you agree to the terms and conditions set
++ * forth in the LICENSE file which can be found at the top level of
++ * the sendmail distribution.
++ *
++ */
++
++#ifndef lint
++static char copyright[] =
++"@(#) Copyright (c) 1998-2000 Sendmail, Inc. and its suppliers.\n\
++	All rights reserved.\n\
++     Copyright (c) 1988, 1993\n\
++	The Regents of the University of California.  All rights reserved.\n";
++#endif /* ! lint */
++
++#ifndef lint
++static char id[] = "@(#)$Id: 10rmail.dpatch,v 1.1.2.1 2004/12/28 05:34:15 lamont Exp $";
++#endif /* ! lint */
++
++/*
++ * RMAIL -- UUCP mail server.
++ *
++ * This program reads the >From ... remote from ... lines that UUCP is so
++ * fond of and turns them into something reasonable.  It then execs sendmail
++ * with various options built from these lines.
++ *
++ * The expected syntax is:
++ *
++ *	 <user> := [-a-z0-9]+
++ *	 <date> := ctime format
++ *	 <site> := [-a-z0-9!]+
++ * <blank line> := "^\n$"
++ *	 <from> := "From" <space> <user> <space> <date>
++ *		  [<space> "remote from" <space> <site>]
++ *    <forward> := ">" <from>
++ *	    msg := <from> <forward>* <blank-line> <body>
++ *
++ * The output of rmail(8) compresses the <forward> lines into a single
++ * from path.
++ *
++ * The err(3) routine is included here deliberately to make this code
++ * a bit more portable.
++ */
++
++#include <sys/types.h>
++#include <sys/param.h>
++#include <sys/stat.h>
++#include <sys/wait.h>
++
++#include <ctype.h>
++#include <fcntl.h>
++#ifdef BSD4_4
++# define FORK vfork
++# include <paths.h>
++#else /* BSD4_4 */
++# define FORK fork
++# ifndef _PATH_SENDMAIL
++#  define _PATH_SENDMAIL "/usr/lib/sendmail"
++# endif /* ! _PATH_SENDMAIL */
++#endif /* BSD4_4 */
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <unistd.h>
++#ifdef EX_OK
++# undef EX_OK		/* unistd.h may have another use for this */
++#endif /* EX_OK */
++#include <sysexits.h>
++
++#ifndef MAX
++# define MAX(a, b)	((a) < (b) ? (b) : (a))
++#endif /* ! MAX */
++
++#ifndef __P
++# ifdef __STDC__
++#  define __P(protos)	protos
++# else /* __STDC__ */
++#  define __P(protos)	()
++#  define const
++# endif /* __STDC__ */
++#endif /* ! __P */
++
++#ifndef STDIN_FILENO
++# define STDIN_FILENO	0
++#endif /* ! STDIN_FILENO */
++
++#if defined(BSD4_4) || defined(linux) || SOLARIS >= 20600 || (SOLARIS < 10000 && SOLARIS >= 206) || _AIX4 >= 40300 || defined(HPUX11)
++# define HASSNPRINTF	1
++#endif /* defined(BSD4_4) || defined(linux) || SOLARIS >= 20600 || (SOLARIS < 10000 && SOLARIS >= 206) || _AIX4 >= 40300 || defined(HPUX11) */
++
++#if defined(sun) && !defined(BSD) && !defined(SOLARIS) && !defined(__svr4__) && !defined(__SVR4)
++# define memmove(d, s, l)	(bcopy((s), (d), (l)))
++#endif /* defined(sun) && !defined(BSD) && !defined(SOLARIS) && !defined(__svr4__) && !defined(__SVR4) */
++
++#if !HASSNPRINTF
++extern int	snprintf __P((char *, size_t, const char *, ...));
++#endif /* !HASSNPRINTF */
++
++#if defined(BSD4_4) || defined(__osf__) || defined(__GNU_LIBRARY__) || defined(IRIX64) || defined(IRIX5) || defined(IRIX6)
++# ifndef HASSTRERROR
++#  define HASSTRERROR	1
++# endif /* ! HASSTRERROR */
++#endif /* defined(BSD4_4) || defined(__osf__) || defined(__GNU_LIBRARY__) ||
++	  defined(IRIX64) || defined(IRIX5) || defined(IRIX6) */
++
++#if defined(SUNOS403) || defined(NeXT) || (defined(MACH) && defined(i386) && !defined(__GNU__)) || defined(oldBSD43) || defined(MORE_BSD) || defined(umipsbsd) || defined(ALTOS_SYSTEM_V) || defined(RISCOS) || defined(_AUX_SOURCE) || defined(UMAXV) || defined(titan) || defined(UNIXWARE) || defined(sony_news) || defined(luna) || defined(nec_ews_svr4) || defined(_nec_ews_svr4) || defined(__MAXION__)
++# undef WIFEXITED
++# undef WEXITSTATUS
++# define WIFEXITED(st)		(((st) & 0377) == 0)
++# define WEXITSTATUS(st)	(((st) >> 8) & 0377)
++#endif /* defined(SUNOS403) || defined(NeXT) || (defined(MACH) && defined(i386) && !defined(__GNU__)) || defined(oldBSD43) || defined(MORE_BSD) || defined(umipsbsd) || defined(ALTOS_SYSTEM_V) || defined(RISCOS) || defined(_AUX_SOURCE) || defined(UMAXV) || defined(titan) || defined(UNIXWARE) || defined(sony_news) || defined(luna) || defined(nec_ews_svr4) || defined(_nec_ews_svr4) || defined(__MAXION__) */
++
++#include <errno.h>
++
++static void err __P((int, const char *, ...));
++static void usage __P((void));
++static char *xalloc __P((int));
++
++#define newstr(s)	strcpy(xalloc(strlen(s) + 1), s)
++
++static char *
++xalloc(sz)
++	register int sz;
++{
++	register char *p;
++
++	/* some systems can't handle size zero mallocs */
++	if (sz <= 0)
++		sz = 1;
++
++	p = malloc((unsigned) sz);
++	if (p == NULL)
++		err(EX_TEMPFAIL, "out of memory");
++	return (p);
++}
++
++int
++main(argc, argv)
++	int argc;
++	char *argv[];
++{
++	int ch, debug, i, pdes[2], pid, status;
++	size_t fplen = 0, fptlen = 0, len;
++	off_t offset;
++	FILE *fp;
++	char *addrp = NULL, *domain, *p, *t;
++	char *from_path, *from_sys, *from_user;
++	char **args, buf[2048], lbuf[2048];
++	struct stat sb;
++	extern char *optarg;
++	extern int optind;
++
++	debug = 0;
++	domain = "UUCP";		/* Default "domain". */
++	while ((ch = getopt(argc, argv, "D:T")) != -1)
++	{
++		switch (ch)
++		{
++		  case 'T':
++			debug = 1;
++			break;
++
++		  case 'D':
++			domain = optarg;
++			break;
++
++		  case '?':
++		  default:
++			usage();
++		}
++	}
++
++	argc -= optind;
++	argv += optind;
++
++	if (argc < 1)
++		usage();
++
++	from_path = from_sys = from_user = NULL;
++	for (offset = 0; ; )
++	{
++		/* Get and nul-terminate the line. */
++		if (fgets(lbuf, sizeof(lbuf), stdin) == NULL)
++			exit(EX_DATAERR);
++		if ((p = strchr(lbuf, '\n')) == NULL)
++			err(EX_DATAERR, "line too long");
++		*p = '\0';
++
++		/* Parse lines until reach a non-"From" line. */
++		if (!strncmp(lbuf, "From ", 5))
++			addrp = lbuf + 5;
++		else if (!strncmp(lbuf, ">From ", 6))
++			addrp = lbuf + 6;
++		else if (offset == 0)
++			err(EX_DATAERR,
++			    "missing or empty From line: %s", lbuf);
++		else
++		{
++			*p = '\n';
++			break;
++		}
++
++		if (addrp == NULL || *addrp == '\0')
++			err(EX_DATAERR, "corrupted From line: %s", lbuf);
++
++		/* Use the "remote from" if it exists. */
++		for (p = addrp; (p = strchr(p + 1, 'r')) != NULL; )
++		{
++			if (!strncmp(p, "remote from ", 12))
++			{
++				for (t = p += 12; *t != '\0'; ++t)
++				{
++					if (isascii(*t) && isspace(*t))
++						break;
++				}
++				*t = '\0';
++				if (debug)
++					fprintf(stderr, "remote from: %s\n", p);
++				break;
++			}
++		}
++
++		/* Else use the string up to the last bang. */
++		if (p == NULL)
++		{
++			if (*addrp == '!')
++				err(EX_DATAERR, "bang starts address: %s",
++				    addrp);
++			else if ((t = strrchr(addrp, '!')) != NULL)
++			{
++				*t = '\0';
++				p = addrp;
++				addrp = t + 1;
++				if (*addrp == '\0')
++					err(EX_DATAERR,
++					    "corrupted From line: %s", lbuf);
++				if (debug)
++					fprintf(stderr, "bang: %s\n", p);
++			}
++		}
++
++		/* 'p' now points to any system string from this line. */
++		if (p != NULL)
++		{
++			/* Nul terminate it as necessary. */
++			for (t = p; *t != '\0'; ++t)
++			{
++				if (isascii(*t) && isspace(*t))
++					break;
++			}
++			*t = '\0';
++
++			/* If the first system, copy to the from_sys string. */
++			if (from_sys == NULL)
++			{
++				from_sys = newstr(p);
++				if (debug)
++					fprintf(stderr, "from_sys: %s\n",
++						from_sys);
++			}
++
++			/* Concatenate to the path string. */
++			len = t - p;
++			if (from_path == NULL)
++			{
++				fplen = 0;
++				if ((from_path = malloc(fptlen = 256)) == NULL)
++					err(EX_TEMPFAIL, NULL);
++			}
++			if (fplen + len + 2 > fptlen)
++			{
++				fptlen += MAX(fplen + len + 2, 256);
++				if ((from_path = realloc(from_path,
++							 fptlen)) == NULL)
++					err(EX_TEMPFAIL, NULL);
++			}
++			memmove(from_path + fplen, p, len);
++			fplen += len;
++			from_path[fplen++] = '!';
++			from_path[fplen] = '\0';
++		}
++
++		/* Save off from user's address; the last one wins. */
++		for (p = addrp; *p != '\0'; ++p)
++		{
++			if (isascii(*p) && isspace(*p))
++				break;
++		}
++		*p = '\0';
++		if (*addrp == '\0')
++			addrp = "<>";
++		if (from_user != NULL)
++			free(from_user);
++		from_user = newstr(addrp);
++
++		if (debug)
++		{
++			if (from_path != NULL)
++				fprintf(stderr, "from_path: %s\n", from_path);
++			fprintf(stderr, "from_user: %s\n", from_user);
++		}
++
++		if (offset != -1)
++			offset = (off_t)ftell(stdin);
++	}
++
++
++	/* Allocate args (with room for sendmail args as well as recipients */
++	args = (char **)xalloc(sizeof(*args) * (10 + argc));
++
++	i = 0;
++	args[i++] = _PATH_SENDMAIL;	/* Build sendmail's argument list. */
++	args[i++] = "-G";		/* relay submission */
++	args[i++] = "-oee";		/* No errors, just status. */
++	args[i++] = "-odq";		/* Queue it, don't try to deliver. */
++	args[i++] = "-oi";		/* Ignore '.' on a line by itself. */
++
++	/* set from system and protocol used */
++	if (from_sys == NULL)
++		snprintf(buf, sizeof(buf), "-p%s", domain);
++	else if (strchr(from_sys, '.') == NULL)
++		snprintf(buf, sizeof(buf), "-p%s:%s.%s",
++			domain, from_sys, domain);
++	else
++		snprintf(buf, sizeof(buf), "-p%s:%s", domain, from_sys);
++	args[i++] = newstr(buf);
++
++	/* Set name of ``from'' person. */
++	snprintf(buf, sizeof(buf), "-f%s%s",
++		 from_path ? from_path : "", from_user);
++	args[i++] = newstr(buf);
++
++	/*
++	**  Don't copy arguments beginning with - as they will be
++	**  passed to sendmail and could be interpreted as flags.
++	**  To prevent confusion of sendmail wrap < and > around
++	**  the address (helps to pass addrs like @gw1, at gw2:aa at bb)
++	*/
++
++	while (*argv != NULL)
++	{
++		if (**argv == '-')
++			err(EX_USAGE, "dash precedes argument: %s", *argv);
++
++		if (strchr(*argv, ',') == NULL || strchr(*argv, '<') != NULL)
++			args[i++] = *argv;
++		else
++		{
++			len = strlen(*argv) + 3;
++			if ((args[i] = malloc(len)) == NULL)
++				err(EX_TEMPFAIL, "Cannot malloc");
++			snprintf(args[i++], len, "<%s>", *argv);
++		}
++		argv++;
++		argc--;
++
++		/* Paranoia check, argc used for args[] bound */
++		if (argc < 0)
++			err(EX_SOFTWARE, "Argument count mismatch");
++	}
++	args[i] = NULL;
++
++	if (debug)
++	{
++		fprintf(stderr, "Sendmail arguments:\n");
++		for (i = 0; args[i] != NULL; i++)
++			fprintf(stderr, "\t%s\n", args[i]);
++	}
++
++	/*
++	**  If called with a regular file as standard input, seek to the right
++	**  position in the file and just exec sendmail.  Could probably skip
++	**  skip the stat, but it's not unreasonable to believe that a failed
++	**  seek will cause future reads to fail.
++	*/
++
++	if (!fstat(STDIN_FILENO, &sb) && S_ISREG(sb.st_mode))
++	{
++		if (lseek(STDIN_FILENO, offset, SEEK_SET) != offset)
++			err(EX_TEMPFAIL, "stdin seek");
++		(void) execv(_PATH_SENDMAIL, args);
++		err(EX_OSERR, "%s", _PATH_SENDMAIL);
++	}
++
++	if (pipe(pdes) < 0)
++		err(EX_OSERR, NULL);
++
++	switch (pid = FORK())
++	{
++	  case -1:				/* Err. */
++		err(EX_OSERR, NULL);
++		/* NOTREACHED */
++
++	  case 0:				/* Child. */
++		if (pdes[0] != STDIN_FILENO)
++		{
++			(void) dup2(pdes[0], STDIN_FILENO);
++			(void) close(pdes[0]);
++		}
++		(void) close(pdes[1]);
++		(void) execv(_PATH_SENDMAIL, args);
++		_exit(127);
++		/* NOTREACHED */
++	}
++
++	if ((fp = fdopen(pdes[1], "w")) == NULL)
++		err(EX_OSERR, NULL);
++	(void) close(pdes[0]);
++
++	/* Copy the file down the pipe. */
++	do
++	{
++		(void) fprintf(fp, "%s", lbuf);
++	} while (fgets(lbuf, sizeof(lbuf), stdin) != NULL);
++
++	if (ferror(stdin))
++		err(EX_TEMPFAIL, "stdin: %s", strerror(errno));
++
++	if (fclose(fp))
++		err(EX_OSERR, NULL);
++
++	if ((waitpid(pid, &status, 0)) == -1)
++		err(EX_OSERR, "%s", _PATH_SENDMAIL);
++
++	if (!WIFEXITED(status))
++		err(EX_OSERR, "%s: did not terminate normally", _PATH_SENDMAIL);
++
++	if (WEXITSTATUS(status))
++		err(status, "%s: terminated with %d (non-zero) status",
++		    _PATH_SENDMAIL, WEXITSTATUS(status));
++	exit(EX_OK);
++	/* NOTREACHED */
++	return EX_OK;
++}
++
++static void
++usage()
++{
++	(void) fprintf(stderr, "usage: rmail [-T] [-D domain] user ...\n");
++	exit(EX_USAGE);
++}
++
++#ifdef __STDC__
++# include <stdarg.h>
++#else /* __STDC__ */
++# include <varargs.h>
++#endif /* __STDC__ */
++
++static void
++#ifdef __STDC__
++err(int eval, const char *fmt, ...)
++#else /* __STDC__ */
++err(eval, fmt, va_alist)
++	int eval;
++	const char *fmt;
++	va_dcl
++#endif /* __STDC__ */
++{
++	va_list ap;
++#ifdef __STDC__
++	va_start(ap, fmt);
++#else /* __STDC__ */
++	va_start(ap);
++#endif /* __STDC__ */
++	(void) fprintf(stderr, "rmail: ");
++	(void) vfprintf(stderr, fmt, ap);
++	va_end(ap);
++	(void) fprintf(stderr, "\n");
++	exit(eval);
++}
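Review bot: in the `WEXITSTATUS(status)` branch near the end of main(), `err(status, ...)` hands the raw wait status to exit(); for a child that exited normally the low byte of that status is zero, so exit() truncates it to 0 and rmail reports success to its caller even though sendmail returned a non-zero code. Pass a sysexits value instead, e.g. `err(EX_TEMPFAIL, "%s: terminated with %d (non-zero) status", _PATH_SENDMAIL, WEXITSTATUS(status));`, or forward `WEXITSTATUS(status)` itself. The file-local `err()` defined at the bottom also shares its name with the <err.h> function and will clash if that header is ever pulled in; a name such as `rmail_err` avoids that.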

Added: trunk/postfix/debian/patches/10smtplinelength.dpatch
===================================================================
--- trunk/postfix/debian/patches/10smtplinelength.dpatch	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/patches/10smtplinelength.dpatch	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10smtplinelength.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad postfix-2.1.5/src/global/mail_params.h /tmp/dpep.k6WNIS/postfix-2.1.5/src/global/mail_params.h
+--- postfix-2.1.5/src/global/mail_params.h	2004-12-27 22:21:10.756399492 -0700
++++ /tmp/dpep.k6WNIS/postfix-2.1.5/src/global/mail_params.h	2004-12-27 22:21:15.100465701 -0700
+@@ -837,7 +837,7 @@
+ extern bool var_smtp_rand_addr;
+ 
+ #define VAR_SMTP_LINE_LIMIT	"smtp_line_length_limit"
+-#define DEF_SMTP_LINE_LIMIT	990
++#define DEF_SMTP_LINE_LIMIT	0
+ extern int var_smtp_line_limit;
+ 
+ #define VAR_SMTP_PIX_THRESH	"smtp_pix_workaround_threshold_time"
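Review bot: the `## DP:` description reads "No description." for a hunk that changes a user-visible default, DEF_SMTP_LINE_LIMIT from 990 to 0; the dpatch header should say why the Debian build drops the upstream limit on outgoing SMTP line length and what the 0 setting means for messages containing very long lines, since this makes Debian's smtp client behave differently from every other Postfix installation. A single line such as `## DP: Do not limit outgoing SMTP line length by default (smtp_line_length_limit = 0).` would cover it.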

Added: trunk/postfix/debian/patches/20maps.dpatch
===================================================================
--- trunk/postfix/debian/patches/20maps.dpatch	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/patches/20maps.dpatch	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,2762 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 20maps.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad postfix-release/conf/postfix-files /tmp/dpep.TxugCA/postfix-release/conf/postfix-files
+--- postfix-release/conf/postfix-files	2004-12-27 22:28:28.638273359 -0700
++++ /tmp/dpep.TxugCA/postfix-release/conf/postfix-files	2004-12-27 22:29:11.315099642 -0700
+@@ -62,6 +62,9 @@
+ $queue_directory/saved:d:$mail_owner:-:700:ucr
+ $queue_directory/trace:d:$mail_owner:-:700:ucr
+ $daemon_directory/bounce:f:root:-:755
++$daemon_directory/dict_ldap.so:f:root:-:755
++$daemon_directory/dict_pcre.so:f:root:-:755
++$daemon_directory/dict_mysql.so:f:root:-:755
+ $daemon_directory/cleanup:f:root:-:755
+ $daemon_directory/error:f:root:-:755
+ $daemon_directory/flush:f:root:-:755
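Review bot: this hunk registers dict_ldap.so, dict_pcre.so and dict_mysql.so under $daemon_directory but not dict_pgsql.so or dict_sdbm.so, although the src/global/Makefile.in changes later in this patch build and install all of $(SDBMSO) $(LDAPSO) $(MYSQLSO) $(PGSQLSO); conversely, nothing visible in this part of the patch produces dict_pcre.so. Either the file list or the Makefile targets is incomplete, and because post-install uses postfix-files to set and verify ownership and modes, a loadable object missing from this list is never permission-checked after installation.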
+@@ -81,6 +84,10 @@
+ $daemon_directory/trivial-rewrite:f:root:-:755
+ $daemon_directory/verify:f:root:-:755
+ $daemon_directory/virtual:f:root:-:755
++/usr/lib/libpostfix-dns.so.1:f:root:-:755
++/usr/lib/libpostfix-global.so.1:f:root:-:755
++/usr/lib/libpostfix-master.so.1:f:root:-:755
++/usr/lib/libpostfix-util.so.1:f:root:-:755
+ $daemon_directory/nqmgr:h:$daemon_directory/qmgr
+ $command_directory/postalias:f:root:-:755
+ $command_directory/postcat:f:root:-:755
+@@ -100,6 +107,7 @@
+ $config_directory/access:f:root:-:644:p
+ $config_directory/aliases:f:root:-:644:p
+ $config_directory/canonical:f:root:-:644:p
++$config_directory/dynamicmaps.cf:f:root:-:644:p
+ $config_directory/cidr_table:f:root:-:644:o
+ $config_directory/header_checks:f:root:-:644:p
+ $config_directory/install.cf:f:root:-:644:o
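Review bot: dynamicmaps.cf, added here as a preserved root-owned 644 config file, is the file that the mail_conf.c change in this patch hands to dict_open_dlinfo(), i.e. it names shared objects that every Postfix program will load; the mode is right, but a short note in README.Debian that this file (and its directory) must stay root-owned and non-writable by others, because it controls code loading rather than just lookup-table paths, would help administrators who tune permissions under /etc/postfix.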
+diff -urNad postfix-release/makedefs /tmp/dpep.TxugCA/postfix-release/makedefs
+--- postfix-release/makedefs	2004-12-27 22:28:28.639273144 -0700
++++ /tmp/dpep.TxugCA/postfix-release/makedefs	2004-12-27 22:29:11.315099642 -0700
+@@ -208,6 +208,20 @@
+ 		#     CCARGS="$CCARGS -DHAS_DBM -DPATH_NDBM_H='<gdbm/ndbm.h>'"
+ 		#     GDBM_LIBS=gdbm
+ 		# fi
++
++		# XXX: post-sarge
++		# But, we'll keep shipping it (with error generation) until
++		# sarge releases.
++		if [ -f /usr/include/gdbm-ndbm.h ]
++		then
++		    CCARGS="$CCARGS -DHAS_DBM -DHAS_GDBM -DPATH_NDBM_H='<gdbm-ndbm.h>'"
++		    GDBM_LIBS=gdbm_compat
++		elif [ -f /usr/include/gdbm/ndbm.h ]
++		then
++		    CCARGS="$CCARGS -DHAS_DBM -DHAS_GDBM -DPATH_NDBM_H='<gdbm/ndbm.h>'"
++		    GDBM_LIBS=gdbm
++		fi
++
+ 		SYSLIBS="-ldb"
+ 		for name in nsl resolv $GDBM_LIBS
+ 		do
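Review bot: the new gdbm detection block repeats what the commented-out block directly above it already spells out (the same CCARGS and GDBM_LIBS assignments for gdbm/ndbm.h), and the `# XXX: post-sarge ... keep shipping it (with error generation) until sarge releases` comment does not say what "it" is or which error is generated. Drop the dead commented block and reword the comment to state the intent, for instance that gdbm-ndbm.h with gdbm_compat is preferred and the gdbm/ndbm.h branch is a fallback to be removed after sarge.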
+diff -urNad postfix-release/src/dns/Makefile.in /tmp/dpep.TxugCA/postfix-release/src/dns/Makefile.in
+--- postfix-release/src/dns/Makefile.in	2004-12-27 22:28:28.639273144 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/dns/Makefile.in	2004-12-27 22:29:11.315099642 -0700
+@@ -12,7 +12,7 @@
+ LIB_DIR	= ../../lib
+ INC_DIR	= ../../include
+ 
+-.c.o:;	$(CC) $(CFLAGS) -c $*.c
++.c.o:;	$(CC) -fPIC $(CFLAGS) -c $*.c
+ 
+ all: $(LIB)
+ 
+@@ -24,12 +24,10 @@
+ tests:	test
+ 
+ $(LIB):	$(OBJS)
+-	$(AR) $(ARFL) $(LIB) $?
+-	$(RANLIB) $(LIB)
++	gcc -shared -Wl,-soname,libpostfix-dns.so.1 -o $(LIB) $(OBJS) $(LIBS) $(SYSLIBS)
+ 
+ $(LIB_DIR)/$(LIB): $(LIB)
+ 	cp $(LIB) $(LIB_DIR)
+-	$(RANLIB) $(LIB_DIR)/$(LIB)
+ 
+ update: $(LIB_DIR)/$(LIB) $(HDRS)
+ 	-for i in $(HDRS); \
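Review bot: the `$(LIB)` link rule hard-codes `gcc` while the compile rule in the previous hunk still uses `$(CC)`, so a CC override compiles with one compiler and links with another; use `$(CC) -shared -Wl,-soname,libpostfix-dns.so.1 ...`. The hunk also does not show `LIB` being redefined: if it still expands to the old static-archive name, `cp $(LIB) $(LIB_DIR)` installs a file whose name differs from the libpostfix-dns.so.1 soname baked in here, and the runtime loader will not find it by that name.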
+diff -urNad postfix-release/src/global/Makefile.in /tmp/dpep.TxugCA/postfix-release/src/global/Makefile.in
+--- postfix-release/src/global/Makefile.in	2004-12-27 22:28:28.640272930 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/global/Makefile.in	2004-12-27 22:29:11.316099427 -0700
+@@ -3,6 +3,7 @@
+ 	canon_addr.c cfg_parser.c cleanup_strerror.c cleanup_strflags.c \
+ 	clnt_stream.c debug_peer.c debug_process.c defer.c \
+ 	deliver_completed.c deliver_flock.c deliver_pass.c deliver_request.c \
++	dict_sdbm.c sdbm.c \
+ 	dict_ldap.c dict_mysql.c dict_pgsql.c dict_proxy.c domain_list.c \
+ 	dot_lockfile.c dot_lockfile_as.c ext_prop.c file_id.c flush_clnt.c \
+ 	header_opts.c header_token.c hold_message.c input_transp.c \
+@@ -27,7 +28,7 @@
+ 	canon_addr.o cfg_parser.o cleanup_strerror.o cleanup_strflags.o \
+ 	clnt_stream.o debug_peer.o debug_process.o defer.o \
+ 	deliver_completed.o deliver_flock.o deliver_pass.o deliver_request.o \
+-	dict_ldap.o dict_mysql.o dict_pgsql.o dict_proxy.o domain_list.o \
++	dict_proxy.o domain_list.o \
+ 	dot_lockfile.o dot_lockfile_as.o ext_prop.o file_id.o flush_clnt.o \
+ 	header_opts.o header_token.o hold_message.o input_transp.o \
+ 	is_header.o log_adhoc.o mail_addr.o mail_addr_crunch.o \
+@@ -51,6 +52,7 @@
+ 	canon_addr.h cfg_parser.h cleanup_user.h clnt_stream.h config.h \
+ 	debug_peer.h debug_process.h defer.h deliver_completed.h \
+ 	deliver_flock.h deliver_pass.h deliver_request.h dict_ldap.h \
++	dict_sdbm.h sdbm.h \
+ 	dict_mysql.h dict_pgsql.h dict_proxy.h domain_list.h dot_lockfile.h \
+ 	dot_lockfile_as.h ext_prop.h file_id.h flush_clnt.h header_opts.h \
+ 	header_token.h hold_message.h input_transp.h is_header.h \
+@@ -84,10 +86,14 @@
+ LIB_DIR	= ../../lib
+ INC_DIR	= ../../include
+ MAKES	=
++SDBMSO  = dict_sdbm.so
++LDAPSO  = dict_ldap.so
++MYSQLSO = dict_mysql.so
++PGSQLSO = dict_pgsql.so
+ 
+-.c.o:;	$(CC) $(CFLAGS) -c $*.c
++.c.o:;	$(CC) -fPIC $(CFLAGS) -c $*.c
+ 
+-all: $(LIB)
++all: $(LIB) $(SDBMSO) $(LDAPSO) $(MYSQLSO) $(PGSQLSO) 
+ 
+ Makefile: Makefile.in
+ 	(set -e; echo "# DO NOT EDIT"; $(OPTS) $(SHELL) ../../makedefs && cat $?) >$@
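Review bot: `all:` now builds $(LDAPSO), $(MYSQLSO) and $(PGSQLSO) unconditionally, whereas mail_dict.c in this same patch still guards the built-in LDAP/MySQL/PgSQL entries with HAS_LDAP/HAS_MYSQL/HAS_PGSQL; a build host missing one of those libraries will fail at the `-lldap`, `-lmysqlclient` or `-lpq` link line in the next hunk instead of skipping the module. Make the .so list depend on the same makedefs switches, or document that the Debian build always requires all three libraries. The `all:` line also picks up trailing whitespace.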
+@@ -95,14 +101,36 @@
+ test:	$(TESTPROG)
+ 
+ $(LIB):	$(OBJS)
+-	$(AR) $(ARFL) $(LIB) $?
+-	$(RANLIB) $(LIB)
++	gcc -shared -Wl,-soname,libpostfix-global.so.1 -o $(LIB) $(OBJS) $(LIBS) $(SYSLIBS)
++
++$(SDBMSO): dict_sdbm.o sdbm.o
++	gcc -shared -Wl,-soname,dict_sdbm.so -o $@ dict_sdbm.o sdbm.o -L. -lutil -lglobal
++
++$(LDAPSO): dict_ldap.o
++	gcc -shared -Wl,-soname,dict_ldap.so -o $@ $? -lldap -llber -L../../lib -lutil -L. -lglobal
++
++$(MYSQLSO): dict_mysql.o
++	gcc -shared -Wl,-soname,dict_mysql.so -o $@ $? -lmysqlclient -L. -lutil -lglobal
++
++$(PGSQLSO): dict_pgsql.o
++	gcc -shared -Wl,-soname,dict_pgsql.so -o $@ $? -lpq -L. -lutil -lglobal
+ 
+ $(LIB_DIR)/$(LIB): $(LIB)
+ 	cp $(LIB) $(LIB_DIR)
+-	$(RANLIB) $(LIB_DIR)/$(LIB)
+ 
+-update: $(LIB_DIR)/$(LIB) $(HDRS)
++$(LIB_DIR)/$(SDBMSO): $(SDBMSO)
++	cp $(SDBMSO) $(LIB_DIR)
++
++$(LIB_DIR)/$(LDAPSO): $(LDAPSO)
++	cp $(LDAPSO) $(LIB_DIR)
++
++$(LIB_DIR)/$(MYSQLSO): $(MYSQLSO)
++	cp $(MYSQLSO) $(LIB_DIR)
++
++$(LIB_DIR)/$(PGSQLSO): $(PGSQLSO)
++	cp $(PGSQLSO) $(LIB_DIR)
++
++update: $(LIB_DIR)/$(LIB) $(LIB_DIR)/${LDAPSO} $(LIB_DIR)/${MYSQLSO} $(LIB_DIR)/${PGSQLSO} $(LIB_DIR)/$(SDBMSO) $(HDRS)
+ 	-for i in $(HDRS); \
+ 	do \
+ 	  cmp -s $$i $(INC_DIR)/$$i 2>/dev/null || cp $$i $(INC_DIR); \
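Review bot: the dict_*.so link rules disagree about where Postfix's own libraries come from: $(LDAPSO) uses `-L../../lib -lutil -L. -lglobal`, while $(SDBMSO), $(MYSQLSO) and $(PGSQLSO) use only `-L. -lutil -lglobal`. Without -L../../lib, whether `-lutil` resolves to Postfix's util library or to the system libutil (the openpty library) depends on what happens to be in src/global at link time, so the three objects may link against the wrong library or carry unresolved symbols that only show up when dict_open_dlinfo() loads them. Use one consistent flag set, `$(CC)` rather than `gcc`, and `$^` rather than `$?` for the prerequisites; the `update:` target also mixes `${LDAPSO}` and `$(SDBMSO)` variable syntax.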
+@@ -354,7 +382,7 @@
+ 	lint $(DEFS) $(SRCS) $(LINTFIX)
+ 
+ clean:
+-	rm -f *.o $(LIB) *core $(TESTPROG) junk
++	rm -f *.o $(LIB) $(SDBMSO) $(LDAPSO) $(MYSQLSO) $(PGSQLSO) *core $(TESTPROG) junk
+ 	rm -rf printfck
+ 
+ tidy:	clean
+@@ -569,6 +597,10 @@
+ dict_proxy.o: mail_params.h
+ dict_proxy.o: clnt_stream.h
+ dict_proxy.o: dict_proxy.h
++dict_sdbm.o: ../../include/sys_defs.h
++dict_sdbm.o: sdbm.h
++dict_sdbm.o: dict_sdbm.c
++dict_sdbm.o: dict_sdbm.h
+ domain_list.o: domain_list.c
+ domain_list.o: ../../include/sys_defs.h
+ domain_list.o: ../../include/match_list.h
+@@ -643,6 +675,10 @@
+ hold_message.o: ../../include/vstream.h
+ hold_message.o: mail_params.h
+ hold_message.o: hold_message.h
++inet_interfaces_to_af.o: inet_interfaces_to_af.c
++inet_interfaces_to_af.o: ../../include/sys_defs.h
++inet_interfaces_to_af.o: mail_params.h
++inet_interfaces_to_af.o: inet_interfaces_to_af.h
+ input_transp.o: input_transp.c
+ input_transp.o: ../../include/sys_defs.h
+ input_transp.o: ../../include/name_mask.h
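Review bot: the dependency lines for inet_interfaces_to_af.o here, and own_inet_addr.o's new dependency on inet_interfaces_to_af.h in the following hunk, have no counterpart in this patch's SRCS/OBJS changes, which add only dict_sdbm.c and sdbm.c; they look like residue from a different patch and should move there or be dropped, because if inet_interfaces_to_af.h is not present in the tree, make stops on own_inet_addr.o with "No rule to make target".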
+@@ -1088,6 +1124,7 @@
+ own_inet_addr.o: ../../include/vbuf.h
+ own_inet_addr.o: mail_params.h
+ own_inet_addr.o: own_inet_addr.h
++own_inet_addr.o: inet_interfaces_to_af.h
+ pipe_command.o: pipe_command.c
+ pipe_command.o: ../../include/sys_defs.h
+ pipe_command.o: ../../include/msg.h
+@@ -1220,6 +1257,8 @@
+ rewrite_clnt.o: mail_params.h
+ rewrite_clnt.o: clnt_stream.h
+ rewrite_clnt.o: rewrite_clnt.h
++sdbm.o: sdbm.c
++sdbm.o: sdbm.h
+ sent.o: sent.c
+ sent.o: ../../include/sys_defs.h
+ sent.o: ../../include/msg.h
+diff -urNad postfix-release/src/global/dict_sdbm.c /tmp/dpep.TxugCA/postfix-release/src/global/dict_sdbm.c
+--- postfix-release/src/global/dict_sdbm.c	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/global/dict_sdbm.c	2004-12-27 22:29:11.317099212 -0700
+@@ -0,0 +1,469 @@
++/*++
++/* NAME
++/*	dict_sdbm 3
++/* SUMMARY
++/*	dictionary manager interface to SDBM files
++/* SYNOPSIS
++/*	#include <dict_sdbm.h>
++/*
++/*	DICT	*dict_sdbm_open(path, open_flags, dict_flags)
++/*	const char *name;
++/*	const char *path;
++/*	int	open_flags;
++/*	int	dict_flags;
++/* DESCRIPTION
++/*	dict_sdbm_open() opens the named SDBM database and makes it available
++/*	via the generic interface described in dict_open(3).
++/* DIAGNOSTICS
++/*	Fatal errors: cannot open file, file write error, out of memory.
++/* SEE ALSO
++/*	dict(3) generic dictionary manager
++/*	sdbm(3) data base subroutines
++/* LICENSE
++/* .ad
++/* .fi
++/*	The Secure Mailer license must be distributed with this software.
++/* AUTHOR(S)
++/*	Wietse Venema
++/*	IBM T.J. Watson Research
++/*	P.O. Box 704
++/*	Yorktown Heights, NY 10598, USA
++/*--*/
++
++#include "sys_defs.h"
++
++/* System library. */
++
++#include <sys/stat.h>
++#include <string.h>
++#include <unistd.h>
++
++/* Utility library. */
++
++#include "msg.h"
++#include "mymalloc.h"
++#include "htable.h"
++#include "iostuff.h"
++#include "vstring.h"
++#include "myflock.h"
++#include "stringops.h"
++#include "dict.h"
++#include "dict_sdbm.h"
++#include "sdbm.h"
++
++/* Application-specific. */
++
++typedef struct {
++    DICT    dict;			/* generic members */
++    SDBM   *dbm;			/* open database */
++    char   *path;			/* pathname */
++} DICT_SDBM;
++
++/* dict_sdbm_lookup - find database entry */
++
++static const char *dict_sdbm_lookup(DICT *dict, const char *name)
++{
++    DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
++    datum   dbm_key;
++    datum   dbm_value;
++    static VSTRING *buf;
++    const char *result = 0;
++
++    dict_errno = 0;
++
++    /*
++     * Acquire an exclusive lock.
++     */
++    if ((dict->flags & DICT_FLAG_LOCK)
++	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_SHARED) < 0)
++	msg_fatal("%s: lock dictionary: %m", dict_sdbm->path);
++
++    /*
++     * See if this DBM file was written with one null byte appended to key
++     * and value.
++     */
++    if (dict->flags & DICT_FLAG_TRY1NULL) {
++	dbm_key.dptr = (void *) name;
++	dbm_key.dsize = strlen(name) + 1;
++	dbm_value = sdbm_fetch(dict_sdbm->dbm, dbm_key);
++	if (dbm_value.dptr != 0) {
++	    dict->flags &= ~DICT_FLAG_TRY0NULL;
++	    result = dbm_value.dptr;
++	}
++    }
++
++    /*
++     * See if this DBM file was written with no null byte appended to key and
++     * value.
++     */
++    if (result == 0 && (dict->flags & DICT_FLAG_TRY0NULL)) {
++	dbm_key.dptr = (void *) name;
++	dbm_key.dsize = strlen(name);
++	dbm_value = sdbm_fetch(dict_sdbm->dbm, dbm_key);
++	if (dbm_value.dptr != 0) {
++	    if (buf == 0)
++		buf = vstring_alloc(10);
++	    vstring_strncpy(buf, dbm_value.dptr, dbm_value.dsize);
++	    dict->flags &= ~DICT_FLAG_TRY1NULL;
++	    result = vstring_str(buf);
++	}
++    }
++
++    /*
++     * Release the exclusive lock.
++     */
++    if ((dict->flags & DICT_FLAG_LOCK)
++	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
++	msg_fatal("%s: unlock dictionary: %m", dict_sdbm->path);
++
++    return (result);
++}
++
++/* dict_sdbm_update - add or update database entry */
++
++static void dict_sdbm_update(DICT *dict, const char *name, const char *value)
++{
++    DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
++    datum   dbm_key;
++    datum   dbm_value;
++    int     status;
++
++    dbm_key.dptr = (void *) name;
++    dbm_value.dptr = (void *) value;
++    dbm_key.dsize = strlen(name);
++    dbm_value.dsize = strlen(value);
++
++    /*
++     * If undecided about appending a null byte to key and value, choose a
++     * default depending on the platform.
++     */
++    if ((dict->flags & DICT_FLAG_TRY1NULL)
++	&& (dict->flags & DICT_FLAG_TRY0NULL)) {
++#ifdef DBM_NO_TRAILING_NULL
++	dict->flags &= ~DICT_FLAG_TRY1NULL;
++#else
++	dict->flags &= ~DICT_FLAG_TRY0NULL;
++#endif
++    }
++
++    /*
++     * Optionally append a null byte to key and value.
++     */
++    if (dict->flags & DICT_FLAG_TRY1NULL) {
++	dbm_key.dsize++;
++	dbm_value.dsize++;
++    }
++
++    /*
++     * Acquire an exclusive lock.
++     */
++    if ((dict->flags & DICT_FLAG_LOCK)
++	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) < 0)
++	msg_fatal("%s: lock dictionary: %m", dict_sdbm->path);
++
++    /*
++     * Do the update.
++     */
++    if ((status = sdbm_store(dict_sdbm->dbm, dbm_key, dbm_value,
++     (dict->flags & DICT_FLAG_DUP_REPLACE) ? DBM_REPLACE : DBM_INSERT)) < 0)
++	msg_fatal("error writing SDBM database %s: %m", dict_sdbm->path);
++    if (status) {
++	if (dict->flags & DICT_FLAG_DUP_IGNORE)
++	     /* void */ ;
++	else if (dict->flags & DICT_FLAG_DUP_WARN)
++	    msg_warn("%s: duplicate entry: \"%s\"", dict_sdbm->path, name);
++	else
++	    msg_fatal("%s: duplicate entry: \"%s\"", dict_sdbm->path, name);
++    }
++
++    /*
++     * Release the exclusive lock.
++     */
++    if ((dict->flags & DICT_FLAG_LOCK)
++	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
++	msg_fatal("%s: unlock dictionary: %m", dict_sdbm->path);
++}
++
++
++/* dict_sdbm_delete - delete one entry from the dictionary */
++
++static int dict_sdbm_delete(DICT *dict, const char *name)
++{
++    DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
++    datum   dbm_key;
++    int     status = 1;
++    int     flags = 0;
++
++    /*
++     * Acquire an exclusive lock.
++     */
++    if ((dict->flags & DICT_FLAG_LOCK)
++	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) < 0)
++	msg_fatal("%s: lock dictionary: %m", dict_sdbm->path);
++
++    /*
++     * See if this DBM file was written with one null byte appended to key
++     * and value.
++     */
++    if (dict->flags & DICT_FLAG_TRY1NULL) {
++	dbm_key.dptr = (void *) name;
++	dbm_key.dsize = strlen(name) + 1;
++	sdbm_clearerr(dict_sdbm->dbm);
++	if ((status = sdbm_delete(dict_sdbm->dbm, dbm_key)) < 0) {
++	    if (sdbm_error(dict_sdbm->dbm) != 0)	/* fatal error */
++		msg_fatal("error deleting from %s: %m", dict_sdbm->path);
++	    status = 1;				/* not found */
++	} else {
++	    dict->flags &= ~DICT_FLAG_TRY0NULL;	/* found */
++	}
++    }
++
++    /*
++     * See if this DBM file was written with no null byte appended to key and
++     * value.
++     */
++    if (status > 0 && (dict->flags & DICT_FLAG_TRY0NULL)) {
++	dbm_key.dptr = (void *) name;
++	dbm_key.dsize = strlen(name);
++	sdbm_clearerr(dict_sdbm->dbm);
++	if ((status = sdbm_delete(dict_sdbm->dbm, dbm_key)) < 0) {
++	    if (sdbm_error(dict_sdbm->dbm) != 0)	/* fatal error */
++		msg_fatal("error deleting from %s: %m", dict_sdbm->path);
++	    status = 1;				/* not found */
++	} else {
++	    dict->flags &= ~DICT_FLAG_TRY1NULL;	/* found */
++	}
++    }
++
++    /*
++     * Release the exclusive lock.
++     */
++    if ((dict->flags & DICT_FLAG_LOCK)
++	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
++	msg_fatal("%s: unlock dictionary: %m", dict_sdbm->path);
++
++    return (status);
++}
++
++/* traverse the dictionary */
++
++static int dict_sdbm_sequence(DICT *dict, const int function,
++			             const char **key, const char **value)
++{
++    char   *myname = "dict_sdbm_sequence";
++    DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
++    datum   dbm_key;
++    datum   dbm_value;
++    int     status = 0;
++    static VSTRING *key_buf;
++    static VSTRING *value_buf;
++
++    /*
++     * Acquire an exclusive lock.
++     */
++    if ((dict->flags & DICT_FLAG_LOCK)
++	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) < 0)
++	msg_fatal("%s: lock dictionary: %m", dict_sdbm->path);
++
++    /*
++     * Determine and execute the seek function. It returns the key.
++     */
++    switch (function) {
++    case DICT_SEQ_FUN_FIRST:
++	dbm_key = sdbm_firstkey(dict_sdbm->dbm);
++	break;
++    case DICT_SEQ_FUN_NEXT:
++	dbm_key = sdbm_nextkey(dict_sdbm->dbm);
++	break;
++    default:
++	msg_panic("%s: invalid function: %d", myname, function);
++    }
++
++    /*
++     * Release the exclusive lock.
++     */
++    if ((dict->flags & DICT_FLAG_LOCK)
++	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
++	msg_fatal("%s: unlock dictionary: %m", dict_sdbm->path);
++
++    if (dbm_key.dptr != 0 && dbm_key.dsize > 0) {
++
++	/*
++	 * See if this DB file was written with one null byte appended to key
++	 * an d value or not. If necessary, copy the key.
++	 */
++	if (((char *) dbm_key.dptr)[dbm_key.dsize - 1] == 0) {
++	    *key = dbm_key.dptr;
++	} else {
++	    if (key_buf == 0)
++		key_buf = vstring_alloc(10);
++	    vstring_strncpy(key_buf, dbm_key.dptr, dbm_key.dsize);
++	    *key = vstring_str(key_buf);
++	}
++
++	/*
++	 * Fetch the corresponding value.
++	 */
++	dbm_value = sdbm_fetch(dict_sdbm->dbm, dbm_key);
++
++	if (dbm_value.dptr != 0 && dbm_value.dsize > 0) {
++
++	    /*
++	     * See if this DB file was written with one null byte appended to
++	     * key and value or not. If necessary, copy the key.
++	     */
++	    if (((char *) dbm_value.dptr)[dbm_value.dsize - 1] == 0) {
++		*value = dbm_value.dptr;
++	    } else {
++		if (value_buf == 0)
++		    value_buf = vstring_alloc(10);
++		vstring_strncpy(value_buf, dbm_value.dptr, dbm_value.dsize);
++		*value = vstring_str(value_buf);
++	    }
++	} else {
++
++	    /*
++	     * Determine if we have hit the last record or an error
++	     * condition.
++	     */
++	    if (sdbm_error(dict_sdbm->dbm))
++		msg_fatal("error seeking %s: %m", dict_sdbm->path);
++	    return (1);				/* no error: eof/not found
++						 * (should not happen!) */
++	}
++    } else {
++
++	/*
++	 * Determine if we have hit the last record or an error condition.
++	 */
++	if (sdbm_error(dict_sdbm->dbm))
++	    msg_fatal("error seeking %s: %m", dict_sdbm->path);
++	return (1);				/* no error: eof/not found */
++    }
++    return (0);
++}
++
++/* dict_sdbm_close - disassociate from data base */
++
++static void dict_sdbm_close(DICT *dict)
++{
++    DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
++
++    sdbm_close(dict_sdbm->dbm);
++    myfree(dict_sdbm->path);
++    myfree((char *) dict_sdbm);
++}
++
++/* dict_sdbm_open - open SDBM data base */
++
++DICT   *dict_sdbm_open(const char *path, int open_flags, int dict_flags)
++{
++    DICT_SDBM *dict_sdbm;
++    struct stat st;
++    SDBM   *dbm;
++    char   *dbm_path;
++    int     lock_fd;
++
++    if (dict_flags & DICT_FLAG_LOCK) {
++	dbm_path = concatenate(path, ".pag", (char *) 0);
++	if ((lock_fd = open(dbm_path, open_flags, 0644)) < 0)
++	    msg_fatal("open database %s: %m", dbm_path);
++	if (myflock(lock_fd, INTERNAL_LOCK, MYFLOCK_OP_SHARED) < 0)
++	    msg_fatal("shared-lock database %s for open: %m", dbm_path);
++    }
++
++    /*
++     * XXX SunOS 5.x has no const in dbm_open() prototype.
++     */
++    if ((dbm = sdbm_open((char *) path, open_flags, 0644)) == 0)
++	msg_fatal("open database %s.{dir,pag}: %m", path);
++
++    if (dict_flags & DICT_FLAG_LOCK) {
++	if (myflock(lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
++	    msg_fatal("unlock database %s for open: %m", dbm_path);
++	if (close(lock_fd) < 0)
++	    msg_fatal("close database %s: %m", dbm_path);
++	myfree(dbm_path);
++    }
++    dict_sdbm = (DICT_SDBM *) mymalloc(sizeof(*dict_sdbm));
++    dict_sdbm->dict.lookup = dict_sdbm_lookup;
++    dict_sdbm->dict.update = dict_sdbm_update;
++    dict_sdbm->dict.delete = dict_sdbm_delete;
++    dict_sdbm->dict.sequence = dict_sdbm_sequence;
++    dict_sdbm->dict.close = dict_sdbm_close;
++    dict_sdbm->dict.lock_fd = sdbm_dirfno(dbm);
++    dict_sdbm->dict.stat_fd = sdbm_pagfno(dbm);
++    if (fstat(dict_sdbm->dict.stat_fd, &st) < 0)
++	msg_fatal("dict_sdbm_open: fstat: %m");
++    dict_sdbm->dict.mtime = st.st_mtime;
++    close_on_exec(sdbm_pagfno(dbm), CLOSE_ON_EXEC);
++    close_on_exec(sdbm_dirfno(dbm), CLOSE_ON_EXEC);
++    dict_sdbm->dict.flags = dict_flags | DICT_FLAG_FIXED;
++    if ((dict_flags & (DICT_FLAG_TRY0NULL | DICT_FLAG_TRY1NULL)) == 0)
++	dict_sdbm->dict.flags |= (DICT_FLAG_TRY0NULL | DICT_FLAG_TRY1NULL);
++    dict_sdbm->dbm = dbm;
++    dict_sdbm->path = mystrdup(path);
++
++    return (&dict_sdbm->dict);
++}
++
++#include "mkmap.h"
++
++typedef struct MKMAP_DBM {
++    MKMAP   mkmap;			/* parent class */
++    char   *lock_file;			/* path name */
++    int     lock_fd;			/* -1 or open locked file */
++} MKMAP_DBM;
++
++/* mkmap_dbm_after_close - clean up after closing database */
++
++static void mkmap_sdbm_after_close(MKMAP *mp)
++{
++    MKMAP_DBM *mkmap = (MKMAP_DBM *) mp;
++
++    if (mkmap->lock_fd >= 0 && close(mkmap->lock_fd) < 0)
++	msg_warn("close %s: %m", mkmap->lock_file);
++    myfree(mkmap->lock_file);
++}
++
++/* mkmap_sdbm_open - create or open database */
++
++MKMAP  *mkmap_sdbm_open(const char *path)
++{
++    MKMAP_DBM *mkmap = (MKMAP_DBM *) mymalloc(sizeof(*mkmap));
++    char   *pag_file;
++    int     pag_fd;
++
++    /*
++     * Fill in the generic members.
++     */
++    mkmap->lock_file = concatenate(path, ".dir", (char *) 0);
++    mkmap->mkmap.open = dict_sdbm_open;
++    mkmap->mkmap.after_open = 0;
++    mkmap->mkmap.after_close = mkmap_sdbm_after_close;
++
++    /*
++     * Unfortunately, not all systems support locking on open(), so we open
++     * the .dir and .pag files before truncating them. Keep one file open for
++     * locking.
++     */
++    if ((mkmap->lock_fd = open(mkmap->lock_file, O_CREAT | O_RDWR, 0644)) < 0)
++	msg_fatal("open %s: %m", mkmap->lock_file);
++
++    pag_file = concatenate(path, ".pag", (char *) 0);
++    if ((pag_fd = open(pag_file, O_CREAT | O_RDWR, 0644)) < 0)
++	msg_fatal("open %s: %m", pag_file);
++    if (close(pag_fd))
++	msg_warn("close %s: %m", pag_file);
++    myfree(pag_file);
++
++    /*
++     * Get an exclusive lock - we're going to change the database so we can't
++     * have any spectators.
++     */
++    if (myflock(mkmap->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) < 0)
++	msg_fatal("lock %s: %m", mkmap->lock_file);
++
++    return (&mkmap->mkmap);
++}
++
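Review bot: the lock comments in dict_sdbm_lookup() say "Acquire an exclusive lock" and "Release the exclusive lock" while the code correctly takes MYFLOCK_OP_SHARED for a read; fix the comments so a later reader does not "correct" the code to an exclusive lock. Further small points in this file: the SYNOPSIS lists `const char *name;`, which is not a parameter of dict_sdbm_open(); `char *myname` in dict_sdbm_sequence() should be `const char *`; the "XXX SunOS 5.x has no const in dbm_open() prototype" comment and cast are inherited from dict_dbm.c and do not apply to sdbm_open(), which is this patch's own code; and "an d value" in the sequence comment is a typo.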
+diff -urNad postfix-release/src/global/dict_sdbm.h /tmp/dpep.TxugCA/postfix-release/src/global/dict_sdbm.h
+--- postfix-release/src/global/dict_sdbm.h	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/global/dict_sdbm.h	2004-12-27 22:29:11.317099212 -0700
+@@ -0,0 +1,36 @@
++#ifndef _DICT_SDBM_H_INCLUDED_
++#define _DICT_SDBM_H_INCLUDED_
++
++/*++
++/* NAME
++/*	dict_dbm 3h
++/* SUMMARY
++/*	dictionary manager interface to DBM files
++/* SYNOPSIS
++/*	#include <dict_dbm.h>
++/* DESCRIPTION
++/* .nf
++
++ /*
++  * Utility library.
++  */
++#include <dict.h>
++
++ /*
++  * External interface.
++  */
++#define DICT_TYPE_SDBM	"sdbm"
++extern DICT *dict_sdbm_open(const char *, int, int);
++
++/* LICENSE
++/* .ad
++/* .fi
++/*	The Secure Mailer license must be distributed with this software.
++/* AUTHOR(S)
++/*	Wietse Venema
++/*	IBM T.J. Watson Research
++/*	P.O. Box 704
++/*	Yorktown Heights, NY 10598, USA
++/*--*/
++
++#endif
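Review bot: the manual-page block in this header still reads `dict_dbm 3h`, "dictionary manager interface to DBM files" and `#include <dict_dbm.h>`, copied from dict_dbm.h; change them to dict_sdbm, SDBM and `<dict_sdbm.h>` so the generated documentation describes this file rather than the one it was copied from.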
+diff -urNad postfix-release/src/global/mail_conf.c /tmp/dpep.TxugCA/postfix-release/src/global/mail_conf.c
+--- postfix-release/src/global/mail_conf.c	2004-12-27 22:28:28.642272500 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/global/mail_conf.c	2004-12-27 22:29:11.318098997 -0700
+@@ -175,6 +175,13 @@
+     path = concatenate(var_config_dir, "/", "main.cf", (char *) 0);
+     dict_load_file(CONFIG_DICT, path);
+     myfree(path);
++
++#ifndef NO_DYNAMIC_MAPS
++    path = concatenate(var_config_dir, "/", "dynamicmaps.cf", (char *) 0);
++    dict_open_dlinfo(path);
++    myfree(path);
++#endif
++
+ }
+ 
+ /* mail_conf_eval - expand macros in string */
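Review bot: the new block makes every program that reads main.cf also call dict_open_dlinfo() on $config_directory/dynamicmaps.cf, which loads shared objects named in a configuration file into processes that include the set-gid postdrop and postqueue clients; dict_open_dlinfo() itself is not in this hunk, so the review should confirm that it refuses a dynamicmaps.cf or .so that is not root-owned or is group/world-writable, and that the MAIL_CONFIG directory override cannot point a set-gid process at a different dynamicmaps.cf. The guard macro here is NO_DYNAMIC_MAPS, but mail_dict.c in this same patch uses MAX_DYNAMIC_MAPS, so the two halves cannot be switched off together.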
+diff -urNad postfix-release/src/global/mail_dict.c /tmp/dpep.TxugCA/postfix-release/src/global/mail_dict.c
+--- postfix-release/src/global/mail_dict.c	2004-12-27 22:28:28.642272500 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/global/mail_dict.c	2004-12-27 22:29:11.318098997 -0700
+@@ -45,6 +45,7 @@
+ 
+ static DICT_OPEN_INFO dict_open_info[] = {
+     DICT_TYPE_PROXY, dict_proxy_open,
++#ifndef MAX_DYNAMIC_MAPS
+ #ifdef HAS_LDAP
+     DICT_TYPE_LDAP, dict_ldap_open,
+ #endif
+@@ -54,6 +55,7 @@
+ #ifdef HAS_PGSQL
+     DICT_TYPE_PGSQL, dict_pgsql_open,
+ #endif
++#endif /* MAX_DYNAMIC_MAPS */
+     0,
+ };
+ 
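Review bot: both hunks wrap the built-in LDAP/MySQL/PgSQL table entries in `#ifndef MAX_DYNAMIC_MAPS`, while the rest of this patch (mail_conf.c, mkmap_open.c) keys on `NO_DYNAMIC_MAPS`; since MAX_DYNAMIC_MAPS is never defined, the static entries remain compiled in and dict_open_info still references dict_ldap_open() and friends even though the OBJS change in src/global/Makefile.in removed dict_ldap.o, dict_mysql.o and dict_pgsql.o from libglobal, which yields either unresolved symbols at link time or a static handler shadowing the dynamically loaded one. Rename the guard (and the `#endif /* MAX_DYNAMIC_MAPS */` comment) to NO_DYNAMIC_MAPS.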
+diff -urNad postfix-release/src/global/mail_params.c /tmp/dpep.TxugCA/postfix-release/src/global/mail_params.c
+--- postfix-release/src/global/mail_params.c	2004-12-27 22:28:28.643272285 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/global/mail_params.c	2004-12-27 22:29:11.318098997 -0700
+@@ -149,6 +149,8 @@
+ #include <valid_hostname.h>
+ #include <stringops.h>
+ #include <safe.h>
++#include <safe_open.h>
++#include <mymalloc.h>
+ #ifdef HAS_DB
+ #include <dict_db.h>
+ #endif
+@@ -422,6 +424,38 @@
+ 		  (long) var_sgid_gid);
+ }
+ 
++static char *read_file(const char *name)
++{
++    char *ret;
++    VSTRING *why=vstring_alloc(1);
++    VSTRING *new_name=vstring_alloc(1);
++    VSTREAM *vp=safe_open(name, O_RDONLY, 0, NULL, -1, -1, why);
++
++    /*
++     * Ugly macros to make complex expressions less unreadable.
++     */
++#define SKIP(start, var, cond) \
++	for (var = start; *var && (cond); var++);
++
++#define TRIM(s) { \
++	char *p; \
++	for (p = (s) + strlen(s); p > (s) && ISSPACE(p[-1]); p--); \
++	*p = 0; \
++    }
++
++    if (!vp) {
++	msg_fatal("%s: unable to open: %s",name,vstring_str(why));
++    }
++    vstring_get_nonl(new_name,vp);
++    vstream_fclose(vp);
++    SKIP(vstring_str(new_name),ret,ISSPACE(*ret));
++    ret=mystrdup(ret);
++    TRIM(ret);
++    vstring_free(why);
++    vstring_free(new_name);
++    return ret;
++}
++
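Review bot: read_file() ignores the return value of vstring_get_nonl(), so an empty file yields "" and var_myorigin silently becomes the empty string instead of a fatal configuration error; check for VSTREAM_EOF and for an empty trimmed result and msg_fatal() with the file name. safe_open() is called with `-1, -1` for the owner and group, so no ownership requirement is placed on the file that main.cf names; since the result feeds a core parameter, consider requiring root ownership or at least documenting why it is not required. Smaller points: only the first line is read, which suits /etc/mailname-style files but deserves a comment; the SKIP/TRIM macros are defined mid-function and never `#undef`'d; and `vstream_fclose()`'s return value is dropped.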
+ /* mail_params_init - configure built-in parameters */
+ 
+ void    mail_params_init()
+@@ -563,6 +597,9 @@
+      * Variables that are needed by almost every program.
+      */
+     get_mail_conf_str_table(other_str_defaults);
++    if (*var_myorigin=='/') {
++	var_myorigin=read_file(var_myorigin);
++    }
+     get_mail_conf_int_table(other_int_defaults);
+     get_mail_conf_bool_table(bool_defaults);
+     get_mail_conf_time_table(time_defaults);
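Review bot: `var_myorigin=read_file(var_myorigin)` overwrites the pointer returned by get_mail_conf_str_table() without freeing the old string (a small one-time leak), and it introduces a convention, a value beginning with '/' is a file name, for this one parameter only; tools that read main.cf directly rather than through mail_params_init() will still see the path. Document the convention (myorigin = /etc/mailname) in the Debian main.cf and README, and validate that the value read back is a non-empty domain name before it is used.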
+diff -urNad postfix-release/src/global/mkmap_open.c /tmp/dpep.TxugCA/postfix-release/src/global/mkmap_open.c
+--- postfix-release/src/global/mkmap_open.c	2004-12-27 22:28:28.643272285 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/global/mkmap_open.c	2004-12-27 22:29:11.318098997 -0700
+@@ -144,7 +144,16 @@
+      */
+     for (mp = mkmap_types; /* void */ ; mp++) {
+ 	if (mp->type == 0)
++#ifndef NO_DYNAMIC_MAPS
++	{
++	    static MKMAP_OPEN_INFO oi;
++	    oi.before_open=dict_mkmap_func(type);
++	    oi.type=type;
++	    mp=&oi;
++	}
++#else
+ 	    msg_fatal("unsupported map type: %s", type);
++#endif
+ 	if (strcmp(type, mp->type) == 0)
+ 	    break;
+     }
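Review bot: with dynamic maps enabled, the `mp->type == 0` branch now substitutes a static MKMAP_OPEN_INFO for any unknown map type and proceeds, so the "unsupported map type" diagnostic disappears from this function and an unknown type is only caught if dict_mkmap_func() itself calls msg_fatal(); if it returns a null pointer instead, `mp->before_open` is dereferenced later. Check dict_mkmap_func()'s return value here and keep the msg_fatal() for that case. Splitting one `if` body across a braced block and a bare statement in opposite #ifdef branches also hurts readability; brace both branches.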
+diff -urNad postfix-release/src/global/sdbm.c /tmp/dpep.TxugCA/postfix-release/src/global/sdbm.c
+--- postfix-release/src/global/sdbm.c	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/global/sdbm.c	2004-12-27 22:29:11.320098567 -0700
+@@ -0,0 +1,972 @@
++/*++
++/* NAME
++/*      sdbm 3h
++/* SUMMARY
++/*      SDBM Simple DBM: ndbm work-alike hashed database library
++/* SYNOPSIS
++/*      include "sdbm.h"
++/* DESCRIPTION
++/*	This file includes the public domain SDBM (ndbm work-alike hashed
++/*	database library), based on Per-Aake Larson's Dynamic Hashing
++/*	algorithms. BIT 18 (1978).
++/*	author: oz at nexus.yorku.ca
++/*	status: public domain
++/*	The file has been patched following the advice of Uwe Ohse
++/*	<uwe at ohse.de>:
++/*	--------------------------------------------------------------
++/*	this patch fixes a problem with sdbms .dir file, which arrises when
++/*	a second .dir block is needed for the first time. read() returns 0
++/*	in that case, and the library forgot to initialize that new block.
++/*
++/*	A related problem is that the calculation of db->maxbno is wrong.
++/*	It just appends 4096*BYTESIZ bits, which is not enough except for
++/*	small databases (.dir basically doubles everytime it's too small).
++/*	--------------------------------------------------------------
++/*	According to Uwe Ohse, the patch has also been submitted to the
++/*	author of SDBM. (The 4096*BYTESIZ bits comment may apply with a
++/*	different size for Postfix/TLS, as the patch was sent against the
++/*	original SDBM distributiona and for Postfix/TLS I have changed the
++/*	default sizes.
++/* .nf
++/*--*/
++
++/*
++ * sdbm - ndbm work-alike hashed database library
++ * based on Per-Aake Larson's Dynamic Hashing algorithms. BIT 18 (1978).
++ * author: oz at nexus.yorku.ca
++ * status: public domain.
++ *
++ * core routines
++ */
++
++#include <stdio.h>
++#include <stdlib.h>
++#ifdef WIN32
++#include <io.h>
++#include <errno.h>
++#else
++#include <unistd.h>
++#endif
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <fcntl.h>
++#include <errno.h>
++#include <string.h>
++#ifdef __STDC__
++#include <stddef.h>
++#endif
++#include <mymalloc.h>
++
++#include <sdbm.h>
++
++/*
++ * useful macros
++ */
++#define bad(x)          ((x).dptr == NULL || (x).dsize <= 0)
++#define exhash(item)    sdbm_hash((item).dptr, (item).dsize)
++#define ioerr(db)       ((db)->flags |= DBM_IOERR)
++
++#define OFF_PAG(off)    (long) (off) * PBLKSIZ
++#define OFF_DIR(off)    (long) (off) * DBLKSIZ
++
++static long masks[] =
++{
++    000000000000, 000000000001, 000000000003, 000000000007,
++    000000000017, 000000000037, 000000000077, 000000000177,
++    000000000377, 000000000777, 000000001777, 000000003777,
++    000000007777, 000000017777, 000000037777, 000000077777,
++    000000177777, 000000377777, 000000777777, 000001777777,
++    000003777777, 000007777777, 000017777777, 000037777777,
++    000077777777, 000177777777, 000377777777, 000777777777,
++    001777777777, 003777777777, 007777777777, 017777777777
++};
++
++datum   nullitem =
++{NULL, 0};
++
++typedef struct
++{
++    int     dirf;			/* directory file descriptor */
++    int     pagf;			/* page file descriptor */
++    int     flags;			/* status/error flags, see below */
++    long    maxbno;			/* size of dirfile in bits */
++    long    curbit;			/* current bit number */
++    long    hmask;			/* current hash mask */
++    long    blkptr;			/* current block for nextkey */
++    int     keyptr;			/* current key for nextkey */
++    long    blkno;			/* current page to read/write */
++    long    pagbno;			/* current page in pagbuf */
++    char   *pagbuf;			/* page file block buffer */
++    long    dirbno;			/* current block in dirbuf */
++    char   *dirbuf;			/* directory file block buffer */
++}       DBM;
++
++
++/* ************************* */
++
++/*
++ * sdbm - ndbm work-alike hashed database library
++ * based on Per-Aake Larson's Dynamic Hashing algorithms. BIT 18 (1978).
++ * author: oz at nexus.yorku.ca
++ * status: public domain. keep it that way.
++ *
++ * hashing routine
++ */
++
++/*
++ * polynomial conversion ignoring overflows
++ * [this seems to work remarkably well, in fact better
++ * then the ndbm hash function. Replace at your own risk]
++ * use: 65599   nice.
++ *      65587   even better.
++ */
++static long sdbm_hash (char *str, int len)
++{
++    unsigned long n = 0;
++
++#ifdef DUFF
++#define HASHC   n = *str++ + 65599 * n
++    if (len > 0)
++      {
++	  int     loop = (len + 8 - 1) >> 3;
++
++	  switch (len & (8 - 1))
++	    {
++	    case 0:
++		do
++		  {
++		      HASHC;
++	    case 7:
++		      HASHC;
++	    case 6:
++		      HASHC;
++	    case 5:
++		      HASHC;
++	    case 4:
++		      HASHC;
++	    case 3:
++		      HASHC;
++	    case 2:
++		      HASHC;
++	    case 1:
++		      HASHC;
++		  }
++		while (--loop);
++	    }
++
++      }
++#else
++    while (len--)
++	n = *str++ + 65599 * n;
++#endif
++    return n;
++}
++
++/*
++ * check page sanity:
++ * number of entries should be something
++ * reasonable, and all offsets in the index should be in order.
++ * this could be made more rigorous.
++ */
++static int chkpage (char *pag)
++{
++    int     n;
++    int     off;
++    short  *ino = (short *) pag;
++
++    if ((n = ino[0]) < 0 || n > PBLKSIZ / sizeof (short))
++	        return 0;
++
++    if (n > 0)
++      {
++	  off = PBLKSIZ;
++	  for (ino++; n > 0; ino += 2)
++	    {
++		if (ino[0] > off || ino[1] > off ||
++		    ino[1] > ino[0])
++		    return 0;
++		off = ino[1];
++		n -= 2;
++	    }
++      }
++    return 1;
++}
++
++/*
++ * search for the key in the page.
++ * return offset index in the range 0 < i < n.
++ * return 0 if not found.
++ */
++static int seepair (char *pag, int n, char *key, int siz)
++{
++    int     i;
++    int     off = PBLKSIZ;
++    short  *ino = (short *) pag;
++
++    for (i = 1; i < n; i += 2)
++      {
++	  if (siz == off - ino[i] &&
++	      memcmp (key, pag + ino[i], siz) == 0)
++	      return i;
++	  off = ino[i + 1];
++      }
++    return 0;
++}
++
++#ifdef SEEDUPS
++static int duppair (char *pag, datum key)
++{
++    short  *ino = (short *) pag;
++
++    return ino[0] > 0 && seepair (pag, ino[0], key.dptr, key.dsize) > 0;
++}
++
++#endif
++
++/* ************************* */
++
++/*
++ * sdbm - ndbm work-alike hashed database library
++ * based on Per-Aake Larson's Dynamic Hashing algorithms. BIT 18 (1978).
++ * author: oz at nexus.yorku.ca
++ * status: public domain.
++ *
++ * page-level routines
++ */
++
++/*
++ * page format:
++ *      +------------------------------+
++ * ino  | n | keyoff | datoff | keyoff |
++ *      +------------+--------+--------+
++ *      | datoff | - - - ---->         |
++ *      +--------+---------------------+
++ *      |        F R E E A R E A       |
++ *      +--------------+---------------+
++ *      |  <---- - - - | data          |
++ *      +--------+-----+----+----------+
++ *      |  key   | data     | key      |
++ *      +--------+----------+----------+
++ *
++ * calculating the offsets for free area:  if the number
++ * of entries (ino[0]) is zero, the offset to the END of
++ * the free area is the block size. Otherwise, it is the
++ * nth (ino[ino[0]]) entry's offset.
++ */
++
++static int fitpair (char *pag, int need)
++{
++    int     n;
++    int     off;
++    int     avail;
++    short  *ino = (short *) pag;
++
++    off = ((n = ino[0]) > 0) ? ino[n] : PBLKSIZ;
++    avail = off - (n + 1) * sizeof (short);
++    need += 2 * sizeof (short);
++
++    return need <= avail;
++}
++
++static void putpair (char *pag, datum key, datum val)
++{
++    int     n;
++    int     off;
++    short  *ino = (short *) pag;
++
++    off = ((n = ino[0]) > 0) ? ino[n] : PBLKSIZ;
++/*
++ * enter the key first
++ */
++    off -= key.dsize;
++    (void) memcpy (pag + off, key.dptr, key.dsize);
++    ino[n + 1] = off;
++/*
++ * now the data
++ */
++    off -= val.dsize;
++    (void) memcpy (pag + off, val.dptr, val.dsize);
++    ino[n + 2] = off;
++/*
++ * adjust item count
++ */
++    ino[0] += 2;
++}
++
++static datum getpair (char *pag, datum key)
++{
++    int     i;
++    int     n;
++    datum   val;
++    short  *ino = (short *) pag;
++
++    if ((n = ino[0]) == 0)
++	return nullitem;
++
++    if ((i = seepair (pag, n, key.dptr, key.dsize)) == 0)
++	return nullitem;
++
++    val.dptr = pag + ino[i + 1];
++    val.dsize = ino[i] - ino[i + 1];
++    return val;
++}
++
++static datum getnkey (char *pag, int num)
++{
++    datum   key;
++    int     off;
++    short  *ino = (short *) pag;
++
++    num = num * 2 - 1;
++    if (ino[0] == 0 || num > ino[0])
++	return nullitem;
++
++    off = (num > 1) ? ino[num - 1] : PBLKSIZ;
++
++    key.dptr = pag + ino[num];
++    key.dsize = off - ino[num];
++
++    return key;
++}
++
++static int delpair (char *pag, datum key)
++{
++    int     n;
++    int     i;
++    short  *ino = (short *) pag;
++
++    if ((n = ino[0]) == 0)
++	return 0;
++
++    if ((i = seepair (pag, n, key.dptr, key.dsize)) == 0)
++	return 0;
++/*
++ * found the key. if it is the last entry
++ * [i.e. i == n - 1] we just adjust the entry count.
++ * hard case: move all data down onto the deleted pair,
++ * shift offsets onto deleted offsets, and adjust them.
++ * [note: 0 < i < n]
++ */
++    if (i < n - 1)
++      {
++	  int     m;
++	  char   *dst = pag + (i == 1 ? PBLKSIZ : ino[i - 1]);
++	  char   *src = pag + ino[i + 1];
++	  int     zoo = dst - src;
++
++/*
++ * shift data/keys down
++ */
++	  m = ino[i + 1] - ino[n];
++#ifdef DUFF
++#define MOVB    *--dst = *--src
++	  if (m > 0)
++	    {
++		int     loop = (m + 8 - 1) >> 3;
++
++		switch (m & (8 - 1))
++		  {
++		  case 0:
++		      do
++			{
++			    MOVB;
++		  case 7:
++			    MOVB;
++		  case 6:
++			    MOVB;
++		  case 5:
++			    MOVB;
++		  case 4:
++			    MOVB;
++		  case 3:
++			    MOVB;
++		  case 2:
++			    MOVB;
++		  case 1:
++			    MOVB;
++			}
++		      while (--loop);
++		  }
++	    }
++#else
++	  dst -= m;
++	  src -= m;
++	  memmove (dst, src, m);
++#endif
++/*
++ * adjust offset index up
++ */
++	  while (i < n - 1)
++	    {
++		ino[i] = ino[i + 2] + zoo;
++		i++;
++	    }
++      }
++    ino[0] -= 2;
++    return 1;
++}
++
++static void splpage (char *pag, char *new, long sbit)
++{
++    datum   key;
++    datum   val;
++
++    int     n;
++    int     off = PBLKSIZ;
++    char    cur[PBLKSIZ];
++    short  *ino = (short *) cur;
++
++    (void) memcpy (cur, pag, PBLKSIZ);
++    (void) memset (pag, 0, PBLKSIZ);
++    (void) memset (new, 0, PBLKSIZ);
++
++    n = ino[0];
++    for (ino++; n > 0; ino += 2)
++      {
++	  key.dptr = cur + ino[0];
++	  key.dsize = off - ino[0];
++	  val.dptr = cur + ino[1];
++	  val.dsize = ino[0] - ino[1];
++/*
++ * select the page pointer (by looking at sbit) and insert
++ */
++	  (void) putpair ((exhash (key) & sbit) ? new : pag, key, val);
++
++	  off = ino[1];
++	  n -= 2;
++      }
++}
++
++static int getdbit (DBM * db, long dbit)
++{
++    long    c;
++    long    dirb;
++
++    c = dbit / BYTESIZ;
++    dirb = c / DBLKSIZ;
++
++    if (dirb != db->dirbno)
++      {
++	  int got;
++	  if (lseek (db->dirf, OFF_DIR (dirb), SEEK_SET) < 0
++	      || (got = read(db->dirf, db->dirbuf, DBLKSIZ)) < 0)
++	      return 0;
++	  if (got==0)
++              memset(db->dirbuf,0,DBLKSIZ);
++	  db->dirbno = dirb;
++      }
++
++    return db->dirbuf[c % DBLKSIZ] & (1 << dbit % BYTESIZ);
++}
++
++static int setdbit (DBM * db, long dbit)
++{
++    long    c;
++    long    dirb;
++
++    c = dbit / BYTESIZ;
++    dirb = c / DBLKSIZ;
++
++    if (dirb != db->dirbno)
++      {
++	  int got;
++	  if (lseek (db->dirf, OFF_DIR (dirb), SEEK_SET) < 0
++	      || (got = read(db->dirf, db->dirbuf, DBLKSIZ)) < 0)
++	      return 0;
++	  if (got==0)
++              memset(db->dirbuf,0,DBLKSIZ);
++	  db->dirbno = dirb;
++      }
++
++    db->dirbuf[c % DBLKSIZ] |= (1 << dbit % BYTESIZ);
++
++#if 0
++    if (dbit >= db->maxbno)
++	db->maxbno += DBLKSIZ * BYTESIZ;
++#else
++    if (OFF_DIR((dirb+1))*BYTESIZ > db->maxbno)
++        db->maxbno=OFF_DIR((dirb+1))*BYTESIZ;
++#endif
++
++    if (lseek (db->dirf, OFF_DIR (dirb), SEEK_SET) < 0
++	|| write (db->dirf, db->dirbuf, DBLKSIZ) < 0)
++	return 0;
++
++    return 1;
++}
++
++/*
++ * getnext - get the next key in the page, and if done with
++ * the page, try the next page in sequence
++ */
++static datum getnext (DBM * db)
++{
++    datum   key;
++
++    for (;;)
++      {
++	  db->keyptr++;
++	  key = getnkey (db->pagbuf, db->keyptr);
++	  if (key.dptr != NULL)
++	      return key;
++/*
++ * we either run out, or there is nothing on this page..
++ * try the next one... If we lost our position on the
++ * file, we will have to seek.
++ */
++	  db->keyptr = 0;
++	  if (db->pagbno != db->blkptr++)
++	      if (lseek (db->pagf, OFF_PAG (db->blkptr), SEEK_SET) < 0)
++		  break;
++	  db->pagbno = db->blkptr;
++	  if (read (db->pagf, db->pagbuf, PBLKSIZ) <= 0)
++	      break;
++	  if (!chkpage (db->pagbuf))
++	      break;
++      }
++
++    return ioerr (db), nullitem;
++}
++
++/*
++ * all important binary trie traversal
++ */
++static int getpage (DBM * db, long hash)
++{
++    int     hbit;
++    long    dbit;
++    long    pagb;
++
++    dbit = 0;
++    hbit = 0;
++    while (dbit < db->maxbno && getdbit (db, dbit))
++	dbit = 2 * dbit + ((hash & (1 << hbit++)) ? 2 : 1);
++
++    db->curbit = dbit;
++    db->hmask = masks[hbit];
++
++    pagb = hash & db->hmask;
++/*
++ * see if the block we need is already in memory.
++ * note: this lookaside cache has about 10% hit rate.
++ */
++    if (pagb != db->pagbno)
++      {
++/*
++ * note: here, we assume a "hole" is read as 0s.
++ * if not, must zero pagbuf first.
++ */
++	  if (lseek (db->pagf, OFF_PAG (pagb), SEEK_SET) < 0
++	      || read (db->pagf, db->pagbuf, PBLKSIZ) < 0)
++	      return 0;
++	  if (!chkpage (db->pagbuf))
++	      return 0;
++	  db->pagbno = pagb;
++      }
++    return 1;
++}
++
++/*
++ * makroom - make room by splitting the overfull page
++ * this routine will attempt to make room for SPLTMAX times before
++ * giving up.
++ */
++static int makroom (DBM * db, long hash, int need)
++{
++    long    newp;
++    char    twin[PBLKSIZ];
++    char   *pag = db->pagbuf;
++    char   *new = twin;
++    int     smax = SPLTMAX;
++
++    do
++      {
++/*
++ * split the current page
++ */
++	  (void) splpage (pag, new, db->hmask + 1);
++/*
++ * address of the new page
++ */
++	  newp = (hash & db->hmask) | (db->hmask + 1);
++
++/*
++ * write delay, read avoidence/cache shuffle:
++ * select the page for incoming pair: if key is to go to the new page,
++ * write out the previous one, and copy the new one over, thus making
++ * it the current page. If not, simply write the new page, and we are
++ * still looking at the page of interest. current page is not updated
++ * here, as sdbm_store will do so, after it inserts the incoming pair.
++ */
++	  if (hash & (db->hmask + 1))
++	    {
++		if (lseek (db->pagf, OFF_PAG (db->pagbno), SEEK_SET) < 0
++		    || write (db->pagf, db->pagbuf, PBLKSIZ) < 0)
++		    return 0;
++		db->pagbno = newp;
++		(void) memcpy (pag, new, PBLKSIZ);
++	    }
++	  else if (lseek (db->pagf, OFF_PAG (newp), SEEK_SET) < 0
++		   || write (db->pagf, new, PBLKSIZ) < 0)
++	      return 0;
++
++	  if (!setdbit (db, db->curbit))
++	      return 0;
++/*
++ * see if we have enough room now
++ */
++	  if (fitpair (pag, need))
++	      return 1;
++/*
++ * try again... update curbit and hmask as getpage would have
++ * done. because of our update of the current page, we do not
++ * need to read in anything. BUT we have to write the current
++ * [deferred] page out, as the window of failure is too great.
++ */
++	  db->curbit = 2 * db->curbit +
++	      ((hash & (db->hmask + 1)) ? 2 : 1);
++	  db->hmask |= db->hmask + 1;
++
++	  if (lseek (db->pagf, OFF_PAG (db->pagbno), SEEK_SET) < 0
++	      || write (db->pagf, db->pagbuf, PBLKSIZ) < 0)
++	      return 0;
++
++      }
++    while (--smax);
++/*
++ * if we are here, this is real bad news. After SPLTMAX splits,
++ * we still cannot fit the key. say goodnight.
++ */
++#ifdef BADMESS
++    (void) write (2, "sdbm: cannot insert after SPLTMAX attempts.\n", 44);
++#endif
++    return 0;
++
++}
++
++static SDBM *sdbm_prep (char *dirname, char *pagname, int flags, int mode)
++{
++    SDBM   *db;
++    struct stat dstat;
++
++    if ((db = (SDBM *) mymalloc (sizeof (SDBM))) == NULL)
++	return errno = ENOMEM, (SDBM *) NULL;
++
++    db->flags = 0;
++    db->blkptr = 0;
++    db->keyptr = 0;
++/*
++ * adjust user flags so that WRONLY becomes RDWR,
++ * as required by this package. Also set our internal
++ * flag for RDONLY if needed.
++ */
++    if (flags & O_WRONLY)
++	flags = (flags & ~O_WRONLY) | O_RDWR;
++    else if ((flags & 03) == O_RDONLY)
++	db->flags = DBM_RDONLY;
++#if defined(OS2) || defined(MSDOS) || defined(WIN32)
++    flags |= O_BINARY;
++#endif
++
++/*
++ * Make sure to ignore the O_EXCL option, as the file might exist due
++ * to the locking.
++ */
++    flags &= ~O_EXCL;
++
++/*
++ * open the files in sequence, and stat the dirfile.
++ * If we fail anywhere, undo everything, return NULL.
++ */
++
++    if ((db->pagf = open (pagname, flags, mode)) > -1)
++      {
++	  if ((db->dirf = open (dirname, flags, mode)) > -1)
++	    {
++/*
++ * need the dirfile size to establish max bit number.
++ */
++		if (fstat (db->dirf, &dstat) == 0)
++		  {
++		      /*
++                       * success
++                       */
++		      return db;
++		  }
++		msg_info ("closing dirf");
++		(void) close (db->dirf);
++	    }
++	  msg_info ("closing pagf");
++	  (void) close (db->pagf);
++      }
++    myfree ((char *) db);
++    return (SDBM *) NULL;
++}
++
++static DBM *sdbm_internal_open (SDBM * sdbm)
++{
++    DBM    *db;
++    struct stat dstat;
++
++    if ((db = (DBM *) mymalloc (sizeof (DBM))) == NULL)
++	return errno = ENOMEM, (DBM *) NULL;
++
++    db->flags = sdbm->flags;
++    db->hmask = 0;
++    db->blkptr = sdbm->blkptr;
++    db->keyptr = sdbm->keyptr;
++    db->pagf = sdbm->pagf;
++    db->dirf = sdbm->dirf;
++    db->pagbuf = sdbm->pagbuf;
++    db->dirbuf = sdbm->dirbuf;
++
++/*
++ * need the dirfile size to establish max bit number.
++ */
++    if (fstat (db->dirf, &dstat) == 0)
++      {
++/*
++ * zero size: either a fresh database, or one with a single,
++ * unsplit data page: dirpage is all zeros.
++ */
++	  db->dirbno = (!dstat.st_size) ? 0 : -1;
++	  db->pagbno = -1;
++	  db->maxbno = dstat.st_size * BYTESIZ;
++
++	  (void) memset (db->pagbuf, 0, PBLKSIZ);
++	  (void) memset (db->dirbuf, 0, DBLKSIZ);
++	  return db;
++      }
++    myfree ((char *) db);
++    return (DBM *) NULL;
++}
++
++static void sdbm_internal_close (DBM * db)
++{
++    if (db == NULL)
++	errno = EINVAL;
++    else
++      {
++	  myfree ((char *) db);
++      }
++}
++
++datum   sdbm_fetch (SDBM * sdb, datum key)
++{
++    datum   retval;
++    DBM    *db;
++
++    if (sdb == NULL || bad (key))
++	return errno = EINVAL, nullitem;
++
++    if (!(db = sdbm_internal_open (sdb)))
++	return errno = EINVAL, nullitem;
++
++    if (getpage (db, exhash (key)))
++      {
++	  retval = getpair (db->pagbuf, key);
++	  sdbm_internal_close (db);
++	  return retval;
++      }
++
++    sdbm_internal_close (db);
++
++    return ioerr (sdb), nullitem;
++}
++
++int     sdbm_delete (SDBM * sdb, datum key)
++{
++    int     retval;
++    DBM    *db;
++
++    if (sdb == NULL || bad (key))
++	return errno = EINVAL, -1;
++    if (sdbm_rdonly (sdb))
++	return errno = EPERM, -1;
++
++    if (!(db = sdbm_internal_open (sdb)))
++	return errno = EINVAL, -1;
++
++    if (getpage (db, exhash (key)))
++      {
++	  if (!delpair (db->pagbuf, key))
++	      retval = -1;
++/*
++ * update the page file
++ */
++	  else if (lseek (db->pagf, OFF_PAG (db->pagbno), SEEK_SET) < 0
++		   || write (db->pagf, db->pagbuf, PBLKSIZ) < 0)
++	      retval = ioerr (sdb), -1;
++	  else
++	      retval = 0;
++      }
++    else
++	retval = ioerr (sdb), -1;
++
++    sdbm_internal_close (db);
++
++    return retval;
++}
++
++int     sdbm_store (SDBM * sdb, datum key, datum val, int flags)
++{
++    int     need;
++    int     retval;
++    long    hash;
++    DBM    *db;
++
++    if (sdb == NULL || bad (key))
++	return errno = EINVAL, -1;
++    if (sdbm_rdonly (sdb))
++	return errno = EPERM, -1;
++
++    need = key.dsize + val.dsize;
++/*
++ * is the pair too big (or too small) for this database ??
++ */
++    if (need < 0 || need > PAIRMAX)
++	return errno = EINVAL, -1;
++
++    if (!(db = sdbm_internal_open (sdb)))
++	return errno = EINVAL, -1;
++
++    if (getpage (db, (hash = exhash (key))))
++      {
++/*
++ * if we need to replace, delete the key/data pair
++ * first. If it is not there, ignore.
++ */
++	  if (flags == DBM_REPLACE)
++	      (void) delpair (db->pagbuf, key);
++#ifdef SEEDUPS
++	  else if (duppair (db->pagbuf, key))
++	    {
++		sdbm_internal_close (db);
++		return 1;
++	    }
++#endif
++/*
++ * if we do not have enough room, we have to split.
++ */
++	  if (!fitpair (db->pagbuf, need))
++	      if (!makroom (db, hash, need))
++		{
++		    sdbm_internal_close (db);
++		    return ioerr (db), -1;
++		}
++/*
++ * we have enough room or split is successful. insert the key,
++ * and update the page file.
++ */
++	  (void) putpair (db->pagbuf, key, val);
++
++	  if (lseek (db->pagf, OFF_PAG (db->pagbno), SEEK_SET) < 0
++	      || write (db->pagf, db->pagbuf, PBLKSIZ) < 0)
++	    {
++		sdbm_internal_close (db);
++		return ioerr (db), -1;
++	    }
++	  /*
++           * success
++           */
++	  sdbm_internal_close (db);
++	  return 0;
++      }
++
++    sdbm_internal_close (db);
++    return ioerr (sdb), -1;
++}
++
++/*
++ * the following two routines will break if
++ * deletions aren't taken into account. (ndbm bug)
++ */
++datum   sdbm_firstkey (SDBM * sdb)
++{
++    datum   retval;
++    DBM    *db;
++
++    if (sdb == NULL)
++	return errno = EINVAL, nullitem;
++
++    if (!(db = sdbm_internal_open (sdb)))
++	return errno = EINVAL, nullitem;
++
++/*
++ * start at page 0
++ */
++    if (lseek (db->pagf, OFF_PAG (0), SEEK_SET) < 0
++	|| read (db->pagf, db->pagbuf, PBLKSIZ) < 0)
++      {
++	  sdbm_internal_close (db);
++	  return ioerr (sdb), nullitem;
++      }
++    db->pagbno = 0;
++    db->blkptr = 0;
++    db->keyptr = 0;
++
++    retval = getnext (db);
++    sdb->blkptr = db->blkptr;
++    sdb->keyptr = db->keyptr;
++    sdbm_internal_close (db);
++    return retval;
++}
++
++datum   sdbm_nextkey (SDBM * sdb)
++{
++    datum   retval;
++    DBM    *db;
++
++    if (sdb == NULL)
++	return errno = EINVAL, nullitem;
++
++    if (!(db = sdbm_internal_open (sdb)))
++	return errno = EINVAL, nullitem;
++
++    retval = getnext (db);
++    sdb->blkptr = db->blkptr;
++    sdb->keyptr = db->keyptr;
++    sdbm_internal_close (db);
++    return retval;
++}
++
++void    sdbm_close (SDBM * db)
++{
++    if (db == NULL)
++	errno = EINVAL;
++    else
++      {
++	  (void) close (db->dirf);
++	  (void) close (db->pagf);
++	  myfree ((char *) db);
++      }
++}
++
++SDBM   *sdbm_open (char *file, int flags, int mode)
++{
++    SDBM   *db;
++    char   *dirname;
++    char   *pagname;
++    int     n;
++
++    if (file == NULL || !*file)
++	return errno = EINVAL, (SDBM *) NULL;
++/*
++ * need space for two seperate filenames
++ */
++    n = strlen (file) * 2 + strlen (DIRFEXT) + strlen (PAGFEXT) + 2;
++
++    if ((dirname = (char *) mymalloc ((unsigned) n)) == NULL)
++	return errno = ENOMEM, (SDBM *) NULL;
++/*
++ * build the file names
++ */
++    dirname = strcat (strcpy (dirname, file), DIRFEXT);
++    pagname = strcpy (dirname + strlen (dirname) + 1, file);
++    pagname = strcat (pagname, PAGFEXT);
++
++    db = sdbm_prep (dirname, pagname, flags, mode);
++    myfree ((char *) dirname);
++    return db;
++}
++
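Review bot: sdbm_store() uses the DBM handle after freeing it in two error paths, `sdbm_internal_close (db); return ioerr (db), -1;` after the makroom() failure and again after the page write failure. ioerr() writes `db->flags` on memory that myfree() has just released, and even where that happens not to crash the flag lands on the discarded internal DBM instead of the caller's SDBM; every other error path in this file correctly writes `ioerr (sdb)`, so these two should read `return ioerr (sdb), -1;`. Two smaller points in the same hunk: sdbm_prep() calls msg_info() but the file only includes `<mymalloc.h>`, so `<msg.h>` is missing, and chkpage() verifies that the offsets are descending and below PBLKSIZ but not that the lowest offset stays above the index array itself (`(n + 1) * sizeof (short)`) or that `n` is even, so a damaged page can still pass the sanity check and be indexed by seepair()/getnkey(); adding those two tests makes the check match the page-format comment above fitpair().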
+diff -urNad postfix-release/src/global/sdbm.h /tmp/dpep.TxugCA/postfix-release/src/global/sdbm.h
+--- postfix-release/src/global/sdbm.h	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/global/sdbm.h	2004-12-27 22:29:11.320098567 -0700
+@@ -0,0 +1,97 @@
++/*++
++/* NAME
++/*      sdbm 3h
++/* SUMMARY
++/*      SDBM Simple DBM: ndbm work-alike hashed database library
++/* SYNOPSIS
++/*      include "sdbm.h"
++/* DESCRIPTION
++/* .nf
++/*--*/
++
++#ifndef UTIL_SDBM_H
++#define UTIL_SDBM_H
++
++/*
++ * sdbm - ndbm work-alike hashed database library
++ * based on Per-Ake Larson's Dynamic Hashing algorithms. BIT 18 (1978).
++ * author: oz at nexus.yorku.ca
++ * status: public domain.
++ */
++
++#define DUFF    /* go ahead and use the loop-unrolled version */
++
++#include <stdio.h>
++
++#define DBLKSIZ 16384                   /* SSL cert chains require more */
++#define PBLKSIZ 8192                    /* SSL cert chains require more */
++#define PAIRMAX 8008                    /* arbitrary on PBLKSIZ-N */
++#define SPLTMAX 10                      /* maximum allowed splits */
++                                        /* for a single insertion */
++#define DIRFEXT ".dir"
++#define PAGFEXT ".pag"
++
++typedef struct {
++        int dirf;                      /* directory file descriptor */
++        int pagf;                      /* page file descriptor */
++        int flags;                     /* status/error flags, see below */
++        long blkptr;                   /* current block for nextkey */
++        int keyptr;                    /* current key for nextkey */
++        char pagbuf[PBLKSIZ];          /* page file block buffer */
++        char dirbuf[DBLKSIZ];          /* directory file block buffer */
++} SDBM;
++
++#define DBM_RDONLY      0x1            /* data base open read-only */
++#define DBM_IOERR       0x2            /* data base I/O error */
++
++/*
++ * utility macros
++ */
++#define sdbm_rdonly(db)         ((db)->flags & DBM_RDONLY)
++#define sdbm_error(db)          ((db)->flags & DBM_IOERR)
++
++#define sdbm_clearerr(db)       ((db)->flags &= ~DBM_IOERR)  /* ouch */
++
++#define sdbm_dirfno(db) ((db)->dirf)
++#define sdbm_pagfno(db) ((db)->pagf)
++
++typedef struct {
++        char *dptr;
++        int dsize;
++} datum;
++
++extern datum nullitem;
++
++/*
++ * flags to sdbm_store
++ */
++#define DBM_INSERT      0
++#define DBM_REPLACE     1
++
++/*
++ * ndbm interface
++ */
++extern SDBM *sdbm_open(char *, int, int);
++extern void sdbm_close(SDBM *);
++extern datum sdbm_fetch(SDBM *, datum);
++extern int sdbm_delete(SDBM *, datum);
++extern int sdbm_store(SDBM *, datum, datum, int);
++extern datum sdbm_firstkey(SDBM *);
++extern datum sdbm_nextkey(SDBM *);
++
++/*
++ * sdbm - ndbm work-alike hashed database library
++ * tuning and portability constructs [not nearly enough]
++ * author: oz at nexus.yorku.ca
++ */
++
++#define BYTESIZ         8
++
++/*
++ * important tuning parms (hah)
++ */
++
++#define SEEDUPS                 /* always detect duplicates */
++#define BADMESS                 /* generate a message for worst case:
++                                   cannot make room after SPLTMAX splits */
++#endif /* UTIL_SDBM_H */
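Review bot: the header defines `datum`, `DBM_INSERT` and `DBM_REPLACE`, the same identifiers that <ndbm.h> (the interface this library deliberately mimics) already declares, so any translation unit that includes both headers will not compile because of the typedef redefinition and will otherwise pick up whichever macro came last; a prefix such as `sdbm_datum` / `SDBM_INSERT` keeps the two APIs side by side. Also, `#define DUFF` and `#define SEEDUPS` / `#define BADMESS` are forced on from the public header with no way to override them per build, the `#include <stdio.h>` is unused, and the guard name `UTIL_SDBM_H` does not match the file's location under src/global.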
+diff -urNad postfix-release/src/master/Makefile.in /tmp/dpep.TxugCA/postfix-release/src/master/Makefile.in
+--- postfix-release/src/master/Makefile.in	2004-12-27 22:28:28.645271855 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/master/Makefile.in	2004-12-27 22:29:11.320098567 -0700
+@@ -20,7 +20,7 @@
+ INC_DIR	= ../../include
+ BIN_DIR	= ../../libexec
+ 
+-.c.o:;	$(CC) $(CFLAGS) -c $*.c
++.c.o:;	$(CC) `for i in $(LIB_OBJ); do [ $$i = $@ ] && echo -fPIC; done` $(CFLAGS) -c $*.c
+ 
+ all:	$(PROG) $(LIB)
+ 
+@@ -35,12 +35,10 @@
+ tests:	test
+ 
+ $(LIB):	$(LIB_OBJ)
+-	$(AR) $(ARFL) $(LIB) $?
+-	$(RANLIB) $(LIB)
++	gcc -shared -Wl,-soname,libpostfix-master.so.1 -o $(LIB) $(LIB_OBJ) $(LIBS) $(SYSLIBS)
+ 
+ $(LIB_DIR)/$(LIB): $(LIB)
+ 	cp $(LIB) $(LIB_DIR)/$(LIB)
+-	$(RANLIB) $(LIB_DIR)/$(LIB)
+ 
+ $(BIN_DIR)/$(PROG): $(PROG)
+ 	 cp $(PROG) $(BIN_DIR)
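Review bot: the `$(LIB)` rule hardcodes `gcc -shared -Wl,-soname,libpostfix-master.so.1` instead of `$(CC)`, and the soname is typed in literally rather than derived from the target name, so a rename or version bump of `$(LIB)` elsewhere in the Makefile will silently leave the soname stale; `$(CC) -shared -Wl,-soname,$(LIB) -o $(LIB) $(LIB_OBJ) $(LIBS) $(SYSLIBS)` keeps the two in step and respects the configured compiler.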
+diff -urNad postfix-release/src/postconf/postconf.c /tmp/dpep.TxugCA/postfix-release/src/postconf/postconf.c
+--- postfix-release/src/postconf/postconf.c	2004-12-27 22:28:28.646271640 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/postconf/postconf.c	2004-12-27 22:29:11.321098352 -0700
+@@ -822,6 +822,16 @@
+ {
+     ARGV   *maps_argv;
+     int     i;
++#ifndef NO_DYNAMIC_MAPS
++    char   *path;
++    char   *config_dir;
++
++    var_config_dir = mystrdup((config_dir = safe_getenv(CONF_ENV_PATH)) != 0 ?
++			      config_dir : DEF_CONFIG_DIR);	/* XXX */
++    path = concatenate(var_config_dir, "/", "dynamicmaps.cf", (char *) 0);
++    dict_open_dlinfo(path);
++    myfree(path);
++#endif
+ 
+     maps_argv = dict_mapnames();
+     for (i = 0; i < maps_argv->argc; i++)
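Review bot: the assignment to the global `var_config_dir` (flagged `/* XXX */`) unconditionally replaces whatever configuration directory was in effect with the environment value or `DEF_CONFIG_DIR`, so a directory selected earlier in the program would be discarded and the previous string leaked. Build `path` from a local variable and leave `var_config_dir` to the normal configuration code; reading `CONF_ENV_PATH` through safe_getenv() is the right choice and should stay.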
+diff -urNad postfix-release/src/postmap/postmap.c /tmp/dpep.TxugCA/postfix-release/src/postmap/postmap.c
+--- postfix-release/src/postmap/postmap.c	2004-12-27 22:28:28.647271425 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/postmap/postmap.c	2004-12-27 22:29:11.321098352 -0700
+@@ -5,7 +5,7 @@
+ /*	Postfix lookup table management
+ /* SYNOPSIS
+ /* .fi
+-/*	\fBpostmap\fR [\fB-Nfinoprvw\fR] [\fB-c \fIconfig_dir\fR]
++/*	\fBpostmap\fR [\fB-Nfinopruvw\fR] [\fB-c \fIconfig_dir\fR]
+ /*	[\fB-d \fIkey\fR] [\fB-q \fIkey\fR]
+ /*		[\fIfile_type\fR:]\fIfile_name\fR ...
+ /* DESCRIPTION
+@@ -92,6 +92,8 @@
+ /* .IP \fB-r\fR
+ /*	When updating a table, do not warn about duplicate entries; silently
+ /*	replace them.
++/* .IP \fB-u\fR
++/*	Upgrade the database to the current version.
+ /* .IP \fB-v\fR
+ /*	Enable verbose logging for debugging purposes. Multiple \fB-v\fR
+ /*	options make the software increasingly verbose.
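Review bot: the `-u` description ("Upgrade the database to the current version") should state which database types support an upgrade and what postmap does for the others (no-op, warning, or error), since the option is accepted for every file_type.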
+@@ -102,7 +104,7 @@
+ /*	Arguments:
+ /* .IP \fIfile_type\fR
+ /*	The database type. To find out what types are supported, use
+-/*	the "\fBpostconf -m" command.
++/*	the "\fBpostconf -m\fR" command.
+ /*
+ /*	The \fBpostmap\fR command can query any supported file type,
+ /*	but it can create only the following file types:
+@@ -484,6 +486,18 @@
+     return (status == 0);
+ }
+ 
++/* postmap_upgrade - upgrade a map */
++
++static int postmap_upgrade(const char *map_type, const char *map_name)
++{
++    DICT   *dict;
++
++    dict = dict_open3(map_type, map_name, O_RDWR,
++			DICT_FLAG_LOCK|DICT_FLAG_UPGRADE);
++    dict_close(dict);
++    return (dict != 0);
++}
++
+ /* usage - explain */
+ 
+ static NORETURN usage(char *myname)
+@@ -504,6 +518,7 @@
+     int     dict_flags = DICT_FLAG_DUP_WARN | DICT_FLAG_FOLD_KEY;
+     char   *query = 0;
+     char   *delkey = 0;
++    int     upgrade=0;
+     int     found;
+ 
+     /*
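Review bot: style, `int     upgrade=0;` should be `int     upgrade = 0;` to match the surrounding declarations (the same applies to the `upgrade=1;` assignment in the `case 'u':` branch below).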
+@@ -540,7 +555,7 @@
+     /*
+      * Parse JCL.
+      */
+-    while ((ch = GETOPT(argc, argv, "Nc:d:finopq:rvw")) > 0) {
++    while ((ch = GETOPT(argc, argv, "Nc:d:finopq:ruvw")) > 0) {
+ 	switch (ch) {
+ 	default:
+ 	    usage(argv[0]);
+@@ -554,8 +569,8 @@
+ 		msg_fatal("out of memory");
+ 	    break;
+ 	case 'd':
+-	    if (query || delkey)
+-		msg_fatal("specify only one of -q or -d");
++	    if (query || delkey || upgrade)
++		msg_fatal("specify only one of -q or -d or -u");
+ 	    delkey = optarg;
+ 	    break;
+ 	case 'f':
+@@ -575,14 +590,19 @@
+ 	    postmap_flags &= ~POSTMAP_FLAG_SAVE_PERM;
+ 	    break;
+ 	case 'q':
+-	    if (query || delkey)
+-		msg_fatal("specify only one of -q or -d");
++	    if (query || delkey || upgrade)
++		msg_fatal("specify only one of -q or -d or -u");
+ 	    query = optarg;
+ 	    break;
+ 	case 'r':
+ 	    dict_flags &= ~(DICT_FLAG_DUP_WARN | DICT_FLAG_DUP_IGNORE);
+ 	    dict_flags |= DICT_FLAG_DUP_REPLACE;
+ 	    break;
++	case 'u':
++	    if (query || delkey || upgrade)
++		msg_fatal("specify only one of -q or -d or -u");
++	    upgrade=1;
++	    break;
+ 	case 'v':
+ 	    msg_verbose++;
+ 	    break;
+@@ -633,6 +653,21 @@
+ 	    optind++;
+ 	}
+ 	exit(1);
++    } else if (upgrade) {			/* Upgrade the map(s) */
++	int success = 1;
++	if (optind + 1 > argc)
++	    usage(argv[0]);
++	while (optind < argc) {
++	    if ((path_name = split_at(argv[optind], ':')) != 0) {
++		success &= postmap_upgrade(argv[optind], path_name);
++	    } else {
++		success &= postmap_upgrade(var_db_type, path_name);
++	    }
++	    if (!success)
++		exit(1);
++	    optind++;
++	}
++	exit(0);
+     } else {					/* create/update map(s) */
+ 	if (optind + 1 > argc)
+ 	    usage(argv[0]);
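Review bot: in the upgrade branch the else case passes a null name, `success &= postmap_upgrade(var_db_type, path_name);` runs only when split_at() returned 0, so `path_name` is 0 there and the map name is lost; it should be `postmap_upgrade(var_db_type, argv[optind])`, as the query and delete loops do. The `success` accumulator is also redundant as written, because `if (!success) exit(1);` inside the loop stops at the first failure; either drop the accumulator or move the exit after the loop so every map is attempted.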
+diff -urNad postfix-release/src/util/Makefile.in /tmp/dpep.TxugCA/postfix-release/src/util/Makefile.in
+--- postfix-release/src/util/Makefile.in	2004-12-27 22:28:28.648271210 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/util/Makefile.in	2004-12-27 22:29:11.322098138 -0700
+@@ -4,6 +4,7 @@
+ 	chroot_uid.c clean_env.c close_on_exec.c concatenate.c ctable.c \
+ 	dict.c dict_alloc.c dict_db.c dict_dbm.c dict_debug.c dict_env.c \
+ 	dict_cidr.c dict_ht.c dict_ni.c dict_nis.c \
++	load_lib.c \
+ 	dict_nisplus.c dict_open.c dict_pcre.c dict_regexp.c \
+ 	dict_static.c dict_tcp.c dict_unix.c dir_forest.c doze.c \
+ 	duplex_pipe.c environ.c events.c exec_command.c fifo_listen.c \
+@@ -34,8 +35,8 @@
+ 	chroot_uid.o clean_env.o close_on_exec.o concatenate.o ctable.o \
+ 	dict.o dict_alloc.o dict_db.o dict_dbm.o dict_debug.o dict_env.o \
+ 	dict_cidr.o dict_ht.o dict_ni.o dict_nis.o \
+-	dict_nisplus.o dict_open.o dict_pcre.o dict_regexp.o \
+-	dict_static.o dict_tcp.o dict_unix.o dir_forest.o doze.o \
++	dict_nisplus.o dict_open.o dict_regexp.o \
++	dict_static.o dict_unix.o dir_forest.o doze.o \
+ 	duplex_pipe.o environ.o events.o exec_command.o fifo_listen.o \
+ 	fifo_trigger.o file_limit.o find_inet.o fsspace.o fullname.o \
+ 	get_domainname.o get_hostname.o hex_quote.o host_port.o htable.o \
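Review bot: dict_pcre.o and dict_tcp.o are removed from OBJS unconditionally, but the static table in dict_open.c still names dict_tcp_open (under SNAPSHOT) and dict_pcre_open (under HAS_PCRE) unless MAX_DYNAMIC_MAPS is defined, and nothing in this patch defines that macro; such a build leaves unresolved references to the two open routines in libutil. Make the removal conditional on the same symbol that disables the static entries, or fix the guard in dict_open.c so both agree.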
+@@ -58,10 +59,11 @@
+ 	vstream_popen.o vstring.o vstring_vstream.o watchdog.o writable.o \
+ 	write_buf.o write_wait.o auto_clnt.o attr_clnt.o attr_scan_plain.o \
+ 	attr_print_plain.o sane_connect.o $(STRCASE) neuter.o name_code.o \
+-	uppercase.o
++	uppercase.o load_lib.o
+ HDRS	= argv.h attr.h base64_code.h binhash.h chroot_uid.h clean_env.h \
+ 	connect.h ctable.h dict.h dict_db.h dict_dbm.h dict_env.h \
+ 	dict_cidr.h dict_ht.h dict_ni.h dict_nis.h \
++	load_lib.h \
+ 	dict_nisplus.h dict_pcre.h dict_regexp.h \
+ 	dict_static.h dict_tcp.h dict_unix.h dir_forest.h events.h \
+ 	exec_command.h find_inet.h fsspace.h fullname.h get_domainname.h \
+@@ -72,7 +74,7 @@
+ 	msg_syslog.h msg_vstream.h mvect.h myflock.h mymalloc.h myrand.h \
+ 	name_mask.h netstring.h nvtable.h open_as.h open_lock.h \
+ 	percentm.h posix_signals.h readlline.h ring.h safe.h safe_open.h \
+-	sane_accept.h sane_fsops.h sane_socketpair.h sane_time.h \
++	sane_accept.h sane_fsops.h sane_socketpair.h sane_time.h load_lib.h \
+ 	scan_dir.h set_eugid.h set_ugid.h sigdelay.h spawn_command.h \
+ 	split_at.h stat_as.h stringops.h sys_defs.h timed_connect.h \
+ 	timed_wait.h trigger.h username.h valid_hostname.h vbuf.h \
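Review bot: load_lib.h is now listed twice in HDRS, once after dict_nis.h in the previous hunk and again at the end of the sane_time.h line here; the update target loops over $(HDRS) and will compare and copy it twice. Keep a single entry, preferably in alphabetical position.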
+@@ -84,6 +86,8 @@
+ CFLAGS	= $(DEBUG) $(OPT) $(DEFS)
+ FILES	= Makefile $(SRCS) $(HDRS)
+ INCL	=
++PCRESO  = dict_pcre.so
++TCPSO   = dict_tcp.so
+ LIB	= libutil.a
+ TESTPROG= dict_open dup2_pass_on_exec events exec_command fifo_open \
+ 	fifo_rdonly_bug fifo_rdwr_bug fifo_trigger fsspace fullname \
+@@ -96,8 +100,9 @@
+ 
+ LIB_DIR	= ../../lib
+ INC_DIR	= ../../include
++LIBS    = $(LIB_DIR)/$(LIB) $(LIB_DIR)/$(PCRESO) $(LIB_DIR)/$(TCPSO)
+ 
+-.c.o:;	$(CC) $(CFLAGS) -c $*.c
++.c.o:;	$(CC) -fPIC $(CFLAGS) -c $*.c
+ 
+ all: $(LIB)
+ 
+@@ -106,15 +111,25 @@
+ 
+ test:	$(TESTPROG)
+ 
++$(PCRESO): dict_pcre.o
++	gcc -shared -Wl,-soname,dict_pcre.so -o $@ $? -lpcre -L. -lutil
++
++$(TCPSO): dict_tcp.o
++	gcc -shared -Wl,-soname,dict_tcp.so -o $@ $? -L. -lutil
++
+ $(LIB):	$(OBJS)
+-	$(AR) $(ARFL) $(LIB) $?
+-	$(RANLIB) $(LIB)
++	gcc -shared -Wl,-soname,libpostfix-util.so.1 -o $(LIB) $(OBJS) -ldl $(SYSLIBS)
+ 
+ $(LIB_DIR)/$(LIB): $(LIB)
+ 	cp $(LIB) $(LIB_DIR)
+-	$(RANLIB) $(LIB_DIR)/$(LIB)
+ 
+-update: $(LIB_DIR)/$(LIB) $(HDRS)
++$(LIB_DIR)/$(PCRESO): $(PCRESO)
++	cp $(PCRESO) $(LIB_DIR)
++
++$(LIB_DIR)/$(TCPSO): $(TCPSO)
++	cp $(TCPSO) $(LIB_DIR)
++
++update: $(LIBS) $(HDRS)
+ 	-for i in $(HDRS); \
+ 	do \
+ 	  cmp -s $$i $(INC_DIR)/$$i 2>/dev/null || cp $$i $(INC_DIR); \
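Review bot: the shared-object rules hardcode `gcc` rather than `$(CC)`, and `$(LIB)` keeps the name libutil.a while being built as a shared object with soname libpostfix-util.so.1; a file with an .a suffix that is really an ELF shared object will mislead the linker's -l search and anyone reading the packaging, so either rename LIB to the soname (adjusting the LIB_DIR copy rules) or keep building an archive. The `-ldl` on the $(LIB) link line is also unconditional, whereas sys_defs.h in this same patch selects HAS_SHL_LOAD instead of HAS_DLOPEN for some platforms, where there may be no libdl to link; make it a makedefs variable.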
+@@ -136,7 +151,8 @@
+ 	lint $(SRCS)
+ 
+ clean:
+-	rm -f *.o $(LIB) *core $(TESTPROG) junk $(MAKES) *.tmp
++	rm -f *.o $(LIB) $(PCRESO) $(TCPSO) *core $(TESTPROG) \
++		junk $(MAKES) *.tmp
+ 	rm -rf printfck
+ 
+ tidy:	clean
+diff -urNad postfix-release/src/util/dict.h /tmp/dpep.TxugCA/postfix-release/src/util/dict.h
+--- postfix-release/src/util/dict.h	2004-12-27 22:28:28.649270995 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/util/dict.h	2004-12-27 22:29:11.323097923 -0700
+@@ -61,6 +61,7 @@
+ #define DICT_FLAG_NO_REGSUB	(1<<11)	/* disallow regexp substitution */
+ #define DICT_FLAG_NO_PROXY	(1<<12)	/* disallow proxy mapping */
+ #define DICT_FLAG_NO_UNAUTH	(1<<13)	/* disallow unauthenticated data */
++#define DICT_FLAG_UPGRADE	(1<<30) /* Upgrade the db */
+ 
+ #define DICT_FLAG_PARANOID \
+ 	(DICT_FLAG_NO_REGSUB | DICT_FLAG_NO_PROXY | DICT_FLAG_NO_UNAUTH)
+@@ -102,6 +103,11 @@
+ extern DICT *dict_open(const char *, int, int);
+ extern DICT *dict_open3(const char *, const char *, int, int);
+ extern void dict_open_register(const char *, DICT *(*) (const char *, int, int));
++#ifndef NO_DYNAMIC_MAPS
++extern void dict_open_dlinfo(const char *path);
++typedef void* (*dict_mkmap_func_t)(const char *);
++dict_mkmap_func_t dict_mkmap_func(const char *dict_type);
++#endif
+ 
+ #define dict_get(dp, key)	(dp)->lookup((dp), (key))
+ #define dict_put(dp, key, val)	(dp)->update((dp), (key), (val))
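Review bot: the declarations of dict_open_dlinfo() and dict_mkmap_func() are wrapped in #ifndef NO_DYNAMIC_MAPS, but dict_open.c defines dict_mkmap_func() unconditionally (its #ifndef is only inside the body) and returns `(void(*)())NULL` in the disabled case, which does not match the declared return type dict_mkmap_func_t. Either put the whole function under the guard in dict_open.c, or declare it unconditionally here and return a correctly typed NULL. The dict_mkmap_func() line is also missing the `extern` that the neighbouring declarations use.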
+diff -urNad postfix-release/src/util/dict_db.c /tmp/dpep.TxugCA/postfix-release/src/util/dict_db.c
+--- postfix-release/src/util/dict_db.c	2004-12-27 22:28:28.649270995 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/util/dict_db.c	2004-12-27 22:29:11.323097923 -0700
+@@ -548,6 +548,12 @@
+ 	msg_fatal("set DB cache size %d: %m", dict_db_cache_size);
+     if (type == DB_HASH && db->set_h_nelem(db, DICT_DB_NELM) != 0)
+ 	msg_fatal("set DB hash element count %d: %m", DICT_DB_NELM);
++    if (dict_flags & DICT_FLAG_UPGRADE) {
++	if (msg_verbose)
++	    msg_info("upgrading database %s",db_path);
++	if ((errno = db->upgrade(db,db_path,0)) != 0)
++	    msg_fatal("upgrade of database %s: %m",db_path);
++    }
+ #if (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0)
+     if ((errno = db->open(db, 0, db_path, 0, type, db_flags, 0644)) != 0)
+ 	msg_fatal("open database %s: %m", db_path);
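Review bot: `db->upgrade()` is called without a Berkeley DB version guard, while the next lines use `#if (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0)` to cope with older APIs; DB->upgrade is not available in the DB 2.x API this file still supports, so the call belongs under a matching version check. Calling it before db->open() is correct per the DB API, but it rewrites the file in place and the patch takes no backup copy first, so a failure part-way leaves nothing to roll back to; say so in the postmap -u documentation at least. Finally, `errno = db->upgrade(...)` followed by `%m` prints nonsense for Berkeley DB's own error codes (for example DB_OLD_VERSION); db_strerror() is the right formatter here.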
+diff -urNad postfix-release/src/util/dict_dbm.c /tmp/dpep.TxugCA/postfix-release/src/util/dict_dbm.c
+--- postfix-release/src/util/dict_dbm.c	2004-12-27 22:28:28.650270780 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/util/dict_dbm.c	2004-12-27 22:29:11.323097923 -0700
+@@ -371,6 +371,10 @@
+     char   *dbm_path;
+     int     lock_fd;
+ 
++#ifdef HAVE_GDBM
++    msg_error("%s: gdbm maps use locking that is incompatible with postfix.  Use a hash map instead.",
++		 path);
++#endif
+     /*
+      * Note: DICT_FLAG_LOCK is used only by programs that do fine-grained (in
+      * the time domain) locking while accessing individual database records.
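Review bot: `msg_error()` reports the gdbm map as incompatible with Postfix locking and then carries on opening it; either the wording is too strong or the call should be msg_fatal(), so pick one. The guard HAVE_GDBM also does not follow the HAS_* convention used in sys_defs.h (HAS_DBM, and HAS_DLOPEN added by this very patch), and nothing in the patch defines it, so as written the message is never compiled in.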
+diff -urNad postfix-release/src/util/dict_open.c /tmp/dpep.TxugCA/postfix-release/src/util/dict_open.c
+--- postfix-release/src/util/dict_open.c	2004-12-27 22:28:28.650270780 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/util/dict_open.c	2004-12-27 22:29:35.775841614 -0700
+@@ -42,6 +42,10 @@
+ /*	dict_open_register(type, open)
+ /*	char	*type;
+ /*	DICT	*(*open) (const char *, int, int);
++/*
++/*	ARGV   *dict_mapnames()
++/*
++/*	void (*)() dict_mkmap_func(const char *dict_type)
+ /* DESCRIPTION
+ /*	This module implements a low-level interface to multiple
+ /*	physical dictionary types.
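Review bot: the SYNOPSIS entry `void (*)() dict_mkmap_func(const char *dict_type)` disagrees with dict.h, which declares the return type as dict_mkmap_func_t (a `void *(*)(const char *)`), and dict_open_dlinfo(), the new entry point that callers must invoke first, is not listed at all. Bring the synopsis in line with the header.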
+@@ -135,6 +139,13 @@
+ /*	associated data structures.
+ /*
+ /*	dict_open_register() adds support for a new dictionary type.
++/*
++/*	dict_mapnames() returns an ARGV list containing all of the known
++/*	map types, including dynamic maps.
++/*
++/*	dict_mkmap_func() returns a pointer to the mkmap setup function
++/*	for the given map type, as given in /etc/dynamicmaps.cf
++/*
+ /* DIAGNOSTICS
+ /*	Fatal error: open error, unsupported dictionary type, attempt to
+ /*	update non-writable dictionary.
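Review bot: the description should state that dict_open_dlinfo(path) must be called before dict_mapnames() or dict_mkmap_func(), since both call msg_fatal("dlinfo==NULL") otherwise, and that the table is read from whatever path the caller passes rather than a fixed /etc/dynamicmaps.cf. DIAGNOSTICS is also missing the new fatal errors: dynamic type not listed or its .so not installed, and library or symbol load failure.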
+@@ -158,6 +169,9 @@
+ #include <strings.h>
+ #endif
+ 
++#include <sys/stat.h>
++#include <unistd.h>
++
+ /* Utility library. */
+ 
+ #include <argv.h>
+@@ -180,6 +194,27 @@
+ #include <split_at.h>
+ #include <htable.h>
+ 
++#ifndef NO_DYNAMIC_MAPS
++#include <load_lib.h>
++#include <vstring.h>
++#include <vstream.h>
++#include <vstring_vstream.h>
++#include <mvect.h>
++
++ /*
++  * Interface for dynamic map loading.
++  */
++typedef struct {
++    const char  *pattern;
++    const char  *soname;
++    const char  *openfunc;
++    const char  *mkmapfunc;
++} DLINFO;
++
++static DLINFO *dict_dlinfo;
++static DLINFO *dict_open_dlfind(const char *type);
++#endif
++
+  /*
+   * lookup table for available map types.
+   */
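Review bot: the field is called `pattern`, but dict_open_dlfind() compares it with an exact string match and dict_open_dlinfo() rejects the "*" wildcard, so `type` describes it accurately; the misleading name invites someone to add glob matching later without revisiting the lookup.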
+@@ -191,9 +226,11 @@
+ static DICT_OPEN_INFO dict_open_info[] = {
+     DICT_TYPE_ENVIRON, dict_env_open,
+     DICT_TYPE_UNIX, dict_unix_open,
++#ifndef MAX_DYNAMIC_MAPS
+ #ifdef SNAPSHOT
+     DICT_TYPE_TCP, dict_tcp_open,
+ #endif
++#endif
+ #ifdef HAS_DBM
+     DICT_TYPE_DBM, dict_dbm_open,
+ #endif
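Review bot: `#ifndef MAX_DYNAMIC_MAPS` looks like a typo for NO_DYNAMIC_MAPS, the macro used everywhere else in this patch; nothing defines MAX_DYNAMIC_MAPS, so DICT_TYPE_TCP stays in the static table (under SNAPSHOT) even though the Makefile change moves dict_tcp.o out of libutil into dict_tcp.so. The intent is to keep the static entry only when dynamic maps are disabled, i.e. `#ifdef NO_DYNAMIC_MAPS`.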
+@@ -210,9 +247,11 @@
+ #ifdef HAS_NETINFO
+     DICT_TYPE_NETINFO, dict_ni_open,
+ #endif
++#ifndef MAX_DYNAMIC_MAPS
+ #ifdef HAS_PCRE
+     DICT_TYPE_PCRE, dict_pcre_open,
+ #endif
++#endif /* MAX_DYNAMIC_MAPS */
+ #ifdef HAS_POSIX_REGEXP
+     DICT_TYPE_REGEXP, dict_regexp_open,
+ #endif
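Review bot: the guard around DICT_TYPE_PCRE has the same problem as the tcp entry: `#ifndef MAX_DYNAMIC_MAPS` never excludes anything because MAX_DYNAMIC_MAPS is defined nowhere in the patch, so with HAS_PCRE the table still references dict_pcre_open while dict_pcre.o now lives in dict_pcre.so. Use `#ifdef NO_DYNAMIC_MAPS` here and correct the `/* MAX_DYNAMIC_MAPS */` comment on the matching #endif.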
+@@ -267,8 +306,31 @@
+ 
+     if (dict_open_hash == 0)
+ 	dict_open_init();
+-    if ((dp = (DICT_OPEN_INFO *) htable_find(dict_open_hash, dict_type)) == 0)
+-	msg_fatal("unsupported dictionary type: %s", dict_type);
++    if ((dp = (DICT_OPEN_INFO *) htable_find(dict_open_hash, dict_type)) == 0) {
++#ifdef NO_DYNAMIC_MAPS
++	msg_fatal("%s: unsupported dictionary type: %s", myname, dict_type);
++#else
++	struct stat st;
++	LIB_FN fn[2];
++	DICT *(*open) (const char *, int, int);
++	DLINFO *dl=dict_open_dlfind(dict_type);
++	if (!dl)
++	    msg_fatal("%s: unsupported dictionary type: %s:  Is the postfix-%s package installed?", myname, dict_type, dict_type);
++	if (stat(dl->soname,&st) < 0) {
++	    msg_fatal("%s: unsupported dictionary type: %s (%s not found.  Is the postfix-%s package installed?)",
++		myname, dict_type, dl->soname, dict_type);
++	}
++	fn[0].name = dl->openfunc;
++	fn[0].ptr  = (void**)&open;
++	fn[1].name = NULL;
++	load_library_symbols(dl->soname, fn, NULL);
++	dict_open_register(dict_type, open);
++	dp = (DICT_OPEN_INFO *) htable_find(dict_open_hash, dict_type);
++#endif
++    }
++    if (msg_verbose>1) {
++	msg_info("%s: calling %s open routine",myname,dict_type);
++    }
+     if ((dict = dp->open(dict_name, open_flags, dict_flags)) == 0)
+ 	msg_fatal("opening %s:%s %m", dict_type, dict_name);
+     if (msg_verbose)
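Review bot: the local `DICT *(*open) (const char *, int, int);` shadows open(2) from <fcntl.h> for the rest of the block, which is easy to misread and trips -Wshadow; call it open_fn (and likewise in dict_mkmap_func()). More important, dl->soname comes straight from the dynamicmaps.cf entry and is dlopen()ed into every Postfix process, including those running as root, with no check that the file is owned by root and not group- or world-writable; a stat() is already being done on it to produce the friendlier message, so checking st_uid and st_mode there before load_library_symbols() costs nothing and closes an obvious avenue for anyone who can write to the named path. Note the stat()-then-dlopen() sequence is only cosmetic, since dlopen() would fail just as loudly, so do not rely on it for anything else. `(void**)&open` stores a function pointer through a `void **`, which is not strictly conforming C; it works on the targeted platforms but deserves a comment.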
+@@ -276,6 +338,36 @@
+     return (dict);
+ }
+ 
++dict_mkmap_func_t dict_mkmap_func(const char *dict_type)
++{
++    char   *myname="dict_mkmap_func";
++    struct stat st;
++    LIB_FN fn[2];
++    dict_mkmap_func_t mkmap;
++    DLINFO *dl;
++#ifndef NO_DYNAMIC_MAPS
++    if (!dict_dlinfo)
++	msg_fatal("dlinfo==NULL");
++    dl=dict_open_dlfind(dict_type);
++    if (!dl)
++	msg_fatal("%s: unsupported dictionary type: %s:  Is the postfix-%s package installed?", myname, dict_type, dict_type);
++    if (stat(dl->soname,&st) < 0) {
++	msg_fatal("%s: unsupported dictionary type: %s (%s not found.  Is the postfix-%s package installed?)",
++	    myname, dict_type, dl->soname, dict_type);
++    }
++    if (!dl->mkmapfunc)
++	msg_fatal("%s: unsupported dictionary type: %s does not allow map creation.", myname, dict_type);
++
++    fn[0].name = dl->mkmapfunc;
++    fn[0].ptr  = (void**)&mkmap;
++    fn[1].name = NULL;
++    load_library_symbols(dl->soname, fn, NULL);
++    return mkmap;
++#else
++    return (void(*)())NULL;
++#endif
++}
++
+ /* dict_open_register - register dictionary type */
+ 
+ void    dict_open_register(const char *type,
+@@ -302,6 +394,9 @@
+     HTABLE_INFO **ht;
+     DICT_OPEN_INFO *dp;
+     ARGV   *mapnames;
++#ifndef NO_DYNAMIC_MAPS
++    DLINFO *dlp;
++#endif
+ 
+     if (dict_open_hash == 0)
+ 	dict_open_init();
+@@ -310,11 +405,99 @@
+ 	dp = (DICT_OPEN_INFO *) ht[0]->value;
+ 	argv_add(mapnames, dp->type, ARGV_END);
+     }
++#ifndef NO_DYNAMIC_MAPS
++    if (!dict_dlinfo)
++	msg_fatal("dlinfo==NULL");
++    for (dlp=dict_dlinfo; dlp->pattern; dlp++) {
++	argv_add(mapnames, dlp->pattern, ARGV_END);
++    }
++#endif
+     myfree((char *) ht_info);
+     argv_terminate(mapnames);
+     return mapnames;
+ }
+ 
++#ifndef NO_DYNAMIC_MAPS
++#define	STREQ(x,y) (x == y || (x[0] == y[0] && strcmp(x,y) == 0))
++
++void dict_open_dlinfo(const char *path)
++{
++    char    *myname="dict_open_dlinfo";
++    VSTREAM *conf_fp=vstream_fopen(path,O_RDONLY,0);
++    VSTRING *buf = vstring_alloc(100);
++    char    *cp;
++    ARGV    *argv;
++    MVECT    vector;
++    int      nelm=0;
++    int      linenum=0;
++
++    dict_dlinfo=(DLINFO*)mvect_alloc(&vector,sizeof(DLINFO),3,NULL,NULL);
++
++    if (!conf_fp) {
++	msg_warn("%s: cannot open %s.  No dynamic maps will be allowed.",
++		myname, path);
++    } else {
++	while (vstring_get_nonl(buf,conf_fp) != VSTREAM_EOF) {
++	    cp = vstring_str(buf);
++	    linenum++;
++	    if (*cp == '#' || *cp == '\0')
++		continue;
++	    argv = argv_split(cp, " \t");
++	    if (argv->argc != 3 && argv->argc != 4) {
++		msg_fatal("%s: Expected \"pattern .so-name open-function [mkmap-function]\" at line %d",
++			  myname, linenum);
++	    }
++	    if (STREQ(argv->argv[0],"*")) {
++		msg_warn("%s: wildcard dynamic map entry no longer supported.",
++			  myname);
++		continue;
++	    }
++	    if (argv->argv[1][0] != '/') {
++		msg_fatal("%s: .so name must begin with a \"/\" at line %d",
++			  myname, linenum);
++	    }
++	    if (nelm >= vector.nelm) {
++		dict_dlinfo=(DLINFO*)mvect_realloc(&vector,vector.nelm+3);
++	    }
++	    dict_dlinfo[nelm].pattern  = mystrdup(argv->argv[0]);
++	    dict_dlinfo[nelm].soname   = mystrdup(argv->argv[1]);
++	    dict_dlinfo[nelm].openfunc = mystrdup(argv->argv[2]);
++	    if (argv->argc==4)
++		dict_dlinfo[nelm].mkmapfunc = mystrdup(argv->argv[3]);
++	    else
++		dict_dlinfo[nelm].mkmapfunc = NULL;
++	    nelm++;
++	    argv_free(argv);
++	}
++    }
++    if (nelm >= vector.nelm) {
++	dict_dlinfo=(DLINFO*)mvect_realloc(&vector,vector.nelm+1);
++    }
++    dict_dlinfo[nelm].pattern  = NULL;
++    dict_dlinfo[nelm].soname   = NULL;
++    dict_dlinfo[nelm].openfunc = NULL;
++    dict_dlinfo[nelm].mkmapfunc = NULL;
++    if (conf_fp)
++	vstream_fclose(conf_fp);
++    vstring_free(buf);
++}
++
++static DLINFO *dict_open_dlfind(const char *type)
++{
++    DLINFO *dp;
++
++    if (!dict_dlinfo)
++	return NULL;
++
++    for (dp=dict_dlinfo; dp->pattern; dp++) {
++	if (STREQ(dp->pattern,type))
++	    return dp;
++    }
++    return NULL;
++}
++
++#endif /* !NO_DYNAMIC_MAPS */
++
+ #ifdef TEST
+ 
+  /*
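Review bot: `msg_fatal("dlinfo==NULL")` in dict_mapnames() turns a programming error into an opaque fatal for `postconf -m` or any caller that did not call dict_open_dlinfo() first, and is inconsistent with dict_open_dlfind(), which quietly returns NULL for the same condition; treat an unset table as empty here too, or make the message say what must be called. In dict_open_dlinfo(), the "*" wildcard branch does `continue` without argv_free(argv), leaking the split line (the msg_fatal paths are fine); free before continuing. `vstream_fopen(path, O_RDONLY, 0)` needs O_RDONLY, but the includes added earlier are only <sys/stat.h> and <unistd.h>, so add <fcntl.h> rather than relying on it arriving via sys_defs.h. STREQ should parenthesize its arguments (`(x)[0]`, `strcmp((x),(y))`). Finally, when the file cannot be opened the warning says no dynamic maps will be allowed, but the eventual lookup failure asks "Is the postfix-%s package installed?", pointing the admin at the wrong cause; mention the config path in that message as well.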
+diff -urNad postfix-release/src/util/load_lib.c /tmp/dpep.TxugCA/postfix-release/src/util/load_lib.c
+--- postfix-release/src/util/load_lib.c	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/util/load_lib.c	2004-12-27 22:29:11.324097708 -0700
+@@ -0,0 +1,135 @@
++/*++
++/* NAME
++/*	load_lib 3
++/* SUMMARY
++/*	library loading wrappers
++/* SYNOPSIS
++/*	#include <load_lib.h>
++/*
++/*	extern int  load_library_symbols(const char *, LIB_FN *, LIB_FN *);
++/*	const char *libname;
++/*      LIB_FN     *libfuncs;
++/*      LIB_FN     *libdata;
++/*
++/* DESCRIPTION
++/*	This module loads functions from libraries, returnine pointers
++/*	to the named functions.
++/*
++/*	load_library_symbols() loads all of the desired functions, and
++/*	returns zero for success, or exits via msg_fatal().
++/*
++/* SEE ALSO
++/*	msg(3) diagnostics interface
++/* DIAGNOSTICS
++/*	Problems are reported via the msg(3) diagnostics routines:
++/*	library not found, symbols not found, other fatal errors.
++/* LICENSE
++/* .ad
++/* .fi
++/*	The Secure Mailer license must be distributed with this software.
++/* AUTHOR(S)
++/*	LaMont Jones
++/*	Hewlett-Packard Company
++/*	3404 Harmony Road
++/*	Fort Collins, CO 80528, USA
++/*
++/*	Wietse Venema
++/*	IBM T.J. Watson Research
++/*	P.O. Box 704
++/*	Yorktown Heights, NY 10598, USA
++/*--*/
++
++/* System libraries. */
++
++#include "sys_defs.h"
++#include <stdlib.h>
++#include <stddef.h>
++#include <string.h>
++#if defined(HAS_DLOPEN)
++#include <dlfcn.h>
++#elif defined(HAS_SHL_LOAD)
++#include <dl.h>
++#endif
++
++/* Application-specific. */
++
++#include "msg.h"
++#include "load_lib.h"
++
++extern int  load_library_symbols(const char * libname, LIB_FN * libfuncs, LIB_FN * libdata)
++{
++    char   *myname = "load_library_symbols";
++    LIB_FN *fn;
++
++#if defined(HAS_DLOPEN)
++    void   *handle;
++    char   *emsg;
++
++    handle=dlopen(libname,RTLD_NOW);
++    emsg=dlerror();
++    if (emsg) {
++	msg_fatal("%s: dlopen failure loading %s: %s", myname, libname, emsg);
++    }
++
++    if (libfuncs) {
++	for (fn=libfuncs; fn->name; fn++) {
++	    *(fn->ptr) = dlsym(handle,fn->name);
++	    emsg=dlerror();
++	    if (emsg) {
++		msg_fatal("%s: dlsym failure looking up %s in %s: %s", myname,
++			  fn->name, libname, emsg);
++	    }
++	    if (msg_verbose>1) {
++		msg_info("loaded %s = %lx",fn->name, *((long*)(fn->ptr)));
++	    }
++	}
++    }
++
++    if (libdata) {
++	for (fn=libdata; fn->name; fn++) {
++	    *(fn->ptr) = dlsym(handle,fn->name);
++	    emsg=dlerror();
++	    if (emsg) {
++		msg_fatal("%s: dlsym failure looking up %s in %s: %s", myname,
++			  fn->name, libname, emsg);
++	    }
++	    if (msg_verbose>1) {
++		msg_info("loaded %s = %lx",fn->name, *((long*)(fn->ptr)));
++	    }
++	}
++    }
++#elif defined(HAS_SHL_LOAD)
++    shl_t   handle;
++
++    handle = shl_load(libname,BIND_IMMEDIATE,0);
++
++    if (libfuncs) {
++	for (fn=libfuncs; fn->name; fn++) {
++	    if (shl_findsym(&handle,fn->name,TYPE_PROCEDURE,fn->ptr) != 0) {
++		msg_fatal("%s: shl_findsym failure looking up %s in %s: %m",
++			  myname, fn->name, libname);
++	    }
++	    if (msg_verbose>1) {
++		msg_info("loaded %s = %x",fn->name, *((long*)(fn->ptr)));
++	    }
++	}
++    }
++
++    if (libdata) {
++	for (fn=libdata; fn->name; fn++) {
++	    if (shl_findsym(&handle,fn->name,TYPE_DATA,fn->ptr) != 0) {
++		msg_fatal("%s: shl_findsym failure looking up %s in %s: %m",
++			  myname, fn->name, libname);
++	    }
++	    if (msg_verbose>1) {
++		msg_info("loaded %s = %x",fn->name, *((long*)(fn->ptr)));
++	    }
++	}
++    }
++
++#else
++    msg_fatal("%s: need dlopen or shl_load support for dynamic libraries",
++		myname);
++#endif
++    return 0;
++}
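Review bot: in the HAS_SHL_LOAD branch the return value of shl_load() is never checked, so a missing or unloadable library proceeds straight into shl_findsym() with a NULL handle; test for NULL and msg_fatal() with %m as the dlopen branch does on its error path. In the dlopen branch, checking `handle == NULL` in addition to dlerror() is the documented way to detect failure; dlerror() alone relies on no stale error being pending. The verbose messages use `%x` with a `long` argument on the shl_load side (`%lx` on the dlopen side), and both log the resolved code address, which is of little use at verbosity 2 and puts library layout information into the mail log; drop the address and just log the symbol name. Typo in the header comment: "returnine" should be "returning".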
+diff -urNad postfix-release/src/util/load_lib.h /tmp/dpep.TxugCA/postfix-release/src/util/load_lib.h
+--- postfix-release/src/util/load_lib.h	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/util/load_lib.h	2004-12-27 22:29:11.324097708 -0700
+@@ -0,0 +1,41 @@
++#ifndef _LOAD_LIB_H_INCLUDED_
++#define _LOAD_LIB_H_INCLUDED_
++
++/*++
++/* NAME
++/*	load_lib 3h
++/* SUMMARY
++/*	library loading wrappers
++/* SYNOPSIS
++/*	#include "load_lib.h"
++/* DESCRIPTION
++/* .nf
++
++ /*
++  * External interface.
++  */
++/* NULL name terminates list */
++typedef struct LIB_FN {
++    const char *name;
++    void       **ptr;
++} LIB_FN;
++
++extern int  load_library_symbols(const char *, LIB_FN *, LIB_FN *);
++
++/* LICENSE
++/* .ad
++/* .fi
++/*	The Secure Mailer license must be distributed with this software.
++/* AUTHOR(S)
++/*	LaMont Jones
++/*	Hewlett-Packard Company
++/*	3404 Harmony Road
++/*	Fort Collins, CO 80528, USA
++/*
++/*	Wietse Venema
++/*	IBM T.J. Watson Research
++/*	P.O. Box 704
++/*	Yorktown Heights, NY 10598, USA
++/*--*/
++
++#endif
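Review bot: LIB_FN.ptr is a `void **`, yet every caller stores a function pointer through it (`(void**)&open`); object and function pointers are not required to be interconvertible in C, so either document that POSIX dlsym() semantics are assumed or make ptr a union of `void *` and a generic function pointer and let load_library_symbols() pick the member. The SYNOPSIS here says `#include "load_lib.h"` while dict_open.c includes `<load_lib.h>` and load_lib.c includes `"load_lib.h"`; pick one form.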
+diff -urNad postfix-release/src/util/sys_defs.h /tmp/dpep.TxugCA/postfix-release/src/util/sys_defs.h
+--- postfix-release/src/util/sys_defs.h	2004-12-27 22:28:28.652270351 -0700
++++ /tmp/dpep.TxugCA/postfix-release/src/util/sys_defs.h	2004-12-27 22:29:11.325097493 -0700
+@@ -550,11 +550,25 @@
+ #define UNIX_DOMAIN_CONNECT_BLOCKS_FOR_ACCEPT
+ #define PREPEND_PLUS_TO_OPTSTRING
+ #define HAS_POSIX_REGEXP
++#define HAS_DLOPEN
+ #define NATIVE_SENDMAIL_PATH "/usr/sbin/sendmail"
+ #define NATIVE_MAILQ_PATH "/usr/bin/mailq"
+ #define NATIVE_NEWALIAS_PATH "/usr/bin/newaliases"
+ #define NATIVE_COMMAND_DIR "/usr/sbin"
++#ifdef DEBIAN
++#define NATIVE_DAEMON_DIR	"/usr/lib/postfix"
++#ifndef DEF_MANPAGE_DIR
++#define DEF_MANPAGE_DIR		"/usr/share/man"
++#endif
++#ifndef DEF_SAMPLE_DIR
++#define DEF_SAMPLE_DIR		"/usr/share/doc/postfix/examples"
++#endif
++#ifndef DEF_README_DIR
++#define DEF_README_DIR		"/usr/share/doc/postfix"
++#endif
++#else
+ #define NATIVE_DAEMON_DIR "/usr/libexec/postfix"
++#endif
+ #if __GLIBC__ >= 2 && __GLIBC_MINOR__ >= 1
+ #define SOCKADDR_SIZE	socklen_t
+ #define SOCKOPT_SIZE	socklen_t
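Review bot: the DEBIAN block hardcodes NATIVE_DAEMON_DIR and the DEF_*_DIR defaults in sys_defs.h, but nothing in this patch defines DEBIAN; presumably it arrives via the packaging's CCARGS, and that should be stated in the patch description. The DEF_MANPAGE_DIR, DEF_SAMPLE_DIR and DEF_README_DIR values can be passed the same way (-DDEF_MANPAGE_DIR=... alongside -DDEBIAN) instead of forking the platform block here; the #ifndef guards around them already suggest that is the intended mechanism.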
+@@ -620,6 +634,7 @@
+ #define USE_STATFS
+ #define STATFS_IN_SYS_VFS_H
+ #define HAS_POSIX_REGEXP
++#define HAS_DLOPEN
+ #define NATIVE_SENDMAIL_PATH "/usr/sbin/sendmail"
+ #define NATIVE_MAILQ_PATH "/usr/bin/mailq"
+ #define NATIVE_NEWALIAS_PATH "/usr/bin/newaliases"
+@@ -655,6 +670,7 @@
+ #define USE_STATFS
+ #define STATFS_IN_SYS_VFS_H
+ #define HAS_POSIX_REGEXP
++#define HAS_SHL_LOAD
+ #define NATIVE_SENDMAIL_PATH "/usr/sbin/sendmail"
+ #define NATIVE_MAILQ_PATH "/usr/bin/mailq"
+ #define NATIVE_NEWALIAS_PATH "/usr/bin/newaliases"
+@@ -692,6 +708,7 @@
+ #define USE_STATFS
+ #define STATFS_IN_SYS_VFS_H
+ #define HAS_POSIX_REGEXP
++#define HAS_SHL_LOAD
+ #define NATIVE_SENDMAIL_PATH "/usr/bin/sendmail"
+ #define NATIVE_MAILQ_PATH "/usr/bin/mailq"
+ #define NATIVE_NEWALIAS_PATH "/usr/bin/newaliases"

Added: trunk/postfix/debian/patches/30-kolab.dpatch
===================================================================
--- trunk/postfix/debian/patches/30-kolab.dpatch	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/patches/30-kolab.dpatch	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,41 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 30kolab.dpatch by Steffen Joeris <steffen.joeris at skolelinux.de>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+--- postfix-2.1.5/src/pipe/pipe.c.orig	2006-01-09 13:34:33.000000000 +0000
++++ postfix-2.1.5/src/pipe/pipe.c	2006-01-09 13:41:08.000000000 +0000
+@@ -349,6 +349,7 @@
+ #define PIPE_OPT_FOLD_USER	(1<<16)
+ #define PIPE_OPT_FOLD_HOST	(1<<17)
+ #define PIPE_OPT_QUOTE_LOCAL	(1<<18)
++#define PIPE_OPT_ALLOW_NO_SENDER (1<<19)
+ 
+ #define PIPE_OPT_FOLD_FLAGS	(PIPE_OPT_FOLD_USER | PIPE_OPT_FOLD_HOST)
+ 
+@@ -660,6 +661,9 @@
+ 		case 'h':
+ 		    attr->flags |= PIPE_OPT_FOLD_HOST;
+ 		    break;
++		case 'n':
++		    attr->flags |= PIPE_OPT_ALLOW_NO_SENDER;
++		    break;
+ 		case 'q':
+ 		    attr->flags |= PIPE_OPT_QUOTE_LOCAL;
+ 		    break;
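Review bot: the new `n` value for flags= is parsed here, but the patch touches only these three hunks of pipe.c and none of the leading comment block from which the pipe(8) manual page is generated, so the flags= documentation does not mention it; add an entry there in the same style as the existing `h` and `q` descriptions.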
+@@ -865,6 +869,13 @@
+ 	get_service_attr(&attr, argv);
+     }
+ 
++   if ((attr.flags & PIPE_OPT_ALLOW_NO_SENDER) == 0 && request->sender[0] == 0) {
++        buf = vstring_alloc(100);
++        canon_addr_internal(buf, MAIL_ADDR_MAIL_DAEMON);
++        myfree(request->sender);
++        request->sender = vstring_export(buf);
++    }
++    
+     /*
+      * The D flag cannot be specified for multi-recipient deliveries.
+      */
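Review bot: the condition `(attr.flags & PIPE_OPT_ALLOW_NO_SENDER) == 0 && request->sender[0] == 0` makes the substitution the default for every pipe(8) transport, not just the Kolab one: an empty envelope sender (a bounce) is replaced by the canonicalized MAILER-DAEMON address unless the admin adds flags=n. That silently changes existing installations, and a command that relied on the null sender to recognise bounces now sees ordinary mail from MAILER-DAEMON, so the opt-in direction is safer: substitute only when a flag asks for it. Also, `buf` is used but not declared in this hunk, so where it is declared needs checking against the surrounding code, and the block is indented with spaces where the file uses tabs.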

Added: trunk/postfix/debian/patches/50tls.dpatch
===================================================================
--- trunk/postfix/debian/patches/50tls.dpatch	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/patches/50tls.dpatch	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,30216 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 50tls.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad postfix-release/conf/postfix-files /tmp/dpep.cXJuVH/postfix-release/conf/postfix-files
+--- postfix-release/conf/postfix-files	2005-02-03 10:22:12.216284906 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/conf/postfix-files	2005-02-03 10:22:12.846144411 -0700
+@@ -81,6 +81,7 @@
+ $daemon_directory/smtp:f:root:-:755
+ $daemon_directory/smtpd:f:root:-:755
+ $daemon_directory/spawn:f:root:-:755
++$daemon_directory/tlsmgr:f:root:-:755
+ $daemon_directory/trivial-rewrite:f:root:-:755
+ $daemon_directory/verify:f:root:-:755
+ $daemon_directory/virtual:f:root:-:755
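Review bot: the dpatch header reads "DP: No description." for a 30,000-line patch that, judging by the sample-ipv6.cf, IPV6_README and IPv6-ChangeLog additions further down, bundles Dean Strik's IPv6 patch together with the TLS patch; the description should name the upstream patch and the version it was taken from so a later rebase can be checked against it. The postfix-files entry for tlsmgr itself matches the neighbouring daemon entries (f:root:-:755).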
+@@ -173,6 +174,7 @@
+ $manpage_directory/man8/smtp.8:f:root:-:644
+ $manpage_directory/man8/smtpd.8:f:root:-:644
+ $manpage_directory/man8/spawn.8:f:root:-:644
++$manpage_directory/man8/tlsmgr.8:f:root:-:644
+ $manpage_directory/man8/trace.8:f:root:-:644
+ $manpage_directory/man8/trivial-rewrite.8:f:root:-:644
+ $manpage_directory/man8/verify.8:f:root:-:644
+@@ -184,6 +186,7 @@
+ $sample_directory/sample-debug.cf:f:root:-:644:o
+ $sample_directory/sample-filter.cf:f:root:-:644:o:o
+ $sample_directory/sample-flush.cf:f:root:-:644:o
++$sample_directory/sample-ipv6.cf:f:root:-:644:o
+ $sample_directory/sample-ldap.cf:f:root:-:644:o
+ $sample_directory/sample-lmtp.cf:f:root:-:644:o
+ $sample_directory/sample-local.cf:f:root:-:644:o
+@@ -204,6 +207,7 @@
+ $sample_directory/sample-scheduler.cf:f:root:-:644:o
+ $sample_directory/sample-smtp.cf:f:root:-:644:o
+ $sample_directory/sample-smtpd.cf:f:root:-:644:o
++$sample_directory/sample-tls.cf:f:root:-:644:o
+ $sample_directory/sample-transport.cf:f:root:-:644:o
+ $sample_directory/sample-verify.cf:f:root:-:644:o
+ $sample_directory/sample-virtual.cf:f:root:-:644:o
+@@ -222,6 +226,7 @@
+ $readme_directory/FILTER_README:f:root:-:644
+ $readme_directory/HOSTING_README:f:root:-:644:o
+ $readme_directory/INSTALL:f:root:-:644
++$readme_directory/IPV6_README:f:root:-:644
+ $readme_directory/LDAP_README:f:root:-:644
+ $readme_directory/LINUX_README:f:root:-:644
+ $readme_directory/LMTP_README:f:root:-:644
+diff -urNad postfix-release/IPv6-ChangeLog /tmp/dpep.cXJuVH/postfix-release/IPv6-ChangeLog
+--- postfix-release/IPv6-ChangeLog	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/IPv6-ChangeLog	2005-02-03 10:22:12.847144188 -0700
+@@ -0,0 +1,470 @@
++ChangeLog for Dean Strik's IPv6 patch for Postfix. The patch is based on
++PLD's patch, which in turn seems to be based on KAME's. For more information:
++
++	http://www.ipnet6.org/postfix/
++
++---------------------------------------------------------------------
++
++Version 1.24	Postfix release 2.1.1
++		Postfix release 2.0.20
++		Postfix snapshot 2.0.19-20040312
++		Postfix snapshot 2.2-20040504
++
++	Bugfix: Prefixlen non-noll host portion validation (in CIDR maps
++	for example) yielded incorrect results sometimes because signed
++	arithmetic was used instad of unsigned.
++	File: util/match_ops.c
++
++	Patch correction: The TLS+IPv6 patch for Postfix 2.1.0 missed
++	the master.cf update (used for new installattions). Added it
++	back.
++
++Version 1.23	Postfix release 2.1.0
++		Postfix release 2.0.20
++		Postfix snapshot 2.0.19-20040312
++
++	Patch fixes: Several code fixes to make the patch compile
++	and work correctly when compiled without IPv6 support.
++
++	Bugfix (Solaris only?): address family length was not updated
++	which could cause client hostname validation errors.
++	File: smtpd/smtpd_peer.c
++
++	Portability: added support for Darwin 7.3+. This may need
++	some further testing.
++
++	Cleanup: Restructure and redocument interface address
++	retrieval functions. (This reduced the number of preprocessor
++	statements from 99 to 93 ;)
++	File: util/inet_addr_local.c
++
++	Cleanup: make several explicit casts to have compilers shut
++	their pie holes about uninteresting things.
++
++Version 1.22	Postfix release 2.0.19
++		Postfix snapshot 2.0.19-20040312
++
++	Feature: Support "inet_interfaces = IPv4:all" and
++	"inet_interfaces = IPv6:all", to restrict postfix to use
++	either IPv4-only or IPv6-only. A more complete implementation
++	will be part of a future patch. (Slightly modified) patch by
++	Michal Ludvig, SuSE.
++	Files: util/interfaces_to_af.[ch], util/inet_addr_local.c,
++	global/own_inet_addr.c, global/wildcard_inet_addr.[ch],
++	master/master_ent.ch
++
++	Bugfix: In Postfix snapshots, a #define was misplaced with
++	the effect that IPv6 subnets were not included in auto-
++	generated $mynetworks (i.e., mynetworks not defined in main.cf,
++	when also mynetworks_style=subnet) on Linux 2.x systems.
++	File: utils/sys_defs.h
++
++Version 1.21a	Postfix snapshots 2.0.18-2004{0122,0205,0209}
++				  2.0.19-20040312
++
++	TLS/snapshot version: Update TLS patch to 0.8.18-20040122.
++	Performed as a total repatch. 0.8.18 is cleaner with tls_*
++	variables if TLS is not actually compiled in.
++
++Version 1.21	Postfix releases 2.0.18 - 2.0.19
++		Postfix snapshot 2.0.16-20031231
++
++	Bugfix: The SMTP client could fail to setup a connection,
++	erroring with a bogus "getaddrinfo(...): hostname nor servname
++	provided" warning, because the wrong address was selected.
++	File: smtp/smtp_connect.c
++
++	Safety: in dynamically growing data structures, update the
++	length info after (instead of before) updating the data size.
++	File: util/inet_addr_list.c
++
++Version 1.20	Postfix release 2.0.16
++		Postfix snapshot 2.0.16-20031207
++
++	Bugfix: The SMTP client would abort when binding to specific
++	IPv6 addresses.
++	File: smtp/smtp_connect.c
++
++	Synchronisation/bugfix: LMTP source address binding is identical
++	to the SMTP source binding setup, avoiding the need for
++	lmtp_bind_address(6) if inet_interfaces is set to a single
++	host for an address family.
++	File: lmtp/lmtp_connect.c
++
++Version 1.19	Postfix release 2.0.16
++		Postfix snapshot 2.0.16-20031207
++
++	Bugfix: Synchronisation of TLS patches in snapshots of 1.18[ab]
++	was not complete, causing a crash of smtpd if used with the new
++	proxy agent.
++	File: smtpd/smtpd.c
++
++	Bugfix: SMTP source address binding based on a single hostname
++	in inet_interfaces did not work since the code counted IPv4 and
++	IPv6 addresses instead of only the used address family. Fixed,
++	thereby no longer requiring exact specification of
++	smtp_bind_address(6) in this case.
++	File: smtp/smtp_connect.c
++
++	Bugfix: The QMQP sink server did not compile correctly. This
++	program, part of smtpstone tools, is not compiled or installed
++	by default.
++	File: smtpstone/qmqp-sink.c
++
++	Bugfix: NI_WITHSCOPEID was not correctly defined everywhere,
++	which could result in EAI_BADFLAGS. Changed location of
++	definition to correct it.
++	Files: util/sys_defs.h, util/inet_addr_list.h
++
++Version 1.18b	Postfix snapshot 2.0.16-20030921
++
++	IPv6 support: Added IPv6-enabled code to the new snapshot
++	check_*_{ns,mx}_access restrictions.
++	File: smtpd/smtpd_check.c
++
++Version 1.18a	Postfix release 2.0.16
++
++	Update (TLS patches): Updated Lutz Jaenicke's TLS patch to
++	version 0.8.16. See pfixtls/ChangeLog for details.
++	Diff contributed by Tuomo Soini.
++
++	The TLS+IPv6 patch now contains the original TLS patch
++	documentation from Lutz Jaenicke.
++
++Version 1.18	Postfix releases 2.0.14 - 2.0.15
++		Postfix snapshot 2.0.14-20030812
++
++	Bugfix: Perform actual hostname verification in the SMTP
++	and QMTP servers. This was never supported in the IPv6
++	patch. Reported by Wolfgang S. Rupprecht.
++	Files: smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c
++
++	IPv6 address ranges using address/prefixlength (e.g. in
++	mynetworks and access maps) should be written as
++	[ipv6:addr:ess]/plen (e.g. [fec0:10:20::]/48). The old
++	supported syntax, [ipv6:addr:ess/plen] is deprecated and
++	support will be removed in a later version.
++	Thanks to Dr. Peter Bieringer and Pekka Savola for discussion.
++	Files: util/match_ops.c, global/mynetworks.c
++
++	Explicitly prefer IPv6 over IPv4 addresses when delivering
++	to a host when MX lookups are disabled when SMTP address
++	randomization is on (default).
++	File: smtp/smtp_addr.c
++
++	Compliance: write IPv6 address literals in mail headers 
++	as [IPv6:addr] instead of [addr] as per RFC 2821:4.1.3
++	tagging requirement, for example [IPv6:fec0:10:20::1].
++	Pointed out by Dr. Peter Bieringer.
++	Files: smtpd/smtpd{,_peer,_state}.c, smtpd/smtpd.h
++
++Version 1.17	Postfix release 2.0.13, 2.0.14
++		Postfix snapshot 2.0.13-20030706, 2.0.14-20030812
++
++	Bugfix: Two memory allocation/deallocation bugs were
++	introduced in patch 1.16. The impact of these bugs could
++	be 'arbitrary' memory corruption.
++	File: util/match_ops.c
++
++Version 1.16	Postfix release 2.0.13
++		Postfix snapshot 2.0.13-20030706
++
++	Cleanup: rewrote match_ops.c. This rewrite is partly based on
++	patch by Takahiro Igarashi. The rewrite enables some better
++	handling of scoped addresses, and drops all GPL code from the
++	patch, easying license considerations. Also, allowed for
++	use of this code by the CIDR maps.
++	Files: util/match_ops.[ch]
++
++	Bugfix: correctly relay for scoped unicast addresses when
++	applicable. Until now, while Postfix was able to recognize
++	scoped addresses, it was not able to see e.g. fe80::10%fxp0
++	as local in mynetworks validation.  KAME-only code.
++	(I've never heard of people using scoped addresses (think
++	link-local addresses) for mail relaying though...)
++	Files: util/inet_addr_list.[ch]
++
++	Feature (snapshot only): rewrote CIDR maps code to support
++	IPv6 addresses, using new match_ops code. Allow the use
++	of [::/0] since it allows one to easily disable further
++	checks for IPv6 addresses.
++	File: util/dict_cidr.c
++
++	Consistency: require IPv6 addresses in inet_interfaces to
++	be enclosed in square brackets.
++	File: util/inet_addr_host.c
++
++	Bugfix: (Linux2-only) A #define was misspelled. This could
++	lead to Postfix being unable to read the system's local IPv6
++	addresses (e.g. when using inet_interfaces).
++	Spotted by Jochen Friedrich.
++	File: util/sys_defs.h
++
++	Cleanup: require non-null host portion in CIDR /
++	prefixlength notations for IPv6 (was IPv4-only).
++
++Version 1.15a	Postfix release 2.0.13
++
++	Update (TLS patches): Updated Lutz Jaenicke's TLS patch
++	to version 0.8.15. This version introduces new options
++	for managing SASL mechanisms. More information at:
++	http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/
++	Diff contributed by Tuomo Soini.
++
++Version 1.15	Postfix release 2.0.12, 2.0.13
++		Postfix snapshot 2.0.12-20030621
++
++	Bugfix (TLS-snapshots only): a change in Postfix snapshot
++	2.0.11-20030609 broke initialisation of TLS in smtpd,
++	causing TLS to both be unadvertised and unaccepted.
++	This was fixed again by reordering initialisation.
++	File: smtpd/smtpd.c
++
++	Update (TLS patches): Updated Lutz Jaenicke's TLS patch
++	to version 0.8.14. This version introduces a few fixes and
++	uses USE_SSL instead of HAS_SSL. More information at:
++	http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/
++	Diff contributed by Tuomo Soini.
++
++	Bugfix (Postfix releases only - this was already added to
++	the snapshots in patch 1.14). KAME derived systems only.
++	Correctly decode scoped addresses, including network
++	interface specifiers.
++	File: util/inet_addr_local.c
++
++Version 1.14	Postfix releases 2.0.9, 2.0.10, 2.0.11, 2.0.12
++		Postfix snapshots 2.0.9-20030424, 2.0.10-20030521,
++				  2.0.11-20030609, 2.0.12-20030611
++
++	Patch change: made the patch available as an IPv6-only
++	patch (i.e., without the TLS code). This on popular
++	request by users and packagers.
++	A TLS+IPv6 version is still available of course.
++
++	Bugfix: correctly decode scoped addresses from now on
++	(KAME derived systems only). I think the original code
++	was written by Itojun, so I'm rather puzzled that it
++	didn't work...
++	File: util/inet_addr_local.c
++
++	Bugfix/portability: Recent KAME snapshots return both
++	TCP and SCTP address information on getaddrinfo() if
++	no protocol was specified. This causes the socket counts
++	to be wrong, confusing child processes.
++	Merged patch by JINMEI Tatuya of KAME to fix this.
++	Files: master/master.h, master/master_{ent,conf}.[ch],
++		util/inet_listen.c
++
++	Documentation: added an IPV6_README file to the patch.
++	This file contains the primary documentation. Also,
++	added a sample-ipv6.cf to describe the (currently few)
++	IPv6 related main.cf parameters.
++
++	Bugfix: the netmask structures for the *unsupported*
++	platforms (boldly assume /64) were added to the wrong
++	list (addresses instead of masks). This bug did not affect
++	any supported platform though.
++	File: util/inet_addr_local.c
++
++	Portability: added support for HP/Compaq Tru64Unix V5.1
++	and later. (compiled with CompaqCC only).
++	Thanks to Sten Spans for providing root access to an
++	IPv6-connected Tru64 testing machine.
++
++Version 1.13	Postfix releases 2.0.4 - 2.0.9
++		Postfix snapshots 2.0.3-20030126 - 2.0.7-20030319
++
++	Bugfix: Due to a missing storage pointer, DNS lookup
++	results in the permit_mx_backups code were not processed,
++	and smtpd would likely crash.
++	Thanks to Wouter de Jong for reporting the crashes.
++	File: smtpd/smtpd_check.c
++
++	Incompatible change: The addresses given to the parameters
++	smtp_bind_address6 and lmtp_bind_address6 now need to be
++	enclosed in square brackets for consistency.
++	Files: [ls]mtp/[ls]mtp_connect.c
++
++Version 1.12	Postfix releases 2.0.2, 2.0.3
++		Postfix snapshots 2.0.2-20030115, 2.0.3-20030126
++
++	Bugfix/workaround (Solaris): A simplified comparison
++	function for Solaris' qsort() function, would result
++	in corruption of network addresses in the SMTP client.
++	Fixed. Reported with possible fix by Edvard Tuinder.
++	File: smtp/smtp_addr.c
++
++Version 1.11	Postfix releases 2.0.0.x, 2.0.1, 2.0.2
++		Postfix snapshots 2.0.0-20030105, 2.0.1-20030112
++			2.0.2-20030115
++
++	Bugfix (Solaris): Properly initialize lifconf structure
++	when requesting host interface addresses. If you get
++	warnings about SIOCGLIFCONF with earlier versions,
++	please upgrade.
++	File: util/inet_addr_local.c
++
++	Patch fix: fixed compilation errors in case the patch is
++	applied but built without IPv6 support (i.e., on unsupported
++	platforms).
++
++Version 1.10	Postfix snapshots 1.1.12-200212{19,21}
++		Postfix releases 2.0.0, 2.0.0.{1,2}
++		Postfix snapshots 2.0.0-20021223 - 2.0.0-20030101
++
++	'Bugfix': don't show spurious warnings on Linux systems
++	about missing /proc/net/if_inet6 unless verbose mode
++	is enabled.
++	File: util/inet_addr_local.c
++
++	Bugfix: If unable to create a socket for a specific adress
++	in the SMTP client (e.g., when trying to create an IPv6
++	connection while the local host has no configured IPv6
++	addresses), then stop the attempt.
++	File: smtp/smtp_connect.c
++
++	Small bugfix: never query DNS for <localpart@[domain.tld]>.
++	This syntax now correctly generates an error immediately.
++	File: global/resolve_local.c
++
++	Updated TLS patch to 0.8.12-1.1.12-20021219-0.9.6h, fixing
++	a bug with "sendmail -bs".
++
++Version 1.9	Postfix version 1.1.11-20021115
++		Postfix version 1.1.12-2002{1124,1209-1213}
++
++	Bugfix: with getifaddrs() code (*BSD, linux-USAGI), IPv4
++	netmasks were set to /32 effectively. Work around broken
++	netmask data structures (*BSD only perhaps).
++
++	Bugfix: same data corruption in another place created
++	entirely wrong IPv4 netmasks. Work around broken
++	SIOCGIFNETMASK structure.
++
++	New code was added for correct IPv6 netmasks. The original
++	code did not contain IPv6 netmask support at all!
++	For Solaris, use SIOCGLIF*; Linux: /proc/net/if_inet6.
++	Getifaddrs() support is used otherwise. This should cover
++	all supported systems. Other systems also work, prefix
++	length is always set to /64 then.
++
++	Since there are no classes (context: Class A, class B etc
++	networks) with IPv6, default to IPv6 subnet style if the
++	mynetworks style is 'class'. I recommend against this style
++	anyway.
++
++	Added support to display IPv6 nets mynetworks output.
++
++Version 1.8	Postfix version 1.1.11-200211{01,15}
++
++	An earlier author of the patch made a typo in the GAI_STRERROR()
++	macro, resulting in bogus error messages when checking for
++	PTR records. Fixed.
++
++	IPv4-mapped addresses in the smtpd are converted to true IPv4
++	addresses just after the connection has been made. This means
++	that all IPv4-mapped addresses are now logged as true IPv4
++	addresses. Hence beside RBL checks, also access maps now treat
++	IPv4-mapped addresses as native IPv4. Note that ::ffff:...
++	entries in your access tables will no longer work.
++
++	You can now specify IPv6 'parent' networks in your access maps,
++	e.g. to reject all mail from 3ffe:200:... nodes, add the line
++		3ffe:200	REJECT
++	Use of trailing colons is discouraged because postmap will
++	warn about it possibly being an alias...
++	NOTE: I'll soon obsolete this again in favor of the more
++	common address/len notation. This was just so trivial to add
++	that it didn't hurt and I needed it :)
++
++	For easy reference, the version of the TLS/IPv6 patch can be
++	dynamically queried using the  tls_ipv6_version  variable.
++	This gives the short version (like, "1.8").
++
++	The service bind address for 'inet' sockets in master.cf (e.g.,
++	smtpd), must be enclosed in square brackets '[..]' for IPv6
++	addresses. The old style (without brackets) still works but is
++	unsupported and may be removed in the future. Example
++	    [::1]:smtp inet n - n - - smtpd
++
++Version 1.7	Postfix version 1.1.11-20021029 - 1.1.11-20021101
++
++	Postfix' SMTP client performs randomization of MX addresses
++	when sending mail. This however could result in A records
++	being used before AAAA records. This has been corrected.
++
++	Note that from Postfix version 1.1.11-20021029 on, there is
++	a  proxy_interfaces  parameter. This has of course not been
++	ported to IPv6 addresses...
++
++Version 1.6	Postfix version 1.1.11-20020928
++
++	Added IPv6 support for backup_mx_networks feature; also the
++	behaviour when DNS lookups fail when checking whether the
++	local host is an MX for a domain conforms to the IPv4 case:
++	defer rather than allow.
++
++Version 1.5	Postfix version 1.1.11-20020917
++
++	I introduced two bugs when I rewrote my older LMTP IPv6 patch.
++	These bugs effectively rendered LMTP useless. Now fixed.
++	Bugs spotted by Kaj Niemi.
++
++	Now supports Solaris 8 and 9. Due to lack of testing equipment,
++	this has been only tested in production on Solaris 9, both
++	with gcc and the Sun Workshop Compiler.
++
++Version 1.4	Postfix version 1.1.11-20020822 - 1.1.11-20020917
++
++	OpenBSD (>=200003) and FreeBSD release 4 and up now use
++        getifaddrs(). This makes for cleaner code. The old code
++	seems to be bug-ridden anyway.
++
++	Got rid of some compiler warnings. Should be cleaner on
++	Alpha as well now. Thanks to Sten Spans for providing me
++	access to an Alpha running FreeBSD4.
++
++	Fixed an old bug in smtpd memory alloation if you compiled
++	without IPv6 support (the wrong buffer size was used. This
++	was harmless for IPv6-enabled compiles since the sizes were
++	equal then).
++
++	Added ChangeLog to the patch (as IPv6-ChangeLog) (this
++	was absent in 1.3 contrary to docs).
++
++Version 1.3	Postfix version 1.1.11-20020613 - 1.1.11-20020718
++
++	FYI: In postfix version 1.1.11-20020718, DNS lookups for
++	AAAA can be done natively. The code matches the code in
++	the patch (though the #ifdef changed from INET6 to T_AAAA).
++	This change causes the patch for 1.1.11-20020718 to be a
++	bit smaller.
++
++Version 1.2	Postfix version 1.1.11-20020613
++
++	Added IPv6 support for the LMTP client.
++
++	Added lmtp_bind_address and lmtp_bind_address6 parameters,
++	similar to those for smtp.
++
++	Added IPv6 support for the QMQP server.
++
++Version 1.1	Postfix version 1.1.11-20020602 - 1.1.11-20020613
++
++	Added parameter smtp_bind_address6. By using this parameter,
++	it is possible to bind to an IPv6 address, independently of
++	IPv4 address binding.
++
++	Lutz fixed a bug in his TLS patch regarding SASL. Incorporated.
++
++Version 1.0.x	Postfix version 1.1.8-20020505 - 1.1.11-20020602
++
++	Patch derived from PLD's IPv6 patch for Postfix, revision 1.10
++	which applied to early Postfix snapshots 1.1.x. Updated this
++	patch to apply to 1.1.8-20020505.
++
++	Added compile-time checks for SS_LEN. Some Linux installations,
++	and maybe other systems, do define SA_LEN, but not SS_LEN.
++
++	Several updates of postfix snapshots.
++
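Review bot: the bundled IPV6-ChangeLog records that patch version 1.16 introduced two memory allocation/deallocation bugs in util/match_ops.c with "arbitrary" memory corruption as the possible impact, fixed only in 1.17; nothing in the patch header states which IPv6/TLS patch revision this dpatch carries, so a reader cannot tell from the package alone whether the 1.17 fix is included. Suggest stating the upstream patch version (the changelog itself mentions the `tls_ipv6_version` variable for this) in the dpatch description or debian/README.Debian. The same file notes that the `[ipv6:addr:ess/plen]` form is deprecated in favour of `[ipv6:addr:ess]/plen`; any Debian-shipped main.cf or README examples for mynetworks should use the new form.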
+diff -urNad postfix-release/makedefs /tmp/dpep.cXJuVH/postfix-release/makedefs
+--- postfix-release/makedefs	2005-02-03 10:22:12.217284683 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/makedefs	2005-02-03 10:22:12.847144188 -0700
+@@ -327,6 +327,33 @@
+ 		;;
+ esac
+ 
++# Check for IPv6 support
++
++if [ -z "$NO_IPV6" ] ; then
++if [ -f /usr/include/netinet6/in6.h ] ; then
++	grep __KAME__ /usr/include/netinet6/in6.h 2>&1 >/dev/null
++	if [ $?  = 1 ]; then
++		INET6=
++	else
++		if [ -f /usr/local/v6/lib/libinet6.a ]; then
++			INET6=kame
++		else
++			INET6=kame-merged
++		fi
++	fi
++fi
++if [ -z "$INET6" -a -f /usr/include/netinet/ip6.h ]; then
++	case "$SYSTYPE" in
++	SUNOS5)	INET6=solaris ;;
++	OSF1)	INET6=osf1 ;;
++	*)	;;
++	esac
++fi
++if [ -z "$INET6" -a -f /usr/include/netinet/ip6.h -a -f /usr/include/linux/icmpv6.h ]; then
++	INET6=linux
++fi
++fi # [-z NO_IPV6]
++
+ # Defaults that can be overruled (make makefiles CC=cc OPT=-O6 DEBUG=)
+ # Disable optimizations by default when compiling for Purify. Disable
+ # optimizations by default with gcc 2.8, until the compiler is known to
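Review bot: the redirection order in `grep __KAME__ /usr/include/netinet6/in6.h 2>&1 >/dev/null` sends grep's stderr to the build output instead of /dev/null (stderr is duplicated onto the original stdout before stdout is redirected); write it as `grep __KAME__ /usr/include/netinet6/in6.h >/dev/null 2>&1` or simply `grep -q`. The following `if [ $?  = 1 ]` treats only exit status 1 as "not KAME", so a grep error (exit 2, e.g. an unreadable header) falls through to the else branch and selects INET6=kame or kame-merged; testing for status 0 on the match branch instead is the safer shape. The double space in `$?  = 1` is harmless but reads like a typo.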
+@@ -346,6 +373,31 @@
+ 	-Wparentheses -Wstrict-prototypes -Wswitch -Wuninitialized \
+ 	-Wunused'}
+ 
++case "$INET6" in
++kame)
++	CCARGS="$CCARGS -DINET6 -DINET6_KAME"
++	CCARGS="$CCARGS -D__ss_family=ss_family -D__ss_len=ss_len"
++	if test -f /usr/local/v6/lib/libinet6.a; then
++		SYSLIBS="$SYSLIBS -L/usr/local/v6/lib -linet6"
++	fi
++	;;
++kame-merged)
++	CCARGS="$CCARGS -DINET6 -DINET6_KAME"
++	CCARGS="$CCARGS -D__ss_family=ss_family -D__ss_len=ss_len"
++	;;
++solaris|osf1)
++	CCARGS="$CCARGS -DINET6 -D__ss_family=ss_family -D__ss_len=ss_len"
++	;;
++linux)
++	CCARGS="$CCARGS -DINET6 -D__ss_family=ss_family"
++	if test -f /usr/include/libinet6/netinet/ip6.h -a \
++		-f /usr/lib/libinet6.a; then 
++		CCARGS="$CCARGS -I/usr/include/libinet6 -DUSAGI_LIBINET6"
++		SYSLIBS="$SYSLIBS -linet6"
++	fi
++	;;
++esac
++
+ export SYSTYPE AR ARFL RANLIB SYSLIBS CC OPT DEBUG AWK OPTS
+ 
+ sed 's/  / /g' <<EOF
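Review bot: `-D__ss_family=ss_family` is repeated in every branch of the `case "$INET6"` block and `-D__ss_len=ss_len` in all but the linux branch; hoisting the common define above the case and leaving only the per-platform ss_len define in each branch would remove four copies that can drift apart. A one-line comment explaining the defines would also help: they map the `__ss_family`/`__ss_len` spellings (the RFC 2553 names) used by the patched sources onto the `ss_family`/`ss_len` members of struct sockaddr_storage that these platforms provide, which is not obvious to someone reading makedefs.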
+diff -urNad postfix-release/man/man8/tlsmgr.8 /tmp/dpep.cXJuVH/postfix-release/man/man8/tlsmgr.8
+--- postfix-release/man/man8/tlsmgr.8	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/man/man8/tlsmgr.8	2005-02-03 10:22:12.848143965 -0700
+@@ -0,0 +1,130 @@
++.TH TLSMGR 8 
++.ad
++.fi
++.SH NAME
++tlsmgr
++\-
++Postfix TLS session cache and PRNG handling manager
++.SH SYNOPSIS
++.na
++.nf
++\fBtlsmgr\fR [generic Postfix daemon options]
++.SH DESCRIPTION
++.ad
++.fi
++The tlsmgr process does housekeeping on the session cache database
++files. It runs through the databases and removes expired entries
++and entries written by older (incompatible) versions.
++
++The tlsmgr is responsible for the PRNG handling. The used internal
++OpenSSL PRNG has a pool size of 8192 bits (= 1024 bytes). The pool
++is initially seeded at startup from an external source (EGD or
++/dev/urandom) and additional seed is obtained later during program
++run at a configurable period. The exact time of seed query is
++using random information and is equally distributed in the range of
++[0-\fBtls_random_reseed_period\fR] with a \fBtls_random_reseed_period\fR
++having a default of 1 hour.
++
++Tlsmgr can be run chrooted and with dropped privileges, as it will
++connect to the entropy source at startup.
++
++The PRNG is additionally seeded internally by the data found in the
++session cache and timevalues.
++
++Tlsmgr reads the old value of the exchange file at startup to keep
++entropy already collected during previous runs.
++
++From the PRNG random pool a cryptographically strong 1024 byte random
++sequence is written into the PRNG exchange file. The file is updated
++periodically with the time changing randomly from
++[0-\fBtls_random_prng_update_period\fR].
++.SH STANDARDS
++.na
++.nf
++.SH SECURITY
++.na
++.nf
++.ad
++.fi
++Tlsmgr is not security-sensitive. It only deals with external data
++to be fed into the PRNG, the contents is never trusted. The session
++cache housekeeping will only remove entries if expired and will never
++touch the contents of the cached data.
++.SH DIAGNOSTICS
++.ad
++.fi
++Problems and transactions are logged to the syslog daemon.
++.SH BUGS
++.ad
++.fi
++There is no automatic means to limit the number of entries in the
++session caches and/or the size of the session cache files.
++.SH CONFIGURATION PARAMETERS
++.na
++.nf
++.ad
++.fi
++The following \fBmain.cf\fR parameters are especially relevant to
++this program. See the Postfix \fBmain.cf\fR file for syntax details
++and for default values. Use the \fBpostfix reload\fR command after
++a configuration change.
++.SH Session Cache
++.ad
++.fi
++.IP \fBsmtpd_tls_session_cache_database\fR
++Name of the SDBM file (type sdbm:) containing the SMTP server session
++cache. If the file does not exist, it is created.
++.IP \fBsmtpd_tls_session_cache_timeout\fR
++Expiry time of SMTP server session cache entries in seconds. Entries
++older than this are removed from the session cache. A cleanup-run is
++performed periodically every \fBsmtpd_tls_session_cache_timeout\fR
++seconds. Default is 3600 (= 1 hour).
++.IP \fBsmtp_tls_session_cache_database\fR
++Name of the SDBM file (type sdbm:) containing the SMTP client session
++cache. If the file does not exist, it is created.
++.IP \fBsmtp_tls_session_cache_timeout\fR
++Expiry time of SMTP client session cache entries in seconds. Entries
++older than this are removed from the session cache. A cleanup-run is
++performed periodically every \fBsmtp_tls_session_cache_timeout\fR
++seconds. Default is 3600 (= 1 hour).
++.SH Pseudo Random Number Generator
++.ad
++.fi
++.IP \fBtls_random_source\fR
++Name of the EGD socket or device or regular file to obtain entropy
++from. The type of entropy source must be specified by preceding the
++name with the appropriate type: egd:/path/to/egd_socket,
++dev:/path/to/devicefile, or /path/to/regular/file.
++tlsmgr opens \fBtls_random_source\fR and tries to read
++\fBtls_random_bytes\fR from it.
++.IP \fBtls_random_bytes\fR
++Number of bytes to be read from \fBtls_random_source\fR.
++Default value is 32 bytes. If using EGD, a maximum of 255 bytes is read.
++.IP \fBtls_random_exchange_name\fR
++Name of the file written by tlsmgr and read by smtp and smtpd at
++startup. The length is 1024 bytes. Default value is
++/etc/postfix/prng_exch.
++.IP \fBtls_random_reseed_period\fR
++Time in seconds until the next reseed from external sources is due.
++This is the maximum value. The actual point in time is calculated
++with a random factor equally distributed between 0 and this maximum
++value. Default is 3600 (= 60 minutes).
++.IP \fBtls_random_prng_update_period\fR
++Time in seconds until the PRNG exchange file is updated with new
++pseude random values. This is the maximum value. The actual point
++in time is calculated with a random factor equally distributed
++between 0 and this maximum value. Default is 60 (= 1 minute).
++.SH SEE ALSO
++.na
++.nf
++smtp(8) SMTP client
++smtpd(8) SMTP server
++.SH LICENSE
++.na
++.nf
++.ad
++.fi
++The Secure Mailer license must be distributed with this software.
++.SH AUTHOR(S)
++.na
++.nf
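Review bot: the DESCRIPTION contradicts itself on chroot: one paragraph says "Tlsmgr can be run chrooted and with dropped privileges, as it will connect to the entropy source at startup", but the paragraph before it says additional seed is obtained from that external source "later during program run" at up to \fBtls_random_reseed_period\fR intervals, and a later paragraph says the exchange file is rewritten periodically. Either the reseed happens only at startup (then the earlier paragraph should say so) or the entropy source and \fBtls_random_exchange_name\fR (default /etc/postfix/prng_exch) must be reachable inside the jail; the text should state which. The SECURITY section's "Tlsmgr is not security-sensitive" also understates the role of the exchange file: it is written by tlsmgr and read by smtp and smtpd to seed their PRNGs, so its ownership and mode deserve a sentence. Smaller points: "pseude random" under \fBtls_random_prng_update_period\fR should be "pseudo random", "timevalues" should be "time values", and the STANDARDS and AUTHOR(S) sections are empty (the hunk is the full 130-line file, so the author text is genuinely missing rather than cut off).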
+diff -urNad postfix-release/proto/Makefile.in /tmp/dpep.cXJuVH/postfix-release/proto/Makefile.in
+--- postfix-release/proto/Makefile.in	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/proto/Makefile.in	2005-02-03 10:22:12.848143965 -0700
+@@ -29,6 +29,7 @@
+ 	../html/SMTPD_POLICY_README.html \
+ 	../html/SMTPD_PROXY_README.html \
+ 	../html/STANDARD_CONFIGURATION_README.html \
++	../html/TLS_README.html \
+ 	../html/TUNING_README.html \
+ 	../html/UUCP_README.html ../html/ULTRIX_README.html \
+ 	../html/VERP_README.html ../html/VIRTUAL_README.html \
+@@ -59,6 +60,7 @@
+ 	../README_FILES/SMTPD_ACCESS_README \
+ 	../README_FILES/SMTPD_POLICY_README ../README_FILES/SMTPD_PROXY_README \
+ 	../README_FILES/STANDARD_CONFIGURATION_README \
++	../README_FILES/TLS_README \
+ 	../README_FILES/TUNING_README \
+ 	../README_FILES/UUCP_README ../README_FILES/ULTRIX_README \
+ 	../README_FILES/VERP_README ../README_FILES/VIRTUAL_README \
+@@ -233,6 +235,9 @@
+ ../html/STANDARD_CONFIGURATION_README.html: STANDARD_CONFIGURATION_README.html
+ 	$(POSTLINK) $? >$@
+ 
++../html/TLS_README.html: TLS_README.html
++	$(POSTLINK) $? >$@
++
+ ../html/TUNING_README.html: TUNING_README.html
+ 	$(POSTLINK) $? >$@
+ 
+@@ -356,6 +361,9 @@
+ ../README_FILES/STANDARD_CONFIGURATION_README: STANDARD_CONFIGURATION_README.html
+ 	$(HT2READ) $? >$@
+ 
++../README_FILES/TLS_README: TLS_README.html
++	$(HT2READ) $? >$@
++
+ ../README_FILES/TUNING_README: TUNING_README.html
+ 	$(HT2READ) $? >$@
+ 
+diff -urNad postfix-release/proto/postconf.proto /tmp/dpep.cXJuVH/postfix-release/proto/postconf.proto
+--- postfix-release/proto/postconf.proto	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/proto/postconf.proto	2005-02-03 10:22:12.985113413 -0700
+@@ -3814,6 +3814,20 @@
+ <dd>Permit the request when the client IP address matches any
+ network listed in  $mynetworks. </dd>
+ 
++<dt><b><a name="permit_tls_all_clientcerts">permit_tls_all_clientcerts</a></b></dt>
++
++<dd> Permit the request when the remote SMTP client certificate is
++verified successfully.  This option must be used only if a special
++CA issues the certificates and only this CA is listed as trusted
++CA, otherwise all clients with a recognized certificate would be
++allowed to relay.  </dd>
++
++<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
++
++<dd>Permit the request when the remote SMTP client certificate is
++verified successfully, and the certificate fingerprint is listed
++in $relay_clientcerts. </dd>
++
+ <dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
+ 
+ <dd>Reject the request when the reversed client network address is
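Review bot: the permit_tls_all_clientcerts entry warns that it "must be used only if a special CA issues the certificates and only this CA is listed as trusted CA" but does not name the settings that define that trusted set; add a cross-reference to smtpd_tls_CAfile and smtpd_tls_CApath (both documented further down in this same patch) so an administrator can see exactly which files turn this restriction into an open relay for every holder of a certificate from a public CA. For the same reason the entry could say plainly that permit_tls_clientcerts with an explicit $relay_clientcerts fingerprint list is the safer of the two.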
+@@ -6787,3 +6801,618 @@
+ remote domains.  Available before Postfix version 2.0. With Postfix 2.1
+ and later, this is replaced by separate controls: virtual_alias_domains
+ and virtual_alias_maps. </p>
++
++%PARAM smtpd_tls_cert_file
++
++<p> File with the Postfix SMTP server RSA certificate in PEM format.
++This file may also contain the server private key. </p>
++
++<p> Both RSA and DSA certificates are supported.  When both types
++are present, the cipher used determines which certificate will be
++presented to the client.  For Netscape and OpenSSL clients without
++special cipher choices the RSA certificate is preferred. </p>
++
++<p> In order to verify a certificate, the CA certificate (in case
++of a certificate chain, all CA certificates) must be available.
++You should add these certificates to the server certificate, the
++server certificate first, then the issuing CA(s).  </p>
++
++<p> Example: the certificate for "server.dom.ain" was issued by
++"intermediate CA" which itself has a certificate of "root CA".
++Create the server.pem file with "cat server_cert.pem intermediate_CA.pem
++root_CA.pem &gt; server.pem". </p>
++
++<p> If you want to accept certificates issued by these CAs yourself,
++you can also add the CA certificates to the smtpd_tls_CAfile, in
++which case it is not necessary to have them in the smtpd_tls_dcert_file
++or smtpd_tls_cert_file. </p>
++
++<p> A certificate supplied here must be usable as SSL server
++certificate and hence pass the "openssl verify -purpose sslserver
++..." test. </p>
++
++<p> Example: </p>
++
++<pre>
++smtpd_tls_cert_file = /etc/postfix/server.pem
++</pre>
++
++%PARAM smtpd_tls_key_file $smtpd_tls_cert_file
++
++<p> File with the Postfix SMTP server RSA private key in PEM format.
++This file may be combined with the server certificate file specified
++with $smtpd_tls_cert_file. </p>
++
++<p> The private key must not be encrypted. In other words, the key
++must be accessible without password. </p>
++
++%PARAM smtpd_tls_dcert_file
++
++<p> File with the Postfix SMTP server DSA certificate in PEM format.
++This file may also contain the server private key. <p>
++
++<p> See the discussion under smtpd_tls_cert_file for more details.
++</p>
++
++<p> Example: </p>
++
++<pre>
++smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
++</pre>
++
++%PARAM smtpd_tls_dkey_file $smtpd_tls_dcert_file
++
++<p> File with the Postfix SMTP server DSA private key in PEM format.
++This file may be combined with the server certificate file specified
++with $smtpd_tls_dcert_file. </p>
++
++<p> The private key must not be encrypted. In other words, the key
++must be accessible without password. </p>
++
++%PARAM smtpd_tls_CAfile
++
++<p> The file with the certificate of the certification authority
++(CA) that issued the Postfix SMTP server certificate.  This is
++needed only when the CA certificate is not already present in the
++server certificate file.  This file may also contain the CA
++certificates of other trusted CAs.  You must use this file for the
++list of trusted CAs if you want to use chroot-mode. </p>
++
++<p> Example: </p>
++
++<pre>
++smtpd_tls_CAfile = /etc/postfix/CAcert.pem
++</pre>
++
++%PARAM smtpd_tls_CApath
++
++<p> Directory with PEM format certificate authority certificates
++that the Postfix SMTP server offers to remote SMTP clients for the
++purpose of client certificate verification.  Do not forget to create
++the necessary "hash" links with, for example, "$OPENSSL_HOME/bin/c_rehash
++/etc/postfix/certs".  </p>
++
++<p> To use this option in chroot mode, this directory (or a copy)
++must be inside the chroot jail. Please note that in this case the
++CA certificates are not offered to the client, so that e.g.  Netscape
++clients might not offer certificates issued by them.  Use of this
++feature is therefore not recommended. </p>
++
++<p> Example: </p>
++
++<pre>
++smtpd_tls_CApath = /etc/postfix/certs
++</pre>
++
++%PARAM smtpd_tls_loglevel 0
++
++<p> Enable additional Postfix SMTP server logging of TLS activity.
++Each logging level also includes the information that is logged at
++a lower logging level.  </p>
++
++<dl compact>
++
++<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
++
++<dt> </dt> <dd> 1 Log TLS handshake and certificate information. </dd>
++
++<dt> </dt> <dd> 2 Log levels during TLS negotiation. </dd>
++
++<dt> </dt> <dd> 3 Log hexadecimal and ASCII dump of TLS negotiation
++process.  </dd>
++
++<dt> </dt> <dd> 4 Also log hexadecimal and ASCII dump of complete
++transmission after STARTTLS. </dd>
++
++</dl>
++
++<p> Use "smtpd_tls_loglevel = 3" only in case of problems. Use of
++loglevel 4 is strongly discouraged. </p>
++
++%PARAM smtpd_tls_received_header no
++
++<p> Request that the Postfix SMTP server produces Received:  message
++headers that include information about the protocol and cipher used,
++as well as the client CommonName and client certificate issuer
++CommonName.  This is disabled by default, as the information may
++be modified in transit through other mail servers.  Only information
++that was recorded by the final destination can be trusted. </p>
++
++%PARAM smtpd_use_tls no
++
++<p> Enable TLS support in the Postfix SMTP server. </p>
++
++<p> Note: when invoked via "sendmail -bs", Postfix will never offer
++STARTTLS due to insufficient privileges to access the server private
++key. This is intended behavior. </p>
++
++%PARAM smtpd_enforce_tls no
++
++<p> Require that remote SMTP clients use TLS encryption.  According
++to RFC 2487 this MUST NOT be applied in case of a publicly-referenced
++SMTP server.  This option is off by default and should only rarely
++be used. </p>
++
++<p> This option implies "smtpd_use_tls = yes". </p>
++
++<p> Note: when invoked via "sendmail -bs", Postfix will never offer
++STARTTLS due to insufficient privileges to access the server private  
++key. This is intended behavior. </p>
++
++%PARAM smtpd_tls_wrappermode no
++
++<p> Run the Postfix SMTP server in the non-standard "wrapper" mode,
++instead of using the STARTTLS command. </p>
++
++<p> If you want to support this service, enable a special port in
++master.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP
++server's command line. Port 465 (smtps) was once chosen for this
++purpose. </p>
++
++%PARAM smtpd_tls_ask_ccert no
++
++<p> Ask a remote SMTP client for a client certificate. This
++information is needed for certificate based mail relaying with,
++for example, the permit_tls_clientcerts feature. </p>
++
++<p> Some clients such as Netscape will either complain if no
++certificate is available (for the list of CAs in /etc/postfix/certs)
++or will offer multiple client certificates to choose from. This
++may be annoying, so this option is "off" by default. </p>
++
++%PARAM smtpd_tls_req_ccert no
++
++<p> When TLS encryption is enforced, require a remote SMTP client
++certificate in order to allow TLS connections to proceed.  This
++option implies "smtpd_tls_ask_ccert = yes". </p>
++
++<p> When TLS encryption is optional, remote SMTP clients can bypass
++the restriction by simply not using STARTTLS at all. For this reason
++a TLS connection will be handled as if only "smtpd_tls_ask_ccert
++= yes" is specified.  </p>
++
++%PARAM smtpd_tls_ccert_verifydepth 5
++
++<p> The verification depth for remote SMTP client certificates. A
++depth of 1 is sufficient if the issuing CA is listed in a local CA
++file.  The default value should also suffice for longer chains (the
++root CA issues special CA which then issues the actual certificate...).
++</p>
++
++%PARAM smtpd_tls_auth_only no
++
++<p> When TLS encryption is optional in the Postfix SMTP server, do
++not announce or accept SASL authentication over un-encrypted
++connections. </p>
++
++%PARAM smtpd_tls_session_cache_database
++
++<p> Name of the SDBM file (type sdbm:) containing the optional
++Postfix SMTP server TLS session cache. SDBM is required in order
++to support concurrent updates.  The file is created if it does not
++exist.  </p>
++
++<p> Example: </p>
++
++<pre>
++smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
++</pre>
++
++%PARAM smtpd_tls_session_cache_timeout 3600s
++
++<p> The expiration time of Postfix SMTP server TLS session cache
++information.  A cache cleanup is performed periodically every
++$smtpd_tls_session_cache_timeout seconds.  </p>
++
++%PARAM relay_clientcerts
++
++<p> The list of remote SMTP client certificates for which the
++Postfix SMTP server will allow access with the permit_tls_clientcerts
++feature.  This feature does not use certificate names, because
++Postfix list manipulation routines treat whitespace and some other
++characters as special.  Instead we use certificate fingerprints as
++they are difficult to fake but easy to use for lookup. </p>
++
++<p> Postfix lookup tables are in the form of (key, value) pairs.
++Since we only need the key, the value can be chosen freely, e.g.
++the name of the user or host:
++D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home </p>
++
++<p> Example: </p>
++
++<pre>
++relay_clientcerts = hash:/etc/postfix/relay_clientcerts
++</pre>
++
++%PARAM smtpd_tls_cipherlist
++
++<p> Controls the Postfix SMTP server TLS cipher selection scheme.
++For details, see the OpenSSL documentation. Note: do not use ""
++quotes around the parameter value. </p>
++
++%PARAM smtpd_tls_dh1024_param_file
++
++<p> File with DH parameters that the Postfix SMTP server should
++use with EDH ciphers. </p>
++
++<p> Instead of using the exact same parameter sets as distributed
++with other TLS packages, it is more secure to generate your own
++set of parameters with something like the following command:  </p>
++
++<pre>
++openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024
++</pre>
++
++<p> Your actual source for entropy may differ. Some systems have
++/dev/random; on other system you may consider using the "Entropy
++Gathering Daemon EGD", available at http://www.lothar.com/tech/crypto/.
++</p>
++
++<p> Example: </p>
++
++<pre>
++smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
++</pre>
++
++%PARAM smtpd_tls_dh512_param_file
++
++<p> File with DH parameters that the Postfix SMTP server should
++use with EDH ciphers. </p>
++
++<p> See also the discussion under the smtpd_tls_dh1024_param_file
++configuration parameter.  </p>
++
++<p> Example: </p>
++
++<pre>
++smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
++</pre>
++
++%PARAM smtpd_starttls_timeout 300s
++
++<p> The time limit for Postfix SMTP server write and read operations
++during TLS startup and shutdown handshake procedures. </p>
++
++%PARAM smtp_tls_cert_file
++
++<p> File with the Postfix SMTP client RSA certificate in PEM format.
++This file may also contain the client private key, and these may
++be the same as the server certificate and key file. </p>
++
++<p> In order to verify certificates, the CA certificate (in case
++of a certificate chain, all CA certificates) must be available.
++You should add these certificates to the server certificate, the
++server certificate first, then the issuing CA(s). </p>
++
++<p> Example: the certificate for "client.dom.ain" was issued by
++"intermediate CA" which itself has a certificate of "root CA".
++Create the client.pem file with "cat client_cert.pem intermediate_CA.pem
++root_CA.pem &gt; client.pem". </p>
++
++<p> If you want to accept remote SMTP server certificates issued
++by these CAs yourself, you can also add the CA certificates to the
++smtp_tls_CAfile, in which case it is not necessary to have them in
++the smtp_tls_cert_file or smtp_tls_dcert_file. </p>
++
++<p> A certificate supplied here must be usable as SSL client certificate and
++hence pass the "openssl verify -purpose sslclient ..." test. </p>
++
++<p> Example: </p>
++
++<pre>
++smtp_tls_cert_file = /etc/postfix/client.pem
++</pre>
++
++%PARAM smtp_tls_key_file $smtp_tls_cert_file
++
++<p> File with the Postfix SMTP client RSA private key in PEM format.
++This file may be combined with the client certificate file specified
++with $smtp_tls_cert_file. </p>
++
++<p> The private key must not be encrypted. In other words, the key
++must be accessible without password. </p>
++
++<p> Example: </p>
++
++<pre>
++smtp_tls_key_file = $smtp_tls_cert_file
++</pre>
++
++%PARAM smtp_tls_CAfile
++
++<p> The file with the certificate of the certification authority
++(CA) that issued the Postfix SMTP client certificate.  This is
++needed only when the CA certificate is not already present in the
++client certificate file.  </p>
++
++<p> Example: </p>
++
++<pre>
++smtp_tls_CAfile = /etc/postfix/CAcert.pem
++</pre>
++
++%PARAM smtp_tls_CApath
++
++<p> Directory with PEM format certificate authority certificates
++that the Postfix SMTP client uses to verify a remote SMTP server
++certificate.  Don't forget to create the necessary "hash" links
++with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
++</p>
++
++<p> To use this option in chroot mode, this directory (or a copy) 
++must be inside the chroot jail. </p>
++
++<p> Example: </p>
++
++<pre>
++smtp_tls_CApath = /etc/postfix/certs
++</pre>
++
++%PARAM smtp_tls_loglevel 0
++
++<p> Enable additional Postfix SMTP client logging of TLS activity.
++Each logging level also includes the information that is logged at
++a lower logging level.  </p>
++
++<dl compact>
++
++<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
++
++<dt> </dt> <dd> 1 Log TLS handshake and certificate information. </dd>
++
++<dt> </dt> <dd> 2 Log levels during TLS negotiation. </dd>
++
++<dt> </dt> <dd> 3 Log hexadecimal and ASCII dump of TLS negotiation
++process.  </dd>
++
++<dt> </dt> <dd> 4 Log hexadecimal and ASCII dump of complete
++transmission after STARTTLS. </dd>
++
++</dl>
++
++<p> Use "smtp_tls_loglevel = 3" only in case of problems. Use of
++loglevel 4 is strongly discouraged. </p>
++
++%PARAM smtp_tls_session_cache_database
++
++<p> Name of the SDBM file (type sdbm:) containing the optional
++Postfix SMTP client TLS session cache. SDBM is required in order
++to support concurrent updates. The file is created if it does not
++exist.  </p>
++
++<p> Example: </p>
++
++<pre>
++smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache
++</pre>
++
++%PARAM smtp_tls_session_cache_timeout 3600s
++
++<p> The expiration time of Postfix SMTP client TLS session cache
++information.  A cache cleanup is performed periodically every
++$smtp_tls_session_cache_timeout seconds.  </p>
++
++%PARAM smtp_use_tls no
++
++<p> Always use TLS when a remote SMTP server announces STARTTLS
++support.  Beware: some remote SMTP servers offer STARTTLS even if
++it is not configured.  If the TLS handshake fails, and no other
++server is available, delivery is deferred and mail stays in the
++queue.  If this is a concern for you, use the smtp_tls_per_site
++feature instead.  </p>
++
++%PARAM smtp_enforce_tls no
++
++<p> Require that remote SMTP servers use TLS encryption.  This also
++requires that the remote SMTP server hostname matches the information
++in the remote server certificate, and that the remote SMTP server
++certificate was issued by a CA that is trusted by the Postfix SMTP
++client. If the certificate doesn't verify or the hostname doesn't
++match, delivery is deferred and mail stays in the queue.  </p>
++
++<p> The hostname used in the check is performed against all names
++provided as dNSNames in the SubjectAlternativeName.  If no dNSNames
++are specified, the CommonName is checked.  The behavior may be
++changed with the smtp_tls_enforce_peername option.  </p>
++
++<p> This option is useful only if you are definitely sure that you
++will only connect to servers that support RFC 2487 _and_ that
++provide valid server certificates.  It is relatively safe to use
++for local clients that only send email to one mailhub with the
++necessary STARTTLS support.  </p>
++
++%PARAM smtp_tls_enforce_peername yes
++
++<p> When TLS encryption is enforced, require that the remote SMTP
++server hostname matches the information in the remote SMTP server
++certificate.  As of RFC 2487 the requirements for hostname checking
++for MTA clients are not set. </p>
++
++<p> This option can be set to "no" to disable strict peer name
++checking. This setting has no effect on sessions that are controlled
++via the smtp_tls_per_site table.  </p>
++
++<p> Disabling the hostname verification can make sense in closed
++environment where special CAs are created.  If not used carefully,
++this option opens the danger of a "man-in-the-middle" attack (the
++CommonName of this attacker will be logged). </p>
++
++%PARAM smtp_tls_per_site
++
++<p> Optional lookup tables with the Postfix SMTP client TLS usage
++policy by next-hop domain name and by remote SMTP server hostname.
++</p>
++
++<p> Table format:  domain names or server hostnames are specified
++on the left-hand side; no wildcards are allowed.  On the right hand
++side specify one of the following keywords:  </p>
++
++<dl>
++
++<dt> NONE </dt> <dd>Don't use TLS at all. </dd>
++
++<dt> MAY </dt> <dd>Try to use STARTTLS if offered,
++otherwise use the un-encrypted connection. </dd>
++
++<dt> MUST </dt> <dd>Require usage of STARTTLS, require that the
++remote SMTP server hostname matches the information in the remote
++SMTP server certificate, and require that the remote SMTP server
++certificate was issued by a trusted CA. </dd>
++
++<dt> MUST_NOPEERMATCH </dt> <dd>Require usage of STARTTLS, but do
++not require that the remote SMTP server hostname matches the
++information in the remote SMTP server certificate, or that the
++server certificate was issued by a trusted CA. </dd>
++
++</dl>
++
++<p> Special hint for enforcement mode:  since no secure DNS lookup
++mechanism is available, the recommended setup is:  specify local
++transport(5) table entries for sensitive domains with explicit
++smtp:[mailhost] destinations (since you can assure security of this
++table unlike DNS), then specify MUST for these mail hosts in the
++smtp_tls_per_site table. </p>
++
++%PARAM smtp_tls_scert_verifydepth 5
++
++<p> The verification depth for remote SMTP server certificates. A
++depth of 1 is sufficient, if the certificate is directly issued by
++a CA listed in the CA files.  The default value (5) should suffice
++for longer chains (the root CA issues special CA which then issues
++the actual certificate...). </p>
++
++%PARAM smtp_tls_note_starttls_offer no
++
++<p> Log the hostname of a remote SMTP server that offers STARTTLS,
++when TLS is not already enabled for that server. </p>
++
++<p> The logfile record looks like:  </p>
++
++<pre>
++postfix/smtp[pid]:  Host offered STARTTLS: [name.of.host]
++</pre>
++
++%PARAM smtp_tls_cipherlist
++
++<p> Controls the Postfix SMTP client TLS cipher selection scheme.
++For details, see the OpenSSL documentation. Note: do not use ""
++quotes around the parameter value. </p>
++
++%PARAM smtp_starttls_timeout 300s
++
++<p> Time limit for Postfix SMTP client write and read operations
++during TLS startup and shutdown handshake procedures. </p>
++
++%PARAM smtp_tls_dkey_file $smtp_tls_dcert_file
++
++<p> File with the Postfix SMTP client DSA private key in PEM format.
++The private key must not be encrypted. In other words, the key must
++be accessible without password. </p>
++
++<p> This file may be combined with the server certificate file
++specified with $smtp_tls_cert_file. </p>
++
++%PARAM smtp_tls_dcert_file
++
++<p> File with the Postfix SMTP client DSA certificate in PEM format.
++This file may also contain the server private key. </p>
++
++<p> See the discussion under smtp_tls_cert_file for more details.
++</p>
++
++<p> Example: </p>
++
++<pre>
++smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
++</pre>
++
++%PARAM tls_random_exchange_name ${config_directory}/prng_exch
++
++<p> Name of the pseudo random number generator (PRNG) seed file
++that is maintained by tlsmgr(8), and that is read by the smtp(8)
++and smtpd(8) processes upon startup. The file length is fixed at
++1024 bytes, and is created by tlsmgr(8) when it does not exist.
++</p>
++
++<p> Since this file is changed by Postfix, it should probably be
++kept in the /var file system, instead of under $config_directory.
++The location should not be inside the chroot jail. </p>
++
++%PARAM tls_random_source
++
++<p> The external entropy source for the in-memory tlsmgr(8) pseudo
++random number generator (PRNG) pool. Be sure to specify a non-blocking
++source.  If this source is not a regular file, the entropy source
++type must be prepended:  egd:/path/to/egd_socket for a source with
++EGD compatible socket interface, or dev:/path/to/device for a
++device file.  </p>
++
++%PARAM tls_random_bytes 32
++
++<p> The number of bytes that tlsmgr(8) reads from $tls_random_source
++when (re)seeding the in-memory pseudo random number generator (PRNG)
++pool. The default of 32 bytes (256 bits) is good enough for 128bit
++symmetric keys.  If using EGD, a maximum of 255 bytes is read. </p>
++
++%PARAM tls_random_reseed_period 3600s
++
++<p> The maximal time between attempts by tlsmgr(8) to re-seed the
++in-memory pseudo random number generator (PRNG) pool from external
++sources.  The actual time between re-seeding attempts is calculated
++using the PRNG, and is between 0 and the time specified.  </p>
++
++%PARAM tls_random_prng_update_period 60s
++
++<p> The maximal time between attempts by tlsmgr(8) to rewrite the
++pseudo random number generator (PRNG) seed file specified with
++$tls_random_exchange_name. This file is read by smtpd(8) and smtpd(8)
++processes in order to seed their PRNGs.  The actual time between
++rewriting attempts is calculated using the PRNG, and is between 0
++and the time specified.  </p>
++
++%PARAM tls_daemon_random_source
++
++<p> Optional external source of entropy that can be read by smtpd(8)
++and smtpd(8) processes in order to initialize their PRNGs. Be sure
++to specify a non-blocking source.  The entropy source type must be
++prepended to the source name:  egd:/path/to/egd_socket for a source
++with EGD compatible socket interface, or dev:/path/to/device for
++a device file.  </p>
++
++<p> Examples: </p>
++
++<pre>
++tls_daemon_random_source = dev:/dev/urandom
++tls_daemon_random_source = egd:/var/run/egd-pool
++</pre>
++
++%PARAM tls_daemon_random_bytes 32
++
++<p> The amount of data that smtpd(8) and smtpd(8) processes read
++from the entropy source specified with $tls_daemon_random_source.
++The default of 32 bytes (equivalent to 256 bits) is sufficient to
++generate a 128bit (or 168bit) session key. </p>
++
++<p> Usage of this option may drain EGD (consider the case of 50
++smtp(8) processes starting up with a full queue and "postfix start",
++which will request 1600 bytes of entropy). This is however not
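Review bot: the process names in the tls_random_prng_update_period, tls_daemon_random_source and tls_daemon_random_bytes descriptions read "smtpd(8) and smtpd(8)", while the tls_random_exchange_name text in the same hunk correctly says "read by the smtp(8) and smtpd(8) processes"; change all three occurrences to "smtp(8) and smtpd(8)". Two client-side descriptions also carry over server-side wording: smtp_tls_dkey_file says the key "may be combined with the server certificate file specified with $smtp_tls_cert_file", but its default is $smtp_tls_dcert_file, so it should read "the client DSA certificate file specified with $smtp_tls_dcert_file"; likewise smtp_tls_dcert_file should say the file "may also contain the client private key", not "the server private key". These are the parameters an operator consults to decide which unencrypted key file each daemon must be able to read and which files must stay outside the chroot, so the mismatched names are worth fixing before this documentation is shipped.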
+diff -urNad postfix-release/proto/TLS_README.html /tmp/dpep.cXJuVH/postfix-release/proto/TLS_README.html
+--- postfix-release/proto/TLS_README.html	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/proto/TLS_README.html	2005-02-03 10:22:12.994111406 -0700
+@@ -0,0 +1,1093 @@
++<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
++        "http://www.w3.org/TR/html4/loose.dtd">
++
++<html>
++
++<head>
++
++<title>Postfix TLS Support </title>
++
++<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
++
++</head>
++
++<body>
++
++<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix TLS Support
++</h1>
++
++<hr>
++
++<h2> Purpose of this document </h2> 
++
++<p> This document describes how to configure the Transport Layer
++Security (TLS) support in the Postfix SMTP client and Postfix SMTP server,
++and how to configure the TLS manager daemon that maintains the
++Pseudo Random Number Generator (PRNG) pool and the TLS session
++cache information. </p>
++
++<p> Topics covered in this document: </p>
++
++<ul>
++
++<li><a href="#server_tls">SMTP Server specific settings</a>
++
++<li> <a href="#client_tls">SMTP Client specific settings</a>
++
++<li><a href="#tlsmgr_controls"> TLS manager specific settings </a>
++
++<li><a href="#problems"> Reporting problems </a>
++
++<li><a href="#credits"> Credits </a>
++
++</ul>
++
++<h2><a name="server_tls">SMTP Server specific settings</a></h2>
++
++<p> Topics covered in this section: </p>
++
++<ul>
++
++<li><a href="#server_cert_key">Server-side certificate and private
++key configuration </a>
++
++<li><a href="#server_logging"> Server-side TLS activity logging
++</a>
++
++<li><a href="#server_enable">Enabling TLS in the Postfix SMTP server </a>
++
++<li><a href="#server_vrfy_client">Client certificate verification</a>
++
++<li><a href="#server_tls_auth">Supporting AUTH over TLS only</a>
++
++<li><a href="#server_tls_cache">Server-side TLS session cache</a>
++
++<li><a href="#server_access">Server access control</a>
++
++<li><a href="#server_cipher">Server-side cipher controls</a>
++
++<li><a href="#server_misc"> Miscellaneous server controls</a>
++
++</ul>
++
++<h3><a name="server_cert_key">Server-side certificate and private
++key configuration </a> </h3>
++
++<p> In order to use TLS, the Postfix SMTP server needs a certificate
++and a private key. Both must be in "pem" format. The private key
++must not be encrypted, meaning:  the key must be accessible without
++password.  Both certificate and private key may be in the same
++file.  </p>
++
++<p> Both RSA and DSA certificates are supported. Typically you will
++only have RSA certificates issued by a commercial CA. In addition,
++the tools supplied with OpenSSL will by default issue RSA certificates.
++You can have both at the same time, in which case the cipher used
++determines which certificate is presented. For Netscape and OpenSSL
++clients without special cipher choices, the RSA certificate is
++preferred. </p>
++
++<p> In order for remote SMTP clients to check the Postfix SMTP
++server certificates, the CA certificate (in case of a certificate
++chain, all CA certificates) must be available.  You should add
++these certificates to the server certificate, the server certificate
++first, then the issuing CA(s).  </p>
++
++<p> Example: the certificate for "server.dom.ain" was issued by
++"intermediate CA" which itself has a certificate issued by "root
++CA".  Create the server.pem file with: </p>
++
++<blockquote>
++<pre>
++cat server_cert.pem intermediate_CA.pem root_CA.pem &gt; server.pem
++</pre>
++</blockquote>
++
++<p> If you want the Postfix SMTP server to accept remote SMTP client
++certificates issued by these CAs, you can also add the CA certificates
++to the smtpd_tls_CAfile, in which case it is not necessary to have
++them in the smtpd_tls_cert_file or smtpd_tls_dcert_file. </p>
++
++<p> A Postfix SMTP server certificate supplied here must be usable
++as SSL server certificate and hence pass the "openssl verify -purpose
++sslserver
++..." test. </p>
++
++<p> RSA key and certificate examples: </p>
++
++<blockquote>
++<pre>
++smtpd_tls_cert_file = /etc/postfix/server.pem
++smtpd_tls_key_file = $smtpd_tls_cert_file
++</pre>
++</blockquote>
++
++<p> Their DSA counterparts: </p>
++
++<blockquote>
++<pre>
++smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
++smtpd_tls_dkey_file = $smtpd_tls_dcert_file
++</pre>  
++</blockquote>
++
++<p> The Postfix SMTP server certificate was issued by a certification
++authority (CA), the CA-cert of which must be provided with the CA
++file if it is not already provided in the certificate file.  The
++CA file may also contain the CA certificates of other trusted CAs.
++You must use this file for the list of trusted CAs if you want to
++use chroot-mode. No default is supplied for this value as of now.
++</p>
++
++<p> Example: </p>
++<blockquote>
++<pre>
++smtpd_tls_CAfile = /etc/postfix/CAcert.pem
++</pre>
++</blockquote>
++
++<p> To verify a remote SMTP client certificate, the Postfix SMTP
++server needs to know the certificates of the issuing certification
++authorities. These certificates in "pem" format are collected in
++a directory. The same CA certificates are offered to clients for
++client verification.  Don't forget to create the necessary "hash"
++links with $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs. A typical
++place for the CA certificates may also be $OPENSSL_HOME/certs, so
++there is no default and you explicitly have to set the value here!
++</p>
++
++<p> To use this option in chroot mode, this directory itself or a
++copy of it must be inside the chroot jail. Please note also, that
++the CAs in this directory are not listed to the client, so that
++e.g. Netscape might not offer certificates issued by them.  For
++this reason, the use of this feature is discouraged. </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtpd_tls_CApath = /etc/postfix/certs
++</pre>
++</blockquote>
++
++<h3><a name="server_logging"> Server-side TLS activity logging </a> </h3>
++
++<p> To get additional information about Postfix SMTP server TLS
++activity you can increase the loglevel from 0..4. Each logging
++level also includes the information that is logged at a lower
++logging level. </p>
++
++<blockquote>
++
++<table>
++
++<tr> <td> 0 </td> <td> Disable logging of TLS activity.</td> </tr>
++
++<tr> <td> 1 </td> <td> Log TLS handshake and certificate information.
++</td> </tr>
++
++<tr> <td> 2 </td> <td> Log levels during TLS negotiation.  </td>
++</tr>
++
++<tr> <td> 3 </td> <td> Log hexadecimal and ASCII dump of TLS
++negotiation process </td> </tr>
++
++<tr> <td> 4 </td> <td> Log hexadecimal and ASCII dump of complete
++transmission after STARTTLS </td> </tr>
++
++</table>
++
++</blockquote>
++
++<p> Use loglevel 3 only in case of problems. Use of loglevel 4 is
++strongly discouraged. </p>
++
++<p> Example: </p>
++
++<blockquote>
++<pre>
++smtpd_tls_loglevel = 0
++</pre>
++</blockquote>
++
++<p> To include information about the protocol and cipher used as
++well as the client and issuer CommonName into the "Received:"
++message header, set the smtpd_tls_received_header variable to true.
++The default is no, as the information is not necessarily authentic.
++Only information recorded at the final destination is reliable,
++since the headers may be changed by intermediate servers. </p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++smtpd_tls_received_header = yes
++</pre>
++</blockquote>
++
++<h3><a name="server_enable">Enabling TLS in the Postfix SMTP server </a> </h3>
++
++<p> By default, TLS is disabled in the Postfix SMTP server, so no
++difference to plain Postfix is visible.  Explicitly switch it on
++using "smtpd_use_tls = yes". </p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++smtpd_use_tls = yes
++</pre>
++</blockquote>
++
++<p> Note: when an unprivileged user invokes "sendmail -bs", STARTTLS
++is never offered due to insufficient privileges to access the server
++private key. This is intended behavior. </p>
++
++<p> You can ENFORCE the use of TLS, so that the Postfix SMTP server
++accepts no commands (except QUIT of course) without TLS encryption,
++by setting "smtpd_enforce_tls = yes". According to RFC 2487 this
++MUST NOT be applied in case of a publicly-referenced Postfix SMTP
++server.  So this option is off by default and should only seldom
++be used.  Using this option implies "smtpd_use_tls = yes". </p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++smtpd_enforce_tls = yes
++</pre>
++</blockquote>
++
++<p> Besides RFC 2487 some clients, namely Outlook [Express] prefer
++to run the non-standard "wrapper" mode, not the STARTTLS enhancement
++to SMTP.  This is true for OE (Win32 &lt; 5.0 and Win32 &gt;=5.0 when
++run on a port&lt;&gt;25 and OE (5.01 Mac on all ports). </p>
++
++<p> It is strictly discouraged to use this mode from main.cf. If
++you want to support this service, enable a special port in master.cf
++and specify "-o smtpd_tls_wrappermode = yes" as an smtpd(8) command
++line option.  Port 465 (smtps) was once chosen for this feature.
++</p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++smtpd_tls_wrappermode = no
++</pre>
++</blockquote>
++
++<h3><a name="server_vrfy_client">Client certificate verification</a> </h3>
++
++<p> To receive a remote SMTP client certificate, the Postfix SMTP
++server must explicitly ask for one by sending the $smtpd_tls_CAfile
++certificates to the client. Unfortunately, Netscape clients will
++either complain if no matching client certificate is available or
++will offer the user client a list of certificates to choose from.
++This might be annoying, so this option is "off" by default.  You
++will however need the certificate if you want to use certificate
++based relaying with, for example, the permit_tls_client_certs
++feature.  </p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++smtpd_tls_ask_ccert = no
++</pre>
++</blockquote>
++
++<p> You may also decide to REQUIRE a remote SMTP client certificate
++before allowing TLS connections.  This feature is included for
++completeness, and implies "smtpd_tls_ask_ccert = yes".  </p>
++
++<p> Please be aware, that this will inhibit TLS connections without
++a proper client certificate and that it makes sense only when
++non-TLS submission is disabled (smtpd_enforce_tls = yes). Otherwise,
++clients could bypass the restriction by simply not using STARTTLS
++at all. </p>
++
++<p> When TLS is not enforced, the connection will be handled as
++if only "smtpd_tls_ask_ccert = yes" is specified, and a warning is
++logged. </p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++smtpd_tls_req_ccert = no
++</pre>
++</blockquote>
++
++<p> A client certificate verification depth of 1 is sufficient if
++the certificate is directly issued by a CA listed in the CA file.
++The default value (5) should also suffice for longer chains (root
++CA issues special CA which then issues the actual certificate...)
++</p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++smtpd_tls_ccert_verifydepth = 5
++</pre>
++</blockquote>
++
++<h3><a name="server_tls_auth">Supporting AUTH over TLS only</a></h3>
++
++<p> Sending AUTH data over an un-encrypted channel poses a security
++risk. When TLS layer encryption is required (smtpd_enforce_tls =
++yes), the Postfix SMTP server will announce and accept AUTH only
++after the TLS layer has been activated with STARTTLS. When TLS
++layer encryption is optional (smtpd_enforce_tls = no), it may
++however still be useful to only offer AUTH when TLS is active. To
++maintain compatibility with non-TLS clients, the default is to
++accept AUTH without encryption. In order to change this behavior,
++set "smtpd_tls_auth_only = yes". </p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++smtpd_tls_auth_only = no
++</pre>
++</blockquote>
++
++<h3><a name="server_tls_cache">Server-side TLS session cache</a> </h3>
++
++<p> The Postfix SMTP server and the remote SMTP client negotiate a
++session, which takes some computer time and network bandwidth. By
++default, this session information is cached only in the smtpd(8)
++process actually using this session and is lost when the process
++terminates.  To share the session information between multiple
++smtpd(8) processes, a persistent session cache can be used based
++on the SDBM databases (routines included in Postfix/TLS). Since
++concurrent writing must be supported, only SDBM can be used. </p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
++</pre>
++</blockquote>
++
++<p> Cached Postfix SMTP server session information expires after
++a certain amount of time.  Postfix/TLS does not use the OpenSSL
++default of 300s, but a longer time of 3600sec (=1 hour). RFC 2246
++recommends a maximum of 24 hours.  </p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++smtpd_tls_session_cache_timeout = 3600s
++</pre>
++</blockquote>
++
++<h3><a name="server_access">Server access control</a> </h3>
++
++<p> Postfix TLS support introduces two additional features for
++Postfix SMTP server access control:  </p>
++
++<blockquote>
++
++<dl>
++
++<dt> permit_tls_clientcerts </dt> <dd> <p> Allow the remote SMTP
++client SMTP request if the client certificate passes verification,
++and if its fingerprint is listed in the list of client certificates
++(see relay_clientcerts discussion below). </p> </dd>
++
++<dt> permit_tls_all_clientcerts </dt> <dd> <p> Allow the remote
++client SMTP request if the client certificate passes verification.
++</p> </dd>
++
++</dl>
++
++</blockquote>
++
++<p> The permit_tls_all_clientcerts feature must be used with caution,
++because it can result in too many access permissions.  Use this
++feature only if a special CA issues the client certificates, and
++only if this CA is listed as trusted CA. If other CAs are trusted,
++any owner of a valid client certificate would be authorized.
++The permit_tls_all_clientcerts feature can be practical for a
++specially created email relay server.  </p>
++
++<p> It is however recommended to stay with the permit_tls_clientcerts
++feature and list all certificates via $relay_clientcerts, as
++permit_tls_all_clientcerts does not permit any control when a
++certificate must no longer be used (e.g. an employee leaving). </p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++smtpd_recipient_restrictions = 
++    ... 
++    permit_tls_clientcerts 
++    reject_unauth_destination
++    ...
++</pre>
++</blockquote>
++
++<p> The Postfix list manipulation routines give special treatment
++to whitespace and some other characters, making the use of certificate
++names unpractical.  Instead we use the certificate fingerprints as
++they are difficult to fake but easy to use for lookup.  Postfix
++lookup tables are in the form of (key, value) pairs.  Since we only
++need the key, the value can be chosen freely, e.g.  the name of
++the user or host:</p>
++
++<blockquote>
++<pre>
++D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home
++</pre>
++</blockquote>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++relay_clientcerts = hash:/etc/postfix/relay_clientcerts
++</pre>
++</blockquote>
++
++<h3><a name="server_cipher">Server-side cipher controls</a> </h3>
++
++<p> To influence the Postfix SMTP server cipher selection scheme,
++you can give cipherlist string.  A detailed description would go
++to far here, please refer to the openssl documentation.  If you
++don't know what to do with it, simply don't touch it and leave the
++(openssl-)compiled in default! </p>
++
++<p> DO NOT USE " to enclose the string, specify just the string!!! </p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++smtpd_tls_cipherlist = DEFAULT
++</pre>
++</blockquote>
++
++<p> If you want to take advantage of ciphers with EDH, DH parameters
++are needed.  Instead of using the built-in DH parameters for both
++1024bit and 512bit, it is better to generate "own" parameters,
++since otherwise it would "pay" for a possible attacker to start a
++brute force attack against parameters that are used by everybody.
++For this reason, the parameters chosen are already different from
++those distributed with other TLS packages. </p>
++
++<p> To generate your own set of DH parameters, use: </p>
++
++<blockquote>
++<pre>
++openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024
++openssl gendh -out /etc/postfix/dh_512.pem -2 -rand /var/run/egd-pool 512
++</pre>
++</blockquote>
++
++<p> Your source for "entropy" might vary; some systems have
++/dev/random; on other systems you might consider the "Entropy
++Gathering Daemon EGD", available at http://www.lothar.com/tech/crypto/.
++</p>
++
++<p> Examples: </p>
++ 
++<blockquote>
++<pre>
++smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
++smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
++</pre>
++</blockquote>
++
++<h3><a name="server_misc"> Miscellaneous server controls</a> </h3>
++
++<p> The smtpd_starttls_timeout parameter limits the time of Postfix
++SMTP server write and read operations during TLS startup and shutdown
++handshake procedures.  </p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++smtpd_starttls_timeout = 300s
++</pre>
++</blockquote>
++
++<h2> <a name="client_tls">SMTP Client specific settings</a> </h2>
++
++<p> Topics covered in this section: </p>
++
++<ul>
++
++<li><a href="#client_cert_key">Client-side certificate and private
++key configuration </a>
++
++<li><a href="#client_logging"> Client-side TLS activity logging
++</a>
++
++<li><a href="#client_tls_cache">Client-side TLS session cache</a>
++
++<li><a href="#client_tls"> Enabling TLS in the Postfix SMTP client </a>
++
++<li><a href="#client_vrfy_server">Server certificate verification</a>
++
++<li> <a href="#client_cipher">Client-side cipher controls </a>
++
++<li> <a href="#client_misc"> Miscellaneous client controls </a>
++
++</ul>
++
++<h3><a name="client_cert_key">Client-side certificate and private
++key configuration </a> </h3>
++
++During TLS startup negotiation the Postfix SMTP client may present
++a certificate to the remote SMTP server.  The Netscape client is
++rather clever here and lets the user select between only those
++certificates that match CA certificates offered by the remote SMTP
++server. As the Postfix SMTP client uses the "SSL_connect()" function
++from the OpenSSL package, this is not possible and we have to choose
++just one certificate.  So for now the default is to use _no_
++certificate and key unless one is explicitly specified here. </p>
++
++<p> Both RSA and DSA certificates are supported.  You can have both
++at the same time, in which case the cipher used determines which
++certificate is presented.  </p>
++
++<p> It is possible for the Postfix SMTP client to use the same
++key/certificate pair as the Postfix SMTP server.  If a certificate
++is to be presented, it must be in "pem" format. The private key
++must not be encrypted, meaning: it must be accessible without
++password. Both parts (certificate and private key) may be in the
++same file. </p>
++
++<p> In order for remote SMTP servers to verify the Postfix SMTP
++client certificates, the CA certificate (in case of a certificate
++chain, all CA certificates) must be available.  You should add
++these certificates to the client certificate, the client certificate
++first, then the issuing CA(s). </p>
++
++<p> Example: the certificate for "client.dom.ain" was issued by
++"intermediate CA" which itself has a certificate of "root CA".
++Create the client.pem file with: </p>
++
++<blockquote>
++<pre>
++cat client_cert.pem intermediate_CA.pem root_CA.pem &gt; client.pem
++</pre>
++</blockquote>
++
++<p> If you want the Postfix SMTP client to accept certificates
++issued by these CAs, you can also add the CA certificates to the
++smtp_tls_CAfile, in which case it is not necessary to have them in
++the smtp_tls_cert_file or smtp_tls_dcert_file.  </p>
++
++<p> A Postfix SMTP client certificate supplied here must be usable
++as SSL client certificate and hence pass the "openssl verify -purpose
++sslclient
++..." test. </p>
++
++<p> RSA key and certificate examples: </p>
++ 
++<blockquote>
++<pre>
++smtp_tls_cert_file = /etc/postfix/client.pem
++smtp_tls_key_file = $smtp_tls_cert_file
++</pre>
++</blockquote>
++
++<p> Their DSA counterparts: </p>
++
++<blockquote>
++<pre>
++smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
++smtp_tls_dkey_file = $smtpd_tls_cert_file
++</pre>  
++</blockquote>
++
++<p> The Postfix SMTP client certificate was issued by a certification
++authority (CA), the CA-cert of which must be provided with the CA
++file if it is not already provided in the certificate file.  The
++CA file may also contain the CA certificates of other trusted CAs.
++You must use this file for the list of trusted CAs if you want to
++use chroot-mode. No default is supplied for this value as of now.
++</p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++smtp_tls_CAfile = /etc/postfix/CAcert.pem
++</pre>
++</blockquote>
++
++<p> To verify a remote SMTP server certificate, the Postfix SMTP
++client needs to know the certificates of the issuing certification
++authorities. These certificates in "pem" format are collected in
++a directory. Don't forget to create the necessary "hash" links with
++$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs. A typical place for
++the CA certificates may also be $OPENSSL_HOME/certs, so there is
++no default and you explicitly have to set the value here! </p>
++
++<p> To use this option in chroot mode, this directory itself or a
++copy of it must be inside the chroot jail. </p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++smtp_tls_CApath = /etc/postfix/certs
++</pre>
++</blockquote>
++
++<h3><a name="client_logging"> Client-side TLS activity logging </a> </h3>
++
++<p> To get additional information about Postfix SMTP client TLS
++activity you can increase the loglevel from 0..4. Each logging
++level also includes the information that is logged at a lower
++logging level. </p>
++
++<blockquote>
++
++<table>
++
++<tr> <td> 0 </td> <td> Disable logging of TLS activity.</td> </tr>
++
++<tr> <td> 1 </td> <td> Log TLS handshake and certificate information.
++</td> </tr>
++
++<tr> <td> 2 </td> <td> Log levels during TLS negotiation.  </td>
++</tr>
++
++<tr> <td> 3 </td> <td> Log hexadecimal and ASCII dump of TLS
++negotiation process </td> </tr>
++
++<tr> <td> 4 </td> <td> Log hexadecimal and ASCII dump of complete
++transmission after STARTTLS </td> </tr>
++
++</table>
++
++</blockquote>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++smtp_tls_loglevel = 0
++</pre>
++</blockquote>
++
++<h3><a name="client_tls_cache">Client-side TLS session cache</a> </h3>
++
++<p> The remote SMTP server and the Postfix SMTP client negotiate a
++session, which takes some computer time and network bandwidth.  By
++default, this session information is cached only in the smtp(8)
++process actually using this session and is lost when the process
++terminates.  To share the session information between multiple
++smtp(8) processes, a persistent session cache can be used based on
++the SDBM databases (routines included in Postfix/TLS). Since
++concurrent writing must be supported, only SDBM can be used. </p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache
++</pre>
++</blockquote>
++
++<p> Cached Postfix SMTP client session information expires after
++a certain amount of time.  Postfix/TLS does not use the OpenSSL
++default of 300s, but a longer time of 3600s (=1 hour). RFC 2246
++recommends a maximum of 24 hours.  </p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++smtp_tls_session_cache_timeout = 3600s
++</pre>
++</blockquote>
++
++<h3><a name="client_tls"> Enabling TLS in the Postfix SMTP client </a>
++</h3>
++
++<p> By default, TLS is disabled in the Postfix SMTP client, so no
++difference to plain Postfix is visible.  If you enable TLS, the
++Postfix SMTP client will send STARTTLS when TLS support is announced
++by the remote SMTP server. </p>
++
++<p> WARNING: MS Exchange servers will announce STARTTLS support
++even when the service is not configured, so that the TLS handshake
++will fail.  It may be wise to not use this option on your central
++mail hub, as you don't know in advance whether you are going to
++connect to such a host. Instead, use the smtp_tls_per_site
++recipient/site specific options that are described below. </p>
++
++<p> When the TLS handshake fails and no other server is available,
++the Postfix SMTP client defers the delivery attempt, and the mail
++stays in the queue.  </p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++smtp_use_tls = yes
++</pre>
++</blockquote>
++
++<p> You can ENFORCE the use of TLS, so that the Postfix SMTP client
++will not deliver mail over un-encrypted connections.  In this mode,
++the remote SMTP server hostname must match the information in the
++remote server certificate, and the server certificate must be issued
++by a CA that is trusted by the Postfix SMTP client.  If the remote
++server certificate doesn't verify or the remote SMTP server hostname
++doesn't match, and no other server is available, the delivery
++attempt is deferred and the mail stays in the queue.  </p>
++
++<p> The remote SMTP server hostname used in the check is beyond
++question, as it must be the principal hostname (no CNAME allowed
++here). Checks are performed against all names provided as dNSNames
++in the SubjectAlternativeName. If no dNSNames are specified, the
++CommonName is checked.  The behavior may be changed with the
++smtp_tls_enforce_peername option which is discussed below. </p>
++
++<p> This option is useful only if you know that you will only
++connect to servers that support RFC 2487 _and_ that present server
++certificates that meet the above requirements.  An example would
++be a client only sends email to one specific mailhub that offers
++the necessary STARTTLS support.  </p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++smtp_enforce_tls = no
++</pre>
++</blockquote>
++
++<p> As of RFC 2487 the requirements for hostname checking for MTA
++clients are not set. When TLS is required (smtp_enforce_tls = yes),
++the option smtp_tls_enforce_peername can be set to "no" to disable
++strict remote SMTP server hostname checking. In this case, the mail
++delivery will proceed regardless of the CommonName etc. listed in
++the certificate. </p>
++
++<p> Note: the smtp_tls_enforce_peername setting has no effect on
++sessions that are controlled via the smtp_tls_per_site table.  </p>
++
++<p>  Disabling the remote SMTP server hostname verification can
++make sense in closed environment where special CAs are created.
++If not used carefully, this option opens the danger of a
++"man-in-the-middle" attack (the CommonName of this possible attacker
++is logged). </p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++smtp_tls_enforce_peername = yes
++</pre>
++</blockquote>
++
++<p> Generally, trying TLS can be a bad idea, as some servers offer
++STARTTLS but the negotiation will fail leading to unexplainable
++failures. Instead, it may be a good idea to choose the TLS usage
++policy based on the recipient or the mailhub to which you are
++connecting. </p>
++
++<p> Deciding the TLS usage policy per recipient may be difficult,
++since a single email delivery attempt can involve several recipients.
++Instead, use of TLS is controlled by the Postfix next-hop destination
++domain name and by the remote SMTP server hostname.  If either of these
++matches an entry in the smtp_tls_per_site table, appropriate action
++is taken.  </p>
++
++<p> The remote SMTP server hostname is simply the DNS name of the
++server that the Postfix SMTP client connects to.  The next-hop
++destination is Postfix specific.  By default, this is the domain
++name in the recipient address, but this information can be overruled
++by the transport(5) table or by the relayhost parameter setting.
++In these cases the relayhost etc. must be listed in the smtp_tls_per_site
++table, instead of the recipient domain name. </p>
++
++<p> Format of the table: domain or host names are specified on the
++left-hand side; no wildcards are allowed.  On the right hand side
++specify one of the following keywords:  </p>
++
++<blockquote>
++
++<dl>
++
++<dt> NONE </dt> <dd> Don't use TLS at all. </dd>
++
++<dt> MAY </dt> <dd> Try to use STARTTLS if offered,
++otherwise use the un-encrypted connection. </dd>
++
++<dt> MUST </dt> <dd> Require usage of STARTTLS, require that the
++remote SMTP server hostname matches the information in the remote
++SMTP server certificate, and require that the remote SMTP server
++certificate was issued by a trusted CA. </dd>
++
++<dt> MUST_NOPEERMATCH </dt> <dd> Require usage of STARTTLS, but do
++not require that the remote SMTP server hostname matches the
++information in the remote SMTP server certificate, or that the
++server certificate was issued by a trusted CA. </dd>
++
++</dl>
++
++</blockquote>
++
++<p> The actual TLS usage policy depends not only on whether the
++next-hop destination or remote SMTP server hostname are found in
++the smtp_tls_per_site table, but also on the smtp_enforce_tls
++setting:  </p>
++
++<ul>
++
++<li> <p> If no match was found, the policy is applied as specified
++with smtp_enforce_tls. </p>
++
++<li> <p> If a match was found, and the smtp_enforce_tls policy is
++"enforce", NONE explicitly switches it off; otherwise the "enforce"
++mode is used even for entries that specify MAY. </p>
++
++</ul>
++
++<p> Special hint for TLS enforcement mode:  since no secure DNS
++lookup mechanism is available, mail can be delivered to the wrong
++remote SMTP server. This is not prevented by specifying MUST for
++the next-hop domain name.  The recommended setup is:  specify local
++transport(5) table entries for sensitive domains with explicit
++smtp:[mailhost] destinations (since you can assure security of this
++table unlike DNS), then specify MUST for these mail hosts in the
++smtp_tls_per_site table. </p>
++
++<!-- XXX What it we were to require that each MX host lists the
++domain it is responsible for in its server certificate, and that
++Postfix/TLS includes the next-hop domain name in the peer name
++verification process? -->
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++smtp_tls_per_site = hash:/etc/postfix/tls_per_site
++</pre>
++</blockquote>
++
++<p> As we decide on a "per site" basis whether or not to use TLS,
++it would be good to have a list of sites that offered "STARTTLS".
++We can collect it ourselves with this option. </p>
++
++<p> If the smtp_tls_note_starttls_offer feature is enabled and a
++server offers STARTTLS while TLS is not already enabled for that
++server, the Postfix SMTP client logs a line as follows: </p>
++
++<blockquote>
++<pre>
++postfix/smtp[pid]: Host offered STARTTLS: [hostname.example.com]
++</pre>
++</blockquote>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++smtp_tls_note_starttls_offer = yes
++</pre>
++</blockquote>
++
++<h3><a name="client_vrfy_server">Server certificate verification</a> </h3>
++
++<p> When verifying a remote SMTP server certificate, a verification
++depth of 1 is sufficient if the certificate is directly issued by
++a CA specified with smtp_tls_CAfile or smtp_tls_CApath.  The default
++value of 5 should also suffice for longer chains (root CA issues
++special CA which then issues the actual certificate...) </p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++smtp_tls_scert_verifydepth = 5
++</pre>
++</blockquote>
++
++<h3> <a name="client_cipher">Client-side cipher controls </a> </h3>
++
++<p> To influence the Postfix SMTP client cipher selection scheme,
++you can give cipherlist string.  A detailed description would go
++to far here, please refer to the openssl documentation.  If you
++don't know what to do with it, simply don't touch it and leave the
++(openssl-)compiled in default! </p>
++
++<p> DO NOT USE " to enclose the string, specify just the string!!! </p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++smtp_tls_cipherlist = DEFAULT
++</pre>
++</blockquote>
++
++<h3> <a name="client_misc"> Miscellaneous client controls </a> </h3>
++
++<p> The smtp_starttls_timeout parameter limits the time of Postfix
++SMTP client write and read operations during TLS startup and shutdown
++handshake procedures.  In case of problems the Postfix SMTP client
++tries the next network address on the mail exchanger list, and
++defers delivery if no alternative server is available. </p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++smtp_starttls_timeout = 300s
++</pre>
++</blockquote>
++
++<h2><a name="tlsmgr_controls"> TLS manager specific settings </a> </h2>
++
++<p> The security of cryptographic software such as TLS depends
++critically on the ability to generate unpredictable numbers for
++keys and other information. To this end, the tlsmgr(8) process
++maintains a Pseudo Random Number Generator (PRNG) pool.  This is
++a fixed-size 1024-byte exchange file that is read by the smtp(8)
++and smtpd(8) processes when they initialize.  These processes also
++add some more entropy to the file by stirring in their own time
++and process id information.  </p>
++
++<p> The tlsmgr(8) process creates the file if it does not already
++exist, and rewrites the file at random time intervals with information
++from its in-memory PRNG pool.  The default location is under the
++Postfix configuration directory, which is not the proper place for
++information that is modified by Postfix.  Instead, the file location
++should probably be on the /var partition (but _not_ inside the
++chroot jail).  </p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++tls_random_exchange_name = /etc/postfix/prng_exch
++</pre>
++</blockquote>
++
++<p> In order to feed its in-memory PRNG pool, the tlsmgr(8) reads
++entropy from an external source, both at startup and during run-time.
++Specify a good entropy source, like EGD or /dev/urandom; be sure
++to only use non-blocking sources.  If the entropy source is not a
++regular file, you must prepend the source type to the source name:
++"dev:" for a device special file, or "egd:" for a source with EGD
++compatible socket interface.  </p>
++
++<p> Examples (specify only one in main.cf): </p>
++ 
++<blockquote>
++<pre>
++tls_random_source = dev:/dev/urandom
++tls_random_source = egd:/var/run/egd-pool
++</pre>
++</blockquote>
++
++<p> By default, tlsmgr(8) reads 32 bytes from the external entropy
++source at each seeding event.  This amount (256bits) is more than
++sufficient for generating a 128bit symmetric key.  With EGD and
++device entropy sources, the tlsmgr(8) limits the amount of data
++read at each step to 255 bytes. If you specify a regular file as
++entropy source, a larger amount of data can be read.  </p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++tls_random_bytes = 32
++</pre>
++</blockquote>
++
++<p> In order to update its in-memory PRNG pool, the tlsmgr(8)
++queries the external entropy source again after a random amount of
++time. The time is calculated using the PRNG, and is between 0 and
++the maximal time specified with tls_random_reseed_period.  The
++default maximal time interval is 1 hour. </p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++tls_random_reseed_period = 3600s
++</pre>
++</blockquote>
++
++<p> The tlsmgr(8) re-generates the 1024 byte seed exchange file
++after a random amount of time.  The time is calculated using the
++PRNG, and is between 0 and the maximal time specified with
++tls_random_update_period.  The default maximal time interval is 60
++seconds. </p>
++
++<p> Example: </p>
++ 
++<blockquote>
++<pre>
++tls_random_prng_update_period = 60s
++</pre>
++</blockquote>
++
++<p> If you have an entropy source available that is not easily
++drained (like /dev/urandom), the smtp(8) and smtpd(8) daemons can
++load additional entropy on startup.  By default, an amount of 32
++bytes is read, the equivalent to 256 bits. This is more than
++sufficient to generate a 128bit (or 168bit) session key. However,
++when Postfix needs to generate more than one key it can drain the
++EGD. Consider the case of 50 smtp(8) processes starting up with a
++full queue; this will request 1600bytes of entropy. This is however
++not fatal, as long as "entropy" data can still be read from the
++seed file that is maintained by tlsmgr(8). </p>
++
++<p> Examples: </p>
++ 
++<blockquote>
++<pre>
++tls_daemon_random_source = dev:/dev/urandom
++tls_daemon_random_source = egd:/var/run/egd-pool
++tls_daemon_random_bytes = 32
++</pre>
++</blockquote>
++
++<h2> <a name="problems"> Reporting problems </a> </h2>
++
++<p> When reporting a problem, please be thorough in the report.
++Patches, when possible, are greatly appreciated too. </p>
++
++<p> Please differentiate when possible between: </p>
++
++<ul>
++
++<li> Problems in the IPv6 code: <postfix-ipv6 at stack.nl>
++
++<li> Problems in the TLS code: <postfix_tls at aet.tu-cottbus.de>
++
++<li> Problems in vanilla Postfix: <postfix-users at postfix.org>
++
++</ul>
++
++<h2><a name="credits">Credits </a> </h2>
++
++<ul>
++
++<li> TLS support for Postfix was originally developed by  Lutz
++J&auml;nicke at Cottbus Technical University.
++
++<li> This part of the documentation was compiled by Wietse Venema
++</p>
++
++</ul>
++
++</body>
++
++</html>
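Review bot: the DSA client example ("smtp_tls_dcert_file = /etc/postfix/client-dsa.pem" followed by "smtp_tls_dkey_file = $smtpd_tls_cert_file") points the client's DSA key at the server's RSA certificate file, so anyone copying it gets a key/certificate mismatch; it should read "smtp_tls_dkey_file = $smtp_tls_dcert_file", matching the server section's "$smtpd_tls_dcert_file". Two smaller things in the same file: the paragraph about re-generating the seed exchange file names the parameter "tls_random_update_period" while the example below it sets "tls_random_prng_update_period", and the example "tls_random_exchange_name = /etc/postfix/prng_exch" contradicts the paragraph right above it, which says the configuration directory is not the proper place for that file and points at /var instead. Finally, the addresses in the "Reporting problems" list are written as raw "<postfix-ipv6 at stack.nl>" inside HTML, so a browser will parse them as tags and drop them; they need "&lt;"/"&gt;" the way the "cat ... &gt; client.pem" example already does, and the second Credits item closes a "</p>" that was never opened.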
+diff -urNad postfix-release/README_FILES/IPV6_README /tmp/dpep.cXJuVH/postfix-release/README_FILES/IPV6_README
+--- postfix-release/README_FILES/IPV6_README	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/README_FILES/IPV6_README	2005-02-03 10:22:13.048099363 -0700
+@@ -0,0 +1,158 @@
++Postfix IPv6 / IPv6+TLS patch
++Maintained by Dean C. Strik <dean at ipnet6.org>
++
++These patches add IPv6 support to Postfix. A combo TLS+IPv6 patch is
++available as a replacement for Lutz Jaenicke's TLS patch.
++
++More information about these IPv6 patches can be found on Dean Strik's
++postfix website at
++	http://www.ipnet6.org/postfix/
++
++CONTENTS
++---------
++ - Supported platforms
++ - Downloads
++ - Installation
++ - Configuration
++ - Mailing list
++ - Known issues
++ - Reporting bugs
++
++SUPPORTED PLATFORMS
++--------------------
++
++Currently, the following platforms are supported:
++	- FreeBSD 4.x/5.x
++	- OpenBSD 2.x/3.x
++	- NetBSD 1.5+
++	- Solaris 8/9
++	- Linux 2.x
++	- Darwin 7.3+
++	- Tru64Unix V5.1+
++Postfix may work on other versions of these operating systems or
++other operating systems entirely. If you find a problem on one
++of the above platforms, please contact me at <dean at ipnet6.org>.
++
++DOWNLOADS
++----------
++
++The official download site is
++
++	http://www.ipnet6.org/postfix/
++
++Patches are offered as HTTP and FTP downloads here. To directly
++access the files on the FTP server, use the following address:
++
++	ftp://ftp.stack.nl/pub/postfix/tls+ipv6/
++
++The patches are in gzipped context diff format.
++
++INSTALLATION
++-------------
++
++The patch is distributed as a gzipped context diff. This used to
++be unified diff (more readable), but it was changed because to
++avoid unidiff limitations.
++
++We assume postfix is already extracted, to the directory
++	postfix-2.1.1
++
++1. Decompress the patch:
++	e.g.	$ gunzip tls+ipv6-1.24-pf-2.1.1.patch.gz
++2. Change directory to the postfix source directory
++	e.g.	$ cd postfix-2.1.1
++3. Apply the patch
++	e.g.	$ patch -s -p 1 < ../tls+ipv6-1.24-pf-2.1.1.patch
++4. Build postfix. The IPv6 patch does not require additional environment
++   variables or arguments to 'make'.
++
++CONFIGURATION
++--------------
++
++In theory, no post-installation configuration of postfix is
++required, although you may want to extend the value of the
++'mynetworks' parameter to include the IPv6 networks the system is
++in.
++
++Also you can restrict Postfix to use IPv6-only or IPv4-only by
++changing the 'inet_interfaces' parameter.
++
++The main.cf parameters regarding IPv6 are documented in the file
++'sample-ipv6.cf' in the samples/ directory.
++
++MAILING LISTS
++--------------
++
++I've created two mailing lists about using IPv6 with Postfix.
++There's a general list (postfix-ipv6) that can be used for discussion.
++Also, there's an announcement-only list (postfix-ipv6-announce)
++for people who only want to get the announcements.
++All announcements are cross-posted to postfix-ipv6 though.
++
++List name:	postfix-ipv6
++List type:	Discussion / general (incl. announcements)
++List info:	http://lists.stack.nl/mailman/listinfo/postfix-ipv6
++List archive:	http://lists.stack.nl/pipermail/postfix-ipv6
++List admin:	Dean Strik <dean at ipnet6.org>
++
++List name:	postfix-ipv6-announce
++List type:	Announcements only, moderated
++List info:	http://lists.stack.nl/mailman/listinfo/postfix-ipv6-announce
++List archive:	http://lists.stack.nl/pipermail/postfix-ipv6-announce
++List admin:	Dean Strik <dean at ipnet6.org>
++
++KNOWN ISSUES
++-------------
++
++The patch comes with an IPv6-ChangeLog file. Please always validate
++whether you have the latest version. You can always download the
++latest ChangeLog at
++
++	ftp://ftp.stack.nl/pub/postfix/tls+ipv6/ChangeLog
++
++The following 'issues' and todo items are known (none critical):
++
++ - It is not currently supported to use Postfix network daemons
++   (such as smtp and smtpd) chrooted on Linux systems without
++   mounting the proc filesystem under /var/spool/postfix/proc
++   This is because the proc filesystem is required on Linux to
++   obtain the system's IPv6 address information.
++
++ - The 'smtp_host_lookup' parameter is not effective with IPv6.
++   This is because a different lookup mechanism is used that
++   cannot easily disable the 'local' (i.e., non-DNS) lookups.
++   Whether local files or the DNS are used first, is determined
++   by your operating system, e.g. in /etc/nsswitch.conf or
++   /etc/host.conf.
++
++ - The order of IPv6/IPv4 outgoing connection attempts is not
++   yet configurable. This will be configurable in a later,
++   soon to be released version. Currently, IPv6 is tried before
++   IPv4.
++
++ - No IPv6 open relay checks. Since there is no IPv6 RBL service
++   around at the moment (I'm considering setting one up but it's
++   not a very hot issue), no lookups for IPv6 clients are ever done.
++   Let's not have a lot of worthless DNS traffic. Of course, when
++   this gets implemented, IPv6 client lookups will only be made
++   to DNSBLs that support these.
++
++ - Tru64Unix: Using 'mynetworks_style = subnet' (which I do not
++   recommend in any case...) causes Postfix to assume a /64 for
++   all IPv6-connected IPv6 subnets. I have yet to find a good way
++   for obtaining the prefixlength. Suggestions are welcome!
++
++REPORTING BUGS
++---------------
++
++Of course there may be bugs in the patch. Please report bugs in the
++patch to <dean at ipnet6.org>. Please be thorough in the report.
++Patches, when possible, are greatly appreciated too!
++
++Please differentiate when possible between
++ - Problems in vanilla Postfix:	<mailto:postfix-users at postfix.org>
++ - Problems in Lutz' TLS patch:	<mailto:postfix_tls at aet.tu-cottbus.de>
++ - Problems in the IPv6 code:	<mailto:postfix-ipv6 at stack.nl>
++
++-- 
++Dean Strik <dean at ipnet6.org>
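Review bot: the INSTALLATION steps (gunzip tls+ipv6-1.24-pf-2.1.1.patch.gz, cd postfix-2.1.1, patch -s -p 1) describe patching upstream source by hand, which does not apply to a package that already carries the patch; shipped verbatim under README_FILES this sends users off to re-apply a patch against a source tree they do not have, so either preface the file with a short packaging note or trim that section. The KNOWN ISSUES entries are the part users actually need and sit at the bottom where they are easy to miss: chrooted smtp/smtpd on Linux need proc mounted under /var/spool/postfix/proc, "smtp_host_lookup" is silently ignored for IPv6 (so a DNS-only lookup policy chosen for security reasons is not enforced on IPv6 connections), and no DNSBL lookups are ever done for IPv6 clients, so RBL-based client restrictions do not cover them at all. Those three deserve a pointer from the package's own documentation.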
+diff -urNad postfix-release/README_FILES/SASL_README /tmp/dpep.cXJuVH/postfix-release/README_FILES/SASL_README
+--- postfix-release/README_FILES/SASL_README	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/README_FILES/SASL_README	2005-02-03 10:22:13.048099363 -0700
+@@ -12,6 +12,9 @@
+ 
+ HHooww PPoossttffiixx uusseess SSAASSLL aauutthheennttiiccaattiioonn iinnffoorrmmaattiioonn
+ 
++Note: To use SASL support on Debian GNU/Linux, you must install the
++postfix-tls package.
++
+ Postfix SASL support (RFC 2554) can be used to authenticate remote SMTP clients
+ to the Postfix SMTP server, and to authenticate the Postfix SMTP client to a
+ remote SMTP server.
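Review bot: the added "you must install the postfix-tls package" note lands under the "How Postfix uses SASL authentication information" heading, in the middle of the conceptual description, where a reader looking for setup steps will not see it; move it to the top of the document or into the configuration section, and say what the user observes without postfix-tls installed so the requirement can be matched to a symptom.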
+@@ -123,21 +126,21 @@
+         smtpd_recipient_restrictions =
+             permit_mynetworks permit_sasl_authenticated ...
+ 
+-In /usr/local/lib/sasl/smtpd.conf (SASL version 1.5.5) or /usr/local/lib/sasl2/
+-smtpd.conf (SASL version 2.1.1) you need to specify how the server should
+-validate client passwords.
+-
+-In order to authenticate against the UNIX password database, try:
+-
+-(SASL version 1.5.5)
++In /etc/postfix/sasl/smtpd.conf you need to specify how the server
++should validate client passwords. 
+ 
+-    /usr/local/lib/sasl/smtpd.conf:
+-        pwcheck_method: pwcheck
++IMPORTANT: If you configure SASL to use PAM (pluggable authentication
++modules) authentication, the Postfix SMTP server will abort because
++the SASL password file does not exist (default:  /etc/sasldb in
++version 1.5.5, or /etc/sasldb2 in version 2.1.1). To fix, disable
++CRAM-MD5 authentication by specifying 'mech_list: PLAIN LOGIN ANONYMOUS'
++in /etc/postfix/sasl/smtpd.conf, or by deleting /usr/lib/sasl/libcrammd5.so
++(for version 1.5.5).
+ 
+-(SASL version 2.1.1)
++In order to authenticate against the UNIX password database, try:
+ 
+-    /usr/local/lib/sasl2/smtpd.conf:
+-        pwcheck_method: pwcheck
++    /etc/postfix/sasl/smtpd.conf:
++	pwcheck_method: pwcheck
+ 
+ The name of the file in /usr/local/lib/sasl (SASL version 1.5.5) or /usr/local/
+ lib/sasl2 (SASL version 2.1.1) used by the SASL library for configuration can
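Review bot: the IMPORTANT paragraph recommends "mech_list: PLAIN LOGIN ANONYMOUS" as the fix for the PAM/CRAM-MD5 abort, but ANONYMOUS lets a client complete SASL without presenting any credential, and the example a few lines up gates relaying on permit_sasl_authenticated; unless anonymous login is deliberately wanted it does not belong in a list presented as the recommended fix, so suggest "mech_list: PLAIN LOGIN" plus a reminder that both of those send the password in the clear and should only be offered over TLS. The alternative fix, deleting /usr/lib/sasl/libcrammd5.so, asks the admin to hand-remove a library file and should not be documented advice. Also, the paragraph that follows (unchanged context) still tells the reader the configuration file lives in /usr/local/lib/sasl or /usr/local/lib/sasl2, contradicting the /etc/postfix/sasl/smtpd.conf path this hunk introduces.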
+@@ -151,16 +154,9 @@
+ IMPORTANT: postfix processes need to have group read+execute permission for the
+ /var/pwcheck directory, otherwise authentication attempts will fail.
+ 
+-Alternately, in SASL 1.5.26 and later (including 2.1.1), try:
+-
+-(SASL version 1.5.26)
+-
+-    /usr/local/lib/sasl/smtpd.conf:
+-        pwcheck_method: saslauthd
+-
+-(SASL version 2.1.1)
++Alternately, in SASL 2.1.1 and later, try:
+ 
+-    /usr/local/lib/sasl2/smtpd.conf:
++    /etc/postfix/sasl/smtpd.conf:
+         pwcheck_method: saslauthd
+ 
+ The saslauthd daemon is also contained in the cyrus-sasl source tarball. It is
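Review bot: this hunk narrows "SASL 1.5.26 and later (including 2.1.1)" to "SASL 2.1.1 and later" and drops the 1.5.x stanza, but the rest of the file still documents 1.5.x (the "version 1.5.5" /etc/sasldb default below and the libcrammd5.so advice for 1.5.5 in the hunk above), so the version story is now inconsistent; either remove the 1.5.x material throughout or keep the original wording here.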
+@@ -169,15 +165,8 @@
+ 
+ In order to authenticate against SASL's own password database:
+ 
+-(SASL version 1.5.5)
+-
+-    /usr/local/lib/sasl/smtpd.conf:
+-        pwcheck_method:  sasldb
+-
+-(SASL version 2.1.1)
+-
+-    /usr/local/lib/sasl2/smtpd.conf:
+-        pwcheck_method:  auxprop
++    /etc/postfix/sasl/smtpd.conf:
++	pwcheck_method:  sasldb
+ 
+ This will use the SASL password file (default: /etc/sasldb in version 1.5.5, or
+ /etc/sasldb2 in version 2.1.1), which is maintained with the saslpasswd or
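Review bot: collapsing the two variants into a single "pwcheck_method: sasldb" keeps the SASL 1.5.5 value and discards the 2.1.1 one ("pwcheck_method: auxprop" in the removed lines), which contradicts the previous hunk that just declared the text to be about "SASL 2.1.1 and later"; on a SASL 2 install the kept example is the wrong one for the sasldb backend. If the package builds against SASL 2, the example should read "pwcheck_method: auxprop" (with the sasldb auxprop plugin selected), and the trailing context sentence that still describes both /etc/sasldb (1.5.5) and /etc/sasldb2 (2.1.1) should be reduced to match.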
+diff -urNad postfix-release/README_FILES/TLS_README /tmp/dpep.cXJuVH/postfix-release/README_FILES/TLS_README
+--- postfix-release/README_FILES/TLS_README	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/README_FILES/TLS_README	2005-02-03 10:22:13.049099140 -0700
+@@ -0,0 +1,731 @@
++PPoossttffiixx TTLLSS SSuuppppoorrtt
++
++-------------------------------------------------------------------------------
++
++PPuurrppoossee ooff tthhiiss ddooccuummeenntt
++
++This document describes how to configure the Transport Layer Security (TLS)
++support in the Postfix SMTP client and Postfix SMTP server, and how to
++configure the TLS manager daemon that maintains the Pseudo Random Number
++Generator (PRNG) pool and the TLS session cache information.
++
++Topics covered in this document:
++
++  * SMTP Server specific settings
++  * SMTP Client specific settings
++  * TLS manager specific settings
++  * Reporting problems
++  * Credits
++
++SSMMTTPP SSeerrvveerr ssppeecciiffiicc sseettttiinnggss
++
++Topics covered in this section:
++
++  * Server-side certificate and private key configuration
++  * Server-side TLS activity logging
++  * Enabling TLS in the Postfix SMTP server
++  * Client certificate verification
++  * Supporting AUTH over TLS only
++  * Server-side TLS session cache
++  * Server access control
++  * Server-side cipher controls
++  * Miscellaneous server controls
++
++SSeerrvveerr--ssiiddee cceerrttiiffiiccaattee aanndd pprriivvaattee kkeeyy ccoonnffiigguurraattiioonn
++
++In order to use TLS, the Postfix SMTP server needs a certificate and a private
++key. Both must be in "pem" format. The private key must not be encrypted,
++meaning: the key must be accessible without password. Both certificate and
++private key may be in the same file.
++
++Both RSA and DSA certificates are supported. Typically you will only have RSA
++certificates issued by a commercial CA. In addition, the tools supplied with
++OpenSSL will by default issue RSA certificates. You can have both at the same
++time, in which case the cipher used determines which certificate is presented.
++For Netscape and OpenSSL clients without special cipher choices, the RSA
++certificate is preferred.
++
++In order for remote SMTP clients to check the Postfix SMTP server certificates,
++the CA certificate (in case of a certificate chain, all CA certificates) must
++be available. You should add these certificates to the server certificate, the
++server certificate first, then the issuing CA(s).
++
++Example: the certificate for "server.dom.ain" was issued by "intermediate CA"
++which itself has a certificate issued by "root CA". Create the server.pem file
++with:
++
++    cat server_cert.pem intermediate_CA.pem root_CA.pem > server.pem
++
++If you want the Postfix SMTP server to accept remote SMTP client certificates
++issued by these CAs, you can also add the CA certificates to the
++smtpd_tls_CAfile, in which case it is not necessary to have them in the
++smtpd_tls_cert_file or smtpd_tls_dcert_file.
++
++A Postfix SMTP server certificate supplied here must be usable as SSL server
++certificate and hence pass the "openssl verify -purpose sslserver ..." test.
++
++RSA key and certificate examples:
++
++    smtpd_tls_cert_file = /etc/postfix/server.pem
++    smtpd_tls_key_file = $smtpd_tls_cert_file
++
++Their DSA counterparts:
++
++    smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
++    smtpd_tls_dkey_file = $smtpd_tls_dcert_file
++
++The Postfix SMTP server certificate was issued by a certification authority
++(CA), the CA-cert of which must be provided with the CA file if it is not
++already provided in the certificate file. The CA file may also contain the CA
++certificates of other trusted CAs. You must use this file for the list of
++trusted CAs if you want to use chroot-mode. No default is supplied for this
++value as of now.
++
++Example:
++
++    smtpd_tls_CAfile = /etc/postfix/CAcert.pem
++
++To verify a remote SMTP client certificate, the Postfix SMTP server needs to
++know the certificates of the issuing certification authorities. These
++certificates in "pem" format are collected in a directory. The same CA
++certificates are offered to clients for client verification. Don't forget to
++create the necessary "hash" links with $OPENSSL_HOME/bin/c_rehash /etc/postfix/
++certs. A typical place for the CA certificates may also be $OPENSSL_HOME/certs,
++so there is no default and you explicitly have to set the value here!
++
++To use this option in chroot mode, this directory itself or a copy of it must
++be inside the chroot jail. Please note also, that the CAs in this directory are
++not listed to the client, so that e.g. Netscape might not offer certificates
++issued by them. For this reason, the use of this feature is discouraged.
++
++Example:
++
++    smtpd_tls_CApath = /etc/postfix/certs
++
++SSeerrvveerr--ssiiddee TTLLSS aaccttiivviittyy llooggggiinngg
++
++To get additional information about Postfix SMTP server TLS activity you can
++increase the loglevel from 0..4. Each logging level also includes the
++information that is logged at a lower logging level.
++
++    0 Disable logging of TLS activity.
++
++    1 Log TLS handshake and certificate information.
++
++    2 Log levels during TLS negotiation.
++
++    3 Log hexadecimal and ASCII dump of TLS negotiation process
++
++    4 Log hexadecimal and ASCII dump of complete transmission after STARTTLS
++
++Use loglevel 3 only in case of problems. Use of loglevel 4 is strongly
++discouraged.
++
++Example:
++
++    smtpd_tls_loglevel = 0
++
++To include information about the protocol and cipher used as well as the client
++and issuer CommonName into the "Received:" message header, set the
++smtpd_tls_received_header variable to true. The default is no, as the
++information is not necessarily authentic. Only information recorded at the
++final destination is reliable, since the headers may be changed by intermediate
++servers.
++
++Example:
++
++    smtpd_tls_received_header = yes
++
++EEnnaabblliinngg TTLLSS iinn tthhee PPoossttffiixx SSMMTTPP sseerrvveerr
++
++By default, TLS is disabled in the Postfix SMTP server, so no difference to
++plain Postfix is visible. Explicitly switch it on using "smtpd_use_tls = yes".
++
++Example:
++
++    smtpd_use_tls = yes
++
++Note: when an unprivileged user invokes "sendmail -bs", STARTTLS is never
++offered due to insufficient privileges to access the server private key. This
++is intended behavior.
++
++You can ENFORCE the use of TLS, so that the Postfix SMTP server accepts no
++commands (except QUIT of course) without TLS encryption, by setting
++"smtpd_enforce_tls = yes". According to RFC 2487 this MUST NOT be applied in
++case of a publicly-referenced Postfix SMTP server. So this option is off by
++default and should only seldom be used. Using this option implies
++"smtpd_use_tls = yes".
++
++Example:
++
++    smtpd_enforce_tls = yes
++
++Besides RFC 2487 some clients, namely Outlook [Express] prefer to run the non-
++standard "wrapper" mode, not the STARTTLS enhancement to SMTP. This is true for
++OE (Win32 < 5.0 and Win32 >=5.0 when run on a port<>25 and OE (5.01 Mac on all
++ports).
++
++It is strictly discouraged to use this mode from main.cf. If you want to
++support this service, enable a special port in master.cf and specify "-
++o smtpd_tls_wrappermode = yes" as an smtpd(8) command line option. Port 465
++(smtps) was once chosen for this feature.
++
++Example:
++
++    smtpd_tls_wrappermode = no
++
++CClliieenntt cceerrttiiffiiccaattee vveerriiffiiccaattiioonn
++
++To receive a remote SMTP client certificate, the Postfix SMTP server must
++explicitly ask for one by sending the $smtpd_tls_CAfile certificates to the
++client. Unfortunately, Netscape clients will either complain if no matching
++client certificate is available or will offer the user client a list of
++certificates to choose from. This might be annoying, so this option is "off" by
++default. You will however need the certificate if you want to use certificate
++based relaying with, for example, the permit_tls_client_certs feature.
++
++Example:
++
++    smtpd_tls_ask_ccert = no
++
++You may also decide to REQUIRE a remote SMTP client certificate before allowing
++TLS connections. This feature is included for completeness, and implies
++"smtpd_tls_ask_ccert = yes".
++
++Please be aware, that this will inhibit TLS connections without a proper client
++certificate and that it makes sense only when non-TLS submission is disabled
++(smtpd_enforce_tls = yes). Otherwise, clients could bypass the restriction by
++simply not using STARTTLS at all.
++
++When TLS is not enforced, the connection will be handled as if only
++"smtpd_tls_ask_ccert = yes" is specified, and a warning is logged.
++
++Example:
++
++    smtpd_tls_req_ccert = no
++
++A client certificate verification depth of 1 is sufficient if the certificate
++is directly issued by a CA listed in the CA file. The default value (5) should
++also suffice for longer chains (root CA issues special CA which then issues the
++actual certificate...)
++
++Example:
++
++    smtpd_tls_ccert_verifydepth = 5
++
++SSuuppppoorrttiinngg AAUUTTHH oovveerr TTLLSS oonnllyy
++
++Sending AUTH data over an un-encrypted channel poses a security risk. When TLS
++layer encryption is required (smtpd_enforce_tls = yes), the Postfix SMTP server
++will announce and accept AUTH only after the TLS layer has been activated with
++STARTTLS. When TLS layer encryption is optional (smtpd_enforce_tls = no), it
++may however still be useful to only offer AUTH when TLS is active. To maintain
++compatibility with non-TLS clients, the default is to accept AUTH without
++encryption. In order to change this behavior, set "smtpd_tls_auth_only = yes".
++
++Example:
++
++    smtpd_tls_auth_only = no
++
++SSeerrvveerr--ssiiddee TTLLSS sseessssiioonn ccaacchhee
++
++The Postfix SMTP server and the remote SMTP client negotiate a session, which
++takes some computer time and network bandwidth. By default, this session
++information is cached only in the smtpd(8) process actually using this session
++and is lost when the process terminates. To share the session information
++between multiple smtpd(8) processes, a persistent session cache can be used
++based on the SDBM databases (routines included in Postfix/TLS). Since
++concurrent writing must be supported, only SDBM can be used.
++
++Example:
++
++    smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
++
++Cached Postfix SMTP server session information expires after a certain amount
++of time. Postfix/TLS does not use the OpenSSL default of 300s, but a longer
++time of 3600sec (=1 hour). RFC 2246 recommends a maximum of 24 hours.
++
++Example:
++
++    smtpd_tls_session_cache_timeout = 3600s
++
++SSeerrvveerr aacccceessss ccoonnttrrooll
++
++Postfix TLS support introduces two additional features for Postfix SMTP server
++access control:
++
++    permit_tls_clientcerts
++        Allow the remote SMTP client SMTP request if the client certificate
++        passes verification, and if its fingerprint is listed in the list of
++        client certificates (see relay_clientcerts discussion below).
++
++    permit_tls_all_clientcerts
++        Allow the remote client SMTP request if the client certificate passes
++        verification.
++
++The permit_tls_all_clientcerts feature must be used with caution, because it
++can result in too many access permissions. Use this feature only if a special
++CA issues the client certificates, and only if this CA is listed as trusted CA.
++If other CAs are trusted, any owner of a valid client certificate would be
++authorized. The permit_tls_all_clientcerts feature can be practical for a
++specially created email relay server.
++
++It is however recommended to stay with the permit_tls_clientcerts feature and
++list all certificates via $relay_clientcerts, as permit_tls_all_clientcerts
++does not permit any control when a certificate must no longer be used (e.g. an
++employee leaving).
++
++Example:
++
++    smtpd_recipient_restrictions =
++        ...
++        permit_tls_clientcerts
++        reject_unauth_destination
++        ...
++
++The Postfix list manipulation routines give special treatment to whitespace and
++some other characters, making the use of certificate names unpractical. Instead
++we use the certificate fingerprints as they are difficult to fake but easy to
++use for lookup. Postfix lookup tables are in the form of (key, value) pairs.
++Since we only need the key, the value can be chosen freely, e.g. the name of
++the user or host:
++
++    D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home
++
++Example:
++
++    relay_clientcerts = hash:/etc/postfix/relay_clientcerts
++
++SSeerrvveerr--ssiiddee cciipphheerr ccoonnttrroollss
++
++To influence the Postfix SMTP server cipher selection scheme, you can give
++cipherlist string. A detailed description would go to far here, please refer to
++the openssl documentation. If you don't know what to do with it, simply don't
++touch it and leave the (openssl-)compiled in default!
++
++DO NOT USE " to enclose the string, specify just the string!!!
++
++Example:
++
++    smtpd_tls_cipherlist = DEFAULT
++
++If you want to take advantage of ciphers with EDH, DH parameters are needed.
++Instead of using the built-in DH parameters for both 1024bit and 512bit, it is
++better to generate "own" parameters, since otherwise it would "pay" for a
++possible attacker to start a brute force attack against parameters that are
++used by everybody. For this reason, the parameters chosen are already different
++from those distributed with other TLS packages.
++
++To generate your own set of DH parameters, use:
++
++    openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024
++    openssl gendh -out /etc/postfix/dh_512.pem -2 -rand /var/run/egd-pool 512
++
++Your source for "entropy" might vary; some systems have /dev/random; on other
++systems you might consider the "Entropy Gathering Daemon EGD", available at
++http://www.lothar.com/tech/crypto/.
++
++Examples:
++
++    smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
++    smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
++
++MMiisscceellllaanneeoouuss sseerrvveerr ccoonnttrroollss
++
++The smtpd_starttls_timeout parameter limits the time of Postfix SMTP server
++write and read operations during TLS startup and shutdown handshake procedures.
++
++Example:
++
++    smtpd_starttls_timeout = 300s
++
++SSMMTTPP CClliieenntt ssppeecciiffiicc sseettttiinnggss
++
++Topics covered in this section:
++
++  * Client-side certificate and private key configuration
++  * Client-side TLS activity logging
++  * Client-side TLS session cache
++  * Enabling TLS in the Postfix SMTP client
++  * Server certificate verification
++  * Client-side cipher controls
++  * Miscellaneous client controls
++
++CClliieenntt--ssiiddee cceerrttiiffiiccaattee aanndd pprriivvaattee kkeeyy ccoonnffiigguurraattiioonn
++
++During TLS startup negotiation the Postfix SMTP client may present a
++certificate to the remote SMTP server. The Netscape client is rather clever
++here and lets the user select between only those certificates that match CA
++certificates offered by the remote SMTP server. As the Postfix SMTP client uses
++the "SSL_connect()" function from the OpenSSL package, this is not possible and
++we have to choose just one certificate. So for now the default is to use _no_
++certificate and key unless one is explicitly specified here.
++
++Both RSA and DSA certificates are supported. You can have both at the same
++time, in which case the cipher used determines which certificate is presented.
++
++It is possible for the Postfix SMTP client to use the same key/certificate pair
++as the Postfix SMTP server. If a certificate is to be presented, it must be in
++"pem" format. The private key must not be encrypted, meaning: it must be
++accessible without password. Both parts (certificate and private key) may be in
++the same file.
++
++In order for remote SMTP servers to verify the Postfix SMTP client
++certificates, the CA certificate (in case of a certificate chain, all CA
++certificates) must be available. You should add these certificates to the
++client certificate, the client certificate first, then the issuing CA(s).
++
++Example: the certificate for "client.dom.ain" was issued by "intermediate CA"
++which itself has a certificate of "root CA". Create the client.pem file with:
++
++    cat client_cert.pem intermediate_CA.pem root_CA.pem > client.pem
++
++If you want the Postfix SMTP client to accept certificates issued by these CAs,
++you can also add the CA certificates to the smtp_tls_CAfile, in which case it
++is not necessary to have them in the smtp_tls_cert_file or smtp_tls_dcert_file.
++
++A Postfix SMTP client certificate supplied here must be usable as SSL client
++certificate and hence pass the "openssl verify -purpose sslclient ..." test.
++
++RSA key and certificate examples:
++
++    smtp_tls_cert_file = /etc/postfix/client.pem
++    smtp_tls_key_file = $smtp_tls_cert_file
++
++Their DSA counterparts:
++
++    smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
++    smtp_tls_dkey_file = $smtpd_tls_cert_file
++
++The Postfix SMTP client certificate was issued by a certification authority
++(CA), the CA-cert of which must be provided with the CA file if it is not
++already provided in the certificate file. The CA file may also contain the CA
++certificates of other trusted CAs. You must use this file for the list of
++trusted CAs if you want to use chroot-mode. No default is supplied for this
++value as of now.
++
++Example:
++
++    smtp_tls_CAfile = /etc/postfix/CAcert.pem
++
++To verify a remote SMTP server certificate, the Postfix SMTP client needs to
++know the certificates of the issuing certification authorities. These
++certificates in "pem" format are collected in a directory. Don't forget to
++create the necessary "hash" links with $OPENSSL_HOME/bin/c_rehash /etc/postfix/
++certs. A typical place for the CA certificates may also be $OPENSSL_HOME/certs,
++so there is no default and you explicitly have to set the value here!
++
++To use this option in chroot mode, this directory itself or a copy of it must
++be inside the chroot jail.
++
++Example:
++
++    smtp_tls_CApath = /etc/postfix/certs
++
++CClliieenntt--ssiiddee TTLLSS aaccttiivviittyy llooggggiinngg
++
++To get additional information about Postfix SMTP client TLS activity you can
++increase the loglevel from 0..4. Each logging level also includes the
++information that is logged at a lower logging level.
++
++    0 Disable logging of TLS activity.
++
++    1 Log TLS handshake and certificate information.
++
++    2 Log levels during TLS negotiation.
++
++    3 Log hexadecimal and ASCII dump of TLS negotiation process
++
++    4 Log hexadecimal and ASCII dump of complete transmission after STARTTLS
++
++Example:
++
++    smtp_tls_loglevel = 0
++
++CClliieenntt--ssiiddee TTLLSS sseessssiioonn ccaacchhee
++
++The remote SMTP server and the Postfix SMTP client negotiate a session, which
++takes some computer time and network bandwidth. By default, this session
++information is cached only in the smtp(8) process actually using this session
++and is lost when the process terminates. To share the session information
++between multiple smtp(8) processes, a persistent session cache can be used
++based on the SDBM databases (routines included in Postfix/TLS). Since
++concurrent writing must be supported, only SDBM can be used.
++
++Example:
++
++    smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache
++
++Cached Postfix SMTP client session information expires after a certain amount
++of time. Postfix/TLS does not use the OpenSSL default of 300s, but a longer
++time of 3600s (=1 hour). RFC 2246 recommends a maximum of 24 hours.
++
++Example:
++
++    smtp_tls_session_cache_timeout = 3600s
++
++EEnnaabblliinngg TTLLSS iinn tthhee PPoossttffiixx SSMMTTPP cclliieenntt
++
++By default, TLS is disabled in the Postfix SMTP client, so no difference to
++plain Postfix is visible. If you enable TLS, the Postfix SMTP client will send
++STARTTLS when TLS support is announced by the remote SMTP server.
++
++WARNING: MS Exchange servers will announce STARTTLS support even when the
++service is not configured, so that the TLS handshake will fail. It may be wise
++to not use this option on your central mail hub, as you don't know in advance
++whether you are going to connect to such a host. Instead, use the
++smtp_tls_per_site recipient/site specific options that are described below.
++
++When the TLS handshake fails and no other server is available, the Postfix SMTP
++client defers the delivery attempt, and the mail stays in the queue.
++
++Example:
++
++    smtp_use_tls = yes
++
++You can ENFORCE the use of TLS, so that the Postfix SMTP client will not
++deliver mail over un-encrypted connections. In this mode, the remote SMTP
++server hostname must match the information in the remote server certificate,
++and the server certificate must be issued by a CA that is trusted by the
++Postfix SMTP client. If the remote server certificate doesn't verify or the
++remote SMTP server hostname doesn't match, and no other server is available,
++the delivery attempt is deferred and the mail stays in the queue.
++
++The remote SMTP server hostname used in the check is beyond question, as it
++must be the principal hostname (no CNAME allowed here). Checks are performed
++against all names provided as dNSNames in the SubjectAlternativeName. If no
++dNSNames are specified, the CommonName is checked. The behavior may be changed
++with the smtp_tls_enforce_peername option which is discussed below.
++
++This option is useful only if you know that you will only connect to servers
++that support RFC 2487 _and_ that present server certificates that meet the
++above requirements. An example would be a client only sends email to one
++specific mailhub that offers the necessary STARTTLS support.
++
++Example:
++
++    smtp_enforce_tls = no
++
++As of RFC 2487 the requirements for hostname checking for MTA clients are not
++set. When TLS is required (smtp_enforce_tls = yes), the option
++smtp_tls_enforce_peername can be set to "no" to disable strict remote SMTP
++server hostname checking. In this case, the mail delivery will proceed
++regardless of the CommonName etc. listed in the certificate.
++
++Note: the smtp_tls_enforce_peername setting has no effect on sessions that are
++controlled via the smtp_tls_per_site table.
++
++Disabling the remote SMTP server hostname verification can make sense in closed
++environment where special CAs are created. If not used carefully, this option
++opens the danger of a "man-in-the-middle" attack (the CommonName of this
++possible attacker is logged).
++
++Example:
++
++    smtp_tls_enforce_peername = yes
++
++Generally, trying TLS can be a bad idea, as some servers offer STARTTLS but the
++negotiation will fail leading to unexplainable failures. Instead, it may be a
++good idea to choose the TLS usage policy based on the recipient or the mailhub
++to which you are connecting.
++
++Deciding the TLS usage policy per recipient may be difficult, since a single
++email delivery attempt can involve several recipients. Instead, use of TLS is
++controlled by the Postfix next-hop destination domain name and by the remote
++SMTP server hostname. If either of these matches an entry in the
++smtp_tls_per_site table, appropriate action is taken.
++
++The remote SMTP server hostname is simply the DNS name of the server that the
++Postfix SMTP client connects to. The next-hop destination is Postfix specific.
++By default, this is the domain name in the recipient address, but this
++information can be overruled by the transport(5) table or by the relayhost
++parameter setting. In these cases the relayhost etc. must be listed in the
++smtp_tls_per_site table, instead of the recipient domain name.
++
++Format of the table: domain or host names are specified on the left-hand side;
++no wildcards are allowed. On the right hand side specify one of the following
++keywords:
++
++    NONE
++        Don't use TLS at all.
++    MAY
++        Try to use STARTTLS if offered, otherwise use the un-encrypted
++        connection.
++    MUST
++        Require usage of STARTTLS, require that the remote SMTP server hostname
++        matches the information in the remote SMTP server certificate, and
++        require that the remote SMTP server certificate was issued by a trusted
++        CA.
++    MUST_NOPEERMATCH
++        Require usage of STARTTLS, but do not require that the remote SMTP
++        server hostname matches the information in the remote SMTP server
++        certificate, or that the server certificate was issued by a trusted CA.
++
++The actual TLS usage policy depends not only on whether the next-hop
++destination or remote SMTP server hostname are found in the smtp_tls_per_site
++table, but also on the smtp_enforce_tls setting:
++
++  * If no match was found, the policy is applied as specified with
++    smtp_enforce_tls.
++
++  * If a match was found, and the smtp_enforce_tls policy is "enforce", NONE
++    explicitly switches it off; otherwise the "enforce" mode is used even for
++    entries that specify MAY.
++
++Special hint for TLS enforcement mode: since no secure DNS lookup mechanism is
++available, mail can be delivered to the wrong remote SMTP server. This is not
++prevented by specifying MUST for the next-hop domain name. The recommended
++setup is: specify local transport(5) table entries for sensitive domains with
++explicit smtp:[mailhost] destinations (since you can assure security of this
++table unlike DNS), then specify MUST for these mail hosts in the
++smtp_tls_per_site table.
++
++Example:
++
++    smtp_tls_per_site = hash:/etc/postfix/tls_per_site
++
++As we decide on a "per site" basis whether or not to use TLS, it would be good
++to have a list of sites that offered "STARTTLS". We can collect it ourselves
++with this option.
++
++If the smtp_tls_note_starttls_offer feature is enabled and a server offers
++STARTTLS while TLS is not already enabled for that server, the Postfix SMTP
++client logs a line as follows:
++
++    postfix/smtp[pid]: Host offered STARTTLS: [hostname.example.com]
++
++Example:
++
++    smtp_tls_note_starttls_offer = yes
++
++SSeerrvveerr cceerrttiiffiiccaattee vveerriiffiiccaattiioonn
++
++When verifying a remote SMTP server certificate, a verification depth of 1 is
++sufficient if the certificate is directly issued by a CA specified with
++smtp_tls_CAfile or smtp_tls_CApath. The default value of 5 should also suffice
++for longer chains (root CA issues special CA which then issues the actual
++certificate...)
++
++Example:
++
++    smtp_tls_scert_verifydepth = 5
++
++CClliieenntt--ssiiddee cciipphheerr ccoonnttrroollss
++
++To influence the Postfix SMTP client cipher selection scheme, you can give
++cipherlist string. A detailed description would go to far here, please refer to
++the openssl documentation. If you don't know what to do with it, simply don't
++touch it and leave the (openssl-)compiled in default!
++
++DO NOT USE " to enclose the string, specify just the string!!!
++
++Example:
++
++    smtp_tls_cipherlist = DEFAULT
++
++MMiisscceellllaanneeoouuss cclliieenntt ccoonnttrroollss
++
++The smtp_starttls_timeout parameter limits the time of Postfix SMTP client
++write and read operations during TLS startup and shutdown handshake procedures.
++In case of problems the Postfix SMTP client tries the next network address on
++the mail exchanger list, and defers delivery if no alternative server is
++available.
++
++Example:
++
++    smtp_starttls_timeout = 300s
++
++TTLLSS mmaannaaggeerr ssppeecciiffiicc sseettttiinnggss
++
++The security of cryptographic software such as TLS depends critically on the
++ability to generate unpredictable numbers for keys and other information. To
++this end, the tlsmgr(8) process maintains a Pseudo Random Number Generator
++(PRNG) pool. This is a fixed-size 1024-byte exchange file that is read by the
++smtp(8) and smtpd(8) processes when they initialize. These processes also add
++some more entropy to the file by stirring in their own time and process id
++information.
++
++The tlsmgr(8) process creates the file if it does not already exist, and
++rewrites the file at random time intervals with information from its in-memory
++PRNG pool. The default location is under the Postfix configuration directory,
++which is not the proper place for information that is modified by Postfix.
++Instead, the file location should probably be on the /var partition (but _not_
++inside the chroot jail).
++
++Example:
++
++    tls_random_exchange_name = /etc/postfix/prng_exch
++
++In order to feed its in-memory PRNG pool, the tlsmgr(8) reads entropy from an
++external source, both at startup and during run-time. Specify a good entropy
++source, like EGD or /dev/urandom; be sure to only use non-blocking sources. If
++the entropy source is not a regular file, you must prepend the source type to
++the source name: "dev:" for a device special file, or "egd:" for a source with
++EGD compatible socket interface.
++
++Examples (specify only one in main.cf):
++
++    tls_random_source = dev:/dev/urandom
++    tls_random_source = egd:/var/run/egd-pool
++
++By default, tlsmgr(8) reads 32 bytes from the external entropy source at each
++seeding event. This amount (256bits) is more than sufficient for generating a
++128bit symmetric key. With EGD and device entropy sources, the tlsmgr(8) limits
++the amount of data read at each step to 255 bytes. If you specify a regular
++file as entropy source, a larger amount of data can be read.
++
++Example:
++
++    tls_random_bytes = 32
++
++In order to update its in-memory PRNG pool, the tlsmgr(8) queries the external
++entropy source again after a random amount of time. The time is calculated
++using the PRNG, and is between 0 and the maximal time specified with
++tls_random_reseed_period. The default maximal time interval is 1 hour.
++
++Example:
++
++    tls_random_reseed_period = 3600s
++
++The tlsmgr(8) re-generates the 1024 byte seed exchange file after a random
++amount of time. The time is calculated using the PRNG, and is between 0 and the
++maximal time specified with tls_random_update_period. The default maximal time
++interval is 60 seconds.
++
++Example:
++
++    tls_random_prng_update_period = 60s
++
++If you have an entropy source available that is not easily drained (like /dev/
++urandom), the smtp(8) and smtpd(8) daemons can load additional entropy on
++startup. By default, an amount of 32 bytes is read, the equivalent to 256 bits.
++This is more than sufficient to generate a 128bit (or 168bit) session key.
++However, when Postfix needs to generate more than one key it can drain the EGD.
++Consider the case of 50 smtp(8) processes starting up with a full queue; this
++will request 1600bytes of entropy. This is however not fatal, as long as
++"entropy" data can still be read from the seed file that is maintained by
++tlsmgr(8).
++
++Examples:
++
++    tls_daemon_random_source = dev:/dev/urandom
++    tls_daemon_random_source = egd:/var/run/egd-pool
++    tls_daemon_random_bytes = 32
++
++RReeppoorrttiinngg pprroobblleemmss
++
++When reporting a problem, please be thorough in the report. Patches, when
++possible, are greatly appreciated too.
++
++Please differentiate when possible between:
++
++  * Problems in the IPv6 code: stack.nl>
++  * Problems in the TLS code: aet.tu-cottbus.de>
++  * Problems in vanilla Postfix: postfix.org>
++
++CCrreeddiittss
++
++  * TLS support for Postfix was originally developed by Lutz Jänicke at Cottbus
++    Technical University.
++  * This part of the documentation was compiled by Wietse Venema
++
+diff -urNad postfix-release/src/global/inet_interfaces_to_af.c /tmp/dpep.cXJuVH/postfix-release/src/global/inet_interfaces_to_af.c
+--- postfix-release/src/global/inet_interfaces_to_af.c	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/inet_interfaces_to_af.c	2005-02-03 10:22:13.050098917 -0700
+@@ -0,0 +1,27 @@
++#include <sys_defs.h>
++#include <stdlib.h>
++#include <sys/socket.h>
++#include <mail_params.h>
++#include <inet_interfaces_to_af.h>
++
++int     inet_interfaces_to_af (char *inet_interfaces)
++{
++    int     af = -1;
++
++    if (inet_interfaces == NULL || *inet_interfaces == '\0')
++	return (af);
++    if (strcasecmp(inet_interfaces, INET_INTERFACES_ALL) == 0 ||
++	strcasecmp(inet_interfaces, INET_INTERFACES_LOCAL) == 0)
++	af = AF_UNSPEC;
++    else if (strcasecmp(inet_interfaces, "IPv6:" DEF_INET_INTERFACES) == 0)
++#ifdef INET6
++	af = AF_INET6;
++#else
++	msg_fatal("unable to bind to IPv6 only (%s=%s): IPv6 not compiled in",
++		  VAR_INET_INTERFACES, inet_interfaces);
++#endif
++    else if (strcasecmp(inet_interfaces, "IPv4:" DEF_INET_INTERFACES) == 0)
++	af = AF_INET;
++
++    return (af);
++}
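Review bot: `strcasecmp()` and `msg_fatal()` are called without including the headers that declare them (`<string.h>` or `<strings.h>`, and Postfix's `msg.h`); with implicit declarations this builds with warnings on permissive compilers and fails on strict ones, so add the two includes next to `<sys/socket.h>`. The function also silently returns -1 for any value that is not one of the four recognised keywords, which includes the address lists that `inet_interfaces` accepts, so a comment should state that -1 means "not a family selector" and callers must not treat it as an error. Since the string is only read, the parameter can be `const char *`.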
+diff -urNad postfix-release/src/global/inet_interfaces_to_af.h /tmp/dpep.cXJuVH/postfix-release/src/global/inet_interfaces_to_af.h
+--- postfix-release/src/global/inet_interfaces_to_af.h	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/inet_interfaces_to_af.h	2005-02-03 10:22:13.050098917 -0700
+@@ -0,0 +1,6 @@
++#ifndef _INET_INTERFACES_TO_AF_H_INCLUDED_
++#define _INET_INTERFACES_TO_AF_H_INCLUDED_
++
++extern int inet_interfaces_to_af (char *);
++
++#endif
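Review bot: the prototype takes `char *` although the implementation only reads the argument; declaring it `const char *` lets callers pass string constants without a cast and matches the `strcasecmp()` calls in the .c file. The header also lacks the comment block that the other Postfix headers in this tree carry, so it stands out in the global/ directory.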
+diff -urNad postfix-release/src/global/mail_params.c /tmp/dpep.cXJuVH/postfix-release/src/global/mail_params.c
+--- postfix-release/src/global/mail_params.c	2005-02-03 10:22:12.220284014 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/mail_params.c	2005-02-03 10:22:13.050098917 -0700
+@@ -46,6 +46,7 @@
+ /*	int	var_message_limit;
+ /*	char	*var_mail_release;
+ /*	char	*var_mail_version;
++/*	char	*var_tlsipv6_version;
+ /*	int	var_ipc_idle_limit;
+ /*	int	var_ipc_ttl_limit;
+ /*	char	*var_db_type;
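Review bot: the prologue comment gains `char *var_tlsipv6_version;` unconditionally, but the definition and table entry added later in this file are wrapped in `#ifdef INET6`, so the documented interface and the compiled one disagree for non-IPv6 builds. Either guard the comment the same way or, better, drop the `#ifdef` around the variable: a version string is harmless to define without IPv6 support, and a symbol that exists only in some builds invites link errors elsewhere.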
+@@ -163,6 +164,7 @@
+ #include "mail_proto.h"
+ #include "verp_sender.h"
+ #include "mail_params.h"
++#include "pfixtls.h"
+ 
+  /*
+   * Special configuration variables.
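Review bot: adding `#include "pfixtls.h"` to mail_params.c makes the core parameter module depend on the TLS patch for every build. The TLS variables declared further down in this file are plain globals whose names come from mail_params.h, so check whether anything here actually needs a definition from pfixtls.h; if nothing does, drop the include so mail_params.c keeps building without the TLS sources.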
+@@ -207,6 +209,9 @@
+ int     var_message_limit;
+ char   *var_mail_release;
+ char   *var_mail_version;
++#ifdef INET6
++char   *var_tlsipv6_version;
++#endif
+ int     var_ipc_idle_limit;
+ int     var_ipc_ttl_limit;
+ char   *var_db_type;
+@@ -233,6 +238,31 @@
+ int     var_in_flow_delay;
+ char   *var_par_dom_match;
+ char   *var_config_dirs;
++char   *var_tls_rand_exch_name;
++char   *var_smtpd_tls_cert_file;
++char   *var_smtpd_tls_key_file;
++char   *var_smtpd_tls_dcert_file;
++char   *var_smtpd_tls_dkey_file;
++char   *var_smtpd_tls_CAfile;
++char   *var_smtpd_tls_CApath;
++char   *var_smtpd_tls_cipherlist;
++char   *var_smtpd_tls_dh512_param_file;
++char   *var_smtpd_tls_dh1024_param_file;
++int     var_smtpd_tls_loglevel;
++char   *var_smtpd_tls_scache_db;
++int     var_smtpd_tls_scache_timeout;
++char   *var_smtp_tls_cert_file;
++char   *var_smtp_tls_key_file;
++char   *var_smtp_tls_dcert_file;
++char   *var_smtp_tls_dkey_file;
++char   *var_smtp_tls_CAfile;
++char   *var_smtp_tls_CApath;
++char   *var_smtp_tls_cipherlist;
++int     var_smtp_tls_loglevel;
++char   *var_smtp_tls_scache_db;
++int     var_smtp_tls_scache_timeout;
++char   *var_tls_daemon_rand_source;
++int     var_tls_daemon_rand_bytes;
+ 
+ char   *var_import_environ;
+ char   *var_export_environ;
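Review bot: the new globals mix case (`var_smtpd_tls_CAfile`, `var_smtp_tls_CApath`) in a table where every other variable is lower case; the main.cf parameter names `smtpd_tls_CAfile` and `smtp_tls_CApath` are documented in the README and must stay as they are, but the C identifiers are free to follow the surrounding convention (`var_smtpd_tls_ca_file`, `var_smtp_tls_ca_path`). Also note for reviewers that the per-daemon TLS settings described in the README (smtpd_use_tls, smtpd_tls_ask_ccert, smtpd_tls_req_ccert, smtp_tls_per_site and friends) are not declared here; presumably they live in smtpd.c and smtp.c, which should be confirmed when those hunks are reviewed.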
+@@ -488,6 +518,9 @@
+ 	VAR_ALIAS_DB_MAP, DEF_ALIAS_DB_MAP, &var_alias_db_map, 0, 0,
+ 	VAR_MAIL_RELEASE, DEF_MAIL_RELEASE, &var_mail_release, 1, 0,
+ 	VAR_MAIL_VERSION, DEF_MAIL_VERSION, &var_mail_version, 1, 0,
++#ifdef INET6
++	VAR_TLSIPV6_VERSION, DEF_TLSIPV6_VERSION, &var_tlsipv6_version, 1, 0,
++#endif
+ 	VAR_DB_TYPE, DEF_DB_TYPE, &var_db_type, 1, 0,
+ 	VAR_HASH_QUEUE_NAMES, DEF_HASH_QUEUE_NAMES, &var_hash_queue_names, 1, 0,
+ 	VAR_RCPT_DELIM, DEF_RCPT_DELIM, &var_rcpt_delim, 0, 1,
+@@ -512,6 +545,26 @@
+ 	VAR_FLUSH_SERVICE, DEF_FLUSH_SERVICE, &var_flush_service, 1, 0,
+ 	VAR_VERIFY_SERVICE, DEF_VERIFY_SERVICE, &var_verify_service, 1, 0,
+ 	VAR_TRACE_SERVICE, DEF_TRACE_SERVICE, &var_trace_service, 1, 0,
++	VAR_TLS_RAND_EXCH_NAME, DEF_TLS_RAND_EXCH_NAME, &var_tls_rand_exch_name, 0, 0,
++	VAR_SMTPD_TLS_CERT_FILE, DEF_SMTPD_TLS_CERT_FILE, &var_smtpd_tls_cert_file, 0, 0,
++	VAR_SMTPD_TLS_KEY_FILE, DEF_SMTPD_TLS_KEY_FILE, &var_smtpd_tls_key_file, 0, 0,
++	VAR_SMTPD_TLS_DCERT_FILE, DEF_SMTPD_TLS_DCERT_FILE, &var_smtpd_tls_dcert_file, 0, 0,
++	VAR_SMTPD_TLS_DKEY_FILE, DEF_SMTPD_TLS_DKEY_FILE, &var_smtpd_tls_dkey_file, 0, 0,
++	VAR_SMTPD_TLS_CA_FILE, DEF_SMTPD_TLS_CA_FILE, &var_smtpd_tls_CAfile, 0, 0,
++	VAR_SMTPD_TLS_CA_PATH, DEF_SMTPD_TLS_CA_PATH, &var_smtpd_tls_CApath, 0, 0,
++	VAR_SMTPD_TLS_CLIST, DEF_SMTPD_TLS_CLIST, &var_smtpd_tls_cipherlist, 0, 0,
++	VAR_SMTPD_TLS_512_FILE, DEF_SMTPD_TLS_512_FILE, &var_smtpd_tls_dh512_param_file, 0, 0,
++	VAR_SMTPD_TLS_1024_FILE, DEF_SMTPD_TLS_1024_FILE, &var_smtpd_tls_dh1024_param_file, 0, 0,
++	VAR_SMTPD_TLS_SCACHE_DB, DEF_SMTPD_TLS_SCACHE_DB, &var_smtpd_tls_scache_db, 0, 0,
++	VAR_SMTP_TLS_CERT_FILE, DEF_SMTP_TLS_CERT_FILE, &var_smtp_tls_cert_file, 0, 0,
++	VAR_SMTP_TLS_KEY_FILE, DEF_SMTP_TLS_KEY_FILE, &var_smtp_tls_key_file, 0, 0,
++	VAR_SMTP_TLS_DCERT_FILE, DEF_SMTP_TLS_DCERT_FILE, &var_smtp_tls_dcert_file, 0, 0,
++	VAR_SMTP_TLS_DKEY_FILE, DEF_SMTP_TLS_DKEY_FILE, &var_smtp_tls_dkey_file, 0, 0,
++	VAR_SMTP_TLS_CA_FILE, DEF_SMTP_TLS_CA_FILE, &var_smtp_tls_CAfile, 0, 0,
++	VAR_SMTP_TLS_CA_PATH, DEF_SMTP_TLS_CA_PATH, &var_smtp_tls_CApath, 0, 0,
++	VAR_SMTP_TLS_CLIST, DEF_SMTP_TLS_CLIST, &var_smtp_tls_cipherlist, 0, 0,
++	VAR_SMTP_TLS_SCACHE_DB, DEF_SMTP_TLS_SCACHE_DB, &var_smtp_tls_scache_db, 0, 0,
++	VAR_TLS_DAEMON_RAND_SOURCE, DEF_TLS_DAEMON_RAND_SOURCE, &var_tls_daemon_rand_source, 0, 0,
+ 	0,
+     };
+     static CONFIG_STR_FN_TABLE function_str_defaults_2[] = {
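Review bot: this string table registers `var_tls_rand_exch_name` and `var_tls_daemon_rand_source` but none of the other `tls_random_*` variables that the mail_params.h part of this patch declares (`var_tls_rand_source`, `var_tls_rand_bytes`, `var_tls_reseed_period`, `var_tls_prng_upd_period`). If those are meant to be read from tlsmgr's own parameter table, a one-line comment here saying so would save the next reader from hunting for the missing entries; if not, those externs are never populated and any code dereferencing them gets a null pointer.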
+@@ -534,6 +587,9 @@
+ 	VAR_TOKEN_LIMIT, DEF_TOKEN_LIMIT, &var_token_limit, 1, 0,
+ 	VAR_MIME_MAXDEPTH, DEF_MIME_MAXDEPTH, &var_mime_maxdepth, 1, 0,
+ 	VAR_MIME_BOUND_LEN, DEF_MIME_BOUND_LEN, &var_mime_bound_len, 1, 0,
++	VAR_SMTPD_TLS_LOGLEVEL, DEF_SMTPD_TLS_LOGLEVEL, &var_smtpd_tls_loglevel, 0, 0,
++	VAR_SMTP_TLS_LOGLEVEL, DEF_SMTP_TLS_LOGLEVEL, &var_smtp_tls_loglevel, 0, 0,
++	VAR_TLS_DAEMON_RAND_BYTES, DEF_TLS_DAEMON_RAND_BYTES, &var_tls_daemon_rand_bytes, 0, 0,
+ 	0,
+     };
+     static CONFIG_TIME_TABLE time_defaults[] = {
+@@ -546,6 +602,8 @@
+ 	VAR_FORK_DELAY, DEF_FORK_DELAY, &var_fork_delay, 1, 0,
+ 	VAR_FLOCK_DELAY, DEF_FLOCK_DELAY, &var_flock_delay, 1, 0,
+ 	VAR_FLOCK_STALE, DEF_FLOCK_STALE, &var_flock_stale, 1, 0,
++	VAR_SMTPD_TLS_SCACHTIME, DEF_SMTPD_TLS_SCACHTIME, &var_smtpd_tls_scache_timeout, 0, 0,
++	VAR_SMTP_TLS_SCACHTIME, DEF_SMTP_TLS_SCACHTIME, &var_smtp_tls_scache_timeout, 0, 0,
+ 	VAR_DAEMON_TIMEOUT, DEF_DAEMON_TIMEOUT, &var_daemon_timeout, 1, 0,
+ 	VAR_IN_FLOW_DELAY, DEF_IN_FLOW_DELAY, &var_in_flow_delay, 0, 10,
+ 	0,
+diff -urNad postfix-release/src/global/mail_params.h /tmp/dpep.cXJuVH/postfix-release/src/global/mail_params.h
+--- postfix-release/src/global/mail_params.h	2005-02-03 10:22:12.200288474 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/mail_params.h	2005-02-03 10:22:13.052098471 -0700
+@@ -129,7 +129,9 @@
+   * Virtual host support. Default is to listen on all machine interfaces.
+   */
+ #define VAR_INET_INTERFACES	"inet_interfaces"	/* listen addresses */
+-#define DEF_INET_INTERFACES	"all"
++#define INET_INTERFACES_ALL	"all"
++#define INET_INTERFACES_LOCAL	"loopback-only"
++#define DEF_INET_INTERFACES	INET_INTERFACES_ALL
+ extern char *var_inet_interfaces;
+ 
+ #define VAR_PROXY_INTERFACES	"proxy_interfaces"	/* proxies, NATs */
+@@ -519,6 +521,34 @@
+ #define DEF_DUP_FILTER_LIMIT	1000
+ extern int var_dup_filter_limit;
+ 
++#define VAR_TLS_RAND_EXCH_NAME	"tls_random_exchange_name"
++#define DEF_TLS_RAND_EXCH_NAME	"${queue_directory}/prng_exch"
++extern char *var_tls_rand_exch_name;
++
++#define VAR_TLS_RAND_SOURCE	"tls_random_source"
++#define DEF_TLS_RAND_SOURCE	""
++extern char *var_tls_rand_source;
++
++#define VAR_TLS_RAND_BYTES	"tls_random_bytes"
++#define DEF_TLS_RAND_BYTES	32
++extern int var_tls_rand_bytes;
++
++#define VAR_TLS_DAEMON_RAND_SOURCE	"tls_daemon_random_source"
++#define DEF_TLS_DAEMON_RAND_SOURCE	""
++extern char *var_tls_daemon_rand_source;
++
++#define VAR_TLS_DAEMON_RAND_BYTES	"tls_daemon_random_bytes"
++#define DEF_TLS_DAEMON_RAND_BYTES	32
++extern int var_tls_daemon_rand_bytes;
++
++#define VAR_TLS_RESEED_PERIOD	"tls_random_reseed_period"
++#define DEF_TLS_RESEED_PERIOD	"3600s"
++extern int var_tls_reseed_period;
++
++#define VAR_TLS_PRNG_UPD_PERIOD	"tls_random_prng_update_period"
++#define DEF_TLS_PRNG_UPD_PERIOD "60s"
++extern int var_tls_prng_upd_period;
++
+  /*
+   * Queue manager: relocated databases.
+   */
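Review bot: `DEF_TLS_RAND_SOURCE` and `DEF_TLS_DAEMON_RAND_SOURCE` are both the empty string, so a default install names no entropy source for the PRNG seeding these parameters control, and nothing in the hunk says what happens then (refuse to start, or rely on OpenSSL's internal seeding). That behaviour should be stated in the parameter documentation so an administrator can tell whether an unconfigured system has a seeded PRNG. `DEF_TLS_RAND_EXCH_NAME` also places the shared seed-exchange file `prng_exch` under `${queue_directory}`; the expected owner and mode of that file belong next to the parameter, since several daemons read and write it.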
+@@ -768,6 +798,10 @@
+ #define DEF_SMTP_XFWD_TMOUT	"300s"
+ extern int var_smtp_xfwd_tmout;
+ 
++#define VAR_SMTP_STARTTLS_TMOUT	"smtp_starttls_timeout"
++#define DEF_SMTP_STARTTLS_TMOUT	"300s"
++extern int var_smtp_starttls_tmout;
++
+ #define VAR_SMTP_MAIL_TMOUT	"smtp_mail_timeout"
+ #define DEF_SMTP_MAIL_TMOUT	"300s"
+ extern int var_smtp_mail_tmout;
+@@ -828,6 +862,10 @@
+ #define DEF_SMTP_BIND_ADDR	""
+ extern char *var_smtp_bind_addr;
+ 
++#define VAR_SMTP_BIND_ADDR6	"smtp_bind_address6"
++#define DEF_SMTP_BIND_ADDR6	""
++extern char *var_smtp_bind_addr6;
++
+ #define VAR_SMTP_HELO_NAME	"smtp_helo_name"
+ #define DEF_SMTP_HELO_NAME	"$myhostname"
+ extern char *var_smtp_helo_name;
+@@ -869,6 +907,10 @@
+ #define DEF_SMTPD_TMOUT		"300s"
+ extern int var_smtpd_tmout;
+ 
++#define VAR_SMTPD_STARTTLS_TMOUT "smtpd_starttls_timeout"
++#define DEF_SMTPD_STARTTLS_TMOUT "300s"
++extern int var_smtpd_starttls_tmout;
++
+ #define VAR_SMTPD_RCPT_LIMIT	"smtpd_recipient_limit"
+ #define DEF_SMTPD_RCPT_LIMIT	1000
+ extern int var_smtpd_rcpt_limit;
+@@ -901,6 +943,150 @@
+ #define DEF_SMTPD_NOOP_CMDS	""
+ extern char *var_smtpd_noop_cmds;
+ 
++#define VAR_SMTPD_TLS_WRAPPER	"smtpd_tls_wrappermode"
++#define DEF_SMTPD_TLS_WRAPPER	0
++extern bool var_smtpd_tls_wrappermode;
++
++#define VAR_SMTPD_USE_TLS	"smtpd_use_tls"
++#define DEF_SMTPD_USE_TLS	0
++extern bool var_smtpd_use_tls;
++
++#define VAR_SMTPD_ENFORCE_TLS	"smtpd_enforce_tls"
++#define DEF_SMTPD_ENFORCE_TLS	0
++extern bool var_smtpd_enforce_tls;
++
++#define VAR_SMTPD_TLS_AUTH_ONLY	"smtpd_tls_auth_only"
++#define DEF_SMTPD_TLS_AUTH_ONLY 0
++extern bool var_smtpd_tls_auth_only;
++
++#define VAR_SMTPD_TLS_ACERT	"smtpd_tls_ask_ccert"
++#define DEF_SMTPD_TLS_ACERT	0
++extern bool var_smtpd_tls_ask_ccert;
++
++#define VAR_SMTPD_TLS_RCERT	"smtpd_tls_req_ccert"
++#define DEF_SMTPD_TLS_RCERT	0
++extern bool var_smtpd_tls_req_ccert;
++
++#define VAR_SMTPD_TLS_CCERT_VD	"smtpd_tls_ccert_verifydepth"
++#define DEF_SMTPD_TLS_CCERT_VD	5
++extern int var_smtpd_tls_ccert_vd;
++
++#define VAR_SMTPD_TLS_CERT_FILE	"smtpd_tls_cert_file"
++#define DEF_SMTPD_TLS_CERT_FILE	""
++extern char *var_smtpd_tls_cert_file;
++
++#define VAR_SMTPD_TLS_KEY_FILE	"smtpd_tls_key_file"
++#define DEF_SMTPD_TLS_KEY_FILE	"$smtpd_tls_cert_file"
++extern char *var_smtpd_tls_key_file;
++
++#define VAR_SMTPD_TLS_DCERT_FILE "smtpd_tls_dcert_file"
++#define DEF_SMTPD_TLS_DCERT_FILE ""
++extern char *var_smtpd_tls_dcert_file;
++
++#define VAR_SMTPD_TLS_DKEY_FILE	"smtpd_tls_dkey_file"
++#define DEF_SMTPD_TLS_DKEY_FILE	"$smtpd_tls_dcert_file"
++extern char *var_smtpd_tls_dkey_file;
++
++#define VAR_SMTPD_TLS_CA_FILE	"smtpd_tls_CAfile"
++#define DEF_SMTPD_TLS_CA_FILE	""
++extern char *var_smtpd_tls_CAfile;
++
++#define VAR_SMTPD_TLS_CA_PATH	"smtpd_tls_CApath"
++#define DEF_SMTPD_TLS_CA_PATH	""
++extern char *var_smtpd_tls_CApath;
++
++#define VAR_SMTPD_TLS_CLIST	"smtpd_tls_cipherlist"
++#define DEF_SMTPD_TLS_CLIST	""
++extern char *var_smtpd_tls_cipherlist;
++
++#define VAR_SMTPD_TLS_512_FILE	"smtpd_tls_dh512_param_file"
++#define DEF_SMTPD_TLS_512_FILE	""
++extern char *var_smtpd_tls_dh512_param_file;
++
++#define VAR_SMTPD_TLS_1024_FILE	"smtpd_tls_dh1024_param_file"
++#define DEF_SMTPD_TLS_1024_FILE	""
++extern char *var_smtpd_tls_dh1024_param_file;
++
++#define VAR_SMTPD_TLS_LOGLEVEL	"smtpd_tls_loglevel"
++#define DEF_SMTPD_TLS_LOGLEVEL	0
++extern int var_smtpd_tls_loglevel;
++
++#define VAR_SMTPD_TLS_RECHEAD	"smtpd_tls_received_header"
++#define DEF_SMTPD_TLS_RECHEAD	0
++extern bool var_smtpd_tls_received_header;
++
++#define VAR_SMTPD_TLS_SCACHE_DB	"smtpd_tls_session_cache_database"
++#define DEF_SMTPD_TLS_SCACHE_DB	""
++extern char *var_smtpd_tls_scache_db;
++
++#define VAR_SMTPD_TLS_SCACHTIME	"smtpd_tls_session_cache_timeout"
++#define DEF_SMTPD_TLS_SCACHTIME	"3600s"
++extern int var_smtpd_tls_scache_timeout;
++
++#define VAR_SMTP_TLS_PER_SITE	"smtp_tls_per_site"
++#define DEF_SMTP_TLS_PER_SITE	""
++extern char *var_smtp_tls_per_site;
++
++#define VAR_SMTP_USE_TLS	"smtp_use_tls"
++#define DEF_SMTP_USE_TLS	0
++extern bool var_smtp_use_tls;
++
++#define VAR_SMTP_ENFORCE_TLS	"smtp_enforce_tls"
++#define DEF_SMTP_ENFORCE_TLS	0
++extern bool var_smtp_enforce_tls;
++
++#define VAR_SMTP_TLS_ENFORCE_PN	"smtp_tls_enforce_peername"
++#define DEF_SMTP_TLS_ENFORCE_PN	1
++extern bool var_smtp_tls_enforce_peername;
++
++#define VAR_SMTP_TLS_SCERT_VD	"smtp_tls_scert_verifydepth"
++#define DEF_SMTP_TLS_SCERT_VD	5
++extern int var_smtp_tls_scert_vd;
++
++#define VAR_SMTP_TLS_CERT_FILE	"smtp_tls_cert_file"
++#define DEF_SMTP_TLS_CERT_FILE	""
++extern char *var_smtp_tls_cert_file;
++
++#define VAR_SMTP_TLS_KEY_FILE	"smtp_tls_key_file"
++#define DEF_SMTP_TLS_KEY_FILE	"$smtp_tls_cert_file"
++extern char *var_smtp_tls_key_file;
++
++#define VAR_SMTP_TLS_DCERT_FILE "smtp_tls_dcert_file"
++#define DEF_SMTP_TLS_DCERT_FILE ""
++extern char *var_smtp_tls_dcert_file;
++
++#define VAR_SMTP_TLS_DKEY_FILE	"smtp_tls_dkey_file"
++#define DEF_SMTP_TLS_DKEY_FILE	"$smtp_tls_dcert_file"
++extern char *var_smtp_tls_dkey_file;
++
++#define VAR_SMTP_TLS_CA_FILE	"smtp_tls_CAfile"
++#define DEF_SMTP_TLS_CA_FILE	""
++extern char *var_smtp_tls_CAfile;
++
++#define VAR_SMTP_TLS_CA_PATH	"smtp_tls_CApath"
++#define DEF_SMTP_TLS_CA_PATH	""
++extern char *var_smtp_tls_CApath;
++
++#define VAR_SMTP_TLS_CLIST	"smtp_tls_cipherlist"
++#define DEF_SMTP_TLS_CLIST	""
++extern char *var_smtp_tls_cipherlist;
++
++#define VAR_SMTP_TLS_LOGLEVEL	"smtp_tls_loglevel"
++#define DEF_SMTP_TLS_LOGLEVEL	0
++extern int var_smtp_tls_loglevel;
++
++#define VAR_SMTP_TLS_NOTEOFFER	"smtp_tls_note_starttls_offer"
++#define DEF_SMTP_TLS_NOTEOFFER	0
++extern bool var_smtp_tls_note_starttls_offer;
++
++#define VAR_SMTP_TLS_SCACHE_DB	"smtp_tls_session_cache_database"
++#define DEF_SMTP_TLS_SCACHE_DB	""
++extern char *var_smtp_tls_scache_db;
++
++#define VAR_SMTP_TLS_SCACHTIME	"smtp_tls_session_cache_timeout"
++#define DEF_SMTP_TLS_SCACHTIME	"3600s"
++extern int var_smtp_tls_scache_timeout;
++
+  /*
+   * SASL authentication support, SMTP server side.
+   */
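Review bot: `DEF_SMTPD_TLS_CLIST` and `DEF_SMTP_TLS_CLIST` default to the empty string, and the hunk does not say what an empty cipherlist means (presumably "use the OpenSSL built-in default list"); spell that out in the documentation, because an empty value is easy to misread as "no ciphers" and the resulting cipher set is what determines the strength of every TLS session. Separately, `smtpd_tls_dh512_param_file` exists only to serve 512-bit Diffie-Hellman groups to export-restricted clients; if it is kept, mark it as a compatibility setting rather than leaving it beside `smtpd_tls_dh1024_param_file` as an equal alternative.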
+@@ -916,6 +1102,10 @@
+ #define DEF_SMTPD_SASL_APPNAME	"smtpd"
+ extern char *var_smtpd_sasl_appname;
+ 
++#define VAR_SMTPD_SASL_TLS_OPTS	"smtpd_sasl_tls_security_options"
++#define DEF_SMTPD_SASL_TLS_OPTS	"$smtpd_sasl_security_options"
++extern char *var_smtpd_sasl_opts;
++
+ #define VAR_SMTPD_SASL_REALM	"smtpd_sasl_local_domain"
+ #define DEF_SMTPD_SASL_REALM	""
+ extern char *var_smtpd_sasl_realm;
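Review bot: the new `smtpd_sasl_tls_security_options` parameter is declared with `extern char *var_smtpd_sasl_opts;`, but by analogy with `var_smtp_sasl_opts` for `smtp_sasl_security_options` in the next hunk that name belongs to the existing non-TLS parameter (the default `"$smtpd_sasl_security_options"` two lines up refers to exactly that parameter). This looks like a copy-paste slip; the TLS variant needs its own variable, e.g. `extern char *var_smtpd_sasl_tls_opts;`, otherwise both parameters end up writing to the same storage and whichever is processed last wins.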
+@@ -945,6 +1135,14 @@
+ #define DEF_SMTP_SASL_OPTS	"noplaintext, noanonymous"
+ extern char *var_smtp_sasl_opts;
+ 
++#define VAR_SMTP_SASL_TLS_OPTS	"smtp_sasl_tls_security_options"
++#define DEF_SMTP_SASL_TLS_OPTS	"$var_smtp_sasl_opts"
++extern char *var_smtp_sasl_tls_opts;
++
++#define VAR_SMTP_SASL_TLSV_OPTS	"smtp_sasl_tls_verified_security_options"
++#define DEF_SMTP_SASL_TLSV_OPTS	"$var_smtp_sasl_tls_opts"
++extern char *var_smtp_sasl_tls_verified_opts;
++
+  /*
+   * LMTP server. The soft error limit determines how many errors an LMTP
+   * client may make before we start to slow down; the hard error limit
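Review bot: the defaults `"$var_smtp_sasl_opts"` and `"$var_smtp_sasl_tls_opts"` name C variables, not Postfix parameters; `$name` expansion in main.cf resolves parameter names, so these expand to an undefined (empty) value instead of inheriting `noplaintext, noanonymous` from `smtp_sasl_security_options`. Compare the server-side entry in the previous hunk, which correctly uses `"$smtpd_sasl_security_options"`. They should read `"$smtp_sasl_security_options"` and `"$smtp_sasl_tls_security_options"`. The failure is silent and security-relevant: with an empty option list the client no longer excludes plaintext and anonymous SASL mechanisms on TLS sessions, which is the opposite of what the inherited default intends.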
+@@ -1075,6 +1273,14 @@
+ #define DEF_LMTP_QUIT_TMOUT	"300s"
+ extern int var_lmtp_quit_tmout;
+ 
++#define VAR_LMTP_BIND_ADDR	"lmtp_bind_address"
++#define DEF_LMTP_BIND_ADDR	""
++extern char *var_lmtp_bind_addr;
++
++#define VAR_LMTP_BIND_ADDR6	"lmtp_bind_address6"
++#define DEF_LMTP_BIND_ADDR6	""
++extern char *var_lmtp_bind_addr6;
++
+ #define VAR_LMTP_SEND_XFORWARD	"lmtp_send_xforward_command"
+ #define DEF_LMTP_SEND_XFORWARD	0
+ extern bool var_lmtp_send_xforward;
+@@ -1234,6 +1440,10 @@
+ #define DEF_RELAY_RCPT_CODE	550
+ extern int var_relay_rcpt_code;
+ 
++#define VAR_RELAY_CCERTS	"relay_clientcerts"
++#define DEF_RELAY_CCERTS	""
++extern char *var_relay_ccerts;
++
+ #define VAR_CLIENT_CHECKS	"smtpd_client_restrictions"
+ #define DEF_CLIENT_CHECKS	""
+ extern char *var_client_checks;
+@@ -1352,6 +1562,8 @@
+ #define PERMIT_AUTH_DEST	"permit_auth_destination"
+ #define REJECT_UNAUTH_DEST	"reject_unauth_destination"
+ #define CHECK_RELAY_DOMAINS	"check_relay_domains"
++#define PERMIT_TLS_CLIENTCERTS	"permit_tls_clientcerts"
++#define PERMIT_TLS_ALL_CLIENTCERTS	"permit_tls_all_clientcerts"
+ #define VAR_RELAY_CODE		"relay_domains_reject_code"
+ #define DEF_RELAY_CODE		554
+ extern int var_relay_code;
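Review bot: the CA bundle in `smtpd_tls_CAfile`/`smtpd_tls_CApath` (added earlier in this patch) becomes the relay-authorization boundary once `permit_tls_all_clientcerts` is in use, and nothing in this hunk documents that. If, as the name suggests, the restriction accepts any client certificate that verifies against the configured CAs, the documentation should say so plainly and point operators at `permit_tls_clientcerts` with a `relay_clientcerts` table when only specific certificates are meant to relay; with a public or system-wide CA bundle the `_all_` variant is an open relay for every holder of a certificate from those CAs.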
+diff -urNad postfix-release/src/global/mail_proto.h /tmp/dpep.cXJuVH/postfix-release/src/global/mail_proto.h
+--- postfix-release/src/global/mail_proto.h	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/mail_proto.h	2005-02-03 10:22:13.052098471 -0700
+@@ -42,6 +42,7 @@
+ #define MAIL_SERVICE_LOCAL	"local"
+ #define MAIL_SERVICE_PICKUP	"pickup"
+ #define MAIL_SERVICE_QUEUE	"qmgr"
++#define MAIL_SERVICE_TLSMGR	"tlsmgr"
+ #define MAIL_SERVICE_RESOLVE	"resolve"
+ #define MAIL_SERVICE_REWRITE	"rewrite"
+ #define MAIL_SERVICE_VIRTUAL	"virtual"
+diff -urNad postfix-release/src/global/mail_version.h /tmp/dpep.cXJuVH/postfix-release/src/global/mail_version.h
+--- postfix-release/src/global/mail_version.h	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/mail_version.h	2005-02-03 10:22:13.052098471 -0700
+@@ -31,6 +31,14 @@
+ #endif
+ extern char *var_mail_version;
+ 
++#define VAR_TLSIPV6_VERSION	"tls_ipv6_version"
++#ifdef INET6
++#define DEF_TLSIPV6_VERSION	"1.24"
++#else
++#define DEF_TLSIPV6_VERSION	""
++#endif
++extern char *var_tlsipv6_version;
++
+  /*
+   * Release date.
+   */
+diff -urNad postfix-release/src/global/Makefile.in /tmp/dpep.cXJuVH/postfix-release/src/global/Makefile.in
+--- postfix-release/src/global/Makefile.in	2005-02-03 10:22:12.218284460 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/Makefile.in	2005-02-03 10:22:13.053098248 -0700
+@@ -23,7 +23,8 @@
+ 	sent.c smtp_stream.c split_addr.c string_list.c strip_addr.c \
+ 	sys_exits.c timed_ipc.c tok822_find.c tok822_node.c tok822_parse.c \
+ 	tok822_resolve.c tok822_rewrite.c tok822_tree.c trace.c verify.c \
+-	verify_clnt.c verp_sender.c virtual8_maps.c xtext.c
++	verify_clnt.c verp_sender.c virtual8_maps.c xtext.c pfixtls.c \
++	wildcard_inet_addr.c inet_interfaces_to_af.c
+ OBJS	= abounce.o been_here.o bounce.o bounce_log.o \
+ 	canon_addr.o cfg_parser.o cleanup_strerror.o cleanup_strflags.o \
+ 	clnt_stream.o debug_peer.o debug_process.o defer.o \
+@@ -47,7 +48,8 @@
+ 	sent.o smtp_stream.o split_addr.o string_list.o strip_addr.o \
+ 	sys_exits.o timed_ipc.o tok822_find.o tok822_node.o tok822_parse.o \
+ 	tok822_resolve.o tok822_rewrite.o tok822_tree.o trace.o verify.o \
+-	verify_clnt.o verp_sender.o virtual8_maps.o xtext.o
++	verify_clnt.o verp_sender.o virtual8_maps.o xtext.o \
++	wildcard_inet_addr.o inet_interfaces_to_af.o
+ HDRS	= abounce.h been_here.h bounce.h bounce_log.h \
+ 	canon_addr.h cfg_parser.h cleanup_user.h clnt_stream.h config.h \
+ 	debug_peer.h debug_process.h defer.h deliver_completed.h \
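Review bot: `pfixtls.c` is added to SRCS in the previous hunk and `pfixtls.h` to HDRS below, but `pfixtls.o` is not added to OBJS here, only `wildcard_inet_addr.o` and `inet_interfaces_to_af.o`. If the TLS object is deliberately linked elsewhere (for instance only when USE_TLS is defined), a comment on the OBJS line should say so; otherwise libglobal is built without the TLS code and smtpd, smtp and tlsmgr fail to link with unresolved `pfixtls_*` symbols.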
+@@ -69,7 +71,7 @@
+ 	resolve_local.h rewrite_clnt.h sent.h smtp_stream.h split_addr.h \
+ 	string_list.h strip_addr.h sys_exits.h timed_ipc.h tok822.h \
+ 	trace.h verify.h verify_clnt.h verp_sender.h virtual8_maps.h \
+-	xtext.h
++	xtext.h pfixtls.h wildcard_inet_addr.h inet_interfaces_to_af.h
+ TESTSRC	= rec2stream.c stream2rec.c recdump.c
+ DEFS	= -I. -I$(INC_DIR) -D$(SYSTYPE)
+ CFLAGS	= $(DEBUG) $(OPT) $(DEFS)
+@@ -898,6 +900,7 @@
+ mail_params.o: ../../include/attr.h
+ mail_params.o: verp_sender.h
+ mail_params.o: mail_params.h
++mail_params.o: pfixtls.h
+ mail_pathname.o: mail_pathname.c
+ mail_pathname.o: ../../include/sys_defs.h
+ mail_pathname.o: ../../include/stringops.h
+diff -urNad postfix-release/src/global/mynetworks.c /tmp/dpep.cXJuVH/postfix-release/src/global/mynetworks.c
+--- postfix-release/src/global/mynetworks.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/mynetworks.c	2005-02-03 10:22:13.054098025 -0700
+@@ -28,6 +28,13 @@
+ /*	IBM T.J. Watson Research
+ /*	P.O. Box 704
+ /*	Yorktown Heights, NY 10598, USA
++/*
++/*	Dean C. Strik
++/*	Department ICT Services
++/*	Eindhoven University of Technology
++/*	P.O. Box 513
++/*	5600 MB  Eindhoven, Netherlands
++/*	E-mail: <dean at ipnet6.org>
+ /*--*/
+ 
+ /* System library. */
+@@ -42,7 +49,8 @@
+ #define IN_CLASSD_NSHIFT 	28
+ #endif
+ 
+-#define BITS_PER_ADDR		32
++#define BITS_PER_ADDR_V4	32
++#define BITS_PER_ADDR_V6	128
+ 
+ /* Utility library. */
+ 
+@@ -50,6 +58,12 @@
+ #include <vstring.h>
+ #include <inet_addr_list.h>
+ #include <name_mask.h>
++#ifdef INET6
++#include <string.h>
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <netdb.h>
++#endif
+ 
+ /* Global library. */
+ 
+@@ -75,18 +89,25 @@
+ const char *mynetworks(void)
+ {
+     static VSTRING *result;
++    int bits_per_addr;
++#ifdef INET6
++    char hbuf[NI_MAXHOST];
++#endif
+ 
+     if (result == 0) {
+ 	char   *myname = "mynetworks";
+ 	INET_ADDR_LIST *my_addr_list;
+ 	INET_ADDR_LIST *my_mask_list;
+-	unsigned long addr;
+-	unsigned long mask;
++	unsigned long addr = 0;
++	unsigned long mask = 0;
+ 	struct in_addr net;
+-	int     shift;
++	int     shift = 0;
+ 	int     junk;
+ 	int     i;
+ 	int     mask_style;
++#ifdef INET6
++	struct sockaddr *sa;
++#endif
+ 
+ 	mask_style = name_mask("mynetworks mask style", mask_styles,
+ 			       var_mynetworks_style);
+@@ -107,8 +128,23 @@
+ 	my_mask_list = own_inet_mask_list();
+ 
+ 	for (i = 0; i < my_addr_list->used; i++) {
++#ifdef INET6
++	    sa = (struct sockaddr *)&my_addr_list->addrs[i];
++	    if (sa->sa_family != AF_INET && sa->sa_family != AF_INET6) {
++		msg_warn("%s: unknown family in address list", myname);
++		 continue;
++	    }
++	    if (sa->sa_family == AF_INET) {
++		bits_per_addr = BITS_PER_ADDR_V4;
++		addr = ntohl(((struct sockaddr_in *)sa)->sin_addr.s_addr);
++		mask = ntohl(((struct sockaddr_in *)
++			      &my_mask_list->addrs[i])->sin_addr.s_addr);
++	    } else
++		bits_per_addr = BITS_PER_ADDR_V6;
++#else
+ 	    addr = ntohl(my_addr_list->addrs[i].s_addr);
+ 	    mask = ntohl(my_mask_list->addrs[i].s_addr);
++#endif
+ 
+ 	    switch (mask_style) {
+ 
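Review bot: `bits_per_addr` is assigned only inside the `#ifdef INET6` branch of this loop (`bits_per_addr = BITS_PER_ADDR_V4` / `BITS_PER_ADDR_V6`); the `#else` branch leaves it untouched, yet later unconditional code reads it (`shift = bits_per_addr;` in the MASK_STYLE_SUBNET case and `bits_per_addr - shift` in the final `vstring_sprintf_append`). In a build without INET6 the prefix length is computed from an uninitialized int. Either initialize it to `BITS_PER_ADDR_V4` at its declaration or set it in the `#else` branch next to `addr` and `mask`.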
+@@ -117,6 +153,9 @@
+ 		 * ISP who gave you a small portion of their network.
+ 		 */
+ 	    case MASK_STYLE_CLASS:
++#ifdef INET6
++		if (sa->sa_family == AF_INET) {
++#endif
+ 		if (IN_CLASSA(addr)) {
+ 		    mask = IN_CLASSA_NET;
+ 		    shift = IN_CLASSA_NSHIFT;
+@@ -130,24 +169,73 @@
+ 		    mask = IN_CLASSD_NET;
+ 		    shift = IN_CLASSD_NSHIFT;
+ 		} else {
++#ifdef INET6
++		    if (getnameinfo(sa, SA_LEN(sa), hbuf, sizeof(hbuf),
++				    NULL, 0, NI_NUMERICHOST))
++			strncpy(hbuf, "???", sizeof(hbuf));
++		    msg_fatal("%s: bad address class: %s", myname, hbuf);
++#else
+ 		    msg_fatal("%s: bad address class: %s",
+ 			      myname, inet_ntoa(my_addr_list->addrs[i]));
++#endif
+ 		}
+ 		break;
++#ifdef INET6
++		} /* if AF_INET */
++		/*
++		 * There are no classes for IPv6, we default to subnets instead.
++		 */
++		/* FALLTHROUGH */
++#endif
+ 
+ 		/*
+ 		 * Subnet mask. This is safe, but breaks backwards
+ 		 * compatibility when used as default setting.
+ 		 */
+ 	    case MASK_STYLE_SUBNET:
+-		for (junk = mask, shift = BITS_PER_ADDR; junk != 0; shift--, (junk <<= 1))
+-		     /* void */ ;
++#ifdef INET6
++		if (sa->sa_family == AF_INET6) {
++		    unsigned char *ac, *end;
++		    ac = (unsigned char *)&(((struct sockaddr_in6 *)&my_mask_list->addrs[i])->sin6_addr);
++		    end = ac + bits_per_addr / 8;
++		    shift = bits_per_addr;
++		    while (ac < end) {
++			switch (*(ac++)) {
++			    case 0xff: shift -= 8; break;
++			    case 0xfe: shift -= 7; break;
++			    case 0xfc: shift -= 6; break;
++			    case 0xf8: shift -= 5; break;
++			    case 0xf0: shift -= 4; break;
++			    case 0xe0: shift -= 3; break;
++			    case 0xc0: shift -= 2; break;
++			    case 0x80: shift -= 1; break;
++			    case 0x00: break;
++			    default: msg_fatal("%s: inconsistent prefixlen",
++				myname);
++			}
++		    }
++		    break;
++		}
++#endif
++		/* AF_INET */
++		junk = mask;
++		shift = bits_per_addr;
++		while (junk != 0) {
++		    shift--;
++		    junk <<= 1;
++		}
+ 		break;
+ 
+ 		/*
+ 		 * Host only. Do not relay authorize other hosts.
+ 		 */
+ 	    case MASK_STYLE_HOST:
++#ifdef INET6
++		if (sa->sa_family == AF_INET6) {
++		    shift = 0;
++		    break;
++		}
++#endif
+ 		mask = ~0;
+ 		shift = 0;
+ 		break;
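Review bot: the IPv6 prefix-length loop in the MASK_STYLE_SUBNET case counts set bits byte by byte but never checks that every byte after the first non-0xff byte is 0x00, so a non-contiguous mask such as ff:ff:00:ff:... is accepted and yields a prefix length that does not describe the mask. Since `mynetworks` is a trust boundary for relaying, a malformed interface mask should not be allowed to widen it silently: track whether a partial or zero byte has been seen and call `msg_fatal("%s: inconsistent prefixlen", myname)` when a nonzero byte follows it, the same way the `default:` label already rejects bytes that are not a valid prefix pattern.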
+@@ -156,9 +244,20 @@
+ 		msg_panic("unknown mynetworks mask style: %s",
+ 			  var_mynetworks_style);
+ 	    }
++#ifdef INET6
++	    if (sa->sa_family == AF_INET6) {
++		if (getnameinfo(sa, SA_LEN(sa), hbuf, sizeof(hbuf), NULL, 0,
++				NI_NUMERICHOST))
++		    msg_fatal("%s: bad address to getnameinfo()", myname);
++		vstring_sprintf_append(result, "[%s]/%d ",
++				       hbuf, bits_per_addr - shift);
++		continue;
++	    }
++#endif
++	    /* AF_INET */
+ 	    net.s_addr = htonl(addr & mask);
+ 	    vstring_sprintf_append(result, "%s/%d ",
+-				   inet_ntoa(net), BITS_PER_ADDR - shift);
++				   inet_ntoa(net), bits_per_addr - shift);
+ 	}
+ 	if (msg_verbose)
+ 	    msg_info("%s: %s", myname, vstring_str(result));
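Review bot: the AF_INET6 entry is appended unmasked (`hbuf` holds the full interface address returned by getnameinfo()), whereas the IPv4 branch prints the network address `htonl(addr & mask)`; the IPv6 form is still a valid CIDR entry but is inconsistent and harder to audit by eye. More importantly, for link-local addresses with a nonzero `sin6_scope_id`, getnameinfo() with NI_NUMERICHOST on glibc and KAME-derived stacks appends a `%scope` suffix to the numeric host, which does not parse as a `mynetworks` entry. Mask the address to the prefix before printing and strip or reject a scope suffix.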
+diff -urNad postfix-release/src/global/own_inet_addr.c /tmp/dpep.cXJuVH/postfix-release/src/global/own_inet_addr.c
+--- postfix-release/src/global/own_inet_addr.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/own_inet_addr.c	2005-02-03 10:23:37.570246060 -0700
+@@ -50,6 +50,8 @@
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
+ #include <string.h>
++#include <sys/socket.h>
++#include <netdb.h>
+ 
+ #ifdef STRCASECMP_IN_STRINGS_H
+ #include <strings.h>
+@@ -63,11 +65,13 @@
+ #include <inet_addr_local.h>
+ #include <inet_addr_host.h>
+ #include <stringops.h>
++#include <sock_addr.h>
+ 
+ /* Global library. */
+ 
+ #include <mail_params.h>
+ #include <own_inet_addr.h>
++#include <inet_interfaces_to_af.h>
+ 
+ /* Application-specific. */
+ 
+@@ -88,6 +92,10 @@
+     char   *bufp;
+     int     nvirtual;
+     int     nlocal;
++    int     done = 0;
++    int     af;
++    struct sockaddr_storage *sa;
++    struct sockaddr_storage *ma;
+ 
+     inet_addr_list_init(addr_list);
+     inet_addr_list_init(mask_list);
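Review bot: `int done = 0;` is introduced here but is neither read nor written in any visible hunk of this file; if it is a leftover from an earlier revision it should be removed, otherwise the code that uses it is missing from the patch.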
+@@ -96,27 +104,52 @@
+      * If we are listening on all interfaces (default), ask the system what
+      * the interfaces are.
+      */
+-    if (strcasecmp(var_inet_interfaces, DEF_INET_INTERFACES) == 0) {
+-	if (inet_addr_local(addr_list, mask_list) == 0)
+-	    msg_fatal("could not find any active network interfaces");
+-#if 0
+-	if (addr_list->used == 1)
+-	    msg_warn("found only one active network interface: %s",
+-		     inet_ntoa(addr_list->addrs[0]));
+-#endif
++    af = inet_interfaces_to_af(var_inet_interfaces);
++    if (strcmp(var_inet_interfaces, INET_INTERFACES_ALL) == 0) {
++	if (af > -1) {
++	    if (inet_addr_local(addr_list, mask_list, af) == 0)
++		msg_fatal("could not find any active network interfaces");
++	}
+     }
+ 
+     /*
++     * Select all loopback interfaces from the system's available interface
++     * list.
++     */
++    else if (strcmp(var_inet_interfaces, INET_INTERFACES_LOCAL) == 0) {
++        int found=0;
++        inet_addr_list_init(&local_addrs);
++        inet_addr_list_init(&local_masks);
++        if (inet_addr_local(&local_addrs, &local_masks, af) == 0)
++            msg_fatal("could not find any active network interfaces");
++        for (sa = local_addrs.addrs, ma = local_masks.addrs;
++             sa < local_addrs.addrs + local_addrs.used; sa++, ma++) {
++            if (sock_addr_in_loopback(SOCK_ADDR_PTR(sa))) {
++                inet_addr_list_append(addr_list, SOCK_ADDR_PTR(sa));
++                inet_addr_list_append(mask_list, SOCK_ADDR_PTR(ma));
++		found=1;
++		if (msg_verbose)
++		    msg_info("found one");	/* XXX */
++            }
++        }
++        inet_addr_list_free(&local_addrs);
++        inet_addr_list_free(&local_masks);
++	if (!found)
++	    msg_fatal("could not find any loopback addresses");
++    }
++    
++    /*
+      * If we are supposed to be listening only on specific interface
+      * addresses (virtual hosting), look up the addresses of those
+      * interfaces.
+      */
+     else {
+ 	bufp = hosts = mystrdup(var_inet_interfaces);
+-	while ((host = mystrtok(&bufp, sep)) != 0)
++	while ((host = mystrtok(&bufp, sep)) != 0) {
+ 	    if (inet_addr_host(addr_list, host) == 0)
+ 		msg_fatal("config variable %s: host not found: %s",
+ 			  VAR_INET_INTERFACES, host);
++	}
+ 	myfree(hosts);
+ 
+ 	/*
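Review bot: switching from `strcasecmp(var_inet_interfaces, DEF_INET_INTERFACES)` to `strcmp(var_inet_interfaces, INET_INTERFACES_ALL)` makes the keyword case-sensitive, so an existing `inet_interfaces = All` now falls through to the host-lookup branch and dies with "host not found: All"; keep `strcasecmp` for both keywords unless the incompatibility is intended and documented. In the `all` branch, when `inet_interfaces_to_af()` returns -1 the `if (af > -1)` guard skips `inet_addr_local()` and the function returns an empty address list with no diagnostic; that case should be a `msg_fatal` or the -1 return explained in a comment. Finally, `msg_info("found one"); /* XXX */` is a debugging leftover, and the new loopback block mixes space and tab indentation unlike the rest of the file.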
+@@ -129,19 +162,44 @@
+ 
+ 	inet_addr_list_init(&local_addrs);
+ 	inet_addr_list_init(&local_masks);
+-	if (inet_addr_local(&local_addrs, &local_masks) == 0)
++	if (inet_addr_local(&local_addrs, &local_masks, AF_UNSPEC) == 0)
+ 	    msg_fatal("could not find any active network interfaces");
+ 	for (nvirtual = 0; nvirtual < addr_list->used; nvirtual++) {
+ 	    for (nlocal = 0; /* see below */ ; nlocal++) {
+-		if (nlocal >= local_addrs.used)
++		if (nlocal >= local_addrs.used) {
++#ifdef INET6
++		    char hbuf[NI_MAXHOST];
++		    if (getnameinfo((struct sockaddr *)&addr_list->addrs[nvirtual],
++		        SS_LEN(addr_list->addrs[nvirtual]), hbuf,
++		        sizeof(hbuf), NULL, 0, NI_NUMERICHOST) != 0)
++			strncpy(hbuf, "???", sizeof(hbuf));
++		    msg_fatal("parameter %s: no local interface found for %s",
++			      VAR_INET_INTERFACES, hbuf);
++#else
+ 		    msg_fatal("parameter %s: no local interface found for %s",
+ 			      VAR_INET_INTERFACES,
+ 			      inet_ntoa(addr_list->addrs[nvirtual]));
++#endif
++		}
++#ifdef INET6
++		if (addr_list->addrs[nvirtual].ss_family == 
++		    local_addrs.addrs[nlocal].ss_family &&
++		    SS_LEN(addr_list->addrs[nvirtual]) == 
++		    SS_LEN(local_addrs.addrs[nlocal]) &&
++		    memcmp(&addr_list->addrs[nvirtual],
++			   &local_addrs.addrs[nlocal],
++			   SS_LEN(local_addrs.addrs[nlocal])) == 0) {
++		    inet_addr_list_append(mask_list, (struct sockaddr *)
++			&local_masks.addrs[nlocal]);
++		    break;
++		}
++#else
+ 		if (addr_list->addrs[nvirtual].s_addr
+ 		    == local_addrs.addrs[nlocal].s_addr) {
+ 		    inet_addr_list_append(mask_list, &local_masks.addrs[nlocal]);
+ 		    break;
+ 		}
++#endif
+ 	    }
+ 	}
+ 	inet_addr_list_free(&local_addrs);
+@@ -151,6 +209,49 @@
+ 
+ /* own_inet_addr - is this my own internet address */
+ 
++#ifdef INET6
++
++#ifdef INET6_KAME
++#define SA6_ARE_ADDR_EQUAL(a, b) ( \
++	((a)->sin6_scope_id == 0 || (b)->sin6_scope_id == 0 || \
++	(a)->sin6_scope_id == (b)->sin6_scope_id) && \
++	(memcmp(&(a)->sin6_addr, &(b)->sin6_addr, \
++	sizeof(struct in6_addr)) == 0))
++#else
++#define SA6_ARE_ADDR_EQUAL(a, b) \
++	(memcmp(&(a)->sin6_addr, &(b)->sin6_addr, \
++	sizeof(struct in6_addr)) == 0)
++#endif
++
++int     own_inet_addr(struct sockaddr *addr)
++{
++    int     i;
++
++    if (addr_list.used == 0)
++	own_inet_addr_init(&addr_list, &mask_list);
++
++    for (i = 0; i < addr_list.used; i++) {
++	if (((struct sockaddr *)&addr_list.addrs[i])->sa_family !=
++		addr->sa_family)
++	    continue;
++	switch (addr->sa_family) {
++	case AF_INET:
++	    if (((struct sockaddr_in *)addr)->sin_addr.s_addr ==
++		((struct sockaddr_in *)&addr_list.addrs[i])->sin_addr.s_addr)
++		return (1);
++	    break;
++	case AF_INET6:
++	    if (SA6_ARE_ADDR_EQUAL((struct sockaddr_in6 *)addr,
++		    (struct sockaddr_in6 *)&addr_list.addrs[i]))
++		return (1);
++	    break;
++	default:
++	    continue;
++	}
++    }
++    return (0);
++}
++#else
+ int     own_inet_addr(struct in_addr * addr)
+ {
+     int     i;
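Review bot: in the `INET6_KAME` variant, `SA6_ARE_ADDR_EQUAL` treats a zero `sin6_scope_id` on either side as a wildcard, so a link-local peer address presented without a scope matches an own link-local address on any interface; in the non-KAME variant the scope is ignored entirely. On a multi-homed host that widens what own_inet_addr() counts as "my own address". If only global-scope addresses are expected here, say so in a comment; otherwise restrict the zero-scope wildcard to addresses that are not link-local so that two interfaces with the same fe80:: address cannot be conflated.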
+@@ -163,6 +264,7 @@
+ 	    return (1);
+     return (0);
+ }
++#endif
+ 
+ /* own_inet_addr_list - return list of addresses */
+ 
+@@ -224,8 +326,15 @@
+ 	proxy_inet_addr_init(&proxy_list);
+ 
+     for (i = 0; i < proxy_list.used; i++)
++#ifdef INET6
++	if (proxy_list.addrs[i].ss_family == AF_INET && addr->s_addr ==
++		((struct sockaddr_in *)&(proxy_list.addrs[i]))->
++		sin_addr.s_addr)
++	    return (1);
++#else
+ 	if (addr->s_addr == proxy_list.addrs[i].s_addr)
+ 	    return (1);
++#endif
+     return (0);
+ }
+ 
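Review bot: `proxy_inet_addr()` keeps its `struct in_addr *` signature (the prototype in own_inet_addr.h below is unchanged) and the INET6 branch here only matches entries with `ss_family == AF_INET`, so any IPv6 address listed in `proxy_interfaces` is silently never recognized as a proxy address. Either extend the function to `struct sockaddr *` like `own_inet_addr()` above, or have `proxy_inet_addr_init()` reject IPv6 entries with a clear error rather than accepting and ignoring them.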
+diff -urNad postfix-release/src/global/own_inet_addr.h /tmp/dpep.cXJuVH/postfix-release/src/global/own_inet_addr.h
+--- postfix-release/src/global/own_inet_addr.h	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/own_inet_addr.h	2005-02-03 10:22:13.054098025 -0700
+@@ -15,11 +15,18 @@
+   * System library.
+   */
+ #include <netinet/in.h>
++#ifdef INET6
++#include <sys/socket.h>
++#endif
+ 
+  /*
+   * External interface.
+   */
++#ifdef INET6
++extern int own_inet_addr(struct sockaddr *);
++#else
+ extern int own_inet_addr(struct in_addr *);
++#endif
+ extern struct INET_ADDR_LIST *own_inet_addr_list(void);
+ extern struct INET_ADDR_LIST *own_inet_mask_list(void);
+ extern int proxy_inet_addr(struct in_addr *);
+diff -urNad postfix-release/src/global/pfixtls.c /tmp/dpep.cXJuVH/postfix-release/src/global/pfixtls.c
+--- postfix-release/src/global/pfixtls.c	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/pfixtls.c	2005-02-03 10:22:13.059096910 -0700
+@@ -0,0 +1,2824 @@
++#ifdef USE_TLS
++/*++
++/* NAME
++/*	pfixtls
++/* SUMMARY
++/*	interface to openssl routines
++/* SYNOPSIS
++/*	#include <pfixtls.h>
++/*
++/*	const long scache_db_version;
++/*	const long openssl_version;
++/*
++/*	int pfixtls_serverengine;
++/*
++/*	int pfixtls_clientengine;
++/*
++/*	int pfixtls_timed_read(fd, buf, len, timeout, unused_context)
++/*	int fd;
++/*	void *buf;
++/*	unsigned len;
++/*	int timeout;
++/*	void *context;
++/*
++/*	int pfixtls_timed_write(fd, buf, len, timeout, unused_context);
++/*	int fd;
++/*	void *buf;
++/*	unsigned len;
++/*	int timeout;
++/*	void *context;
++/*
++/*	int pfixtls_init_serverengine(verifydepth, askcert);
++/*	int verifydepth;
++/*	int askcert;
++/*
++/*	int pfixtls_start_servertls(stream, timeout, peername, peeraddr,
++/*				    tls_info, requirecert);
++/*	VSTREAM *stream;
++/*	int timeout;
++/*	const char *peername;
++/*	const char *peeraddr;
++/*	tls_info_t *tls_info;
++/*	int requirecert;
++/*
++/*	int pfixtls_stop_servertls(stream, failure, tls_info);
++/*	VSTREAM *stream;
++/*	int failure;
++/*	tls_info_t *tls_info;
++/*	
++/*	int pfixtls_init_clientengine(verifydepth);
++/*	int verifydepth;
++/*
++/*	int pfixtls_start_clienttls(stream, timeout, peername, peeraddr,
++/*				    tls_info);
++/*	VSTREAM *stream;
++/*	int timeout;
++/*	const char *peername;
++/*	const char *peeraddr;
++/*	tls_info_t *tls_info;
++/*
++/*	int pfixtls_stop_clienttls(stream, failure, tls_info);
++/*	VSTREAM *stream;
++/*	int failure;
++/*	tls_info_t *tls_info;
++/*
++/* DESCRIPTION
++/*	This module is the interface between Postfix and the OpenSSL library.
++/*
++/*	pfixtls_timed_read() reads the requested number of bytes calling
++/*	SSL_read(). pfixtls_time_read() will only be called indirect
++/*	as a VSTREAM_FN function.
++/*	pfixtls_timed_write() is the corresponding write function.
++/*
++/*	pfixtls_init_serverengine() is called once when smtpd is started
++/*	in order to initialize as much of the TLS stuff as possible.
++/*	The certificate handling is also decided during the setup phase,
++/*	so that a peer specific handling is not possible.
++/*
++/*	pfixtls_init_clientengine() is the corresponding function called
++/*	in smtp. Here we take the peer's (server's) certificate in any
++/*	case.
++/*
++/*	pfixtls_start_servertls() activates the TLS feature for the VSTREAM
++/*	passed as argument. We expect that all buffers are flushed and the
++/*	TLS handshake can begin	immediately. Information about the peer
++/*	is stored into the tls_info structure passed as argument.
++/*
++/*	pfixtls_stop_servertls() sends the "close notify" alert via
++/*	SSL_shutdown() to the peer and resets all connection specific
++/*	TLS data. As RFC2487 does not specify a seperate shutdown, it
++/*	is supposed that the underlying TCP connection is shut down
++/*	immediately afterwards, so we don't care about additional data
++/*	coming through the channel.
++/*	If the failure flag is set, the session is cleared from the cache.
++/*
++/*	pfixtls_start_clienttls() and pfixtls_stop_clienttls() are the
++/*	corresponding functions for smtp.
++/*
++/*	Once the TLS connection is initiated, information about the TLS
++/*	state is available via the tls_info structure:
++/*	protocol holds the protocol name (SSLv2, SSLv3, TLSv1),
++/*	tls_info->cipher_name the cipher name (e.g. RC4/MD5),
++/*	tls_info->cipher_usebits the number of bits actually used (e.g. 40),
++/*	tls_info->cipher_algbits the number of bits the algorithm is based on
++/*	(e.g. 128).
++/*	The last two values may be different when talking to a crippled
++/*	- ahem - export controled peer (e.g. 40/128).
++/*
++/*	The status of the peer certificate verification is available in
++/*	pfixtls_peer_verified. It is set to 1, when the certificate could
++/*	be verified.
++/*	If the peer offered a certifcate, part of the certificate data are
++/*	available as:
++/*	tls_info->peer_subject X509v3-oneline with the DN of the peer
++/*	tls_info->peer_CN extracted CommonName of the peer
++/*	tls_info->peer_issuer  X509v3-oneline with the DN of the issuer
++/*	tls_info->peer_CN extracted CommonName of the issuer
++/*	tls_info->PEER_FINGERPRINT fingerprint of the certificate
++/*
++/* DESCRIPTION (SESSION CACHING)
++/*	In order to achieve high performance when using a lot of connections
++/*	with TLS, session caching is implemented. It reduces both the CPU load
++/*	(less cryptograpic operations) and the network load (the amount of
++/*	certificate data exchanged is reduced).
++/*	Since postfix uses a setup of independent processes for receiving
++/*	and sending email, the processes must exchange the session information.
++/*	Several connections at the same time between the identical peers can
++/*	occur, so uniqueness and race conditions have to be taken into
++/*	account.
++/*	I have checked both Apache-SSL (Ben Laurie), using a seperate "gcache"
++/*	process and Apache mod_ssl (Ralf S. Engelshall), using shared memory
++/*	between several identical processes spawned from one parent.
++/*
++/*	Postfix/TLS uses a database approach based on the internal "dict"
++/*	interface. Since the session cache information is approximately
++/*	1300 bytes binary data, it will not fit into the dbm/ndbm model.
++/*	It also needs write access to the database, ruling out most other
++/*	interface, leaving Berkeley DB, which however cannot handle concurrent
++/*	access by several processes. Hence a modified SDBM (public domain DBM)
++/*	with enhanced buffer size is used and concurrent write capability
++/*	is used. SDBM is part of Postfix/TLS.
++/*
++/*	Realization:
++/*	Both (client and server) session cache are realized by individual
++/*	cache databases. A common database would not make sense, since the
++/*	key criteria are different (session ID for server, peername for
++/*	client).
++/*
++/*	Server side:
++/*	Session created by OpenSSL have a 32 byte session id, yielding a
++/*	64 char file name. I consider these sessions to be unique. If they
++/*	are not, the last session will win, overwriting the older one in
++/*	the database. Remember: everything that is lost is a temporary
++/*	information and not more than a renegotiation will happen.
++/*	Originating from the same client host, several sessions can come
++/*	in (e.g. from several users sending mail with Netscape at the same
++/*	time), so the session id is the correct identifier; the hostname
++/*	is of no importance, here.
++/*
++/*	Client side:
++/*	We cannot recall sessions based on their session id, because we would
++/*	have to check every session on disk for a matching server name, so
++/*	the lookup has to be done based on the FQDN of the peer (receiving
++/*	host).
++/*	With regard to uniqueness, we might experience several open connections
++/*	to the same server at the same time. This is even very likely to
++/*	happen, since we might have several mails for the same destination
++/*	in the queue, when a queue run is started. So several smtp's might
++/*	negotiate sessions at the same time. We can however only save one
++/*	session for one host.
++/*	Like on the server side, the "last write" wins. The reason is
++/*	quite simple. If we don't want to overwrite old sessions, an old
++/*	session file will just stay in place until it is expired. In the
++/*	meantime we would lose "fresh" session however. So we will keep the
++/*	fresh one instead to avoid unnecessary renegotiations.
++/*
++/*	Session lifetime:
++/*	RFC2246 recommends a session lifetime of less than 24 hours. The
++/*	default is 300 seconds (5 minutes) for OpenSSL and is also used
++/*	this way in e.g. mod_ssl. The typical usage for emails might be
++/*	humans typing in emails and sending them, which might take just
++/*	a while, so I think 3600 seconds (1 hour) is a good compromise.
++/*	If the environment is save (the cached session contains secret
++/*	key data), one might even consider using a longer timeout. Anyway,
++/*	since everlasting sessions must be avoided, the session timeout
++/*	is done based on the creation date of the session and so each
++/*	session will timeout eventually.
++/*
++/*	Connection failures:
++/*	RFC2246 requires us to remove sessions if something went wrong.
++/*	Since the in-memory session cache of other smtp[d] processes cannot
++/*	be controlled by simple means, we completely rely on the disc
++/*	based session caching and remove all sessions from memory after
++/*	connection closure.
++/*
++/*	Cache cleanup:
++/*	Since old entries have to be removed from the session cache, a
++/*	cleanup process is needed that runs through the collected session
++/*	files on regular basis. The task is performed by tlsmgr based on
++/*	the timestamp created by pfixtls and included in the saved session,
++/*	so that tlsmgr has not to care about the SSL_SESSION internal data.
++/*
++/* BUGS
++/*	The memory allocation policy of the OpenSSL library is not well
++/*	documented, especially when loading sessions from disc. Hence there
++/*	might be memory leaks.
++/*
++/* LICENSE
++/* AUTHOR(S)
++/*	Lutz Jaenicke
++/*	BTU Cottbus
++/*	Allgemeine Elektrotechnik
++/*	Universitaetsplatz 3-4
++/*	D-03044 Cottbus, Germany
++/*--*/
++
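Review bot: the tls_info field list in the header comment has a copy/paste slip: `tls_info->peer_CN extracted CommonName of the issuer` repeats peer_CN, while the field that actually carries the issuer's CN is `issuer_CN` (the TLScontext_t struct further down declares `char issuer_CN[CCERT_BUFSIZ];`), and `tls_info->PEER_FINGERPRINT` is capitalised unlike every other field name. The same block refers to pfixtls_timed_read() once as `pfixtls_time_read()`, and "seperate", "certifcate", "cryptograpic" and "controled" are misspelled. Since this comment block is what the module's man page is generated from, it is worth fixing before the patch lands.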
++/* System library. */
++
++#include <sys_defs.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <sys/time.h>			/* gettimeofday, not in POSIX */
++#include <unistd.h>
++#include <stdio.h>
++#include <string.h>
++#include <errno.h>
++#include <ctype.h>
++
++/* Utility library. */
++
++#include <iostuff.h>
++#include <mymalloc.h>
++#include <vstring.h>
++#include <vstream.h>
++#include <dict.h>
++#include <myflock.h>
++#include <stringops.h>
++#include <msg.h>
++#include <connect.h>
++
++/* Application-specific. */
++
++#include "mail_params.h"
++#include "pfixtls.h"
++
++#define STR	vstring_str
++
++const tls_info_t tls_info_zero = {
++    0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, 0
++};
++
++#ifdef USE_SSL
++
++/* OpenSSL library. */
++
++#include <openssl/lhash.h>
++#include <openssl/bn.h>
++#include <openssl/err.h>
++#include <openssl/pem.h>
++#include <openssl/x509.h>
++#include <openssl/x509v3.h>
++#include <openssl/rand.h>
++#include <openssl/ssl.h>
++
++/* We must keep some of the info available */
++static const char hexcodes[] = "0123456789ABCDEF";
++
++/*
++ * When saving sessions, we want to make sure, that the lenght of the key
++ * is somehow limited. When saving client sessions, the hostname is used
++ * as key. According to HP-UX 10.20, MAXHOSTNAMELEN=64. Maybe new standards
++ * will increase this value, but as this will break compatiblity with existing
++ * implementations, we won't see this for long. We therefore choose a limit
++ * of 64 bytes.
++ * The length of the (TLS) session id can be up to 32 bytes according to
++ * RFC2246, so it fits well into the 64bytes limit.
++ */
++#define ID_MAXLENGTH	64		/* Max ID length in bytes */
++
++/*
++ * The session_id_context is set, such that the client knows which services
++ * on a host share the same session information (on the postfix host may
++ * as well run a TLS-enabled webserver.
++ */
++static char server_session_id_context[] = "Postfix/TLS"; /* anything will do */
++static int TLScontext_index = -1;
++static int TLSpeername_index = -1;
++static int do_dump = 0;
++static DH *dh_512 = NULL, *dh_1024 = NULL;
++static SSL_CTX *ctx = NULL;
++
++static int rand_exch_fd = -1;
++
++static DICT *scache_db = NULL;
++const long scache_db_version = 0x00000003L;
++const long openssl_version = OPENSSL_VERSION_NUMBER;
++
++
++int     pfixtls_serverengine = 0;
++static int pfixtls_serveractive = 0;	/* available or not */
++
++int     pfixtls_clientengine = 0;
++static int pfixtls_clientactive = 0;	/* available or not */
++
++/*
++ * Define a maxlength for certificate onelines. The length is checked by
++ * all routines when copying.
++ */
++#define CCERT_BUFSIZ 256
++
++typedef struct {
++  SSL *con;
++  BIO *internal_bio;			/* postfix/TLS side of pair */
++  BIO *network_bio;			/* netsork side of pair */
++  char peer_subject[CCERT_BUFSIZ];
++  char peer_issuer[CCERT_BUFSIZ];
++  char peer_CN[CCERT_BUFSIZ];
++  char issuer_CN[CCERT_BUFSIZ];
++  unsigned char md[EVP_MAX_MD_SIZE];
++  char fingerprint[EVP_MAX_MD_SIZE * 3];
++  char peername_save[129];
++  int enforce_verify_errors;
++  int enforce_CN;
++  int hostname_matched;
++} TLScontext_t;
++
++typedef struct {
++    int pid;
++    struct timeval tv;
++} randseed_t;
++
++static randseed_t randseed;
++
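Review bot: the size limits in this declaration block do not agree with each other and the comments should say which one governs. The comment above `#define ID_MAXLENGTH 64` argues that the client session-cache key is the peer hostname and therefore capped at 64 bytes, but the TLScontext_t struct reserves `char peername_save[129];` for that same hostname, so a peer name between 65 and 128 characters is held in full in the context yet cannot be used as a cache key as described. Either document the truncation rule applied when the name is used as a key, or size both consistently. Also `static char server_session_id_context[] = "Postfix/TLS"; /* anything will do */` contradicts the comment just above it, which explains that the value is what lets a client tell this service's sessions apart from another TLS service on the same host; the trailing comment should say the value only needs to be distinct per service, not arbitrary.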
++/*
++ * Finally some "backup" DH-Parameters to be loaded, if no parameters are
++ * explicitely loaded from file.
++ */
++static unsigned char dh512_p[] = {
++    0x88, 0x3F, 0x00, 0xAF, 0xFC, 0x0C, 0x8A, 0xB8, 0x35, 0xCD, 0xE5, 0xC2,
++    0x0F, 0x55, 0xDF, 0x06, 0x3F, 0x16, 0x07, 0xBF, 0xCE, 0x13, 0x35, 0xE4,
++    0x1C, 0x1E, 0x03, 0xF3, 0xAB, 0x17, 0xF6, 0x63, 0x50, 0x63, 0x67, 0x3E,
++    0x10, 0xD7, 0x3E, 0xB4, 0xEB, 0x46, 0x8C, 0x40, 0x50, 0xE6, 0x91, 0xA5,
++    0x6E, 0x01, 0x45, 0xDE, 0xC9, 0xB1, 0x1F, 0x64, 0x54, 0xFA, 0xD9, 0xAB,
++    0x4F, 0x70, 0xBA, 0x5B,
++};
++
++static unsigned char dh512_g[] = {
++    0x02,
++};
++
++static unsigned char dh1024_p[] = {
++    0xB0, 0xFE, 0xB4, 0xCF, 0xD4, 0x55, 0x07, 0xE7, 0xCC, 0x88, 0x59, 0x0D,
++    0x17, 0x26, 0xC5, 0x0C, 0xA5, 0x4A, 0x92, 0x23, 0x81, 0x78, 0xDA, 0x88,
++    0xAA, 0x4C, 0x13, 0x06, 0xBF, 0x5D, 0x2F, 0x9E, 0xBC, 0x96, 0xB8, 0x51,
++    0x00, 0x9D, 0x0C, 0x0D, 0x75, 0xAD, 0xFD, 0x3B, 0xB1, 0x7E, 0x71, 0x4F,
++    0x3F, 0x91, 0x54, 0x14, 0x44, 0xB8, 0x30, 0x25, 0x1C, 0xEB, 0xDF, 0x72,
++    0x9C, 0x4C, 0xF1, 0x89, 0x0D, 0x68, 0x3F, 0x94, 0x8E, 0xA4, 0xFB, 0x76,
++    0x89, 0x18, 0xB2, 0x91, 0x16, 0x90, 0x01, 0x99, 0x66, 0x8C, 0x53, 0x81,
++    0x4E, 0x27, 0x3D, 0x99, 0xE7, 0x5A, 0x7A, 0xAF, 0xD5, 0xEC, 0xE2, 0x7E,
++    0xFA, 0xED, 0x01, 0x18, 0xC2, 0x78, 0x25, 0x59, 0x06, 0x5C, 0x39, 0xF6,
++    0xCD, 0x49, 0x54, 0xAF, 0xC1, 0xB1, 0xEA, 0x4A, 0xF9, 0x53, 0xD0, 0xDF,
++    0x6D, 0xAF, 0xD4, 0x93, 0xE7, 0xBA, 0xAE, 0x9B,
++};
++
++static unsigned char dh1024_g[] = {
++    0x02,
++};
++
++/*
++ * DESCRIPTION: Keeping control of the network interface using BIO-pairs.
++ *
++ * When the TLS layer is active, all input/output must be filtered through
++ * it. On the other hand to handle timeout conditions, full control over
++ * the network socket must be kept. This rules out the "normal way" of
++ * connecting the TLS layer directly to the socket.
++ * The TLS layer is realized with a BIO-pair:
++ *
++ *     postfix  |   TLS-engine
++ *       |      |
++ *       +--------> SSL_operations()
++ *              |     /\    ||
++ *              |     ||    \/
++ *              |   BIO-pair (internal_bio)
++ *       +--------< BIO-pair (network_bio)
++ *       |      |
++ *     socket   |
++ *
++ * The normal postfix operations connect to the SSL operations to send
++ * and retrieve (cleartext) data. Inside the TLS-engine the data are converted
++ * to/from TLS protocol. The TLS functionality itself is only connected to
++ * the internal_bio and hence only has status information about this internal
++ * interface.
++ * Thus, if the SSL_operations() return successfully (SSL_ERROR_NONE) or want
++ * to read (SSL_ERROR_WANT_READ) there may as well be data inside the buffering
++ * BIO-pair. So whenever an SSL_operation() returns without a fatal error,
++ * the BIO-pair internal buffer must be flushed to the network.
++ * NOTE: This is especially true in the SSL_ERROR_WANT_READ case: the TLS-layer
++ * might want to read handshake data, that will never come since its own
++ * written data will only reach the peer after flushing the buffer!
++ *
++ * The BIO-pair buffer size has been set to 8192 bytes, this is an arbitrary
++ * value that can hold more data than the typical PMTU, so that it does
++ * not force the generation of packets smaller than necessary.
++ * It is also larger than the default VSTREAM_BUFSIZE (4096, see vstream.h),
++ * so that large write operations could be handled within one call.
++ * The internal buffer in the network/network_bio handling layer has been
++ * set to the same value, since this seems to be reasonable. The code is
++ * however able to handle arbitrary values smaller or larger than the
++ * buffer size in the BIO-pair.
++ */
++
++const size_t BIO_bufsiz = 8192;
++
++/*
++ * The interface layer between network and BIO-pair. The BIO-pair buffers
++ * the data to/from the TLS layer. Hence, at any time, there may be data
++ * in the buffer that must be written to the network. This writing has
++ * highest priority because the handshake might fail otherwise.
++ * Only then a read_request can be satisfied.
++ */
++static int network_biopair_interop(int fd, int timeout, BIO *network_bio)
++{
++    int want_write;
++    int num_write;
++    int write_pos;
++    int from_bio;
++    int want_read;
++    int num_read;
++    int to_bio;
++#define NETLAYER_BUFFERSIZE 8192
++    char buffer[8192];
++
++    while ((want_write = BIO_ctrl_pending(network_bio)) > 0) {
++	if (want_write > NETLAYER_BUFFERSIZE)
++	    want_write = NETLAYER_BUFFERSIZE;
++	from_bio = BIO_read(network_bio, buffer, want_write);
++
++	/*
++	 * Write the complete contents of the buffer. Since TLS performs
++	 * underlying handshaking, we cannot afford to leave the buffer
++	 * unflushed, as we could run into a deadlock trap (the peer
++	 * waiting for a final byte and we already waiting for his reply
++	 * in read position).
++	 */
++        write_pos = 0;
++	do {
++	    if (timeout > 0 && write_wait(fd, timeout) < 0)
++		return (-1);
++	    num_write = write(fd, buffer + write_pos, from_bio - write_pos);
++	    if (num_write <= 0) {
++		if ((num_write < 0) && (timeout > 0) && (errno == EAGAIN)) {
++		    msg_warn("write() returns EAGAIN on a writable file descriptor!");
++		    msg_warn("pausing to avoid going into a tight select/write loop!");
++		    sleep(1);
++		} else {
++		    msg_warn("Write failed in network_biopair_interop with errno=%d: num_write=%d, provided=%d", errno, num_write, from_bio - write_pos);
++		    return (-1);	/* something happened to the socket */
++		}
++	    } else
++	    	write_pos += num_write;
++	} while (write_pos < from_bio);
++   }
++
++   while ((want_read = BIO_ctrl_get_read_request(network_bio)) > 0) {
++	if (want_read > NETLAYER_BUFFERSIZE)
++	    want_read = NETLAYER_BUFFERSIZE;
++	if (timeout > 0 && read_wait(fd, timeout) < 0)
++	    return (-1);
++	num_read = read(fd, buffer, want_read);
++	if (num_read <= 0) {
++	    if ((num_write < 0) && (timeout > 0) && (errno == EAGAIN)) {
++		msg_warn("read() returns EAGAIN on a readable file descriptor!");
++		msg_warn("pausing to avoid going into a tight select/write loop!");
++		sleep(1);
++	    } else {
++		msg_warn("Read failed in network_biopair_interop with errno=%d: num_read=%d, want_read=%d", errno, num_read, want_read);
++		return (-1);	/* something happened to the socket */
++	    }
++	} else {
++	    to_bio = BIO_write(network_bio, buffer, num_read);
++	    if (to_bio != num_read)
++		msg_fatal("to_bio != num_read");
++	}
++    }
++
++    return (0);
++}
++
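Review bot: the read loop in network_biopair_interop() tests the wrong variable. After `num_read = read(fd, buffer, want_read);` the error branch reads `if ((num_write < 0) && (timeout > 0) && (errno == EAGAIN))` but should test `num_read`. As written, `num_write` is uninitialized whenever the write loop above did not execute, so whether a failed read() is retried after sleep(1) or returned as fatal depends on stale stack contents, and a genuine EAGAIN on read is reported as "Read failed" whenever `num_write` happens to be non-negative. The message "tight select/write loop" in that branch should also say read. Two smaller points in the same function: `char buffer[8192];` should be `char buffer[NETLAYER_BUFFERSIZE];` so the clamps `want_write > NETLAYER_BUFFERSIZE` and `want_read > NETLAYER_BUFFERSIZE` cannot drift from the real buffer size, and `from_bio = BIO_read(network_bio, buffer, want_write);` is not checked for a non-positive result before the do/while loop passes `from_bio - write_pos` to write() as a length.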
++static void pfixtls_print_errors(void);
++
++ /*
++  * Function to perform the handshake for SSL_accept(), SSL_connect(),
++  * and SSL_shutdown() and perform the SSL_read(), SSL_write() operations.
++  * Call the underlying network_biopair_interop-layer to make sure the
++  * write buffer is flushed after every operation (that did not fail with
++  * a fatal error).
++  */
++static int do_tls_operation(int fd, int timeout, TLScontext_t *TLScontext,
++			int (*hsfunc)(SSL *),
++			int (*rfunc)(SSL *, void *, int),
++			int (*wfunc)(SSL *, const void *, int),
++			char *buf, int num)
++{
++    int status;
++    int err;
++    int retval = 0;
++    int biop_retval;
++    int done = 0;
++
++    while (!done) {
++	if (hsfunc)
++	    status = hsfunc(TLScontext->con);
++	else if (rfunc)
++	    status = rfunc(TLScontext->con, buf, num);
++	else
++	    status = wfunc(TLScontext->con, (const char *)buf, num);
++	err = SSL_get_error(TLScontext->con, status);
++
++#if (OPENSSL_VERSION_NUMBER <= 0x0090581fL)
++	/*
++	 * There is a bug up to and including OpenSSL-0.9.5a: if an error
++	 * occurs while checking the peers certificate due to some certificate
++	 * error (e.g. as happend with a RSA-padding error), the error is put
++	 * onto the error stack. If verification is not enforced, this error
++	 * should be ignored, but the error-queue is not cleared, so we
++	 * can find this error here. The bug has been fixed on May 28, 2000.
++	 *
++	 * This bug so far has only manifested as
++	 * 4800:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
++	 * 4800:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:396:
++	 * 4800:error:0D079006:asn1 encoding routines:ASN1_verify:bad get asn1 object call:a_verify.c:109:
++	 * so that we specifically test for this error. We print the errors
++	 * to the logfile and automatically clear the error queue. Then we
++	 * retry to get another error code. We cannot do better, since we
++	 * can only retrieve the last entry of the error-queue without
++	 * actually cleaning it on the way.
++	 *
++	 * This workaround is secure, as verify_result is set to "failed"
++	 * anyway.
++	 */
++	if (err == SSL_ERROR_SSL) {
++	    if (ERR_peek_error() == 0x0407006AL) {
++		pfixtls_print_errors();	/* Keep information for the logfile */
++		msg_info("OpenSSL <= 0.9.5a workaround called: certificate errors ignored");
++		err = SSL_get_error(TLScontext->con, status);
++	    }
++	}
++#endif
++
++	switch (err) {
++	case SSL_ERROR_NONE:		/* success */
++	    retval = status;
++	    done = 1;			/* no break, flush buffer before */
++					/* leaving */
++	case SSL_ERROR_WANT_WRITE:
++	case SSL_ERROR_WANT_READ:
++	    biop_retval = network_biopair_interop(fd, timeout,
++		TLScontext->network_bio);
++	    if (biop_retval < 0)
++		return (-1);		/* fatal network error */
++	    break;
++	case SSL_ERROR_ZERO_RETURN:	/* connection was closed cleanly */
++	case SSL_ERROR_SYSCALL:		
++	case SSL_ERROR_SSL:
++	default:
++	    retval = status;
++	    done = 1;
++	    ;
++	}
++    };
++    return retval;
++}
++
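Review bot: in the fatal arm of the switch in do_tls_operation() (`case SSL_ERROR_ZERO_RETURN:` / `case SSL_ERROR_SYSCALL:` / `case SSL_ERROR_SSL:` / `default:`) the function sets done = 1 and returns without calling network_biopair_interop(). Whatever OpenSSL queued into the BIO pair for that failure, in particular the fatal alert it writes on SSL_ERROR_SSL, therefore never reaches the socket and the peer only sees the TCP connection drop, which makes handshake failures hard to diagnose from the other side. A best-effort flush (ignoring its own return value) before returning in this arm costs nothing on a dead socket. Minor: the `};` after the while loop is a stray empty statement.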
++int pfixtls_timed_read(int fd, void *buf, unsigned buf_len, int timeout, 
++		       void *context)
++{
++    int     i;
++    int     ret;
++    char    mybuf[40];
++    char   *mybuf2;
++    TLScontext_t *TLScontext;
++
++    TLScontext = (TLScontext_t *)context;
++    if (!TLScontext)
++      msg_fatal("Called tls_timed_read() without TLS-context");
++ 
++    ret = do_tls_operation(fd, timeout, TLScontext, NULL, SSL_read, NULL,
++			  (char *)buf, buf_len);
++    if ((pfixtls_serveractive && var_smtpd_tls_loglevel >= 4) ||
++        (pfixtls_clientactive && var_smtp_tls_loglevel >= 4)) {
++	mybuf2 = (char *) buf;
++	if (ret > 0) {
++	    i = 0;
++	    while ((i < 39) && (i < ret) && (mybuf2[i] != 0)) {
++		mybuf[i] = mybuf2[i];
++		i++;
++	    }
++	    mybuf[i] = '\0';
++	    msg_info("Read %d chars: %s", ret, mybuf);
++	}
++    }
++    return (ret);
++}
++
++int pfixtls_timed_write(int fd, void *buf, unsigned len, int timeout,
++			void *context)
++{
++    int     i;
++    char    mybuf[40];
++    char   *mybuf2;
++    TLScontext_t *TLScontext;
++
++    TLScontext = (TLScontext_t *)context;
++    if (!TLScontext)
++      msg_fatal("Called tls_timed_write() without TLS-context");
++
++    if ((pfixtls_serveractive && var_smtpd_tls_loglevel >= 4) ||
++	(pfixtls_clientactive && var_smtp_tls_loglevel >= 4)) {
++	mybuf2 = (char *) buf;
++	if (len > 0) {
++	    i = 0;
++	    while ((i < 39) && (i < len) && (mybuf2[i] != 0)) {
++		mybuf[i] = mybuf2[i];
++		i++;
++	    }
++	    mybuf[i] = '\0';
++	    msg_info("Write %d chars: %s", len, mybuf);
++	}
++    }
++    return (do_tls_operation(fd, timeout, TLScontext, NULL, NULL, SSL_write,
++			     buf, len));
++}
++
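Review bot: at `var_smtpd_tls_loglevel >= 4` / `var_smtp_tls_loglevel >= 4` both pfixtls_timed_read() and pfixtls_timed_write() copy the first 39 bytes of the decrypted payload into `mybuf` and emit it with msg_info(). On an SMTP session that is exactly where `AUTH PLAIN` / `AUTH LOGIN` exchanges and message headers travel, so loglevel 4 writes credentials and mail content into the mail log in clear, after they were protected on the wire. The documentation for the two loglevel parameters should state this plainly, and the dump is better limited to debugging builds. Also note the copy stops at the first NUL byte (`mybuf2[i] != 0`), so the `%d chars` count in the log line does not describe what was actually printed for binary content.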
++/* Add some more entropy to the pool by adding the actual time */
++
++static void pfixtls_stir_seed(void)
++{
++    GETTIMEOFDAY(&randseed.tv);
++    RAND_seed(&randseed, sizeof(randseed_t));
++}
++
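Review bot: pfixtls_stir_seed() feeds a pid plus gettimeofday() to `RAND_seed(&randseed, sizeof(randseed_t));`, and RAND_seed() credits the PRNG with the full sizeof(randseed_t) bytes as entropy. A pid and a timestamp are largely predictable to a local observer, so repeated stirs inflate OpenSSL's entropy estimate and can satisfy RAND_status() even when the real seed material (the exchange over `rand_exch_fd`) has not been loaded. Use `RAND_add(&randseed, sizeof(randseed_t), <estimate>)` with a conservative estimate of a byte or less, so the time is mixed in without being counted as seed material.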
++/*
++ * Skeleton taken from OpenSSL crypto/err/err_prn.c.
++ * Query the error stack and print the error string into the logging facility.
++ * Clear the error stack on the way.
++ */
++
++static void pfixtls_print_errors(void)
++{
++    unsigned long l;
++    char    buf[256];
++    const char   *file;
++    const char   *data;
++    int     line;
++    int     flags;
++    unsigned long es;
++
++    es = CRYPTO_thread_id();
++    while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) {
++	if (flags & ERR_TXT_STRING)
++	    msg_info("%lu:%s:%s:%d:%s:", es, ERR_error_string(l, buf),
++		     file, line, data);
++	else
++	    msg_info("%lu:%s:%s:%d:", es, ERR_error_string(l, buf),
++		     file, line);
++    }
++}
++
++ /*
++  * Set up the cert things on the server side. We do need both the
++  * private key (in key_file) and the cert (in cert_file).
++  * Both files may be identical.
++  *
++  * This function is taken from OpenSSL apps/s_cb.c
++  */
++
++static int set_cert_stuff(SSL_CTX * ctx, char *cert_file, char *key_file)
++{
++    if (cert_file != NULL) {
++	if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0) {
++	    msg_info("unable to get certificate from '%s'", cert_file);
++	    pfixtls_print_errors();
++	    return (0);
++	}
++	if (key_file == NULL)
++	    key_file = cert_file;
++	if (SSL_CTX_use_PrivateKey_file(ctx, key_file,
++					SSL_FILETYPE_PEM) <= 0) {
++	    msg_info("unable to get private key from '%s'", key_file);
++	    pfixtls_print_errors();
++	    return (0);
++	}
++	/* Now we know that a key and cert have been set against
++         * the SSL context */
++	if (!SSL_CTX_check_private_key(ctx)) {
++	    msg_info("Private key does not match the certificate public key");
++	    return (0);
++	}
++    }
++    return (1);
++}
++
++/* taken from OpenSSL apps/s_cb.c */
++
++static RSA *tmp_rsa_cb(SSL * s, int export, int keylength)
++{
++    static RSA *rsa_tmp = NULL;
++
++    if (rsa_tmp == NULL) {
++	rsa_tmp = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
++    }
++    return (rsa_tmp);
++}
++
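Review bot: tmp_rsa_cb() caches one key in `static RSA *rsa_tmp = NULL;` and ignores both `export` and `keylength` after the first call, so whichever size OpenSSL asks for first is what every later callback gets: a 512-bit export key handed to a 1024-bit request, or a 1024-bit key where the export cipher suites require 512 bits. Key the cache by keylength (mod_ssl keeps separate 512- and 1024-bit slots) or regenerate when `RSA_size(rsa_tmp) * 8 != keylength`. Also `RSA_generate_key(keylength, RSA_F4, NULL, NULL)` runs synchronously inside the smtpd process on the first export-cipher handshake; either document that latency or pre-generate the key in pfixtls_init_serverengine().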
++
++static DH *get_dh512(void)
++{
++    DH *dh;
++
++    if (dh_512 == NULL) {
++	/* No parameter file loaded, use the compiled in parameters */
++	if ((dh = DH_new()) == NULL) return(NULL);
++	dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
++	dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
++	if ((dh->p == NULL) || (dh->g == NULL))
++	    return(NULL);
++	else
++	    dh_512 = dh;
++    }
++    return (dh_512);
++}
++
++static DH *get_dh1024(void)
++{
++    DH *dh;
++
++    if (dh_1024 == NULL) {
++	/* No parameter file loaded, use the compiled in parameters */
++	if ((dh = DH_new()) == NULL) return(NULL);
++	dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
++	dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
++	if ((dh->p == NULL) || (dh->g == NULL))
++	    return(NULL);
++	else
++	    dh_1024 = dh;
++    }
++    return (dh_1024);
++}
++
++/* partly inspired by mod_ssl */
++
++static DH *tmp_dh_cb(SSL *s, int export, int keylength)
++{
++    DH *dh_tmp = NULL;
++   
++    if (export) {
++	if (keylength == 512)
++	    dh_tmp = get_dh512();	/* export cipher */
++	else if (keylength == 1024)
++	    dh_tmp = get_dh1024();	/* normal */
++	else
++	    dh_tmp = get_dh1024();	/* not on-the-fly (too expensive) */
++					/* so use the 1024bit instead */
++    }
++    else {
++	dh_tmp = get_dh1024();		/* sign-only certificate */
++    }
++    return (dh_tmp);
++}
++
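Review bot: in get_dh512() and get_dh1024() the `dh` obtained from `DH_new()` is leaked when `BN_bin2bn()` fails for p or g: the `return(NULL)` path never calls `DH_free(dh)`, and because `dh_512` / `dh_1024` stays NULL the leak repeats on every subsequent callback in a long-lived smtpd. Free `dh` (and any BIGNUM already attached to it) before returning. Separately, the fall-through in tmp_dh_cb() that serves the 1024-bit group for any `export` keylength other than 512 matches the comment's intent, but the presence of the compiled-in 512-bit group should be documented as a concession to export-grade peers only, since it is the weakest parameter set the server will ever offer.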
++
++/*
++ * match_hostname: match name provided in "buf" against the expected
++ * hostname. Comparison is case-insensitive, wildcard certificates are
++ * supported.
++ * "buf" may be come from some OpenSSL data structures, so we copy before
++ * modifying.
++ */
++static int match_hostname(const char *buf, TLScontext_t *TLScontext)
++{
++    char   *hostname_lowercase;
++    char   *peername_left;
++    int hostname_matched = 0;
++    int buf_len;
++
++    buf_len = strlen(buf);
++    if (!(hostname_lowercase = (char *)mymalloc(buf_len + 1)))
++	return 0;
++    memcpy(hostname_lowercase, buf, buf_len + 1);
++
++    hostname_lowercase = lowercase(hostname_lowercase);
++    if (!strcmp(TLScontext->peername_save, hostname_lowercase)) {
++        hostname_matched = 1;
++    } else { 
++        if ((buf_len > 2) &&
++            (hostname_lowercase[0] == '*') && (hostname_lowercase[1] == '.')) {
++            /*
++             * Allow wildcard certificate matching. The proposed rules in  
++             * RFCs (2818: HTTP/TLS, 2830: LDAP/TLS) are different, RFC2874
++             * does not specify a rule, so here the strict rule is applied.
++             * An asterisk '*' is allowed as the leftmost component and may
++             * replace the left most part of the hostname. Matching is done
++             * by removing '*.' from the wildcard name and the Name. from
++             * the peername and compare what is left.
++             */
++            peername_left = strchr(TLScontext->peername_save, '.');
++            if (peername_left) {
++                if (!strcmp(peername_left + 1, hostname_lowercase + 2))
++                    hostname_matched = 1;
++            }
++        }
++    }
++    myfree(hostname_lowercase);
++    return hostname_matched;
++}
++                                       
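Review bot: match_hostname() treats `buf` as a NUL-terminated C string (`buf_len = strlen(buf);`), but its caller in verify_callback() passes `(char *)gn->d.ia5->data` straight from the subjectAltName. An ASN1_IA5STRING is length-counted, is not guaranteed to be NUL-terminated, and may contain an embedded NUL, in which case only the prefix before that NUL is compared against the expected peer name. Pass `gn->d.ia5->length` alongside the pointer and reject any name whose strlen() differs from its ASN.1 length. Two smaller points: Postfix's mymalloc() terminates via msg_fatal() rather than returning NULL, so `if (!(hostname_lowercase = (char *)mymalloc(buf_len + 1))) return 0;` is dead code; and the wildcard comment cites "RFC2874", which matches neither the RFC2487 named in the header nor the RFC3207 named in verify_callback(), so the reference needs correcting.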
++/*
++ * Skeleton taken from OpenSSL apps/s_cb.c
++ *
++ * The verify_callback is called several times (directly or indirectly) from
++ * crypto/x509/x509_vfy.c. It is called as a last check for several issues,
++ * so this verify_callback() has the famous "last word". If it does return "0",
++ * the handshake is immediately shut down and the connection fails.
++ *
++ * Postfix/TLS has two modes, the "use" mode and the "enforce" mode:
++ *
++ * In the "use" mode we never want the connection to fail just because there is
++ * something wrong with the certificate (as we would have sent happily without
++ * TLS).  Therefore the return value is always "1".
++ *
++ * In the "enforce" mode we can shut down the connection as soon as possible.
++ * In server mode TLS itself may be enforced (e.g. to protect passwords),
++ * but certificates are optional. In this case the handshake must not fail
++ * if we are unhappy with the certificate and return "1" in any case.
++ * Only if a certificate is required the certificate must pass the verification
++ * and failure to do so will result in immediate termination (return 0).
++ * In the client mode the decision is made with respect to the peername
++ * enforcement. If we strictly enforce the matching of the expected peername
++ * the verification must fail immediatly on verification errors. We can also
++ * immediatly check the expected peername, as it is the CommonName at level 0.
++ * In all other cases, the problem is logged, so the SSL_get_verify_result()
++ * will inform about the verification failure, but the handshake (and SMTP
++ * connection will continue).
++ *
++ * The only error condition not handled inside the OpenSSL-Library is the
++ * case of a too-long certificate chain, so we check inside verify_callback().
++ * We only take care of this problem, if "ok = 1", because otherwise the
++ * verification already failed because of another problem and we don't want
++ * to overwrite the other error message. And if the verification failed,
++ * there is no such thing as "more failed", "most failed"... :-)
++ */
++
++static int verify_callback(int ok, X509_STORE_CTX * ctx)
++{
++    char    buf[256];
++    char   *peername_left;
++    X509   *err_cert;
++    int     err;
++    int     depth;
++    int     verify_depth;
++    SSL    *con;
++    TLScontext_t *TLScontext;
++
++    err_cert = X509_STORE_CTX_get_current_cert(ctx);
++    err = X509_STORE_CTX_get_error(ctx);
++    depth = X509_STORE_CTX_get_error_depth(ctx);
++
++    con = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
++    TLScontext = SSL_get_ex_data(con, TLScontext_index);
++
++    X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
++    if (((pfixtls_serverengine) && (var_smtpd_tls_loglevel >= 2)) ||
++	((pfixtls_clientengine) && (var_smtp_tls_loglevel >= 2)))
++	msg_info("Peer cert verify depth=%d %s", depth, buf);
++
++    verify_depth = SSL_get_verify_depth(con);
++    if (ok && (verify_depth >= 0) && (depth > verify_depth)) {
++	ok = 0;
++	err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
++	X509_STORE_CTX_set_error(ctx, err);
++    }
++    if (!ok) {
++	msg_info("verify error:num=%d:%s", err,
++		 X509_verify_cert_error_string(err));
++    }
++
++    if (ok && (depth == 0) && pfixtls_clientengine) {
++	int i, r;
++        int hostname_matched;
++	int dNSName_found;
++	STACK_OF(GENERAL_NAME) *gens;
++
++	/*
++	 * Check out the name certified against the hostname expected.
++	 * In case it does not match, print an information about the result.
++	 * If a matching is enforced, bump out with a verification error
++	 * immediately.
++	 * Standards are not always clear with respect to the handling of
++	 * dNSNames. RFC3207 does not specify the handling. We therefore follow
++	 * the strict rules in RFC2818 (HTTP over TLS), Section 3.1:
++	 * The Subject Alternative Name/dNSName has precedence over CommonName
++	 * (CN). If dNSName entries are provided, CN is not checked anymore.
++	 */
++	hostname_matched = dNSName_found = 0;
++
++        gens = X509_get_ext_d2i(err_cert, NID_subject_alt_name, 0, 0);
++        if (gens) {
++            for (i = 0, r = sk_GENERAL_NAME_num(gens); i < r; ++i) {
++                const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
++                if (gn->type == GEN_DNS) {
++		    dNSName_found++;
++                    if ((hostname_matched =
++			match_hostname((char *)gn->d.ia5->data, TLScontext)))
++			break;
++                }
++            }
++	    sk_GENERAL_NAME_free(gens);
++        }
++	if (dNSName_found) {
++	    if (!hostname_matched)
++		msg_info("Peer verification: %d dNSNames in certificate found, but no one does match %s", dNSName_found, TLScontext->peername_save);
++	} else {
++	    buf[0] = '\0';
++	    if (!X509_NAME_get_text_by_NID(X509_get_subject_name(err_cert),
++                          NID_commonName, buf, 256)) {
++	        msg_info("Could not parse server's subject CN");
++	        pfixtls_print_errors();
++	    }
++	    else {
++	        hostname_matched = match_hostname(buf, TLScontext);
++	        if (!hostname_matched)
++		    msg_info("Peer verification: CommonName in certificate does not match: %s != %s", buf, TLScontext->peername_save);
++	    }
++	}
++
++	if (!hostname_matched) {
++	    if (TLScontext->enforce_verify_errors && TLScontext->enforce_CN) {
++		err = X509_V_ERR_CERT_REJECTED;
++		X509_STORE_CTX_set_error(ctx, err);
++		msg_info("Verify failure: Hostname mismatch");
++		ok = 0;
++	    }
++	}
++	else
++	    TLScontext->hostname_matched = 1;
++    }
++
++    switch (ctx->error) {
++    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
++	X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
++	msg_info("issuer= %s", buf);
++	break;
++    case X509_V_ERR_CERT_NOT_YET_VALID:
++    case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
++	msg_info("cert not yet valid");
++	break;
++    case X509_V_ERR_CERT_HAS_EXPIRED:
++    case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
++	msg_info("cert has expired");
++	break;
++    }
++    if (((pfixtls_serverengine) && (var_smtpd_tls_loglevel >= 2)) ||
++	((pfixtls_clientengine) && (var_smtp_tls_loglevel >= 2)))
++	msg_info("verify return:%d", ok);
++
++    if (TLScontext->enforce_verify_errors)
++	return (ok); 
++    else
++	return (1);
++}
++
++/* taken from OpenSSL apps/s_cb.c */
++
++static void apps_ssl_info_callback(const SSL * s, int where, int ret)
++{
++    char   *str;
++    int     w;
++
++    w = where & ~SSL_ST_MASK;
++
++    if (w & SSL_ST_CONNECT)
++	str = "SSL_connect";
++    else if (w & SSL_ST_ACCEPT)
++	str = "SSL_accept";
++    else
++	str = "undefined";
++
++    if (where & SSL_CB_LOOP) {
++	    msg_info("%s:%s", str, SSL_state_string_long(s));
++    } else if (where & SSL_CB_ALERT) {
++	str = (where & SSL_CB_READ) ? "read" : "write";
++	if ((ret & 0xff) != SSL3_AD_CLOSE_NOTIFY)
++	msg_info("SSL3 alert %s:%s:%s", str,
++		 SSL_alert_type_string_long(ret),
++		 SSL_alert_desc_string_long(ret));
++    } else if (where & SSL_CB_EXIT) {
++	if (ret == 0)
++	    msg_info("%s:failed in %s",
++		     str, SSL_state_string_long(s));
++	else if (ret < 0) {
++	    msg_info("%s:error in %s",
++		     str, SSL_state_string_long(s));
++	}
++    }
++}
++
++/*
++ * taken from OpenSSL crypto/bio/b_dump.c, modified to save a lot of strcpy
++ * and strcat by Matti Aarnio.
++ */
++
++#define TRUNCATE
++#define DUMP_WIDTH	16
++
++static int pfixtls_dump(const char *s, int len)
++{
++    int     ret = 0;
++    char    buf[160 + 1];
++    char    *ss;
++    int     i;
++    int     j;
++    int     rows;
++    int     trunc;
++    unsigned char ch;
++
++    trunc = 0;
++
++#ifdef TRUNCATE
++    for (; (len > 0) && ((s[len - 1] == ' ') || (s[len - 1] == '\0')); len--)
++	trunc++;
++#endif
++
++    rows = (len / DUMP_WIDTH);
++    if ((rows * DUMP_WIDTH) < len)
++	rows++;
++
++    for (i = 0; i < rows; i++) {
++	buf[0] = '\0';				/* start with empty string */
++	ss = buf;
++
++	sprintf(ss, "%04x ", i * DUMP_WIDTH);
++	ss += strlen(ss);
++	for (j = 0; j < DUMP_WIDTH; j++) {
++	    if (((i * DUMP_WIDTH) + j) >= len) {
++		strcpy(ss, "   ");
++	    } else {
++		ch = ((unsigned char) *((char *) (s) + i * DUMP_WIDTH + j))
++		    & 0xff;
++		sprintf(ss, "%02x%c", ch, j == 7 ? '|' : ' ');
++		ss += 3;
++	    }
++	}
++	ss += strlen(ss);
++	*ss++ = ' ';
++	for (j = 0; j < DUMP_WIDTH; j++) {
++	    if (((i * DUMP_WIDTH) + j) >= len)
++		break;
++	    ch = ((unsigned char) *((char *) (s) + i * DUMP_WIDTH + j)) & 0xff;
++	    *ss++ = (((ch >= ' ') && (ch <= '~')) ? ch : '.');
++	    if (j == 7) *ss++ = ' ';
++	}
++	*ss = 0;
++	/* 
++	 * if this is the last call then update the ddt_dump thing so that
++         * we will move the selection point in the debug window
++         */
++	msg_info("%s", buf);
++	ret += strlen(buf);
++    }
++#ifdef TRUNCATE
++    if (trunc > 0) {
++	sprintf(buf, "%04x - <SPACES/NULS>\n", len + trunc);
++	msg_info("%s", buf);
++	ret += strlen(buf);
++    }
++#endif
++    return (ret);
++}
++
++
++
++/* taken from OpenSSL apps/s_cb.c */
++
++static long bio_dump_cb(BIO * bio, int cmd, const char *argp, int argi,
++			long argl, long ret)
++{
++    if (!do_dump)
++	return (ret);
++
++    if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) {
++	msg_info("read from %08lX [%08lX] (%d bytes => %ld (0x%lX))",
++		 (unsigned long)bio, (unsigned long)argp, argi,
++		 ret, (unsigned long)ret);
++	pfixtls_dump(argp, (int) ret);
++	return (ret);
++    } else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) {
++	msg_info("write to %08lX [%08lX] (%d bytes => %ld (0x%lX))",
++		 (unsigned long)bio, (unsigned long)argp, argi,
++	 	 ret, (unsigned long)ret);
++	pfixtls_dump(argp, (int) ret);
++    }
++    return (ret);
++}
++
++
++ /*
++  * Callback to retrieve a session from the external session cache.
++  */
++static SSL_SESSION *get_session_cb(SSL *ssl, unsigned char *SessionID,
++				  int length, int *copy)
++{
++    SSL_SESSION *session;
++    char idstring[2 * ID_MAXLENGTH + 1];
++    int n;
++    int uselength;
++    int hex_length;
++    const char *session_hex;
++    pfixtls_scache_info_t scache_info;
++    unsigned char nibble, *data, *sess_data;
++
++    if (length > ID_MAXLENGTH)
++	uselength = ID_MAXLENGTH;	/* Limit length of ID */
++    else
++	uselength = length;
++
++    for(n=0 ; n < uselength ; n++)
++	sprintf(idstring + 2 * n, "%02x", SessionID[n]);
++    if (var_smtpd_tls_loglevel >= 3)
++	msg_info("Trying to reload Session from disc: %s", idstring);
++
++    session = NULL;
++
++    session_hex = dict_get(scache_db, idstring);
++    if (session_hex) {
++	hex_length = strlen(session_hex);
++	data = (unsigned char *)mymalloc(hex_length / 2);
++	if (!data) {
++	    msg_info("could not allocate memory for session reload");
++	    return(NULL);
++	}
++
++	memset(data, 0, hex_length / 2);
++	for (n = 0; n < hex_length; n++) {
++	    if ((session_hex[n] >= '0') && (session_hex[n] <= '9'))
++		nibble = session_hex[n] - '0';
++	    else
++		nibble = session_hex[n] - 'A' + 10;
++	    if (n % 2)
++		data[n / 2] |= nibble;
++	    else
++		data[n / 2] |= (nibble << 4);
++	}
++
++	/*
++	 * First check the version numbers, since wrong session data might
++	 * hit us hard (SEGFAULT). We also have to check for expiry.
++	 */
++	memcpy(&scache_info, data, sizeof(pfixtls_scache_info_t));
++	if ((scache_info.scache_db_version != scache_db_version) ||
++	    (scache_info.openssl_version != openssl_version) ||
++	    (scache_info.timestamp + var_smtpd_tls_scache_timeout < time(NULL)))
++	    dict_del(scache_db, idstring);
++	else {
++	    sess_data = data + sizeof(pfixtls_scache_info_t);
++	    session = d2i_SSL_SESSION(NULL, &sess_data,
++			      hex_length / 2 - sizeof(pfixtls_scache_info_t));
++	    if (!session)
++		pfixtls_print_errors();
++	}
++	myfree((char *)data);
++    }
++
++    if (session && (var_smtpd_tls_loglevel >= 3))
++	msg_info("Successfully reloaded session from disc");
++
++    return (session);
++}
++
++
++static SSL_SESSION *load_clnt_session(const char *hostname,
++				      int enforce_peername)
++{
++    SSL_SESSION *session = NULL;
++    char idstring[ID_MAXLENGTH + 1];
++    int n;
++    int uselength;
++    int length;
++    int hex_length;
++    const char *session_hex;
++    pfixtls_scache_info_t scache_info;
++    unsigned char nibble, *data, *sess_data;
++
++    length = strlen(hostname); 
++    if (length > ID_MAXLENGTH)
++	uselength = ID_MAXLENGTH;	/* Limit length of ID */
++    else
++	uselength = length;
++
++    for(n=0 ; n < uselength ; n++)
++	idstring[n] = tolower(hostname[n]);
++    idstring[uselength] = '\0';
++    if (var_smtp_tls_loglevel >= 3)
++	msg_info("Trying to reload Session from disc: %s", idstring);
++
++    session_hex = dict_get(scache_db, idstring);
++    if (session_hex) {
++	hex_length = strlen(session_hex);
++	data = (unsigned char *)mymalloc(hex_length / 2);
++	if (!data) {
++	    msg_info("could not allocate memory for session reload");
++	    return(NULL);
++	}
++
++	memset(data, 0, hex_length / 2);
++	for (n = 0; n < hex_length; n++) {
++	    if ((session_hex[n] >= '0') && (session_hex[n] <= '9'))
++		nibble = session_hex[n] - '0';
++	    else
++		nibble = session_hex[n] - 'A' + 10;
++	    if (n % 2)
++		data[n / 2] |= nibble;
++	    else
++		data[n / 2] |= (nibble << 4);
++	}
++
++	/*
++	 * First check the version numbers, since wrong session data might
++	 * hit us hard (SEGFAULT). We also have to check for expiry.
++	 * When we enforce_peername, we may find an old session, that was
++	 * saved when enforcement was not set. In this case the session will
++	 * be removed and a fresh session will be negotiated.
++	 */
++	memcpy(&scache_info, data, sizeof(pfixtls_scache_info_t));
++	if ((scache_info.scache_db_version != scache_db_version) ||
++	    (scache_info.openssl_version != openssl_version) ||
++	    (scache_info.timestamp + var_smtpd_tls_scache_timeout < time(NULL)))
++	    dict_del(scache_db, idstring);
++	else if (enforce_peername && (!scache_info.enforce_peername))
++	    dict_del(scache_db, idstring);
++	else {
++	    sess_data = data + sizeof(pfixtls_scache_info_t);
++	    session = d2i_SSL_SESSION(NULL, &sess_data,
++				      hex_length / 2 - sizeof(time_t));
++	    strncpy(SSL_SESSION_get_ex_data(session, TLSpeername_index),
++		    idstring, ID_MAXLENGTH + 1);
++	    if (!session)
++		pfixtls_print_errors();
++	}
++	myfree((char *)data);
++    }
++
++    if (session && (var_smtp_tls_loglevel >= 3))
++        msg_info("Successfully reloaded session from disc");
++
++    return (session);
++}
++
++
++static void create_client_lookup_id(char *idstring, char *hostname)
++{
++    int n, len, uselength;
++
++    len = strlen(hostname);
++    if (len > ID_MAXLENGTH)
++	uselength = ID_MAXLENGTH;	/* Limit length of ID */
++    else
++	uselength = len;
++
++    for (n = 0 ; n < uselength ; n++)
++	idstring[n] = tolower(hostname[n]);
++    idstring[uselength] = '\0';
++}
++
++
++static void create_server_lookup_id(char *idstring, SSL_SESSION *session)
++{
++    int n, uselength;
++
++    if (session->session_id_length > ID_MAXLENGTH)
++	uselength = ID_MAXLENGTH;	/* Limit length of ID */
++    else
++	uselength = session->session_id_length;
++
++    for(n = 0; n < uselength ; n++)
++	sprintf(idstring + 2 * n, "%02x", session->session_id[n]);
++}
++
++
++static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *session)
++{
++    char idstring[2 * ID_MAXLENGTH + 1];
++    char *hostname;
++
++    if (pfixtls_clientengine) {
++        hostname = SSL_SESSION_get_ex_data(session, TLSpeername_index);
++	create_client_lookup_id(idstring, hostname);
++	if (var_smtp_tls_loglevel >= 3)
++	    msg_info("Trying to remove session from disc: %s", idstring);
++    }
++    else {
++	create_server_lookup_id(idstring, session);
++	if (var_smtpd_tls_loglevel >= 3)
++	    msg_info("Trying to remove session from disc: %s", idstring);
++    }
++
++    if (scache_db)
++	dict_del(scache_db, idstring);
++}
++
++
++/*
++ * We need space to save the peername into the SSL_SESSION, as we must
++ * look up the external database for client sessions by peername, not
++ * by session id. We therefore allocate place for the peername string,
++ * when a new SSL_SESSION is generated. It is filled later.
++ */
++static int new_peername_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
++			     int idx, long argl, void *argp)
++{
++    char *peername;
++
++    peername = (char *)mymalloc(ID_MAXLENGTH + 1);
++    if (!peername)
++	return 0;
++    peername[0] = '\0'; 	/* initialize */
++    return CRYPTO_set_ex_data(ad, idx, peername);
++}
++
++/*
++ * When the SSL_SESSION is removed again, we must free the memory to avoid
++ * leaks.
++ */
++static void free_peername_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
++			       int idx, long argl, void *argp)
++{
++    myfree(CRYPTO_get_ex_data(ad, idx));
++}
++
++/*
++ * Duplicate application data, when a SSL_SESSION is duplicated
++ */
++static int dup_peername_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from,
++			     void *from_d, int idx, long argl, void *argp)
++{
++    char *peername_old, *peername_new;
++
++    peername_old = CRYPTO_get_ex_data(from, idx);
++    peername_new = CRYPTO_get_ex_data(to, idx);
++    if (!peername_old || !peername_new)
++	return 0;
++    memcpy(peername_new, peername_old, ID_MAXLENGTH + 1);
++    return 1;
++}
++
++
++ /*
++  * Save a new session to the external cache
++  */
++static int new_session_cb(SSL *ssl, SSL_SESSION *session)
++{
++    char idstring[2 * ID_MAXLENGTH + 1];
++    int n;
++    int dsize;
++    int len;
++    unsigned char *data, *sess_data;
++    pfixtls_scache_info_t scache_info;
++    char *hexdata, *hostname;
++    TLScontext_t *TLScontext;
++
++    if (pfixtls_clientengine) {
++        TLScontext = SSL_get_ex_data(ssl, TLScontext_index);
++	hostname = TLScontext->peername_save;
++	create_client_lookup_id(idstring, hostname);
++	strncpy(SSL_SESSION_get_ex_data(session, TLSpeername_index),
++		hostname, ID_MAXLENGTH + 1);
++	/*
++	 * Remember, whether peername matching was enforced when the session
++	 * was created. If later enforce mode is enabled, we do not want to
++	 * reuse a session that was not sufficiently checked.
++	 */
++	scache_info.enforce_peername =
++		(TLScontext->enforce_verify_errors && TLScontext->enforce_CN);
++
++	if (var_smtp_tls_loglevel >= 3)
++	    msg_info("Trying to save session for hostID to disc: %s", idstring);
++
++#if (OPENSSL_VERSION_NUMBER < 0x00906011L) || (OPENSSL_VERSION_NUMBER == 0x00907000L)
++	    /*
++	     * Ugly Hack: OpenSSL before 0.9.6a does not store the verify
++	     * result in sessions for the client side.
++	     * We modify the session directly which is version specific,
++	     * but this bug is version specific, too.
++	     *
++	     * READ: 0-09-06-01-1 = 0-9-6-a-beta1: all versions before
++	     * beta1 have this bug, it has been fixed during development
++	     * of 0.9.6a. The development version of 0.9.7 can have this
++	     * bug, too. It has been fixed on 2000/11/29.
++	     */
++	    session->verify_result = SSL_get_verify_result(TLScontext->con);
++#endif
++
++    }
++    else {
++	create_server_lookup_id(idstring, session);
++	if (var_smtpd_tls_loglevel >= 3)
++	    msg_info("Trying to save Session to disc: %s", idstring);
++    }
++
++
++    /*
++     * Get the session and convert it into some "database" useable form.
++     * First, get the length of the session to allocate the memory.
++     */
++    dsize = i2d_SSL_SESSION(session, NULL);
++    if (dsize < 0) {
++	msg_info("Could not access session");
++	return 0;
++    }
++    data = (unsigned char *)mymalloc(dsize + sizeof(pfixtls_scache_info_t));
++    if (!data) {
++	msg_info("could not allocate memory for SSL session");
++	return 0;
++    }
++
++    /*
++     * OpenSSL is not robust against wrong session data (might SEGFAULT),
++     * so we secure it against version ids (session cache structure as well
++     * as OpenSSL version).
++     */
++    scache_info.scache_db_version = scache_db_version;
++    scache_info.openssl_version = openssl_version;
++
++    /*
++     * Put a timestamp, so that expiration can be checked without
++     * analyzing the session data itself. (We would need OpenSSL funtions,
++     * since the SSL_SESSION is a private structure.)
++     */
++    scache_info.timestamp = time(NULL);
++
++    memcpy(data, &scache_info, sizeof(pfixtls_scache_info_t));
++    sess_data = data + sizeof(pfixtls_scache_info_t);
++
++    /*
++     * Now, obtain the session. Unfortunately, it is binary and dict_update
++     * cannot handle binary data (it could contain '\0' in it) directly.
++     * To save memory we could use base64 encoding. To make handling easier,
++     * we simply use hex format.
++     */
++    len = i2d_SSL_SESSION(session, &sess_data);
++    len += sizeof(pfixtls_scache_info_t);
++
++    hexdata = (char *)mymalloc(2 * len + 1);
++
++    if (!hexdata) {
++	msg_info("could not allocate memory for SSL session (HEX)");
++	myfree((char *)data);
++	return 0;
++    }
++    for (n = 0; n < len; n++) {
++	hexdata[n * 2] = hexcodes[(data[n] & 0xf0) >> 4];
++	hexdata[(n * 2) + 1] = hexcodes[(data[n] & 0x0f)];
++    }
++    hexdata[len * 2] = '\0';
++
++    /*
++     * The session id is a hex string, all uppercase. We are using SDBM as
++     * compiled into Postfix with 8kB maximum entry size, so we set a limit
++     * when caching. If the session is not cached, we have to renegotiate,
++     * not more, not less. For a real session, this limit should never be
++     * met
++     */
++    if (strlen(idstring) + strlen(hexdata) < 8000)
++      dict_put(scache_db, idstring, hexdata);
++
++    myfree(hexdata);
++    myfree((char *)data);
++    return (1);
++}
++
++
++ /*
++  * pfixtls_exchange_seed: read bytes from the seed exchange-file (expect
++  * 1024 bytes)and immediately write back random bytes. Do so with EXCLUSIVE
++  * lock, so * that each process will find a completely different (and
++  * reseeded) file.
++  */
++static void pfixtls_exchange_seed(void)
++{
++    unsigned char buffer[1024];
++
++    if (rand_exch_fd == -1)
++	return;
++
++    if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) != 0)
++        msg_info("Could not lock random exchange file: %s",
++                  strerror(errno));
++
++    lseek(rand_exch_fd, 0, SEEK_SET);
++    if (read(rand_exch_fd, buffer, 1024) < 0)
++        msg_fatal("reading exchange file failed");
++    RAND_seed(buffer, 1024);
++
++    RAND_bytes(buffer, 1024);
++    lseek(rand_exch_fd, 0, SEEK_SET);
++    if (write(rand_exch_fd, buffer, 1024) != 1024)
++        msg_fatal("Writing exchange file failed");
++
++    if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) != 0)
++        msg_fatal("Could not unlock random exchange file: %s",
++                  strerror(errno));
++}
++
++ /*
++  * This is the setup routine for the SSL server. As smtpd might be called
++  * more than once, we only want to do the initialization one time.
++  *
++  * The skeleton of this function is taken from OpenSSL apps/s_server.c.
++  */
++
++int     pfixtls_init_serverengine(int verifydepth, int askcert)
++{
++    int     off = 0;
++    int     verify_flags = SSL_VERIFY_NONE;
++    int     rand_bytes;
++    int     rand_source_dev_fd;
++    int     rand_source_socket_fd;
++    unsigned char buffer[255];
++    char   *CApath;
++    char   *CAfile;
++    char   *s_cert_file;
++    char   *s_key_file;
++    char   *s_dcert_file;
++    char   *s_dkey_file;
++    FILE   *paramfile;
++
++    if (pfixtls_serverengine)
++	return (0);				/* already running */
++
++    if (var_smtpd_tls_loglevel >= 2)
++	msg_info("starting TLS engine");
++
++    /*
++     * Initialize the OpenSSL library by the book!
++     * To start with, we must initialize the algorithms.
++     * We want cleartext error messages instead of just error codes, so we
++     * load the error_strings.
++     */
++    SSL_load_error_strings();
++    OpenSSL_add_ssl_algorithms();
++
++ /*
++  * Side effect, call a non-existing function to disable TLS usage with an
++  * outdated OpenSSL version. There is a security reason (verify_result
++  * is not stored with the session data).
++  */
++#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
++    needs_openssl_095_or_later();
++#endif
++
++    /*
++     * Initialize the PRNG Pseudo Random Number Generator with some seed.
++     */
++    randseed.pid = getpid();
++    GETTIMEOFDAY(&randseed.tv);
++    RAND_seed(&randseed, sizeof(randseed_t));
++
++    /*
++     * Access the external sources for random seed. We will only query them
++     * once, this should be sufficient and we will stir our entropy by using
++     * the prng-exchange file anyway.
++     * For reliability, we don't consider failure to access the additional
++     * source fatal, as we can run happily without it (considering that we
++     * still have the exchange-file). We also don't care how much entropy
++     * we get back, as we must run anyway. We simply stir in the buffer
++     * regardless how many bytes are actually in it.
++     */
++    if (*var_tls_daemon_rand_source) {
++	if (!strncmp(var_tls_daemon_rand_source, "dev:", 4)) {
++	    /*
++	     * Source is a random device
++	     */
++	    rand_source_dev_fd = open(var_tls_daemon_rand_source + 4, 0, 0);
++	    if (rand_source_dev_fd == -1) 
++		msg_info("Could not open entropy device %s",
++			  var_tls_daemon_rand_source);
++	    else {
++		if (var_tls_daemon_rand_bytes > 255)
++		    var_tls_daemon_rand_bytes = 255;
++	        read(rand_source_dev_fd, buffer, var_tls_daemon_rand_bytes);
++		RAND_seed(buffer, var_tls_daemon_rand_bytes);
++		close(rand_source_dev_fd);
++	    }
++	} else if (!strncmp(var_tls_daemon_rand_source, "egd:", 4)) {
++	    /*
++	     * Source is a EGD compatible socket
++	     */
++	    rand_source_socket_fd = unix_connect(var_tls_daemon_rand_source +4,
++						 BLOCKING, 10);
++	    if (rand_source_socket_fd == -1)
++		msg_info("Could not connect to %s", var_tls_daemon_rand_source);
++	    else {
++		if (var_tls_daemon_rand_bytes > 255)
++		    var_tls_daemon_rand_bytes = 255;
++		buffer[0] = 1;
++		buffer[1] = var_tls_daemon_rand_bytes;
++		if (write(rand_source_socket_fd, buffer, 2) != 2)
++		    msg_info("Could not talk to %s",
++			     var_tls_daemon_rand_source);
++		else if (read(rand_source_socket_fd, buffer, 1) != 1)
++		    msg_info("Could not read info from %s",
++			     var_tls_daemon_rand_source);
++		else {
++		    rand_bytes = buffer[0];
++		    read(rand_source_socket_fd, buffer, rand_bytes);
++		    RAND_seed(buffer, rand_bytes);
++		}
++		close(rand_source_socket_fd);
++	    }
++	} else {
++	    RAND_load_file(var_tls_daemon_rand_source,
++			   var_tls_daemon_rand_bytes);
++	}
++    }
++
++    if (*var_tls_rand_exch_name) {
++	rand_exch_fd = open(var_tls_rand_exch_name, O_RDWR | O_CREAT, 0600);
++	if (rand_exch_fd != -1)
++	    pfixtls_exchange_seed();
++    }
++
++    randseed.pid = getpid();
++    GETTIMEOFDAY(&randseed.tv);
++    RAND_seed(&randseed, sizeof(randseed_t));
++
++    /*
++     * The SSL/TLS speficications require the client to send a message in
++     * the oldest specification it understands with the highest level it
++     * understands in the message.
++     * Netscape communicator can still communicate with SSLv2 servers, so it
++     * sends out a SSLv2 client hello. To deal with it, our server must be
++     * SSLv2 aware (even if we don't like SSLv2), so we need to have the
++     * SSLv23 server here. If we want to limit the protocol level, we can
++     * add an option to not use SSLv2/v3/TLSv1 later.
++     */
++    ctx = SSL_CTX_new(SSLv23_server_method());
++    if (ctx == NULL) {
++	pfixtls_print_errors();
++	return (-1);
++    };
++
++    /*
++     * Here we might set SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1.
++     * Of course, the last one would not make sense, since RFC2487 is only
++     * defined for TLS, but we also want to accept Netscape communicator
++     * requests, and it only supports SSLv3.
++     */
++    off |= SSL_OP_ALL;		/* Work around all known bugs */
++    SSL_CTX_set_options(ctx, off);
++
++    /*
++     * Set the info_callback, that will print out messages during
++     * communication on demand.
++     */
++    if (var_smtpd_tls_loglevel >= 2)
++	SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
++
++    /*
++     * Set the list of ciphers, if explicitely given; otherwise the
++     * (reasonable) default list is kept.
++     */
++    if (strlen(var_smtpd_tls_cipherlist) != 0)
++	if (SSL_CTX_set_cipher_list(ctx, var_smtpd_tls_cipherlist) == 0) {
++	    pfixtls_print_errors();
++	    return (-1);
++	}
++
++    /*
++     * Now we must add the necessary certificate stuff: A server key, a
++     * server certificate, and the CA certificates for both the server
++     * cert and the verification of client certificates.
++     * As provided by OpenSSL we support two types of CA certificate handling:
++     * One possibility is to add all CA certificates to one large CAfile,
++     * the other possibility is a directory pointed to by CApath, containing
++     * seperate files for each CA pointed on by softlinks named by the hash
++     * values of the certificate.
++     * The first alternative has the advantage, that the file is opened and
++     * read at startup time, so that you don't have the hassle to maintain
++     * another copy of the CApath directory for chroot-jail. On the other
++     * hand, the file is not really readable.
++     */
++    if (strlen(var_smtpd_tls_CAfile) == 0)
++	CAfile = NULL;
++    else
++	CAfile = var_smtpd_tls_CAfile;
++    if (strlen(var_smtpd_tls_CApath) == 0)
++	CApath = NULL;
++    else
++	CApath = var_smtpd_tls_CApath;
++
++    if (CAfile || CApath) {
++	if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
++	    msg_info("TLS engine: cannot load CA data");
++	    pfixtls_print_errors();
++	    return (-1);
++	}
++	if (!SSL_CTX_set_default_verify_paths(ctx)) {
++	    msg_info("TLS engine: cannot set verify paths");
++	    pfixtls_print_errors();
++	    return (-1);
++	}
++    }
++
++    /*
++     * Now we load the certificate and key from the files and check,
++     * whether the cert matches the key (internally done by set_cert_stuff().
++     * We cannot run without (we do not support ADH anonymous Diffie-Hellman
++     * ciphers as of now).
++     * We can use RSA certificates ("cert") and DSA certificates ("dcert"),
++     * both can be made available at the same time. The CA certificates for
++     * both are handled in the same setup already finished.
++     * Which one is used depends on the cipher negotiated (that is: the first
++     * cipher listed by the client which does match the server). A client with
++     * RSA only (e.g. Netscape) will use the RSA certificate only.
++     * A client with openssl-library will use RSA first if not especially
++     * changed in the cipher setup.
++     */
++    if (strlen(var_smtpd_tls_cert_file) == 0)
++	s_cert_file = NULL;
++    else
++	s_cert_file = var_smtpd_tls_cert_file;
++    if (strlen(var_smtpd_tls_key_file) == 0)
++	s_key_file = NULL;
++    else
++	s_key_file = var_smtpd_tls_key_file;
++
++    if (strlen(var_smtpd_tls_dcert_file) == 0)
++	s_dcert_file = NULL;
++    else
++	s_dcert_file = var_smtpd_tls_dcert_file;
++    if (strlen(var_smtpd_tls_dkey_file) == 0)
++	s_dkey_file = NULL;
++    else
++	s_dkey_file = var_smtpd_tls_dkey_file;
++
++    if (s_cert_file) {
++	if (!set_cert_stuff(ctx, s_cert_file, s_key_file)) {
++	    msg_info("TLS engine: cannot load RSA cert/key data");
++	    pfixtls_print_errors();
++	    return (-1);
++	}
++    }
++    if (s_dcert_file) {
++	if (!set_cert_stuff(ctx, s_dcert_file, s_dkey_file)) {
++	    msg_info("TLS engine: cannot load DSA cert/key data");
++	    pfixtls_print_errors();
++	    return (-1);
++	}
++    }
++    if (!s_cert_file && !s_dcert_file) {
++	msg_info("TLS engine: do need at least RSA _or_ DSA cert/key data");
++	return (-1);
++    }
++
++    /*
++     * Sometimes a temporary RSA key might be needed by the OpenSSL
++     * library. The OpenSSL doc indicates, that this might happen when
++     * export ciphers are in use. We have to provide one, so well, we
++     * just do it.
++     */
++    SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_cb);
++
++    /*
++     * We might also need dh parameters, which can either be loaded from
++     * file (preferred) or we simply take the compiled in values.
++     * First, set the callback that will select the values when requested,
++     * then load the (possibly) available DH parameters from files.
++     * We are generous with the error handling, since we do have default
++     * values compiled in, so we will not abort but just log the error message.
++     */
++    SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_cb);
++    if (strlen(var_smtpd_tls_dh1024_param_file) != 0) {
++	if ((paramfile = fopen(var_smtpd_tls_dh1024_param_file, "r")) != NULL) {
++	    dh_1024 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
++	    if (dh_1024 == NULL) {
++		msg_info("TLS engine: cannot load 1024bit DH parameters");
++		pfixtls_print_errors();
++	    }
++	}
++	else {
++	    msg_info("TLS engine: cannot load 1024bit DH parameters: %s: %s",
++		     var_smtpd_tls_dh1024_param_file, strerror(errno));
++	}
++    }
++    if (strlen(var_smtpd_tls_dh512_param_file) != 0) {
++	if ((paramfile = fopen(var_smtpd_tls_dh512_param_file, "r")) != NULL) {
++	    dh_512 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
++	    if (dh_512 == NULL) {
++		msg_info("TLS engine: cannot load 512bit DH parameters");
++		pfixtls_print_errors();
++	    }
++	}
++	else {
++	    msg_info("TLS engine: cannot load 512bit DH parameters: %s: %s",
++		     var_smtpd_tls_dh512_param_file, strerror(errno));
++	}
++    }
++
++    /*
++     * If we want to check client certificates, we have to indicate it
++     * in advance. By now we only allow to decide on a global basis.
++     * If we want to allow certificate based relaying, we must ask the
++     * client to provide one with SSL_VERIFY_PEER. The client now can
++     * decide, whether it provides one or not. We can enforce a failure
++     * of the negotiation with SSL_VERIFY_FAIL_IF_NO_PEER_CERT, if we
++     * do not allow a connection without one.
++     * In the "server hello" following the initialization by the "client hello"
++     * the server must provide a list of CAs it is willing to accept.
++     * Some clever clients will then select one from the list of available
++     * certificates matching these CAs. Netscape Communicator will present
++     * the list of certificates for selecting the one to be sent, or it will
++     * issue a warning, if there is no certificate matching the available
++     * CAs.
++     *
++     * With regard to the purpose of the certificate for relaying, we might
++     * like a later negotiation, maybe relaying would already be allowed
++     * for other reasons, but this would involve severe changes in the
++     * internal postfix logic, so we have to live with it the way it is.
++     */
++    if (askcert)
++	verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
++    SSL_CTX_set_verify(ctx, verify_flags, verify_callback);
++    SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
++
++    /*
++     * Initialize the session cache. We only want external caching to
++     * synchronize between server sessions, so we set it to a minimum value
++     * of 1. If the external cache is disabled, we won't cache at all.
++     * The recall of old sessions "get" and save to disk of just created
++     * sessions "new" is handled by the appropriate callback functions.
++     *
++     * We must not forget to set a session id context to identify to which
++     * kind of server process the session was related. In our case, the
++     * context is just the name of the patchkit: "Postfix/TLS".
++     */
++    SSL_CTX_sess_set_cache_size(ctx, 1);
++    SSL_CTX_set_timeout(ctx, var_smtpd_tls_scache_timeout);
++    SSL_CTX_set_session_id_context(ctx, (void*)&server_session_id_context,
++                sizeof(server_session_id_context));
++
++    /*
++     * The session cache is realized by an external database file, that
++     * must be opened before going to chroot jail. Since the session cache
++     * data can become quite large, "[n]dbm" cannot be used as it has a
++     * size limit that is by far to small.
++     */
++    if (*var_smtpd_tls_scache_db) {
++	/*
++	 * Insert a test against other dbms here, otherwise while writing
++	 * a session (content to large), we will receive a fatal error!
++	 */
++	if (strncmp(var_smtpd_tls_scache_db, "sdbm:", 5))
++	    msg_warn("Only sdbm: type allowed for %s",
++		     var_smtpd_tls_scache_db);
++	else
++	    scache_db = dict_open(var_smtpd_tls_scache_db, O_RDWR,
++	      DICT_FLAG_DUP_REPLACE | DICT_FLAG_LOCK | DICT_FLAG_SYNC_UPDATE);
++	if (scache_db) {
++	    SSL_CTX_set_session_cache_mode(ctx,
++			SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_AUTO_CLEAR);
++	    SSL_CTX_sess_set_get_cb(ctx, get_session_cb);
++	    SSL_CTX_sess_set_new_cb(ctx, new_session_cb);
++	    SSL_CTX_sess_set_remove_cb(ctx, remove_session_cb);
++	}
++	else
++	    msg_warn("Could not open session cache %s",
++		     var_smtpd_tls_scache_db);
++    }
++
++    /*
++     * Finally create the global index to access TLScontext information
++     * inside verify_callback.
++     */
++    TLScontext_index = SSL_get_ex_new_index(0, "TLScontext ex_data index",
++					    NULL, NULL, NULL);
++
++    pfixtls_serverengine = 1;
++    return (0);
++}
++
++ /*
++  * This is the actual startup routine for the connection. We expect
++  * that the buffers are flushed and the "220 Ready to start TLS" was
++  * send to the client, so that we can immediately can start the TLS
++  * handshake process.
++  */
++int     pfixtls_start_servertls(VSTREAM *stream, int timeout,
++				const char *peername, const char *peeraddr,
++				tls_info_t *tls_info, int requirecert)
++{
++    int     sts;
++    int     j;
++    int verify_flags;
++    unsigned int n;
++    TLScontext_t *TLScontext;
++    SSL_SESSION *session;
++    SSL_CIPHER *cipher;
++    X509   *peer;
++
++    if (!pfixtls_serverengine) {		/* should never happen */
++	msg_info("tls_engine not running");
++	return (-1);
++    }
++    if (var_smtpd_tls_loglevel >= 1)
++	msg_info("setting up TLS connection from %s[%s]", peername, peeraddr);
++
++    /*
++     * Allocate a new TLScontext for the new connection and get an SSL
++     * structure. Add the location of TLScontext to the SSL to later
++     * retrieve the information inside the verify_callback().
++     */
++    TLScontext = (TLScontext_t *)mymalloc(sizeof(TLScontext_t));
++    if (!TLScontext) {
++	msg_fatal("Could not allocate 'TLScontext' with mymalloc");
++    }
++    if ((TLScontext->con = (SSL *) SSL_new(ctx)) == NULL) {
++	msg_info("Could not allocate 'TLScontext->con' with SSL_new()");
++	pfixtls_print_errors();
++	myfree((char *)TLScontext);
++	return (-1);
++    }
++    if (!SSL_set_ex_data(TLScontext->con, TLScontext_index, TLScontext)) {
++	msg_info("Could not set application data for 'TLScontext->con'");
++	pfixtls_print_errors();
++	SSL_free(TLScontext->con);
++	myfree((char *)TLScontext);
++	return (-1);
++    }
++
++    /*
++     * Set the verification parameters to be checked in verify_callback().
++     */
++    if (requirecert) {
++	verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
++	verify_flags |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
++	TLScontext->enforce_verify_errors = 1;
++        SSL_set_verify(TLScontext->con, verify_flags, verify_callback);
++    }
++    else {
++	TLScontext->enforce_verify_errors = 0;
++    }
++    TLScontext->enforce_CN = 0;
++
++    /*
++     * The TLS connection is realized by a BIO_pair, so obtain the pair.
++     */
++    if (!BIO_new_bio_pair(&TLScontext->internal_bio, BIO_bufsiz,
++			  &TLScontext->network_bio, BIO_bufsiz)) {
++	msg_info("Could not obtain BIO_pair");
++	pfixtls_print_errors();
++	SSL_free(TLScontext->con);
++	myfree((char *)TLScontext);
++	return (-1);
++    }
++
++    /*
++     * Before really starting anything, try to seed the PRNG a little bit
++     * more.
++     */
++    pfixtls_stir_seed();
++    pfixtls_exchange_seed();
++
++    /*
++     * Initialize the SSL connection to accept state. This should not be
++     * necessary anymore since 0.9.3, but the call is still in the library
++     * and maintaining compatibility never hurts.
++     */
++    SSL_set_accept_state(TLScontext->con);
++
++    /*
++     * Connect the SSL-connection with the postfix side of the BIO-pair for
++     * reading and writing.
++     */
++     SSL_set_bio(TLScontext->con, TLScontext->internal_bio,
++		 TLScontext->internal_bio);
++
++    /*
++     * If the debug level selected is high enough, all of the data is
++     * dumped: 3 will dump the SSL negotiation, 4 will dump everything.
++     *
++     * We do have an SSL_set_fd() and now suddenly a BIO_ routine is called?
++     * Well there is a BIO below the SSL routines that is automatically
++     * created for us, so we can use it for debugging purposes.
++     */
++    if (var_smtpd_tls_loglevel >= 3)
++	BIO_set_callback(SSL_get_rbio(TLScontext->con), bio_dump_cb);
++
++
++    /* Dump the negotiation for loglevels 3 and 4 */
++    if (var_smtpd_tls_loglevel >= 3)
++	do_dump = 1;
++
++    /*
++     * Now we expect the negotiation to begin. This whole process is like a
++     * black box for us. We totally have to rely on the routines build into
++     * the OpenSSL library. The only thing we can do we already have done
++     * by choosing our own callbacks for session caching and certificate
++     * verification.
++     *
++     * Error handling:
++     * If the SSL handhake fails, we print out an error message and remove
++     * everything that might be there. A session has to be removed anyway,
++     * because RFC2246 requires it.
++     */
++    sts = do_tls_operation(vstream_fileno(stream), timeout, TLScontext,
++			   SSL_accept, NULL, NULL, NULL, 0);
++    if (sts <= 0) {
++	msg_info("SSL_accept error from %s[%s]: %d", peername, peeraddr, sts);
++	pfixtls_print_errors();
++	SSL_free(TLScontext->con);
++	myfree((char *)TLScontext);
++	return (-1);
++    }
++
++    /* Only loglevel==4 dumps everything */
++    if (var_smtpd_tls_loglevel < 4)
++	do_dump = 0;
++
++    /*
++     * Lets see, whether a peer certificate is available and what is
++     * the actual information. We want to save it for later use.
++     */
++    peer = SSL_get_peer_certificate(TLScontext->con);
++    if (peer != NULL) {
++	if (SSL_get_verify_result(TLScontext->con) == X509_V_OK)
++	    tls_info->peer_verified = 1;
++
++	X509_NAME_oneline(X509_get_subject_name(peer),
++			  TLScontext->peer_subject, CCERT_BUFSIZ);
++	if (var_smtpd_tls_loglevel >= 2)
++	    msg_info("subject=%s", TLScontext->peer_subject);
++	tls_info->peer_subject = TLScontext->peer_subject;
++	X509_NAME_oneline(X509_get_issuer_name(peer),
++			  TLScontext->peer_issuer, CCERT_BUFSIZ);
++	if (var_smtpd_tls_loglevel >= 2)
++	    msg_info("issuer=%s", TLScontext->peer_issuer);
++	tls_info->peer_issuer = TLScontext->peer_issuer;
++	if (X509_digest(peer, EVP_md5(), TLScontext->md, &n)) {
++	    for (j = 0; j < (int) n; j++) {
++		TLScontext->fingerprint[j * 3] =
++			hexcodes[(TLScontext->md[j] & 0xf0) >> 4];
++		TLScontext->fingerprint[(j * 3) + 1] =
++			hexcodes[(TLScontext->md[j] & 0x0f)];
++		if (j + 1 != (int) n)
++		    TLScontext->fingerprint[(j * 3) + 2] = ':';
++		else
++		    TLScontext->fingerprint[(j * 3) + 2] = '\0';
++	    }
++	    if (var_smtpd_tls_loglevel >= 1)
++		msg_info("fingerprint=%s", TLScontext->fingerprint);
++	    tls_info->peer_fingerprint = TLScontext->fingerprint;
++	}
++
++	TLScontext->peer_CN[0] = '\0';
++	if (!X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
++			NID_commonName, TLScontext->peer_CN, CCERT_BUFSIZ)) {
++	    msg_info("Could not parse client's subject CN");
++	    pfixtls_print_errors();
++	}
++	tls_info->peer_CN = TLScontext->peer_CN;
++
++	TLScontext->issuer_CN[0] = '\0';
++	if (!X509_NAME_get_text_by_NID(X509_get_issuer_name(peer),
++			NID_commonName, TLScontext->issuer_CN, CCERT_BUFSIZ)) {
++	    msg_info("Could not parse client's issuer CN");
++	    pfixtls_print_errors();
++	}
++	if (!TLScontext->issuer_CN[0]) {
++	    /* No issuer CN field, use Organization instead */
++	    if (!X509_NAME_get_text_by_NID(X509_get_issuer_name(peer),
++		NID_organizationName, TLScontext->issuer_CN, CCERT_BUFSIZ)) {
++		msg_info("Could not parse client's issuer Organization");
++		pfixtls_print_errors();
++	    }
++	}
++	tls_info->issuer_CN = TLScontext->issuer_CN;
++
++	if (var_smtpd_tls_loglevel >= 1) {
++	    if (tls_info->peer_verified)
++		msg_info("Verified: subject_CN=%s, issuer=%s",
++			 TLScontext->peer_CN, TLScontext->issuer_CN);
++	    else
++		msg_info("Unverified: subject_CN=%s, issuer=%s",
++			 TLScontext->peer_CN, TLScontext->issuer_CN);
++	}
++
++	X509_free(peer);
++    }
++
++    /*
++     * At this point we should have a certificate when required.
++     * We may however have a cached session, so the callback would never
++     * be called. We therefore double-check to make sure and remove the
++     * session, if applicable.
++     */
++    if (requirecert) {
++	if (!tls_info->peer_verified || !tls_info->peer_CN) {
++	    msg_info("Re-used session without peer certificate removed");
++	    session = SSL_get_session(TLScontext->con);
++	    SSL_CTX_remove_session(ctx, session);
++	    return (-1);
++	}
++    }
++
++    /*
++     * Finally, collect information about protocol and cipher for logging
++     */
++    tls_info->protocol = SSL_get_version(TLScontext->con);
++    cipher = SSL_get_current_cipher(TLScontext->con);
++    tls_info->cipher_name = SSL_CIPHER_get_name(cipher);
++    tls_info->cipher_usebits = SSL_CIPHER_get_bits(cipher,
++						 &(tls_info->cipher_algbits));
++
++    pfixtls_serveractive = 1;
++
++    /*
++     * The TLS engine is active, switch to the pfixtls_timed_read/write()
++     * functions and store the context.
++     */
++    vstream_control(stream,
++		    VSTREAM_CTL_READ_FN, pfixtls_timed_read,
++		    VSTREAM_CTL_WRITE_FN, pfixtls_timed_write,
++		    VSTREAM_CTL_CONTEXT, (void *)TLScontext,
++		    VSTREAM_CTL_END);
++
++    if (var_smtpd_tls_loglevel >= 1)
++   	 msg_info("TLS connection established from %s[%s]: %s with cipher %s (%d/%d bits)",
++		  peername, peeraddr,
++		  tls_info->protocol, tls_info->cipher_name,
++		  tls_info->cipher_usebits, tls_info->cipher_algbits);
++    pfixtls_stir_seed();
++
++    return (0);
++}
++
++ /*
++  * Shut down the TLS connection, that does mean: remove all the information
++  * and reset the flags! This is needed if the actual running smtpd is to
++  * be restarted. We do not give back any value, as there is nothing to
++  * be reported.
++  * Since our session cache is external, we will remove the session from
++  * memory in any case. The SSL_CTX_flush_sessions might be redundant here,
++  * I however want to make sure nothing is left.
++  * RFC2246 requires us to remove sessions if something went wrong, as
++  * indicated by the "failure" value, so we remove it from the external
++  * cache, too. 
++  */
++int     pfixtls_stop_servertls(VSTREAM *stream, int timeout, int failure,
++			       tls_info_t *tls_info)
++{
++    TLScontext_t *TLScontext;
++    int retval;
++
++    if (pfixtls_serveractive) {
++	TLScontext = (TLScontext_t *)vstream_context(stream);
++	/*
++	 * Perform SSL_shutdown() twice, as the first attempt may return
++	 * to early: it will only send out the shutdown alert but it will
++	 * not wait for the peer's shutdown alert. Therefore, when we are
++	 * the first party to send the alert, we must call SSL_shutdown()
++	 * again.
++	 * On failure we don't want to resume the session, so we will not
++	 * perform SSL_shutdown() and the session will be removed as being
++	 * bad.
++	 */
++	if (!failure) {
++            retval = do_tls_operation(vstream_fileno(stream), timeout,
++				TLScontext, SSL_shutdown, NULL, NULL, NULL, 0);
++	    if (retval == 0)
++		do_tls_operation(vstream_fileno(stream), timeout, TLScontext,
++				SSL_shutdown, NULL, NULL, NULL, 0);
++	}
++	/*
++	 * Free the SSL structure and the BIOs. Warning: the internal_bio is
++	 * connected to the SSL structure and is automatically freed with
++	 * it. Do not free it again (core dump)!!
++	 * Only free the network_bio.
++	 */
++	SSL_free(TLScontext->con);
++	BIO_free(TLScontext->network_bio);
++	myfree((char *)TLScontext);
++        vstream_control(stream,
++		    VSTREAM_CTL_READ_FN, (VSTREAM_FN) NULL,
++		    VSTREAM_CTL_WRITE_FN, (VSTREAM_FN) NULL,
++		    VSTREAM_CTL_CONTEXT, (void *) NULL,
++		    VSTREAM_CTL_END);
++	SSL_CTX_flush_sessions(ctx, time(NULL));
++
++	pfixtls_stir_seed();
++	pfixtls_exchange_seed();
++
++	*tls_info = tls_info_zero;
++	pfixtls_serveractive = 0;
++
++    }
++
++    return (0);
++}
++
++
++ /*
++  * This is the setup routine for the SSL client. As smtpd might be called
++  * more than once, we only want to do the initialization one time.
++  *
++  * The skeleton of this function is taken from OpenSSL apps/s_client.c.
++  */
++
++int     pfixtls_init_clientengine(int verifydepth)
++{
++    int     off = 0;
++    int     verify_flags = SSL_VERIFY_NONE;
++    int     rand_bytes;
++    int     rand_source_dev_fd;
++    int     rand_source_socket_fd;
++    unsigned char buffer[255];
++    char   *CApath;
++    char   *CAfile;
++    char   *c_cert_file;
++    char   *c_key_file;
++
++
++    if (pfixtls_clientengine)
++	return (0);				/* already running */
++
++    if (var_smtp_tls_loglevel >= 2)
++	msg_info("starting TLS engine");
++
++    /*
++     * Initialize the OpenSSL library by the book!
++     * To start with, we must initialize the algorithms.
++     * We want cleartext error messages instead of just error codes, so we
++     * load the error_strings.
++     */ 
++    SSL_load_error_strings();
++    OpenSSL_add_ssl_algorithms();
++
++ /*
++  * Side effect, call a non-existing function to disable TLS usage with an
++  * outdated OpenSSL version. There is a security reason (verify_result
++  * is not stored with the session data).
++  */
++#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
++    needs_openssl_095_or_later();
++#endif
++
++    /*
++     * Initialize the PRNG Pseudo Random Number Generator with some seed.
++     */
++    randseed.pid = getpid();
++    GETTIMEOFDAY(&randseed.tv);
++    RAND_seed(&randseed, sizeof(randseed_t));
++
++    /*
++     * Access the external sources for random seed. We will only query them
++     * once, this should be sufficient and we will stir our entropy by using
++     * the prng-exchange file anyway.
++     * For reliability, we don't consider failure to access the additional
++     * source fatal, as we can run happily without it (considering that we
++     * still have the exchange-file). We also don't care how much entropy
++     * we get back, as we must run anyway. We simply stir in the buffer
++     * regardless how many bytes are actually in it.
++     */
++    if (*var_tls_daemon_rand_source) {
++	if (!strncmp(var_tls_daemon_rand_source, "dev:", 4)) {
++	    /*
++	     * Source is a random device
++	     */
++	    rand_source_dev_fd = open(var_tls_daemon_rand_source + 4, 0, 0);
++	    if (rand_source_dev_fd == -1) 
++		msg_info("Could not open entropy device %s",
++			  var_tls_daemon_rand_source);
++	    else {
++		if (var_tls_daemon_rand_bytes > 255)
++		    var_tls_daemon_rand_bytes = 255;
++	        read(rand_source_dev_fd, buffer, var_tls_daemon_rand_bytes);
++		RAND_seed(buffer, var_tls_daemon_rand_bytes);
++		close(rand_source_dev_fd);
++	    }
++	} else if (!strncmp(var_tls_daemon_rand_source, "egd:", 4)) {
++	    /*
++	     * Source is a EGD compatible socket
++	     */
++	    rand_source_socket_fd = unix_connect(var_tls_daemon_rand_source +4,
++						 BLOCKING, 10);
++	    if (rand_source_socket_fd == -1)
++		msg_info("Could not connect to %s", var_tls_daemon_rand_source);
++	    else {
++		if (var_tls_daemon_rand_bytes > 255)
++		    var_tls_daemon_rand_bytes = 255;
++		buffer[0] = 1;
++		buffer[1] = var_tls_daemon_rand_bytes;
++		if (write(rand_source_socket_fd, buffer, 2) != 2)
++		    msg_info("Could not talk to %s",
++			     var_tls_daemon_rand_source);
++		else if (read(rand_source_socket_fd, buffer, 1) != 1)
++		    msg_info("Could not read info from %s",
++			     var_tls_daemon_rand_source);
++		else {
++		    rand_bytes = buffer[0];
++		    read(rand_source_socket_fd, buffer, rand_bytes);
++		    RAND_seed(buffer, rand_bytes);
++		}
++		close(rand_source_socket_fd);
++	    }
++	} else {
++	    RAND_load_file(var_tls_daemon_rand_source,
++			   var_tls_daemon_rand_bytes);
++	}
++    }
++
++    if (*var_tls_rand_exch_name) {
++	rand_exch_fd = open(var_tls_rand_exch_name, O_RDWR | O_CREAT, 0600);
++	if (rand_exch_fd != -1)
++	    pfixtls_exchange_seed();
++    }
++
++    randseed.pid = getpid();
++    GETTIMEOFDAY(&randseed.tv);
++    RAND_seed(&randseed, sizeof(randseed_t));
++
++    /*
++     * The SSL/TLS speficications require the client to send a message in
++     * the oldest specification it understands with the highest level it
++     * understands in the message.
++     * RFC2487 is only specified for TLSv1, but we want to be as compatible
++     * as possible, so we will start off with a SSLv2 greeting allowing
++     * the best we can offer: TLSv1.
++     * We can restrict this with the options setting later, anyhow.
++     */
++    ctx = SSL_CTX_new(SSLv23_client_method());
++    if (ctx == NULL) {
++	pfixtls_print_errors();
++	return (-1);
++    };
++
++    /*
++     * Here we might set SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1.
++     * Of course, the last one would not make sense, since RFC2487 is only
++     * defined for TLS, but we don't know what is out there. So leave things
++     * completely open, as of today.
++     */
++    off |= SSL_OP_ALL;		/* Work around all known bugs */
++    SSL_CTX_set_options(ctx, off);
++
++    /*
++     * Set the info_callback, that will print out messages during
++     * communication on demand.
++     */
++    if (var_smtp_tls_loglevel >= 2)
++	SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
++
++    /*
++     * Set the list of ciphers, if explicitely given; otherwise the
++     * (reasonable) default list is kept.
++     */
++    if (strlen(var_smtp_tls_cipherlist) != 0)
++	if (SSL_CTX_set_cipher_list(ctx, var_smtp_tls_cipherlist) == 0) {
++	    pfixtls_print_errors();
++	    return (-1);
++	}
++
++    /*
++     * Now we must add the necessary certificate stuff: A client key, a
++     * client certificate, and the CA certificates for both the client
++     * cert and the verification of server certificates.
++     * In fact, we do not need a client certificate,  so the certificates
++     * are only loaded (and checked), if supplied. A clever client would
++     * handle multiple client certificates and decide based on the list
++     * of acceptable CAs, sent by the server, which certificate to submit.
++     * OpenSSL does however not do this and also has no callback hoods to
++     * easily realize it.
++     *
++     * As provided by OpenSSL we support two types of CA certificate handling:
++     * One possibility is to add all CA certificates to one large CAfile,
++     * the other possibility is a directory pointed to by CApath, containing
++     * seperate files for each CA pointed on by softlinks named by the hash
++     * values of the certificate.
++     * The first alternative has the advantage, that the file is opened and
++     * read at startup time, so that you don't have the hassle to maintain
++     * another copy of the CApath directory for chroot-jail. On the other
++     * hand, the file is not really readable.
++     */ 
++    if (strlen(var_smtp_tls_CAfile) == 0)
++	CAfile = NULL;
++    else
++	CAfile = var_smtp_tls_CAfile;
++    if (strlen(var_smtp_tls_CApath) == 0)
++	CApath = NULL;
++    else
++	CApath = var_smtp_tls_CApath;
++    if (CAfile || CApath) {
++	if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
++	    msg_info("TLS engine: cannot load CA data");
++	    pfixtls_print_errors();
++	    return (-1);
++	}
++	if (!SSL_CTX_set_default_verify_paths(ctx)) {
++	    msg_info("TLS engine: cannot set verify paths");
++	    pfixtls_print_errors();
++	    return (-1);
++	}
++    }
++
++    if (strlen(var_smtp_tls_cert_file) == 0)
++	c_cert_file = NULL;
++    else
++	c_cert_file = var_smtp_tls_cert_file;
++    if (strlen(var_smtp_tls_key_file) == 0)
++	c_key_file = NULL;
++    else
++	c_key_file = var_smtp_tls_key_file;
++    if (c_cert_file || c_key_file)
++	if (!set_cert_stuff(ctx, c_cert_file, c_key_file)) {
++	    msg_info("TLS engine: cannot load cert/key data");
++	    pfixtls_print_errors();
++	    return (-1);
++	}
++
++    /*
++     * Sometimes a temporary RSA key might be needed by the OpenSSL
++     * library. The OpenSSL doc indicates, that this might happen when
++     * export ciphers are in use. We have to provide one, so well, we
++     * just do it.
++     */
++    SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_cb);
++
++    /*
++     * Finally, the setup for the server certificate checking, done
++     * "by the book".
++     */
++    SSL_CTX_set_verify(ctx, verify_flags, verify_callback);
++
++    /*
++     * Initialize the session cache. We only want external caching to
++     * synchronize between server sessions, so we set it to a minimum value
++     * of 1. If the external cache is disabled, we won't cache at all.
++     *
++     * In case of the client, there is no callback used in OpenSSL, so
++     * we must call the session cache functions manually during the process.
++     */
++    SSL_CTX_sess_set_cache_size(ctx, 1);
++    SSL_CTX_set_timeout(ctx, var_smtp_tls_scache_timeout);
++
++    /*
++     * The session cache is realized by an external database file, that
++     * must be opened before going to chroot jail. Since the session cache
++     * data can become quite large, "[n]dbm" cannot be used as it has a
++     * size limit that is by far to small.
++     */
++    if (*var_smtp_tls_scache_db) {
++	/*
++	 * Insert a test against other dbms here, otherwise while writing
++	 * a session (content to large), we will receive a fatal error!
++	 */
++	if (strncmp(var_smtp_tls_scache_db, "sdbm:", 5))
++	    msg_warn("Only sdbm: type allowed for %s",
++		     var_smtp_tls_scache_db);
++	else
++	    scache_db = dict_open(var_smtp_tls_scache_db, O_RDWR,
++	      DICT_FLAG_DUP_REPLACE | DICT_FLAG_LOCK | DICT_FLAG_SYNC_UPDATE);
++	if (!scache_db)
++	    msg_warn("Could not open session cache %s",
++		     var_smtp_tls_scache_db);
++	/*
++	 * It is practical to have OpenSSL automatically save newly created
++	 * sessions for us by callback. Therefore we have to enable the
++	 * internal session cache for the client side. Disable automatic
++	 * clearing, as smtp has limited lifetime anyway and we can call
++	 * the cleanup routine at will.
++	 */
++	SSL_CTX_set_session_cache_mode(ctx,
++			SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_NO_AUTO_CLEAR);
++	SSL_CTX_sess_set_new_cb(ctx, new_session_cb);
++    }
++   
++    /*
++     * Finally create the global index to access TLScontext information
++     * inside verify_callback.
++     */
++    TLScontext_index = SSL_get_ex_new_index(0, "TLScontext ex_data index",
++					    NULL, NULL, NULL);
++    TLSpeername_index = SSL_SESSION_get_ex_new_index(0,
++					    "TLSpeername ex_data index",
++					    new_peername_func,
++					    dup_peername_func,
++					    free_peername_func);
++
++    pfixtls_clientengine = 1;
++    return (0);
++}
++
++ /*
++  * This is the actual startup routine for the connection. We expect
++  * that the buffers are flushed and the "220 Ready to start TLS" was
++  * received by us, so that we can immediately can start the TLS
++  * handshake process.
++  */
++int     pfixtls_start_clienttls(VSTREAM *stream, int timeout,
++			        int enforce_peername,
++				const char *peername,
++				tls_info_t *tls_info)
++{
++    int     sts;
++    SSL_SESSION *session, *old_session;
++    SSL_CIPHER *cipher;
++    X509   *peer;
++    int     verify_flags;
++    TLScontext_t *TLScontext;
++
++    if (!pfixtls_clientengine) {		/* should never happen */
++	msg_info("tls_engine not running");
++	return (-1);
++    }
++    if (var_smtpd_tls_loglevel >= 1)
++	msg_info("setting up TLS connection to %s", peername);
++
++    /*
++     * Allocate a new TLScontext for the new connection and get an SSL
++     * structure. Add the location of TLScontext to the SSL to later
++     * retrieve the information inside the verify_callback().
++     */
++    TLScontext = (TLScontext_t *)mymalloc(sizeof(TLScontext_t));
++    if (!TLScontext) {
++	msg_fatal("Could not allocate 'TLScontext' with mymalloc");
++    }
++    if ((TLScontext->con = (SSL *) SSL_new(ctx)) == NULL) {
++	msg_info("Could not allocate 'TLScontext->con' with SSL_new()");
++	pfixtls_print_errors();
++	myfree((char *)TLScontext);
++	return (-1);
++    }
++    if (!SSL_set_ex_data(TLScontext->con, TLScontext_index, TLScontext)) {
++	msg_info("Could not set application data for 'TLScontext->con'");
++	pfixtls_print_errors();
++	SSL_free(TLScontext->con);
++	myfree((char *)TLScontext);
++	return (-1);
++    }
++
++    /*
++     * Set the verification parameters to be checked in verify_callback().
++     */
++    if (enforce_peername) {
++	verify_flags = SSL_VERIFY_PEER;
++	TLScontext->enforce_verify_errors = 1;
++	TLScontext->enforce_CN = 1;
++        SSL_set_verify(TLScontext->con, verify_flags, verify_callback);
++    }
++    else {
++	TLScontext->enforce_verify_errors = 0;
++	TLScontext->enforce_CN = 0;
++    }
++    TLScontext->hostname_matched = 0;
++
++    /*
++     * The TLS connection is realized by a BIO_pair, so obtain the pair.
++     */
++    if (!BIO_new_bio_pair(&TLScontext->internal_bio, BIO_bufsiz,
++			  &TLScontext->network_bio, BIO_bufsiz)) {
++	msg_info("Could not obtain BIO_pair");
++	pfixtls_print_errors();
++	SSL_free(TLScontext->con);
++	myfree((char *)TLScontext);
++	return (-1);
++    }
++
++    old_session = NULL;
++
++    /*
++     * Find out the hashed HostID for the client cache and try to
++     * load the session from the cache.
++     */
++    strncpy(TLScontext->peername_save, peername, ID_MAXLENGTH + 1);
++    TLScontext->peername_save[ID_MAXLENGTH] = '\0';  /* just in case */
++    (void)lowercase(TLScontext->peername_save);
++    if (scache_db) {
++	old_session = load_clnt_session(peername, enforce_peername);
++	if (old_session) {
++	   SSL_set_session(TLScontext->con, old_session);
++#if (OPENSSL_VERSION_NUMBER < 0x00906011L) || (OPENSSL_VERSION_NUMBER == 0x00907000L)
++	    /*
++	     * Ugly Hack: OpenSSL before 0.9.6a does not store the verify
++	     * result in sessions for the client side.
++	     * We modify the session directly which is version specific,
++	     * but this bug is version specific, too.
++	     *
++	     * READ: 0-09-06-01-1 = 0-9-6-a-beta1: all versions before
++	     * beta1 have this bug, it has been fixed during development
++	     * of 0.9.6a. The development version of 0.9.7 can have this
++	     * bug, too. It has been fixed on 2000/11/29.
++	     */
++	    SSL_set_verify_result(TLScontext->con, old_session->verify_result);
++#endif
++	   
++	}
++    }
++
++    /*
++     * Before really starting anything, try to seed the PRNG a little bit
++     * more.
++     */
++    pfixtls_stir_seed();
++    pfixtls_exchange_seed();
++
++    /*
++     * Initialize the SSL connection to connect state. This should not be
++     * necessary anymore since 0.9.3, but the call is still in the library
++     * and maintaining compatibility never hurts.
++     */
++    SSL_set_connect_state(TLScontext->con);
++
++    /*
++     * Connect the SSL-connection with the postfix side of the BIO-pair for
++     * reading and writing.
++     */
++    SSL_set_bio(TLScontext->con, TLScontext->internal_bio,
++		TLScontext->internal_bio);
++
++    /*
++     * If the debug level selected is high enough, all of the data is
++     * dumped: 3 will dump the SSL negotiation, 4 will dump everything.
++     *
++     * We do have an SSL_set_fd() and now suddenly a BIO_ routine is called?
++     * Well there is a BIO below the SSL routines that is automatically
++     * created for us, so we can use it for debugging purposes.
++     */
++    if (var_smtp_tls_loglevel >= 3)
++	BIO_set_callback(SSL_get_rbio(TLScontext->con), bio_dump_cb);
++
++
++    /* Dump the negotiation for loglevels 3 and 4 */
++    if (var_smtp_tls_loglevel >= 3)
++	do_dump = 1;
++
++    /*
++     * Now we expect the negotiation to begin. This whole process is like a
++     * black box for us. We totally have to rely on the routines build into
++     * the OpenSSL library. The only thing we can do we already have done
++     * by choosing our own callback certificate verification.
++     *
++     * Error handling:
++     * If the SSL handhake fails, we print out an error message and remove
++     * everything that might be there. A session has to be removed anyway,
++     * because RFC2246 requires it. 
++     */
++    sts = do_tls_operation(vstream_fileno(stream), timeout, TLScontext,
++			   SSL_connect, NULL, NULL, NULL, 0);
++    if (sts <= 0) {
++	msg_info("SSL_connect error to %s: %d", peername, sts);
++	pfixtls_print_errors();
++	session = SSL_get_session(TLScontext->con);
++	if (session) {
++	    SSL_CTX_remove_session(ctx, session);
++	    if (var_smtp_tls_loglevel >= 2)
++		msg_info("SSL session removed");
++	}
++	if ((old_session) && (!SSL_session_reused(TLScontext->con)))
++	    SSL_SESSION_free(old_session);	/* Must also be removed */
++	SSL_free(TLScontext->con);
++	myfree((char *)TLScontext);
++	return (-1);
++    }
++
++    if (!SSL_session_reused(TLScontext->con)) {
++	SSL_SESSION_free(old_session);	/* Remove unused session */
++    }
++    else if (var_smtp_tls_loglevel >= 3)
++	msg_info("Reusing old session");
++
++    /* Only loglevel==4 dumps everything */
++    if (var_smtp_tls_loglevel < 4)
++	do_dump = 0;
++
++    /*
++     * Lets see, whether a peer certificate is available and what is
++     * the actual information. We want to save it for later use.
++     */
++    peer = SSL_get_peer_certificate(TLScontext->con);
++    if (peer != NULL) {
++	if (SSL_get_verify_result(TLScontext->con) == X509_V_OK)
++	    tls_info->peer_verified = 1;
++
++	tls_info->hostname_matched = TLScontext->hostname_matched;
++	TLScontext->peer_CN[0] = '\0';
++	if (!X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
++			NID_commonName, TLScontext->peer_CN, CCERT_BUFSIZ)) {
++	    msg_info("Could not parse server's subject CN");
++	    pfixtls_print_errors();
++	}
++	tls_info->peer_CN = TLScontext->peer_CN;
++
++	TLScontext->issuer_CN[0] = '\0';
++	if (!X509_NAME_get_text_by_NID(X509_get_issuer_name(peer),
++			NID_commonName, TLScontext->issuer_CN, CCERT_BUFSIZ)) {
++	    msg_info("Could not parse server's issuer CN");
++	    pfixtls_print_errors();
++	}
++	if (!TLScontext->issuer_CN[0]) {
++	    /* No issuer CN field, use Organization instead */
++	    if (!X509_NAME_get_text_by_NID(X509_get_issuer_name(peer),
++		NID_organizationName, TLScontext->issuer_CN, CCERT_BUFSIZ)) {
++		msg_info("Could not parse server's issuer Organization");
++		pfixtls_print_errors();
++	    }
++	}
++	tls_info->issuer_CN = TLScontext->issuer_CN;
++
++	if (var_smtp_tls_loglevel >= 1) {
++	    if (tls_info->peer_verified)
++		msg_info("Verified: subject_CN=%s, issuer=%s",
++			 TLScontext->peer_CN, TLScontext->issuer_CN);
++	    else
++		msg_info("Unverified: subject_CN=%s, issuer=%s",
++			 TLScontext->peer_CN, TLScontext->issuer_CN);
++	}
++	X509_free(peer);
++    }
++
++    /*
++     * Finally, collect information about protocol and cipher for logging
++     */ 
++    tls_info->protocol = SSL_get_version(TLScontext->con);
++    cipher = SSL_get_current_cipher(TLScontext->con);
++    tls_info->cipher_name = SSL_CIPHER_get_name(cipher);
++    tls_info->cipher_usebits = SSL_CIPHER_get_bits(cipher,
++						 &(tls_info->cipher_algbits));
++
++    pfixtls_clientactive = 1;
++
++    /*
++     * The TLS engine is active, switch to the pfixtls_timed_read/write()
++     * functions.
++     */
++    vstream_control(stream,
++		    VSTREAM_CTL_READ_FN, pfixtls_timed_read,
++		    VSTREAM_CTL_WRITE_FN, pfixtls_timed_write,
++		    VSTREAM_CTL_CONTEXT, (void *)TLScontext,
++		    VSTREAM_CTL_END);
++
++    if (var_smtp_tls_loglevel >= 1)
++	msg_info("TLS connection established to %s: %s with cipher %s (%d/%d bits)",
++		 peername, tls_info->protocol, tls_info->cipher_name,
++		 tls_info->cipher_usebits, tls_info->cipher_algbits);
++
++    pfixtls_stir_seed();
++
++    return (0);
++}
++
++ /*
++  * Shut down the TLS connection, that does mean: remove all the information
++  * and reset the flags! This is needed if the actual running smtp is to
++  * be restarted. We do not give back any value, as there is nothing to
++  * be reported.
++  * Since our session cache is external, we will remove the session from
++  * memory in any case. The SSL_CTX_flush_sessions might be redundant here,
++  * I however want to make sure nothing is left.
++  * RFC2246 requires us to remove sessions if something went wrong, as
++  * indicated by the "failure" value,so we remove it from the external
++  * cache, too.
++  */
++int     pfixtls_stop_clienttls(VSTREAM *stream, int timeout, int failure,
++			       tls_info_t *tls_info)
++{
++    TLScontext_t *TLScontext;
++    int retval;
++
++    if (pfixtls_clientactive) {
++	TLScontext = (TLScontext_t *)vstream_context(stream);
++	/*
++	 * Perform SSL_shutdown() twice, as the first attempt may return
++	 * to early: it will only send out the shutdown alert but it will
++	 * not wait for the peer's shutdown alert. Therefore, when we are
++	 * the first party to send the alert, we must call SSL_shutdown()
++	 * again.
++	 * On failure we don't want to resume the session, so we will not
++	 * perform SSL_shutdown() and the session will be removed as being
++	 * bad.
++	 */
++	if (!failure) {
++	    retval = do_tls_operation(vstream_fileno(stream), timeout,
++				TLScontext, SSL_shutdown, NULL, NULL, NULL, 0);
++	    if (retval == 0)
++		do_tls_operation(vstream_fileno(stream), timeout, TLScontext,
++				SSL_shutdown, NULL, NULL, NULL, 0);
++	}
++	/*
++	 * Free the SSL structure and the BIOs. Warning: the internal_bio is
++	 * connected to the SSL structure and is automatically freed with
++	 * it. Do not free it again (core dump)!!
++	 * Only free the network_bio.
++	 */
++	SSL_free(TLScontext->con);
++	BIO_free(TLScontext->network_bio);
++	myfree((char *)TLScontext);
++	vstream_control(stream,
++		    VSTREAM_CTL_READ_FN, (VSTREAM_FN) NULL,
++		    VSTREAM_CTL_WRITE_FN, (VSTREAM_FN) NULL,
++		    VSTREAM_CTL_CONTEXT, (void *) NULL,
++		    VSTREAM_CTL_END);
++	SSL_CTX_flush_sessions(ctx, time(NULL));
++
++	pfixtls_stir_seed();
++	pfixtls_exchange_seed();
++
++	*tls_info = tls_info_zero;
++	pfixtls_clientactive = 0;
++
++    }
++
++    return (0);
++}
++
++
++#endif /* USE_SSL */
++#endif
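Review bot: the block comment above pfixtls_stop_clienttls() says the failed session is removed from the external cache too, but nothing in the failure path does that explicitly: when `failure` is set, SSL_shutdown() is skipped and the only cache call is `SSL_CTX_flush_sessions(ctx, time(NULL))`, which only expires sessions whose timeout has already passed. Removal of the bad session therefore depends on SSL_free() invoking the remove-session callback for a connection that was never shut down; either say so in the comment or call SSL_CTX_remove_session() on the session explicitly so the behaviour does not hinge on library internals. Also, the return value of the second SSL_shutdown() is discarded, so a peer that never answers the close_notify goes unlogged even at var_smtp_tls_loglevel >= 1.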
+diff -urNad postfix-release/src/global/pfixtls.h /tmp/dpep.cXJuVH/postfix-release/src/global/pfixtls.h
+--- postfix-release/src/global/pfixtls.h	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/pfixtls.h	2005-02-03 10:22:13.060096687 -0700
+@@ -0,0 +1,81 @@
++/*++
++/* NAME
++/*      pfixtls 3h
++/* SUMMARY
++/*      TLS routines
++/* SYNOPSIS
++/*      include "pfixtls.h"
++/* DESCRIPTION
++/* .nf
++/*--*/
++
++#ifndef PFIXTLS_H_INCLUDED
++#define PFIXTLS_H_INCLUDED
++
++#if defined(HAS_SSL) && !defined(USE_SSL)
++#define USE_SSL
++#endif
++
++typedef struct {
++    int     peer_verified;
++    int     hostname_matched;
++    char   *peer_subject;
++    char   *peer_issuer;
++    char   *peer_fingerprint;
++    char   *peer_CN;
++    char   *issuer_CN;
++    const char *protocol;
++    const char *cipher_name;
++    int     cipher_usebits;
++    int     cipher_algbits;
++} tls_info_t;
++
++extern const tls_info_t tls_info_zero;
++
++#ifdef USE_SSL
++
++typedef struct {
++    long scache_db_version;
++    long openssl_version;
++    time_t timestamp;		/* We could add other info here... */
++    int enforce_peername;
++} pfixtls_scache_info_t;
++
++extern const long scache_db_version;
++extern const long openssl_version;
++
++int     pfixtls_timed_read(int fd, void *buf, unsigned len, int timout,
++			   void *unused_timeout);
++int     pfixtls_timed_write(int fd, void *buf, unsigned len, int timeout,
++			    void *unused_timeout);
++
++extern int pfixtls_serverengine;
++int     pfixtls_init_serverengine(int verifydepth, int askcert);
++int     pfixtls_start_servertls(VSTREAM *stream, int timeout,
++				const char *peername, const char *peeraddr,
++				tls_info_t *tls_info, int require_cert);
++int     pfixtls_stop_servertls(VSTREAM *stream, int timeout, int failure,
++			       tls_info_t *tls_info);
++
++extern int pfixtls_clientengine;
++int     pfixtls_init_clientengine(int verifydepth);
++int     pfixtls_start_clienttls(VSTREAM *stream, int timeout,
++				int enforce_peername,
++				const char *peername,
++				tls_info_t *tls_info);
++int     pfixtls_stop_clienttls(VSTREAM *stream, int timeout, int failure,
++			       tls_info_t *tls_info);
++
++#endif /* PFIXTLS_H_INCLUDED */
++#endif
++
++/* LICENSE
++/* .ad
++/* .fi
++/* AUTHOR(S)
++/*	Lutz Jaenicke
++/*	BTU Cottbus
++/*	Allgemeine Elektrotechnik
++/*	Universitaetsplatz 3-4
++/*	D-03044 Cottbus, Germany
++/*--*/
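Review bot: the two `#endif` comments at the end of pfixtls.h are swapped: the first `#endif` closes `#ifdef USE_SSL` but is labelled `/* PFIXTLS_H_INCLUDED */`, and the include guard is closed by the unlabelled one; relabel them, since the guard comment is what readers use to check nesting. Minor: `int timout` in the pfixtls_timed_read() prototype is a typo of `timeout`, and the header uses VSTREAM in its prototypes without including <vstream.h>, so it only compiles when the includer has pulled that in first.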
+diff -urNad postfix-release/src/global/resolve_local.c /tmp/dpep.cXJuVH/postfix-release/src/global/resolve_local.c
+--- postfix-release/src/global/resolve_local.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/resolve_local.c	2005-02-03 10:22:13.060096687 -0700
+@@ -43,6 +43,7 @@
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
+ #include <string.h>
++#include <netdb.h>
+ 
+ #ifndef INADDR_NONE
+ #define INADDR_NONE 0xffffffff
+@@ -80,7 +81,12 @@
+ {
+     char   *saved_addr = mystrdup(addr);
+     char   *dest;
++#ifdef INET6
++    struct addrinfo hints, *res, *res0;
++    int error;
++#else
+     struct in_addr ipaddr;
++#endif
+     int     len;
+ 
+ #define RETURN(x) { myfree(saved_addr); return(x); }
+@@ -118,9 +124,28 @@
+     if (*dest == '[' && dest[len - 1] == ']') {
+ 	dest++;
+ 	dest[len -= 2] = 0;
++#ifdef INET6
++ 	memset(&hints, 0, sizeof(hints));
++ 	hints.ai_family = PF_UNSPEC;
++ 	hints.ai_socktype = SOCK_DGRAM;
++	hints.ai_flags = AI_NUMERICHOST;
++ 	error = getaddrinfo(dest, NULL, &hints, &res0);
++ 	if (!error) {
++ 	    for (res = res0; res; res = res->ai_next) {
++ 		if (own_inet_addr(res->ai_addr) ||
++			(res->ai_family == AF_INET &&
++			proxy_inet_addr((struct in_addr *)&res->ai_addr))) {
++ 		    freeaddrinfo(res0);
++ 		    RETURN(1);
++ 		}
++ 	    }
++ 	    freeaddrinfo(res0);
++ 	}
++#else
+ 	if ((ipaddr.s_addr = inet_addr(dest)) != INADDR_NONE
+ 	    && (own_inet_addr(&ipaddr) || proxy_inet_addr(&ipaddr)))
+ 	    RETURN(1);
++#endif
+     }
+ 
+     /*
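Review bot: `proxy_inet_addr((struct in_addr *)&res->ai_addr)` in the INET6 branch passes the address of the `ai_addr` pointer itself, not the IPv4 address inside the sockaddr, so proxy_interfaces matching compares against pointer bytes and will never match a real proxy address (or may match spuriously). It should be `&((struct sockaddr_in *)res->ai_addr)->sin_addr`, which is what the `res->ai_family == AF_INET` guard already intends. The new lines are also indented with a space-plus-tab mix that differs from the surrounding code.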
+diff -urNad postfix-release/src/global/wildcard_inet_addr.c /tmp/dpep.cXJuVH/postfix-release/src/global/wildcard_inet_addr.c
+--- postfix-release/src/global/wildcard_inet_addr.c	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/wildcard_inet_addr.c	2005-02-03 10:22:13.060096687 -0700
+@@ -0,0 +1,81 @@
++/* System library. */
++
++#include <sys_defs.h>
++#include <netinet/in.h>
++#include <arpa/inet.h>
++#include <string.h>
++#ifdef INET6
++#include <sys/socket.h>
++#endif
++#include <netdb.h>
++
++#ifdef STRCASECMP_IN_STRINGS_H
++#include <strings.h>
++#endif
++
++/* Utility library. */
++
++#include <msg.h>
++#include <mymalloc.h>
++#include <inet_addr_list.h>
++#include <inet_addr_local.h>
++#include <inet_addr_host.h>
++#include <stringops.h>
++
++/* Global library. */
++
++#include <mail_params.h>
++#include <wildcard_inet_addr.h>
++
++/* Application-specific. */
++static INET_ADDR_LIST addr_list;
++
++/* wildcard_inet_addr_init - initialize my own address list */
++
++static void wildcard_inet_addr_init(INET_ADDR_LIST *addr_list, int addr_family)
++{
++#ifdef INET6
++    struct addrinfo hints, *res, *res0;
++    char hbuf[NI_MAXHOST];
++    int error;
++    const int niflags = NI_NUMERICHOST | NI_WITHSCOPEID;
++
++    inet_addr_list_init(addr_list);
++
++    memset(&hints, 0, sizeof(hints));
++    hints.ai_family = PF_UNSPEC;
++    hints.ai_socktype = SOCK_STREAM;
++    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
++    error = getaddrinfo(NULL, "0", &hints, &res0);
++    if (error)
++	msg_fatal("could not get list of wildcard addresses");
++    for (res = res0; res; res = res->ai_next) {
++	if (addr_family > 0 && res->ai_family != addr_family)
++	    continue;
++	if (addr_family <= 0 && res->ai_family != AF_INET 
++	    && res->ai_family != AF_INET6)
++	    continue;
++	if (getnameinfo(res->ai_addr, res->ai_addrlen, hbuf, sizeof(hbuf),
++	    NULL, 0, niflags) != 0)
++	    continue;
++	if (inet_addr_host(addr_list, hbuf) == 0)
++	    continue; /* msg_fatal("config variable %s: host not found: %s",
++		      VAR_INET_INTERFACES, hbuf); */
++    }
++    freeaddrinfo(res0);
++#else
++    if (inet_addr_host(addr_list, "0.0.0.0") == 0)
++	msg_fatal("config variable %s: host not found: %s",
++		  VAR_INET_INTERFACES, "0.0.0.0");
++#endif
++}
++
++/* wildcard_inet_addr_list - return list of addresses */
++
++INET_ADDR_LIST *wildcard_inet_addr_list(int addr_family)
++{
++    if (addr_list.used == 0)
++	wildcard_inet_addr_init(&addr_list, addr_family);
++
++    return (&addr_list);
++}
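Review bot: the cache check in wildcard_inet_addr_list() ignores `addr_family`: the static list is filled on the first call with whatever family was requested then, and every later call with a different family returns that same list. If that is intended, document it; otherwise key the cache on the family. Two more points in wildcard_inet_addr_init(): the parameter `addr_list` shadows the file-scope static of the same name, and the commented-out msg_fatal() after inet_addr_host() means a lookup failure is silently dropped, so the list can end up empty and `used == 0` then makes every subsequent call re-run the initialisation. Restore at least a msg_warn() there, or record separately that initialisation has run.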
+diff -urNad postfix-release/src/global/wildcard_inet_addr.h /tmp/dpep.cXJuVH/postfix-release/src/global/wildcard_inet_addr.h
+--- postfix-release/src/global/wildcard_inet_addr.h	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/global/wildcard_inet_addr.h	2005-02-03 10:22:13.061096464 -0700
+@@ -0,0 +1,36 @@
++#ifndef _WILDCARD_INET_ADDR_H_INCLUDED_
++#define _WILDCARD_INET_ADDR_H_INCLUDED_
++
++/*++
++/* NAME
++/*	wildcard_inet_addr_list 3h
++/* SUMMARY
++/*	grab the list of wildcard IP addresses.
++/* SYNOPSIS
++/*	#include <own_inet_addr.h>
++/* DESCRIPTION
++/* .nf
++/*--*/
++
++ /*
++  * System library.
++  */
++#include <netinet/in.h>
++#ifdef INET6
++#include <sys/socket.h>
++#endif
++
++ /*
++  * External interface.
++  */
++extern struct INET_ADDR_LIST *wildcard_inet_addr_list(int);
++
++/* LICENSE
++/* .ad
++/* .fi
++/*	foo
++/* AUTHOR(S)
++/*	Jun-ichiro itojun Hagino
++/*--*/
++
++#endif
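Review bot: the LICENSE block contains the placeholder text `foo`, and the SYNOPSIS says `#include <own_inet_addr.h>` where it should name this header, <wildcard_inet_addr.h>. The NAME line also reads `wildcard_inet_addr_list` while the file is wildcard_inet_addr.h; match NAME to the file as the other 3h headers do.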
+diff -urNad postfix-release/src/lmtp/lmtp_addr.c /tmp/dpep.cXJuVH/postfix-release/src/lmtp/lmtp_addr.c
+--- postfix-release/src/lmtp/lmtp_addr.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/lmtp/lmtp_addr.c	2005-02-03 10:22:13.061096464 -0700
+@@ -166,7 +166,11 @@
+     /*
+      * Append the addresses for this host to the address list.
+      */
++#ifdef INET6
++    switch (dns_lookup_types(host, RES_DEFNAMES, &addr, (VSTRING *) 0, why, T_AAAA, T_A, NULL)) {
++#else
+     switch (dns_lookup(host, T_A, RES_DEFNAMES, &addr, (VSTRING *) 0, why)) {
++#endif
+     case DNS_OK:
+ 	for (rr = addr; rr; rr = rr->next)
+ 	    rr->pref = pref;
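Review bot: the variadic call `dns_lookup_types(..., T_AAAA, T_A, NULL)` terminates the type list with NULL, a pointer constant; if dns_lookup_types() reads the list with va_arg(ap, int), passing a pointer-sized NULL is undefined behaviour and fails on LP64 big-endian targets. Use an integer sentinel such as `0` (or whatever dns_lookup_types() documents). The line is also far beyond the surrounding 80-column width; wrap it like the dns_lookup() call below it.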
+diff -urNad postfix-release/src/lmtp/lmtp.c /tmp/dpep.cXJuVH/postfix-release/src/lmtp/lmtp.c
+--- postfix-release/src/lmtp/lmtp.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/lmtp/lmtp.c	2005-02-03 10:22:13.061096464 -0700
+@@ -163,6 +163,12 @@
+ /* .IP "\fBlmtp_quit_timeout (300s)\fR"
+ /*	The LMTP client time limit for sending the QUIT command, and for
+ /*	receiving the server response.
++/* .IP "\fBlmtp_bind_address ()\fR"
++/*	Numerical source network address (IPv4) to bind to when making
++/*	a connection.
++/* .IP "\fBlmtp_bind_address6 ()\fR"
++/*	Numerical source network address (IPv6) to bind to when making
++/*	a connection.
+ /* MISCELLANEOUS CONTROLS
+ /* .ad
+ /* .fi
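Review bot: the lmtp_bind_address6 description should state that the value must be written in brackets, `[addr]`, because the lmtp_connect.c change in this patch only accepts a bracketed value and otherwise logs "skip incorrectly bracketed IPv6 address" and binds nothing. Without that sentence an admin who sets a bare IPv6 address gets a silent fallback to the virtual-host bind.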
+@@ -293,6 +299,8 @@
+ char   *var_lmtp_sasl_passwd;
+ bool    var_lmtp_sasl_enable;
+ bool    var_lmtp_send_xforward;
++char   *var_lmtp_bind_addr;
++char   *var_lmtp_bind_addr6;
+ 
+  /*
+   * Global variables.
+@@ -554,6 +562,8 @@
+ 	VAR_ERROR_RCPT, DEF_ERROR_RCPT, &var_error_rcpt, 1, 0,
+ 	VAR_LMTP_SASL_PASSWD, DEF_LMTP_SASL_PASSWD, &var_lmtp_sasl_passwd, 0, 0,
+ 	VAR_LMTP_SASL_OPTS, DEF_LMTP_SASL_OPTS, &var_lmtp_sasl_opts, 0, 0,
++	VAR_LMTP_BIND_ADDR, DEF_LMTP_BIND_ADDR, &var_lmtp_bind_addr, 0, 0,
++	VAR_LMTP_BIND_ADDR6, DEF_LMTP_BIND_ADDR6, &var_lmtp_bind_addr6, 0, 0,
+ 	0,
+     };
+     static CONFIG_INT_TABLE int_table[] = {
+diff -urNad postfix-release/src/lmtp/lmtp_connect.c /tmp/dpep.cXJuVH/postfix-release/src/lmtp/lmtp_connect.c
+--- postfix-release/src/lmtp/lmtp_connect.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/lmtp/lmtp_connect.c	2005-02-03 10:22:13.062096241 -0700
+@@ -94,16 +94,23 @@
+ #include <stringops.h>
+ #include <host_port.h>
+ #include <sane_connect.h>
++#include <inet_addr_list.h>
+ 
+ /* Global library. */
+ 
+ #include <mail_params.h>
+ #include <mail_proto.h>
++#include <own_inet_addr.h>
+ 
+ /* DNS library. */
+ 
+ #include <dns.h>
+ 
++#ifdef INET6
++#define GAI_STRERROR(error) \
++	((error == EAI_SYSTEM) ? strerror(errno) : gai_strerror(error))
++#endif
++	
+ /* Application-specific. */
+ 
+ #include "lmtp.h"
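Review bot: the line after the GAI_STRERROR block consists only of a tab; drop it. Note that this definition, `(error == EAI_SYSTEM) ? strerror(errno) : gai_strerror(error)`, is the correct one; the copy added to qmqpd_peer.c later in this patch differs from it and should be made identical, ideally by defining the macro once in a shared header.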
+@@ -162,19 +169,221 @@
+ 			      addr, addr, destination, why));
+ }
+ 
++/* lmtp_force_bind: bind() address */
++
++static void lmtp_force_bind(const char *bind_addr,
++			    const char *bind_var,
++			    int sock,
++			    int af)
++{
++    /*
++     * If the bind() call fails, this is considered a non-fatal error.
++     * All address conversion errors are fatal.
++     */
++    char   *myname = "lmtp_force_bind";
++#ifdef INET6
++    char    hbuf[NI_MAXHOST];
++    int     aierr;
++    struct addrinfo hints, *res;
++
++    memset(&hints, 0, sizeof(hints));
++    hints.ai_family = af;
++    hints.ai_socktype = SOCK_STREAM;
++    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
++    snprintf(hbuf, sizeof(hbuf), "%s", bind_addr);
++    aierr = getaddrinfo(hbuf, NULL, &hints, &res);
++    if (aierr == EAI_NONAME)
++	msg_fatal("%s: bad %s parameter: \"%s\"",
++		  myname, bind_var, bind_addr);
++    if (aierr != 0) {
++	if (msg_verbose)
++	    msg_warn("%s: getaddrinfo(%s): %s",
++		     myname, hbuf, GAI_STRERROR(aierr));
++	return;
++    }
++    aierr = getnameinfo(res->ai_addr, res->ai_addrlen, hbuf, sizeof(hbuf),
++			NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID);
++    if (aierr != 0) {
++	msg_warn("%s: getnameinfo(): %s",
++		 myname, GAI_STRERROR(aierr));
++	freeaddrinfo(res);
++	return;
++    }
++    if (bind(sock, res->ai_addr, res->ai_addrlen) < 0)
++	msg_warn("%s: bind %s: %m", myname, hbuf);
++    else if (msg_verbose)
++	msg_info("%s: bind %s", myname, hbuf);
++    freeaddrinfo(res);
++#else /* INET6 */
++    struct sockaddr_in sin;
++
++    memset(&sin, 0, sizeof(sin));
++    sin.sin_family = AF_INET;
++#ifdef HAS_SA_LEN
++    sin.sin_len = sizeof(sin);
++#endif
++    sin.sin_addr.s_addr = inet_addr(bind_addr);
++    if (sin.sin_addr.s_addr == INADDR_NONE) {
++	msg_fatal("%s: bad %s parameter: \"%s\"",
++		  myname, bind_var, bind_addr);
++	return;
++    }
++    if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
++	msg_warn("%s: bind %s: %m", myname, inet_ntoa(sin.sin_addr));
++    else if (msg_verbose)
++	msg_info("%s: bind %s", myname, inet_ntoa(sin.sin_addr));
++#endif /* INET6 */
++}
++
++/* lmtp_virtual_bind - bind() when acting as virtual host */
++
++static void lmtp_virtual_bind(int sock, int af)
++{
++    char    *myname = "lmtp_virtual_bind";
++    INET_ADDR_LIST *addr_list;
++    int     count;
++
++#ifdef INET6
++    int     i;
++    char    hbuf[NI_MAXHOST];
++    int     aierr;
++    struct sockaddr *sa;
++    struct addrinfo hints, *loopback = NULL, *res = NULL;
++
++    /*
++     * Check whether we are acting as a virtual host
++     */
++    count = 0;
++    addr_list = own_inet_addr_list();
++    for (i = 0; count < 2 && i < addr_list->used; i++)
++	if (((struct sockaddr *)&addr_list->addrs[i])->sa_family == af)
++	    count++;
++    if (count != 1)
++	return;
++
++    /*
++     * Bind the source address.
++     */
++    memset(&hints, 0, sizeof(hints));
++    hints.ai_family = af;
++    hints.ai_socktype = SOCK_STREAM;
++    aierr = getaddrinfo(NULL, "0", &hints, &loopback);
++    if (aierr != 0) {
++	loopback = NULL;
++	msg_warn("%s: getaddrinfo(\"0\"): %s",
++		 myname, GAI_STRERROR(aierr));
++    }
++
++    sa = (struct sockaddr *)&addr_list->addrs[i - 1];
++    aierr = getnameinfo(sa, SA_LEN(sa), hbuf, sizeof(hbuf),
++			NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID);
++    if (aierr != 0)
++	msg_fatal("%s: getnameinfo() (AF=%d): %s",
++		  myname, af, GAI_STRERROR(aierr));
++
++    memset(&hints, 0, sizeof(hints));
++    hints.ai_family = af;
++    hints.ai_socktype = SOCK_STREAM;
++    hints.ai_flags = AI_NUMERICHOST | AI_PASSIVE;
++    aierr = getaddrinfo(hbuf, NULL, &hints, &res);
++    if (aierr != 0)
++	msg_fatal("%s: getaddrinfo(\"%s\"): %s",
++		  myname, hbuf, GAI_STRERROR(aierr));
++
++    if (res->ai_addrlen != loopback->ai_addrlen
++	|| memcmp(res->ai_addr, loopback->ai_addr, res->ai_addrlen) != 0) {
++	if (bind(sock, res->ai_addr, res->ai_addrlen) < 0)
++	    msg_warn("%s: bind %s: %m", myname, hbuf);
++	else if (msg_verbose)
++	    msg_info("%s: bind %s", myname, hbuf);
++    } else if (msg_verbose) {
++	msg_info("%s: not calling bind(): unusable source "
++		 "address from \"%s\"", myname, hbuf);
++    }
++    if (res)
++	freeaddrinfo(res);
++    if (loopback)
++	freeaddrinfo(loopback);
++
++#else /* INET6 */
++
++    struct sockaddr_in sin;
++    unsigned long inaddr;	/*XXX BAD!*/
++
++    /*
++     * Check whether we are acting as a virtual host
++     */
++    addr_list = own_inet_addr_list();
++    count = addr_list->used;
++    if (count != 1)
++	return;
++
++    /*
++     * Bind the source address.
++     */
++    memset(&sin, 0, sizeof(sin));
++    sin.sin_family = AF_INET;
++#ifdef HAS_SA_LEN
++    sin.sin_len = sizeof(sin);
++#endif
++    memcpy((char *) &sin.sin_addr, addr_list->addrs, sizeof(sin.sin_addr));
++    inaddr = (unsigned long)ntohl(sin.sin_addr.s_addr);
++    if (!IN_CLASSA(inaddr)
++	|| !(((inaddr & IN_CLASSA_NET) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)) {
++	if (bind(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0)
++	    msg_warn("%s: bind %s: %m", myname, inet_ntoa(sin.sin_addr));
++	else if (msg_verbose)
++	    msg_info("%s: bind %s", myname, inet_ntoa(sin.sin_addr));
++    }
++#endif /* INET6 */
++}
++
+ /* lmtp_connect_addr - connect to explicit address */
+ 
+ static LMTP_SESSION *lmtp_connect_addr(DNS_RR *addr, unsigned port,
+ 			              const char *destination, VSTRING *why)
+ {
+     char   *myname = "lmtp_connect_addr";
+-    struct sockaddr_in sin;
+-    int     sock;
++#ifdef INET6
++    struct sockaddr_storage ss;
++#else
++    struct sockaddr ss;
++#endif
++    struct sockaddr *sa;
++    struct sockaddr_in *sin;
++#ifdef INET6
++    struct sockaddr_in6 *sin6;
++#endif
++    SOCKADDR_SIZE salen;
++#ifdef INET6
++    char hbuf[NI_MAXHOST];
++#else
++    char hbuf[sizeof("255.255.255.255") + 1];
++#endif
++    int     sock = -1;
++    INET_ADDR_LIST *addr_list;
++    char    *bind_addr;
++    char    *bind_var;
++#ifdef INET6
++    char    *addr6_ptr = NULL;
++#endif
++
++    sa = (struct sockaddr *)&ss;
++    sin = (struct sockaddr_in *)&ss;
++#ifdef INET6
++    sin6 = (struct sockaddr_in6 *)&ss;
++#endif
+ 
+     /*
+      * Sanity checks.
+      */
+-    if (addr->data_len > sizeof(sin.sin_addr)) {
++#ifdef INET6
++    if (((addr->type==T_A) && (addr->data_len > sizeof(sin->sin_addr))) ||
++	((addr->type==T_AAAA) && (addr->data_len > sizeof(sin6->sin6_addr))))
++#else
++    if (addr->data_len > sizeof(sin->sin_addr))
++#endif
++    {
+ 	msg_warn("%s: skip address with length %d", myname, addr->data_len);
+ 	lmtp_errno = LMTP_RETRY;
+ 	return (0);
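Review bot: lmtp_virtual_bind() has two defects in the INET6 branch. First, `sa = (struct sockaddr *)&addr_list->addrs[i - 1]` assumes the loop stopped right after the matching address, but the loop only stops early when `count` reaches 2; with exactly one address of family `af` it runs to the end, so `i - 1` is the last entry in the list, which may belong to the other family. Record the matching index inside the loop instead. Second, when `getaddrinfo(NULL, "0", ...)` fails the code sets `loopback = NULL` and only warns, then dereferences `loopback->ai_addrlen` a few lines later; return or skip the comparison in that case. Also, lmtp_force_bind() treats a bind() failure as non-fatal with a warning, so a mistyped lmtp_bind_address makes outgoing LMTP silently use the default source address; consider msg_fatal() there, matching how the address conversion errors are handled.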
+@@ -183,25 +392,93 @@
+     /*
+      * Initialize.
+      */
+-    memset((char *) &sin, 0, sizeof(sin));
+-    sin.sin_family = AF_INET;
++    switch (addr->type) {
++#ifdef INET6
++    case T_AAAA:
++	bind_addr = "";
++	bind_var = VAR_LMTP_BIND_ADDR6;
++	if (*var_lmtp_bind_addr6) {
++	    addr6_ptr = mystrdup(var_lmtp_bind_addr6);
++	    if (*addr6_ptr == '[' && addr6_ptr[strlen(addr6_ptr) - 1] == ']') {
++		addr6_ptr[strlen(addr6_ptr) - 1] = 0;
++		bind_addr = addr6_ptr + 1;
++	    } else {
++		msg_warn("%s: skip incorrectly bracketed IPv6 address in %s",
++		    myname, VAR_LMTP_BIND_ADDR6);
++	    }
++	}
++	memset(sin6, 0, sizeof(*sin6));
++	sin6->sin6_family = AF_INET6;
++	salen = sizeof(*sin6);
++	break;
++#endif
++    default: /* T_A: */
++	bind_addr = var_lmtp_bind_addr;
++	bind_var = VAR_SMTP_BIND_ADDR;
++	memset(sin, 0, sizeof(*sin));
++	sin->sin_family = AF_INET;
++	salen = sizeof(*sin);
++	break;
++    };
++#ifdef HAS_SALEN
++    sa->sa_len = salen;
++#endif
+ 
+-    if ((sock = socket(sin.sin_family, SOCK_STREAM, 0)) < 0)
++    if ((sock = socket(sa->sa_family, SOCK_STREAM, 0)) < 0)
+ 	msg_fatal("%s: socket: %m", myname);
+ 
+     /*
++     * Allow the sysadmin to specify the source address
++     */
++
++    if (bind_addr && *bind_addr) {
++	lmtp_force_bind(bind_addr, bind_var, sock, sa->sa_family);
++#ifdef INET6
++	if (addr6_ptr)
++	    myfree(addr6_ptr);
++#endif
++    } else {
++	/*
++	 * When running as a virtual host, bind to the virtual interface so that
++	 * the mail appears to come from the "right" machine address.
++	 */
++	lmtp_virtual_bind(sock, sa->sa_family);
++    }
++
++    /*
+      * Connect to the LMTP server.
+      */
+-    sin.sin_port = port;
+-    memcpy((char *) &sin.sin_addr, addr->data, sizeof(sin.sin_addr));
++    switch (addr->type) {
++#ifdef INET6
++    case T_AAAA:
++	/* XXX scope-unfriendly */
++	memset(sin6, 0, sizeof(*sin6));
++	sin6->sin6_port = port;
++	sin6->sin6_family = AF_INET6;
++	salen = sizeof(*sin6);
++	memcpy(&sin6->sin6_addr, addr->data, sizeof(sin6->sin6_addr));
++	inet_ntop(AF_INET6, &sin6->sin6_addr, hbuf, sizeof(hbuf));
++	break;
++#endif
++    default: /* T_A: */
++	memset(sin, 0, sizeof(*sin));
++	sin->sin_port = port;
++	sin->sin_family = AF_INET;
++	salen = sizeof(*sin);
++	memcpy(&sin->sin_addr, addr->data, sizeof(sin->sin_addr));
++	inet_ntop(AF_INET, &sin->sin_addr, hbuf, sizeof(hbuf));
++	break;
++    }
++#ifdef HAS_SA_LEN
++    sa->sa_len = salen;
++#endif
+ 
+     if (msg_verbose)
+ 	msg_info("%s: trying: %s[%s] port %d...",
+-		 myname, addr->name, inet_ntoa(sin.sin_addr), ntohs(port));
++		 myname, addr->name, hbuf, ntohs(port));
+ 
+-    return (lmtp_connect_sock(sock, (struct sockaddr *) & sin, sizeof(sin),
+-			      addr->name, inet_ntoa(sin.sin_addr),
+-			      destination, why));
++    return (lmtp_connect_sock(sock, (struct sockaddr *)sa, salen,
++			      addr->name, hbuf, destination, why));
+ }
+ 
+ /* lmtp_connect_sock - connect a socket over some transport */
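Review bot: in the `default: /* T_A: */` case `bind_var` is set to VAR_SMTP_BIND_ADDR while the value comes from var_lmtp_bind_addr, so the "bad %s parameter" fatal error would name the smtp parameter; it should be VAR_LMTP_BIND_ADDR. Two more: `#ifdef HAS_SALEN` after the first switch does not match the `HAS_SA_LEN` spelling used everywhere else in this patch, so that `sa_len` assignment is never compiled in, and `addr6_ptr` is only freed inside the `if (bind_addr && *bind_addr)` branch, so when the bracket check fails and `bind_addr` stays "", the mystrdup() copy leaks on every connection. Also drop the stray `;` after the closing brace of the first switch.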
+diff -urNad postfix-release/src/lmtp/lmtp_sasl_glue.c /tmp/dpep.cXJuVH/postfix-release/src/lmtp/lmtp_sasl_glue.c
+--- postfix-release/src/lmtp/lmtp_sasl_glue.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/lmtp/lmtp_sasl_glue.c	2005-02-03 10:22:13.062096241 -0700
+@@ -197,6 +197,16 @@
+     return (SASL_OK);
+ }
+ 
++static int lmtp_sasl_getpath(void * context, char ** path)
++{
++#if SASL_VERSION_MAJOR >= 2
++    *path = strdup("/etc/postfix/sasl:/usr/lib/sasl2");
++#else
++    *path = strdup("/etc/postfix/sasl:/usr/lib/sasl");
++#endif
++    return SASL_OK;
++}
++
+ /* lmtp_sasl_get_user - username lookup call-back routine */
+ 
+ static int lmtp_sasl_get_user(void *context, int unused_id, const char **result,
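Review bot: lmtp_sasl_getpath() does not check the strdup() result, so under memory pressure SASL receives a NULL path. More importantly, the plugin search path is hard-coded to /etc/postfix/sasl:/usr/lib/sasl2 (or .../sasl); this is the directory list from which libsasl loads shared objects into the LMTP client, so it should be documented in README.Debian and those directories must stay root-owned and not group- or world-writable. A main.cf parameter would be preferable to a compiled-in string.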
+@@ -298,6 +308,7 @@
+      */
+     static sasl_callback_t callbacks[] = {
+ 	{SASL_CB_LOG, &lmtp_sasl_log, 0},
++	{SASL_CB_GETPATH,&lmtp_sasl_getpath, 0},
+ 	{SASL_CB_LIST_END, 0, 0}
+     };
+ 
+diff -urNad postfix-release/src/master/master_ent.c /tmp/dpep.cXJuVH/postfix-release/src/master/master_ent.c
+--- postfix-release/src/master/master_ent.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/master/master_ent.c	2005-02-03 10:22:13.063096018 -0700
+@@ -86,6 +86,10 @@
+ #include <inet_addr_list.h>
+ #include <inet_util.h>
+ #include <inet_addr_host.h>
++#include <inet_interfaces_to_af.h>
++#ifdef INET6
++#include <wildcard_inet_addr.h>
++#endif
+ 
+ /* Global library. */
+ 
+@@ -235,6 +239,7 @@
+     char   *bufp;
+     char   *atmp;
+     static char *saved_interfaces = 0;
++    int     af;
+ 
+     if (master_fp == 0)
+ 	msg_panic("get_master_ent: config file not open");
+@@ -308,11 +313,12 @@
+ 			  VSTREAM_PATH(master_fp), master_line, host);
+ 	    inet_addr_list_uniq(MASTER_INET_ADDRLIST(serv));
+ 	    serv->listen_fd_count = MASTER_INET_ADDRLIST(serv)->used;
+-	} else if (strcasecmp(saved_interfaces, DEF_INET_INTERFACES) == 0) {
+-	    MASTER_INET_ADDRLIST(serv) = 0;	/* wild-card */
+-	    serv->listen_fd_count = 1;
+ 	} else {
+-	    MASTER_INET_ADDRLIST(serv) = own_inet_addr_list();	/* virtual */
++	    af = inet_interfaces_to_af(var_inet_interfaces);
++	    MASTER_INET_ADDRLIST(serv) =
++		strcasecmp(saved_interfaces, INET_INTERFACES_ALL) ?
++		own_inet_addr_list() :		/* virtual */
++		wildcard_inet_addr_list(af);	/* wild-card */
+ 	    inet_addr_list_uniq(MASTER_INET_ADDRLIST(serv));
+ 	    serv->listen_fd_count = MASTER_INET_ADDRLIST(serv)->used;
+ 	}
+diff -urNad postfix-release/src/master/master_listen.c /tmp/dpep.cXJuVH/postfix-release/src/master/master_listen.c
+--- postfix-release/src/master/master_listen.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/master/master_listen.c	2005-02-03 10:22:13.063096018 -0700
+@@ -64,13 +64,22 @@
+ 
+ #include "master.h"
+ 
++#ifdef INET6
++#include <netdb.h>
++#include <stdio.h>
++#endif 
++
+ /* master_listen_init - enable connection requests */
+ 
+ void    master_listen_init(MASTER_SERV *serv)
+ {
+     char   *myname = "master_listen_init";
+     char   *end_point;
+-    int     n;
++    int     n,m,tmpfd;
++#ifdef INET6
++    char hbuf[NI_MAXHOST];
++    SOCKADDR_SIZE salen;
++#endif
+ 
+     /*
+      * Find out what transport we should use, then create one or more
+@@ -111,18 +120,31 @@
+ 	    serv->listen_fd[0] =
+ 		inet_listen(MASTER_INET_PORT(serv),
+ 			    serv->max_proc > var_proc_limit ?
+-			    serv->max_proc : var_proc_limit, NON_BLOCKING);
++			    serv->max_proc : var_proc_limit, NON_BLOCKING, 1);
+ 	    close_on_exec(serv->listen_fd[0], CLOSE_ON_EXEC);
+ 	} else {				/* virtual or host:port */
+-	    for (n = 0; n < serv->listen_fd_count; n++) {
++	    for (m = n = 0; n < serv->listen_fd_count; n++) {
++#ifdef INET6
++		if (getnameinfo((struct sockaddr *)&MASTER_INET_ADDRLIST(serv)->addrs[n],
++			SA_LEN((struct sockaddr *)&MASTER_INET_ADDRLIST(serv)->addrs[n]), 
++			hbuf, sizeof(hbuf), NULL, 0, NI_NUMERICHOST)) {
++		    strncpy(hbuf, "?????", sizeof(hbuf));
++		}
++		end_point = concatenate(hbuf, ":", MASTER_INET_PORT(serv), (char *) 0);
++#else
+ 		end_point = concatenate(inet_ntoa(MASTER_INET_ADDRLIST(serv)->addrs[n]),
+ 				   ":", MASTER_INET_PORT(serv), (char *) 0);
+-		serv->listen_fd[n]
++#endif
++		tmpfd
+ 		    = inet_listen(end_point, serv->max_proc > var_proc_limit ?
+-			     serv->max_proc : var_proc_limit, NON_BLOCKING);
+-		close_on_exec(serv->listen_fd[n], CLOSE_ON_EXEC);
++			     serv->max_proc : var_proc_limit, NON_BLOCKING, 0);
++		if (tmpfd >= 0) {
++		    serv->listen_fd[m] = tmpfd;
++		    close_on_exec(serv->listen_fd[m++], CLOSE_ON_EXEC);
++		}
+ 		myfree(end_point);
+ 	    }
++	    serv->listen_fd_count=m;
+ 	}
+ 	break;
+     default:
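Review bot: a failed inet_listen() in the virtual/host:port loop is now skipped silently: `tmpfd < 0` just leaves that address out and `serv->listen_fd_count = m` shrinks the count, with no message at this level. A service then appears to start while listening on fewer addresses than configured, and if every bind fails `m` is 0 and the service listens nowhere. Add a msg_warn() naming `end_point` when `tmpfd < 0` and msg_fatal() when `m == 0`. If the tolerance exists because a wildcard list holding both :: and 0.0.0.0 makes the second bind fail on kernels where the IPv6 socket also accepts IPv4, say so in a comment. The new trailing argument to inet_listen() (`1` in the wild-card branch, `0` here) also deserves a comment saying what it switches, since its meaning is not visible at the call sites. Minor: `int n,m,tmpfd;` and `serv->listen_fd_count=m;` lack the spacing used elsewhere.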
+diff -urNad postfix-release/src/qmqpd/qmqpd_peer.c /tmp/dpep.cXJuVH/postfix-release/src/qmqpd/qmqpd_peer.c
+--- postfix-release/src/qmqpd/qmqpd_peer.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/qmqpd/qmqpd_peer.c	2005-02-03 10:22:13.064095795 -0700
+@@ -70,16 +70,23 @@
+     )
+ #endif
+ 
++#ifdef INET6
++#define GAI_STRERROR(error) \
++	((error = EAI_SYSTEM) ? gai_strerror(error) : strerror(errno))
++#endif
++
+ /* Utility library. */
+ 
+ #include <msg.h>
+ #include <mymalloc.h>
+ #include <valid_hostname.h>
+ #include <stringops.h>
++#ifdef INET6
++#include <inet_addr_list.h>	/* for NI_WITHSCOPEID */
++#endif
+ 
+ /* Global library. */
+ 
+-
+ /* Application-specific. */
+ 
+ #include "qmqpd.h"
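Review bot: the GAI_STRERROR macro here is wrong on two counts compared with the lmtp_connect.c copy earlier in this patch: `(error = EAI_SYSTEM)` is an assignment, not a comparison, so it is always true and clobbers `error`, and the branches are reversed, so every getaddrinfo/getnameinfo failure is reported as the text for EAI_SYSTEM and the real reason (errno or the gai error) is lost. It should read `((error == EAI_SYSTEM) ? strerror(errno) : gai_strerror(error))`; better, define it once in a shared header.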
+@@ -88,16 +95,24 @@
+ 
+ void    qmqpd_peer_init(QMQPD_STATE *state)
+ {
+-    struct sockaddr_in sin;
+-    SOCKADDR_SIZE len = sizeof(sin);
++    char  *myname = "qmqpd_peer_init";
++#ifdef INET6
++    struct sockaddr_storage ss;
++#else
++    struct sockaddr ss;
++    struct in_addr *in;
+     struct hostent *hp;
+-    int     i;
++#endif
++    struct sockaddr *sa;
++    SOCKADDR_SIZE len;
++
++    sa = (struct sockaddr *)&ss;
++    len = sizeof(ss);
+ 
+     /*
+      * Look up the peer address information.
+      */
+-    if (getpeername(vstream_fileno(state->client),
+-		    (struct sockaddr *) & sin, &len) >= 0) {
++    if (getpeername(vstream_fileno(state->client), sa, &len) >= 0) {
+ 	errno = 0;
+     }
+ 
+@@ -112,16 +127,71 @@
+     /*
+      * Look up and "verify" the client hostname.
+      */
+-    else if (errno == 0 && sin.sin_family == AF_INET) {
+-	state->addr = mystrdup(inet_ntoa(sin.sin_addr));
+-	hp = gethostbyaddr((char *) &(sin.sin_addr),
+-			   sizeof(sin.sin_addr), AF_INET);
+-	if (hp == 0) {
++    else if (errno == 0 && (sa->sa_family == AF_INET
++#ifdef INET6
++			    || sa->sa_family == AF_INET6
++#endif
++             )) {
++#ifdef INET6
++	char hbuf[NI_MAXHOST];
++	char abuf[NI_MAXHOST];
++	char rabuf[NI_MAXHOST];
++	struct addrinfo hints, *res0 = NULL, *res;
++	char *colonp;
++#else
++	char abuf[sizeof("255.255.255.255") + 1];
++	char *hbuf;
++#endif
++	int error = -1;
++
++#ifdef INET6
++	error = getnameinfo(sa, len, abuf, sizeof(abuf), NULL, 0,
++			    NI_NUMERICHOST | NI_WITHSCOPEID);
++	if (error)
++	    msg_fatal("%s: numeric getnameinfo lookup for peer: error %s",
++		      myname, GAI_STRERROR(error));
++	/*
++	 * Convert IPv4-mapped IPv6 address to 'true' IPv4 address
++	 * early on. We have no need for the mapped form in logging
++	 * or access checks.
++	 */
++	if (sa->sa_family == AF_INET6
++	    && IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)sa)->sin6_addr)
++	    && (colonp = strrchr(abuf, ':')) != NULL) {
++	    if (msg_verbose > 1)
++		msg_info("%s: rewriting V4-mapped address \"%s\" to \"%s\"",
++			 myname, abuf, colonp + 1);
++	    state->addr = mystrdup(colonp + 1);
++	} else {
++	    state->addr = mystrdup(abuf);
++	}
++
++	error = getnameinfo(sa, len, hbuf, sizeof(hbuf), NULL, 0, NI_NAMEREQD);
++#else
++	in = &((struct sockaddr_in *)sa)->sin_addr;
++	inet_ntop(AF_INET, in, abuf, sizeof(abuf));
++	state->addr = mystrdup(abuf);
++	hbuf = NULL;
++	hp = gethostbyaddr((char *)in, sizeof(*in), AF_INET);
++	if (hp) {
++	    error = 0;
++	    hbuf = mystrdup(hp->h_name);
+ 	    state->name = mystrdup(CLIENT_ATTR_UNKNOWN);
+-	} else if (!valid_hostname(hp->h_name, DONT_GRIPE)) {
++	} else {
++	    error = 1;
++	}
++#endif
++	if (error) {
++	    state->name = mystrdup(CLIENT_ATTR_UNKNOWN);
++#ifdef INET6
++	    if (error != EAI_NONAME)
++		msg_warn("%s: getnameinfo(%s,,,,,,NI_NAMEREQD) error %s",
++			 myname, abuf, GAI_STRERROR(error));
++#endif
++	} else if (!valid_hostname(hbuf, DONT_GRIPE)) {
+ 	    state->name = mystrdup(CLIENT_ATTR_UNKNOWN);
+ 	} else {
+-	    state->name = mystrdup(hp->h_name);	/* hp->name is clobbered!! */
++	    state->name = mystrdup(hbuf);
+ 
+ 	    /*
+ 	     * Reject the hostname if it does not list the peer address.
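Review bot: in the non-INET6 path the context line `state->name = mystrdup(CLIENT_ATTR_UNKNOWN);` now sits inside `if (hp) { ... }`, so a successful reverse lookup first sets the name to unknown and the later `state->name = mystrdup(hbuf)` (or the valid_hostname() failure branch) overwrites it without freeing; that is a leak per connection and the assignment should be removed from that branch. The mystrdup()'d `hbuf` in the same path is never freed either. On the INET6 side, the V4-mapped rewrite relies on getnameinfo() rendering the address with a trailing dotted quad after the last ':'; document that assumption, since a hex rendering would leave a truncated string in state->addr.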
+@@ -131,16 +201,52 @@
+ 	state->name = mystrdup(CLIENT_ATTR_UNKNOWN); \
+     }
+ 
++#ifdef INET6
++	    memset(&hints, 0, sizeof(hints));
++	    hints.ai_family = AF_UNSPEC;
++	    hints.ai_socktype = SOCK_STREAM;
++	    error = getaddrinfo(state->name, NULL, &hints, &res0);
++	    if (error) {
++		msg_warn("%s: hostname %s verification failed: %s",
++		         state->addr, state->name, GAI_STRERROR(error));
++		REJECT_PEER_NAME(state);
++	    } else {
++		for (res = res0; res; res = res->ai_next) {
++		    if (res->ai_family != sa->sa_family)
++			continue;
++		    error = getnameinfo(res->ai_addr, res->ai_addrlen,
++			    rabuf, sizeof(rabuf), NULL, 0,
++			    NI_NUMERICHOST | NI_WITHSCOPEID);
++		    if (error) {
++			msg_warn("%s: %s: hostname %s verification failed: %s",
++				 myname, state->addr, state->name,
++				 GAI_STRERROR(error));
++			REJECT_PEER_NAME(state);
++			break;
++		    }
++		    if (strcmp(state->addr, rabuf) == 0)
++			break;	    /* keep peer name */
++		}
++		if (res == NULL) {
++		    msg_warn("%s: %s: address not listed for hostname %s",
++			     myname, state->addr, state->name);
++		    REJECT_PEER_NAME(state);
++		}
++	    }
++	    if (res0)
++		freeaddrinfo(res0);
++#else
+ 	    hp = gethostbyname(state->name);	/* clobbers hp->name!! */
+ 	    if (hp == 0) {
+ 		msg_warn("%s: hostname %s verification failed: %s",
+ 			 state->addr, state->name, HSTRERROR(h_errno));
+ 		REJECT_PEER_NAME(state);
+-	    } else if (hp->h_length != sizeof(sin.sin_addr)) {
++	    } else if (hp->h_length != sizeof(*in)) {
+ 		msg_warn("%s: hostname %s verification failed: bad address size %d",
+ 			 state->addr, state->name, hp->h_length);
+ 		REJECT_PEER_NAME(state);
+ 	    } else {
++		int i;
+ 		for (i = 0; /* void */ ; i++) {
+ 		    if (hp->h_addr_list[i] == 0) {
+ 			msg_warn("%s: address not listed for hostname %s",
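Review bot: the forward verification loop filters on `res->ai_family != sa->sa_family`, but for a V4-mapped IPv6 peer `state->addr` has already been rewritten to the plain IPv4 form in the previous hunk. The AF_INET results, the only ones whose getnameinfo() text can equal that rewritten address, are therefore skipped, and the AF_INET6 results never match it, so every V4-mapped client ends at "address not listed for hostname" and gets REJECT_PEER_NAME. Either remember that the peer was V4-mapped and accept AF_INET results in that case, or compare against the original `abuf`. Also, when the inner getnameinfo() fails the loop breaks with `res != NULL`, which correctly avoids the second warning, but a comment saying so would help the next reader.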
+@@ -148,12 +254,12 @@
+ 			REJECT_PEER_NAME(state);
+ 			break;
+ 		    }
+-		    if (memcmp(hp->h_addr_list[i],
+-			       (char *) &sin.sin_addr,
+-			       sizeof(sin.sin_addr)) == 0)
++		    if (memcmp(hp->h_addr_list[i], (char *)in,
++			       sizeof(*in)) == 0)
+ 			break;			/* keep peer name */
+ 		}
+ 	    }
++#endif
+ 	}
+     }
+ 
+diff -urNad postfix-release/src/smtp/Makefile.in /tmp/dpep.cXJuVH/postfix-release/src/smtp/Makefile.in
+--- postfix-release/src/smtp/Makefile.in	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/Makefile.in	2005-02-03 10:22:13.064095795 -0700
+@@ -77,6 +77,7 @@
+ smtp.o: ../../include/debug_peer.h
+ smtp.o: ../../include/flush_clnt.h
+ smtp.o: ../../include/mail_server.h
++smtp.o: ../../include/pfixtls.h
+ smtp.o: smtp.h
+ smtp.o: smtp_sasl.h
+ smtp_addr.o: smtp_addr.c
+@@ -96,6 +97,7 @@
+ smtp_addr.o: ../../include/argv.h
+ smtp_addr.o: ../../include/deliver_request.h
+ smtp_addr.o: ../../include/recipient_list.h
++smtp_addr.o: ../../include/pfixtls.h
+ smtp_addr.o: smtp_addr.h
+ smtp_chat.o: smtp_chat.c
+ smtp_chat.o: ../../include/sys_defs.h
+@@ -116,6 +118,7 @@
+ smtp_chat.o: ../../include/cleanup_user.h
+ smtp_chat.o: ../../include/mail_error.h
+ smtp_chat.o: ../../include/name_mask.h
++smtp_chat.o: ../../include/pfixtls.h
+ smtp_chat.o: smtp.h
+ smtp_connect.o: smtp_connect.c
+ smtp_connect.o: ../../include/sys_defs.h
+@@ -142,8 +145,12 @@
+ smtp_connect.o: ../../include/mail_error.h
+ smtp_connect.o: ../../include/name_mask.h
+ smtp_connect.o: ../../include/dns.h
++smtp_connect.o: ../../include/pfixtls.h
++smtp_connect.o: ../../include/get_port.h
+ smtp_connect.o: smtp.h
+ smtp_connect.o: ../../include/argv.h
++smtp_connect.o: ../../include/deliver_request.h
++smtp_connect.o: ../../include/recipient_list.h
+ smtp_connect.o: smtp_addr.h
+ smtp_proto.o: smtp_proto.c
+ smtp_proto.o: ../../include/sys_defs.h
+@@ -168,12 +175,14 @@
+ smtp_proto.o: ../../include/rec_type.h
+ smtp_proto.o: ../../include/off_cvt.h
+ smtp_proto.o: ../../include/mark_corrupt.h
++smtp_proto.o: ../../include/pfixtls.h
+ smtp_proto.o: ../../include/quote_821_local.h
+ smtp_proto.o: ../../include/quote_flags.h
+ smtp_proto.o: ../../include/mail_proto.h
+ smtp_proto.o: ../../include/attr.h
+ smtp_proto.o: ../../include/mime_state.h
+ smtp_proto.o: ../../include/header_opts.h
++smtp_proto.o: ../../include/pfixtls.h
+ smtp_proto.o: smtp.h
+ smtp_proto.o: ../../include/argv.h
+ smtp_proto.o: smtp_sasl.h
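Review bot: this hunk adds the `smtp_proto.o: ../../include/pfixtls.h` dependency twice (once before quote_821_local.h and once before smtp.h); drop one of the two lines.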
+@@ -231,9 +240,12 @@
+ smtp_session.o: ../../include/stringops.h
+ smtp_session.o: ../../include/vstring.h
+ smtp_session.o: smtp.h
++smtp_session.o: ../../include/mail_params.h
++smtp_session.o: ../../include/pfixtls.h
+ smtp_session.o: ../../include/argv.h
+ smtp_session.o: ../../include/deliver_request.h
+ smtp_session.o: ../../include/recipient_list.h
++smtp_session.o: ../../include/maps.h
+ smtp_state.o: smtp_state.c
+ smtp_state.o: ../../include/sys_defs.h
+ smtp_state.o: ../../include/mymalloc.h
+@@ -247,6 +259,7 @@
+ smtp_state.o: ../../include/argv.h
+ smtp_state.o: ../../include/deliver_request.h
+ smtp_state.o: ../../include/recipient_list.h
++smtp_state.o: ../../include/pfixtls.h
+ smtp_state.o: smtp_sasl.h
+ smtp_trouble.o: smtp_trouble.c
+ smtp_trouble.o: ../../include/sys_defs.h
+@@ -266,6 +279,7 @@
+ smtp_trouble.o: ../../include/name_mask.h
+ smtp_trouble.o: smtp.h
+ smtp_trouble.o: ../../include/argv.h
++smtp_trouble.o: ../../include/pfixtls.h
+ smtp_unalias.o: smtp_unalias.c
+ smtp_unalias.o: ../../include/sys_defs.h
+ smtp_unalias.o: ../../include/htable.h
+@@ -278,3 +292,4 @@
+ smtp_unalias.o: ../../include/argv.h
+ smtp_unalias.o: ../../include/deliver_request.h
+ smtp_unalias.o: ../../include/recipient_list.h
++smtp_unalias.o: ../../include/pfixtls.h
+diff -urNad postfix-release/src/smtp/smtp_addr.c /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_addr.c
+--- postfix-release/src/smtp/smtp_addr.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_addr.c	2005-02-03 10:22:13.065095572 -0700
+@@ -46,11 +46,11 @@
+ /*
+ /*	All routines either return a DNS_RR pointer, or return a null
+ /*	pointer and set the \fIsmtp_errno\fR global variable accordingly:
+-/* .IP SMTP_RETRY
++/* .IP SMTP_ERR_RETRY
+ /*	The request failed due to a soft error, and should be retried later.
+-/* .IP SMTP_FAIL
++/* .IP SMTP_ERR_FAIL
+ /*	The request attempt failed due to a hard error.
+-/* .IP SMTP_LOOP
++/* .IP SMTP_ERR_LOOP
+ /*	The local machine is the best mail exchanger.
+ /* .PP
+ /*	In addition, a textual description of the problem is made available
+@@ -132,18 +132,74 @@
+ static void smtp_print_addr(char *what, DNS_RR *addr_list)
+ {
+     DNS_RR *addr;
+-    struct in_addr in_addr;
++#ifdef INET6
++    struct sockaddr_storage ss;
++#else
++    struct sockaddr ss;
++#endif
++    struct sockaddr_in *sin;
++#ifdef INET6
++    struct sockaddr_in6 *sin6;
++    char   hbuf[NI_MAXHOST];
++#else
++    char   hbuf[sizeof("255.255.255.255") + 1];
++#endif
+ 
+     msg_info("begin %s address list", what);
+     for (addr = addr_list; addr; addr = addr->next) {
+-	if (addr->data_len > sizeof(addr)) {
+-	    msg_warn("skipping address length %d", addr->data_len);
+-	} else {
+-	    memcpy((char *) &in_addr, addr->data, sizeof(in_addr));
+-	    msg_info("pref %4d host %s/%s",
+-		     addr->pref, addr->name,
+-		     inet_ntoa(in_addr));
++	if (
++#ifdef INET6
++		addr->class && addr->class != C_IN
++#else
++		addr->class != C_IN
++#endif
++		) {
++	    msg_warn("skipping unsupported address (class=%u)", addr->class);
++	    continue;
+ 	}
++	switch (addr->type) {
++	case T_A:
++	    if (addr->data_len != sizeof(sin->sin_addr)) {
++		msg_warn("skipping invalid address (AAAA, len=%u)",
++		    addr->data_len);
++		continue;
++	    }
++	    sin = (struct sockaddr_in *)&ss;
++	    memset(sin, 0, sizeof(*sin));
++	    sin->sin_family = AF_INET;
++#ifdef HAS_SA_LEN
++	    sin->sin_len = sizeof(*sin);
++#endif
++	    memcpy(&sin->sin_addr, addr->data, sizeof(sin->sin_addr));
++	    break;
++#ifdef INET6
++	case T_AAAA:
++	    if (addr->data_len != sizeof(sin6->sin6_addr)) {
++		msg_warn("skipping invalid address (AAAA, len=%u)",
++		    addr->data_len);
++		continue;
++	    }
++	    sin6 = (struct sockaddr_in6 *)&ss;
++	    memset(sin6, 0, sizeof(*sin6));
++	    sin6->sin6_family = AF_INET6;
++#ifdef HAS_SA_LEN
++	    sin6->sin6_len = sizeof(*sin6);
++#endif
++	    memcpy(&sin6->sin6_addr, addr->data, sizeof(sin6->sin6_addr));
++	    break;
++#endif
++	default:
++	    msg_warn("skipping unsupported address (type=%u)", addr->type);
++	    continue;
++	}
++
++#ifdef INET6
++	(void)getnameinfo((struct sockaddr *)&ss, SS_LEN(ss),
++	    hbuf, sizeof(hbuf), NULL, 0, NI_NUMERICHOST);
++#else
++	(void)inet_ntop(AF_INET, &sin->sin_addr, hbuf, sizeof(hbuf));
++#endif
++	msg_info("pref %4d host %s/%s", addr->pref, addr->name, hbuf);
+     }
+     msg_info("end %s address list", what);
+ }
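Review bot: the warning in the `case T_A:` branch of smtp_print_addr() reads "skipping invalid address (AAAA, len=%u)", a copy of the T_AAAA message; it should say "(A, len=%u)" so that a truncated A record is not logged as an AAAA problem. Also note that under INET6 the class check accepts `addr->class == 0` (`addr->class && addr->class != C_IN`), apparently because the records synthesised from getaddrinfo() further down zero `fixed` and never set a class; a comment explaining that, or setting `fixed.class = C_IN` where those records are created, would make the exception less surprising.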
+@@ -153,15 +209,23 @@
+ static DNS_RR *smtp_addr_one(DNS_RR *addr_list, char *host, unsigned pref, VSTRING *why)
+ {
+     char   *myname = "smtp_addr_one";
++#ifndef INET6
+     struct in_addr inaddr;
+-    DNS_FIXED fixed;
+     DNS_RR *addr = 0;
+     DNS_RR *rr;
+     struct hostent *hp;
++#else
++    struct addrinfo hints, *res0, *res;
++    int error = -1;
++    char *addr;
++    size_t addrlen;
++#endif
++    DNS_FIXED fixed;
+ 
+     if (msg_verbose)
+ 	msg_info("%s: host %s", myname, host);
+ 
++#ifndef INET6
+     /*
+      * Interpret a numerical name as an address.
+      */
+@@ -228,6 +292,49 @@
+     /*
+      * No further alternatives for host lookup.
+      */
++#else
++    memset(&hints, 0, sizeof(hints));
++    hints.ai_family = PF_UNSPEC;
++    hints.ai_socktype = SOCK_STREAM;
++    error = getaddrinfo(host, NULL, &hints, &res0);
++    if (error) {
++	switch (error) {
++	case EAI_AGAIN:
++	    smtp_errno = SMTP_ERR_RETRY;
++	    break;
++	default:
++	    vstring_sprintf(why, "[%s]: %s", host,gai_strerror(error));
++	    if (smtp_errno != SMTP_ERR_RETRY)
++		smtp_errno = SMTP_ERR_FAIL;
++	    break;
++	}
++	return (addr_list);
++    }
++    for (res = res0; res; res = res->ai_next) {
++	memset((char *) &fixed, 0, sizeof(fixed));
++	switch (res->ai_family) {
++	case AF_INET6:
++	    /* XXX not scope friendly */
++	    fixed.type = T_AAAA;
++	    addr = (char *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
++	    addrlen = sizeof(struct in6_addr);
++	    break;
++	case AF_INET:
++	    fixed.type = T_A;
++	    addr = (char *)&((struct sockaddr_in *)res->ai_addr)->sin_addr;
++	    addrlen = sizeof(struct in_addr);
++	    break;
++	default:
++	    msg_warn("%s: unknown address family %d for %s",
++	        myname, res->ai_family, host);
++	    continue;
++	}
++	addr_list = dns_rr_append(addr_list,
++	    dns_rr_create(host, &fixed, pref, addr, addrlen));
++    }
++    if (res0)
++	freeaddrinfo(res0);
++#endif
+     return (addr_list);
+ }
+ 
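Review bot: in the getaddrinfo() error switch of the INET6 path, the `EAI_AGAIN` case sets smtp_errno but never writes `why`, so the caller reports a soft failure with whatever text `why` held before; set a message there as the default case does. In the default case, `gai_strerror(error)` will produce a generic text for EAI_SYSTEM instead of strerror(errno) (compare the GAI_STRERROR macro introduced in smtp_connect.c), and `host,gai_strerror(error)` is missing the space after the comma.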
+@@ -265,6 +372,9 @@
+     INET_ADDR_LIST *proxy;
+     DNS_RR *addr;
+     int     i;
++#ifdef INET6
++    struct sockaddr *sa;
++#endif
+ 
+ #define INADDRP(x) ((struct in_addr *) (x))
+ 
+@@ -272,27 +382,75 @@
+     proxy = proxy_inet_addr_list();
+ 
+     for (addr = addr_list; addr; addr = addr->next) {
+-
+ 	/*
+ 	 * Find out if this mail system is listening on this address.
+ 	 */
+-	for (i = 0; i < self->used; i++)
++	for (i = 0; i < self->used; i++) {
++#ifdef INET6
++	    sa = (struct sockaddr *)&self->addrs[i];
++	    switch(addr->type) {
++	    case T_AAAA:
++		/* XXX scope */
++		if (sa->sa_family != AF_INET6)
++		    break;
++		if (memcmp(&((struct sockaddr_in6 *)sa)->sin6_addr,
++			addr->data, sizeof(struct in6_addr)) == 0) {
++		    return(addr);
++		}
++		break;
++	    case T_A:
++		if (sa->sa_family != AF_INET)
++		    break;
++		if (memcmp(&((struct sockaddr_in *)sa)->sin_addr,
++			addr->data, sizeof(struct in_addr)) == 0) {
++		    return(addr);
++		}
++		break;
++	    }
++#else
+ 	    if (INADDRP(addr->data)->s_addr == self->addrs[i].s_addr) {
+ 		if (msg_verbose)
+ 		    msg_info("%s: found self at pref %d", myname, addr->pref);
+ 		return (addr);
+ 	    }
++#endif
++	}
++    }
+ 
++    for (addr = addr_list; addr; addr = addr->next) {
+ 	/*
+ 	 * Find out if this mail system has a proxy listening on this
+ 	 * address.
+ 	 */
+ 	for (i = 0; i < proxy->used; i++)
++#ifdef INET6
++	    sa = (struct sockaddr *)&proxy->addrs[i];
++	    switch(addr->type) {
++	    case T_AAAA:
++		/* XXX scope */
++		if (sa->sa_family != AF_INET6)
++		    break;
++		if (memcmp(&((struct sockaddr_in6 *)sa)->sin6_addr,
++			addr->data, sizeof(struct in6_addr)) == 0) {
++		    return(addr);
++		}
++		break;
++	    case T_A:
++		if (sa->sa_family != AF_INET)
++		    break;
++		if (memcmp(&((struct sockaddr_in *)sa)->sin_addr,
++			addr->data, sizeof(struct in_addr)) == 0) {
++		    return(addr);
++		}
++		break;
++	    }
++#else
+ 	    if (INADDRP(addr->data)->s_addr == proxy->addrs[i].s_addr) {
+ 		if (msg_verbose)
+ 		    msg_info("%s: found proxy at pref %d", myname, addr->pref);
+ 		return (addr);
+ 	    }
++#endif
+     }
+ 
+     /*
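Review bot: the proxy loop `for (i = 0; i < proxy->used; i++)` has no braces, unlike the self loop above, which this hunk changed to `for (...) {`; under INET6 the loop body is therefore only `sa = (struct sockaddr *)&proxy->addrs[i];` and the `switch` runs once after the loop, comparing against the last proxy address only (or against a stale `sa` from the self loop when `proxy->used == 0`). Wrap the loop body in braces exactly as done for the self loop. The INET6 branches also dropped the verbose "found self/proxy at pref" msg_info() calls that the non-INET6 code still emits; keeping them helps when debugging loop detection.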
+@@ -333,6 +491,29 @@
+     return (a->pref - b->pref);
+ }
+ 
++#ifdef INET6
++static int smtp_compare_pref_aaaa_first(DNS_RR *a, DNS_RR *b)
++{
++    if (a->pref != b->pref)
++	return (a->pref - b->pref);
++    if (a->type == T_AAAA)
++	return -1;
++    else if (b->type == T_AAAA)
++	return 1;
++    return 0;
++}
++
++static int smtp_compare_host_aaaa_first(DNS_RR *a, DNS_RR *b)
++{
++    if (a->type == b->type)
++	return 0;
++    if (a->type == T_AAAA)
++	return -1;
++    return 1;
++}
++
++#endif
++
+ /* smtp_domain_addr - mail exchanger address lookup */
+ 
+ DNS_RR *smtp_domain_addr(char *name, int misc_flags, VSTRING *why)
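Review bot: smtp_compare_pref_aaaa_first() is not a consistent comparator: when both records have equal preference and both are T_AAAA it returns -1 regardless of argument order, so compare(a, b) and compare(b, a) disagree, which a sort routine may not tolerate. Check `a->type == b->type` first and return 0 in that case, as smtp_compare_host_aaaa_first() already does.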
+@@ -440,7 +621,11 @@
+ 	}
+ 	if (addr_list && addr_list->next && var_smtp_rand_addr) {
+ 	    addr_list = dns_rr_shuffle(addr_list);
++#ifdef INET6
++	    addr_list = dns_rr_sort(addr_list, smtp_compare_pref_aaaa_first);
++#else
+ 	    addr_list = dns_rr_sort(addr_list, smtp_compare_pref);
++#endif
+ 	}
+ 	break;
+     case DNS_NOTFOUND:
+@@ -478,6 +663,10 @@
+     }
+     if (addr_list && addr_list->next && var_smtp_rand_addr)
+ 	addr_list = dns_rr_shuffle(addr_list);
++#ifdef INET6
++    if (addr_list && addr_list->next)
++	addr_list = dns_rr_sort(addr_list, smtp_compare_host_aaaa_first);
++#endif
+     if (msg_verbose)
+ 	smtp_print_addr(host, addr_list);
+     return (addr_list);
+diff -urNad postfix-release/src/smtp/smtp.c /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp.c
+--- postfix-release/src/smtp/smtp.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp.c	2005-02-03 10:22:13.065095572 -0700
+@@ -225,6 +225,9 @@
+ /* .IP "\fBsmtp_bind_address (empty)\fR"
+ /*	An optional numerical network address that the SMTP client should
+ /*	bind to when making a connection.
++/* .IP "\fBsmtp_bind_address6 (empty)\fR"
++/*	An optional numerical IPv6 network address that the SMTP client should
++/*	bind to when making a connection.
+ /* .IP "\fBsmtp_helo_name ($myhostname)\fR"
+ /*	The hostname to send in the SMTP EHLO or HELO command.
+ /* .IP "\fBsmtp_host_lookup (dns)\fR"
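Review bot: the documentation for smtp_bind_address6 should state that the value must be written in square brackets, e.g. "[2001:db8::1]" (constructed example), because smtp_connect_addr() in this patch only honours a bracketed value and otherwise logs "skip incorrectly bracketed IPv6 address" and falls back to the virtual-host bind.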
+@@ -284,6 +287,9 @@
+ #include <mail_conf.h>
+ #include <debug_peer.h>
+ #include <flush_clnt.h>
++#ifdef USE_TLS
++#include <pfixtls.h>
++#endif
+ 
+ /* Single server skeleton. */
+ 
+@@ -322,6 +328,7 @@
+ char   *var_smtp_sasl_passwd;
+ bool    var_smtp_sasl_enable;
+ char   *var_smtp_bind_addr;
++char   *var_smtp_bind_addr6;
+ bool    var_smtp_rand_addr;
+ int     var_smtp_pix_thresh;
+ int     var_smtp_pix_delay;
+@@ -333,6 +340,19 @@
+ bool    var_smtp_send_xforward;
+ int     var_smtp_mxaddr_limit;
+ int     var_smtp_mxsess_limit;
++#ifdef USE_TLS
++bool    var_smtp_use_tls;
++bool    var_smtp_enforce_tls;
++char   *var_smtp_tls_per_site;
++#ifdef USE_SSL
++int     var_smtp_starttls_tmout;
++char   *var_smtp_sasl_tls_opts;
++char   *var_smtp_sasl_tls_verified_opts;
++bool    var_smtp_tls_enforce_peername;
++int     var_smtp_tls_scert_vd;
++bool    var_smtp_tls_note_starttls_offer;
++#endif
++#endif
+ 
+  /*
+   * Global variables. smtp_errno is set by the address lookup routines and by
+@@ -453,6 +473,18 @@
+ 	msg_warn("%s is true, but SASL support is not compiled in",
+ 		 VAR_SMTP_SASL_ENABLE);
+ #endif
++#ifdef USE_TLS
++    /*
++     * Initialize the TLS data before entering the chroot jail
++     */
++    if (var_smtp_use_tls || var_smtp_enforce_tls || var_smtp_tls_per_site[0])
++#ifdef USE_SSL
++	pfixtls_init_clientengine(var_smtp_tls_scert_vd);
++#else
++	msg_warn("TLS has been selected, but TLS support is not compiled in");
++#endif
++    smtp_tls_list_init();
++#endif
+ 
+     /*
+      * Flush client.
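Review bot: when TLS is requested but not compiled in (the `#else` branch of `#ifdef USE_SSL`), the code only warns and then continues, which means a configuration with var_smtp_enforce_tls set will go on to deliver mail without the encryption the administrator required; for the enforce case a msg_fatal() is the safer choice, leaving the warning for the opportunistic var_smtp_use_tls case. The condition also dereferences var_smtp_tls_per_site[0], so this block must run only after the string table has been read (which is the case for a pre_init hook, but worth a comment).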
+@@ -493,9 +525,19 @@
+ 	VAR_ERROR_RCPT, DEF_ERROR_RCPT, &var_error_rcpt, 1, 0,
+ 	VAR_SMTP_SASL_PASSWD, DEF_SMTP_SASL_PASSWD, &var_smtp_sasl_passwd, 0, 0,
+ 	VAR_SMTP_SASL_OPTS, DEF_SMTP_SASL_OPTS, &var_smtp_sasl_opts, 0, 0,
++#ifdef USE_TLS
++#ifdef USE_SSL
++	VAR_SMTP_SASL_TLS_OPTS, DEF_SMTP_SASL_TLS_OPTS, &var_smtp_sasl_tls_opts, 0, 0,
++	VAR_SMTP_SASL_TLSV_OPTS, DEF_SMTP_SASL_TLSV_OPTS, &var_smtp_sasl_tls_verified_opts, 0, 0,
++#endif
++#endif
+ 	VAR_SMTP_BIND_ADDR, DEF_SMTP_BIND_ADDR, &var_smtp_bind_addr, 0, 0,
++	VAR_SMTP_BIND_ADDR6, DEF_SMTP_BIND_ADDR6, &var_smtp_bind_addr6, 0, 0,
+ 	VAR_SMTP_HELO_NAME, DEF_SMTP_HELO_NAME, &var_smtp_helo_name, 1, 0,
+ 	VAR_SMTP_HOST_LOOKUP, DEF_SMTP_HOST_LOOKUP, &var_smtp_host_lookup, 1, 0,
++#ifdef USE_TLS
++	VAR_SMTP_TLS_PER_SITE, DEF_SMTP_TLS_PER_SITE, &var_smtp_tls_per_site, 0, 0,
++#endif
+ 	0,
+     };
+     static CONFIG_TIME_TABLE time_table[] = {
+@@ -511,12 +553,22 @@
+ 	VAR_SMTP_QUIT_TMOUT, DEF_SMTP_QUIT_TMOUT, &var_smtp_quit_tmout, 1, 0,
+ 	VAR_SMTP_PIX_THRESH, DEF_SMTP_PIX_THRESH, &var_smtp_pix_thresh, 0, 0,
+ 	VAR_SMTP_PIX_DELAY, DEF_SMTP_PIX_DELAY, &var_smtp_pix_delay, 1, 0,
++#ifdef USE_TLS
++#ifdef USE_SSL
++	VAR_SMTP_STARTTLS_TMOUT, DEF_SMTP_STARTTLS_TMOUT, &var_smtp_starttls_tmout, 1, 0,
++#endif
++#endif
+ 	0,
+     };
+     static CONFIG_INT_TABLE int_table[] = {
+ 	VAR_SMTP_LINE_LIMIT, DEF_SMTP_LINE_LIMIT, &var_smtp_line_limit, 0, 0,
+ 	VAR_SMTP_MXADDR_LIMIT, DEF_SMTP_MXADDR_LIMIT, &var_smtp_mxaddr_limit, 0, 0,
+ 	VAR_SMTP_MXSESS_LIMIT, DEF_SMTP_MXSESS_LIMIT, &var_smtp_mxsess_limit, 0, 0,
++#ifdef USE_TLS
++#ifdef USE_SSL
++	VAR_SMTP_TLS_SCERT_VD, DEF_SMTP_TLS_SCERT_VD, &var_smtp_tls_scert_vd, 0, 0,
++#endif
++#endif
+ 	0,
+     };
+     static CONFIG_BOOL_TABLE bool_table[] = {
+@@ -530,6 +582,14 @@
+ 	VAR_SMTP_QUOTE_821_ENV, DEF_SMTP_QUOTE_821_ENV, &var_smtp_quote_821_env,
+ 	VAR_SMTP_DEFER_MXADDR, DEF_SMTP_DEFER_MXADDR, &var_smtp_defer_mxaddr,
+ 	VAR_SMTP_SEND_XFORWARD, DEF_SMTP_SEND_XFORWARD, &var_smtp_send_xforward,
++#ifdef USE_TLS
++	VAR_SMTP_USE_TLS, DEF_SMTP_USE_TLS, &var_smtp_use_tls,
++	VAR_SMTP_ENFORCE_TLS, DEF_SMTP_ENFORCE_TLS, &var_smtp_enforce_tls,
++#ifdef USE_SSL
++	VAR_SMTP_TLS_ENFORCE_PN, DEF_SMTP_TLS_ENFORCE_PN, &var_smtp_tls_enforce_peername,
++	VAR_SMTP_TLS_NOTEOFFER, DEF_SMTP_TLS_NOTEOFFER, &var_smtp_tls_note_starttls_offer,
++#endif
++#endif
+ 	0,
+     };
+ 
+diff -urNad postfix-release/src/smtp/smtp_connect.c /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_connect.c
+--- postfix-release/src/smtp/smtp_connect.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_connect.c	2005-02-03 10:22:13.066095349 -0700
+@@ -46,6 +46,7 @@
+ /* System library. */
+ 
+ #include <sys_defs.h>
++#include <stdlib.h>
+ #include <sys/socket.h>
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
+@@ -86,37 +87,246 @@
+ #include <debug_peer.h>
+ #include <deliver_pass.h>
+ #include <mail_error.h>
++#ifdef USE_TLS
++#include <pfixtls.h>
++#endif
+ 
+ /* DNS library. */
+ 
+ #include <dns.h>
+ 
++#ifdef INET6
++#define GAI_STRERROR(error) \
++	((error == EAI_SYSTEM) ? strerror(errno) : gai_strerror(error))
++#endif
++
+ /* Application-specific. */
+ 
+ #include "smtp.h"
+ #include "smtp_addr.h"
+ 
++/* smtp_force_bind: bind() address */
++
++static void smtp_force_bind(const char *bind_addr,
++			    const char *bind_var,
++			    int sock,
++			    int af)
++{
++    /*
++     * If the bind() call fails, this is considered a non-fatal error.
++     * All address conversion errors are fatal.
++     */
++    char   *myname = "smtp_force_bind";
++#ifdef INET6
++    char    hbuf[NI_MAXHOST];
++    int     aierr;
++    struct addrinfo hints, *res;
++
++    memset(&hints, 0, sizeof(hints));
++    hints.ai_family = af;
++    hints.ai_socktype = SOCK_STREAM;
++    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
++    snprintf(hbuf, sizeof(hbuf), "%s", bind_addr);
++    aierr = getaddrinfo(hbuf, NULL, &hints, &res);
++    if (aierr == EAI_NONAME)
++	msg_fatal("%s: bad %s parameter: \"%s\"",
++		  myname, bind_var, bind_addr);
++    if (aierr != 0) {
++	if (msg_verbose)
++	    msg_warn("%s: getaddrinfo(%s): %s",
++		     myname, hbuf, GAI_STRERROR(aierr));
++	return;
++    }
++    aierr = getnameinfo(res->ai_addr, res->ai_addrlen, hbuf, sizeof(hbuf),
++			NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID);
++    if (aierr != 0) {
++	msg_warn("%s: getnameinfo(): %s",
++		 myname, GAI_STRERROR(aierr));
++	freeaddrinfo(res);
++	return;
++    }
++    if (bind(sock, res->ai_addr, res->ai_addrlen) < 0)
++	msg_warn("%s: bind %s: %m", myname, hbuf);
++    else if (msg_verbose)
++	msg_info("%s: bind %s", myname, hbuf);
++    freeaddrinfo(res);
++#else /* INET6 */
++    struct sockaddr_in sin;
++
++    memset(&sin, 0, sizeof(sin));
++    sin.sin_family = AF_INET;
++#ifdef HAS_SA_LEN
++    sin.sin_len = sizeof(sin);
++#endif
++    sin.sin_addr.s_addr = inet_addr(bind_addr);
++    if (sin.sin_addr.s_addr == INADDR_NONE) {
++	msg_fatal("%s: bad %s parameter: \"%s\"",
++		  myname, bind_var, bind_addr);
++	return;
++    }
++    if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
++	msg_warn("%s: bind %s: %m", myname, inet_ntoa(sin.sin_addr));
++    else if (msg_verbose)
++	msg_info("%s: bind %s", myname, inet_ntoa(sin.sin_addr));
++#endif /* INET6 */
++}
++
++/* smtp_virtual_bind - bind() when acting as virtual host */
++
++static void smtp_virtual_bind(int sock, int af)
++{
++    char    *myname = "smtp_virtual_bind";
++    INET_ADDR_LIST *addr_list;
++    int     count;
++
++#ifdef INET6
++    int     i, pos;
++    char    hbuf[NI_MAXHOST];
++    int     aierr;
++    struct sockaddr *sa;
++    struct addrinfo hints, *loopback = NULL, *res = NULL;
++
++    /*
++     * Check whether we are acting as a virtual host
++     */
++    count = 0;
++    pos = 0;
++    addr_list = own_inet_addr_list();
++    for (i = 0; count < 2 && i < addr_list->used; i++)
++	if (((struct sockaddr *)&addr_list->addrs[i])->sa_family == af)
++	    count++, pos = i;
++    if (count != 1)
++	return;
++
++    /*
++     * Bind the source address.
++     */
++    memset(&hints, 0, sizeof(hints));
++    hints.ai_family = af;
++    hints.ai_socktype = SOCK_STREAM;
++    aierr = getaddrinfo(NULL, "0", &hints, &loopback);
++    if (aierr != 0) {
++	loopback = NULL;
++	msg_warn("%s: getaddrinfo(\"0\"): %s",
++		 myname, GAI_STRERROR(aierr));
++    }
++
++    sa = (struct sockaddr *)&addr_list->addrs[pos];
++    aierr = getnameinfo(sa, SA_LEN(sa), hbuf, sizeof(hbuf),
++			NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID);
++    if (aierr != 0)
++	msg_fatal("%s: getnameinfo() (AF=%d): %s",
++		  myname, af, GAI_STRERROR(aierr));
++
++    memset(&hints, 0, sizeof(hints));
++    hints.ai_family = af;
++    hints.ai_socktype = SOCK_STREAM;
++    hints.ai_flags = AI_NUMERICHOST | AI_PASSIVE;
++    aierr = getaddrinfo(hbuf, NULL, &hints, &res);
++    if (aierr != 0)
++	msg_fatal("%s: getaddrinfo(\"%s\"): %s",
++		  myname, hbuf, GAI_STRERROR(aierr));
++
++    if (res->ai_addrlen != loopback->ai_addrlen
++	|| memcmp(res->ai_addr, loopback->ai_addr, res->ai_addrlen) != 0) {
++	if (bind(sock, res->ai_addr, res->ai_addrlen) < 0)
++	    msg_warn("%s: bind %s: %m", myname, hbuf);
++	else if (msg_verbose)
++	    msg_info("%s: bind %s", myname, hbuf);
++    } else if (msg_verbose) {
++	msg_info("%s: not calling bind(): unusable source "
++		 "address from \"%s\"", myname, hbuf);
++    }
++    if (res)
++	freeaddrinfo(res);
++    if (loopback)
++	freeaddrinfo(loopback);
++
++#else /* INET6 */
++
++    struct sockaddr_in sin;
++    unsigned long inaddr;	/*XXX BAD!*/
++
++    /*
++     * Check whether we are acting as a virtual host
++     */
++    addr_list = own_inet_addr_list();
++    count = addr_list->used;
++    if (count != 1)
++	return;
++
++    /*
++     * Bind the source address.
++     */
++    memset(&sin, 0, sizeof(sin));
++    sin.sin_family = AF_INET;
++#ifdef HAS_SA_LEN
++    sin.sin_len = sizeof(sin);
++#endif
++    memcpy((char *) &sin.sin_addr, addr_list->addrs, sizeof(sin.sin_addr));
++    inaddr = (unsigned long)ntohl(sin.sin_addr.s_addr);
++    if (!IN_CLASSA(inaddr)
++	|| !(((inaddr & IN_CLASSA_NET) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)) {
++	if (bind(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0)
++	    msg_warn("%s: bind %s: %m", myname, inet_ntoa(sin.sin_addr));
++	else if (msg_verbose)
++	    msg_info("%s: bind %s", myname, inet_ntoa(sin.sin_addr));
++    }
++#endif /* INET6 */
++}
++
+ /* smtp_connect_addr - connect to explicit address */
+ 
+-static SMTP_SESSION *smtp_connect_addr(DNS_RR *addr, unsigned port,
++static SMTP_SESSION *smtp_connect_addr(char *dest, DNS_RR *addr, unsigned port,
+ 				               VSTRING *why)
+ {
+     char   *myname = "smtp_connect_addr";
+-    struct sockaddr_in sin;
+-    int     sock;
++#ifdef INET6
++    struct sockaddr_storage ss;
++#else
++    struct sockaddr ss;
++#endif
++    struct sockaddr *sa;
++    struct sockaddr_in *sin;
++#ifdef INET6
++    struct sockaddr_in6 *sin6;
++#endif
++    SOCKADDR_SIZE salen;
++#ifdef INET6
++    char hbuf[NI_MAXHOST];
++#else
++    char hbuf[sizeof("255.255.255.255") + 1];
++#endif
++    int     sock = -1;
+     INET_ADDR_LIST *addr_list;
+     int     conn_stat;
+     int     saved_errno;
+     VSTREAM *stream;
+     int     ch;
+-    unsigned long inaddr;
++    char    *bind_addr;
++    char    *bind_var;
++#ifdef INET6
++    char    *addr6_ptr = NULL;
++#endif
++
++    sa = (struct sockaddr *)&ss;
++    sin = (struct sockaddr_in *)&ss;
++#ifdef INET6
++    sin6 = (struct sockaddr_in6 *)&ss;
++#endif
+ 
+     smtp_errno = SMTP_ERR_NONE;			/* Paranoia */
+ 
+     /*
+      * Sanity checks.
+      */
+-    if (addr->data_len > sizeof(sin.sin_addr)) {
++#ifdef INET6
++    if (((addr->type==T_A) && (addr->data_len > sizeof(sin->sin_addr))) ||
++	((addr->type==T_AAAA) && (addr->data_len > sizeof(sin6->sin6_addr))))
++#else
++    if (addr->data_len > sizeof(sin->sin_addr))
++#endif
++    {
+ 	msg_warn("%s: skip address with length %d", myname, addr->data_len);
+ 	smtp_errno = SMTP_ERR_RETRY;
+ 	return (0);
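Review bot: in smtp_virtual_bind() (INET6 branch), when `getaddrinfo(NULL, "0", &hints, &loopback)` fails the code sets `loopback = NULL`, warns, and then dereferences it in `res->ai_addrlen != loopback->ai_addrlen`, which crashes the client; either return after the warning or skip the loopback comparison when loopback is NULL. Minor points in the same hunk: NI_WITHSCOPEID is used in both new bind helpers and is not defined by every libc (a `#define NI_WITHSCOPEID 0` fallback next to GAI_STRERROR would cover that), and the `return;` after msg_fatal() in the non-INET6 smtp_force_bind() is unreachable.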
+@@ -125,65 +335,111 @@
+     /*
+      * Initialize.
+      */
+-    memset((char *) &sin, 0, sizeof(sin));
+-    sin.sin_family = AF_INET;
+-
+-    if ((sock = socket(sin.sin_family, SOCK_STREAM, 0)) < 0)
+-	msg_fatal("%s: socket: %m", myname);
+-
++    switch (addr->type) {
++#ifdef INET6
++    case T_AAAA:
++	bind_addr = "";
++	bind_var = VAR_SMTP_BIND_ADDR6;
++	if (*var_smtp_bind_addr6) {
++	    addr6_ptr = mystrdup(var_smtp_bind_addr6);
++	    if (*addr6_ptr == '[' && addr6_ptr[strlen(addr6_ptr) - 1] == ']') {
++		addr6_ptr[strlen(addr6_ptr) - 1] = 0;
++		bind_addr = addr6_ptr + 1;
++	    } else {
++		msg_warn("%s: skip incorrectly bracketed IPv6 address in %s",
++		    myname, VAR_SMTP_BIND_ADDR6);
++	    }
++	}
++	memset(sin6, 0, sizeof(*sin6));
++	sin6->sin6_family = AF_INET6;
++	salen = sizeof(*sin6);
++	break;
++#endif
++    default: /* T_A: */
++	bind_addr = var_smtp_bind_addr;
++	bind_var = VAR_SMTP_BIND_ADDR;
++	memset(sin, 0, sizeof(*sin));
++	sin->sin_family = AF_INET;
++	salen = sizeof(*sin);
++	break;
++    }
++#ifdef HAS_SA_LEN
++    sa->sa_len = salen;
++#endif
++    if ((sock = socket(sa->sa_family, SOCK_STREAM, 0)) < 0) {
++#ifdef INET6
++	if (addr6_ptr)
++		myfree(addr6_ptr);
++	vstring_sprintf(why, "socket to %s[%s]: %m",
++                        addr->name, hbuf);
++	if (errno != EAFNOSUPPORT)
++#endif
++	    msg_warn("%s: socket: %m", myname);
++	smtp_errno = SMTP_ERR_RETRY;
++	return (0);
++    }
++		    
+     /*
+      * Allow the sysadmin to specify the source address, for example, as "-o
+      * smtp_bind_address=x.x.x.x" in the master.cf file.
+      */
+-    if (*var_smtp_bind_addr) {
+-	sin.sin_addr.s_addr = inet_addr(var_smtp_bind_addr);
+-	if (sin.sin_addr.s_addr == INADDR_NONE)
+-	    msg_fatal("%s: bad %s parameter: %s",
+-		      myname, VAR_SMTP_BIND_ADDR, var_smtp_bind_addr);
+-	if (bind(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0)
+-	    msg_warn("%s: bind %s: %m", myname, inet_ntoa(sin.sin_addr));
+-	if (msg_verbose)
+-	    msg_info("%s: bind %s", myname, inet_ntoa(sin.sin_addr));
+-    }
+-
+-    /*
+-     * When running as a virtual host, bind to the virtual interface so that
+-     * the mail appears to come from the "right" machine address.
+-     */
+-    else if ((addr_list = own_inet_addr_list())->used == 1) {
+-	memcpy((char *) &sin.sin_addr, addr_list->addrs, sizeof(sin.sin_addr));
+-	inaddr = ntohl(sin.sin_addr.s_addr);
+-	if (!IN_CLASSA(inaddr)
+-	    || !(((inaddr & IN_CLASSA_NET) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)) {
+-	    if (bind(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0)
+-		msg_warn("%s: bind %s: %m", myname, inet_ntoa(sin.sin_addr));
+-	    if (msg_verbose)
+-		msg_info("%s: bind %s", myname, inet_ntoa(sin.sin_addr));
+-	}
++    if (bind_addr && *bind_addr) {
++	smtp_force_bind(bind_addr, bind_var, sock, sa->sa_family);
++#ifdef INET6
++	if (addr6_ptr)
++		myfree(addr6_ptr);
++#endif
++    } else {
++	/*
++	 * When running as a virtual host, bind to the virtual interface so that
++	 * the mail appears to come from the "right" machine address.
++	 */
++	smtp_virtual_bind(sock, sa->sa_family);
+     }
+ 
+     /*
+      * Connect to the SMTP server.
+      */
+-    sin.sin_port = port;
+-    memcpy((char *) &sin.sin_addr, addr->data, sizeof(sin.sin_addr));
++    switch (addr->type) {
++#ifdef INET6
++    case T_AAAA:
++	/* XXX scope unfriendly */
++	memset(sin6, 0, sizeof(*sin6));
++	sin6->sin6_port = port;
++	sin6->sin6_family = AF_INET6;
++	salen = sizeof(*sin6);
++	memcpy(&sin6->sin6_addr, addr->data, sizeof(sin6->sin6_addr));
++	inet_ntop(AF_INET6, &sin6->sin6_addr, hbuf, sizeof(hbuf));
++	break;
++#endif
++    default: /* T_A */
++	memset(sin, 0, sizeof(*sin));
++	sin->sin_port = port;
++	sin->sin_family = AF_INET;
++	salen = sizeof(*sin);
++	memcpy(&sin->sin_addr, addr->data, sizeof(sin->sin_addr));
++	inet_ntop(AF_INET, &sin->sin_addr, hbuf, sizeof(hbuf));
++	break;
++    }
++#ifdef HAS_SA_LEN
++    sa->sa_len = salen;
++#endif
+ 
+     if (msg_verbose)
+ 	msg_info("%s: trying: %s[%s] port %d...",
+-		 myname, addr->name, inet_ntoa(sin.sin_addr), ntohs(port));
++		 myname, addr->name, hbuf, ntohs(port));
+     if (var_smtp_conn_tmout > 0) {
+ 	non_blocking(sock, NON_BLOCKING);
+-	conn_stat = timed_connect(sock, (struct sockaddr *) & sin,
+-				  sizeof(sin), var_smtp_conn_tmout);
++	conn_stat = timed_connect(sock, sa, salen, var_smtp_conn_tmout);
+ 	saved_errno = errno;
+ 	non_blocking(sock, BLOCKING);
+ 	errno = saved_errno;
+     } else {
+-	conn_stat = sane_connect(sock, (struct sockaddr *) & sin, sizeof(sin));
++	conn_stat = sane_connect(sock, sa, salen);
+     }
+     if (conn_stat < 0) {
+ 	vstring_sprintf(why, "connect to %s[%s]: %m",
+-			addr->name, inet_ntoa(sin.sin_addr));
++			addr->name, hbuf);
+ 	smtp_errno = SMTP_ERR_RETRY;
+ 	close(sock);
+ 	return (0);
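Review bot: the socket() failure path (`vstring_sprintf(why, "socket to %s[%s]: %m", addr->name, hbuf)`) reads `hbuf` before it is filled, since the inet_ntop() calls that populate it come later in the "Connect to the SMTP server" switch; move the address formatting above the socket() call or drop the `[%s]` from that message. Also, in the T_AAAA case a var_smtp_bind_addr6 value without brackets leaves `bind_addr` as "" while `addr6_ptr` is still allocated, and the `else` branch never frees it, so every such connection leaks the mystrdup() copy; free addr6_ptr unconditionally after the bind step. Finally, vstring_sprintf() runs before `if (errno != EAFNOSUPPORT)` and may clobber errno, so save errno first.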
+@@ -193,8 +449,8 @@
+      * Skip this host if it takes no action within some time limit.
+      */
+     if (read_wait(sock, var_smtp_helo_tmout) < 0) {
+-	vstring_sprintf(why, "connect to %s[%s]: read timeout",
+-			addr->name, inet_ntoa(sin.sin_addr));
++	vstring_sprintf(why, "connect to %s [%s]: read timeout",
++			addr->name, hbuf);
+ 	smtp_errno = SMTP_ERR_RETRY;
+ 	close(sock);
+ 	return (0);
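Review bot: the reworded read-timeout message "connect to %s [%s]: read timeout" gains a space between the host name and the bracketed address, while every other message in this file keeps the "%s[%s]" form; keep the original spacing so log parsers and the other connect messages stay consistent.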
+@@ -206,13 +462,17 @@
+     stream = vstream_fdopen(sock, O_RDWR);
+     if ((ch = VSTREAM_GETC(stream)) == VSTREAM_EOF) {
+ 	vstring_sprintf(why, "connect to %s[%s]: server dropped connection without sending the initial SMTP greeting",
+-			addr->name, inet_ntoa(sin.sin_addr));
++			addr->name, hbuf);
+ 	smtp_errno = SMTP_ERR_RETRY;
+ 	vstream_fclose(stream);
+ 	return (0);
+     }
+     vstream_ungetc(stream, ch);
+-    return (smtp_session_alloc(stream, addr->name, inet_ntoa(sin.sin_addr)));
++#ifndef USE_TLS
++    return (smtp_session_alloc(stream, addr->name, hbuf));
++#else
++    return (smtp_session_alloc(dest, stream, addr->name, hbuf));
++#endif
+ }
+ 
+ /* smtp_parse_destination - parse destination */
+@@ -247,6 +507,7 @@
+ 	    msg_fatal("unknown service: %s/%s", service, protocol);
+ 	*portp = sp->s_port;
+     }
++
+     return (buf);
+ }
+ 
+@@ -348,7 +609,7 @@
+ 	    next = addr->next;
+ 	    if (++addr_count == var_smtp_mxaddr_limit)
+ 		next = 0;
+-	    if ((state->session = smtp_connect_addr(addr, port, why)) != 0) {
++	    if ((state->session = smtp_connect_addr(host, addr, port, why)) != 0) {
+ 		state->features = 0;		/* XXX should be SESSION info */
+ 		if (++sess_count == var_smtp_mxsess_limit)
+ 		    next = 0;
+diff -urNad postfix-release/src/smtp/smtp.h /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp.h
+--- postfix-release/src/smtp/smtp.h	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp.h	2005-02-03 10:22:13.066095349 -0700
+@@ -27,6 +27,9 @@
+   * Global library.
+   */
+ #include <deliver_request.h>
++#ifdef USE_TLS
++#include <pfixtls.h>
++#endif
+ 
+  /*
+   * State information associated with each SMTP delivery. We're bundling the
+@@ -113,9 +116,20 @@
+     char   *addr;			/* mail exchanger */
+     char   *namaddr;			/* mail exchanger */
+     int     best;			/* most preferred host */
++#ifdef USE_TLS
++    int     tls_use_tls;		/* can do TLS */
++    int     tls_enforce_tls;		/* must do TLS */
++    int     tls_enforce_peername;	/* cert must match */
++    tls_info_t tls_info;		/* TLS connection state */
++#endif
+ } SMTP_SESSION;
+ 
++#ifndef USE_TLS
+ extern SMTP_SESSION *smtp_session_alloc(VSTREAM *, char *, char *);
++#else
++extern void smtp_tls_list_init(void);
++extern SMTP_SESSION *smtp_session_alloc(char *, VSTREAM *, char *, char *);
++#endif
+ extern void smtp_session_free(SMTP_SESSION *);
+ 
+  /*
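Review bot: `smtp_session_alloc` now has two prototypes selected by `#ifndef USE_TLS`, and the definition in smtp_session.c and the call in `smtp_connect_addr` repeat the same `#ifdef` pair; a single signature that always takes `dest` and ignores it when TLS is compiled out removes three places that must be kept in sync by hand.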
+diff -urNad postfix-release/src/smtp/smtp_proto.c /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_proto.c
+--- postfix-release/src/smtp/smtp_proto.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_proto.c	2005-02-03 10:22:13.067095126 -0700
+@@ -102,6 +102,9 @@
+ #include <quote_821_local.h>
+ #include <mail_proto.h>
+ #include <mime_state.h>
++#ifdef USE_TLS
++#include <pfixtls.h>
++#endif
+ 
+ /* Application-specific. */
+ 
+@@ -184,6 +187,10 @@
+ 	XFORWARD_HELO, SMTP_FEATURE_XFORWARD_HELO,
+ 	0, 0,
+     };
++#ifdef USE_TLS
++    int     oldfeatures;
++    int     rval;
++#endif
+ 
+     /*
+      * Prepare for disaster.
+@@ -257,6 +264,10 @@
+ 	return (0);
+     }
+ 
++#ifdef USE_TLS
++    if (var_smtp_always_ehlo)
++	state->features |= SMTP_FEATURE_ESMTP;
++#endif
+     /*
+      * Pick up some useful features offered by the SMTP server. XXX Until we
+      * have a portable routine to convert from string to off_t with proper
+@@ -268,6 +279,9 @@
+      * MicroSoft implemented AUTH based on an old draft.
+      */
+     lines = resp->str;
++#ifdef USE_TLS
++    oldfeatures = state->features;		/* remember */
++#endif
+     while ((words = mystrtok(&lines, "\n")) != 0) {
+ 	if (mystrtok(&words, "- ") && (word = mystrtok(&words, " \t=")) != 0) {
+ 	    if (strcasecmp(word, "8BITMIME") == 0)
+@@ -288,6 +302,10 @@
+ 			state->size_limit = off_cvt_string(word);
+ 		}
+ 	    }
++#ifdef USE_TLS
++	    else if (strcasecmp(word, "STARTTLS") == 0)
++		state->features |= SMTP_FEATURE_STARTTLS;
++#endif
+ #ifdef USE_SASL_AUTH
+ 	    else if (var_smtp_sasl_enable && strcasecmp(word, "AUTH") == 0)
+ 		smtp_sasl_helo_auth(state, words);
+@@ -307,6 +325,130 @@
+ 	msg_info("server features: 0x%x size %.0f",
+ 		 state->features, (double) state->size_limit);
+ 
++#ifdef USE_TLS
++#ifdef USE_SSL
++    if ((state->features & SMTP_FEATURE_STARTTLS) &&
++	(var_smtp_tls_note_starttls_offer) &&
++	(!(session->tls_enforce_tls || session->tls_use_tls)))
++ 	msg_info("Host offered STARTTLS: [%s]", session->host);
++    if ((session->tls_enforce_tls) &&
++	!(state->features & SMTP_FEATURE_STARTTLS))
++    {
++	/*
++	 * We are enforced to use TLS but it is not offered, so we will give
++	 * up on this host. We won't even try STARTTLS, because we could
++	 * receive a "500 command unrecognized" which would bounce the
++	 * message. We instead want to delay until STARTTLS becomes
++	 * available.
++	 */
++	return (smtp_site_fail(state, 450, "Could not start TLS: not offered"));
++    }
++    if ((session->tls_enforce_tls) && !pfixtls_clientengine) {
++	/*
++	 * We would like to start client TLS, but our own TLS-engine is
++	 * not running.
++	 */
++	return (smtp_site_fail(state, 450,
++		 "Could not start TLS: our TLS-engine not running"));
++    }
++    if ((state->features & SMTP_FEATURE_STARTTLS) &&
++	((session->tls_use_tls && pfixtls_clientengine) ||
++	 (session->tls_enforce_tls))) {
++	/*
++         * Try to use the TLS feature
++         */
++	smtp_chat_cmd(state, "STARTTLS");
++	if ((resp = smtp_chat_resp(state))->code / 100 != 2) {
++	    state->features &= ~SMTP_FEATURE_STARTTLS;
++	    /*
++	     * At this point a political decision is necessary. If we
++	     * enforce usage of tls, we have to close the connection
++	     * now.
++	     */
++	    if (session->tls_enforce_tls)
++		return (smtp_site_fail(state, resp->code,
++					 "host %s refused to start TLS: %s",
++					   session->host,
++					   translit(resp->str, "\n", " ")));
++	} else {
++	    if (rval = pfixtls_start_clienttls(session->stream,
++					       var_smtp_starttls_tmout,
++					       session->tls_enforce_peername,
++					       session->host,
++					       &(session->tls_info)))
++		return (smtp_site_fail(state, 450,
++				 "Could not start TLS: client failure"));
++
++
++	    /*
++	     * Now the connection is established and maybe we do have a
++	     * validated cert with a CommonName in it.
++	     * In enforce_peername state, the handshake would already have
++	     * been terminated so the check here is for logging only!
++	     */
++	    if (session->tls_info.peer_CN != NULL) {
++		if (!session->tls_info.peer_verified) {
++		    msg_info("Peer certificate could not be verified");
++		    if (session->tls_enforce_tls) {
++			pfixtls_stop_clienttls(session->stream,
++					       var_smtp_starttls_tmout, 1,
++					       &(session->tls_info));
++			return(smtp_site_fail(state, 450, "TLS-failure: Could not verify certificate"));
++		    }
++		}
++	    } else if (session->tls_enforce_tls) {
++		pfixtls_stop_clienttls(session->stream,
++				       var_smtp_starttls_tmout, 1,
++				       &(session->tls_info));
++		return (smtp_site_fail(state, 450, "TLS-failure: Cannot verify hostname"));
++	    }
++
++	    /*
++	     * At this point we have to re-negotiate the "EHLO" to reget
++	     * the feature-list
++	     */
++	    state->features = oldfeatures;
++#ifdef USE_SASL_AUTH
++	    if (state->sasl_mechanism_list) {
++		myfree(state->sasl_mechanism_list);
++		state->sasl_mechanism_list = 0;
++	    }
++#endif
++	    if (state->features & SMTP_FEATURE_ESMTP) {
++		smtp_chat_cmd(state, "EHLO %s", var_myhostname);
++		if ((resp = smtp_chat_resp(state))->code / 100 != 2)
++		    state->features &= ~SMTP_FEATURE_ESMTP;
++	    }
++	    lines = resp->str;
++	    (void) mystrtok(&lines, "\n");
++	    while ((words = mystrtok(&lines, "\n")) != 0) {
++		if (mystrtok(&words, "- ") &&
++		    (word = mystrtok(&words, " \t=")) != 0) {
++		    if (strcasecmp(word, "8BITMIME") == 0)
++			state->features |= SMTP_FEATURE_8BITMIME;
++		    else if (strcasecmp(word, "PIPELINING") == 0)
++			state->features |= SMTP_FEATURE_PIPELINING;
++		    else if (strcasecmp(word, "SIZE") == 0)
++			state->features |= SMTP_FEATURE_SIZE;
++		    else if (strcasecmp(word, "STARTTLS") == 0)
++			state->features |= SMTP_FEATURE_STARTTLS;
++#ifdef USE_SASL_AUTH
++		    else if (var_smtp_sasl_enable &&
++			     strcasecmp(word, "AUTH") == 0)
++			smtp_sasl_helo_auth(state, words);
++#endif
++		}
++	    }
++	    /*
++	     * Actually, at this point STARTTLS should not be offered
++	     * anymore, so we could check for a protocol violation, but
++	     * what should we do then?
++	     */
++
++	}
++    }
++#endif
++#endif
+ #ifdef USE_SASL_AUTH
+     if (var_smtp_sasl_enable && (state->features & SMTP_FEATURE_AUTH))
+ 	return (smtp_sasl_helo_login(state));
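Review bot: the peer name check uses `session->host` (`pfixtls_start_clienttls(..., session->tls_enforce_peername, session->host, ...)`), which `smtp_connect_addr` fills from `addr->name`, i.e. the MX hostname returned by an unauthenticated DNS lookup; a MUST entry in `smtp_tls_per_site` therefore only proves that the peer holds a certificate for whatever name the MX lookup produced, not for the destination domain or the configured relay host, and the description of MUST should say so. Two smaller points in the same block: when the post-STARTTLS EHLO fails (`if ((resp = smtp_chat_resp(state))->code / 100 != 2)`), the code clears ESMTP but still runs `lines = resp->str` and parses the error reply as a feature list instead of falling back to HELO or failing the site; and `if (rval = pfixtls_start_clienttls(...))` assigns inside the condition while `rval` is never read, so write `!= 0` and drop the variable. The second feature-parsing loop is a near-verbatim copy of the first and belongs in a shared helper.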
+diff -urNad postfix-release/src/smtp/smtp_sasl_glue.c /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_sasl_glue.c
+--- postfix-release/src/smtp/smtp_sasl_glue.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_sasl_glue.c	2005-02-03 10:22:13.068094903 -0700
+@@ -197,6 +197,16 @@
+     return (SASL_OK);
+ }
+ 
++static int smtp_sasl_getpath(void * context, char ** path)
++{
++#if SASL_VERSION_MAJOR >= 2
++    *path = strdup("/etc/postfix/sasl:/usr/lib/sasl2");
++#else
++    *path = strdup("/etc/postfix/sasl:/usr/lib/sasl");
++#endif
++    return SASL_OK;
++}
++
+ /* smtp_sasl_get_user - username lookup call-back routine */
+ 
+ static int smtp_sasl_get_user(void *context, int unused_id, const char **result,
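Review bot: `SASL_CB_GETPATH` sets the plugin search path, so with `"/etc/postfix/sasl:/usr/lib/sasl2"` libsasl will dlopen any shared object it finds in /etc/postfix/sasl; that directory must be root-owned and not writable by the postfix user, and README.Debian should say so. Beyond that, the callback calls libc `strdup` on every invocation and nothing frees the result (Postfix code elsewhere uses `mystrdup`), the two paths are hard-coded instead of being a main.cf parameter, and the `char **path` parameter should match the library's callback type (`const char **path` for SASL 2) to avoid a function-pointer mismatch when the entry is placed in the callbacks table.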
+@@ -298,6 +308,7 @@
+      */
+     static sasl_callback_t callbacks[] = {
+ 	{SASL_CB_LOG, &smtp_sasl_log, 0},
++	{SASL_CB_GETPATH,&smtp_sasl_getpath, 0},
+ 	{SASL_CB_LIST_END, 0, 0}
+     };
+ 
+diff -urNad postfix-release/src/smtp/smtp_session.c /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_session.c
+--- postfix-release/src/smtp/smtp_session.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_session.c	2005-02-03 10:22:13.068094903 -0700
+@@ -42,15 +42,50 @@
+ #include <vstream.h>
+ #include <stringops.h>
+ 
++#ifdef USE_TLS
++#include <mail_params.h>
++#include <maps.h>
++#include <pfixtls.h>
++#endif
++
+ /* Application-specific. */
+ 
+ #include "smtp.h"
+ 
++#ifdef USE_TLS
++/* static lists */
++static MAPS *tls_per_site;
++
++/* smtp_tls_list_init - initialize lists */
++
++void smtp_tls_list_init(void)
++{
++    tls_per_site = maps_create(VAR_SMTP_TLS_PER_SITE, var_smtp_tls_per_site,
++			       DICT_FLAG_LOCK);
++}
++
++#endif
+ /* smtp_session_alloc - allocate and initialize SMTP_SESSION structure */
+ 
++#ifndef USE_TLS
+ SMTP_SESSION *smtp_session_alloc(VSTREAM *stream, char *host, char *addr)
++#else
++SMTP_SESSION *smtp_session_alloc(char *dest, VSTREAM *stream, char *host, char *addr)
++#endif
+ {
+     SMTP_SESSION *session;
++#ifdef USE_TLS
++    const char *lookup;
++    char *lookup_key;
++    int host_dont_use = 0;
++    int host_use = 0;
++    int host_enforce = 0;
++    int host_enforce_peername = 0;
++    int recipient_dont_use = 0;
++    int recipient_use = 0;
++    int recipient_enforce = 0;
++    int recipient_enforce_peername = 0;
++#endif
+ 
+     session = (SMTP_SESSION *) mymalloc(sizeof(*session));
+     session->stream = stream;
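Review bot: `tls_per_site` is only created by `smtp_tls_list_init`, and `smtp_session_alloc` below calls `maps_find(tls_per_site, ...)` unconditionally under `USE_SSL`; the caller of `smtp_tls_list_init()` is not in this file, so confirm it runs in the smtp pre-jail init before the first connection is made, otherwise the first lookup dereferences a NULL `MAPS` pointer.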
+@@ -58,6 +93,63 @@
+     session->addr = mystrdup(addr);
+     session->namaddr = concatenate(host, "[", addr, "]", (char *) 0);
+     session->best = 1;
++#ifdef USE_TLS
++    session->tls_use_tls = session->tls_enforce_tls = 0;
++    session->tls_enforce_peername = 0;
++#ifdef USE_SSL
++    lookup_key = lowercase(mystrdup(host));
++    if (lookup = maps_find(tls_per_site, lookup_key, 0)) {
++	if (!strcasecmp(lookup, "NONE"))
++	    host_dont_use = 1;
++	else if (!strcasecmp(lookup, "MAY"))
++	    host_use = 1;
++	else if (!strcasecmp(lookup, "MUST"))
++	    host_enforce = host_enforce_peername = 1;
++	else if (!strcasecmp(lookup, "MUST_NOPEERMATCH"))
++	    host_enforce = 1;
++	else
++	    msg_warn("Unknown TLS state for receiving host %s: '%s', using default policy", session->host, lookup);
++    }
++    myfree(lookup_key);
++    lookup_key = lowercase(mystrdup(dest));
++    if (lookup = maps_find(tls_per_site, dest, 0)) {
++	if (!strcasecmp(lookup, "NONE"))
++	    recipient_dont_use = 1;
++	else if (!strcasecmp(lookup, "MAY"))
++	    recipient_use = 1;
++	else if (!strcasecmp(lookup, "MUST"))
++	    recipient_enforce = recipient_enforce_peername = 1;
++	else if (!strcasecmp(lookup, "MUST_NOPEERMATCH"))
++	    recipient_enforce = 1;
++	else
++	    msg_warn("Unknown TLS state for recipient domain %s: '%s', using default policy", dest, lookup);
++    }
++    myfree(lookup_key);
++
++    if ((var_smtp_enforce_tls && !host_dont_use && !recipient_dont_use) || host_enforce ||
++	 recipient_enforce)
++	session->tls_enforce_tls = session->tls_use_tls = 1;
++
++    /*
++     * Set up peername checking. We want to make sure that a MUST* entry in
++     * the tls_per_site table always has precedence. MUST always must lead to
++     * a peername check, MUST_NOPEERMATCH must always disable it. Only when
++     * no explicit setting has been found, the default will be used.
++     * There is the case left, that both "host" and "recipient" settings
++     * conflict. In this case, the "host" setting wins.
++     */
++    if (host_enforce && host_enforce_peername)
++	session->tls_enforce_peername = 1;
++    else if (recipient_enforce && recipient_enforce_peername)
++	session->tls_enforce_peername = 1;
++    else if (var_smtp_enforce_tls && var_smtp_tls_enforce_peername)
++	session->tls_enforce_peername = 1;
++
++    else if ((var_smtp_use_tls && !host_dont_use && !recipient_dont_use) || host_use || recipient_use)
++      session->tls_use_tls = 1;
++#endif
++    session->tls_info = tls_info_zero;
++#endif
+     return (session);
+ }
+ 
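Review bot: the recipient-domain lookup lowercases `dest` into `lookup_key` but then calls `maps_find(tls_per_site, dest, 0)` with the original string, so a mixed-case next-hop never matches a lowercase table entry (the host lookup a few lines up does use `lookup_key`); pass `lookup_key` here. Two more points: a `NONE` entry for either the MX host or the recipient domain switches off a global `smtp_enforce_tls`, i.e. the per-site table can downgrade a mandatory-TLS configuration to cleartext, which the documentation must state plainly; and the blank line before the final `else if` hides that the opportunistic `session->tls_use_tls = 1` branch is chained onto the peer-name `if/else if` ladder, so make it a separate `if`. Since `host_enforce_peername` and `recipient_enforce_peername` are only ever set together with `host_enforce`/`recipient_enforce`, the `&&` tests in that ladder are redundant as well.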
+@@ -65,6 +157,13 @@
+ 
+ void    smtp_session_free(SMTP_SESSION *session)
+ {
++#ifdef USE_TLS
++#ifdef USE_SSL
++    vstream_fflush(session->stream);
++    pfixtls_stop_clienttls(session->stream, var_smtp_starttls_tmout, 0,
++			   &(session->tls_info));
++#endif
++#endif
+     vstream_fclose(session->stream);
+     myfree(session->host);
+     myfree(session->addr);
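Review bot: `pfixtls_stop_clienttls` is called for every session, including cleartext sessions and sessions where `pfixtls_start_clienttls` failed; this relies on it being a no-op when `tls_info` records no active TLS session. Guarding the call with an explicit per-session flag (the smtpd side does this with `state->tls_active` in `tls_reset`) states the intent instead of depending on library behaviour.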
+diff -urNad postfix-release/src/smtp/smtp_unalias.c /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_unalias.c
+--- postfix-release/src/smtp/smtp_unalias.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_unalias.c	2005-02-03 10:22:13.068094903 -0700
+@@ -86,7 +86,11 @@
+     if ((result = htable_find(cache, name)) == 0) {
+ 	fqdn = vstring_alloc(10);
+ 	if (dns_lookup_types(name, smtp_unalias_flags, (DNS_RR **) 0,
+-			     fqdn, (VSTRING *) 0, T_MX, T_A, 0) != DNS_OK)
++			     fqdn, (VSTRING *) 0, T_MX, T_A,
++#ifdef INET6
++			     T_AAAA,
++#endif
++			     0) != DNS_OK)
+ 	    vstring_strcpy(fqdn, name);
+ 	htable_enter(cache, name, result = vstring_export(fqdn));
+     }
+diff -urNad postfix-release/src/smtpd/Makefile.in /tmp/dpep.cXJuVH/postfix-release/src/smtpd/Makefile.in
+--- postfix-release/src/smtpd/Makefile.in	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtpd/Makefile.in	2005-02-03 10:22:13.069094680 -0700
+@@ -150,6 +150,7 @@
+ smtpd.o: ../../include/namadr_list.h
+ smtpd.o: ../../include/input_transp.h
+ smtpd.o: ../../include/mail_server.h
++smtpd.o: ../../include/pfixtls.h
+ smtpd.o: smtpd_token.h
+ smtpd.o: smtpd.h
+ smtpd.o: smtpd_check.h
+@@ -179,6 +180,7 @@
+ smtpd_chat.o: ../../include/cleanup_user.h
+ smtpd_chat.o: ../../include/mail_error.h
+ smtpd_chat.o: ../../include/name_mask.h
++smtpd_chat.o: ../../include/pfixtls.h
+ smtpd_chat.o: smtpd.h
+ smtpd_chat.o: ../../include/mail_stream.h
+ smtpd_chat.o: smtpd_chat.h
+@@ -233,6 +235,7 @@
+ smtpd_check.o: ../../include/is_header.h
+ smtpd_check.o: smtpd.h
+ smtpd_check.o: ../../include/mail_stream.h
++smtpd_check.o: ../../include/pfixtls.h
+ smtpd_check.o: smtpd_sasl_glue.h
+ smtpd_check.o: smtpd_check.h
+ smtpd_peer.o: smtpd_peer.c
+@@ -247,6 +250,7 @@
+ smtpd_peer.o: ../../include/vstream.h
+ smtpd_peer.o: ../../include/iostuff.h
+ smtpd_peer.o: ../../include/attr.h
++smtpd_peer.o: ../../include/pfixtls.h
+ smtpd_peer.o: smtpd.h
+ smtpd_peer.o: ../../include/argv.h
+ smtpd_peer.o: ../../include/mail_stream.h
+@@ -329,6 +333,7 @@
+ smtpd_state.o: ../../include/vstring.h
+ smtpd_state.o: ../../include/argv.h
+ smtpd_state.o: ../../include/mail_stream.h
++smtpd_state.o: ../../include/pfixtls.h
+ smtpd_state.o: smtpd_chat.h
+ smtpd_state.o: smtpd_sasl_glue.h
+ smtpd_token.o: smtpd_token.c
+@@ -338,6 +343,7 @@
+ smtpd_token.o: smtpd_token.h
+ smtpd_token.o: ../../include/vstring.h
+ smtpd_token.o: ../../include/vbuf.h
++smtpd_token.o: ../../include/pfixtls.h
+ smtpd_xforward.o: smtpd_xforward.c
+ smtpd_xforward.o: ../../include/sys_defs.h
+ smtpd_xforward.o: ../../include/mymalloc.h
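Review bot: these dependency lists are normally regenerated with `make depend` rather than edited by hand, and `pfixtls.h` is added to objects such as smtpd_token.o whose listed dependencies do not include smtpd.h or any other header that would pull it in; regenerate the list so the header is only recorded where a source file actually includes it.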
+diff -urNad postfix-release/src/smtpd/smtpd.c /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd.c
+--- postfix-release/src/smtpd/smtpd.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd.c	2005-02-03 10:22:13.072094011 -0700
+@@ -652,6 +652,9 @@
+ #include <anvil_clnt.h>
+ #endif
+ #include <flush_clnt.h>
++#ifdef USE_TLS
++#include <pfixtls.h>
++#endif
+ 
+ /* Single-threaded server skeleton. */
+ 
+@@ -677,6 +680,9 @@
+   */
+ int     var_smtpd_rcpt_limit;
+ int     var_smtpd_tmout;
++#ifdef USE_TLS
++char   *var_relay_ccerts;
++#endif
+ int     var_smtpd_soft_erlim;
+ int     var_smtpd_hard_erlim;
+ int     var_queue_minfree;		/* XXX use off_t */
+@@ -759,7 +765,21 @@
+ int     var_smtpd_crate_limit;
+ int     var_smtpd_cconn_limit;
+ char   *var_smtpd_hoggers;
++#endif
+ 
++#ifdef USE_TLS
++bool    var_smtpd_use_tls;
++bool    var_smtpd_enforce_tls;
++bool    var_smtpd_tls_wrappermode;
++#ifdef USE_SSL
++int     var_smtpd_starttls_tmout;
++bool    var_smtpd_tls_auth_only;
++bool    var_smtpd_tls_ask_ccert;
++bool    var_smtpd_tls_req_ccert;
++int     var_smtpd_tls_ccert_vd;
++bool    var_smtpd_tls_received_header;
++char   *var_smtpd_sasl_tls_opts;
++#endif
+ #endif
+ 
+  /*
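Review bot: the guards are inconsistent: `var_relay_ccerts` (in the previous hunk), `var_smtpd_use_tls`, `var_smtpd_enforce_tls` and `var_smtpd_tls_wrappermode` are declared under `USE_TLS` alone, while the remaining TLS variables sit under `USE_TLS` plus `USE_SSL`; in a USE_TLS-without-USE_SSL build the bool table below still registers `smtpd_tls_wrappermode`, so an operator can set it and get nothing but the warning in `pre_jail_init`. Pick one guard and use it throughout.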
+@@ -943,11 +963,27 @@
+     if (var_disable_vrfy_cmd == 0)
+ 	smtpd_chat_reply(state, "250-VRFY");
+     smtpd_chat_reply(state, "250-ETRN");
++#ifdef USE_TLS
++#ifdef USE_SSL
++    if ((state->tls_use_tls || state->tls_enforce_tls) && (!state->tls_active))
++	smtpd_chat_reply(state, "250-STARTTLS");
++#endif
++#endif
+ #ifdef USE_SASL_AUTH
+     if (var_smtpd_sasl_enable && !sasl_client_exception(state)) {
++#ifdef USE_TLS
++#ifdef USE_SSL
++	if (!state->tls_auth_only || state->tls_active) {
++#endif
++#endif
+ 	smtpd_chat_reply(state, "250-AUTH %s", state->sasl_mechanism_list);
+ 	if (var_broken_auth_clients)
+ 	    smtpd_chat_reply(state, "250-AUTH=%s", state->sasl_mechanism_list);
++#ifdef USE_TLS
++#ifdef USE_SSL
++	}
++#endif
++#endif
+     }
+ #endif
+     if (namadr_list_match(verp_clients, state->name, state->addr))
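Review bot: hiding `250-AUTH` when `tls_auth_only` is set and TLS is not active is advertisement, not enforcement; nothing in this patch changes `smtpd_sasl_auth_cmd` to reject a plaintext AUTH, and the 530 check added to the command loop only fires when `tls_enforce_tls` is set. Unless the AUTH handler is changed elsewhere, a client that ignores the EHLO reply can still authenticate in the clear with `smtpd_tls_auth_only = yes`; add the `tls_auth_only && !tls_active` test to the AUTH command itself.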
+@@ -1505,12 +1541,81 @@
+     state->rcpt_overshoot = 0;
+ }
+ 
++#ifdef USE_TLS
++/* CN_sanitize - make sure, the CN-string is well behaved */
++
++static void CN_sanitize(char *CNstring)
++{
++    int i;
++    int len;
++    int parencount;
++
++    /*
++     * The information included in the CN (CommonName) of the peer and its
++     * issuer can be included into the Received: header line. The characters
++     * allowed as well as comment nesting are limited by RFC822.
++     */
++
++    len = strlen(CNstring);
++    /*
++     * The Received: header can only contain characters. Make sure that only
++     * acceptable characters are printed. Maybe we could allow more, but
++     * not everything makes sense inside a CommonName.
++     */
++    for (i = 0; i < len; i++) 
++	if (!((CNstring[i] >= 'A') && (CNstring[i] <='Z')) &&
++	    !((CNstring[i] >= 'a') && (CNstring[i] <='z')) &&
++	    !((CNstring[i] >= '0') && (CNstring[i] <='9')) &&
++	    (CNstring[i] != '(') && (CNstring[i] != ')') &&
++	    (CNstring[i] != '[') && (CNstring[i] != ']') &&
++	    (CNstring[i] != '{') && (CNstring[i] != '}') &&
++	    (CNstring[i] != '<') && (CNstring[i] != '>') &&
++	    (CNstring[i] != '?') && (CNstring[i] != '!') &&
++	    (CNstring[i] != ';') && (CNstring[i] != ':') &&
++	    (CNstring[i] != '"') && (CNstring[i] != '\'') &&
++	    (CNstring[i] != '/') && (CNstring[i] != '|') &&
++	    (CNstring[i] != '+') && (CNstring[i] != '&') &&
++	    (CNstring[i] != '~') && (CNstring[i] != '@') &&
++	    (CNstring[i] != '#') && (CNstring[i] != '$') &&
++	    (CNstring[i] != '%') && (CNstring[i] != '&') &&
++	    (CNstring[i] != '^') && (CNstring[i] != '*') &&
++	    (CNstring[i] != '_') && (CNstring[i] != '-') &&
++	    (CNstring[i] != '.') && (CNstring[i] != ' '))
++	    CNstring[i] = '?';
++
++    /*
++     * This information will go into the Received: header inside a comment.
++     * Since comments can be nested, parentheses '(' and ')' must match.
++     */
++    parencount = 0;
++    for (i = 0; i < len; i++) {
++	if (CNstring[i] == '(')
++	    parencount++;
++	else if (CNstring[i] == ')')
++	    parencount--;
++    }
++    /*
++     * The necessary condition is violated. Do YOU know, where to correct?
++     * I don't know, so I will practically remove all parentheses.
++     */
++    if (parencount != 0) {
++	for (i = 0; i < len; i++)
++	    if ((CNstring[i] == '(') || (CNstring[i] == ')'))
++		CNstring[i] = '/';
++    }
++}
++
++#endif
+ /* data_cmd - process DATA command */
+ 
+ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
+ {
+     char   *err;
+     char   *start;
++#ifdef USE_TLS
++    char   *peer_CN;
++    char   *issuer_CN;
++#endif
+     int     len;
+     int     curr_rec_type;
+     int     prev_rec_type;
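Review bot: the parenthesis check only tests the final `parencount`, so a CN such as `)(` sums to zero, passes, and still closes the enclosing Received: comment early; track the running depth and treat any negative value as a violation. The sanitizer also keeps `"` even though `data_cmd` embeds the result inside `\"%s\"`, so a CN containing a double quote can end the quoted string (backslash is already mapped to `?`, so at least no escape sequences get through); replace or escape `"` as well. Minor: `'&'` appears twice in the allow list, and the whole test would be far shorter as an `isalnum()` check on the character cast to `unsigned char` plus a `strchr` over one constant string of the permitted punctuation.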
+@@ -1601,9 +1706,42 @@
+      */
+     if (!state->proxy || state->xforward.flags == 0) {
+ 	out_fprintf(out_stream, REC_TYPE_NORM,
+-		    "Received: from %s (%s [%s])",
++		    "Received: from %s (%s [%s%s])",
+ 		    state->helo_name ? state->helo_name : state->name,
+-		    state->name, state->addr);
++		    state->name, state->addr_tag, state->addr);
++#ifdef USE_TLS
++#ifdef USE_SSL
++	if (var_smtpd_tls_received_header && state->tls_active) {
++	    out_fprintf(out_stream, REC_TYPE_NORM,
++			"\t(using %s with cipher %s (%d/%d bits))",
++			state->tls_info.protocol, state->tls_info.cipher_name,
++			state->tls_info.cipher_usebits,
++			state->tls_info.cipher_algbits);
++	    if (state->tls_info.peer_CN) {
++		peer_CN = mystrdup(state->tls_info.peer_CN);
++		CN_sanitize(peer_CN);
++		issuer_CN = mystrdup(state->tls_info.issuer_CN);
++		CN_sanitize(issuer_CN);
++		if (state->tls_info.peer_verified)
++		    out_fprintf(out_stream, REC_TYPE_NORM,
++			"\t(Client CN \"%s\", Issuer \"%s\" (verified OK))",
++			peer_CN, issuer_CN);
++		else
++		    out_fprintf(out_stream, REC_TYPE_NORM,
++			"\t(Client CN \"%s\", Issuer \"%s\" (not verified))",
++			peer_CN, issuer_CN);
++		myfree(issuer_CN);
++		myfree(peer_CN);
++	    }
++	    else if (var_smtpd_tls_ask_ccert)
++		out_fprintf(out_stream, REC_TYPE_NORM,
++			    "\t(Client did not present a certificate)");
++	    else
++		out_fprintf(out_stream, REC_TYPE_NORM,
++			    "\t(No client certificate requested)");
++	}
++#endif
++#endif
+ 	if (state->rcpt_count == 1 && state->recipient) {
+ 	    out_fprintf(out_stream, REC_TYPE_NORM,
+ 			state->cleanup ? "\tby %s (%s) with %s id %s" :
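Review bot: `mystrdup(state->tls_info.issuer_CN)` runs whenever `peer_CN` is set, but an issuer DN can lack a CN and Postfix's `mystrdup` panics on a NULL argument; unless pfixtls guarantees a non-NULL `issuer_CN` whenever `peer_CN` is set, guard it (or substitute an empty string) before the copy. The `%s%s` with `state->addr_tag` in the `Received:` line is again an IPv6 change riding in the TLS patch.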
+@@ -2310,6 +2448,92 @@
+     }
+ }
+ 
++#ifdef USE_TLS
++static int starttls_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
++{
++    char   *err;
++
++#ifdef USE_SSL
++    if (argc != 1) {
++	state->error_mask |= MAIL_ERROR_PROTOCOL;
++	smtpd_chat_reply(state, "501 Syntax: STARTTLS");
++	return (-1);
++    }
++    if (state->tls_active != 0) {
++	state->error_mask |= MAIL_ERROR_PROTOCOL;
++	smtpd_chat_reply(state, "554 Error: TLS already active");
++	return (-1);
++    }
++    if (state->tls_use_tls == 0) {
++	state->error_mask |= MAIL_ERROR_PROTOCOL;
++	smtpd_chat_reply(state, "502 Error: command not implemented");
++	return (-1);
++    }
++    if (!pfixtls_serverengine) {
++	smtpd_chat_reply(state, "454 TLS not available due to temporary reason");
++	return (0);
++    }
++    smtpd_chat_reply(state, "220 Ready to start TLS");
++    vstream_fflush(state->client);
++    /*
++     * When deciding about continuing the handshake, we will stop when a
++     * client certificate was _required_ and none was presented or the
++     * verification failed. This however does only make sense when TLS is
++     * enforced. Otherwise we would happily perform perform the SMTP
++     * transaction without any STARTTLS at all! So only have the handshake
++     * fail when TLS is also enforced.
++     */
++    if (pfixtls_start_servertls(state->client, var_smtpd_starttls_tmout,
++				state->name, state->addr, &(state->tls_info),
++			(var_smtpd_tls_req_ccert && state->tls_enforce_tls))) {
++	/*
++         * Typically the connection is hanging at this point, so
++         * we should try to shut it down by force! Unfortunately this
++         * problem is not addressed in postfix!
++         */
++	return (-1);
++    }
++    state->tls_active = 1;
++    helo_reset(state);
++#ifdef USE_SASL_AUTH
++    if (var_smtpd_sasl_enable) {
++	/*
++	 * When TLS is enabled, another set of AUTH methods may be offered,
++	 * for example plain text methods that would not be offered without
++	 * encryption protection. Reconnect with a different set of options.
++	 */
++	smtpd_sasl_disconnect(state);
++	smtpd_sasl_connect(state, VAR_SMTPD_SASL_TLS_OPTS,
++			   var_smtpd_sasl_tls_opts);
++	smtpd_sasl_auth_reset(state);
++    }
++#endif
++    mail_reset(state);
++    rcpt_reset(state);
++    return (0);
++#else
++    state->error_mask |= MAIL_ERROR_PROTOCOL;
++    smtpd_chat_reply(state, "502 Error: command not implemented");
++    return (-1);
++#endif
++}
++
++static void tls_reset(SMTPD_STATE *state)
++{
++    int failure = 0;
++
++    if (state->reason && state->where && strcmp(state->where, SMTPD_AFTER_DOT))
++	failure = 1;
++#ifdef USE_SSL
++    vstream_fflush(state->client);
++    if (state->tls_active)
++	pfixtls_stop_servertls(state->client, var_smtpd_starttls_tmout,
++			       failure, &(state->tls_info));
++#endif
++    state->tls_active = 0;
++}
++
++#endif
+  /*
+   * The table of all SMTP commands that we know. Set the junk limit flag on
+   * any command that can be repeated an arbitrary number of times without
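Review bot: `char *err;` in `starttls_cmd` is declared and never used. On the handshake-failure path the function returns -1 and the comment concedes the connection is probably hanging; that is only safe because the command loop breaks out after a failed `starttls_cmd`, so say that here instead of "not addressed in postfix". In `tls_reset`, `failure` is computed outside the `USE_SSL` block but used only inside it, which gives an unused-variable warning in a USE_TLS-only build.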
+@@ -2328,6 +2552,12 @@
+     "HELO", helo_cmd, SMTPD_CMD_FLAG_LIMIT,
+     "EHLO", ehlo_cmd, SMTPD_CMD_FLAG_LIMIT,
+ 
++#ifdef USE_TLS
++#ifdef USE_SSL
++    "STARTTLS", starttls_cmd, 0,
++#endif
++#endif
++
+ #ifdef USE_SASL_AUTH
+     "AUTH", smtpd_sasl_auth_cmd, 0,
+ #endif
+@@ -2488,9 +2718,36 @@
+ 		state->error_count++;
+ 		continue;
+ 	    }
++#ifdef USE_TLS
++	    if (state->tls_enforce_tls &&
++		!state->tls_active &&
++		cmdp->action != starttls_cmd &&
++		cmdp->action != noop_cmd &&
++		cmdp->action != ehlo_cmd &&
++		cmdp->action != quit_cmd) {
++		smtpd_chat_reply(state,
++				 "530 Must issue a STARTTLS command first");
++		state->error_count++;
++		continue;
++	    }
++#endif
+ 	    state->where = cmdp->name;
++#ifndef USE_TLS
+ 	    if (cmdp->action(state, argc, argv) != 0)
++#else
++	    if (cmdp->action(state, argc, argv) != 0) {
++#endif
+ 		state->error_count++;
++#ifdef USE_TLS
++		/*
++		 * Die after TLS negotiation failure, as there is no
++		 * stable way to recover from a possible mixture of
++		 * TLS and SMTP protocol from the client.
++		 */
++		if (cmdp->action == starttls_cmd)
++		    break;
++	    }
++#endif
+ 	    if ((cmdp->flags & SMTPD_CMD_FLAG_LIMIT)
+ 		&& state->junk_cmds++ > var_smtpd_junk_cmd_limit)
+ 		state->error_count++;
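Review bot: the `#ifndef USE_TLS` / `#else` pair whose only purpose is to add an opening brace is hard to read and easy to break on the next rebase; always use the braced form `if (cmdp->action(state, argc, argv) != 0) { ... }` and keep only the `starttls_cmd` test under `#ifdef USE_TLS`. The 530 allow list (STARTTLS, NOOP, EHLO, QUIT, with HELO refused) is the right set for an enforce-TLS server.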
+@@ -2530,6 +2787,9 @@
+      * Cleanup whatever information the client gave us during the SMTP
+      * dialog.
+      */
++#ifdef USE_TLS
++    tls_reset(state);
++#endif
+     helo_reset(state);
+ #ifdef USE_SASL_AUTH
+     if (var_smtpd_sasl_enable)
+@@ -2562,6 +2822,60 @@
+      * machines.
+      */
+     smtpd_state_init(&state, stream);
++#ifdef USE_TLS
++
++#ifdef USE_SSL
++    if (SMTPD_STAND_ALONE((&state))) {
++	state.tls_use_tls = 0;
++	state.tls_enforce_tls = 0;
++	state.tls_auth_only = 0;
++    }
++    else {
++	state.tls_use_tls = var_smtpd_use_tls | var_smtpd_enforce_tls;
++	state.tls_enforce_tls = var_smtpd_enforce_tls;
++	if (var_smtpd_tls_wrappermode) {
++	    /*
++	     * TLS has been set to wrapper mode, meaning that we run on a
++	     * seperate port and we must switch to TLS layer before actually
++	     * performing the SMTP protocol. This implies enforce-mode.
++	     */
++	    state.tls_use_tls = state.tls_enforce_tls = 1;
++	    if (pfixtls_start_servertls(state.client, var_smtpd_starttls_tmout,
++					state.name, state.addr, &state.tls_info,
++					var_smtpd_tls_req_ccert)) {
++	    /*
++	     * Typically the connection is hanging at this point, so
++	     * we should try to shut it down by force! Unfortunately this
++	     * problem is not addressed in postfix!
++	     */
++		return;
++	    }
++	    state.tls_active = 1;
++#ifdef USE_SASL_AUTH
++	    if (var_smtpd_sasl_enable) {
++		/*
++		 * When TLS is enabled, another set of AUTH methods may be
++		 * offered, for example plain text methods that would not be
++		 * offered without encryption protection. Reconnect with a
++		 * different set of options.
++		 */
++		smtpd_sasl_disconnect(&state);
++		smtpd_sasl_connect(&state, VAR_SMTPD_SASL_TLS_OPTS,
++				   var_smtpd_sasl_tls_opts);
++		smtpd_sasl_auth_reset(&state);
++    	    }
++#endif
++	}
++	if (var_smtpd_tls_auth_only || state.tls_enforce_tls)
++	    state.tls_auth_only = 1;
++    }
++#else
++    state.tls_use_tls = 0;
++    state.tls_enforce_tls = 0;
++    state.tls_auth_only = 0;
++#endif
++
++#endif
+     msg_info("connect from %s[%s]", state.name, state.addr);
+ 
+     /*
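Review bot: in wrapper mode a failed `pfixtls_start_servertls` returns from the service routine before `msg_info("connect from %s[%s]", ...)` runs, so a client probing the TLS port or one with a broken TLS stack leaves no log entry at all; log the connection (or the failure) before the `return`. The SASL disconnect/reconnect block is a verbatim copy of the one in `starttls_cmd` and should be a helper called from both. Also, `var_smtpd_tls_req_ccert` is passed here unconditionally whereas `starttls_cmd` passes `var_smtpd_tls_req_ccert && state->tls_enforce_tls`; that is consistent only because wrapper mode forces `tls_enforce_tls = 1` two lines earlier, which deserves a comment.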
+@@ -2611,7 +2925,9 @@
+ 
+ static void pre_jail_init(char *unused_name, char **unused_argv)
+ {
++#ifndef USE_TLS
+ 
++#endif
+     /*
+      * Initialize blacklist/etc. patterns before entering the chroot jail, in
+      * case they specify a filename pattern.
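Review bot: the `#ifndef USE_TLS` / `#endif` pair here is empty, as are the `#ifdef USE_TLS` blocks added at the end of `post_jail_init` and after `main`; they look like leftovers from an earlier version of the patch and should be removed.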
+@@ -2639,6 +2955,23 @@
+ 	msg_warn("%s is true, but SASL support is not compiled in",
+ 		 VAR_SMTPD_SASL_ENABLE);
+ #endif
++#ifdef USE_TLS
++    /*
++     * Keys can only be loaded when running with superuser permissions.
++     * When called from "sendmail -bs" this is not the case, but STARTTLS
++     * is not used in this scenario anyhow.
++     */
++    if (geteuid() == 0) {
++      if (var_smtpd_use_tls || var_smtpd_enforce_tls
++	  || var_smtpd_tls_wrappermode)
++#ifdef USE_SSL
++	pfixtls_init_serverengine(var_smtpd_tls_ccert_vd,
++				  var_smtpd_tls_ask_ccert);
++#else
++	msg_warn("TLS has been selected but TLS support is not compiled in");
++#endif
++    }
++#endif
+ 
+     /*
+      * flush client.
+@@ -2677,6 +3010,9 @@
+     if (var_smtpd_crate_limit || var_smtpd_cconn_limit)
+ 	anvil_clnt = anvil_clnt_create();
+ #endif
++#ifdef USE_TLS
++
++#endif
+ }
+ 
+ /* main - the main program */
+@@ -2713,6 +3049,11 @@
+ 	VAR_SMTPD_CRATE_LIMIT, DEF_SMTPD_CRATE_LIMIT, &var_smtpd_crate_limit, 0, 0,
+ 	VAR_SMTPD_CCONN_LIMIT, DEF_SMTPD_CCONN_LIMIT, &var_smtpd_cconn_limit, 0, 0,
+ #endif
++#ifdef USE_TLS
++#ifdef USE_SSL
++	VAR_SMTPD_TLS_CCERT_VD, DEF_SMTPD_TLS_CCERT_VD, &var_smtpd_tls_ccert_vd, 0, 0,
++#endif
++#endif
+ 	0,
+     };
+     static CONFIG_TIME_TABLE time_table[] = {
+@@ -2723,6 +3064,11 @@
+ 	VAR_SMTPD_POLICY_TMOUT, DEF_SMTPD_POLICY_TMOUT, &var_smtpd_policy_tmout, 1, 0,
+ 	VAR_SMTPD_POLICY_IDLE, DEF_SMTPD_POLICY_IDLE, &var_smtpd_policy_idle, 1, 0,
+ 	VAR_SMTPD_POLICY_TTL, DEF_SMTPD_POLICY_TTL, &var_smtpd_policy_ttl, 1, 0,
++#ifdef USE_TLS
++#ifdef USE_SSL
++	VAR_SMTPD_STARTTLS_TMOUT, DEF_SMTPD_STARTTLS_TMOUT, &var_smtpd_starttls_tmout, 1, 0,
++#endif
++#endif
+ 	0,
+     };
+     static CONFIG_BOOL_TABLE bool_table[] = {
+@@ -2736,6 +3082,17 @@
+ 	VAR_SHOW_UNK_RCPT_TABLE, DEF_SHOW_UNK_RCPT_TABLE, &var_show_unk_rcpt_table,
+ 	VAR_SMTPD_REJ_UNL_FROM, DEF_SMTPD_REJ_UNL_FROM, &var_smtpd_rej_unl_from,
+ 	VAR_SMTPD_REJ_UNL_RCPT, DEF_SMTPD_REJ_UNL_RCPT, &var_smtpd_rej_unl_rcpt,
++#ifdef USE_TLS
++	VAR_SMTPD_USE_TLS, DEF_SMTPD_USE_TLS, &var_smtpd_use_tls,
++	VAR_SMTPD_ENFORCE_TLS, DEF_SMTPD_ENFORCE_TLS, &var_smtpd_enforce_tls,
++	VAR_SMTPD_TLS_WRAPPER, DEF_SMTPD_TLS_WRAPPER, &var_smtpd_tls_wrappermode,
++#ifdef USE_SSL
++	VAR_SMTPD_TLS_AUTH_ONLY, DEF_SMTPD_TLS_AUTH_ONLY, &var_smtpd_tls_auth_only,
++	VAR_SMTPD_TLS_ACERT, DEF_SMTPD_TLS_ACERT, &var_smtpd_tls_ask_ccert,
++	VAR_SMTPD_TLS_RCERT, DEF_SMTPD_TLS_RCERT, &var_smtpd_tls_req_ccert,
++	VAR_SMTPD_TLS_RECHEAD, DEF_SMTPD_TLS_RECHEAD, &var_smtpd_tls_received_header,
++#endif
++#endif
+ 	0,
+     };
+     static CONFIG_STR_TABLE str_table[] = {
+@@ -2777,6 +3134,12 @@
+ #ifdef SNAPSHOT
+ 	VAR_SMTPD_HOGGERS, DEF_SMTPD_HOGGERS, &var_smtpd_hoggers, 0, 0,
+ #endif
++#ifdef USE_TLS
++#ifdef USE_SSL
++	VAR_RELAY_CCERTS, DEF_RELAY_CCERTS, &var_relay_ccerts, 0, 0,
++	VAR_SMTPD_SASL_TLS_OPTS, DEF_SMTPD_SASL_TLS_OPTS, &var_smtpd_sasl_tls_opts, 0, 0,
++#endif
++#endif
+ 	0,
+     };
+     static CONFIG_RAW_TABLE raw_table[] = {
+@@ -2799,3 +3162,6 @@
+ 		       MAIL_SERVER_POST_INIT, post_jail_init,
+ 		       0);
+ }
++#ifdef USE_TLS
++
++#endif
+diff -urNad postfix-release/src/smtpd/smtpd_check.c /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_check.c
+--- postfix-release/src/smtpd/smtpd_check.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_check.c	2005-02-03 10:22:13.074093565 -0700
+@@ -151,6 +151,7 @@
+ #include <setjmp.h>
+ #include <stdlib.h>
+ #include <unistd.h>
++#include <errno.h>
+ 
+ #ifdef STRCASECMP_IN_STRINGS_H
+ #include <strings.h>
+@@ -185,6 +186,9 @@
+ #include <string_list.h>
+ #include <namadr_list.h>
+ #include <domain_list.h>
++#ifdef USE_TLS
++#include <string_list.h>
++#endif
+ #include <mail_params.h>
+ #include <canon_addr.h>
+ #include <resolve_clnt.h>
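Review bot: `<string_list.h>` is already included two lines above the new `#ifdef USE_TLS` block, so the guarded include is a duplicate and should be removed; likewise check whether the `<errno.h>` added in the previous hunk is needed by any change in this file.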
+@@ -269,6 +273,11 @@
+ static DOMAIN_LIST *relay_domains;
+ static NAMADR_LIST *mynetworks;
+ static NAMADR_LIST *perm_mx_networks;
++#ifdef USE_TLS
++#ifdef USE_SSL
++static MAPS *relay_ccerts;
++#endif
++#endif
+ 
+  /*
+   * How to do parent domain wildcard matching, if any.
+@@ -352,6 +361,8 @@
+     defer_if(&(state)->defer_if_reject, (class), (fmt), (a1), (a2))
+ #define DEFER_IF_REJECT3(state, class, fmt, a1, a2, a3) \
+     defer_if(&(state)->defer_if_reject, (class), (fmt), (a1), (a2), (a3))
++#define DEFER_IF_REJECT4(state, class, fmt, a1, a2, a3, a4) \
++    defer_if(&(state)->defer_if_reject, (class), (fmt), (a1), (a2), (a3), (a4))
+ #define DEFER_IF_PERMIT2(state, class, fmt, a1, a2) do { \
+     if ((state)->warn_if_reject == 0) \
+ 	defer_if(&(state)->defer_if_permit, (class), (fmt), (a1), (a2)); \
+@@ -563,6 +574,12 @@
+     perm_mx_networks =
+ 	namadr_list_init(match_parent_style(VAR_PERM_MX_NETWORKS),
+ 			 var_perm_mx_networks);
++#ifdef USE_TLS
++#ifdef USE_SSL
++    relay_ccerts = maps_create(VAR_RELAY_CCERTS, var_relay_ccerts,
++			       DICT_FLAG_LOCK);
++#endif
++#endif
+ 
+     /*
+      * Pre-parse and pre-open the recipient maps.
+@@ -1056,6 +1073,38 @@
+ 
+ static int permit_auth_destination(SMTPD_STATE *state, char *recipient);
+ 
++#ifdef USE_TLS
++/* permit_tls_clientcerts - OK/DUNNO for message relaying */
++
++#ifdef USE_SSL
++static int permit_tls_clientcerts(SMTPD_STATE *state, int permit_all_certs)
++{
++    char   *low_name;
++    const char *found;
++
++    if (state->tls_info.peer_verified && permit_all_certs) {
++	if (msg_verbose)
++	    msg_info("Relaying allowed for all verified client certificates");
++	return(SMTPD_CHECK_OK);
++    }
++
++    if (state->tls_info.peer_verified && state->tls_info.peer_fingerprint) {
++	low_name = lowercase(mystrdup(state->tls_info.peer_fingerprint));
++	found = maps_find(relay_ccerts, low_name, DICT_FLAG_FIXED);
++	myfree(low_name);
++	if (found) {
++	    if (msg_verbose)
++		msg_info("Relaying allowed for certified client: %s", found);
++	    return (SMTPD_CHECK_OK);
++	} else if (msg_verbose)
++	    msg_info("relay_clientcerts: No match for fingerprint '%s'",
++		     state->tls_info.peer_fingerprint);
++    }
++    return (SMTPD_CHECK_DUNNO);
++}
++#endif
++
++#endif
+ /* check_relay_domains - OK/FAIL for message relaying */
+ 
+ static int check_relay_domains(SMTPD_STATE *state, char *recipient,
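Review bot: the `permit_all_certs` branch grants relaying to any client whose certificate merely chains to a trusted CA (`state->tls_info.peer_verified`), which is far broader than the fingerprint lookup in `relay_ccerts` below; the documentation for that restriction should state this scope explicitly so that it is not confused with the fingerprint-based `permit_tls_clientcerts`. Two smaller points: the header comment `/* permit_tls_clientcerts - OK/DUNNO for message relaying */` sits outside `#ifdef USE_SSL` while the function is inside it, leaving a stray comment when USE_SSL is not defined; and because the fingerprint is passed through `lowercase()` before `maps_find()`, the table keys must be lowercase hex, which belongs in the parameter documentation.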
+@@ -1196,8 +1245,16 @@
+ static int all_auth_mx_addr(SMTPD_STATE *state, char *host,
+ 		            const char *reply_name, const char *reply_class)
+ {
++    size_t len;
+     char   *myname = "all_auth_mx_addr";
+-    struct in_addr addr;
++    char   *addr;
++    struct in_addr addr4;
++#ifdef INET6
++    struct in6_addr addr6;
++    char   hbuf[NI_MAXHOST];
++#else
++    char   *hbuf;
++#endif
+     DNS_RR *rr;
+     DNS_RR *addr_list;
+     int     dns_status;
+@@ -1214,7 +1271,9 @@
+     /*
+      * Verify that all host addresses are within permit_mx_backup_networks.
+      */
+-    dns_status = dns_lookup(host, T_A, 0, &addr_list, (VSTRING *) 0, (VSTRING *) 0);
++    dns_status = dns_lookup_types(host, 0, (DNS_RR **) &addr_list,
++				  (VSTRING *) 0,
++				  (VSTRING *) 0, RR_ADDR_TYPES, 0);
+     if (dns_status != DNS_OK) {
+ 	DEFER_IF_REJECT3(state, MAIL_ERROR_POLICY,
+ 	"450 <%s>: %s rejected: Unable to look up host %s as mail exchanger",
+@@ -1222,16 +1281,28 @@
+ 	return (NOPE);
+     }
+     for (rr = addr_list; rr != 0; rr = rr->next) {
+-	if (rr->data_len > sizeof(addr)) {
++#ifdef INET6
++	if (rr->type == T_AAAA)
++	    len = sizeof(addr6), addr = (char *) &addr6;
++	else /* T_A */
++#endif
++	    len = sizeof(addr4), addr = (char *) &addr4;
++	if (rr->data_len > len) {
+ 	    msg_warn("%s: skipping address length %d for host %s",
+ 		     state->queue_id, rr->data_len, host);
+ 	    continue;
+ 	}
+-	memcpy((char *) &addr, rr->data, sizeof(addr));
++	memcpy(addr, rr->data, len);
++#ifdef INET6
++	inet_ntop(rr->type == T_AAAA ? AF_INET6 : AF_INET,
++		addr, hbuf, sizeof(hbuf));
++#else
++	hbuf = inet_ntoa(*(struct in_addr *)addr);
++#endif
+ 	if (msg_verbose)
+-	    msg_info("%s: checking: %s", myname, inet_ntoa(addr));
++	    msg_info("%s: checking: %s", myname, hbuf);
+ 
+-	if (!namadr_list_match(perm_mx_networks, host, inet_ntoa(addr))) {
++	if (!namadr_list_match(perm_mx_networks, host, hbuf)) {
+ 
+ 	    /*
+ 	     * Reject: at least one IP address is not listed in
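Review bot: the return value of `inet_ntop()` is not checked; if it fails, `hbuf` is uninitialized when it reaches `msg_info()` and `namadr_list_match()`. Test for a NULL result and handle it like the oversized-record case (warn and `continue`). Also, `rr->data_len` (an int, printed with `%d`) is now compared against `len`, a `size_t`, so a negative length would pass the `rr->data_len > len` check after promotion; cast consistently or compare as signed.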
+@@ -1239,7 +1310,7 @@
+ 	     */
+ 	    if (msg_verbose)
+ 		msg_info("%s: address %s for %s does not match %s",
+-		       myname, inet_ntoa(addr), host, VAR_PERM_MX_NETWORKS);
++		       myname, hbuf, host, VAR_PERM_MX_NETWORKS);
+ 	    dns_rr_free(addr_list);
+ 	    return (NOPE);
+ 	}
+@@ -1253,6 +1324,50 @@
+ static int has_my_addr(SMTPD_STATE *state, const char *host,
+ 		            const char *reply_name, const char *reply_class)
+ {
++#ifdef INET6
++    char   *myname = "has_my_addr";
++    struct addrinfo hints, *res, *res0;
++    int error;
++    char hbuf[NI_MAXHOST];
++
++    if (msg_verbose)
++	msg_info("%s: host %s", myname, host);
++
++    /*
++     * If we can't lookup the host, defer rather than reject
++     */
++#define YUP	1
++#define NOPE	0
++
++    memset(&hints, 0, sizeof(hints));
++    hints.ai_family = PF_UNSPEC;
++    hints.ai_socktype = SOCK_DGRAM;
++    error = getaddrinfo(host, NULL, &hints, &res0);
++    if (error) {
++	DEFER_IF_REJECT4(state, MAIL_ERROR_POLICY,
++	  "450 <%s>: %s rejected: Mail exchanger lookup error for %s: %s",
++			 reply_name, reply_class, host, gai_strerror(error));
++	return (NOPE);
++    }
++    for (res = res0; res; res = res->ai_next) {
++	if (msg_verbose) {
++	    if (getnameinfo(res->ai_addr, res->ai_addrlen, hbuf, sizeof(hbuf),
++		    NULL, 0, NI_NUMERICHOST)) {
++		strncpy(hbuf, "???", sizeof(hbuf));
++	    }
++	    msg_info("%s: addr %s", myname, hbuf);
++	}
++	if (own_inet_addr(res->ai_addr)) {
++	    freeaddrinfo(res0);
++	    return (YUP);
++	}
++    }
++    freeaddrinfo(res0);
++    if (msg_verbose)
++	msg_info("%s: host %s: no match", myname, host);
++
++    return (NOPE);
++#else
+     char   *myname = "has_my_addr";
+     struct in_addr addr;
+     char  **cpp;
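Review bot: `#define YUP 1` and `#define NOPE 0` are now defined inside the INET6 branch and again in the original code kept in the `#else` branch; hoist them above the `#ifdef INET6` so there is a single definition. Also, every `getaddrinfo()` failure, including a permanent `EAI_NONAME`, produces a 450 deferral via `DEFER_IF_REJECT4`; consider deferring only on temporary errors and returning NOPE otherwise, as the hostname verification in smtpd_peer.c in this same patch does with `error == EAI_AGAIN ? SMTPD_PEER_CODE_TEMP : SMTPD_PEER_CODE_PERM`.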
+@@ -1291,6 +1406,7 @@
+ 	msg_info("%s: host %s: no match", myname, host);
+ 
+     return (NOPE);
++#endif
+ }
+ 
+ /* i_am_mx - is this machine listed as MX relay */
+@@ -2029,6 +2145,10 @@
+     char   *addr;
+     const char *value;
+     DICT   *dict;
++    int     delim;
++#ifdef INET6
++    struct in6_addr a6;
++#endif
+ 
+     if (msg_verbose)
+ 	msg_info("%s: %s", myname, address);
+@@ -2039,6 +2159,12 @@
+ #define CHK_ADDR_RETURN(x,y) { *found = y; return(x); }
+ 
+     addr = STR(vstring_strcpy(error_text, address));
++#ifdef INET6
++    if (inet_pton(AF_INET6, addr, &a6) == 1)
++	delim = ':';
++    else
++#endif
++	delim = '.';
+ 
+     if ((dict = dict_handle(table)) == 0)
+ 	msg_panic("%s: dictionary not found: %s", myname, table);
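Review bot: choosing `delim = ':'` and then stripping components with `split_at_right()` applies textual prefix matching to IPv6 literals, but the text form of an IPv6 address is not canonical: `2001:db8::1` and `2001:db8:0:0:0:0:0:1` (a constructed example) yield different prefixes, and `::` compression means a table entry like `2001:db8:` does not match the way a dotted IPv4 prefix does. Either normalize the address text before the loop (the parsed `a6` value from the `inet_pton()` test is already available for that) or document that IPv6 access-table prefixes must be written in the exact textual form of the connecting address.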
+@@ -2052,7 +2178,7 @@
+ 		msg_fatal("%s: table lookup problem", table);
+ 	}
+ 	flags = PARTIAL;
+-    } while (split_at_right(addr, '.'));
++    } while (split_at_right(addr, delim));
+ 
+     CHK_ADDR_RETURN(SMTPD_CHECK_DUNNO, MISSED);
+ }
+@@ -2110,11 +2236,17 @@
+     DNS_RR *server_list;
+     DNS_RR *server;
+     int     found = 0;
++#ifdef INET6
++    int     error;
++    char   *addr;
++    struct addrinfo hints, *res, *res0;
++#else
+     struct in_addr addr;
+     struct hostent *hp;
++    char  **cpp;
++#endif
+     char   *addr_string;
+     int     status;
+-    char  **cpp;
+     static DNS_FIXED fixed;
+ 
+     /*
+@@ -2175,6 +2307,50 @@
+     /*
+      * Check the hostnames first, then the addresses.
+      */
++#ifdef INET6
++    memset(&hints, 0, sizeof(hints));
++    hints.ai_family = PF_UNSPEC;
++    hints.ai_socktype = SOCK_DGRAM;
++    hints.ai_flags = AI_CANONNAME;
++    for (server = server_list; server != 0; server = server->next) {
++	error = getaddrinfo((char *)server->data, NULL, &hints, &res0);
++	if (error) {
++	    msg_warn("Unable to look up %s host %s for %s %s: %s",
++		dns_strtype(type), (char *) server->data,
++		reply_class, reply_name, GAI_STRERROR(error));
++	    continue;
++	}
++	if (msg_verbose)
++	    msg_info("%s: %s hostname check: %s",
++		     myname, dns_strtype(type), (char *) server->data);
++	if ((status = check_domain_access(state, table, (char *) server->data,
++					  FULL, &found, reply_name, reply_class,
++					  def_acl)) != 0 || found)
++	    CHECK_SERVER_RETURN(status);
++	for (res = res0; res; res = res->ai_next) {
++	    switch (res->ai_family) {
++	    case AF_INET6:
++		addr = (char *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
++		break;
++	    case AF_INET:
++		addr = (char *)&((struct sockaddr_in *)res->ai_addr)->sin_addr;
++		break;
++	    default:
++		msg_warn("%s: unknown address family %d for %s",
++			 myname, res->ai_family, (char *) server->data);
++		continue;
++	    }
++	    addr_string = mymalloc(NI_MAXHOST);
++	    inet_ntop(res->ai_family, addr, addr_string, NI_MAXHOST);
++	    status = check_addr_access(state, table, addr_string, FULL,
++				       &found, reply_name, reply_class,
++				       def_acl);
++	    myfree(addr_string);
++	    if (status != 0 || found)
++		CHECK_SERVER_RETURN(status);
++	}
++    }
++#else
+     for (server = server_list; server != 0; server = server->next) {
+ 	if (msg_verbose)
+ 	    msg_info("%s: %s hostname check: %s",
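Review bot: `res0` from `getaddrinfo()` is never released: there is no `freeaddrinfo(res0)` after the inner loop, and the `CHECK_SERVER_RETURN(status)` exits leave it allocated too, so every MX/NS hostname checked here leaks. Free it before each early return and after the inner loop. Two further points: `GAI_STRERROR()` is used at the `msg_warn()` call, but the only definition in this patch is in smtpd_peer.c under `#ifdef INET6`, so this file will not compile unless the macro also comes from a shared header; and the per-address `mymalloc(NI_MAXHOST)`/`myfree()` pair could be a stack buffer like the `hbuf[NI_MAXHOST]` used in has_my_addr(), with the `inet_ntop()` result checked for NULL.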
+@@ -2210,6 +2386,7 @@
+ 		CHECK_SERVER_RETURN(status);
+ 	}
+     }
++#endif
+     CHECK_SERVER_RETURN(SMTPD_CHECK_DUNNO);
+ }
+ 
+@@ -2475,6 +2652,7 @@
+      * Do the query. If the DNS lookup produces no definitive reply, give the
+      * requestor the benefit of the doubt. We can't block all email simply
+      * because an RBL server is unavailable.
++     * Don't do this for AAAA records. Yet.
+      */
+     why = vstring_alloc(10);
+     dns_status = dns_lookup(query, T_A, 0, &addr_list, (VSTRING *) 0, why);
+@@ -2644,12 +2822,15 @@
+     int     i;
+     SMTPD_RBL_STATE *rbl;
+     const char *reply_addr;
++#ifdef INET6
++    struct in_addr a;
++#endif
+ 
+     if (msg_verbose)
+ 	msg_info("%s: %s %s", myname, reply_class, addr);
+ 
+     /*
+-     * IPv4 only for now
++     * IPv4 / IPv6-mapped IPv4 (if supported) only for now
+      */
+ #ifdef INET6
+     if (inet_pton(AF_INET, addr, &a) != 1)
+@@ -3238,6 +3419,14 @@
+ #else
+ 		msg_warn("restriction `%s' ignored: no SASL support", name);
+ #endif
++#ifdef USE_TLS
++#ifdef USE_SSL
++	} else if (strcasecmp(name, PERMIT_TLS_ALL_CLIENTCERTS) == 0) {
++	  status = permit_tls_clientcerts(state, 1);
++	} else if (strcasecmp(name, PERMIT_TLS_CLIENTCERTS) == 0) {
++	  status = permit_tls_clientcerts(state, 0);
++#endif
++#endif
+ 	} else if (strcasecmp(name, REJECT_UNKNOWN_RCPTDOM) == 0) {
+ 	    if (state->recipient)
+ 		status = reject_unknown_address(state, state->recipient,
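Review bot: when TLS support is compiled out, the `permit_tls_clientcerts` and `permit_tls_all_clientcerts` restriction names fall through to the rest of the `else if` chain instead of being reported, unlike the SASL case directly above which logs `restriction ... ignored: no SASL support`. Add a matching `#else` branch that warns the restriction is ignored without TLS support, so a relay policy that silently lost its certificate check is visible in the logs. The two `status = permit_tls_clientcerts(...)` lines are also indented with two spaces rather than the tab used elsewhere in this function.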
+@@ -3948,6 +4137,9 @@
+ char   *var_etrn_checks = "";
+ char   *var_data_checks = "";
+ char   *var_relay_domains = "";
++#ifdef USE_TLS
++char   *var_relay_ccerts = "";
++#endif
+ char   *var_mynetworks = "";
+ char   *var_notify_classes = "";
+ 
+diff -urNad postfix-release/src/smtpd/smtpd.h /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd.h
+--- postfix-release/src/smtpd/smtpd.h	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd.h	2005-02-03 10:22:13.075093342 -0700
+@@ -32,6 +32,9 @@
+   * Global library.
+   */
+ #include <mail_stream.h>
++#ifdef USE_TLS
++#include <pfixtls.h>
++#endif
+ 
+  /*
+   * Variables that keep track of conversation state. There is only one SMTP
+@@ -62,6 +65,7 @@
+     time_t  time;			/* start of MAIL FROM transaction */
+     char   *name;			/* client hostname */
+     char   *addr;			/* client host address string */
++    char   *addr_tag;			/* address family prefix */
+     char   *namaddr;			/* combined name and address */
+     int     peer_code;			/* 2=ok, 4=soft, 5=hard */
+     int     error_count;		/* reset after DOT */
+@@ -136,6 +140,13 @@
+      * XFORWARD server state.
+      */
+     SMTPD_XFORWARD_ATTR xforward;	/* up-stream logging info */
++#ifdef USE_TLS
++    int     tls_active;
++    int     tls_use_tls;
++    int     tls_enforce_tls;
++    int     tls_auth_only;
++    tls_info_t tls_info;
++#endif
+ } SMTPD_STATE;
+ 
+ #define SMTPD_STATE_XFORWARD_INIT  (1<<0)	/* xforward preset done */
+diff -urNad postfix-release/src/smtpd/smtpd_peer.c /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_peer.c
+--- postfix-release/src/smtpd/smtpd_peer.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_peer.c	2005-02-03 10:22:13.076093119 -0700
+@@ -63,6 +63,20 @@
+ #include <netdb.h>
+ #include <string.h>
+ 
++/* Utility library. */
++
++#include <msg.h>
++#include <mymalloc.h>
++#include <valid_hostname.h>
++#include <stringops.h>
++#ifdef INET6
++#include <inet_addr_list.h>	/* for NI_WITHSCOPEID */
++#endif
++
++/* Global library. */
++
++#include <mail_proto.h>
++
+  /*
+   * Older systems don't have h_errno. Even modern systems don't have
+   * hstrerror().
+@@ -84,17 +98,11 @@
+     )
+ #endif
+ 
+-/* Utility library. */
+-
+-#include <msg.h>
+-#include <mymalloc.h>
+-#include <valid_hostname.h>
+-#include <stringops.h>
+-
+-/* Global library. */
+-
+-#include <mail_proto.h>
+-
++#ifdef INET6
++#define GAI_STRERROR(error) \
++	((error == EAI_SYSTEM) ? strerror(errno) : gai_strerror(error))
++#endif
++	
+ /* Application-specific. */
+ 
+ #include "smtpd.h"
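Review bot: `GAI_STRERROR()` is also used in smtpd_check.c in this patch, so the macro belongs in a shared header (next to the existing `HSTRERROR` definition, or in smtpd.h) rather than in a single .c file; its `error` parameter should also be parenthesized as `(error)` in the expansion. The `#endif` is followed by a line containing only a tab, which should be removed.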
+@@ -103,21 +111,24 @@
+ 
+ void    smtpd_peer_init(SMTPD_STATE *state)
+ {
+-    struct sockaddr_in sin;
+-    SOCKADDR_SIZE len = sizeof(sin);
++    char  *myname = "smtpd_peer_init";
++#ifdef INET6
++    struct sockaddr_storage ss;
++#else
++    struct sockaddr ss;
++    struct in_addr *in;
+     struct hostent *hp;
+-    int     i;
++#endif
++    struct sockaddr *sa;
++    SOCKADDR_SIZE len;
+ 
+-    /*
+-     * Avoid suprious complaints from Purify on Solaris.
+-     */
+-    memset((char *) &sin, 0, len);
++    sa = (struct sockaddr *)&ss;
++    len = sizeof(ss);
+ 
+     /*
+      * Look up the peer address information.
+      */
+-    if (getpeername(vstream_fileno(state->client),
+-		    (struct sockaddr *) & sin, &len) >= 0) {
++    if (getpeername(vstream_fileno(state->client), sa, &len) >= 0) {
+ 	errno = 0;
+     }
+ 
+@@ -133,24 +144,111 @@
+     /*
+      * Look up and "verify" the client hostname.
+      */
+-    else if (errno == 0 && sin.sin_family == AF_INET) {
+-	state->addr = mystrdup(inet_ntoa(sin.sin_addr));
+-	hp = gethostbyaddr((char *) &(sin.sin_addr),
+-			   sizeof(sin.sin_addr), AF_INET);
+-	if (hp == 0) {
++    else if (errno == 0 && (sa->sa_family == AF_INET
++#ifdef INET6
++			    || sa->sa_family == AF_INET6
++#endif
++	     )) {
++#ifdef INET6
++	char hbuf[NI_MAXHOST];
++	char abuf[NI_MAXHOST];
++	char rabuf[NI_MAXHOST];
++	struct addrinfo hints, *res0 = NULL, *res;
++	char *colonp;
++#else
++	char abuf[sizeof("255.255.255.255") + 1];
++	char *hbuf;
++#endif
++	int error = -1;
++
++#ifdef INET6
++	error = getnameinfo(sa, len, abuf, sizeof(abuf), NULL, 0,
++			    NI_NUMERICHOST | NI_WITHSCOPEID);
++	if (error)
++	    msg_fatal("%s: numeric getnameinfo lookup for peer: error %s",
++		      myname, GAI_STRERROR(error));
++
++	/*
++	 * Convert an IPv4-mapped IPv6-address to 'true' IPv4 address
++	 * early on. We have no need for the mapped form in logging,
++	 * hostname verification and access checks.
++	 */
++	if (sa->sa_family == AF_INET6
++	    && IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)sa)->sin6_addr)
++	    && (colonp = strrchr(abuf, ':')) != NULL) {
++	    struct addrinfo hints, *res0;
++	    if (msg_verbose > 1)
++		msg_info("%s: rewriting V4-mapped address \"%s\" to \"%s\"",
++			 myname, abuf, colonp + 1);
++	    state->addr = mystrdup(colonp + 1);
++	    /*
++	     * We create new socket information so getnameinfo() will be
++	     * performed on the rewritten IPv4 address.
++	     */
++	    memset(&hints, 0, sizeof(hints));
++	    hints.ai_family = AF_INET;
++	    hints.ai_socktype = SOCK_STREAM;
++	    hints.ai_flags = AI_NUMERICHOST;
++	    error = getaddrinfo(state->addr, NULL, &hints, &res0);
++	    if (error)
++		msg_panic("%s: getaddrinfo(\"%s\", NULL, "
++			  "{AF_INET,SOCK_STREAM,AI_NUMERICHOST}, "
++			  "&res0): %s", myname, state->addr,
++			  GAI_STRERROR(error));
++	    len = res0->ai_addrlen;
++	    memcpy((char *)sa, res0->ai_addr, len);
++	} else {
++	    state->addr = mystrdup(abuf);
++	}
++
++	/*
++	 * RFC 2821 section 4.1.3: IPv6 address literals in SMTP
++	 * mail headers are prepended with tag 'IPv6' and a colon.
++	 */
++	if (sa->sa_family == AF_INET6)
++	    state->addr_tag = "IPv6:";
++
++	error = getnameinfo(sa, len, hbuf, sizeof(hbuf), NULL, 0, NI_NAMEREQD);
++#else
++	in = &((struct sockaddr_in *)sa)->sin_addr;
++	inet_ntop(AF_INET, in, abuf, sizeof(abuf));
++	state->addr = mystrdup(abuf);
++	hbuf = NULL;
++	hp = gethostbyaddr((char *)in, sizeof(*in), AF_INET);
++	if (hp) {
++	    error = 0;
++		hbuf = mystrdup(hp->h_name);
++	} else
++	    error = 1;
++#endif
++	if (error) {
+ 	    state->name = mystrdup(CLIENT_NAME_UNKNOWN);
++#ifdef INET6
++	    if (error != EAI_NONAME)
++		msg_warn("%s: getnameinfo(%s,,,,,,NI_NAMEREQD) error %s",
++			 myname, abuf, GAI_STRERROR(error));
++	    /*
++	     * XXX: There are other error codes from GAI that should
++	     * result in only a temporary error code from this daemon.
++	     * This also applies to get{addr,name}info() results
++	     * below.
++	     */
++	    state->peer_code = (error == EAI_AGAIN ?
++				SMTPD_PEER_CODE_TEMP : SMTPD_PEER_CODE_PERM);
++#else
+ 	    state->peer_code = (h_errno == TRY_AGAIN ?
+ 				SMTPD_PEER_CODE_TEMP : SMTPD_PEER_CODE_PERM);
+-	} else if (valid_hostaddr(hp->h_name, DONT_GRIPE)) {
++#endif
++	} else if (valid_hostaddr(hbuf, DONT_GRIPE)) {
+ 	    msg_warn("numeric result %s in address->name lookup for %s",
+-		     hp->h_name, state->addr);
++		     hbuf, state->addr);
+ 	    state->name = mystrdup(CLIENT_NAME_UNKNOWN);
+ 	    state->peer_code = SMTPD_PEER_CODE_PERM;
+-	} else if (!valid_hostname(hp->h_name, DONT_GRIPE)) {
++	} else if (!valid_hostname(hbuf, DONT_GRIPE)) {
+ 	    state->name = mystrdup(CLIENT_NAME_UNKNOWN);
+ 	    state->peer_code = SMTPD_PEER_CODE_PERM;
+ 	} else {
+-	    state->name = mystrdup(hp->h_name);	/* hp->name is clobbered!! */
++	    state->name = mystrdup(hbuf);
+ 	    state->peer_code = SMTPD_PEER_CODE_OK;
+ 
+ 	    /*
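Review bot: the `getaddrinfo()` result in the IPv4-mapped branch is never freed: the inner `struct addrinfo hints, *res0;` declaration shadows the outer `hints`/`res0`, the address is copied out with `memcpy((char *)sa, res0->ai_addr, len)`, and `res0` then goes out of scope, so each connection from a v4-mapped client leaks one addrinfo list. Call `freeaddrinfo(res0)` right after the memcpy and drop the shadowing declaration. In the non-INET6 branch, `hbuf = mystrdup(hp->h_name)` is likewise never `myfree()`d (and that assignment is mis-indented), and `abuf` is sized `sizeof("255.255.255.255") + 1`, one byte more than needed.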
+@@ -162,17 +260,55 @@
+ 	state->peer_code = code; \
+     }
+ 
+-	    hp = gethostbyname(state->name);	/* clobbers hp->name!! */
++#ifdef INET6
++	    memset(&hints, 0, sizeof(hints));
++	    hints.ai_family = AF_UNSPEC;
++	    hints.ai_socktype = SOCK_STREAM;
++	    error = getaddrinfo(state->name, NULL, &hints, &res0);
++	    if (error) {
++		msg_warn("%s: %s: hostname %s verification failed: %s",
++			 myname, state->addr, state->name,
++			 GAI_STRERROR(error));
++		REJECT_PEER_NAME(state, (error == EAI_AGAIN ?
++				SMTPD_PEER_CODE_TEMP : SMTPD_PEER_CODE_PERM));
++	    } else {
++		for (res = res0; res; res = res->ai_next) {
++		    if (res->ai_family != sa->sa_family)
++			continue;
++		    error = getnameinfo(res->ai_addr, res->ai_addrlen,
++					rabuf, sizeof(rabuf), NULL, 0,
++					NI_NUMERICHOST | NI_WITHSCOPEID);
++		    if (error) {
++			msg_warn("%s: %s: hostname %s verification failed: %s",
++				 myname, state->addr, state->name,
++				 GAI_STRERROR(error));
++			REJECT_PEER_NAME(state, SMTPD_PEER_CODE_TEMP);
++			break;
++		    }
++		    if (strcmp(state->addr, rabuf) == 0)
++			break;	    /* keep peer name */
++		}
++		if (res == NULL) {
++		    msg_warn("%s: %s: address not listed for hostname %s",
++			     myname, state->addr, state->name);
++		    REJECT_PEER_NAME(state, SMTPD_PEER_CODE_PERM);
++		}
++	    }
++	    if (res0)
++		freeaddrinfo(res0);
++#else
++	    hp = gethostbyname(state->name);
+ 	    if (hp == 0) {
+ 		msg_warn("%s: hostname %s verification failed: %s",
+ 			 state->addr, state->name, HSTRERROR(h_errno));
+ 		REJECT_PEER_NAME(state, (h_errno == TRY_AGAIN ?
+-			      SMTPD_PEER_CODE_TEMP : SMTPD_PEER_CODE_PERM));
+-	    } else if (hp->h_length != sizeof(sin.sin_addr)) {
++			    SMTPD_PEER_CODE_TEMP : SMTPD_PEER_CODE_PERM));
++	    } else if (hp->h_length != sizeof(*in)) {
+ 		msg_warn("%s: hostname %s verification failed: bad address size %d",
+ 			 state->addr, state->name, hp->h_length);
+ 		REJECT_PEER_NAME(state, SMTPD_PEER_CODE_PERM);
+ 	    } else {
++		int i;
+ 		for (i = 0; /* void */ ; i++) {
+ 		    if (hp->h_addr_list[i] == 0) {
+ 			msg_warn("%s: address not listed for hostname %s",
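Review bot: setting `hints.ai_family = AF_UNSPEC` and then skipping entries with `res->ai_family != sa->sa_family` resolves both address families only to discard one; `hints.ai_family = sa->sa_family` avoids the extra lookups and makes the `res == NULL` "address not listed" case depend only on records of the relevant family. Also, a `getnameinfo()` failure inside the loop breaks out with `res != NULL`, which correctly bypasses the second `REJECT_PEER_NAME`, but that interplay deserves a comment.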
+@@ -180,12 +316,11 @@
+ 			REJECT_PEER_NAME(state, SMTPD_PEER_CODE_PERM);
+ 			break;
+ 		    }
+-		    if (memcmp(hp->h_addr_list[i],
+-			       (char *) &sin.sin_addr,
+-			       sizeof(sin.sin_addr)) == 0)
++		    if (memcmp(hp->h_addr_list[i], (char *)in, sizeof(*in)) == 0)
+ 			break;			/* keep peer name */
+ 		}
+ 	    }
++#endif
+ 	}
+     }
+ 
+diff -urNad postfix-release/src/smtpd/smtpd_sasl_glue.c /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_sasl_glue.c
+--- postfix-release/src/smtpd/smtpd_sasl_glue.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_sasl_glue.c	2005-02-03 10:22:13.076093119 -0700
+@@ -181,6 +181,16 @@
+     return SASL_OK;
+ }
+ 
++static int smtpd_sasl_getpath(void * context, char ** path)
++{
++#if SASL_VERSION_MAJOR >= 2
++    *path = strdup("/etc/postfix/sasl:/usr/lib/sasl2");
++#else
++    *path = strdup("/etc/postfix/sasl:/usr/lib/sasl");
++#endif
++    return SASL_OK;
++}
++
+  /*
+   * SASL callback interface structure. These call-backs have no per-session
+   * context.
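Review bot: the SASL plugin search path is hardcoded to `/etc/postfix/sasl:/usr/lib/sasl2` (or `/usr/lib/sasl`), which is wrong on any other library layout; a main.cf parameter, or at least a compile-time define, would be preferable. The callback also hands the library a `strdup()`ed string with no corresponding free: confirm that the Cyrus SASL version in use takes ownership of `*path`, and otherwise return a static string. Note too that the prototype uses `char **path` while `sasl_getpath_t` in SASL 2 is declared with `const char **path`.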
+@@ -189,6 +199,7 @@
+ 
+ static sasl_callback_t callbacks[] = {
+     {SASL_CB_LOG, &smtpd_sasl_log, NO_CALLBACK_CONTEXT},
++    {SASL_CB_GETPATH,&smtpd_sasl_getpath, NO_CALLBACK_CONTEXT},
+     {SASL_CB_LIST_END, 0, 0}
+ };
+ 
+diff -urNad postfix-release/src/smtpd/smtpd_sasl_proto.c /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_sasl_proto.c
+--- postfix-release/src/smtpd/smtpd_sasl_proto.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_sasl_proto.c	2005-02-03 10:22:13.076093119 -0700
+@@ -129,6 +129,15 @@
+ 	smtpd_chat_reply(state, "503 Error: authentication not enabled");
+ 	return (-1);
+     }
++#ifdef USE_TLS
++#ifdef USE_SSL
++    if (state->tls_auth_only && !state->tls_active) {
++	state->error_mask |= MAIL_ERROR_PROTOCOL;
++	smtpd_chat_reply(state, "538 Encryption required for requested authentication mechanism");
++	return (-1);
++    }
++#endif
++#endif
+     if (state->sasl_username) {
+ 	state->error_mask |= MAIL_ERROR_PROTOCOL;
+ 	smtpd_chat_reply(state, "503 Error: already authenticated");
+diff -urNad postfix-release/src/smtpd/smtpd_state.c /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_state.c
+--- postfix-release/src/smtpd/smtpd_state.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_state.c	2005-02-03 10:22:13.076093119 -0700
+@@ -77,6 +77,7 @@
+     state->notify_mask = name_mask(VAR_NOTIFY_CLASSES, mail_error_masks,
+ 				   var_notify_classes);
+     state->helo_name = 0;
++    state->addr_tag = "";
+     state->queue_id = 0;
+     state->cleanup = 0;
+     state->dest = 0;
+@@ -111,6 +112,13 @@
+     state->saved_flags = 0;
+     state->instance = vstring_alloc(10);
+     state->seqno = 0;
++#ifdef USE_TLS
++    state->tls_active = 0;
++    state->tls_use_tls = 0;
++    state->tls_enforce_tls = 0;
++    state->tls_info = tls_info_zero;
++    state->tls_auth_only = 0;
++#endif
+ 
+ #ifdef USE_SASL_AUTH
+     if (SMTPD_STAND_ALONE(state))
+diff -urNad postfix-release/src/smtpstone/Makefile.in /tmp/dpep.cXJuVH/postfix-release/src/smtpstone/Makefile.in
+--- postfix-release/src/smtpstone/Makefile.in	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtpstone/Makefile.in	2005-02-03 10:22:13.077092896 -0700
+@@ -33,7 +33,7 @@
+ 
+ tests:	test
+ 
+-update: ../../bin/smtp-source ../../bin/smtp-sink ../../bin/qmqp-source
++update: ../../bin/smtp-source ../../bin/smtp-sink ../../bin/qmqp-source ../../bin/qmqp-sink
+ 
+ ../../bin/smtp-source: smtp-source
+ 	cp $? $@
+diff -urNad postfix-release/src/smtpstone/qmqp-sink.c /tmp/dpep.cXJuVH/postfix-release/src/smtpstone/qmqp-sink.c
+--- postfix-release/src/smtpstone/qmqp-sink.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtpstone/qmqp-sink.c	2005-02-03 10:22:13.077092896 -0700
+@@ -275,7 +275,7 @@
+     } else {
+ 	if (strncmp(argv[optind], "inet:", 5) == 0)
+ 	    argv[optind] += 5;
+-	sock = inet_listen(argv[optind], backlog, BLOCKING);
++	sock = inet_listen(argv[optind], backlog, BLOCKING, 1);
+     }
+ 
+     /*
+diff -urNad postfix-release/src/smtpstone/smtp-sink.c /tmp/dpep.cXJuVH/postfix-release/src/smtpstone/smtp-sink.c
+--- postfix-release/src/smtpstone/smtp-sink.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/smtpstone/smtp-sink.c	2005-02-03 10:22:13.077092896 -0700
+@@ -692,7 +692,7 @@
+     } else {
+ 	if (strncmp(argv[optind], "inet:", 5) == 0)
+ 	    argv[optind] += 5;
+-	sock = inet_listen(argv[optind], backlog, BLOCKING);
++	sock = inet_listen(argv[optind], backlog, BLOCKING, 1);
+     }
+ 
+     /*
+diff -urNad postfix-release/src/tlsmgr/Makefile.in /tmp/dpep.cXJuVH/postfix-release/src/tlsmgr/Makefile.in
+--- postfix-release/src/tlsmgr/Makefile.in	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/tlsmgr/Makefile.in	2005-02-03 10:22:13.077092896 -0700
+@@ -0,0 +1,94 @@
++SHELL	= /bin/sh
++SRCS	= ../global/pfixtls.c tlsmgr.c
++OBJS	= tlsmgr.o
++HDRS	=
++TESTSRC	=
++WARN	= -W -Wformat -Wimplicit -Wmissing-prototypes \
++	-Wparentheses -Wstrict-prototypes -Wswitch -Wuninitialized \
++	-Wunused
++DEFS	= -I. -I$(INC_DIR) -D$(SYSTYPE)
++CFLAGS	= $(DEBUG) $(OPT) $(DEFS)
++TESTPROG= 
++PROG	= tlsmgr
++INC_DIR	= ../../include
++LIBS	= ../../lib/libmaster.a ../../lib/libglobal.a ../../lib/libutil.a ../../lib/pfixtls.o
++TLSO    = pfixtls.o
++
++$(TLSO):;	$(CC) $(CFLAGS) -c ../global/pfixtls.c
++
++.c.o:;	$(CC) $(CFLAGS) -c $*.c
++
++$(PROG):	$(OBJS) $(LIBS)
++	$(CC) $(CFLAGS) -o $@ $(OBJS) $(LIBS) $(SYSLIBS)
++
++Makefile: Makefile.in
++	(set -e; echo "# DO NOT EDIT"; $(OPTS) $(SHELL) ../../makedefs; cat $?) >$@
++
++test:	$(TESTPROG)
++
++update: ../../lib/$(TLSO) ../../libexec/$(PROG)
++
++../../lib/$(TLSO): $(TLSO)
++	cp $(TLSO) ../../lib
++
++../../libexec/$(PROG): $(PROG)
++	cp $(PROG) ../../libexec
++
++printfck: $(OBJS) $(PROG)
++	rm -rf printfck
++	mkdir printfck
++	cp *.h printfck
++	sed '1,/^# do not edit/!d' Makefile >printfck/Makefile
++	set -e; for i in *.c; do printfck -f .printfck $$i >printfck/$$i; done
++	cd printfck; make "INC_DIR=../../../../include" `cd ../..; ls *.o`
++
++lint:
++	lint $(DEFS) $(SRCS) $(LINTFIX)
++
++clean:
++	rm -f *.o *core $(PROG) $(TESTPROG) junk pfixtls.c
++	rm -rf printfck
++
++tidy:	clean
++
++depend: $(MAKES)
++	(sed '1,/^# do not edit/!d' Makefile.in; \
++	set -e; for i in [a-z][a-z0-9]*.c; do \
++	    $(CC) -E $(DEFS) $(INCL) $$i | sed -n -e '/^# *1 *"\([^"]*\)".*/{' \
++	    -e 's//'`echo $$i|sed 's/c$$/o/'`': \1/' -e 'p' -e '}'; \
++	done) | grep -v '[.][o][:][ ][/]' >$$$$ && mv $$$$ Makefile.in
++	@make -f Makefile.in Makefile
++
++# do not edit below this line - it is generated by 'make depend'
++tlsmgr.o: tlsmgr.c
++tlsmgr.o: ../../include/sys_defs.h
++tlsmgr.o: ../../include/msg.h
++tlsmgr.o: ../../include/events.h
++tlsmgr.o: ../../include/vstream.h
++tlsmgr.o: ../../include/vbuf.h
++tlsmgr.o: ../../include/dict.h
++tlsmgr.o: ../../include/argv.h
++tlsmgr.o: ../../include/vstring.h
++tlsmgr.o: ../../include/stringops.h
++tlsmgr.o: ../../include/mymalloc.h
++tlsmgr.o: ../../include/connect.h
++tlsmgr.o: ../../include/myflock.h
++tlsmgr.o: ../../include/mail_conf.h
++tlsmgr.o: ../../include/mail_params.h
++tlsmgr.o: ../../include/iostuff.h
++tlsmgr.o: ../../include/master_proto.h
++tlsmgr.o: ../../include/mail_server.h
++tlsmgr.o: ../../include/pfixtls.h
++pfixtls.o: ../global/pfixtls.c
++pfixtls.o: ../../include/sys_defs.h
++pfixtls.o: ../../include/iostuff.h
++pfixtls.o: ../../include/mymalloc.h
++pfixtls.o: ../../include/vstring.h
++pfixtls.o: ../../include/vstream.h
++pfixtls.o: ../../include/dict.h
++pfixtls.o: ../../include/myflock.h
++pfixtls.o: ../../include/stringops.h
++pfixtls.o: ../../include/msg.h
++pfixtls.o: ../../include/connect.h
++pfixtls.o: ../../include/mail_params.h
++pfixtls.o: ../../include/pfixtls.h
+diff -urNad postfix-release/src/tlsmgr/tlsmgr.c /tmp/dpep.cXJuVH/postfix-release/src/tlsmgr/tlsmgr.c
+--- postfix-release/src/tlsmgr/tlsmgr.c	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/tlsmgr/tlsmgr.c	2005-02-03 10:22:13.078092673 -0700
+@@ -0,0 +1,600 @@
++#ifdef USE_TLS
++/*++
++/* NAME
++/*	tlsmgr 8
++/* SUMMARY
++/*	Postfix TLS session cache and PRNG handling manager
++/* SYNOPSIS
++/*	\fBtlsmgr\fR [generic Postfix daemon options]
++/* DESCRIPTION
++/*	The tlsmgr process does housekeeping on the session cache database
++/*	files. It runs through the databases and removes expired entries
++/*	and entries written by older (incompatible) versions.
++/*
++/*	The tlsmgr is responsible for the PRNG handling. The used internal
++/*	OpenSSL PRNG has a pool size of 8192 bits (= 1024 bytes). The pool
++/*	is initially seeded at startup from an external source (EGD or
++/*	/dev/urandom) and additional seed is obtained later during program
++/*	run at a configurable period. The exact time of seed query is
++/*	using random information and is equally distributed in the range of
++/*	[0-\fBtls_random_reseed_period\fR] with a \fBtls_random_reseed_period\fR
++/*	having a default of 1 hour.
++/*
++/*	Tlsmgr can be run chrooted and with dropped privileges, as it will
++/*	connect to the entropy source at startup.
++/*
++/*	The PRNG is additionally seeded internally by the data found in the
++/*	session cache and timevalues.
++/*
++/*	Tlsmgr reads the old value of the exchange file at startup to keep
++/*	entropy already collected during previous runs.
++/*
++/*	From the PRNG random pool a cryptographically strong 1024 byte random
++/*	sequence is written into the PRNG exchange file. The file is updated
++/*	periodically with the time changing randomly from
++/*	[0-\fBtls_random_prng_update_period\fR].
++/* STANDARDS
++/* SECURITY
++/* .ad
++/* .fi
++/*	Tlsmgr is not security-sensitive. It only deals with external data
++/*	to be fed into the PRNG, the contents is never trusted. The session
++/*	cache housekeeping will only remove entries if expired and will never
++/*	touch the contents of the cached data.
++/* DIAGNOSTICS
++/*	Problems and transactions are logged to the syslog daemon.
++/* BUGS
++/*	There is no automatic means to limit the number of entries in the
++/*	session caches and/or the size of the session cache files.
++/* CONFIGURATION PARAMETERS
++/* .ad
++/* .fi
++/*	The following \fBmain.cf\fR parameters are especially relevant to
++/*	this program. See the Postfix \fBmain.cf\fR file for syntax details
++/*	and for default values. Use the \fBpostfix reload\fR command after
++/*	a configuration change.
++/* .SH Session Cache
++/* .ad
++/* .fi
++/* .IP \fBsmtpd_tls_session_cache_database\fR
++/*	Name of the SDBM file (type sdbm:) containing the SMTP server session
++/*	cache. If the file does not exist, it is created.
++/* .IP \fBsmtpd_tls_session_cache_timeout\fR
++/*	Expiry time of SMTP server session cache entries in seconds. Entries
++/*	older than this are removed from the session cache. A cleanup-run is
++/*	performed periodically every \fBsmtpd_tls_session_cache_timeout\fR
++/*	seconds. Default is 3600 (= 1 hour).
++/* .IP \fBsmtp_tls_session_cache_database\fR
++/*	Name of the SDBM file (type sdbm:) containing the SMTP client session
++/*	cache. If the file does not exist, it is created.
++/* .IP \fBsmtp_tls_session_cache_timeout\fR
++/*	Expiry time of SMTP client session cache entries in seconds. Entries
++/*	older than this are removed from the session cache. A cleanup-run is
++/*	performed periodically every \fBsmtp_tls_session_cache_timeout\fR
++/*	seconds. Default is 3600 (= 1 hour).
++/* .SH Pseudo Random Number Generator
++/* .ad
++/* .fi
++/* .IP \fBtls_random_source\fR
++/*	Name of the EGD socket or device or regular file to obtain entropy
++/*	from. The type of entropy source must be specified by preceding the
++/*      name with the appropriate type: egd:/path/to/egd_socket,
++/*      dev:/path/to/devicefile, or /path/to/regular/file.
++/*	tlsmgr opens \fBtls_random_source\fR and tries to read
++/*	\fBtls_random_bytes\fR from it.
++/* .IP \fBtls_random_bytes\fR
++/*	Number of bytes to be read from \fBtls_random_source\fR.
++/*	Default value is 32 bytes. If using EGD, a maximum of 255 bytes is read.
++/* .IP \fBtls_random_exchange_name\fR
++/*	Name of the file written by tlsmgr and read by smtp and smtpd at
++/*	startup. The length is 1024 bytes. Default value is
++/*	/etc/postfix/prng_exch.
++/* .IP \fBtls_random_reseed_period\fR
++/*	Time in seconds until the next reseed from external sources is due.
++/*	This is the maximum value. The actual point in time is calculated
++/*	with a random factor equally distributed between 0 and this maximum
++/*	value. Default is 3600 (= 60 minutes).
++/* .IP \fBtls_random_prng_update_period\fR
++/*	Time in seconds until the PRNG exchange file is updated with new
++/*	pseude random values. This is the maximum value. The actual point
++/*	in time is calculated with a random factor equally distributed
++/*	between 0 and this maximum value. Default is 60 (= 1 minute).
++/* SEE ALSO
++/*	smtp(8) SMTP client
++/*	smtpd(8) SMTP server
++/* LICENSE
++/* .ad
++/* .fi
++/*	The Secure Mailer license must be distributed with this software.
++/* AUTHOR(S)
++/*--*/
++
++/* System library. */
++
++#include <sys_defs.h>
++#include <stdlib.h>
++#include <unistd.h>
++#include <ctype.h>
++#include <errno.h>
++#include <string.h>
++#include <sys/time.h>			/* gettimeofday, not POSIX */
++
++/* OpenSSL library. */
++#ifdef USE_SSL
++#include <openssl/rand.h>		/* For the PRNG */
++#endif
++
++/* Utility library. */
++
++#include <msg.h>
++#include <events.h>
++#include <dict.h>
++#include <stringops.h>
++#include <mymalloc.h>
++#include <connect.h>
++#include <myflock.h>
++
++/* Global library. */
++
++#include <mail_conf.h>
++#include <mail_params.h>
++#include <pfixtls.h>
++
++/* Master process interface */
++
++#include <master_proto.h>
++#include <mail_server.h>
++
++/* Application-specific. */
++
++#ifdef USE_SSL
++ /*
++  * Tunables.
++  */
++char   *var_tls_rand_source;
++int	var_tls_rand_bytes;
++int	var_tls_reseed_period;
++int	var_tls_prng_upd_period;
++
++static int rand_exch_fd;
++static int rand_source_dev_fd = -1;
++static int rand_source_socket_fd = -1;
++static int srvr_scache_db_active;
++static int clnt_scache_db_active;
++static DICT *srvr_scache_db = NULL;
++static DICT *clnt_scache_db = NULL;
++
++static void tlsmgr_prng_upd_event(int unused_event, char *dummy)
++{
++    struct timeval tv;
++    unsigned char buffer[1024];
++    int next_period;
++
++    /*
++     * It is time to update the PRNG exchange file. Since other processes might
++     * have added entropy, we do this in a read_stir-back_write cycle.
++     */
++    GETTIMEOFDAY(&tv);
++    RAND_seed(&tv, sizeof(struct timeval));
++
++    if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) != 0)
++	msg_fatal("Could not lock random exchange file: %s",
++		  strerror(errno));
++
++    lseek(rand_exch_fd, 0, SEEK_SET);
++    if (read(rand_exch_fd, buffer, 1024) < 0)
++	msg_fatal("reading exchange file failed");
++    RAND_seed(buffer, 1024);
++
++    RAND_bytes(buffer, 1024);
++    lseek(rand_exch_fd, 0, SEEK_SET);
++    if (write(rand_exch_fd, buffer, 1024) != 1024)
++	msg_fatal("Writing exchange file failed");
++
++    if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) != 0)
++	msg_fatal("Could not unlock random exchange file: %s",
++		  strerror(errno));
++
++    /*
++     * Make prediction difficult for outsiders and calculate the time for the
++     * next execution randomly.
++     */
++    next_period = (var_tls_prng_upd_period * buffer[0]) / 255;
++    event_request_timer(tlsmgr_prng_upd_event, dummy, next_period);
++}
++
++
++static void tlsmgr_reseed_event(int unused_event, char *dummy)
++{
++    int egd_success;
++    int next_period;
++    int rand_bytes;
++    char buffer[255];
++    struct timeval tv;
++    unsigned char randbyte;
++
++    /*
++     * It is time to reseed the PRNG.
++     */
++
++    GETTIMEOFDAY(&tv);
++    RAND_seed(&tv, sizeof(struct timeval));
++    if (rand_source_dev_fd != -1) {
++	rand_bytes = read(rand_source_dev_fd, buffer, var_tls_rand_bytes);
++	if (rand_bytes > 0)
++	    RAND_seed(buffer, rand_bytes);
++	else if (rand_bytes < 0) {
++	    msg_fatal("Read from entropy device %s failed",
++		      var_tls_rand_source);
++	}
++    } else if (rand_source_socket_fd != -1) {
++	egd_success = 0;
++	buffer[0] = 1;
++	buffer[1] = var_tls_rand_bytes;
++	if (write(rand_source_socket_fd, buffer, 2) != 2)
++	    msg_info("Could not talk to %s", var_tls_rand_source);
++	else if (read(rand_source_socket_fd, buffer, 1) != 1)
++	    msg_info("Could not read info from %s", var_tls_rand_source);
++	else {
++	    rand_bytes = buffer[0];
++	    if (read(rand_source_socket_fd, buffer, rand_bytes) != rand_bytes)
++		msg_info("Could not read data from %s", var_tls_rand_source);
++	    else {
++		egd_success = 1;
++		RAND_seed(buffer, rand_bytes);
++	    }
++	}
++	if (!egd_success) {
++	    msg_info("Lost connection to EGD-device, exiting to reconnect.");
++	    exit(0);
++	}
++    } else if (*var_tls_rand_source) {
++	rand_bytes = RAND_load_file(var_tls_rand_source, var_tls_rand_bytes);
++    }
++
++    /*
++     * Make prediction difficult for outsiders and calculate the time for the
++     * next execution randomly.
++     */
++    RAND_bytes(&randbyte, 1);
++    next_period = (var_tls_reseed_period * randbyte) / 255;
++    event_request_timer(tlsmgr_reseed_event, dummy, next_period);
++}
++
++
++static int tlsmgr_do_scache_check(DICT *scache_db, int scache_timeout,
++				  int start)
++{
++    int func;
++    int len;
++    int n;
++    int delete = 0;
++    int result;
++    struct timeval tv;
++    const char *member;
++    const char *value;
++    char *member_copy;
++    unsigned char nibble, *data;
++    pfixtls_scache_info_t scache_info;
++
++    GETTIMEOFDAY(&tv);
++    RAND_seed(&tv, sizeof(struct timeval));
++
++    /*
++     * Run through the given dictionary and check the stored sessions.
++     * If "start" is set to 1, a new run is initiated, otherwise the next
++     * item is accessed. The state is internally kept in the DICT.
++     */
++    if (start)
++	func = DICT_SEQ_FUN_FIRST;
++    else
++	func = DICT_SEQ_FUN_NEXT;
++    result = dict_seq(scache_db, func, &member, &value);
++
++    if (result > 0)
++	return 0;	/* End of list reached */
++    else if (result < 0)
++	msg_fatal("Database fault, should already be caught.");
++    else {
++	member_copy = mystrdup(member);
++	len = strlen(value);
++	RAND_seed(value, len);		/* Use it to increase entropy */
++	if (len < 2 * sizeof(pfixtls_scache_info_t))
++	    delete = 1;		/* Messed up, delete */
++	else if (len > 2 * sizeof(pfixtls_scache_info_t))
++	    len = 2 * sizeof(pfixtls_scache_info_t);
++	if (!delete) {
++	    data = (unsigned char *)(&scache_info);
++	    memset(data, 0, len / 2);
++	    for (n = 0; n < len; n++) {
++            if ((value[n] >= '0') && (value[n] <= '9'))
++                nibble = value[n] - '0';
++            else
++                nibble = value[n] - 'A' + 10;
++            if (n % 2)
++                data[n / 2] |= nibble;
++            else
++                data[n / 2] |= (nibble << 4);
++        }
++
++        if ((scache_info.scache_db_version != scache_db_version) ||
++            (scache_info.openssl_version != openssl_version) ||
++            (scache_info.timestamp + scache_timeout < time(NULL)))
++	    delete = 1;
++	}
++	if (delete)
++	    result = dict_del(scache_db, member_copy);
++	myfree(member_copy);
++    }
++
++    if (delete && result)
++	msg_info("Could not delete %s", member);
++    return 1;
++
++}
++
++static void tlsmgr_clnt_cache_run_event(int unused_event, char *dummy)
++{
++
++    /*
++     * This routine runs when it is time for another tls session cache scan.
++     * Make sure this routine gets called again in the future.
++     */
++    clnt_scache_db_active = tlsmgr_do_scache_check(clnt_scache_db, 
++				var_smtp_tls_scache_timeout, 1);
++    event_request_timer(tlsmgr_clnt_cache_run_event, dummy,
++		 var_smtp_tls_scache_timeout);
++}
++
++
++static void tlsmgr_srvr_cache_run_event(int unused_event, char *dummy)
++{
++
++    /*
++     * This routine runs when it is time for another tls session cache scan.
++     * Make sure this routine gets called again in the future.
++     */
++    srvr_scache_db_active = tlsmgr_do_scache_check(srvr_scache_db,
++				var_smtpd_tls_scache_timeout, 1);
++    event_request_timer(tlsmgr_srvr_cache_run_event, dummy,
++		 var_smtpd_tls_scache_timeout);
++}
++
++
++static DICT *tlsmgr_cache_open(const char *dbname)
++{
++    DICT *retval;
++    char *dbpagname;
++    char *dbdirname;
++
++    /*
++     * First, try to find out the real name of the database file, so that
++     * it can be removed.
++     */
++    if (!strncmp(dbname, "sdbm:", 5)) {
++	dbpagname = concatenate(dbname + 5, ".pag", NULL);
++	REMOVE(dbpagname);
++	myfree(dbpagname);
++	dbdirname = concatenate(dbname + 5, ".dir", NULL);
++	REMOVE(dbdirname);
++	myfree(dbdirname);
++    }
++    else {
++	msg_warn("Only type sdbm: supported: %s", dbname);
++	return NULL;
++    }
++
++    /*
++     * Now open the dictionary. Do it with O_EXCL, so that we only open a
++     * fresh file. If we cannot open it with a fresh file, then we won't
++     * touch it.
++     */
++    retval = dict_open(dbname, O_RDWR | O_CREAT | O_EXCL,
++	      DICT_FLAG_DUP_REPLACE | DICT_FLAG_LOCK | DICT_FLAG_SYNC_UPDATE);
++    if (!retval)
++	msg_warn("Could not create dictionary %s", dbname);
++    return retval;
++}
++
++/* tlsmgr_trigger_event - respond to external trigger(s) */
++
++static void tlsmgr_trigger_event(char *buf, int len,
++			               char *unused_service, char **argv)
++{
++    /*
++     * Sanity check. This service takes no command-line arguments.
++     */
++    if (argv[0])
++	msg_fatal("unexpected command-line argument: %s", argv[0]);
++
++}
++
++/* tlsmgr_loop - queue manager main loop */
++
++static int tlsmgr_loop(char *unused_name, char **unused_argv)
++{
++    /*
++     * This routine runs as part of the event handling loop, after the event
++     * manager has delivered a timer or I/O event (including the completion
++     * of a connection to a delivery process), or after it has waited for a
++     * specified amount of time. The result value of qmgr_loop() specifies
++     * how long the event manager should wait for the next event.
++     */
++#define DONT_WAIT	0
++#define WAIT_FOR_EVENT	(-1)
++
++    if (clnt_scache_db_active)
++	clnt_scache_db_active = tlsmgr_do_scache_check(clnt_scache_db,
++					var_smtp_tls_scache_timeout, 0);
++    if (srvr_scache_db_active)
++	srvr_scache_db_active = tlsmgr_do_scache_check(srvr_scache_db,
++					var_smtpd_tls_scache_timeout, 0);
++    if (clnt_scache_db_active || srvr_scache_db_active)
++	return (DONT_WAIT);
++    return (WAIT_FOR_EVENT);
++}
++
++/* pre_accept - see if tables have changed */
++
++static void pre_accept(char *unused_name, char **unused_argv)
++{
++    if (dict_changed()) {
++	msg_info("table has changed -- exiting");
++	exit(0);
++    }
++}
++
++/* tlsmgr_pre_init - pre-jail initialization */
++
++static void tlsmgr_pre_init(char *unused_name, char **unused_argv)
++{
++    int rand_bytes;
++    unsigned char buffer[255];
++
++    /*
++     * Access the external sources for random seed. We may not be able to
++     * access them again if we are sent to chroot jail, so we must leave
++     * dev: and egd: type sources open.
++     */
++    if (*var_tls_rand_source) {
++        if (!strncmp(var_tls_rand_source, "dev:", 4)) {
++	    /*
++	     * Source is a random device
++	     */
++	    rand_source_dev_fd = open(var_tls_rand_source + 4, 0, 0);
++	    if (rand_source_dev_fd == -1) 
++		msg_fatal("Could not open entropy device %s",
++			  var_tls_rand_source);
++	    if (var_tls_rand_bytes > 255)
++		var_tls_rand_bytes = 255;
++	    rand_bytes = read(rand_source_dev_fd, buffer, var_tls_rand_bytes);
++	    RAND_seed(buffer, rand_bytes);
++	} else if (!strncmp(var_tls_rand_source, "egd:", 4)) {
++	    /*
++	     * Source is a EGD compatible socket
++	     */
++	    rand_source_socket_fd = unix_connect(var_tls_rand_source +4,
++						 BLOCKING, 10);
++	    if (rand_source_socket_fd == -1)
++		msg_fatal("Could not connect to %s", var_tls_rand_source);
++	    if (var_tls_rand_bytes > 255)
++		var_tls_rand_bytes = 255;
++	    buffer[0] = 1;
++	    buffer[1] = var_tls_rand_bytes;
++	    if (write(rand_source_socket_fd, buffer, 2) != 2)
++		msg_fatal("Could not talk to %s", var_tls_rand_source);
++	    if (read(rand_source_socket_fd, buffer, 1) != 1)
++		msg_fatal("Could not read info from %s", var_tls_rand_source);
++	    rand_bytes = buffer[0];
++	    if (read(rand_source_socket_fd, buffer, rand_bytes) != rand_bytes)
++		msg_fatal("Could not read data from %s", var_tls_rand_source);
++	    RAND_seed(buffer, rand_bytes);
++	} else {
++	    rand_bytes = RAND_load_file(var_tls_rand_source,
++					var_tls_rand_bytes);
++	}
++    }
++
++    /*
++     * Now open the PRNG exchange file
++     */
++    if (*var_tls_rand_exch_name) {
++	rand_exch_fd = open(var_tls_rand_exch_name, O_RDWR | O_CREAT, 0600);
++    }
++
++    /*
++     * Finally, open the session cache files. Remove old files, if still there.
++     * If we could not remove the old files, something is pretty wrong and we
++     * won't touch it!!
++     */
++    if (*var_smtp_tls_scache_db)
++	clnt_scache_db = tlsmgr_cache_open(var_smtp_tls_scache_db);
++    if (*var_smtpd_tls_scache_db)
++	srvr_scache_db = tlsmgr_cache_open(var_smtpd_tls_scache_db);
++}
++
++/* qmgr_post_init - post-jail initialization */
++
++static void tlsmgr_post_init(char *unused_name, char **unused_argv)
++{
++    unsigned char buffer[1024];
++
++    /*
++     * This routine runs after the skeleton code has entered the chroot jail.
++     * Prevent automatic process suicide after a limited number of client
++     * requests or after a limited amount of idle time.
++     */
++    var_use_limit = 0;
++    var_idle_limit = 0;
++
++    /*
++     * Complete thie initialization by reading the additional seed from the
++     * PRNG exchange file. Don't care how many bytes were actually read, just
++     * seed buffer into the PRNG, regardless of its contents.
++     */
++    if (rand_exch_fd >= 0) {
++	if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_SHARED) == -1)
++	    msg_fatal("Could not lock random exchange file: %s",
++		      strerror(errno));
++	read(rand_exch_fd, buffer, 1024);
++	if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) == -1)
++	    msg_fatal("Could not unlock random exchange file: %s",
++		      strerror(errno));
++	RAND_seed(buffer, 1024);
++	tlsmgr_prng_upd_event(0, (char *) 0);
++	tlsmgr_reseed_event(0, (char *) 0);
++    }
++
++    clnt_scache_db_active = 0;
++    srvr_scache_db_active = 0;
++    if (clnt_scache_db)
++	tlsmgr_clnt_cache_run_event(0, (char *) 0);
++    if (srvr_scache_db)
++	tlsmgr_srvr_cache_run_event(0, (char *) 0);
++}
++
++
++/* main - the main program */
++
++int     main(int argc, char **argv)
++{
++    static CONFIG_STR_TABLE str_table[] = {
++	VAR_TLS_RAND_SOURCE, DEF_TLS_RAND_SOURCE, &var_tls_rand_source, 0, 0,
++	0,
++    };
++    static CONFIG_TIME_TABLE time_table[] = {
++	VAR_TLS_RESEED_PERIOD, DEF_TLS_RESEED_PERIOD, &var_tls_reseed_period, 0, 0,
++	VAR_TLS_PRNG_UPD_PERIOD, DEF_TLS_PRNG_UPD_PERIOD, &var_tls_prng_upd_period, 0, 0,
++	0,
++    };
++    static CONFIG_INT_TABLE int_table[] = {
++	VAR_TLS_RAND_BYTES, DEF_TLS_RAND_BYTES, &var_tls_rand_bytes, 0, 0,
++	0,
++    };
++
++    /*
++     * Use the trigger service skeleton, because no-one else should be
++     * monitoring our service port while this process runs, and because we do
++     * not talk back to the client.
++     */
++    trigger_server_main(argc, argv, tlsmgr_trigger_event,
++			MAIL_SERVER_TIME_TABLE, time_table,
++			MAIL_SERVER_INT_TABLE, int_table,
++			MAIL_SERVER_STR_TABLE, str_table,
++			MAIL_SERVER_PRE_INIT, tlsmgr_pre_init,
++			MAIL_SERVER_POST_INIT, tlsmgr_post_init,
++			MAIL_SERVER_LOOP, tlsmgr_loop,
++			MAIL_SERVER_PRE_ACCEPT, pre_accept,
++			0);
++    trigger_server_main(argc, argv, tlsmgr_trigger_event,
++			MAIL_SERVER_PRE_INIT, tlsmgr_pre_init,
++			0);
++}
++
++#else
++int     main(int argc, char **argv)
++{
++    msg_fatal("Do not run tlsmgr with TLS support compiled in\n");
++}
++#endif
++#endif
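Review bot: in tlsmgr_reseed_event() the EGD reply is read into `char buffer[255]` and the length byte is taken as `rand_bytes = buffer[0]`; with a signed char (the default on x86) any EGD reply of 128 bytes or more yields a negative rand_bytes, and `read(rand_source_socket_fd, buffer, rand_bytes)` then receives a huge size_t. tlsmgr_pre_init() does the same exchange correctly with `unsigned char buffer[255]`, so mirror that here (or use `rand_bytes = (unsigned char) buffer[0];`), and since the socket is a stream the read of rand_bytes should loop on short reads instead of treating `!= rand_bytes` as a lost connection.

Same file, smaller points: `static int rand_exch_fd;` starts at 0 and the result of `open(var_tls_rand_exch_name, O_RDWR | O_CREAT, 0600)` is never checked, so with an empty tls_random_exchange_name tlsmgr_post_init() passes the `rand_exch_fd >= 0` test and locks, reads and later writes 1024 bytes on fd 0, while an open() failure silently disables the exchange file and both reseed timers (they are only armed inside that block); initialise it to -1 and msg_fatal() when open() fails. `RAND_bytes(buffer, 1024)` in tlsmgr_prng_upd_event() is unchecked and the buffer goes straight into the exchange file; test the return value before the write. In tlsmgr_pre_init() the dev: path calls `RAND_seed(buffer, rand_bytes)` with rand_bytes == -1 when read() fails. In tlsmgr_do_scache_check() the closing `msg_info("Could not delete %s", member)` uses `member` after dict_del() and after `myfree(member_copy)`; member_copy exists for exactly this, so log before freeing it. main() calls trigger_server_main() twice; the second call is unreachable and should be dropped. The `#else` main() says "Do not run tlsmgr with TLS support compiled in", the opposite of the branch it lives in, and carries a trailing \n that no other msg_fatal() in the file uses. Documentation: "pseude random" and "Complete thie initialization" are typos, the STANDARDS section is empty, and the comments still refer to qmgr_loop() and qmgr_post_init().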
+diff -urNad postfix-release/src/util/dict_cidr.c /tmp/dpep.cXJuVH/postfix-release/src/util/dict_cidr.c
+--- postfix-release/src/util/dict_cidr.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/dict_cidr.c	2005-02-03 10:22:13.079092450 -0700
+@@ -27,6 +27,13 @@
+ /*	IBM T.J. Watson Research
+ /*	P.O. Box 704
+ /*	Yorktown Heights, NY 10598, USA
++/*
++/*	Dean C. Strik
++/*	Department ICT Services
++/*	Eindhoven University of Technology
++/*	P.O. Box 513
++/*	5600 MB  Eindhoven, Netherlands
++/*	E-mail: <dean at ipnet6.org>
+ /*--*/
+ 
+ /* System library. */
+@@ -39,6 +46,11 @@
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
+ 
++#include <errno.h>
++#include <sys/types.h>
++#include <sys/socket.h>
++#include <netdb.h>
++
+ #ifndef INADDR_NONE
+ #define INADDR_NONE 0xffffffff
+ #endif
+@@ -53,17 +65,15 @@
+ #include <readlline.h>
+ #include <dict.h>
+ #include <dict_cidr.h>
+-#include <split_at.h>
++#include <match_ops.h>
+ 
+ /* Application-specific. */
+ 
+  /*
+   * Each rule in a CIDR table is parsed and stored in a linked list.
+-  * Obviously all this is IPV4 specific and needs to be redone for IPV6.
+   */
+ typedef struct DICT_CIDR_ENTRY {
+-    unsigned long net_bits;		/* network portion of address */
+-    unsigned long mask_bits;		/* network mask */
++    ADDR_PATTERN *pattern;		/* address pattern structure */
+     char   *value;			/* lookup result */
+     struct DICT_CIDR_ENTRY *next;	/* next entry */
+ } DICT_CIDR_ENTRY;
+@@ -73,27 +83,72 @@
+     DICT_CIDR_ENTRY *head;		/* first entry */
+ } DICT_CIDR;
+ 
+-#define BITS_PER_ADDR   32
++#define BITS_PER_ADDR_V4   32
++#define BITS_PER_ADDR_V6   128
+ 
+ /* dict_cidr_lookup - CIDR table lookup */
+ 
+ static const char *dict_cidr_lookup(DICT *dict, const char *key)
+ {
++    char   *myname = "dict_cidr_lookup";
++
+     DICT_CIDR *dict_cidr = (DICT_CIDR *) dict;
+     DICT_CIDR_ENTRY *entry;
+-    unsigned long addr;
++#ifdef INET6
++    struct addrinfo hints, *res0;
++    int     aierr;
++#else
++    struct sockaddr_in sin;
++#endif
+ 
+     if (msg_verbose)
+-	msg_info("dict_cidr_lookup: %s: %s", dict_cidr->dict.name, key);
++	msg_info("%s: %s: %s", myname, dict_cidr->dict.name, key);
+ 
+-    if ((addr = inet_addr(key)) == INADDR_NONE)
++#ifdef INET6
++    memset(&hints, 0, sizeof(hints));
++    hints.ai_family = PF_UNSPEC;
++    hints.ai_socktype = SOCK_STREAM;
++    hints.ai_flags = AI_NUMERICHOST;
++    /*
++     * Since access maps call the CIDR map first with the
++     * hostname and only then with the addresses, we just
++     * return 0 when an entry isn't numeric, as expressed
++     * by the EAI_NONAME error.
++     */
++    aierr = getaddrinfo(key, NULL, &hints, &res0);
++    if (aierr == EAI_NONAME) {
++	if (msg_verbose)
++	    msg_info("%s: non-address key \"%s\"",
++		     myname, key);
+ 	return (0);
+-
++    }
++    if (aierr != 0)
++	msg_fatal("%s: getaddrinfo(%s): %s",
++		  myname, key, GAI_STRERROR(aierr));
+     for (entry = dict_cidr->head; entry; entry = entry->next)
+-	if ((addr & entry->mask_bits) == entry->net_bits)
++	if (match_sockaddr(res0->ai_addr,
++			   entry->pattern->addr,
++			   entry->pattern->masklen)) {
++	    freeaddrinfo(res0);
+ 	    return (entry->value);
++	}
++    freeaddrinfo(res0);
++    return (0);
++
++#else /* INET6 */
+ 
++    memset(&sin, 0, sizeof(sin));
++    sin.sin_family = AF_INET;
++    sin.sin_addr.s_addr = inet_addr(key);
++    if (sin.sin_addr.s_addr == INADDR_NONE)
++	return (0);
++    for (entry = dict_cidr->head; entry; entry = entry->next)
++	if (match_sockaddr((struct sockaddr *)&sin, entry->pattern->addr,
++			   entry->pattern->masklen))
++	    return (entry->value);
+     return (0);
++
++#endif
+ }
+ 
+ /* dict_cidr_close - close the CIDR table */
+@@ -106,6 +161,7 @@
+ 
+     for (entry = dict_cidr->head; entry; entry = next) {
+ 	next = entry->next;
++	addr_pattern_free(entry->pattern);
+ 	myfree(entry->value);
+ 	myfree((char *) entry);
+     }
+@@ -120,11 +176,9 @@
+     DICT_CIDR_ENTRY *rule;
+     char   *key;
+     char   *value;
+-    char   *mask;
+-    int     mask_shift;
+-    unsigned long net_bits;
+-    unsigned long mask_bits;
+-    struct in_addr net_addr;
++    ADDR_PATTERN *pattern;
++    VSTRING *lookup_err;
++    int    lookup_res;
+ 
+     /*
+      * Split the rule into key and value. We already eliminated leading
+@@ -152,53 +206,35 @@
+     }
+ 
+     /*
+-     * Parse the key into network and mask, and destroy the key. Treat a bare
+-     * network address as /32.
+-     * 
+-     * We need explicit code for /0. The result of << is undefined when the
+-     * shift is greater or equal to the number of bits in the shifted
+-     * operand.
++     * We rewrite the key to standard notation, and check the validity of
++     * the pattern.
++     * We cannot use MATCH_FLAG_STRICT_ADDR since access checks try not only
++     * the numerical address but the resolved hostname as well.
+      */
+-    if ((mask = split_at(key, '/')) != 0) {
+-	if (!alldig(mask) || (mask_shift = atoi(mask)) > BITS_PER_ADDR
+-	    || (net_bits = inet_addr(key)) == INADDR_NONE) {
+-	    msg_warn("cidr map %s, line %d: bad net/mask pattern: \"%s/%s\": "
+-		     "skipping this rule", mapname, lineno, key, mask);
+-	    return (0);
+-	}
+-	mask_bits = mask_shift > 0 ?
+-	    htonl((0xffffffff) << (BITS_PER_ADDR - mask_shift)) : 0;
+-	if (net_bits & ~mask_bits) {
+-	    net_addr.s_addr = (net_bits & mask_bits);
+-	    msg_warn("cidr map %s, line %d: net/mask pattern \"%s/%s\" with "
+-		     "non-null host portion: skipping this rule",
+-		     mapname, lineno, key, mask);
+-	    msg_warn("specify \"%s/%d\" if this is really what you want",
+-		     inet_ntoa(net_addr), mask_shift);
+-	    return (0);
+-	}
+-    } else {
+-	if ((net_bits = inet_addr(key)) == INADDR_NONE) {
+-	    msg_warn("cidr map %s, line %d: bad address pattern: \"%s\": "
+-		     "skipping this rule", mapname, lineno, key);
+-	    return (0);
+-	}
+-	mask_shift = 32;
+-	mask_bits = htonl(0xffffffff);
++    lookup_err = vstring_alloc(100);
++    lookup_res = std_addr_pattern(MATCH_FLAG_NOLOOKUP |
++				  MATCH_FLAG_NONNULL_HOST,
++				  key, &pattern, lookup_err);
++    if (pattern == NULL) {
++	if (lookup_res == 0 && VSTRING_LEN(lookup_err) != 0)
++	    msg_warn("cidr map %s, line %d: %s: skipping this rule",
++		     mapname, lineno, vstring_str(lookup_err));
++	vstring_free(lookup_err);
++	return (0);
+     }
++    vstring_free(lookup_err);
+ 
+     /*
+      * Bundle up the result.
+      */
+     rule = (DICT_CIDR_ENTRY *) mymalloc(sizeof(DICT_CIDR_ENTRY));
+-    rule->net_bits = net_bits;
+-    rule->mask_bits = mask_bits;
++    rule->pattern = pattern;
+     rule->value = mystrdup(value);
+     rule->next = 0;
+ 
+     if (msg_verbose)
+-	msg_info("dict_cidr_open: %s: %lu/%d %s",
+-		 mapname, rule->net_bits, mask_shift, rule->value);
++	msg_info("dict_cidr_open: %s: %s/%d %s",
++		 mapname, pattern->pattern, pattern->masklen, rule->value);
+ 
+     return (rule);
+ }
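Review bot: a rule is now skipped silently when std_addr_pattern() returns a NULL pattern but lookup_res != 0 or lookup_err is empty, whereas the code being removed always warned with map name and line number. A CIDR table is usually an access list, so a dropped rule silently changes what the map permits; emit the "skipping this rule" warning for every NULL pattern, with a generic text when lookup_err has nothing. Also `pattern` is tested without having been initialised, so correctness depends on std_addr_pattern() assigning it on every path; an explicit `pattern = NULL;` before the call removes that dependency.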
+diff -urNad postfix-release/src/util/get_port.c /tmp/dpep.cXJuVH/postfix-release/src/util/get_port.c
+--- postfix-release/src/util/get_port.c	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/get_port.c	2005-02-03 10:22:13.079092450 -0700
+@@ -0,0 +1,65 @@
++/*++
++/* NAME
++/*	get_port 3
++/* SUMMARY
++/*	trivial host and port extracter
++/* SYNOPSIS
++/*	#include <get_port.h>
++/*
++/*	char	*get_port(data)
++/*	char	*data;
++/*
++/* DESCRIPTION
++/* 	get_port() extract host name or ip address from
++/* 	strings such as [3ffe:902:12::10]:25, [::1]
++/* 	or 192.168.0.1:25, and null-terminates the
++/* 	\fIdata\fR at the first occurrence of port separator.
++/* DIAGNOSTICS
++/* 	If port not found return null pointer.
++/* LICENSE
++/* .ad
++/* .fi
++/*	BSD Style (or BSD like) license.
++/* AUTHOR(S)
++/*	Arkadiusz Mi¶kiewicz <misiek at pld.org.pl>
++/*	Wroclaw, POLAND
++/*--*/
++
++/* System libraries */
++
++#include <sys_defs.h>
++#include <string.h>
++
++/* Utility library. */
++
++#include "get_port.h"
++
++/* get_port - extract port number from string */
++
++char *get_port(char *data)
++{
++	const char *escl=strchr(data,'[');
++	const char *sepl=strchr(data,':');
++	char *escr=strrchr(data,']');
++	char *sepr=strrchr(data,':');
++
++	/* extract from "[address]:port" or "[address]"*/
++	if (escl && escr)
++	{
++		memmove(data, data + 1, strlen(data) - strlen(escr));
++		data[strlen(data) - strlen(escr) - 1] = 0;
++		*escr++ = 0;
++		if (*escr == ':')
++			escr++;
++		return (*escr ? escr : NULL);
++	}
++	/* extract from "address:port" or "address" */
++	if ((sepl == sepr) && sepr && sepl)
++	{
++		*sepr++ = 0;
++		return sepr;
++	}
++
++	/* return empty string */
++	return NULL;
++}
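Review bot: the bracket branch assumes '[' is the first character and that ']' follows it, but only checks that both exist. For "]x[" escr lies before escl, `strlen(data) - strlen(escr)` is 0 and `data[strlen(data) - strlen(escr) - 1] = 0` writes to data[-1]; for "host[::1]:25" the memmove mangles the string in place. Check `escl == data && escr > escl` before touching data and return NULL otherwise. The repeated strlen() calls and the memmove / terminate / `*escr++ = 0` sequence are hard to verify; copying the text between the brackets down in one step and then looking for ':' after the closing bracket reads more clearly. Style: the `if (...)` with the brace on its own line and `const char *escl=strchr(data,'[')` spacing do not match the surrounding Postfix source, `escl` is otherwise unused, and the author name in AUTHOR(S) is mis-encoded in both this file and get_port.h.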
+diff -urNad postfix-release/src/util/get_port.h /tmp/dpep.cXJuVH/postfix-release/src/util/get_port.h
+--- postfix-release/src/util/get_port.h	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/get_port.h	2005-02-03 10:22:13.079092450 -0700
+@@ -0,0 +1,28 @@
++#ifndef _GET_PORT_H_INCLUDED_
++#define _GET_PORT_H_INCLUDED_
++
++/*++
++/* NAME
++/*	get_port 3h
++/* SUMMARY
++/*	trivial host and port extracter
++/* SYNOPSIS
++/*	#include <get_port.h>
++/* DESCRIPTION
++/* .nf
++
++ /* External interface. */
++
++extern char *get_port(char *);
++
++
++/* LICENSE
++/* .ad
++/* .fi
++/*	BSD Style (or BSD like) license.
++/* AUTHOR(S)
++/*	Arkadiusz Mi¶kiewicz <misiek at pld.org.pl>
++/*	Wroclaw, POLAND
++/*--*/
++
++#endif
+diff -urNad postfix-release/src/util/inet_addr_host.c /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_host.c
+--- postfix-release/src/util/inet_addr_host.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_host.c	2005-02-03 10:22:13.080092227 -0700
+@@ -38,7 +38,10 @@
+ #include <sys_defs.h>
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
++#include <sys/socket.h>
+ #include <netdb.h>
++#include <stdlib.h>
++#include <string.h>
+ 
+ #ifndef INADDR_NONE
+ #define INADDR_NONE 0xffffffff
+@@ -46,17 +49,68 @@
+ 
+ /* Utility library. */
+ 
++#include <mymalloc.h>
+ #include <inet_addr_list.h>
+ #include <inet_addr_host.h>
++#ifdef TEST
++#include <msg.h>
++#endif
+ 
+ /* inet_addr_host - look up address list for host */
+ 
+ int     inet_addr_host(INET_ADDR_LIST *addr_list, const char *hostname)
+ {
++#ifdef INET6
++    int s;
++    struct addrinfo hints, *res0, *res;
++    int error;
++    char *hbuf, *hname;
++#else
+     struct hostent *hp;
+     struct in_addr addr;
++#endif
+     int     initial_count = addr_list->used;
+ 
++#ifdef INET6
++
++    /*
++     * The use of square brackets around an IPv6 addresses is
++     * required, even though we don't enforce it as it'd make
++     * the code unnecessarily complicated.
++     */
++    hbuf = mystrdup(hostname);
++    if (*hbuf == '[' && hbuf[strlen(hbuf) - 1] == ']') {
++	hbuf[strlen(hbuf) - 1] = '\0';
++	hname = hbuf + 1;
++    } else {
++	hname = hbuf;
++    }
++
++    memset(&hints, 0, sizeof(hints));
++    hints.ai_family = PF_UNSPEC;
++    hints.ai_socktype = SOCK_DGRAM;
++    error = getaddrinfo(hname, NULL, &hints, &res0);
++
++    if (error == 0) {
++	for (res = res0; res; res = res->ai_next) {
++	    if (res->ai_family != AF_INET && res->ai_family != AF_INET6)
++		continue;
++	    /*
++	     * filter out address families that are not supported
++	     * XXX is this socket necessary? --dean
++	     */
++	    s = socket(res->ai_family, SOCK_DGRAM, 0);
++	    if (s < 0)
++		continue;
++	    if (close(s))
++		msg_warn("inet_addr_host: close(): %m");
++
++	    inet_addr_list_append(addr_list, res->ai_addr);
++	}
++	freeaddrinfo(res0);
++    }
++    myfree(hbuf);
++#else
+     if ((addr.s_addr = inet_addr(hostname)) != INADDR_NONE) {
+ 	inet_addr_list_append(addr_list, &addr);
+     } else {
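Review bot: msg_warn() is called in the INET6 path (`msg_warn("inet_addr_host: close(): %m")`) but this hunk includes <msg.h> only `#ifdef TEST`; a normal build therefore calls a variadic function without a prototype. Include <msg.h> unconditionally. On the author's own "XXX is this socket necessary?": the `ai_family` test just above already drops anything but AF_INET and AF_INET6, so the socket()/close() probe only matters for a kernel without IPv6 support (EAFNOSUPPORT), yet it costs two syscalls per resolved address on every call and silently discards addresses whenever socket() fails for any other reason, such as an exhausted descriptor table. Probe once per family and remember the answer, and skip an address only on EAFNOSUPPORT. Lastly a getaddrinfo() error is swallowed here and the caller sees only a zero count; that matches the old gethostbyname() behaviour but loses the gai_strerror() text that helps diagnose inet_interfaces mistakes.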
+@@ -65,9 +119,12 @@
+ 		inet_addr_list_append(addr_list,
+ 				    (struct in_addr *) * hp->h_addr_list++);
+     }
++#endif
++
+     return (addr_list->used - initial_count);
+ }
+ 
++
+ #ifdef TEST
+ 
+ #include <msg.h>
+@@ -78,6 +135,8 @@
+ {
+     INET_ADDR_LIST addr_list;
+     int     i;
++    struct sockaddr *sa;
++    char hbuf[NI_MAXHOST];
+ 
+     msg_vstream_init(argv[0], VSTREAM_ERR);
+ 
+@@ -89,8 +148,12 @@
+ 	if (inet_addr_host(&addr_list, *argv) == 0)
+ 	    msg_fatal("not found: %s", *argv);
+ 
+-	for (i = 0; i < addr_list.used; i++)
+-	    vstream_printf("%s\n", inet_ntoa(addr_list.addrs[i]));
++	for (i = 0; i < addr_list.used; i++) {
++	    sa = (struct sockaddr *)&addr_list.addrs[i];
++	    getnameinfo(sa, SA_LEN(sa), hbuf, sizeof(hbuf), NULL, 0,
++		    NI_NUMERICHOST);
++	    vstream_printf("%s\n", hbuf);
++	}
+ 	vstream_fflush(VSTREAM_OUT);
+     }
+     inet_addr_list_free(&addr_list);
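Review bot: the TEST driver ignores the getnameinfo() return value and prints hbuf regardless, so a failure prints an uninitialised buffer; check the result as inet_addr_list_append() does and print a placeholder or msg_fatal() instead.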
+diff -urNad postfix-release/src/util/inet_addr_list.c /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_list.c
+--- postfix-release/src/util/inet_addr_list.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_list.c	2005-02-03 10:22:13.080092227 -0700
+@@ -51,6 +51,13 @@
+ #include <arpa/inet.h>
+ #include <stdlib.h>
+ 
++#include <netdb.h>
++
++#ifdef INET6
++#include <string.h>
++#include <sys/socket.h>
++#endif
++
+ /* Utility library. */
+ 
+ #include <msg.h>
+@@ -64,14 +71,43 @@
+     int     init_size;
+ 
+     list->used = 0;
+-    list->size = 0;
+     init_size = 2;
+-    list->addrs = (struct in_addr *) mymalloc(sizeof(*list->addrs) * init_size);
++#ifdef INET6
++    list->addrs = (struct sockaddr_storage *)
++#else
++    list->addrs = (struct in_addr *)
++#endif
++	mymalloc(sizeof(*list->addrs) * init_size);
+     list->size = init_size;
+ }
+ 
+ /* inet_addr_list_append - append address to internet address list */
+ 
++#ifdef INET6
++void    inet_addr_list_append(INET_ADDR_LIST *list, 
++                              struct sockaddr * addr)
++{
++    char   *myname = "inet_addr_list_append";
++    char    hbuf[NI_MAXHOST];
++    int     new_size;
++
++    if (msg_verbose > 1) {
++	if (getnameinfo(addr, SA_LEN(addr), hbuf, sizeof(hbuf), NULL, 0,
++	    NI_NUMERICHOST)) {
++	    strncpy(hbuf, "??????", sizeof(hbuf));
++	}
++	msg_info("%s: %s", myname, hbuf);
++    }
++
++    if (list->used >= list->size) {
++	new_size = list->size * 2;
++	list->addrs = (struct sockaddr_storage *)
++	    myrealloc((char *)list->addrs, sizeof(*list->addrs) * new_size);
++	list->size = new_size;
++    }
++    memcpy(&list->addrs[list->used++], addr, SA_LEN(addr));
++}
++#else
+ void    inet_addr_list_append(INET_ADDR_LIST *list, struct in_addr * addr)
+ {
+     char   *myname = "inet_addr_list_append";
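Review bot: in the INET6 inet_addr_list_append() `memcpy(&list->addrs[list->used++], addr, SA_LEN(addr))` fills only the first SA_LEN bytes of a struct sockaddr_storage slot that comes from mymalloc()/myrealloc(), leaving the tail of each entry uninitialised; memset() the slot before the memcpy so that any byte-wise comparison of entries (a memcmp-based uniq pass, for instance) is deterministic. SA_LEN() as defined in inet_addr_list.h falls back to sizeof(struct sockaddr_in) for every family other than AF_INET6, so an unexpected sa_family is truncated silently here; a msg_panic() on anything but AF_INET/AF_INET6 would make that visible.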
+@@ -83,20 +119,39 @@
+     if (list->used >= list->size) {
+ 	new_size = list->size * 2;
+ 	list->addrs = (struct in_addr *)
+-	    myrealloc((char *) list->addrs, sizeof(*list->addrs) * new_size);
++	    myrealloc((char *)list->addrs, sizeof(*list->addrs) * new_size);
+ 	list->size = new_size;
+     }
+     list->addrs[list->used++] = *addr;
+ }
++#endif
+ 
+ /* inet_addr_list_comp - compare addresses */
+ 
+ static int inet_addr_list_comp(const void *a, const void *b)
+ {
++#ifdef INET6
++    char   ha[NI_MAXHOST], hb[NI_MAXHOST];
++    int    nierr;
++    int    niflags = NI_NUMERICHOST | NI_WITHSCOPEID;
++    struct sockaddr *sa, *sb;
++
++    sa = (struct sockaddr *)a, sb = (struct sockaddr *)b;
++    if (sa->sa_family != sb->sa_family)
++	return (sa->sa_family - sb->sa_family);
++    nierr = getnameinfo(sa, SA_LEN(sa), ha, sizeof(ha), NULL, 0, niflags);
++    if (nierr)
++	msg_fatal("inet_addr_list_comp: getnameinfo(ha) error %d", nierr);
++    nierr = getnameinfo(sb, SA_LEN(sb), hb, sizeof(hb), NULL, 0, niflags);
++    if (nierr)
++	msg_fatal("inet_addr_list_comp: getnameinfo(hb) error %d", nierr);
++    return strcmp(ha, hb);
++#else
+     const struct in_addr *a_addr = (const struct in_addr *) a;
+     const struct in_addr *b_addr = (const struct in_addr *) b;
+ 
+     return (a_addr->s_addr - b_addr->s_addr);
++#endif
+ }
+ 
+ /* inet_addr_list_uniq - weed out duplicates */
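Review bot: the INET6 branch of inet_addr_list_comp orders addresses by formatting both operands with getnameinfo() and then strcmp()ing the strings. That costs two library calls per comparison inside qsort(), orders addresses lexically rather than numerically, and turns a formatting failure into msg_fatal() from within a sort callback. After the sa_family check, a memcmp() of sin6_addr (plus sin6_scope_id) or of sin_addr gives a total order that is sufficient for inet_addr_list_uniq and removes the need for the NI_WITHSCOPEID workaround in the header. Also, `return (sa->sa_family - sb->sa_family);` and the pre-existing `return (a_addr->s_addr - b_addr->s_addr);` use subtraction as a comparator; the latter is an unsigned 32-bit difference truncated to int and is not a consistent ordering for addresses that differ by 2^31 or more, so it is worth replacing with explicit `<`/`>` tests while this function is being touched.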
+@@ -141,7 +196,9 @@
+   */
+ #include <inet_addr_host.h>
+ 
+-static void inet_addr_list_print(INET_ADDR_LIST *list)
++#ifndef DEBUG6
++static
++#endif void inet_addr_list_print(INET_ADDR_LIST *list)
+ {
+     int     n;
+ 
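Review bot: `#endif void inet_addr_list_print(INET_ADDR_LIST *list)` places tokens after `#endif`, which is not valid C. GCC emits "extra tokens at end of #endif directive" and discards them, so the function is actually compiled without a return type (implicit int) and carries `static` only in non-DEBUG6 builds. Move `void` onto its own line after the `#endif`.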
+diff -urNad postfix-release/src/util/inet_addr_list.h /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_list.h
+--- postfix-release/src/util/inet_addr_list.h	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_list.h	2005-02-03 10:22:13.080092227 -0700
+@@ -16,19 +16,55 @@
+   */
+ #include <netinet/in.h>
+ 
++#ifndef SA_LEN
++# ifndef HAS_SA_LEN
++#  define SA_LEN(x)	(((x)->sa_family == AF_INET6) ? sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in))
++#  define SS_LEN(x)	(((x).ss_family == AF_INET6) ? sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in))
++# else
++#  define SA_LEN(x)       ((x)->sa_len)
++#  define SS_LEN(x)       ((x).ss_len)
++# endif
++#else
++# ifndef SS_LEN
++#  define SS_LEN(x)	(((x).ss_family == AF_INET6) ? sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in))
++# endif
++#endif
++
+  /*
+   * External interface.
+   */
+ typedef struct INET_ADDR_LIST {
+     int     used;			/* nr of elements in use */
+     int     size;			/* actual list size */
++#ifdef INET6
++    struct sockaddr_storage *addrs;   /* payload */
++#else
+     struct in_addr *addrs;		/* payload */
++#endif
+ } INET_ADDR_LIST;
+ 
+ extern void inet_addr_list_init(INET_ADDR_LIST *);
+ extern void inet_addr_list_free(INET_ADDR_LIST *);
+ extern void inet_addr_list_uniq(INET_ADDR_LIST *);
++#ifdef INET6
++struct sockaddr;
++extern void inet_addr_list_append(INET_ADDR_LIST *, struct sockaddr *);
++#else
+ extern void inet_addr_list_append(INET_ADDR_LIST *, struct in_addr *);
++#endif
++
++/*
++ * NI_WITHSCOPEID is defined on most systems, but usually not implemented.
++ * Only on KAME? Use without implementation will result in EAI_BADFLAGS.
++ */
++#ifdef INET6
++# ifndef INET6_KAME
++#  ifdef NI_WITHSCOPEID
++#   undef NI_WITHSCOPEID
++#  endif
++#  define NI_WITHSCOPEID 0
++# endif
++#endif
+ 
+ /* LICENSE
+ /* .ad
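Review bot: the fallback `SA_LEN(x)`/`SS_LEN(x)` macros (the `#ifndef HAS_SA_LEN` branch) return sizeof(struct sockaddr_in) for every family other than AF_INET6, so a sockaddr whose sa_family is stale or wrong (the ial_getifaddrs comment in inet_addr_local.c says netmask sockaddrs can be exactly that) is silently copied with the wrong length. Consider a third branch that yields 0 or sizeof(struct sockaddr) for unknown families so callers can reject them. Two smaller points: `struct sockaddr;` is forward-declared only under INET6 although it is harmless in either build, and the NI_WITHSCOPEID override at the bottom of the header undefines and redefines a system macro for every translation unit that includes inet_addr_list.h; it belongs in the one .c file that passes the flag to getnameinfo().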
+diff -urNad postfix-release/src/util/inet_addr_local.c /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_local.c
+--- postfix-release/src/util/inet_addr_local.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_local.c	2005-02-03 10:22:13.081092004 -0700
+@@ -6,9 +6,10 @@
+ /* SYNOPSIS
+ /*	#include <inet_addr_local.h>
+ /*
+-/*	int	inet_addr_local(addr_list, mask_list)
++/*	int	inet_addr_local(addr_list, mask_list, addr_family)
+ /*	INET_ADDR_LIST *addr_list;
+ /*	INET_ADDR_LIST *mask_list;
++/*	int addr_family;
+ /* DESCRIPTION
+ /*	inet_addr_local() determines all active IP interface addresses
+ /*	of the local system. Any address found is appended to the
+@@ -17,6 +18,9 @@
+ /*
+ /*	The mask_list is either a null pointer, or it is a list that
+ /*	receives the netmasks of the interface addresses that were found.
++/*	
++/*	The addr_family is ether AF_UNSPEC, AF_INET or AF_INET6
++/*
+ /* DIAGNOSTICS
+ /*	Fatal errors: out of memory.
+ /* SEE ALSO
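Review bot: typo in the added documentation line `/*	The addr_family is ether AF_UNSPEC, AF_INET or AF_INET6` ("ether" should read "either"), the sentence lacks a terminating period, and the preceding `/*	` line carries trailing whitespace.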
+@@ -30,6 +34,13 @@
+ /*	IBM T.J. Watson Research
+ /*	P.O. Box 704
+ /*	Yorktown Heights, NY 10598, USA
++/*
++/*	Dean C. Strik
++/*	Department ICT
++/*	Eindhoven University of Technology
++/*	P.O. Box 513
++/*	5600 MB  Eindhoven, Netherlands
++/*	E-mail: <dean at ipnet6.org>
+ /*--*/
+ 
+ /* System library. */
+@@ -47,6 +58,13 @@
+ #endif
+ #include <errno.h>
+ #include <string.h>
++#ifdef INET6
++#include <netdb.h>
++#include <stdio.h>
++#endif
++#ifdef HAVE_GETIFADDRS
++#include <ifaddrs.h>
++#endif
+ 
+ /* Utility library. */
+ 
+@@ -57,39 +75,300 @@
+ #include <inet_addr_local.h>
+ 
+  /*
++  * IF IPV6 SUPPORT IS ENABLED:
++  *
++  * In the non-getifaddrs() version, we determine the interface addresses
++  * using the SIOCG(L)IFCONF. However, it is operating system dependent
++  * whether this also results in IPv6 addresses configuration. Another
++  * issue is that there is no good method to determine the netmask /
++  * prefixlen for IPv6 addresses.
++  * We will therefore use OS dependent methods. An overview:
++  *  - Use SIOCGLIFCONF when available -> this supports both IPv4/IPv6
++  *    addresses. Also, with SIOCGLIFNETMASK we can obtain the netmask /
++  *    prefixlen for either address family.
++  *  - On Linux, read IPv6 addresses / prefixlengths from a file in the
++  *    /proc filesystem. Linux does not return IPv6 addresses in
++  *    SIOCGIFCONF.
++  *  - On other systems without getifaddrs(), we expect SIOCGIFCONF
++  *    to return IPv6 addresses. Since SIOCGIFNETMASK does not work for
++  *    IPv6 addresses, we will always set the prefixlen to 64 (subnet)
++  *    However, it is suggested you set the mynetworks variable(s)
++  *    manually then.
++  *    XXX: We duplicate some code. In this case, I think this is better
++  *    than really drowning in the #ifdefs...
++  * -- Dean Strik (dcs)
++  */
++
++ /*
+   * Support for variable-length addresses.
+   */
++#ifdef HAS_SIOCGLIF
++#else /* HAS_SIOCGLIF */
++#endif /* HAS_SIOCGLIF */
++
++/* decode_scope - separate scope ID from IPv6 address */
++
++#ifdef INET6
++static struct sockaddr *decode_scope(struct sockaddr *sa,
++				     struct sockaddr_in6 *sin6)
++{
++#ifdef INET6_KAME
++    memcpy(sin6, sa, sa->sa_len);	/* size sin6 >> size sa */
++    /* decode scoped address notation */
++    if ((IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr) ||
++	    IN6_IS_ADDR_SITELOCAL(&sin6->sin6_addr)) &&
++	    sin6->sin6_scope_id == 0) {
++	sin6->sin6_scope_id = ntohs(*(u_int16_t *)&sin6->sin6_addr.s6_addr[2]);
++	sin6->sin6_addr.s6_addr[2] = sin6->sin6_addr.s6_addr[3] = 0;
++    }
++    return (struct sockaddr *)sin6;
++#else
++    return (sa);
++#endif
++}
++#endif
++
++/* ial_socket - make socket for ioctl() operations */
++
++static int ial_socket(int af)
++{
++    char  *myname = "inet_addr_local[socket]";
++    int    sock;
++
++    /*
++     * The host may not be actually configured with IPv6. When
++     * IPv6 support is not actually in the kernel, don't consider
++     * failure to create an IPv6 socket as fatal. This could be
++     * tuned better though. For other families, the error is fatal.
++     */
++    if ((sock = socket(af, SOCK_DGRAM, 0)) < 0) {
++#ifdef INET6
++	if (af == AF_INET6) {
++	    if (msg_verbose)
++		msg_warn("%s: socket: %m", myname);
++	    return (-1);
++	}
++#endif
++	msg_fatal("%s: socket: %m", myname);
++    }
++    return (sock);
++}
++
++
++#ifdef HAVE_GETIFADDRS
++
++/*
++ * The getifaddrs(3) function, introduced by BSD/OS, provides a
++ * platform-independent way of requesting interface addresses,
++ * including IPv6 addresses. The implementation however is not
++ * present in all major operating systems.
++ */
++
++/* ial_getifaddrs - determine IP addresses using getifaddrs(3) */
++
++static int ial_getifaddrs(INET_ADDR_LIST *addr_list,
++			  INET_ADDR_LIST *mask_list,
++			  int af)
++{
++    char *myname = "inet_addr_local[getifaddrs]";
++    struct ifaddrs *ifap, *ifa;
++    struct sockaddr *sa, *sam;
++#ifdef INET6
++    struct sockaddr_in6 addr6;
++#else
++    void *addr,*addrm;
++#endif
++
++    if (getifaddrs(&ifap) < 0)
++	msg_fatal("%s: getifaddrs: %m", myname);
++
++    /*
++     * Get the address of each IP network interface. According to BIND we
++     * must include interfaces that are down because the machine may still
++     * receive packets for that address (yes, via some other interface).
++     * Having no way to verify this claim on every machine, I will give them
++     * the benefit of the doubt.
++     */
++
++    for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
++	if (!(ifa->ifa_flags & IFF_RUNNING) || ifa->ifa_addr == NULL) 
++	    continue;
++	sa = ifa->ifa_addr;
++	sam = ifa->ifa_netmask;
++	if (af != AF_UNSPEC && sa->sa_family != af)
++	    continue;
++	switch (sa->sa_family) {
++	case AF_INET:
++#ifndef INET6
++	    addr = (void *)&((struct sockaddr_in *)sa)->sin_addr;
++	    addrm = (void *)&((struct sockaddr_in *)ifa->ifa_netmask)->sin_addr;
++#endif
++	    break;
++#ifdef INET6
++	case AF_INET6:
++	    sa = decode_scope(sa, &addr6);
++	    break;
++#endif
++	default:
++	    continue;
++	}
++
++#ifdef INET6
++	inet_addr_list_append(addr_list, sa);
++	if (mask_list != NULL) {
++	    /*
++	     * Unfortunately, sa_len/sa_family may be broken in
++	     * the netmask sockaddr structure. We must fix this
++	     * manually to have correct addresses.   --dcs
++	     */
++#ifdef HAS_SA_LEN
++	    sam->sa_len = sa->sa_family == AF_INET6 ?
++			  sizeof(struct sockaddr_in6) :
++			  sizeof(struct sockaddr_in);
++#endif
++	    sam->sa_family = sa->sa_family;
++	    inet_addr_list_append(mask_list, sam);
++	}
++#else
++	inet_addr_list_append(addr_list, (struct in_addr *)addr);
++	if (mask_list != NULL)
++	    inet_addr_list_append(mask_list, (struct in_addr *)addrm);
++#endif
++    }
++
++    freeifaddrs(ifap);
++    return (0);
++}
++#endif /* HAVE_GETIFADDRS */
++
++
++#ifdef HAS_SIOCGLIF
++
++/*
++ * The SIOCLIF* ioctls are the successors of SIOCGIF* on the Solaris
++ * and HP/UX operating systems. The data is stored in sockaddr_storage
++ * structure. Both IPv4 and IPv6 addresses are returned though these
++ * calls.
++ */
++#define NEXT_INTERFACE(lifr) (lifr + 1)
++#define LIFREQ_SIZE(lifr) sizeof(lifr[0])
++#define ial_generic ial_siocglif
++
++/* ial_siocglif - determine IP addresses using ioctl(SIOCGLIF*) */
++
++static int ial_siocglif(INET_ADDR_LIST *addr_list,
++			INET_ADDR_LIST *mask_list,
++			int af)
++{
++    char *myname = "inet_addr_local[siocglif]";
++    struct lifconf lifc;
++    struct lifreq *lifr;
++    struct lifreq *lifr_mask;
++    struct lifreq *the_end;
++    struct sockaddr *sa;
++    struct sockaddr_in6 addr6;
++    int   sock;
++    VSTRING *buf;
++
++    if (af != AF_INET && af != AF_INET6)
++	msg_fatal("%s: address family was %d, must be AF_INET (%d) or "
++		  "AF_INET6 (%d)", myname, af, AF_INET, AF_INET6);
++    sock = ial_socket(af);
++    if (sock < 0)
++	return (0);
++    buf = vstring_alloc(1024);
++    for (;;) {
++	memset(&lifc, 0, sizeof(lifc));
++	lifc.lifc_family = AF_UNSPEC;
++	lifc.lifc_len = vstring_avail(buf);
++	lifc.lifc_buf = vstring_str(buf);
++	if (ioctl(sock, SIOCGLIFCONF, (char *) &lifc) < 0) {
++	    if (errno != EINVAL)
++		msg_fatal("%s: ioctl SIOCGLIFCONF: %m", myname);
++	} else if (lifc.lifc_len < vstring_avail(buf) / 2)
++	    break;
++	VSTRING_SPACE(buf, vstring_avail(buf) * 2);
++    }
++
++    the_end = (struct lifreq *) (lifc.lifc_buf + lifc.lifc_len);
++    for (lifr = lifc.lifc_req; lifr < the_end;) {
++	if (((struct sockaddr *)&lifr->lifr_addr)->sa_family != af) {
++	    lifr = NEXT_INTERFACE(lifr);
++	    continue;
++	}
++	if (af == AF_INET) {
++	    if (((struct sockaddr_in *)&lifr->lifr_addr)->sin_addr.s_addr
++		    == INADDR_ANY) {
++		lifr = NEXT_INTERFACE(lifr);
++		continue;
++	    }
++	    sa = (struct sockaddr *)&lifr->lifr_addr;
++	} else if (af == AF_INET6) {
++	    sa = decode_scope((struct sockaddr *)&lifr->lifr_addr, &addr6);
++	    if (IN6_IS_ADDR_UNSPECIFIED(&addr6.sin6_addr)) {
++		lifr = NEXT_INTERFACE(lifr);
++		continue;
++	    }
++	}
++	inet_addr_list_append(addr_list, sa);
++	if (mask_list) {
++	    lifr_mask = (struct lifreq *) mymalloc(sizeof(struct lifreq));
++	    memcpy((char *)lifr_mask, (char *)lifr, sizeof(struct lifreq));
++	    if (ioctl(sock, SIOCGLIFNETMASK, lifr_mask) < 0)
++		msg_fatal("%s: ioctl(SIOCGLIFNETMASK): %m", myname);
++	    /* XXX: Check whether sa_len/family are honoured --dcs */
++	    inet_addr_list_append(mask_list,
++				 (struct sockaddr *)&lifr_mask->lifr_addr);
++	    myfree((char *)lifr_mask);
++	}
++	lifr = NEXT_INTERFACE(lifr);
++    }
++    vstring_free(buf);
++    (void) close(sock);
++    return (0);
++}
++
++#else /* HAVE_SIOCGLIF */
++
++/*
++ * The classic SIOCGIF* ioctls. Modern BSD operating systems will
++ * also return IPv6 addresses through these structure. Note however
++ * that recent versions of these operating systems have getifaddrs.
++ */
++#define ial_generic ial_siocgif
+ #ifdef _SIZEOF_ADDR_IFREQ
+ #define NEXT_INTERFACE(ifr) ((struct ifreq *) \
+ 	((char *) ifr + _SIZEOF_ADDR_IFREQ(*ifr)))
+ #define IFREQ_SIZE(ifr)	_SIZEOF_ADDR_IFREQ(*ifr)
+-#else
++#else /* _SIZEOF_ADDR_IFREQ */
+ #ifdef HAS_SA_LEN
+ #define NEXT_INTERFACE(ifr) ((struct ifreq *) \
+ 	((char *) ifr + sizeof(ifr->ifr_name) + ifr->ifr_addr.sa_len))
+ #define IFREQ_SIZE(ifr)	(sizeof(ifr->ifr_name) + ifr->ifr_addr.sa_len)
+-#else
++#else /* HAS_SA_LEN */
+ #define NEXT_INTERFACE(ifr) (ifr + 1)
+ #define IFREQ_SIZE(ifr)	sizeof(ifr[0])
+-#endif
+-#endif
++#endif /* HAS_SA_LEN */
++#endif /* _SIZEOF_ADDR_IFREQ */
+ 
+-/* inet_addr_local - find all IP addresses for this host */
++/* ial_siocgif - determine IP addresses using ioctl(SIOCGIF*) */
+ 
+-int     inet_addr_local(INET_ADDR_LIST *addr_list, INET_ADDR_LIST *mask_list)
++static int ial_siocgif(INET_ADDR_LIST *addr_list,
++			INET_ADDR_LIST *mask_list,
++			int af)
+ {
+-    char   *myname = "inet_addr_local";
++    char *myname = "inet_addr_local[siocgif]";
++    struct in_addr addr;
+     struct ifconf ifc;
+     struct ifreq *ifr;
+-    struct ifreq *the_end;
+-    int     sock;
+-    VSTRING *buf = vstring_alloc(1024);
+-    int     initial_count = addr_list->used;
+-    struct in_addr addr;
+     struct ifreq *ifr_mask;
+-
+-    if ((sock = socket(PF_INET, SOCK_DGRAM, 0)) < 0)
+-	msg_fatal("%s: socket: %m", myname);
++    struct ifreq *the_end;
++#ifdef INET6
++    struct sockaddr *sa;
++    struct sockaddr_in6 addr6;
++#endif
++    int   sock;
++    VSTRING *buf;
+ 
+     /*
+      * Get the network interface list. XXX The socket API appears to have no
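Review bot: two logic problems in this hunk. First, ial_getifaddrs dereferences `ifa->ifa_netmask` without a NULL check: `sam = ifa->ifa_netmask;` is later written through (`sam->sa_len = ...`, `sam->sa_family = sa->sa_family;`), and the non-INET6 path reads `((struct sockaddr_in *)ifa->ifa_netmask)->sin_addr`. getifaddrs(3) returns a NULL ifa_netmask for interfaces without one (point-to-point links, some tunnels), which crashes any caller that asks for mask_list; skip such entries or test before use. Second, in the non-KAME build decode_scope() returns `sa` and never writes `*sin6`, yet ial_siocglif tests `IN6_IS_ADDR_UNSPECIFIED(&addr6.sin6_addr)` right after calling it, reading an uninitialised struct; have decode_scope copy into sin6 (memcpy with SA_LEN(sa)) and return sin6 in both branches. Smaller points: the IFF_RUNNING filter in ial_getifaddrs contradicts the comment directly above it, which was moved here from the SIOCGIFCONF loop and argues for including interfaces that are down, and since neither ial_siocglif nor ial_siocgif filter on flags, which addresses end up in the list now depends on which backend the platform selects; `sam->sa_family = sa->sa_family` modifies the buffer owned by getifaddrs() rather than a local copy; the empty `#ifdef HAS_SIOCGLIF` / `#else` / `#endif` block after the "Support for variable-length addresses" comment is dead code; `LIFREQ_SIZE` is defined but never used; and `#else /* HAVE_SIOCGLIF */` does not name the `HAS_SIOCGLIF` it closes.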
+@@ -106,6 +385,11 @@
+      * that the program can run out of memory due to a non-memory problem,
+      * making it more difficult than necessary to diagnose the real problem.
+      */
++
++    sock = ial_socket(af);
++    if (sock < 0)
++	return (0);
++    buf = vstring_alloc(1024);
+     for (;;) {
+ 	ifc.ifc_len = vstring_avail(buf);
+ 	ifc.ifc_buf = vstring_str(buf);
+@@ -117,39 +401,199 @@
+ 	VSTRING_SPACE(buf, vstring_avail(buf) * 2);
+     }
+ 
+-    /*
+-     * Get the address of each IP network interface. According to BIND we
+-     * must include interfaces that are down because the machine may still
+-     * receive packets for that address (yes, via some other interface).
+-     * Having no way to verify this claim on every machine, I will give them
+-     * the benefit of the doubt.
+-     */
+     the_end = (struct ifreq *) (ifc.ifc_buf + ifc.ifc_len);
+     for (ifr = ifc.ifc_req; ifr < the_end;) {
+-	if (ifr->ifr_addr.sa_family == AF_INET) {	/* IP interface */
+-	    addr = ((struct sockaddr_in *) & ifr->ifr_addr)->sin_addr;
+-	    if (addr.s_addr != INADDR_ANY) {	/* has IP address */
++        if (ifr->ifr_addr.sa_family != af) {
++	    ifr = NEXT_INTERFACE(ifr);
++	    continue;
++        }
++	if (af == AF_INET) {
++	    addr = ((struct sockaddr_in *) &ifr->ifr_addr)->sin_addr;
++	    if (addr.s_addr != INADDR_ANY) {
++#ifdef INET6
++		inet_addr_list_append(addr_list, &ifr->ifr_addr);
++#else
+ 		inet_addr_list_append(addr_list, &addr);
++#endif
+ 		if (mask_list) {
+ 		    ifr_mask = (struct ifreq *) mymalloc(IFREQ_SIZE(ifr));
+ 		    memcpy((char *) ifr_mask, (char *) ifr, IFREQ_SIZE(ifr));
+ 		    if (ioctl(sock, SIOCGIFNETMASK, ifr_mask) < 0)
+ 			msg_fatal("%s: ioctl SIOCGIFNETMASK: %m", myname);
+-		    addr = ((struct sockaddr_in *) & ifr_mask->ifr_addr)->sin_addr;
++#ifdef INET6
++		    /*
++		     * Note that this SIOCGIFNETMASK has truly screwed up
++		     * the contents of sa_len/sa_family. We must fix this
++		     * manually to have correct addresses.   --dcs
++		     */
++#ifdef HAS_SA_LEN
++		    ifr_mask->ifr_addr.sa_len = sizeof(struct sockaddr_in);
++#endif
++		    ifr_mask->ifr_addr.sa_family = af;
++		    inet_addr_list_append(mask_list, &ifr_mask->ifr_addr);
++#else
++		    addr = ((struct sockaddr_in *) &ifr_mask->ifr_addr)->sin_addr;
+ 		    inet_addr_list_append(mask_list, &addr);
++#endif
+ 		    myfree((char *) ifr_mask);
+ 		}
+ 	    }
+ 	}
++#ifdef INET6
++	else if (af == AF_INET6) {
++	    sa = decode_scope(&ifr->ifr_addr, &addr6);
++	    if (!(IN6_IS_ADDR_UNSPECIFIED(&addr6.sin6_addr))) {
++	        inet_addr_list_append(addr_list, sa);
++		if (mask_list) {
++		    /* We can't know, and assume /64 for everything */
++		    struct sockaddr_in6 mask6;
++		    struct in6_addr *maddr6;
++		    memcpy((char *)&mask6, (char *)&addr6,
++			   sizeof(struct sockaddr_in6));
++		    maddr6 = &mask6.sin6_addr;
++		    maddr6->s6_addr[0]  = maddr6->s6_addr[1]  =
++		    maddr6->s6_addr[2]  = maddr6->s6_addr[3]  =
++		    maddr6->s6_addr[4]  = maddr6->s6_addr[5]  =
++		    maddr6->s6_addr[6]  = maddr6->s6_addr[7]  = 0xff;
++		    maddr6->s6_addr[8]  = maddr6->s6_addr[9]  =
++		    maddr6->s6_addr[10] = maddr6->s6_addr[11] =
++		    maddr6->s6_addr[12] = maddr6->s6_addr[13] =
++		    maddr6->s6_addr[14] = maddr6->s6_addr[15] = 0x0;
++		    inet_addr_list_append(mask_list,
++					  (struct sockaddr *)&mask6);
++		}
++	    }
++	}
++#endif /* INET6 */
+ 	ifr = NEXT_INTERFACE(ifr);
+     }
+     vstring_free(buf);
+     (void) close(sock);
++    return (0);
++}
++#endif /* HAVE_SIOCGLIF */
++
++
++#ifdef HAS_PROCNET_IFINET6
++
++/*
++ * Linux does not provide proper calls to retrieve IPv6 interface
++ * addresses. Instead, the addresses can be read from a file in the
++ * /proc tree. The most important issue with this approach however
++ * is that the /proc tree may not always be available, for example
++ * in a chrooted environment or in "hardened" (sic) installations.
++ */
++
++/* ial_procnet_ifinet6 - determine IPv6 addresses using /proc/net/if_inet6 */
++
++static int ial_procnet_ifinet6(INET_ADDR_LIST *addr_list,
++			       INET_ADDR_LIST *mask_list)
++{
++    char *myname = "inet_addr_local[procnet_ifinet6]";
++    FILE *f;
++    char addr6p[8][5], addr6res[40], devname[20];
++    int plen, scope, dad_status, if_idx, gaierror;
++    struct addrinfo hints, *res, *res0;
++
++    if ((f = fopen(_PATH_PROCNET_IFINET6, "r")) != NULL) {
++	while (fscanf(f, "%4s%4s%4s%4s%4s%4s%4s%4s %02x %02x %02x %02x %20s\n",
++		addr6p[0], addr6p[1], addr6p[2], addr6p[3], addr6p[4],
++		addr6p[5], addr6p[6], addr6p[7],
++		&if_idx, &plen, &scope, &dad_status, devname) != EOF) {
++	    sprintf(addr6res, "%s:%s:%s:%s:%s:%s:%s:%s",
++		addr6p[0], addr6p[1], addr6p[2], addr6p[3],
++		addr6p[4], addr6p[5], addr6p[6], addr6p[7]);
++	    addr6res[sizeof(addr6res) - 1] = 0;
++	    memset(&hints, 0, sizeof(hints));
++	    hints.ai_flags = AI_NUMERICHOST;
++	    hints.ai_family = AF_INET6;
++	    hints.ai_socktype = SOCK_DGRAM;
++	    gaierror = getaddrinfo(addr6res, NULL, &hints, &res0);
++	    if (!gaierror) {
++		for (res = res0; res; res = res->ai_next) {
++		    struct sockaddr_in6 mask;
++		    int i, rest;
++		    inet_addr_list_append(addr_list, res->ai_addr);
++		    memcpy((char *)&mask, res->ai_addr, res->ai_addrlen);
++		    /* s6_addr32 is available on linux */
++		    mask.sin6_addr.s6_addr32[0] =
++		    mask.sin6_addr.s6_addr32[1] =
++		    mask.sin6_addr.s6_addr32[2] =
++		    mask.sin6_addr.s6_addr32[3] = ~0;
++		    for (i = 3, rest = 128 - plen; i > -1; i--)
++			if (rest > 31) {
++			    mask.sin6_addr.s6_addr32[i] = htonl(0);
++			    rest -= 32;
++			} else {
++			    mask.sin6_addr.s6_addr32[i] =
++				htonl(~((1 << rest) - 1));
++			    break;
++			}
++		    inet_addr_list_append(mask_list, (struct sockaddr *)&mask);
++		}
++		freeaddrinfo(res0);
++	    }
++	}
++    } else if (msg_verbose) {
++	msg_warn("%s: Couldn't open " _PATH_PROCNET_IFINET6
++		 " for reading: %m", myname);
++    }
++    return (0);
++}
++#endif /* HAS_PROCNET_IFINET6 */
++
++
++/* inet_addr_local - find all IP addresses for this host */
++
++int     inet_addr_local(INET_ADDR_LIST *addr_list, INET_ADDR_LIST *mask_list,
++			int addr_family)
++{
++    char   *myname = "inet_addr_local";
++    int     initial_count = addr_list->used;
++    int     count;
++
++    /*
++     * IP Version 4
++     */
++    if (addr_family == AF_INET || addr_family == AF_UNSPEC) {
++	count = addr_list->used;
++#if defined(HAVE_GETIFADDRS)
++	ial_getifaddrs(addr_list, mask_list, AF_INET);
++#else
++	ial_generic(addr_list, mask_list, AF_INET);
++#endif
++	if (msg_verbose)
++	    msg_info("%s: configured %d IPv4 addresses",
++		     myname, addr_list->used - count);
++    }
++
++    /*
++     * IP Version 6
++     */
++    if (addr_family == AF_INET6 || addr_family == AF_UNSPEC) {
++	count = addr_list->used;
++#ifdef INET6
++#if defined(HAS_PROCNET_IFINET6)
++	ial_procnet_ifinet6(addr_list, mask_list);
++#elif defined(HAVE_GETIFADDRS)
++	ial_getifaddrs(addr_list, mask_list, AF_INET6);
++#else
++	ial_generic(addr_list, mask_list, AF_INET6);
++#endif
++	if (msg_verbose)
++	    msg_info("%s: configured %d IPv6 addresses", myname,
++		     addr_list->used - count);
++#endif
++    }
++
+     return (addr_list->used - initial_count);
+ }
+ 
++
+ #ifdef TEST
++/* XXX: Requires INET6 for now */
+ 
++#include <string.h>
+ #include <vstream.h>
+ #include <msg_vstream.h>
+ 
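Review bot: ial_procnet_ifinet6 has several defects. The read loop `while (fscanf(...) != EOF)` only terminates at end of file; a line that does not match the format makes fscanf return a short count without consuming input, so the loop spins forever. Test for the expected item count (13) instead. `%20s` into `char devname[20]` can write 21 bytes including the terminator; use `%19s`. `inet_addr_list_append(mask_list, (struct sockaddr *)&mask);` lacks the `if (mask_list)` guard every other backend has, so inet_addr_local(addr_list, NULL, AF_INET6) crashes on Linux. `htonl(~((1 << rest) - 1))` shifts a signed int; `1U` avoids undefined behaviour at rest == 31. More important operationally: inet_addr_local prefers HAS_PROCNET_IFINET6 over HAVE_GETIFADDRS, so on a chrooted or hardened Linux host (the case the function's own comment names) the IPv6 address list is silently empty, with only a verbose-level msg_warn(); fall back to ial_getifaddrs when fopen() fails rather than returning 0. In ial_siocgif, `decode_scope(&ifr->ifr_addr, &addr6)` followed by `IN6_IS_ADDR_UNSPECIFIED(&addr6.sin6_addr)` reads addr6 uninitialised on non-KAME builds, where decode_scope does not fill it; `if (ifr->ifr_addr.sa_family != af) {` and its closing brace are indented with spaces while the file uses tabs; the removed "according to BIND" comment described this unfiltered loop, not the IFF_RUNNING-filtered getifaddrs loop it was moved to; and `#endif /* HAVE_SIOCGLIF */` should read HAS_SIOCGLIF. The `#include <string.h>` under TEST duplicates the include at the top of the file.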
+@@ -158,12 +602,14 @@
+     INET_ADDR_LIST addr_list;
+     INET_ADDR_LIST mask_list;
+     int     i;
++    char abuf[NI_MAXHOST], mbuf[NI_MAXHOST];
++    struct sockaddr *sa;
+ 
+     msg_vstream_init(argv[0], VSTREAM_ERR);
+ 
+     inet_addr_list_init(&addr_list);
+     inet_addr_list_init(&mask_list);
+-    inet_addr_local(&addr_list, &mask_list);
++    inet_addr_local(&addr_list, &mask_list, AF_UNSPEC);
+ 
+     if (addr_list.used == 0)
+ 	msg_fatal("cannot find any active network interfaces");
+@@ -172,8 +618,17 @@
+ 	msg_warn("found only one active network interface");
+ 
+     for (i = 0; i < addr_list.used; i++) {
+-	vstream_printf("%s/", inet_ntoa(addr_list.addrs[i]));
+-	vstream_printf("%s\n", inet_ntoa(mask_list.addrs[i]));
++	sa = (struct sockaddr *)&addr_list.addrs[i];
++	if (getnameinfo(sa, SA_LEN(sa), abuf, sizeof(abuf), NULL, 0,
++		NI_NUMERICHOST)) {
++	    strncpy(abuf, "???", sizeof(abuf));
++	}
++	sa = (struct sockaddr *)&mask_list.addrs[i];
++	if (getnameinfo(sa, SA_LEN(sa), mbuf, sizeof(mbuf), NULL, 0,
++		NI_NUMERICHOST)) {
++	    strncpy(mbuf, "???", sizeof(mbuf));
++	}
++	vstream_printf("%s/%s\n", abuf, mbuf);
+     }
+     vstream_fflush(VSTREAM_OUT);
+     inet_addr_list_free(&addr_list);
+diff -urNad postfix-release/src/util/inet_addr_local.h /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_local.h
+--- postfix-release/src/util/inet_addr_local.h	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_local.h	2005-02-03 10:22:13.081092004 -0700
+@@ -19,7 +19,7 @@
+  /*
+   * External interface.
+   */
+-extern int inet_addr_local(INET_ADDR_LIST *, INET_ADDR_LIST *);
++extern int inet_addr_local(INET_ADDR_LIST *, INET_ADDR_LIST *, int);
+ 
+ /* LICENSE
+ /* .ad
+diff -urNad postfix-release/src/util/inet_connect.c /tmp/dpep.cXJuVH/postfix-release/src/util/inet_connect.c
+--- postfix-release/src/util/inet_connect.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/inet_connect.c	2005-02-03 10:22:13.082091781 -0700
+@@ -55,6 +55,9 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <errno.h>
++#ifdef INET6
++#include <netdb.h>
++#endif
+ 
+ /* Utility library. */
+ 
+@@ -74,7 +77,12 @@
+     char   *buf;
+     char   *host;
+     char   *port;
++#ifdef INET6
++    struct addrinfo hints, *res, *res0;
++    int    error;
++#else
+     struct sockaddr_in sin;
++#endif
+     int     sock;
+ 
+     /*
+@@ -82,14 +90,58 @@
+      * the local host.
+      */
+     buf = inet_parse(addr, &host, &port);
++#ifdef INET6
++    if (*host == 0)
++	host = NULL;
++    memset(&hints, 0, sizeof(hints));
++    hints.ai_family = PF_UNSPEC;
++    hints.ai_socktype = SOCK_STREAM;
++    hints.ai_flags = AI_NUMERICHOST;	/* find_inet_addr is numeric only */
++    if (getaddrinfo(host, port, &hints, &res0))
++	msg_fatal("host not found: %s", host);
++#else
+     if (*host == 0)
+ 	host = "localhost";
+     memset((char *) &sin, 0, sizeof(sin));
+     sin.sin_family = AF_INET;
+     sin.sin_addr.s_addr = find_inet_addr(host);
+     sin.sin_port = find_inet_port(port, "tcp");
++#endif
+     myfree(buf);
+ 
++#ifdef INET6
++    sock = -1;
++    for (res = res0; res; res = res->ai_next) {
++	if ((res->ai_family != AF_INET) && (res->ai_family != AF_INET6))
++	    continue;
++
++	sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
++	if (sock < 0)
++	    continue;
++	if (timeout > 0) {
++	    non_blocking(sock, NON_BLOCKING);
++	    if (timed_connect(sock, res->ai_addr, res->ai_addrlen, timeout) < 0) {
++		close(sock);
++		sock = -1;
++		continue;
++	    }
++	    if (block_mode != NON_BLOCKING)
++		non_blocking(sock, block_mode);
++	    break;
++	} else {
++	    non_blocking(sock, block_mode);
++	    if (connect(sock, res->ai_addr, res->ai_addrlen) < 0
++		&& errno != EINPROGRESS) {
++		close(sock);
++		sock = -1;
++		continue;
++	    }
++	    break;
++	}
++    }
++    freeaddrinfo(res0);
++    return sock;
++#else
+     /*
+      * Create a client socket.
+      */
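Review bot: the INET6 error path `if (getaddrinfo(host, port, &hints, &res0)) msg_fatal("host not found: %s", host);` passes `host` to %s after the lines just above may have set it to NULL, and it discards the getaddrinfo() status; the `int error;` declared in the previous hunk is never used. Capture the status and report `gai_strerror(error)` together with the original `addr` string. When every candidate fails, the function reaches `return sock;` with -1 only after `close(sock)` has run inside the loop, so errno no longer reflects the connect() or socket() failure; save errno before close() and restore it before returning so callers that print %m see the real cause. Minor: `hints.ai_family = PF_UNSPEC;` should be AF_UNSPEC for consistency with the AF_ comparisons in the loop (same value, different namespace).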
+@@ -122,4 +174,5 @@
+ 	}
+ 	return (sock);
+     }
++#endif
+ }
+diff -urNad postfix-release/src/util/inet_listen.c /tmp/dpep.cXJuVH/postfix-release/src/util/inet_listen.c
+--- postfix-release/src/util/inet_listen.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/inet_listen.c	2005-02-03 10:22:13.082091781 -0700
+@@ -6,7 +6,7 @@
+ /* SYNOPSIS
+ /*	#include <listen.h>
+ /*
+-/*	int	inet_listen(addr, backlog, block_mode)
++/*	int	inet_listen(addr, backlog, block_mode, addinuse_fatal)
+ /*	const char *addr;
+ /*	int	backlog;
+ /*	int	block_mode;
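Review bot: the SYNOPSIS names the new fourth argument `addinuse_fatal` while the definition later in this file uses `addrinuse_fatal`; make the two consistent, and give the new argument its own `int addrinuse_fatal;` line in the declaration list alongside `block_mode` so the manual page documents it.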
+@@ -51,11 +51,17 @@
+ #include <sys_defs.h>
+ #include <sys/socket.h>
+ #include <netinet/in.h>
++#ifdef INET6
++#if (! __GLIBC__ >= 2 && __GLIBC_MINOR__ >=1 )
++#include <netinet6/in6.h>
++#endif
++#endif
+ #include <arpa/inet.h>
+ #include <netdb.h>
+ #ifndef MAXHOSTNAMELEN
+ #include <sys/param.h>
+ #endif
++#include <errno.h>
+ #include <string.h>
+ #include <unistd.h>
+ 
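Review bot: `#if (! __GLIBC__ >= 2 && __GLIBC_MINOR__ >=1 )` does not express the intended condition. `!` binds tighter than `>=`, so it reads `(!__GLIBC__) >= 2`, which is never true, and the `#include <netinet6/in6.h>` is dead on every platform (on non-glibc systems __GLIBC__ is undefined and evaluates to 0 with the same outcome). The intended test is `#if !(__GLIBC__ >= 2 && __GLIBC_MINOR__ >= 1)`, but since `<netinet/in.h>` already supplies the IPv6 definitions on any platform where INET6 is built, the cleanest fix is to drop the block entirely. Adding `<errno.h>` here is right, since the listener now inspects errno.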
+@@ -77,35 +83,116 @@
+ 
+ /* inet_listen - create inet-domain listener */
+ 
+-int     inet_listen(const char *addr, int backlog, int block_mode)
++int     inet_listen(const char *addr, int backlog, int block_mode, int addrinuse_fatal)
+ {
++#ifdef INET6
++    struct addrinfo *res, *res0, hints;
++    int error;
++#else
++    struct ai {
++	int ai_family;
++	int ai_socktype;
++	int ai_protocol;
++	struct sockaddr *ai_addr;
++	SOCKADDR_SIZE ai_addrlen;
++	struct ai *ai_next;
++    } *res, *res0, resbody;
+     struct sockaddr_in sin;
++#endif
+     int     sock;
+     int     t = 1;
++    int     addrinuse = 0;
+     char   *buf;
+     char   *host;
+     char   *port;
++#ifdef INET6
++    char hbuf[NI_MAXHOST], pbuf[NI_MAXSERV];
++#else
++    char hbuf[sizeof("255.255.255.255") + 1];
++    char pbuf[sizeof("255.255.255.255") + 1];
++#endif
++    char *cause = "unknown";
+ 
+     /*
+      * Translate address information to internal form.
+      */
+     buf = inet_parse(addr, &host, &port);
+-    memset((char *) &sin, 0, sizeof(sin));
++#ifdef INET6
++    memset(&hints, 0, sizeof(hints));
++    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
++    hints.ai_family = AF_UNSPEC;
++    hints.ai_socktype = SOCK_STREAM;
++    error = getaddrinfo(*host ? host : NULL, *port ? port : "0", &hints, &res0);
++    if (error) {
++	msg_fatal("getaddrinfo: %s", gai_strerror(error));
++    }
++    myfree(buf);
++#else
++    memset(&sin, 0, sizeof(sin));
+     sin.sin_family = AF_INET;
++#ifdef HAS_SA_LEN
++    sin.sin_len = sizeof(sin);
++#endif
+     sin.sin_port = find_inet_port(port, "tcp");
+     sin.sin_addr.s_addr = (*host ? find_inet_addr(host) : INADDR_ANY);
+-    myfree(buf);
+ 
+-    /*
+-     * Create a listener socket.
+-     */
+-    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+-	msg_fatal("socket: %m");
+-    if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (char *) &t, sizeof(t)) < 0)
+-	msg_fatal("setsockopt: %m");
+-    if (bind(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0)
+-	msg_fatal("bind %s port %d: %m", sin.sin_addr.s_addr == INADDR_ANY ?
+-	       "INADDR_ANY" : inet_ntoa(sin.sin_addr), ntohs(sin.sin_port));
++    memset(&resbody, 0, sizeof(resbody)); 
++    resbody.ai_socktype = SOCK_STREAM;
++    resbody.ai_family = AF_INET;
++    resbody.ai_addr = (struct sockaddr *)&sin;
++    resbody.ai_addrlen = sizeof(sin);
++
++    res0 = &resbody;
++#endif
++
++    sock = -1;
++    for (res = res0; res; res = res->ai_next) {
++	if ((res->ai_family != AF_INET) && (res->ai_family != AF_INET6))
++	    continue;
++
++	/*
++	 * Create a listener socket.
++	 */
++	if ((sock = socket(res->ai_family, res->ai_socktype, 0)) < 0) {
++	    cause = "socket";
++	    continue;
++	}
++#ifdef IPV6_V6ONLY
++	if (res->ai_family == AF_INET6 && setsockopt(sock,
++	    IPPROTO_IPV6, IPV6_V6ONLY, (char *)&t, sizeof(t)) < 0) {
++#ifdef DEBUG6
++	    cause = "setsockopt(IPV6_V6ONLY)";
++	    close(sock);
++	    sock = -1;
++	    continue;
++#endif
++	    ;
++	}
++#endif
++	if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (char *) &t, sizeof(t)) < 0) {
++	    cause = "setsockopt(SO_REUSEADDR)";
++	    close(sock);
++	    sock = -1;
++	    continue;
++	}
++
++	if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) {
++	    cause = "bind";
++	    if (errno == EADDRINUSE)
++		addrinuse = 1;
++	    close(sock);
++	    sock = -1;
++	    continue;
++	}
++	break;
++    }
++    if (sock < 0 && (addrinuse_fatal || !addrinuse))
++	msg_fatal("%s: %m", cause);
++#ifdef INET6
++    freeaddrinfo(res0);
++#endif
++    if (sock < 0)
++	return -1;
+     non_blocking(sock, block_mode);
+     if (listen(sock, backlog) < 0)
+ 	msg_fatal("listen: %m");
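Review bot: the candidate loop `for (res = res0; res; res = res->ai_next)` breaks after the first successful bind(), so when getaddrinfo() returns both a `::` and a `0.0.0.0` entry for a wildcard `addr` only one socket is ever created; because IPV6_V6ONLY is set on the AF_INET6 socket, a listener that lands on `::` will not accept IPv4 connections and the AF_INET entry is never tried. Either document that callers must pass one concrete address per call or return a set of sockets. Related: a failing `setsockopt(IPV6_V6ONLY)` is silently ignored outside DEBUG6 builds (the lone `;` after the `#endif` is the only statement), so dual-stack behaviour varies by platform without a log line; at minimum msg_warn(). In the non-INET6 branch the `-    myfree(buf);` removed from the common path is only re-added under `#ifdef INET6`, so `buf` leaks on every call unless it is freed below this hunk. The failure report `msg_fatal("%s: %m", cause)` drops the address and port the old bind message printed, and `%m` may show errno from the close(sock) that ran after the failure; preserve the failing errno and include hbuf/pbuf (declared but unused in this hunk) or `addr` in the message. Finally, `addrinuse` is sticky across candidates while `cause` records only the last failure, so with addrinuse_fatal == 0 an earlier EADDRINUSE can mask a later unrelated error and the function returns -1 silently.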
+diff -urNad postfix-release/src/util/inet_util.c /tmp/dpep.cXJuVH/postfix-release/src/util/inet_util.c
+--- postfix-release/src/util/inet_util.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/inet_util.c	2005-02-03 10:22:13.082091781 -0700
+@@ -37,6 +37,7 @@
+ /* System libraries. */
+ 
+ #include <sys_defs.h>
++#include <string.h>
+ 
+ /* Utility library. */
+ 
+@@ -48,14 +49,26 @@
+ 
+ char   *inet_parse(const char *addr, char **hostp, char **portp)
+ {
+-    char   *buf;
+-
+-    buf = mystrdup(addr);
+-    if ((*portp = split_at_right(buf, ':')) != 0) {
++    char   *buf, *brk;
++#ifdef INET6
++    if (*addr == '[') {
++	buf = mystrdup(addr + 1);
++	brk = strchr(buf, ']');
++	if (brk == NULL) 
++	    brk = buf;
++    } else
++#endif
++	brk = buf = mystrdup(addr);
++    if ((*portp = split_at_right(brk, ':')) != 0) {
+ 	*hostp = buf;
++#ifdef INET6
++	if (brk > buf)
++		*brk = '\0';
++#endif
+     } else {
+ 	*portp = buf;
+ 	*hostp = "";
+     }
+     return (buf);
+ }
++
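Review bot: a bracketed address without a port suffix is mishandled in inet_parse(): for `[::1]`, `brk` points at the `]`, `split_at_right(brk, ':')` finds no colon, and the function falls into the `else` branch and returns `*portp = "::1]"` with the bracket still attached, while `*hostp` is set to `""`. A missing closing bracket (`[::1:25`) is silently accepted via `brk = buf` as well. Strip the `]` before the port split and reject an unterminated `[`, so that the bracketed form always yields the host in `*hostp`. The hunk also appends an empty line at the end of the file.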
+diff -urNad postfix-release/src/util/listen.h /tmp/dpep.cXJuVH/postfix-release/src/util/listen.h
+--- postfix-release/src/util/listen.h	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/listen.h	2005-02-03 10:22:13.083091558 -0700
+@@ -20,7 +20,7 @@
+   * Listener external interface.
+   */
+ extern int unix_listen(const char *, int, int);
+-extern int inet_listen(const char *, int, int);
++extern int inet_listen(const char *, int, int, int);
+ extern int fifo_listen(const char *, int, int);
+ extern int stream_listen(const char *, int, int);
+ 
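Review bot: the new fourth `int` parameter of `inet_listen()` is undocumented in this header; the listen.c change above gives it the meaning of `addrinuse_fatal` (return -1 instead of calling msg_fatal when bind() reports EADDRINUSE). Add a comment next to the prototype saying so, and confirm that every caller has been updated, since a remaining three-argument call no longer matches the prototype and will not compile.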
+diff -urNad postfix-release/src/util/Makefile.in /tmp/dpep.cXJuVH/postfix-release/src/util/Makefile.in
+--- postfix-release/src/util/Makefile.in	2005-02-03 10:22:12.225282899 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/Makefile.in	2005-02-03 10:22:13.083091558 -0700
+@@ -29,7 +29,8 @@
+ 	vstream_popen.c vstring.c vstring_vstream.c watchdog.c writable.c \
+ 	write_buf.c write_wait.c auto_clnt.c attr_clnt.c attr_scan_plain.c \
+ 	attr_print_plain.c sane_connect.c neuter.c name_code.c \
+-	uppercase.c
++	uppercase.c \
++	get_port.c sock_addr.c
+ OBJS	= alldig.o argv.o argv_split.o attr_print0.o attr_print64.o \
+ 	attr_scan0.o attr_scan64.o base64_code.o basename.o binhash.o \
+ 	chroot_uid.o clean_env.o close_on_exec.o concatenate.o ctable.o \
+@@ -59,7 +60,7 @@
+ 	vstream_popen.o vstring.o vstring_vstream.o watchdog.o writable.o \
+ 	write_buf.o write_wait.o auto_clnt.o attr_clnt.o attr_scan_plain.o \
+ 	attr_print_plain.o sane_connect.o $(STRCASE) neuter.o name_code.o \
+-	uppercase.o load_lib.o
++	uppercase.o load_lib.o get_port.o sock_addr.o
+ HDRS	= argv.h attr.h base64_code.h binhash.h chroot_uid.h clean_env.h \
+ 	connect.h ctable.h dict.h dict_db.h dict_dbm.h dict_env.h \
+ 	dict_cidr.h dict_ht.h dict_ni.h dict_nis.h \
+@@ -79,7 +80,8 @@
+ 	split_at.h stat_as.h stringops.h sys_defs.h timed_connect.h \
+ 	timed_wait.h trigger.h username.h valid_hostname.h vbuf.h \
+ 	vbuf_print.h vstream.h vstring.h vstring_vstream.h watchdog.h \
+-	auto_clnt.h attr_clnt.h sane_connect.h name_code.h
++	auto_clnt.h attr_clnt.h sane_connect.h name_code.h \
++	get_port.h sock_addr.h
+ TESTSRC	= fifo_open.c fifo_rdwr_bug.c fifo_rdonly_bug.c select_bug.c \
+ 	stream_test.c dup2_pass_on_exec.c
+ DEFS	= -I. -D$(SYSTYPE)
+@@ -854,6 +856,7 @@
+ get_domainname.o: mymalloc.h
+ get_domainname.o: get_hostname.h
+ get_domainname.o: get_domainname.h
++get_port.o: sys_defs.h
+ get_hostname.o: get_hostname.c
+ get_hostname.o: sys_defs.h
+ get_hostname.o: mymalloc.h
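Review bot: the dependency entry for `get_port.o` lists only `sys_defs.h`; every other object in this file starts with its own source file (`get_hostname.o: get_hostname.c`, directly below) followed by the headers it includes, so add `get_port.o: get_port.c` and `get_port.o: get_port.h`, otherwise edits to those files do not trigger a rebuild.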
+@@ -975,6 +978,7 @@
+ match_list.o: stringops.h
+ match_list.o: argv.h
+ match_list.o: dict.h
++match_list.o: inet_util.h
+ match_list.o: match_ops.h
+ match_list.o: match_list.h
+ match_ops.o: match_ops.c
+@@ -1192,6 +1196,8 @@
+ skipblanks.o: stringops.h
+ skipblanks.o: vstring.h
+ skipblanks.o: vbuf.h
++sock_addr.o: msg.h
++sock_addr.o: sock_addr.h
+ spawn_command.o: spawn_command.c
+ spawn_command.o: sys_defs.h
+ spawn_command.o: msg.h
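Review bot: `sock_addr.o` is given only `msg.h` and `sock_addr.h` as dependencies, but sock_addr.c (added later in this patch) also includes `sys_defs.h`, and the entry for its own source, `sock_addr.o: sock_addr.c`, is missing. Mirror the pattern used for `spawn_command.o` immediately below.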
+diff -urNad postfix-release/src/util/match_list.c /tmp/dpep.cXJuVH/postfix-release/src/util/match_list.c
+--- postfix-release/src/util/match_list.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/match_list.c	2005-02-03 10:22:13.084091335 -0700
+@@ -125,7 +125,7 @@
+ 		    list = match_list_parse(list, vstring_str(buf));
+ 	    if (vstream_fclose(fp))
+ 		msg_fatal("%s: read file %s: %m", myname, pattern);
+-	} else if (strchr(pattern, ':') != 0) {	/* type:table */
++	} else if ((strchr(pattern, ']') == 0) && (strchr(pattern, ':') != 0)) {	/* type:table */
+ 	    if (buf == 0)
+ 		buf = vstring_alloc(10);
+ #define OPEN_FLAGS	O_RDONLY
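Review bot: the added `strchr(pattern, ']') == 0` guard keeps a bracketed IPv6 literal such as `[::1]` out of the type:table branch, but the trailing comment `/* type:table */` no longer describes the condition, and any table name that happens to contain a `]` is now silently treated as a plain pattern. Extend the comment to state that bracketed IPv6 literals are excluded, and consider testing for a leading `[` rather than for a `]` anywhere in the string, which matches the convention std_addr_pattern() uses later in this patch.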
+diff -urNad postfix-release/src/util/match_ops.c /tmp/dpep.cXJuVH/postfix-release/src/util/match_ops.c
+--- postfix-release/src/util/match_ops.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/match_ops.c	2005-02-03 10:22:13.085091112 -0700
+@@ -54,6 +54,15 @@
+ /*	IBM T.J. Watson Research
+ /*	P.O. Box 704
+ /*	Yorktown Heights, NY 10598, USA
++/*
++/*	Takahiro Igarashi
++/*
++/*	Dean C. Strik
++/*	Department ICT Services
++/*	Eindhoven University of Technology
++/*	P.O. Box 513
++/*	5600 MB  Eindhoven, Netherlands
++/*	E-mail: <dean at ipnet6.org>
+ /*--*/
+ 
+ /* System library. */
+@@ -63,6 +72,11 @@
+ #include <arpa/inet.h>
+ #include <string.h>
+ #include <stdlib.h>
++#include <errno.h>
++
++#ifdef INT_MAX_IN_LIMITS_H
++#include <limits.h>
++#endif
+ 
+ #ifdef STRCASECMP_IN_STRINGS_H
+ #include <strings.h>
+@@ -75,12 +89,42 @@
+ /* Utility library. */
+ 
+ #include <msg.h>
++#include <msg_output.h>
+ #include <mymalloc.h>
+ #include <split_at.h>
+ #include <dict.h>
+ #include <match_ops.h>
+ #include <stringops.h>
+ 
++#define BITS_PER_ADDR_V4	32
++#define BITS_PER_ADDR_V6	128
++
++#ifdef INET6
++
++/*
++ * IPv6-enabled code was written by Takahiro Igarashi and Dean Strik.
++ */
++
++#endif /* INET6 */
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <unistd.h>
++#include <syslog.h>
++#include <fcntl.h>
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <string.h>
++#include <netdb.h>
++#include <arpa/inet.h>
++#include <resolv.h>
++
++/* prototypes */
++static PRINTFLIKE(2,3) void warning_msg(VSTRING *, const char *, ...);
++#ifdef INET6
++static int mask_comp(void *, void *, int);
++#endif /* INET6 */
++
+ /* match_string - match a string literal */
+ 
+ int     match_string(int unused_flags, const char *string, const char *pattern)
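Review bot: the second block of includes duplicates `<string.h>`, `<stdlib.h>` and `<arpa/inet.h>`, which the "System library." section of this file already includes, and it places system headers (`<stdio.h>`, `<unistd.h>`, `<syslog.h>`, `<fcntl.h>`, `<resolv.h>`, ...) after the utility-library includes, against the file's ordering convention; nothing in the visible code uses syslog, fcntl or resolv. Move the headers that are actually needed (`<sys/socket.h>`, `<netinet/in.h>`, `<netdb.h>`) into the system block, drop the rest, and drop the `#ifdef INET6` block that contains only a comment. The prototype `static PRINTFLIKE(2,3) void warning_msg(...)` also differs in attribute placement from the definition `static void PRINTFLIKE(2,3) warning_msg(...)` further down; use one form in both places.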
+@@ -177,6 +221,7 @@
+     return (0);
+ }
+ 
++#ifndef INET6
+ /* match_parse_mask - parse net/mask pattern */
+ 
+ static int match_parse_mask(const char *pattern, unsigned long *net_bits,
+@@ -185,11 +230,9 @@
+     char   *saved_pattern;
+     char   *mask;
+ 
+-#define BITS_PER_ADDR	32
+-
+     saved_pattern = mystrdup(pattern);
+     if ((mask = split_at(saved_pattern, '/')) != 0) {
+-	if (!alldig(mask) || (*mask_shift = atoi(mask)) > BITS_PER_ADDR
++	if (!alldig(mask) || (*mask_shift = atoi(mask)) > BITS_PER_ADDR_V4
+ 	    || (*net_bits = inet_addr(saved_pattern)) == INADDR_NONE) {
+ 	    msg_fatal("bad net/mask pattern: %s", pattern);
+ 	}
+@@ -198,11 +241,357 @@
+     return (mask != 0);
+ }
+ 
++#endif
++
++static void PRINTFLIKE(2,3) warning_msg(VSTRING *vp, const char *fmt,...)
++{
++    va_list ap;
++    if (vp) {
++	va_start(ap, fmt);
++	vstring_vsprintf(vp, fmt, ap);
++	va_end(ap);
++    } else {
++	va_start(ap, fmt);
++	msg_vprintf(MSG_WARN, fmt, ap);
++	va_end(ap);
++    }
++}
++
++/* v6addr_literal - copy IPv6 literal address from bracketed version */
++/*                  Supports both plain addresses and addr/plen's    */
++
++static char *v6addr_literal(const char *pattern)
++{
++    size_t patlen;
++    char *mypattern, *ptr;
++
++    if (pattern == NULL)
++	msg_panic("v6_addr_literal: called with NULL pattern pointer");
++    if (msg_verbose > 1)
++	msg_info("v6addr_literal: input pattern %s", pattern);
++
++    patlen = strlen(pattern);
++
++    /*
++     * Note that we allow two different presentation/configuration
++     * formats for literal IPv6 (address/prefixlen) combinations.
++     * These are [v6addr]/plen and [v6addr/plen]. The second should
++     * be avoided and will be deprecated in later Postfix/v6 versions.
++     */
++    if (*pattern == '[') {
++	mypattern = mystrdup(pattern + 1);
++	if (pattern[patlen - 1] == ']') {
++	    /*
++	     * Format: "[v6addr]" or "[v6addr/plen]".
++	     */
++	    mypattern[patlen - 2] = '\0';
++	} else if ((ptr = strchr(mypattern + 1, '/')) != NULL
++		   && *--ptr == ']') {
++	    /*
++	     * Format: "[v6addr]/plen".
++	     */
++	    while (*ptr)
++		ptr++[0] = ptr[1];
++	}
++    } else {
++	mypattern = mystrdup(pattern);
++    }
++
++    if (msg_verbose > 1)
++	msg_info("v6addr_literal: debracketed to %s", mypattern);
++
++    return (mypattern);
++}
++
++/* std_addr_pattern - standardize address pattern */
++
++int std_addr_pattern(int flags, const char *pattern,
++		     ADDR_PATTERN **result, VSTRING *warnings)
++{
++    char   *myname = "std_addr_pattern";
++    ADDR_PATTERN *res;
++    int     mask;
++#ifdef INET6
++    int     pf;
++    char   *mypattern, *plenp;
++    int     bits_per_addr, aierr;
++    struct addrinfo hints, *res0;
++    struct sockaddr_storage *ss_pattern;
++
++    pf = PF_UNSPEC;
++    *result = NULL;
++
++    if (pattern == NULL)
++	msg_panic("%s: pattern may not be NULL!", myname);
++
++    /*
++     * IPv6 addresses passed as pattern to match_hostaddr should start
++     * with a bracket '[' and have a ']' closing. This is as specific
++     * as it can get.
++     */
++    mypattern = v6addr_literal(pattern);
++    if (*pattern == '[') {
++	pf = PF_INET6;
++    } else if (!(flags & (MATCH_FLAG_STRICT_ADDR|MATCH_FLAG_NOLOOKUP))) {
++	/*
++	 * Return if we find what appears to be a maptype:file entry.
++	 * It's up to the caller of this function to handle this.
++	 */
++	if (strchr(pattern, ':') != NULL) {
++	    myfree(mypattern);
++	    return (1);
++	}
++    }
++    plenp = split_at(mypattern, '/');
++
++    memset(&hints, 0, sizeof(hints));
++    hints.ai_family = pf;
++    hints.ai_socktype = SOCK_STREAM;
++    hints.ai_flags = AI_NUMERICHOST;
++    aierr = getaddrinfo(mypattern, NULL, &hints, &res0);
++    /*
++     * EAI_NONAME happens when the pattern was not supplied in a
++     * valid printable form. This is a non-fatal error in strict
++     * address pattern maps like the CIDR dictionary.
++     */
++    if (aierr == EAI_NONAME) {
++	if (msg_verbose || (flags & MATCH_FLAG_STRICT_ADDR))
++	    warning_msg(warnings,
++			"%s: invalid address pattern \"%s\"",
++			myname, mypattern);
++	myfree(mypattern);
++	return (0);
++    }
++    if (aierr != 0 && aierr != EAI_NONAME)
++	msg_fatal("%s: getaddrinfo(%s): %s", myname, mypattern,
++		  GAI_STRERROR(aierr));
++    pf = res0->ai_family;
++    switch (pf) {
++    case AF_INET:
++	bits_per_addr = BITS_PER_ADDR_V4;
++	break;
++    case AF_INET6:
++	bits_per_addr = BITS_PER_ADDR_V6;
++	break;
++    default:
++	warning_msg(warnings,
++		    "%s: unsupported address family %d in lookup result "
++		    "of \"%s\"", myname, pf, pattern);
++	freeaddrinfo(res0);
++	myfree(mypattern);
++	return (0);
++    }
++    ss_pattern = (struct sockaddr_storage *)
++		 mymalloc(sizeof(struct sockaddr_storage));
++    memcpy(ss_pattern, (const void *)res0->ai_addr, res0->ai_addrlen);
++    freeaddrinfo(res0);
++
++    if (plenp != NULL) {
++	/*
++	 * Split the pattern into an address and a prefix length
++	 * We explicitly allow "/0"
++	 */
++	if (strcmp(plenp, "0")) {
++	    mask = atoi(plenp);
++	    if (mask <= 0 || mask > bits_per_addr) {
++		warning_msg(warnings, "%s: bad net/mask pattern: %s",
++			    myname, pattern);
++		myfree(mypattern);
++		myfree((char *)ss_pattern);
++		return (0);
++	    }
++	} else {
++	    mask = 0;
++	}
++    } else {
++	/*
++	 * A single address is considered a prefix with maximum prefix length.
++	 */
++	switch (pf) {
++	    case AF_INET:
++		mask = BITS_PER_ADDR_V4;
++		break;
++	    case AF_INET6:
++		mask = BITS_PER_ADDR_V6;
++		break;
++	    default:
++		msg_panic("%s: address family %d should not occur here",
++			  myname, pf);
++	}
++    }
++
++    if (flags & MATCH_FLAG_NONNULL_HOST) {
++	/*
++	 * We require that the host portion of (address/plen) pairs be zero
++	 * to reduce the impact of configuration errors.
++	 */
++	int non_null = 0;
++
++	if (mask != 0 && mask != bits_per_addr) {
++	    int bytesl, bits;
++	    char *addr = NULL;
++	    unsigned char ac;
++
++	    switch (ss_pattern->ss_family) {
++	    case AF_INET6:
++		addr = (char *)(&((struct sockaddr_in6 *)ss_pattern)->sin6_addr);
++		bits_per_addr = BITS_PER_ADDR_V6;
++		break;
++	    case AF_INET:
++		addr = (char *)(&((struct sockaddr_in *)ss_pattern)->sin_addr);
++		bits_per_addr = BITS_PER_ADDR_V4;
++		break;
++	    default:
++		msg_panic("%s: address family %d should not occur here",
++			  myname, pf);
++	    }
++	    bytesl = mask / 8;
++	    bits = (bits_per_addr - mask) % 8;
++	    if (bytesl == bits_per_addr / 8)
++		non_null = 1;
++	    else
++		ac = addr[bytesl];
++	    if (bits == 0)
++		bits = 8;
++	    if (!non_null && ac != (ac & 0xff << bits))
++		non_null = 1;
++	    while (!non_null && ++bytesl < bits_per_addr / 8)
++		non_null = addr[bytesl] != 0;
++	}
++	if (non_null) {
++	    warning_msg(warnings,
++			"%s: net/mask pattern \"%s/%s\" "
++			"with non-null host pattern",
++			myname, mypattern, plenp);
++	    myfree(mypattern);
++	    return (0);
++	}
++    }
++
++#else /* INET6 */
++
++    char *mypattern, *plenp;
++    int bits;
++    unsigned long addr, addr0;
++    struct sockaddr_in *ss_pattern;
++
++    *result = NULL;
++
++    if (!(flags & MATCH_FLAG_STRICT_ADDR) && strchr(pattern, ':') != 0)
++	return (1);
++
++    mypattern = mystrdup(pattern);
++    plenp = split_at(mypattern, '/');
++    if (plenp == NULL) {
++	bits = BITS_PER_ADDR_V4;
++    } else {
++	bits = atoi(plenp);
++	if (bits <= 0 || bits > BITS_PER_ADDR_V4)
++	warning_msg(warnings,
++		    "%s: bad net/mask pattern: %s",
++		    myname, pattern);
++	myfree(mypattern);
++	myfree((char *)ss_pattern);
++	return (0);
++    }
++
++    addr = inet_addr(mypattern);
++    addr0 = htonl(0xffffffff << (BITS_PER_ADDR_V4 - bits));
++    if ((flags & MATCH_FLAG_NONNULL_HOST) && (addr & ~addr0)) {
++	warning_msg(warnings,
++		    "%s: net/mask pattern \"%s/%s\" with "
++		    "non-null host portion",
++		    myname, mypattern, plenp);
++	myfree(mypattern);
++	return (0);
++    }
++
++    /*
++     * We make a sockaddr_in, but we don't use any of the fields
++     * except the sin_addr member. Sockaddrs are used to create
++     * an API that's closer to AF-independence.
++     */
++    ss_pattern = (struct sockaddr_in *)mymalloc(sizeof(struct sockaddr_in));
++    memset(ss_pattern, 0, sizeof(*ss_pattern));
++    ss_pattern->sin_family = AF_INET;
++    ss_pattern->sin_addr.s_addr = addr;
++
++#endif	/* INET6 */
++
++    res = addr_pattern_init();
++    res->addr = (struct sockaddr *)ss_pattern;
++    res->masklen = mask;
++    res->opattern = mystrdup(pattern);
++    res->pattern = mypattern;
++    *result = res;
++
++    return (1);
++}
++
+ /* match_hostaddr - match host by address */
+ 
++/* XXX: the IPv4-only version does not yet use std_addr_pattern --dean */
++
+ int     match_hostaddr(int unused_flags, const char *addr, const char *pattern)
+ {
+     char   *myname = "match_hostaddr";
++#ifdef INET6
++    size_t  patlen;
++    char   *plenp;
++    int     aierr, res, ret, mask;
++    struct addrinfo hints, *res0;
++    struct sockaddr_storage ss_addr, ss_mask;
++    ADDR_PATTERN *mask_info;
++
++    ret = 0;
++    if (msg_verbose)
++	msg_info("%s: %s ~? %s", myname, addr, pattern);
++
++    memset(&hints, 0, sizeof(hints));
++    hints.ai_family = PF_UNSPEC;
++    hints.ai_socktype = SOCK_STREAM;
++    hints.ai_flags = AI_NUMERICHOST;
++    aierr = getaddrinfo(addr, NULL, &hints, &res0);
++    /*
++     * The access maps checks run both hostname and address through this.
++     * E.g. the CIDR map checks both the hostname and address. Checking the
++     * hostname in a CIDR map will yield no result but may not give an
++     * EAI_NONAME error since it is correct that the hostname cannot be
++     * interpreted numerically.
++     */
++    if (aierr != 0 && aierr != EAI_NONAME)
++	msg_fatal("%s: getaddrinfo(%s): %s", myname, addr, GAI_STRERROR(aierr));
++    memcpy(&ss_addr, (const void *)res0->ai_addr, res0->ai_addrlen);
++    freeaddrinfo(res0);
++
++    res = std_addr_pattern(MATCH_FLAG_NONE, pattern, &mask_info, NULL);
++    if (mask_info == NULL) {
++	/*
++	 * Try dictionary lookup. This can be case insensitive.
++	 */
++	if (res && strchr(pattern, ':') != 0) {
++	    if (dict_lookup(pattern, addr) != NULL)
++		return 1;
++	}
++	return 0;
++    }
++    
++    /*
++     * Try an exact match with the host address (IPv4 only)
++     */
++    if (mask_info->addr->sa_family == AF_INET &&
++			    strcasecmp(pattern, addr) == 0) {
++	addr_pattern_free(mask_info);
++	return 1;
++    }
++
++    res = match_sockaddr((struct sockaddr *)&ss_addr,
++			 mask_info->addr, mask_info->masklen);
++    addr_pattern_free(mask_info);
++    return (res != 0);
++    
++
++#else
+     unsigned int mask_shift;
+     unsigned long mask_bits;
+     unsigned long net_bits;
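Review bot: match_hostaddr() in the INET6 branch dereferences `res0` after getaddrinfo() has failed: the comment above the check explains that hostnames are routinely passed through here and that EAI_NONAME is expected, yet the code continues to `memcpy(&ss_addr, (const void *)res0->ai_addr, res0->ai_addrlen)` with `res0` never set, so the first access-map check of a non-numeric hostname dereferences an uninitialised pointer. Return 0, or go straight to the dictionary lookup, when `aierr == EAI_NONAME`. Further problems in this hunk: (1) in the `#else /* INET6 */` branch of std_addr_pattern() the `if (bits <= 0 || bits > BITS_PER_ADDR_V4)` has no braces, so every pattern with a `/plen` suffix warns, frees the not-yet-allocated `ss_pattern`, and returns 0; in the same branch the result of `inet_addr()` is never checked against INADDR_NONE, and `res->masklen = mask` stores a variable that this branch never assigns (it computes `bits` instead); (2) the prefix length is parsed with `atoi()` in place of the `alldig()` check the IPv4 code used, so `/1x` is accepted as `/1`; (3) the `non_null` error path frees `mypattern` but leaks `ss_pattern`; (4) v6addr_literal() reads past the end of the string for a pattern consisting of a lone `[`, since `mypattern` is then empty and `strchr(mypattern + 1, '/')` starts beyond the terminator; (5) the INET6 dictionary path does not check `dict_errno` after dict_lookup() the way the IPv4 path below does, so a lookup error is indistinguishable from a non-match; (6) the `aierr != 0 && aierr != EAI_NONAME` test after the EAI_NONAME return is redundant, and two whitespace-only lines are added after `return 0;` and `return (res != 0);`.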
+@@ -219,7 +608,8 @@
+      * Try dictionary lookup. This can be case insensitive. XXX Probably
+      * should also try again after stripping least significant octets.
+      */
+-    if (strchr(pattern, ':') != 0) {
++    if (strchr(pattern, ':') != 0)
++    {
+ 	if (dict_lookup(pattern, addr) != 0)
+ 	    return (1);
+ 	if (dict_errno != 0)
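Review bot: this hunk only moves the opening brace of `if (strchr(pattern, ':') != 0)` onto its own line, which departs from the K&R brace style used everywhere else in this file and adds noise to the diff with no functional change; drop it.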
+@@ -238,14 +628,15 @@
+      * In a net/mask pattern, the mask is specified as the number of bits of
+      * the network part.
+      */
++	    
+     if (match_parse_mask(pattern, &net_bits, &mask_shift)) {
+ 	addr_bits = inet_addr(addr);
+ 	if (addr_bits == INADDR_NONE)
+ 	    msg_fatal("%s: bad address argument: %s", myname, addr);
+ 	mask_bits = mask_shift > 0 ?
+-	    htonl((0xffffffff) << (BITS_PER_ADDR - mask_shift)) : 0;
++		htonl((0xffffffff) << (BITS_PER_ADDR_V4 - mask_shift)) : 0;
+ 	if ((addr_bits & mask_bits) == net_bits)
+-	    return (1);
++	    return 1;
+ 	if (net_bits & ~mask_bits) {
+ 	    net_addr.s_addr = (net_bits & mask_bits);
+ 	    msg_fatal("net/mask pattern %s has a non-null host portion; "
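Review bot: this hunk adds a line consisting only of a tab and spaces after the comment block, rewrites `return (1)` as `return 1`, and re-indents the `htonl()` expression, none of which changes behaviour. Keep only the `BITS_PER_ADDR` to `BITS_PER_ADDR_V4` rename, which is required now that the old `#define BITS_PER_ADDR` was removed from match_parse_mask().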
+@@ -254,4 +645,120 @@
+ 	}
+     }
+     return (0);
++#endif
+ }
++
++int
++match_sockaddr(const struct sockaddr *addr, const struct sockaddr *mask,
++	       int masklen)
++{
++    /*
++     * I generally hate to do so, but this function just asks for
++     * #ifdef INET6... address comparison in the IPv4 only case is
++     * utterly trivial, completely unlike the mixed AF case.
++     */
++#ifdef INET6
++    if (addr->sa_family == AF_INET) {
++	if (mask->sa_family == AF_INET6) {
++	    if (IN6_IS_ADDR_V4MAPPED(
++			&((struct sockaddr_in6 *)mask)->sin6_addr)) {
++	        /* IPv4 address but IPv4-mapped-IPv6 netmask... */
++		if (masklen < 0 || masklen > BITS_PER_ADDR_V4)
++		    return 0;
++	        return mask_comp(&((struct sockaddr_in *)addr)->sin_addr.s_addr,
++		    &((struct sockaddr_in6 *)mask)->sin6_addr.s6_addr[12],
++		    masklen);
++	    }
++	    /* IPv4 address yet IPv6 mask. No match */
++	    return 0;
++        }
++	/* IPv4 address, IPv4 netmask */
++	if (masklen < 0 || masklen > BITS_PER_ADDR_V4)
++	    return 0;
++	return mask_comp(&((struct sockaddr_in *)addr)->sin_addr.s_addr,
++			 &((struct sockaddr_in *)mask)->sin_addr.s_addr,
++			 masklen);
++    } else if (addr->sa_family == AF_INET6) {
++	/* IPv6 address, IPv6 netmask */
++	struct sockaddr_in6 *addr6, *mask6;
++	addr6 = (struct sockaddr_in6 *)addr;
++	mask6 = (struct sockaddr_in6 *)mask;
++
++	if (IN6_IS_ADDR_V4MAPPED(&addr6->sin6_addr)) {
++	    /* V4-mapped IPv6 address */
++	    struct sockaddr_in addr4;
++	    memset(&addr4, 0, sizeof(addr4));
++#ifdef HAS_SA_LEN
++	    addr4.sin_len = sizeof(addr4);
++#endif
++	    addr4.sin_family = AF_INET;
++	    memcpy(&addr4.sin_addr.s_addr, &addr6->sin6_addr.s6_addr[12], 4);
++	    if (masklen > BITS_PER_ADDR_V4 && masklen <= BITS_PER_ADDR_V6)
++		masklen -= BITS_PER_ADDR_V6 - BITS_PER_ADDR_V4;
++	    return match_sockaddr((struct sockaddr *)&addr4, mask, masklen);
++	}
++	/* True IPv6, finally... */
++        if (masklen < 0 || masklen > BITS_PER_ADDR_V6)
++	    return 0;
++	if (mask->sa_family != AF_INET6 ||
++		IN6_IS_ADDR_V4MAPPED(&mask6->sin6_addr))
++	    return 0;
++#ifdef INET6_KAME
++	if (IN6_IS_ADDR_SITELOCAL(&addr6->sin6_addr))
++	    if (!IN6_IS_ADDR_SITELOCAL(&mask6->sin6_addr) ||
++		    addr6->sin6_scope_id != mask6->sin6_scope_id)
++		return 0;
++	if (IN6_IS_ADDR_LINKLOCAL(&addr6->sin6_addr))
++	    if (!IN6_IS_ADDR_LINKLOCAL(&mask6->sin6_addr) ||
++		    addr6->sin6_scope_id != mask6->sin6_scope_id)
++		return 0;
++#endif
++	return mask_comp(&addr6->sin6_addr.s6_addr,
++			 &mask6->sin6_addr.s6_addr,
++			 masklen);
++    }
++    /* Unsupported address family */
++    return 0;
++#else /* INET6 */
++    /*
++     * Trivial for IPv4...
++     */
++    return (addr->sa_family == mask->sa_family &&
++	    ((struct sockaddr_in *)addr)->sin_addr.s_addr ==
++	    ((struct sockaddr_in *)mask)->sin_addr.s_addr);
++#endif /* INET6 */
++}
++
++static int
++mask_comp(void *addr, void *mask, int masklen)
++{
++    int bytes, bit;
++
++    bytes = masklen / 8;
++    bit = 8 - masklen % 8;
++    if (memcmp(addr, mask, bytes) != 0)
++	return 0;
++    if (bit != 8) {
++	char *a = addr, *b = mask;
++	if ((a[bytes] & (0xff << bit)) != (b[bytes] & (0xff << bit)))
++	    return 0;
++    }
++    return 1;
++}
++
++ADDR_PATTERN *
++addr_pattern_init() {
++    ADDR_PATTERN *p;
++    p = (ADDR_PATTERN *)mymalloc(sizeof(ADDR_PATTERN));
++    memset(p, 0, sizeof(ADDR_PATTERN));
++    return p;
++}
++
++void
++addr_pattern_free(ADDR_PATTERN *p) {
++    if (p->addr) myfree((char *)p->addr);
++    if (p->pattern) myfree(p->pattern);
++    if (p->opattern) myfree(p->opattern);
++    myfree((char *)p);
++}
++
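Review bot: the `#else /* INET6 */` version of match_sockaddr() ignores `masklen` entirely and returns 1 only on an exact address match, so in a non-INET6 build a net/mask ADDR_PATTERN would never match a prefix; apply mask_comp() there as well (the IPv4 case is the trivial one the comment refers to). Also in this hunk: mask_comp() is defined unconditionally while its prototype near the top of the file sits inside `#ifdef INET6`, leaving an undeclared, unused static function in non-INET6 builds; `char *a = addr, *b = mask` should be `unsigned char` so the comparison does not depend on sign extension of `char`; the V4-mapped handling is asymmetric (an IPv4 address with a V4-mapped IPv6 mask returns 0 for `masklen > BITS_PER_ADDR_V4`, whereas a V4-mapped address with an IPv4 mask subtracts 96 from `masklen`), and should treat both directions the same way; `addr_pattern_init()` is declared `(void)` in match_ops.h but defined with empty parentheses here; and the file gains a trailing blank line.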
+diff -urNad postfix-release/src/util/match_ops.h /tmp/dpep.cXJuVH/postfix-release/src/util/match_ops.h
+--- postfix-release/src/util/match_ops.h	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/match_ops.h	2005-02-03 10:22:13.085091112 -0700
+@@ -11,15 +11,40 @@
+ /* DESCRIPTION
+ /* .nf
+ 
++ /*
++  * Utility library.
++  */
++#include <vstring.h>
++
+  /* External interface. */
+ 
+ #define MATCH_FLAG_NONE		0
+ #define MATCH_FLAG_PARENT	(1<<0)
+-#define MATCH_FLAG_ALL		(MATCH_FLAG_PARENT)
++#define MATCH_FLAG_STRICT_ADDR	(1<<1)
++#define MATCH_FLAG_NOLOOKUP	(1<<2)
++#define MATCH_FLAG_NONNULL_HOST	(1<<3)
++#define MATCH_FLAG_ALL		(MATCH_FLAG_PARENT | MATCH_FLAG_NOLOOKUP | MATCH_FLAG_NONNULL_HOST)
++
++#define GAI_STRERROR(error) \
++	((error == EAI_SYSTEM) ? strerror(errno) : gai_strerror(error))
++
++ /* Data structures. */
++
++typedef struct ADDR_PATTERN {
++    struct sockaddr *addr;		/* pointer to sockaddr(_storage) address */
++    size_t masklen;			/* prefix length */
++    char  *pattern;			/* modified pattern */
++    char  *opattern;			/* original string pattern */
++} ADDR_PATTERN;
+ 
+ extern int match_string(int, const char *, const char *);
+ extern int match_hostname(int, const char *, const char *);
+ extern int match_hostaddr(int, const char *, const char *);
++extern int std_addr_pattern(int, const char *, ADDR_PATTERN **, VSTRING *);
++extern int match_sockaddr(const struct sockaddr *, const struct sockaddr *, int);
++
++extern ADDR_PATTERN * addr_pattern_init(void);
++extern void addr_pattern_free(ADDR_PATTERN *);
+ 
+ /* LICENSE
+ /* .ad
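Review bot: the header is not self-contained: `ADDR_PATTERN` uses `struct sockaddr`, and `GAI_STRERROR()` expands to `errno`, `strerror()`, `gai_strerror()` and `EAI_SYSTEM`, yet the only new include is `<vstring.h>`, so every file that includes match_ops.h must already have pulled in `<sys/socket.h>`, `<errno.h>`, `<string.h>` and `<netdb.h>`. Add those includes here, or move GAI_STRERROR into match_ops.c where it is used. `masklen` is declared `size_t` but is assigned from an `int` and passed to `match_sockaddr(..., int)`; pick one type. MATCH_FLAG_ALL omits MATCH_FLAG_STRICT_ADDR; if that is intentional, say so in a comment.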
+@@ -30,6 +55,13 @@
+ /*	IBM T.J. Watson Research
+ /*	P.O. Box 704
+ /*	Yorktown Heights, NY 10598, USA
++/*
++/*	Dean C. Strik
++/*	Department ICT Services
++/*	Eindhoven University of Technology
++/*	P.O. Box 513
++/*	5600 MB  Eindhoven, Netherlands
++/*	E-mail: <dean at ipnet6.org>
+ /*--*/
+ 
+ #endif
+diff -urNad postfix-release/src/util/sock_addr.c /tmp/dpep.cXJuVH/postfix-release/src/util/sock_addr.c
+--- postfix-release/src/util/sock_addr.c	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/sock_addr.c	2005-02-03 10:22:13.085091112 -0700
+@@ -0,0 +1,169 @@
++/*++
++/* NAME
++/*	sock_addr 3
++/* SUMMARY
++/*	sockaddr utilities
++/* SYNOPSIS
++/*	#include <sock_addr.h>
++/*
++/*	int	sock_addr_cmp_addr(sa, sb)
++/*	const struct sockaddr *sa;
++/*	const struct sockaddr *sb;
++/*
++/*	int	sock_addr_cmp_port(sa, sb)
++/*	const struct sockaddr *sa;
++/*	const struct sockaddr *sb;
++/*
++/*	int	SOCK_ADDR_EQ_ADDR(sa, sb)
++/*	const struct sockaddr *sa;
++/*	const struct sockaddr *sb;
++/*
++/*	int	SOCK_ADDR_EQ_PORT(sa, sb)
++/*	const struct sockaddr *sa;
++/*	const struct sockaddr *sb;
++/*
++/*	int	sock_addr_in_loopback(sa)
++/*	const struct sockaddr *sa;
++/* AUXILIARY MACROS
++/*	struct sockaddr *SOCK_ADDR_PTR(ptr)
++/*	unsigned char SOCK_ADDR_FAMILY(ptr)
++/*	unsigned char SOCK_ADDR_LEN(ptr)
++/*
++/*	struct sockaddr_in *SOCK_ADDR_IN_PTR(ptr)
++/*	unsigned char SOCK_ADDR_IN_FAMILY(ptr)
++/*	unsigned short SOCK_ADDR_IN_PORT(ptr)
++/*	struct in_addr SOCK_ADDR_IN_ADDR(ptr)
++/*	struct in_addr IN_ADDR(ptr)
++/*
++/*	struct sockaddr_in6 *SOCK_ADDR_IN6_PTR(ptr)
++/*	unsigned char SOCK_ADDR_IN6_FAMILY(ptr)
++/*	unsigned short SOCK_ADDR_IN6_PORT(ptr)
++/*	struct in6_addr SOCK_ADDR_IN6_ADDR(ptr)
++/*	struct in6_addr IN6_ADDR(ptr)
++/* DESCRIPTION
++/*	These utilities take protocol-independent address structures
++/*	and perform protocol-dependent operations on structure members.
++/*	Some of the macros described here are called unsafe,
++/*	because they evaluate one or more arguments multiple times.
++/*
++/*	sock_addr_cmp_addr() or sock_addr_cmp_port() compare the
++/*	address family and network address or port fields for
++/*	equality, and return indication of the difference between
++/*	their arguments:  < 0 if the first argument is "smaller",
++/*	0 for equality, and > 0 if the first argument is "larger".
++/*
++/*	The unsafe macros SOCK_ADDR_EQ_ADDR() or SOCK_ADDR_EQ_PORT()
++/*	compare compare the address family and network address or
++/*	port fields for equality, and return non-zero when their
++/*	arguments differ.
++/*
++/*	sock_addr_in_loopback() determines if the argument specifies
++/*	a loopback address.
++/*
++/*	The SOCK_ADDR_PTR() macro casts a generic pointer to (struct
++/*	sockaddr *).  The name is upper case for consistency not
++/*	safety.  SOCK_ADDR_FAMILY() and SOCK_ADDR_LEN() return the
++/*	address family and length of the real structure that hides
++/*	inside a generic sockaddr structure. On systems where struct
++/*	sockaddr has no sa_len member, SOCK_ADDR_LEN() cannot be
++/*	used as lvalue.
++/*
++/*	The macros SOCK_ADDR_IN{,6}_{PTR,FAMILY,PORT,ADDR}() cast
++/*	a generic pointer to a specific socket address structure
++/*	pointer, or access a specific socket address structure
++/*	member. These can be used as lvalues.
++/*
++/*	The unsafe INADDR() and IN6_ADDR() macros dereference a
++/*	generic pointer to a specific address structure.
++/* DIAGNOSTICS
++/*	Panic: unsupported address family.
++/* LICENSE
++/* .ad
++/* .fi
++/*	The Secure Mailer license must be distributed with this software.
++/* AUTHOR(S)
++/*	Wietse Venema
++/*	IBM T.J. Watson Research
++/*	P.O. Box 704
++/*	Yorktown Heights, NY 10598, USA
++/*--*/
++
++/* System library. */
++
++#include <sys_defs.h>
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <string.h>
++
++/* Utility library. */
++
++#include <msg.h>
++#include <sock_addr.h>
++
++/* sock_addr_cmp_addr - compare addresses for equality */
++
++int     sock_addr_cmp_addr(const struct sockaddr * sa,
++			           const struct sockaddr * sb)
++{
++    if (sa->sa_family != sb->sa_family)
++	return (sa->sa_family - sb->sa_family);
++
++    /*
++     * With IPv6 address structures, assume a non-hostile implementation that
++     * stores the address as a contiguous sequence of bits. Any holes in the
++     * sequence would invalidate the use of memcmp().
++     */
++    if (sa->sa_family == AF_INET) {
++	return (SOCK_ADDR_IN_ADDR(sa).s_addr - SOCK_ADDR_IN_ADDR(sb).s_addr);
++#ifdef INET6
++    } else if (sa->sa_family == AF_INET6) {
++	return (memcmp((char *) &(SOCK_ADDR_IN6_ADDR(sa)),
++		       (char *) &(SOCK_ADDR_IN6_ADDR(sb)),
++		       sizeof(SOCK_ADDR_IN6_ADDR(sa))));
++#endif
++    } else {
++	msg_panic("sock_addr_cmp_addr: unsupported address family %d",
++		  sa->sa_family);
++    }
++}
++
++/* sock_addr_cmp_port - compare ports for equality */
++
++int     sock_addr_cmp_port(const struct sockaddr * sa,
++			           const struct sockaddr * sb)
++{
++    if (sa->sa_family != sb->sa_family)
++	return (sa->sa_family - sb->sa_family);
++
++    if (sa->sa_family == AF_INET) {
++	return (SOCK_ADDR_IN_PORT(sa) - SOCK_ADDR_IN_PORT(sb));
++#ifdef INET6
++    } else if (sa->sa_family == AF_INET6) {
++	return (SOCK_ADDR_IN6_PORT(sa) - SOCK_ADDR_IN6_PORT(sb));
++#endif
++    } else {
++	msg_panic("sock_addr_cmp_port: unsupported address family %d",
++		  sa->sa_family);
++    }
++}
++
++/* sock_addr_in_loopback - determine if address is loopback */
++
++int sock_addr_in_loopback(const struct sockaddr * sa)
++{
++    unsigned long inaddr;
++
++    if (sa->sa_family == AF_INET) {
++	inaddr = ntohl(SOCK_ADDR_IN_ADDR(sa).s_addr);
++	return (IN_CLASSA(inaddr)
++		&& ((inaddr & IN_CLASSA_NET) >> IN_CLASSA_NSHIFT)
++		== IN_LOOPBACKNET);
++#ifdef INET6
++    } else if (sa->sa_family == AF_INET6) {
++	return (IN6_IS_ADDR_LOOPBACK(&SOCK_ADDR_IN6_ADDR(sa)));
++#endif
++    } else {
++	msg_panic("sock_addr_in_loopback: unsupported address family %d",
++		  sa->sa_family);
++    }
++}
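Review bot: sock_addr_in_loopback() returns false for an IPv4-mapped IPv6 address (::ffff:127.0.0.1) because `IN6_IS_ADDR_LOOPBACK()` recognises only ::1, so a caller that uses this function to identify local peers on a dual-stack socket will treat a mapped loopback connection as remote; check `IN6_IS_ADDR_V4MAPPED()` and apply the IN_CLASSA/IN_LOOPBACKNET test to the last four bytes. sock_addr_cmp_addr() computes `s_addr - s_addr` on 32-bit unsigned values and returns the result as `int`, so the sign is not a reliable ordering indicator as the DESCRIPTION promises; only equality is meaningful, so use memcmp() or explicit comparisons. The DESCRIPTION also states that SOCK_ADDR_EQ_ADDR() and SOCK_ADDR_EQ_PORT() "return non-zero when their arguments differ", which is the inverse of what the macros in sock_addr.h do (they are true on equality), contains the doubled word "compare compare", and refers to `INADDR()` while the SYNOPSIS and header define `IN_ADDR()`. Finally, all three functions fall off the end after msg_panic(), which draws a missing-return warning unless msg_panic is declared NORETURN.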
+diff -urNad postfix-release/src/util/sock_addr.h /tmp/dpep.cXJuVH/postfix-release/src/util/sock_addr.h
+--- postfix-release/src/util/sock_addr.h	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/sock_addr.h	2005-02-03 10:22:13.085091112 -0700
+@@ -0,0 +1,95 @@
++#ifndef _SOCK_ADDR_EQ_H_INCLUDED_
++#define _SOCK_ADDR_EQ_H_INCLUDED_
++
++/*++
++/* NAME
++/*	sock_addr 3h
++/* SUMMARY
++/*	socket address utilities
++/* SYNOPSIS
++/*	#include <sock_addr.h>
++/* DESCRIPTION
++/* .nf
++
++ /*
++  * System library.
++  */
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <string.h>
++
++ /*
++  * External interface.
++  */
++#define SOCK_ADDR_PTR(ptr)	((struct sockaddr *)(ptr))
++#define SOCK_ADDR_FAMILY(ptr)	SOCK_ADDR_PTR(ptr)->sa_family
++#ifdef HAS_SA_LEN
++#define SOCK_ADDR_LEN(ptr)	SOCK_ADDR_PTR(ptr)->sa_len
++#endif
++
++#define SOCK_ADDR_IN_PTR(sa)	((struct sockaddr_in *)(sa))
++#define SOCK_ADDR_IN_FAMILY(sa)	SOCK_ADDR_IN_PTR(sa)->sin_family
++#define SOCK_ADDR_IN_PORT(sa)	SOCK_ADDR_IN_PTR(sa)->sin_port
++#define SOCK_ADDR_IN_ADDR(sa)	SOCK_ADDR_IN_PTR(sa)->sin_addr
++#define IN_ADDR(ia)		(*((struct in_addr *) (ia)))
++
++extern int sock_addr_cmp_addr(const struct sockaddr *, const struct sockaddr *);
++extern int sock_addr_cmp_port(const struct sockaddr *, const struct sockaddr *);
++extern int sock_addr_in_loopback(const struct sockaddr *);
++
++#ifdef INET6
++
++#ifndef HAS_SA_LEN
++#define SOCK_ADDR_LEN(sa) \
++    (SOCK_ADDR_PTR(sa)->sa_family == AF_INET6 ? \
++     sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in))
++#endif
++
++#define SOCK_ADDR_IN6_PTR(sa)	((struct sockaddr_in6 *)(sa))
++#define SOCK_ADDR_IN6_FAMILY(sa) SOCK_ADDR_IN6_PTR(sa)->sin6_family
++#define SOCK_ADDR_IN6_PORT(sa)	SOCK_ADDR_IN6_PTR(sa)->sin6_port
++#define SOCK_ADDR_IN6_ADDR(sa)	SOCK_ADDR_IN6_PTR(sa)->sin6_addr
++#define IN6_ADDR(ia)		(*((struct in6_addr *) (ia)))
++
++#define SOCK_ADDR_EQ_ADDR(sa, sb) \
++    ((SOCK_ADDR_FAMILY(sa) == AF_INET && SOCK_ADDR_FAMILY(sb) == AF_INET \
++      && SOCK_ADDR_IN_ADDR(sa).s_addr == SOCK_ADDR_IN_ADDR(sb).s_addr) \
++     || (SOCK_ADDR_FAMILY(sa) == AF_INET6 && SOCK_ADDR_FAMILY(sb) == AF_INET6 \
++         && memcmp((char *) &(SOCK_ADDR_IN6_ADDR(sa)), \
++                   (char *) &(SOCK_ADDR_IN6_ADDR(sb)), \
++                   sizeof(SOCK_ADDR_IN6_ADDR(sa))) == 0))
++
++#define SOCK_ADDR_EQ_PORT(sa, sb) \
++    ((SOCK_ADDR_FAMILY(sa) == AF_INET && SOCK_ADDR_FAMILY(sb) == AF_INET \
++      && SOCK_ADDR_IN_PORT(sa) == SOCK_ADDR_IN_PORT(sb)) \
++     || (SOCK_ADDR_FAMILY(sa) == AF_INET6 && SOCK_ADDR_FAMILY(sb) == AF_INET6 \
++         && SOCK_ADDR_IN6_PORT(sa) == SOCK_ADDR_IN6_PORT(sb)))
++
++#else
++
++#ifndef HAS_SA_LEN
++#define SOCK_ADDR_LEN(sa)	sizeof(struct sockaddr_in)
++#endif
++
++#define SOCK_ADDR_EQ_ADDR(sa, sb) \
++    (SOCK_ADDR_FAMILY(sa) == AF_INET && SOCK_ADDR_FAMILY(sb) == AF_INET \
++     && SOCK_ADDR_IN_ADDR(sa).s_addr == SOCK_ADDR_IN_ADDR(sb).s_addr)
++
++#define SOCK_ADDR_EQ_PORT(sa, sb) \
++    (SOCK_ADDR_FAMILY(sa) == AF_INET && SOCK_ADDR_FAMILY(sb) == AF_INET \
++     && SOCK_ADDR_IN_PORT(sa) == SOCK_ADDR_IN_PORT(sb))
++
++#endif
++
++/* LICENSE
++/* .ad
++/* .fi
++/*	The Secure Mailer license must be distributed with this software.
++/* AUTHOR(S)
++/*	Wietse Venema
++/*	IBM T.J. Watson Research
++/*	P.O. Box 704
++/*	Yorktown Heights, NY 10598, USA
++/*--*/
++
++#endif
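Review bot: SOCK_ADDR_EQ_ADDR and SOCK_ADDR_EQ_PORT expand their sa/sb arguments several times each, so a caller passing an expression with side effects (a post-incremented pointer, a function call) gets it evaluated repeatedly; either document that restriction on the macros or route callers through the declared sock_addr_cmp_addr()/sock_addr_cmp_port() functions, which evaluate once. The INET6 variant of SOCK_ADDR_EQ_ADDR also calls memcmp(), so confirm that this header includes <string.h> itself (the include list is outside this hunk) rather than relying on every including file to do so. Finally, the non-HAS_SA_LEN SOCK_ADDR_LEN under INET6 returns sizeof(struct sockaddr_in) for every family other than AF_INET6; if a non-INET sockaddr can ever reach it, that length is wrong, so a comment stating the macro is only valid for AF_INET/AF_INET6 would be worthwhile.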
+diff -urNad postfix-release/src/util/sys_defs.h /tmp/dpep.cXJuVH/postfix-release/src/util/sys_defs.h
+--- postfix-release/src/util/sys_defs.h	2005-02-03 10:22:12.228282230 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/sys_defs.h	2005-02-03 10:22:13.086090889 -0700
+@@ -108,6 +108,14 @@
+ #define SOCKOPT_SIZE	socklen_t
+ #endif
+ 
++#if !defined(NOGETIFADDRS) && ( \
++    (defined(__NetBSD_Version__) && __NetBSD_Version__ >= 105000000) \
++    || (defined(__FreeBSD__) && __FreeBSD__ >= 4) \
++    || (defined(OpenBSD) && OpenBSD >= 200003) \
++    || defined(USAGI_LIBINET6))
++#define HAVE_GETIFADDRS
++#endif
++
+  /*
+   * UNIX on MAC.
+   */
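Review bot: the HAVE_GETIFADDRS block is an allow-list keyed on four platform macros, with no comment saying what the symbol enables or that NOGETIFADDRS is the opt-out, so a platform outside the list silently never gets HAVE_GETIFADDRS defined; a one-line comment above the #if naming the feature and the override would save porters from guessing, and it is worth stating there that the list must be extended by hand for new platforms that ship getifaddrs().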
+@@ -293,6 +301,7 @@
+ #define FIONREAD_IN_SYS_FILIO_H
+ #define USE_STATVFS
+ #define STATVFS_IN_SYS_STATVFS_H
++#define INT_MAX_IN_LIMITS_H
+ #define STREAM_CONNECTIONS		/* avoid UNIX-domain sockets */
+ #define LOCAL_LISTEN	stream_listen
+ #define LOCAL_ACCEPT	stream_accept
+@@ -300,6 +309,9 @@
+ #define LOCAL_TRIGGER	stream_trigger
+ #define HAS_VOLATILE_LOCKS
+ #define BROKEN_READ_SELECT_ON_TCP_SOCKET
++#ifdef INET6
++#define HAS_SIOCGLIF
++#endif
+ 
+ /*
+  * Allow build environment to override paths.
+@@ -573,6 +585,10 @@
+ #define SOCKADDR_SIZE	socklen_t
+ #define SOCKOPT_SIZE	socklen_t
+ #endif
++#ifdef INET6
++#define HAS_PROCNET_IFINET6
++#define _PATH_PROCNET_IFINET6 "/proc/net/if_inet6"
++#endif
+ #endif
+ 
+ #ifdef LINUX1
+@@ -601,6 +617,10 @@
+ #define NATIVE_NEWALIAS_PATH "/usr/bin/newaliases"
+ #define NATIVE_COMMAND_DIR "/usr/sbin"
+ #define NATIVE_DAEMON_DIR "/usr/libexec/postfix"
++#ifdef INET6
++#define HAS_PROCNET_IFINET6
++#define _PATH_PROCNET_IFINET6 "/proc/net/if_inet6"
++#endif
+ #endif
+ 
+  /*
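Review bot: this INET6 block (HAS_PROCNET_IFINET6 plus `#define _PATH_PROCNET_IFINET6 "/proc/net/if_inet6"`) is a verbatim copy of the one added in the earlier @@ -573,6 +585,10 @@ hunk; hoisting both into a single shared #if for the Linux variants keeps the procfs path defined in one place. Minor: an identifier starting with an underscore followed by an upper-case letter is reserved for the implementation in C; _PATH_* follows the BSD <paths.h> convention, so it is acceptable if deliberate, but a comment saying so would prevent a later cleanup from renaming it.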
+diff -urNad postfix-release/src/util/valid_hostname.c /tmp/dpep.cXJuVH/postfix-release/src/util/valid_hostname.c
+--- postfix-release/src/util/valid_hostname.c	2004-12-27 22:31:16.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/src/util/valid_hostname.c	2005-02-03 10:22:13.086090889 -0700
+@@ -53,6 +53,13 @@
+ #include <string.h>
+ #include <ctype.h>
+ 
++#ifdef INET6
++#include <netinet/in.h>
++#include <sys/socket.h>
++#include <arpa/inet.h>
++#include <netdb.h>
++#endif
++
+ /* Utility library. */
+ 
+ #include "msg.h"
+@@ -109,7 +116,23 @@
+ 		    msg_warn("%s: misplaced hyphen: %.100s", myname, name);
+ 		return (0);
+ 	    }
+-	} else {
++	}
++#ifdef INET6
++	else if (ch == ':') {
++	    struct addrinfo hints, *res;
++
++	    memset(&hints, 0, sizeof(hints));
++	    hints.ai_family = AF_INET6;
++	    hints.ai_socktype = SOCK_STREAM;	/*dummy*/
++	    hints.ai_flags = AI_NUMERICHOST;
++	    if (getaddrinfo(name, "0", &hints, &res) == 0) {
++		freeaddrinfo(res);
++		return 1;
++	    } else
++		return 0;
++	}
++#endif
++	else {
+ 	    if (gripe)
+ 		msg_warn("%s: invalid character %d(decimal): %.100s",
+ 			 myname, ch, name);
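Review bot: in the new `else if (ch == ':')` branch the failure path does `return 0` without a msg_warn(), so when gripe is set a colon-containing string that getaddrinfo() rejects is refused silently, unlike every other rejection in this function; add `if (gripe) msg_warn("%s: invalid address: %.100s", myname, name);` before the return. Note also that this changes the contract of valid_hostname(): a bare IPv6 literal now passes as a hostname and the early return skips the remaining per-label checks of the loop, so the function's header comment should say so and callers that used valid_hostname() to reject address literals need checking. Style: `return 1` / `return 0` here do not match the `return (0);` form used two lines above.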
+@@ -131,6 +154,12 @@
+     return (1);
+ }
+ 
++#ifdef INET6_KAME
++#define INET6_ADDR_PRES_CHARS ":./0123456789abcdefABCDEF%"
++#else
++#define INET6_ADDR_PRES_CHARS ":./0123456789abcdefABCDEF"
++#endif
++
+ /* valid_hostaddr - test dotted quad string for correctness */
+ 
+ int     valid_hostaddr(const char *addr, int gripe)
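Review bot: the comment `/* valid_hostaddr - test dotted quad string for correctness */` immediately below the new macros is now inaccurate, since the function also accepts IPv6 presentation form and, under INET6_KAME, a `%` scope suffix; update it to describe both forms. A short comment on INET6_ADDR_PRES_CHARS explaining why `%` is admitted only in the KAME build would also help the next reader.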
+@@ -141,6 +170,9 @@
+     int     byte_count = 0;
+     int     byte_val = 0;
+     int     ch;
++#ifdef INET6
++    struct addrinfo hints, *res;
++#endif
+ 
+ #define BYTES_NEEDED	4
+ 
+@@ -153,11 +185,22 @@
+ 	return (0);
+     }
+ 
++#ifdef INET6
++    memset(&hints, 0, sizeof(hints));
++    hints.ai_family = AF_INET6;
++    hints.ai_socktype = SOCK_STREAM;	/*dummy*/
++    hints.ai_flags = AI_NUMERICHOST;
++    if (getaddrinfo(addr, "0", &hints, &res) == 0) {
++	freeaddrinfo(res);
++	return 1;
++    }
++#endif
++
+     /*
+      * Preliminary IPV6 support.
+      */
+     if (strchr(addr, ':')) {
+-	if (*(cp = addr + strspn(addr, ":./0123456789abcdefABCDEF")) != 0) {
++	if (*(cp = addr + strspn(addr, INET6_ADDR_PRES_CHARS)) != 0) {
+ 	    if (gripe)
+ 		msg_warn("%s: invalid character %d(decimal): %.100s",
+ 			 myname, *cp, addr);
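Review bot: the INET6 block returns 1 as soon as getaddrinfo() with AF_INET6/AI_NUMERICHOST accepts the string, ahead of the existing "Preliminary IPV6 support" character check, so that strspn() check and its msg_warn() now run only for strings getaddrinfo() has already rejected; either drop the old block when INET6 is defined or add a comment that it is now the fallback path whose only job is producing the diagnostic. Two smaller points: `return 1` does not follow the `return (0);` style used elsewhere in the file, and the hints/res variables declared under #ifdef INET6 in the previous hunk are used only here, so declaring them inside this block keeps the conditional code together.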
+diff -urNad postfix-release/tls/ACKNOWLEDGEMENTS /tmp/dpep.cXJuVH/postfix-release/tls/ACKNOWLEDGEMENTS
+--- postfix-release/tls/ACKNOWLEDGEMENTS	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/ACKNOWLEDGEMENTS	2005-02-03 10:22:13.087090666 -0700
+@@ -0,0 +1,56 @@
++- Walcir Fontanini <walcir at densis.fee.unicamp.br>
++  * tested on Solaris 2.5 and and reported missing "snprintf()"
++    -> was fixed in pfixtls-0.1.2
++  * contributed the script to add fingerprints
++	contributed/fp.csh
++
++- Matti Aarnio <matti.aarnio at sonera.fi> (www.zmailer.org)
++  * updated pfixtls_dump to need fewer strcat and strcpy calls.
++
++- Cerebus <cerebus at sackheads.org>
++  * Missing variable initialization in client mode enable STARTTLS
++    negotiation even when not wanted.
++    -> fixed in pfixtls-0.2.8 
++
++- Bodo Moeller <bode at openssl.org>
++  * The SSL connection was not shut down at the end of the session, because
++    SSL_CTX_set_quiet_shutdown() was set. This however did not mean "do a
++    quiet shutdown" but "do not shutdown SSL".
++    -> fixed in pfixtls-0.3.3
++
++- Jeff Johnson <jeff at websitefactory.net>
++  * noted that the patch code will not compile with SSL disabled anymore,
++    because a ´#ifdef HAS_SSL #endif´ encapsulation was missing in
++    smtp/smtp_connect.c. This must have been in since the very beginning
++    of client mode support (0.2.x).
++    -> fixed in 0.3.6
++
++- Craig Sanders <craig at taz.net.au>
++  * noted that the Received: header does not contain sufficient information
++    whether a client certificate was not requested or not presented.
++    He also reminded me that the session cache must be cleared when
++    experimenting with the setup and certificates, what is not explained
++    in the documenation.
++    -> fixed in 0.4.4
++
++- Claus Assmann <ca+tls at esmtp.org>
++  * pointed out that the Received: header logging about the TLS state violated
++    RFC822. The TLS information must be in comment form "(info)".
++    -> fixed in 0.6.3
++
++- Wietse Venema <wietse at porcupine.org>
++  * uncounted important suggestions to start the integration into the Postfix
++    mainstream code.
++  * code adjustments in the dict_*() database code to allow easier inclusion
++    and use for session caching, and this is only the beginning :-)
++    -> started reprogramming Postfix/TLS to fit both Wietse's and my
++       requirements as of 0.6.0
++
++- Damien Miller <djm at mindrot.org>
++  * Found mismatch between documentation and code with regard to logging.
++    -> fixed in 0.6.6
++
++- Deti Fliegl <fliegl at cs.tum.edu>
++  * Provided an initial patch to support SubjectAlternativeName/dNSName
++    checks.
++    -> added in 0.8.14
+diff -urNad postfix-release/tls/CHANGES /tmp/dpep.cXJuVH/postfix-release/tls/CHANGES
+--- postfix-release/tls/CHANGES	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/CHANGES	2005-02-03 10:22:13.091089774 -0700
+@@ -0,0 +1,2401 @@
++2004/04/27	= Re-release 0.8.18 ==
++
++2004/04/27
++  - Postfix 2.1.0 has been released. Some minor patch conflicts with respect
++    to the actual code and build environment.
++  - Due to the restructuring of the documentation the old sample-*.cf
++    files are no longer available.
++    Took documentation already adopted by Wietse for the 2.1-RC2-IPV6+TLS
++    snapshot.
++
++2004/02/09	== Re-release 0.8.18 ==
++
++2004/02/09
++  - Postfix 2.0.18-20040205 is available, patchkit applies without
++    problems.
++
++2004/02/02	== Release 0.8.18 ==
++
++2004/02/02
++  - Incorporated Luca Berra's information into the patchkit and ran tests
++    with my own versions.
++
++2004/02/01
++  - Reports about server side SMTP failure with Carsten's patch can be
++    found on postfix-users.
++    'Luca Berra' <bluca at comedia.it> informs, that he discoverd another
++    failure of the GNU patch program with a misplaced patch hunk in
++    smtpd.c
++
++2004/01/30
++  - Edited in additional #ifdef USE_SSL conditionals. If the TLS patch
++    is applied but not activated (USE_SSL is not defined), a warning is
++    printed as soon as TLS shall be used.
++
++2004/01/23
++  - Postfix 2.0.18-20040122 is now available. Several patch conflicts occur.
++    Even more: one hunk of the patch (which is provided in unified diff)
++    fails in smtp.c and causes a segmentation violation.
++    Carsten Hoeger <choeger at suse.de> provides an adapted patch kit.
++
++2004/01/02	== Released 0.8.17 ==
++
++2004/01/02
++  - Postfix-2.0.16-20031231 is released. No patch conflicts.
++  - Changed autoresponder for TLS tests to "The Postfix Book" echo
++    responder (provided by Patrick Koetter and Ralf Hildebrandt).
++
++2003/12/30
++  - Postfix-2.0.16-20031226 is released. No patch conflicts.
++
++2003/12/26
++  - Postfix-2.0.16-20031224 is released. Resolved patch conflicts.
++
++2003/12/16
++  - Postfix-2.0.16-20031215 is released. Resolved patch conflicts.
++  - src/global/pfixtls.c: changed occurance of "ssize_t" to "size_t"
++    as some quite old operating systems do no have ssize_t
++    (Reported by Klaus Jaehne <kj at uue.org> for SunOS 4.1.4).
++  - src/global/pfixtls.c: both the client and the server engine did
++    print out messages even when tls_loglevel was set to 0 (reported
++    by Florian Effenberger <florian at effenberger.org>): evaluate loglevel
++    before printing any message.
++
++2003/11/17	== Re-released 0.8.16 ==
++
++2003/11/17
++  - Postfix 2.0.16-20031113 is released. Some minor patch conflicts.
++
++2003/10/27	== Re-released 0.8.16 ==
++
++2003/10/24
++  - Postfix 2.0.16-20031022 is released. Some minor patch conflicts.
++
++2003/09/23	== Re-released 0.8.16 ==
++
++2003/09/23
++  - Postfix 2.0.16 and 2.0.16-20030921 are now available.
++    Resolved some minor patch conflicts.
++
++2003/09/10	== Released 0.8.16 ==
++
++2003/09/09
++  - Postfix 2.0.15 has been released including another workaround for
++    select() on Solaris problems. It contains additional code to catch
++    EAGAIN on read() in the timed_read() routine (and the respective
++    precautions in timed_write()
++  - Note: this fix is not yet part of Postfix 2.0.14-20030812.
++  - Added corresponding code to pfixtls_timed_read()/_write().
++  - Changed SSL wrappermode behaviour: use smtpd_sasl_tls_security_options
++    instead of smtpd_sasl_security_options as is to be expected because TLS
++    is active. (Bug reported by Bob Snyder <rsnyder at toontown.erial.nj.us>.)
++
++2003/08/29      == Re-released 0.8.15 ==
++
++2003/08/29
++  - Adapted patchkit to Postfix 2.0.14. No patch conflicts.
++
++2003/07/17	== Re-released 0.8.15a (-20030715 only) ==
++
++2003/07/16
++  - Experimental version Postfix 2.0.14-20030715 is released, including
++    the SASL changes. Resolved some minor patch conflicts.
++
++2003/07/11	== Released 0.8.15a (-20030706 only) ==
++
++2003/07/11
++  - Received error report about about TLS failing with the new smtpd_proxy
++    feature including instructions on how to reproduce.
++    (Did receive an earlier report on 2003/07/09, that however indicated other
++    setup problems, so that the actual problem was not visible.)
++  - Analysis: when introducing the new smtpd_proxy feature, different mechnisms
++    where introduced to either write to the cleanup daemon (as before) or to
++    the smtpd_proxy connection. Functions and streams are now expressed in
++    out_fprintf() function pointers etc. being assigned accordingly.
++    When updating to 0.8.15/2.0.13-20030706 this change was missed and the
++    routine adding the TLS information to the Received: headers did use the
++    older rec_fprintf() functions etc. This did work fine for the traditional
++    connection to the cleanup service, but naturally failed for smtpd_proxy
++    (with a segmentation violation).
++    Solution: access out_stream via the according pointers.
++  - The 2.0.13 stable version is not affected.
++
++2003/07/08	== Released 0.8.15 ==
++
++2003/07/07
++  - Postfix 2.0.13 and 2.0.13-20030706 are released.
++    Patchkit for 2.0.13 applies cleanly.
++    Patchkit for 2.0.13-20030607 requires several adaptations (patch conflicts,
++    no functional changes).
++  - Slightly modified SASL interface code (smpt[d]_sasl_glue layer) to
++    allow setting the security policy during session setup instead of
++    process start. This allows to actually choose SASL mechanisms available
++    depending on the availability of TLS encryption and authentication.
++    New parameters: smtpd_sasl_tls_security_options,
++    smtp_sasl_tls_security_options, smtp_sasl_tls_verified_security_options
++  - Submitted change to SASL interface to Wietse, who accepted the change
++    as part of the Snapshot line.
++
++2003/06/19	== Released 0.8.14 ==
++
++2003/06/19
++  - Add support for SubjectAlternativeName "dNSName" entries in certificate
++    checking (applies for client mode only).
++    If the client connects to the server, it does check the list of dNSName
++    entries against the expected hostname (therefore allowing the server to
++    have multiple identities). As described in RFC2818 (HTTP over TLS),
++    CommonName (CN) entries are only checked, if no dNSName entries are found
++    at all.
++    Initial patch proposed by Deti Fliegl <fliegl at cs.tum.edu>, reworked to
++    follow the RFC2818 rules and some cleanup.
++
++2003/06/18
++  - Checked out similar settings, found another missing entry:
++    var_smtp_scert_vd was missing src/smtp/smtp.c.
++  - Renamed HAS_SSL to USE_SSL for compilation (have to use -DUSE_SSL
++    in the future). Currently pfixtls.h will take care of setting
++    USE_SSL, when HAS_SSL has been defined.
++
++2003/06/17
++  - Received bug reports about Postfix/TLS failing (connection closing)
++    after having finished the "STARTTLS"/"220 Ready to start TLS"
++    dialogue. (Actually the first report came in via private mail on
++    2003/06/12, but the information was too diffuse to track down).
++    Tracking down became possible after it became clear, that only Solaris
++    systems are affected.
++    Analysis:
++    * As of 2003/06/09 postfix uses non-blocking socket I/O for the SMTP
++      connection on Solaris platforms. This requires using "select()" style
++      waiting before read() or write() access (which are not prepared EAGAIN
++      or EWOULDBLOCK in the Postfix case and therefore indicate error).
++    * As the var_smtpd_starttls_tmout variable is not correctly initialized
++      (value is 0), the select() style function is not called, therefore
++      read() fails with EAGAIN and the connection is closed due to a
++      presumed error condition.
++    * The initialization of the variable should be done in the time_table[]
++      list during main().
++      The entry however was lost during the patch adaptation from 0.7.13e
++      to 0.7.14-snap20020107 on 2002/01/07.
++    Impact:
++    * On Solaris systems, STARTTLS fails during handshake (server only).
++    * On other systems, the TLS negotiation phase is not protected by the
++      smtpd_starttls_tmout (default 300s) value and may hang until the
++      watchdog kills smtpd, if the client does not continue the handshake.
++    Restored var_smtpd_starttls_tmout variable initialization.
++
++2003/06/12	== Re-released 0.8.13 ==
++
++2003/06/11
++  - Adapted to snapshot 2.0.12-20030611. No patch conflicts.
++
++2003/06/11
++  - Adapted to snapshot 2.0.11-20030609. One minor patch conflict.
++
++2003/05/23	== Re-released 0.8.13 ==
++
++2003/05/23
++  - First release against snapshot 2.0.10-20030523.
++
++2003/04/26	== Re-released 0.8.13 ==
++
++2003/04/26
++  - Updated patchkit to apply to Postfix 2.0.9.
++  - Updated patchkit-name to reflect the release of OpenSSL 0.9.7b.
++
++2003/03/06	== Re-released 0.8.13 ==
++
++2003/03/06
++  - Postfix 2.0.6 has been released. No patch conflicts.
++
++2003/03/02	== Re-released 0.8.13 ==
++
++2003/03/02
++  - Postfix 2.0.4 has been released. "patch" should work with some warnings
++    about moved line numbers.
++  - OpenSSL 0.9.7a has been released. No visible changes with respect to
++    Postfix/TLS.
++
++2003/01/26	== Re-released 0.8.13 ==
++
++2003/01/26
++  - Postfix 2.0.3 has been released. One minor patch-conflict.
++
++2003/01/13	== Released 0.8.13 ==
++
++2003/01/13
++  - Postfix 2.0.1 has been released. Some minor patch conflicts resolved.
++  - Added HOWTO documents contributed by Justin Davies <justin at palmcoder.net>
++    to the contribution area.
++  - Added RFC3207 (SMTP Service Extension for Secure SMTP over Transport Layer
++    Security) to the documentation. RFC3207 is the successor of RFC2487.
++  - Updated TODO list to reflect release ideas up to the release of
++    Postfix/TLS 0.9.0. (Or will it finally be 1.0.0? :-)
++
++2002/12/30
++  - OpenSSL 0.9.7 has been released. Postfix/TLS works best with the new
++    0.9.7 release.
++
++2002/12/24	== Re-released 0.8.12 ==
++
++2002/12/24
++  - Postfix 2.0.0.1 has been released. Resolved one minor patch conflict.
++
++2002/12/20	== Re-released 0.8.12 ==
++
++2002/12/20
++  - Postfix snapshot 1.1.12-20021214 has been released. Resolved minor
++    patch conflicts.
++
++2002/12/15	== Re-released 0.8.12 ==
++
++2002/12/15
++  - Postfix snapshot 1.1.12-20021214 has been released. Two minor patch
++    conflicts.
++
++2002/12/06	== Released 0.8.12 ==
++
++2002/12/06
++  - OpenSSL 0.9.6h has been released. Update documentation and filenames
++    to reflect this new release.
++  - Minor bug fix: when calling "sendmail -bs", smtpd is not run with
++    superuser permissions, therefore the loading of the private key fails.
++    STARTTLS is not used anyway, so the key is not needed anyway, but the
++    failure to load creates a misleading warning.
++    Do not initialize TLS engine at all when not started with superuser
++    permissions.
++
++2002/12/03
++  - Postfix snapshot 1.1.12-20021203 has been released. Resolved one patch
++    conflict.
++
++2002/11/01	== Re-released 0.8.11a ==
++
++2002/11/01
++  - Postfix snapshot 1.1.11-20021031 has been released. No patch conflicts.
++
++2002/10/30	== Re-released 0.8.11a ==
++
++2002/10/30
++  - Postfix snapshot 1.1.11-20021029 has been released. No patch conflicts.
++
++2002/09/30      == Re-released 0.8.11a ==
++
++2002/09/30
++  - Postfix snapshot 1.1.11-20020928 has been released. No patch conflices.
++
++2002/09/24
++  - Postfix snapshot 1.1.11-20020923 has been released. Adapt patchkit.
++
++2002/09/19	== Re-released 0.8.11a ==
++
++2002/09/18
++  - Postfix snapshot 1.1.11-20020917 has been released. Adapt patchkit.
++
++2002/08/23	== Re-released 0.8.11a ==
++
++2002/08/23
++  - Postfix snapshot 1.1.11-20020822 has been released. Adapt patchkit.
++
++2002/08/20
++  - Postfix snapshot 1.1.11-20020819 has been released with several
++    enhancements and changes. Adapt patchkit (minor issues).
++
++2002/08/12
++  - OpenSSL has experienced several (security critical) updates.
++
++2002/07/26	== Re-released 0.8.11a ==
++
++2002/07/26
++  - On popular demand, a new diff for the snapshot version of Postfix
++    is created: postfix-1.1.11-20020719.
++
++2002/06/18	== Re-released 0.8.11a ==
++
++2002/06/18
++  - On popular demand, a new diff for the snapshot versions of Postfix
++    is created: postfix-1.1.11-20020613.
++
++2002/06/03	== Released 0.8.11a ==
++
++2002/06/03
++  - When compiling with SSL but without SASL, compilation fails due to
++    the modification of state->sasl_mechanism_list that is not part of the
++    "state" structure when SASL is not compiled in.
++    This bug was introduced in version 0.8.11.
++    Bug reported and patch supplied by Bernd Matthes
++    <bernd.matthes at gemplus.com>.
++
++2002/05/29	== Released 0.8.11 ==
++
++2002/05/29
++  - Postfix 1.1.11 is released.
++
++2002/05/25
++  - Fix processing of options after STARTTLS handshaking: AUTH= was not
++    handled, as the "=" was not recognized as for the extension list for
++    the case without TLS. (The TLS case was a copy of an older version
++    of the code not yet containing the "=" and the change in the main
++    code slipped through without noting the difference, hence the option
++    as not added to the TLS part.
++    Found by "Christoph Vogel" <Christoph.Vogel at Corbach.de>.
++
++2002/05/24
++  - Bug reported by "Christoph Vogel" <Christoph.Vogel at Corbach.de>:
++    Client side AUTH does not work, if STARTTLS is used: if a server
++    announces AUTH and STARTTLS, AUTH is being used if TLS is disabled.
++    Once TLS is enabled, AUTH is still offered by the server, but the
++    client does not use it any longer.
++    Reason: when AUTH is offered, not only the SMTP_REATURE_AUTH flag
++    is set in state->features, but also the available mechanisms are
++    remembered in state->sasl_mechanism_list. As AUTH may be offered
++    twice by some hosts (in the correct "AUTH mech" form and the older
++    and deprecated "AUTH=mech" form), a check against processing the
++    line twice is included in smtp_sasl_helo_auth(). This check now
++    prevented the correct processing in the second evaluation of the
++    ESMTP extensions offered after the STARTTLS activation.
++    Solution: reset state->sasl_mechanism_list before processing the
++    extension list just like state->features.
++
++2002/05/15	== Released 0.8.10 ==
++
++2002/05/15
++  - Postfix 1.1.10 has been released. No changes.
++
++2002/05/14	== Released 0.8.9 ==
++
++2002/05/14
++  - Postfix 1.1.9 has been released. Patchkit requires a small adjustment
++    (supplied by Tuomo Soini <tis at foobar.fi>).
++
++2002/05/10	== Released 0.8.8 ==
++
++2002/05/10
++  - OpenSSL 0.9.6d has been released. Release the unchanged patchkit
++    with a new version number and under a new filename to indicate
++    that it should be built against 0.9.6d (it has the session caching
++    failure of 0.9.6c fixed). Update documentation accordingly.
++
++2002/05/05
++  - Postfix 1.1.8 has been released, the patchkit applies cleanly.
++
++2002/04/03	== Re-released 0.8.7 ==
++
++2002/04/03
++  - Postfix 1.1.7 has been released, the patchkit applies cleanly.
++    Re-released the patchkit.
++
++2002/03/29	== Released 0.8.7 ==
++
++2002/03/29
++  - Postfix/TLS did not honor the per-recipient-switching-off in SMTP
++    client mode via tls_per_site (per-host-switching off was honored).
++    Patch by Will Day <wd at hpgx.net>.
++
++2002/03/27	== Released 0.8.6 ==
++
++2002/03/27
++  - Postfix 1.1.6 has been released. Adapted patchkit to resolve minor
++    patch conflict. (Template provided by Simon Matter
++    <simon.matter at ch.sauter-bc.com>)
++
++2002/03/13	== Released 0.8.5 ==
++
++2002/03/13
++  - Postfix 1.1.5 has been released. The patchkit would apply cleanly, but
++    obviously the "lock_fd" change that applies to dict_dbm.c (Wietse)
++    also has to be applied to dict_sdbm.c. Tuomo Soini <tis at foobar.fi>
++    kindly provided this change.
++
++2002/02/25	== Released 0.8.4 ==
++
++2002/02/25
++  - Postfix 1.1.4 became visible. One patch conflict in a Makefile
++    (Carsten Hoeger <choeger at suse.de>).
++
++2002/02/21
++  - Dates in this CHANGES document were showing 2001 even though 2002 already
++    began :-). Fixed. (Marvin Solomon <solomon at conceptshopping.com>)
++
++2002/02/07
++  - Bug in the documentation (setup.html): the main.cf variables for the
++    SMTP server process have to be named smtpd_* instead of smtp_*.
++    Found by Andreas Piesk <a.piesk at gmx.net>.
++
++2002/02/03	== Released 0.8.3 ==
++
++2002/02/03
++  - Patch from Andreas Piesk <a.piesk at gmx.net>: remove some compiler warnings
++    by using explicit type casts in hexdump print statements.
++  - Re-released otherwise unchanged patchkit against Postfix-1.1.3.
++
++2002/01/30	== Released 0.8.2 ==
++
++2002/01/30
++  - Re-released unchanged patchkit against Postfix-1.1.2.
++
++2002/01/24	== Released 0.8.1 ==
++
++2002/01/24
++  - Postfix-1.1.1 has been released. The patchkit needed some small adjustment.
++  - Both Tuomo Soini <tis at foobar.fi> and Carsten Hoeger <choeger at suse.de>
++    helped out with this small adjustment. As a side effect of Carsten's
++    complete pfixtls.diff, which I compared after applying Tuomo's adjustment,
++    I found that pfixtls.c contained several wrong "'" characters: on the
++    german keyboard there is an accent looking like the apostroph but producing
++    a different binary code. Obviously on Carsten's machine the code was
++    changed which became obvious during the comparison.
++    (Conclusion: I wrote the comments affected on my SuSE-Linux PC at home with
++    german keyboard. In my university-office I do have HP-UX workstations
++    with US keyboards.)
++
++2002/01/22	== Released 0.8.0 ==
++
++2002/01/22
++  - Received a comment from Wietse on the mailing list, that it is better
++    to resolve the "standalone" issue by using the already available
++    SMTPD_STAND_ALONE() macro in smtpd. Undid 0.7.16 change and made
++    new change in smtpd.c.
++  - Updated links in the References section of the documentation.
++
++2002/01/21	== Released 0.7.16 ==
++
++2002/01/21
++  - When calling "sendmail -bs" and STARTTLS is enabled, smtpd tries to
++    read the private key and fails due to insufficient permissions (smtpd
++    is run with the privileges of the user). This case is caught since
++    version 0.6.18 of the Postfix/TLS patchkit: STARTTLS is still being
++    offered but a "465 temporary failure" message is issued. Some mailers
++    (read this: PINE) will then refuse to continue. (And an irritating
++    error message indicating the failure to read the key will be logged.)
++    Experienced by "Lucky Green" <shamrock at cypherpunks.to> .
++  - Solution: Disable STARTTLS when running "sendmail -bs" by adding
++    "-o smtpd_use_tls=no -o smtpd_enforce_tls=no" to smtpd's arguments
++    upon startup. Using STARTTLS does not make sense in simulated
++    SMTP mode.
++
++2002/01/18	== Released 0.7.15 ==
++
++2002/01/18
++  - Postfix 1.1.0 has been released. The patchkit for the former snapshot
++    version applied cleanly and now becomes the patchkit for the stable
++    version.
++
++2002/01/16	== Released 0.7.14a ==
++
++2002/01/16
++  - Snapshot-20020115 is released. Adapted patchkit.
++  - Add Postfix/TLS entries into the new conf/postfix-files
++    (Tuomo Soini <tis at s.foobar.fi>, Carsten Hoeger <choeger at suse.de>).
++
++2002/01/14
++   - OpenSSL: a user reported that session caching stopped working for him
++     with OpenSSL 0.9.6c. I found that this is also true for my own
++     Postfix/TLS installation.
++     Solution: server side session caching is broken in OpenSSL 0.9.6c when
++     using non-blocking semantics (Postfix/TLS is affected as it uses
++     BIO-pairs); sessions are simply not added to the cache. This bug
++     is not security relevant. A fix has been applied to the OpenSSL source
++     tree for the next release.
++
++2002/01/08	== Released 0.7.14 ==
++
++2002/01/07
++  - New snapshots released as release candidates. Adapted the patchkit
++    to snapshot-20020107. Moved our production servers from 20010228-pl08
++    to snapshot-20020107 with the adapted patchkit.
++  - Fix documentation: tlsmgr can be run chrooted since a long time.
++
++2001/12/21
++  - OpenSSL 0.9.6c is released. Postfix/TLS is fully compatible.
++
++2001/12/19	== Released 0.7.13e ==
++
++2001/12/19
++  - Adapted patchkit to snapshot-20011217.
++
++2001/12/12	== Released 0.7.13d ==
++
++2001/12/12
++  - Adapted patchkit to snapshot-20011210. Adaption provided by
++    Tuomo Soini <tis at foobar.fi>.
++
++2001/11/28	== Released 0.7.13c ==
++
++2001/11/28
++  - Adapted patchkit to snapshot-20011127.
++
++2001/11/26	== Released 0.7.13b ==
++
++2001/11/26
++  - Adapted patchkit to snapshot-20011125.
++
++2001/11/22	== Released 0.7.13a ==
++
++2001/11/22
++  - Adapted patchkit to snapshot-20011121.
++
++2001/11/15	== Released 0.7.13 ==
++
++2001/11/15
++  - Adapted patchkit to postfix-20010228-pl08 and snapshot-20011115.
++
++2001/11/06	== Re-released 0.7.12 ==
++
++2001/11/06
++  - Snapshot-20011105 released. No patch conflicts, but in order to have
++    the pfixtls-* filename and home page entry reflect the new version,
++    I'll re-release 0.7.12.
++
++2001/11/05	== Released 0.7.12 ==
++
++2001/11/05
++  - Release of Postfix-20010228-pl06 and snapshot-20011104. The snapshot
++    version had some minor patch conflicts to be resolved.
++
++2001/10/14	== Released 0.7.11 ==
++
++2001/10/14
++  - Bug fix (client mode): when the peername is checked against the CommonName
++    in the certificate, the comparison does not correclty ignore the case
++    (the peername as returned by DNS query or set in the transport map
++    is not transformed to lower case). This bug was introduced in 0.7.5.
++
++2001/10/09	== Released 0.7.10 ==
++
++2001/10/09
++  - Snapshot-20011008 is released. Some minor adaptions are required to
++    sort out patch conflicts.
++
++2001/09/28
++  - Received patch from Uwe Ohse <use at ohse.de>: There is a bug in sdbm's
++    handling of the .dir file, that also applies to Postfix/TLS.
++    The problem only appears for large databases.
++  - The example entries in conf/master.cf for the submission and smtps services
++    use "chroot=y" flags, while the Postfix default is "chroot=n". This could
++    lead to hardly explainable problems when users did not note this fact
++    during setup.
++    Fixed example entries to also use "chroot=n" default.
++
++2001/09/18
++  - Wietse releases Postfix-20010228-pl05. The patch applies cleanly with
++    "patch -p1 ...", so it is not necessary to release a new patchkit.
++
++2001/09/04	== Released 0.7.9 ==
++
++2001/09/04
++  - Due to unititialized variable in smtpd_state.c, AUTH may not be offered
++    without TLS even though smtpd_tls_auth_only was not enabled.
++    (Patch from Nick Simicich <njs at scifi.squawk.com>.)
++
++2001/08/29
++  - In the snapshot-20010808 version of 0.7.9, the "tlsmgr" line in the sample
++    conf/master.cf is missing (reported by Will Day <wd at hpgx.net>). Fixed.
++
++2001/08/27	== Released 0.7.8 ==
++
++2001/08/27
++  - Received bugreport about issuer_CN imprints consisting of long strings
++    of nonsense. This only appeard with certificates issued from a certain
++    CA (RSA Data Security Inc., Secure Server Certification Authority).
++    (Will Day <wd at hpgx.net>)
++  - The problem: the issuer data of this certificate is:
++        Issuer
++          C=US
++          O=RSA Data Security, Inc.
++          OU=Secure Server Certification Authority
++    It does not contain a CN (CommonName) field. OpenSSL's
++    X509_NAME_get_text_by_NID() function does not catch this condition
++    (no error flag set), but it also does not set the name in the memory
++    location specified.
++  - Solution:
++    1. Preset the memory for the string to '\0', so that a string of length
++       0 is obtained on the failure described above.
++    2. When no CN data is available, use the O (Organization) field
++       instead. The data are used for logging only (it is the issuer, not
++       the subject name), so this change does not affect functionality.
++
++2001/08/22	== Released 0.7.7 ==
++
++2001/08/22
++  - Found one more bug: erronously called SSL_get_ex_new_index() instead
++    of SSL_SESSION_get_ex_new_index() (note the _SESSION missing). This
++    could be responsible for the failure at the locations found during
++    debugging. Works fine on HP-UX (did also before), must cross check
++    at home...
++
++2001/08/21
++  - Received report, that smtp (client) fails with signal 11 (platform:
++    linux redhat). Cannot reproduce any problem on HP-UX (did run 1
++    week in production before release). But malloc() and stack strategies
++    are different between platforms.
++  - Can reproduce the failure on my Linux PC at home :-(.
++  - Found one bug in new_session_cb(): on successfull external caching,
++    success is reported by a return value of 1. This however must be another
++    bug, as it has nothing to do with the locations of the failure, when
++    analyzing the core dumps/running under debugger.
++    Still getting SIGSEGV...
++
++2001/08/20	== Released 0.7.6 ==
++
++2001/08/20
++  - Following "popular demand" implemented new feature and configuration option
++    "smtpd_tls_auth_only": Only allow authentication using the AUTH protocol,
++    when the TLS encryption layer is active. Default is "no" in order to
++    keep compatiblity to postfix without TLS patch.
++    This option does not distinguish between different AUTH mechanisms.
++
++2001/08/16	== Released 0.7.5 ==
++
++2001/08/15
++  - The new session cache handling is working now at my site for quite some
++    time.
++  - Client side: modified peername matching code, such that wildcard
++    certificates can be used. Matching is done as in HTTP/TLS: only the
++    leftmost part of the hostname may be replaced by a '*'.
++
++2001/08/09
++  - Further debugged the CRYPTO_set_ex_data() functionality.
++  - Unified "external cache write" and "external cache remove" callbacks
++    for client and server side. The "external cache read" functions are not
++    that easy to combine, as the lookup keys are quite different and do not
++    match the fixed interface to the callback function.
++  - Change shutdown behaviour according to SSL_shutdown(). When SSL_shutdown()
++    returns, the shutdown handshake may not be complete, if we were the first
++    party to send the shutdown alert. We must call SSL_shutdown() again,
++    to wait for the peer's alert.
++
++2001/08/08
++  - Postfix snapshot 20010808 is being released.
++
++2001/08/08
++  - Rewrite server side to remove externally cached sessions via callback.
++  - Rewrite client side to remove externally cached sessions via callback.
++    This turns out to be more difficult as expected, as the client side
++    session cache is sorted by hostnames, but the callbacks are called
++    with the SSL_SESSION objects. The information must be stored into the
++    SSL_SESSION objects by using the CRYPTO_set_ex_data() functionality,
++    the documentation of which, ahem, ...
++  - Reloading sessions stays separate, as the functionality is different.
++
++2001/08/07
++  - Started reworking the session cache code.
++    * On the server side the retrieval from the external cache and the writing
++      to the cache are handled by callback functions. The removal is handled
++      directly.
++    * On the client side, all session cache operations are performed explicitly.
++    * The explicit handling is on the client side is bad, as it requires a
++      quite complicated logic to detect session reuse and the appropriate
++      handling.
++    * The explicit handling of session removal on both sides is bad, as
++      the OpenSSL library will remove sessions (on session failure) according
++      to the TLS specifications automatically, so we want to take advantage
++      of this feature and have the externally cached sessions removed as
++      required via callback.
++  - First step: on the client side, also use the new_session_cb(), so that
++    new sessions are automatically saved to the external cache on creation.
++
++2001/08/01
++  - Postfix-20010228-pl04 is being released.
++
++2001/07/11	== Released 0.7.4 ==
++
++2001/07/10
++  - Postfix snapshot 20010709 was released. Resolved some minor patch
++    conflicts.
++
++2001/07/10
++  - OpenSSL 0.9.6b has been released including a security fix for the
++    libraries internal pseudo random number generator.
++    * Note: to exploit the weakness, an attacker must be able to retrieve
++      single random bytes. As in Postfix/TLS random bytes are only used
++      indirectly during the SSL handshake, an attacker could never access
++      the PRNG in the way required to exploit the weakness.
++    * Postfix/TLS is therefore not vulnerable (as are most (all?) applications
++      utilizing the SSL layer).
++    * The OpenSSL team however recommends to upgrade or install the bugfix
++      included in the announcement in any case.
++    * Details can be found at http://www.openssl.org/
++
++2001/05/31	== Released 0.7.3a ==
++
++2001/05/30
++  - Report from <Andre.Konopka at Presse-Data.de>: TLS logging does not work.
++    Reason: parameters are not evaluated in mail_params.c, as the corresponding
++    lines for other_int_defaults[] were missing from the patch. This
++    only affected the 0.7.3-snapshot version, the version for "stable"
++    is correct.
++    I will release 0.7.3a with this fix only for the snapshot version to keep
++    version numbering consistent with the "stable" version.
++
++2001/05/28	== Released 0.7.3 ==
++
++2001/05/28
++  - Upgraded to snapshot-20010425: resolved some minor patch conflicts.
++    No functional changes.
++
++2001/05/16
++  - Received french documentation (doc_french/) contributed by
++    Etienne Roulland <Etienne.Roulland at univ-poitiers.fr>.
++
++2001/05/03	== Released 0.7.2 ==
++
++2001/05/03
++  - Postfix-Snapshot 20010502 is released. Bernhard Rosenkraenzer
++    <bero at redhat.de> supplies an adapted patch for Postfix/TLS, as the
++    normal patch has several rejections because of code changes;
++    functionality has not changed.
++
++2001/05/01
++  - Patchlevel 02 of Postfix 20010228 is being released. The Postfix/TLS
++    patchkit applies cleanly when using the "-p1" switch to patch.
++
++2001/04/09	== Released 0.7.1 ==
++
++2001/04/06
++  - OpenSSL 0.9.6a is released. It contains several bugfixes and will become
++    the recommended version to be used with Postfix/TLS.
++    I will run some more test and then re-release Postfix/TLS (without
++    additional changes to the source) as 0.7.1 to make people aware of the
++    new versions of Postfix and OpenSSL.
++
++2001/04/05
++  - Hint from Bodo Moeller <moeller at cdc.informatik.tu-darmstadt.de>:
++    the "Known Bugs" section in doc/test.html actually contains bugs
++    of clients and/or interoperatbility problems. Better name it
++    "Known interoperability problems" and rename the entries
++    "Postfix/TLS server" and "Postfix/TLS client" to improve clarity.
++
++2001/03/29
++  - Patchlevel 01 of Postfix 20010228 is being released. The Postfix/TLS
++    patchkit applies cleanly when using the "-p1" switch to patch.
++    OpenSSL 0.9.6a will be out within the next handful of days, so I will
++    delay the release of a new patchlevel until then.
++
++2001/03/01	== Released 0.7.0 ==
++  - IMPORTANT: If you are upgrading from a much older version, you will find
++    that some configuration options have changed over time (fingerprints are
++    now handled with ':'. check_relay_ccerts is now permit_tls_clientcerts.
++    Session caching has been reworked.)
++    It is recommended to re-read the sample-tls.cf file or the html version
++    in the documentation.
++
++2001/03/01
++  - Wietse has announced the _release_ version (non-beta) or postfix:
++    20010228!
++  - Applied the Patchkit to the _release_ version (not the snapshot version).
++    Resolved one minor patch conflict.
++  - So, it's time to call this Postfix/TLS 0.7.0.
++
++2001/02/26	== Released 0.6.38 ==
++
++2001/02/26
++  - Snapshot-20010225 has been released. Resolved one minor patch conflict.
++
++2001/02/23	== Released 0.6.37 ==
++
++2001/02/23
++  - Snapshot-20010222 has been announced as RELEASE CANDIDAT. Resolved one
++    minor patch conflict.
++  - Removed "check_relay_ccerts" restriction which has been replaced
++    by "permit_tls_clientcerts" in 0.6.24. (Was left in until now for
++    transition.)
++  - Do not try to save session data > 8kB, since this cannot be handled
++    by SDBM. (This is more or less academical, since I have never met a
++    session even half that large.)
++
++2001/02/19	== Released 0.6.36 ==
++
++2001/02/05
++  - Snapshot-20010204 has been released. Resolved one minor patch conflict.
++
++2001/02/03	== Released 0.6.35 ==
++
++2001/02/03
++  - Snapshot-20010202 has been released. Resolved one minor patch conflict.
++
++2001/01/29	== Released 0.6.34 ==
++
++2001/01/29
++  - Snapshot-20010128 has been released. Resolved some minor patch conflicts.
++
++2001/01/11	== Released 0.6.33 ==
++
++2001/01/10
++  - Discussion in Thread "When to get peer certificate?" continues and it
++    comes out, that cross references between datastructures are well maintained
++    inside OpenSSL. A fact not well known due to lack of documentation
++    (seems I am facing some more work on the OpenSSL manpages :-).
++  - Moved around data needed for the certificate verification: a lot of
++    "static" entries globally needed inside pfixtls.c could now be moved
++    into the connection specific TLScontext.
++
++2001/01/07	== Released 0.6.32 ==
++
++2001/01/07
++  - Since now the checks at handshake stage (in pfixtls.c) are more strict,
++    some of the checks in smptd.c and smtp_proto.c could be removed.
++    At a later point I can probably move even more checks into pfixtls.c...
++
++2001/01/05
++  - Had a discussion with Ari Pirinen <aripirin at europe.com> on openssl-users
++    (Thread: When to get peer certificate?) about the earliest possible
++    place to check the CommonName of the peer against the expected name.
++    (This is what smtp does when enforcing the peername of the server it
++    is connecting to.)
++    The final result was, that the check can already been done inside the
++    verifiy_callback() routine even before the handshake is completed.
++    The positive side effect is, that since the session is never completly
++    established, it is also not cached on either client or server.
++  - Since this is a good idea, I have extended the verify_callback in
++    src/global/pfixtls.c to check the CommonName of the peer (if applicable)
++    and have the handshake shut down immediatly on failure. I have also
++    changed the behaviour so that whenever a positive certificate verification
++    is required, the handshake is shut down immediatly.
++    (The versions up to now did delay these checks until the session was
++    established and then shut down the connection. I had established this
++    practice while working on BIO-pairs and running into a bug in
++    OpenSSL 0.9.5 (fixed now) and with the verify depth.)
++
++2000/12/23	== Released 0.6.31 ==
++
++2000/12/23
++  - Bug: When only enabling smtpd_tls_wrappermode and not additionally setting
++    smtpd_use_tls or smtpd_enforce_tls, the TLS engine was not fired up on
++    startup of smtpd
++    Fixed: also start TLS engine when only smtpd_tls_wrappermode is enabled.
++    (Experienced by "Fiamingo, Frank" <FiamingF at strsoh.org>)
++
++2000/12/18	== Released 0.6.30 ==
++
++2000/12/18
++  - New snapshot 20001217 has been released. Due to the change of "timeout"
++    parameters now being its own class and table, the old patchkit does not
++    apply cleanly!
++  - Checked out Postfix/TLS parameters being timeout values and put them into
++    the new style time parameter table. This allows to specify time values
++    like 3600s or 1h. Updated sample configuration to reflect this new style.
++  - "Fiamingo, Frank" <FiamingF at strsoh.org> pointed out to me, that there are
++    three parameters in src/global/mail_params.h (namely DEF_TLS_RAND_EXCH_NAME,
++    DEF_SMTPD_TLS_CERT_FILE, DEF_SMTPD_TLS_CA_FILE) that are hardcoded as
++    "/etc/postfix/something".
++    This does not match the usual style of postfix, where no paths are
++    hardcoded this way. I have removed the defaults for CERT_FILE and CA_FILE.
++    The RAND_EXCH is needed for good PRNG seeding on systems without
++    /dev/urandom, I however don't know yet, how to rearrange this requirement.
++    I could use the Postfix internal mechanisms to enforce a parameter, but
++    this would annoy people having compiled in TLS but not activated. 
++
++2000/12/13	== Released 0.6.29 ==
++
++2000/12/13
++  - Snapshot-20001212 has been released.
++  - Undid bugfixes for 20001210 which now are included in the new snapshot.
++
++2000/12/12	== Released 0.6.28 ==
++
++2000/12/12
++  - Added bugfix provided by Wietse on postfix-users at postfix.org for
++    "postconf -m" behaviour.
++
++2000/12/11
++  - New snapshot-20001210 released. Some patch conflicts occur. Additionally
++    * adjusted calls to myflock() to changed interface,
++    * fixed bug in smtpd_sasl_glue(), where a change to the name_mask()
++      call was not applied in the original snapshot.
++
++2000/12/05	== Released 0.6.27 ==
++
++2000/12/04
++  - Print informational message "SSL session removed" only when
++    var_smtp[d]_loglevel >= 2. (Proposed by Craig Sanders <cas at taz.net.au>.)
++  - Extend logging of "setting up TLS connection from/to" and corresponding
++    success/failure messages so that they include the hostname/ip address.
++    This way it is much easier to automatically analyze errors by simply
++    grepping for e.g. "SSL_accept error" and immediately get the peer
++    causing the problem without further logfile processing.
++    (Proposed by Craig Sanders <cas at taz.net.au>.)
++  - When experiencing a TLS failure due to TLS-enforced failure in client mode
++    (no certificate or hostname/certificate mismatch etc), immediately shut
++    down the TLS mode with "failure" indication, so that the SSL session is
++    removed immediately. This way a new session is always enforced in the
++    case the peer has fixed the problem; no need to wait for the timeout.
++
++2000/11/29	== Released 0.6.26 ==
++
++2000/11/29
++  - Found security relevant bug in the OpenSSL library: the verify_result
++    stating whether or not the certificate verification succeeded is not
++    stored in the session data to be cached and reused.
++  - This bug was found during the development of Postfix/TLS around one
++    year ago, the bug in the library was however only fixed for the server
++    side. At that time I also tested the server side behaviour but ommitted
++    to check the client side, too.
++  - Versions before Postfix/TLS 0.4.4 experienced this problem for both
++    server and client side. Before 0.6.0 a workaround was active for both
++    sides, which has been removed at 0.6.0 in the believe that the bug
++    was gone (I only tested the server side, which was fixed).
++  - Fixed that bug in OpenSSL also for the client side (I can do this myelf
++    now that I have been invited to join the OpenSSL developers team :-).
++    The fix is availabe as of today and will be part of the 0.9.7 release
++    of OpenSSL (or 0.9.6a, if this release will be published).
++  - Included a workaround inside Postfix/TLS for OpenSSL library versions
++    before 0.9.6a or 0.9.7, respectively.
++
++********************** Begin Description
++
++  - By not caching the verify_result for the client side, the following
++    behaviour could appear:
++  * The problem can only appear when smtp_tls_session_cache_database
++    is activated.
++  * smtp_use_tls = yes
++   X On the first connection, the certificate fails verification, failure
++     is logged:
++      smtp[*]: Unverified: subject_CN=serv01.aet.tu-cottbus.de, issuer_CN=BTU-CA
++     For any following connections until the session times out (default 1 hour),
++     the peer certificate seems to pass verification:
++      smtp[*]: Verified: subject_CN=serv01.aet.tu-cottbus.de, issuer_CN=BTU-CA
++   X Security Impact:
++     Unverified certificates are logged as if verification had succeeded.
++  * smtp_enforce_tls = yes
++   X After the verification failure, the session is never correctly established
++     and hence not reused.
++   X Security impact:
++     None, as the session is never reused.
++  * smtp_enforce_tls = yes after smtp_tls_enforce_tls = yes for a server.
++   X If the session has been recorded with use_tls and then for this server
++     enforce_tls is set, the wrong verify_result could be used within the
++     session cache timeout (default = 1 hour).
++   X Security impact:
++     If TLS shall be enforced for a recipient, there is a window of approx.
++     one hour from setting the "enforce_tls" switch until a verification
++     failure is noted. For this to happen, a TLS session to that server must
++     have been used with use_tls set and the not-verifiable certificate must
++     have been recorded in that session.
++  - Evaluation:
++    Even though this _is_ a security problem, I consider risk to be *low*,
++    given the conditions under which the problem might occur.
++
++********************** End Description
++
++2000/11/27	== Released 0.6.25 ==
++
++2000/11/26
++  - Added "permit_tls_all_clientcerts" for smtpd_recipient_restrictions.
++    When this option is enabled, any valid client certificate allows relaying.
++    This can be practical, if e.g. a company has a special CA to create
++    these certificates and only this CA is "trusted". It however does not
++    allow finer control, so if e.g. an employee leaves, he could still
++    relay. Postfix/TLS does not (yet) allow CRL (certificate revocation lists).
++    (Added on popular demand.)
++  - Make the client behaviour more configurabe: when enforcing TLS connections,
++    the peer's name is checked against the CommonName in its certificate.
++    New configuration variable "smtp_tls_enforce_peername" (default=yes)
++    can now be used to accept peername!=CommonName. The server's certificate
++    must still pass the verifcation process against a trusted CA!
++    In tls_per_site, the according key is MUST_NOPEERMATCH.
++    (Added on demand.)
++
++2000/11/24
++  - If the server requires a client certificate and no certificate is presented
++    or the certificate fails verification, the connection is shut down but
++    no information is logged.
++    -> add according msg_info() in smtpd/smtpd.c:startls_cmd().
++  - If TLS is not enforced, it does not make sense for a server to require a
++    client certificate. If no STARTTLS is issued, the SMTP would continue
++    anyway, so why shut down when TLS is activated without verifyable client
++    certificate?
++    -> ignore smtpd_tls_req_ccert=yes, if TLS is not enforced and only treat
++       like smtpd_tls_ask_ccert = yes with an according information logged.
++
++2000/11/22	== Released 0.6.24 ==
++
++2000/11/22
++  - Installed on my own servers and changed configuration to use the new
++    "permit_tls_clientcerts" option name. Patchkit will be released after
++    some hours of successfull operation.
++
++2000/11/21
++  - New snapshot-20001121 is being released. The patch applies without any
++    conflict when applied with "patch -p1", so no need to rush out an updated
++    patchkit.
++  - Rename the smtpd_recipient_restrictions option from "check_relay_ccerts"
++    to "permit_tls_clientcerts" to better match the naming scheme.
++    Leave in the old option for now to not break existing configurations.
++    The final incompatible removing is scheduled of release 0.7.0 of the
++    patchkit which will be matching the next "stable" release of postfix.
++  - There is no manual page for tlsmgr.8 (pointed out by Terje Elde
++    <terje at thinksec.com>).
++    Fix the comments at the beginning of tlsmgr.c and create tlsmgr.8.
++  - In the session cache code an additional 20 bytes were allocated when
++    converting SSL_SESSION data to binary using i2d_SSL_SESSION().
++    In adding these 20 bytes to the size listed by i2d_SSL_SESSION() I followed
++    the example in the OpenSSL source (PEM_ASN1_write()). These 20 bytes are
++    only added since when writing the PEM, a 20 byte checksum is added, so
++    we don't need it in our case -> removed.
++    (Researched after Carlos Vicente <cvicente at mat.upc.es> asked what these
++    20 bytes are good for :-)
++
++2000/10/30	== Re-Released 0.6.23 ==
++
++2000/10/30
++  - Postfix snapshot-20001030 with an important bug fix is made available.
++    The patchkit applies without any problem (patch -p1).
++    Hence, I re-release the 0.66.23 release for the new snapshot.
++
++2000/10/30	== Released 0.6.23 ==
++
++2000/10/30
++  - New Postfix snapshot 20001029 available with some important bug fix.
++    Adjusted patchkit (only minor conflicts).
++
++2000/10/27
++  - The CN_sanitize function (src/smtpd/smtpd.c) that shall make sure that
++    no illegal sign is included into the Received: header does not work
++    on systems were "char" is unsigned by default.
++    (Linux on s390, found by Carsten Hoeger <choeger at suse.de>)
++    -> Worked out a more precise (even though not looking elegant) solution
++    that checks out all acceptable characters.
++  - Sent new smptd.c to Carsten Hoeger for testing, will wait with new
++    Postfix/TLS release.
++
++2000/10/06	== Released 0.6.22 ==
++
++2000/10/06
++  - snapshot-20001005 has been released, featuring fast ETRN. Only some minor
++    patch conflicts needed to be resolved.
++
++2000/09/28	== Released 0.6.21 ==
++
++2000/09/28
++  - snapshot-20000924 seems to be somewhat longer lasting. I have been asked
++    for a new Postfix/TLS release against snapshot-20000924, hence I will
++    create one.
++  - Running OpenSSL 0.9.6 for a week now to my full satisfaction. I will bump
++    bump up the Postfix/TLS version counting to include "0.9.6", even though
++    it will still run fine with 0.9.5a.
++
++2000/09/25/
++  - snapshot-20000924 is available; only small adjustments.
++  - Wietse seems to release new snaphots on a daily basis, it doesn't make
++    sense to follow with a new Postfix/TLS release every day.
++
++2000/09/23	== Released 0.6.20 ==
++
++2000/09/23
++  - Recompile OpenSSL-0.9.6-beta3 with the change and reinstall old pfixtls.c:
++    works again. Hence, all versions of Postfix/TLS working against 0.9.5a
++    will also work again 0.9.6-final, which shall be released on 2000/09/24!
++  - Wietse releases snapshot-20000923, patchkit adapted.
++  - Went through the "install.html" document to add a remark about
++    OpenSSL-0.9.6. This document is of historic quality but did not fit
++    actual versions of Postfix/TLS, we are far beyond OpenSSL 0.9.2: Updated.
++
++2000/09/22
++  - Wietse releases snapshot-20000922. The source directory hierarchie has
++    changed, so the patch needs to be adjusted at several places.
++  - Run tests against OpenSSL 0.9.6-beta3: problems occur!
++    * Certificates are no longer verified, since an informationa flag about the
++      CA certificate search process is written into the error storage and
++      thus misinterpreted as verification failure.
++    * Changed Postfix/TLS source to maintain its own error storage based on
++      the verify_callback, send out according warning to Postfix/TLS mailing
++      list.
++    * Unfortunately, this will break all older versions of Postfix/TLS.
++      Sent out analysis to OpenSSL-bugs at openssl.org.
++    * Additional change is made to OpenSSL: the new behaviour is only activated
++      when a special flag is set, so compatibility is restored!
++
++2000/09/21
++  - Wietse releases snapshot-20000921. Some minor patch conflicts resolved.
++
++2000/09/14	== Released 0.6.19 ==
++
++2000/09/14
++  - Received a bug report: Postfix/TLS will accept a mail even though
++    smtpd_req_ccert=yes (require use of client certificate) and no
++    client certificate is presented.
++    Reason: when no client certificate is presented SSL_get_verify_result()
++    will return X509_V_OK, since this is the default value.
++    Solution: only set "peer_verified" internal information, if the
++    verify_result is X509_V_OK _and_ a peer certificate is available.
++    Remark: This default value does not make too much sense. I will file
++    a bug report/patch before the next release of OpenSSL...
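Review bot: the two verification caveats this ChangeLog records (2000/09/14 and 2000/11/29) are the ones a reviewer should confirm are still honoured by the code part of this patch, since only the log text is visible in this hunk. The 2000/09/14 entry states that SSL_get_verify_result() returns X509_V_OK when the client presented no certificate at all, so "peer_verified" may only be set when the result is X509_V_OK _and_ a peer certificate is actually available; the 2000/11/29 description states that, for OpenSSL versions before 0.9.6a/0.9.7, the client-side verify_result was not stored in the cached session, so a reused session could be logged as "Verified" after an earlier "Unverified" failure, and a Postfix/TLS workaround was added for those library versions. Suggest the patch description state which OpenSSL version the packaged code is built against and whether that pre-0.9.6a workaround and the "certificate present" check are carried over unchanged, rather than leaving this to be inferred from the historical log.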
++
++2000/09/03	== Released 0.6.18 ==
++
++2000/09/03
++  - When calling "sendmail -bs", smtpd is started without root privileges,
++    hence it cannot open the private key file and the session cache database.
++    Since the database routines do not offer a graceful return (only fatal
++    and abort), this leads to a failure when TLS and session caching is
++    activated.
++    This affects PINE users (noted by Craig Sanders <cas at taz.net.au>).
++    Solution: Try to read the private key first; if that fails, we can
++    gracefully recover and won't touch the session cache database at all.
++  - When STARTTLS is configured for smtpd but does not work (e.g. because of
++    unaccessible keys), smtpd answers with "465 TLS not available due to
++    temporary reasons". After that the connection was closed, this is however
++    not necessary, as the client may decide to continue without TLS activated.
++  - Craig Sanders <cas at taz.net.au> contributes a script to automatically
++    generate the keys and certificates for Postfix/TLS usage. Added
++    "make-postfix-cert.sh" to the contributed/ directory.
++
++2000/09/02	== Released 0.6.17 ==
++
++2000/09/02
++  - Craig Sanders <cas at taz.net.au> reports that he has connection problems
++    with a site; the message in the log is:
++    SSL_connect error 0
++    8847:error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message:s3_pkt.c:956:SSL alert number 10:
++    * This is the error caused by the faulty TLS implementation with
++      CommunigatePro. The bug is fixed in later versions of CommunigatePro,
++      The site shall be contacted, they should update.
++  - More important, he reports a segmentation fault immediately after this
++    problem.
++  - Bug: when not using session caching and an error occurs during the TLS
++    handshake, pfixtls_start_clienttls() tried to remove the erronous
++    session from a non-existant session cache.
++    Fix: check the existence of the session cache before trying to access it.
++    Comment: at all other places in the code this condition was already
++             caught.
++  - Remark: actually session caching was configured, but the configuration
++    variable was mistyped because...
++       it was wrong in conf/sample-tls.cf and doc/conf.html.
++    The correct values are "smtp[d]_tls_session_cache_database" instead of
++    "smtp[d]_tls_use_session_cache_database".
++    Unfortunately this is not flagged by Postfix...
++
++2000/08/25	== Released 0.6.16 ==
++
++2000/08/25
++  - Make sure, that the smtp[d] processes will try to access the "daemon"
++    entropy sources, but will only print an info when not available. Using
++    the PRNG-exchange file, they can happily run without.
++  - Moved HAS_SSL checks, such that the package compiles also when configured
++    without -DHAS_SSL.
++
++2000/08/24
++  - Changed the handling of the PRNG-exchange file. Until now it was written
++    by tlsmgr and read by the smtp[d] daemons. This had the disadvantage, that
++    until tlsmgr rewrote new bytes to the file, all starting daemons read the
++    same seed (to which some more bits, but not too much were added).
++  - Now the file is handled in read->stir into pool->write back mode, so that
++    every daemon will add its own entropy bits.
++  - The smtp[d] processes will do so when starting, when opening a TLS
++    connection and when closing.
++  - The tlsmgr will also read back the file and add it to its pool, so that
++    no entropy is lost.
++  - This change significantly increases the "self seeding" capability of
++    the TLS service.
++
++2000/08/09
++  - Cleaned up the new PRNG-seeding.
++  - When tlsmgr looses connection to an EGD-source (because it was restarted),
++    tlsmgr performes an exit(0), so that a newly started tlsmgr can reconnect.
++    [chroot/dropped privileges].
++
++2000/08/04
++  - Introduced new entropy sources for single daemons:
++    * tls_daemon_random_source
++    Using this source (same style as for tlsmgr), each starting daemon can
++    obtain additional entropy (32 bytes by default). The PRNG-exchange file
++    is still read.
++  - I am not sure about the policy for this feature. If such a source is
++    given, should a failure be considered fatal?
++
++2000/07/23
++  - Started reworking the PRNG seeding:
++    * tlsmgr now recognizes tls_random_source as
++      dev:/dev/urandom		/* Direct read from device file */
++      egd:/path/to/socket       /* Connection via EGD-socket */
++      /path/of/plain-file
++    * If a dev: or egd: is given, tlsmgr will connect and keep the connection
++      open, so that it now can run in chroot-mode with dropped privileges.
++  - Since EGD can be drained, but the connection is permanently open, only
++    suck a small number of bytes (default 32) at a time, but do it more
++    often.
++
++2000/08/09	== Released 0.6.15 ==
++
++2000/08/09
++  - Traced through OpenSSL to learn more about the verify_callback-feature.
++    The callback is called several times. When it returns "1", the handshake
++    will continue, when it calls "0", the handshake will immediately fail
++    (and Postfix/TLS will also close the TCP connection).
++  - Following the sample in the OpenSSL-apps, the verification chain depth
++    was the only property triggering this effect, so this stood hidden until
++    now. Obviously, users having longer chains did set the verifcation
++    depth accordingly or they gave up, since this was never reported...
++  - Changed the behaviour of verify_callback() to never return "0", such that
++    we can deal with the verification result later in a more consistent manner.
++    If we only enable and not enforce, we simply want to ignore problems with
++    the certificate.
++  - verify_callback() did not print out all information, since the wrong
++    state variables (pfixtls_*active instead of pfixtls_*engine) were
++    checked. The *active state variables are only set later.
++    As the verify process now became rather narrative, the normal logging
++    is only done in loglevel 2!
++  - Arrrghhh. The conf/sample-tls.cf _and_ the html-docu (which is actually
++    copied from conf/sample-tls.cf) has wrong names for the verification-
++    depth parameters. *_vd instead of *_verifydepth and ccert<->scert.
++    [Wondering, why this never popped up before...]
++  - Changed the default-verifydepth to "5" which should suffice for most
++    cases. Maybe the limit could also be completely removed, but we should
++    at least receive a warning hint when something goes wild.
++    Since OpenSSL>=0.9.5 is required for Postfix/TLS anyway, certificate chain
++    verification can now be used, so the caution applied before is no longer
++    necessary.
++
++2000/08/08
++  - Tracked down the double-free() call in smtp with Efence. SSL_free()
++    does call SSL_SESSION_free() on the negotiated session. Hence, I must
++    not call SSL_SESSION_free() on the session in question, it will be
++    removed anyway.
++  - Also tracked down the certificate chain feature. Reason is the
++    verify_callback() in global/pfixtls.c. It flags a chain depth that
++    is too long as fatal, hence the connection is immediately closed.
++
++2000/08/04
++  - Received information from Alain Thivillon <Alain.Thivillon at hsc.fr>:
++    FreeBSD-CURRENT offers malloc() with additional checks enabled.
++    After successfully delivering, smtp dumps core with free() called
++    twice in TLS mode.
++  - I noted, that there is a communication problem with his site an my new
++    certificate issued by the universities computer center (which has a chain
++    depth of 2). Step back to the old self certificate for the time being.
++
++2000/07/27	== Released 0.6.14 ==
++
++2000/07/27
++  - Introduced new configuration parameter "smtpd_tls_wrappermode" that
++    enables the (deprecated) old style SSL-wrapping around SMTP. It could
++    be run on a different port (once smtps=465) was recommended for this
++    services.
++    This method is used by old versions of Outlook (Express), the Mac versions
++    and even actual versions, when not run on port 25.
++    [Actually it was only a handful of lines, so it doesn't hurt too much,
++    even though it does not follow any RFC.]
++  - I recommend using this option only from master.cf. Example lines added
++    to conf/master.cf and description added to Postfix/TLS-doc/conf.html.
++  - When having SASL enabled and TLS-enforce mode in "smtpd", only offer
++    AUTH, when TLS has been activated. Otherwise the client might simply
++    send the unencrypted credentials before it receives
++      530 Must issue a STARTTLS command first
++    and an eavesdropper already has what he was looking for.
++
++2000/07/19	== Released 0.6.13 ==
++
++2000/07/19
++  - Changed the library-initializaton call to new naming scheme
++    (SSLeay_add_ssl_algorithms() to OpenSSL_add_ssl_algorithms() :-).
++  - Updated documentation to reflect the use of chain certificates with
++    CAfile and smtp[d]_tls_cert_file (see 2000/07/06).
++  - Documentation: the interoperability problem with CommunigatePro has been
++    solved: CommunigatePro violated the TLS-RFC and has been fixed.
++  - Typo: It is "to stir" not "to stirl" :-)
++
++2000/07/06
++  - Received certificate for our site from our computer center. It's a chain
++    certificate. Now load the cert with SSL_CTX_use_certificate_chain_file(),
++    in order to better load the chain CA certificates.
++
++2000/07/04
++  - Reported Wietse about a possible problem in the SASL code, a relay check
++    may also be performed if sasl was not enabled and might lead to unwanted
++    relay.
++    As the fix is in my own codebase, I will leave it Postfix/TLS until a
++    new snapshot (or final release) is available.
++
++2000/06/02	== Released 0.6.12 ==
++
++2000/06/02
++  - Adapted to Snapshot-20000531 (minor patch conflict).
++  - Cleaned up some old header file dependencies in global/pfixtls.c and
++    global/Makefile.in that are no longer needed due to the interface changes
++    (timed_read()/write()) in 0.6.7.
++
++2000/05/29	== Released 0.6.11 ==
++
++2000/05/29
++  - Following Bodo Moeller's analysis, the error is due to a mismatch between
++    the CA certificate accessible in the smtp[d]_tls_CAfile and the one used
++    in the actual certificate (smtp[d]_tls_cert_file).
++    Daniel Miller fixed his setup and the problem is gone.
++  - Introduced a workaround into Postfix/TLS: if the padding error is found,
++    it is removed from the error-queue by Postfix/TLS, in order to protect
++    more sites from experiencing this problem.
++  - Added a warning to conf/sample-tls.cf
++  - Updated to the latest snapshot-20000528.
++
++2000/05/27
++  - After some fiddling around working through the binary certificate data to
++    see where it is modified at 0.6.10, I actually note, that both 0.6.9 and
++    0.6.10 choke on the data. Now going back up through the functions very
++    fast reveals the problem:
++    * The certificate supplied triggers the "RSA-padding" error in any case.
++      Since the certificate authencity is not enforced on OpenSSL-library level
++      but inside postfix later, the error is not enforced.
++      The error messages generated stay however in the error queue.
++      - For blocking sockets, the SSL_accept()/connect() calls return
++	"success", so the error-queue is never checked.
++      - With BIO-pairs, the error queue is checked to find out, whether the
++	function has just to be called again to continue the handshake, so
++	the error messages are found and the connection is shut down due to
++	the error condition.
++  - Submitted bug report to Bodo Moeller. Bug fix is checked into the OpenSSL
++    CVS archive: if the error is ignored during the handshake, clear the
++    error-queue.
++    * The next release of OpenSSL will behave consistently.
++  - This leaves open the question, why the RSA-padding error is issued in the
++    first place. Sent a query to the OpenSSL-* mailing lists.
++
++2000/05/26
++  - A second site experiencing this problem pops up.
++    -> Issued a warning to the postfix_tls mailing list.
++
++2000/05/24
++  - Contacted Damien Miller <djm at mindrot.org>. He did not change his TLS setup
++    in the last time. He is running Postfix/TLS-0.6.6.
++  - Contacted Bodo Moeller <moeller at cdc.informatik.tu-darmstadt.de>, the author
++    of the BIO-pair part of OpenSSL for some debugging hints. Received several
++    worthful remarks on what to look for.
++  - Checked byte-for-byte the data fed into the OpenSSL-library. It does not
++    differ between 0.6.9 and 0.6.10, so my handling seems to be actually
++    correct.
++
++2000/05/23
++  - A communication error occurs when talking to mail.mindrot.org:
++    SSL_accept error -1
++    10264:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
++    10264:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:396:
++    10264:error:0D079006:asn1 encoding routines:ASN1_verify:bad get asn1 object call:a_verify.c:109:
++  - The error occurs both in client and server mode. 0.6.9 does not show
++    this problem.
++  - Tried to connect with several other sites, all connections are fine,
++    this includes sendmail and qmail peers; hence decided to not recall 0.6.10.
++
++2000/05/23	== Released 0.6.10 ==
++
++2000/05/23
++  - Sent a note to openssl-dev at openssl.org about the behaviour of SSL_free()
++    and BIO_free(), hoping for some clarification whether my way of doing
++    it is the recommended way.
++  - Run the software in production mode on my own servers...
++  - Finished writing the in-source documentation.
++  - Updated sample-tls.cf and sample-smtp[d].cf to reflect the new timeout
++    parameters.
++
++2000/05/21
++  - Removed error messages produced by the now non-blocking behaviour of the
++    TLS layer [apps_ssl_info_callback()].
++
++2000/05/20
++  - Took results home and tried to run it on my Linux-box: SEGV after
++    successfully handling the SMTP session!!
++    * It seems that the SSL_free() and BIO_free() functions interact.
++      SSL_free() releases the underlying BIO and it will bomb out when
++      it is then explicitely BIO_free()'ed again and vice versa.
++    * It did not bomb out on HP-UX, but such things happen. I however want to
++      know, why the example program does not fail...
++    * With respect to the bevaviour as is, SSL_free(TLScontext->con);
++      BIO_free(TLScontext->network_bio) and not touching
++      TLScontext->internal_bio works.
++  - Introduced special timeout values for the TLS negotiation stage, as the
++    timeout values may change with protocol state (suggested by Wietse).
++  - Started writing a full description of the BIO-pair concept and its
++    special treatment into the pfixtls.c sourcecode.
++
++2000/05/19
++  - Systematicly implemented a generalized layer handling:
++    * do_tls_operation() is the generic handler for all SSL_*() input/output
++      functions. It deals with the non-blocking behaviour of this functions,
++      requiring appropriate retrys.
++    * network_biopair_interop() handles the interaction between the socket/fd
++      and the buffering BIO-pair.
++
++2000/05/18
++  - Based on the example in openssl-0.9.5a/ssl/ssltest.c realized the first
++    usage of BIO-pairs. (Can do server handshaking.)
++  - Learned, that the BIO-pair has its own buffering that needs its own
++    flushing. It is not enough to relay on the SSL_ERROR_WANT_READ/WRITE
++    state information.
++
++2000/05/17	== Released 0.6.9 ==
++  - Important: the seperator in the relay-fingerprints is now ':'!!!
++    Don't forget to change your relay_clientcerts databases.
++
++2000/05/16
++  - Changed pfixtls.c to only use the interface described in util/vstream.c
++    for handling the VSTREAM.
++    * Added vstream_context() macro to the VSTREAM-interface.
++  - Introduce TLScontext to identify the connection instead of the file
++    descriptor. Move all static data (SSL structure and information gathered
++    about the connection) into the context.
++    The TLScontext is allocated on TLS-start for a connection and saved with
++    the VSTREAM, so several streams can be used at the same time.
++  - Removed "pfixtls_setfd()" as it is no longer needed.
++  - Changed the relay_clientcerts list from string_list_* to maps_* interface
++    to allow usage of ":" in the list.
++    THIS IS AN INCOMPATIBLE CHANGE!!!!
++  - Updated documentation accordingly.
++
++2000/05/12	== Re-released 0.6.8 ==
++
++2000/05/12
++  - Wietse announces snapshot-20000511 with an important bugfix.
++  - Since upgrading from 20000507 to 20000511 is highly recommended,
++    Postfix/TLS 0.6.8 is re-released for this snapshot (the patch applied
++    cleanly, just the name of the toplevel directory has changed).
++
++2000/05/11	== Released 0.6.8 ==
++
++2000/05/11
++  - Unlike expected I found some time to install the latest cyrus-sasl-1.5.21
++    and test some parts the integration. It does, well, work as advertised
++    (and the advertisement in SASL_README is not too optimistic).
++  - When checking all of the rejected patch-snippets for 0.6.6->0.6.7
++    I missed the parameter "smtpd_enforce_tls" (noted since I wanted to
++    enforce TLS encryption while playing around with plaintext passwords)
++    in the static CONFIG_BOOL_TABLE bool_table[] = {..} in smtpd/smtpd.c
++    -> I will immediately release a corrected version 0.6.8.
++
++2000/05/11	== Released 0.6.7 ==
++
++2000/05/11
++  - The latest sendmail.8.11.0.Beta1 includes STARTTLS support; it is available
++    in source code and also uses OpenSSL.
++
++2000/05/10
++  - After having it running at home (Linux) I also install it at work for
++    the field test.
++  - No time to install the SASL kit, so this part stays untested as of now.
++
++2000/05/09
++  - Downloaded snaphot and apply the patchkit.
++  - Straightened out the rejected parts of the patch.
++  - Due to the new layering with timed_read() and timed_write() functions
++    the integration of the TLS layer needed special adjustment.
++    * When TLS is active, the timed_read() and timed_write() functions are
++      replaced by the corresponding pfixtls_timed_read() and
++      pfixtls_timed_write() functions. When the TLS functionality is stopped,
++      the old functions are restored.
++    * The names of the pfixtls_timed_*() functions are looking into the future,
++      because they are working as before, the timeout functionality is not
++      in, yet.
++
++2000/05/08
++  - Wietse announces snapshot-20000507 with a lot of changes. Especially
++    important: the I/O handling of the smtp-stream has been changed to
++    a more layered technique that allows easier integration of the TLS layer.
++
++2000/04/27	== Released 0.6.6 ==
++
++2000/04/27
++  - Fixed inconsistency between documentation and actual behaviour: peer
++    certificate information was not logged at level 1 (found by
++    Damien Miller <djm at mindrot.org>).
++    * While at it: the logged information did not say whether the certificate
++      data logged passed verification or not: fixed. (The information logged
++      in the Received: header already contained that information.)
++  - Backported dict_dbm.c from snapshot-20000309 with the updated
++    dict_delete() behaviour (key not found is not considered fatal).
++    Maintained dict_sdbm.c accordingly.
++
++2000/04/18	== Released 0.6.5 ==
++  - Important:
++    * New session cache mechanism SDBM. Please adapt your main.cf and delete
++      any old ".db" session cache files manually.
++
++2000/04/18
++  - I am using the SDBM session cache for a week right now and did not have
++    any trouble, so I think its worth pushing it out.
++  - I am not completely happy with the dict_del() behaviour of considering
++    a not-found key fatal. It might happen when the smtp[d] processes would
++    be allowed to delete themselves. They are not as of now, so I accept it
++    for now but will reconsider it.
++  - Updated documentation accordingly.
++
++2000/04/17
++  - Received corrections for the HTML-docs from Ralf Hildebrandt
++    <R.Hildebrandt at tu-bs.de>.
++
++2000/04/11
++  - Transfered SDBM from home (Linux-testbed :-) to work [found and fixed some
++    small items when compiling on HP-UX]. Started running it under
++    "real life" conditions.
++
++2000/04/07
++  - Implemented "SDBM" Simple Database Management routines as also utilized in
++    ModSSL. Of course, it requires reopening of the databases, so the
++    routines are changed, that the _file_descriptors_ are left open, but
++    the _in_memory_ database stuff (especially the cached data) is closed
++    and reopened on access. This is what is really needed. The pagesize
++    is increased from standard DBM compatibility to hold the session
++    information.
++    Additionally, this software is in the public domain, so no additional
++    license problems arise.
++  - The access goes through the dict_* interface, hence the locking is
++    performed by myflock().
++
++2000/04/01	== Released 0.6.4 ==
++
++2000/04/01
++  - Updated to the new patchlevel of Postfix (19991231-pl06), some parts of
++    the patch were rejected due to changes in smtpd.
++  - Changed patch name with respect of today's release of OpenSSL-0.9.5a.
++    The code remained unchanged.
++    
++2000/03/25-31
++  - The cached informations are not deleted by "tlsmgr" even though stored
++    and retrieved by the smtp[d] processess. Strange.
++  - Spend some large amount of time digging through the Berkeley DB
++    documentation and code.
++    * It claims that Berkeley DB is multi-process capable. Caveat: it takes
++      the very complicated "transaction model", that I did not use until now.
++      Hence the session cache does not work as is.
++    * Even with transaction model, Berkeley DB requires re-opening of the
++      databases to get rid of cached information. F*ck.
++  - Finally, I give up on Berkeley DB for session caching. It will never
++    work for us. Even if it would, it requires a large amount of helper files
++    and it seems, that the transaction environment is somewhat fragile when it
++    comes to some problem. I won't rely on it.
++
++2000/03/28	== Released 0.6.3 ==
++
++2000/03/28
++  - As has been pointed out to me, the TLS information in the Received:
++    header is not conform to RFC822.
++  - The TLS protocol and peer CN information is now included in '()', so
++    that it is a comment.
++
++2000/03/21	== Released 0.6.2 ==
++
++2000/03/21
++  - I have been running DB based session caching with the changes for some
++    more time now without problems. Am I really confident? No, not really.
++    I remember the trouble I had with Berkeley DB and sendmail on HP-UX.
++    I don't think I really trust it.
++  - Realized single "smtp_tls_per_site" lookup. I cannot use the more or
++    less comfortable "domain_list" lookups as before, since these do not
++    return the value, just found or not :-(.
++    Hence the lookup is realized with maps and exact lookup. I never tried
++    regexp. But if I understand the docs correctly, it should be possible to
++    use it here to realize wildcard lookups, if it would not have been
++    disabled :-(.
++  - Summary:
++    * Session Cache will be cleaned at "postfix reload" or "postfix start"
++    * New table "smtp_tls_per_site"
++    * Gone: "smtp_tls_[use/enforce]_[recipients/sites]"
++
++
++2000/03/16
++  - Changed pfixtls.c, so that it will only open Session Cache databases,
++    that are already available. tlsmgr is responsible for creation.
++  - Change tlsmgr.c, such that session cache databases will be removed before
++    opening, so that fresh databases are used whenever postfix is restarted.
++    This means, that session information is not kept over a postfix stop/start
++    or reload sequence, but it also means, that issuing a postfix reload will
++    clean the session cache.
++    I don't use simple dict_open with O_TRUNC, because this would not help
++    against database files, that are locked by hanging smtp[d] processes.
++    If you think it will also solve the "hang" problem described for
++    2000/03/15: in a certain sense it can, since tlsmgr will be killed by
++    the watchdog and new, fresh cache files are installed, but that is not
++    more than an ugly hack. It must be solved in a clean manner.
++
++2000/03/15
++  - Experienced some strange problem with Berkeley DB based session cache.
++    The DB routines hang while trying to delete an entry. I did save the
++    corresponding "hash:" file and could reproduce it (and walk through
++    the endless loop with a debugger), but I didn't find the reason why.
++    Since during "db->del" the database is exclusively locked all other
++    processes hang however, so this is really bad!!!!!!!!
++
++2000/03/12	== Released 0.6.1 ==
++
++2000/03/12
++  - Created tls_info_t structure to hold all information about the active
++    TLS connection. Remove all global variables except those for the
++    running client/server engines (those might be replaced with global
++    variables in smtpd/smtp, though).
++  - Added field "dNSName" to the structure (still unused). This will be
++    used with X503v3 extensions.
++  - Cleaned up TODO, since some items are now done...
++
++2000/03/11
++  - Added missing #include <sys/time.h> to tlsmgr.c. (Worked without on HP-UX,
++    showed up on Linux.)
++  - Bug: removal of server side sessions from the cache in case of trouble
++    failed, because uppercase hex was used instead of lowercase for the key.
++    This does not affect removal of expired sessions by tlsmgr.
++  - Stepped up to postfix-19991231-pl05.
++
++2000/03/09	== Released 0.6.0 ==
++  - Important:
++    * This release features an additional daemon, the "tlsmgr", please update
++      your master.cf accordingly.
++    * This release does not use the /var/spool/postfix/TLS* directories
++      anymore. Remove them and re-install the original postfix-script.
++    * Check the new/changed configuration parameters tls_random* and
++      smtp[d]_tls_session_cache*.
++    * This release will only work with OpenSSL >= 0.9.5!!!!!
++
++2000/03/09
++  - Testcompilation of Postfix/TLS without -DSSL and the OpenSSL includes and
++    libraries passed.
++  - Worked through tlsmgr.c to remove unneeded header files.
++  - Wrote documentation for tlsmgr.c.
++  - Updated documentation on top of pfixtls.c.
++  - Put (char *) casts into the myfree() calls, where necessary, to make the
++    HP compiler happy.
++  - Updated html PRNG documentation in Postfix/TLS.
++
++2000/03/08
++  - Finished first version of "tlsmgr". Does run through session cache
++    databases and detects and deletes (*) old sessions.
++  * Had to realize SYNC_UPDATES for the dict_db_delete() function and patch
++    the flag handling within the function. Changes sent to Wietse.
++  - Restored qmgr to its original state.
++  - Extended pfixtls.c to need an additional "needs_095_or_later()" function
++    when compiled with an older version of postfix.
++  - The session cache is now enabled, when a database filename is given.
++    smtp[d]_tls_use_session_cache configuration parameters removed,
++    updated documenation accordingly.
++  - Moved the PRNG handling to tlsmgr, applying the new model. tlsmgr will
++    query external sources at startup and will then feed a PRNG exchange
++    file with random data in intervals of configurable (but random driven)
++    length.
++    If running outside chroot, tlsmgr can query the entropy source (e.g.
++    EGD or /dev/urandom) again and so increase entropy with time. If the
++    entropy sources don't limit access, the tlsmgr can run with "postfix"
++    privileges. Mine does.
++    -> master.cf became a new entry.
++  - tlsmgr is realized as a trigger server and has the "fifo" entry. Actually,
++    it does not take any input. One could utilize it to feed back some entropy
++    from running smtp[d] processes, but I think this would overload the
++    issue.
++  - I will release a 0.6.0 pre-version as is. tlsmgr still lacks the detailed
++    information in the header and the interface description in pfixtls.c
++    probably is also not longer up do date.
++
++2000/03/07
++  - Since defective session data can cause SEGFAULTs, it is now armored
++    by a leading structure that does contain a session cache version and
++    the postfix library version before the timestamp. If a session does
++    not match exactly the version numbers, it is immediately discarded
++    and deleted to avoid harm.
++  - Removed the seperate storage of the peer's certificate verify_result,
++    so starting from this moment, Postfix/TLS will only work safely with
++    OpenSSL >= 0.9.5!!!
++  - Ported server side session cache routines to the client side; works.
++  - Analyzed structure of "qmgr" to understand consequences for the planned
++    "tlsmgr" daemon. Transferred the sceleton.
++  - Received word from sendmail, a (at least preliminary) TLS enabled test
++    address is "bounce at esmtp.org".
++
++2000/03/06
++  - Wietse supplied a change to the dict/dict_db mechanism to allow for
++    synchronous updates.
++    Session cache updates for the server side seem to work now, removal of
++    old sessions (when called from the client) integrated.
++
++2000/03/05
++  - Got the database style session cache to run for the server side (at least
++    partial). The removal of old sessions is not yet realized.
++    [There are several man pages for OpenSSL as of 0.9.5, but the i2d etc
++    interfaces are not belong them, so I had to study the source code instead.]
++  * What is not working by now is the synchronization of the memory database
++    to disk. It only is synchronized automatically upon close. It would be
++    necessary to sync after each update or delete, but this is not implemented
++    in Wietse's dict library. I will post an according proposal.
++
++2000/03/04
++  - Wietse posts a patch to select "EHLO" negotiation even if ESMTP is
++    not recognized from the 220 greeting. Activating this flag will however
++    break compatibility with mailers, that simply close the connection
++    upon EHLO. I don't know how the large the number of these broken mailers
++    is, but activating "smtp_always_send_ehlo" is a tradeoff.
++  - Integrated Wietse's patch into Postfix/TLS.
++
++2000/03/03
++  - Received update from Matti Aarnio (Zmailer) is now for some time able
++    to do server _and_ client side TLS. Updated documenation accordingly.
++    When testing, Postfix client to Zmailer server failed, because
++    Zmailer announces with "ESMTP+IDENT" and Postfix does not recognize
++    the ESMTP token (must be seperate), so only HELO is used and STARTTLS
++    is not offered by the Zmailer server. Informed Matti accordingly,
++    will wait until the problem is resolved before actually publishing
++    the update.
++  - Enhanced the documentation by listing automatic reply services at which
++    interoperability can be tested.
++
++2000/03/02
++  - Went through the Postfix source to check out the database routines.
++    It should be possible to move session caching from directory/file-
++    based to database. Since DBM only allows blocks (key+contents) of
++    1024 bytes and a session is larger, only Berkeley DB can be used.
++    Put some first bits into Postfix/TLS.
++
++2000/02/29	== Released 0.5.5 ==
++
++2000/02/29
++  - OpenSSL 0.9.5 has been released. Since I want to promote 0.9.5, as it
++    contains several bugfixes and enhancements, I release a new version
++    of Postfix/TLS. My personal highlights:
++    * The bug with Win32 Netscape not commencing after certificate storage
++      unlocking should be fixed. (I will leave the not in however, as long
++      as I have not positively checked it myself. Reproducibility...)
++    * The bug, that the certificate verifiation result is not stored in the
++      session cache (discovered for Postfix/TLS 0.4.4) is fixed. I will leave
++      the Postfix/TLS workaround in as long as it will run with older versions
++      of OpenSSL.
++    * The OpenSSL commandline tools like "openssl gendh" now support EGD, so
++      that the examples for generating the DH parameters now will really work
++      with high quality random data :-)
++    * The support of 56bit ciphers has lost its importance since 128bit
++      versions of Netscape etc are now easily available...
++  - This version does not feature source code changes but updated documenation
++    when compared with 0.5.4:
++    * List examples on how to generate good entropy for the PRNG seed in
++      /etc/postfix/random_file.
++  - Update the TODO document with respect to the discussion about session
++    caching and other security items. This document is a very short summary,
++    for the full discussion check the mail archive at
++      http://www.aet.tu-cottbus.de/mailman/listinfo/postfix_tls/
++
++2000/02/26-28
++  - Wietse considers including Postfix/TLS into the main release. A discussion
++    about security relevant features, especially the session cache inside
++    the chroot jail takes place.
++    The discussion will definetely lead to some changes; I have however not
++    decided on the first step, yet :-)
++
++2000/02/21	== RELEASED 0.5.4 ==
++  - Important: Another directoy is created in /var/spool/postfix, so don't
++    forget to install the new versions of conf/postfix-script-*sgid.
++
++2000/02/21
++  - Finished the seed-exchange architecture by saving the random seed at exit
++    of smtp and smtpd.
++  - Wrote documentation for the PRNG handling to the documentation.
++  - Tested on HP-UX (with a current OpenSSL-pre-0.9.5 snapshot and 0.9.4)
++    and on SuSE-Linux (with 0.9.4).
++  * THIS VERSION WILL STILL RUN WITH OPENSSL-0.9.4, but it will also run
++    with OpenSSL-0.9.5. Older versions of Postfix/TLS will not, because the
++    PRNG is not seeded!
++
++2000/02/19
++  - Start to implement my own model of collecting entropy. All smtp and smtpd
++    processes will record some items (mainly the time of actions) to add
++    some entropy into the PRNG. The state is saved and used to re-seed by the
++    smtp and smtpd processes, so that entropy adds up into the pool.
++    The seeding by external file is additionally kept in order to be able
++    to inject additional entropy.
++
++2000/02/18
++  - Included routines to add random seed from a configurable file
++    "rand_file_name". I don't want to retrieve the entropy from a real
++    random system source, because the amount of entropy that can be collected
++    is limited. We might hence stall. Let's think about this problem.
++  - The SSL_CTX_load_verify_locations() has been fixed in the latest
++    OpenSSL snapshot.
++
++2000/02/17
++  - Tracked down the SSL_CTX_load_verify_locations() problem in the OpenSSL
++    library. If more than one CA-certificate is loaded, a bogus return value 0
++    is created, because the count of certs is checked to be "1" instead of
++    allowing ">=1". Reported to openssl-dev.
++
++2000/02/16
++  - Downloaded the latest openssl-SNAPSHOT-20000215 and installed it on
++    my development machine, then recompiled Postfix/TLS and try to run it.
++    * Failure: SSL_CTX_load_verify_locations() fails on reading the CAfile with
++      return value 0, but no actual error is displayed.
++      If the return value is not checked, the CA-certificates work, so that
++      they are loaded and the error indicator seems to be bogus.
++      Reported to openssl-dev mailing list.
++    * Failure: OpenSSL has become picky about correct seeding of the PRNG
++      Pseudo Random Number Generator. Installed some "testseed" that is
++      actually not random, but then Postfix/TLS starts to work again. We
++      will need some good random seed setup, probably reading from either
++      /dev/random (if available) or from EGD.
++      Found out during the experiments, that EGD is not that simple to use
++      as described in some of my Postfix/TLS docs. Must be upgraded.
++      Asked in the openssl-dev mailing list about the recommended amount
++      of random data needed for seeding the PRNG. Ulf Moeller recommends
++      a minimum of 128bit.
++
++2000/02/14	== Released 0.5.3 ==
++
++2000/02/14
++  - OpenSSL 0.9.5 is to be released within the next hours/days. Since I intend
++    to use some of its new features soon, I will re-release 0.5.2 as the last
++    version that will run with 0.9.4 but for the latest postfix patchlevel.
++  - No functional changes.
++  - Updated patch for postfix-19991231-pl04.
++
++2000/01/28	== Released 0.5.2 ==
++
++2000/01/28
++  - Stepped up the next postfix patchlevel postfix-19991231-pl03.
++    No functional changes.
++
++2000/01/03	== Released 0.5.1 ==
++
++2000/01/03
++  - Bug fixed: Don't specify a default value for "smtpd_tls_dcert_file",
++    assuming that typically a DSA certificate is not used.
++    Otherwise smtpd will try to read it on startup and the TLS engine won't
++    start since it is not found.
++    I didn't note this bug before today, because I could not install this
++    release in a larger scale on my own servers due to a network failure
++    of our campus backbone lastring from Dec 31 until today.
++  - Stepped up to the just released postfix-19991231-pl01.
++
++2000/01/01	== Released 0.5.0 ==
++
++2000/01/01
++  - Upgraded to the new postfix release 19991231.
++
++1999/12/30
++  - Enabled support for DSA certificate and key for the server side. One
++    can have both at the same time, the selected cipher decides which one
++    is used. OpenSSL clients (like Postfix/TLS) will prefer the RSA cipher
++    suites, if not especially changed in the cipher selection list.
++    Netscape will only use the RSA cert.
++  - The client side can only have one certificate. There is a way out by using
++    a callback function, that will receive the list of acceptable CAs and
++    then do some clever selection: SSL_CTX_set_client_cert_cb().
++    I will however have to figure out, how it has to be prepared, it seems,
++    that there is no example available.
++  - I have been able to successfully generate a DSA CA and certificates for
++    some Postfix hosts and to do authentication and relaying as expected.
++    So now I have to document how it is done in a practical manner...
++  - Moved up prerelease 0.5.0pre02 to the download site.
++
++1999/12/28
++  - Moved up to SNAPSHOT-19991227.
++  - Don't forget to check the return value when calling
++    SSL_CTX_set_cipherlist().
++  - Add code to load DH-parameters from disk.
++  - Add configuration information for the new functionality: DH paramter
++    support, possibility to influence the cipherlist.
++  - Moved up prerelease 0.5.0pre01 to the download site.
++
++1999/12/25
++  - Found some minutes to relax from the christmas business.
++  - Applied the 0.4.7 patch to SNAPSHOT-19991223 and included the new changes
++    of 1999/12/19.
++    Once the new stable release of postfix is out, this minimum state will be
++    the new Postfix/TLS patch: the new functionality will not influence
++    stability, so it can stay in even if still unfinished.
++
++1999/12/23
++  - Wietse announces SNAPSHOT-19991223: if no severe bugs are found, it will
++    be promoted as next stable release soon. Good to have kept everything
++    from yesterday.
++
++1999/12/22
++  - Got a query from a Postfix/TLS user: the patch does not apply cleanly to
++    SNAPSHOT-19991216 and he somehow messed up to integrate the rejected
++    parts (it later turned out he just forgot on reject).
++    Applied the patch myself and generated a diff, sent it to the user
++    and of course kept a copy for myself, since I will have to apply it
++    myself eventually once the next "stable" release of postfix is out.
++
++1999/12/19
++  - Began modifications for 0.5.x:
++    * Added configuration variables for specifying the cipherlist to be used
++      smtpd_tls_cipherlist and smtp_tls_cipherlist. For the format, there
++      is some (however sparse) documentation in the openssl package.
++    * Call SSL_CTX_set_cipherlist() with these data.
++    * Added default temporary DH parameters to pfixtls.c (only server side is
++      necessary) and configuration variables to specify user generated
++      parameters; they are however not used, yet.
++      The default parameters were generated using the presumably good
++      /dev/random source.
++
++1999/12/13	== Released 0.4.7 ==
++
++1999/12/13
++  - Addendum to the last change: do also remove sessions, that could _not_
++    be reused.
++  - Updated configuration information:
++    * As of OpenSSL 0.9.4, certificate chain verification is not sufficient,
++      since the certificate purpose is not checked, so I recommend to add
++      all intermediate CAs the the list of CAs and stay with a verification
++      depth of 1.
++      Work is in progress for 0.9.5.
++  - Stepped up to the just released new patchlevel postfix-19990906-pl09.
++
++1999/12/10	== Released 0.4.6 ==
++
++1999/12/10
++  - Realized changes implied below: Removed SSL_CTX_add_session() in the
++    client startup; remove session on stop with SSL_SESSION_free().
++  - In the morning there is a mail on the list, that Postfix might be
++    crashed with a single "\" on the "CC:" line. Hence, we should expect
++    a new patchlevel soon. Release the actual change anyway.
++
++1999/12/09
++  - Read in the "openssl-users" mailing list, that SSL_CTX_add_session()
++    is only intended for servers. On the client side, SSL_set_session()
++    is sufficient.
++    Additionally, the session should be explicitely freed, since
++    SSL_set_session() will increment the usage count for the session.
++    Explained by Bodo Moeller.
++
++1999/12/xx
++  - Had a discussion (by email) with Bodo Moeller about DH/DSS. It seems
++    I understand better now (after the discussion) how it works :-).
++    Implementing it should not be too difficult but might take some more
++    hours. Mentally scheduled it for Version "0.5.0" whenever this might
++    be (rough guess: christmas vacation).
++    Decided to hence not discuss this topic in the docs, since it might
++    change in the near future anyway.
++
++1999/11/23
++  - Discussion with rch at writeme.com (Richard) about implementing DH ciphers
++    and DSA keys and certificates on the Postfix/TLS list: It does not work
++    as of now.
++
++1999/11/15	== Released 0.4.5 ==
++
++1999/11/15
++  - Applied patch to postfix-19990906-pl07 without problems. Well, let's
++    release new version of Postfix/TLS, so that we look up to date.
++  - Add the "DO NOT EDIT THIS FILE" to conf/sample-tls.cf.
++
++1999/11/08
++  - Applied patch to the fresh release of postfix-19990906-pl06 without
++    problems. Nothing else, so no new release of Postfix/TLS.
++
++1999/11/07	== Released 0.4.4 ==
++
++1999/11/07
++  - Played around some more with the X509_verify_cert() function: when saving
++    a session, neither the verify_result is saved nor the certificate chain
++    necessary to re-verify. So there were two possibilities left: do a full
++    renegotiation negating the benefit of session caching or
++  - save the verify_result into to the session cache file and set the value
++    when rereading from disk. This way the positive result of session caching
++    is kept.
++  - Make sure, the verify_result value is propagated as pfixtls_peer_verified
++    and used where needed.
++  - After experiencing some failures at TLS connection setup, the SSL_sessions
++    are now freed again when closing. It seems, something is left over in the
++    session structures, even though SSL_clear() is called.
++
++1999/11/06
++  - When not asking for a client certificate, the "Received:" header will show
++    the protocol and cipher, but silently omit the client CN (because they
++    where not supplied). Noted by Craig Sanders <craig at taz.net.au>.
++    The same holds, if a certificate is asked for, but none supplied.
++    Now, in any case an appropriate information is added in the "Received:"
++    header.
++  - Added a hint to remove sessions from the cache during testing, since
++    old information may still be in the cache. Also proposed by Craig
++    Sanders <craig at taz.net.au>.
++  - While at it: client CN and issuer CN are printed, but the verification
++    state is not, so that the trust value of this data is not known.
++    * Added (verify OK/not verified) to the Received: header.
++    * Obtained information using the SSL_get_verify_result(SSL *con) call.
++    * Learned, that the state is not saved in the session information, so
++      that a recalled old session will always return "OK" even if the
++      certificate failed the verification! Call it a bug in OpenSSL.
++      Still investigating on a good way to work around this problem.
++  - Fixed a bug in the syslog entries: The client CN is logged, but the
++    issuer CN is not, because of a missing "%s" in the format string.
++
++1999/11/03	== Released 0.4.3 ==
++
++1999/11/03
++  - Added some hints about security to the html documentation.
++  - Tested the changes made two weeks ago at home in the large university
++    setup. I was to a conference in between and didn't want to release
++    the new version without having done some more tests.
++
++1999/10/17
++  - Added another half a ton of comments (this time for the client side),
++    yielding one ton alltogether...
++
++1999/10/16
++  - Rearranged some of the TLS-engine initialization to improve readability.
++  - Do not "free" the SSL connection, when it is not really necessary. Do only
++    reset information about the TLS connection, when there was one. This is
++    the better way instead of the quick fix applied for 0.4.2.
++  - Added half a ton of comments to the TLS code (server side) to document
++    what is done when and why, since there is no real documentation about
++    the OpenSSL library.
++
++1999/10/11	== Released 0.4.2 ==
++
++1999/10/11
++  - Fixed a severe bug introduced in 0.4.0: smtpd and smtp tried to flush
++    old session from the session cache even when TLS was not enabled. Since
++    no SSL-context was allocated, smtp would segfault on connection close.
++
++1999/10/10	== Released 0.4.1 ==
++
++1999/10/10
++  - Added a long description of the session cache handling to the top of
++    global/pfixtls.c.
++  - There is a race condition when cleaning up the session cache in qmgr, that
++    might lead to lost sessions in client mode. The worst consequence is an
++    additional session negotiation, so we can live with it as of now.
++    Bug described in qmgr/qmgr_tls.c.
++  - Implemented immediate removal of session cache files with expired sessions
++    when these are called. No need to first load and then discard them.
++  - Implemented the requirement from RFC2246 to remove sessions, when
++    connection failures occure (well actually, when TLS layer failures
++    occur, but I cannot seperate this from another) for the server side.
++    the client side is under work.
++
++1999/10/09
++  - Set an absolut maximum length of 32 for the IDs used for session caching.
++    This matches the default in OpenSSL, but I don´t want to see surprises
++    when somebody sometimes will run into a longer session id.
++
++1999/10/05	== Released 0.4.0 ==
++  - The new disk based session cache is a major step, so the minor release
++    number is pushed to 0.4.
++  - By now I think all necessary bells and whistles are in the code. What
++    is left is a big code cleanup and some more testing before calling this
++    patchkit "1.0.0".
++  - Initiated Mailing List at
++	http://www.aet.tu-cottbus.de/mailman/listinfo/postfix_tls
++
++1999/10/05
++  - Some code cleanup.
++  - Added new options to the documentation and the hint to update
++    "postfix-script", because otherwise qmgr might fail!
++
++1999/10/03
++  - Realized disc based session caching also for the Postfix/TLS client.
++    Must go to real world testing now between hosts.
++    And, of course, tune up the documentation, because users will have to
++    install a new postfix-script, too.
++
++1999/10/02
++  - The old sessions must be removed once they have timed out, so a process
++    is needed that will scan through the list of old sessions and remove
++    once they have expired.
++    Lucky me: this is what qmgr usually does with deferred messages, so
++    qmgr is extended only a little bit and will now also clean up the
++    old sessions from the cache directory.
++    And hey: it is good to see how easily this thing can be extended and
++    functions can easily be reused. Postfix is an excellent peace of
++    software engineering and there is no line of C++ or other "object
++    oriented modern junk" in it. It should be recommended as an example
++    to computer sience students.
++
++1999/09/28
++  - I cannot use the mod_ssl way for session caching and I don´t want to
++    spend an extra "gcache" daemon as ApacheSSL does. So I follow Wietse´s
++    idea realized for his mail queues and create hash level based subdirectory
++    structures. The good thing: I can cannibalize the mail_queue code.
++    The bad thing: there is a path length of 100 chars fix coded in Wietse´s
++    routines. It does hold for 32byte session ideas.
++    Status: can save sessions to disk and recall them (server side).
++
++1999/09/26
++  - Created new call backs for external session caching for the server side.
++    In a first step, they can print out the session ids for the newly created
++    session and when recalling a session.
++    As the OpenSSL documentation on this is pretty sparse, Ben Laurie´s
++    ApacheSSL code is very helpful, Ralph Engelschall´s Mod_SSL code for
++    session caching is far more complicated.
++
++1999/09/23	== Released 0.3.10 ==
++
++1999/09/23
++  - Debugging for 0.3.8/0.3.9 would have been so much easier, if the error
++    messages put onto the error message stack from the OpenSSL library would
++    have been printed out. The error was clearly stated from the library, I
++    just didn't print it. Added pfixtls_print_errors() calls where missing
++    after calls to the OpenSSL library.
++    Sometimes I feel so old...
++  - Used opportunity to upgrade to the latest postfix patchlevel 05:
++    postfix-19990906-pl05.
++
++1999/09/19	== Released 0.3.9 ==
++
++1999/09/19
++  - Added a "smtp_no_tls_sites" table to allow people to enable TLS negotiation
++    globally and only omit it on a per site basis.
++
++1999/09/18
++  - Finally found the bug described for 0.3.8: In the server setup, the
++    SSL_CTX_set_session_id_context() call was missing. To find this, I
++    had to trace through the OpenSSL library and when I finally found it
++    in ssl/ssl_sess.c, there was an appropriate comment about this. I however
++    have to find out why I didn´t receive the appropriate error message...
++  - This bug was hidden during the first developing stages, as the shutdown
++    sequence was not working correct, so the session was not cached.
++
++1999/09/17	== Released 0.3.8 ==
++
++1999/09/17
++  - Something is strange with the session caching in smtpd server mode
++    with Netscape 4.61 client. The first connection is fine, the next
++    one hangs after the server fails with errors while reading the
++    SSLv3 client hello C. (Found by Michael Stroeder <x_mst at propack-data.de>)
++    Reproducable with OpenSSL 0.9.3a, 0.9.4 and SNAPSHOT 19990915, so
++    the problem seems to be persistent. I will try to figure out the
++    problem myself before reporting it to the developers. If I don't find
++    it, maybe they do :-)
++    Workaround: the cached session is removed after connection is closed.
++    This will impose some time penalty on the negotiation. As the caching
++    is local in the smtp processes and they time out anyway, the penalty
++    should not be significant.
++    The problem does not occure with Postfix/TLS clients.
++
++1999/09/13	== Released 0.3.7 ==
++
++1999/09/13
++  - Ran tests, seems no further conflicts between Wietse's changes and my
++    extensions.
++
++1999/09/09
++  - Applied the patchkit 0.3.6 to postfix-19990906-pl02 and worked out
++    the rejected part of the patch. From this point of view the patch
++    is included. Now everything has to be retested.
++
++1999/09/09	== Released 0.3.6 ==
++
++1999/09/09
++  - Added a missing ´#ifdef HAS_SSL #endif´ in smtp_connect.c.
++    Noted by Jeff Johnson <jeff at websitefactory.net>.
++  - HINT:
++    On 1999/09/06 a new "stable" version of postfix was released.
++    Future Postfix/TLS enhancements will be against this new version 19990906.
++
++1999/08/25	== Released 0.3.5 ==
++
++1999/08/25
++  - Added Wietse's patch for postfix-19990601 to prevent crashing smtpd when
++    VRFY is called without setting the sender with "MAIL FROM:" first.
++
++1999/08/13
++  - Small changes to global/pfixtls.[ch]: Since we also support client STARTLS,
++    we check the peers certificate, which may also be a "server" certificate
++    (not just client). Hence I renamed "*ccert*" to "*peer*".
++  - global/pfixtls.c: add some "const" to "char *" for OpenSSL library calls,
++    to make gcc happy.
++  - Extended comments in pfixtls.[ch] to better match Wietse's style.
++
++1999/08/12	== Released 0.3.4 ==
++
++1999/08/12
++  - Enabled workarounds for known bugs in SSL-engines.
++  - Tested with OpenSSL 0.9.4.
++  - Windows95/NT: Problem with Netscape hanging on first connection when
++    the client certificate database has to be unlocked cannot be reproduced
++    anymore.
++    I am happy, but I am also not sure what caused the problem to go away
++    and I cannot figure out the security settings manually from the files...
++
++1999/08/11
++  - Corrected loglevel handling: At some points smtpd_tls_loglevel was used
++    instead of smtp_tls_loglevel (only noted at loglevels >= 2).
++
++1999/08/09	== Released 0.3.3 ==
++
++1999/08/09
++  - Removed SSL_CTX_set_quiet_shutdown() as it does prevent the shutdown
++    from actually being performed. In order to remove the annoying
++    "SSL3 alert write:warning:close notify" it is now explicitly handled
++    in apps_ssl_info_callback().
++    Bug found by Bodo Moeller <bodo at openssl.org>.
++
++1999/08/06	== Released 0.3.2 ==
++
++1999/08/06
++  - Add option "smtp_tls_note_starttls_offer" to collect information about
++    hosts, that offered the STARTTLS feature without using it.
++  - Shut up smtpd. Only print information about relaying based on certs
++    when msg_verbose is true.
++
++1999/07/20
++  - Added missing "const" in pfixtls.h (found by Juergen Scheiderer
++    <jnschei at suse.de>). HP-UX ANSI-C didn't complain.
++
++1999/07/08	== Released 0.3.1 ==
++
++1999/07/08
++  - New config variable "smtpd_tls_received_header". When "true", the protocol
++    and cipher data as well as subject and issuer CN of the client certificate
++    are included into the "Received:" header.
++
++1999/07/07
++  - "starting TLS engine" message will only be printed when loglevel >=2
++    to reduce unnecessary noise in the log files.
++  - Added code to fetch the protocol (e.g. TLSv1) and the cipher used (by name
++    and bits). Information is printed to the logfile.
++
++1999/07/01	== Released 0.3.0 ==
++
++1999/07/01
++  - (Client mode) Bug fix: Don't try to use STARTTLS if it is not offered. The
++    server we are connected to might not understand it and respond with a
++    "500 command not understood", causing the email to bounce back, even
++    when the lack of STARTTLS is just a temporary problem.
++  - Updated documentation for the new per recipient/site TLS decisions.
++
++1999/06/30
++  - Client mode: Added variables and routines to decide "per recipient" or
++    "per host/site" whether to use/enforce TLS or not.
++
++1999/06/18	== Released 0.2.8 ==
++
++1999/06/18
++  - In client mode the "use_tls" and "enforce_tls" internal variables were
++    not initialized correctly, such that the client could try to use the
++    STARTTLS negotiation even if not wanted. This error was introduced
++    in 0.2.7.
++    Noted by "Cerebus" <cerebus at sackheads.org>.
++
++1999/06/08	== Released 0.2.7 ==
++
++1999/06/08
++  - Studied discussions in the IETF-apps-TLS mailing list: MS Exchange
++    seems to offer STARTTLS even if not configured. Added this info to the
++    documentation.
++  - Updated Documentation regarding the changes made.
++
++1999/06/03
++  - The subject-CommonName (CN) of the server certificate is extracted when
++    connecting to a TLS server.
++  - In "smtp_*_tls" mode, this subject-CommonName is matched against the
++    hostname of the server. In "enforce" mode, the connection is droppend
++    when the certified server name and the real hostname differ.
++  - Added missing dependencies in smtp/Makefile.in (missing pfixtls.h since
++    0.2.0).
++
++1999/06/02	== Released 0.2.6 ==
++
++1999/06/02
++  - Adapted patchkit to postfix-19990601.
++
++1999/06/01	== Released 0.2.5 ==
++
++1999/06/01
++  - Updated OpenSSL API to 0.9.3a -> position of include files has changed
++    from <xxx.h> to <openssl/xxx.h>. No functional changes.
++  - pkcs12 utility is now part of OpenSSL -> changed documentation
++    accordingly.
++
++1999/05/20	== Released 0.2.4 ==
++
++1999/05/20
++  - Updated postfix base 19990317 from pl04 to pl05.
++
++1999/05/14	== Released 0.2.3 ==
++
++1999/05/14
++  - Fixed a bug in pfixtls_stop_*(): there was a ";" to much directly
++    after "if (con);". This check is only done as a safety measure:
++    When SSL is not started you should not stop it. This case could however
++    only happen when the code in smtp[d] would be wrong, so it should never
++    be necessary. (Bug found by Uwe Ohse <uwe at ohse.de>)
++
++1999/05/11	== Released 0.2.2 ==
++
++1999/05/11
++  - Matti Aarnio: Reworked pfixtls_dump() to use fewer strcpy and strcat calls.
++  - Added information about Matti Aarnio (author/maintainer of ZMailer)
++    working on RFC2487 for ZMailer.
++
++1999/05/04	== Released 0.2.1 ==
++
++1999/05/04
++  - Stuffed up the documenation to reflect the actual status. No change
++    in functionality.
++
++1999/04/30	== Released 0.2.0 ==
++
++1999/04/30
++  - Adjusted the changes in smtp*.c to Wietse's indentation style.
++  - Sorry, the documentation about the client side has by now to be
++    taken from sample-tls.conf. The documenation has to be rearranged
++    in a larger scale.
++
++1999/04/29
++  - Finished client support for STARTTLS in smtp; some testing done.
++  - Fixed a race condition in smtpd: When in PIPELINE mode, the connection
++    was switched back from SSL to normal mode before the buffers were
++    flashed.
++  - Adjusted the code in pfixtls.[ch] and additions in smtpd*.c to
++    Wietse's indentation style.
++
++1999/04/28
++  - Incorporated skeleton of STARTTLS support into smtp.
++  - Introduced variables to control client STARTTLS to configuration.
++
++1999/04/15	== Released 0.1.5 ==
++
++1999/04/15
++  - Adjusted pfixtls.diff to postfix-19990317-pl04.
++
++1999/04/14
++  - Ported from OpenSSL the BIO_callback functions to dump out the negotiation
++    and transmission for debugging purposes. The functions are triggered
++    by the the new loglevels 3 and 4.
++  - Call SSL_free() to get rid of the SSL connection structure not used
++    anymore.
++
++1999/04/13	== Released 0.1.4 ==
++
++1999/04/13
++  - Based on a hint in the openssl-users list added an SSL_set_accept_state()
++    before the actual SSL_accept(). I don't really understand why, but the
++    documentation of SSL is a bit short anyway.
++
++1999/04/11
++  - Some more comments on certificates in the documentation.
++
++1999/04/10
++  - Moved initialization of the pfixtls_server_engine to the pre_jail_init()
++    section of smtpd, so that it is called with root privileges to read the
++    key and cert information. The secret key of the server can now be protected
++    by "chown root secretkey.pem; chmod 400 secretkey.pem".
++    Additionally, this makes it possible to run smtpd in chroot jail, even
++    though I didn't test that, yet. All information is read at smtpd startup
++    time except the CAcerts in tls_CApath, which are checked at runtime.
++    I have to look into that.
++  - Updated documentation accordingly.
++  - Rewrote the documentation with regard to the certificate setup and
++    explaining the different types of certificates.
++
++1999/04/09
++  - Introduced pfixtls_print_errors() which imitates BIO_print_errors()
++    (the typical way to print error information in OpenSSL) but writes
++    to syslog instead of a file handle.
++    Hence we can get more informative error information.
++
++1999/04/08	== Released 0.1.3 ==
++
++1999/04/08
++  - Stuffed up the documentation by reworking the references.
++  - Added contributed script for automatic addition of fingerprints.
++  - Added ACKNOWLEDGEMENTS file
++
++1999/04/06	== Released 0.1.2 ==
++
++1999/04/06
++  - Portability: removed call of "snprintf()", as it is not available on
++    some (older) UNIX versions (in this case Solaris 2.5).
++  - Removed calls to "select()" when in TLS mode: Even though no new bytes
++    arrive, there might be bytes left in the SSL buffer -> possible hang.
++
++1999/03/30	== Released 0.1.1 ==
++
++1999/03/30
++  - Added disclaimer about export restrictions.
++  - Fixed a bug in util/match_ops.c:
++    When using dictionary lookup the compare was case sensitive by accident.
++    Effect: Fingerprint matching did not work with databases, only for plain
++    file.
++    Bug report submitted to postfix author.
++
++1999/03/29	== Released first version 0.1.0 ==
+diff -urNad postfix-release/tls/contributed/00README /tmp/dpep.cXJuVH/postfix-release/tls/contributed/00README
+--- postfix-release/tls/contributed/00README	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/contributed/00README	2005-02-03 10:22:13.091089774 -0700
+@@ -0,0 +1,22 @@
++All entries in this directory have been contributed from other sources:
++
++- Frederic J. Hirsch <f.hirsch at opengroup.org>
++  * loadcacert.pl:
++	I "took" this one from his excellent introduction
++	"Introducing SSL and Certificates using SSLeay"
++	http://www.camb.opengroup.org/RI/www/prism/wwwj/index.html
++
++- Walcir Fontanini <walcir at densis.fee.unicamp.br>
++  * fp.csh:
++	add fingerprints to the list of client certs;
++	be carefull to a adjust filenames and maptype as necessary
++
++- Craig Sanders <cas at taz.net.au>
++  * make-postfix-cert.sh:
++	automatically create certificates for postfix usage.
++
++- Justin Davies <justin at palmcoder.net>
++  * SSL_CA-HOWTO.pdf/sgml
++	SSL CA howto
++  * Postfix_SSL-HOWTO.pdf/sgml
++	Postfix/TLS howto
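Review bot: the script name in the first entry does not match the file added in this patch: the README lists "loadcacert.pl" while the file is contributed/loadCAcert.pl, which matters on a case-sensitive filesystem for anyone following the README; suggest changing the entry to `loadCAcert.pl`. Minor: "be carefull to a adjust filenames" should read "be careful to adjust filenames".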
+diff -urNad postfix-release/tls/contributed/fp.csh /tmp/dpep.cXJuVH/postfix-release/tls/contributed/fp.csh
+--- postfix-release/tls/contributed/fp.csh	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/contributed/fp.csh	2005-02-03 10:22:13.091089774 -0700
+@@ -0,0 +1,20 @@
++#!/bin/csh -f
++
++##      fp.csh <username>
++#               Generate a fingerprint from a X509 certificate
++#               and updates /etc/postfix/relay_clientcerts
++#               It presumes a user certificate in /etc/postfix/certs/
++#               with name <username>-cert.pem
++#       author: walcir fontanini (walcir at densis.fee.unicamp.br) Apr-08-1999
++
++set USER=$1
++set FP=`/usr/local/ssl/bin/openssl x509 -fingerprint -in /etc/postfix/certs/$USER-cert.pem | grep Fingerprint | awk -F= '{print $2}' | tr ":" "_"`
++
++cat >> /etc/postfix/relay_clientcerts <<EOT
++$FP $USER
++EOT
++
++postmap dbm:/etc/postfix/relay_clientcerts
++
++exit
++#
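Review bot: the script appends to /etc/postfix/relay_clientcerts without validating its input: with a missing or misspelled <username> the openssl call fails, $FP is empty, and a line consisting of just the username is still appended and the map rebuilt. Suggest checking up front, e.g. `if ($#argv != 1) exit 1`, `if (! -r /etc/postfix/certs/$USER-cert.pem) exit 1`, and `if ("$FP" == "") exit 1` before the `cat >>`. Also the hard-coded /usr/local/ssl/bin/openssl and the `dbm:` map type will not match a Debian system, where openssl is /usr/bin/openssl and the postfix build defaults to hash: maps; since this ships under contributed/, a comment saying so would be enough.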
+diff -urNad postfix-release/tls/contributed/loadCAcert.pl /tmp/dpep.cXJuVH/postfix-release/tls/contributed/loadCAcert.pl
+--- postfix-release/tls/contributed/loadCAcert.pl	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/contributed/loadCAcert.pl	2005-02-03 10:22:13.091089774 -0700
+@@ -0,0 +1,23 @@
++#!/usr/local/bin/perl -T
++
++require 5.003;
++use strict;
++use CGI;
++
++my $cert_dir = "/usr/local/ssl/certs";
++my $cert_file = "CAcert.pem";
++
++my $query = new CGI;
++
++my $kind = $query->param('FORMAT');
++if($kind eq 'DER') { $cert_file = "CAcert.der"; }
++
++my $cert_path = "$cert_dir/$cert_file";
++
++open(CERT, "<$cert_path");
++my $data = join '', <CERT>;
++close(CERT);
++print "Content-Type: application/x-x509-ca-cert\n";
++print "Content-Length: ", length($data), "\n\n$data";
++
++1;
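Review bot: the return value of `open(CERT, "<$cert_path")` is not checked, so if the certificate file is missing or unreadable the CGI still answers with a 200 response, `Content-Length: 0` and an empty body instead of an error; suggest `open(CERT, '<', $cert_path) or die "cannot open $cert_path: $!";` so the web server reports a 500 rather than handing clients an empty CA certificate. The FORMAT parameter is only compared against the literal 'DER' and never used to build the path, which is the right way to handle it under `-T`.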
+diff -urNad postfix-release/tls/contributed/make-postfix-cert.sh /tmp/dpep.cXJuVH/postfix-release/tls/contributed/make-postfix-cert.sh
+--- postfix-release/tls/contributed/make-postfix-cert.sh	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/contributed/make-postfix-cert.sh	2005-02-03 10:22:13.092089551 -0700
+@@ -0,0 +1,78 @@
++#! /bin/sh
++
++# make-postfix-cert.sh
++# by Craig Sanders <cas at taz.net.au>    2000-09-02
++# this script is hereby placed in the public domain.
++
++# this script assumes that you already have a CA set up, as the openssl
++# default "demoCA" under the current directory.  if you haven't done it
++# already, run "/usr/lib/ssl/misc/CA.pl -newca" (or where the path to
++# openssl's CA.pl script is on your system).
++#
++# then run this script like so: 
++#
++#    ./make-postfix-cert.sh hostname.your.domain.com
++#
++# it will create the certificate and key files for that host and put
++# them into a subdirectory.
++
++site="$1"
++
++# edit these values to suit your site.
++
++COUNTRY="??"                  # ISO country code
++PROVINCE="YOUR STATE OR PROVINCE"
++LOCALITY="YOUR CITY"
++ORGANISATION="YOUR ORG NAME"
++ORG_UNIT=""
++COMMON_NAME=$site
++EMAIL="someone at your.domain.com"
++
++OPTIONAL_COMPANY_NAME=""
++
++# leave challenge password blank
++CHALLENGE_PASSWORD=""
++
++# generate a certificate valid for 10 years
++# (probably not a good idea if you care about authentication, but should
++# be fine if you only care about encryption of the smtp session)
++DAYS="-days 1825"
++
++# alternatively, make one valid for one year
++#DAYS="-days 365"
++
++# create the certificate request
++cat <<__EOF__ | openssl req -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
++$COUNTRY
++$PROVINCE
++$LOCALITY
++$ORGANISATION
++$ORG_UNIT
++$COMMON_NAME
++$EMAIL
++$CHALLENGE_PASSWORD
++$OPTIONAL_COMPANY_NAME
++__EOF__
++
++# sign it
++openssl ca -policy policy_anything -out newcert.pem -infiles newreq.pem
++
++# move it
++mkdir -p $site
++mv newreq.pem $site/key.pem
++chmod 400 $site/key.pem
++mv newcert.pem $site/cert.pem
++cd $site
++
++# create server.pem for smtpd
++cat cert.pem ../demoCA/cacert.pem key.pem >server.pem
++chmod 400 server.pem
++
++# create fingerprint file
++openssl x509 -fingerprint -in cert.pem -noout > fingerprint
++
++# create pkcs12 certificate for netscape (probably not needed)
++#openssl pkcs12 -export -in cert.pem -inkey key.pem \
++#  -certfile ../demoCA/cacert.pem -name "$site" -out cert.p12
++
++cd ..
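Review bot: `$DAYS` is passed to `openssl req -new`, where `-days` is only honoured together with `-x509`; for a plain request it is ignored, and the certificate's validity is decided by the `openssl ca` step (default_days in openssl.cnf). Move it to the signing line, i.e. `openssl ca -policy policy_anything $DAYS -out newcert.pem -infiles newreq.pem`. The comment above it also says "valid for 10 years" while `-days 1825` is five years. Separately, `site="$1"` is never checked: run without an argument, `mkdir -p $site` fails, `cd $site` changes to $HOME, and the remaining commands operate there, so add `[ -n "$site" ] || { echo "usage: $0 hostname" >&2; exit 1; }` after the assignment (and consider `set -e` at the top so a failed `openssl ca` does not leave the script moving files around).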
+diff -urNad postfix-release/tls/contributed/Postfix_SSL-HOWTO.pdf /tmp/dpep.cXJuVH/postfix-release/tls/contributed/Postfix_SSL-HOWTO.pdf
+--- postfix-release/tls/contributed/Postfix_SSL-HOWTO.pdf	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/contributed/Postfix_SSL-HOWTO.pdf	2005-02-03 10:22:13.092089551 -0700
+@@ -0,0 +1,310 @@
++%PDF-1.3
++%âãÏÓ
++1 0 obj<</Producer(htmldoc 1.8.21 Copyright 1997-2002 Easy Software Products, All Rights Reserved.)/CreationDate(D:20021210121659+0000)/Title(Postfix SSL HOWTO)/Creator(SGML-Tools 1.0.9)>>endobj
++2 0 obj<</Type/Encoding/Differences[ 32/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quotesingle/parenleft/parenright/asterisk/plus/comma/minus/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/asciicircum/underscore/grave/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde 128/Euro 130/quotesinglbase/florin/quotedblbase/ellipsis/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE 145/quoteleft/quoteright/quotedblleft/quotedblright/bullet/endash/emdash/tilde/trademark/scaron/guilsinglright/oe 159/Ydieresis/space/exclamdown/cent/sterling/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]>>endobj
++3 0 obj<</Type/Font/Subtype/Type1/BaseFont/Courier/Encoding 2 0 R>>endobj
++4 0 obj<</Type/Font/Subtype/Type1/BaseFont/Times-Roman/Encoding 2 0 R>>endobj
++5 0 obj<</Type/Font/Subtype/Type1/BaseFont/Times-Bold/Encoding 2 0 R>>endobj
++6 0 obj<</Type/Font/Subtype/Type1/BaseFont/Times-Italic/Encoding 2 0 R>>endobj
++7 0 obj<</Type/Font/Subtype/Type1/BaseFont/Helvetica/Encoding 2 0 R>>endobj
++8 0 obj<</Type/Font/Subtype/Type1/BaseFont/Helvetica-Bold/Encoding 2 0 R>>endobj
++9 0 obj<</Type/Font/Subtype/Type1/BaseFont/Symbol>>endobj
++10 0 obj<</S/URI/URI(mailto:justin at palmcoder.net)>>endobj
++11 0 obj<</Subtype/Link/Rect[72.0 680.2 174.1 698.0]/Border[0 0 0]/A 10 0 R>>endobj
++12 0 obj<</Subtype/Link/Rect[85.2 551.5 182.0 569.4]/Border[0 0 0]/Dest[96 0 R/XYZ 0 268 0]>>endobj
++13 0 obj<</Subtype/Link/Rect[85.2 519.3 265.7 537.2]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
++14 0 obj<</Subtype/Link/Rect[108.0 492.0 237.2 505.0]/Border[0 0 0]/Dest[98 0 R/XYZ 0 600 0]>>endobj
++15 0 obj<</Subtype/Link/Rect[108.0 478.8 179.8 491.8]/Border[0 0 0]/Dest[98 0 R/XYZ 0 368 0]>>endobj
++16 0 obj<</Subtype/Link/Rect[85.2 447.5 257.8 465.4]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
++17 0 obj<</Subtype/Link/Rect[108.0 420.2 221.7 433.2]/Border[0 0 0]/Dest[100 0 R/XYZ 0 501 0]>>endobj
++18 0 obj<</Subtype/Link/Rect[108.0 407.0 239.4 420.0]/Border[0 0 0]/Dest[100 0 R/XYZ 0 300 0]>>endobj
++19 0 obj<</Subtype/Link/Rect[85.2 375.7 474.3 393.6]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
++20 0 obj<</Subtype/Link/Rect[108.0 348.4 240.0 361.4]/Border[0 0 0]/Dest[102 0 R/XYZ 0 594 0]>>endobj
++21 0 obj<</Subtype/Link/Rect[85.2 317.1 185.5 335.0]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
++22 0 obj<</Subtype/Link/Rect[85.2 284.9 131.0 302.7]/Border[0 0 0]/Dest[102 0 R/XYZ 0 125 0]>>endobj
++23 0 obj<</Subtype/Link/Rect[72.0 255.5 93.4 268.5]/Border[0 0 0]/Dest[96 0 R/XYZ 0 268 0]>>endobj
++24 0 obj<</Subtype/Link/Rect[176.5 255.5 200.6 268.5]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
++25 0 obj<</Subtype/Link/Rect[241.9 255.5 283.8 268.5]/Border[0 0 0]/Dest[96 0 R/XYZ 0 569 0]>>endobj
++26 0 obj<</Subtype/Link/Rect[72.0 74.1 93.4 87.1]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
++27 0 obj<</Subtype/Link/Rect[134.6 74.1 176.5 87.1]/Border[0 0 0]/Dest[96 0 R/XYZ 0 569 0]>>endobj
++28 0 obj<</Subtype/Link/Rect[176.5 74.1 200.6 87.1]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
++29 0 obj<</Subtype/Link/Rect[200.6 74.1 241.9 87.1]/Border[0 0 0]/Dest[96 0 R/XYZ 0 268 0]>>endobj
++30 0 obj<</Subtype/Link/Rect[241.9 74.1 283.8 87.1]/Border[0 0 0]/Dest[96 0 R/XYZ 0 537 0]>>endobj
++31 0 obj[11 0 R
++12 0 R
++13 0 R
++14 0 R
++15 0 R
++16 0 R
++17 0 R
++18 0 R
++19 0 R
++20 0 R
++21 0 R
++22 0 R
++23 0 R
++24 0 R
++25 0 R
++26 0 R
++27 0 R
++28 0 R
++29 0 R
++30 0 R]endobj
++32 0 obj<</Subtype/Link/Rect[72.0 721.0 93.4 734.0]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
++33 0 obj<</Subtype/Link/Rect[93.4 721.0 134.6 734.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 268 0]>>endobj
++34 0 obj<</Subtype/Link/Rect[134.6 721.0 176.5 734.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 537 0]>>endobj
++35 0 obj<</Subtype/Link/Rect[176.5 721.0 200.6 734.0]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
++36 0 obj<</Subtype/Link/Rect[200.6 721.0 241.9 734.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
++37 0 obj<</Subtype/Link/Rect[241.9 721.0 283.8 734.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 465 0]>>endobj
++38 0 obj<</Subtype/Link/Rect[72.0 61.6 93.4 74.6]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
++39 0 obj<</Subtype/Link/Rect[93.4 61.6 134.6 74.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
++40 0 obj<</Subtype/Link/Rect[134.6 61.6 176.5 74.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 465 0]>>endobj
++41 0 obj<</Subtype/Link/Rect[176.5 61.6 200.6 74.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
++42 0 obj<</Subtype/Link/Rect[200.6 61.6 241.9 74.6]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
++43 0 obj<</Subtype/Link/Rect[241.9 61.6 283.8 74.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 393 0]>>endobj
++44 0 obj[32 0 R
++33 0 R
++34 0 R
++35 0 R
++36 0 R
++37 0 R
++38 0 R
++39 0 R
++40 0 R
++41 0 R
++42 0 R
++43 0 R]endobj
++45 0 obj<</Subtype/Link/Rect[72.0 267.6 93.4 280.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
++46 0 obj<</Subtype/Link/Rect[93.4 267.6 134.6 280.6]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
++47 0 obj<</Subtype/Link/Rect[134.6 267.6 176.5 280.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 393 0]>>endobj
++48 0 obj<</Subtype/Link/Rect[176.5 267.6 200.6 280.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 125 0]>>endobj
++49 0 obj<</Subtype/Link/Rect[200.6 267.6 241.9 280.6]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
++50 0 obj<</Subtype/Link/Rect[241.9 267.6 283.8 280.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 334 0]>>endobj
++51 0 obj<</Subtype/Link/Rect[72.0 112.6 93.4 125.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 125 0]>>endobj
++52 0 obj<</Subtype/Link/Rect[93.4 112.6 134.6 125.6]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
++53 0 obj<</Subtype/Link/Rect[134.6 112.6 176.5 125.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 334 0]>>endobj
++54 0 obj<</Subtype/Link/Rect[200.6 112.6 241.9 125.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
++55 0 obj<</Subtype/Link/Rect[241.9 112.6 283.8 125.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 302 0]>>endobj
++56 0 obj[45 0 R
++46 0 R
++47 0 R
++48 0 R
++49 0 R
++50 0 R
++51 0 R
++52 0 R
++53 0 R
++54 0 R
++55 0 R]endobj
++57 0 obj<</S/URI/URI(http://www.postfix.org)>>endobj
++58 0 obj<</Subtype/Link/Rect[108.0 688.8 168.8 701.8]/Border[0 0 0]/A 57 0 R>>endobj
++59 0 obj<</S/URI/URI(http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls)>>endobj
++60 0 obj<</Subtype/Link/Rect[108.0 675.6 191.4 688.6]/Border[0 0 0]/A 59 0 R>>endobj
++61 0 obj<</S/URI/URI(http://www.palmcoder.net)>>endobj
++62 0 obj<</Subtype/Link/Rect[108.0 662.4 269.3 675.4]/Border[0 0 0]/A 61 0 R>>endobj
++63 0 obj<</Subtype/Link/Rect[93.4 634.0 134.6 647.0]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
++64 0 obj<</Subtype/Link/Rect[134.6 634.0 176.5 647.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 302 0]>>endobj
++65 0 obj[58 0 R
++60 0 R
++62 0 R
++63 0 R
++64 0 R]endobj
++66 0 obj<</Dests 67 0 R>>endobj
++67 0 obj<</Kids[68 0 R]>>endobj
++68 0 obj<</Limits[(postfix_ssl-howto-1.html)(toc6)]/Names[(postfix_ssl-howto-1.html)69 0 R(postfix_ssl-howto-2.html)70 0 R(postfix_ssl-howto-3.html)71 0 R(postfix_ssl-howto-4.html)72 0 R(postfix_ssl-howto-5.html)73 0 R(postfix_ssl-howto-6.html)74 0 R(postfix_ssl-howto.html)75 0 R(s1)76 0 R(s2)77 0 R(s3)78 0 R(s4)79 0 R(s5)80 0 R(s6)81 0 R(ss2.1)82 0 R(ss2.2)83 0 R(ss3.1)84 0 R(ss3.2)85 0 R(ss4.1)86 0 R(toc1)87 0 R(toc2)88 0 R(toc3)89 0 R(toc4)90 0 R(toc5)91 0 R(toc6)92 0 R]>>endobj
++69 0 obj<</D[96 0 R/XYZ 0 268 0]>>endobj
++70 0 obj<</D[96 0 R/XYZ 0 87 0]>>endobj
++71 0 obj<</D[98 0 R/XYZ 0 61 0]>>endobj
++72 0 obj<</D[100 0 R/XYZ 0 74 0]>>endobj
++73 0 obj<</D[102 0 R/XYZ 0 280 0]>>endobj
++74 0 obj<</D[102 0 R/XYZ 0 125 0]>>endobj
++75 0 obj<</D[96 0 R/XYZ 0 734 0]>>endobj
++76 0 obj<</D[96 0 R/XYZ 0 240 0]>>endobj
++77 0 obj<</D[98 0 R/XYZ 0 733 0]>>endobj
++78 0 obj<</D[100 0 R/XYZ 0 705 0]>>endobj
++79 0 obj<</D[102 0 R/XYZ 0 718 0]>>endobj
++80 0 obj<</D[102 0 R/XYZ 0 252 0]>>endobj
++81 0 obj<</D[104 0 R/XYZ 0 733 0]>>endobj
++82 0 obj<</D[98 0 R/XYZ 0 600 0]>>endobj
++83 0 obj<</D[98 0 R/XYZ 0 368 0]>>endobj
++84 0 obj<</D[100 0 R/XYZ 0 501 0]>>endobj
++85 0 obj<</D[100 0 R/XYZ 0 300 0]>>endobj
++86 0 obj<</D[102 0 R/XYZ 0 594 0]>>endobj
++87 0 obj<</D[96 0 R/XYZ 0 569 0]>>endobj
++88 0 obj<</D[96 0 R/XYZ 0 537 0]>>endobj
++89 0 obj<</D[96 0 R/XYZ 0 465 0]>>endobj
++90 0 obj<</D[96 0 R/XYZ 0 393 0]>>endobj
++91 0 obj<</D[96 0 R/XYZ 0 334 0]>>endobj
++92 0 obj<</D[96 0 R/XYZ 0 302 0]>>endobj
++93 0 obj<</Type/Pages/Count 6/Kids[94 0 R
++96 0 R
++98 0 R
++100 0 R
++102 0 R
++104 0 R
++]>>endobj
++94 0 obj<</Type/Page/Parent 93 0 R/Contents 95 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F8 7 0 R/F9 8 0 R>>/XObject<<>>>>>>endobj
++95 0 obj<</Filter/FlateDecode/Length 90        >>stream
++x
ÂÁ
++@@àû<Åä²fhV{Uä ÐNy R”$Ÿ¾ï"ÿeŽÂc>¨2Êš 	°¢â¼(
++U'AaØ13lN†ó~ÖíEŒÚ~²>µj£‘>!šëendstream
++endobj
++96 0 obj<</Type/Page/Parent 93 0 R/Contents 97 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F4 4 0 R/F6 6 0 R/F8 7 0 R/F9 8 0 R/Fc 9 0 R>>/XObject<<>>>>/Annots 31 0 R>>endobj
++97 0 obj<</Filter/FlateDecode/Length 1533      >>stream
++x¥VM“Û6½ï¯À­›¯¢/ëãÐCÛ4i:i“vÉ%Ú¦b6úp%Ù›ý÷} %‘v·{é¬×cè ð >êBüE”Ç”d´kn ēåëÏ7ü„²tÄÔPšÙdÔtã™
EaD(~aï´Èñã¿×TIÀõ:AÀ+ âgë(ÖØ*Š8€µx/Ó"
€y¤ðfƒ1Ïl¨Œ/0Ïä×Aî9ú6Д·ta}h™\ø&/^si ¦ŠÉbœÉ•¤\«¬”J<hÆÔ:Ô†MěÊáÂNX±Oé‚y&‚†9ç³€–¼(f-[b8ò&̲µ`žÉA…¼ôm –<‡z6P¤‡„TªLðP¦ŠÙ²ÆRåŒEa†&;з6æ’<Ô³9¥s¨Ý4çAœ¨MÄp›NXF˜!ú6ÂF9N‡z6Ð,¿ôå¡N at FÎsq1bõÎÄÜ®q|æ™\§‹ÂŽ¾
4g«o-SæhÙÔ·Š“uPz¨o-²‹¤|»¡$,/|}Cüb-û˜Äta_Çþ„W³`ž‰b0ƒHw}hÆrã¡ÌZ\°.5T0f
ÞÒ3ሀk„	GŒO	ÇuÉŽb°#kDœ”ˆy%_Ä¡œ±˜(Cúr¬Ýâä¡o4£qá88TÂBY·þ­£ùÓÏ%?ôOæ˜så,²˜ç–-&R¦b†<sÎOJò’îì'¹:Ì™¼g¾`’x‰¸ÊûÇÍÍË×%æ’6.Ÿ,/‚²Œi³—{'¤ÍîöC7Œ•ùF÷÷ïè—÷Ÿ6ï_lþ²N,#âv—ÄA‘²Ûí¯§a4-½Rg£»2EK§uq$œö·ç(WôJït³Õ=ÅaÛÕ™·º@ã°vs0á£Z2íØwûÓn4]KcGãAÓiÐÔU´ywÿ’s|0ãAžÏ‰ÿ¶ù! ƒi¿ðÚ!̱ïÎf¯g÷Þ:)Î ¤;™8ìÛhÕ¼‹nwýãq”å25íº¶Õ’ÄÊǏµB‚úÛHê„ÌÚÑìgêm¿¢Çî$9¨zè®6ô¼4).¬§­ôžP­BÖæ¬FM_õ#ïªêº{ ɧ׵zDå
u½Á‹A*4F½õè›öFëâPZ4S¦@¶u¯û³îmÔ¹x9¹säýS×VæË©—bé¨zÕ Ï~êÿnêèîA~dzŸã,§Ë¨.Ô#)Úh%iš]ú| Wô	&ú.xIåÉ•íjƒ]æpYYâUÆyð¬ù^ϧ3³uYkÙÝj¦j
++Yá‡îÑÛ9›çã>Sfн%ðé(éb€Ð>™7LÞ¦W§ô’ƒØ˜"`ò]«ÿg[Ö½6­LÅÇ#GÃés™ôδ_¯Ä’Jfeäw>lz}6Ýià9Ñԁž~lÓuòfhÈŽ—¯çò–‹r-g¤Ý‹&Î6ªkE‰xP¨&»ã©V=é;9¥¶8Zhm÷ü§r¤-f¢2ȼê»Æ:wÕDÈ,G³ÃwX¥Õxêõ°¢íii¤ºI«ÁØv›v¡Ì=+D;â? O·þ9ëË@MJ•©ñ£êzÖ5×ÝÕÕþs¡âÆ5Vª1µQ“<ÌÂ}ËúôýYÕ'm	ŸY¼½o·ÅÈB³'=fÕyP"n³ä*Ok—ñ½Jl§ûÑT¬µzÀH¡Ž¦C¦EI"¾*ðá}˜õ
++ä|Õ4€KÑå^«ý…HòÑaG¾mPñ`F-‹‰˜Û2Ó±y©¿,åX­žeÚvyÿØ‚À½ý@j¿G7¹Ÿoû9<¨¾7]?|~aÇC1†ù¸ª|¯wf˜ê{8h¤(‡ÝîÆ	[½r`*+cŽ1\¦bO[ðî<0ͽþbL*0Üèj¾®R8¨×­ÚÖZ2å[m¾/qwrÀƒÂeYcÄÇ­-SZL/±c5F5RmƱִ5#ßï8éýõ
=èÝ©7ããÜ¿œæ§Ïÿ³²P¸÷¼žGqÆ÷ÔÜ[îëòî“aP©½É"¦ãçÍÍ7ÿ .Ý>endstream
++endobj
++98 0 obj<</Type/Page/Parent 93 0 R/Contents 99 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F0 3 0 R/F4 4 0 R/F5 5 0 R/F6 6 0 R/F8 7 0 R/F9 8 0 R>>/XObject<<>>>>>>endobj
++99 0 obj<</Filter/FlateDecode/Length 1220      >>stream
++x•VÛnÛF}×WÒ°V$uu€u¹à[-E‹´Æš\Z“»ìîÒ®úÐoïÌ’ŒHYISr®gfÎÌŸƒü„°ˆ`2‡¤,€IÈ–0].ðo„_# ¼ã‹Sgø*ÎPg¾ŒX8‡8T	ˆ“aÄàV[—É¿€[à_n`#̳0oãO¨>…0¬•GÑ‚Mæh)¶ZÁ¦Ú¬ Ñ…°ðPÉÜÁ‹t[°UYjã Ó6›Ë1Z=«ç9¸-w -(!R‘Ò¿D«L>V†;‰u†"¬œ¦8…‘o4¡_È(©)‘Že£J&u¨,Õ#ìtå= Hµ÷bw¢k;ÆÉL&ô“O…ã2§Iø]+gtZyd#`ðkÇK¢Ë]×ú“ØWi÷Q×!š 4ÇÂ%㲩@*
&¤ÍŽÁÚøGœ°(;!Ë%Š@RžÉ–«Ç:³R˜BZK˜ bÙ²4ò™Å°ÞÕ¥
à” Í¨‹FÑ”Íæ8ÙêFkÇè§)£tڐ°#H®Ð)L±êRy	/ÒmºŸl¹˜öœ÷Ê]rÃÌØ:ª£
·J%åÛ‡k\p©X’5QEs6%giy¦©S¨r©°=À–¤i±T'U!”cŒ}‘ïà}›}Ÿ>ä|Ü‚âf}\láÊôÞåö!»Ï°£àû^™ÇE`õÐÜkQ“|Q­Å—¼Ÿóu~FöêqWYAb|;ÑÀ?kæÝ×
!
&¾nûðÚ¤jÄÚj
i¨@¹Æqz=Ɲîk°nuF{ïä3ÿÏKg¾¾ÅKØ7º8ïÅYå¶ÚH·ƒŽGø8l(
;
GUf5tDìÇ·ÿWS’àˆ–‰3q9R㈇VÆ«ÜõiÈ–"ñ¤–çè_xŸ9¾eUÏÁ8Û[]å)9ë–¡!oôÙDÛÝ!#Ü4‘´ˆØCXG#†²ýÑÞ~_ܨ¤O¼=ð (s¦\\ÖqÜíŠ!M¶"yªéŽpØ"W?¡j$:Ò¯Ú§Šbü§îÝ??$J8@îÈ™E´Y¢YõѬEÁ“[lv”V°	®S"EôçIŒ–n¬ö1¶²	/ñ²Áj!s`ŠüÞ8ˆü‹¢àP­ï`µ¹Šo[z±­>\Þ qÈ>üÞûhŒ"zõþv}»º\_¯¯ê{%ÝÍú·f!µ=XÅw×GÄâ³»¸©;uÇ
Åaù~_­¯V}•ÍQqDáNð;UC]øWtÀD1’LÓÅØ+%.:|N	Ž/ZNÂÂ÷µå7µÜžµxV—ÇVTn$°CCÝ°÷×Ь|T8f´Wh–ˆúš¨¤gÒÎ<½È7Z×t(•ª/AsãgŒÆ¥Ý_þ„±Pj©Ü	ª~ñżaç!ŒŸ¹çú‘–`~˜)HIá)Èé«v ŒÑ¸¯H¼ÍÅ/Ü(P "ïQ[•çž"xŽgÛ	àe‡b¤‹/‰—𝯠Ž}oBœfnµjXdÙžFl:‡ù®™¤vºê>ÜüßP„£Fn´NëÓ¡†c—êt‰7ÆrŠG.]¤¿Š?þfÉi«endstream
++endobj
++100 0 obj<</Type/Page/Parent 93 0 R/Contents 101 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F0 3 0 R/F4 4 0 R/F5 5 0 R/F6 6 0 R/F8 7 0 R/F9 8 0 R>>/XObject<<>>>>/Annots 44 0 R>>endobj
++101 0 obj<</Filter/FlateDecode/Length 1602      >>stream
++x•W]oÛ6}ϯ¸ÈËR VümGoi»vÚ5k<
++ŒDÙ\$Ò¥8ޯ߹$%3ž—bh›T"ï×¹çRhˆ?#ZŒi2§¬:&C¼é|ýÈoh¾œãgEãQ2
%ÝŸEÍÇÉ<Z‹+
§É,ZŒŸ±:^¾0Ÿ±:¿N®cÛè™3%ËhÕe»˜'cš.ÈyŒµ¤Â•1~?ž#~¨Îý¿/.¬¸bú•ÃSWY¿äV¾ŽÃš+³[sU֏]MýÚÛÕÙÕ‡)F´*ЬùrA«ÜõhH«ìâgùÜÐ]-Ÿ”i-½3º‘º±túõ›ÕŸpvM£Psî“I2žÂãÅ$¡;c›B=“°$hõéž²RÁ›·:¤0/’Éò‹Î"šDÖxKoE—JØFÖø¥J²²~’uB«²„¿»Doîï?]q¬™™JZ´K”åžZ+‹¶L’„£i <\š·D¥¨×’r·úÎõ>Ž`ñ°‡?ö‘Saj’"ÛP.·¢n*”Ð'¥•^S³‘V†Ä,µ[âBdˆ96\¥ÈÚ¶Tv{Z«§`ÜCf÷¨³Bj¹,D[6´–A-K$ãêoLB¿›ÖÅ@`Í©e’sèÜō€lÙ Q™h$‰5Êfï0øzhQ0ç%Bß(“u£
++gÔÁØ•ô«Ûm°®_qûÏ«» ¡1fgi°heÀ~g-úèJtÕrTx²&XÐ5¼àŽi‰l•(™ÚÅðœƒìs§š
×Fä´u­LmÏ/™r}ÔÁ7 ˆ¦Û»£È"Ïkió´ihk¬U%Ü·èqhÌáf#<¶·wÔ٘­‡†T “Ò’²ÐkPVºôUùf‚vÇUç(
++‘µ£jº½¿;Ý’SÍCåeéÑïÀq§^¢Ÿ4×Qn™›©= LèFçG° uæ£nU.I…
++®b?§ôž0U«™O
++Ì¢Ñæ¡–:«÷Û&S4okoàA<
++oÑxs`KÓ¨—¦+[¡ÖmÍD`¯ß•¦×éBTªT¢æl+7’èܝèFîÒyëçÝ´vC`r°z”Æ<¶[ë!é"SÔäTU.‘²²ÝA8ëN/äD²õÈ°îLýYdš×r-êÜ
eÏn { øQÀUÉz°>¡w}¢Ñ‡©sÌ	…X‹Ò}­æ-#f¥$Uàµw{?Š&#Š¸
++è{Τ Ü^º-H5xévØã’Âv„=h¦ÛΦH`€}؍	>Ê 0­ÎB©!$ì µ­(ÙäêÃ,¦tþÕ©3ô…!Ç$ÈüÜoꎻ¡dŽ›¢6UDÆR¯0
'ÉÓJYÊú@ó>›+ÙdW%>ƒ¯xxÂÎ>%Ô¬ TAš
++ï3õN‡tÍGWÁ׺Á·¯9ß.â|žD	á{YìÀmÇeo2áí\à¹ÛwNrOâÁ<qâ×}ã戏‚àµc¶–ÒÓv#°7ÌÒV@òÐXœÉnªðßÌh¨¦Z††Á1ߝOØÁ—æ“–þ8e–r;ùxÕ‚Ê<
++Ê¼–+Û`@ZœàÎÚì4.%'[38‚ë;ú4¦8¼Xç‚<E¦/!æ«L}ZZ{;_UdÕv8Ã/©n=™òαX’…Î_o»ÙJmmIϳá5
â LfrÕœlq‹y™ñ¿Hv¸i[›¼
˜Ïïg'D‚Y“@º·^ýâÈh÷‘iëÃýÿ9ˆèòí"ýw#–'0¹‘VÿА|F�ñ7/»1m™CßAM‹Û¦'q©~e_Gñz–¾¦gér‘¾_¤“iúî&}7MÇ‹ôí0ý0I—Òù<]Þ¤‹Eº|OKXð5ÉLÒ>¾êíp²˜¢•-/_Œ‰ñn0^Ï•U„5ü?%…[n_ω§?”ø:	¸ =™©q£Úí'žûé%"n´£J4ø^Ü›MmÚµŸFu×!|&¹‹þé/˜W?l–AJG×ãdÊ_£ø^õ7:ácƒ~úòÛêsnö
ÈÝë_@Óå0Y.§øã­lÿãêì—³ •»bendstream
++endobj
++102 0 obj<</Type/Page/Parent 93 0 R/Contents 103 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F0 3 0 R/F4 4 0 R/F5 5 0 R/F6 6 0 R/F8 7 0 R/F9 8 0 R>>/XObject<<>>>>/Annots 56 0 R>>endobj
++103 0 obj<</Filter/FlateDecode/Length 1758      >>stream
++x¥WÛŽÛF}Ÿ¯(ø%2 áè6i?8;	¬³±#ØY=dSêÉVØMµ_¿§ªy­ÉÛ¢š]uêrN•þ¼šÓæt· eLIq5‹f¯7ÑŠVë;|^ào¥)“ƒÅí<Z\8€hÖüóëáÕå"Š© Å¦òÓÇ«ÁcA1¿ÒŸ
šÏVÑíàpøŒÓÅúìêð§ñ&ÚïžÑ<ZN9âÅbï.D¼‰/Lww}tò¹®9‘`º“þ©¬;
++Л[y&À›³€»;“BÝ}úûíÕÍû
Íoq´ÍPÜ8Ž£MLÛTŠ4£m2YEôQ{oÊÕò{MNWG]‘·(v®Nô¨œNÉ–”á%]*Sz÷zûl¯h>–¯wÑ2†›tòi¯ËpïOéë|f¾PU—ö+[ïö¤àÅ“Íðm®ñµ¥T{]¦Ôd2‘äF—ž
++•ìå[G*Ïí3 tÈ
++er2£ëùŁóÖAHDŸ4•:Üó:Ï;D~¯<¥!;r˜ÌàES
++	ÿsÀ‘èÊ;d פÀÊÈH‹h‹¨,,Gϸ’¦tàýgŸ»3³xCJo›”NÈþ~® êÀ™À'ç+“xcËQúñ®W^œ/S;qg`Ê(ÉÂ×mÅ&Ñøv¯ ªÒLÕßØà!U‰*éQs¶¤’ƒ®Ð£²q¾Ì°Ú{hªÞ‡I°4Bà«Úy˜>…þ¸ûð:¢÷¶â^)¸J¦D”y®ДBu€ãÑ6Ü@u)‰—3>ÊÅ }ʱe	M’<h-S¦æhÒZå”ØÒW6'ËD‘î‘tž“íz	…\qS®¢9H&¬
++ýû™ÙÕ•Är{*¡(-liŸ™6LS öÙç¤
s®j±ô\ ¤K8à¼A[&4†à 4ø¨gÙRÿ$ÿw¦h•”Ž¸5XG˜Ò°w 	|èœ5a &·7GŸF èZHƒ‹èw[C}òS™¤(ÓÏ”CD=lHãÿk{¡p@2 aԁ„Mº#z—¢¾Õì KD"„1mf[	ƒ×4OÈCfYÌøIbøG@?£
ËXÆøz©ßqÿ°ˆh<éÓgqð†n´OnA[oþ«Ëgm
++¡ÉƒK\ƒotA—¯Ý¿½äéþ-›‹píë[ £¤7tÒ#…º–€âh¶\2¶·ŽN¨*Ë€Óº%3Èt"g
++“+¡4²ß”ƒ	׉<¨ÊSVÙ‚KD™J¸V(Ô¬Ò«9ÊùŠóöj
++Þøl3%ä$}Zò¨ò]Th Ñ_`
++­&®UÁ’Â5‚*¼&hTÛES‰k¯Ž¸ùlG^ƒ–6-±ËÄ9¡™S©:x[C03V=p•ÇˆÈ!œ³­›÷ýt{Ô?tºNH
€³*~ë(˜üõõ€ÀŒ€sì¾R¥;X¤½P"@*®Ug·&4Ô—ÉÑO\eT€dô²¶öˆYFÏX.P¦ååBƤ-õx.}`æ‡Úf’ǯÈÁÎ6´•™ÄŸq=`Ù׏ÓfžŸdR|ãPl“t•³Û§¡Èp£á¹S tæ€Õ ~=L
++UžM¼Òj§JãD…ց‡×ÓvT§´{cIExò–Gr‰v(Ä ©Gô‡$ð¬ˆU¦_¯Ý[“Û‡×ãNL„·Óˆ¬$®c‚MoÊ»Ê3OŠdoí¥¡:HÀ‹MXèdÏqƒŸíÙ5t»¢ñÈ3ñ¯µ¯sYù·ìUÔF‰ê§ÿœGÄfÝŠÍ?õO¿Túhlí裃ÑÑ寃¥áÎ|½„hHInÁuƒ D~’¼°o-«@G€ÌA8@*T	ºô%º¼Éh兏uŽ-´[tHïì<{A*´¨ÈÏâ£ÁLä·s»“AwîlP¸›£ªnðÖ
ß=ÏÞ$L\··už¶|H-à ìð=õÑöÝïu‚
aà=к§$÷•Ý
 4ë¾ñ¡uu’`îguâ;”Š‰Ç>EG¶.Ü	«bñBœêÃ%tøh!Ä6ŸÒ霮ò`ð¾
Jh½_A¥B^…ƒ1^g,ïxNÚ•`QØj¥Α‡ñÁDyÿšö
ä)V±'üœ@ðö‰0óØjKe—í [º¯åG‹³høÍÅD€"žT#ǨöEXÁ\‚ü$¹Æ4æîÂND¡žd(²?Ú¾sô‡}Lž´rFWž­ƒž]¦Û_²pÝü„™oÑ*¦x9‹V‰mõP4úñçíŽáºyïún¶aý¿lWëY´^¯ð‹™í°ñwÛ«]ý±–Iÿendstream
++endobj
++104 0 obj<</Type/Page/Parent 93 0 R/Contents 105 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F4 4 0 R/F8 7 0 R/F9 8 0 R/Fc 9 0 R>>/XObject<<>>>>/Annots 65 0 R>>endobj
++105 0 obj<</Filter/FlateDecode/Length 362       >>stream
++x¥QËNÃ0¼û+öXqmÇñã
++z¨h!–¸pkSQ hêç3NLëŠe<³»³ãO&Ià‘d•†V-\àäôyºg¥á‚LUrG-ËUT³¶ä
$£0rcÜ ÎùÈ
 rlIJÏuFŽ…Êâ÷øD0<Ö¬ŽMO\aFF×'.ƒ¨-¯22Ç`½åeÆ"2Òb
í,þÞ}C¦$LUÞ>MÉç/DG¡1oTFò:°é'YÁ~Ø ã—†ÂzH^PXM§ùv÷~¸
++ok„¥¸£;•…ëɲ;ô›í‘f]ÛŒºUÒ–»xµ½(cé²Ë@²ÄUž»Lüþg§èƒº
õ¯
%oc×ÅsXÔqX(ǥǮÃãCsìi¹o¾·Ýׁnº]ßìú”K;K¯¸6".ò©ë9Í¢‡h¡HºÂ
++[çAk'¸sz®ŠêÛÀÙþ¶ªendstream
++endobj
++106 0 obj<</Type/Catalog/Pages 93 0 R/PageLayout/SinglePage/OpenAction[96 0 R/XYZ null null 0]/PageMode/UseOutlines/PageLabels<</Nums[0<</P(title)>>1<</S/D/St 1/P()>>]>>>>endobj
++xref
++0 107 
++0000000000 65535 f 
++0000000015 00000 n 
++0000000210 00000 n 
++0000001776 00000 n 
++0000001850 00000 n 
++0000001928 00000 n 
++0000002005 00000 n 
++0000002084 00000 n 
++0000002160 00000 n 
++0000002241 00000 n 
++0000002299 00000 n 
++0000002357 00000 n 
++0000002441 00000 n 
++0000002541 00000 n 
++0000002640 00000 n 
++0000002741 00000 n 
++0000002842 00000 n 
++0000002941 00000 n 
++0000003043 00000 n 
++0000003145 00000 n 
++0000003245 00000 n 
++0000003347 00000 n 
++0000003448 00000 n 
++0000003549 00000 n 
++0000003648 00000 n 
++0000003748 00000 n 
++0000003849 00000 n 
++0000003945 00000 n 
++0000004044 00000 n 
++0000004142 00000 n 
++0000004241 00000 n 
++0000004340 00000 n 
++0000004496 00000 n 
++0000004594 00000 n 
++0000004694 00000 n 
++0000004795 00000 n 
++0000004896 00000 n 
++0000004996 00000 n 
++0000005097 00000 n 
++0000005194 00000 n 
++0000005291 00000 n 
++0000005390 00000 n 
++0000005490 00000 n 
++0000005588 00000 n 
++0000005687 00000 n 
++0000005787 00000 n 
++0000005887 00000 n 
++0000005986 00000 n 
++0000006087 00000 n 
++0000006189 00000 n 
++0000006290 00000 n 
++0000006391 00000 n 
++0000006491 00000 n 
++0000006591 00000 n 
++0000006692 00000 n 
++0000006794 00000 n 
++0000006895 00000 n 
++0000006988 00000 n 
++0000007041 00000 n 
++0000007126 00000 n 
++0000007211 00000 n 
++0000007296 00000 n 
++0000007351 00000 n 
++0000007436 00000 n 
++0000007537 00000 n 
++0000007638 00000 n 
++0000007689 00000 n 
++0000007721 00000 n 
++0000007753 00000 n 
++0000008240 00000 n 
++0000008281 00000 n 
++0000008321 00000 n 
++0000008361 00000 n 
++0000008402 00000 n 
++0000008444 00000 n 
++0000008486 00000 n 
++0000008527 00000 n 
++0000008568 00000 n 
++0000008609 00000 n 
++0000008651 00000 n 
++0000008693 00000 n 
++0000008735 00000 n 
++0000008777 00000 n 
++0000008818 00000 n 
++0000008859 00000 n 
++0000008901 00000 n 
++0000008943 00000 n 
++0000008985 00000 n 
++0000009026 00000 n 
++0000009067 00000 n 
++0000009108 00000 n 
++0000009149 00000 n 
++0000009190 00000 n 
++0000009231 00000 n 
++0000009321 00000 n 
++0000009474 00000 n 
++0000009637 00000 n 
++0000009831 00000 n 
++0000011437 00000 n 
++0000011626 00000 n 
++0000012919 00000 n 
++0000013124 00000 n 
++0000014800 00000 n 
++0000015005 00000 n 
++0000016837 00000 n 
++0000017024 00000 n 
++0000017460 00000 n 
++trailer
++<</Size 107/Root 106 0 R/Info 1 0 R/ID[<c567b3b845f93fff5790763fa9931d35><c567b3b845f93fff5790763fa9931d35>]>>
++startxref
++17638
++%%EOF
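Review bot: a binary PDF should not travel through a text dpatch like this hunk does. The FlateDecode stream bodies above are raw compressed bytes, and several of them already appear as unprefixed lines split mid-stream (wherever a byte happened to be a newline), so any line-ending or charset normalisation by the patch tooling, the VCS or a mail gateway will corrupt the streams and invalidate the byte offsets in the xref table and the `startxref 17638` pointer, leaving a PDF that no longer opens. Suggest dropping this contributed HOWTO PDF from the patch altogether (it is documentation, not something the build needs) or shipping it as a separate binary file rather than as diff text. The same concern applies to the `diff -urNad` that follows for `Postfix_SSL-HOWTO.sgml`: its `+1,349` hunk starts with `%PDF-1.3` and repeats these same objects (stream 101 carries `Length 1598` there against `Length 1602` here), so that file is a second copy of the PDF under an `.sgml` name, not the SGML source that the `/Creator(SGML-Tools 1.0.9)` entry says it was generated from.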
+diff -urNad postfix-release/tls/contributed/Postfix_SSL-HOWTO.sgml /tmp/dpep.cXJuVH/postfix-release/tls/contributed/Postfix_SSL-HOWTO.sgml
+--- postfix-release/tls/contributed/Postfix_SSL-HOWTO.sgml	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/contributed/Postfix_SSL-HOWTO.sgml	2005-02-03 10:22:13.093089328 -0700
+@@ -0,0 +1,349 @@
++%PDF-1.3
++%âãÏÓ
++1 0 obj<</Producer(htmldoc 1.8.21 Copyright 1997-2002 Easy Software Products, All Rights Reserved.)/CreationDate(D:20021211094503+0000)/Title(Postfix SSL HOWTO)/Creator(SGML-Tools 1.0.9)>>endobj
++2 0 obj<</Type/Encoding/Differences[ 32/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quotesingle/parenleft/parenright/asterisk/plus/comma/minus/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/asciicircum/underscore/grave/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde 128/Euro 130/quotesinglbase/florin/quotedblbase/ellipsis/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE 145/quoteleft/quoteright/quotedblleft/quotedblright/bullet/endash/emdash/tilde/trademark/scaron/guilsinglright/oe 159/Ydieresis/space/exclamdown/cent/sterling/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]>>endobj
++3 0 obj<</Type/Font/Subtype/Type1/BaseFont/Courier/Encoding 2 0 R>>endobj
++4 0 obj<</Type/Font/Subtype/Type1/BaseFont/Times-Roman/Encoding 2 0 R>>endobj
++5 0 obj<</Type/Font/Subtype/Type1/BaseFont/Times-Bold/Encoding 2 0 R>>endobj
++6 0 obj<</Type/Font/Subtype/Type1/BaseFont/Times-Italic/Encoding 2 0 R>>endobj
++7 0 obj<</Type/Font/Subtype/Type1/BaseFont/Helvetica/Encoding 2 0 R>>endobj
++8 0 obj<</Type/Font/Subtype/Type1/BaseFont/Helvetica-Bold/Encoding 2 0 R>>endobj
++9 0 obj<</Type/Font/Subtype/Type1/BaseFont/Symbol>>endobj
++10 0 obj<</S/URI/URI(mailto:justin at palmcoder.net)>>endobj
++11 0 obj<</Subtype/Link/Rect[72.0 680.2 174.1 698.0]/Border[0 0 0]/A 10 0 R>>endobj
++12 0 obj<</Subtype/Link/Rect[85.2 551.5 182.0 569.4]/Border[0 0 0]/Dest[96 0 R/XYZ 0 268 0]>>endobj
++13 0 obj<</Subtype/Link/Rect[85.2 519.3 265.7 537.2]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
++14 0 obj<</Subtype/Link/Rect[108.0 492.0 237.2 505.0]/Border[0 0 0]/Dest[98 0 R/XYZ 0 600 0]>>endobj
++15 0 obj<</Subtype/Link/Rect[108.0 478.8 179.8 491.8]/Border[0 0 0]/Dest[98 0 R/XYZ 0 368 0]>>endobj
++16 0 obj<</Subtype/Link/Rect[85.2 447.5 257.8 465.4]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
++17 0 obj<</Subtype/Link/Rect[108.0 420.2 221.7 433.2]/Border[0 0 0]/Dest[100 0 R/XYZ 0 501 0]>>endobj
++18 0 obj<</Subtype/Link/Rect[108.0 407.0 239.4 420.0]/Border[0 0 0]/Dest[100 0 R/XYZ 0 300 0]>>endobj
++19 0 obj<</Subtype/Link/Rect[85.2 375.7 474.3 393.6]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
++20 0 obj<</Subtype/Link/Rect[108.0 348.4 240.0 361.4]/Border[0 0 0]/Dest[102 0 R/XYZ 0 594 0]>>endobj
++21 0 obj<</Subtype/Link/Rect[85.2 317.1 185.5 335.0]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
++22 0 obj<</Subtype/Link/Rect[85.2 284.9 131.0 302.7]/Border[0 0 0]/Dest[102 0 R/XYZ 0 125 0]>>endobj
++23 0 obj<</Subtype/Link/Rect[72.0 255.5 93.4 268.5]/Border[0 0 0]/Dest[96 0 R/XYZ 0 268 0]>>endobj
++24 0 obj<</Subtype/Link/Rect[176.5 255.5 200.6 268.5]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
++25 0 obj<</Subtype/Link/Rect[241.9 255.5 283.8 268.5]/Border[0 0 0]/Dest[96 0 R/XYZ 0 569 0]>>endobj
++26 0 obj<</Subtype/Link/Rect[72.0 74.1 93.4 87.1]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
++27 0 obj<</Subtype/Link/Rect[134.6 74.1 176.5 87.1]/Border[0 0 0]/Dest[96 0 R/XYZ 0 569 0]>>endobj
++28 0 obj<</Subtype/Link/Rect[176.5 74.1 200.6 87.1]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
++29 0 obj<</Subtype/Link/Rect[200.6 74.1 241.9 87.1]/Border[0 0 0]/Dest[96 0 R/XYZ 0 268 0]>>endobj
++30 0 obj<</Subtype/Link/Rect[241.9 74.1 283.8 87.1]/Border[0 0 0]/Dest[96 0 R/XYZ 0 537 0]>>endobj
++31 0 obj[11 0 R
++12 0 R
++13 0 R
++14 0 R
++15 0 R
++16 0 R
++17 0 R
++18 0 R
++19 0 R
++20 0 R
++21 0 R
++22 0 R
++23 0 R
++24 0 R
++25 0 R
++26 0 R
++27 0 R
++28 0 R
++29 0 R
++30 0 R]endobj
++32 0 obj<</Subtype/Link/Rect[72.0 721.0 93.4 734.0]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
++33 0 obj<</Subtype/Link/Rect[93.4 721.0 134.6 734.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 268 0]>>endobj
++34 0 obj<</Subtype/Link/Rect[134.6 721.0 176.5 734.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 537 0]>>endobj
++35 0 obj<</Subtype/Link/Rect[176.5 721.0 200.6 734.0]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
++36 0 obj<</Subtype/Link/Rect[200.6 721.0 241.9 734.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
++37 0 obj<</Subtype/Link/Rect[241.9 721.0 283.8 734.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 465 0]>>endobj
++38 0 obj<</Subtype/Link/Rect[72.0 61.6 93.4 74.6]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
++39 0 obj<</Subtype/Link/Rect[93.4 61.6 134.6 74.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
++40 0 obj<</Subtype/Link/Rect[134.6 61.6 176.5 74.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 465 0]>>endobj
++41 0 obj<</Subtype/Link/Rect[176.5 61.6 200.6 74.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
++42 0 obj<</Subtype/Link/Rect[200.6 61.6 241.9 74.6]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
++43 0 obj<</Subtype/Link/Rect[241.9 61.6 283.8 74.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 393 0]>>endobj
++44 0 obj[32 0 R
++33 0 R
++34 0 R
++35 0 R
++36 0 R
++37 0 R
++38 0 R
++39 0 R
++40 0 R
++41 0 R
++42 0 R
++43 0 R]endobj
++45 0 obj<</Subtype/Link/Rect[72.0 267.6 93.4 280.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
++46 0 obj<</Subtype/Link/Rect[93.4 267.6 134.6 280.6]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
++47 0 obj<</Subtype/Link/Rect[134.6 267.6 176.5 280.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 393 0]>>endobj
++48 0 obj<</Subtype/Link/Rect[176.5 267.6 200.6 280.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 125 0]>>endobj
++49 0 obj<</Subtype/Link/Rect[200.6 267.6 241.9 280.6]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
++50 0 obj<</Subtype/Link/Rect[241.9 267.6 283.8 280.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 334 0]>>endobj
++51 0 obj<</Subtype/Link/Rect[72.0 112.6 93.4 125.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 125 0]>>endobj
++52 0 obj<</Subtype/Link/Rect[93.4 112.6 134.6 125.6]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
++53 0 obj<</Subtype/Link/Rect[134.6 112.6 176.5 125.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 334 0]>>endobj
++54 0 obj<</Subtype/Link/Rect[200.6 112.6 241.9 125.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
++55 0 obj<</Subtype/Link/Rect[241.9 112.6 283.8 125.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 302 0]>>endobj
++56 0 obj[45 0 R
++46 0 R
++47 0 R
++48 0 R
++49 0 R
++50 0 R
++51 0 R
++52 0 R
++53 0 R
++54 0 R
++55 0 R]endobj
++57 0 obj<</S/URI/URI(http://www.postfix.org)>>endobj
++58 0 obj<</Subtype/Link/Rect[108.0 688.8 168.8 701.8]/Border[0 0 0]/A 57 0 R>>endobj
++59 0 obj<</S/URI/URI(http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls)>>endobj
++60 0 obj<</Subtype/Link/Rect[108.0 675.6 191.4 688.6]/Border[0 0 0]/A 59 0 R>>endobj
++61 0 obj<</S/URI/URI(http://www.palmcoder.net)>>endobj
++62 0 obj<</Subtype/Link/Rect[108.0 662.4 269.3 675.4]/Border[0 0 0]/A 61 0 R>>endobj
++63 0 obj<</Subtype/Link/Rect[93.4 634.0 134.6 647.0]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
++64 0 obj<</Subtype/Link/Rect[134.6 634.0 176.5 647.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 302 0]>>endobj
++65 0 obj[58 0 R
++60 0 R
++62 0 R
++63 0 R
++64 0 R]endobj
++66 0 obj<</Dests 67 0 R>>endobj
++67 0 obj<</Kids[68 0 R]>>endobj
++68 0 obj<</Limits[(postfix_ssl-howto-1.html)(toc6)]/Names[(postfix_ssl-howto-1.html)69 0 R(postfix_ssl-howto-2.html)70 0 R(postfix_ssl-howto-3.html)71 0 R(postfix_ssl-howto-4.html)72 0 R(postfix_ssl-howto-5.html)73 0 R(postfix_ssl-howto-6.html)74 0 R(postfix_ssl-howto.html)75 0 R(s1)76 0 R(s2)77 0 R(s3)78 0 R(s4)79 0 R(s5)80 0 R(s6)81 0 R(ss2.1)82 0 R(ss2.2)83 0 R(ss3.1)84 0 R(ss3.2)85 0 R(ss4.1)86 0 R(toc1)87 0 R(toc2)88 0 R(toc3)89 0 R(toc4)90 0 R(toc5)91 0 R(toc6)92 0 R]>>endobj
++69 0 obj<</D[96 0 R/XYZ 0 268 0]>>endobj
++70 0 obj<</D[96 0 R/XYZ 0 87 0]>>endobj
++71 0 obj<</D[98 0 R/XYZ 0 61 0]>>endobj
++72 0 obj<</D[100 0 R/XYZ 0 74 0]>>endobj
++73 0 obj<</D[102 0 R/XYZ 0 280 0]>>endobj
++74 0 obj<</D[102 0 R/XYZ 0 125 0]>>endobj
++75 0 obj<</D[96 0 R/XYZ 0 734 0]>>endobj
++76 0 obj<</D[96 0 R/XYZ 0 240 0]>>endobj
++77 0 obj<</D[98 0 R/XYZ 0 733 0]>>endobj
++78 0 obj<</D[100 0 R/XYZ 0 705 0]>>endobj
++79 0 obj<</D[102 0 R/XYZ 0 718 0]>>endobj
++80 0 obj<</D[102 0 R/XYZ 0 252 0]>>endobj
++81 0 obj<</D[104 0 R/XYZ 0 733 0]>>endobj
++82 0 obj<</D[98 0 R/XYZ 0 600 0]>>endobj
++83 0 obj<</D[98 0 R/XYZ 0 368 0]>>endobj
++84 0 obj<</D[100 0 R/XYZ 0 501 0]>>endobj
++85 0 obj<</D[100 0 R/XYZ 0 300 0]>>endobj
++86 0 obj<</D[102 0 R/XYZ 0 594 0]>>endobj
++87 0 obj<</D[96 0 R/XYZ 0 569 0]>>endobj
++88 0 obj<</D[96 0 R/XYZ 0 537 0]>>endobj
++89 0 obj<</D[96 0 R/XYZ 0 465 0]>>endobj
++90 0 obj<</D[96 0 R/XYZ 0 393 0]>>endobj
++91 0 obj<</D[96 0 R/XYZ 0 334 0]>>endobj
++92 0 obj<</D[96 0 R/XYZ 0 302 0]>>endobj
++93 0 obj<</Type/Pages/Count 6/Kids[94 0 R
++96 0 R
++98 0 R
++100 0 R
++102 0 R
++104 0 R
++]>>endobj
++94 0 obj<</Type/Page/Parent 93 0 R/Contents 95 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F8 7 0 R/F9 8 0 R>>/XObject<<>>>>>>endobj
++95 0 obj<</Filter/FlateDecode/Length 90        >>stream
++x
++ÂÁ
++@@àû<Åä²fhV{Uä ÐNy R”$Ÿ¾ï"ÿeŽÂc>¨2Êš 	°¢â¼(
++U'AaØ13lN†ó~ÖíEŒÚ~²>µj£‘>!šëendstream
++endobj
++96 0 obj<</Type/Page/Parent 93 0 R/Contents 97 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F4 4 0 R/F6 6 0 R/F8 7 0 R/F9 8 0 R/Fc 9 0 R>>/XObject<<>>>>/Annots 31 0 R>>endobj
++97 0 obj<</Filter/FlateDecode/Length 1533      >>stream
++x¥VM“Û6½ï¯À­›¯¢/ëãÐCÛ4i:i“vÉ%Ú¦b6úp%Ù›ý÷} %‘v·{é¬×cè ð >êBüE”Ç”d´kn ēåëÏ7ü„²tÄÔPšÙdÔtã™
++EaD(~aï´Èñã¿×TIÀõ:AÀ+ âgë(ÖØ*Š8€µx/Ó"
++€y¤ðfƒ1Ïl¨Œ/0Ïä×Aî9ú6Д·ta}h™\ø&/^si ¦ŠÉbœÉ•¤\«¬”J<hÆÔ:Ô†MěÊáÂNX±Oé‚y&‚†9ç³€–¼(f-[b8ò&̲µ`žÉA…¼ôm –<‡z6P¤‡„TªLðP¦ŠÙ²ÆRåŒEa†&;з6æ’<Ô³9¥s¨Ý4çAœ¨MÄp›NXF˜!ú6ÂF9N‡z6Ð,¿ôå¡N at FÎsq1bõÎÄÜ®q|æ™\§‹ÂŽ¾
++4g«o-SæhÙÔ·Š“uPz¨o-²‹¤|»¡$,/|}Cüb-û˜Äta_Çþ„W³`ž‰b0ƒHw}hÆrã¡ÌZ\°.5T0f
++ÞÒ3ሀk„	GŒO	ÇuÉŽb°#kDœ”ˆy%_Ä¡œ±˜(Cúr¬Ýâä¡o4£qá88TÂBY·þ­£ùÓÏ%?ôOæ˜så,²˜ç–-&R¦b†<sÎOJò’îì'¹:Ì™¼g¾`’x‰¸ÊûÇÍÍË×%æ’6.Ÿ,/‚²Œi³—{'¤ÍîöC7Œ•ùF÷÷ïè—÷Ÿ6ï_lþ²N,#âv—ÄA‘²Ûí¯§a4-½Rg£»2EK§uq$œö·ç(WôJït³Õ=ÅaÛÕ™·º@ã°vs0á£Z2íØwûÓn4]KcGãAÓiÐÔU´ywÿ’s|0ãAžÏ‰ÿ¶ù! ƒi¿ðÚ!̱ïÎf¯g÷Þ:)Î ¤;™8ìÛhÕ¼‹nwýãq”å25íº¶Õ’ÄÊǏµB‚úÛHê„ÌÚÑìgêm¿¢Çî$9¨zè®6ô¼4).¬§­ôžP­BÖæ¬FM_õ#ïªêº{ ɧ׵zDå
++u½Á‹A*4F½õè›öFëâPZ4S¦@¶u¯û³îmÔ¹x9¹säýS×VæË©—bé¨zÕ Ï~êÿnêèîA~dzŸã,§Ë¨.Ô#)Úh%iš]ú| Wô	&ú.xIåÉ•íjƒ]æpYYâUÆyð¬ù^ϧ3³uYkÙÝj¦j
++Yá‡îÑÛ9›çã>Sfн%ðé(éb€Ð>™7LÞ¦W§ô’ƒØ˜"`ò]«ÿg[Ö½6­LÅÇ#GÃés™ôδ_¯Ä’Jfeäw>lz}6Ýià9Ñԁž~lÓuòfhÈŽ—¯çò–‹r-g¤Ý‹&Î6ªkE‰xP¨&»ã©V=é;9¥¶8Zhm÷ü§r¤-f¢2ȼê»Æ:wÕDÈ,G³ÃwX¥Õxêõ°¢íii¤ºI«ÁØv›v¡Ì=+D;â? O·þ9ëË@MJ•©ñ£êzÖ5×ÝÕÕþs¡âÆ5Vª1µQ“<ÌÂ}ËúôýYÕ'm	ŸY¼½o·ÅÈB³'=fÕyP"n³ä*Ok—ñ½Jl§ûÑT¬µzÀH¡Ž¦C¦EI"¾*ðá}˜õ
++ä|Õ4€KÑå^«ý…HòÑaG¾mPñ`F-‹‰˜Û2Ó±y©¿,åX­žeÚvyÿØ‚À½ý@j¿G7¹Ÿoû9<¨¾7]?|~aÇC1†ù¸ª|¯wf˜ê{8h¤(‡ÝîÆ	[½r`*+cŽ1\¦bO[ðî<0ͽþbL*0Üèj¾®R8¨×­ÚÖZ2å[m¾/qwrÀƒÂeYcÄÇ­-SZL/±c5F5RmƱִ5#ßï8éýõ
++=èÝ©7ããÜ¿œæ§Ïÿ³²P¸÷¼žGqÆ÷ÔÜ[îëòî“aP©½É"¦ãçÍÍ7ÿ .Ý>endstream
++endobj
++98 0 obj<</Type/Page/Parent 93 0 R/Contents 99 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F0 3 0 R/F4 4 0 R/F5 5 0 R/F6 6 0 R/F8 7 0 R/F9 8 0 R>>/XObject<<>>>>>>endobj
++99 0 obj<</Filter/FlateDecode/Length 1220      >>stream
++x•VÛnÛF}×WÒ°V$uu€u¹à[-E‹´Æš\Z“»ìîÒ®úÐoïÌ’ŒHYISr®gfÎÌŸƒü„°ˆ`2‡¤,€IÈ–0].ðo„_# ¼ã‹Sgø*ÎPg¾ŒX8‡8T	ˆ“aÄàV[—É¿€[à_n`#̳0oãO¨>…0¬•GÑ‚Mæh)¶ZÁ¦Ú¬ Ñ…°ðPÉÜÁ‹t[°UYjã Ó6›Ë1Z=«ç9¸-w -(!R‘Ò¿D«L>V†;‰u†"¬œ¦8…‘o4¡_È(©)‘Že£J&u¨,Õ#ìtå= Hµ÷bw¢k;ÆÉL&ô“O…ã2§Iø]+gtZyd#`ðkÇK¢Ë]×ú“ØWi÷Q×!š 4ÇÂ%㲩@*
++&¤ÍŽÁÚøGœ°(;!Ë%Š@RžÉ–«Ç:³R˜BZK˜ bÙ²4ò™Å°ÞÕ¥
++à” Í¨‹FÑ”Íæ8ÙêFkÇè§)£tڐ°#H®Ð)L±êRy	/ÒmºŸl¹˜öœ÷Ê]rÃÌØ:ª£
++·J%åÛ‡k\p©X’5QEs6%giy¦©S¨r©°=À–¤i±T'U!”cŒ}‘ïà}›}Ÿ>ä|Ü‚âf}\láÊôÞåö!»Ï°£àû^™ÇE`õÐÜkQ“|Q­Å—¼Ÿóu~FöêqWYAb|;ÑÀ?kæÝ×
++!
++&¾nûðÚ¤jÄÚj
++i¨@¹Æqz=Ɲîk°nuF{ïä3ÿÏKg¾¾ÅKØ7º8ïÅYå¶ÚH·ƒŽGø8l(
++;
++GUf5tDìÇ·ÿWS’àˆ–‰3q9R㈇VÆ«ÜõiÈ–"ñ¤–çè_xŸ9¾eUÏÁ8Û[]å)9ë–¡!oôÙDÛÝ!#Ü4‘´ˆØCXG#†²ýÑÞ~_ܨ¤O¼=ð (s¦\\ÖqÜíŠ!M¶"yªéŽpØ"W?¡j$:Ò¯Ú§Šbü§îÝ??$J8@îÈ™E´Y¢YõѬEÁ“[lv”V°	®S"EôçIŒ–n¬ö1¶²	/ñ²Áj!s`ŠüÞ8ˆü‹¢àP­ï`µ¹Šo[z±­>\Þ qÈ>üÞûhŒ"zõþv}»º\_¯¯ê{%ÝÍú·f!µ=XÅw×GÄâ³»¸©;uÇ
++Åaù~_­¯V}•ÍQqDáNð;UC]øWtÀD1’LÓÅØ+%.:|N	Ž/ZNÂÂ÷µå7µÜžµxV—ÇVTn$°CCÝ°÷×Ь|T8f´Wh–ˆúš¨¤gÒÎ<½È7Z×t(•ª/AsãgŒÆ¥Ý_þ„±Pj©Ü	ª~ñżaç!ŒŸ¹çú‘–`~˜)HIá)Èé«v ŒÑ¸¯H¼ÍÅ/Ü(P "ïQ[•çž"xŽgÛ	àe‡b¤‹/‰—𝯠Ž}oBœfnµjXdÙžFl:‡ù®™¤vºê>ÜüßP„£Fn´NëÓ¡†c—êt‰7ÆrŠG.]¤¿Š?þfÉi«endstream
++endobj
++100 0 obj<</Type/Page/Parent 93 0 R/Contents 101 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F0 3 0 R/F4 4 0 R/F5 5 0 R/F6 6 0 R/F8 7 0 R/F9 8 0 R>>/XObject<<>>>>/Annots 44 0 R>>endobj
++101 0 obj<</Filter/FlateDecode/Length 1598      >>stream
++x•W]oÛ6}ϯ¸ÈËR VümGoi»vÚ5k<
++ŒDÙ\$Ò¥8ޯ߹$%3®—ah›T"ï×¹çRhˆ?#ZŒi2§¬:&C¼é|ýÈoh¾œãgEãQ2
++%ÝŸEÍÇÉ<Z‹+
++§É,ZŒŸ±:^¾0Ÿ±:¿N®cÛè™3%ËhÕe»˜'cš.ÈyŒµ¤Â•1~?ž#~¨Îý¿/.¬¸bú•ÃSWY¿äV¾ŽÃš+³[sU֏]MýÚÛÕÙÕ‡)F´*ЬùrA«ÜõhH«ìâgùÜÐ]-Ÿ”i-½3º‘º±túõ›ÕŸpvM£Psî“I2žÂãÅ$¡;c›B=“°$hõéž²RÁ›·:¤0/’Éò‹Î"šDÖxKoE—JØFÖø¥J²²~’uB«²„¿»Doîï?]q¬™™JZ´K”åžZ+‹¶L’„£i <\š·D¥¨×’r·úÎõ>Ž`ñ°‡?ö‘Saj’"ÛP.·¢n*”Ð'¥•^S³‘V†Ä,µ[âBdˆ96\¥ÈÚ¶Tv{Z«§`ÜCf÷¨³Bj¹,D[6´–A-K$ãêoLB¿›ÖÅ@`Í©e’sèÜō€lÙ Q™h$‰5Êfï0øzhQ0ç%Bß(“u£
+diff -urNad postfix-release/tls/contributed/README /tmp/dpep.cXJuVH/postfix-release/tls/contributed/README
+--- postfix-release/tls/contributed/README	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/contributed/README	2005-02-03 10:22:13.093089328 -0700
+@@ -0,0 +1,16 @@
++All entries in this directory have been contributed from other sources:
++
++- Frederic J. Hirsch <f.hirsch at opengroup.org>
++  * loadcacert.pl:
++	I "took" this one from his excellent introduction
++	"Introducing SSL and Certificates using SSLeay"
++	http://www.camb.opengroup.org/RI/www/prism/wwwj/index.html
++
++- Walcir Fontanini <walcir at densis.fee.unicamp.br>
++  * fp.csh:
++	add fingerprints to the list of client certs;
++	be carefull to a adjust filenames and maptype as necessary
++
++- Craig Sanders <cas at taz.net.au>
++  * make-postfix-cert.sh:
++	automatically create certificates for postfix usage.
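Review bot: the fp.csh entry has a typo, "be carefull to a adjust filenames and maptype" should read "be careful to adjust filenames and maptype". A bigger gap is that this README records where each contributed script came from but not the terms under which it may be redistributed; loadcacert.pl in particular was "took" from a third-party tutorial, so the license for each of the three scripts should be stated here or in the package's copyright documentation before they ship.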
+diff -urNad postfix-release/tls/contributed/SSL_CA-HOWTO.pdf /tmp/dpep.cXJuVH/postfix-release/tls/contributed/SSL_CA-HOWTO.pdf
+--- postfix-release/tls/contributed/SSL_CA-HOWTO.pdf	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/contributed/SSL_CA-HOWTO.pdf	2005-02-03 10:22:13.094089105 -0700
+@@ -0,0 +1,252 @@
++%PDF-1.3
++%âãÏÓ
++1 0 obj<</Producer(htmldoc 1.8.21 Copyright 1997-2002 Easy Software Products, All Rights Reserved.)/CreationDate(D:20021210121816+0000)/Title(TLS CA and server key HOWTO)/Creator(SGML-Tools 1.0.9)>>endobj
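Review bot: SSL_CA-HOWTO.pdf is a generated artifact (the Producer field names htmldoc and the Creator field SGML-Tools) and its compressed binary streams are being carried inside a text dpatch, which is fragile for patch tooling and impossible to review. Since the SGML source is added by the very next hunk in this patch, suggest dropping the PDF from the patch and either building it from SSL_CA-HOWTO.sgml at package build time or shipping only the SGML/HTML form.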
+diff -urNad postfix-release/tls/contributed/SSL_CA-HOWTO.sgml /tmp/dpep.cXJuVH/postfix-release/tls/contributed/SSL_CA-HOWTO.sgml
+--- postfix-release/tls/contributed/SSL_CA-HOWTO.sgml	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/contributed/SSL_CA-HOWTO.sgml	2005-02-03 10:22:13.095088882 -0700
+@@ -0,0 +1,168 @@
++<!-- This is a comment.  It's ignored when this source file gets converted to other formats.  -->
++<!-- The next required tag implies that this file is in LinuxDoc format -->
++<!doctype linuxdoc system>
++
++<article>
++<title>TLS CA and server key HOWTO
++<author><url url="mailto:justin at palmcoder.net" name="Justin Davies">
++<date>v1.0, December 2002
++<abstract>
++Secure Socket Layer is a communications encryption system.  
++It is commonly used to encrypt a http link for secure on-line transactions, but can be used for any 
++communications protocol,  such as  e-mail, telnet, FTP etc. 
++SSL uses certificates to encrypt and verify a connection session.  
++</abstract>
++
++<!-- The "toc" = Table of Contents.   It will be created here. -->
++<toc>
++
++<!-- Begin the main part of the article (or document) here.  The part 
++above this is sort of a long header. -->
++
++<sect>Introduction
++<p>SSL certificates follow the PPK model (Public/Private key). To establish a 
++connection, a public and private certificate is used to verify and encrypt a session.  
++To verify these certificates, a Certificate Authority (CA) is used to sign them. A CA is a 
++known and trusted third party that signs certificates and allows the hosts participating in 
++the communications to be confident that they are both authorised by a separate entity (the CA).
++
++There are a few CAs on the Internet, the most popular being Verisign (www.verisign.com).  
++The get a CA key, you must apply to a CA and in most cases you must also pay the CA for  
++their service.  You are able to become your own CA, which means you can sign newly created 
++certificates yourself.  This is acceptable if an organisation is offering services to employees as  
++both parties trust the CA (the organisation).  For public SSL sites it is advisable that you apply 
++for a CA certificate from a known authority so that a client can present the server certificate as 
++authentic to the end user. In the following pages, we will create self signed certificates 
++based on a self created CA. 
++
++<sect>SSL on Linux
++<p>The most popular open source SSL implementation is OpenSSL.  It is in the n (networking) series 
++of the SuSE distribution, this will be different for other distributions as the <it>package series</it> is 
++centric to SuSE.   
++<p>
++<it>Note: OpenSSL is only available in the European SuSE distributions.  This is due to 
++American import restrictions on munitions.</it>
++
++
++<sect>Setting up a Certificate Authority
++<p>Once you have installed the OpenSSL package, change directory to /usr/ssl/misc (again, may be different based
++on your distribution).The OpenSSL distribution provides a perl script that greatly simplifies the creation of a 
++CA, certificate requests and certificate signing. In the misc directory execute the following: 
++
++<tscreen><verb>
++root at zen:/usr/ssl/misc > ./CA.pl -newca
++CA certname (or enter to create)
++Making CA certificate ...
++Using configuration from /usr/ssl/openssl.cnf 
++Generating a 1024 bit RSA private key...++++++ ....++++++
++writing new private key to ./DemoCA/private/cakey.pem 
++Enter PEM pass phrase:
++Verifying password - 
++Enter PEM pass phrase:
++
++-----
++
++You are about to be asked to enter information that will be incorporated into your certificate 
++request.
++What you are about to enter is what is called a Distinguished Name or a DN. There are quite a 
++few fields but you can leave some blank
++For some fields there will be a default value, If you enter  the field will be left blank.
++-----
++Country Name (2 letter code) [UK]:UK
++State or Province Name (full name) [Some-State]:Herts 
++Locality Name (eg, city) []:London
++Organization Name (eg, company) [Internet Widgits Pty Ltd]:SuSE Linux UK Ltd 
++Organizational Unit Name (eg, section) []:SUSEUK
++Common Name (eg, YOUR name) []:SuSE Linux UK 
++Certificate Authority Email Address []:justin at suse.co.uk 
++</verb></tscreen>
++
++This creates the CA certificate and a private key.  It is very important to use a good, solid pass 
++phrase for the certificate as anyone who has access to the certificate can fake an authentic 
++certificate from your CA. The default location of the CA files is in the ./DemoCA directory. To change 
++this you  will need to edit the CA.pl script to make the CA in a different directory.  We will go 
++with the default here as it helps  keep things nice and simple. 
++
++<sect>Creating a server key
++<p>Once we have created the CA, we need to create  a certificate for the a server or a client 
++(the way to make these is exactly the same).
++
++We need to create a certificate request.  This creates a certificate that requests to be signed 
++(this is not an automatic process, and is handled by the sign process later on). 
++
++In the misc directory execute: 
++
++<tscreen><verb>
++root at zen:/usr/ssl/misc > ./CA.pl -newreq
++Using configuration from /usr/ssl/openssl.cnf 
++Generating a 1024 bit RSA private key...........................++++++ ....++++++
++writing new private key to newreq.pem 
++-----
++You are about to be asked to enter information that will be incorporated into your certificate 
++request.
++What you are about to enter is what is called a Distinguished Name or a DN. There are quite a 
++few fields but you can leave some blankFor some fields there will be a default value, If you enter  
++the field will be left blank.
++-----
++
++Country Name (2 letter code) [UK]:UK
++State or Province Name (full name) [Some-State]:Herts 
++Locality Name (eg, city) []:London
++Organization Name (eg, company) [Internet Widgits Pty Ltd]:SusE Linux UK Ltd 
++Organizational Unit Name (eg, section) []:SUSEUK-SERVER
++Common Name (eg, YOUR name) []:mail.suse.co.uk 
++Email Address []:postmaster at suse.co.uk 
++Please enter the following extra attributesto be sent with your certificate request 
++A challenge password []:
++An optional company name []:                  
++Request (and private key) is in newreq.pem 
++</verb></tscreen>
++
++Notice the value used for the Common Name.  It is the FQDN of the machine this certificate will be 
++used on.  If this is used as a server machine, the client will lookup the host name given  by the 
++certificate to see if it is indeed connecting to the machine the certificate was made for.  This 
++is not applicable to a certificate for a client as it is unlikely the hostname of the machine can
++be resolved.
++<p>
++It is advisable to still use the host name of the 
++client if it has one to uniquely identify the certificate in transactions. If you are using the 
++certificate in an automated client/server model, it is not going to be possible to setup a pass 
++phrase for the certificates as the connection cannot be initiated until the  pass phrase has been 
++entered. The certificate is always encrypted using a private key that is stored in the certificate 
++request constructed via the <it>CA.pl -newreq</it> command. You will need to specify the new request (<bf>newreq.pem</bf>) 
++as the private key to use in all client transactions regarding this certificate.  It is advisable to 
++rename this file to something meaningful like the host name of the machine it is being used on (in my 
++case I called it <it>zen.suse.co.uk.key</it>).  You can also concatenate the certificate and key together into 
++one manageable file.  To do this, just issue the following command: 
++
++<tscreen><verb>
++cat newcert.pem newreq.pem > zen.suse.co.uk.pem 
++</verb></tscreen>
++
++You now have one file with the private key and the certificate in it.You can edit the new file and take 
++out the data between the <bf>BEGIN CERTIFICATE REQUEST</bf>  and <bf>END CERTIFICATE REQUEST</bf> inclusive to tidy up the 
++file. All certificates must be signed by your CA to provide the authentication of the certificates you use 
++in your system.
++
++<sect1>Caveats
++<p>One thing that is useful to know is that OpenSSL is sometimes emphatic about how you name a certificate.  
++It does this to use a hash to lookup a certificate in a directory.  The hash is generated by issuing 
++the c_rehash /path/to/certificates command.  This generates something like:
++
++<tscreen><verb>
++root at zen:~ > c_rehash /usr/ssl/misc/
++Doing /usr/ssl/misc/
++newcert.pem => 66be5b2a.0 
++</verb></tscreen>
++
++This creates a symbolic link to the certificate with the link being the 8 byte hash of the certificate.  
++This is what the OpenSSL library looks for when it loads the certificate.
++
++<sect>Links
++<p>
++<itemize>
++<item><url url="http://www.openssl.org" name="OpenSSL Home">
++<item><url url="http://www.suse.com" name="SuSE Home">
++<item><url url="http://www.palmcoder.net" name="Home of the Postfix/TLS HOWTOS">
++</itemize>
++</article>
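Review bot: the warning in "Setting up a Certificate Authority" ("anyone who has access to the certificate can fake an authentic certificate from your CA") misstates the risk: the CA certificate is public by design, and what has to be protected is the CA private key written to ./DemoCA/private/cakey.pem together with its pass phrase; suggest "anyone who has access to the CA private key". Two smaller points: in "Caveats", c_rehash names the link with an 8-hex-digit (4-byte) hash such as 66be5b2a.0, not an "8 byte hash"; and "Creating a server key" has the reader concatenate newreq.pem, which holds the private key, into zen.suse.co.uk.pem without saying that the combined file must be readable only by the service, which is worth a sentence given that the preceding section also recommends running without a pass phrase. The note that OpenSSL is only in European SuSE because of American "import" restrictions is also stale and should say export restrictions if it is kept at all.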
+diff -urNad postfix-release/tls/doc/conf.html /tmp/dpep.cXJuVH/postfix-release/tls/doc/conf.html
+--- postfix-release/tls/doc/conf.html	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc/conf.html	2005-02-03 10:22:13.096088659 -0700
+@@ -0,0 +1,604 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
++<html>
++<head>
++<meta name="generator" content="HTML Tidy, see www.w3.org">
++<title>Postfix/TLS - Configuring main.cf and master.cf</title>
++</head>
++<body>
++<h1>Postfix/TLS - Configuring main.cf and master.cf</h1>
++
++To use the TLS extension you need to feed some information to
++postfix. Please see also the <code>conf/sample-tls.cf</code> file. 
++
++<h2>main.cf: smtpd (server) specific variables</h2>
++
++<pre>
++# To use TLS we do need a certificate and a private key. Both must be in
++# "pem" format, the private key must not be encrypted, that does mean:
++# it must be accessable without password. Both parts (certificate and
++# private key) may be in the same file.
++#
++# Both RSA and DSA are certificates are supported. Typically you will only
++# have RSA certificates issued by a commercial CA, also the tools supplied
++# with OpenSSL will by default issue RSA certificates.
++# You can have both at the same time, in this case the cipher used decides,
++# which certificate is presented. For Netscape and OpenSSL clients without
++# special cipher choices, the RSA certificate is preferred.
++#
++# In order to check the certificates, the CA-certificate (in case of a
++# certificate chain, all CA-certificates) must be available.
++# You should add these certificates to the server certificate, the server
++# certificate first, then the issuing CA(s).
++#
++# Example: the certificate for "server.dom.ain" was issued by "intermediate CA"
++# which itself has a certificate of "root CA". Create the server.pem file by
++# 'cat server_cert.pem intemediate_CA.pem root_CA.pem > server.pem'
++#
++# If you want to accept certificates issued by these CAs yourself, you can
++# also add the CA-certificates to the smtpd_tls_CAfile, in which case it is
++# not necessary to have them in the smtpd_tls_[d]cert_file.
++#
++# A certificate supplied here must be useable as SSL server certificate and
++# hence pass the "openssl verify -purpose sslserver ..." test.
++#
++smtpd_tls_cert_file = /etc/postfix/server.pem
++smtpd_tls_key_file = $smtpd_tls_cert_file
++#
++# Its DSA counterparts:
++smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
++smtpd_tls_dkey_file = $smtpd_tls_dcert_file
++
++# The certificate was issued by a certification authority (CA), the CA-cert
++# of which must be available, if not in the certificate file.
++# This file may also contain the the CA certificates of other trusted CAs.
++# You must use this file for the list of trusted CAs if you want to use
++# chroot-mode. No default is supplied for this value as of now.
++#
++# smtpd_tls_CAfile = /etc/postfix/CAcert.pem
++
++# To verify the peer certificate, we need to know the certificates of
++# certification authorities. These certificates in "pem" format are
++# collected in a directory. The same CAs are offered to clients for
++# client verification. Don't forget to create the necessary "hash"
++# links with $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs. A typical
++# place for the CA-certs may also be $OPENSSL_HOME/certs, so there is
++# no default and you explicitly have to set the value here!
++#
++# To use this option in chroot mode, this directory itself or a copy of it
++# must be inside the chroot jail. Please note also, that the CAs in this
++# directory are not listed to the client, so that e.g. Netscape might not
++# offer certificates issued by them.
++#
++# I therefore discourage the use of this option.
++#
++smtpd_tls_CApath = /etc/postfix/certs
++
++# To get additional information during the TLS setup and negotiations
++# you can increase the loglevel from 0..4:
++# 0: No output about the TLS subsystem
++# 1: Printout startup and certificate information
++# 2: 1 + Printout of levels during negotiation
++# 3: 2 + Hex and ASCII dump of negotiation process
++# 4: 3 + Hex and ASCII dump of complete transmission after STARTTLS
++# Use loglevel 3 only in case of problems. Use of loglevel 4 is strongly
++# discouraged.
++#
++# smtpd_tls_loglevel = 0
++
++# To include information about the protocol and cipher used as well as the
++# client and issuer CommonName into the "Received:" header, set the
++# smtpd_tls_received_header variable to true. The default is no, as the
++# information is not necessarily authentic. Only the final destination
++# is reliable, since the headers might have been changed in between.
++#
++#smtpd_tls_received_header = yes
++
++# By default TLS is disabled, so no difference to plain postfix is visible.
++# Explicitely switch it on using "smtpd_use_tls". (Note: when invoked
++# via "sendmail -bs", STARTTLS is never offered due to insufficient
++# privileges to access the private key. This is intended behaviour.)
++#
++smtpd_use_tls = yes
++
++# You can ENFORCE the use of TLS, so that no commands (except QUIT of course)
++# are allowed without TLS. According to RFC2487 this MUST NOT be applied
++# in case of a publicly-referenced SMTP server. So this option is off
++# by default and should only seldom be used. Using this option implies
++# smtpd_use_tls = yes. (Note: when invoked via "sendmail -bs", STARTTLS
++# is never offered due to insufficient privileges to access the private key.
++# This is intended behaviour.)
++#
++# smtpd_enforce_tls = no
++
++# Besides RFC2487 some clients, namely Outlook [Express] prefer to run the
++# non-standard "wrapper" mode, not the STARTTLS enhancement to SMTP.
++# This is true for OE (Win32 < 5.0 and Win32 >=5.0 when run on a port!=25
++# and OE (5.01 Mac on all ports).
++# It is strictly discouraged to use this mode from main.cf. If you want to
++# support this service, enable a special port in master.cf. Port 465 (smtps)
++# was once chosen for this feature.
++#
++# smtpd_tls_wrappermode = no
++
++# To receive a client certificate, the server must explicitly ask for one.
++# Hence netscape will either complain if no certificate is available (for
++# the list of CAs in /etc/postfix/certs) or will offer you client certificates
++# to choose from. This might be annoying, so this option is "off" by default.
++# You will however need the certificate if you want to to e.g. certificate
++# based relaying.
++#
++# smtpd_tls_ask_ccert = no
++
++# You may also decide to REQUIRE a client certificate to allow TLS connections.
++# I don't think it will be necessary often, it is however included here for
++# completeness. This option implies smtpd_tls_ask_ccert = yes
++#
++# Please be aware, that this will inhibit TLS connections without a proper
++# certificate and only makes sense, when normal submission is disabled and
++# TLS is enforced (smtpd_enforce_tls). Otherwise clients may bypass by simply
++# not using STARTTLS at all. When TLS is not enforced, the connection will be
++# handled, as if only smtpd_tls_ask_ccert = yes would be set and an information
++# is logged.
++#
++# smtpd_tls_req_ccert = no
++
++# The verification depth for client certificates. A depth of 1 is sufficient,
++# if the certificate ist directly issued by a CA listed in the CA locations.
++# The default value (5) should also suffice for longer chains (root CA issues
++# special CA which then issues the actual certificate...)
++#
++# smtpd_tls_ccert_verifydepth = 5
++
++# The server and client negotiate a session, which takes some computer time
++# and network bandwidth. The session is cached only in the smtpd process
++# actually using this session and is lost when the process dies.
++# To share the session information between the smtpd processes, a disc based
++# session cache can be used based on the SDBM databases (routines included
++# in Postfix/TLS). Since concurrent writing must be supported, only SDBM
++# can be used.
++#
++smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
++
++# The cached sessions time out after a certain amount of time. For Postfix/TLS
++# I do not use the OpenSSL default of 300sec, but a longer time of 3600sec
++# (=1 hour). RFC2246 recommends a maximum of 24 hours.
++#
++# smtpd_tls_session_cache_timeout = 3600s
++
++# Two additional options has been added for relay control to the UCE rules:
++#   permit_tls_clientcerts	(a)
++# and
++#   permit_tls_all_clientcerts. (b)
++#
++# If one of these options is added to
++#   smtpd_recipient_restrictions,
++# postfix will relay if 
++# (a) a valid (it passed the verification) client certificate is presented
++#     and its fingerprint is listed in the list of client certs
++#     (relay_clientcerts),
++# (b) any valid (it passed the verification) client certificate is presented.
++#
++# Option (b) must only be used, if a special CA issues the certificates and
++# only this CA is listed as trusted CA. If other CAs are trusted, any owner
++# of a valid (SSL client)-certificate can relay. Option (b) can be practical
++# for a specically created email relay. It is however recommended to stay with
++# option (a) and list all certificates, as (b) does not permit any control
++# when a certificate must no longer be used (e.g. an employee leaving).
++#
++# smtpd_recipient_restrictions = ... permit_tls_clientcerts ...
++
++# The list of client certificates for which relaying will be allowed.
++# Unfortunately the routines for lists in postfix use whitespaces as
++# seperators and choke on special chars. So using the certificate
++# X509ONELINES is quite impractical. We will use the fingerprints at
++# this point, as they are difficult to fake but easy to use for lookup.
++# As postmap (when using e.g. db) insists of having a pair of key and value,
++# but we only need the key, the value can be chosen freely, e.g. the name
++# of the user or host:
++# D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home
++#
++# relay_clientcerts = hash:/etc/postfix/relay_clientcerts
++
++# To influence the cipher selection scheme, you can give cipherlist-string.
++# A detailed description would go to far here, please refer to the openssl
++# documentation.
++# If you don't know what to do with it, simply don't touch it and leave the
++# (openssl-)compiled in default!
++#
++# DO NOT USE " to enclose the string, just the string!!!
++#
++# smtpd_tls_cipherlist = DEFAULT
++
++# If you want to take advantage of ciphers with EDH, DH parameters are needed.
++# There are built in DH parameters for both 1025bit and 512bit available. It
++# is however better to have "own" parameters, since otherwise it would "pay"
++# for a possible attacker to start a brute force attack against these
++# parameters commonly used by everybody. For this reason, the parameters
++# chosen are already different from those distributed with other TLS packages.
++#
++# To generate your own set of parameters, use
++# openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024
++# openssl gendh -out /etc/postfix/dh_512.pem -2 -rand /var/run/egd-pool 512
++# (your source for "entropy" might vary; on Linux there is /dev/random, on
++# other system, you might consider the "Entropy Gathering Daemon EGD", 
++# available at http://www.lothar.com/tech/crypto/.
++#
++smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
++smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
++
++# The smtpd_starttls_timeout parameter limits the time in seconds to write and
++# read operations during TLS start and stop handhake procedures.
++#
++# smtpd_starttls_timeout = 300s
++</pre>
++
++<h2>main.cf: smtp (client) specific variables</h2>
++
++<pre>
++# During the startup negotiation we might present a certificate to the server.
++# Netscape is rather clever here and lets the user select between only those
++# certs that will match the CAs accepted from the server. As I simply use
++# the integrated "SSL_connect()" from the OpenSSL package, this is not
++# possible by now and we have to chose just one cert.
++# So for now the default is to use _no_ cert and key unless explictly
++# set here. It is possible to use the same key/cert pair as for the server.
++# If a cert is to be presented, it must be in "pem" format, the private key
++# must not be encrypted, that does mean: it must be accessable without
++# password. Both parts (certificate and private key) may be in the
++# same file.
++#
++# In order to check the certificates, the CA-certificate (in case of a
++# certificate chain, all CA-certificates) must be available.
++# You should add these certificates to the server certificate, the server
++# certificate first, then the issuing CA(s).
++#
++# Example: the certificate for "client.dom.ain" was issued by "intermediate CA"
++# which itself has a certificate of "root CA". Create the client.pem file by
++# 'cat client_cert.pem intemediate_CA.pem root_CA.pem > client.pem'
++#
++# If you want to accept certificates issued by these CAs yourself, you can
++# also add the CA-certificates to the smtp_tls_CAfile, in which case it is
++# not necessary to have them in the smtp_tls_[d]cert_file.
++#
++# A certificate supplied here must be useable as SSL client certificate and
++# hence pass the "openssl verify -purpose sslclient ..." test.
++#
++smtp_tls_cert_file = /etc/postfix/client.pem
++smtp_tls_key_file = $smtp_tls_cert_file
++
++# The certificate was issued by a certification authority (CA), the CA-cert
++# of which must be available, if not in the certificate file.
++# This file may also contain the the CA certificates of other trusted CAs.
++# You must use this file for the list of trusted CAs if you want to use
++# chroot-mode. No default is supplied for this value as of now.
++#
++smtp_tls_CAfile = /etc/postfix/CAcert.pem
++
++# To verify the peer certificate, we need to know the certificates of
++# certification authorities. These certificates in "pem" format are
++# collected in a directory. Don't forget to create the necessary "hash"
++# links with $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs. A typical
++# place for the CA-certs may also be $OPENSSL_HOME/certs, so there is
++# no default and you explicitly have to set the value here!
++#
++# To use this option in chroot mode, this directory itself or a copy of it
++# must be inside the chroot jail.
++#
++smtp_tls_CApath = /etc/postfix/certs
++
++# To get additional information during the TLS setup and negotiations
++# you can increase the loglevel from 0..4:
++# 0: No output about the TLS subsystem
++# 1: Printout startup and certificate information
++# 2: 1 + Printout of levels during negotiation
++# 3: 2 + Hex and ASCII dump of negotiation process
++# 4: 3 + Hex and ASCII dump of complete transmission after STARTTLS
++# Use loglevel 3 only in case of problems. Use of loglevel 4 is strongly
++# discouraged.
++#
++smtp_tls_loglevel = 0
++
++# The server and client negotiate a session, which takes some computer time
++# and network bandwidth. The session is cached only in the smtpd process
++# actually using this session and is lost when the process dies.
++# To share the session information between the smtp processes, a disc based
++# session cache can be used based on the SDBM databases (routines included
++# in Postfix/TLS). Since concurrent writing must be supported, only SDBM
++# can be used.
++#
++smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache
++
++# The cached sessions time out after a certain amount of time. For Postfix/TLS
++# I do not use the OpenSSL default of 300sec, but a longer time of 3600sec
++# (=1 hour). RFC2246 recommends a maximum of 24 hours.
++#
++# smtp_tls_session_cache_timeout = 3600s
++
++# By default TLS is disabled, so no difference to plain postfix is visible.
++# If you enable TLS it will be used when offered by the server.
++# WARNING: I didn't have access to other software (except those explicitely
++# listed) to test the interaction. On corresponding mailing list
++# there was a discussion going on about MS exchange servers offering
++# STARTTLS even if it is not configured, so it might be wise to not
++# use this option on your central mail hub, as you don't know in advance
++# whether you are going to hit such host. Use the recipient/site specific
++# options instead.
++# HINT: I have it switched on on my mailservers and did experience one
++# single failure since client side TLS is implemented. (There was one
++# misconfired MS Exchange server; I contacted ths admin.) Hence, I am happy
++# with it running all the time, but I am interested in testing anyway.
++# You have been warned, however :-)
++#
++# In case of failure, a "4xx" code is issued and the mail stays in the queue.
++#
++# Explicitely switch it on here, if you want it.
++#
++smtp_use_tls = yes
++
++# You can ENFORCE the use of TLS, so that only connections with TLS will
++# be accepted. Additionally, the hostname of the receiving host is matched
++# against the CommonName in the certificate. Also, the certificate must
++# be verified "Ok", so that a CA trusted by the client must have issued
++# the certificate. If the certificate doesn't verify or the hostname doesn't
++# match, a "4xx" will be issued and the mail stays in the queue.
++# The hostname used in the check is beyond question, as it must be the
++# principle hostname (no CNAME allowed here). Checks are performed against
++# all names provided as dNSNames in the SubjectAlternativeName. If no
++# dNSNames are specified, the CommonName is checked.
++# The behaviour may be changed with the smtp_tls_enforce_peername option
++#
++# This option is useful only if you are definitely sure that you will only
++# connect to servers supporting RFC2487 _and_ with valid certificates.
++# I use it for my clients which will only send email to one mailhub, which
++# does offer the necessary STARTTLS support.
++#
++# smtp_enforce_tls = no
++
++# As of RFC2487 the requirements for hostname checking for MTA clients are
++# not set. When in smtp_enforce_tls mode, the option smtp_tls_enforce_peername
++# can be set to "no" to disable strict peername checking. In this case, the
++# mail delivery will be continued, if a TLS connection was established
++# _and_ the peer certificate passed verification _but_ regardless of the
++# CommonName listed in the certificate. This option only applies to the
++# default setting smtp_enforce_tls_mode, special settings in the
++# smtp_tls_per_site table override smtp_tls_enforce_peername.
++#
++# This can make sense in closed environment where special CAs are created.
++# If not used carefully, this option opens the danger of a "man-in-the-middle"
++# attack (the CommonName of this attacker is logged).
++#
++# smtp_tls_enforce_peername = yes
++
++# As generally trying TLS can be a bad idea (some hosts offer STARTTLS but
++# the negotiation will fail leading to unexplainable failures, it may be
++# a good idea to decide based on the recipient or the mailhub to which you are
++# connecting.
++#
++# Deciding per recipient may be difficult, since a singe email can have
++# several recipients. We use the "nexthop" mechanism inside postfix.
++# When an email is to be delivered, the "nexthop" is obtained. If it matches
++# an entry in the smtp_tls_per_site list, appropriate action is taken.
++# Since entries in the transport table or the use of a relay_host override
++# the nexthop setting, in these cases the relay_host etc must be listed
++# in the table. In any case, the hostname of the peer to be contacted is
++# looked up (that is: the MX or the name of the host, if no MX is given).
++#
++# Special hint for enforcement mode:
++# Since there is no secure mechanism for DNS lookups available, the
++# recommended setup is: put the sensible domains with their mailhost
++# into the transport table (since you can asure security of this table
++# unlike DNS), then set MUST mode for this mailhost.
++#
++# Format of the table:
++# The keys entries are on the left hand side, no wildcards allowed. On the
++# right hand side the keywords NONE (don't use TLS at all), MAY (try to use
++# STARTTLS if offered, no problem if not), MUST (enforce usage of STARTTLS,
++# check server certificate CommonName against server FQDN), MUST_NOPEERMATCH
++# (enforce usage of STARTTLS and verify certificate, but ignore differences
++# between CommonName and server FQDN).
++# dom.ain		NONE
++# host.dom.ain		MAY
++# important.host	MUST
++# some.host.dom.ain	MUST_NOPEERMATCH
++#
++# If an entry is not matched, the default policy is applied; if the default
++# policy is "enforce", NONE explicitely switches it off, otherwise the
++# "enforce" mode is used even for MAY entries.
++#
++smtp_tls_per_site = hash:/etc/postfix/tls_per_site
++
++# The verification depth for server certificates. A depth of 1 is sufficient,
++# if the certificate ist directly issued by a CA listed in the CA locations.
++# The default value (5) should also suffice for longer chains (root CA issues
++# special CA which then issues the actual certificate...)
++#
++# smtp_tls_scert_verifydepth = 5
++
++# As we decide on a "per site" basis, wether to use TLS or not, it would be
++# good to have a list of sites, that offered "STARTTLS'. We can collect it
++# ourselves with this option.
++#
++# If activated and TLS is not already enabled for this host, a line is added
++# to the logfile:
++# postfix/smtp[pid]: Host offered STARTTLS: [name.of.host]
++#
++smtp_tls_note_starttls_offer = yes
++
++# To influence the cipher selection scheme, you can give cipherlist-string.
++# A detailed description would go to far here, please refer to the openssl
++# documentation.
++# If you don't know what to do with it, simply don't touch it and leave the
++# (openssl-)compiled in default!
++#
++# DO NOT USE " to enclose the string, just the string!!!
++#
++# smtp_tls_cipherlist = DEFAULT
++
++# The smtp_starttls_timeout parameter limits the time in seconds to write and
++# read operations during TLS start and stop handhake procedures.
++#
++# In case of problems the client does NOT try the next address on
++# the mail exchanger list.
++#
++# smtp_starttls_timeout = 300s
++</pre>
++
++<h2>SASL related variables</h2>
++
++<pre>
++# The smtpd_sasl_tls_security_options parameter controls what authentication
++# mechanism the Postfix SMTP server will offer to the client, in case the
++# connection is protected by a TLS encrypted session.
++# This parameter allows to provide for example plaintext authentication that
++# otherwise would not be allowed without encryption.
++# The default is to use the same settings as in the unencrypted case.
++#
++# Warning: this option only works against passive (eavesdropping) attackes.
++# An active attacker (man in the middle) may modify the AUTH options offered
++# and/or remove the STARTTLS offer from the EHLO response. Protection against
++# active attackers is only possible by enforcing TLS at the client side.
++#
++#smtpd_sasl_tls_security_options = noanonymous
++smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
++
++# Sending AUTH data over an unencrypted channel poses a security risk. When
++# smtpd_tls_enforce_tls is set, AUTH will only be announced and accepted,
++# once the TLS layer has been activated via the STARTTLS protocol. If
++# TLS layer encryption is optional, it may however still be useful to only
++# offer AUTH, if TLS is active. To not break compatiblity with unpatched
++# postfix versions, the default is to accept AUTH without encryption. In
++# order to change this behaviour, set smtpd_tls_auth_only = yes.
++# THIS OPTION ONLY WORKS WITH SSL/TLS SUPPORT COMPILED IN.
++#
++#smtpd_tls_auth_only = yes
++smtpd_tls_auth_only = no
++
++# The smtp_sasl_tls_security_options parameter controls, what authentication
++# mechanisms the local Postfix SMTP client is allowed to use, if the session
++# is encrypted via TLS. This provides the option to permit plaintext passwords
++# that otherwise could not be used.
++#
++# The settings allowed are the same as for the non-encrypted sessions
++# (smtp_sasl_security_options).
++#
++# Warning, Warning, Warning: This option only works against passive
++# (eavesdropping) attacks. An active attacker (man in the middle) may provide
++# a TLS capabable server (proxy) and in such way obtain the password
++# information. The only way to prevent a man in the middle attack is to check
++# the hostname of the server presented in the certificate. This is assured
++# in the (preferrably used) smtp_sasl_tls_verified_security_options case.
++#
++#smtp_sasl_tls_security_options =
++smtp_sasl_tls_security_options = $smtp_sasl_security_options
++
++# The smtp_sasl_tls_verified_security_options parameter controls, what
++# authentication mechanisms the local Postfix SMTP client is allowed to use,
++# if the session is encrypted via TLS _and_ the server has proven its
++# identity (expected hostname matches certificate, verification successfull).
++# This provides the option to permit plaintext passwords that otherwise could
++# not be used.
++#
++# The settings allowed are the same as for the non-encrypted sessions
++# (smtp_sasl_security_options).
++#
++#smtp_sasl_tls_verified_security_options =
++smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
++</pre>
++
++<h2>main.cf: general variables</h2>
++
++<pre>
++# In order to seed the PRNG Pseude Random Number Generator, random data is
++# needed. The PRNG pool is maintained by the "tlsmgr" daemon and is used
++# (read) by the smtp[d] processes after adding some more entropy by stirring
++# in time and process id.
++# The file, which is from time to time rewritten by the tlsmgr, is created
++# if not existant. A default value is given; the default should probably
++# be on the /var partition but _not_ inside chroot jail.
++#
++# tls_random_exchange_name = /etc/postfix/prng_exch
++
++# To feed the PRNG pool, entropy is being read from an external source,
++# both at startup and during run.
++# Specify a good entropy source here, like EGD or /dev/urandom; make sure
++# to only use non-blocking sources.
++# In both cases, 32 bytes are read at each re-seeding event (which is an
++# amount of 256bits and hence good enough for 128bit symmetric keys).
++# You must specify the type of source: "dev:" for a device special file
++# or "egd:" for a source with EGD compatible socket interface. A maximum
++# 255 bytes is read from these sources in each step.
++# If you specify a normal file, a larger amount of data can be read.
++#
++# The entropy source is queried again after a certain amount of time. The
++# time is calculated using the PRNG, it is between 0 and the time specified,
++# default is a maximum of 1 hour.
++#
++# tls_random_source = dev:/dev/urandom
++tls_random_source = egd:/var/run/egd-pool
++# tls_random_bytes = 32
++# tls_random_reseed_period = 3600s
++
++# The PRNG pool inside tlsmgr is used to re-generate the 1024 byte file
++# being read by smtp[d]. The time, after which the exchange file is
++# rewritten is calculated using the PRNG, it is between 0 and the time
++# specified, default is a maximum of 60 seconds.
++#
++# tls_random_upd_period = 60s
++
++# If you have a entropy source available, that is not easily drained (like
++# /dev/urandom), the daemons can also load additional entropy on startup from
++# the source specified. By default an amount of 32 bytes is read, the
++# equivalent to 256 bits. This is more than enough to generate a 128bit
++# (or 168bit) session key, but we may have to generate more than one.
++# Usage of this option may drain EGD (consider the case of 50 smtp starting
++# up with a full queue and "postfix start", which will request 1600bytes
++# of entropy). This is however not fatal, as long as "entropy" data could
++# be read from the exchange file.
++#
++# tls_daemon_random_source = dev:/dev/urandom
++tls_daemon_random_source = egd:/var/run/egd-pool
++# tls_daemon_random_bytes = 32
++</pre>
++
++<h2>master.cf: tlsmgr daemon</h2>
++
++If you don't have a /dev/urandom device and/or use session caching,
++you must run the "tlsmgr" daemon (see conf/master.cf). The tlsmgr
++will contact entropy sources on startup and keep the connection open,
++so that it can be chrooted and can drop privileges.
++
++<pre>
++# ==========================================================================
++# service type  private unpriv  chroot  wakeup  maxproc command + args
++#               (yes)   (yes)   (yes)   (never) (50)
++# ==========================================================================
++tlsmgr    fifo  -       -       y       300     1       tlsmgr
++</pre>
++
++<h2>master.cf: additional services</h2>
++
++It can be useful to have postfix listen on additional ports, namely
++"submission"=587 for email submission as defined in RFC2476; this
++is especially useful if you want to allow AUTH with plaintext
++passwords (PLAIN, LOGIN) and hence run on a port with encryption
++enforcement. Another useful port may be "smtps"=465 which was
++intended with TLS-wrapping and is still used by Outlook (Express). 
++
++<p>Both example entries already contain the flags to enable SASL
++authentication (which may be disabled on the normal port). Since
++the actual service names are used, smtps and submission must be
++defined in /etc/services (and probably also in
++/var/spool/postfix/etc/services if chrooted)!!! (Use the port
++numbers otherwise.)</p>
++
++<pre>
++# ==========================================================================
++# service type  private unpriv  chroot  wakeup  maxproc command + args
++#               (yes)   (yes)   (yes)   (never) (50)
++# ==========================================================================
++smtps     inet  n       -       y       -       -       smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
++submission inet n       -       y       -       -       smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
++</pre>
++</body>
++</html>
++
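Review bot: the SASL section of conf.html says "When smtpd_tls_enforce_tls is set, AUTH will only be announced and accepted, once the TLS layer has been activated", but no such parameter exists in this file; the server-side option is documented earlier in the same hunk as "smtpd_enforce_tls", and the name should be corrected before an administrator copies it into main.cf expecting enforcement. A second gap in the same sample: the active lines "smtpd_tls_cert_file = /etc/postfix/server.pem" and "smtpd_tls_key_file = $smtpd_tls_cert_file" place the unencrypted private key in the certificate file, yet the comment block only says the key "must be accessable without password"; it should add that such a combined file (and the client.pem counterpart) must be owned by root and unreadable by any other user. Minor fixes for the same pass: "intemediate_CA.pem" in both cat examples will not match a file actually named intermediate_CA.pem, "1025bit" in the EDH paragraph should read 1024bit, and "accessable", "handhake", "seperators" and "Explicitely" recur throughout the comments.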
+diff -urNad postfix-release/tls/doc/index.html /tmp/dpep.cXJuVH/postfix-release/tls/doc/index.html
+--- postfix-release/tls/doc/index.html	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc/index.html	2005-02-03 10:22:13.096088659 -0700
+@@ -0,0 +1,53 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
++<html>
++<head>
++<meta name="generator" content="HTML Tidy, see www.w3.org">
++<title>Postfix/TLS - A TLS extension for POSTFIX</title>
++</head>
++<body>
++<h1>Postfix/TLS - A TLS extension for POSTFIX</h1>
++
++<h2>Contents</h2>
++
++<ul>
++<li><a href="intro.html">Introduction</a></li>
++
++<li><a href="install.html">Installing the patchkit</a></li>
++
++<li><a href="setup.html">Setting up the certificates</a></li>
++
++<li><a href="conf.html">Configuring main.cf</a></li>
++
++<li><a href="security.html">Security considerations</a></li>
++
++<li><a href="test.html">Testing</a></li>
++
++<li><a href="prng.html">PRNG - Pseudo Random Number
++Generator</a></li>
++
++<li><a href="references.html">References</a></li>
++</ul>
++
++Please check also the contents of the <tt>contributions</tt> folder
++including useful scripts and some <b>HOWTO</b> documents.
++
++<pre>
++PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG
++CRYPTOGRAPHY SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST
++COMMUNICATING TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS
++ILLEGAL IN SOME PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE
++TO YOUR COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL
++TECHNICAL SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR
++OTHER PEOPLE YOU ARE STRONGLY ADVICED TO PAY CLOSE ATTENTION TO ANY
++EXPORT/IMPORT AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHOR OF
++POSTFIX/TLS IS NOT LIABLE FOR ANY VIOLATIONS YOU MAKE HERE. SO BE
++CAREFULLY YOURSELF, IT IS YOUR RESPONSIBILITY.
++</pre>
++
++Lutz J&auml;nicke, <a href=
++"http://www.aet.tu-cottbus.de/personen/jaenicke/">Homepage</a>,
++Email: <a href="mailto:Lutz.Jaenicke at aet.TU-Cottbus.DE"><em>
++Lutz.Jaenicke at aet.TU-Cottbus.DE</em></a>
++</body>
++</html>
++
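Review bot: the capitalised export notice in the pre block reads "STRONGLY ADVICED" and "SO BE CAREFULLY YOURSELF", which should be "STRONGLY ADVISED" and "SO BE CAREFUL YOURSELF". Also, the contents entry "Configuring main.cf" points at conf.html, whose own title in the previous hunk is "Postfix/TLS - Configuring main.cf and master.cf", so the link text should mention master.cf as well so that readers looking for the tlsmgr and smtps/submission service entries find them.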
+diff -urNad postfix-release/tls/doc/install.html /tmp/dpep.cXJuVH/postfix-release/tls/doc/install.html
+--- postfix-release/tls/doc/install.html	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc/install.html	2005-02-03 10:22:13.096088659 -0700
+@@ -0,0 +1,93 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
++<html>
++<head>
++<meta name="generator" content="HTML Tidy, see www.w3.org">
++<title>Postfix/TLS - Installation</title>
++</head>
++<body>
++<h1>Postfix/TLS - Installing the patchkit</h1>
++
++<h2>Prerequisits</h2>
++
++This patchkit is prepared for 
++
++<ul>
++<li>Postfix Version 2.1.0<br>
++ <a href="http://www.postfix.org/">http://www.postfix.org/</a> [<a
++href="references.html#postfix">POSTFIX</a>]<br>
++ The use of other versions might lead to patch conflicts or silent
++failures, as we directly change the source code.</li>
++
++<li>OpenSSL Version 0.9.7d (>=0.9.5)<br>
++ <a href="http://www.openssl.org/">http://www.openssl.org/</a> [<a
++href="references.html#openssl">OPENSSL</a>]<br>
++We use OpenSSL as library (and some command line tools to create
++the certificates, if necessary). OpenSSL is the successor of
++SSLeay.
++<p>Postfix/TLS uses properties that are only available starting with
++version 0.9.5 of the OpenSSL library. 0.9.5a and 0.9.6x have proven
++stability over several months.
++
++The release 0.9.7 contains several enhancemants and bugfixes.
++
++OpenSSL 0.9.7d is the latest release and the recommended version.
++</li>
++</ul>
++
++You may also need to update your "patch" utility (see below). 
++
++<h2>Patching</h2>
++
++The changes to the postfix source code as well as the additional
++files are included in the "<code>pfixtls.diff</code>" in the main
++directory of the patch kit. It is a unified diff. 
++
++<p>To apply the patches, go to the directory one level below the
++original postfix source tree (you should see
++"<code>postfix-xxxxxxx</code>" or "<code>snapshot-xxxxxxx</code>"
++when doing an "<code>ls -al</code>"
++at this point. The patch is then applied with:</p>
++
++<pre>
++patch -p0 &lt; path-to/pfixtls.diff
++</pre>
++
++If you experience problems during the patch process (e.g. with the
++HP-UX 10.20 or Solaris included patch), you might need to update your patch
++program, e.g. to an actual GNU-patch. 
++
++<p>If you need to apply the patchkit to a different version of
++patchlevel of postfix, you might try the following:</p>
++
++<pre>
++cd postfix-directory ; patch -p1 &lt; path-to/pfixtls.diff
++</pre>
++
++Since the patch is in unified form, it might also apply to a mildly
++changed source, as long as no conflicts appear. 
++
++<h2>Compiling</h2>
++
++After patching postfix will configure and compile as before. In
++order to enable the TLS functions, you must specify the path to the
++OpenSSL header files as well as the appropriate libraries, and you
++must define <code>USE_SSL</code>. Your command for configuration
++might then be: 
++
++<pre>
++make makefiles CCARGS="-DUSE_SSL -I/usr/local/ssl/include" AUXLIBS="-L/usr/local/ssl/lib -lssl -lcrypto"
++</pre>
++
++You might need additional customization e.g. for using Berkeley-DB
++as listed in the postfix INSTALL instructions. You can then
++continue in the usual way with: 
++
++<pre>
++make
++</pre>
++
++and then follow the instructions in the postfix INSTALL file. 
++
++</body>
++</html>
++
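Review bot: the "Patching" and "Compiling" sections tell the reader to apply pfixtls.diff to a Postfix 2.1.0 tree with `patch -p0 < path-to/pfixtls.diff` and to rebuild with `make makefiles CCARGS="-DUSE_SSL ..."`, which does not apply to users of a pre-built package where the TLS changes are already merged into the source; add a short note at the top of install.html saying so, or leave this file out of the installed documentation. The version statements are also a snapshot ("OpenSSL 0.9.7d is the latest release and the recommended version", "0.9.5a and 0.9.6x have proven stability over several months") and will mislead readers linking against a newer library; state a minimum ("0.9.5 or later") instead of naming a "latest" release. Spelling: "Prerequisits" should be "Prerequisites", "enhancemants" should be "enhancements", "a different version of patchlevel" should be "a different version or patchlevel", and "an actual GNU-patch" should be "a current GNU patch".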
+diff -urNad postfix-release/tls/doc/intro.html /tmp/dpep.cXJuVH/postfix-release/tls/doc/intro.html
+--- postfix-release/tls/doc/intro.html	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc/intro.html	2005-02-03 10:22:13.097088436 -0700
+@@ -0,0 +1,194 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
++<html>
++<head>
++<meta name="generator" content="HTML Tidy, see www.w3.org">
++<title>Postfix/TLS - Introduction</title>
++</head>
++<body>
++<h1>Postfix/TLS - Introduction</h1>
++
++Postfix/TLS is an extension of the Postfix [<a href=
++"references.html#postfix">POSTFIX</a>] MTA software to support the
++TLS protocol. 
++
++<h2>A note about the start of the project</h2>
++
++When I started writing this software, I had a sophisticated way to
++allow <a href="relaycert.html">relaying for roaming users</a> in
++mind. In the meantime, this project is living on its own. 
++
++<h2>RFC2246: The TLS (former SSL) protocol</h2>
++
++By default all communication on the Internet is done without
++encryption and without strong authentication. That does mean that
++everybody with physical access to the communication line along
++which a network packet will travel can eavesdrop on your
++communication. Even worse, it might be possible to redirect or
++alter your communication so that information, that you want to send
++to a party can be lost or changed without your notice. 
++
++<p>In order to solve these security issues, the SSL protocol
++(Secure Socket Layers) was introduced by Netscape, Inc., which now
++has evolved into the standardised TLS protocol (Transportation
++Layer Security) as <a href="rfc2246.txt">RFC2246</a>. It offers
++both encryption of the communication (stopping eavesdropping) and
++strong authentication (making sure that both parties of a
++communication are correctly identified and that the communication
++cannot be altered).</p>
++
++<p>Postfix/TLS does not realize the TLS protocol itself; it rather
++uses the OpenSSL package [<a href=
++"references.html#openssl">OPENSSL</a>] for this task. At the
++OpenSSL WWW-site you can also find links to in-depth documentation
++of the protocol and its features, so that it is not necessary to
++included them here. (And, of course, there is no use of re-writing
++what other people already wrote down, it just introduces additional
++errors.)</p>
++
++<h2>RFC2487: Introducing TLS to SMTP</h2>
++
++The integration of the TLS protocol to Internet mail, SMTP (Simple
++Mail Transport Protocol) is described in <a href="rfc2487.txt">
++RFC2487</a>. 
++
++<p>Unlike the first incarnations of SSL as a <em>wrapper</em>
++around normal network communications [<a href=
++"references.html#stunnel">STUNNEL</a>] [<a href=
++"references.html#jonama">JONAMA</a>], the TLS protocol is now
++completely <em>integrated</em> into the ESMTP: during the startup
++negotiation (EHLO) the server offers the support of TLS by
++advertising the <strong>STARTTLS</strong> feature. The client can
++now send the <strong>STARTTLS</strong> command to do authentication
++and switch to encrypted communication.</p>
++
++<h2>Postfix/TLS: what can it do for you</h2>
++
++The list of features presented here should be understood as a list
++of ideas. Not all of them are realized yet, please see the notes at
++each feature. 
++
++<ul>
++<li>Encrypted email transfer from one host to another.<br>
++Status: realized.<br>
++Comment: Once the STARTTLS negotiation is finished, the
++communication between both parties is encrypted.
++This also includes the MAIL FROM: and RCPT TO: envelop sender
++and recipient negotiation, so that an eavesdropper will not be able
++to get these informations.</li>
++
++<li>Authentication of the receiving host to prevent
++interception.<br>
++Status: realized.<br>
++Comment: This is a quite important feature that is not difficult to
++implement. The problem lies in the fact, that not all hosts (read
++this: by now nearly no one) support this protocol. The sender must
++hence maintain a list of receivers which must identify by TLS,
++otherwise one could just intercept the communication and not offer
++STARTTLS, so that no authentication is done. One must also be
++careful to use the correct name of the host (see CNAMEs), but this
++problem is the same for http-servers.</li>
++
++<li>Authentication of the sending host to prevent forgery.<br>
++Status: Difficult to do.<br>
++Comment: The transmission of emails is just a connection to the
++SMTP port (25) of the receiving host. This is done by either
++another MTA (Mail Transport Agent) or a MUA (Mail User Agent). In
++the first case, the sending MTA should present a client certificate
++issued on the name of the sending host. In the latter case however,
++the user has no access to the host's certificate and will (or not)
++present his own personal certificate. At this point I think that a
++satisfying <em>and</em> reliable solution is hardly possible (do
++you want your users' email bounce without reason?), so it has least
++priority.</li>
++
++<li>Authentication of the sending host to allow relaying.<br>
++Status: realized.<br>
++Comment: This was the intention I had in mind when starting this
++project, so it was realized first. Based on the certificate the
++client MTA or MUA presents to the server, relaying can be
++allowed.</li>
++
++<li>Any more ideas???<br>
++Status: Send me an email.</li>
++</ul>
++
++<h2>Postfix/TLS: what it cannot do for you</h2>
++
++There is one thing that I explicitly want to point out: 
++
++<ul>
++<li>Securing the privacy of your email.<br>
++Status: Cannot be done.<br>
++Comment: RFC2487 only takes care of the transportation between mail
++servers. To assure that nobody can eavesdrop on your private email
++communication, it would be necessary that 
++
++<ul>
++<li>all of the mailhubs in between are enforcing TLS.</li>
++
++<li>all mailhubs themselves are trustworthy, as the email is only
++encrypted during transport, not when queued or spooled.</li>
++
++<li>the destination is trustworthy, as the mail is spooled in clear
++and everybody who can access your mailbox (read this: at least the
++superuser) can read your mail!</li>
++</ul>
++
++Hence, if you want privacy, you have to <em>send out</em> your
++email encrypted, e.g. using S/MIME or the traditional PGP
++package.</li>
++
++<li>Authenticate the sender of an email.<br>
++Status: Cannot be done.<br>
++Comment: A lot of MUAs send out emails by just connecting the SMTP
++port of the sending host or nearest mailhub. There is no way to
++assure that the sender listed in the email is the real sender of
++the email. And even if it would be possible to identify the sender,
++the contents of the email might have been altered in between.<br>
++To ensure the identity of the sender and the integrity of the
++email, you can again use S/MIME or PGP.</li>
++</ul>
++
++<h2>Support by Mail User Agents</h2>
++
++The following MUAs are known to work with RFC2487:
++<ul>
++<li>Netscape >= 4.5 supports STARTTLS and client certificates.
++<li>Outlook (Express) >= 5 supports STARTTLS (only on port 25) and traditional
++SSL-wrapping style (on all other ports). No support for client certificates.
++<li>Eudora >= 5.1 supports STARTTLS. Client certificate status unknown.
++</ul>
++
++<h2>Other OpenSource packages</h2>
++
++As of version sendmail-8.11, sendmail includes RFC2487 support [<a
++href="references.html#sendmail">SENDMAIL</a>]. 
++
++<p>Frederik Vermeulen has realized an RFC2487 extension [<a href=
++"references.html#qmailtls">QMAILTLS</a>] for the Qmail [<a href=
++"references.html#qmail">QMAIL</a>] MTA.</p>
++
++<p>Matti Aarnio has integrated RFC2487 into ZMailer [<a href=
++"references.html#zmailer">ZMAILER</a>].</p>
++
++<p>Michal Trojnara is currently integrating basic SMTP support into
++his stunnel software, starting with stunnel-3.3 [<a href=
++"references.html#stunnel">STUNNEL</a>].</p>
++
++<p>Trey Childs is also working on a "wrapper" solution [<a href=
++"references.html#smtps">SMTPS</a>].</p>
++
++<h2>Commercial implementations</h2>
++
++The commercial version of sendmail includes RFC2487 support [<a
++href="references.html#sendmail.inc">SENDMAIL.INC</a>]. 
++
++<p>Netscape Enterprise Server and Microsoft Exchange Server do offer
++RFC2487 functionality.</p>
++
++<p>The CommunigatePro mailserver software also supports RFC2487
++[<a href="references.html#communigate">COMMUNIGATE</a>].</p>
++
++</body>
++</html>
++
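Review bot: the item "Authentication of the receiving host to prevent interception" is marked "Status: realized", but the comment right below it explains that an attacker in the path can simply not offer STARTTLS so that no authentication happens unless the sender keeps a list of receivers which must identify by TLS; the status line should say that the protection is opportunistic by default and only holds for destinations on such a list, otherwise readers will assume interception is prevented out of the box. It is also worth adding to the first item that the EHLO exchange before STARTTLS, including the client's announced hostname, is still sent in clear; only what follows the successful negotiation is protected. Wording: "Transportation Layer Security" should be "Transport Layer Security", "Simple Mail Transport Protocol" should be "Simple Mail Transfer Protocol", "envelop sender" should be "envelope sender", "these informations" should be "this information", and "not necessary to included them" should be "to include them". The "Support by Mail User Agents" list (Netscape >= 4.5, Outlook (Express) >= 5, Eudora >= 5.1) needs a date so readers know how old the information is.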
+diff -urNad postfix-release/tls/doc/loadCAcert.pl /tmp/dpep.cXJuVH/postfix-release/tls/doc/loadCAcert.pl
+--- postfix-release/tls/doc/loadCAcert.pl	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc/loadCAcert.pl	2005-02-03 10:22:13.097088436 -0700
+@@ -0,0 +1,23 @@
++#!/usr/local/bin/perl -T
++
++require 5.003;
++use strict;
++use CGI;
++
++my $cert_dir = "/usr/local/ssl/certs";
++my $cert_file = "CAcert.pem";
++
++my $query = new CGI;
++
++my $kind = $query->param('FORMAT');
++if($kind eq 'DER') { $cert_file = "CAcert.der"; }
++
++my $cert_path = "$cert_dir/$cert_file";
++
++open(CERT, "<$cert_path");
++my $data = join '', <CERT>;
++close(CERT);
++print "Content-Type: application/x-x509-ca-cert\n";
++print "Content-Length: ", length($data), "\n\n$data";
++
++1;
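Review bot: `open(CERT, "<$cert_path");` ignores its return value, so if CAcert.pem or CAcert.der is missing or unreadable the script still answers with a 200 and `Content-Length: 0`, and the browser imports nothing with no hint why; write `open(CERT, "<$cert_path") or die "cannot open $cert_path: $!";` so the web server logs the cause and reports a failure. Two smaller points: add `binmode(CERT);` before the read, since the DER variant is binary and `join '', <CERT>` reads in text mode, and when `FORMAT` is not supplied `$kind` is undef, so `$kind eq 'DER'` warns under `-w`; `if (defined $kind && $kind eq 'DER')` avoids that. Also note that `$cert_dir` here is `/usr/local/ssl/certs`, while myownca.html passes `-certfile /usr/local/ssl/CAcert.pem` and installs the CA certificate to `/etc/postfix/CAcert.pem`; the three paths should agree, or the text should say they are examples.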
+diff -urNad postfix-release/tls/doc/myownca.html /tmp/dpep.cXJuVH/postfix-release/tls/doc/myownca.html
+--- postfix-release/tls/doc/myownca.html	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc/myownca.html	2005-02-03 10:22:13.097088436 -0700
+@@ -0,0 +1,175 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
++<html>
++<head>
++<meta name="generator" content="HTML Tidy, see www.w3.org">
++<title>Postfix/TLS - Being your on CA</title>
++</head>
++<body>
++<h1>Postfix/TLS - Lutz's very short course on being your own
++CA</h1>
++
++This section is kept quite short as there are already a lot of
++pages explaining these things (e.g. [<a href=
++"references.html#introcert">INTROCERT</a>]). There are also
++projects under way to make this task easier [<a href=
++"references.html#openca">OPENCA</a>], so I wont't waste your time
++(and mine) by writing a book about it. 
++
++<h2>Be your own CA</h2>
++
++If you want to do relaying based on client certificates you may
++want to issue your own client certificates; hence you want to be
++your own certificate authority (CA). Of course nobody else will
++accept your certificates, so the damage you do is not so high (the
++requirements for a good "professional" CA are very high, as you
++should have the CA key on a private host without network for
++security, be strict about checking the identity of requesters etc).
++
++
++<p>For laziness, we also don't care about the (worthful)
++possibility to generate certificates for specific purposes (e.g.
++for servers, clients, email-signing) and simply generate "unlimited
++general purpose" certificates. So a certificate issued for the
++person "John Doe" is also valid for the "John Doe"-server.</p>
++
++<p>Using OpenSSL it is quite simple to become your own CA. Just
++run</p>
++
++<pre>
++CA.pl -newca
++</pre>
++
++and you are done. Just make sure, that you select a useful CN
++(Common Name)! By just using your name, you might create a lot of
++confusion, as the CA certificate for "Lutz Jaenicke" looks quite
++the same as the personal client certificate for "Lutz Jaenicke" (I
++can tell you). Of course you can further improve this private CA by
++editing the <code>openssl.cnf</code> file, especially the comment. 
++
++<p>If you want the full comfort of being your own CA, you must
++import your CA certificate to Netscape. Unfortunately Netscape does
++not offer an explicit function to perform this task (unlike for
++client certificates). If you have an http-server available (and I
++think you do), you can add the <a href="loadCAcert.pl">
++loadCAcert.pl</a> script to your <code>cgi-bin</code> directory. If
++you call it from Netscape (or Internet Explorer), you can load the
++certificate! (Taken from [<a href=
++"references.html/#introcert">6</a>])</p>
++
++<h2>Create your site certificate</h2>
++
++Ok, you now must create a site certificate for your postfix server.
++As your clients will use it for verification, it must contain the
++name of your host as common name (CN): host.in.domain. 
++
++<p>You want your postfix system to start up at boot time without
++trouble? Then your server private key must not be encrypted. So
++when you create the key you must add the <code>-nodes</code> option
++in <code>CA.pl</code> to the line with the <code>-newcert</code>
++and/or <code>-newreq</code> command:</p>
++
++<pre>
++*** CA.pl   Wed Mar 24 10:30:38 1999
++--- CA1.pl  Sat Mar 27 19:36:47 1999
++***************
++*** 56,67 ****
++        exit 0;
++    } elsif (/^-newcert$/) {
++        # create a certificate
++!       system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS");
++        $RET=$?;
++        print "Certificate (and private key) is in newreq.pem\n"
++    } elsif (/^-newreq$/) {
++        # create a certificate request
++!       system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");
++        $RET=$?;
++        print "Request (and private key) is in newreq.pem\n";
++    } elsif (/^-newca$/) {
++--- 56,67 ----
++        exit 0;
++    } elsif (/^-newcert$/) {
++        # create a certificate
++!       system ("$REQ -new -x509 -nodes -keyout newreq.pem -out newreq.pem $DAYS");
++        $RET=$?;
++        print "Certificate (and private key) is in newreq.pem\n"
++    } elsif (/^-newreq$/) {
++        # create a certificate request
++!       system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS");
++        $RET=$?;
++        print "Request (and private key) is in newreq.pem\n";
++    } elsif (/^-newca$/) {
++</pre>
++
++For sslwrap or stunnel the authors propose to use self signed certs
++created with <code>-newcert</code>. I rather propose to create an
++ordinary certificate request with 
++
++<pre>
++CA.pl -newreq
++</pre>
++
++and then sign it with your CA: 
++
++<pre>
++CA.pl -sign
++</pre>
++
++Now you can install the cert from <code>cacert.pem</code> to <code>
++/etc/postfix/CAcert.pem</code>, the created certificate from <code>
++newcert.pem</code> to <code>/etc/postfix/cert.pem</code> and the
++key part form <code>newreq.pem</code> to <code>
++/etc/postfix/key.pem</code>. Please be aware, that the <code>
++key.pem</code> is not protected by password, so you have to protect
++it by file access privileges. As the information is read before
++smtpd changes to chroot jail, it still has root privileges, so you
++should 
++
++<pre>
++chown root /etc/postfix/key.pem ; chmod 400 /etc/postfix/key.pem
++</pre>
++
++<h2>Create a client certificate</h2>
++
++Creating a client certificate is as easy as a site certificate. At
++least, if you are doing it as a CA. First you create and sign a
++pair of key and certificate. Be sure to add the correct common name
++(CN) for the client: 
++
++<pre>
++CA.pl -newreq
++CA.pl -sign
++</pre>
++
++If you want to do client certificate based relaying, you do need
++the fingerprint of the certificate, which can be obtained with 
++
++<pre>
++openssl x509 -fingerprint -in newcert.pem
++</pre>
++
++Now this certificate must be imported into netscape. Therefore the
++data you just created must be converted to a ".p12" file in PKCS#12
++format. You do need the <code>pkcs12</code> utility [<a href=
++"references.html#pkcs12">PKCS12</a>], which is included in the
++OpenSSL package as of version 0.9.3. The necessary command is: 
++
++<pre>
++pkcs12 -export -in newcert.pem -inkey newreq.pem \
++  -certfile /usr/local/ssl/CAcert.pem -name "Name" -out newcert.p12
++</pre>
++
++Of course your filenames may vary. Please take special care to
++supply a good name to your certificate. First: The name will be
++listed every time when a client certificate is to be send by
++netcape. As a person may have several certificates, the name might
++include a hint on the CA (e.g. "Lutz Jaenicke (Lutz CA)"). <strong>
++If you want to have a lot of fun, you can just omit the name.
++Netscape will happily import the certificate, but you won't see it
++in the list of user certificates. And as you don't see it, you
++cannot select it. And as Netscape will not overwrite it, if you
++offer the same (corrected) certificate with a name, you want to
++delete it, but as you cannot select it, you cannot delete it. You
++got the point?</strong>
++</body>
++</html>
++
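Review bot: the CA.pl modification adds `-nodes` to both the `-newcert` and the `-newreq` branch, so not only the server key but every client key created with `CA.pl -newreq` in the "Create a client certificate" section lands in newreq.pem without a passphrase, yet the text only warns about `/etc/postfix/key.pem` and gives the `chown root /etc/postfix/key.pem ; chmod 400 /etc/postfix/key.pem` line for that one file. Either limit `-nodes` to the server request, or tell readers to protect newreq.pem the same way and remove it once the `.p12` has been exported. Related: `openssl x509 -fingerprint -in newcert.pem` names no digest, and OpenSSL's default digest for `-fingerprint` has changed between releases, so the page should pass it explicitly (`-md5` or `-sha1`) and say which digest the relay list expects, otherwise the value put in the list will not match. The page also admits that its CA issues "unlimited general purpose" certificates, so that a certificate issued to the person "John Doe" is also valid for the "John Doe" server; that deserves a clearer warning than "for laziness", since every client certificate this CA signs can then be presented as a server certificate. Markup and spelling: `href="references.html/#introcert"` has a stray slash before `#`; `-certfile /usr/local/ssl/CAcert.pem` does not match the `cacert.pem` and `/etc/postfix/CAcert.pem` names used earlier on the same page; "Being your on CA" should be "your own CA", "wont't" should be "won't", "worthful" should be "worthwhile", "key part form newreq.pem" should be "from", and "to be send by netcape" should be "to be sent by Netscape".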
+diff -urNad postfix-release/tls/doc/prng.html /tmp/dpep.cXJuVH/postfix-release/tls/doc/prng.html
+--- postfix-release/tls/doc/prng.html	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc/prng.html	2005-02-03 10:22:13.097088436 -0700
+@@ -0,0 +1,97 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
++<html>
++<head>
++<meta name="generator" content="HTML Tidy, see www.w3.org">
++<title>Postfix/TLS - PRNG Pseudo Random Number Generator</title>
++</head>
++<body>
++<h1>Postfix/TLS - PRNG Pseudo Random Number Generator</h1>
++
++One of the crucial points of encryption is the generation of the
++keys, for which random numbers are required. As of OpenSSL 0.9.5,
++the seeding of the included PRNG Pseudo Random Number Generator is
++checked. Starting with Postfix/TLS 0.5.4, an architecture to
++collect entropy is included. 
++
++<h2>Included PRNG</h2>
++
++OpenSSL features a quite sophisticated PRNG. In order to generate
++random numbers of lengths of more then 1024bit, a 8192bit (=1kB)
++pool is kept and used to generate these random numbers. To achieve
++full complexity for an attacker, it is necessary to have the full
++range of random numbers available and not restrict the search space
++used for searching keys, hence an according amount of entropy is
++necessary. 
++
++<h2>Obtaining Entropy</h2>
++
++To get entropy, unpredictable events are needed. Unfortunately,
++computers and software tend to be very predictable, so that a lot
++of effort is necessary to collect unpredictable events. The
++mathematical techniques are discussed in the excellent book of
++Schneier "Applied Cryptography". 
++
++<p>We use at least one feature: if you have collected a pool of
++data with entropy in it, you can add up more data without losing
++the entropy already there, so that we can mix external sources and
++internal bits to only increase the entropy.</p>
++
++<h2>External sources</h2>
++
++Only few operating systems provide good entropy collection. 
++
++<h3>/dev/random and /dev/urandom</h3>
++
++Linux offers the <tt>/dev/random</tt> and <tt>/dev/urandom</tt>
++devices, some BSD derivatives as well. 
++
++<p><tt>/dev/random</tt> will provide high quality random data, but
++it will block until enough entropy is available, if too much random
++data is requested to fast. <tt>/dev/urandom</tt> will fill up the
++real entropy data with data from an internal PRNG and will never
++block. For a system with automated startup /dev/urandom should be
++used. Reading from /dev/urandom will however trigger kernel
++activity to satisfy the demands. Imagine starting up postfix with a
++large number of emails in the queue. 50 (default) smtp processes
++want to start at the same time and access <tt>
++/dev/urandom</tt>.</p>
++
++<h3>Entropy Gathering Daemon</h3>
++
++A replacement for operating systems without good random number
++collection is the <a href="references.html#egd">EGD</a> Entropy
++Gathering Daemon. It will also extract entropy from a lot of
++sources. 
++
++<p>EGD has a command driven interface, there is a command for
++blocking and one for non-blocking read. Unlike <tt>
++/dev/urandom</tt> the non-blocking command will not trigger an
++internal PRNG to fill up, but will simply return a smaller number
++of bytes than requested, even 0 if totally drained.</p>
++
++<p>EGD should hence not be used for direct feeding of smtp[d]
++processes. Again, imagine 50 smtp processes starting delivery at
++the same time.</p>
++
++<p><em>To circumvent this problem, I have witten my own daemon,
++that has a EGD compatible interface but can never run dry, just
++like <tt>/dev/urandom</tt>. Check out <a href=
++"references.html#prngd">PRNGD</a> for details.</em></p>
++
++<h3>Intermediate File</h3>
++
++Hence, Postfix/TLS maintains its own pool of entropy by means
++of the <em>tlsmgr</em> daemon. It will collect entropy from an
++external source at startup and periodically during runtime to ever
++increase the entropy in the pool. The smtp[d] processes are fed
++from an PRNG exchange file that is updated in short periods. Upon
++restart, tlsmgr will also read entropy from this file, so that the
++large entropy pool is fully utilized.
++
++<p>The single smtp[d] daemons can also access an external source. Their
++collected entropy is also stirred into the intermediate file, so that
++a significant amount of entropy is available alltogether.
++
++</body>
++</html>
++
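Review bot: the "Intermediate File" section says the smtp[d] processes are fed from a PRNG exchange file that tlsmgr updates periodically and re-reads on restart, but it never says who may read or write that file. Read access is the critical one: anyone who can read it learns the seed state shared by all smtp[d] processes, and write access lets an attacker influence what is stirred in. State the required owner and mode (readable and writable by the Postfix user only) next to the description, the way myownca.html does for key.pem. Wording: "more then 1024bit" should be "more than 1024 bit", "to fast" should be "too fast", "an PRNG exchange file" should be "a PRNG exchange file", "witten" should be "written", and "alltogether" should be "altogether"; "8192bit (=1kB)" is correct but reads better as "8192 bit (= 1 kB)".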
+diff -urNad postfix-release/tls/doc/references.html /tmp/dpep.cXJuVH/postfix-release/tls/doc/references.html
+--- postfix-release/tls/doc/references.html	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc/references.html	2005-02-03 10:22:13.098088213 -0700
+@@ -0,0 +1,105 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
++<html>
++<head>
++<meta name="generator" content="HTML Tidy, see www.w3.org">
++<title>Postfix/TLS - References</title>
++</head>
++<body>
++<h1>Postfix/TLS - References</h1>
++
++<ol>
++<li>[<a name="postfix">POSTFIX] The Postfix (formerly VMailer) Home
++Page: <a href="http://www.postfix.org/">
++http://www.postfix.org/</a>.</a></li>
++
++<li>[<a name="openssl">OPENSSL</a>] OpenSSL: The Open Source
++toolkit for SSL/TLS: <a href="http://www.openssl.org/">
++http://www.openssl.org/</a>.</li>
++
++<li>[<a name="pkcs12">PKCS12</a>]OpenSSL PKCS#12 Program FAQ: <a
++href="http://www.drh-consultancy.demon.co.uk/pkcs12faq.html">
++http://www.drh-consultancy.demon.co.uk/pkcs12faq.html</a>.</li>
++
++<li>[<a name="sslwrap">SSLWRAP</a>] SSLwrap Homepage: <a href=
++"http://www.rickk.com/sslwrap/">
++http://www.rickk.com/sslwrap/</a>.</li>
++
++<li>[<a name="stunnel">STUNNEL</a>] Stunnel Homepage: <a href=
++"http://stunnel.mirt.net/">
++http://stunnel.mirt.net/</a>.</li>
++
++<li>[<a name="introcert">INTROCERT</a>] Introducing SSL and
++Certificates using SSLeay: <a href=
++"http://www.ultranet.com/~fhirsch/Papers/wwwj/">
++http://www.ultranet.com/~fhirsch/Papers/wwwj/</a>.</li>
++
++<li>[<a name="imcorg">IMC</a>] Internet Mail Consortium: <a href=
++"http://www.imc.org/">http://www.imc.org/</a>.</li>
++
++<li>[<a name="imcorgappstls">IETF-APPS-TLS</a>] ietf-apps-tls
++mailing list: <a href="http://www.imc.org/ietf-apps-tls/">
++http://www.imc.org/ietf-apps-tls/</a></li>
++
++<li>[<a name="openca">OPENCA</a>] The OpenCA Project: <a href=
++"http://www.openca.org/">http://www.openca.org/</a>.</li>
++
++<li>[<a name="dfnpca">DFNPCA</a>] DFN-PCA: <a href=
++"http://www.dfn-pca.de/">http://www.dfn-pca.de/</a>.</li>
++
++<li>[<a name="sendmail">SENDMAIL</a>] Sendmail: <a href=
++"http://www.sendmail.org/">http://www.sendmail.org/</a>.</li>
++
++<li>[<a name="sendmail.inc">SENDMAIL.INC</a>] Sendmail Inc: <a
++href="http://www.sendmail.com/">http://www.sendmail.com/</a>.</li>
++
++<li>[<a name="qmail">QMAIL</a>] Qmail: <a href=
++"http://www.qmail.org/">http://www.qmail.org/</a>.</li>
++
++<li>[<a name="qmailtls">QMAILTLS</a>] Qmail/TLS: <a href=
++"http://www.esat.kuleuven.ac.be/~vermeule/qmail/tls.patch">
++http://www.esat.kuleuven.ac.be/~vermeule/qmail/tls.patch</a>.</li>
++
++<li>[<a name="zmailer">ZMAILER</a>] ZMailer: <a href=
++"http://www.zmailer.org/">http://www.zmailer.org/</a>.</li>
++
++<li>[<a name="jonama">JONAMA</a>] Jonama: <a href=
++"http://www.multimania.com/jonama/">
++http://www.multimania.com/jonama/</a>.</li>
++
++<li>[<a name="smtps">SMTPS</a>] Trey Child's STARTTLS wrapper: <a
++href="http://blueice.shopkeeper.de/~tchilds/">
++http://blueice.shopkeeper.de/~tchilds/</a>.</li>
++
++<li>[<a name="safegossip">SAFEGOSSIP</a>] Safegossip universal
++TLS-wrapper: <a href="http://www.skygate.co.uk/safegossip/">
++http://www.skygate.co.uk/safegossip/</a>.</li>
++
++<li>[<a name="sendmailtls">SENDMAIL-TLS</a>] Jeremy Beker's
++sendmail-tls wrapper: <a href="http://opensource.3gi.com/">
++http://opensource.3gi.com/</a>.</li>
++
++<li>[<a name="communigate">COMMUNIGATE</a>] Stalker Software's
++CommunigatePro mailserver product: <a href="http://www.stalker.com/">
++http://www.stalker.com/</a>.</li>
++
++<li>[<a name="egd">EGD</a>] Entropy Gathering Daemon: <a href=
++"http://www.lothar.com/tech/crypto/">
++http://www.lothar.com/tech/crypto/</a>.</li>
++
++<li>[<a name="prngd">PRNGD</a>] Pseudo Random Number Generator
++Daemon: <a href=
++"http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html">
++http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html</a>.</li>
++
++<li>[<a name="oe_ssl">Outlook/SSL</a>] Outlook (Express) and
++STARTTLS info: <a href=
++"http://support.microsoft.com/support/kb/articles/Q218/4/30.ASP">
++http://support.microsoft.com/support/kb/articles/Q218/4/30.ASP</a>.</li>
++
++<li>[<a name="justinhowto">TLS/CA Howto</a>] Justin Davis TLS and CA Howtos:
++<a href="http://palmcoder.net/files/howtos/">
++http://palmcoder.net/files/howtos/</a>.</li>
++</ol>
++</body>
++</html>
++
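Review bot: the first entry nests one anchor inside another: `<li>[<a name="postfix">POSTFIX] The Postfix ...` leaves `<a name="postfix">` open across the `<a href="http://www.postfix.org/">` link and closes it only with the trailing `.</a></li>`, which is invalid HTML and makes the `#postfix` target span the whole entry; close it as `[<a name="postfix">POSTFIX</a>]` like every other entry in the list. Minor: `[<a name="pkcs12">PKCS12</a>]OpenSSL` lacks a space after the bracket, and the keys of the last two entries ("Outlook/SSL", "TLS/CA Howto") do not follow the upper-case tag style used by the rest of the list.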
+diff -urNad postfix-release/tls/doc/relaycert.html /tmp/dpep.cXJuVH/postfix-release/tls/doc/relaycert.html
+--- postfix-release/tls/doc/relaycert.html	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc/relaycert.html	2005-02-03 10:22:13.098088213 -0700
+@@ -0,0 +1,124 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
++<html>
++<head>
++<meta name="generator" content="HTML Tidy, see www.w3.org">
++<title>Postfix/TLS - Initial Motivation</title>
++</head>
++<body>
++<h1>Postfix/TLS - Initial Motivation</h1>
++
++This introduction shall point out the motivation, why I spend my
++time writing this TLS extension for postfix. 
++
++<h2>Roaming users problem</h2>
++
++It quite often happens that my users want to access their mailboxes
++and to send emails from hosts outside our network. The main reasons
++are the access from home via Internet service providers (ISP) or
++from abroad during business trips (in our case typically to other
++universities around the world). Sending and accessing leads to two
++loosely coupled problems. 
++
++<h2>UCE control</h2>
++
++One problem is sending emails, because from abroad it is seldom
++possible to predict the sending hostname we will have and when
++using an ISP the assigned hostname is typically random. As we of
++course must have UCE control in effect, I either must open up
++relaying complete ISP domains on my users request (Arrgghh!) or
++must introduce an authentication beside the hostname or IP address.
++
++
++<h2>Passwords and insecure networks</h2>
++
++This directly leads to the second problem. Recent versions of
++Netscape do offer password based authentication. This solves the
++UCE problem but introduces another one, which I consider far more
++severe: The users have to send a password in plain text over the
++network. Of course I could solve this problem by issuing special
++passwords just for this reasons, but some of my users don't have a
++clue of what is going on between the keyboard and the screen, so
++they would happily try their real password. 
++
++<p>The same problem of course also applies to the POP and IMAP
++services. I tackled them first, because they are typically attacked
++by port scanners, so I closed them down by tcpwrappers (Hi Wietse!)
++to only allow my local hosts to access them.</p>
++
++<h2>Encryption via SSL</h2>
++
++The solution to the plain text password problem was easily found
++with the use of SSL. You just tunnel the POP or IMAP connection
++through SSL, using either <strong>SSLwrap</strong> [<a href=
++"references.html#sslwrap">SSLWRAP</a>] or <strong>stunnel</strong>
++[<a href="references.html#stunnel">STUNNEL</a>]. 
++
++<p>Netscape supports IMAP with SSL tunneling since version 4, I
++have one user with Outlook Express, who uses POP3 with SSL
++tunneling, so this solves the plain text password problem by
++encryption.</p>
++
++<h2>Netscape 4.5</h2>
++
++Starting with Netscape 4.5, also sending with SSL encryption is
++supported. As Netscape also supports client certificates, this
++seemed to be an easy solution for the UCE control problem. So I
++happily added an "smtps" service with SSL wrapper and client
++certificate verification. Unfortunately it didn't work and the
++connection just hung! After some digging around I found out, that
++Netscape 4.5 seems to realize the protocol described in <a href=
++"rfc2487.txt">RFC 2487</a> [<a href=
++"references.html#imcorg">IMC</a>]. 
++
++<h2>RFC 2487 - SMTP Service Extension for Secure SMTP over TLS</h2>
++
++RFC 2487 describes how to include TLS (the successor of SSL) into
++the normal Extended SMTP protocol. During the normal EHLO start
++negotiation the server offers the STARTTLS option to the client,
++which then issues the STARTTLS command. After the server accepts
++the command (220), the normal SSL handshake will start. 
++
++<p>Unfortunately it is impossible to handle this situation with a
++normal tunneling software, as they are not prepared to do clear
++text negotiation before running SSL and don't have the slightest
++idea on the SMTP protocol. Therefore the way to go was to extend a
++given mail server software. The first candidate was sendmail-8.9.3,
++as I was a long term sendmail user. After digging around some I
++came to the conclusion, that even though possible, the source code
++was quite difficult to understand and adding the necessary
++configuration options didn't look inviting.</p>
++
++<h2>Postfix</h2>
++
++At this point (February 1999) I checked other mail servers and was
++immedideately fascinated by postfix source. It was very good to
++read and understand, so I decided that if I would take the time,
++then postfix would be the way to go. 
++
++<p>I then started to first change our site to postfix. It took some
++hours to do this, because our mail system is running on a common
++network I administrate for several chairs, each of them with its
++own mail server and domain, but a common user base, so a lot of
++rewriting takes place, we need virtual services for symbolic names
++like "webmaster" etc.</p>
++
++<h2>Postfix/TLS</h2>
++
++Some time after having done this I finally found the time to write
++my TLS extensions for postfix. I took the source of the <code>
++s_server</code> of the OpenSSL package and added a simplified
++version of it to postfix, so that by now we can run the SMTP
++protocol encrypted on the server side. This would also allow us to
++use plain text password authentication, but as it is available
++without cost, I rather decided to go with client certificates. If
++you can offer a client certificate to our server, that is included
++in a list on our server, you can relay your emails through our
++server! 
++
++<h2>Summary</h2>
++
++Postfix/TLS is an addition to the smtpd server, which implements the RFC 2487
++ TLS Service Extension and allows UCE control based on client certificates.
++</body>
++</html>
++
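Review bot: "immedideately" in the Postfix section is a typo for "immediately", and "Netscape 4.5 seems to realize the protocol described in RFC 2487" should read "implements the protocol"; "realize" is a false friend here. Two smaller wording points in the same hunk: "with a normal tunneling software" should be "with normal tunneling software", and the RFC 2487 paragraph says "the normal SSL handshake will start" where the RFC specifies a TLS negotiation; the document itself introduces TLS as the successor of SSL two sentences earlier, so "TLS handshake" keeps the terminology consistent.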
+diff -urNad postfix-release/tls/doc/security.html /tmp/dpep.cXJuVH/postfix-release/tls/doc/security.html
+--- postfix-release/tls/doc/security.html	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc/security.html	2005-02-03 10:22:13.099087990 -0700
+@@ -0,0 +1,78 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
++<html>
++<head>
++<meta name="generator" content="HTML Tidy, see www.w3.org">
++<title>Postfix/TLS - Security Considerations</title>
++</head>
++<body>
++<h1>Postfix/TLS - Security Considerations</h1>
++
++The following sections cover some (possible) security issues with
++regard to Postfix/TLS. 
++
++<h2>Server/Client private key file</h2>
++
++Postfix/TLS uses authentication for the server side (mandatory) and
++the client side (optional). In order to authenticate itself, the
++according process (smptd/smtp) must be able to access the private
++key, which must however be kept secret. As these processes are
++started from 'master' without the possibility of user interaction, it is not
++possible to supply a password, so that the private key can not be
++encrypted. 
++
++<p>The only protection can therefore come from filesystem access
++rights, which should be set to 'owner root' and 'readable for owner
++only':</p>
++
++<pre>
++-rw-------   1 root       sys            887 Apr 29  1999 /etc/postfix/key.pem
++</pre>
++
++<p>This protection is only as good as your host is protected
++against root exploits.</p>
++
++<p>You also should be aware, that people having physical access to
++your system might be able to 'steal' the private key if they can
++boot into single user mode without password protection or can move
++the disk to another computer, on which they have root rights. (Yes,
++I know there are such things as encrypted filesystems, but they are
++not in wide spread use today.)</p>
++
++<h2>Disk based session cache</h2>
++
++If you run disk based session caching (the default) people being
++able to get hold of the files might be able to figure out security
++relevant communication parameters. The security situation is
++however not more dramatic than the private key issue explained
++above, so I don't consider any additional danger coming from saving
++session information to stable storage. 
++
++<p>As breaking the code with public key cryptography is just a
++matter of time (even though it might be a very long time), sessions
++should not be used for an infinite duration. The default value for
++Postfix/TLS is 1h; RFC2246 (TLSv1) recommends to not use sessions
++for more than 24h.</p>
++
++<h2>DNS issues</h2>
++
++One weak point in authentication is the use of the DNS to find out
++the MX information. Since we do (E)SMTP, we must use the MX
++information! 
++
++<p>As we have to authenticate the server retrieved via MX, somebody
++able to spoof a wrong MX entry might be able to receive the email,
++if his host can present a certificate issued by an acceptable CA.
++The last part is not too difficult if 'standard' CAs like Verisign,
++Thawte,... are included.</p>
++
++<p>The only way to protect against this problem is that for those
++recipients, for which we want to <strong>enforce</strong>
++encryption and authentication, the MX lookup must be overridden
++with an appropriate entry in the /etc/postfix/transport table:</p>
++
++<pre>
++important.dom.ain smtp:[mailserver.important.dom.ain]
++</pre>
++</body>
++</html>
++
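Review bot: "the according process (smptd/smtp)" in the private key section has "smptd" for "smtpd"; the daemon name recurs throughout the documentation, so fix it here. The sample listing "-rw-------   1 root       sys            887 Apr 29  1999 /etc/postfix/key.pem" shows mode 0600, whereas setup.html in this same patch prescribes "chown root /etc/postfix/key.pem ; chmod 400 /etc/postfix/key.pem"; pick one mode (0400 is the tighter one, the daemon only needs to read the key) and use it in both files so readers are not left wondering whether the difference matters. In the DNS section, the transport entry "important.dom.ain smtp:[mailserver.important.dom.ain]" only bypasses the MX lookup; the bracketed host name is still resolved through DNS, so "The only way to protect against this problem" overstates what the entry does. The protection actually comes from the client checking the names in the presented certificate against that host name, as setup.html describes, and the paragraph should say so.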
+diff -urNad postfix-release/tls/doc/setup.html /tmp/dpep.cXJuVH/postfix-release/tls/doc/setup.html
+--- postfix-release/tls/doc/setup.html	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc/setup.html	2005-02-03 10:22:13.099087990 -0700
+@@ -0,0 +1,220 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
++<html>
++<head>
++<meta name="generator" content="HTML Tidy, see www.w3.org">
++<title>Postfix/TLS - Setting up the certificates</title>
++</head>
++<body>
++<h1>Postfix/TLS - Setting up the certificates</h1>
++
++This section explains what kind of certificates are needed to run
++postfix with TLS. The certificates (and maybe keys) can be obtained
++from a third party, that might be a commercial certification
++authority or your internet service provider. On the long run you do
++need certificates that are accepted by other Internet parties, so
++you have to agree with them on certification authorities, of which
++type they might be. 
++
++<h2>Server certificate</h2>
++
++To run SMTP with TLS in server mode, your server <strong>
++must</strong> have a pair of <em>private key</em> and <em>public
++key</em>. 
++
++<p>As the public key must be distributed to the client somehow, it
++is sent from the server to the client during the startup
++negotiation. The client however cannot know from just the
++negotiation, that the public key really belongs to the server and
++is not faked. Therefore a third component is necessary, a <em>
++certificate</em> from a certificate authority (CA), that is sent
++combined with the public key. This <em>server certificate</em>
++contains the <code>name.of.your.host</code>. The client will then
++check the <em>signature</em> of the CA on the public key to decide,
++whether the certificate (and public key) are authentic.</p>
++
++<p>So for the server we do need:</p>
++
++<ul>
++<li>1 <em>server private key</em></li>
++
++<li>1 server public key signed by a CA, a <em>server
++certificate</em>, certifying that the public key belongs to <code>
++name.of.your.host</code>.</li>
++
++<li>1 <em>CA certificate</em> with the public key of the CA</li>
++</ul>
++
++For this list I definitely want point out the number of components
++used to be <strong>1</strong>, because you must have <strong>
++1</strong>, you cannot have less, you cannot have more! 
++
++<h3>Server certificate policy</h3>
++
++At this point you have to decide about policy. The client which is
++going to connect to your host will check the names in the <em>server
++certificate</em>, the dNSName entries in the SubjectAlternativeName
++or the CN (Common Name) if no dNSName is found, against the FQDN (Fully
++Qualified Domain Name) of your server. If both agree, your server's
++identity is proved. 
++
++<p>To see, whether the certificate itself is authentic, the client
++itself <em>must have</em> the <em>CA certificate</em>. So, if you
++want to make it easily accessible to other, unknown parties, you
++should have your server certificate issued by a well known and well
++trusted CA. Remember, that your server can only have one server
++certificate at a time.</p>
++
++<p>There are commercial providers (Thawte, Verisign, just to name
++some), the CA certificats of which are well distributed. Not
++knowing of other countries, at least in Germany the
++Research Network (DFN) has started a program for universities [<a
++href="references.html#dfnpca">DFNPCA</a>].</p>
++
++<p>If you do not care about that for know (you can change that
++later), you can just become your own CA and distribute your CA cert
++to those parties who should know it, and you are set. It is not
++difficult to do.<br>
++<a href="myownca.html">Lutz's very short course on being your own
++CA</a>.</p>
++
++<h3>Using the certificates with Postfix/TLS</h3>
++
++To make the key and certificates available to Postfix/TLS, they
++must be in "PEM" format. Then you have to tell postfix in main.cf
++where to find them: 
++
++<ul>
++<li>The private key: 
++
++<pre>
++smtpd_tls_key_file = /etc/postfix/key.pem
++</pre>
++
++As the public key is public including the certificate (everybody
++can get a copy), everybody who has a copy of the private key can
++fake your identity. It is not too easy, as he must be able to
++redirect or intercept the IP packages sent to your server, but I
++have seen a lot of things happening. So protect this key with: 
++
++<pre>
++chown root /etc/postfix/key.pem ; chmod 400 /etc/postfix/key.pem
++</pre>
++
++One more possibility for protection is a passphrase. This is
++however a problem, as you have to enter it everytime the server has
++to be started. This has to drawbacks: firstly you would have to
++enter it to postfix everytime you restart it, which I find quite
++impractical for an unattended server which might restart
++automatically after a power outage. Secondly the smtpd processes
++are independently started from master, so that master would have to
++pass the passphrase to the clients somehow. Alltogether I think
++this is impractical and so I don't support by software.</li>
++
++<li>The server certificate: This certificate is not secret, as it
++will be presented to every client anyhow, so you just name it to
++postfix: 
++
++<pre>
++smtpd_tls_cert_file = /etc/postfix/cert.pem
++</pre>
++
++If you like, you can put private key and cert into one file.</li>
++
++<li>The CA certificate: To also have the CA certificate available,
++you put it into a file and name it to Postfix/TLS. We will come
++back to this file later. 
++
++<pre>
++smtpd_tls_CAfile = /etc/postfix/CAcert.pem
++</pre>
++</li>
++</ul>
++
++With these certificates you should already have enough to get
++Postfix/TLS running. 
++
++<h3>Postfix/TLS client mode</h3>
++
++When connecting to a server offering TLS, postfix can present a
++client certificate of its own. As realized by now, only one
++certificate can be managed, so it should be issued on your own
++hostname. No default is supplied (no certificate is presented),
++unless you explicitly set the certificate in the configuration. You
++can use the same certificate as for the server side: 
++
++<pre>
++smtp_tls_key_file = /etc/postfix/key.pem
++chown root /etc/postfix/key.pem ; chmod 400 /etc/postfix/key.pem
++</pre>
++
++<pre>
++smtp_tls_cert_file = /etc/postfix/cert.pem
++</pre>
++
++<pre>
++smtp_tls_CAfile = /etc/postfix/CAcert.pem
++</pre>
++
++<h2>Client certificates</h2>
++
++One reason to do all of this work is that I want to do relaying
++based on client certificates. The clients present a certificate
++from a CA, that is unique and cannot be faked. 
++
++<p>Some clients can have several certificates issued by different
++CAs. Upon connection the server will pass the client the list of
++CAs he knows (has the CA certificates) and the client can then pass
++back a certificate of choice. With Netscape this means, a window is
++opened and only those client certificates compatible with the
++server are listed for selection.</p>
++
++<p>So if your clients already have certificates from trustable
++sources, it is not necessary to create a lot of problems. You just
++have to collect the CA certificates and make them available to
++Postfix/TLS. If that is not enough, you can still become your own
++CA to easily create client certificates for your users (which are
++of course of no use outside your scope).</p>
++
++<h3>Listing CA certificates</h3>
++
++<p>You have two possibilities to perform this task.</p>
++
++<ol>
++<li>You just add the CA certificates to the <code>
++smtp[d]_tls_CAfile</code> you already have created, one after the
++other. This file is probably not very readable, but it has the
++advantage that it is read at smtpd before switching to chroot jail
++and hence works in chroot mode.</li>
++
++<li>You can add the CA certificates in single files with adequate
++names to a certificate directory specified in: 
++
++<pre>
++smtpd_tls_CApath = /etc/postfix/certs
++</pre>
++
++Please don't forget to issue a <code>$OPENSSL_HOME/bin/c_rehash
++/etc/postfix/certs</code> after you have made changes, as the
++hashes are use to find the right CA certificate. This method should
++not work in chroot mode.</li>
++</ol>
++
++<h3>Adding client certificates</h3>
++
++The client certificates are issued for a DN (Distinguished Name)
++made up of company, department, name, email... As they may contain
++blanks, @ signs and colons, it is quite difficult to handle them
++with standard postfix tools. 
++
++<p>A quite practical thing is that every client certificate has a
++"fingerprint" that is extremely difficult to fake (read this: from
++my knowledge, it might take years even on fast computers). I have
++to do some more research about the security of the fingerprint, but
++at least for relaying it should be secure enough. I will much
++easier find a host with worse security to send out my SPAM than to
++fake a client certificate with a matching fingerprint (which I also
++don't know to from the outside, even from the inside you might
++protect the fingerprint data with a <code>chmod 400</code>).</p>
++</body>
++</html>
++
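Review bot: in the "Postfix/TLS client mode" section the first pre block mixes a main.cf parameter with a shell command: "smtp_tls_key_file = /etc/postfix/key.pem" is followed by "chown root /etc/postfix/key.pem ; chmod 400 /etc/postfix/key.pem" inside the same block, which looks like a copy-and-paste from the server-side section; a reader pasting the block into main.cf gets a broken configuration, so the chown/chmod line should be dropped here (it is the same key file already protected above) or moved into its own block with a sentence of prose around it. Spelling and grammar in the same hunk: "I definitely want point out" (missing "to"), "CA certificats", "for know" (for now), "This has to drawbacks" (two), "Alltogether", "I don't support by software" (I do not support it in the software), "hashes are use to find" (used), and "This method should not work in chroot mode" should be "does not work", which is what the item means. Minor terminology: "IP packages" should be "IP packets".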
+diff -urNad postfix-release/tls/doc/test.html /tmp/dpep.cXJuVH/postfix-release/tls/doc/test.html
+--- postfix-release/tls/doc/test.html	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc/test.html	2005-02-03 10:22:13.100087767 -0700
+@@ -0,0 +1,167 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
++<html>
++<head>
++<meta name="generator" content="HTML Tidy, see www.w3.org">
++<title>Postfix/TLS - Testing</title>
++</head>
++<body>
++<h1>Postfix/TLS - Testing</h1>
++
++Testing the package is a little bit difficult, as the communication
++is encrypted, so that you cannot "imitate" the conversation just by
++telnetting to the SMTP port. You also cannot capture the packets
++(well, you can, but if everything is working as advertised, it
++won't help you :-). 
++
++<h2>Included debugging aids</h2>
++
++As all of the messages generated by Postfix are sent to the syslog
++facility, debugging must be done using your normal system logfiles.
++Postfix/TLS supports the logging levels 0 (very quiet) up to 4 (a
++dump of the complete conversation, not recommended). 
++
++<p>As a first step set <code>smpt[d]_tls_loglevel=2</code> and
++watch the logfile. Typically you will have problems with the access
++to the keys or certificates, so you will find error messages
++here.</p>
++
++<p>You can always try to send an email to <tt>
++postfix_tls-bounce at serv01.aet.tu-cottbus.de</tt> with TLS enabled
++at your side and watch, what is going to happen :-)</p>
++
++<p>While testing the interoperability with ZMailer we learned, that
++an incorrect certificate type (must be server for the server :-)
++can lead to connection failures without clear symptoms. It helps to
++use Netscape 4.5x as a client and carefully study the message boxes
++and certificate information. I have yet to find out how to identify
++this problem from postfix to print a suitable warning to the
++logfile. Hopefully it will be possible without changes in the
++OpenSSL library.</p>
++
++<h2>Platforms</h2>
++
++<ul>
++<li>Development Platform: 
++
++<ul>
++<li>OS: HP-UX 10.20</li>
++
++<li>OS: Linux 2.x (SuSE Linux)</li>
++</ul>
++</li>
++
++<li>Test Client: 
++
++<ul>
++<li>Software: Netscape 4.5x, Netscape 4.6x, Netscape 4.7x</li>
++
++<li>OS: HP-UX 10.20, Linux 2.x, Win95</li>
++</ul>
++</li>
++</ul>
++
++Please don't comment on the stability of Netscape, especially not
++on HP-UX... 
++
++<h2>Interoperability</h2>
++
++Besides support by generic wrapper solutions, there exist specially
++crafted extensions for other MTAs: 
++
++<ul>
++<li><strong>Qmail</strong> There is an OpenSource patch available,
++extending the Qmail [<a href="references.html#qmail">QMAIL</a>] MTA
++to support RFC2487, written by Frederik Vermeulen [<a href=
++"references.html#qmailtls">QMAILTLS</a>]. Sending and receiving is
++working from both sides. 
++
++<p>Testing: send mail to <tt>ping at linux.student.kuleuven.ac.be</tt>
++(will send back complete email including headers).</p>
++</li>
++
++<li><strong>Zmailer</strong> The author/maintainer of ZMailer,
++Matti Aarnio, has incorporated both server and client side TLS
++support [<a href="references.html#zmailer">ZMAILER</a>]. 
++
++<p>Zmailer -&gt; Postfix works fine,<br>
++Postfix -&gt; Zmailer does not work, since ESMTP is not recognized
++(problem reported).</p>
++
++<p>Testing: send mail to <tt>autoanswer at mea.tmt.tele.fi</tt> (will
++send back headers).</p>
++</li>
++
++<li><strong>Sendmail</strong> The commercial verson of sendmail
++supports client and server TLS, both sides interoperating with
++Postfix/TLS. As of sendmail-8.11, TLS is also included with the
++opensource version [<a href=
++"references.html#sendmail">SENDMAIL</a>]. 
++
++<p>Testing: send mail to <tt>bounce at esmtp.org</tt> (will bounce
++error message including old headers).</p>
++</li>
++
++<li><strong>Postfix</strong> Can send emails to itself :-). 
++
++<p>Testing: send mail to <tt>
++postfix_tls-bounce at serv01.aet.tu-cottbus.de</tt> (will bounce back,
++includes old headers).</p>
++</li>
++</ul>
++
++Other reports are welcome. 
++
++<h2>Known interoperability problems</h2>
++
++<ul>
++<li>Postfix/TLS server: Under Win95/NT I have some problems with the
++client certificates. When opening the first connection (and
++Netscape asks for the password to access the certificate database),
++the connection hangs. This seems to be caused by Netscape: a dump
++of the communication shows, that Netscape just does not resume the
++TLS handshake.<br>
++<strong>Remark:</strong>I could not reproduce this bug recently
++after upgrading OpenSSL 0.9.4. I hope it has vanished, but maybe it
++is just a consequence of playing around with Netscape's security
++options. More testing required...<br>
++Workarounds: kill this connection, the next one will work
++immediately <strong>or</strong> use SSLv2 only (second workaround
++not recommended). 
++
++<p><strong>Should finally be fixed with OpenSSL 0.9.5.</strong></p>
++</li>
++
++<li>Postfix/TLS server: Outlook Express as of Internet Explorer 5 will
++work with Postfix/TLS, but it will not present any client
++certificate. So you can encrypt your email transfer but you cannot
++authenticate (and relay) with client certificates. It only works on
++port 25 (smtp); on other ports you must use smtpd_tls_wrappermode
++instead. [<a href="references.html#oe_ssl">Microsoft
++Knowledgebase</a>]</li>
++
++<li>Postfix/TLS server: Outlook Express as of Internet Explorer 4 does not
++support RFC2487. Use smtpd_tls_wrappermode=yes on a different
++port(!) (465=smpts?) instead.</li>
++
++<li>Postfix/TLS server: Outlook Express (Mac) seems not to support
++RFC2487, you must use smtpd_tls_wrappermode on a different port(!)
++(465=smtps?) instead.</li>
++
++<li>Postfix/TLS client: MS Exchange also in recent versions (5.5) offers
++STARTTLS even if not configured (from the mailing list [<a href=
++"references.html#imcorgappstls">IETF-APPS-TLS</a>]). I could not
++test this without access to such server, so I cannot predict what
++is going to happen.</li>
++
++<li>Postfix/TLS client: TLS connections to a CommunigatePro server fail
++with a handshake error with older versions of CommunigatePro.
++Reason is a protocol violation of the CommunigatePro server with
++respect to SSL-protocol version numbering. The respective part of
++the protocol is the specification of the client_version in section
++7.4.7.1. of RFC2246.<br>
++This problem has been fixed in CommunigatePro 3.3b?? (don't know
++the exact numbering) around June 09, 2000.</li>
++</ul>
++</body>
++</html>
++
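Review bot: "set smpt[d]_tls_loglevel=2" in the debugging section misspells the parameter; the parameters are smtp_tls_loglevel and smtpd_tls_loglevel (the rest of the patch writes the pair as smtp[d]_tls_...), and a reader copying this into main.cf would set a parameter that nothing reads and see no extra logging. Also "(465=smpts?)" in the Outlook Express / Internet Explorer 4 item should be "smtps", as the Mac item two lines later has it. Smaller: "verson" (version) in the Sendmail item, and "after upgrading OpenSSL 0.9.4" reads better as "after upgrading to OpenSSL 0.9.4".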
+diff -urNad postfix-release/tls/doc_french/conf.html /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/conf.html
+--- postfix-release/tls/doc_french/conf.html	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/conf.html	2005-02-03 10:22:13.101087544 -0700
+@@ -0,0 +1,600 @@
++<html>
++<head>
++<title>Untitled Document</title>
++<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
++</head>
++
++<body bgcolor="#FFFFFF">
++<p>Postfix/TLS - Configurer main.cf et master.cf </p>
++<p>Afin d'utiliser les extensions TLS vous devez renseigner quelques informations 
++  a Postfix. Regardez &eacute;galement le fichier conf/sample-tls.cf</p>
++<p>main.cf: smtpd (serveur) variables sp&eacute;cifiques<br>
++  # pour utiliser TLS nous avons besoin d'un certificat et d'une clef privée. Tous 
++  les deux doivent être <br>
++  # au format &quot;PEM ",la clé privée ne doit pas être chiffrée, ce qui signifie: 
++  <br>
++  # elle doit être accessible sans mot de passe. Les deux pièces (certificat et<br>
++  # clé privée) peuvent être dans le même fichier <br>
++  # <br>
++  # RSA et DSA sont des formats de certificats supportées <br>
++  # Typiquement vous pouvez seulement vous faire délivrer des certificats de RSA 
++  par un CA commercial<br>
++  # Les outils OpenSSL vont, par defaut, g&eacute;n&eacute;rer des certificats 
++  RSA<br>
++  # Vous pouvez avoir les deux en même temps, dans ce cas-ci le chiffrage du client 
++  utilisé décide<br>
++  # Pour les clients Netscape et OpenSSL  le certificat 
++  de RSA est préféré.<br>
++  #<br>
++  # Afin de contrôler les certificats, le certificat CA (dans le cas d'une chaine 
++  de certificats, tous les certificats CA) doit &ecirc;tre disponible<br>
++  # Vous devez ajouter ces certificats aux certificat du serveur, ce dernier en 
++  premier puis ceux &eacute;mis par par le(s) CA(s)<br>
++  #<br>
++  # exemple: le certificat pour &quot;serveur.chez.moi&quot; a &eacute;t&eacute; 
++  &eacute;mis par &quot;Intermediate CA&quot;<br>
++  # qui lui m&ecirc;me a un certificat de &quot;root CA&quot;. Creez le fichier 
++  server.pem en faisant 'cat server_cert.pem intermediate.pem &gt; server.pem'<br>
++  #<br>
++  # Si vous voulez accepter des certificats délivrés par ces derniers en tant 
++  que vous-même, vous pouvez aussi ajouter les certificats CA <br>
++  # au fichier smtpd_tls_CAfile, dans ce cas ce n'et pas n&eacute;cessaire de les 
++  avoir dans le fichier smtpd_tls_[d]cert_file<br>
++  #<br>
++  # Un certificat fourni ici doit &ecirc;tre utilisable comme SSL certificat serveur 
++  et par cons&eacute;quent passer le test<br>
++  # &quot;openssl verify -purpose sslserver ..." <br>
++  #<br>
++  smtpd_tls_cert_file = /etc/postfix/server.pem <br>
++  smtpd_tls_key_file = $smtpd_tls_cert_file <br>
++  # <br>
++  # Les équivalents DSA<br>
++  smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem <br>
++  smtpd_tls_dkey_file = $smtpd_tls_dcert_file <br>
++  #<br>
++  # le certificat a été délivré par une autorité de certification (CA) le certificat 
++  CA de celui-ci doit &ecirc;tre disponible<br>
++  # si il n'est pas dans le fichier de certificats.<br>
++  # Ce fichier peut également contenir les les certificats de CA d'autres CA de 
++  confiance.<br>
++  # Vous devez utiliser ce fichier pour la liste de CA de confiance si vous voulez 
++  utiliser le mode chroot.<br>
++  # Il n'y a pas de valeurs par defaut<br>
++  #<br>
++  # smtpd_tls_CAfile = /etc/postfix/CAcert.pem <br>
++  <br>
++  # pour vérifier le certificat de pair, nous devons connaître les certificats des 
++  autorités de certification. Ces certificats sont au format PEM<br>
++  # et sont rassemblés dans un répertoire. Les m&ecirc;mes CA sont offerts aux 
++  clients pour la v&eacute;rification. N'oubliez pas de cr&eacute;er<br>
++  # les tables de hachages n&eacute;cessaires avec $OPENSSL_HOME/bin/c_rehash 
++  /etc/postfix/certs. Une place classique<br>
++  # pour les certificats CA peut &ecirc;tre aussi $OPENSSL_HOME/certs, il n'y 
++  a donc aucune valeur par d&eacute;faut et vous avez &agrave;<br>
++  # le sp&eacute;cifier ici<br>
++  #<br>
++  # Pour utiliser cette option en mode chroot&eacute;, ce r&eacute;pertoire ou 
++  une copie de celui-ci doit &ecirc;tre dans la 'cage'. Veuillez noter &eacute;galement<br>
++  # que les CA list&eacute;s dans ce r&eacute;pertoire ne sont pas list&eacute;s 
++  aux clients, Netscape ne peut donc pas offrir de certificats &eacute;mis par 
++  ceux ci.<br>
++  #<br>
++  # Je n'encourage pas &agrave; l'utilisation de cette option<br>
++  <br>
++  smtpd_tls_CApath = /etc/postfix/certs <br>
++  <br>
++  # Pour obtenir des informations suppl&eacute;mentaires pendant la mise en place 
++  et les n&eacute;gociations TLS<br>
++  # vous pouvez augmenter le niveau de journalisation de 0 &agrave; 4:<br>
++  # 0 : rien a propos du TLS<br>
++  # 1 : Notification de mise en route et information de certificat <br>
++  # 2 : 1 + impression des niveaux pendant la négociation <br>
++  # 3 : 2 + hexa et vidage mémoire Ascii du processus de négociation <br>
++  # 4 : 4: 3 + hexa et vidage mémoire Ascii de transmission complète après STARTTLS 
++  <br>
++  # utilisez le niveau 3 uniquement en cas de probl&eacute;mes. L'utilisation 
++  du niveau 4 est fortement d&eacute;conseillée.<br>
++  #<br>
++  # smtpd_tls_loglevel = 0 <br>
++  # Afin d'inclure des informations sur le protocole et le cryptage utilis&eacute; 
++  aussi bien que le client et l'émetteur <br>
++  # dans l'ent&ecirc;te &quot;Received:&quot;, positionnez la variable smtpd_tls_received_header 
++  &agrave; true. Par d&eacute;faut elle est a no, <br>
++  # du fait que cette information n'est pas forc&eacute;ment authentique. Seulement 
++  la destination finale est fiable, <br>
++  # puisque les en-têtes pourraient avoir été modifi&eacute;es entre temps.<br>
++  #<br>
++  # smtpd_tls_received_header = yes<br>
++  <br>
++  # Vous pouvez IMPOSER l'utilisation de TLS, de sorte qu'on ne permette aucune 
++  commande (excepté QUIT naturellement) <br>
++  # sans TLS. Selon la RFC2487 ceci NE DOIT PAS être appliquée dans le cas d'un 
++  serveur SMTP public. Cette option est <br>
++  # donc inactive par defaut et ne doit &ecirc;tre utilisée que rarement. 
++  Cette fonction implique<br>
++  # smtpd_use_tls = yes <br>
++  #<br>
++  #smtpd_enforce_tls = no <br>
++  # <br>
++  # Sans compter que quelques clients, comme outlook express pref&egrave;re utiliser 
++  un mode d'emballage non-standard et non les<br>
++  # am&eacute;liorations STARTTLS de SMTP.<br>
++  # Ceci est vrai pour outlook express ( Win32 &lt; 5.0 et Win 32 &gt;= 5.0 quand 
++  on l'utilise sur un port differents de 25<br>
++  # et sur 5.01 pour Mac sur tous les ports<br>
++  # Il est strictement découragé d'utiliser utiliser ce mode depuis main.cf. Si 
++  vous voulez <br>
++  # supporter ce service, rajoutez un port spécial dans master.cf. Le port 465 
++  (smtps) a été choisi pour ce dispositif. <br>
++  # smtpd_tls_wrappermode = no<br>
++  <br>
++  # Pour recevoir un certificat de client, le serveur doit explicitement en demander 
++  un. Par conséquent Netscape se plaindra <br>
++  # si aucun certificat n'est disponible (pour la liste des CA dans /etc/postfix/certs) 
++  ou vous offrira des certificats clients<br>
++  # pour choisir. Ceci peut être ennuyeux, ainsi cette option est "Off" par défaut 
++  . <br>
++  # Vous aurez peut &ecirc;tre besoin du certificat si vous voulez faire du relayage 
++  &agrave; partir des certificats<br>
++  #<br>
++  # smtpd_tls_ask_ccert = no <br>
++  <br>
++  # Vous pouvez également décider D'EXIGER d'un certificat de client afin de permettre 
++  des connexions de TLS. <br>
++  # Je ne pense pas que ce sera nécessaire souvent, il est cependant inclus ici. 
++  Cette option smtpd_tls_ask_ccert = yes<br>
++  # <br>
++  # Notez bien que ceci empêchera des connexions TLS sans un certificat appropri&eacute;, 
++  et n'a de sens que dans le cas<br>
++  # de soumission normal desactiv&eacute;e (smtpd_enforce_tls). Autrement les 
++  clients peuvent &eacute;viter ceci en n'utilisant pas du tout <br>
++  # STARTTLS. Quand TLS n'est pas imposé, la connexion ne sera trait&eacute;e comme 
++  si smtpd_tls_ask_ccert = yes <br>
++  # &eacute;tait activ&eacute; et une information est journalis&eacute;e.<br>
++  <br>
++  # smtpd_tls_req_ccert = no<br>
++  <br>
++  # la profondeur de vérification pour des certificats de client. Une profondeur 
++  de 1 est suffisante si le certificat<br>
++  # est &eacute;mis directement par un CA list&eacute; dans la liste des CA.<br>
++  # La valeur par defaut (5) suffit également pour de plus longues chaînes (le 
++  root CA émet le CA spécial <br>
++  # qui délivre alors le certificat réel...)<br>
++  <br>
++  # smtpd_tls_ccert_verifydepth = 5 <br>
++  <br>
++  # le serveur et le client négocient une session, qui prend un certain temps 
++  machine  et une largeur de bande passante.<br>
++  # La session est cachée seulement dans le processus de smtpd réellement en utilisant 
++  cette session et est détruite <br>
++  # quand le processus meurt pour partager l'information de session entre les 
++  processus de smtpd, <br>
++  # antémémoire de session peut être utilisée avec des bases de donn&eacute;es 
++  SDBM (sous-programmes inclus dans Postfix/TLS)<br>
++  # Puisque l'écriture concourante doit être supportée seulement SDBM peut être 
++  utilisé. <br>
++  <br>
++  smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache <br>
++  <br>
++  # les sessions cachées ont un delais d'attente. Je n'utilise pas le défaut d'OpenSSL 
++  de 300sec, mais un plus long temps <br>
++  # de 3600sec (= 1 heure). RFC2246 recommande un maximum de 24 heures <br>
++  <br>
++  # smtpd_tls_session_cache_timeout = 3600s <br>
++  <br>
++  # deux options supplémentaires a été ajoutées pour la commande de relais aux 
++  règles d'UCE<br>
++  # permit_tls_clientcerts (a) <br>
++  # et <br>
++  # permit_tls_all_clientcerts. (b) <br>
++  # <br>
++  # Si une de ces options est ajout&eacute;e <br>
++  # smtpd_recipient_restrictions<br>
++  # postfix va relayer si<br>
++  # (a) Un client valide (v&eacute;rification faite) est pr&eacute;sent&eacute; 
++  et que son empreinte est inscrite dans la liste des certificats clients<br>
++  # (relay_clientcerts), <br>
++  # (b) n'importe quel client valide (v&eacute;rification faite) est pr&eacute;sent&eacute;.<br>
++  #<br>
++  # L'option (b) doit seulement être utilisée, si un CA spécial délivre les certificats 
++  et seulement ce CA <br>
++  # est énuméré en tant que CA de confiance. Si on fait confiance &agrave; d'autres 
++  CA tout propriétaire d'un certificat client valide <br>
++  # peut &ecirc;tre relay&eacute;. L'option (b) peut être pratique pour un relais 
++  sp&eacute;cialement cr&eacute;&eacute;. Il est recommande cependant de rester 
++  <br>
++  # avec l'option (a) et d'énumérer tous les certificats, car (b) ne permet aucun 
++  contr&ocirc;le quand un certificat ne doit<br>
++  # plus être utilisé (par exemple un employé partant). <br>
++  <br>
++  # smtpd_recipient_restrictions = ... permit_tls_clientcerts ...<br>
++  <br>
++  # La liste de certificats de client pour lesquels le relais sera permis.<br>
++  # Malheureusement les sous-programmes pour des listes utilise des espaces comme 
++  s&eacute;parateurs <br>
++  # et s'emm&egrave;le sur les caract&egrave;res sp&eacute;ciaux<br>
++  # Ainsi l'utilisation du certificat # du X509ONELINES est tout à fait impraticable. 
++  Nous utiliserons donc <br>
++  # les empreintes digitales à ce point, car il est difficile de les truquer mais 
++  facile à utiliser pour la consultation <br>
++  # pendant que le postmap (en utilisant par exemple le DB) exige d'avoir une 
++  paire de clé et de valeur, <br>
++  # mais nous avons besoin seulement de la clef, la valeur pouvant être choisie 
++  librement, par exemple le nom <br>
++  # de l'utilisateur ou de l'hôte: <br>
++  # D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home<br>
++  <br>
++  # relay_clientcerts = hash:/etc/postfix/relay_clientcerts <br>
++  <br>
++  # Pour influencer la s&eacute;lection du cryptage, vous pouvez donner une liste 
++  de cryptage.<br>
++  # Une description compl&egrave;te irait troin loin ici, allez voir la documentation 
++  sur le site d'OpenSSL<br>
++  # Si vous ne savez pas quoi faire avec, n'y touchez pas et laissez celui d'openssl 
++  par defaut <br>
++  # N'UTILISEZ PAS " pour entourer la chaîne de caractères, juste la chaîne de 
++  caractères!!! <br>
++  #<br>
++  # smtpd_tls_cipherlist = default<br>
++  <br>
++  # Si vous voulez tirer profit du chiffrage avec EDH, les paramètres de DH sont 
++  nécessaires.<br>
++  # Ils sont construits dans les param&egrave;tres DH pour &agrave; la fois le 
++  1025&eacute;me et le 512&eacute;me bit disponible<br>
++  # Il vaut mieux cependant avoir ses &quot;propres&quot; param&egrave;tres, puisqu'autrement 
++  ce serait &quot;payant&quot; pour un<br>
++  # 'pirates' d'attaquer en brute force ces param&egrave;tres qui sont utilis&eacute;s 
++  commun&eacute;ment.<br>
++  # Pour cette raison, les paramètres choisis sont déjà différents de ceux distribués 
++  avec le package TLS<br>
++  <br>
++  # Pour produire de votre propre ensemble de paramètres, faites :<br>
++  # openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024 
++  <br>
++  # openssl gendh -out /etc/postfix/dh_512.pem -2 -rand /var/run/egd-pool 512 
++  <br>
++  # Votre source pour la g&eacute;n&eacute;ration al&eacute;atoire peut varier; 
++  sur des yst&egrave;mes linux c'est /dev/random<br>
++  # Pour d'autres syst&egrave;mes vous pouvez consulter "Entropy Gathering Daemon 
++  EGD", <br>
++  # disponible sur http://www.lothar.com/tech/crypto/. <br>
++  <br>
++  smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem <br>
++  smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem <br>
++  <br>
++  # le smtpd_starttls_timeout param&egrave;tre la limite de temps en secondes pour 
++  lire et &eacute;crire<br>
++  # les op&eacute;rations pendant les proc&eacute;dures de 'serrages de mains' 
++  (SSL handshake) <br>
++  # <br>
++  # smtpd_starttls_timeout = 300s <br>
++  <br>
++  # Main.cf smtp (client) variables sp&eacute;cifiques<br>
++  # Pendant la négociation de démarrage nous pourrions présenter un certificat 
++  au serveur. Netscape <br>
++  # est plutôt intelligent ici et laisse l'utilisateur choisi entre seulement 
++  ceux qui corresipondront &agrave; ceux reçus du serveur<br>
++  # Comme j'utilise simplement la commande "SSL_connect()" du package OpenSSL, 
++  ceci n'est pas encore possible<br>
++  # et nous ne devons choisir qu'un certificat.<br>
++  # Le param&egrave;tre par defaut est de n'utiliser aucun certificat/clef a moins 
++  de de le d&eacute;finir ici.<br>
++  # Si un certificat est pr&eacute;sent il doit &ecirc;tre au format PEM, la clef 
++  priv&eacute;e ne doit pas &ecirc;tre encrypt&eacute;e : concr&eacute;tement<br>
++  # cela veut dire qu'elle doit &ecirc;tre accessible sans mot de passe. LA clef 
++  et le certificats peuvent &ecirc;tre dans le m&ecirc;me fichier.<br>
++  <br>
++  # Afin de contr&ocirc;ler les certificats, le certificat CA doit &ecirc;tre 
++  disponible (dans le cas d'une chaine de certificats, tous les <br>
++  # certificats CA).<br>
++  # Exemple: le certificat pour &quot;moi.chez.moi.fr&quot; a &eacute;t&eacute; 
++  &eacute;mis par &quot;intermedaire CA&quot; qui lui-m&ecirc;me<br>
++  # a un certificat de &quot;racine CA&quot;. Cr&eacute;ez le client.pem par : 
++  <br>
++  # 'cat client_cert.pem intermediaire_CA.pem racine_CA.pem > client.pem'<br>
++  # <br>
++  # Si vous voulez accepter vous m&ecirc;mes les certificats &eacute;mis par ces 
++  CA, vous pouvez &eacute;galement ajouter<br>
++  # les certificats CA au fichier smtp_tls_CAfile, dans ce cas il n'est pas n&eacute;cessaire 
++  de les avoir <br>
++  # dans le fichier smtp_tls_[d]cert_file<br>
++  <br>
++  # Un certificat fourni ici doit être utilisable en tant que certificat de client 
++  de SSL et passer le test<br>
++  # "openssl verify -purpose sslclient ..." <br>
++  <br>
++  smtp_tls_cert_file = /etc/postfix/client.pem <br>
++  smtp_tls_key_file = $smtp_tls_cert_file <br>
++  <br>
++  # Le certificat a été délivré par une autorité de certification (CA), son certificat 
++  CA doit &ecirc;tre disponible, si il n'est<br>
++  # pas dans le fichier de certificat<br>
++  # Ce fichier peut aussi contenir les certificats CA d'autres CA de confiance.<br>
++  # Vous devez utiliser ce fichier pour lister les CA de confiance si voulez utiiser 
++  le mode chroot<br>
++  # Cette variable n'a aucune valeur fixèe par d&eacute;faut<br>
++  <br>
++  smtp_tls_CAfile = /etc/postfix/CAcert.pem <br>
++  <br>
++  # Pour vérifier le certificat de pair, nous devons connaître les certificats des 
++  autorités de certification. Ces certificats <br>
++  # au format PEM sont rassemblés en répertoire. N'oubliez pas de cr&eacute;er 
++  les tables de hachage n&eacute;cessaires avec<br>
++  # un $OPENSSL_RACINE/bin/c_rehash /etc/postfix/certs, il n'y a pas de valeurs 
++  par defaut et vous devez en <br>
++  # renseigner une ici<br>
++  # Pour utiliser cette option en mode chroot, ce repertoire ou une copie de celui-ci 
++  doit &ecirc;tre dans la cage<br>
++  <br>
++  smtp_tls_CApath = /etc/postfix/certs <br>
++  <br>
++  # Pour obtenir des informations supl&eacute;mentaires pendant la mise en place 
++  et les n&eacute;gociations TLS<br>
++  # vous pouvez augmenter le niveau de journalisation de 0 &agrave; 4:<br>
++  # 0 : rien a propos du TLS<br>
++  # 1 : Notification de mise en route et information de certificat <br>
++  # 2 : 1 + impression des niveaux pendant la négociation <br>
++  # 3 : 2 + hexa et vidage mémoire Ascii du processus de négociation <br>
++  # 4 : 4: 3 + hexa et vidage mémoire Ascii de transmission complète après STARTTLS 
++  <br>
++  # utilisez le niveau 3 uniquement en cas de probl&eacute;mes. L'utilisation 
++  du niveau 4 est fortement d&eacute;conseillée.<br>
++  <br>
++  smtp_tls_loglevel = 0 <br>
++  <br>
++  # le serveur et le client négocient une session, qui prend un certain temps 
++  machine machine et une certaine bande passante.<br>
++  # La session est cachée seulement dans le processus de smtpd réellement en utilisant 
++  cette session et est détruite <br>
++  # quand le processus meurt pour partager l'information de session entre les 
++  processus de smtpd, <br>
++  # antémémoire de session peut être utilisée avec des bases de donn&eacute;es 
++  SDBM (sous-programmes inclus dans Postfix/TLS)<br>
++  # Puisque l'écriture concourante doit être supportée, seulement SDBM peut être 
++  utilisé. <br>
++  <br>
++  smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache <br>
++  <br>
++  # les sessions cachées ont un delais d'attente. Je n'utilise pas le défaut d'OpenSSL 
++  de 300sec, mais un plus long temps <br>
++  # de 3600sec (= 1 heure). RFC2246 recommande un maximum de 24 heures <br>
++  <br>
++  # Par defaut TLS est d&eacute;sactiv&eacute;, ainsi aucune différence au Postfix 
++  ordinaire n'est visible. Si vous l'activez <br>
++  # TLS sera utilis&eacute; quand le serveur l'offrira.<br>
++  # ATTENTION : Je n'ai pas eu accès à d'autres logiciels (autres que ceux énumérés) 
++  pour tester l'interaction.<br>
++  # Sur certaines listes de diffusions il y a eu une discussion a propos des serveurs 
++  MS EXCHANGE qui offre TLS<br>
++  # m&ecirc;me si il n'est pas configur&eacute;, ainsi il pourrait être sage de 
++  ne pas utiliser ceci sur votre serveur central de messagerie<br>
++  # car vous ne savez pas &agrave; l'avance si vous allez rencontrer ce genre 
++  de serveur. Utilisez les options de recipient/site à la place .<br>
++  # Conseil: je l'ai activ&eacute; sur mes serveurs de courrier et je n'a eu qu'une 
++  panne depuis que la version client de TLS <br>
++  # est impl&eacute;ment&eacute;e (c'&eacute;tait un serveur EXCHANGE mal configur&eacute;, 
++  j'ai contact&eacute; l'administrateur).<br>
++  # Par cons&eacute;quent j'en suis satisfait  de l'utiliser tout le temps, mais 
++  je suis toutefois int&eacute;ress&eacute; par des tests.<br>
++  # Cependant vous aurez &eacute;t&eacute; pr&eacute;venu ;-)<br>
++  <br>
++  # Dans le cas d'un echec, un code &quot;4xx&quot; (ndt: erreur temporaire) est 
++  &eacute;mis et le message reste dans la file d'attente<br>
++  # Sp&eacute;cifiez le ici si vous le voulez<br>
++  <br>
++  smtp_use_tls = yes <br>
++  <br>
++  # Vous pouvez IMPOSER l'utilisation de TLS, de sorte que seulement des connexions 
++  avec TLS soient accept&eacute;es<br>
++  # De plus, le nom de l'h&ocirc;te doit &ecirc;tre identique au nom contenu dans 
++  le certificat. En outre, le certtificat doit <br>
++  # passer avec succ&egrave;s la v&eacute;rification, le client doit faire confiance 
++  &agrave; l'entit&eacute; de certification qui a &eacute;mis le certificat.<br>
++  # Si le certificat ne correspond pas au nom de la machine ou si le test de v&eacute;rification 
++  &eacute;choue un code &quot;4xx&quot; <br>
++  # va &ecirc;tre envoy&eacute; et le message va rester en file d'attente.<br>
++  # Le nom d'h&ocirc;te utilis&eacute; est &eacute;vident, en effet il doit &ecirc;tre 
++  le nom principal de la machine (pas de CNAME ici).<br>
++  # Le comportement peut être changé avec l'option de smtp_tls_enforce_peername 
++  <br>
++  <br>
++  # smtp_tls_enforce_peername = yes <br>
++  <br>
++  # Comme offrir TLS par d&eacute;faut peut &ecirc;tre une mauvaise id&eacute;ee 
++  (quelques machines offre STARTTLS mais<br>
++  # la n&eacute;gociation va &eacute;chouer avec des erreurs inexpliquables, il 
++  peut &ecirc;tre une bonne id&eacute;e de d&eacute;cider selon<br>
++  # le destinataire ou la machine distante sur laquelle vous vous connectez<br>
++  <br>
++  # D&eacute;cider par destinataire peut &ecirc;tre difficile, car un seul message 
++  peut avoir plusieurs destinataires.<br>
++  # Nous allons utiliser le m&eacute;canisme &quot;nexthop&quot; (prochain saut) 
++  interne de Postfix.<br>
++  # Quand un message va &ecirc;tre d&eacute;livr&eacute;, the &quot;nexthop&quot; 
++  est obtenu. Si il correspond &agrave; une entr&eacute;e<br>
++  # dans la liste smtp_tls_per_site, une action appropriée est effectu&eacute;e<br>
++  # Une entr&eacute;e dans la table de transport ou l'utilisation de relay_host 
++  r&eacute;ecrivent le param&egrave;tre &quot;nexthop&quot;<br>
++  # dans ce cas l'h&ocirc;te de relayage doit &ecirc;tre indiqu&eacute; dans la 
++  liste. Dans tous les cas le nom <br>
++  # de l'hote &agrave; contacter est r&eacute;solu (en fait l'enregistrement MX 
++  ou le nom de la machine si il n'y a pas de MX)<br>
++  # Conseil sp&eacute;cial pour le renforcement: <br>
++  # puisqu'il n'y a aucun moyen disponible pour s&eacute;curiser les r&eacute;solutions 
++  DNS , le param&egrave;trage recommand&eacute; est:<br>
++  # mettez les domaines sensibles dans une table de transport (vous pouvez ainsi 
++  vous assurer de la s&eacute;curit&eacute;<br>
++  # de cette table &agrave; la diff&eacute;rence de DNS), puis param&eacute;trez 
++  &agrave; MUST cet h&ocirc;te de messagerie.<br>
++  <br>
++  # Format de la table:<br>
++  # Le entr&eacute;es clefs sont sur le cot&eacute; gauche, les jokers ne sont 
++  pas autoris&eacute;s. Sur la partie droite<br>
++  # les mots clefs NONE (n'utilise pas TLS), MAY (essaye d'utiliser TLS si il 
++  est offert, sinon pas de probl&egrave;mes)<br>
++  # MUST (force l'usage de TLS, v&eacute;rifie le nom du certificat server avec 
++  le nom du serveur), MUST_NOPEERMATCH<br>
++  # (force l'usage de TLS et v&eacute;rifie le certificat, mais ignore les diff&eacute;rences 
++  entre le nom commun du certificat et le nom<br>
++  # de la machine).<br>
++  # dom.ain NONE <br>
++  # host.dom.ain MAY <br>
++  # important.host MUST <br>
++  # some.host.dom.ain MUST_NOPEERMATCH </p>
++<p># Si une entr&eacute;e ne correspond pas la politique par d&eacute;faut est 
++  appliqu&eacute;e; si la politique par d&eacute;faut est &quot;enforce&quot;,<br>
++  # NONE la d&eacute;sactive explicitement, sinon le mode &quot;enforce&quot; 
++  est utilis&eacute; m&ecirc;me pour les entr&eacute;es &quot;MAY&quot;<br>
++  # <br>
++  smtp_tls_per_site = hash:/etc/postfix/tls_per_site <br>
++  <br>
++  # la profondeur de vérification pour des certificats de client. Une profondeur 
++  de 1 est suffisante si le certificat<br>
++  # est &eacute;mis directement par un CA list&eacute; dans la liste des CA.<br>
++  # La valeur par defaut (5) suffit également pour de plus longues chaînes (le 
++  root CA émet le CA spécial <br>
++  # qui délivre alors le certificat réel...) <br>
++  <br>
++  # smtp_tls_scert_verifydepth = 5 <br>
++  <br>
++  # Comme nous avons d&eacute;cidé d'opter pour une politique &quot;par site&quot; 
++  afin d'utiliser ou non TLS, il serait interessant<br>
++  # d'avoir une liste de sites offrant STARTTLS. Nous pouvons la r&eacute;cup&eacute;rer 
++  nous m&ecirc;mes avec cette option:<br>
++  # Si ce param&egrave;tre est activ&eacute; et que TLS n'est pas activ&eacute; 
++  pour cet h&ocirc;te, une ligne est ajout&eacute; dans le fichier<br>
++  # de journalisation:<br>
++  # postfix/smtp[pid]: Host offered STARTTLS: [nom.de.la.machine] <br>
++  # smtp_tls_note_starttls_offer = yes <br>
++  <br>
++  # Pour influencer la s&eacute;lection du cryptage, vous pouvez donner une liste 
++  de cryptage.<br>
++  # Une description compl&egrave;te irait troin loin ici, allez voir la documentation 
++  sur le site d'OpenSSL<br>
++  # Si vous ne savez pas quoi faire avec, n'y touchez pas et laissez celui d'openssl 
++  par defaut <br>
++  # N'UTILISEZ PAS " pour entourer la chaîne de caractères, juste la chaîne de 
++  caractères!!! <br>
++  #<br>
++  # smtp_tls_cipherlist = DEFAULT <br>
++  <br>
++  # le smtp_starttls_timeout param&egrave;tre limite le temps en secondes pour 
++  lire et &eacute;crire<br>
++  # les op&eacute;rations pendant les proc&eacute;dures de 'serrages de mains' 
++  (SSL handshake) <br>
++  # <br>
++  # smtp_starttls_timeout = 300s <br>
++</p>
++<p>main.cf : variables g&eacute;n&eacute;rales</p>
++<p># Afin d'alimenter le PRNG Pseude Random Number Generator (pseudo g&eacute;n&eacute;rateur 
++  de nombres al&eacute;atoires),<br>
++  # des donn&eacute;es al&eacute;atoires sont n&eacute;c&eacute;ssaires. Le 'stock' 
++  de PRNG est mis &agrave; jour par le d&eacute;mon &quot;tlsmgr&quot; et est 
++  utilis&eacute; (lu) <br>
++  # par les process smtp(d) après avoir ajouté encore plus d'entropie par l'agitation 
++  du temps et de l'identifiant du process.<br>
++  # le fichier, qui est de temps en temps r&eacute;&eacute;crit par tlsmgr, est 
++  cr&eacute;&eacute; si il n'existe pas. Une valeur par d&eacute;faut est donn&eacute;e<br>
++  # et doit s&ucirc;rement &ecirc;tre dans la partition /var mais PAS dans la 
++  cage de chroot.<br>
++  <br>
++  # tls_random_exchange_name = /etc/postfix/prng_exch <br>
++  <br>
++  # Pour alimenter le stock PRNG, l'entropie est lue depuis une source externe, 
++  &agrave; la fois au d&eacute;marrage et pendant l'&eacute;xecution<br>
++  # Sp&eacute;cifiez ici une bonne source, comme EGD ou /dev/urandom, soyez certains 
++  de ne pas utiliser des sources bloquantes<br>
++  # Dans les deux cas, 32 octets sont lus &agrave; chaque 'alimentation' (qui 
++  est une quantit&eacute; de 256 bits et par conséquent <br>
++  # assez bon pour des clefs sym&eacute;triques de 128bits)<br>
++  # Vous devez sp&eacute;cifier la type de sources : &quot;dev:&quot; pour un 
++  pour un fichier spécial de p&eacute;riph&eacute;rique ou &quot;egd:&quot; pour<br>
++  # une source avec un port de communication (socket) compatible avec l'interface 
++  EGD. Un maximum de 255 octets<br>
++  # est lu depuis ces sources &agrave; chaque &eacute;tape.<br>
++  # Si vous sp&eacute;cifiez un fichier normal, un plus grand nombre de donn&eacute;es 
++  peut &ecirc;tre lu.<br>
++  <br>
++  # La source d'entropie est interrog&eacute;e de nouveau apr&egrave;s un certains 
++  temps. ce temps est calcul&eacute; en utilisant le PRNG,<br>
++  # il est compris entre 0 et le temps sp&eacute;cifi&eacute;, un defaut est sp&eacute;cifi&eacute; 
++  &agrave; 1 heure<br>
++  <br>
++  # tls_random_source = dev:/dev/urandom <br>
++  tls_random_source = egd:/var/run/egd-pool <br>
++  # tls_random_bytes = 32 <br>
++  # tls_random_reseed_period = 3600s <br>
++  <br>
++  # Le stock PRNG dans tlsmgr est utilis&eacute; pour reg&eacute;n&eacute;rer 
++  le fichier de 1024 octets qui est lu par smtp(d). Le temps, apr&egrave;s lequel<br>
++  # le fichier d'&eacute;change se trouve reg&eacute;n&eacute;r&eacute; est calcul&eacute; 
++  en utilisant le PRNG, il est compris entre 0 et le temps sp&eacute;cifi&eacute;, 
++  <br>
++  # le defaut est un maximum de 60 secondes<br>
++  <br>
++  # tls_random_upd_period = 60s<br>
++  <br>
++  # Si vous avez une source d'entropie disponible, qui n'est pas facilement vid&eacute;e 
++  (comme /dev/urandom), les d&eacute;mons<br>
++  # peuvent aussi charger une entropie suppl&eacute;mentaire au d&eacute;marrage 
++  depuis une source sp&eacute;cifi&eacute;e. Par défaut une quantité<br>
++  # de 32 octets est lue, équivalent à 256 bits. Ceci est plus que suffisant pour 
++  g&eacute;n&eacute;rer une clef de session de 128 (ou 168) bits<br>
++  # mais nous avons &agrave; en g&eacute;n&eacute;rer plus d'une. L'utilisation 
++  de cette option peut vider EGD (en prenant le cas de 50 smtp <br>
++  # d&eacute;marrant avec une file d'attente pleine en faisant &quot;postfix start&quot;, 
++  ceci devrait requ&eacute;rir 1600 octets d'entropie). Ceci<br>
++  # n'est cependant pas une cause d'arr&ecirc;t, du fait que les donn&eacute;es 
++  d'entropie peuvent &ecirc;tre lues depuis le fichier d'&eacute;change.<br>
++  <br>
++  # tls_daemon_random_source = dev:/dev/urandom <br>
++  tls_daemon_random_source = egd:/var/run/egd-pool <br>
++  # tls_daemon_random_bytes = 32 </p>
++<p>master.cf: le d&eacute;mon tlsmgr</p>
++<p>Si vous n'avez pas de p&eacute;riph&eacute;rique /dev/urandom ou si vous n'utilisez 
++  pas le syst&egrave;me de cache de session, vous devez lancer <br>
++  le d&eacute;mon tlsmgr (voir conf/master.cf). Tlsmgr a besoin d'avoir acc&eacute;s 
++  &agrave; la source d'entropie et ne peut (encore) &ecirc;tre &eacute;x&eacute;cut&eacute; 
++  <br>
++  dans une cage. Il peut restreindre ses privilèges, si les sources d'entropie 
++  (par exemple /dev/urandom ou un port de communication<br>
++  (socket) EGD) n'ont pas des restrictions d'accès.<br>
++  <br>
++  # ========================================================================== 
++  <br>
++  # service type private unpriv chroot wakeup maxproc command + args <br>
++  # (yes) (yes) (yes) (never) (50) <br>
++  # ========================================================================== 
++  <br>
++  tlsmgr fifo - - n 300 1 tlsmgr </p>
++<p>master.cf: services suppl&eacute;menentaires</p>
++<p> Il peut &ecirc;tre pratique d'avoir postfix écoutant sur des ports suppl&eacute;mentaires, 
++  nomm&eacute;s &quot;submission&quot;=587 pour la <br>
++  soumission d'email comme défini dans la RFC2476; c'est particulièrement utile 
++  si vous voulez permettre une authentification<br>
++  avec des mots de passes en clair (PLAIN,LOGIN) et par conséquent exécuter sur 
++  un port avec l'application de <br>
++  chiffrement. Un autre port utile peut être "smtps"=465 qui a été destiné pour 
++  l'emballage TLS et qui est toujours<br>
++  utlis&eacute; par outlook (express)<br>
++  <br>
++  Les deux entrées d'exemple contiennent déjà les indicateurs pour permettre l'authentification 
++  de SASL (qui peut être <br>
++  desactiv&eacute; sur le port normal). Puisque les noms réels de service sont 
++  utilisés, les smtps et la soumission doivent être définis<br>
++  dans /etc/services (et probablement aussi dans / var/spool/postfix/etc/services 
++  si &eacute;xecut&eacute; dans une cage)!!! <br>
++  (utilisez les num&eacute;ros de ports autrement.) <br>
++  <br>
++  # ========================================================================== 
++  <br>
++  # service type private unpriv chroot wakeup maxproc command + args <br>
++  # (yes) (yes) (yes) (never) (50)<br>
++  # ========================================================================== 
++  <br>
++  smtps inet n - y - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes 
++  <br>
++  submission inet n - y - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes 
++</p>
++</body>
++</html>
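Review bot: several visible typos and mistranslations in the conf.html hunk need fixing before this ships as user documentation: `1025&eacute;me et le 512&eacute;me bit` should read 1024 (the parameter below is `smtpd_tls_dh1024_param_file`), `yst&egrave;mes linux` is missing its leading `s`, `troin loin` appears in both the smtpd and smtp cipherlist comments and should be `trop loin`, `machine machine` is doubled in the smtp session-cache comment, the loglevel list has a doubled label in `# 4 : 4: 3 + hexa`, the sentence `l'utilisation du certificat # du X509ONELINES` carries a stray `#`, and `the &quot;nexthop&quot;` leaves an English article in the French text. On encoding, the same paragraphs mix literal 8-bit characters (`négocient`, `délais`) with entity forms (`donn&eacute;es`, `&agrave;`); since the literal bytes travel through the dpatch, use one form (entities are the safe choice) so the applied file renders identically however the patch tool handles non-ASCII input. Lastly, the `relay_clientcerts` example `D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home` shows a 16-byte (128-bit) fingerprint without saying which digest produced it; the text should name the hash so administrators generate entries that actually match what smtpd looks up.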
+diff -urNad postfix-release/tls/doc_french/index.html /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/index.html
+--- postfix-release/tls/doc_french/index.html	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/index.html	2005-02-03 10:22:13.101087544 -0700
+@@ -0,0 +1,35 @@
++<html>
++<head>
++<title>Untitled Document</title>
++<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
++</head>
++
++<body bgcolor="#FFFFFF">
++<p><b>Postfix/tls - Une extension TLS pour Postfix </b></p>
++<p><b>Contenu : </b></p>
++<p><a href="intro.html">Introduction </a></p>
++<p><a href="install.html">Installation de la mise à jour </a></p>
++<p><a href="setup.html">Configurer les certificats </a></p>
++<p><a href="conf.html">Configurer main.cf </a></p>
++<p><a href="security.html">Considérations de sécurité </a></p>
++<p><a href="test.html">Tester </a></p>
++<p>RAPPELEZ VOUS QU'IMPORTER/EXPORTER ET/OU L'USAGE DE LOGICIELS USANT<br>
++  DE CHIFFREMENT FORT, FOURNIR DES POINTS D'ENTREE POUR DES FONCTIONS <br>
++  CRYPTOGRAPHIQUES OU DIVULGUER DES TECHNIQUES DE CRYPTOGRAPHIE EST<br>
++  ILLEGAL DANS CERTAINES PARTIES DU MONDE. DONC SI VOUS IMPORTEZ CE <br>
++  PAQUET DANS VOTRE PAYS, LE REDISTRIBUEZ DEPUIS ICI OU MEME JUSTE<br>
++  ENVOYER DES SUGGESTIONS TECHNIQUES PAR COURRIER ELECTRONIQUE OU <br>
++  MEME DES CORRECTIONS DE SOURCES A L'AUTEUR OU D'AUTRES PERSONNES<br>
++  VOUS ETES LARGEMENT INVITE A FAIRE ATTENTION A TOUTES LES LOIS<br>
++  CONCERNANT L'IMPORT/EXPORT QUI S'APPLIQUENT DANS VOTRE PAYS.<br>
++  L'AUTEUR DE POSTFIX/TLS NE PEUT PAS ETRE TENU POUR RESPONSABLE EN CAS<br>
++  DE VIOLATION. DONC FAITES TRES ATTENTION, IL EN VA DE VOTRE RESPONSABILITE.</p>
++<p>&nbsp;</p>
++<p>Lutz Jänicke,<a href="http://www.aet.tu-cottbus.de/personen/jaenicke/"> Homepage</a>, 
++  Email: <a href="mailto:Lutz.Jaenicke at aet.TU-Cottbus.DE">Lutz.Jaenicke at aet.TU-Cottbus.DE</a> 
++</p>
++Merci a tous ceux qui m'ont aidé sur #linuxfr  ;-)
++</body>
++</html>
++
++
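Review bot: the index.html page keeps the editor placeholder `<title>Untitled Document</title>`; it should carry the page title already present in the body (`Postfix/tls - Une extension TLS pour Postfix`). The `mailto:` href contains ` at ` rather than `@`, so as written the link is not a valid mailto URI; if this is archive munging rather than file content, ignore this point, otherwise restore the address. The file declares `charset=iso-8859-1` but mixes literal accented characters (`mise à jour`, `Considérations de sécurité`, `aidé`) with entities (`&nbsp;`), which is fragile when the file passes through the patch pipeline; converting the literals to entities removes the dependency on byte encoding. The closing line `Merci a tous ceux qui m'ont aidé sur #linuxfr  ;-)` sits outside any `<p>` and the hunk ends with two empty lines that can be dropped.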
+diff -urNad postfix-release/tls/doc_french/install.html /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/install.html
+--- postfix-release/tls/doc_french/install.html	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/install.html	2005-02-03 10:22:13.101087544 -0700
+@@ -0,0 +1,57 @@
++<html>
++<head>
++<title>Untitled Document</title>
++<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
++</head>
++
++<body bgcolor="#FFFFFF">
++<p>postfix/TLS - Installation de la mise a jour</p>
++<p>Pr&eacute;requis:<br>
++  Postfix Version 2.1.0<br>
++  http://www.postfix.org </p>
++<p>L'utilisation d'autres versions pourrait mener à des conflits ou à des pannes 
++  silencieuses du fait que nous intervenons directement sur le code source.<br>
++  OpenSSL Version 0.9.5 ou plus (0.9.7d recommand&eacute;e)<br>
++  http://www.openssl.org</p>
++<p>Nous utilisons OpenSSL comme bibliothèque (et quelques outils en ligne de commande 
++  pour créer les certificats, au besoin). OpenSSL est le successeur de SSLeay. 
++</p>
++<p>Postfix/TLS utilise les propriétés qui sont seulement disponibles &agrave; 
++  partir de la version 0.9.5 des bibliothèque OpenSSL. 0.9.5a a prouvé une stabilité 
++  au del&agrave; de plusieurs mois. La dernière version 0.9.7d contient plusieurs 
++  améliorations et a prouvé sa stabilité jusqu'ici. <br>
++  Vous pouvez également avoir à  mettre à jour votre utilitaire 'patch'(voir ci-dessous). 
++</p>
++<p>Mettre à jour:</p>
++<p>Les modifications du code source de Postfix tout comme les fichiers supplementaires 
++  sont inclus dans le fichier &quot;pfixtls.diff&quot; dans le r&eacute;pertoire 
++  principal du kit de mise à jour.<br>
++  Pour appliquer la mise à jour, allez dans le r&eacute;pertoire parent de l'arborescence 
++  des sources originales de Postfix (vous devez voir &quot;postfix-xxxxxx&quot; 
++  ou &quot;snapshot-xxxxxx&quot; quand vous faites un &quot;ls -al&quot; depuis 
++  ce repertoire. La mise à jour est alors appliquee par:</p>
++<p>patch -p0 < chemin-de/pfixtls.diff </p>
++<p>Si vous avez des problèmes pendant le processus de mise à jour (par exemple avec les 
++  includes de HP-UX 10.20 ou de Solaris), vous devriez mettre à jour votre utilitaire de patch, 
++  par exemple un GNU-patch plus r&eacute;cent.<br>
++  Si vous avez besoin d'appliquer la mise à jour sur une autre version de postfix, vous 
++  pouvez essayer:<br>
++  cd repertoire-postfix; patch -p1 < chemin-de/pfixtls.diff <br>
++  Puisque la mise à jour est sous forme unifi&eacute;e, elle peut &ecirc;tre &eacute;galement 
++  appliqu&eacute; &agrave; un code source mod&eacute;r&eacute;ment modifi&eacute; 
++  sans que des conflits apparaissent.</p>
++<p>Compiler</p>
++<p>Apres &ecirc;tre mis à jour; postfix va se configurer et se compiler comme 
++  avant. Dans le but d'activer les fonctions TLS, vous devez sp&eacute;cifier 
++  le chemin des headers OpenSSL ainsi que les biblioth&eacute;ques appropri&eacute;es, 
++  et vous devez d&eacute;finir USE_SSL. Votre commande pour la configuration doit 
++  &ecirc;tre :<br>
++  make makefiles CCARGS="-DUSE_SSL -I/usr/local/ssl/include" AUXLIBS="-L/usr/local/ssl/lib 
++  -lssl -lcrypto" <br>
++  Vous pourriez avoir besoin de personnalisation supplémentaire par exemple pour 
++  l'usage des Berkeley-DB comme &eacute;numér&eacute; dans les instructions INSTALL de postfix 
++  . Vous pouvez alors continuer de la mani&egrave;re habituelle avec: <br>
++  make</p>
++<p>et ensuite suivre les instructions du fichier INSTALL de postfix</p>
++</body>
++</html>
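Review bot: the prerequisites in install.html are split awkwardly: `OpenSSL Version 0.9.5 ou plus (0.9.7d recommand&eacute;e)` and its URL are placed inside the paragraph warning about other Postfix versions, so they read as part of that warning rather than as the second prerequisite; move both lines into the `Pr&eacute;requis` paragraph next to `Postfix Version 2.1.0`. The page also keeps the placeholder `<title>Untitled Document</title>` and should use the heading `postfix/TLS - Installation de la mise a jour`. The commands `patch -p0 < chemin-de/pfixtls.diff`, `cd repertoire-postfix; patch -p1 < chemin-de/pfixtls.diff` and the `make makefiles CCARGS=... AUXLIBS=...` line (which is wrapped inside a quoted string across two source lines) would be safer in `<pre>` so that whitespace and the `<` redirections are preserved verbatim when copied. Minor text fixes: `Apres &ecirc;tre mis à jour; postfix` should use a comma, and the file mixes literal accents with entities as in the other pages.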
+diff -urNad postfix-release/tls/doc_french/intro.html /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/intro.html
+--- postfix-release/tls/doc_french/intro.html	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/intro.html	2005-02-03 10:22:13.102087321 -0700
+@@ -0,0 +1,116 @@
++<html>
++<head>
++<title>Untitled Document</title>
++<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
++</head>
++
++<body bgcolor="#FFFFFF">
++<p>Postfix/TLS - Introduction</p>
++<p>Postfix/PLS est une extension du MTA Postfix dans le but de supporter le protocole 
++  TLS</p>
++<p>Une note &agrave;  propos du d&eacute;marrage du projet</p>
++<p>Quand j'ai commenc&eacute; a &eacute;crire ce programme, j'avais en t&ecirc;te un un moyen sophistiqu&eacute; 
++  pour autoriser le relayage de mes utilisateurs itin&eacute;rants. En 
++  attendant ce projet vit de lui-m&ecirc;me.</p>
++<p>RFC2246 : le protocol TLS (anciennement SSL)</p>
++<p>Par d&eacute;faut toutes les communications sur internet sont faites sans cryptage 
++  et sans authentification forte. Cela signifie que toute personne avec un acc&egrave;s 
++  physique au chemin de communication qu'emprunte un paquet peut &eacute;couter vos communications. 
++  Pire, il est m&ecirc;me possible de rediriger ou de modifier vos communications donc 
++  l'information que vous voulez envoyer &agrave; quelqu'un peut &ecirc;tre perdue ou modifi&eacute;e 
++  &agrave; votre insu.</p>
++<p>Dans le but de r&eacute;soudre ces probl&egrave;mes de s&eacute;curit&eacute;, le protocole SSL (Secure 
++  Socket Layers), pr&eacute;sent&eacute; par Netscape inc., 
++  a maintenant &eacute;volu&eacute; en protocole TLS (Transportation Layer Security) 
++  standardis&eacute; par la <a href="http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/doc/rfc2246.txt">RFC2246</a>.
++ Cela permet &agrave; la fois le cryptage de la communication (arr&ecirc;t des 
++  &eacute;coutes) et l'authentification forte (&ecirc;tre s&ucirc;r que les deux parties de 
++  la communication sont correctement identifi&eacute;es et que la communication 
++  ne peut pas &ecirc;tre alt&eacute;r&eacute;e)</p>
++<p>Postfix/TLS ne r&eacute;alise pas le protocole TLS lui-m&ecirc;me, il utilise 
++  plut&ocirc;t le package OpenSSL pour cette t&acirc;che. Sur le site d'OpenSSL, vous 
++  trouverez aussi des liens vers une documentation plus approfondie sur le 
++  protocole et ses dispositifs, il n'est donc pas n&eacute;cessaire de les inclure 
++  ici. (Et, bien s&ucirc;r il n'y a aucune utilit&eacute; de ré&eacute;crire ce 
++  que d'autres ont déjà ecrits, cela pr&eacute;sente juste l'int&eacute;r&ecirc;t 
++  de rajouter des erreurs)</p>
++<p>&nbsp;</p>
++<p>RFC2487: Pr&eacute;sentation de TLS a SMTP</p>
++<p>L'int&eacute;gration du protocole TLS au protocole SMTP (Simple Mail Transport Protocol) 
++  est d&eacute;crit dans la RFC2487</p>
++<p>À la différence des premi&egrave;res incarnations du SSL comme 'emballage' 
++  d'une communication normale [STUNNEL] [JONAMA], le protocole TLS est maintenant 
++  compl&eacute;tement int&eacute;gr&eacute; dans SMTP : pendant la n&eacute;gociation 
++  de d&eacute;part (EHLO) le serveur offre le support de TLS avec la commande 
++  STARTTLS. Le client peut maintenant envoyer la commande STARTTLS pour permettre 
++  l'authentification et passer en mode crypt&eacute;.</p>
++<p>Postfix/TLS : Ce qu'il peut faire pour vous </p>
++<p>La liste de fonctions pr&eacute;sent&eacute;e ici doit &ecirc;tre comprise 
++  comme une liste d'id&eacute;es. Toutes ne sont pas encore r&eacute;alis&eacute;es, 
++  regardez bien les notes pour chaque fonction.</p>
++<p>Encryption de message d'une machine &agrave; une autre:<br>
++  Etat: Fait<br>
++  Commentaire: une fois que la negociation STARTTLS est r&eacute;alis&eacute;e, 
++  la communication entre les deux machines est crypt&eacute;e. Ceci inclue aussi 
++  les enveloppes MAIL FROM: et RCPT TO:, les 'sniffeurs' ne seront pas capables 
++  d'avoir ces informations.</p>
++<p>Authentification de l'h&ocirc;te r&eacute;cepteur afin d'&eacute;viter une interception<br>
++  Etat: Fait<br>
++  Commentaire: Ceci est une fonction importante qui n'est pas difficile a implementer. 
++  Le probl&egrave;me est en fait que toutes les machines (en fait presque aucune) ne 
++  supportent pas ce protocole. L'expéditeur doit par conséquent mettre à jour une liste 
++  de récepteurs qui doivent s'identifier par TLS, sinon quelqu'un peut intercepter 
++  la session et ne pas pr&egrave;senter la commande STARTTLS, dans ce cas, aucune authentification 
++  n'est faite. On doit également faire attention &agrave; utiliser le nom correct du 
++  serveur (voir le CNAME), mais ce probl&egrave;me est le même pour des serveurs HTTP.</p>
++<p>Authentification de l'hote &eacute;metteur afin d'&eacute;viter la contrefa&ccedil;on<br>
++  Etat: Fait<br>
++  Commentaire: Ceci est l'id&eacute;e &agrave; l'origine de ce projet, ce fut 
++  donc la premi&egrave;re r&eacute;alisation. Bas&eacute; sur le certificat du 
++  client MTA (ou MUA) pr&eacute;sent&eacute; au serveur, le relayage peut &ecirc;tre 
++  ainsi autoris&eacute;.</p>
++<p>D'autres id&eacute;es:<br>
++  Etat: envoyez moi un message</p>
++<p>Postfix/TLS: ce qu'il ne peut pas faire pour vous</p>
++<p>Voici un point sur lequel je veux insister:</p>
++<p>Garantir l'intimit&eacute; de votre correspondance<br>
++  Etat: ne peut pas etre fait<br>
++  Commentaire: La RFC2487 ne prend en compte uniquement le transport entre deux 
++  serveurs de courrier. Pour vous assurer que personne ne peut 'sniffer' votre 
++  correspondance il faudrait que:<br>
++  - Tous les serveurs de courrier soient forc&eacute;s en TLS<br>
++  - Tous les serveurs eux-m&ecirc;mes soient dignes de confiance, car l'email est seulement 
++  chiffr&eacute; pendant le transport, pas en spool ni en queue.<br>
++  - La destination soit digne de confiance, car le courrier est spool&eacute; en 
++  clair et toute personne pouvant acc&eacute;der &agrave; votre boite aux lettres (root par exemple) 
++  peut lire votre courrier! <br>
++  Par cons&eacute;quent, si vous voulez une intimit&eacute; plus cons&eacute;quente, vous devez 
++  envoyer votre email chiffr&eacute;, par exemple en utilisant S/MIME ou le module traditionnel 
++  de PGP</p>
++<p>Authentifier l'&eacute;metteur du message<br>
++  Etat: ne peut &ecirc;tre fait<br>
++  Commentaire: Beaucoup de MUA envoient les messages juste en se connectant sur 
++  le port SMTP de l'h&ocirc;te local ou du mailhub le plus proche. il n'y a aucun moyen 
++  de s'assurer que l'&eacute;metteur list&eacute; dans le message est bien l'&eacute;metteur 
++  r&eacute;el. Et m&ecirc;me si il &eacute;tait possible d'identifier l'&eacute;metteur, 
++  le contenu du message pourrait avoir &eacute;t&eacute; modifi&eacute; entre 
++  temps.<br>
++  Pour assurer l'identit&eacute; de l'exp&eacute;diteur et l'int&eacute;grit&eacute; de l'email, vous pouvez 
++  encore employer S/MIME ou PGP. </p>
++<p>D'autres packages Opensource:<br>
++  Depuis la version 8.11 sendmail int&egrave;gre le support de la RFC2487.<br>
++  Frederik Vermeulen a r&eacute;alis&eacute; une extension de la RFC2487 pour 
++  le MTA Qmail.<br>
++  Matti Aarnio a int&eacute;gr&eacute; la RFC2487 dans ZMailer.<br>
++  Michal Trojnara est actuellement en train d'int&eacute;grer un syst&egrave;me basique 
++  d'authentification SMTP dans son logiciel stunnel depuis la version stunnel-3.3.<br>
++  Trey Childs travaille sur une solution d'emballage.</p>
++<p>Impl&eacute;mentations commerciales:</p>
++<p>La version commerciale de sendmail supporte la RFC2487.<br>
++  Netscape Enterprise Server et Microsoft exchange server supportent aussi la 
++  RFC 2487.<br>
++  CommunigatePro mailserver software supporte aussi la RFC2487.</p>
++<p>&nbsp;</p>
++<p>&nbsp;</p>
++</body>
++</html>
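Review bot: the encoding is inconsistent within single words in this hunk: "ré&eacute;crire" and "déjà ecrits" (the first two lines shown) mix raw ISO-8859-1 accented characters with HTML entities, and "ecrits", "Etat" and "ne peut pas etre fait" drop accents entirely. Since the file declares charset=iso-8859-1, either raw characters or entities work, but pick one form for the whole file and restore the missing accents; a reader of the "Authentification de l'h&ocirc;te r&eacute;cepteur" entry in particular should not have to guess whether a mangled word is a translation error or a charset error, because that entry carries the one caveat that matters (an intercepting host can simply omit STARTTLS, so the sender must keep its own list of receivers that must use TLS).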
+diff -urNad postfix-release/tls/doc_french/security.html /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/security.html
+--- postfix-release/tls/doc_french/security.html	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/security.html	2005-02-03 10:22:13.102087321 -0700
+@@ -0,0 +1,67 @@
++<html>
++<head>
++<title>Untitled Document</title>
++<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
++</head>
++
++<body bgcolor="#FFFFFF">
++<p>Postfix/TLS - Consid&eacute;rations de S&eacute;curit&eacute;</p>
++<p>Les sections suivantes couvrent quelques consid&eacute;rations de s&eacute;curit&eacute;s 
++  (possibles) en ce qui concerne Postfix/TLS.</p>
++<p>Clef priv&eacute;e du client/serveur<br>
++  Postfix/TLS utilise l'authentification du côté serveur (obligatoire) et du côté 
++  client (facultatif). Afin de s'authentifier, <br>
++  le processus d&eacute;fini (smptd/smtp) doit pouvoir acc&eacute;der à la clef priv&eacute;e, 
++  qui doit cependant être maintenue secrète.<br>
++  Car ces processus sont lanc&eacute;s à partir de 'master' sans possibilité d'interaction 
++  d'utilisateur, il n'est pas possible <br>
++  de fournir un mot de passe, de sorte que la clef priv&eacute;e ne puisse pas être chiffr&eacute;e. 
++</p>
++<p>La seule protection peut donc venu des droits d'accès de syst&eacute;me de 
++  fichiers, qui devraient être plac&eacute;s <br>
++  à 'root' et ' lisible pour le propri&eacute;taire seulement <br>
++  -rw------- 1 root sys 887 Apr 29 1999 /etc/postfix/key.pem <br>
++  <br>
++  Cette protection n'est valable que si votre syst&egrave;me est prot&eacute;g&eacute; 
++  contre les failles de s&eacute;curit&eacute;s concernant root<br>
++  <br>
++  Vous devez aussi vous rendre compte que des personnes ayant un acc&eacute;s physique 
++  &agrave; la machine peuvent voler<br>
++  la clef priv&eacute;e si ils peuvent d&eacute;marrer la machine en mode 'superutilisateur' 
++  (single-user) sans mot de passe<br>
++  ou peuvent voler le disque et le monter sur un autre syst&egrave;me o&ugrave; 
++  ils sont super-utilisateur. (Oui je sais qu'il existe <br>
++  des syst&eacute;mes de fichiers encrypt&eacute;s mais ils n'ont pas encore une 
++  large diffusion)</p>
++<p>Ant&eacute;memoire de session sur le disque</p>
++<p>Si vous utilisez l'ant&eacute;memoire de session sur le disque (par d&eacute;faut) 
++  des personnes capables mettre la main sur les fichiers <br>
++  devraient pouvoir &eacute;viter les param&egrave;tres de transmission s&eacute;curis&eacute;e. 
++  Cette situation n'est cependant pas plus grave que le cas<br>
++  de la clef priv&eacute;e d&eacute;crit ci-dessus, ainsi je ne considère aucun 
++  danger supplémentaire venant de l'enregistrement information <br>
++  de session sur un peripherique de stockage <br>
++  <br>
++  Casser le cryptage avec un syst&egrave;me de clefs n'est qu'une affaire de temps 
++  (m&ecirc;me si ce temps peut &ecirc;tre tr&egrave;s long), les sessions<br>
++  ne devraient pas &ecirc;tre utilis&eacute;es indéfiniment. La valeur par d&eacute;faut 
++  pour Postfix/TLS est 1 heure, la RFC 2246 recommande <br>
++  de ne pas utiliser les sessions plus de 24 heures</p>
++<p>Solutions pour le DNS<br>
++  Un point faible dans l'authentification est l'utilisation du DNS pour découvrir 
++  le MX. Comme nous faisons du (E)SMTP<br>
++  nous avons &agrave; utiliser les enregistrements MX.<br>
++  Comme nous avons &agrave; authentifier le server d&eacute;couvert par le MX, 
++  quelqu'un est capable d'usurper un faux enregistrement MX<br>
++  pour &ecirc;tre capable de recevoir le mail, si son serveur peut présenter un 
++  certificat délivré par un CA acceptable. La derni&egrave;re <br>
++  partie n'est pas difficile si les certificat 'standarts' sont inclus (Verisign, 
++  Thawte,...)<br>
++  Le seul moyen de se prot&eacute;ger contre ce probl&egrave;me est que, pour 
++  les destinataires pour lesquels nous voulons imposer le <br>
++  chiffrement et l'authentification, la consultation de MX doit être ignorée avec 
++  une entrée appropriée dans la table /etc/postfix/transport<br>
++  <br>
++  domaine.tres.important smtp:[server.du.domaine.important]</p>
++</body>
++</html>
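Review bot: the transport entry closing this hunk ("domaine.tres.important smtp:[server.du.domaine.important]") only pins the next-hop host so that a forged MX record cannot redirect delivery; on its own it does not enforce TLS or certificate verification for that destination, and the hunk never names the main.cf setting that does, although the sentence introducing the entry says it is for destinations where "nous voulons imposer le chiffrement et l'authentification". Either name that parameter next to the transport example or state explicitly that both are required. Minor: "smptd/smtp" should read "smtpd/smtp", "peut donc venu" should be "peut donc venir", and the text again mixes raw accented characters ("côté", "être") with entities ("d&eacute;fini", "chiffr&eacute;e") in adjacent lines.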
+diff -urNad postfix-release/tls/doc_french/setup.html /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/setup.html
+--- postfix-release/tls/doc_french/setup.html	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/setup.html	2005-02-03 10:22:13.102087321 -0700
+@@ -0,0 +1,162 @@
++<html>
++<head>
++<title>Untitled Document</title>
++<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
++</head>
++
++<body bgcolor="#FFFFFF">
++<p>Postfix/TLS - Paramétrer les certificats</p>
++<p>Ce paragraphe explique quels types de certificats sont nécessaires pour utiliser 
++  postfix avec TLS. Les certificats (et peut &ecirc;tre les clefs) peuvent &ecirc;tre 
++  obtenus auprès de tierces parties, qui peuvent &ecirc;tre une autorit&eacute; 
++  de certification commerciale ou votre FAI. Tout le long vous aurez besoin de 
++  certificats accept&eacute;s par d'autres entit&eacute;s sur internet, vous avez 
++  donc &agrave; &ecirc;tre d'accord sur les entit&eacute;s de certifications, 
++  quelque soit leurs types.</p>
++<p>certificat serveur</p>
++<p>Pour utiliser SMTP avec TLS en mode serveur, votre serveur DOIT avoir une paire 
++  de clefs (priv&eacute;e et publique).<br>
++  Puisque la clé publique doit être distribuée de façon ou d'autre au client, 
++  elle est envoyée du serveur au client pendant la négociation de d&eacute;part. 
++  Cependant,au d&eacute;but de la négociation, le client ne peut pas savoir que 
++  la clef publique appartient r&eacute;ellement au serveur et n'est pas contrefaite. 
++  Par conséquent un troisième composant est nécessaire : le certificat d'une autorité 
++  de certification (CA), qui est envoyé combiné avec la clef publique. Ce certificat 
++  de serveur contient le nom de votre hote. Le client contrôlera alors la signature 
++  du CA sur la clef publique pour décider si le certificat (et la clef publique) 
++  sont authentiques. <br>
++  Ainsi pour le serveur nous avons besoin: <br>
++  - 1 clef priv&eacute;e de serveur<br>
++  - 1 clef publique de serveur sign&eacute;e par une autorit&eacute; de certification, 
++  certifiant que la clef publique appartient à votre hôte
++<br>
++  - 1 certificat CA avec la clef publique du CA<br>
++  Pour cette liste je veux absolument préciser que le nombre de composants utilis&eacute;s 
++  est 1, parce que vous devez en avoir 1, vous ne pouvez pas en avoir ni moins 
++  ni plus!</p>
++<p>Politique de certificat serveur</p>
++<p>A partir de maintenant vous avez &agrave; vous d&eacute;cider sur la politique. 
++  Le client qui va se connecter sur votre h&ocirc;te va comparer le nom dans le 
++  certificat de votre serveur à  son FQDN (Fully Qualified Domain Name). Si ils 
++  correspondent, l'identit&eacute; de votre serveur est prouv&eacute;e.<br>
++  Pour voir, si le certificat lui-même est authentique, le client lui-même doit 
++  avoir le certificat du CA. Ainsi, si vous voulez le rendre facilement accessible 
++  à d'autres, parties inconnues, vous devez avoir un certificat issu d'un CA connu 
++  et digne de confiance. Rappelez vous que votre serveur ne peut avoir qu'un certificat 
++  &agrave; la fois.<br>
++  Il y a des fournisseurs commerciaux (Thawte, Verisign, pour n'en citer que quelques 
++  uns), leurs certificats CA sont bien distribu&eacute;s. Je ne sais pas pour 
++  les autres pays mais en Allemagne le organisation de la recherche reseaux (DFN) a commenc&eacute; 
++  un programme pour les universit&eacute;s.<br>
++  Si vous ne portez pas d'importance à ceci (vous pourrez le changer plus 
++  tard), vous pouvez devenir votre propre CA et distribuer vos certificat de CA 
++  aux parties qui devront le connaitre, et vous &ecirc;tes pr&ecirc;ts. Ce n'est 
++  pas difficile de le faire.<br>
++  <a href="http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/doc/myownca.html">Le 
++  cours tres bref de Lutz pour &ecirc;tre votre propre CA</a> (toujours en anglais  ..)</p>
++<p>Utiliser les certificats</p>
++<p>Pour rendre la clef et les certificats utilisables par Postfix/TLS, ils doivent 
++  &ecirc;tre au format &quot;PEM&quot;. Puis vous avez &agrave; indiquer &agrave; 
++  postfix o&ugrave; les trouver:<br>
++  - La clef priv&eacute;e:<br>
++  <br>
++  smtpd_tls_key_file = /etc/postfix/key.pem<br>
++  <br>
++  comme la clef publique est publique y compris le certificat (tout le monde peut 
++  la r&eacute;cup&eacute;rer), une personne disposant d'une copie de votre clef 
++  priv&eacute;e peut usurper votre identit&eacute;e. Ce n'est pas si facile que 
++  &ccedil;a, du fait qu'il doit &ecirc;tre capable d'intercepter ou de rediriger 
++  les paquets envoy&eacute;s vers votre serveur, mais j'ai d&eacute;ja vu bien 
++  de choses arriver. Donc prot&eacute;gez cette clef avec :<br>
++  <br>
++  chown root /etc/postfix/key.pem ; chmod 400 /etc/postfix/key.pem <br>
++  <br>
++  Une autre possibilit&eacute; de protection est la 'phrase clef'. Ceci est toutefois 
++  un probl&egrave;me, du fait que vous ayez &agrave; le taper à chaque fois que 
++  le server est d&eacute;marr&eacute;. Ceci a des inconvenients : premi&egrave;rement 
++  vous devez le taper dans postfix &agrave; chaque fois que vous le red&eacute;marrez. 
++  Deuxi&egrave;mement les process smtpd sont lanc&eacute;s ind&eacute;pendamment 
++  &agrave; partir de master, dans ce cas master doit passer la 'phrase clef' aux 
++  clients d'une fa&ccedil;on ou d'une autre. Tout cela fait que je pense que cette 
++  méthode n'est pas pratique et donc n'est pas support&eacute;e par le programme.<br>
++  <br>
++  - Le certificat serveur : ce certificat n'est pas secret, du fait qu'il est 
++  pr&eacute;sent&eacute; &agrave; chaque client de toutes fa&ccedil;ons, ainsi 
++  nommez le juste a postfix :<br>
++  <br>
++  smtpd_tls_cert_file = /etc/postfix/cert.pem<br>
++  <br>
++  Si vous voulez vous pouvez concat&eacute;ner la clef priv&eacute;e et le certificat 
++  dans le m&ecirc;me fichier.<br>
++  <br>
++  - Le certificat CA: pour avoir &eacute;galement le certificat CA disponible, 
++écrivez le dans un fichier et donnez  le nom à postfix/TLS. Nous reviendrons 
++  plus tard sur ce fichier.<br>
++  <br>
++  smtpd_tls_CAfile = /etc/postfix/CAcert.pem <br>
++  <br>
++  Avec ces certificats vous devez &ecirc;tre en mesure de faire tourner Postfix/TLS.</p>
++<p>Postfix/TLS en mode client<br>
++  <br>
++  Quand il se connecte &agrave; un serveur offrant TLS postfix peut pr&eacute;senter 
++  un certificat client de lui m&ecirc;me. Du fait de la r&eacute;alisation actuelle, 
++  seulement un certificat ne peut être contrôlé, ainsi il devrait être émis depuis 
++  votre propre nom d'hôte. Par d&eacute;faut aucun certificat n'est présenté, 
++  à moins que vous placiez explicitement le certificat dans la configuration. 
++  Vous pouvez utiliser le même certificat que pour le serveur: <br>
++  <br>
++  smtp_tls_key_file = /etc/postfix/key.pem <br>
++  chown root /etc/postfix/key.pem ; chmod 400 /etc/postfix/key.pem <br>
++  <br>
++  smtp_tls_cert_file = /etc/postfix/cert.pem <br>
++  smtp_tls_CAfile = /etc/postfix/CAcert.pem<br>
++</p>
++<p>Certificats clients:<br>
++  <br>
++  Une des raisons pour laquelle j'ai fait ce travail est que je voulais faire 
++  du relayage bas&eacute; sur les certificats clients. Le client pr&eacute;sente 
++  un certificat d'un CA, qui est unique et ne peut &ecirc;tre usurp&eacute;.<br>
++  Des clients peuvent avoir plusieus certificats &eacute;mis par diffèrents CA. 
++  Lors de la connexion  le serveur passera au client la liste de CA qu'il connait 
++  (les certificats de CA) et le client peut alors choisir le certificat &agrave; 
++  passer. Avec Netscape cela signifie qu'une fen&ecirc;tre est ouverte et seulement 
++  le certificat client est list&eacute;.<br>
++  Donc si vos clients ont d&eacute;j&agrave; des certificats &eacute;manant de 
++  sources de confiances ce n'est pas n&eacute;cessaire de se cr&eacute;er des 
++  probl&eacute;mes. Vous avez juste &agrave; r&eacute;cup&eacute;rer les certificats 
++  CA et les rendre disponibles &agrave; Postfix/TLS. Si ce n'est pas suffisant, 
++  vous pouvez toujours devenir votre propre CA pour cr&eacute;er facilement vos 
++  certificats clients pour vos usagers (qui sont naturellement inutiles en dehors 
++  de votre port&eacute;e)</p>
++<p>Lister les certificats CA<br>
++  <br>
++  Vous avez deux possibilit&eacute; de faire ceci:<br>
++  1- Concat&eacute;nez les certificats CA au fichier smtp[d]_tls_CAfile que vous 
++  avez cr&eacute;&eacute;. Ce fichier n'est certainement pas tr&egrave;s lisible 
++  mais a l'avantage d'&ecirc;tre lu par smtpd avant le changement dans la cage 
++  chroot et par conséquent fonctionne en mode chroot&eacute;.<br>
++  2- Vous pouvez ajouter les certificats CA dans plusieurs fichiers avec des noms 
++  ad&eacute;quats dans un r&eacute;pertoire de certificats sp&eacute;cifi&eacute; 
++  par:<br>
++  smtpd_tls_CApath = /etc/postfix/certs<br>
++  N'oubliez pas de faire un $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs apr&egrave;s 
++  tout changement, car les tables de hachages sont utilis&eacute;es pour trouver 
++  le bon certificat CA. Cette methode ne doit pas fonctionner en mode chroot&eacute;.</p>
++<p>Ajouter des certificats client:<br>
++  <br>
++  Les certificats de client sont délivrés pour un DN (Distinguished Name) (Nom 
++  Complet) composé de la compagnie, service, le nom, l'email... Du fait qu'ils 
++  peuvent contenir des blancs, des @, des signes et des colonnes, il est tout à fait 
++  difficile de les manipuler avec les outils standards de postfix. <br>
++  Une chose tout à fait pratique est que chaque certificat de client a une " empreinte 
++  digitale " il est extrêmement difficile truquer que (&agrave; ma connaissance, 
++  elle pourrait prendre des années même sur les ordinateurs rapides). Je dois 
++  faire encore plus de recherche au sujet de la sécurité de l'empreinte digitale, 
++  mais au moins pour relayer cela doit &ecirc;tre suffisament s&eacute;curis&eacute;. 
++  Je trouverai plus facilement une machine avec une mauvaise s&eacute;curit&eacute; 
++  pour envoyer mon spam au lieu de truquer un certificat de client avec une empreinte 
++  digitale assortie (que d'ailleurs je ne connais pas depuis l'ext&eacute;rieur, 
++  m&ecirc;me depuis l'interieur vous pouvez prot&eacute;ger la base &quot;d'empreintes 
++  digitales" par un chmod 400)</p>
++</body>
++</html>
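Review bot: the lines following "smtpd_tls_cert_file = /etc/postfix/cert.pem" allow concatenating the private key and the server certificate into one file, immediately after describing the certificate as "pas secret"; an admin who takes that option now has the private key inside cert.pem, so that file needs the same "chown root ... chmod 400" treatment the hunk gives key.pem a few lines earlier, and the text should say so where the concatenation is suggested. Also, the CApath paragraph ends with "Cette methode ne doit pas fonctionner en mode chroot&eacute;", which reads as a prohibition ("must not") rather than a limitation; the reason given (only the CAfile is read before the chroot) suggests "ne peut pas fonctionner" ("may not work") was meant, so clarify which it is. Minor: "plusieus" -> "plusieurs", "diff&egrave;rents" -> "diff&eacute;rents", "suffisament" -> "suffisamment".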
+diff -urNad postfix-release/tls/doc_french/test.html /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/test.html
+--- postfix-release/tls/doc_french/test.html	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/doc_french/test.html	2005-02-03 10:22:13.103087098 -0700
+@@ -0,0 +1,118 @@
++<html>
++<head>
++<title>Untitled Document</title>
++<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
++</head>
++
++<body bgcolor="#FFFFFF">
++<p>tester Postfix/TLS</p>
++<p>Le test du module est un peu difficile, car la transmission est chiffrée, de 
++  sorte que vous ne puissiez pas "imiter" la <br>
++  conversation juste par un telnet sur le port smtp. Vous ne pouvez pas également 
++  capturer les paquets (vous pouvez, <br>
++  mais si tout fonctionne comme annoncé, cela ne vous aidera pas :-). <br>
++  <br>
++  Outils de mise au point inclus:<br>
++  Comme tous les messages g&eacute;n&eacute;r&eacute;s par postfix sont envoyés 
++  au syst&egrave;me de journalisation, la mise au point doit &ecirc;tre faite<br>
++  en utilisant vos fichier de journalisation. Postfix/TLS supporte les niveaux 
++  de journalisation de 0 (tr&egrave;s calme) &agrave; 4 (vidange<br>
++  mémoire de la conversation complète, non recommandé). Dans un premier temps 
++  placez smpt[d]_tls_loglevel=2 et <br>
++  observez le fichier journal. Typiquement vous aurez des problèmes avec l'accès 
++  aux clés ou aux certificats, ainsi vous <br>
++  trouverez des messages d'erreur ici. Vous pouvez toujours essayer d'envoyer 
++  un email à postfix_tls-bounce at serv01.aet.tu-cottbus.de <br>
++  avec le TLS activ&eacute; de votre c&ocirc;t&eacute; et regardez ce qui se produit 
++  :-).<br>
++  Tout en testant l'interopérabilité avec ZMailer nous avons appris qu'un certificat 
++  incorrect (qui doit être le serveur pour le serveur :-) peut <br>
++  mener &agrave; des erreurs de connexions sans messages clairs. cela peut nous 
++  aider d'utiliser Netscape 4.5x en tant que client et d'&eacute;tudier<br>
++  soigneusement les informations ainsi que les boites de dialogue.<br>
++  Je n'ai pas encore trouv&eacute; comment identifier le probl&egrave;me de postfix 
++  &agrave; afficher un message appropri&eacute; dans le fichier de journalisation.<br>
++  Si tout va bien ce sera possible sans modifier les biblioth&egrave;ques d'OpenSSL.</p>
++<p>Plateformes:</p>
++<p>Plateformes de d&eacute;veloppement:<br>
++  OS: HP-UX 10.20 <br>
++  OS: Linux 2.x (SuSE Linux) <br>
++  <br>
++  Succ&eacute;s enregistr&eacute;s:<br>
++  OS: Solaris 2.5 - Walcir Fontanini <walcir at densis.fee.unicamp.br> </p>
++<p>Clients de test:<br>
++  Software: Netscape 4.5x, Netscape 4.6x, Netscape 4.7x <br>
++  OS: HP-UX 10.20, Linux 2.x, Win95 </p>
++<p>Int&eacute;rop&eacute;rabilit&eacute;:<br>
++  Sans compter le support par les solutions génériques d'emballage, il existe 
++  des extensions particuli&egrave;rement travaill&eacute;s pour<br>
++  d'autres MTA:</p>
++<p>Qmail il y a un patch en sources libres disponible, étendant le MTA de Qmail 
++  pour supporter la RFC2487,<br>
++  écrit par Frederik Vermeulen . L'envoi et la réception fonctionne des deux côtés.<br>
++  Test: envoyez le courrier à ping at linux.student.kuleuven.ac.be (renverra l'email 
++  complet comprenant des en-têtes).<br>
++  Zmailer l'autheur/d&eacute;veloppeur de ZMailer, Matti Aarnio, a incorporé le 
++  support serveur et client de TLS .<br>
++  Zmailer - > Postfix très bien, <br>
++  Postfix - > Zmailer ne fonctionne pas, puisqu'Esmtp n'est pas identifié (problème 
++  signalé). <br>
++  Test: envoyez un courrier à autoanswer at mea.tmt.tele.fi (renverra des en-têtes). 
++  <br>
++  Sendmail la verson commerciale  supporte le client et le serveur TLS, 
++  les deux côtés fonctionnent avec Postfix/TLS.<br>
++  En date de sendmail-8.11, TLS est également inclus avec la version opensource 
++  . <br>
++  Test: envoyez le courrier à bounce at esmtp.org (reverra le message d'erreur comprenant 
++  de vieux en-têtes). <br>
++  Postfix: peut s'envoyer des messages &agrave; lui-m&ecirc;me :-)<br>
++  Test: envoyez le courrier à postfix_tls-bounce at serv01.aet.tu-cottbus.de (reviendra, 
++  en incluant de vieux en-têtes). <br>
++  <br>
++  D'autres retour sont les bienvenus</p>
++<p>Probl&egrave;mes connus:<br>
++  Ce logiciel en est qu'&agrave; ses d&eacute;buts, soyez donc patients. À ce 
++  jour j'ai ces points: </p>
++<p>Côté de serveur: Sous Win95/NT j'ai quelques problèmes avec les certificats 
++  de client. En ouvrant la première connexion <br>
++  (Netscape demande le mot de passe pour accéder à la base de données de certificat), 
++  la connexion s'arrête. Ceci semble <br>
++  être provoqué par Netscape: une vidange mémoire de la transmission montre que 
++  Netscape ne reprend pas la poignée de main<br>
++  (TLS handshake) de TLS.<br>
++  Remarque: je n'ai pas pu reproduire cette anomalie récemment après évolution 
++  d'OpenSSL 0.9.4. J'espère qu'elle a disparue,<br>
++  mais peut-être est elle juste une conséquence du jeu autour avec les options 
++  de la sécurité de Netscape. Plus de test exigé... <br>
++  Solution: détruisez cette connexion, la prochaine fonctionnera immédiatement 
++  ou utilisez SSLv2 seulement (deuxième solution<br>
++  non recommandée).</p>
++<p>Doit &ecirc;tre r&eacute;solu avec OpenSSL 0.9.5<br>
++  Cot&eacute; serveur: Outlook Express tout comme Internet explorer 5 fonctionneront 
++  avec Postfix/TLS mais aucun certificat<br>
++  client ne seront pr&eacute;sent&eacute;s. Ainsi vous pouvez chiffrer votre transfert 
++  de courrier mais vous ne pouvez pas vous authentifier <br>
++  (et relayer) avec des certificats clients. Cela fonctionne seulement sur le 
++  port 25 (smtp); sur d'autres ports vous devez <br>
++  utiliser le smtpd_tls_wrappermode à la place. <br>
++  Cot&eacute; serveur: Outlook Express tout comme Internet explorer 4 semble 
++  ne pas supporter la RFC2487. Utilisez <br>
++  smtpd_tls_wrappermode=yes sur un autre port.<br>
++  Cot&eacute; serveur: Outlook Express (Mac) semble ne pas supporter la RFC2487. 
++  Utilisez smtpd_tls_wrappermode=yes<br>
++  sur un autre port.<br>
++  Cot&eacute; client: MS Exchange m&ecirc;me en version r&eacute;cente offre STARTTLS 
++  m&ecirc;me si ce dernier n'est pas configur&eacute; (la liste <br>
++  de diffusion[IETF-APPS-TLS]). Je ne pourrais pas tester ceci sans accès à un 
++  tel serveur, je ne peux donc pas prévoir<br>
++  ce qui va se produire. <br>
++  Cot&eacute; client: Les connexions de TLS à un serveur de CommunigatePro échouent 
++  avec une erreur de poignée de main <br>
++  avec des versions plus anciennes de CommunigatePro. La raison est une violation 
++  de protocole de CommunigatePro <br>
++  en ce qui concerne la numérotation de version de protocole SSL. (cf RFC 2246 
++  section 7.4.7.1)<br>
++  Ce problème a été fixé dans CommunigatePro 3.3b?? (je ne connais pas la numérotation 
++  exacte) autour du 9 juin 2000. .</p>
++</body>
++</html>
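Review bot: the parameter name is misspelled in the debugging instructions: "placez smpt[d]_tls_loglevel=2" should be "smtp[d]_tls_loglevel=2"; this is the first thing a reader pastes into main.cf when TLS does not work, and with the typo the setting is silently ignored. The same paragraph should also spell out that level 4 ("vidange m&eacute;moire de la conversation compl&egrave;te") writes the whole SMTP conversation, message content included, to the syslog named in the previous sentence, since that is the actual reason it is "non recommand&eacute;" on a production host. Minor: "verson" -> "version", "l'autheur" -> "l'auteur", "Esmtp" -> "ESMTP", and "CommunigatePro 3.3b??" is an unresolved placeholder that should either get the real version or be dropped to "a 3.3 beta".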
+diff -urNad postfix-release/tls/INSTALL /tmp/dpep.cXJuVH/postfix-release/tls/INSTALL
+--- postfix-release/tls/INSTALL	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/INSTALL	2005-02-03 10:22:13.103087098 -0700
+@@ -0,0 +1,2 @@
++For installation instructions please read the HTML documentation in the
++"doc/" subdirectory.
+diff -urNad postfix-release/tls/pfixtls.diff /tmp/dpep.cXJuVH/postfix-release/tls/pfixtls.diff
+--- postfix-release/tls/pfixtls.diff	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/pfixtls.diff	2005-02-03 10:22:13.115084422 -0700
+@@ -0,0 +1,8752 @@
++diff -ruN postfix-2.1.0-vanilla/Makefile.in postfix-2.1.0/Makefile.in
++--- postfix-2.1.0-vanilla/Makefile.in	Wed Apr 14 20:57:00 2004
+++++ postfix-2.1.0/Makefile.in	Sat Apr 24 14:38:26 2004
++@@ -7,7 +7,7 @@
++ 	src/pipe src/showq src/postalias src/postcat src/postconf src/postdrop \
++ 	src/postkick src/postlock src/postlog src/postmap src/postqueue \
++ 	src/postsuper src/qmqpd src/spawn src/flush src/verify \
++-	src/virtual src/proxymap
+++	src/virtual src/proxymap src/tlsmgr
++ MANDIRS	= proto man html
++ 
++ default: update
++diff -ruN postfix-2.1.0-vanilla/conf/master.cf postfix-2.1.0/conf/master.cf
++--- postfix-2.1.0-vanilla/conf/master.cf	Wed Apr 21 13:35:32 2004
+++++ postfix-2.1.0/conf/master.cf	Sun Apr 25 01:47:52 2004
++@@ -80,11 +80,17 @@
++ smtp      inet  n       -       n       -       -       smtpd
++ #submission inet n      -       n       -       -       smtpd
++ #	-o smtpd_etrn_restrictions=reject
+++#smtps    inet  n       -       n       -       -       smtpd
+++#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
+++#submission   inet    n       -       n       -       -       smtpd
+++#  -o smtpd_etrn_restrictions=reject
+++#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
++ #628      inet  n       -       n       -       -       qmqpd
++ pickup    fifo  n       -       n       60      1       pickup
++ cleanup   unix  n       -       n       -       0       cleanup
++ qmgr      fifo  n       -       n       300     1       qmgr
++ #qmgr     fifo  n       -       n       300     1       oqmgr
+++#tlsmgr   fifo  -       -       n       300     1       tlsmgr
++ rewrite   unix  -       -       n       -       -       trivial-rewrite
++ bounce    unix  -       -       n       -       0       bounce
++ defer     unix  -       -       n       -       0       bounce
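Review bot: the new tlsmgr entry is added commented out ("#tlsmgr   fifo  -       -       n       300     1       tlsmgr"), so with this master.cf nothing performs the session cache housekeeping or the PRNG exchange-file updates that the tlsmgr(8) page added later in this patch describes; combined with that page's BUGS note that nothing else limits the size of the session cache files, an admin who sets smtp[d]_tls_session_cache_database without uncommenting this line gets a cache that is never pruned. Either ship the line enabled or add a comment saying it must be uncommented whenever the TLS session cache is configured. Also, the hunk inserts a second commented-out "submission" block while leaving the existing "#submission inet n ... -o smtpd_etrn_restrictions=reject" pair two lines above it, so the file now carries two competing templates for the same service; merge them into one.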
++diff -ruN postfix-2.1.0-vanilla/conf/postfix-files postfix-2.1.0/conf/postfix-files
++--- postfix-2.1.0-vanilla/conf/postfix-files	Thu Apr 22 19:20:50 2004
+++++ postfix-2.1.0/conf/postfix-files	Sun Apr 25 01:48:34 2004
++@@ -78,6 +78,7 @@
++ $daemon_directory/smtp:f:root:-:755
++ $daemon_directory/smtpd:f:root:-:755
++ $daemon_directory/spawn:f:root:-:755
+++$daemon_directory/tlsmgr:f:root:-:755
++ $daemon_directory/trivial-rewrite:f:root:-:755
++ $daemon_directory/verify:f:root:-:755
++ $daemon_directory/virtual:f:root:-:755
++@@ -165,6 +166,7 @@
++ $manpage_directory/man8/smtp.8:f:root:-:644
++ $manpage_directory/man8/smtpd.8:f:root:-:644
++ $manpage_directory/man8/spawn.8:f:root:-:644
+++$manpage_directory/man8/tlsmgr.8:f:root:-:644
++ $manpage_directory/man8/trace.8:f:root:-:644
++ $manpage_directory/man8/trivial-rewrite.8:f:root:-:644
++ $manpage_directory/man8/verify.8:f:root:-:644
++@@ -196,6 +198,7 @@
++ $sample_directory/sample-scheduler.cf:f:root:-:644:o
++ $sample_directory/sample-smtp.cf:f:root:-:644:o
++ $sample_directory/sample-smtpd.cf:f:root:-:644:o
+++$sample_directory/sample-tls.cf:f:root:-:644:o
++ $sample_directory/sample-transport.cf:f:root:-:644:o
++ $sample_directory/sample-verify.cf:f:root:-:644:o
++ $sample_directory/sample-virtual.cf:f:root:-:644:o
++diff -ruN postfix-2.1.0-vanilla/man/man8/tlsmgr.8 postfix-2.1.0/man/man8/tlsmgr.8
++--- postfix-2.1.0-vanilla/man/man8/tlsmgr.8	Thu Jan  1 01:00:00 1970
+++++ postfix-2.1.0/man/man8/tlsmgr.8	Sat Apr 24 14:35:26 2004
++@@ -0,0 +1,130 @@
+++.TH TLSMGR 8 
+++.ad
+++.fi
+++.SH NAME
+++tlsmgr
+++\-
+++Postfix TLS session cache and PRNG handling manager
+++.SH SYNOPSIS
+++.na
+++.nf
+++\fBtlsmgr\fR [generic Postfix daemon options]
+++.SH DESCRIPTION
+++.ad
+++.fi
+++The tlsmgr process does housekeeping on the session cache database
+++files. It runs through the databases and removes expired entries
+++and entries written by older (incompatible) versions.
+++
+++The tlsmgr is responsible for the PRNG handling. The used internal
+++OpenSSL PRNG has a pool size of 8192 bits (= 1024 bytes). The pool
+++is initially seeded at startup from an external source (EGD or
+++/dev/urandom) and additional seed is obtained later during program
+++run at a configurable period. The exact time of seed query is
+++using random information and is equally distributed in the range of
+++[0-\fBtls_random_reseed_period\fR] with a \fBtls_random_reseed_period\fR
+++having a default of 1 hour.
+++
+++Tlsmgr can be run chrooted and with dropped privileges, as it will
+++connect to the entropy source at startup.
+++
+++The PRNG is additionally seeded internally by the data found in the
+++session cache and timevalues.
+++
+++Tlsmgr reads the old value of the exchange file at startup to keep
+++entropy already collected during previous runs.
+++
+++From the PRNG random pool a cryptographically strong 1024 byte random
+++sequence is written into the PRNG exchange file. The file is updated
+++periodically with the time changing randomly from
+++[0-\fBtls_random_prng_update_period\fR].
+++.SH STANDARDS
+++.na
+++.nf
+++.SH SECURITY
+++.na
+++.nf
+++.ad
+++.fi
+++Tlsmgr is not security-sensitive. It only deals with external data
+++to be fed into the PRNG, the contents is never trusted. The session
+++cache housekeeping will only remove entries if expired and will never
+++touch the contents of the cached data.
+++.SH DIAGNOSTICS
+++.ad
+++.fi
+++Problems and transactions are logged to the syslog daemon.
+++.SH BUGS
+++.ad
+++.fi
+++There is no automatic means to limit the number of entries in the
+++session caches and/or the size of the session cache files.
+++.SH CONFIGURATION PARAMETERS
+++.na
+++.nf
+++.ad
+++.fi
+++The following \fBmain.cf\fR parameters are especially relevant to
+++this program. See the Postfix \fBmain.cf\fR file for syntax details
+++and for default values. Use the \fBpostfix reload\fR command after
+++a configuration change.
+++.SH Session Cache
+++.ad
+++.fi
+++.IP \fBsmtpd_tls_session_cache_database\fR
+++Name of the SDBM file (type sdbm:) containing the SMTP server session
+++cache. If the file does not exist, it is created.
+++.IP \fBsmtpd_tls_session_cache_timeout\fR
+++Expiry time of SMTP server session cache entries in seconds. Entries
+++older than this are removed from the session cache. A cleanup-run is
+++performed periodically every \fBsmtpd_tls_session_cache_timeout\fR
+++seconds. Default is 3600 (= 1 hour).
+++.IP \fBsmtp_tls_session_cache_database\fR
+++Name of the SDBM file (type sdbm:) containing the SMTP client session
+++cache. If the file does not exist, it is created.
+++.IP \fBsmtp_tls_session_cache_timeout\fR
+++Expiry time of SMTP client session cache entries in seconds. Entries
+++older than this are removed from the session cache. A cleanup-run is
+++performed periodically every \fBsmtp_tls_session_cache_timeout\fR
+++seconds. Default is 3600 (= 1 hour).
+++.SH Pseudo Random Number Generator
+++.ad
+++.fi
+++.IP \fBtls_random_source\fR
+++Name of the EGD socket or device or regular file to obtain entropy
+++from. The type of entropy source must be specified by preceding the
+++name with the appropriate type: egd:/path/to/egd_socket,
+++dev:/path/to/devicefile, or /path/to/regular/file.
+++tlsmgr opens \fBtls_random_source\fR and tries to read
+++\fBtls_random_bytes\fR from it.
+++.IP \fBtls_random_bytes\fR
+++Number of bytes to be read from \fBtls_random_source\fR.
+++Default value is 32 bytes. If using EGD, a maximum of 255 bytes is read.
+++.IP \fBtls_random_exchange_name\fR
+++Name of the file written by tlsmgr and read by smtp and smtpd at
+++startup. The length is 1024 bytes. Default value is
+++/etc/postfix/prng_exch.
+++.IP \fBtls_random_reseed_period\fR
+++Time in seconds until the next reseed from external sources is due.
+++This is the maximum value. The actual point in time is calculated
+++with a random factor equally distributed between 0 and this maximum
+++value. Default is 3600 (= 60 minutes).
+++.IP \fBtls_random_prng_update_period\fR
+++Time in seconds until the PRNG exchange file is updated with new
+++pseude random values. This is the maximum value. The actual point
+++in time is calculated with a random factor equally distributed
+++between 0 and this maximum value. Default is 60 (= 1 minute).
+++.SH SEE ALSO
+++.na
+++.nf
+++smtp(8) SMTP client
+++smtpd(8) SMTP server
+++.SH LICENSE
+++.na
+++.nf
+++.ad
+++.fi
+++The Secure Mailer license must be distributed with this software.
+++.SH AUTHOR(S)
+++.na
+++.nf
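Review bot: the SECURITY section's statement that tlsmgr "is not security-sensitive" sits uneasily with the rest of this page, which has tlsmgr write the 1024-byte seed into tls_random_exchange_name (default /etc/postfix/prng_exch) that smtp(8) and smtpd(8) read at startup; the integrity of that file and of the session cache databases matters to every TLS process, so the section should state the expected ownership and permissions for them rather than only saying the entropy input is never trusted. Two sections are empty: STANDARDS holds only .na/.nf before the next .SH, and AUTHOR(S) ends the hunk with .na/.nf and no names, so either fill them in or drop them. Smaller points: "pseude random values" under tls_random_prng_update_period should read "pseudo random values", "the contents is never trusted" should read "the contents are never trusted", the reseed default is given as "60 minutes" where the page otherwise says "1 hour", and the two mixed-case headings ".SH Session Cache" and ".SH Pseudo Random Number Generator" break the all-caps .SH convention used everywhere else in the file.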
++diff -ruN postfix-2.1.0-vanilla/proto/Makefile.in postfix-2.1.0/proto/Makefile.in
++--- postfix-2.1.0-vanilla/proto/Makefile.in	Wed Apr 14 17:05:40 2004
+++++ postfix-2.1.0/proto/Makefile.in	Mon Apr 26 13:39:34 2004
++@@ -29,6 +29,7 @@
++ 	../html/SMTPD_POLICY_README.html \
++ 	../html/SMTPD_PROXY_README.html \
++ 	../html/STANDARD_CONFIGURATION_README.html \
+++	../html/TLS_README.html \
++ 	../html/TUNING_README.html \
++ 	../html/UUCP_README.html ../html/ULTRIX_README.html \
++ 	../html/VERP_README.html ../html/VIRTUAL_README.html \
++@@ -59,6 +60,7 @@
++ 	../README_FILES/SMTPD_ACCESS_README \
++ 	../README_FILES/SMTPD_POLICY_README ../README_FILES/SMTPD_PROXY_README \
++ 	../README_FILES/STANDARD_CONFIGURATION_README \
+++	../README_FILES/TLS_README \
++ 	../README_FILES/TUNING_README \
++ 	../README_FILES/UUCP_README ../README_FILES/ULTRIX_README \
++ 	../README_FILES/VERP_README ../README_FILES/VIRTUAL_README \
++diff -ruN postfix-2.1.0-vanilla/proto/TLS_README.html postfix-2.1.0/proto/TLS_README.html
++--- postfix-2.1.0-vanilla/proto/TLS_README.html	Thu Jan  1 01:00:00 1970
+++++ postfix-2.1.0/proto/TLS_README.html	Mon Apr 26 13:40:28 2004
++@@ -0,0 +1,1093 @@
+++<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
+++        "http://www.w3.org/TR/html4/loose.dtd">
+++
+++<html>
+++
+++<head>
+++
+++<title>Postfix TLS Support </title>
+++
+++<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
+++
+++</head>
+++
+++<body>
+++
+++<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix TLS Support
+++</h1>
+++
+++<hr>
+++
+++<h2> Purpose of this document </h2> 
+++
+++<p> This document describes how to configure the Transport Layer
+++Security (TLS) support in the Postfix SMTP client and Postfix SMTP server,
+++and how to configure the TLS manager daemon that maintains the
+++Pseudo Random Number Generator (PRNG) pool and the TLS session
+++cache information. </p>
+++
+++<p> Topics covered in this document: </p>
+++
+++<ul>
+++
+++<li><a href="#server_tls">SMTP Server specific settings</a>
+++
+++<li> <a href="#client_tls">SMTP Client specific settings</a>
+++
+++<li><a href="#tlsmgr_controls"> TLS manager specific settings </a>
+++
+++<li><a href="#problems"> Reporting problems </a>
+++
+++<li><a href="#credits"> Credits </a>
+++
+++</ul>
+++
+++<h2><a name="server_tls">SMTP Server specific settings</a></h2>
+++
+++<p> Topics covered in this section: </p>
+++
+++<ul>
+++
+++<li><a href="#server_cert_key">Server-side certificate and private
+++key configuration </a>
+++
+++<li><a href="#server_logging"> Server-side TLS activity logging
+++</a>
+++
+++<li><a href="#server_enable">Enabling TLS in the Postfix SMTP server </a>
+++
+++<li><a href="#server_vrfy_client">Client certificate verification</a>
+++
+++<li><a href="#server_tls_auth">Supporting AUTH over TLS only</a>
+++
+++<li><a href="#server_tls_cache">Server-side TLS session cache</a>
+++
+++<li><a href="#server_access">Server access control</a>
+++
+++<li><a href="#server_cipher">Server-side cipher controls</a>
+++
+++<li><a href="#server_misc"> Miscellaneous server controls</a>
+++
+++</ul>
+++
+++<h3><a name="server_cert_key">Server-side certificate and private
+++key configuration </a> </h3>
+++
+++<p> In order to use TLS, the Postfix SMTP server needs a certificate
+++and a private key. Both must be in "pem" format. The private key
+++must not be encrypted, meaning:  the key must be accessible without
+++password.  Both certificate and private key may be in the same
+++file.  </p>
+++
+++<p> Both RSA and DSA certificates are supported. Typically you will
+++only have RSA certificates issued by a commercial CA. In addition,
+++the tools supplied with OpenSSL will by default issue RSA certificates.
+++You can have both at the same time, in which case the cipher used
+++determines which certificate is presented. For Netscape and OpenSSL
+++clients without special cipher choices, the RSA certificate is
+++preferred. </p>
+++
+++<p> In order for remote SMTP clients to check the Postfix SMTP
+++server certificates, the CA certificate (in case of a certificate
+++chain, all CA certificates) must be available.  You should add
+++these certificates to the server certificate, the server certificate
+++first, then the issuing CA(s).  </p>
+++
+++<p> Example: the certificate for "server.dom.ain" was issued by
+++"intermediate CA" which itself has a certificate issued by "root
+++CA".  Create the server.pem file with: </p>
+++
+++<blockquote>
+++<pre>
+++cat server_cert.pem intermediate_CA.pem root_CA.pem &gt; server.pem
+++</pre>
+++</blockquote>
+++
+++<p> If you want the Postfix SMTP server to accept remote SMTP client
+++certificates issued by these CAs, you can also add the CA certificates
+++to the smtpd_tls_CAfile, in which case it is not necessary to have
+++them in the smtpd_tls_cert_file or smtpd_tls_dcert_file. </p>
+++
+++<p> A Postfix SMTP server certificate supplied here must be usable
+++as SSL server certificate and hence pass the "openssl verify -purpose
+++sslserver
+++..." test. </p>
+++
+++<p> RSA key and certificate examples: </p>
+++
+++<blockquote>
+++<pre>
+++smtpd_tls_cert_file = /etc/postfix/server.pem
+++smtpd_tls_key_file = $smtpd_tls_cert_file
+++</pre>
+++</blockquote>
+++
+++<p> Their DSA counterparts: </p>
+++
+++<blockquote>
+++<pre>
+++smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
+++smtpd_tls_dkey_file = $smtpd_tls_dcert_file
+++</pre>  
+++</blockquote>
+++
+++<p> The Postfix SMTP server certificate was issued by a certification
+++authority (CA), the CA-cert of which must be provided with the CA
+++file if it is not already provided in the certificate file.  The
+++CA file may also contain the CA certificates of other trusted CAs.
+++You must use this file for the list of trusted CAs if you want to
+++use chroot-mode. No default is supplied for this value as of now.
+++</p>
+++
+++<p> Example: </p>
+++<blockquote>
+++<pre>
+++smtpd_tls_CAfile = /etc/postfix/CAcert.pem
+++</pre>
+++</blockquote>
+++
+++<p> To verify a remote SMTP client certificate, the Postfix SMTP
+++server needs to know the certificates of the issuing certification
+++authorities. These certificates in "pem" format are collected in
+++a directory. The same CA certificates are offered to clients for
+++client verification.  Don't forget to create the necessary "hash"
+++links with $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs. A typical
+++place for the CA certificates may also be $OPENSSL_HOME/certs, so
+++there is no default and you explicitly have to set the value here!
+++</p>
+++
+++<p> To use this option in chroot mode, this directory itself or a
+++copy of it must be inside the chroot jail. Please note also, that
+++the CAs in this directory are not listed to the client, so that
+++e.g. Netscape might not offer certificates issued by them.  For
+++this reason, the use of this feature is discouraged. </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtpd_tls_CApath = /etc/postfix/certs
+++</pre>
+++</blockquote>
+++
+++<h3><a name="server_logging"> Server-side TLS activity logging </a> </h3>
+++
+++<p> To get additional information about Postfix SMTP server TLS
+++activity you can increase the loglevel from 0..4. Each logging
+++level also includes the information that is logged at a lower
+++logging level. </p>
+++
+++<blockquote>
+++
+++<table>
+++
+++<tr> <td> 0 </td> <td> Disable logging of TLS activity.</td> </tr>
+++
+++<tr> <td> 1 </td> <td> Log TLS handshake and certificate information.
+++</td> </tr>
+++
+++<tr> <td> 2 </td> <td> Log levels during TLS negotiation.  </td>
+++</tr>
+++
+++<tr> <td> 3 </td> <td> Log hexadecimal and ASCII dump of TLS
+++negotiation process </td> </tr>
+++
+++<tr> <td> 4 </td> <td> Log hexadecimal and ASCII dump of complete
+++transmission after STARTTLS </td> </tr>
+++
+++</table>
+++
+++</blockquote>
+++
+++<p> Use loglevel 3 only in case of problems. Use of loglevel 4 is
+++strongly discouraged. </p>
+++
+++<p> Example: </p>
+++
+++<blockquote>
+++<pre>
+++smtpd_tls_loglevel = 0
+++</pre>
+++</blockquote>
+++
+++<p> To include information about the protocol and cipher used as
+++well as the client and issuer CommonName into the "Received:"
+++message header, set the smtpd_tls_received_header variable to true.
+++The default is no, as the information is not necessarily authentic.
+++Only information recorded at the final destination is reliable,
+++since the headers may be changed by intermediate servers. </p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtpd_tls_received_header = yes
+++</pre>
+++</blockquote>
+++
+++<h3><a name="server_enable">Enabling TLS in the Postfix SMTP server </a> </h3>
+++
+++<p> By default, TLS is disabled in the Postfix SMTP server, so no
+++difference to plain Postfix is visible.  Explicitly switch it on
+++using "smtpd_use_tls = yes". </p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtpd_use_tls = yes
+++</pre>
+++</blockquote>
+++
+++<p> Note: when an unprivileged user invokes "sendmail -bs", STARTTLS
+++is never offered due to insufficient privileges to access the server
+++private key. This is intended behavior. </p>
+++
+++<p> You can ENFORCE the use of TLS, so that the Postfix SMTP server
+++accepts no commands (except QUIT of course) without TLS encryption,
+++by setting "smtpd_enforce_tls = yes". According to RFC 2487 this
+++MUST NOT be applied in case of a publicly-referenced Postfix SMTP
+++server.  So this option is off by default and should only seldom
+++be used.  Using this option implies "smtpd_use_tls = yes". </p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtpd_enforce_tls = yes
+++</pre>
+++</blockquote>
+++
+++<p> Besides RFC 2487 some clients, namely Outlook [Express] prefer
+++to run the non-standard "wrapper" mode, not the STARTTLS enhancement
+++to SMTP.  This is true for OE (Win32 &lt; 5.0 and Win32 &gt;=5.0 when
+++run on a port&lt;&gt;25 and OE (5.01 Mac on all ports). </p>
+++
+++<p> It is strictly discouraged to use this mode from main.cf. If
+++you want to support this service, enable a special port in master.cf
+++and specify "-o smtpd_tls_wrappermode = yes" as an smtpd(8) command
+++line option.  Port 465 (smtps) was once chosen for this feature.
+++</p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtpd_tls_wrappermode = no
+++</pre>
+++</blockquote>
+++
+++<h3><a name="server_vrfy_client">Client certificate verification</a> </h3>
+++
+++<p> To receive a remote SMTP client certificate, the Postfix SMTP
+++server must explicitly ask for one by sending the $smtpd_tls_CAfile
+++certificates to the client. Unfortunately, Netscape clients will
+++either complain if no matching client certificate is available or
+++will offer the user client a list of certificates to choose from.
+++This might be annoying, so this option is "off" by default.  You
+++will however need the certificate if you want to use certificate
+++based relaying with, for example, the permit_tls_client_certs
+++feature.  </p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtpd_tls_ask_ccert = no
+++</pre>
+++</blockquote>
+++
+++<p> You may also decide to REQUIRE a remote SMTP client certificate
+++before allowing TLS connections.  This feature is included for
+++completeness, and implies "smtpd_tls_ask_ccert = yes".  </p>
+++
+++<p> Please be aware, that this will inhibit TLS connections without
+++a proper client certificate and that it makes sense only when
+++non-TLS submission is disabled (smtpd_enforce_tls = yes). Otherwise,
+++clients could bypass the restriction by simply not using STARTTLS
+++at all. </p>
+++
+++<p> When TLS is not enforced, the connection will be handled as
+++if only "smtpd_tls_ask_ccert = yes" is specified, and a warning is
+++logged. </p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtpd_tls_req_ccert = no
+++</pre>
+++</blockquote>
+++
+++<p> A client certificate verification depth of 1 is sufficient if
+++the certificate is directly issued by a CA listed in the CA file.
+++The default value (5) should also suffice for longer chains (root
+++CA issues special CA which then issues the actual certificate...)
+++</p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtpd_tls_ccert_verifydepth = 5
+++</pre>
+++</blockquote>
+++
+++<h3><a name="server_tls_auth">Supporting AUTH over TLS only</a></h3>
+++
+++<p> Sending AUTH data over an un-encrypted channel poses a security
+++risk. When TLS layer encryption is required (smtpd_enforce_tls =
+++yes), the Postfix SMTP server will announce and accept AUTH only
+++after the TLS layer has been activated with STARTTLS. When TLS
+++layer encryption is optional (smtpd_enforce_tls = no), it may
+++however still be useful to only offer AUTH when TLS is active. To
+++maintain compatibility with non-TLS clients, the default is to
+++accept AUTH without encryption. In order to change this behavior,
+++set "smtpd_tls_auth_only = yes". </p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtpd_tls_auth_only = no
+++</pre>
+++</blockquote>
+++
+++<h3><a name="server_tls_cache">Server-side TLS session cache</a> </h3>
+++
+++<p> The Postfix SMTP server and the remote SMTP client negotiate a
+++session, which takes some computer time and network bandwidth. By
+++default, this session information is cached only in the smtpd(8)
+++process actually using this session and is lost when the process
+++terminates.  To share the session information between multiple
+++smtpd(8) processes, a persistent session cache can be used based
+++on the SDBM databases (routines included in Postfix/TLS). Since
+++concurrent writing must be supported, only SDBM can be used. </p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
+++</pre>
+++</blockquote>
+++
+++<p> Cached Postfix SMTP server session information expires after
+++a certain amount of time.  Postfix/TLS does not use the OpenSSL
+++default of 300s, but a longer time of 3600sec (=1 hour). RFC 2246
+++recommends a maximum of 24 hours.  </p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtpd_tls_session_cache_timeout = 3600s
+++</pre>
+++</blockquote>
+++
+++<h3><a name="server_access">Server access control</a> </h3>
+++
+++<p> Postfix TLS support introduces two additional features for
+++Postfix SMTP server access control:  </p>
+++
+++<blockquote>
+++
+++<dl>
+++
+++<dt> permit_tls_clientcerts </dt> <dd> <p> Allow the remote SMTP
+++client SMTP request if the client certificate passes verification,
+++and if its fingerprint is listed in the list of client certificates
+++(see relay_clientcerts discussion below). </p> </dd>
+++
+++<dt> permit_tls_all_clientcerts </dt> <dd> <p> Allow the remote
+++client SMTP request if the client certificate passes verification.
+++</p> </dd>
+++
+++</dl>
+++
+++</blockquote>
+++
+++<p> The permit_tls_all_clientcerts feature must be used with caution,
+++because it can result in too many access permissions.  Use this
+++feature only if a special CA issues the client certificates, and
+++only if this CA is listed as trusted CA. If other CAs are trusted,
+++any owner of a valid client certificate would be authorized.
+++The permit_tls_all_clientcerts feature can be practical for a
+++specially created email relay server.  </p>
+++
+++<p> It is however recommended to stay with the permit_tls_clientcerts
+++feature and list all certificates via $relay_clientcerts, as
+++permit_tls_all_clientcerts does not permit any control when a
+++certificate must no longer be used (e.g. an employee leaving). </p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtpd_recipient_restrictions = 
+++    ... 
+++    permit_tls_clientcerts 
+++    reject_unauth_destination
+++    ...
+++</pre>
+++</blockquote>
+++
+++<p> The Postfix list manipulation routines give special treatment
+++to whitespace and some other characters, making the use of certificate
+++names unpractical.  Instead we use the certificate fingerprints as
+++they are difficult to fake but easy to use for lookup.  Postfix
+++lookup tables are in the form of (key, value) pairs.  Since we only
+++need the key, the value can be chosen freely, e.g.  the name of
+++the user or host:</p>
+++
+++<blockquote>
+++<pre>
+++D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home
+++</pre>
+++</blockquote>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++relay_clientcerts = hash:/etc/postfix/relay_clientcerts
+++</pre>
+++</blockquote>
+++
+++<h3><a name="server_cipher">Server-side cipher controls</a> </h3>
+++
+++<p> To influence the Postfix SMTP server cipher selection scheme,
+++you can give cipherlist string.  A detailed description would go
+++to far here, please refer to the openssl documentation.  If you
+++don't know what to do with it, simply don't touch it and leave the
+++(openssl-)compiled in default! </p>
+++
+++<p> DO NOT USE " to enclose the string, specify just the string!!! </p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtpd_tls_cipherlist = DEFAULT
+++</pre>
+++</blockquote>
+++
+++<p> If you want to take advantage of ciphers with EDH, DH parameters
+++are needed.  Instead of using the built-in DH parameters for both
+++1024bit and 512bit, it is better to generate "own" parameters,
+++since otherwise it would "pay" for a possible attacker to start a
+++brute force attack against parameters that are used by everybody.
+++For this reason, the parameters chosen are already different from
+++those distributed with other TLS packages. </p>
+++
+++<p> To generate your own set of DH parameters, use: </p>
+++
+++<blockquote>
+++<pre>
+++openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024
+++openssl gendh -out /etc/postfix/dh_512.pem -2 -rand /var/run/egd-pool 512
+++</pre>
+++</blockquote>
+++
+++<p> Your source for "entropy" might vary; some systems have
+++/dev/random; on other systems you might consider the "Entropy
+++Gathering Daemon EGD", available at http://www.lothar.com/tech/crypto/.
+++</p>
+++
+++<p> Examples: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
+++smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
+++</pre>
+++</blockquote>
+++
+++<h3><a name="server_misc"> Miscellaneous server controls</a> </h3>
+++
+++<p> The smtpd_starttls_timeout parameter limits the time of Postfix
+++SMTP server write and read operations during TLS startup and shutdown
+++handshake procedures.  </p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtpd_starttls_timeout = 300s
+++</pre>
+++</blockquote>
+++
+++<h2> <a name="client_tls">SMTP Client specific settings</a> </h2>
+++
+++<p> Topics covered in this section: </p>
+++
+++<ul>
+++
+++<li><a href="#client_cert_key">Client-side certificate and private
+++key configuration </a>
+++
+++<li><a href="#client_logging"> Client-side TLS activity logging
+++</a>
+++
+++<li><a href="#client_tls_cache">Client-side TLS session cache</a>
+++
+++<li><a href="#client_tls"> Enabling TLS in the Postfix SMTP client </a>
+++
+++<li><a href="#client_vrfy_server">Server certificate verification</a>
+++
+++<li> <a href="#client_cipher">Client-side cipher controls </a>
+++
+++<li> <a href="#client_misc"> Miscellaneous client controls </a>
+++
+++</ul>
+++
+++<h3><a name="client_cert_key">Client-side certificate and private
+++key configuration </a> </h3>
+++
+++During TLS startup negotiation the Postfix SMTP client may present
+++a certificate to the remote SMTP server.  The Netscape client is
+++rather clever here and lets the user select between only those
+++certificates that match CA certificates offered by the remote SMTP
+++server. As the Postfix SMTP client uses the "SSL_connect()" function
+++from the OpenSSL package, this is not possible and we have to choose
+++just one certificate.  So for now the default is to use _no_
+++certificate and key unless one is explicitly specified here. </p>
+++
+++<p> Both RSA and DSA certificates are supported.  You can have both
+++at the same time, in which case the cipher used determines which
+++certificate is presented.  </p>
+++
+++<p> It is possible for the Postfix SMTP client to use the same
+++key/certificate pair as the Postfix SMTP server.  If a certificate
+++is to be presented, it must be in "pem" format. The private key
+++must not be encrypted, meaning: it must be accessible without
+++password. Both parts (certificate and private key) may be in the
+++same file. </p>
+++
+++<p> In order for remote SMTP servers to verify the Postfix SMTP
+++client certificates, the CA certificate (in case of a certificate
+++chain, all CA certificates) must be available.  You should add
+++these certificates to the client certificate, the client certificate
+++first, then the issuing CA(s). </p>
+++
+++<p> Example: the certificate for "client.dom.ain" was issued by
+++"intermediate CA" which itself has a certificate of "root CA".
+++Create the client.pem file with: </p>
+++
+++<blockquote>
+++<pre>
+++cat client_cert.pem intermediate_CA.pem root_CA.pem &gt; client.pem
+++</pre>
+++</blockquote>
+++
+++<p> If you want the Postfix SMTP client to accept certificates
+++issued by these CAs, you can also add the CA certificates to the
+++smtp_tls_CAfile, in which case it is not necessary to have them in
+++the smtp_tls_cert_file or smtp_tls_dcert_file.  </p>
+++
+++<p> A Postfix SMTP client certificate supplied here must be usable
+++as SSL client certificate and hence pass the "openssl verify -purpose
+++sslclient
+++..." test. </p>
+++
+++<p> RSA key and certificate examples: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtp_tls_cert_file = /etc/postfix/client.pem
+++smtp_tls_key_file = $smtp_tls_cert_file
+++</pre>
+++</blockquote>
+++
+++<p> Their DSA counterparts: </p>
+++
+++<blockquote>
+++<pre>
+++smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
+++smtp_tls_dkey_file = $smtpd_tls_cert_file
+++</pre>  
+++</blockquote>
+++
+++<p> The Postfix SMTP client certificate was issued by a certification
+++authority (CA), the CA-cert of which must be provided with the CA
+++file if it is not already provided in the certificate file.  The
+++CA file may also contain the CA certificates of other trusted CAs.
+++You must use this file for the list of trusted CAs if you want to
+++use chroot-mode. No default is supplied for this value as of now.
+++</p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtp_tls_CAfile = /etc/postfix/CAcert.pem
+++</pre>
+++</blockquote>
+++
+++<p> To verify a remote SMTP server certificate, the Postfix SMTP
+++client needs to know the certificates of the issuing certification
+++authorities. These certificates in "pem" format are collected in
+++a directory. Don't forget to create the necessary "hash" links with
+++$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs. A typical place for
+++the CA certificates may also be $OPENSSL_HOME/certs, so there is
+++no default and you explicitly have to set the value here! </p>
+++
+++<p> To use this option in chroot mode, this directory itself or a
+++copy of it must be inside the chroot jail. </p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtp_tls_CApath = /etc/postfix/certs
+++</pre>
+++</blockquote>
+++
+++<h3><a name="client_logging"> Client-side TLS activity logging </a> </h3>
+++
+++<p> To get additional information about Postfix SMTP client TLS
+++activity you can increase the loglevel from 0..4. Each logging
+++level also includes the information that is logged at a lower
+++logging level. </p>
+++
+++<blockquote>
+++
+++<table>
+++
+++<tr> <td> 0 </td> <td> Disable logging of TLS activity.</td> </tr>
+++
+++<tr> <td> 1 </td> <td> Log TLS handshake and certificate information.
+++</td> </tr>
+++
+++<tr> <td> 2 </td> <td> Log levels during TLS negotiation.  </td>
+++</tr>
+++
+++<tr> <td> 3 </td> <td> Log hexadecimal and ASCII dump of TLS
+++negotiation process </td> </tr>
+++
+++<tr> <td> 4 </td> <td> Log hexadecimal and ASCII dump of complete
+++transmission after STARTTLS </td> </tr>
+++
+++</table>
+++
+++</blockquote>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtp_tls_loglevel = 0
+++</pre>
+++</blockquote>
+++
+++<h3><a name="client_tls_cache">Client-side TLS session cache</a> </h3>
+++
+++<p> The remote SMTP server and the Postfix SMTP client negotiate a
+++session, which takes some computer time and network bandwidth.  By
+++default, this session information is cached only in the smtp(8)
+++process actually using this session and is lost when the process
+++terminates.  To share the session information between multiple
+++smtp(8) processes, a persistent session cache can be used based on
+++the SDBM databases (routines included in Postfix/TLS). Since
+++concurrent writing must be supported, only SDBM can be used. </p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache
+++</pre>
+++</blockquote>
+++
+++<p> Cached Postfix SMTP client session information expires after
+++a certain amount of time.  Postfix/TLS does not use the OpenSSL
+++default of 300s, but a longer time of 3600s (=1 hour). RFC 2246
+++recommends a maximum of 24 hours.  </p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtp_tls_session_cache_timeout = 3600s
+++</pre>
+++</blockquote>
+++
+++<h3><a name="client_tls"> Enabling TLS in the Postfix SMTP client </a>
+++</h3>
+++
+++<p> By default, TLS is disabled in the Postfix SMTP client, so no
+++difference to plain Postfix is visible.  If you enable TLS, the
+++Postfix SMTP client will send STARTTLS when TLS support is announced
+++by the remote SMTP server. </p>
+++
+++<p> WARNING: MS Exchange servers will announce STARTTLS support
+++even when the service is not configured, so that the TLS handshake
+++will fail.  It may be wise to not use this option on your central
+++mail hub, as you don't know in advance whether you are going to
+++connect to such a host. Instead, use the smtp_tls_per_site
+++recipient/site specific options that are described below. </p>
+++
+++<p> When the TLS handshake fails and no other server is available,
+++the Postfix SMTP client defers the delivery attempt, and the mail
+++stays in the queue.  </p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtp_use_tls = yes
+++</pre>
+++</blockquote>
+++
+++<p> You can ENFORCE the use of TLS, so that the Postfix SMTP client
+++will not deliver mail over un-encrypted connections.  In this mode,
+++the remote SMTP server hostname must match the information in the
+++remote server certificate, and the server certificate must be issued
+++by a CA that is trusted by the Postfix SMTP client.  If the remote
+++server certificate doesn't verify or the remote SMTP server hostname
+++doesn't match, and no other server is available, the delivery
+++attempt is deferred and the mail stays in the queue.  </p>
+++
+++<p> The remote SMTP server hostname used in the check is beyond
+++question, as it must be the principal hostname (no CNAME allowed
+++here). Checks are performed against all names provided as dNSNames
+++in the SubjectAlternativeName. If no dNSNames are specified, the
+++CommonName is checked.  The behavior may be changed with the
+++smtp_tls_enforce_peername option which is discussed below. </p>
+++
+++<p> This option is useful only if you know that you will only
+++connect to servers that support RFC 2487 _and_ that present server
+++certificates that meet the above requirements.  An example would
+++be a client only sends email to one specific mailhub that offers
+++the necessary STARTTLS support.  </p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtp_enforce_tls = no
+++</pre>
+++</blockquote>
+++
+++<p> As of RFC 2487 the requirements for hostname checking for MTA
+++clients are not set. When TLS is required (smtp_enforce_tls = yes),
+++the option smtp_tls_enforce_peername can be set to "no" to disable
+++strict remote SMTP server hostname checking. In this case, the mail
+++delivery will proceed regardless of the CommonName etc. listed in
+++the certificate. </p>
+++
+++<p> Note: the smtp_tls_enforce_peername setting has no effect on
+++sessions that are controlled via the smtp_tls_per_site table.  </p>
+++
+++<p>  Disabling the remote SMTP server hostname verification can
+++make sense in closed environment where special CAs are created.
+++If not used carefully, this option opens the danger of a
+++"man-in-the-middle" attack (the CommonName of this possible attacker
+++is logged). </p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtp_tls_enforce_peername = yes
+++</pre>
+++</blockquote>
+++
+++<p> Generally, trying TLS can be a bad idea, as some servers offer
+++STARTTLS but the negotiation will fail leading to unexplainable
+++failures. Instead, it may be a good idea to choose the TLS usage
+++policy based on the recipient or the mailhub to which you are
+++connecting. </p>
+++
+++<p> Deciding the TLS usage policy per recipient may be difficult,
+++since a single email delivery attempt can involve several recipients.
+++Instead, use of TLS is controlled by the Postfix next-hop destination
+++domain name and by the remote SMTP server hostname.  If either of these
+++matches an entry in the smtp_tls_per_site table, appropriate action
+++is taken.  </p>
+++
+++<p> The remote SMTP server hostname is simply the DNS name of the
+++server that the Postfix SMTP client connects to.  The next-hop
+++destination is Postfix specific.  By default, this is the domain
+++name in the recipient address, but this information can be overruled
+++by the transport(5) table or by the relayhost parameter setting.
+++In these cases the relayhost etc. must be listed in the smtp_tls_per_site
+++table, instead of the recipient domain name. </p>
+++
+++<p> Format of the table: domain or host names are specified on the
+++left-hand side; no wildcards are allowed.  On the right hand side
+++specify one of the following keywords:  </p>
+++
+++<blockquote>
+++
+++<dl>
+++
+++<dt> NONE </dt> <dd> Don't use TLS at all. </dd>
+++
+++<dt> MAY </dt> <dd> Try to use STARTTLS if offered,
+++otherwise use the un-encrypted connection. </dd>
+++
+++<dt> MUST </dt> <dd> Require usage of STARTTLS, require that the
+++remote SMTP server hostname matches the information in the remote
+++SMTP server certificate, and require that the remote SMTP server
+++certificate was issued by a trusted CA. </dd>
+++
+++<dt> MUST_NOPEERMATCH </dt> <dd> Require usage of STARTTLS, but do
+++not require that the remote SMTP server hostname matches the
+++information in the remote SMTP server certificate, or that the
+++server certificate was issued by a trusted CA. </dd>
+++
+++</dl>
+++
+++</blockquote>
+++
+++<p> The actual TLS usage policy depends not only on whether the
+++next-hop destination or remote SMTP server hostname are found in
+++the smtp_tls_per_site table, but also on the smtp_enforce_tls
+++setting:  </p>
+++
+++<ul>
+++
+++<li> <p> If no match was found, the policy is applied as specified
+++with smtp_enforce_tls. </p>
+++
+++<li> <p> If a match was found, and the smtp_enforce_tls policy is
+++"enforce", NONE explicitly switches it off; otherwise the "enforce"
+++mode is used even for entries that specify MAY. </p>
+++
+++</ul>
+++
+++<p> Special hint for TLS enforcement mode:  since no secure DNS
+++lookup mechanism is available, mail can be delivered to the wrong
+++remote SMTP server. This is not prevented by specifying MUST for
+++the next-hop domain name.  The recommended setup is:  specify local
+++transport(5) table entries for sensitive domains with explicit
+++smtp:[mailhost] destinations (since you can assure security of this
+++table unlike DNS), then specify MUST for these mail hosts in the
+++smtp_tls_per_site table. </p>
+++
+++<!-- XXX What it we were to require that each MX host lists the
+++domain it is responsible for in its server certificate, and that
+++Postfix/TLS includes the next-hop domain name in the peer name
+++verification process? -->
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtp_tls_per_site = hash:/etc/postfix/tls_per_site
+++</pre>
+++</blockquote>
+++
+++<p> As we decide on a "per site" basis whether or not to use TLS,
+++it would be good to have a list of sites that offered "STARTTLS".
+++We can collect it ourselves with this option. </p>
+++
+++<p> If the smtp_tls_note_starttls_offer feature is enabled and a
+++server offers STARTTLS while TLS is not already enabled for that
+++server, the Postfix SMTP client logs a line as follows: </p>
+++
+++<blockquote>
+++<pre>
+++postfix/smtp[pid]: Host offered STARTTLS: [hostname.example.com]
+++</pre>
+++</blockquote>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtp_tls_note_starttls_offer = yes
+++</pre>
+++</blockquote>
+++
+++<h3><a name="client_vrfy_server">Server certificate verification</a> </h3>
+++
+++<p> When verifying a remote SMTP server certificate, a verification
+++depth of 1 is sufficient if the certificate is directly issued by
+++a CA specified with smtp_tls_CAfile or smtp_tls_CApath.  The default
+++value of 5 should also suffice for longer chains (root CA issues
+++special CA which then issues the actual certificate...) </p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtp_tls_scert_verifydepth = 5
+++</pre>
+++</blockquote>
+++
+++<h3> <a name="client_cipher">Client-side cipher controls </a> </h3>
+++
+++<p> To influence the Postfix SMTP client cipher selection scheme,
+++you can give cipherlist string.  A detailed description would go
+++to far here, please refer to the openssl documentation.  If you
+++don't know what to do with it, simply don't touch it and leave the
+++(openssl-)compiled in default! </p>
+++
+++<p> DO NOT USE " to enclose the string, specify just the string!!! </p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtp_tls_cipherlist = DEFAULT
+++</pre>
+++</blockquote>
+++
+++<h3> <a name="client_misc"> Miscellaneous client controls </a> </h3>
+++
+++<p> The smtp_starttls_timeout parameter limits the time of Postfix
+++SMTP client write and read operations during TLS startup and shutdown
+++handshake procedures.  In case of problems the Postfix SMTP client
+++tries the next network address on the mail exchanger list, and
+++defers delivery if no alternative server is available. </p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++smtp_starttls_timeout = 300s
+++</pre>
+++</blockquote>
+++
+++<h2><a name="tlsmgr_controls"> TLS manager specific settings </a> </h2>
+++
+++<p> The security of cryptographic software such as TLS depends
+++critically on the ability to generate unpredictable numbers for
+++keys and other information. To this end, the tlsmgr(8) process
+++maintains a Pseudo Random Number Generator (PRNG) pool.  This is
+++a fixed-size 1024-byte exchange file that is read by the smtp(8)
+++and smtpd(8) processes when they initialize.  These processes also
+++add some more entropy to the file by stirring in their own time
+++and process id information.  </p>
+++
+++<p> The tlsmgr(8) process creates the file if it does not already
+++exist, and rewrites the file at random time intervals with information
+++from its in-memory PRNG pool.  The default location is under the
+++Postfix configuration directory, which is not the proper place for
+++information that is modified by Postfix.  Instead, the file location
+++should probably be on the /var partition (but _not_ inside the
+++chroot jail).  </p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++tls_random_exchange_name = /etc/postfix/prng_exch
+++</pre>
+++</blockquote>
+++
+++<p> In order to feed its in-memory PRNG pool, the tlsmgr(8) reads
+++entropy from an external source, both at startup and during run-time.
+++Specify a good entropy source, like EGD or /dev/urandom; be sure
+++to only use non-blocking sources.  If the entropy source is not a
+++regular file, you must prepend the source type to the source name:
+++"dev:" for a device special file, or "egd:" for a source with EGD
+++compatible socket interface.  </p>
+++
+++<p> Examples (specify only one in main.cf): </p>
+++ 
+++<blockquote>
+++<pre>
+++tls_random_source = dev:/dev/urandom
+++tls_random_source = egd:/var/run/egd-pool
+++</pre>
+++</blockquote>
+++
+++<p> By default, tlsmgr(8) reads 32 bytes from the external entropy
+++source at each seeding event.  This amount (256bits) is more than
+++sufficient for generating a 128bit symmetric key.  With EGD and
+++device entropy sources, the tlsmgr(8) limits the amount of data
+++read at each step to 255 bytes. If you specify a regular file as
+++entropy source, a larger amount of data can be read.  </p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++tls_random_bytes = 32
+++</pre>
+++</blockquote>
+++
+++<p> In order to update its in-memory PRNG pool, the tlsmgr(8)
+++queries the external entropy source again after a random amount of
+++time. The time is calculated using the PRNG, and is between 0 and
+++the maximal time specified with tls_random_reseed_period.  The
+++default maximal time interval is 1 hour. </p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++tls_random_reseed_period = 3600s
+++</pre>
+++</blockquote>
+++
+++<p> The tlsmgr(8) re-generates the 1024 byte seed exchange file
+++after a random amount of time.  The time is calculated using the
+++PRNG, and is between 0 and the maximal time specified with
+++tls_random_update_period.  The default maximal time interval is 60
+++seconds. </p>
+++
+++<p> Example: </p>
+++ 
+++<blockquote>
+++<pre>
+++tls_random_prng_update_period = 60s
+++</pre>
+++</blockquote>
+++
+++<p> If you have an entropy source available that is not easily
+++drained (like /dev/urandom), the smtp(8) and smtpd(8) daemons can
+++load additional entropy on startup.  By default, an amount of 32
+++bytes is read, the equivalent to 256 bits. This is more than
+++sufficient to generate a 128bit (or 168bit) session key. However,
+++when Postfix needs to generate more than one key it can drain the
+++EGD. Consider the case of 50 smtp(8) processes starting up with a
+++full queue; this will request 1600bytes of entropy. This is however
+++not fatal, as long as "entropy" data can still be read from the
+++seed file that is maintained by tlsmgr(8). </p>
+++
+++<p> Examples: </p>
+++ 
+++<blockquote>
+++<pre>
+++tls_daemon_random_source = dev:/dev/urandom
+++tls_daemon_random_source = egd:/var/run/egd-pool
+++tls_daemon_random_bytes = 32
+++</pre>
+++</blockquote>
+++
+++<h2> <a name="problems"> Reporting problems </a> </h2>
+++
+++<p> When reporting a problem, please be thorough in the report.
+++Patches, when possible, are greatly appreciated too. </p>
+++
+++<p> Please differentiate when possible between: </p>
+++
+++<ul>
+++
+++<li> Problems in the IPv6 code: <postfix-ipv6 at stack.nl>
+++
+++<li> Problems in the TLS code: <postfix_tls at aet.tu-cottbus.de>
+++
+++<li> Problems in vanilla Postfix: <postfix-users at postfix.org>
+++
+++</ul>
+++
+++<h2><a name="credits">Credits </a> </h2>
+++
+++<ul>
+++
+++<li> TLS support for Postfix was originally developed by  Lutz
+++J&auml;nicke at Cottbus Technical University.
+++
+++<li> This part of the documentation was compiled by Wietse Venema
+++</p>
+++
+++</ul>
+++
+++</body>
+++
+++</html>
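Review bot: the tls_random_exchange_name example (`tls_random_exchange_name = /etc/postfix/prng_exch`) contradicts the paragraph directly above it, which says the seed file should not live under the Postfix configuration directory but on the /var partition; show a /var path in the example so that readers do not copy the discouraged layout. The seed-file rewrite paragraph names the parameter `tls_random_update_period` while its example uses `tls_random_prng_update_period`; make the prose match the example. In the credits list the second `<li>` is closed with a stray `</p>` that has no opening `<p>`, and the HTML comment reads "What it we were to" (should be "What if"). Minor: "256bits" and "128bit" should be "256 bits" and "128-bit" for consistency with the rest of the document.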
++diff -ruN postfix-2.1.0-vanilla/proto/postconf.proto postfix-2.1.0/proto/postconf.proto
++--- postfix-2.1.0-vanilla/proto/postconf.proto	Fri Apr 23 01:10:02 2004
+++++ postfix-2.1.0/proto/postconf.proto	Mon Apr 26 13:44:06 2004
++@@ -3820,6 +3820,19 @@
++ <dd>Permit the request when the client IP address matches any
++ network listed in  $mynetworks. </dd>
++ 
+++<dt><b><a name="permit_tls_all_clientcerts">permit_tls_all_clientcerts</a></b></dt>
+++
+++<dd> Permit the request when the remote SMTP client certificate is
+++verified successfully.  This option must be used only if a special
+++CA issues the certificates and only this CA is listed as trusted
+++CA, otherwise all clients with a recognized certificate would be
+++allowed to relay.  </dd>
+++
+++<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
+++
+++<dd>Permit the request when the remote SMTP client certificate is
+++verified successfully, and the certificate fingerprint is listed
+++in $relay_clientcerts. </dd>
++ <dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
++ 
++ <dd>Reject the request when the reversed client network address is
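Review bot: the permit_tls_all_clientcerts entry warns that every client with a recognized certificate would be allowed to relay, but it does not say where the trusted-CA list is configured; since the same patch documents smtpd_tls_CAfile and smtpd_tls_CApath, name them here so an administrator knows which list must contain only the special CA. Both permit_tls_* entries also depend on smtpd_tls_ask_ccert being enabled (the smtpd_tls_ask_ccert text says so), and permit_tls_clientcerts depends on $relay_clientcerts; a short cross-reference in each entry would help. Style: the `permit_tls_clientcerts` `</dd>` runs straight into the existing `<dt>reject_rbl_client` line; add the blank line that separates the other entries.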
++@@ -6796,3 +6809,618 @@
++ remote domains.  Available before Postfix version 2.0. With Postfix 2.1
++ and later, this is replaced by separate controls: virtual_alias_domains
++ and virtual_alias_maps. </p>
+++
+++%PARAM smtpd_tls_cert_file
+++
+++<p> File with the Postfix SMTP server RSA certificate in PEM format.
+++This file may also contain the server private key. </p>
+++
+++<p> Both RSA and DSA certificates are supported.  When both types
+++are present, the cipher used determines which certificate will be
+++presented to the client.  For Netscape and OpenSSL clients without
+++special cipher choices the RSA certificate is preferred. </p>
+++
+++<p> In order to verify a certificate, the CA certificate (in case
+++of a certificate chain, all CA certificates) must be available.
+++You should add these certificates to the server certificate, the
+++server certificate first, then the issuing CA(s).  </p>
+++
+++<p> Example: the certificate for "server.dom.ain" was issued by
+++"intermediate CA" which itself has a certificate of "root CA".
+++Create the server.pem file with "cat server_cert.pem intermediate_CA.pem
+++root_CA.pem &gt; server.pem". </p>
+++
+++<p> If you want to accept certificates issued by these CAs yourself,
+++you can also add the CA certificates to the smtpd_tls_CAfile, in
+++which case it is not necessary to have them in the smtpd_tls_dcert_file
+++or smtpd_tls_cert_file. </p>
+++
+++<p> A certificate supplied here must be usable as SSL server
+++certificate and hence pass the "openssl verify -purpose sslserver
+++..." test. </p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++smtpd_tls_cert_file = /etc/postfix/server.pem
+++</pre>
+++
+++%PARAM smtpd_tls_key_file $smtpd_tls_cert_file
+++
+++<p> File with the Postfix SMTP server RSA private key in PEM format.
+++This file may be combined with the server certificate file specified
+++with $smtpd_tls_cert_file. </p>
+++
+++<p> The private key must not be encrypted. In other words, the key
+++must be accessible without password. </p>
+++
+++%PARAM smtpd_tls_dcert_file
+++
+++<p> File with the Postfix SMTP server DSA certificate in PEM format.
+++This file may also contain the server private key. <p>
+++
+++<p> See the discussion under smtpd_tls_cert_file for more details.
+++</p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
+++</pre>
+++
+++%PARAM smtpd_tls_dkey_file $smtpd_tls_dcert_file
+++
+++<p> File with the Postfix SMTP server DSA private key in PEM format.
+++This file may be combined with the server certificate file specified
+++with $smtpd_tls_dcert_file. </p>
+++
+++<p> The private key must not be encrypted. In other words, the key
+++must be accessible without password. </p>
+++
+++%PARAM smtpd_tls_CAfile
+++
+++<p> The file with the certificate of the certification authority
+++(CA) that issued the Postfix SMTP server certificate.  This is
+++needed only when the CA certificate is not already present in the
+++server certificate file.  This file may also contain the CA
+++certificates of other trusted CAs.  You must use this file for the
+++list of trusted CAs if you want to use chroot-mode. </p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++smtpd_tls_CAfile = /etc/postfix/CAcert.pem
+++</pre>
+++
+++%PARAM smtpd_tls_CApath
+++
+++<p> Directory with PEM format certificate authority certificates
+++that the Postfix SMTP server offers to remote SMTP clients for the
+++purpose of client certificate verification.  Do not forget to create
+++the necessary "hash" links with, for example, "$OPENSSL_HOME/bin/c_rehash
+++/etc/postfix/certs".  </p>
+++
+++<p> To use this option in chroot mode, this directory (or a copy)
+++must be inside the chroot jail. Please note that in this case the
+++CA certificates are not offered to the client, so that e.g.  Netscape
+++clients might not offer certificates issued by them.  Use of this
+++feature is therefore not recommended. </p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++smtpd_tls_CApath = /etc/postfix/certs
+++</pre>
+++
+++%PARAM smtpd_tls_loglevel 0
+++
+++<p> Enable additional Postfix SMTP server logging of TLS activity.
+++Each logging level also includes the information that is logged at
+++a lower logging level.  </p>
+++
+++<dl compact>
+++
+++<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
+++
+++<dt> </dt> <dd> 1 Log TLS handshake and certificate information. </dd>
+++
+++<dt> </dt> <dd> 2 Log levels during TLS negotiation. </dd>
+++
+++<dt> </dt> <dd> 3 Log hexadecimal and ASCII dump of TLS negotiation
+++process.  </dd>
+++
+++<dt> </dt> <dd> 4 Also log hexadecimal and ASCII dump of complete
+++transmission after STARTTLS. </dd>
+++
+++</dl>
+++
+++<p> Use "smtpd_tls_loglevel = 3" only in case of problems. Use of
+++loglevel 4 is strongly discouraged. </p>
+++
+++%PARAM smtpd_tls_received_header no
+++
+++<p> Request that the Postfix SMTP server produces Received:  message
+++headers that include information about the protocol and cipher used,
+++as well as the client CommonName and client certificate issuer
+++CommonName.  This is disabled by default, as the information may
+++be modified in transit through other mail servers.  Only information
+++that was recorded by the final destination can be trusted. </p>
+++
+++%PARAM smtpd_use_tls no
+++
+++<p> Enable TLS support in the Postfix SMTP server. </p>
+++
+++<p> Note: when invoked via "sendmail -bs", Postfix will never offer
+++STARTTLS due to insufficient privileges to access the server private
+++key. This is intended behavior. </p>
+++
+++%PARAM smtpd_enforce_tls no
+++
+++<p> Require that remote SMTP clients use TLS encryption.  According
+++to RFC 2487 this MUST NOT be applied in case of a publicly-referenced
+++SMTP server.  This option is off by default and should only rarely
+++be used. </p>
+++
+++<p> This option implies "smtpd_use_tls = yes". </p>
+++
+++<p> Note: when invoked via "sendmail -bs", Postfix will never offer
+++STARTTLS due to insufficient privileges to access the server private  
+++key. This is intended behavior. </p>
+++
+++%PARAM smtpd_tls_wrappermode no
+++
+++<p> Run the Postfix SMTP server in the non-standard "wrapper" mode,
+++instead of using the STARTTLS command. </p>
+++
+++<p> If you want to support this service, enable a special port in
+++master.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP
+++server's command line. Port 465 (smtps) was once chosen for this
+++purpose. </p>
+++
+++%PARAM smtpd_tls_ask_ccert no
+++
+++<p> Ask a remote SMTP client for a client certificate. This
+++information is needed for certificate based mail relaying with,
+++for example, the permit_tls_clientcerts feature. </p>
+++
+++<p> Some clients such as Netscape will either complain if no
+++certificate is available (for the list of CAs in /etc/postfix/certs)
+++or will offer multiple client certificates to choose from. This
+++may be annoying, so this option is "off" by default. </p>
+++
+++%PARAM smtpd_tls_req_ccert no
+++
+++<p> When TLS encryption is enforced, require a remote SMTP client
+++certificate in order to allow TLS connections to proceed.  This
+++option implies "smtpd_tls_ask_ccert = yes". </p>
+++
+++<p> When TLS encryption is optional, remote SMTP clients can bypass
+++the restriction by simply not using STARTTLS at all. For this reason
+++a TLS connection will be handled as if only "smtpd_tls_ask_ccert
+++= yes" is specified.  </p>
+++
+++%PARAM smtpd_tls_ccert_verifydepth 5
+++
+++<p> The verification depth for remote SMTP client certificates. A
+++depth of 1 is sufficient if the issuing CA is listed in a local CA
+++file.  The default value should also suffice for longer chains (the
+++root CA issues special CA which then issues the actual certificate...).
+++</p>
+++
+++%PARAM smtpd_tls_auth_only no
+++
+++<p> When TLS encryption is optional in the Postfix SMTP server, do
+++not announce or accept SASL authentication over un-encrypted
+++connections. </p>
+++
+++%PARAM smtpd_tls_session_cache_database
+++
+++<p> Name of the SDBM file (type sdbm:) containing the optional
+++Postfix SMTP server TLS session cache. SDBM is required in order
+++to support concurrent updates.  The file is created if it does not
+++exist.  </p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
+++</pre>
+++
+++%PARAM smtpd_tls_session_cache_timeout 3600s
+++
+++<p> The expiration time of Postfix SMTP server TLS session cache
+++information.  A cache cleanup is performed periodically every
+++$smtpd_tls_session_cache_timeout seconds.  </p>
+++
+++%PARAM relay_clientcerts
+++
+++<p> The list of remote SMTP client certificates for which the
+++Postfix SMTP server will allow access with the permit_tls_clientcerts
+++feature.  This feature does not use certificate names, because
+++Postfix list manipulation routines treat whitespace and some other
+++characters as special.  Instead we use certificate fingerprints as
+++they are difficult to fake but easy to use for lookup. </p>
+++
+++<p> Postfix lookup tables are in the form of (key, value) pairs.
+++Since we only need the key, the value can be chosen freely, e.g.
+++the name of the user or host:
+++D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home </p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++relay_clientcerts = hash:/etc/postfix/relay_clientcerts
+++</pre>
+++
+++%PARAM smtpd_tls_cipherlist
+++
+++<p> Controls the Postfix SMTP server TLS cipher selection scheme.
+++For details, see the OpenSSL documentation. Note: do not use ""
+++quotes around the parameter value. </p>
+++
+++%PARAM smtpd_tls_dh1024_param_file
+++
+++<p> File with DH parameters that the Postfix SMTP server should
+++use with EDH ciphers. </p>
+++
+++<p> Instead of using the exact same parameter sets as distributed
+++with other TLS packages, it is more secure to generate your own
+++set of parameters with something like the following command:  </p>
+++
+++<pre>
+++openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024
+++</pre>
+++
+++<p> Your actual source for entropy may differ. Some systems have
+++/dev/random; on other system you may consider using the "Entropy
+++Gathering Daemon EGD", available at http://www.lothar.com/tech/crypto/.
+++</p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
+++</pre>
+++
+++%PARAM smtpd_tls_dh512_param_file
+++
+++<p> File with DH parameters that the Postfix SMTP server should
+++use with EDH ciphers. </p>
+++
+++<p> See also the discussion under the smtpd_tls_dh1024_param_file
+++configuration parameter.  </p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
+++</pre>
+++
+++%PARAM smtpd_starttls_timeout 300s
+++
+++<p> The time limit for Postfix SMTP server write and read operations
+++during TLS startup and shutdown handshake procedures. </p>
+++
+++%PARAM smtp_tls_cert_file
+++
+++<p> File with the Postfix SMTP client RSA certificate in PEM format.
+++This file may also contain the client private key, and these may
+++be the same as the server certificate and key file. </p>
+++
+++<p> In order to verify certificates, the CA certificate (in case
+++of a certificate chain, all CA certificates) must be available.
+++You should add these certificates to the server certificate, the
+++server certificate first, then the issuing CA(s). </p>
+++
+++<p> Example: the certificate for "client.dom.ain" was issued by
+++"intermediate CA" which itself has a certificate of "root CA".
+++Create the client.pem file with "cat client_cert.pem intermediate_CA.pem
+++root_CA.pem &gt; client.pem". </p>
+++
+++<p> If you want to accept remote SMTP server certificates issued
+++by these CAs yourself, you can also add the CA certificates to the
+++smtp_tls_CAfile, in which case it is not necessary to have them in
+++the smtp_tls_cert_file or smtp_tls_dcert_file. </p>
+++
+++<p> A certificate supplied here must be usable as SSL client certificate and
+++hence pass the "openssl verify -purpose sslclient ..." test. </p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++smtp_tls_cert_file = /etc/postfix/client.pem
+++</pre>
+++
+++%PARAM smtp_tls_key_file $smtp_tls_cert_file
+++
+++<p> File with the Postfix SMTP client RSA private key in PEM format.
+++This file may be combined with the client certificate file specified
+++with $smtp_tls_cert_file. </p>
+++
+++<p> The private key must not be encrypted. In other words, the key
+++must be accessible without password. </p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++smtp_tls_key_file = $smtp_tls_cert_file
+++</pre>
+++
+++%PARAM smtp_tls_CAfile
+++
+++<p> The file with the certificate of the certification authority
+++(CA) that issued the Postfix SMTP client certificate.  This is
+++needed only when the CA certificate is not already present in the
+++client certificate file.  </p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++smtp_tls_CAfile = /etc/postfix/CAcert.pem
+++</pre>
+++
+++%PARAM smtp_tls_CApath
+++
+++<p> Directory with PEM format certificate authority certificates
+++that the Postfix SMTP client uses to verify a remote SMTP server
+++certificate.  Don't forget to create the necessary "hash" links
+++with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
+++</p>
+++
+++<p> To use this option in chroot mode, this directory (or a copy) 
+++must be inside the chroot jail. </p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++smtp_tls_CApath = /etc/postfix/certs
+++</pre>
+++
+++%PARAM smtp_tls_loglevel 0
+++
+++<p> Enable additional Postfix SMTP client logging of TLS activity.
+++Each logging level also includes the information that is logged at
+++a lower logging level.  </p>
+++
+++<dl compact>
+++
+++<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
+++
+++<dt> </dt> <dd> 1 Log TLS handshake and certificate information. </dd>
+++
+++<dt> </dt> <dd> 2 Log levels during TLS negotiation. </dd>
+++
+++<dt> </dt> <dd> 3 Log hexadecimal and ASCII dump of TLS negotiation
+++process.  </dd>
+++
+++<dt> </dt> <dd> 4 Log hexadecimal and ASCII dump of complete
+++transmission after STARTTLS. </dd>
+++
+++</dl>
+++
+++<p> Use "smtp_tls_loglevel = 3" only in case of problems. Use of
+++loglevel 4 is strongly discouraged. </p>
+++
+++%PARAM smtp_tls_session_cache_database
+++
+++<p> Name of the SDBM file (type sdbm:) containing the optional
+++Postfix SMTP client TLS session cache. SDBM is required in order
+++to support concurrent updates. The file is created if it does not
+++exist.  </p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache
+++</pre>
+++
+++%PARAM smtp_tls_session_cache_timeout 3600s
+++
+++<p> The expiration time of Postfix SMTP client TLS session cache
+++information.  A cache cleanup is performed periodically every
+++$smtp_tls_session_cache_timeout seconds.  </p>
+++
+++%PARAM smtp_use_tls no
+++
+++<p> Always use TLS when a remote SMTP server announces STARTTLS
+++support.  Beware: some remote SMTP servers offer STARTTLS even if
+++it is not configured.  If the TLS handshake fails, and no other
+++server is available, delivery is deferred and mail stays in the
+++queue.  If this is a concern for you, use the smtp_tls_per_site
+++feature instead.  </p>
+++
+++%PARAM smtp_enforce_tls no
+++
+++<p> Require that remote SMTP servers use TLS encryption.  This also
+++requires that the remote SMTP server hostname matches the information
+++in the remote server certificate, and that the remote SMTP server
+++certificate was issued by a CA that is trusted by the Postfix SMTP
+++client. If the certificate doesn't verify or the hostname doesn't
+++match, delivery is deferred and mail stays in the queue.  </p>
+++
+++<p> The hostname used in the check is performed against all names
+++provided as dNSNames in the SubjectAlternativeName.  If no dNSNames
+++are specified, the CommonName is checked.  The behavior may be
+++changed with the smtp_tls_enforce_peername option.  </p>
+++
+++<p> This option is useful only if you are definitely sure that you
+++will only connect to servers that support RFC 2487 _and_ that
+++provide valid server certificates.  It is relatively safe to use
+++for local clients that only send email to one mailhub with the
+++necessary STARTTLS support.  </p>
+++
+++%PARAM smtp_tls_enforce_peername yes
+++
+++<p> When TLS encryption is enforced, require that the remote SMTP
+++server hostname matches the information in the remote SMTP server
+++certificate.  As of RFC 2487 the requirements for hostname checking
+++for MTA clients are not set. </p>
+++
+++<p> This option can be set to "no" to disable strict peer name
+++checking. This setting has no effect on sessions that are controlled
+++via the smtp_tls_per_site table.  </p>
+++
+++<p> Disabling the hostname verification can make sense in closed
+++environment where special CAs are created.  If not used carefully,
+++this option opens the danger of a "man-in-the-middle" attack (the
+++CommonName of this attacker will be logged). </p>
+++
+++%PARAM smtp_tls_per_site
+++
+++<p> Optional lookup tables with the Postfix SMTP client TLS usage
+++policy by next-hop domain name and by remote SMTP server hostname.
+++</p>
+++
+++<p> Table format:  domain names or server hostnames are specified
+++on the left-hand side; no wildcards are allowed.  On the right hand
+++side specify one of the following keywords:  </p>
+++
+++<dl>
+++
+++<dt> NONE </dt> <dd>Don't use TLS at all. </dd>
+++
+++<dt> MAY </dt> <dd>Try to use STARTTLS if offered,
+++otherwise use the un-encrypted connection. </dd>
+++
+++<dt> MUST </dt> <dd>Require usage of STARTTLS, require that the
+++remote SMTP server hostname matches the information in the remote
+++SMTP server certificate, and require that the remote SMTP server
+++certificate was issued by a trusted CA. </dd>
+++
+++<dt> MUST_NOPEERMATCH </dt> <dd>Require usage of STARTTLS, but do
+++not require that the remote SMTP server hostname matches the
+++information in the remote SMTP server certificate, or that the
+++server certificate was issued by a trusted CA. </dd>
+++
+++</dl>
+++
+++<p> Special hint for enforcement mode:  since no secure DNS lookup
+++mechanism is available, the recommended setup is:  specify local
+++transport(5) table entries for sensitive domains with explicit
+++smtp:[mailhost] destinations (since you can assure security of this
+++table unlike DNS), then specify MUST for these mail hosts in the
+++smtp_tls_per_site table. </p>
+++
+++%PARAM smtp_tls_scert_verifydepth 5
+++
+++<p> The verification depth for remote SMTP server certificates. A
+++depth of 1 is sufficient, if the certificate is directly issued by
+++a CA listed in the CA files.  The default value (5) should suffice
+++for longer chains (the root CA issues special CA which then issues
+++the actual certificate...). </p>
+++
+++%PARAM smtp_tls_note_starttls_offer no
+++
+++<p> Log the hostname of a remote SMTP server that offers STARTTLS,
+++when TLS is not already enabled for that server. </p>
+++
+++<p> The logfile record looks like:  </p>
+++
+++<pre>
+++postfix/smtp[pid]:  Host offered STARTTLS: [name.of.host]
+++</pre>
+++
+++%PARAM smtp_tls_cipherlist
+++
+++<p> Controls the Postfix SMTP client TLS cipher selection scheme.
+++For details, see the OpenSSL documentation. Note: do not use ""
+++quotes around the parameter value. </p>
+++
+++%PARAM smtp_starttls_timeout 300s
+++
+++<p> Time limit for Postfix SMTP client write and read operations
+++during TLS startup and shutdown handshake procedures. </p>
+++
+++%PARAM smtp_tls_dkey_file $smtp_tls_dcert_file
+++
+++<p> File with the Postfix SMTP client DSA private key in PEM format.
+++The private key must not be encrypted. In other words, the key must
+++be accessible without password. </p>
+++
+++<p> This file may be combined with the server certificate file
+++specified with $smtp_tls_cert_file. </p>
+++
+++%PARAM smtp_tls_dcert_file
+++
+++<p> File with the Postfix SMTP client DSA certificate in PEM format.
+++This file may also contain the server private key. </p>
+++
+++<p> See the discussion under smtp_tls_cert_file for more details.
+++</p>
+++
+++<p> Example: </p>
+++
+++<pre>
+++smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
+++</pre>
+++
+++%PARAM tls_random_exchange_name ${config_directory}/prng_exch
+++
+++<p> Name of the pseudo random number generator (PRNG) seed file
+++that is maintained by tlsmgr(8), and that is read by the smtp(8)
+++and smtpd(8) processes upon startup. The file length is fixed at
+++1024 bytes, and is created by tlsmgr(8) when it does not exist.
+++</p>
+++
+++<p> Since this file is changed by Postfix, it should probably be
+++kept in the /var file system, instead of under $config_directory.
+++The location should not be inside the chroot jail. </p>
+++
+++%PARAM tls_random_source
+++
+++<p> The external entropy source for the in-memory tlsmgr(8) pseudo
+++random number generator (PRNG) pool. Be sure to specify a non-blocking
+++source.  If this source is not a regular file, the entropy source
+++type must be prepended:  egd:/path/to/egd_socket for a source with
+++EGD compatible socket interface, or dev:/path/to/device for a
+++device file.  </p>
+++
+++%PARAM tls_random_bytes 32
+++
+++<p> The number of bytes that tlsmgr(8) reads from $tls_random_source
+++when (re)seeding the in-memory pseudo random number generator (PRNG)
+++pool. The default of 32 bytes (256 bits) is good enough for 128bit
+++symmetric keys.  If using EGD, a maximum of 255 bytes is read. </p>
+++
+++%PARAM tls_random_reseed_period 3600s
+++
+++<p> The maximal time between attempts by tlsmgr(8) to re-seed the
+++in-memory pseudo random number generator (PRNG) pool from external
+++sources.  The actual time between re-seeding attempts is calculated
+++using the PRNG, and is between 0 and the time specified.  </p>
+++
+++%PARAM tls_random_prng_update_period 60s
+++
+++<p> The maximal time between attempts by tlsmgr(8) to rewrite the
+++pseudo random number generator (PRNG) seed file specified with
+++$tls_random_exchange_name. This file is read by smtpd(8) and smtpd(8)
+++processes in order to seed their PRNGs.  The actual time between
+++rewriting attempts is calculated using the PRNG, and is between 0
+++and the time specified.  </p>
+++
+++%PARAM tls_daemon_random_source
+++
+++<p> Optional external source of entropy that can be read by smtpd(8)
+++and smtpd(8) processes in order to initialize their PRNGs. Be sure
+++to specify a non-blocking source.  The entropy source type must be
+++prepended to the source name:  egd:/path/to/egd_socket for a source
+++with EGD compatible socket interface, or dev:/path/to/device for
+++a device file.  </p>
+++
+++<p> Examples: </p>
+++
+++<pre>
+++tls_daemon_random_source = dev:/dev/urandom
+++tls_daemon_random_source = egd:/var/run/egd-pool
+++</pre>
+++
+++%PARAM tls_daemon_random_bytes 32
+++
+++<p> The amount of data that smtpd(8) and smtpd(8) processes read
+++from the entropy source specified with $tls_daemon_random_source.
+++The default of 32 bytes (equivalent to 256 bits) is sufficient to
+++generate a 128bit (or 168bit) session key. </p>
+++
+++<p> Usage of this option may drain EGD (consider the case of 50
+++smtp(8) processes starting up with a full queue and "postfix start",
+++which will request 1600 bytes of entropy). This is however not
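Review bot: three of the random-source descriptions name the wrong daemon: tls_random_prng_update_period says the seed file "is read by smtpd(8) and smtpd(8) processes", tls_daemon_random_source says it "can be read by smtpd(8) and smtpd(8)", and tls_daemon_random_bytes repeats the pair; each should read "smtp(8) and smtpd(8)", as the tls_random_exchange_name text already does. Two copy-paste leftovers from the server-side text also need fixing: smtp_tls_dkey_file says the key "may be combined with the server certificate file specified with $smtp_tls_cert_file", but this is the client's DSA key, so the matching file is the client DSA certificate in $smtp_tls_dcert_file, and smtp_tls_dcert_file likewise says it "may also contain the server private key" where it means the client private key. Finally, the tls_daemon_random_bytes paragraph stops mid-sentence at "This is however not"; check that the rest of it made it into the dpatch.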
++diff -ruN postfix-2.1.0-vanilla/src/global/Makefile.in postfix-2.1.0/src/global/Makefile.in
++--- postfix-2.1.0-vanilla/src/global/Makefile.in	Thu Apr 22 21:37:34 2004
+++++ postfix-2.1.0/src/global/Makefile.in	Sat Apr 24 14:44:19 2004
++@@ -22,7 +22,7 @@
++ 	sent.c smtp_stream.c split_addr.c string_list.c strip_addr.c \
++ 	sys_exits.c timed_ipc.c tok822_find.c tok822_node.c tok822_parse.c \
++ 	tok822_resolve.c tok822_rewrite.c tok822_tree.c trace.c verify.c \
++-	verify_clnt.c verp_sender.c virtual8_maps.c xtext.c
+++	verify_clnt.c verp_sender.c virtual8_maps.c xtext.c pfixtls.c
++ OBJS	= abounce.o been_here.o bounce.o bounce_log.o \
++ 	canon_addr.o cfg_parser.o cleanup_strerror.o cleanup_strflags.o \
++ 	clnt_stream.o debug_peer.o debug_process.o defer.o \
++@@ -46,7 +46,7 @@
++ 	sent.o smtp_stream.o split_addr.o string_list.o strip_addr.o \
++ 	sys_exits.o timed_ipc.o tok822_find.o tok822_node.o tok822_parse.o \
++ 	tok822_resolve.o tok822_rewrite.o tok822_tree.o trace.o verify.o \
++-	verify_clnt.o verp_sender.o virtual8_maps.o xtext.o
+++	verify_clnt.o verp_sender.o virtual8_maps.o xtext.o pfixtls.o
++ HDRS	= abounce.h been_here.h bounce.h bounce_log.h \
++ 	canon_addr.h cfg_parser.h cleanup_user.h clnt_stream.h config.h \
++ 	debug_peer.h debug_process.h defer.h deliver_completed.h \
++@@ -67,7 +67,7 @@
++ 	resolve_local.h rewrite_clnt.h sent.h smtp_stream.h split_addr.h \
++ 	string_list.h strip_addr.h sys_exits.h timed_ipc.h tok822.h \
++ 	trace.h verify.h verify_clnt.h verp_sender.h virtual8_maps.h \
++-	xtext.h
+++	xtext.h pfixtls.h
++ TESTSRC	= rec2stream.c stream2rec.c recdump.c
++ DEFS	= -I. -I$(INC_DIR) -D$(SYSTYPE)
++ CFLAGS	= $(DEBUG) $(OPT) $(DEFS)
++@@ -862,6 +862,7 @@
++ mail_params.o: ../../include/attr.h
++ mail_params.o: verp_sender.h
++ mail_params.o: mail_params.h
+++mail_params.o: pfixtls.h
++ mail_pathname.o: mail_pathname.c
++ mail_pathname.o: ../../include/sys_defs.h
++ mail_pathname.o: ../../include/stringops.h
++@@ -1394,3 +1395,16 @@
++ xtext.o: ../../include/vstring.h
++ xtext.o: ../../include/vbuf.h
++ xtext.o: xtext.h
+++pfixtls.o: pfixtls.c
+++pfixtls.o: ../../include/sys_defs.h
+++pfixtls.o: ../../include/iostuff.h
+++pfixtls.o: ../../include/mymalloc.h
+++pfixtls.o: ../../include/vstring.h
+++pfixtls.o: ../../include/vstream.h
+++pfixtls.o: ../../include/dict.h
+++pfixtls.o: ../../include/myflock.h
+++pfixtls.o: ../../include/stringops.h
+++pfixtls.o: ../../include/msg.h
+++pfixtls.o: ../../include/connect.h
+++pfixtls.o: mail_params.h
+++pfixtls.o: pfixtls.h
++diff -ruN postfix-2.1.0-vanilla/src/global/mail_params.c postfix-2.1.0/src/global/mail_params.c
++--- postfix-2.1.0-vanilla/src/global/mail_params.c	Mon Jan 26 16:43:42 2004
+++++ postfix-2.1.0/src/global/mail_params.c	Sat Apr 24 14:35:26 2004
++@@ -161,6 +161,7 @@
++ #include "mail_proto.h"
++ #include "verp_sender.h"
++ #include "mail_params.h"
+++#include "pfixtls.h"
++ 
++  /*
++   * Special configuration variables.
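Review bot: the #include "pfixtls.h" added here is unconditional while every use of it in this file is under #ifdef USE_SSL, so pfixtls.h has to compile cleanly without OpenSSL headers in a non-TLS build. Confirm the header keeps its OpenSSL-dependent declarations inside a USE_SSL block the way pfixtls.c does (its OpenSSL includes sit after #ifdef USE_SSL), or wrap this include in #ifdef USE_SSL as well.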
++@@ -231,6 +232,33 @@
++ int     var_in_flow_delay;
++ char   *var_par_dom_match;
++ char   *var_config_dirs;
+++#ifdef USE_SSL
+++char   *var_tls_rand_exch_name;
+++char   *var_smtpd_tls_cert_file;
+++char   *var_smtpd_tls_key_file;
+++char   *var_smtpd_tls_dcert_file;
+++char   *var_smtpd_tls_dkey_file;
+++char   *var_smtpd_tls_CAfile;
+++char   *var_smtpd_tls_CApath;
+++char   *var_smtpd_tls_cipherlist;
+++char   *var_smtpd_tls_dh512_param_file;
+++char   *var_smtpd_tls_dh1024_param_file;
+++int     var_smtpd_tls_loglevel;
+++char   *var_smtpd_tls_scache_db;
+++int     var_smtpd_tls_scache_timeout;
+++char   *var_smtp_tls_cert_file;
+++char   *var_smtp_tls_key_file;
+++char   *var_smtp_tls_dcert_file;
+++char   *var_smtp_tls_dkey_file;
+++char   *var_smtp_tls_CAfile;
+++char   *var_smtp_tls_CApath;
+++char   *var_smtp_tls_cipherlist;
+++int     var_smtp_tls_loglevel;
+++char   *var_smtp_tls_scache_db;
+++int     var_smtp_tls_scache_timeout;
+++char   *var_tls_daemon_rand_source;
+++int     var_tls_daemon_rand_bytes;
+++#endif
++ 
++ char   *var_import_environ;
++ char   *var_export_environ;
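Review bot: these definitions are under #ifdef USE_SSL, but the matching extern declarations added to mail_params.h in this same patch are not guarded, so any reference from code compiled without USE_SSL compiles and then fails at link time (var_smtpd_tls_cert_file, var_tls_rand_exch_name and friends simply do not exist in that build). Either guard the header declarations identically or define the variables unconditionally, as pfixtls.c does with tls_info_zero outside its USE_SSL block. Also, var_tls_rand_source, var_tls_rand_bytes, var_tls_reseed_period and var_tls_prng_upd_period are declared extern in the header but not defined here; if tlsmgr(8) owns them, a comment next to the header declarations saying so would save the next reader a grep.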
++@@ -478,6 +506,28 @@
++ 	VAR_FLUSH_SERVICE, DEF_FLUSH_SERVICE, &var_flush_service, 1, 0,
++ 	VAR_VERIFY_SERVICE, DEF_VERIFY_SERVICE, &var_verify_service, 1, 0,
++ 	VAR_TRACE_SERVICE, DEF_TRACE_SERVICE, &var_trace_service, 1, 0,
+++#ifdef USE_SSL
+++	VAR_TLS_RAND_EXCH_NAME, DEF_TLS_RAND_EXCH_NAME, &var_tls_rand_exch_name, 0, 0,
+++	VAR_SMTPD_TLS_CERT_FILE, DEF_SMTPD_TLS_CERT_FILE, &var_smtpd_tls_cert_file, 0, 0,
+++	VAR_SMTPD_TLS_KEY_FILE, DEF_SMTPD_TLS_KEY_FILE, &var_smtpd_tls_key_file, 0, 0,
+++	VAR_SMTPD_TLS_DCERT_FILE, DEF_SMTPD_TLS_DCERT_FILE, &var_smtpd_tls_dcert_file, 0, 0,
+++	VAR_SMTPD_TLS_DKEY_FILE, DEF_SMTPD_TLS_DKEY_FILE, &var_smtpd_tls_dkey_file, 0, 0,
+++	VAR_SMTPD_TLS_CA_FILE, DEF_SMTPD_TLS_CA_FILE, &var_smtpd_tls_CAfile, 0, 0,
+++	VAR_SMTPD_TLS_CA_PATH, DEF_SMTPD_TLS_CA_PATH, &var_smtpd_tls_CApath, 0, 0,
+++	VAR_SMTPD_TLS_CLIST, DEF_SMTPD_TLS_CLIST, &var_smtpd_tls_cipherlist, 0, 0,
+++	VAR_SMTPD_TLS_512_FILE, DEF_SMTPD_TLS_512_FILE, &var_smtpd_tls_dh512_param_file, 0, 0,
+++	VAR_SMTPD_TLS_1024_FILE, DEF_SMTPD_TLS_1024_FILE, &var_smtpd_tls_dh1024_param_file, 0, 0,
+++	VAR_SMTPD_TLS_SCACHE_DB, DEF_SMTPD_TLS_SCACHE_DB, &var_smtpd_tls_scache_db, 0, 0,
+++	VAR_SMTP_TLS_CERT_FILE, DEF_SMTP_TLS_CERT_FILE, &var_smtp_tls_cert_file, 0, 0,
+++	VAR_SMTP_TLS_KEY_FILE, DEF_SMTP_TLS_KEY_FILE, &var_smtp_tls_key_file, 0, 0,
+++	VAR_SMTP_TLS_DCERT_FILE, DEF_SMTP_TLS_DCERT_FILE, &var_smtp_tls_dcert_file, 0, 0,
+++	VAR_SMTP_TLS_DKEY_FILE, DEF_SMTP_TLS_DKEY_FILE, &var_smtp_tls_dkey_file, 0, 0,
+++	VAR_SMTP_TLS_CA_FILE, DEF_SMTP_TLS_CA_FILE, &var_smtp_tls_CAfile, 0, 0,
+++	VAR_SMTP_TLS_CA_PATH, DEF_SMTP_TLS_CA_PATH, &var_smtp_tls_CApath, 0, 0,
+++	VAR_SMTP_TLS_CLIST, DEF_SMTP_TLS_CLIST, &var_smtp_tls_cipherlist, 0, 0,
+++	VAR_SMTP_TLS_SCACHE_DB, DEF_SMTP_TLS_SCACHE_DB, &var_smtp_tls_scache_db, 0, 0,
+++	VAR_TLS_DAEMON_RAND_SOURCE, DEF_TLS_DAEMON_RAND_SOURCE, &var_tls_daemon_rand_source, 0, 0,
+++#endif
++ 	0,
++     };
++     static CONFIG_STR_FN_TABLE function_str_defaults_2[] = {
++@@ -500,6 +550,11 @@
++ 	VAR_TOKEN_LIMIT, DEF_TOKEN_LIMIT, &var_token_limit, 1, 0,
++ 	VAR_MIME_MAXDEPTH, DEF_MIME_MAXDEPTH, &var_mime_maxdepth, 1, 0,
++ 	VAR_MIME_BOUND_LEN, DEF_MIME_BOUND_LEN, &var_mime_bound_len, 1, 0,
+++#ifdef USE_SSL
+++	VAR_SMTPD_TLS_LOGLEVEL, DEF_SMTPD_TLS_LOGLEVEL, &var_smtpd_tls_loglevel, 0, 0,
+++	VAR_SMTP_TLS_LOGLEVEL, DEF_SMTP_TLS_LOGLEVEL, &var_smtp_tls_loglevel, 0, 0,
+++	VAR_TLS_DAEMON_RAND_BYTES, DEF_TLS_DAEMON_RAND_BYTES, &var_tls_daemon_rand_bytes, 0, 0,
+++#endif
++ 	0,
++     };
++     static CONFIG_TIME_TABLE time_defaults[] = {
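Review bot: the three new integer entries register with no bounds (the trailing 0, 0), so tls_daemon_random_bytes = 0 is accepted and silently turns the extra seeding of smtp(8)/smtpd(8) off, and values above 255 are accepted even though the tls_random_bytes text notes that an EGD source delivers at most 255 bytes per request and the same egd: source type is accepted for tls_daemon_random_source. A lower bound of 1 (and a 255 cap when the source is EGD) would turn both into a startup error instead of a silent runtime surprise.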
++@@ -512,6 +567,10 @@
++ 	VAR_FORK_DELAY, DEF_FORK_DELAY, &var_fork_delay, 1, 0,
++ 	VAR_FLOCK_DELAY, DEF_FLOCK_DELAY, &var_flock_delay, 1, 0,
++ 	VAR_FLOCK_STALE, DEF_FLOCK_STALE, &var_flock_stale, 1, 0,
+++#ifdef USE_SSL
+++	VAR_SMTPD_TLS_SCACHTIME, DEF_SMTPD_TLS_SCACHTIME, &var_smtpd_tls_scache_timeout, 0, 0,
+++	VAR_SMTP_TLS_SCACHTIME, DEF_SMTP_TLS_SCACHTIME, &var_smtp_tls_scache_timeout, 0, 0,
+++#endif
++ 	VAR_DAEMON_TIMEOUT, DEF_DAEMON_TIMEOUT, &var_daemon_timeout, 1, 0,
++ 	VAR_IN_FLOW_DELAY, DEF_IN_FLOW_DELAY, &var_in_flow_delay, 0, 10,
++ 	0,
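Review bot: smtpd_tls_session_cache_timeout and smtp_tls_session_cache_timeout are registered without bounds, so both 0 and multi-day lifetimes are accepted; the pfixtls.c description in this patch states that cached sessions contain secret key data and that RFC2246 recommends a lifetime under 24 hours, so an upper bound here (or at least a documented one in the parameter text) would keep everlasting sessions from being configured by accident.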
++diff -ruN postfix-2.1.0-vanilla/src/global/mail_params.h postfix-2.1.0/src/global/mail_params.h
++--- postfix-2.1.0-vanilla/src/global/mail_params.h	Wed Apr 21 20:56:04 2004
+++++ postfix-2.1.0/src/global/mail_params.h	Sat Apr 24 14:35:27 2004
++@@ -519,6 +519,34 @@
++ #define DEF_DUP_FILTER_LIMIT	1000
++ extern int var_dup_filter_limit;
++ 
+++#define VAR_TLS_RAND_EXCH_NAME	"tls_random_exchange_name"
+++#define DEF_TLS_RAND_EXCH_NAME	"${config_directory}/prng_exch"
+++extern char *var_tls_rand_exch_name;
+++
+++#define VAR_TLS_RAND_SOURCE	"tls_random_source"
+++#define DEF_TLS_RAND_SOURCE	""
+++extern char *var_tls_rand_source;
+++
+++#define VAR_TLS_RAND_BYTES	"tls_random_bytes"
+++#define DEF_TLS_RAND_BYTES	32
+++extern int var_tls_rand_bytes;
+++
+++#define VAR_TLS_DAEMON_RAND_SOURCE	"tls_daemon_random_source"
+++#define DEF_TLS_DAEMON_RAND_SOURCE	""
+++extern char *var_tls_daemon_rand_source;
+++
+++#define VAR_TLS_DAEMON_RAND_BYTES	"tls_daemon_random_bytes"
+++#define DEF_TLS_DAEMON_RAND_BYTES	32
+++extern int var_tls_daemon_rand_bytes;
+++
+++#define VAR_TLS_RESEED_PERIOD	"tls_random_reseed_period"
+++#define DEF_TLS_RESEED_PERIOD	"3600s"
+++extern int var_tls_reseed_period;
+++
+++#define VAR_TLS_PRNG_UPD_PERIOD	"tls_random_prng_update_period"
+++#define DEF_TLS_PRNG_UPD_PERIOD "60s"
+++extern int var_tls_prng_upd_period;
+++
++  /*
++   * Queue manager: relocated databases.
++   */
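Review bot: DEF_TLS_RAND_EXCH_NAME places the PRNG exchange file under ${config_directory}, which the parameter documentation in this same patch says is the wrong place: the file is rewritten by tlsmgr(8) and created by it when missing, so it "should probably be kept in the /var file system" and "should not be inside the chroot jail". The configuration directory is normally root-owned and not writable by the mail owner, so if tlsmgr(8) runs unprivileged (the usual master.cf setting) it cannot create the file there at all; a default under the queue or a /var/lib path would match the advice, and the Debian packaging is the right place to set it. Separately, DEF_TLS_RAND_SOURCE is the empty string; the tls_random_source text should say what tlsmgr(8) does when no source is configured.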
++@@ -768,6 +796,10 @@
++ #define DEF_SMTP_XFWD_TMOUT	"300s"
++ extern int var_smtp_xfwd_tmout;
++ 
+++#define VAR_SMTP_STARTTLS_TMOUT	"smtp_starttls_timeout"
+++#define DEF_SMTP_STARTTLS_TMOUT	"300s"
+++extern int var_smtp_starttls_tmout;
+++
++ #define VAR_SMTP_MAIL_TMOUT	"smtp_mail_timeout"
++ #define DEF_SMTP_MAIL_TMOUT	"300s"
++ extern int var_smtp_mail_tmout;
++@@ -869,6 +901,10 @@
++ #define DEF_SMTPD_TMOUT		"300s"
++ extern int var_smtpd_tmout;
++ 
+++#define VAR_SMTPD_STARTTLS_TMOUT "smtpd_starttls_timeout"
+++#define DEF_SMTPD_STARTTLS_TMOUT "300s"
+++extern int var_smtpd_starttls_tmout;
+++
++ #define VAR_SMTPD_RCPT_LIMIT	"smtpd_recipient_limit"
++ #define DEF_SMTPD_RCPT_LIMIT	1000
++ extern int var_smtpd_rcpt_limit;
++@@ -901,6 +937,150 @@
++ #define DEF_SMTPD_NOOP_CMDS	""
++ extern char *var_smtpd_noop_cmds;
++ 
+++#define VAR_SMTPD_TLS_WRAPPER	"smtpd_tls_wrappermode"
+++#define DEF_SMTPD_TLS_WRAPPER	0
+++extern bool var_smtpd_tls_wrappermode;
+++
+++#define VAR_SMTPD_USE_TLS	"smtpd_use_tls"
+++#define DEF_SMTPD_USE_TLS	0
+++extern bool var_smtpd_use_tls;
+++
+++#define VAR_SMTPD_ENFORCE_TLS	"smtpd_enforce_tls"
+++#define DEF_SMTPD_ENFORCE_TLS	0
+++extern bool var_smtpd_enforce_tls;
+++
+++#define VAR_SMTPD_TLS_AUTH_ONLY	"smtpd_tls_auth_only"
+++#define DEF_SMTPD_TLS_AUTH_ONLY 0
+++extern bool var_smtpd_tls_auth_only;
+++
+++#define VAR_SMTPD_TLS_ACERT	"smtpd_tls_ask_ccert"
+++#define DEF_SMTPD_TLS_ACERT	0
+++extern bool var_smtpd_tls_ask_ccert;
+++
+++#define VAR_SMTPD_TLS_RCERT	"smtpd_tls_req_ccert"
+++#define DEF_SMTPD_TLS_RCERT	0
+++extern bool var_smtpd_tls_req_ccert;
+++
+++#define VAR_SMTPD_TLS_CCERT_VD	"smtpd_tls_ccert_verifydepth"
+++#define DEF_SMTPD_TLS_CCERT_VD	5
+++extern int var_smtpd_tls_ccert_vd;
+++
+++#define VAR_SMTPD_TLS_CERT_FILE	"smtpd_tls_cert_file"
+++#define DEF_SMTPD_TLS_CERT_FILE	""
+++extern char *var_smtpd_tls_cert_file;
+++
+++#define VAR_SMTPD_TLS_KEY_FILE	"smtpd_tls_key_file"
+++#define DEF_SMTPD_TLS_KEY_FILE	"$smtpd_tls_cert_file"
+++extern char *var_smtpd_tls_key_file;
+++
+++#define VAR_SMTPD_TLS_DCERT_FILE "smtpd_tls_dcert_file"
+++#define DEF_SMTPD_TLS_DCERT_FILE ""
+++extern char *var_smtpd_tls_dcert_file;
+++
+++#define VAR_SMTPD_TLS_DKEY_FILE	"smtpd_tls_dkey_file"
+++#define DEF_SMTPD_TLS_DKEY_FILE	"$smtpd_tls_dcert_file"
+++extern char *var_smtpd_tls_dkey_file;
+++
+++#define VAR_SMTPD_TLS_CA_FILE	"smtpd_tls_CAfile"
+++#define DEF_SMTPD_TLS_CA_FILE	""
+++extern char *var_smtpd_tls_CAfile;
+++
+++#define VAR_SMTPD_TLS_CA_PATH	"smtpd_tls_CApath"
+++#define DEF_SMTPD_TLS_CA_PATH	""
+++extern char *var_smtpd_tls_CApath;
+++
+++#define VAR_SMTPD_TLS_CLIST	"smtpd_tls_cipherlist"
+++#define DEF_SMTPD_TLS_CLIST	""
+++extern char *var_smtpd_tls_cipherlist;
+++
+++#define VAR_SMTPD_TLS_512_FILE	"smtpd_tls_dh512_param_file"
+++#define DEF_SMTPD_TLS_512_FILE	""
+++extern char *var_smtpd_tls_dh512_param_file;
+++
+++#define VAR_SMTPD_TLS_1024_FILE	"smtpd_tls_dh1024_param_file"
+++#define DEF_SMTPD_TLS_1024_FILE	""
+++extern char *var_smtpd_tls_dh1024_param_file;
+++
+++#define VAR_SMTPD_TLS_LOGLEVEL	"smtpd_tls_loglevel"
+++#define DEF_SMTPD_TLS_LOGLEVEL	0
+++extern int var_smtpd_tls_loglevel;
+++
+++#define VAR_SMTPD_TLS_RECHEAD	"smtpd_tls_received_header"
+++#define DEF_SMTPD_TLS_RECHEAD	0
+++extern bool var_smtpd_tls_received_header;
+++
+++#define VAR_SMTPD_TLS_SCACHE_DB	"smtpd_tls_session_cache_database"
+++#define DEF_SMTPD_TLS_SCACHE_DB	""
+++extern char *var_smtpd_tls_scache_db;
+++
+++#define VAR_SMTPD_TLS_SCACHTIME	"smtpd_tls_session_cache_timeout"
+++#define DEF_SMTPD_TLS_SCACHTIME	"3600s"
+++extern int var_smtpd_tls_scache_timeout;
+++
+++#define VAR_SMTP_TLS_PER_SITE	"smtp_tls_per_site"
+++#define DEF_SMTP_TLS_PER_SITE	""
+++extern char *var_smtp_tls_per_site;
+++
+++#define VAR_SMTP_USE_TLS	"smtp_use_tls"
+++#define DEF_SMTP_USE_TLS	0
+++extern bool var_smtp_use_tls;
+++
+++#define VAR_SMTP_ENFORCE_TLS	"smtp_enforce_tls"
+++#define DEF_SMTP_ENFORCE_TLS	0
+++extern bool var_smtp_enforce_tls;
+++
+++#define VAR_SMTP_TLS_ENFORCE_PN	"smtp_tls_enforce_peername"
+++#define DEF_SMTP_TLS_ENFORCE_PN	1
+++extern bool var_smtp_tls_enforce_peername;
+++
+++#define VAR_SMTP_TLS_SCERT_VD	"smtp_tls_scert_verifydepth"
+++#define DEF_SMTP_TLS_SCERT_VD	5
+++extern int var_smtp_tls_scert_vd;
+++
+++#define VAR_SMTP_TLS_CERT_FILE	"smtp_tls_cert_file"
+++#define DEF_SMTP_TLS_CERT_FILE	""
+++extern char *var_smtp_tls_cert_file;
+++
+++#define VAR_SMTP_TLS_KEY_FILE	"smtp_tls_key_file"
+++#define DEF_SMTP_TLS_KEY_FILE	"$smtp_tls_cert_file"
+++extern char *var_smtp_tls_key_file;
+++
+++#define VAR_SMTP_TLS_DCERT_FILE "smtp_tls_dcert_file"
+++#define DEF_SMTP_TLS_DCERT_FILE ""
+++extern char *var_smtp_tls_dcert_file;
+++
+++#define VAR_SMTP_TLS_DKEY_FILE	"smtp_tls_dkey_file"
+++#define DEF_SMTP_TLS_DKEY_FILE	"$smtp_tls_dcert_file"
+++extern char *var_smtp_tls_dkey_file;
+++
+++#define VAR_SMTP_TLS_CA_FILE	"smtp_tls_CAfile"
+++#define DEF_SMTP_TLS_CA_FILE	""
+++extern char *var_smtp_tls_CAfile;
+++
+++#define VAR_SMTP_TLS_CA_PATH	"smtp_tls_CApath"
+++#define DEF_SMTP_TLS_CA_PATH	""
+++extern char *var_smtp_tls_CApath;
+++
+++#define VAR_SMTP_TLS_CLIST	"smtp_tls_cipherlist"
+++#define DEF_SMTP_TLS_CLIST	""
+++extern char *var_smtp_tls_cipherlist;
+++
+++#define VAR_SMTP_TLS_LOGLEVEL	"smtp_tls_loglevel"
+++#define DEF_SMTP_TLS_LOGLEVEL	0
+++extern int var_smtp_tls_loglevel;
+++
+++#define VAR_SMTP_TLS_NOTEOFFER	"smtp_tls_note_starttls_offer"
+++#define DEF_SMTP_TLS_NOTEOFFER	0
+++extern bool var_smtp_tls_note_starttls_offer;
+++
+++#define VAR_SMTP_TLS_SCACHE_DB	"smtp_tls_session_cache_database"
+++#define DEF_SMTP_TLS_SCACHE_DB	""
+++extern char *var_smtp_tls_scache_db;
+++
+++#define VAR_SMTP_TLS_SCACHTIME	"smtp_tls_session_cache_timeout"
+++#define DEF_SMTP_TLS_SCACHTIME	"3600s"
+++extern int var_smtp_tls_scache_timeout;
+++
++  /*
++   * SASL authentication support, SMTP server side.
++   */
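Review bot: smtpd_tls_dh512_param_file (and the built-in dh512_p fallback in pfixtls.c) exists only to serve export-grade ciphersuites, and a 512-bit group gives nowhere near the strength a cipher name suggests; the parameter description should say so and recommend excluding EXPORT ciphers in smtpd_tls_cipherlist rather than tuning the 512-bit group. On the client side, DEF_SMTP_TLS_ENFORCE_PN is 1, which is the right default, but it only has effect together with smtp_enforce_tls (default 0 here); the smtp_tls_enforce_peername text should state plainly that opportunistic TLS does not check the peer name, so that nobody reads the default as "server identity is verified".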
++@@ -916,6 +1096,10 @@
++ #define DEF_SMTPD_SASL_APPNAME	"smtpd"
++ extern char *var_smtpd_sasl_appname;
++ 
+++#define VAR_SMTPD_SASL_TLS_OPTS	"smtpd_sasl_tls_security_options"
+++#define DEF_SMTPD_SASL_TLS_OPTS	"$smtpd_sasl_security_options"
+++extern char *var_smtpd_sasl_opts;
+++
++ #define VAR_SMTPD_SASL_REALM	"smtpd_sasl_local_domain"
++ #define DEF_SMTPD_SASL_REALM	""
++ extern char *var_smtpd_sasl_realm;
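Review bot: the extern for the new smtpd_sasl_tls_security_options parameter reuses the name var_smtpd_sasl_opts, which is already the variable behind the existing smtpd_sasl_security_options, so this declaration is a duplicate and smtpd cannot hold the TLS-specific value separately from the plaintext one. It needs its own variable, e.g. "extern char *var_smtpd_sasl_tls_opts;", in line with the var_smtp_sasl_tls_opts naming used for the client side below.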
++@@ -945,6 +1129,14 @@
++ #define DEF_SMTP_SASL_OPTS	"noplaintext, noanonymous"
++ extern char *var_smtp_sasl_opts;
++ 
+++#define VAR_SMTP_SASL_TLS_OPTS	"smtp_sasl_tls_security_options"
+++#define DEF_SMTP_SASL_TLS_OPTS	"$var_smtp_sasl_opts"
+++extern char *var_smtp_sasl_tls_opts;
+++
+++#define VAR_SMTP_SASL_TLSV_OPTS	"smtp_sasl_tls_verified_security_options"
+++#define DEF_SMTP_SASL_TLSV_OPTS	"$var_smtp_sasl_tls_opts"
+++extern char *var_smtp_sasl_tls_verified_opts;
+++
++  /*
++   * LMTP server. The soft error limit determines how many errors an LMTP
++   * client may make before we start to slow down; the hard error limit
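Review bot: both defaults in this hunk expand a C identifier rather than a main.cf parameter name: DEF_SMTP_SASL_TLS_OPTS is "$var_smtp_sasl_opts" and DEF_SMTP_SASL_TLSV_OPTS is "$var_smtp_sasl_tls_opts". main.cf $name expansion looks up parameter names, so neither resolves to the "noplaintext, noanonymous" value of smtp_sasl_security_options shown just above; the intended inheritance does not happen and the SASL client is left with an empty option list, i.e. no mechanism restrictions, as soon as TLS is up. They should be "$smtp_sasl_security_options" and "$smtp_sasl_tls_security_options", the form already used for "$smtp_tls_cert_file" elsewhere in this file.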
++@@ -1234,6 +1426,10 @@
++ #define DEF_RELAY_RCPT_CODE	550
++ extern int var_relay_rcpt_code;
++ 
+++#define VAR_RELAY_CCERTS	"relay_clientcerts"
+++#define DEF_RELAY_CCERTS	""
+++extern char *var_relay_ccerts;
+++
++ #define VAR_CLIENT_CHECKS	"smtpd_client_restrictions"
++ #define DEF_CLIENT_CHECKS	""
++ extern char *var_client_checks;
++@@ -1352,6 +1548,8 @@
++ #define PERMIT_AUTH_DEST	"permit_auth_destination"
++ #define REJECT_UNAUTH_DEST	"reject_unauth_destination"
++ #define CHECK_RELAY_DOMAINS	"check_relay_domains"
+++#define PERMIT_TLS_CLIENTCERTS	"permit_tls_clientcerts"
+++#define PERMIT_TLS_ALL_CLIENTCERTS	"permit_tls_all_clientcerts"
++ #define VAR_RELAY_CODE		"relay_domains_reject_code"
++ #define DEF_RELAY_CODE		554
++ extern int var_relay_code;
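Review bot: permit_tls_all_clientcerts needs a security warning wherever it gets documented: as the name says, it grants the restriction to any client whose certificate verifies, so the CA set in smtpd_tls_CAfile/smtpd_tls_CApath becomes the relay policy, and pointing those at a public CA bundle turns the server into an open relay for anyone holding a commercial certificate. The documentation should steer people to permit_tls_clientcerts with an explicit relay_clientcerts list (added in the previous hunk) and reserve permit_tls_all_clientcerts for a private CA.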
++diff -ruN postfix-2.1.0-vanilla/src/global/mail_proto.h postfix-2.1.0/src/global/mail_proto.h
++--- postfix-2.1.0-vanilla/src/global/mail_proto.h	Sun Feb  1 19:51:03 2004
+++++ postfix-2.1.0/src/global/mail_proto.h	Sat Apr 24 14:35:27 2004
++@@ -42,6 +42,7 @@
++ #define MAIL_SERVICE_LOCAL	"local"
++ #define MAIL_SERVICE_PICKUP	"pickup"
++ #define MAIL_SERVICE_QUEUE	"qmgr"
+++#define MAIL_SERVICE_TLSMGR	"tlsmgr"
++ #define MAIL_SERVICE_RESOLVE	"resolve"
++ #define MAIL_SERVICE_REWRITE	"rewrite"
++ #define MAIL_SERVICE_VIRTUAL	"virtual"
++diff -ruN postfix-2.1.0-vanilla/src/global/pfixtls.c postfix-2.1.0/src/global/pfixtls.c
++--- postfix-2.1.0-vanilla/src/global/pfixtls.c	Thu Jan  1 01:00:00 1970
+++++ postfix-2.1.0/src/global/pfixtls.c	Sat Apr 24 14:35:27 2004
++@@ -0,0 +1,2822 @@
+++/*++
+++/* NAME
+++/*	pfixtls
+++/* SUMMARY
+++/*	interface to openssl routines
+++/* SYNOPSIS
+++/*	#include <pfixtls.h>
+++/*
+++/*	const long scache_db_version;
+++/*	const long openssl_version;
+++/*
+++/*	int pfixtls_serverengine;
+++/*
+++/*	int pfixtls_clientengine;
+++/*
+++/*	int pfixtls_timed_read(fd, buf, len, timeout, unused_context)
+++/*	int fd;
+++/*	void *buf;
+++/*	unsigned len;
+++/*	int timeout;
+++/*	void *context;
+++/*
+++/*	int pfixtls_timed_write(fd, buf, len, timeout, unused_context);
+++/*	int fd;
+++/*	void *buf;
+++/*	unsigned len;
+++/*	int timeout;
+++/*	void *context;
+++/*
+++/*	int pfixtls_init_serverengine(verifydepth, askcert);
+++/*	int verifydepth;
+++/*	int askcert;
+++/*
+++/*	int pfixtls_start_servertls(stream, timeout, peername, peeraddr,
+++/*				    tls_info, requirecert);
+++/*	VSTREAM *stream;
+++/*	int timeout;
+++/*	const char *peername;
+++/*	const char *peeraddr;
+++/*	tls_info_t *tls_info;
+++/*	int requirecert;
+++/*
+++/*	int pfixtls_stop_servertls(stream, failure, tls_info);
+++/*	VSTREAM *stream;
+++/*	int failure;
+++/*	tls_info_t *tls_info;
+++/*	
+++/*	int pfixtls_init_clientengine(verifydepth);
+++/*	int verifydepth;
+++/*
+++/*	int pfixtls_start_clienttls(stream, timeout, peername, peeraddr,
+++/*				    tls_info);
+++/*	VSTREAM *stream;
+++/*	int timeout;
+++/*	const char *peername;
+++/*	const char *peeraddr;
+++/*	tls_info_t *tls_info;
+++/*
+++/*	int pfixtls_stop_clienttls(stream, failure, tls_info);
+++/*	VSTREAM *stream;
+++/*	int failure;
+++/*	tls_info_t *tls_info;
+++/*
+++/* DESCRIPTION
+++/*	This module is the interface between Postfix and the OpenSSL library.
+++/*
+++/*	pfixtls_timed_read() reads the requested number of bytes calling
+++/*	SSL_read(). pfixtls_time_read() will only be called indirect
+++/*	as a VSTREAM_FN function.
+++/*	pfixtls_timed_write() is the corresponding write function.
+++/*
+++/*	pfixtls_init_serverengine() is called once when smtpd is started
+++/*	in order to initialize as much of the TLS stuff as possible.
+++/*	The certificate handling is also decided during the setup phase,
+++/*	so that a peer specific handling is not possible.
+++/*
+++/*	pfixtls_init_clientengine() is the corresponding function called
+++/*	in smtp. Here we take the peer's (server's) certificate in any
+++/*	case.
+++/*
+++/*	pfixtls_start_servertls() activates the TLS feature for the VSTREAM
+++/*	passed as argument. We expect that all buffers are flushed and the
+++/*	TLS handshake can begin	immediately. Information about the peer
+++/*	is stored into the tls_info structure passed as argument.
+++/*
+++/*	pfixtls_stop_servertls() sends the "close notify" alert via
+++/*	SSL_shutdown() to the peer and resets all connection specific
+++/*	TLS data. As RFC2487 does not specify a seperate shutdown, it
+++/*	is supposed that the underlying TCP connection is shut down
+++/*	immediately afterwards, so we don't care about additional data
+++/*	coming through the channel.
+++/*	If the failure flag is set, the session is cleared from the cache.
+++/*
+++/*	pfixtls_start_clienttls() and pfixtls_stop_clienttls() are the
+++/*	corresponding functions for smtp.
+++/*
+++/*	Once the TLS connection is initiated, information about the TLS
+++/*	state is available via the tls_info structure:
+++/*	protocol holds the protocol name (SSLv2, SSLv3, TLSv1),
+++/*	tls_info->cipher_name the cipher name (e.g. RC4/MD5),
+++/*	tls_info->cipher_usebits the number of bits actually used (e.g. 40),
+++/*	tls_info->cipher_algbits the number of bits the algorithm is based on
+++/*	(e.g. 128).
+++/*	The last two values may be different when talking to a crippled
+++/*	- ahem - export controled peer (e.g. 40/128).
+++/*
+++/*	The status of the peer certificate verification is available in
+++/*	pfixtls_peer_verified. It is set to 1, when the certificate could
+++/*	be verified.
+++/*	If the peer offered a certifcate, part of the certificate data are
+++/*	available as:
+++/*	tls_info->peer_subject X509v3-oneline with the DN of the peer
+++/*	tls_info->peer_CN extracted CommonName of the peer
+++/*	tls_info->peer_issuer  X509v3-oneline with the DN of the issuer
+++/*	tls_info->peer_CN extracted CommonName of the issuer
+++/*	tls_info->PEER_FINGERPRINT fingerprint of the certificate
+++/*
+++/* DESCRIPTION (SESSION CACHING)
+++/*	In order to achieve high performance when using a lot of connections
+++/*	with TLS, session caching is implemented. It reduces both the CPU load
+++/*	(less cryptograpic operations) and the network load (the amount of
+++/*	certificate data exchanged is reduced).
+++/*	Since postfix uses a setup of independent processes for receiving
+++/*	and sending email, the processes must exchange the session information.
+++/*	Several connections at the same time between the identical peers can
+++/*	occur, so uniqueness and race conditions have to be taken into
+++/*	account.
+++/*	I have checked both Apache-SSL (Ben Laurie), using a seperate "gcache"
+++/*	process and Apache mod_ssl (Ralf S. Engelshall), using shared memory
+++/*	between several identical processes spawned from one parent.
+++/*
+++/*	Postfix/TLS uses a database approach based on the internal "dict"
+++/*	interface. Since the session cache information is approximately
+++/*	1300 bytes binary data, it will not fit into the dbm/ndbm model.
+++/*	It also needs write access to the database, ruling out most other
+++/*	interface, leaving Berkeley DB, which however cannot handle concurrent
+++/*	access by several processes. Hence a modified SDBM (public domain DBM)
+++/*	with enhanced buffer size is used and concurrent write capability
+++/*	is used. SDBM is part of Postfix/TLS.
+++/*
+++/*	Realization:
+++/*	Both (client and server) session cache are realized by individual
+++/*	cache databases. A common database would not make sense, since the
+++/*	key criteria are different (session ID for server, peername for
+++/*	client).
+++/*
+++/*	Server side:
+++/*	Session created by OpenSSL have a 32 byte session id, yielding a
+++/*	64 char file name. I consider these sessions to be unique. If they
+++/*	are not, the last session will win, overwriting the older one in
+++/*	the database. Remember: everything that is lost is a temporary
+++/*	information and not more than a renegotiation will happen.
+++/*	Originating from the same client host, several sessions can come
+++/*	in (e.g. from several users sending mail with Netscape at the same
+++/*	time), so the session id is the correct identifier; the hostname
+++/*	is of no importance, here.
+++/*
+++/*	Client side:
+++/*	We cannot recall sessions based on their session id, because we would
+++/*	have to check every session on disk for a matching server name, so
+++/*	the lookup has to be done based on the FQDN of the peer (receiving
+++/*	host).
+++/*	With regard to uniqueness, we might experience several open connections
+++/*	to the same server at the same time. This is even very likely to
+++/*	happen, since we might have several mails for the same destination
+++/*	in the queue, when a queue run is started. So several smtp's might
+++/*	negotiate sessions at the same time. We can however only save one
+++/*	session for one host.
+++/*	Like on the server side, the "last write" wins. The reason is
+++/*	quite simple. If we don't want to overwrite old sessions, an old
+++/*	session file will just stay in place until it is expired. In the
+++/*	meantime we would lose "fresh" session however. So we will keep the
+++/*	fresh one instead to avoid unnecessary renegotiations.
+++/*
+++/*	Session lifetime:
+++/*	RFC2246 recommends a session lifetime of less than 24 hours. The
+++/*	default is 300 seconds (5 minutes) for OpenSSL and is also used
+++/*	this way in e.g. mod_ssl. The typical usage for emails might be
+++/*	humans typing in emails and sending them, which might take just
+++/*	a while, so I think 3600 seconds (1 hour) is a good compromise.
+++/*	If the environment is save (the cached session contains secret
+++/*	key data), one might even consider using a longer timeout. Anyway,
+++/*	since everlasting sessions must be avoided, the session timeout
+++/*	is done based on the creation date of the session and so each
+++/*	session will timeout eventually.
+++/*
+++/*	Connection failures:
+++/*	RFC2246 requires us to remove sessions if something went wrong.
+++/*	Since the in-memory session cache of other smtp[d] processes cannot
+++/*	be controlled by simple means, we completely rely on the disc
+++/*	based session caching and remove all sessions from memory after
+++/*	connection closure.
+++/*
+++/*	Cache cleanup:
+++/*	Since old entries have to be removed from the session cache, a
+++/*	cleanup process is needed that runs through the collected session
+++/*	files on regular basis. The task is performed by tlsmgr based on
+++/*	the timestamp created by pfixtls and included in the saved session,
+++/*	so that tlsmgr has not to care about the SSL_SESSION internal data.
+++/*
+++/* BUGS
+++/*	The memory allocation policy of the OpenSSL library is not well
+++/*	documented, especially when loading sessions from disc. Hence there
+++/*	might be memory leaks.
+++/*
+++/* LICENSE
+++/* AUTHOR(S)
+++/*	Lutz Jaenicke
+++/*	BTU Cottbus
+++/*	Allgemeine Elektrotechnik
+++/*	Universitaetsplatz 3-4
+++/*	D-03044 Cottbus, Germany
+++/*--*/
+++
+++/* System library. */
+++
+++#include <sys_defs.h>
+++#include <sys/types.h>
+++#include <sys/stat.h>
+++#include <sys/time.h>			/* gettimeofday, not in POSIX */
+++#include <unistd.h>
+++#include <stdio.h>
+++#include <string.h>
+++#include <errno.h>
+++#include <ctype.h>
+++
+++/* Utility library. */
+++
+++#include <iostuff.h>
+++#include <mymalloc.h>
+++#include <vstring.h>
+++#include <vstream.h>
+++#include <dict.h>
+++#include <myflock.h>
+++#include <stringops.h>
+++#include <msg.h>
+++#include <connect.h>
+++
+++/* Application-specific. */
+++
+++#include "mail_params.h"
+++#include "pfixtls.h"
+++
+++#define STR	vstring_str
+++
+++const tls_info_t tls_info_zero = {
+++    0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, 0
+++};
+++
+++#ifdef USE_SSL
+++
+++/* OpenSSL library. */
+++
+++#include <openssl/lhash.h>
+++#include <openssl/bn.h>
+++#include <openssl/err.h>
+++#include <openssl/pem.h>
+++#include <openssl/x509.h>
+++#include <openssl/x509v3.h>
+++#include <openssl/rand.h>
+++#include <openssl/ssl.h>
+++
+++/* We must keep some of the info available */
+++static const char hexcodes[] = "0123456789ABCDEF";
+++
+++/*
+++ * When saving sessions, we want to make sure, that the lenght of the key
+++ * is somehow limited. When saving client sessions, the hostname is used
+++ * as key. According to HP-UX 10.20, MAXHOSTNAMELEN=64. Maybe new standards
+++ * will increase this value, but as this will break compatiblity with existing
+++ * implementations, we won't see this for long. We therefore choose a limit
+++ * of 64 bytes.
+++ * The length of the (TLS) session id can be up to 32 bytes according to
+++ * RFC2246, so it fits well into the 64bytes limit.
+++ */
+++#define ID_MAXLENGTH	64		/* Max ID length in bytes */
+++
+++/*
+++ * The session_id_context is set, such that the client knows which services
+++ * on a host share the same session information (on the postfix host may
+++ * as well run a TLS-enabled webserver.
+++ */
+++static char server_session_id_context[] = "Postfix/TLS"; /* anything will do */
+++static int TLScontext_index = -1;
+++static int TLSpeername_index = -1;
+++static int do_dump = 0;
+++static DH *dh_512 = NULL, *dh_1024 = NULL;
+++static SSL_CTX *ctx = NULL;
+++
+++static int rand_exch_fd = -1;
+++
+++static DICT *scache_db = NULL;
+++const long scache_db_version = 0x00000003L;
+++const long openssl_version = OPENSSL_VERSION_NUMBER;
+++
+++
+++int     pfixtls_serverengine = 0;
+++static int pfixtls_serveractive = 0;	/* available or not */
+++
+++int     pfixtls_clientengine = 0;
+++static int pfixtls_clientactive = 0;	/* available or not */
+++
+++/*
+++ * Define a maxlength for certificate onelines. The length is checked by
+++ * all routines when copying.
+++ */
+++#define CCERT_BUFSIZ 256
+++
+++typedef struct {
+++  SSL *con;
+++  BIO *internal_bio;			/* postfix/TLS side of pair */
+++  BIO *network_bio;			/* netsork side of pair */
+++  char peer_subject[CCERT_BUFSIZ];
+++  char peer_issuer[CCERT_BUFSIZ];
+++  char peer_CN[CCERT_BUFSIZ];
+++  char issuer_CN[CCERT_BUFSIZ];
+++  unsigned char md[EVP_MAX_MD_SIZE];
+++  char fingerprint[EVP_MAX_MD_SIZE * 3];
+++  char peername_save[129];
+++  int enforce_verify_errors;
+++  int enforce_CN;
+++  int hostname_matched;
+++} TLScontext_t;
+++
+++typedef struct {
+++    int pid;
+++    struct timeval tv;
+++} randseed_t;
+++
+++static randseed_t randseed;
+++
+++/*
+++ * Finally some "backup" DH-Parameters to be loaded, if no parameters are
+++ * explicitely loaded from file.
+++ */
+++static unsigned char dh512_p[] = {
+++    0x88, 0x3F, 0x00, 0xAF, 0xFC, 0x0C, 0x8A, 0xB8, 0x35, 0xCD, 0xE5, 0xC2,
+++    0x0F, 0x55, 0xDF, 0x06, 0x3F, 0x16, 0x07, 0xBF, 0xCE, 0x13, 0x35, 0xE4,
+++    0x1C, 0x1E, 0x03, 0xF3, 0xAB, 0x17, 0xF6, 0x63, 0x50, 0x63, 0x67, 0x3E,
+++    0x10, 0xD7, 0x3E, 0xB4, 0xEB, 0x46, 0x8C, 0x40, 0x50, 0xE6, 0x91, 0xA5,
+++    0x6E, 0x01, 0x45, 0xDE, 0xC9, 0xB1, 0x1F, 0x64, 0x54, 0xFA, 0xD9, 0xAB,
+++    0x4F, 0x70, 0xBA, 0x5B,
+++};
+++
+++static unsigned char dh512_g[] = {
+++    0x02,
+++};
+++
+++static unsigned char dh1024_p[] = {
+++    0xB0, 0xFE, 0xB4, 0xCF, 0xD4, 0x55, 0x07, 0xE7, 0xCC, 0x88, 0x59, 0x0D,
+++    0x17, 0x26, 0xC5, 0x0C, 0xA5, 0x4A, 0x92, 0x23, 0x81, 0x78, 0xDA, 0x88,
+++    0xAA, 0x4C, 0x13, 0x06, 0xBF, 0x5D, 0x2F, 0x9E, 0xBC, 0x96, 0xB8, 0x51,
+++    0x00, 0x9D, 0x0C, 0x0D, 0x75, 0xAD, 0xFD, 0x3B, 0xB1, 0x7E, 0x71, 0x4F,
+++    0x3F, 0x91, 0x54, 0x14, 0x44, 0xB8, 0x30, 0x25, 0x1C, 0xEB, 0xDF, 0x72,
+++    0x9C, 0x4C, 0xF1, 0x89, 0x0D, 0x68, 0x3F, 0x94, 0x8E, 0xA4, 0xFB, 0x76,
+++    0x89, 0x18, 0xB2, 0x91, 0x16, 0x90, 0x01, 0x99, 0x66, 0x8C, 0x53, 0x81,
+++    0x4E, 0x27, 0x3D, 0x99, 0xE7, 0x5A, 0x7A, 0xAF, 0xD5, 0xEC, 0xE2, 0x7E,
+++    0xFA, 0xED, 0x01, 0x18, 0xC2, 0x78, 0x25, 0x59, 0x06, 0x5C, 0x39, 0xF6,
+++    0xCD, 0x49, 0x54, 0xAF, 0xC1, 0xB1, 0xEA, 0x4A, 0xF9, 0x53, 0xD0, 0xDF,
+++    0x6D, 0xAF, 0xD4, 0x93, 0xE7, 0xBA, 0xAE, 0x9B,
+++};
+++
+++static unsigned char dh1024_g[] = {
+++    0x02,
+++};
+++
+++/*
+++ * DESCRIPTION: Keeping control of the network interface using BIO-pairs.
+++ *
+++ * When the TLS layer is active, all input/output must be filtered through
+++ * it. On the other hand to handle timeout conditions, full control over
+++ * the network socket must be kept. This rules out the "normal way" of
+++ * connecting the TLS layer directly to the socket.
+++ * The TLS layer is realized with a BIO-pair:
+++ *
+++ *     postfix  |   TLS-engine
+++ *       |      |
+++ *       +--------> SSL_operations()
+++ *              |     /\    ||
+++ *              |     ||    \/
+++ *              |   BIO-pair (internal_bio)
+++ *       +--------< BIO-pair (network_bio)
+++ *       |      |
+++ *     socket   |
+++ *
+++ * The normal postfix operations connect to the SSL operations to send
+++ * and retrieve (cleartext) data. Inside the TLS-engine the data are converted
+++ * to/from TLS protocol. The TLS functionality itself is only connected to
+++ * the internal_bio and hence only has status information about this internal
+++ * interface.
+++ * Thus, if the SSL_operations() return successfully (SSL_ERROR_NONE) or want
+++ * to read (SSL_ERROR_WANT_READ) there may as well be data inside the buffering
+++ * BIO-pair. So whenever an SSL_operation() returns without a fatal error,
+++ * the BIO-pair internal buffer must be flushed to the network.
+++ * NOTE: This is especially true in the SSL_ERROR_WANT_READ case: the TLS-layer
+++ * might want to read handshake data, that will never come since its own
+++ * written data will only reach the peer after flushing the buffer!
+++ *
+++ * The BIO-pair buffer size has been set to 8192 bytes, this is an arbitrary
+++ * value that can hold more data than the typical PMTU, so that it does
+++ * not force the generation of packets smaller than necessary.
+++ * It is also larger than the default VSTREAM_BUFSIZE (4096, see vstream.h),
+++ * so that large write operations could be handled within one call.
+++ * The internal buffer in the network/network_bio handling layer has been
+++ * set to the same value, since this seems to be reasonable. The code is
+++ * however able to handle arbitrary values smaller or larger than the
+++ * buffer size in the BIO-pair.
+++ */
+++
+++const size_t BIO_bufsiz = 8192;
+++
+++/*
+++ * The interface layer between network and BIO-pair. The BIO-pair buffers
+++ * the data to/from the TLS layer. Hence, at any time, there may be data
+++ * in the buffer that must be written to the network. This writing has
+++ * highest priority because the handshake might fail otherwise.
+++ * Only then a read_request can be satisfied.
+++ */
+++static int network_biopair_interop(int fd, int timeout, BIO *network_bio)
+++{
+++    int want_write;
+++    int num_write;
+++    int write_pos;
+++    int from_bio;
+++    int want_read;
+++    int num_read;
+++    int to_bio;
+++#define NETLAYER_BUFFERSIZE 8192
+++    char buffer[8192];
+++
+++    while ((want_write = BIO_ctrl_pending(network_bio)) > 0) {
+++	if (want_write > NETLAYER_BUFFERSIZE)
+++	    want_write = NETLAYER_BUFFERSIZE;
+++	from_bio = BIO_read(network_bio, buffer, want_write);
+++
+++	/*
+++	 * Write the complete contents of the buffer. Since TLS performs
+++	 * underlying handshaking, we cannot afford to leave the buffer
+++	 * unflushed, as we could run into a deadlock trap (the peer
+++	 * waiting for a final byte and we already waiting for his reply
+++	 * in read position).
+++	 */
+++        write_pos = 0;
+++	do {
+++	    if (timeout > 0 && write_wait(fd, timeout) < 0)
+++		return (-1);
+++	    num_write = write(fd, buffer + write_pos, from_bio - write_pos);
+++	    if (num_write <= 0) {
+++		if ((num_write < 0) && (timeout > 0) && (errno == EAGAIN)) {
+++		    msg_warn("write() returns EAGAIN on a writable file descriptor!");
+++		    msg_warn("pausing to avoid going into a tight select/write loop!");
+++		    sleep(1);
+++		} else {
+++		    msg_warn("Write failed in network_biopair_interop with errno=%d: num_write=%d, provided=%d", errno, num_write, from_bio - write_pos);
+++		    return (-1);	/* something happened to the socket */
+++		}
+++	    } else
+++	    	write_pos += num_write;
+++	} while (write_pos < from_bio);
+++   }
+++
+++   while ((want_read = BIO_ctrl_get_read_request(network_bio)) > 0) {
+++	if (want_read > NETLAYER_BUFFERSIZE)
+++	    want_read = NETLAYER_BUFFERSIZE;
+++	if (timeout > 0 && read_wait(fd, timeout) < 0)
+++	    return (-1);
+++	num_read = read(fd, buffer, want_read);
+++	if (num_read <= 0) {
+++	    if ((num_write < 0) && (timeout > 0) && (errno == EAGAIN)) {
+++		msg_warn("read() returns EAGAIN on a readable file descriptor!");
+++		msg_warn("pausing to avoid going into a tight select/write loop!");
+++		sleep(1);
+++	    } else {
+++		msg_warn("Read failed in network_biopair_interop with errno=%d: num_read=%d, want_read=%d", errno, num_read, want_read);
+++		return (-1);	/* something happened to the socket */
+++	    }
+++	} else {
+++	    to_bio = BIO_write(network_bio, buffer, num_read);
+++	    if (to_bio != num_read)
+++		msg_fatal("to_bio != num_read");
+++	}
+++    }
+++
+++    return (0);
+++}
+++
+++static void pfixtls_print_errors(void);
+++
+++ /*
+++  * Function to perform the handshake for SSL_accept(), SSL_connect(),
+++  * and SSL_shutdown() and perform the SSL_read(), SSL_write() operations.
+++  * Call the underlying network_biopair_interop-layer to make sure the
+++  * write buffer is flushed after every operation (that did not fail with
+++  * a fatal error).
+++  */
+++static int do_tls_operation(int fd, int timeout, TLScontext_t *TLScontext,
+++			int (*hsfunc)(SSL *),
+++			int (*rfunc)(SSL *, void *, int),
+++			int (*wfunc)(SSL *, const void *, int),
+++			char *buf, int num)
+++{
+++    int status;
+++    int err;
+++    int retval = 0;
+++    int biop_retval;
+++    int done = 0;
+++
+++    while (!done) {
+++	if (hsfunc)
+++	    status = hsfunc(TLScontext->con);
+++	else if (rfunc)
+++	    status = rfunc(TLScontext->con, buf, num);
+++	else
+++	    status = wfunc(TLScontext->con, (const char *)buf, num);
+++	err = SSL_get_error(TLScontext->con, status);
+++
+++#if (OPENSSL_VERSION_NUMBER <= 0x0090581fL)
+++	/*
+++	 * There is a bug up to and including OpenSSL-0.9.5a: if an error
+++	 * occurs while checking the peers certificate due to some certificate
+++	 * error (e.g. as happend with a RSA-padding error), the error is put
+++	 * onto the error stack. If verification is not enforced, this error
+++	 * should be ignored, but the error-queue is not cleared, so we
+++	 * can find this error here. The bug has been fixed on May 28, 2000.
+++	 *
+++	 * This bug so far has only manifested as
+++	 * 4800:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
+++	 * 4800:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:396:
+++	 * 4800:error:0D079006:asn1 encoding routines:ASN1_verify:bad get asn1 object call:a_verify.c:109:
+++	 * so that we specifically test for this error. We print the errors
+++	 * to the logfile and automatically clear the error queue. Then we
+++	 * retry to get another error code. We cannot do better, since we
+++	 * can only retrieve the last entry of the error-queue without
+++	 * actually cleaning it on the way.
+++	 *
+++	 * This workaround is secure, as verify_result is set to "failed"
+++	 * anyway.
+++	 */
+++	if (err == SSL_ERROR_SSL) {
+++	    if (ERR_peek_error() == 0x0407006AL) {
+++		pfixtls_print_errors();	/* Keep information for the logfile */
+++		msg_info("OpenSSL <= 0.9.5a workaround called: certificate errors ignored");
+++		err = SSL_get_error(TLScontext->con, status);
+++	    }
+++	}
+++#endif
+++
+++	switch (err) {
+++	case SSL_ERROR_NONE:		/* success */
+++	    retval = status;
+++	    done = 1;			/* no break, flush buffer before */
+++					/* leaving */
+++	case SSL_ERROR_WANT_WRITE:
+++	case SSL_ERROR_WANT_READ:
+++	    biop_retval = network_biopair_interop(fd, timeout,
+++		TLScontext->network_bio);
+++	    if (biop_retval < 0)
+++		return (-1);		/* fatal network error */
+++	    break;
+++	case SSL_ERROR_ZERO_RETURN:	/* connection was closed cleanly */
+++	case SSL_ERROR_SYSCALL:		
+++	case SSL_ERROR_SSL:
+++	default:
+++	    retval = status;
+++	    done = 1;
+++	    ;
+++	}
+++    };
+++    return retval;
+++}
+++
+++int pfixtls_timed_read(int fd, void *buf, unsigned buf_len, int timeout, 
+++		       void *context)
+++{
+++    int     i;
+++    int     ret;
+++    char    mybuf[40];
+++    char   *mybuf2;
+++    TLScontext_t *TLScontext;
+++
+++    TLScontext = (TLScontext_t *)context;
+++    if (!TLScontext)
+++      msg_fatal("Called tls_timed_read() without TLS-context");
+++ 
+++    ret = do_tls_operation(fd, timeout, TLScontext, NULL, SSL_read, NULL,
+++			  (char *)buf, buf_len);
+++    if ((pfixtls_serveractive && var_smtpd_tls_loglevel >= 4) ||
+++        (pfixtls_clientactive && var_smtp_tls_loglevel >= 4)) {
+++	mybuf2 = (char *) buf;
+++	if (ret > 0) {
+++	    i = 0;
+++	    while ((i < 39) && (i < ret) && (mybuf2[i] != 0)) {
+++		mybuf[i] = mybuf2[i];
+++		i++;
+++	    }
+++	    mybuf[i] = '\0';
+++	    msg_info("Read %d chars: %s", ret, mybuf);
+++	}
+++    }
+++    return (ret);
+++}
+++
+++int pfixtls_timed_write(int fd, void *buf, unsigned len, int timeout,
+++			void *context)
+++{
+++    int     i;
+++    char    mybuf[40];
+++    char   *mybuf2;
+++    TLScontext_t *TLScontext;
+++
+++    TLScontext = (TLScontext_t *)context;
+++    if (!TLScontext)
+++      msg_fatal("Called tls_timed_write() without TLS-context");
+++
+++    if ((pfixtls_serveractive && var_smtpd_tls_loglevel >= 4) ||
+++	(pfixtls_clientactive && var_smtp_tls_loglevel >= 4)) {
+++	mybuf2 = (char *) buf;
+++	if (len > 0) {
+++	    i = 0;
+++	    while ((i < 39) && (i < len) && (mybuf2[i] != 0)) {
+++		mybuf[i] = mybuf2[i];
+++		i++;
+++	    }
+++	    mybuf[i] = '\0';
+++	    msg_info("Write %d chars: %s", len, mybuf);
+++	}
+++    }
+++    return (do_tls_operation(fd, timeout, TLScontext, NULL, NULL, SSL_write,
+++			     buf, len));
+++}
+++
+++/* Add some more entropy to the pool by adding the actual time */
+++
+++static void pfixtls_stir_seed(void)
+++{
+++    GETTIMEOFDAY(&randseed.tv);
+++    RAND_seed(&randseed, sizeof(randseed_t));
+++}
+++
+++/*
+++ * Skeleton taken from OpenSSL crypto/err/err_prn.c.
+++ * Query the error stack and print the error string into the logging facility.
+++ * Clear the error stack on the way.
+++ */
+++
+++static void pfixtls_print_errors(void)
+++{
+++    unsigned long l;
+++    char    buf[256];
+++    const char   *file;
+++    const char   *data;
+++    int     line;
+++    int     flags;
+++    unsigned long es;
+++
+++    es = CRYPTO_thread_id();
+++    while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) {
+++	if (flags & ERR_TXT_STRING)
+++	    msg_info("%lu:%s:%s:%d:%s:", es, ERR_error_string(l, buf),
+++		     file, line, data);
+++	else
+++	    msg_info("%lu:%s:%s:%d:", es, ERR_error_string(l, buf),
+++		     file, line);
+++    }
+++}
+++
+++ /*
+++  * Set up the cert things on the server side. We do need both the
+++  * private key (in key_file) and the cert (in cert_file).
+++  * Both files may be identical.
+++  *
+++  * This function is taken from OpenSSL apps/s_cb.c
+++  */
+++
+++static int set_cert_stuff(SSL_CTX * ctx, char *cert_file, char *key_file)
+++{
+++    if (cert_file != NULL) {
+++	if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0) {
+++	    msg_info("unable to get certificate from '%s'", cert_file);
+++	    pfixtls_print_errors();
+++	    return (0);
+++	}
+++	if (key_file == NULL)
+++	    key_file = cert_file;
+++	if (SSL_CTX_use_PrivateKey_file(ctx, key_file,
+++					SSL_FILETYPE_PEM) <= 0) {
+++	    msg_info("unable to get private key from '%s'", key_file);
+++	    pfixtls_print_errors();
+++	    return (0);
+++	}
+++	/* Now we know that a key and cert have been set against
+++         * the SSL context */
+++	if (!SSL_CTX_check_private_key(ctx)) {
+++	    msg_info("Private key does not match the certificate public key");
+++	    return (0);
+++	}
+++    }
+++    return (1);
+++}
+++
+++/* taken from OpenSSL apps/s_cb.c */
+++
+++static RSA *tmp_rsa_cb(SSL * s, int export, int keylength)
+++{
+++    static RSA *rsa_tmp = NULL;
+++
+++    if (rsa_tmp == NULL) {
+++	rsa_tmp = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
+++    }
+++    return (rsa_tmp);
+++}
+++
+++
+++static DH *get_dh512(void)
+++{
+++    DH *dh;
+++
+++    if (dh_512 == NULL) {
+++	/* No parameter file loaded, use the compiled in parameters */
+++	if ((dh = DH_new()) == NULL) return(NULL);
+++	dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
+++	dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
+++	if ((dh->p == NULL) || (dh->g == NULL))
+++	    return(NULL);
+++	else
+++	    dh_512 = dh;
+++    }
+++    return (dh_512);
+++}
+++
+++static DH *get_dh1024(void)
+++{
+++    DH *dh;
+++
+++    if (dh_1024 == NULL) {
+++	/* No parameter file loaded, use the compiled in parameters */
+++	if ((dh = DH_new()) == NULL) return(NULL);
+++	dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
+++	dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
+++	if ((dh->p == NULL) || (dh->g == NULL))
+++	    return(NULL);
+++	else
+++	    dh_1024 = dh;
+++    }
+++    return (dh_1024);
+++}
+++
+++/* partly inspired by mod_ssl */
+++
+++static DH *tmp_dh_cb(SSL *s, int export, int keylength)
+++{
+++    DH *dh_tmp = NULL;
+++   
+++    if (export) {
+++	if (keylength == 512)
+++	    dh_tmp = get_dh512();	/* export cipher */
+++	else if (keylength == 1024)
+++	    dh_tmp = get_dh1024();	/* normal */
+++	else
+++	    dh_tmp = get_dh1024();	/* not on-the-fly (too expensive) */
+++					/* so use the 1024bit instead */
+++    }
+++    else {
+++	dh_tmp = get_dh1024();		/* sign-only certificate */
+++    }
+++    return (dh_tmp);
+++}
+++
+++
+++/*
+++ * match_hostname: match name provided in "buf" against the expected
+++ * hostname. Comparison is case-insensitive, wildcard certificates are
+++ * supported.
+++ * "buf" may be come from some OpenSSL data structures, so we copy before
+++ * modifying.
+++ */
+++static int match_hostname(const char *buf, TLScontext_t *TLScontext)
+++{
+++    char   *hostname_lowercase;
+++    char   *peername_left;
+++    int hostname_matched = 0;
+++    int buf_len;
+++
+++    buf_len = strlen(buf);
+++    if (!(hostname_lowercase = (char *)mymalloc(buf_len + 1)))
+++	return 0;
+++    memcpy(hostname_lowercase, buf, buf_len + 1);
+++
+++    hostname_lowercase = lowercase(hostname_lowercase);
+++    if (!strcmp(TLScontext->peername_save, hostname_lowercase)) {
+++        hostname_matched = 1;
+++    } else { 
+++        if ((buf_len > 2) &&
+++            (hostname_lowercase[0] == '*') && (hostname_lowercase[1] == '.')) {
+++            /*
+++             * Allow wildcard certificate matching. The proposed rules in  
+++             * RFCs (2818: HTTP/TLS, 2830: LDAP/TLS) are different, RFC2874
+++             * does not specify a rule, so here the strict rule is applied.
+++             * An asterisk '*' is allowed as the leftmost component and may
+++             * replace the left most part of the hostname. Matching is done
+++             * by removing '*.' from the wildcard name and the Name. from
+++             * the peername and compare what is left.
+++             */
+++            peername_left = strchr(TLScontext->peername_save, '.');
+++            if (peername_left) {
+++                if (!strcmp(peername_left + 1, hostname_lowercase + 2))
+++                    hostname_matched = 1;
+++            }
+++        }
+++    }
+++    myfree(hostname_lowercase);
+++    return hostname_matched;
+++}
+++                                       
+++/*
+++ * Skeleton taken from OpenSSL apps/s_cb.c
+++ *
+++ * The verify_callback is called several times (directly or indirectly) from
+++ * crypto/x509/x509_vfy.c. It is called as a last check for several issues,
+++ * so this verify_callback() has the famous "last word". If it does return "0",
+++ * the handshake is immediately shut down and the connection fails.
+++ *
+++ * Postfix/TLS has two modes, the "use" mode and the "enforce" mode:
+++ *
+++ * In the "use" mode we never want the connection to fail just because there is
+++ * something wrong with the certificate (as we would have sent happily without
+++ * TLS).  Therefore the return value is always "1".
+++ *
+++ * In the "enforce" mode we can shut down the connection as soon as possible.
+++ * In server mode TLS itself may be enforced (e.g. to protect passwords),
+++ * but certificates are optional. In this case the handshake must not fail
+++ * if we are unhappy with the certificate and return "1" in any case.
+++ * Only if a certificate is required the certificate must pass the verification
+++ * and failure to do so will result in immediate termination (return 0).
+++ * In the client mode the decision is made with respect to the peername
+++ * enforcement. If we strictly enforce the matching of the expected peername
+++ * the verification must fail immediatly on verification errors. We can also
+++ * immediatly check the expected peername, as it is the CommonName at level 0.
+++ * In all other cases, the problem is logged, so the SSL_get_verify_result()
+++ * will inform about the verification failure, but the handshake (and SMTP
+++ * connection will continue).
+++ *
+++ * The only error condition not handled inside the OpenSSL-Library is the
+++ * case of a too-long certificate chain, so we check inside verify_callback().
+++ * We only take care of this problem, if "ok = 1", because otherwise the
+++ * verification already failed because of another problem and we don't want
+++ * to overwrite the other error message. And if the verification failed,
+++ * there is no such thing as "more failed", "most failed"... :-)
+++ */
+++
+++static int verify_callback(int ok, X509_STORE_CTX * ctx)
+++{
+++    char    buf[256];
+++    char   *peername_left;
+++    X509   *err_cert;
+++    int     err;
+++    int     depth;
+++    int     verify_depth;
+++    SSL    *con;
+++    TLScontext_t *TLScontext;
+++
+++    err_cert = X509_STORE_CTX_get_current_cert(ctx);
+++    err = X509_STORE_CTX_get_error(ctx);
+++    depth = X509_STORE_CTX_get_error_depth(ctx);
+++
+++    con = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+++    TLScontext = SSL_get_ex_data(con, TLScontext_index);
+++
+++    X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
+++    if (((pfixtls_serverengine) && (var_smtpd_tls_loglevel >= 2)) ||
+++	((pfixtls_clientengine) && (var_smtp_tls_loglevel >= 2)))
+++	msg_info("Peer cert verify depth=%d %s", depth, buf);
+++
+++    verify_depth = SSL_get_verify_depth(con);
+++    if (ok && (verify_depth >= 0) && (depth > verify_depth)) {
+++	ok = 0;
+++	err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
+++	X509_STORE_CTX_set_error(ctx, err);
+++    }
+++    if (!ok) {
+++	msg_info("verify error:num=%d:%s", err,
+++		 X509_verify_cert_error_string(err));
+++    }
+++
+++    if (ok && (depth == 0) && pfixtls_clientengine) {
+++	int i, r;
+++        int hostname_matched;
+++	int dNSName_found;
+++	STACK_OF(GENERAL_NAME) *gens;
+++
+++	/*
+++	 * Check out the name certified against the hostname expected.
+++	 * In case it does not match, print an information about the result.
+++	 * If a matching is enforced, bump out with a verification error
+++	 * immediately.
+++	 * Standards are not always clear with respect to the handling of
+++	 * dNSNames. RFC3207 does not specify the handling. We therefore follow
+++	 * the strict rules in RFC2818 (HTTP over TLS), Section 3.1:
+++	 * The Subject Alternative Name/dNSName has precedence over CommonName
+++	 * (CN). If dNSName entries are provided, CN is not checked anymore.
+++	 */
+++	hostname_matched = dNSName_found = 0;
+++
+++        gens = X509_get_ext_d2i(err_cert, NID_subject_alt_name, 0, 0);
+++        if (gens) {
+++            for (i = 0, r = sk_GENERAL_NAME_num(gens); i < r; ++i) {
+++                const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
+++                if (gn->type == GEN_DNS) {
+++		    dNSName_found++;
+++                    if ((hostname_matched =
+++			match_hostname((char *)gn->d.ia5->data, TLScontext)))
+++			break;
+++                }
+++            }
+++	    sk_GENERAL_NAME_free(gens);
+++        }
+++	if (dNSName_found) {
+++	    if (!hostname_matched)
+++		msg_info("Peer verification: %d dNSNames in certificate found, but no one does match %s", dNSName_found, TLScontext->peername_save);
+++	} else {
+++	    buf[0] = '\0';
+++	    if (!X509_NAME_get_text_by_NID(X509_get_subject_name(err_cert),
+++                          NID_commonName, buf, 256)) {
+++	        msg_info("Could not parse server's subject CN");
+++	        pfixtls_print_errors();
+++	    }
+++	    else {
+++	        hostname_matched = match_hostname(buf, TLScontext);
+++	        if (!hostname_matched)
+++		    msg_info("Peer verification: CommonName in certificate does not match: %s != %s", buf, TLScontext->peername_save);
+++	    }
+++	}
+++
+++	if (!hostname_matched) {
+++	    if (TLScontext->enforce_verify_errors && TLScontext->enforce_CN) {
+++		err = X509_V_ERR_CERT_REJECTED;
+++		X509_STORE_CTX_set_error(ctx, err);
+++		msg_info("Verify failure: Hostname mismatch");
+++		ok = 0;
+++	    }
+++	}
+++	else
+++	    TLScontext->hostname_matched = 1;
+++    }
+++
+++    switch (ctx->error) {
+++    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+++	X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
+++	msg_info("issuer= %s", buf);
+++	break;
+++    case X509_V_ERR_CERT_NOT_YET_VALID:
+++    case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+++	msg_info("cert not yet valid");
+++	break;
+++    case X509_V_ERR_CERT_HAS_EXPIRED:
+++    case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+++	msg_info("cert has expired");
+++	break;
+++    }
+++    if (((pfixtls_serverengine) && (var_smtpd_tls_loglevel >= 2)) ||
+++	((pfixtls_clientengine) && (var_smtp_tls_loglevel >= 2)))
+++	msg_info("verify return:%d", ok);
+++
+++    if (TLScontext->enforce_verify_errors)
+++	return (ok); 
+++    else
+++	return (1);
+++}
+++
+++/* taken from OpenSSL apps/s_cb.c */
+++
+++static void apps_ssl_info_callback(SSL * s, int where, int ret)
+++{
+++    char   *str;
+++    int     w;
+++
+++    w = where & ~SSL_ST_MASK;
+++
+++    if (w & SSL_ST_CONNECT)
+++	str = "SSL_connect";
+++    else if (w & SSL_ST_ACCEPT)
+++	str = "SSL_accept";
+++    else
+++	str = "undefined";
+++
+++    if (where & SSL_CB_LOOP) {
+++	    msg_info("%s:%s", str, SSL_state_string_long(s));
+++    } else if (where & SSL_CB_ALERT) {
+++	str = (where & SSL_CB_READ) ? "read" : "write";
+++	if ((ret & 0xff) != SSL3_AD_CLOSE_NOTIFY)
+++	msg_info("SSL3 alert %s:%s:%s", str,
+++		 SSL_alert_type_string_long(ret),
+++		 SSL_alert_desc_string_long(ret));
+++    } else if (where & SSL_CB_EXIT) {
+++	if (ret == 0)
+++	    msg_info("%s:failed in %s",
+++		     str, SSL_state_string_long(s));
+++	else if (ret < 0) {
+++	    msg_info("%s:error in %s",
+++		     str, SSL_state_string_long(s));
+++	}
+++    }
+++}
+++
+++/*
+++ * taken from OpenSSL crypto/bio/b_dump.c, modified to save a lot of strcpy
+++ * and strcat by Matti Aarnio.
+++ */
+++
+++#define TRUNCATE
+++#define DUMP_WIDTH	16
+++
+++static int pfixtls_dump(const char *s, int len)
+++{
+++    int     ret = 0;
+++    char    buf[160 + 1];
+++    char    *ss;
+++    int     i;
+++    int     j;
+++    int     rows;
+++    int     trunc;
+++    unsigned char ch;
+++
+++    trunc = 0;
+++
+++#ifdef TRUNCATE
+++    for (; (len > 0) && ((s[len - 1] == ' ') || (s[len - 1] == '\0')); len--)
+++	trunc++;
+++#endif
+++
+++    rows = (len / DUMP_WIDTH);
+++    if ((rows * DUMP_WIDTH) < len)
+++	rows++;
+++
+++    for (i = 0; i < rows; i++) {
+++	buf[0] = '\0';				/* start with empty string */
+++	ss = buf;
+++
+++	sprintf(ss, "%04x ", i * DUMP_WIDTH);
+++	ss += strlen(ss);
+++	for (j = 0; j < DUMP_WIDTH; j++) {
+++	    if (((i * DUMP_WIDTH) + j) >= len) {
+++		strcpy(ss, "   ");
+++	    } else {
+++		ch = ((unsigned char) *((char *) (s) + i * DUMP_WIDTH + j))
+++		    & 0xff;
+++		sprintf(ss, "%02x%c", ch, j == 7 ? '|' : ' ');
+++		ss += 3;
+++	    }
+++	}
+++	ss += strlen(ss);
+++	*ss++ = ' ';
+++	for (j = 0; j < DUMP_WIDTH; j++) {
+++	    if (((i * DUMP_WIDTH) + j) >= len)
+++		break;
+++	    ch = ((unsigned char) *((char *) (s) + i * DUMP_WIDTH + j)) & 0xff;
+++	    *ss++ = (((ch >= ' ') && (ch <= '~')) ? ch : '.');
+++	    if (j == 7) *ss++ = ' ';
+++	}
+++	*ss = 0;
+++	/* 
+++	 * if this is the last call then update the ddt_dump thing so that
+++         * we will move the selection point in the debug window
+++         */
+++	msg_info("%s", buf);
+++	ret += strlen(buf);
+++    }
+++#ifdef TRUNCATE
+++    if (trunc > 0) {
+++	sprintf(buf, "%04x - <SPACES/NULS>\n", len + trunc);
+++	msg_info("%s", buf);
+++	ret += strlen(buf);
+++    }
+++#endif
+++    return (ret);
+++}
+++
+++
+++
+++/* taken from OpenSSL apps/s_cb.c */
+++
+++static long bio_dump_cb(BIO * bio, int cmd, const char *argp, int argi,
+++			long argl, long ret)
+++{
+++    if (!do_dump)
+++	return (ret);
+++
+++    if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) {
+++	msg_info("read from %08X [%08lX] (%d bytes => %ld (0x%X))",
+++		 (unsigned int)bio, (unsigned long)argp, argi,
+++		 ret, (unsigned int)ret);
+++	pfixtls_dump(argp, (int) ret);
+++	return (ret);
+++    } else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) {
+++	msg_info("write to %08X [%08lX] (%d bytes => %ld (0x%X))",
+++		 (unsigned int)bio, (unsigned long)argp, argi,
+++	 	 ret, (unsigned int)ret);
+++	pfixtls_dump(argp, (int) ret);
+++    }
+++    return (ret);
+++}
+++
+++
+++ /*
+++  * Callback to retrieve a session from the external session cache.
+++  */
+++static SSL_SESSION *get_session_cb(SSL *ssl, unsigned char *SessionID,
+++				  int length, int *copy)
+++{
+++    SSL_SESSION *session;
+++    char idstring[2 * ID_MAXLENGTH + 1];
+++    int n;
+++    int uselength;
+++    int hex_length;
+++    const char *session_hex;
+++    pfixtls_scache_info_t scache_info;
+++    unsigned char nibble, *data, *sess_data;
+++
+++    if (length > ID_MAXLENGTH)
+++	uselength = ID_MAXLENGTH;	/* Limit length of ID */
+++    else
+++	uselength = length;
+++
+++    for(n=0 ; n < uselength ; n++)
+++	sprintf(idstring + 2 * n, "%02x", SessionID[n]);
+++    if (var_smtpd_tls_loglevel >= 3)
+++	msg_info("Trying to reload Session from disc: %s", idstring);
+++
+++    session = NULL;
+++
+++    session_hex = dict_get(scache_db, idstring);
+++    if (session_hex) {
+++	hex_length = strlen(session_hex);
+++	data = (unsigned char *)mymalloc(hex_length / 2);
+++	if (!data) {
+++	    msg_info("could not allocate memory for session reload");
+++	    return(NULL);
+++	}
+++
+++	memset(data, 0, hex_length / 2);
+++	for (n = 0; n < hex_length; n++) {
+++	    if ((session_hex[n] >= '0') && (session_hex[n] <= '9'))
+++		nibble = session_hex[n] - '0';
+++	    else
+++		nibble = session_hex[n] - 'A' + 10;
+++	    if (n % 2)
+++		data[n / 2] |= nibble;
+++	    else
+++		data[n / 2] |= (nibble << 4);
+++	}
+++
+++	/*
+++	 * First check the version numbers, since wrong session data might
+++	 * hit us hard (SEGFAULT). We also have to check for expiry.
+++	 */
+++	memcpy(&scache_info, data, sizeof(pfixtls_scache_info_t));
+++	if ((scache_info.scache_db_version != scache_db_version) ||
+++	    (scache_info.openssl_version != openssl_version) ||
+++	    (scache_info.timestamp + var_smtpd_tls_scache_timeout < time(NULL)))
+++	    dict_del(scache_db, idstring);
+++	else {
+++	    sess_data = data + sizeof(pfixtls_scache_info_t);
+++	    session = d2i_SSL_SESSION(NULL, &sess_data,
+++			      hex_length / 2 - sizeof(pfixtls_scache_info_t));
+++	    if (!session)
+++		pfixtls_print_errors();
+++	}
+++	myfree((char *)data);
+++    }
+++
+++    if (session && (var_smtpd_tls_loglevel >= 3))
+++	msg_info("Successfully reloaded session from disc");
+++
+++    return (session);
+++}
+++
+++
+++static SSL_SESSION *load_clnt_session(const char *hostname,
+++				      int enforce_peername)
+++{
+++    SSL_SESSION *session = NULL;
+++    char idstring[ID_MAXLENGTH + 1];
+++    int n;
+++    int uselength;
+++    int length;
+++    int hex_length;
+++    const char *session_hex;
+++    pfixtls_scache_info_t scache_info;
+++    unsigned char nibble, *data, *sess_data;
+++
+++    length = strlen(hostname); 
+++    if (length > ID_MAXLENGTH)
+++	uselength = ID_MAXLENGTH;	/* Limit length of ID */
+++    else
+++	uselength = length;
+++
+++    for(n=0 ; n < uselength ; n++)
+++	idstring[n] = tolower(hostname[n]);
+++    idstring[uselength] = '\0';
+++    if (var_smtp_tls_loglevel >= 3)
+++	msg_info("Trying to reload Session from disc: %s", idstring);
+++
+++    session_hex = dict_get(scache_db, idstring);
+++    if (session_hex) {
+++	hex_length = strlen(session_hex);
+++	data = (unsigned char *)mymalloc(hex_length / 2);
+++	if (!data) {
+++	    msg_info("could not allocate memory for session reload");
+++	    return(NULL);
+++	}
+++
+++	memset(data, 0, hex_length / 2);
+++	for (n = 0; n < hex_length; n++) {
+++	    if ((session_hex[n] >= '0') && (session_hex[n] <= '9'))
+++		nibble = session_hex[n] - '0';
+++	    else
+++		nibble = session_hex[n] - 'A' + 10;
+++	    if (n % 2)
+++		data[n / 2] |= nibble;
+++	    else
+++		data[n / 2] |= (nibble << 4);
+++	}
+++
+++	/*
+++	 * First check the version numbers, since wrong session data might
+++	 * hit us hard (SEGFAULT). We also have to check for expiry.
+++	 * When we enforce_peername, we may find an old session, that was
+++	 * saved when enforcement was not set. In this case the session will
+++	 * be removed and a fresh session will be negotiated.
+++	 */
+++	memcpy(&scache_info, data, sizeof(pfixtls_scache_info_t));
+++	if ((scache_info.scache_db_version != scache_db_version) ||
+++	    (scache_info.openssl_version != openssl_version) ||
+++	    (scache_info.timestamp + var_smtpd_tls_scache_timeout < time(NULL)))
+++	    dict_del(scache_db, idstring);
+++	else if (enforce_peername && (!scache_info.enforce_peername))
+++	    dict_del(scache_db, idstring);
+++	else {
+++	    sess_data = data + sizeof(pfixtls_scache_info_t);
+++	    session = d2i_SSL_SESSION(NULL, &sess_data,
+++				      hex_length / 2 - sizeof(time_t));
+++	    strncpy(SSL_SESSION_get_ex_data(session, TLSpeername_index),
+++		    idstring, ID_MAXLENGTH + 1);
+++	    if (!session)
+++		pfixtls_print_errors();
+++	}
+++	myfree((char *)data);
+++    }
+++
+++    if (session && (var_smtp_tls_loglevel >= 3))
+++        msg_info("Successfully reloaded session from disc");
+++
+++    return (session);
+++}
+++
+++
+++static void create_client_lookup_id(char *idstring, char *hostname)
+++{
+++    int n, len, uselength;
+++
+++    len = strlen(hostname);
+++    if (len > ID_MAXLENGTH)
+++	uselength = ID_MAXLENGTH;	/* Limit length of ID */
+++    else
+++	uselength = len;
+++
+++    for (n = 0 ; n < uselength ; n++)
+++	idstring[n] = tolower(hostname[n]);
+++    idstring[uselength] = '\0';
+++}
+++
+++
+++static void create_server_lookup_id(char *idstring, SSL_SESSION *session)
+++{
+++    int n, uselength;
+++
+++    if (session->session_id_length > ID_MAXLENGTH)
+++	uselength = ID_MAXLENGTH;	/* Limit length of ID */
+++    else
+++	uselength = session->session_id_length;
+++
+++    for(n = 0; n < uselength ; n++)
+++	sprintf(idstring + 2 * n, "%02x", session->session_id[n]);
+++}
+++
+++
+++static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *session)
+++{
+++    char idstring[2 * ID_MAXLENGTH + 1];
+++    char *hostname;
+++
+++    if (pfixtls_clientengine) {
+++        hostname = SSL_SESSION_get_ex_data(session, TLSpeername_index);
+++	create_client_lookup_id(idstring, hostname);
+++	if (var_smtp_tls_loglevel >= 3)
+++	    msg_info("Trying to remove session from disc: %s", idstring);
+++    }
+++    else {
+++	create_server_lookup_id(idstring, session);
+++	if (var_smtpd_tls_loglevel >= 3)
+++	    msg_info("Trying to remove session from disc: %s", idstring);
+++    }
+++
+++    if (scache_db)
+++	dict_del(scache_db, idstring);
+++}
+++
+++
+++/*
+++ * We need space to save the peername into the SSL_SESSION, as we must
+++ * look up the external database for client sessions by peername, not
+++ * by session id. We therefore allocate place for the peername string,
+++ * when a new SSL_SESSION is generated. It is filled later.
+++ */
+++static int new_peername_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+++			     int idx, long argl, void *argp)
+++{
+++    char *peername;
+++
+++    peername = (char *)mymalloc(ID_MAXLENGTH + 1);
+++    if (!peername)
+++	return 0;
+++    peername[0] = '\0'; 	/* initialize */
+++    return CRYPTO_set_ex_data(ad, idx, peername);
+++}
+++
+++/*
+++ * When the SSL_SESSION is removed again, we must free the memory to avoid
+++ * leaks.
+++ */
+++static void free_peername_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+++			       int idx, long argl, void *argp)
+++{
+++    myfree(CRYPTO_get_ex_data(ad, idx));
+++}
+++
+++/*
+++ * Duplicate application data, when a SSL_SESSION is duplicated
+++ */
+++static int dup_peername_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from,
+++			     void *from_d, int idx, long argl, void *argp)
+++{
+++    char *peername_old, *peername_new;
+++
+++    peername_old = CRYPTO_get_ex_data(from, idx);
+++    peername_new = CRYPTO_get_ex_data(to, idx);
+++    if (!peername_old || !peername_new)
+++	return 0;
+++    memcpy(peername_new, peername_old, ID_MAXLENGTH + 1);
+++    return 1;
+++}
+++
+++
+++ /*
+++  * Save a new session to the external cache
+++  */
+++static int new_session_cb(SSL *ssl, SSL_SESSION *session)
+++{
+++    char idstring[2 * ID_MAXLENGTH + 1];
+++    int n;
+++    int dsize;
+++    int len;
+++    unsigned char *data, *sess_data;
+++    pfixtls_scache_info_t scache_info;
+++    char *hexdata, *hostname;
+++    TLScontext_t *TLScontext;
+++
+++    if (pfixtls_clientengine) {
+++        TLScontext = SSL_get_ex_data(ssl, TLScontext_index);
+++	hostname = TLScontext->peername_save;
+++	create_client_lookup_id(idstring, hostname);
+++	strncpy(SSL_SESSION_get_ex_data(session, TLSpeername_index),
+++		hostname, ID_MAXLENGTH + 1);
+++	/*
+++	 * Remember, whether peername matching was enforced when the session
+++	 * was created. If later enforce mode is enabled, we do not want to
+++	 * reuse a session that was not sufficiently checked.
+++	 */
+++	scache_info.enforce_peername =
+++		(TLScontext->enforce_verify_errors && TLScontext->enforce_CN);
+++
+++	if (var_smtp_tls_loglevel >= 3)
+++	    msg_info("Trying to save session for hostID to disc: %s", idstring);
+++
+++#if (OPENSSL_VERSION_NUMBER < 0x00906011L) || (OPENSSL_VERSION_NUMBER == 0x00907000L)
+++	    /*
+++	     * Ugly Hack: OpenSSL before 0.9.6a does not store the verify
+++	     * result in sessions for the client side.
+++	     * We modify the session directly which is version specific,
+++	     * but this bug is version specific, too.
+++	     *
+++	     * READ: 0-09-06-01-1 = 0-9-6-a-beta1: all versions before
+++	     * beta1 have this bug, it has been fixed during development
+++	     * of 0.9.6a. The development version of 0.9.7 can have this
+++	     * bug, too. It has been fixed on 2000/11/29.
+++	     */
+++	    session->verify_result = SSL_get_verify_result(TLScontext->con);
+++#endif
+++
+++    }
+++    else {
+++	create_server_lookup_id(idstring, session);
+++	if (var_smtpd_tls_loglevel >= 3)
+++	    msg_info("Trying to save Session to disc: %s", idstring);
+++    }
+++
+++
+++    /*
+++     * Get the session and convert it into some "database" useable form.
+++     * First, get the length of the session to allocate the memory.
+++     */
+++    dsize = i2d_SSL_SESSION(session, NULL);
+++    if (dsize < 0) {
+++	msg_info("Could not access session");
+++	return 0;
+++    }
+++    data = (unsigned char *)mymalloc(dsize + sizeof(pfixtls_scache_info_t));
+++    if (!data) {
+++	msg_info("could not allocate memory for SSL session");
+++	return 0;
+++    }
+++
+++    /*
+++     * OpenSSL is not robust against wrong session data (might SEGFAULT),
+++     * so we secure it against version ids (session cache structure as well
+++     * as OpenSSL version).
+++     */
+++    scache_info.scache_db_version = scache_db_version;
+++    scache_info.openssl_version = openssl_version;
+++
+++    /*
+++     * Put a timestamp, so that expiration can be checked without
+++     * analyzing the session data itself. (We would need OpenSSL funtions,
+++     * since the SSL_SESSION is a private structure.)
+++     */
+++    scache_info.timestamp = time(NULL);
+++
+++    memcpy(data, &scache_info, sizeof(pfixtls_scache_info_t));
+++    sess_data = data + sizeof(pfixtls_scache_info_t);
+++
+++    /*
+++     * Now, obtain the session. Unfortunately, it is binary and dict_update
+++     * cannot handle binary data (it could contain '\0' in it) directly.
+++     * To save memory we could use base64 encoding. To make handling easier,
+++     * we simply use hex format.
+++     */
+++    len = i2d_SSL_SESSION(session, &sess_data);
+++    len += sizeof(pfixtls_scache_info_t);
+++
+++    hexdata = (char *)mymalloc(2 * len + 1);
+++
+++    if (!hexdata) {
+++	msg_info("could not allocate memory for SSL session (HEX)");
+++	myfree((char *)data);
+++	return 0;
+++    }
+++    for (n = 0; n < len; n++) {
+++	hexdata[n * 2] = hexcodes[(data[n] & 0xf0) >> 4];
+++	hexdata[(n * 2) + 1] = hexcodes[(data[n] & 0x0f)];
+++    }
+++    hexdata[len * 2] = '\0';
+++
+++    /*
+++     * The session id is a hex string, all uppercase. We are using SDBM as
+++     * compiled into Postfix with 8kB maximum entry size, so we set a limit
+++     * when caching. If the session is not cached, we have to renegotiate,
+++     * not more, not less. For a real session, this limit should never be
+++     * met
+++     */
+++    if (strlen(idstring) + strlen(hexdata) < 8000)
+++      dict_put(scache_db, idstring, hexdata);
+++
+++    myfree(hexdata);
+++    myfree((char *)data);
+++    return (1);
+++}
+++
+++
+++ /*
+++  * pfixtls_exchange_seed: read bytes from the seed exchange-file (expect
+++  * 1024 bytes)and immediately write back random bytes. Do so with EXCLUSIVE
+++  * lock, so * that each process will find a completely different (and
+++  * reseeded) file.
+++  */
+++static void pfixtls_exchange_seed(void)
+++{
+++    unsigned char buffer[1024];
+++
+++    if (rand_exch_fd == -1)
+++	return;
+++
+++    if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) != 0)
+++        msg_info("Could not lock random exchange file: %s",
+++                  strerror(errno));
+++
+++    lseek(rand_exch_fd, 0, SEEK_SET);
+++    if (read(rand_exch_fd, buffer, 1024) < 0)
+++        msg_fatal("reading exchange file failed");
+++    RAND_seed(buffer, 1024);
+++
+++    RAND_bytes(buffer, 1024);
+++    lseek(rand_exch_fd, 0, SEEK_SET);
+++    if (write(rand_exch_fd, buffer, 1024) != 1024)
+++        msg_fatal("Writing exchange file failed");
+++
+++    if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) != 0)
+++        msg_fatal("Could not unlock random exchange file: %s",
+++                  strerror(errno));
+++}
+++
+++ /*
+++  * This is the setup routine for the SSL server. As smtpd might be called
+++  * more than once, we only want to do the initialization one time.
+++  *
+++  * The skeleton of this function is taken from OpenSSL apps/s_server.c.
+++  */
+++
+++int     pfixtls_init_serverengine(int verifydepth, int askcert)
+++{
+++    int     off = 0;
+++    int     verify_flags = SSL_VERIFY_NONE;
+++    int     rand_bytes;
+++    int     rand_source_dev_fd;
+++    int     rand_source_socket_fd;
+++    unsigned char buffer[255];
+++    char   *CApath;
+++    char   *CAfile;
+++    char   *s_cert_file;
+++    char   *s_key_file;
+++    char   *s_dcert_file;
+++    char   *s_dkey_file;
+++    FILE   *paramfile;
+++
+++    if (pfixtls_serverengine)
+++	return (0);				/* already running */
+++
+++    if (var_smtpd_tls_loglevel >= 2)
+++	msg_info("starting TLS engine");
+++
+++    /*
+++     * Initialize the OpenSSL library by the book!
+++     * To start with, we must initialize the algorithms.
+++     * We want cleartext error messages instead of just error codes, so we
+++     * load the error_strings.
+++     */
+++    SSL_load_error_strings();
+++    OpenSSL_add_ssl_algorithms();
+++
+++ /*
+++  * Side effect, call a non-existing function to disable TLS usage with an
+++  * outdated OpenSSL version. There is a security reason (verify_result
+++  * is not stored with the session data).
+++  */
+++#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
+++    needs_openssl_095_or_later();
+++#endif
+++
+++    /*
+++     * Initialize the PRNG Pseudo Random Number Generator with some seed.
+++     */
+++    randseed.pid = getpid();
+++    GETTIMEOFDAY(&randseed.tv);
+++    RAND_seed(&randseed, sizeof(randseed_t));
+++
+++    /*
+++     * Access the external sources for random seed. We will only query them
+++     * once, this should be sufficient and we will stir our entropy by using
+++     * the prng-exchange file anyway.
+++     * For reliability, we don't consider failure to access the additional
+++     * source fatal, as we can run happily without it (considering that we
+++     * still have the exchange-file). We also don't care how much entropy
+++     * we get back, as we must run anyway. We simply stir in the buffer
+++     * regardless how many bytes are actually in it.
+++     */
+++    if (*var_tls_daemon_rand_source) {
+++	if (!strncmp(var_tls_daemon_rand_source, "dev:", 4)) {
+++	    /*
+++	     * Source is a random device
+++	     */
+++	    rand_source_dev_fd = open(var_tls_daemon_rand_source + 4, 0, 0);
+++	    if (rand_source_dev_fd == -1) 
+++		msg_info("Could not open entropy device %s",
+++			  var_tls_daemon_rand_source);
+++	    else {
+++		if (var_tls_daemon_rand_bytes > 255)
+++		    var_tls_daemon_rand_bytes = 255;
+++	        read(rand_source_dev_fd, buffer, var_tls_daemon_rand_bytes);
+++		RAND_seed(buffer, var_tls_daemon_rand_bytes);
+++		close(rand_source_dev_fd);
+++	    }
+++	} else if (!strncmp(var_tls_daemon_rand_source, "egd:", 4)) {
+++	    /*
+++	     * Source is a EGD compatible socket
+++	     */
+++	    rand_source_socket_fd = unix_connect(var_tls_daemon_rand_source +4,
+++						 BLOCKING, 10);
+++	    if (rand_source_socket_fd == -1)
+++		msg_info("Could not connect to %s", var_tls_daemon_rand_source);
+++	    else {
+++		if (var_tls_daemon_rand_bytes > 255)
+++		    var_tls_daemon_rand_bytes = 255;
+++		buffer[0] = 1;
+++		buffer[1] = var_tls_daemon_rand_bytes;
+++		if (write(rand_source_socket_fd, buffer, 2) != 2)
+++		    msg_info("Could not talk to %s",
+++			     var_tls_daemon_rand_source);
+++		else if (read(rand_source_socket_fd, buffer, 1) != 1)
+++		    msg_info("Could not read info from %s",
+++			     var_tls_daemon_rand_source);
+++		else {
+++		    rand_bytes = buffer[0];
+++		    read(rand_source_socket_fd, buffer, rand_bytes);
+++		    RAND_seed(buffer, rand_bytes);
+++		}
+++		close(rand_source_socket_fd);
+++	    }
+++	} else {
+++	    RAND_load_file(var_tls_daemon_rand_source,
+++			   var_tls_daemon_rand_bytes);
+++	}
+++    }
+++
+++    if (*var_tls_rand_exch_name) {
+++	rand_exch_fd = open(var_tls_rand_exch_name, O_RDWR | O_CREAT, 0600);
+++	if (rand_exch_fd != -1)
+++	    pfixtls_exchange_seed();
+++    }
+++
+++    randseed.pid = getpid();
+++    GETTIMEOFDAY(&randseed.tv);
+++    RAND_seed(&randseed, sizeof(randseed_t));
+++
+++    /*
+++     * The SSL/TLS speficications require the client to send a message in
+++     * the oldest specification it understands with the highest level it
+++     * understands in the message.
+++     * Netscape communicator can still communicate with SSLv2 servers, so it
+++     * sends out a SSLv2 client hello. To deal with it, our server must be
+++     * SSLv2 aware (even if we don't like SSLv2), so we need to have the
+++     * SSLv23 server here. If we want to limit the protocol level, we can
+++     * add an option to not use SSLv2/v3/TLSv1 later.
+++     */
+++    ctx = SSL_CTX_new(SSLv23_server_method());
+++    if (ctx == NULL) {
+++	pfixtls_print_errors();
+++	return (-1);
+++    };
+++
+++    /*
+++     * Here we might set SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1.
+++     * Of course, the last one would not make sense, since RFC2487 is only
+++     * defined for TLS, but we also want to accept Netscape communicator
+++     * requests, and it only supports SSLv3.
+++     */
+++    off |= SSL_OP_ALL;		/* Work around all known bugs */
+++    SSL_CTX_set_options(ctx, off);
+++
+++    /*
+++     * Set the info_callback, that will print out messages during
+++     * communication on demand.
+++     */
+++    if (var_smtpd_tls_loglevel >= 2)
+++	SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
+++
+++    /*
+++     * Set the list of ciphers, if explicitely given; otherwise the
+++     * (reasonable) default list is kept.
+++     */
+++    if (strlen(var_smtpd_tls_cipherlist) != 0)
+++	if (SSL_CTX_set_cipher_list(ctx, var_smtpd_tls_cipherlist) == 0) {
+++	    pfixtls_print_errors();
+++	    return (-1);
+++	}
+++
+++    /*
+++     * Now we must add the necessary certificate stuff: A server key, a
+++     * server certificate, and the CA certificates for both the server
+++     * cert and the verification of client certificates.
+++     * As provided by OpenSSL we support two types of CA certificate handling:
+++     * One possibility is to add all CA certificates to one large CAfile,
+++     * the other possibility is a directory pointed to by CApath, containing
+++     * seperate files for each CA pointed on by softlinks named by the hash
+++     * values of the certificate.
+++     * The first alternative has the advantage, that the file is opened and
+++     * read at startup time, so that you don't have the hassle to maintain
+++     * another copy of the CApath directory for chroot-jail. On the other
+++     * hand, the file is not really readable.
+++     */
+++    if (strlen(var_smtpd_tls_CAfile) == 0)
+++	CAfile = NULL;
+++    else
+++	CAfile = var_smtpd_tls_CAfile;
+++    if (strlen(var_smtpd_tls_CApath) == 0)
+++	CApath = NULL;
+++    else
+++	CApath = var_smtpd_tls_CApath;
+++
+++    if (CAfile || CApath) {
+++	if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
+++	    msg_info("TLS engine: cannot load CA data");
+++	    pfixtls_print_errors();
+++	    return (-1);
+++	}
+++	if (!SSL_CTX_set_default_verify_paths(ctx)) {
+++	    msg_info("TLS engine: cannot set verify paths");
+++	    pfixtls_print_errors();
+++	    return (-1);
+++	}
+++    }
+++
+++    /*
+++     * Now we load the certificate and key from the files and check,
+++     * whether the cert matches the key (internally done by set_cert_stuff().
+++     * We cannot run without (we do not support ADH anonymous Diffie-Hellman
+++     * ciphers as of now).
+++     * We can use RSA certificates ("cert") and DSA certificates ("dcert"),
+++     * both can be made available at the same time. The CA certificates for
+++     * both are handled in the same setup already finished.
+++     * Which one is used depends on the cipher negotiated (that is: the first
+++     * cipher listed by the client which does match the server). A client with
+++     * RSA only (e.g. Netscape) will use the RSA certificate only.
+++     * A client with openssl-library will use RSA first if not especially
+++     * changed in the cipher setup.
+++     */
+++    if (strlen(var_smtpd_tls_cert_file) == 0)
+++	s_cert_file = NULL;
+++    else
+++	s_cert_file = var_smtpd_tls_cert_file;
+++    if (strlen(var_smtpd_tls_key_file) == 0)
+++	s_key_file = NULL;
+++    else
+++	s_key_file = var_smtpd_tls_key_file;
+++
+++    if (strlen(var_smtpd_tls_dcert_file) == 0)
+++	s_dcert_file = NULL;
+++    else
+++	s_dcert_file = var_smtpd_tls_dcert_file;
+++    if (strlen(var_smtpd_tls_dkey_file) == 0)
+++	s_dkey_file = NULL;
+++    else
+++	s_dkey_file = var_smtpd_tls_dkey_file;
+++
+++    if (s_cert_file) {
+++	if (!set_cert_stuff(ctx, s_cert_file, s_key_file)) {
+++	    msg_info("TLS engine: cannot load RSA cert/key data");
+++	    pfixtls_print_errors();
+++	    return (-1);
+++	}
+++    }
+++    if (s_dcert_file) {
+++	if (!set_cert_stuff(ctx, s_dcert_file, s_dkey_file)) {
+++	    msg_info("TLS engine: cannot load DSA cert/key data");
+++	    pfixtls_print_errors();
+++	    return (-1);
+++	}
+++    }
+++    if (!s_cert_file && !s_dcert_file) {
+++	msg_info("TLS engine: do need at least RSA _or_ DSA cert/key data");
+++	return (-1);
+++    }
+++
+++    /*
+++     * Sometimes a temporary RSA key might be needed by the OpenSSL
+++     * library. The OpenSSL doc indicates, that this might happen when
+++     * export ciphers are in use. We have to provide one, so well, we
+++     * just do it.
+++     */
+++    SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_cb);
+++
+++    /*
+++     * We might also need dh parameters, which can either be loaded from
+++     * file (preferred) or we simply take the compiled in values.
+++     * First, set the callback that will select the values when requested,
+++     * then load the (possibly) available DH parameters from files.
+++     * We are generous with the error handling, since we do have default
+++     * values compiled in, so we will not abort but just log the error message.
+++     */
+++    SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_cb);
+++    if (strlen(var_smtpd_tls_dh1024_param_file) != 0) {
+++	if ((paramfile = fopen(var_smtpd_tls_dh1024_param_file, "r")) != NULL) {
+++	    dh_1024 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
+++	    if (dh_1024 == NULL) {
+++		msg_info("TLS engine: cannot load 1024bit DH parameters");
+++		pfixtls_print_errors();
+++	    }
+++	}
+++	else {
+++	    msg_info("TLS engine: cannot load 1024bit DH parameters: %s: %s",
+++		     var_smtpd_tls_dh1024_param_file, strerror(errno));
+++	}
+++    }
+++    if (strlen(var_smtpd_tls_dh512_param_file) != 0) {
+++	if ((paramfile = fopen(var_smtpd_tls_dh512_param_file, "r")) != NULL) {
+++	    dh_512 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
+++	    if (dh_512 == NULL) {
+++		msg_info("TLS engine: cannot load 512bit DH parameters");
+++		pfixtls_print_errors();
+++	    }
+++	}
+++	else {
+++	    msg_info("TLS engine: cannot load 512bit DH parameters: %s: %s",
+++		     var_smtpd_tls_dh512_param_file, strerror(errno));
+++	}
+++    }
+++
+++    /*
+++     * If we want to check client certificates, we have to indicate it
+++     * in advance. By now we only allow to decide on a global basis.
+++     * If we want to allow certificate based relaying, we must ask the
+++     * client to provide one with SSL_VERIFY_PEER. The client now can
+++     * decide, whether it provides one or not. We can enforce a failure
+++     * of the negotiation with SSL_VERIFY_FAIL_IF_NO_PEER_CERT, if we
+++     * do not allow a connection without one.
+++     * In the "server hello" following the initialization by the "client hello"
+++     * the server must provide a list of CAs it is willing to accept.
+++     * Some clever clients will then select one from the list of available
+++     * certificates matching these CAs. Netscape Communicator will present
+++     * the list of certificates for selecting the one to be sent, or it will
+++     * issue a warning, if there is no certificate matching the available
+++     * CAs.
+++     *
+++     * With regard to the purpose of the certificate for relaying, we might
+++     * like a later negotiation, maybe relaying would already be allowed
+++     * for other reasons, but this would involve severe changes in the
+++     * internal postfix logic, so we have to live with it the way it is.
+++     */
+++    if (askcert)
+++	verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
+++    SSL_CTX_set_verify(ctx, verify_flags, verify_callback);
+++    SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
+++
+++    /*
+++     * Initialize the session cache. We only want external caching to
+++     * synchronize between server sessions, so we set it to a minimum value
+++     * of 1. If the external cache is disabled, we won't cache at all.
+++     * The recall of old sessions "get" and save to disk of just created
+++     * sessions "new" is handled by the appropriate callback functions.
+++     *
+++     * We must not forget to set a session id context to identify to which
+++     * kind of server process the session was related. In our case, the
+++     * context is just the name of the patchkit: "Postfix/TLS".
+++     */
+++    SSL_CTX_sess_set_cache_size(ctx, 1);
+++    SSL_CTX_set_timeout(ctx, var_smtpd_tls_scache_timeout);
+++    SSL_CTX_set_session_id_context(ctx, (void*)&server_session_id_context,
+++                sizeof(server_session_id_context));
+++
+++    /*
+++     * The session cache is realized by an external database file, that
+++     * must be opened before going to chroot jail. Since the session cache
+++     * data can become quite large, "[n]dbm" cannot be used as it has a
+++     * size limit that is by far to small.
+++     */
+++    if (*var_smtpd_tls_scache_db) {
+++	/*
+++	 * Insert a test against other dbms here, otherwise while writing
+++	 * a session (content to large), we will receive a fatal error!
+++	 */
+++	if (strncmp(var_smtpd_tls_scache_db, "sdbm:", 5))
+++	    msg_warn("Only sdbm: type allowed for %s",
+++		     var_smtpd_tls_scache_db);
+++	else
+++	    scache_db = dict_open(var_smtpd_tls_scache_db, O_RDWR,
+++	      DICT_FLAG_DUP_REPLACE | DICT_FLAG_LOCK | DICT_FLAG_SYNC_UPDATE);
+++	if (scache_db) {
+++	    SSL_CTX_set_session_cache_mode(ctx,
+++			SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_AUTO_CLEAR);
+++	    SSL_CTX_sess_set_get_cb(ctx, get_session_cb);
+++	    SSL_CTX_sess_set_new_cb(ctx, new_session_cb);
+++	    SSL_CTX_sess_set_remove_cb(ctx, remove_session_cb);
+++	}
+++	else
+++	    msg_warn("Could not open session cache %s",
+++		     var_smtpd_tls_scache_db);
+++    }
+++
+++    /*
+++     * Finally create the global index to access TLScontext information
+++     * inside verify_callback.
+++     */
+++    TLScontext_index = SSL_get_ex_new_index(0, "TLScontext ex_data index",
+++					    NULL, NULL, NULL);
+++
+++    pfixtls_serverengine = 1;
+++    return (0);
+++}
+++
+++ /*
+++  * This is the actual startup routine for the connection. We expect
+++  * that the buffers are flushed and the "220 Ready to start TLS" was
+++  * send to the client, so that we can immediately can start the TLS
+++  * handshake process.
+++  */
+++int     pfixtls_start_servertls(VSTREAM *stream, int timeout,
+++				const char *peername, const char *peeraddr,
+++				tls_info_t *tls_info, int requirecert)
+++{
+++    int     sts;
+++    int     j;
+++    int verify_flags;
+++    unsigned int n;
+++    TLScontext_t *TLScontext;
+++    SSL_SESSION *session;
+++    SSL_CIPHER *cipher;
+++    X509   *peer;
+++
+++    if (!pfixtls_serverengine) {		/* should never happen */
+++	msg_info("tls_engine not running");
+++	return (-1);
+++    }
+++    if (var_smtpd_tls_loglevel >= 1)
+++	msg_info("setting up TLS connection from %s[%s]", peername, peeraddr);
+++
+++    /*
+++     * Allocate a new TLScontext for the new connection and get an SSL
+++     * structure. Add the location of TLScontext to the SSL to later
+++     * retrieve the information inside the verify_callback().
+++     */
+++    TLScontext = (TLScontext_t *)mymalloc(sizeof(TLScontext_t));
+++    if (!TLScontext) {
+++	msg_fatal("Could not allocate 'TLScontext' with mymalloc");
+++    }
+++    if ((TLScontext->con = (SSL *) SSL_new(ctx)) == NULL) {
+++	msg_info("Could not allocate 'TLScontext->con' with SSL_new()");
+++	pfixtls_print_errors();
+++	myfree((char *)TLScontext);
+++	return (-1);
+++    }
+++    if (!SSL_set_ex_data(TLScontext->con, TLScontext_index, TLScontext)) {
+++	msg_info("Could not set application data for 'TLScontext->con'");
+++	pfixtls_print_errors();
+++	SSL_free(TLScontext->con);
+++	myfree((char *)TLScontext);
+++	return (-1);
+++    }
+++
+++    /*
+++     * Set the verification parameters to be checked in verify_callback().
+++     */
+++    if (requirecert) {
+++	verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
+++	verify_flags |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+++	TLScontext->enforce_verify_errors = 1;
+++        SSL_set_verify(TLScontext->con, verify_flags, verify_callback);
+++    }
+++    else {
+++	TLScontext->enforce_verify_errors = 0;
+++    }
+++    TLScontext->enforce_CN = 0;
+++
+++    /*
+++     * The TLS connection is realized by a BIO_pair, so obtain the pair.
+++     */
+++    if (!BIO_new_bio_pair(&TLScontext->internal_bio, BIO_bufsiz,
+++			  &TLScontext->network_bio, BIO_bufsiz)) {
+++	msg_info("Could not obtain BIO_pair");
+++	pfixtls_print_errors();
+++	SSL_free(TLScontext->con);
+++	myfree((char *)TLScontext);
+++	return (-1);
+++    }
+++
+++    /*
+++     * Before really starting anything, try to seed the PRNG a little bit
+++     * more.
+++     */
+++    pfixtls_stir_seed();
+++    pfixtls_exchange_seed();
+++
+++    /*
+++     * Initialize the SSL connection to accept state. This should not be
+++     * necessary anymore since 0.9.3, but the call is still in the library
+++     * and maintaining compatibility never hurts.
+++     */
+++    SSL_set_accept_state(TLScontext->con);
+++
+++    /*
+++     * Connect the SSL-connection with the postfix side of the BIO-pair for
+++     * reading and writing.
+++     */
+++     SSL_set_bio(TLScontext->con, TLScontext->internal_bio,
+++		 TLScontext->internal_bio);
+++
+++    /*
+++     * If the debug level selected is high enough, all of the data is
+++     * dumped: 3 will dump the SSL negotiation, 4 will dump everything.
+++     *
+++     * We do have an SSL_set_fd() and now suddenly a BIO_ routine is called?
+++     * Well there is a BIO below the SSL routines that is automatically
+++     * created for us, so we can use it for debugging purposes.
+++     */
+++    if (var_smtpd_tls_loglevel >= 3)
+++	BIO_set_callback(SSL_get_rbio(TLScontext->con), bio_dump_cb);
+++
+++
+++    /* Dump the negotiation for loglevels 3 and 4 */
+++    if (var_smtpd_tls_loglevel >= 3)
+++	do_dump = 1;
+++
+++    /*
+++     * Now we expect the negotiation to begin. This whole process is like a
+++     * black box for us. We totally have to rely on the routines build into
+++     * the OpenSSL library. The only thing we can do we already have done
+++     * by choosing our own callbacks for session caching and certificate
+++     * verification.
+++     *
+++     * Error handling:
+++     * If the SSL handhake fails, we print out an error message and remove
+++     * everything that might be there. A session has to be removed anyway,
+++     * because RFC2246 requires it.
+++     */
+++    sts = do_tls_operation(vstream_fileno(stream), timeout, TLScontext,
+++			   SSL_accept, NULL, NULL, NULL, 0);
+++    if (sts <= 0) {
+++	msg_info("SSL_accept error from %s[%s]: %d", peername, peeraddr, sts);
+++	pfixtls_print_errors();
+++	SSL_free(TLScontext->con);
+++	myfree((char *)TLScontext);
+++	return (-1);
+++    }
+++
+++    /* Only loglevel==4 dumps everything */
+++    if (var_smtpd_tls_loglevel < 4)
+++	do_dump = 0;
+++
+++    /*
+++     * Lets see, whether a peer certificate is available and what is
+++     * the actual information. We want to save it for later use.
+++     */
+++    peer = SSL_get_peer_certificate(TLScontext->con);
+++    if (peer != NULL) {
+++	if (SSL_get_verify_result(TLScontext->con) == X509_V_OK)
+++	    tls_info->peer_verified = 1;
+++
+++	X509_NAME_oneline(X509_get_subject_name(peer),
+++			  TLScontext->peer_subject, CCERT_BUFSIZ);
+++	if (var_smtpd_tls_loglevel >= 2)
+++	    msg_info("subject=%s", TLScontext->peer_subject);
+++	tls_info->peer_subject = TLScontext->peer_subject;
+++	X509_NAME_oneline(X509_get_issuer_name(peer),
+++			  TLScontext->peer_issuer, CCERT_BUFSIZ);
+++	if (var_smtpd_tls_loglevel >= 2)
+++	    msg_info("issuer=%s", TLScontext->peer_issuer);
+++	tls_info->peer_issuer = TLScontext->peer_issuer;
+++	if (X509_digest(peer, EVP_md5(), TLScontext->md, &n)) {
+++	    for (j = 0; j < (int) n; j++) {
+++		TLScontext->fingerprint[j * 3] =
+++			hexcodes[(TLScontext->md[j] & 0xf0) >> 4];
+++		TLScontext->fingerprint[(j * 3) + 1] =
+++			hexcodes[(TLScontext->md[j] & 0x0f)];
+++		if (j + 1 != (int) n)
+++		    TLScontext->fingerprint[(j * 3) + 2] = ':';
+++		else
+++		    TLScontext->fingerprint[(j * 3) + 2] = '\0';
+++	    }
+++	    if (var_smtpd_tls_loglevel >= 1)
+++		msg_info("fingerprint=%s", TLScontext->fingerprint);
+++	    tls_info->peer_fingerprint = TLScontext->fingerprint;
+++	}
+++
+++	TLScontext->peer_CN[0] = '\0';
+++	if (!X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
+++			NID_commonName, TLScontext->peer_CN, CCERT_BUFSIZ)) {
+++	    msg_info("Could not parse client's subject CN");
+++	    pfixtls_print_errors();
+++	}
+++	tls_info->peer_CN = TLScontext->peer_CN;
+++
+++	TLScontext->issuer_CN[0] = '\0';
+++	if (!X509_NAME_get_text_by_NID(X509_get_issuer_name(peer),
+++			NID_commonName, TLScontext->issuer_CN, CCERT_BUFSIZ)) {
+++	    msg_info("Could not parse client's issuer CN");
+++	    pfixtls_print_errors();
+++	}
+++	if (!TLScontext->issuer_CN[0]) {
+++	    /* No issuer CN field, use Organization instead */
+++	    if (!X509_NAME_get_text_by_NID(X509_get_issuer_name(peer),
+++		NID_organizationName, TLScontext->issuer_CN, CCERT_BUFSIZ)) {
+++		msg_info("Could not parse client's issuer Organization");
+++		pfixtls_print_errors();
+++	    }
+++	}
+++	tls_info->issuer_CN = TLScontext->issuer_CN;
+++
+++	if (var_smtpd_tls_loglevel >= 1) {
+++	    if (tls_info->peer_verified)
+++		msg_info("Verified: subject_CN=%s, issuer=%s",
+++			 TLScontext->peer_CN, TLScontext->issuer_CN);
+++	    else
+++		msg_info("Unverified: subject_CN=%s, issuer=%s",
+++			 TLScontext->peer_CN, TLScontext->issuer_CN);
+++	}
+++
+++	X509_free(peer);
+++    }
+++
+++    /*
+++     * At this point we should have a certificate when required.
+++     * We may however have a cached session, so the callback would never
+++     * be called. We therefore double-check to make sure and remove the
+++     * session, if applicable.
+++     */
+++    if (requirecert) {
+++	if (!tls_info->peer_verified || !tls_info->peer_CN) {
+++	    msg_info("Re-used session without peer certificate removed");
+++	    session = SSL_get_session(TLScontext->con);
+++	    SSL_CTX_remove_session(ctx, session);
+++	    return (-1);
+++	}
+++    }
+++
+++    /*
+++     * Finally, collect information about protocol and cipher for logging
+++     */
+++    tls_info->protocol = SSL_get_version(TLScontext->con);
+++    cipher = SSL_get_current_cipher(TLScontext->con);
+++    tls_info->cipher_name = SSL_CIPHER_get_name(cipher);
+++    tls_info->cipher_usebits = SSL_CIPHER_get_bits(cipher,
+++						 &(tls_info->cipher_algbits));
+++
+++    pfixtls_serveractive = 1;
+++
+++    /*
+++     * The TLS engine is active, switch to the pfixtls_timed_read/write()
+++     * functions and store the context.
+++     */
+++    vstream_control(stream,
+++		    VSTREAM_CTL_READ_FN, pfixtls_timed_read,
+++		    VSTREAM_CTL_WRITE_FN, pfixtls_timed_write,
+++		    VSTREAM_CTL_CONTEXT, (void *)TLScontext,
+++		    VSTREAM_CTL_END);
+++
+++    if (var_smtpd_tls_loglevel >= 1)
+++   	 msg_info("TLS connection established from %s[%s]: %s with cipher %s (%d/%d bits)",
+++		  peername, peeraddr,
+++		  tls_info->protocol, tls_info->cipher_name,
+++		  tls_info->cipher_usebits, tls_info->cipher_algbits);
+++    pfixtls_stir_seed();
+++
+++    return (0);
+++}
+++
+++ /*
+++  * Shut down the TLS connection, that does mean: remove all the information
+++  * and reset the flags! This is needed if the actual running smtpd is to
+++  * be restarted. We do not give back any value, as there is nothing to
+++  * be reported.
+++  * Since our session cache is external, we will remove the session from
+++  * memory in any case. The SSL_CTX_flush_sessions might be redundant here,
+++  * I however want to make sure nothing is left.
+++  * RFC2246 requires us to remove sessions if something went wrong, as
+++  * indicated by the "failure" value, so we remove it from the external
+++  * cache, too. 
+++  */
+++int     pfixtls_stop_servertls(VSTREAM *stream, int timeout, int failure,
+++			       tls_info_t *tls_info)
+++{
+++    TLScontext_t *TLScontext;
+++    int retval;
+++
+++    if (pfixtls_serveractive) {
+++	TLScontext = (TLScontext_t *)vstream_context(stream);
+++	/*
+++	 * Perform SSL_shutdown() twice, as the first attempt may return
+++	 * to early: it will only send out the shutdown alert but it will
+++	 * not wait for the peer's shutdown alert. Therefore, when we are
+++	 * the first party to send the alert, we must call SSL_shutdown()
+++	 * again.
+++	 * On failure we don't want to resume the session, so we will not
+++	 * perform SSL_shutdown() and the session will be removed as being
+++	 * bad.
+++	 */
+++	if (!failure) {
+++            retval = do_tls_operation(vstream_fileno(stream), timeout,
+++				TLScontext, SSL_shutdown, NULL, NULL, NULL, 0);
+++	    if (retval == 0)
+++		do_tls_operation(vstream_fileno(stream), timeout, TLScontext,
+++				SSL_shutdown, NULL, NULL, NULL, 0);
+++	}
+++	/*
+++	 * Free the SSL structure and the BIOs. Warning: the internal_bio is
+++	 * connected to the SSL structure and is automatically freed with
+++	 * it. Do not free it again (core dump)!!
+++	 * Only free the network_bio.
+++	 */
+++	SSL_free(TLScontext->con);
+++	BIO_free(TLScontext->network_bio);
+++	myfree((char *)TLScontext);
+++        vstream_control(stream,
+++		    VSTREAM_CTL_READ_FN, (VSTREAM_FN) NULL,
+++		    VSTREAM_CTL_WRITE_FN, (VSTREAM_FN) NULL,
+++		    VSTREAM_CTL_CONTEXT, (void *) NULL,
+++		    VSTREAM_CTL_END);
+++	SSL_CTX_flush_sessions(ctx, time(NULL));
+++
+++	pfixtls_stir_seed();
+++	pfixtls_exchange_seed();
+++
+++	*tls_info = tls_info_zero;
+++	pfixtls_serveractive = 0;
+++
+++    }
+++
+++    return (0);
+++}
+++
+++
+++ /*
+++  * This is the setup routine for the SSL client. As smtpd might be called
+++  * more than once, we only want to do the initialization one time.
+++  *
+++  * The skeleton of this function is taken from OpenSSL apps/s_client.c.
+++  */
+++
+++int     pfixtls_init_clientengine(int verifydepth)
+++{
+++    int     off = 0;
+++    int     verify_flags = SSL_VERIFY_NONE;
+++    int     rand_bytes;
+++    int     rand_source_dev_fd;
+++    int     rand_source_socket_fd;
+++    unsigned char buffer[255];
+++    char   *CApath;
+++    char   *CAfile;
+++    char   *c_cert_file;
+++    char   *c_key_file;
+++
+++
+++    if (pfixtls_clientengine)
+++	return (0);				/* already running */
+++
+++    if (var_smtp_tls_loglevel >= 2)
+++	msg_info("starting TLS engine");
+++
+++    /*
+++     * Initialize the OpenSSL library by the book!
+++     * To start with, we must initialize the algorithms.
+++     * We want cleartext error messages instead of just error codes, so we
+++     * load the error_strings.
+++     */ 
+++    SSL_load_error_strings();
+++    OpenSSL_add_ssl_algorithms();
+++
+++ /*
+++  * Side effect, call a non-existing function to disable TLS usage with an
+++  * outdated OpenSSL version. There is a security reason (verify_result
+++  * is not stored with the session data).
+++  */
+++#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
+++    needs_openssl_095_or_later();
+++#endif
+++
+++    /*
+++     * Initialize the PRNG Pseudo Random Number Generator with some seed.
+++     */
+++    randseed.pid = getpid();
+++    GETTIMEOFDAY(&randseed.tv);
+++    RAND_seed(&randseed, sizeof(randseed_t));
+++
+++    /*
+++     * Access the external sources for random seed. We will only query them
+++     * once, this should be sufficient and we will stir our entropy by using
+++     * the prng-exchange file anyway.
+++     * For reliability, we don't consider failure to access the additional
+++     * source fatal, as we can run happily without it (considering that we
+++     * still have the exchange-file). We also don't care how much entropy
+++     * we get back, as we must run anyway. We simply stir in the buffer
+++     * regardless how many bytes are actually in it.
+++     */
+++    if (*var_tls_daemon_rand_source) {
+++	if (!strncmp(var_tls_daemon_rand_source, "dev:", 4)) {
+++	    /*
+++	     * Source is a random device
+++	     */
+++	    rand_source_dev_fd = open(var_tls_daemon_rand_source + 4, 0, 0);
+++	    if (rand_source_dev_fd == -1) 
+++		msg_info("Could not open entropy device %s",
+++			  var_tls_daemon_rand_source);
+++	    else {
+++		if (var_tls_daemon_rand_bytes > 255)
+++		    var_tls_daemon_rand_bytes = 255;
+++	        read(rand_source_dev_fd, buffer, var_tls_daemon_rand_bytes);
+++		RAND_seed(buffer, var_tls_daemon_rand_bytes);
+++		close(rand_source_dev_fd);
+++	    }
+++	} else if (!strncmp(var_tls_daemon_rand_source, "egd:", 4)) {
+++	    /*
+++	     * Source is a EGD compatible socket
+++	     */
+++	    rand_source_socket_fd = unix_connect(var_tls_daemon_rand_source +4,
+++						 BLOCKING, 10);
+++	    if (rand_source_socket_fd == -1)
+++		msg_info("Could not connect to %s", var_tls_daemon_rand_source);
+++	    else {
+++		if (var_tls_daemon_rand_bytes > 255)
+++		    var_tls_daemon_rand_bytes = 255;
+++		buffer[0] = 1;
+++		buffer[1] = var_tls_daemon_rand_bytes;
+++		if (write(rand_source_socket_fd, buffer, 2) != 2)
+++		    msg_info("Could not talk to %s",
+++			     var_tls_daemon_rand_source);
+++		else if (read(rand_source_socket_fd, buffer, 1) != 1)
+++		    msg_info("Could not read info from %s",
+++			     var_tls_daemon_rand_source);
+++		else {
+++		    rand_bytes = buffer[0];
+++		    read(rand_source_socket_fd, buffer, rand_bytes);
+++		    RAND_seed(buffer, rand_bytes);
+++		}
+++		close(rand_source_socket_fd);
+++	    }
+++	} else {
+++	    RAND_load_file(var_tls_daemon_rand_source,
+++			   var_tls_daemon_rand_bytes);
+++	}
+++    }
+++
+++    if (*var_tls_rand_exch_name) {
+++	rand_exch_fd = open(var_tls_rand_exch_name, O_RDWR | O_CREAT, 0600);
+++	if (rand_exch_fd != -1)
+++	    pfixtls_exchange_seed();
+++    }
+++
+++    randseed.pid = getpid();
+++    GETTIMEOFDAY(&randseed.tv);
+++    RAND_seed(&randseed, sizeof(randseed_t));
+++
+++    /*
+++     * The SSL/TLS speficications require the client to send a message in
+++     * the oldest specification it understands with the highest level it
+++     * understands in the message.
+++     * RFC2487 is only specified for TLSv1, but we want to be as compatible
+++     * as possible, so we will start off with a SSLv2 greeting allowing
+++     * the best we can offer: TLSv1.
+++     * We can restrict this with the options setting later, anyhow.
+++     */
+++    ctx = SSL_CTX_new(SSLv23_client_method());
+++    if (ctx == NULL) {
+++	pfixtls_print_errors();
+++	return (-1);
+++    };
+++
+++    /*
+++     * Here we might set SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1.
+++     * Of course, the last one would not make sense, since RFC2487 is only
+++     * defined for TLS, but we don't know what is out there. So leave things
+++     * completely open, as of today.
+++     */
+++    off |= SSL_OP_ALL;		/* Work around all known bugs */
+++    SSL_CTX_set_options(ctx, off);
+++
+++    /*
+++     * Set the info_callback, that will print out messages during
+++     * communication on demand.
+++     */
+++    if (var_smtp_tls_loglevel >= 2)
+++	SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
+++
+++    /*
+++     * Set the list of ciphers, if explicitely given; otherwise the
+++     * (reasonable) default list is kept.
+++     */
+++    if (strlen(var_smtp_tls_cipherlist) != 0)
+++	if (SSL_CTX_set_cipher_list(ctx, var_smtp_tls_cipherlist) == 0) {
+++	    pfixtls_print_errors();
+++	    return (-1);
+++	}
+++
+++    /*
+++     * Now we must add the necessary certificate stuff: A client key, a
+++     * client certificate, and the CA certificates for both the client
+++     * cert and the verification of server certificates.
+++     * In fact, we do not need a client certificate,  so the certificates
+++     * are only loaded (and checked), if supplied. A clever client would
+++     * handle multiple client certificates and decide based on the list
+++     * of acceptable CAs, sent by the server, which certificate to submit.
+++     * OpenSSL does however not do this and also has no callback hoods to
+++     * easily realize it.
+++     *
+++     * As provided by OpenSSL we support two types of CA certificate handling:
+++     * One possibility is to add all CA certificates to one large CAfile,
+++     * the other possibility is a directory pointed to by CApath, containing
+++     * seperate files for each CA pointed on by softlinks named by the hash
+++     * values of the certificate.
+++     * The first alternative has the advantage, that the file is opened and
+++     * read at startup time, so that you don't have the hassle to maintain
+++     * another copy of the CApath directory for chroot-jail. On the other
+++     * hand, the file is not really readable.
+++     */ 
+++    if (strlen(var_smtp_tls_CAfile) == 0)
+++	CAfile = NULL;
+++    else
+++	CAfile = var_smtp_tls_CAfile;
+++    if (strlen(var_smtp_tls_CApath) == 0)
+++	CApath = NULL;
+++    else
+++	CApath = var_smtp_tls_CApath;
+++    if (CAfile || CApath) {
+++	if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
+++	    msg_info("TLS engine: cannot load CA data");
+++	    pfixtls_print_errors();
+++	    return (-1);
+++	}
+++	if (!SSL_CTX_set_default_verify_paths(ctx)) {
+++	    msg_info("TLS engine: cannot set verify paths");
+++	    pfixtls_print_errors();
+++	    return (-1);
+++	}
+++    }
+++
+++    if (strlen(var_smtp_tls_cert_file) == 0)
+++	c_cert_file = NULL;
+++    else
+++	c_cert_file = var_smtp_tls_cert_file;
+++    if (strlen(var_smtp_tls_key_file) == 0)
+++	c_key_file = NULL;
+++    else
+++	c_key_file = var_smtp_tls_key_file;
+++    if (c_cert_file || c_key_file)
+++	if (!set_cert_stuff(ctx, c_cert_file, c_key_file)) {
+++	    msg_info("TLS engine: cannot load cert/key data");
+++	    pfixtls_print_errors();
+++	    return (-1);
+++	}
+++
+++    /*
+++     * Sometimes a temporary RSA key might be needed by the OpenSSL
+++     * library. The OpenSSL doc indicates, that this might happen when
+++     * export ciphers are in use. We have to provide one, so well, we
+++     * just do it.
+++     */
+++    SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_cb);
+++
+++    /*
+++     * Finally, the setup for the server certificate checking, done
+++     * "by the book".
+++     */
+++    SSL_CTX_set_verify(ctx, verify_flags, verify_callback);
+++
+++    /*
+++     * Initialize the session cache. We only want external caching to
+++     * synchronize between server sessions, so we set it to a minimum value
+++     * of 1. If the external cache is disabled, we won't cache at all.
+++     *
+++     * In case of the client, there is no callback used in OpenSSL, so
+++     * we must call the session cache functions manually during the process.
+++     */
+++    SSL_CTX_sess_set_cache_size(ctx, 1);
+++    SSL_CTX_set_timeout(ctx, var_smtp_tls_scache_timeout);
+++
+++    /*
+++     * The session cache is realized by an external database file, that
+++     * must be opened before going to chroot jail. Since the session cache
+++     * data can become quite large, "[n]dbm" cannot be used as it has a
+++     * size limit that is by far to small.
+++     */
+++    if (*var_smtp_tls_scache_db) {
+++	/*
+++	 * Insert a test against other dbms here, otherwise while writing
+++	 * a session (content to large), we will receive a fatal error!
+++	 */
+++	if (strncmp(var_smtp_tls_scache_db, "sdbm:", 5))
+++	    msg_warn("Only sdbm: type allowed for %s",
+++		     var_smtp_tls_scache_db);
+++	else
+++	    scache_db = dict_open(var_smtp_tls_scache_db, O_RDWR,
+++	      DICT_FLAG_DUP_REPLACE | DICT_FLAG_LOCK | DICT_FLAG_SYNC_UPDATE);
+++	if (!scache_db)
+++	    msg_warn("Could not open session cache %s",
+++		     var_smtp_tls_scache_db);
+++	/*
+++	 * It is practical to have OpenSSL automatically save newly created
+++	 * sessions for us by callback. Therefore we have to enable the
+++	 * internal session cache for the client side. Disable automatic
+++	 * clearing, as smtp has limited lifetime anyway and we can call
+++	 * the cleanup routine at will.
+++	 */
+++	SSL_CTX_set_session_cache_mode(ctx,
+++			SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_NO_AUTO_CLEAR);
+++	SSL_CTX_sess_set_new_cb(ctx, new_session_cb);
+++    }
+++   
+++    /*
+++     * Finally create the global index to access TLScontext information
+++     * inside verify_callback.
+++     */
+++    TLScontext_index = SSL_get_ex_new_index(0, "TLScontext ex_data index",
+++					    NULL, NULL, NULL);
+++    TLSpeername_index = SSL_SESSION_get_ex_new_index(0,
+++					    "TLSpeername ex_data index",
+++					    new_peername_func,
+++					    dup_peername_func,
+++					    free_peername_func);
+++
+++    pfixtls_clientengine = 1;
+++    return (0);
+++}
+++
+++ /*
+++  * This is the actual startup routine for the connection. We expect
+++  * that the buffers are flushed and the "220 Ready to start TLS" was
+++  * received by us, so that we can immediately can start the TLS
+++  * handshake process.
+++  */
+++int     pfixtls_start_clienttls(VSTREAM *stream, int timeout,
+++			        int enforce_peername,
+++				const char *peername,
+++				tls_info_t *tls_info)
+++{
+++    int     sts;
+++    SSL_SESSION *session, *old_session;
+++    SSL_CIPHER *cipher;
+++    X509   *peer;
+++    int     verify_flags;
+++    TLScontext_t *TLScontext;
+++
+++    if (!pfixtls_clientengine) {		/* should never happen */
+++	msg_info("tls_engine not running");
+++	return (-1);
+++    }
+++    if (var_smtpd_tls_loglevel >= 1)
+++	msg_info("setting up TLS connection to %s", peername);
+++
+++    /*
+++     * Allocate a new TLScontext for the new connection and get an SSL
+++     * structure. Add the location of TLScontext to the SSL to later
+++     * retrieve the information inside the verify_callback().
+++     */
+++    TLScontext = (TLScontext_t *)mymalloc(sizeof(TLScontext_t));
+++    if (!TLScontext) {
+++	msg_fatal("Could not allocate 'TLScontext' with mymalloc");
+++    }
+++    if ((TLScontext->con = (SSL *) SSL_new(ctx)) == NULL) {
+++	msg_info("Could not allocate 'TLScontext->con' with SSL_new()");
+++	pfixtls_print_errors();
+++	myfree((char *)TLScontext);
+++	return (-1);
+++    }
+++    if (!SSL_set_ex_data(TLScontext->con, TLScontext_index, TLScontext)) {
+++	msg_info("Could not set application data for 'TLScontext->con'");
+++	pfixtls_print_errors();
+++	SSL_free(TLScontext->con);
+++	myfree((char *)TLScontext);
+++	return (-1);
+++    }
+++
+++    /*
+++     * Set the verification parameters to be checked in verify_callback().
+++     */
+++    if (enforce_peername) {
+++	verify_flags = SSL_VERIFY_PEER;
+++	TLScontext->enforce_verify_errors = 1;
+++	TLScontext->enforce_CN = 1;
+++        SSL_set_verify(TLScontext->con, verify_flags, verify_callback);
+++    }
+++    else {
+++	TLScontext->enforce_verify_errors = 0;
+++	TLScontext->enforce_CN = 0;
+++    }
+++    TLScontext->hostname_matched = 0;
+++
+++    /*
+++     * The TLS connection is realized by a BIO_pair, so obtain the pair.
+++     */
+++    if (!BIO_new_bio_pair(&TLScontext->internal_bio, BIO_bufsiz,
+++			  &TLScontext->network_bio, BIO_bufsiz)) {
+++	msg_info("Could not obtain BIO_pair");
+++	pfixtls_print_errors();
+++	SSL_free(TLScontext->con);
+++	myfree((char *)TLScontext);
+++	return (-1);
+++    }
+++
+++    old_session = NULL;
+++
+++    /*
+++     * Find out the hashed HostID for the client cache and try to
+++     * load the session from the cache.
+++     */
+++    strncpy(TLScontext->peername_save, peername, ID_MAXLENGTH + 1);
+++    TLScontext->peername_save[ID_MAXLENGTH] = '\0';  /* just in case */
+++    (void)lowercase(TLScontext->peername_save);
+++    if (scache_db) {
+++	old_session = load_clnt_session(peername, enforce_peername);
+++	if (old_session) {
+++	   SSL_set_session(TLScontext->con, old_session);
+++#if (OPENSSL_VERSION_NUMBER < 0x00906011L) || (OPENSSL_VERSION_NUMBER == 0x00907000L)
+++	    /*
+++	     * Ugly Hack: OpenSSL before 0.9.6a does not store the verify
+++	     * result in sessions for the client side.
+++	     * We modify the session directly which is version specific,
+++	     * but this bug is version specific, too.
+++	     *
+++	     * READ: 0-09-06-01-1 = 0-9-6-a-beta1: all versions before
+++	     * beta1 have this bug, it has been fixed during development
+++	     * of 0.9.6a. The development version of 0.9.7 can have this
+++	     * bug, too. It has been fixed on 2000/11/29.
+++	     */
+++	    SSL_set_verify_result(TLScontext->con, old_session->verify_result);
+++#endif
+++	   
+++	}
+++    }
+++
+++    /*
+++     * Before really starting anything, try to seed the PRNG a little bit
+++     * more.
+++     */
+++    pfixtls_stir_seed();
+++    pfixtls_exchange_seed();
+++
+++    /*
+++     * Initialize the SSL connection to connect state. This should not be
+++     * necessary anymore since 0.9.3, but the call is still in the library
+++     * and maintaining compatibility never hurts.
+++     */
+++    SSL_set_connect_state(TLScontext->con);
+++
+++    /*
+++     * Connect the SSL-connection with the postfix side of the BIO-pair for
+++     * reading and writing.
+++     */
+++    SSL_set_bio(TLScontext->con, TLScontext->internal_bio,
+++		TLScontext->internal_bio);
+++
+++    /*
+++     * If the debug level selected is high enough, all of the data is
+++     * dumped: 3 will dump the SSL negotiation, 4 will dump everything.
+++     *
+++     * We do have an SSL_set_fd() and now suddenly a BIO_ routine is called?
+++     * Well there is a BIO below the SSL routines that is automatically
+++     * created for us, so we can use it for debugging purposes.
+++     */
+++    if (var_smtp_tls_loglevel >= 3)
+++	BIO_set_callback(SSL_get_rbio(TLScontext->con), bio_dump_cb);
+++
+++
+++    /* Dump the negotiation for loglevels 3 and 4 */
+++    if (var_smtp_tls_loglevel >= 3)
+++	do_dump = 1;
+++
+++    /*
+++     * Now we expect the negotiation to begin. This whole process is like a
+++     * black box for us. We totally have to rely on the routines build into
+++     * the OpenSSL library. The only thing we can do we already have done
+++     * by choosing our own callback certificate verification.
+++     *
+++     * Error handling:
+++     * If the SSL handhake fails, we print out an error message and remove
+++     * everything that might be there. A session has to be removed anyway,
+++     * because RFC2246 requires it. 
+++     */
+++    sts = do_tls_operation(vstream_fileno(stream), timeout, TLScontext,
+++			   SSL_connect, NULL, NULL, NULL, 0);
+++    if (sts <= 0) {
+++	msg_info("SSL_connect error to %s: %d", peername, sts);
+++	pfixtls_print_errors();
+++	session = SSL_get_session(TLScontext->con);
+++	if (session) {
+++	    SSL_CTX_remove_session(ctx, session);
+++	    if (var_smtp_tls_loglevel >= 2)
+++		msg_info("SSL session removed");
+++	}
+++	if ((old_session) && (!SSL_session_reused(TLScontext->con)))
+++	    SSL_SESSION_free(old_session);	/* Must also be removed */
+++	SSL_free(TLScontext->con);
+++	myfree((char *)TLScontext);
+++	return (-1);
+++    }
+++
+++    if (!SSL_session_reused(TLScontext->con)) {
+++	SSL_SESSION_free(old_session);	/* Remove unused session */
+++    }
+++    else if (var_smtp_tls_loglevel >= 3)
+++	msg_info("Reusing old session");
+++
+++    /* Only loglevel==4 dumps everything */
+++    if (var_smtp_tls_loglevel < 4)
+++	do_dump = 0;
+++
+++    /*
+++     * Lets see, whether a peer certificate is available and what is
+++     * the actual information. We want to save it for later use.
+++     */
+++    peer = SSL_get_peer_certificate(TLScontext->con);
+++    if (peer != NULL) {
+++	if (SSL_get_verify_result(TLScontext->con) == X509_V_OK)
+++	    tls_info->peer_verified = 1;
+++
+++	tls_info->hostname_matched = TLScontext->hostname_matched;
+++	TLScontext->peer_CN[0] = '\0';
+++	if (!X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
+++			NID_commonName, TLScontext->peer_CN, CCERT_BUFSIZ)) {
+++	    msg_info("Could not parse server's subject CN");
+++	    pfixtls_print_errors();
+++	}
+++	tls_info->peer_CN = TLScontext->peer_CN;
+++
+++	TLScontext->issuer_CN[0] = '\0';
+++	if (!X509_NAME_get_text_by_NID(X509_get_issuer_name(peer),
+++			NID_commonName, TLScontext->issuer_CN, CCERT_BUFSIZ)) {
+++	    msg_info("Could not parse server's issuer CN");
+++	    pfixtls_print_errors();
+++	}
+++	if (!TLScontext->issuer_CN[0]) {
+++	    /* No issuer CN field, use Organization instead */
+++	    if (!X509_NAME_get_text_by_NID(X509_get_issuer_name(peer),
+++		NID_organizationName, TLScontext->issuer_CN, CCERT_BUFSIZ)) {
+++		msg_info("Could not parse server's issuer Organization");
+++		pfixtls_print_errors();
+++	    }
+++	}
+++	tls_info->issuer_CN = TLScontext->issuer_CN;
+++
+++	if (var_smtp_tls_loglevel >= 1) {
+++	    if (tls_info->peer_verified)
+++		msg_info("Verified: subject_CN=%s, issuer=%s",
+++			 TLScontext->peer_CN, TLScontext->issuer_CN);
+++	    else
+++		msg_info("Unverified: subject_CN=%s, issuer=%s",
+++			 TLScontext->peer_CN, TLScontext->issuer_CN);
+++	}
+++	X509_free(peer);
+++    }
+++
+++    /*
+++     * Finally, collect information about protocol and cipher for logging
+++     */ 
+++    tls_info->protocol = SSL_get_version(TLScontext->con);
+++    cipher = SSL_get_current_cipher(TLScontext->con);
+++    tls_info->cipher_name = SSL_CIPHER_get_name(cipher);
+++    tls_info->cipher_usebits = SSL_CIPHER_get_bits(cipher,
+++						 &(tls_info->cipher_algbits));
+++
+++    pfixtls_clientactive = 1;
+++
+++    /*
+++     * The TLS engine is active, switch to the pfixtls_timed_read/write()
+++     * functions.
+++     */
+++    vstream_control(stream,
+++		    VSTREAM_CTL_READ_FN, pfixtls_timed_read,
+++		    VSTREAM_CTL_WRITE_FN, pfixtls_timed_write,
+++		    VSTREAM_CTL_CONTEXT, (void *)TLScontext,
+++		    VSTREAM_CTL_END);
+++
+++    if (var_smtp_tls_loglevel >= 1)
+++	msg_info("TLS connection established to %s: %s with cipher %s (%d/%d bits)",
+++		 peername, tls_info->protocol, tls_info->cipher_name,
+++		 tls_info->cipher_usebits, tls_info->cipher_algbits);
+++
+++    pfixtls_stir_seed();
+++
+++    return (0);
+++}
+++
+++ /*
+++  * Shut down the TLS connection, that does mean: remove all the information
+++  * and reset the flags! This is needed if the actual running smtp is to
+++  * be restarted. We do not give back any value, as there is nothing to
+++  * be reported.
+++  * Since our session cache is external, we will remove the session from
+++  * memory in any case. The SSL_CTX_flush_sessions might be redundant here,
+++  * I however want to make sure nothing is left.
+++  * RFC2246 requires us to remove sessions if something went wrong, as
+++  * indicated by the "failure" value,so we remove it from the external
+++  * cache, too.
+++  */
+++int     pfixtls_stop_clienttls(VSTREAM *stream, int timeout, int failure,
+++			       tls_info_t *tls_info)
+++{
+++    TLScontext_t *TLScontext;
+++    int retval;
+++
+++    if (pfixtls_clientactive) {
+++	TLScontext = (TLScontext_t *)vstream_context(stream);
+++	/*
+++	 * Perform SSL_shutdown() twice, as the first attempt may return
+++	 * to early: it will only send out the shutdown alert but it will
+++	 * not wait for the peer's shutdown alert. Therefore, when we are
+++	 * the first party to send the alert, we must call SSL_shutdown()
+++	 * again.
+++	 * On failure we don't want to resume the session, so we will not
+++	 * perform SSL_shutdown() and the session will be removed as being
+++	 * bad.
+++	 */
+++	if (!failure) {
+++	    retval = do_tls_operation(vstream_fileno(stream), timeout,
+++				TLScontext, SSL_shutdown, NULL, NULL, NULL, 0);
+++	    if (retval == 0)
+++		do_tls_operation(vstream_fileno(stream), timeout, TLScontext,
+++				SSL_shutdown, NULL, NULL, NULL, 0);
+++	}
+++	/*
+++	 * Free the SSL structure and the BIOs. Warning: the internal_bio is
+++	 * connected to the SSL structure and is automatically freed with
+++	 * it. Do not free it again (core dump)!!
+++	 * Only free the network_bio.
+++	 */
+++	SSL_free(TLScontext->con);
+++	BIO_free(TLScontext->network_bio);
+++	myfree((char *)TLScontext);
+++	vstream_control(stream,
+++		    VSTREAM_CTL_READ_FN, (VSTREAM_FN) NULL,
+++		    VSTREAM_CTL_WRITE_FN, (VSTREAM_FN) NULL,
+++		    VSTREAM_CTL_CONTEXT, (void *) NULL,
+++		    VSTREAM_CTL_END);
+++	SSL_CTX_flush_sessions(ctx, time(NULL));
+++
+++	pfixtls_stir_seed();
+++	pfixtls_exchange_seed();
+++
+++	*tls_info = tls_info_zero;
+++	pfixtls_clientactive = 0;
+++
+++    }
+++
+++    return (0);
+++}
+++
+++
+++#endif /* USE_SSL */
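Review bot: the read() calls on the entropy sources in pfixtls_init_clientengine ignore their return value, so on a short read or an error RAND_seed() is handed the requested length rather than the bytes actually received and seeds from whatever was in `buffer` (`read(rand_source_dev_fd, buffer, var_tls_daemon_rand_bytes); RAND_seed(buffer, var_tls_daemon_rand_bytes);` on the dev: path, and `read(rand_source_socket_fd, buffer, rand_bytes); RAND_seed(buffer, rand_bytes);` on the egd: path). Store the count in a ssize_t and seed only with that many bytes when it is positive; the clamp to 255 keeps both reads inside `buffer`, so the effect is an overstated entropy estimate rather than an overflow. Related: the clamp writes back into the global var_tls_daemon_rand_bytes, open() is called with a literal 0 instead of O_RDONLY, and the block comment before `off |= SSL_OP_ALL` acknowledges that SSLv2 is left enabled on the client side; setting SSL_OP_NO_SSLv2 would be the safer default even if the remaining protocols stay open. Style: the stray `};` after the SSL_CTX_new error block, the mixed space/tab indentation of the "TLS connection established from" msg_info line, and several comment typos (speficications, explicitely, seperate, handhake, "to early", "callback hoods").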
++diff -ruN postfix-2.1.0-vanilla/src/global/pfixtls.h postfix-2.1.0/src/global/pfixtls.h
++--- postfix-2.1.0-vanilla/src/global/pfixtls.h	Thu Jan  1 01:00:00 1970
+++++ postfix-2.1.0/src/global/pfixtls.h	Sat Apr 24 14:35:27 2004
++@@ -0,0 +1,81 @@
+++/*++
+++/* NAME
+++/*      pfixtls 3h
+++/* SUMMARY
+++/*      TLS routines
+++/* SYNOPSIS
+++/*      include "pfixtls.h"
+++/* DESCRIPTION
+++/* .nf
+++/*--*/
+++
+++#ifndef PFIXTLS_H_INCLUDED
+++#define PFIXTLS_H_INCLUDED
+++
+++#if defined(HAS_SSL) && !defined(USE_SSL)
+++#define USE_SSL
+++#endif
+++
+++typedef struct {
+++    int     peer_verified;
+++    int     hostname_matched;
+++    char   *peer_subject;
+++    char   *peer_issuer;
+++    char   *peer_fingerprint;
+++    char   *peer_CN;
+++    char   *issuer_CN;
+++    const char *protocol;
+++    const char *cipher_name;
+++    int     cipher_usebits;
+++    int     cipher_algbits;
+++} tls_info_t;
+++
+++extern const tls_info_t tls_info_zero;
+++
+++#ifdef USE_SSL
+++
+++typedef struct {
+++    long scache_db_version;
+++    long openssl_version;
+++    time_t timestamp;		/* We could add other info here... */
+++    int enforce_peername;
+++} pfixtls_scache_info_t;
+++
+++extern const long scache_db_version;
+++extern const long openssl_version;
+++
+++int     pfixtls_timed_read(int fd, void *buf, unsigned len, int timout,
+++			   void *unused_timeout);
+++int     pfixtls_timed_write(int fd, void *buf, unsigned len, int timeout,
+++			    void *unused_timeout);
+++
+++extern int pfixtls_serverengine;
+++int     pfixtls_init_serverengine(int verifydepth, int askcert);
+++int     pfixtls_start_servertls(VSTREAM *stream, int timeout,
+++				const char *peername, const char *peeraddr,
+++				tls_info_t *tls_info, int require_cert);
+++int     pfixtls_stop_servertls(VSTREAM *stream, int timeout, int failure,
+++			       tls_info_t *tls_info);
+++
+++extern int pfixtls_clientengine;
+++int     pfixtls_init_clientengine(int verifydepth);
+++int     pfixtls_start_clienttls(VSTREAM *stream, int timeout,
+++				int enforce_peername,
+++				const char *peername,
+++				tls_info_t *tls_info);
+++int     pfixtls_stop_clienttls(VSTREAM *stream, int timeout, int failure,
+++			       tls_info_t *tls_info);
+++
+++#endif /* PFIXTLS_H_INCLUDED */
+++#endif
+++
+++/* LICENSE
+++/* .ad
+++/* .fi
+++/* AUTHOR(S)
+++/*	Lutz Jaenicke
+++/*	BTU Cottbus
+++/*	Allgemeine Elektrotechnik
+++/*	Universitaetsplatz 3-4
+++/*	D-03044 Cottbus, Germany
+++/*--*/
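Review bot: the `#endif` labels at the end of the header are swapped: `#endif /* PFIXTLS_H_INCLUDED */` actually closes `#ifdef USE_SSL`, and the bare `#endif` on the following line closes the include guard; relabel them so the nesting reads correctly. Also `timout` in the pfixtls_timed_read prototype is a typo for `timeout` (the matching pfixtls_timed_write prototype spells it correctly), and the prototype names the last parameter of pfixtls_start_servertls `require_cert` while the implementation in this patch tests `requirecert`; legal, but worth aligning.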
++diff -ruN postfix-2.1.0-vanilla/src/smtp/Makefile.in postfix-2.1.0/src/smtp/Makefile.in
++--- postfix-2.1.0-vanilla/src/smtp/Makefile.in	Thu Apr 22 21:37:45 2004
+++++ postfix-2.1.0/src/smtp/Makefile.in	Sat Apr 24 14:35:27 2004
++@@ -77,6 +77,7 @@
++ smtp.o: ../../include/debug_peer.h
++ smtp.o: ../../include/flush_clnt.h
++ smtp.o: ../../include/mail_server.h
+++smtp.o: ../../include/pfixtls.h
++ smtp.o: smtp.h
++ smtp.o: smtp_sasl.h
++ smtp_addr.o: smtp_addr.c
++@@ -96,6 +97,7 @@
++ smtp_addr.o: ../../include/argv.h
++ smtp_addr.o: ../../include/deliver_request.h
++ smtp_addr.o: ../../include/recipient_list.h
+++smtp_addr.o: ../../include/pfixtls.h
++ smtp_addr.o: smtp_addr.h
++ smtp_chat.o: smtp_chat.c
++ smtp_chat.o: ../../include/sys_defs.h
++@@ -116,6 +118,7 @@
++ smtp_chat.o: ../../include/cleanup_user.h
++ smtp_chat.o: ../../include/mail_error.h
++ smtp_chat.o: ../../include/name_mask.h
+++smtp_chat.o: ../../include/pfixtls.h
++ smtp_chat.o: smtp.h
++ smtp_connect.o: smtp_connect.c
++ smtp_connect.o: ../../include/sys_defs.h
++@@ -142,6 +145,7 @@
++ smtp_connect.o: ../../include/mail_error.h
++ smtp_connect.o: ../../include/name_mask.h
++ smtp_connect.o: ../../include/dns.h
+++smtp_connect.o: ../../include/pfixtls.h
++ smtp_connect.o: smtp.h
++ smtp_connect.o: ../../include/argv.h
++ smtp_connect.o: smtp_addr.h
++@@ -174,6 +178,7 @@
++ smtp_proto.o: ../../include/attr.h
++ smtp_proto.o: ../../include/mime_state.h
++ smtp_proto.o: ../../include/header_opts.h
+++smtp_proto.o: ../../include/pfixtls.h
++ smtp_proto.o: smtp.h
++ smtp_proto.o: ../../include/argv.h
++ smtp_proto.o: smtp_sasl.h
++@@ -231,9 +236,12 @@
++ smtp_session.o: ../../include/stringops.h
++ smtp_session.o: ../../include/vstring.h
++ smtp_session.o: smtp.h
+++smtp_session.o: ../../include/mail_params.h
+++smtp_session.o: ../../include/pfixtls.h
++ smtp_session.o: ../../include/argv.h
++ smtp_session.o: ../../include/deliver_request.h
++ smtp_session.o: ../../include/recipient_list.h
+++smtp_session.o: ../../include/maps.h
++ smtp_state.o: smtp_state.c
++ smtp_state.o: ../../include/sys_defs.h
++ smtp_state.o: ../../include/mymalloc.h
++@@ -247,6 +255,7 @@
++ smtp_state.o: ../../include/argv.h
++ smtp_state.o: ../../include/deliver_request.h
++ smtp_state.o: ../../include/recipient_list.h
+++smtp_state.o: ../../include/pfixtls.h
++ smtp_state.o: smtp_sasl.h
++ smtp_trouble.o: smtp_trouble.c
++ smtp_trouble.o: ../../include/sys_defs.h
++@@ -266,6 +275,7 @@
++ smtp_trouble.o: ../../include/name_mask.h
++ smtp_trouble.o: smtp.h
++ smtp_trouble.o: ../../include/argv.h
+++smtp_trouble.o: ../../include/pfixtls.h
++ smtp_unalias.o: smtp_unalias.c
++ smtp_unalias.o: ../../include/sys_defs.h
++ smtp_unalias.o: ../../include/htable.h
++@@ -278,3 +288,4 @@
++ smtp_unalias.o: ../../include/argv.h
++ smtp_unalias.o: ../../include/deliver_request.h
++ smtp_unalias.o: ../../include/recipient_list.h
+++smtp_unalias.o: ../../include/pfixtls.h
++diff -ruN postfix-2.1.0-vanilla/src/smtp/smtp.c postfix-2.1.0/src/smtp/smtp.c
++--- postfix-2.1.0-vanilla/src/smtp/smtp.c	Wed Apr 14 16:25:42 2004
+++++ postfix-2.1.0/src/smtp/smtp.c	Sat Apr 24 14:35:27 2004
++@@ -284,6 +284,7 @@
++ #include <mail_conf.h>
++ #include <debug_peer.h>
++ #include <flush_clnt.h>
+++#include <pfixtls.h>
++ 
++ /* Single server skeleton. */
++ 
++@@ -333,6 +334,17 @@
++ bool    var_smtp_send_xforward;
++ int     var_smtp_mxaddr_limit;
++ int     var_smtp_mxsess_limit;
+++bool    var_smtp_use_tls;
+++bool    var_smtp_enforce_tls;
+++char   *var_smtp_tls_per_site;
+++#ifdef USE_SSL
+++int     var_smtp_starttls_tmout;
+++char   *var_smtp_sasl_tls_opts;
+++char   *var_smtp_sasl_tls_verified_opts;
+++bool    var_smtp_tls_enforce_peername;
+++int     var_smtp_tls_scert_vd;
+++bool    var_smtp_tls_note_starttls_offer;
+++#endif
++ 
++  /*
++   * Global variables. smtp_errno is set by the address lookup routines and by
++@@ -453,6 +465,16 @@
++ 	msg_warn("%s is true, but SASL support is not compiled in",
++ 		 VAR_SMTP_SASL_ENABLE);
++ #endif
+++    /*
+++     * Initialize the TLS data before entering the chroot jail
+++     */
+++    if (var_smtp_use_tls || var_smtp_enforce_tls || var_smtp_tls_per_site[0])
+++#ifdef USE_SSL
+++	pfixtls_init_clientengine(var_smtp_tls_scert_vd);
+++#else
+++	msg_warn("TLS has been selected, but TLS support is not compiled in");
+++#endif
+++    smtp_tls_list_init();
++ 
++     /*
++      * Flush client.
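Review bot: smtp_tls_list_init() is called unconditionally after the #ifdef USE_SSL/#else block, so the smtp_tls_per_site map is opened in every build, including one without USE_SSL where smtp_session_alloc never consults it; move the call inside the USE_SSL branch or make the function a no-op there. The preceding if (var_smtp_use_tls || var_smtp_enforce_tls || var_smtp_tls_per_site[0]) has no braces and its body is the pfixtls_init_clientengine()/msg_warn() pair selected by the preprocessor; brace it so that a statement added later cannot silently fall outside the conditional.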
++@@ -493,9 +515,14 @@
++ 	VAR_ERROR_RCPT, DEF_ERROR_RCPT, &var_error_rcpt, 1, 0,
++ 	VAR_SMTP_SASL_PASSWD, DEF_SMTP_SASL_PASSWD, &var_smtp_sasl_passwd, 0, 0,
++ 	VAR_SMTP_SASL_OPTS, DEF_SMTP_SASL_OPTS, &var_smtp_sasl_opts, 0, 0,
+++#ifdef USE_SSL
+++	VAR_SMTP_SASL_TLS_OPTS, DEF_SMTP_SASL_TLS_OPTS, &var_smtp_sasl_tls_opts, 0, 0,
+++	VAR_SMTP_SASL_TLSV_OPTS, DEF_SMTP_SASL_TLSV_OPTS, &var_smtp_sasl_tls_verified_opts, 0, 0,
+++#endif
++ 	VAR_SMTP_BIND_ADDR, DEF_SMTP_BIND_ADDR, &var_smtp_bind_addr, 0, 0,
++ 	VAR_SMTP_HELO_NAME, DEF_SMTP_HELO_NAME, &var_smtp_helo_name, 1, 0,
++ 	VAR_SMTP_HOST_LOOKUP, DEF_SMTP_HOST_LOOKUP, &var_smtp_host_lookup, 1, 0,
+++	VAR_SMTP_TLS_PER_SITE, DEF_SMTP_TLS_PER_SITE, &var_smtp_tls_per_site, 0, 0,
++ 	0,
++     };
++     static CONFIG_TIME_TABLE time_table[] = {
++@@ -511,12 +538,18 @@
++ 	VAR_SMTP_QUIT_TMOUT, DEF_SMTP_QUIT_TMOUT, &var_smtp_quit_tmout, 1, 0,
++ 	VAR_SMTP_PIX_THRESH, DEF_SMTP_PIX_THRESH, &var_smtp_pix_thresh, 0, 0,
++ 	VAR_SMTP_PIX_DELAY, DEF_SMTP_PIX_DELAY, &var_smtp_pix_delay, 1, 0,
+++#ifdef USE_SSL
+++	VAR_SMTP_STARTTLS_TMOUT, DEF_SMTP_STARTTLS_TMOUT, &var_smtp_starttls_tmout, 1, 0,
+++#endif
++ 	0,
++     };
++     static CONFIG_INT_TABLE int_table[] = {
++ 	VAR_SMTP_LINE_LIMIT, DEF_SMTP_LINE_LIMIT, &var_smtp_line_limit, 0, 0,
++ 	VAR_SMTP_MXADDR_LIMIT, DEF_SMTP_MXADDR_LIMIT, &var_smtp_mxaddr_limit, 0, 0,
++ 	VAR_SMTP_MXSESS_LIMIT, DEF_SMTP_MXSESS_LIMIT, &var_smtp_mxsess_limit, 0, 0,
+++#ifdef USE_SSL
+++	VAR_SMTP_TLS_SCERT_VD, DEF_SMTP_TLS_SCERT_VD, &var_smtp_tls_scert_vd, 0, 0,
+++#endif
++ 	0,
++     };
++     static CONFIG_BOOL_TABLE bool_table[] = {
++@@ -530,6 +563,12 @@
++ 	VAR_SMTP_QUOTE_821_ENV, DEF_SMTP_QUOTE_821_ENV, &var_smtp_quote_821_env,
++ 	VAR_SMTP_DEFER_MXADDR, DEF_SMTP_DEFER_MXADDR, &var_smtp_defer_mxaddr,
++ 	VAR_SMTP_SEND_XFORWARD, DEF_SMTP_SEND_XFORWARD, &var_smtp_send_xforward,
+++	VAR_SMTP_USE_TLS, DEF_SMTP_USE_TLS, &var_smtp_use_tls,
+++	VAR_SMTP_ENFORCE_TLS, DEF_SMTP_ENFORCE_TLS, &var_smtp_enforce_tls,
+++#ifdef USE_SSL
+++	VAR_SMTP_TLS_ENFORCE_PN, DEF_SMTP_TLS_ENFORCE_PN, &var_smtp_tls_enforce_peername,
+++	VAR_SMTP_TLS_NOTEOFFER, DEF_SMTP_TLS_NOTEOFFER, &var_smtp_tls_note_starttls_offer,
+++#endif
++ 	0,
++     };
++ 
++diff -ruN postfix-2.1.0-vanilla/src/smtp/smtp.h postfix-2.1.0/src/smtp/smtp.h
++--- postfix-2.1.0-vanilla/src/smtp/smtp.h	Fri Dec 26 20:17:29 2003
+++++ postfix-2.1.0/src/smtp/smtp.h	Sat Apr 24 14:35:27 2004
++@@ -27,6 +27,7 @@
++   * Global library.
++   */
++ #include <deliver_request.h>
+++#include <pfixtls.h>
++ 
++  /*
++   * State information associated with each SMTP delivery. We're bundling the
++@@ -113,9 +114,14 @@
++     char   *addr;			/* mail exchanger */
++     char   *namaddr;			/* mail exchanger */
++     int     best;			/* most preferred host */
+++    int     tls_use_tls;		/* can do TLS */
+++    int     tls_enforce_tls;		/* must do TLS */
+++    int     tls_enforce_peername;	/* cert must match */
+++    tls_info_t tls_info;		/* TLS connection state */
++ } SMTP_SESSION;
++ 
++-extern SMTP_SESSION *smtp_session_alloc(VSTREAM *, char *, char *);
+++extern void smtp_tls_list_init(void);
+++extern SMTP_SESSION *smtp_session_alloc(char *, VSTREAM *, char *, char *);
++ extern void smtp_session_free(SMTP_SESSION *);
++ 
++  /*
++diff -ruN postfix-2.1.0-vanilla/src/smtp/smtp_connect.c postfix-2.1.0/src/smtp/smtp_connect.c
++--- postfix-2.1.0-vanilla/src/smtp/smtp_connect.c	Thu Mar 25 19:07:35 2004
+++++ postfix-2.1.0/src/smtp/smtp_connect.c	Sat Apr 24 14:46:23 2004
++@@ -86,6 +86,7 @@
++ #include <debug_peer.h>
++ #include <deliver_pass.h>
++ #include <mail_error.h>
+++#include <pfixtls.h>
++ 
++ /* DNS library. */
++ 
++@@ -98,7 +99,7 @@
++ 
++ /* smtp_connect_addr - connect to explicit address */
++ 
++-static SMTP_SESSION *smtp_connect_addr(DNS_RR *addr, unsigned port,
+++static SMTP_SESSION *smtp_connect_addr(char *dest, DNS_RR *addr, unsigned port,
++ 				               VSTRING *why)
++ {
++     char   *myname = "smtp_connect_addr";
++@@ -212,7 +213,7 @@
++ 	return (0);
++     }
++     vstream_ungetc(stream, ch);
++-    return (smtp_session_alloc(stream, addr->name, inet_ntoa(sin.sin_addr)));
+++    return (smtp_session_alloc(dest, stream, addr->name, inet_ntoa(sin.sin_addr)));
++ }
++ 
++ /* smtp_parse_destination - parse destination */
++@@ -348,7 +349,7 @@
++ 	    next = addr->next;
++ 	    if (++addr_count == var_smtp_mxaddr_limit)
++ 		next = 0;
++-	    if ((state->session = smtp_connect_addr(addr, port, why)) != 0) {
+++	    if ((state->session = smtp_connect_addr(host, addr, port, why)) != 0) {
++ 		if (++sess_count == var_smtp_mxsess_limit)
++ 		    next = 0;
++ 		state->final_server = (cpp[1] == 0 && next == 0);
++diff -ruN postfix-2.1.0-vanilla/src/smtp/smtp_proto.c postfix-2.1.0/src/smtp/smtp_proto.c
++--- postfix-2.1.0-vanilla/src/smtp/smtp_proto.c	Wed Apr 14 22:02:20 2004
+++++ postfix-2.1.0/src/smtp/smtp_proto.c	Sat Apr 24 14:35:27 2004
++@@ -102,6 +102,7 @@
++ #include <quote_821_local.h>
++ #include <mail_proto.h>
++ #include <mime_state.h>
+++#include <pfixtls.h>
++ 
++ /* Application-specific. */
++ 
++@@ -184,6 +185,8 @@
++ 	XFORWARD_HELO, SMTP_FEATURE_XFORWARD_HELO,
++ 	0, 0,
++     };
+++    int     oldfeatures;
+++    int     rval;
++ 
++     /*
++      * Prepare for disaster.
++@@ -256,7 +259,8 @@
++ 				   translit(resp->str, "\n", " ")));
++ 	return (0);
++     }
++-
+++    if (var_smtp_always_ehlo)
+++	state->features |= SMTP_FEATURE_ESMTP;
++     /*
++      * Pick up some useful features offered by the SMTP server. XXX Until we
++      * have a portable routine to convert from string to off_t with proper
++@@ -268,6 +272,7 @@
++      * MicroSoft implemented AUTH based on an old draft.
++      */
++     lines = resp->str;
+++    oldfeatures = state->features;		/* remember */
++     while ((words = mystrtok(&lines, "\n")) != 0) {
++ 	if (mystrtok(&words, "- ") && (word = mystrtok(&words, " \t=")) != 0) {
++ 	    if (strcasecmp(word, "8BITMIME") == 0)
++@@ -288,6 +293,8 @@
++ 			state->size_limit = off_cvt_string(word);
++ 		}
++ 	    }
+++	    else if (strcasecmp(word, "STARTTLS") == 0)
+++		state->features |= SMTP_FEATURE_STARTTLS;
++ #ifdef USE_SASL_AUTH
++ 	    else if (var_smtp_sasl_enable && strcasecmp(word, "AUTH") == 0)
++ 		smtp_sasl_helo_auth(state, words);
++@@ -307,6 +314,128 @@
++ 	msg_info("server features: 0x%x size %.0f",
++ 		 state->features, (double) state->size_limit);
++ 
+++#ifdef USE_SSL
+++    if ((state->features & SMTP_FEATURE_STARTTLS) &&
+++	(var_smtp_tls_note_starttls_offer) &&
+++	(!(session->tls_enforce_tls || session->tls_use_tls)))
+++ 	msg_info("Host offered STARTTLS: [%s]", session->host);
+++    if ((session->tls_enforce_tls) &&
+++	!(state->features & SMTP_FEATURE_STARTTLS))
+++    {
+++	/*
+++	 * We are enforced to use TLS but it is not offered, so we will give
+++	 * up on this host. We won't even try STARTTLS, because we could
+++	 * receive a "500 command unrecognized" which would bounce the
+++	 * message. We instead want to delay until STARTTLS becomes
+++	 * available.
+++	 */
+++	return (smtp_site_fail(state, 450, "Could not start TLS: not offered"));
+++    }
+++    if ((session->tls_enforce_tls) && !pfixtls_clientengine) {
+++	/*
+++	 * We would like to start client TLS, but our own TLS-engine is
+++	 * not running.
+++	 */
+++	return (smtp_site_fail(state, 450,
+++		 "Could not start TLS: our TLS-engine not running"));
+++    }
+++    if ((state->features & SMTP_FEATURE_STARTTLS) &&
+++	((session->tls_use_tls && pfixtls_clientengine) ||
+++	 (session->tls_enforce_tls))) {
+++	/*
+++         * Try to use the TLS feature
+++         */
+++	smtp_chat_cmd(state, "STARTTLS");
+++	if ((resp = smtp_chat_resp(state))->code / 100 != 2) {
+++	    state->features &= ~SMTP_FEATURE_STARTTLS;
+++	    /*
+++	     * At this point a political decision is necessary. If we
+++	     * enforce usage of tls, we have to close the connection
+++	     * now.
+++	     */
+++	    if (session->tls_enforce_tls)
+++		return (smtp_site_fail(state, resp->code,
+++					 "host %s refused to start TLS: %s",
+++					   session->host,
+++					   translit(resp->str, "\n", " ")));
+++	} else {
+++	    if (rval = pfixtls_start_clienttls(session->stream,
+++					       var_smtp_starttls_tmout,
+++					       session->tls_enforce_peername,
+++					       session->host,
+++					       &(session->tls_info)))
+++		return (smtp_site_fail(state, 450,
+++				 "Could not start TLS: client failure"));
+++
+++
+++	    /*
+++	     * Now the connection is established and maybe we do have a
+++	     * validated cert with a CommonName in it.
+++	     * In enforce_peername state, the handshake would already have
+++	     * been terminated so the check here is for logging only!
+++	     */
+++	    if (session->tls_info.peer_CN != NULL) {
+++		if (!session->tls_info.peer_verified) {
+++		    msg_info("Peer certficate could not be verified");
+++		    if (session->tls_enforce_tls) {
+++			pfixtls_stop_clienttls(session->stream,
+++					       var_smtp_starttls_tmout, 1,
+++					       &(session->tls_info));
+++			return(smtp_site_fail(state, 450, "TLS-failure: Could not verify certificate"));
+++		    }
+++		}
+++	    } else if (session->tls_enforce_tls) {
+++		pfixtls_stop_clienttls(session->stream,
+++				       var_smtp_starttls_tmout, 1,
+++				       &(session->tls_info));
+++		return (smtp_site_fail(state, 450, "TLS-failure: Cannot verify hostname"));
+++	    }
+++
+++	    /*
+++	     * At this point we have to re-negotiate the "EHLO" to reget
+++	     * the feature-list
+++	     */
+++	    state->features = oldfeatures;
+++#ifdef USE_SASL_AUTH
+++	    if (state->sasl_mechanism_list) {
+++		myfree(state->sasl_mechanism_list);
+++		state->sasl_mechanism_list = 0;
+++	    }
+++#endif
+++	    if (state->features & SMTP_FEATURE_ESMTP) {
+++		smtp_chat_cmd(state, "EHLO %s", var_myhostname);
+++		if ((resp = smtp_chat_resp(state))->code / 100 != 2)
+++		    state->features &= ~SMTP_FEATURE_ESMTP;
+++	    }
+++	    lines = resp->str;
+++	    (void) mystrtok(&lines, "\n");
+++	    while ((words = mystrtok(&lines, "\n")) != 0) {
+++		if (mystrtok(&words, "- ") &&
+++		    (word = mystrtok(&words, " \t=")) != 0) {
+++		    if (strcasecmp(word, "8BITMIME") == 0)
+++			state->features |= SMTP_FEATURE_8BITMIME;
+++		    else if (strcasecmp(word, "PIPELINING") == 0)
+++			state->features |= SMTP_FEATURE_PIPELINING;
+++		    else if (strcasecmp(word, "SIZE") == 0)
+++			state->features |= SMTP_FEATURE_SIZE;
+++		    else if (strcasecmp(word, "STARTTLS") == 0)
+++			state->features |= SMTP_FEATURE_STARTTLS;
+++#ifdef USE_SASL_AUTH
+++		    else if (var_smtp_sasl_enable &&
+++			     strcasecmp(word, "AUTH") == 0)
+++			smtp_sasl_helo_auth(state, words);
+++#endif
+++		}
+++	    }
+++	    /*
+++	     * Actually, at this point STARTTLS should not be offered
+++	     * anymore, so we could check for a protocol violation, but
+++	     * what should we do then?
+++	     */
+++
+++	}
+++    }
+++#endif
++ #ifdef USE_SASL_AUTH
++     if (var_smtp_sasl_enable && (state->features & SMTP_FEATURE_AUTH))
++ 	return (smtp_sasl_helo_login(state));
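Review bot: In the post-STARTTLS branch the result of pfixtls_start_clienttls() is captured with an assignment inside the condition, "if (rval = pfixtls_start_clienttls(session->stream, ...", and rval is never read afterwards; drop the variable and test the call directly (the same form also draws an assignment-in-condition warning). When SMTP_FEATURE_ESMTP is not set after the reset to oldfeatures, no EHLO is sent, resp still points at the 220 reply to STARTTLS and the feature parser runs over that stale text; RFC 3207 says the client should send EHLO as its first command after a successful negotiation, so at least re-issue HELO/EHLO in that path rather than parsing the old reply. Minor: the log text "Peer certficate could not be verified" misspells certificate, and the msg_info("Host offered STARTTLS ...") line is indented with a space before the tab.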
++diff -ruN postfix-2.1.0-vanilla/src/smtp/smtp_session.c postfix-2.1.0/src/smtp/smtp_session.c
++--- postfix-2.1.0-vanilla/src/smtp/smtp_session.c	Mon Nov 20 19:06:05 2000
+++++ postfix-2.1.0/src/smtp/smtp_session.c	Sat Apr 24 14:35:27 2004
++@@ -42,15 +42,40 @@
++ #include <vstream.h>
++ #include <stringops.h>
++ 
+++#include <mail_params.h>
+++#include <maps.h>
+++#include <pfixtls.h>
+++
++ /* Application-specific. */
++ 
++ #include "smtp.h"
++ 
+++/* static lists */
+++static MAPS *tls_per_site;
+++
+++/* smtp_tls_list_init - initialize lists */
+++
+++void smtp_tls_list_init(void)
+++{
+++    tls_per_site = maps_create(VAR_SMTP_TLS_PER_SITE, var_smtp_tls_per_site,
+++			       DICT_FLAG_LOCK);
+++}
+++
++ /* smtp_session_alloc - allocate and initialize SMTP_SESSION structure */
++ 
++-SMTP_SESSION *smtp_session_alloc(VSTREAM *stream, char *host, char *addr)
+++SMTP_SESSION *smtp_session_alloc(char *dest, VSTREAM *stream, char *host, char *addr)
++ {
++     SMTP_SESSION *session;
+++    const char *lookup;
+++    char *lookup_key;
+++    int host_dont_use = 0;
+++    int host_use = 0;
+++    int host_enforce = 0;
+++    int host_enforce_peername = 0;
+++    int recipient_dont_use = 0;
+++    int recipient_use = 0;
+++    int recipient_enforce = 0;
+++    int recipient_enforce_peername = 0;
++ 
++     session = (SMTP_SESSION *) mymalloc(sizeof(*session));
++     session->stream = stream;
++@@ -58,6 +83,61 @@
++     session->addr = mystrdup(addr);
++     session->namaddr = concatenate(host, "[", addr, "]", (char *) 0);
++     session->best = 1;
+++    session->tls_use_tls = session->tls_enforce_tls = 0;
+++    session->tls_enforce_peername = 0;
+++#ifdef USE_SSL
+++    lookup_key = lowercase(mystrdup(host));
+++    if (lookup = maps_find(tls_per_site, lookup_key, 0)) {
+++	if (!strcasecmp(lookup, "NONE"))
+++	    host_dont_use = 1;
+++	else if (!strcasecmp(lookup, "MAY"))
+++	    host_use = 1;
+++	else if (!strcasecmp(lookup, "MUST"))
+++	    host_enforce = host_enforce_peername = 1;
+++	else if (!strcasecmp(lookup, "MUST_NOPEERMATCH"))
+++	    host_enforce = 1;
+++	else
+++	    msg_warn("Unknown TLS state for receiving host %s: '%s', using default policy", session->host, lookup);
+++    }
+++    myfree(lookup_key);
+++    lookup_key = lowercase(mystrdup(dest));
+++    if (lookup = maps_find(tls_per_site, dest, 0)) {
+++	if (!strcasecmp(lookup, "NONE"))
+++	    recipient_dont_use = 1;
+++	else if (!strcasecmp(lookup, "MAY"))
+++	    recipient_use = 1;
+++	else if (!strcasecmp(lookup, "MUST"))
+++	    recipient_enforce = recipient_enforce_peername = 1;
+++	else if (!strcasecmp(lookup, "MUST_NOPEERMATCH"))
+++	    recipient_enforce = 1;
+++	else
+++	    msg_warn("Unknown TLS state for recipient domain %s: '%s', using default policy", dest, lookup);
+++    }
+++    myfree(lookup_key);
+++
+++    if ((var_smtp_enforce_tls && !host_dont_use && !recipient_dont_use) || host_enforce ||
+++	 recipient_enforce)
+++	session->tls_enforce_tls = session->tls_use_tls = 1;
+++
+++    /*
+++     * Set up peername checking. We want to make sure that a MUST* entry in
+++     * the tls_per_site table always has precedence. MUST always must lead to
+++     * a peername check, MUST_NOPEERMATCH must always disable it. Only when
+++     * no explicit setting has been found, the default will be used.
+++     * There is the case left, that both "host" and "recipient" settings
+++     * conflict. In this case, the "host" setting wins.
+++     */
+++    if (host_enforce && host_enforce_peername)
+++	session->tls_enforce_peername = 1;
+++    else if (recipient_enforce && recipient_enforce_peername)
+++	session->tls_enforce_peername = 1;
+++    else if (var_smtp_enforce_tls && var_smtp_tls_enforce_peername)
+++	session->tls_enforce_peername = 1;
+++
+++    else if ((var_smtp_use_tls && !host_dont_use && !recipient_dont_use) || host_use || recipient_use)
+++      session->tls_use_tls = 1;
+++#endif
+++    session->tls_info = tls_info_zero;
++     return (session);
++ }
++ 
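Review bot: The recipient-domain lookup in smtp_session_alloc lowercases dest into lookup_key but then does not use it: "lookup_key = lowercase(mystrdup(dest));" is followed by "if (lookup = maps_find(tls_per_site, dest, 0))", so a mixed-case next-hop misses the table entry unless the map itself folds case, and lookup_key is freed unused; the host lookup above it does use lookup_key, so change the second call to maps_find(tls_per_site, lookup_key, 0). The MAY evaluation "else if ((var_smtp_use_tls && !host_dont_use && !recipient_dont_use) || host_use || recipient_use)" is chained to the peername if/else ladder, so it is skipped whenever a peername branch fires without enforce having been set: with host MAY, recipient NONE, and both smtp_enforce_tls and smtp_tls_enforce_peername on, the third branch sets tls_enforce_peername and the session falls back to plaintext although host_use is set and the comment says the host setting wins; make the MAY test a separate if. Both "if (lookup = maps_find(...))" conditions assign inside the test; add parentheses or compare against 0.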
++@@ -65,6 +145,11 @@
++ 
++ void    smtp_session_free(SMTP_SESSION *session)
++ {
+++#ifdef USE_SSL
+++    vstream_fflush(session->stream);
+++    pfixtls_stop_clienttls(session->stream, var_smtp_starttls_tmout, 0,
+++			   &(session->tls_info));
+++#endif
++     vstream_fclose(session->stream);
++     myfree(session->host);
++     myfree(session->addr);
++diff -ruN postfix-2.1.0-vanilla/src/smtpd/Makefile.in postfix-2.1.0/src/smtpd/Makefile.in
++--- postfix-2.1.0-vanilla/src/smtpd/Makefile.in	Thu Apr 22 21:37:39 2004
+++++ postfix-2.1.0/src/smtpd/Makefile.in	Sat Apr 24 14:35:27 2004
++@@ -150,6 +150,7 @@
++ smtpd.o: ../../include/namadr_list.h
++ smtpd.o: ../../include/input_transp.h
++ smtpd.o: ../../include/mail_server.h
+++smtpd.o: ../../include/pfixtls.h
++ smtpd.o: smtpd_token.h
++ smtpd.o: smtpd.h
++ smtpd.o: smtpd_check.h
++@@ -179,6 +180,7 @@
++ smtpd_chat.o: ../../include/cleanup_user.h
++ smtpd_chat.o: ../../include/mail_error.h
++ smtpd_chat.o: ../../include/name_mask.h
+++smtpd_chat.o: ../../include/pfixtls.h
++ smtpd_chat.o: smtpd.h
++ smtpd_chat.o: ../../include/mail_stream.h
++ smtpd_chat.o: smtpd_chat.h
++@@ -233,6 +235,7 @@
++ smtpd_check.o: ../../include/is_header.h
++ smtpd_check.o: smtpd.h
++ smtpd_check.o: ../../include/mail_stream.h
+++smtpd_check.o: ../../include/pfixtls.h
++ smtpd_check.o: smtpd_sasl_glue.h
++ smtpd_check.o: smtpd_check.h
++ smtpd_peer.o: smtpd_peer.c
++@@ -250,6 +253,7 @@
++ smtpd_peer.o: smtpd.h
++ smtpd_peer.o: ../../include/argv.h
++ smtpd_peer.o: ../../include/mail_stream.h
+++smtpd_peer.o: ../../include/pfixtls.h
++ smtpd_proxy.o: smtpd_proxy.c
++ smtpd_proxy.o: ../../include/sys_defs.h
++ smtpd_proxy.o: ../../include/msg.h
++@@ -329,6 +333,7 @@
++ smtpd_state.o: ../../include/vstring.h
++ smtpd_state.o: ../../include/argv.h
++ smtpd_state.o: ../../include/mail_stream.h
+++smtpd_state.o: ../../include/pfixtls.h
++ smtpd_state.o: smtpd_chat.h
++ smtpd_state.o: smtpd_sasl_glue.h
++ smtpd_token.o: smtpd_token.c
++@@ -338,6 +343,7 @@
++ smtpd_token.o: smtpd_token.h
++ smtpd_token.o: ../../include/vstring.h
++ smtpd_token.o: ../../include/vbuf.h
+++smtpd_token.o: ../../include/pfixtls.h
++ smtpd_xforward.o: smtpd_xforward.c
++ smtpd_xforward.o: ../../include/sys_defs.h
++ smtpd_xforward.o: ../../include/mymalloc.h
++diff -ruN postfix-2.1.0-vanilla/src/smtpd/smtpd.c postfix-2.1.0/src/smtpd/smtpd.c
++--- postfix-2.1.0-vanilla/src/smtpd/smtpd.c	Wed Apr 21 23:10:01 2004
+++++ postfix-2.1.0/src/smtpd/smtpd.c	Sat Apr 24 14:47:36 2004
++@@ -653,6 +653,7 @@
++ #include <anvil_clnt.h>
++ #endif
++ #include <flush_clnt.h>
+++#include <pfixtls.h>
++ 
++ /* Single-threaded server skeleton. */
++ 
++@@ -678,6 +679,7 @@
++   */
++ int     var_smtpd_rcpt_limit;
++ int     var_smtpd_tmout;
+++char   *var_relay_ccerts;
++ int     var_smtpd_soft_erlim;
++ int     var_smtpd_hard_erlim;
++ int     var_queue_minfree;		/* XXX use off_t */
++@@ -760,7 +762,19 @@
++ int     var_smtpd_crate_limit;
++ int     var_smtpd_cconn_limit;
++ char   *var_smtpd_hoggers;
+++#endif
++ 
+++bool    var_smtpd_use_tls;
+++bool    var_smtpd_enforce_tls;
+++bool    var_smtpd_tls_wrappermode;
+++#ifdef USE_SSL
+++int     var_smtpd_starttls_tmout;
+++bool    var_smtpd_tls_auth_only;
+++bool    var_smtpd_tls_ask_ccert;
+++bool    var_smtpd_tls_req_ccert;
+++int     var_smtpd_tls_ccert_vd;
+++bool    var_smtpd_tls_received_header;
+++char   *var_smtpd_sasl_tls_opts;
++ #endif
++ 
++  /*
++@@ -939,11 +953,21 @@
++     if (var_disable_vrfy_cmd == 0)
++ 	smtpd_chat_reply(state, "250-VRFY");
++     smtpd_chat_reply(state, "250-ETRN");
+++#ifdef USE_SSL
+++    if ((state->tls_use_tls || state->tls_enforce_tls) && (!state->tls_active))
+++	smtpd_chat_reply(state, "250-STARTTLS");
+++#endif
++ #ifdef USE_SASL_AUTH
++     if (var_smtpd_sasl_enable && !sasl_client_exception(state)) {
+++#ifdef USE_SSL
+++	if (!state->tls_auth_only || state->tls_active) {
+++#endif
++ 	smtpd_chat_reply(state, "250-AUTH %s", state->sasl_mechanism_list);
++ 	if (var_broken_auth_clients)
++ 	    smtpd_chat_reply(state, "250-AUTH=%s", state->sasl_mechanism_list);
+++#ifdef USE_SSL
+++	}
+++#endif
++     }
++ #endif
++     if (namadr_list_match(verp_clients, state->name, state->addr))
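Review bot: With smtpd_tls_auth_only the AUTH capability is only withheld from the EHLO reply here; nothing in this hunk refuses an AUTH command that a client sends anyway on the plaintext session. The 530 gate added to the command loop later in this patch fires only when tls_enforce_tls is set, so unless smtpd_sasl_auth_cmd checks tls_auth_only itself (not shown in the patch) the policy is advertised rather than enforced whenever tls_auth_only is on without enforce; add an explicit check in the AUTH handler or the dispatch loop that rejects AUTH while tls_auth_only is set and tls_active is 0.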
++@@ -1501,12 +1525,77 @@
++     state->rcpt_overshoot = 0;
++ }
++ 
+++/* CN_sanitize - make sure, the CN-string is well behaved */
+++
+++static void CN_sanitize(char *CNstring)
+++{
+++    int i;
+++    int len;
+++    int parencount;
+++
+++    /*
+++     * The information included in the CN (CommonName) of the peer and its
+++     * issuer can be included into the Received: header line. The characters
+++     * allowed as well as comment nesting are limited by RFC822.
+++     */
+++
+++    len = strlen(CNstring);
+++    /*
+++     * The Received: header can only contain characters. Make sure that only
+++     * acceptable characters are printed. Maybe we could allow more, but
+++     * not everything makes sense inside a CommonName.
+++     */
+++    for (i = 0; i < len; i++) 
+++	if (!((CNstring[i] >= 'A') && (CNstring[i] <='Z')) &&
+++	    !((CNstring[i] >= 'a') && (CNstring[i] <='z')) &&
+++	    !((CNstring[i] >= '0') && (CNstring[i] <='9')) &&
+++	    (CNstring[i] != '(') && (CNstring[i] != ')') &&
+++	    (CNstring[i] != '[') && (CNstring[i] != ']') &&
+++	    (CNstring[i] != '{') && (CNstring[i] != '}') &&
+++	    (CNstring[i] != '<') && (CNstring[i] != '>') &&
+++	    (CNstring[i] != '?') && (CNstring[i] != '!') &&
+++	    (CNstring[i] != ';') && (CNstring[i] != ':') &&
+++	    (CNstring[i] != '"') && (CNstring[i] != '\'') &&
+++	    (CNstring[i] != '/') && (CNstring[i] != '|') &&
+++	    (CNstring[i] != '+') && (CNstring[i] != '&') &&
+++	    (CNstring[i] != '~') && (CNstring[i] != '@') &&
+++	    (CNstring[i] != '#') && (CNstring[i] != '$') &&
+++	    (CNstring[i] != '%') && (CNstring[i] != '&') &&
+++	    (CNstring[i] != '^') && (CNstring[i] != '*') &&
+++	    (CNstring[i] != '_') && (CNstring[i] != '-') &&
+++	    (CNstring[i] != '.') && (CNstring[i] != ' '))
+++	    CNstring[i] = '?';
+++
+++    /*
+++     * This information will go into the Received: header inside a comment.
+++     * Since comments can be nested, parentheses '(' and ')' must match.
+++     */
+++    parencount = 0;
+++    for (i = 0; i < len; i++) {
+++	if (CNstring[i] == '(')
+++	    parencount++;
+++	else if (CNstring[i] == ')')
+++	    parencount--;
+++    }
+++    /*
+++     * The necessary condition is violated. Do YOU know, where to correct?
+++     * I don't know, so I will practically remove all parentheses.
+++     */
+++    if (parencount != 0) {
+++	for (i = 0; i < len; i++)
+++	    if ((CNstring[i] == '(') || (CNstring[i] == ')'))
+++		CNstring[i] = '/';
+++    }
+++}
+++
++ /* data_cmd - process DATA command */
++ 
++ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
++ {
++     char   *err;
++     char   *start;
+++    char   *peer_CN;
+++    char   *issuer_CN;
++     int     len;
++     int     curr_rec_type;
++     int     prev_rec_type;
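Review bot: CN_sanitize only checks the final parenthesis balance, so a CommonName such as ")(" passes with parencount == 0 although its first ')' terminates the enclosing Received: comment and the rest of the text escapes it; track the running depth in the counting loop and treat any negative value as a violation (then apply the same replacement). The character whitelist lists '&' twice (the "(CNstring[i] != '+') && (CNstring[i] != '&')" line and again next to '%') and it admits '"', yet data_cmd prints the sanitized CN inside a quoted field, "(Client CN \"%s\", Issuer \"%s\" ...)", so a double quote in the CN ends that field early; remove '"' (and probably '\'') from the allowed set so they are replaced like the other disallowed characters.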
++@@ -1600,6 +1689,37 @@
++ 		    "Received: from %s (%s [%s])",
++ 		    state->helo_name ? state->helo_name : state->name,
++ 		    state->name, state->addr);
+++#ifdef USE_SSL
+++	if (var_smtpd_tls_received_header && state->tls_active) {
+++	    out_fprintf(out_stream, REC_TYPE_NORM,
+++			"\t(using %s with cipher %s (%d/%d bits))",
+++			state->tls_info.protocol, state->tls_info.cipher_name,
+++			state->tls_info.cipher_usebits,
+++			state->tls_info.cipher_algbits);
+++	    if (state->tls_info.peer_CN) {
+++		peer_CN = mystrdup(state->tls_info.peer_CN);
+++		CN_sanitize(peer_CN);
+++		issuer_CN = mystrdup(state->tls_info.issuer_CN);
+++		CN_sanitize(issuer_CN);
+++		if (state->tls_info.peer_verified)
+++		    out_fprintf(out_stream, REC_TYPE_NORM,
+++			"\t(Client CN \"%s\", Issuer \"%s\" (verified OK))",
+++			peer_CN, issuer_CN);
+++		else
+++		    out_fprintf(out_stream, REC_TYPE_NORM,
+++			"\t(Client CN \"%s\", Issuer \"%s\" (not verified))",
+++			peer_CN, issuer_CN);
+++		myfree(issuer_CN);
+++		myfree(peer_CN);
+++	    }
+++	    else if (var_smtpd_tls_ask_ccert)
+++		out_fprintf(out_stream, REC_TYPE_NORM,
+++			    "\t(Client did not present a certificate)");
+++	    else
+++		out_fprintf(out_stream, REC_TYPE_NORM,
+++			    "\t(No client certificate requested)");
+++	}
+++#endif
++ 	if (state->rcpt_count == 1 && state->recipient) {
++ 	    out_fprintf(out_stream, REC_TYPE_NORM,
++ 			state->cleanup ? "\tby %s (%s) with %s id %s" :
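Review bot: issuer_CN is duplicated with mystrdup(state->tls_info.issuer_CN) without a NULL check while peer_CN is guarded by the enclosing if (state->tls_info.peer_CN); if the TLS library can leave issuer_CN unset for a presented certificate this dereferences NULL. Either test issuer_CN the same way or print a placeholder when it is absent.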
++@@ -2307,6 +2427,90 @@
++     }
++ }
++ 
+++static int starttls_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
+++{
+++    char   *err;
+++
+++#ifdef USE_SSL
+++    if (argc != 1) {
+++	state->error_mask |= MAIL_ERROR_PROTOCOL;
+++	smtpd_chat_reply(state, "501 Syntax: STARTTLS");
+++	return (-1);
+++    }
+++    if (state->tls_active != 0) {
+++	state->error_mask |= MAIL_ERROR_PROTOCOL;
+++	smtpd_chat_reply(state, "554 Error: TLS already active");
+++	return (-1);
+++    }
+++    if (state->tls_use_tls == 0) {
+++	state->error_mask |= MAIL_ERROR_PROTOCOL;
+++	smtpd_chat_reply(state, "502 Error: command not implemented");
+++	return (-1);
+++    }
+++    if (!pfixtls_serverengine) {
+++	smtpd_chat_reply(state, "454 TLS not available due to temporary reason");
+++	return (0);
+++    }
+++    smtpd_chat_reply(state, "220 Ready to start TLS");
+++    vstream_fflush(state->client);
+++    /*
+++     * When deciding about continuing the handshake, we will stop when a
+++     * client certificate was _required_ and none was presented or the
+++     * verification failed. This however does only make sense when TLS is
+++     * enforced. Otherwise we would happily perform perform the SMTP
+++     * transaction without any STARTTLS at all! So only have the handshake
+++     * fail when TLS is also enforced.
+++     */
+++    if (pfixtls_start_servertls(state->client, var_smtpd_starttls_tmout,
+++				state->name, state->addr, &(state->tls_info),
+++			(var_smtpd_tls_req_ccert && state->tls_enforce_tls))) {
+++	/*
+++         * Typically the connection is hanging at this point, so
+++         * we should try to shut it down by force! Unfortunately this
+++         * problem is not addressed in postfix!
+++         */
+++	return (-1);
+++    }
+++    state->tls_active = 1;
+++    helo_reset(state);
+++#ifdef USE_SASL_AUTH
+++    if (var_smtpd_sasl_enable) {
+++	/*
+++	 * When TLS is enabled, another set of AUTH methods may be offered,
+++	 * for example plain text methods that would not be offered without
+++	 * encryption protection. Reconnect with a different set of options.
+++	 */
+++	smtpd_sasl_disconnect(state);
+++	smtpd_sasl_connect(state, VAR_SMTPD_SASL_TLS_OPTS,
+++			   var_smtpd_sasl_tls_opts);
+++	smtpd_sasl_auth_reset(state);
+++    }
+++#endif
+++    mail_reset(state);
+++    rcpt_reset(state);
+++    return (0);
+++#else
+++    state->error_mask |= MAIL_ERROR_PROTOCOL;
+++    smtpd_chat_reply(state, "502 Error: command not implemented");
+++    return (-1);
+++#endif
+++}
+++
+++static void tls_reset(SMTPD_STATE *state)
+++{
+++    int failure = 0;
+++
+++    if (state->reason && state->where && strcmp(state->where, SMTPD_AFTER_DOT))
+++	failure = 1;
+++#ifdef USE_SSL
+++    vstream_fflush(state->client);
+++    if (state->tls_active)
+++	pfixtls_stop_servertls(state->client, var_smtpd_starttls_tmout,
+++			       failure, &(state->tls_info));
+++#endif
+++    state->tls_active = 0;
+++}
+++
++  /*
++   * The table of all SMTP commands that we know. Set the junk limit flag on
++   * any command that can be repeated an arbitrary number of times without
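Review bot: starttls_cmd declares "char *err;" and never uses it, and its third parameter is named argv although it is unused (data_cmd in this file uses unused_argv for that case); drop the local and follow the naming convention. When pfixtls_start_servertls() fails the function returns -1 without logging anything, and the comment admits the connection is probably hanging at that point; at minimum emit a msg_warn with state->namaddr so the failed handshake is visible in the log. Typo in the comment: "happily perform perform the SMTP transaction".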
++@@ -2325,6 +2529,10 @@
++     "HELO", helo_cmd, SMTPD_CMD_FLAG_LIMIT,
++     "EHLO", ehlo_cmd, SMTPD_CMD_FLAG_LIMIT,
++ 
+++#ifdef USE_SSL
+++    "STARTTLS", starttls_cmd, 0,
+++#endif
+++
++ #ifdef USE_SASL_AUTH
++     "AUTH", smtpd_sasl_auth_cmd, 0,
++ #endif
++@@ -2483,9 +2691,28 @@
++ 		state->error_count++;
++ 		continue;
++ 	    }
+++	    if (state->tls_enforce_tls &&
+++		!state->tls_active &&
+++		cmdp->action != starttls_cmd &&
+++		cmdp->action != noop_cmd &&
+++		cmdp->action != ehlo_cmd &&
+++		cmdp->action != quit_cmd) {
+++		smtpd_chat_reply(state,
+++				 "530 Must issue a STARTTLS command first");
+++		state->error_count++;
+++		continue;
+++	    }
++ 	    state->where = cmdp->name;
++-	    if (cmdp->action(state, argc, argv) != 0)
+++	    if (cmdp->action(state, argc, argv) != 0) {
++ 		state->error_count++;
+++		/*
+++		 * Die after TLS negotiation failure, as there is no
+++		 * stable way to recover from a possible mixture of
+++		 * TLS and SMTP protocol from the client.
+++		 */
+++		if (cmdp->action == starttls_cmd)
+++		    break;
+++	    }
++ 	    if ((cmdp->flags & SMTPD_CMD_FLAG_LIMIT)
++ 		&& state->junk_cmds++ > var_smtpd_junk_cmd_limit)
++ 		state->error_count++;
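Review bot: The "if (cmdp->action == starttls_cmd) break;" after a non-zero return ends the session for every failure path of starttls_cmd, not only a failed negotiation: the 501 syntax case, the 502 not-implemented case and the 554 "TLS already active" case all return -1 before any handshake is attempted, so a client that sends STARTTLS twice or with an argument is disconnected after receiving a reply that says it may continue. Let starttls_cmd signal an actual handshake failure distinctly (for example a dedicated return value or a flag in state) and break only on that; the comment above the break describes only the negotiation-failure case.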
++@@ -2525,6 +2752,7 @@
++      * Cleanup whatever information the client gave us during the SMTP
++      * dialog.
++      */
+++    tls_reset(state);
++     helo_reset(state);
++ #ifdef USE_SASL_AUTH
++     if (var_smtpd_sasl_enable)
++@@ -2557,6 +2785,58 @@
++      * machines.
++      */
++     smtpd_state_init(&state, stream);
+++
+++#ifdef USE_SSL
+++    if (SMTPD_STAND_ALONE((&state))) {
+++	state.tls_use_tls = 0;
+++	state.tls_enforce_tls = 0;
+++	state.tls_auth_only = 0;
+++    }
+++    else {
+++	state.tls_use_tls = var_smtpd_use_tls | var_smtpd_enforce_tls;
+++	state.tls_enforce_tls = var_smtpd_enforce_tls;
+++	if (var_smtpd_tls_wrappermode) {
+++	    /*
+++	     * TLS has been set to wrapper mode, meaning that we run on a
+++	     * seperate port and we must switch to TLS layer before actually
+++	     * performing the SMTP protocol. This implies enforce-mode.
+++	     */
+++	    state.tls_use_tls = state.tls_enforce_tls = 1;
+++	    if (pfixtls_start_servertls(state.client, var_smtpd_starttls_tmout,
+++					state.name, state.addr, &state.tls_info,
+++					var_smtpd_tls_req_ccert)) {
+++	    /*
+++	     * Typically the connection is hanging at this point, so
+++	     * we should try to shut it down by force! Unfortunately this
+++	     * problem is not addressed in postfix!
+++	     */
+++		return;
+++	    }
+++	    state.tls_active = 1;
+++#ifdef USE_SASL_AUTH
+++	    if (var_smtpd_sasl_enable) {
+++		/*
+++		 * When TLS is enabled, another set of AUTH methods may be
+++		 * offered, for example plain text methods that would not be
+++		 * offered without encryption protection. Reconnect with a
+++		 * different set of options.
+++		 */
+++		smtpd_sasl_disconnect(&state);
+++		smtpd_sasl_connect(&state, VAR_SMTPD_SASL_TLS_OPTS,
+++				   var_smtpd_sasl_tls_opts);
+++		smtpd_sasl_auth_reset(&state);
+++    	    }
+++#endif
+++	}
+++	if (var_smtpd_tls_auth_only || state.tls_enforce_tls)
+++	    state.tls_auth_only = 1;
+++    }
+++#else
+++    state.tls_use_tls = 0;
+++    state.tls_enforce_tls = 0;
+++    state.tls_auth_only = 0;
+++#endif
+++
++     msg_info("connect from %s[%s]", state.name, state.addr);
++ 
++     /*
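Review bot: the bare `return;` after a failed `pfixtls_start_servertls()` in wrapper mode drops the client without a log line and without tearing down the per-connection state that `smtpd_state_init(&state, stream)` just built: the `msg_info("connect from %s[%s]", state.name, state.addr)` only runs after the handshake, so a failed wrapper-mode handshake leaves no per-client trace in the log, and the normal end-of-session cleanup is skipped. Log the failure with state.name/state.addr and fall through to the usual teardown instead of returning early; the comment conceding that "the connection is hanging at this point" and that "this problem is not addressed in postfix" should become an actual shutdown of the stream rather than stay as a note about a known half-open socket. Two smaller points: `state.tls_use_tls = var_smtpd_use_tls | var_smtpd_enforce_tls;` uses bitwise OR on two booleans where `||` says what is meant, and "seperate" in the wrapper-mode comment is a typo for "separate".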
++@@ -2606,7 +2886,6 @@
++ 
++ static void pre_jail_init(char *unused_name, char **unused_argv)
++ {
++-
++     /*
++      * Initialize blacklist/etc. patterns before entering the chroot jail, in
++      * case they specify a filename pattern.
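Review bot: this hunk only deletes a blank line at the top of pre_jail_init() and makes no functional change; drop it so the patch stays minimal and rebases cleanly on the next upstream release.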
++@@ -2634,6 +2913,21 @@
++ 	msg_warn("%s is true, but SASL support is not compiled in",
++ 		 VAR_SMTPD_SASL_ENABLE);
++ #endif
+++    /*
+++     * Keys can only be loaded when running with superuser permissions.
+++     * When called from "sendmail -bs" this is not the case, but STARTTLS
+++     * is not used in this scenario anyhow.
+++     */
+++    if (geteuid() == 0) {
+++      if (var_smtpd_use_tls || var_smtpd_enforce_tls
+++	  || var_smtpd_tls_wrappermode)
+++#ifdef USE_SSL
+++	pfixtls_init_serverengine(var_smtpd_tls_ccert_vd,
+++				  var_smtpd_tls_ask_ccert);
+++#else
+++	msg_warn("TLS has been selected but TLS support is not compiled in");
+++#endif
+++    }
++ 
++     /*
++      * flush client.
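Review bot: the inner `if (var_smtpd_use_tls || var_smtpd_enforce_tls || var_smtpd_tls_wrappermode)` selects its body through `#ifdef USE_SSL` / `#else` without braces, which is fragile (a second statement added to either branch silently changes the control flow) and is indented two spaces deeper than the surrounding code; brace both branches and reindent. When TLS is configured but the process is not running as root the whole block is skipped silently; a msg_info there would make the "keys can only be loaded with superuser permissions" case diagnosable instead of leaving the operator with an unexplained plaintext-only server. Also, `pfixtls_init_serverengine()` receives only `var_smtpd_tls_ask_ccert`, while the wrapper-mode handshake in smtpd_proto passes `var_smtpd_tls_req_ccert` separately; it is not visible here whether req_ccert implies ask_ccert, and if it does not, a configuration that sets smtpd_tls_req_ccert without smtpd_tls_ask_ccert should either imply ask or produce a warning at startup.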
++@@ -2672,6 +2966,7 @@
++     if (var_smtpd_crate_limit || var_smtpd_cconn_limit)
++ 	anvil_clnt = anvil_clnt_create();
++ #endif
+++
++ }
++ 
++ /* main - the main program */
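Review bot: whitespace-only hunk (a blank line added before a closing brace); drop it.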
++@@ -2708,6 +3003,9 @@
++ 	VAR_SMTPD_CRATE_LIMIT, DEF_SMTPD_CRATE_LIMIT, &var_smtpd_crate_limit, 0, 0,
++ 	VAR_SMTPD_CCONN_LIMIT, DEF_SMTPD_CCONN_LIMIT, &var_smtpd_cconn_limit, 0, 0,
++ #endif
+++#ifdef USE_SSL
+++	VAR_SMTPD_TLS_CCERT_VD, DEF_SMTPD_TLS_CCERT_VD, &var_smtpd_tls_ccert_vd, 0, 0,
+++#endif
++ 	0,
++     };
++     static CONFIG_TIME_TABLE time_table[] = {
++@@ -2718,6 +3016,9 @@
++ 	VAR_SMTPD_POLICY_TMOUT, DEF_SMTPD_POLICY_TMOUT, &var_smtpd_policy_tmout, 1, 0,
++ 	VAR_SMTPD_POLICY_IDLE, DEF_SMTPD_POLICY_IDLE, &var_smtpd_policy_idle, 1, 0,
++ 	VAR_SMTPD_POLICY_TTL, DEF_SMTPD_POLICY_TTL, &var_smtpd_policy_ttl, 1, 0,
+++#ifdef USE_SSL
+++	VAR_SMTPD_STARTTLS_TMOUT, DEF_SMTPD_STARTTLS_TMOUT, &var_smtpd_starttls_tmout, 1, 0,
+++#endif
++ 	0,
++     };
++     static CONFIG_BOOL_TABLE bool_table[] = {
++@@ -2731,6 +3032,15 @@
++ 	VAR_SHOW_UNK_RCPT_TABLE, DEF_SHOW_UNK_RCPT_TABLE, &var_show_unk_rcpt_table,
++ 	VAR_SMTPD_REJ_UNL_FROM, DEF_SMTPD_REJ_UNL_FROM, &var_smtpd_rej_unl_from,
++ 	VAR_SMTPD_REJ_UNL_RCPT, DEF_SMTPD_REJ_UNL_RCPT, &var_smtpd_rej_unl_rcpt,
+++	VAR_SMTPD_USE_TLS, DEF_SMTPD_USE_TLS, &var_smtpd_use_tls,
+++	VAR_SMTPD_ENFORCE_TLS, DEF_SMTPD_ENFORCE_TLS, &var_smtpd_enforce_tls,
+++	VAR_SMTPD_TLS_WRAPPER, DEF_SMTPD_TLS_WRAPPER, &var_smtpd_tls_wrappermode,
+++#ifdef USE_SSL
+++	VAR_SMTPD_TLS_AUTH_ONLY, DEF_SMTPD_TLS_AUTH_ONLY, &var_smtpd_tls_auth_only,
+++	VAR_SMTPD_TLS_ACERT, DEF_SMTPD_TLS_ACERT, &var_smtpd_tls_ask_ccert,
+++	VAR_SMTPD_TLS_RCERT, DEF_SMTPD_TLS_RCERT, &var_smtpd_tls_req_ccert,
+++	VAR_SMTPD_TLS_RECHEAD, DEF_SMTPD_TLS_RECHEAD, &var_smtpd_tls_received_header,
+++#endif
++ 	0,
++     };
++     static CONFIG_STR_TABLE str_table[] = {
++@@ -2772,6 +3082,10 @@
++ #ifdef SNAPSHOT
++ 	VAR_SMTPD_HOGGERS, DEF_SMTPD_HOGGERS, &var_smtpd_hoggers, 0, 0,
++ #endif
+++#ifdef USE_SSL
+++	VAR_RELAY_CCERTS, DEF_RELAY_CCERTS, &var_relay_ccerts, 0, 0,
+++	VAR_SMTPD_SASL_TLS_OPTS, DEF_SMTPD_SASL_TLS_OPTS, &var_smtpd_sasl_tls_opts, 0, 0,
+++#endif
++ 	0,
++     };
++     static CONFIG_RAW_TABLE raw_table[] = {
++@@ -2794,3 +3108,4 @@
++ 		       MAIL_SERVER_POST_INIT, post_jail_init,
++ 		       0);
++ }
+++
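Review bot: this hunk adds nothing but a trailing blank line after the end of main(); drop it.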
++diff -ruN postfix-2.1.0-vanilla/src/smtpd/smtpd.h postfix-2.1.0/src/smtpd/smtpd.h
++--- postfix-2.1.0-vanilla/src/smtpd/smtpd.h	Wed Apr 21 20:23:33 2004
+++++ postfix-2.1.0/src/smtpd/smtpd.h	Sat Apr 24 14:35:28 2004
++@@ -32,6 +32,7 @@
++   * Global library.
++   */
++ #include <mail_stream.h>
+++#include <pfixtls.h>
++ 
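Review bot: `#include <pfixtls.h>` is added unconditionally, and the `tls_info_t tls_info` member added to SMTPD_STATE in the following hunk is unconditional as well, so every file that includes smtpd.h now depends on pfixtls.h even in a build without USE_SSL. That is only safe if pfixtls.h compiles without the OpenSSL headers; either guard the include and the tls_* members with `#ifdef USE_SSL` (and the initialisations in smtpd_state.c to match), or make it explicit in pfixtls.h that it is meant to be included in non-TLS builds.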
++  /*
++   * Variables that keep track of conversation state. There is only one SMTP
++@@ -136,6 +137,11 @@
++      * XFORWARD server state.
++      */
++     SMTPD_XFORWARD_ATTR xforward;	/* up-stream logging info */
+++    int     tls_active;
+++    int     tls_use_tls;
+++    int     tls_enforce_tls;
+++    int     tls_auth_only;
+++    tls_info_t tls_info;
++ } SMTPD_STATE;
++ 
++ #define SMTPD_STATE_XFORWARD_INIT  (1<<0)	/* xforward preset done */
++diff -ruN postfix-2.1.0-vanilla/src/smtpd/smtpd_check.c postfix-2.1.0/src/smtpd/smtpd_check.c
++--- postfix-2.1.0-vanilla/src/smtpd/smtpd_check.c	Mon Apr 19 21:31:20 2004
+++++ postfix-2.1.0/src/smtpd/smtpd_check.c	Sat Apr 24 14:35:28 2004
++@@ -185,6 +185,7 @@
++ #include <string_list.h>
++ #include <namadr_list.h>
++ #include <domain_list.h>
+++#include <string_list.h>
++ #include <mail_params.h>
++ #include <canon_addr.h>
++ #include <resolve_clnt.h>
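Review bot: the added `#include <string_list.h>` duplicates the one three lines above it in the same include block; drop the new line.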
++@@ -269,6 +270,9 @@
++ static DOMAIN_LIST *relay_domains;
++ static NAMADR_LIST *mynetworks;
++ static NAMADR_LIST *perm_mx_networks;
+++#ifdef USE_SSL
+++static MAPS *relay_ccerts;
+++#endif
++ 
++  /*
++   * How to do parent domain wildcard matching, if any.
++@@ -563,6 +567,10 @@
++     perm_mx_networks =
++ 	namadr_list_init(match_parent_style(VAR_PERM_MX_NETWORKS),
++ 			 var_perm_mx_networks);
+++#ifdef USE_SSL
+++    relay_ccerts = maps_create(VAR_RELAY_CCERTS, var_relay_ccerts,
+++			       DICT_FLAG_LOCK);
+++#endif
++ 
++     /*
++      * Pre-parse and pre-open the recipient maps.
++@@ -1056,6 +1064,36 @@
++ 
++ static int permit_auth_destination(SMTPD_STATE *state, char *recipient);
++ 
+++/* permit_tls_clientcerts - OK/DUNNO for message relaying */
+++
+++#ifdef USE_SSL
+++static int permit_tls_clientcerts(SMTPD_STATE *state, int permit_all_certs)
+++{
+++    char   *low_name;
+++    const char *found;
+++
+++    if (state->tls_info.peer_verified && permit_all_certs) {
+++	if (msg_verbose)
+++	    msg_info("Relaying allowed for all verified client certificates");
+++	return(SMTPD_CHECK_OK);
+++    }
+++
+++    if (state->tls_info.peer_verified && state->tls_info.peer_fingerprint) {
+++	low_name = lowercase(mystrdup(state->tls_info.peer_fingerprint));
+++	found = maps_find(relay_ccerts, low_name, DICT_FLAG_FIXED);
+++	myfree(low_name);
+++	if (found) {
+++	    if (msg_verbose)
+++		msg_info("Relaying allowed for certified client: %s", found);
+++	    return (SMTPD_CHECK_OK);
+++	} else if (msg_verbose)
+++	    msg_info("relay_clientcerts: No match for fingerprint '%s'",
+++		     state->tls_info.peer_fingerprint);
+++    }
+++    return (SMTPD_CHECK_DUNNO);
+++}
+++#endif
+++
++ /* check_relay_domains - OK/FAIL for message relaying */
++ 
++ static int check_relay_domains(SMTPD_STATE *state, char *recipient,
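Review bot: the relay decisions in permit_tls_clientcerts() are logged only under msg_verbose, yet `permit_tls_all_clientcerts` grants relaying to any client whose certificate verified against the configured CA set. A relay grant made on a client certificate should be logged at the normal level with the fingerprint (and, for the map case, the matched value), the way the other permit_* decisions leave a trace, so an operator can later see who relayed and why. The lookup lowercases the fingerprint before `maps_find(relay_ccerts, low_name, DICT_FLAG_FIXED)`, so relay_clientcerts entries must be keyed in lowercase hex in whatever layout pfixtls produces for peer_fingerprint; that layout (digest algorithm, separators) is not documented anywhere in this patch and should be, since a mismatch silently yields DUNNO. Minor: the function header comment sits outside the `#ifdef USE_SSL`, and `return(SMTPD_CHECK_OK);` lacks the space used by every other return in the file.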
++@@ -3235,6 +3273,12 @@
++ #else
++ 		msg_warn("restriction `%s' ignored: no SASL support", name);
++ #endif
+++#ifdef USE_SSL
+++	} else if (strcasecmp(name, PERMIT_TLS_ALL_CLIENTCERTS) == 0) {
+++	  status = permit_tls_clientcerts(state, 1);
+++	} else if (strcasecmp(name, PERMIT_TLS_CLIENTCERTS) == 0) {
+++	  status = permit_tls_clientcerts(state, 0);
+++#endif
++ 	} else if (strcasecmp(name, REJECT_UNKNOWN_RCPTDOM) == 0) {
++ 	    if (state->recipient)
++ 		status = reject_unknown_address(state, state->recipient,
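Review bot: in a build without USE_SSL the names `permit_tls_all_clientcerts` and `permit_tls_clientcerts` are not recognised at all and fall through to the generic unknown-restriction handling, whereas the SASL case directly above emits `msg_warn("restriction `%s' ignored: no SASL support", name)`. Add a matching `#else` branch that warns "no TLS support" so a relay policy that depends on client certificates is visibly ignored rather than silently misparsed. The two `status = permit_tls_clientcerts(...)` lines are also indented with two spaces instead of the four used around them.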
++@@ -3945,6 +3989,7 @@
++ char   *var_etrn_checks = "";
++ char   *var_data_checks = "";
++ char   *var_relay_domains = "";
+++char   *var_relay_ccerts = "";
++ char   *var_mynetworks = "";
++ char   *var_notify_classes = "";
++ 
++diff -ruN postfix-2.1.0-vanilla/src/smtpd/smtpd_sasl_proto.c postfix-2.1.0/src/smtpd/smtpd_sasl_proto.c
++--- postfix-2.1.0-vanilla/src/smtpd/smtpd_sasl_proto.c	Mon Mar 29 21:40:52 2004
+++++ postfix-2.1.0/src/smtpd/smtpd_sasl_proto.c	Sat Apr 24 14:35:28 2004
++@@ -129,6 +129,13 @@
++ 	smtpd_chat_reply(state, "503 Error: authentication not enabled");
++ 	return (-1);
++     }
+++#ifdef USE_SSL
+++    if (state->tls_auth_only && !state->tls_active) {
+++	state->error_mask |= MAIL_ERROR_PROTOCOL;
+++	smtpd_chat_reply(state, "538 Encryption required for requested authentication mechanism");
+++	return (-1);
+++    }
+++#endif
++     if (state->sasl_username) {
++ 	state->error_mask |= MAIL_ERROR_PROTOCOL;
++ 	smtpd_chat_reply(state, "503 Error: already authenticated");
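Review bot: answering AUTH with `538 Encryption required for requested authentication mechanism` after the client has already sent the command is the right backstop, but it must not be the only control: with tls_auth_only set and TLS not active, the EHLO response also has to omit the AUTH capability so clients are never invited to send credentials over plaintext in the first place. That EHLO-side change is not in this hunk and should be confirmed elsewhere in the patch. Consider logging state->name/state->addr on this rejection as well; a plaintext AUTH attempt against a TLS-only server is worth a line in the log.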
++diff -ruN postfix-2.1.0-vanilla/src/smtpd/smtpd_state.c postfix-2.1.0/src/smtpd/smtpd_state.c
++--- postfix-2.1.0-vanilla/src/smtpd/smtpd_state.c	Wed Apr 21 20:23:49 2004
+++++ postfix-2.1.0/src/smtpd/smtpd_state.c	Sat Apr 24 14:48:22 2004
++@@ -111,6 +111,11 @@
++     state->saved_flags = 0;
++     state->instance = vstring_alloc(10);
++     state->seqno = 0;
+++    state->tls_active = 0;
+++    state->tls_use_tls = 0;
+++    state->tls_enforce_tls = 0;
+++    state->tls_info = tls_info_zero;
+++    state->tls_auth_only = 0;
++ 
++ #ifdef USE_SASL_AUTH
++     if (SMTPD_STAND_ALONE(state))
++diff -ruN postfix-2.1.0-vanilla/src/tlsmgr/Makefile.in postfix-2.1.0/src/tlsmgr/Makefile.in
++--- postfix-2.1.0-vanilla/src/tlsmgr/Makefile.in	Thu Jan  1 01:00:00 1970
+++++ postfix-2.1.0/src/tlsmgr/Makefile.in	Sat Apr 24 14:35:28 2004
++@@ -0,0 +1,75 @@
+++SHELL	= /bin/sh
+++SRCS	= tlsmgr.c
+++OBJS	= tlsmgr.o
+++HDRS	=
+++TESTSRC	=
+++WARN	= -W -Wformat -Wimplicit -Wmissing-prototypes \
+++	-Wparentheses -Wstrict-prototypes -Wswitch -Wuninitialized \
+++	-Wunused
+++DEFS	= -I. -I$(INC_DIR) -D$(SYSTYPE)
+++CFLAGS	= $(DEBUG) $(OPT) $(DEFS)
+++TESTPROG= 
+++PROG	= tlsmgr
+++INC_DIR	= ../../include
+++LIBS	= ../../lib/libmaster.a ../../lib/libglobal.a ../../lib/libutil.a
+++
+++.c.o:;	$(CC) $(CFLAGS) -c $*.c
+++
+++$(PROG):	$(OBJS) $(LIBS)
+++	$(CC) $(CFLAGS) -o $@ $(OBJS) $(LIBS) $(SYSLIBS)
+++
+++Makefile: Makefile.in
+++	(set -e; echo "# DO NOT EDIT"; $(OPTS) $(SHELL) ../../makedefs; cat $?) >$@
+++
+++test:	$(TESTPROG)
+++
+++update: ../../libexec/$(PROG)
+++
+++../../libexec/$(PROG): $(PROG)
+++	cp $(PROG) ../../libexec
+++
+++printfck: $(OBJS) $(PROG)
+++	rm -rf printfck
+++	mkdir printfck
+++	cp *.h printfck
+++	sed '1,/^# do not edit/!d' Makefile >printfck/Makefile
+++	set -e; for i in *.c; do printfck -f .printfck $$i >printfck/$$i; done
+++	cd printfck; make "INC_DIR=../../../../include" `cd ../..; ls *.o`
+++
+++lint:
+++	lint $(DEFS) $(SRCS) $(LINTFIX)
+++
+++clean:
+++	rm -f *.o *core $(PROG) $(TESTPROG) junk 
+++	rm -rf printfck
+++
+++tidy:	clean
+++
+++depend: $(MAKES)
+++	(sed '1,/^# do not edit/!d' Makefile.in; \
+++	set -e; for i in [a-z][a-z0-9]*.c; do \
+++	    $(CC) -E $(DEFS) $(INCL) $$i | sed -n -e '/^# *1 *"\([^"]*\)".*/{' \
+++	    -e 's//'`echo $$i|sed 's/c$$/o/'`': \1/' -e 'p' -e '}'; \
+++	done) | grep -v '[.][o][:][ ][/]' >$$$$ && mv $$$$ Makefile.in
+++	@make -f Makefile.in Makefile
+++
+++# do not edit below this line - it is generated by 'make depend'
+++tlsmgr.o: tlsmgr.c
+++tlsmgr.o: ../../include/sys_defs.h
+++tlsmgr.o: ../../include/msg.h
+++tlsmgr.o: ../../include/events.h
+++tlsmgr.o: ../../include/vstream.h
+++tlsmgr.o: ../../include/vbuf.h
+++tlsmgr.o: ../../include/dict.h
+++tlsmgr.o: ../../include/argv.h
+++tlsmgr.o: ../../include/vstring.h
+++tlsmgr.o: ../../include/stringops.h
+++tlsmgr.o: ../../include/mymalloc.h
+++tlsmgr.o: ../../include/connect.h
+++tlsmgr.o: ../../include/myflock.h
+++tlsmgr.o: ../../include/mail_conf.h
+++tlsmgr.o: ../../include/mail_params.h
+++tlsmgr.o: ../../include/iostuff.h
+++tlsmgr.o: ../../include/master_proto.h
+++tlsmgr.o: ../../include/mail_server.h
+++tlsmgr.o: ../../include/pfixtls.h
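Review bot: `TESTPROG= ` and the `clean:` rule's `junk ` carry trailing whitespace; strip it. Otherwise this is the standard per-daemon Makefile.in and the generated dependency list already includes ../../include/pfixtls.h.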
++diff -ruN postfix-2.1.0-vanilla/src/tlsmgr/tlsmgr.c postfix-2.1.0/src/tlsmgr/tlsmgr.c
++--- postfix-2.1.0-vanilla/src/tlsmgr/tlsmgr.c	Thu Jan  1 01:00:00 1970
+++++ postfix-2.1.0/src/tlsmgr/tlsmgr.c	Sat Apr 24 14:35:28 2004
++@@ -0,0 +1,598 @@
+++/*++
+++/* NAME
+++/*	tlsmgr 8
+++/* SUMMARY
+++/*	Postfix TLS session cache and PRNG handling manager
+++/* SYNOPSIS
+++/*	\fBtlsmgr\fR [generic Postfix daemon options]
+++/* DESCRIPTION
+++/*	The tlsmgr process does housekeeping on the session cache database
+++/*	files. It runs through the databases and removes expired entries
+++/*	and entries written by older (incompatible) versions.
+++/*
+++/*	The tlsmgr is responsible for the PRNG handling. The used internal
+++/*	OpenSSL PRNG has a pool size of 8192 bits (= 1024 bytes). The pool
+++/*	is initially seeded at startup from an external source (EGD or
+++/*	/dev/urandom) and additional seed is obtained later during program
+++/*	run at a configurable period. The exact time of seed query is
+++/*	using random information and is equally distributed in the range of
+++/*	[0-\fBtls_random_reseed_period\fR] with a \fBtls_random_reseed_period\fR
+++/*	having a default of 1 hour.
+++/*
+++/*	Tlsmgr can be run chrooted and with dropped privileges, as it will
+++/*	connect to the entropy source at startup.
+++/*
+++/*	The PRNG is additionally seeded internally by the data found in the
+++/*	session cache and timevalues.
+++/*
+++/*	Tlsmgr reads the old value of the exchange file at startup to keep
+++/*	entropy already collected during previous runs.
+++/*
+++/*	From the PRNG random pool a cryptographically strong 1024 byte random
+++/*	sequence is written into the PRNG exchange file. The file is updated
+++/*	periodically with the time changing randomly from
+++/*	[0-\fBtls_random_prng_update_period\fR].
+++/* STANDARDS
+++/* SECURITY
+++/* .ad
+++/* .fi
+++/*	Tlsmgr is not security-sensitive. It only deals with external data
+++/*	to be fed into the PRNG, the contents is never trusted. The session
+++/*	cache housekeeping will only remove entries if expired and will never
+++/*	touch the contents of the cached data.
+++/* DIAGNOSTICS
+++/*	Problems and transactions are logged to the syslog daemon.
+++/* BUGS
+++/*	There is no automatic means to limit the number of entries in the
+++/*	session caches and/or the size of the session cache files.
+++/* CONFIGURATION PARAMETERS
+++/* .ad
+++/* .fi
+++/*	The following \fBmain.cf\fR parameters are especially relevant to
+++/*	this program. See the Postfix \fBmain.cf\fR file for syntax details
+++/*	and for default values. Use the \fBpostfix reload\fR command after
+++/*	a configuration change.
+++/* .SH Session Cache
+++/* .ad
+++/* .fi
+++/* .IP \fBsmtpd_tls_session_cache_database\fR
+++/*	Name of the SDBM file (type sdbm:) containing the SMTP server session
+++/*	cache. If the file does not exist, it is created.
+++/* .IP \fBsmtpd_tls_session_cache_timeout\fR
+++/*	Expiry time of SMTP server session cache entries in seconds. Entries
+++/*	older than this are removed from the session cache. A cleanup-run is
+++/*	performed periodically every \fBsmtpd_tls_session_cache_timeout\fR
+++/*	seconds. Default is 3600 (= 1 hour).
+++/* .IP \fBsmtp_tls_session_cache_database\fR
+++/*	Name of the SDBM file (type sdbm:) containing the SMTP client session
+++/*	cache. If the file does not exist, it is created.
+++/* .IP \fBsmtp_tls_session_cache_timeout\fR
+++/*	Expiry time of SMTP client session cache entries in seconds. Entries
+++/*	older than this are removed from the session cache. A cleanup-run is
+++/*	performed periodically every \fBsmtp_tls_session_cache_timeout\fR
+++/*	seconds. Default is 3600 (= 1 hour).
+++/* .SH Pseudo Random Number Generator
+++/* .ad
+++/* .fi
+++/* .IP \fBtls_random_source\fR
+++/*	Name of the EGD socket or device or regular file to obtain entropy
+++/*	from. The type of entropy source must be specified by preceding the
+++/*      name with the appropriate type: egd:/path/to/egd_socket,
+++/*      dev:/path/to/devicefile, or /path/to/regular/file.
+++/*	tlsmgr opens \fBtls_random_source\fR and tries to read
+++/*	\fBtls_random_bytes\fR from it.
+++/* .IP \fBtls_random_bytes\fR
+++/*	Number of bytes to be read from \fBtls_random_source\fR.
+++/*	Default value is 32 bytes. If using EGD, a maximum of 255 bytes is read.
+++/* .IP \fBtls_random_exchange_name\fR
+++/*	Name of the file written by tlsmgr and read by smtp and smtpd at
+++/*	startup. The length is 1024 bytes. Default value is
+++/*	/etc/postfix/prng_exch.
+++/* .IP \fBtls_random_reseed_period\fR
+++/*	Time in seconds until the next reseed from external sources is due.
+++/*	This is the maximum value. The actual point in time is calculated
+++/*	with a random factor equally distributed between 0 and this maximum
+++/*	value. Default is 3600 (= 60 minutes).
+++/* .IP \fBtls_random_prng_update_period\fR
+++/*	Time in seconds until the PRNG exchange file is updated with new
+++/*	pseude random values. This is the maximum value. The actual point
+++/*	in time is calculated with a random factor equally distributed
+++/*	between 0 and this maximum value. Default is 60 (= 1 minute).
+++/* SEE ALSO
+++/*	smtp(8) SMTP client
+++/*	smtpd(8) SMTP server
+++/* LICENSE
+++/* .ad
+++/* .fi
+++/*	The Secure Mailer license must be distributed with this software.
+++/* AUTHOR(S)
+++/*--*/
+++
+++/* System library. */
+++
+++#include <sys_defs.h>
+++#include <stdlib.h>
+++#include <unistd.h>
+++#include <ctype.h>
+++#include <errno.h>
+++#include <string.h>
+++#include <sys/time.h>			/* gettimeofday, not POSIX */
+++
+++/* OpenSSL library. */
+++#ifdef USE_SSL
+++#include <openssl/rand.h>		/* For the PRNG */
+++#endif
+++
+++/* Utility library. */
+++
+++#include <msg.h>
+++#include <events.h>
+++#include <dict.h>
+++#include <stringops.h>
+++#include <mymalloc.h>
+++#include <connect.h>
+++#include <myflock.h>
+++
+++/* Global library. */
+++
+++#include <mail_conf.h>
+++#include <mail_params.h>
+++#include <pfixtls.h>
+++
+++/* Master process interface */
+++
+++#include <master_proto.h>
+++#include <mail_server.h>
+++
+++/* Application-specific. */
+++
+++#ifdef USE_SSL
+++ /*
+++  * Tunables.
+++  */
+++char   *var_tls_rand_source;
+++int	var_tls_rand_bytes;
+++int	var_tls_reseed_period;
+++int	var_tls_prng_upd_period;
+++
+++static int rand_exch_fd;
+++static int rand_source_dev_fd = -1;
+++static int rand_source_socket_fd = -1;
+++static int srvr_scache_db_active;
+++static int clnt_scache_db_active;
+++static DICT *srvr_scache_db = NULL;
+++static DICT *clnt_scache_db = NULL;
+++
+++static void tlsmgr_prng_upd_event(int unused_event, char *dummy)
+++{
+++    struct timeval tv;
+++    unsigned char buffer[1024];
+++    int next_period;
+++
+++    /*
+++     * It is time to update the PRNG exchange file. Since other processes might
+++     * have added entropy, we do this in a read_stir-back_write cycle.
+++     */
+++    GETTIMEOFDAY(&tv);
+++    RAND_seed(&tv, sizeof(struct timeval));
+++
+++    if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) != 0)
+++	msg_fatal("Could not lock random exchange file: %s",
+++		  strerror(errno));
+++
+++    lseek(rand_exch_fd, 0, SEEK_SET);
+++    if (read(rand_exch_fd, buffer, 1024) < 0)
+++	msg_fatal("reading exchange file failed");
+++    RAND_seed(buffer, 1024);
+++
+++    RAND_bytes(buffer, 1024);
+++    lseek(rand_exch_fd, 0, SEEK_SET);
+++    if (write(rand_exch_fd, buffer, 1024) != 1024)
+++	msg_fatal("Writing exchange file failed");
+++
+++    if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) != 0)
+++	msg_fatal("Could not unlock random exchange file: %s",
+++		  strerror(errno));
+++
+++    /*
+++     * Make prediction difficult for outsiders and calculate the time for the
+++     * next execution randomly.
+++     */
+++    next_period = (var_tls_prng_upd_period * buffer[0]) / 255;
+++    event_request_timer(tlsmgr_prng_upd_event, dummy, next_period);
+++}
+++
+++
+++static void tlsmgr_reseed_event(int unused_event, char *dummy)
+++{
+++    int egd_success;
+++    int next_period;
+++    int rand_bytes;
+++    char buffer[255];
+++    struct timeval tv;
+++    unsigned char randbyte;
+++
+++    /*
+++     * It is time to reseed the PRNG.
+++     */
+++
+++    GETTIMEOFDAY(&tv);
+++    RAND_seed(&tv, sizeof(struct timeval));
+++    if (rand_source_dev_fd != -1) {
+++	rand_bytes = read(rand_source_dev_fd, buffer, var_tls_rand_bytes);
+++	if (rand_bytes > 0)
+++	    RAND_seed(buffer, rand_bytes);
+++	else if (rand_bytes < 0) {
+++	    msg_fatal("Read from entropy device %s failed",
+++		      var_tls_rand_source);
+++	}
+++    } else if (rand_source_socket_fd != -1) {
+++	egd_success = 0;
+++	buffer[0] = 1;
+++	buffer[1] = var_tls_rand_bytes;
+++	if (write(rand_source_socket_fd, buffer, 2) != 2)
+++	    msg_info("Could not talk to %s", var_tls_rand_source);
+++	else if (read(rand_source_socket_fd, buffer, 1) != 1)
+++	    msg_info("Could not read info from %s", var_tls_rand_source);
+++	else {
+++	    rand_bytes = buffer[0];
+++	    if (read(rand_source_socket_fd, buffer, rand_bytes) != rand_bytes)
+++		msg_info("Could not read data from %s", var_tls_rand_source);
+++	    else {
+++		egd_success = 1;
+++		RAND_seed(buffer, rand_bytes);
+++	    }
+++	}
+++	if (!egd_success) {
+++	    msg_info("Lost connection to EGD-device, exiting to reconnect.");
+++	    exit(0);
+++	}
+++    } else if (*var_tls_rand_source) {
+++	rand_bytes = RAND_load_file(var_tls_rand_source, var_tls_rand_bytes);
+++    }
+++
+++    /*
+++     * Make prediction difficult for outsiders and calculate the time for the
+++     * next execution randomly.
+++     */
+++    RAND_bytes(&randbyte, 1);
+++    next_period = (var_tls_reseed_period * randbyte) / 255;
+++    event_request_timer(tlsmgr_reseed_event, dummy, next_period);
+++}
+++
+++
+++static int tlsmgr_do_scache_check(DICT *scache_db, int scache_timeout,
+++				  int start)
+++{
+++    int func;
+++    int len;
+++    int n;
+++    int delete = 0;
+++    int result;
+++    struct timeval tv;
+++    const char *member;
+++    const char *value;
+++    char *member_copy;
+++    unsigned char nibble, *data;
+++    pfixtls_scache_info_t scache_info;
+++
+++    GETTIMEOFDAY(&tv);
+++    RAND_seed(&tv, sizeof(struct timeval));
+++
+++    /*
+++     * Run through the given dictionary and check the stored sessions.
+++     * If "start" is set to 1, a new run is initiated, otherwise the next
+++     * item is accessed. The state is internally kept in the DICT.
+++     */
+++    if (start)
+++	func = DICT_SEQ_FUN_FIRST;
+++    else
+++	func = DICT_SEQ_FUN_NEXT;
+++    result = dict_seq(scache_db, func, &member, &value);
+++
+++    if (result > 0)
+++	return 0;	/* End of list reached */
+++    else if (result < 0)
+++	msg_fatal("Database fault, should already be caught.");
+++    else {
+++	member_copy = mystrdup(member);
+++	len = strlen(value);
+++	RAND_seed(value, len);		/* Use it to increase entropy */
+++	if (len < 2 * sizeof(pfixtls_scache_info_t))
+++	    delete = 1;		/* Messed up, delete */
+++	else if (len > 2 * sizeof(pfixtls_scache_info_t))
+++	    len = 2 * sizeof(pfixtls_scache_info_t);
+++	if (!delete) {
+++	    data = (unsigned char *)(&scache_info);
+++	    memset(data, 0, len / 2);
+++	    for (n = 0; n < len; n++) {
+++            if ((value[n] >= '0') && (value[n] <= '9'))
+++                nibble = value[n] - '0';
+++            else
+++                nibble = value[n] - 'A' + 10;
+++            if (n % 2)
+++                data[n / 2] |= nibble;
+++            else
+++                data[n / 2] |= (nibble << 4);
+++        }
+++
+++        if ((scache_info.scache_db_version != scache_db_version) ||
+++            (scache_info.openssl_version != openssl_version) ||
+++            (scache_info.timestamp + scache_timeout < time(NULL)))
+++	    delete = 1;
+++	}
+++	if (delete)
+++	    result = dict_del(scache_db, member_copy);
+++	myfree(member_copy);
+++    }
+++
+++    if (delete && result)
+++	msg_info("Could not delete %s", member);
+++    return 1;
+++
+++}
+++
+++static void tlsmgr_clnt_cache_run_event(int unused_event, char *dummy)
+++{
+++
+++    /*
+++     * This routine runs when it is time for another tls session cache scan.
+++     * Make sure this routine gets called again in the future.
+++     */
+++    clnt_scache_db_active = tlsmgr_do_scache_check(clnt_scache_db, 
+++				var_smtp_tls_scache_timeout, 1);
+++    event_request_timer(tlsmgr_clnt_cache_run_event, dummy,
+++		 var_smtp_tls_scache_timeout);
+++}
+++
+++
+++static void tlsmgr_srvr_cache_run_event(int unused_event, char *dummy)
+++{
+++
+++    /*
+++     * This routine runs when it is time for another tls session cache scan.
+++     * Make sure this routine gets called again in the future.
+++     */
+++    srvr_scache_db_active = tlsmgr_do_scache_check(srvr_scache_db,
+++				var_smtpd_tls_scache_timeout, 1);
+++    event_request_timer(tlsmgr_srvr_cache_run_event, dummy,
+++		 var_smtpd_tls_scache_timeout);
+++}
+++
+++
+++static DICT *tlsmgr_cache_open(const char *dbname)
+++{
+++    DICT *retval;
+++    char *dbpagname;
+++    char *dbdirname;
+++
+++    /*
+++     * First, try to find out the real name of the database file, so that
+++     * it can be removed.
+++     */
+++    if (!strncmp(dbname, "sdbm:", 5)) {
+++	dbpagname = concatenate(dbname + 5, ".pag", NULL);
+++	REMOVE(dbpagname);
+++	myfree(dbpagname);
+++	dbdirname = concatenate(dbname + 5, ".dir", NULL);
+++	REMOVE(dbdirname);
+++	myfree(dbdirname);
+++    }
+++    else {
+++	msg_warn("Only type sdbm: supported: %s", dbname);
+++	return NULL;
+++    }
+++
+++    /*
+++     * Now open the dictionary. Do it with O_EXCL, so that we only open a
+++     * fresh file. If we cannot open it with a fresh file, then we won't
+++     * touch it.
+++     */
+++    retval = dict_open(dbname, O_RDWR | O_CREAT | O_EXCL,
+++	      DICT_FLAG_DUP_REPLACE | DICT_FLAG_LOCK | DICT_FLAG_SYNC_UPDATE);
+++    if (!retval)
+++	msg_warn("Could not create dictionary %s", dbname);
+++    return retval;
+++}
+++
+++/* tlsmgr_trigger_event - respond to external trigger(s) */
+++
+++static void tlsmgr_trigger_event(char *buf, int len,
+++			               char *unused_service, char **argv)
+++{
+++    /*
+++     * Sanity check. This service takes no command-line arguments.
+++     */
+++    if (argv[0])
+++	msg_fatal("unexpected command-line argument: %s", argv[0]);
+++
+++}
+++
+++/* tlsmgr_loop - queue manager main loop */
+++
+++static int tlsmgr_loop(char *unused_name, char **unused_argv)
+++{
+++    /*
+++     * This routine runs as part of the event handling loop, after the event
+++     * manager has delivered a timer or I/O event (including the completion
+++     * of a connection to a delivery process), or after it has waited for a
+++     * specified amount of time. The result value of qmgr_loop() specifies
+++     * how long the event manager should wait for the next event.
+++     */
+++#define DONT_WAIT	0
+++#define WAIT_FOR_EVENT	(-1)
+++
+++    if (clnt_scache_db_active)
+++	clnt_scache_db_active = tlsmgr_do_scache_check(clnt_scache_db,
+++					var_smtp_tls_scache_timeout, 0);
+++    if (srvr_scache_db_active)
+++	srvr_scache_db_active = tlsmgr_do_scache_check(srvr_scache_db,
+++					var_smtpd_tls_scache_timeout, 0);
+++    if (clnt_scache_db_active || srvr_scache_db_active)
+++	return (DONT_WAIT);
+++    return (WAIT_FOR_EVENT);
+++}
+++
+++/* pre_accept - see if tables have changed */
+++
+++static void pre_accept(char *unused_name, char **unused_argv)
+++{
+++    if (dict_changed()) {
+++	msg_info("table has changed -- exiting");
+++	exit(0);
+++    }
+++}
+++
+++/* tlsmgr_pre_init - pre-jail initialization */
+++
+++static void tlsmgr_pre_init(char *unused_name, char **unused_argv)
+++{
+++    int rand_bytes;
+++    unsigned char buffer[255];
+++
+++    /*
+++     * Access the external sources for random seed. We may not be able to
+++     * access them again if we are sent to chroot jail, so we must leave
+++     * dev: and egd: type sources open.
+++     */
+++    if (*var_tls_rand_source) {
+++        if (!strncmp(var_tls_rand_source, "dev:", 4)) {
+++	    /*
+++	     * Source is a random device
+++	     */
+++	    rand_source_dev_fd = open(var_tls_rand_source + 4, 0, 0);
+++	    if (rand_source_dev_fd == -1) 
+++		msg_fatal("Could not open entropy device %s",
+++			  var_tls_rand_source);
+++	    if (var_tls_rand_bytes > 255)
+++		var_tls_rand_bytes = 255;
+++	    rand_bytes = read(rand_source_dev_fd, buffer, var_tls_rand_bytes);
+++	    RAND_seed(buffer, rand_bytes);
+++	} else if (!strncmp(var_tls_rand_source, "egd:", 4)) {
+++	    /*
+++	     * Source is a EGD compatible socket
+++	     */
+++	    rand_source_socket_fd = unix_connect(var_tls_rand_source +4,
+++						 BLOCKING, 10);
+++	    if (rand_source_socket_fd == -1)
+++		msg_fatal("Could not connect to %s", var_tls_rand_source);
+++	    if (var_tls_rand_bytes > 255)
+++		var_tls_rand_bytes = 255;
+++	    buffer[0] = 1;
+++	    buffer[1] = var_tls_rand_bytes;
+++	    if (write(rand_source_socket_fd, buffer, 2) != 2)
+++		msg_fatal("Could not talk to %s", var_tls_rand_source);
+++	    if (read(rand_source_socket_fd, buffer, 1) != 1)
+++		msg_fatal("Could not read info from %s", var_tls_rand_source);
+++	    rand_bytes = buffer[0];
+++	    if (read(rand_source_socket_fd, buffer, rand_bytes) != rand_bytes)
+++		msg_fatal("Could not read data from %s", var_tls_rand_source);
+++	    RAND_seed(buffer, rand_bytes);
+++	} else {
+++	    rand_bytes = RAND_load_file(var_tls_rand_source,
+++					var_tls_rand_bytes);
+++	}
+++    }
+++
+++    /*
+++     * Now open the PRNG exchange file
+++     */
+++    if (*var_tls_rand_exch_name) {
+++	rand_exch_fd = open(var_tls_rand_exch_name, O_RDWR | O_CREAT, 0600);
+++    }
+++
+++    /*
+++     * Finally, open the session cache files. Remove old files, if still there.
+++     * If we could not remove the old files, something is pretty wrong and we
+++     * won't touch it!!
+++     */
+++    if (*var_smtp_tls_scache_db)
+++	clnt_scache_db = tlsmgr_cache_open(var_smtp_tls_scache_db);
+++    if (*var_smtpd_tls_scache_db)
+++	srvr_scache_db = tlsmgr_cache_open(var_smtpd_tls_scache_db);
+++}
+++
+++/* qmgr_post_init - post-jail initialization */
+++
+++static void tlsmgr_post_init(char *unused_name, char **unused_argv)
+++{
+++    unsigned char buffer[1024];
+++
+++    /*
+++     * This routine runs after the skeleton code has entered the chroot jail.
+++     * Prevent automatic process suicide after a limited number of client
+++     * requests or after a limited amount of idle time.
+++     */
+++    var_use_limit = 0;
+++    var_idle_limit = 0;
+++
+++    /*
+++     * Complete thie initialization by reading the additional seed from the
+++     * PRNG exchange file. Don't care how many bytes were actually read, just
+++     * seed buffer into the PRNG, regardless of its contents.
+++     */
+++    if (rand_exch_fd >= 0) {
+++	if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_SHARED) == -1)
+++	    msg_fatal("Could not lock random exchange file: %s",
+++		      strerror(errno));
+++	read(rand_exch_fd, buffer, 1024);
+++	if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) == -1)
+++	    msg_fatal("Could not unlock random exchange file: %s",
+++		      strerror(errno));
+++	RAND_seed(buffer, 1024);
+++	tlsmgr_prng_upd_event(0, (char *) 0);
+++	tlsmgr_reseed_event(0, (char *) 0);
+++    }
+++
+++    clnt_scache_db_active = 0;
+++    srvr_scache_db_active = 0;
+++    if (clnt_scache_db)
+++	tlsmgr_clnt_cache_run_event(0, (char *) 0);
+++    if (srvr_scache_db)
+++	tlsmgr_srvr_cache_run_event(0, (char *) 0);
+++}
+++
+++
+++/* main - the main program */
+++
+++int     main(int argc, char **argv)
+++{
+++    static CONFIG_STR_TABLE str_table[] = {
+++	VAR_TLS_RAND_SOURCE, DEF_TLS_RAND_SOURCE, &var_tls_rand_source, 0, 0,
+++	0,
+++    };
+++    static CONFIG_TIME_TABLE time_table[] = {
+++	VAR_TLS_RESEED_PERIOD, DEF_TLS_RESEED_PERIOD, &var_tls_reseed_period, 0, 0,
+++	VAR_TLS_PRNG_UPD_PERIOD, DEF_TLS_PRNG_UPD_PERIOD, &var_tls_prng_upd_period, 0, 0,
+++	0,
+++    };
+++    static CONFIG_INT_TABLE int_table[] = {
+++	VAR_TLS_RAND_BYTES, DEF_TLS_RAND_BYTES, &var_tls_rand_bytes, 0, 0,
+++	0,
+++    };
+++
+++    /*
+++     * Use the trigger service skeleton, because no-one else should be
+++     * monitoring our service port while this process runs, and because we do
+++     * not talk back to the client.
+++     */
+++    trigger_server_main(argc, argv, tlsmgr_trigger_event,
+++			MAIL_SERVER_TIME_TABLE, time_table,
+++			MAIL_SERVER_INT_TABLE, int_table,
+++			MAIL_SERVER_STR_TABLE, str_table,
+++			MAIL_SERVER_PRE_INIT, tlsmgr_pre_init,
+++			MAIL_SERVER_POST_INIT, tlsmgr_post_init,
+++			MAIL_SERVER_LOOP, tlsmgr_loop,
+++			MAIL_SERVER_PRE_ACCEPT, pre_accept,
+++			0);
+++    trigger_server_main(argc, argv, tlsmgr_trigger_event,
+++			MAIL_SERVER_PRE_INIT, tlsmgr_pre_init,
+++			0);
+++}
+++
+++#else
+++int     main(int argc, char **argv)
+++{
+++    msg_fatal("Do not run tlsmgr with TLS support compiled in\n");
+++}
+++#endif
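Review bot: main() calls trigger_server_main() twice, first with the time/int/str tables and the pre-init, post-init, loop and pre-accept hooks, then again with only MAIL_SERVER_PRE_INIT. If trigger_server_main() never returns (the Postfix server skeletons run their event loop and exit), the second call is dead code; if it does return, it re-enters the server with a different table set. Either way the second call should be removed. Two further points in this hunk: the post-init seeding ignores the read() result and then hands all 1024 bytes to RAND_seed(), which credits every byte as full entropy even when the read failed or was short; the comment says this is deliberate, but RAND_add() with the number of bytes actually read would keep the entropy estimate honest. And the `#else` fallback main() prints "Do not run tlsmgr with TLS support compiled in" although that branch is the build without TLS support, so the message is inverted. Minor: "Complete thie initialization" should read "the".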
++diff -ruN postfix-2.1.0-vanilla/src/util/Makefile.in postfix-2.1.0/src/util/Makefile.in
++--- postfix-2.1.0-vanilla/src/util/Makefile.in	Thu Apr 22 21:37:28 2004
+++++ postfix-2.1.0/src/util/Makefile.in	Sat Apr 24 14:35:28 2004
++@@ -28,7 +28,7 @@
++ 	vstream_popen.c vstring.c vstring_vstream.c watchdog.c writable.c \
++ 	write_buf.c write_wait.c auto_clnt.c attr_clnt.c attr_scan_plain.c \
++ 	attr_print_plain.c sane_connect.c neuter.c name_code.c \
++-	uppercase.c
+++	uppercase.c dict_sdbm.c sdbm.c
++ OBJS	= alldig.o argv.o argv_split.o attr_print0.o attr_print64.o \
++ 	attr_scan0.o attr_scan64.o base64_code.o basename.o binhash.o \
++ 	chroot_uid.o clean_env.o close_on_exec.o concatenate.o ctable.o \
++@@ -58,7 +58,7 @@
++ 	vstream_popen.o vstring.o vstring_vstream.o watchdog.o writable.o \
++ 	write_buf.o write_wait.o auto_clnt.o attr_clnt.o attr_scan_plain.o \
++ 	attr_print_plain.o sane_connect.o $(STRCASE) neuter.o name_code.o \
++-	uppercase.o
+++	uppercase.o dict_sdbm.o sdbm.o
++ HDRS	= argv.h attr.h base64_code.h binhash.h chroot_uid.h clean_env.h \
++ 	connect.h ctable.h dict.h dict_db.h dict_dbm.h dict_env.h \
++ 	dict_cidr.h dict_ht.h dict_ni.h dict_nis.h \
++@@ -77,7 +77,7 @@
++ 	split_at.h stat_as.h stringops.h sys_defs.h timed_connect.h \
++ 	timed_wait.h trigger.h username.h valid_hostname.h vbuf.h \
++ 	vbuf_print.h vstream.h vstring.h vstring_vstream.h watchdog.h \
++-	auto_clnt.h attr_clnt.h sane_connect.h name_code.h
+++	auto_clnt.h attr_clnt.h sane_connect.h name_code.h dict_sdbm.h sdbm.h
++ TESTSRC	= fifo_open.c fifo_rdwr_bug.c fifo_rdonly_bug.c select_bug.c \
++ 	stream_test.c dup2_pass_on_exec.c
++ DEFS	= -I. -D$(SYSTYPE)
++@@ -690,6 +690,7 @@
++ dict_open.o: dict_unix.h
++ dict_open.o: dict_tcp.h
++ dict_open.o: dict_dbm.h
+++dict_open.o: dict_sdbm.h
++ dict_open.o: dict_db.h
++ dict_open.o: dict_nis.h
++ dict_open.o: dict_nisplus.h
++@@ -1365,3 +1366,9 @@
++ write_wait.o: sys_defs.h
++ write_wait.o: msg.h
++ write_wait.o: iostuff.h
+++sdbm.o: sdbm.c
+++sdbm.o: sdbm.h
+++dict_sdbm.o: sdbm.h
+++dict_sdbm.o: dict_sdbm.c
+++dict_sdbm.o: dict_sdbm.h
+++dict_sdbm.o: sys_defs.h
++diff -ruN postfix-2.1.0-vanilla/src/util/dict_open.c postfix-2.1.0/src/util/dict_open.c
++--- postfix-2.1.0-vanilla/src/util/dict_open.c	Mon Jan  5 21:55:18 2004
+++++ postfix-2.1.0/src/util/dict_open.c	Sat Apr 24 14:35:29 2004
++@@ -167,6 +167,7 @@
++ #include <dict_env.h>
++ #include <dict_unix.h>
++ #include <dict_tcp.h>
+++#include <dict_sdbm.h>
++ #include <dict_dbm.h>
++ #include <dict_db.h>
++ #include <dict_nis.h>
++@@ -194,6 +195,7 @@
++ #ifdef SNAPSHOT
++     DICT_TYPE_TCP, dict_tcp_open,
++ #endif
+++    DICT_TYPE_SDBM, dict_sdbm_open,
++ #ifdef HAS_DBM
++     DICT_TYPE_DBM, dict_dbm_open,
++ #endif
++diff -ruN postfix-2.1.0-vanilla/src/util/dict_sdbm.c postfix-2.1.0/src/util/dict_sdbm.c
++--- postfix-2.1.0-vanilla/src/util/dict_sdbm.c	Thu Jan  1 01:00:00 1970
+++++ postfix-2.1.0/src/util/dict_sdbm.c	Sat Apr 24 14:35:29 2004
++@@ -0,0 +1,408 @@
+++/*++
+++/* NAME
+++/*	dict_sdbm 3
+++/* SUMMARY
+++/*	dictionary manager interface to SDBM files
+++/* SYNOPSIS
+++/*	#include <dict_sdbm.h>
+++/*
+++/*	DICT	*dict_sdbm_open(path, open_flags, dict_flags)
+++/*	const char *name;
+++/*	const char *path;
+++/*	int	open_flags;
+++/*	int	dict_flags;
+++/* DESCRIPTION
+++/*	dict_sdbm_open() opens the named SDBM database and makes it available
+++/*	via the generic interface described in dict_open(3).
+++/* DIAGNOSTICS
+++/*	Fatal errors: cannot open file, file write error, out of memory.
+++/* SEE ALSO
+++/*	dict(3) generic dictionary manager
+++/*	sdbm(3) data base subroutines
+++/* LICENSE
+++/* .ad
+++/* .fi
+++/*	The Secure Mailer license must be distributed with this software.
+++/* AUTHOR(S)
+++/*	Wietse Venema
+++/*	IBM T.J. Watson Research
+++/*	P.O. Box 704
+++/*	Yorktown Heights, NY 10598, USA
+++/*--*/
+++
+++#include "sys_defs.h"
+++
+++/* System library. */
+++
+++#include <sys/stat.h>
+++#include <string.h>
+++#include <unistd.h>
+++
+++/* Utility library. */
+++
+++#include "msg.h"
+++#include "mymalloc.h"
+++#include "htable.h"
+++#include "iostuff.h"
+++#include "vstring.h"
+++#include "myflock.h"
+++#include "stringops.h"
+++#include "dict.h"
+++#include "dict_sdbm.h"
+++#include "sdbm.h"
+++
+++/* Application-specific. */
+++
+++typedef struct {
+++    DICT    dict;			/* generic members */
+++    SDBM   *dbm;			/* open database */
+++    char   *path;			/* pathname */
+++} DICT_SDBM;
+++
+++/* dict_sdbm_lookup - find database entry */
+++
+++static const char *dict_sdbm_lookup(DICT *dict, const char *name)
+++{
+++    DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
+++    datum   dbm_key;
+++    datum   dbm_value;
+++    static VSTRING *buf;
+++    const char *result = 0;
+++
+++    dict_errno = 0;
+++
+++    /*
+++     * Acquire an exclusive lock.
+++     */
+++    if ((dict->flags & DICT_FLAG_LOCK)
+++	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_SHARED) < 0)
+++	msg_fatal("%s: lock dictionary: %m", dict_sdbm->path);
+++
+++    /*
+++     * See if this DBM file was written with one null byte appended to key
+++     * and value.
+++     */
+++    if (dict->flags & DICT_FLAG_TRY1NULL) {
+++	dbm_key.dptr = (void *) name;
+++	dbm_key.dsize = strlen(name) + 1;
+++	dbm_value = sdbm_fetch(dict_sdbm->dbm, dbm_key);
+++	if (dbm_value.dptr != 0) {
+++	    dict->flags &= ~DICT_FLAG_TRY0NULL;
+++	    result = dbm_value.dptr;
+++	}
+++    }
+++
+++    /*
+++     * See if this DBM file was written with no null byte appended to key and
+++     * value.
+++     */
+++    if (result == 0 && (dict->flags & DICT_FLAG_TRY0NULL)) {
+++	dbm_key.dptr = (void *) name;
+++	dbm_key.dsize = strlen(name);
+++	dbm_value = sdbm_fetch(dict_sdbm->dbm, dbm_key);
+++	if (dbm_value.dptr != 0) {
+++	    if (buf == 0)
+++		buf = vstring_alloc(10);
+++	    vstring_strncpy(buf, dbm_value.dptr, dbm_value.dsize);
+++	    dict->flags &= ~DICT_FLAG_TRY1NULL;
+++	    result = vstring_str(buf);
+++	}
+++    }
+++
+++    /*
+++     * Release the exclusive lock.
+++     */
+++    if ((dict->flags & DICT_FLAG_LOCK)
+++	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
+++	msg_fatal("%s: unlock dictionary: %m", dict_sdbm->path);
+++
+++    return (result);
+++}
+++
+++/* dict_sdbm_update - add or update database entry */
+++
+++static void dict_sdbm_update(DICT *dict, const char *name, const char *value)
+++{
+++    DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
+++    datum   dbm_key;
+++    datum   dbm_value;
+++    int     status;
+++
+++    dbm_key.dptr = (void *) name;
+++    dbm_value.dptr = (void *) value;
+++    dbm_key.dsize = strlen(name);
+++    dbm_value.dsize = strlen(value);
+++
+++    /*
+++     * If undecided about appending a null byte to key and value, choose a
+++     * default depending on the platform.
+++     */
+++    if ((dict->flags & DICT_FLAG_TRY1NULL)
+++	&& (dict->flags & DICT_FLAG_TRY0NULL)) {
+++#ifdef DBM_NO_TRAILING_NULL
+++	dict->flags &= ~DICT_FLAG_TRY1NULL;
+++#else
+++	dict->flags &= ~DICT_FLAG_TRY0NULL;
+++#endif
+++    }
+++
+++    /*
+++     * Optionally append a null byte to key and value.
+++     */
+++    if (dict->flags & DICT_FLAG_TRY1NULL) {
+++	dbm_key.dsize++;
+++	dbm_value.dsize++;
+++    }
+++
+++    /*
+++     * Acquire an exclusive lock.
+++     */
+++    if ((dict->flags & DICT_FLAG_LOCK)
+++	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) < 0)
+++	msg_fatal("%s: lock dictionary: %m", dict_sdbm->path);
+++
+++    /*
+++     * Do the update.
+++     */
+++    if ((status = sdbm_store(dict_sdbm->dbm, dbm_key, dbm_value,
+++     (dict->flags & DICT_FLAG_DUP_REPLACE) ? DBM_REPLACE : DBM_INSERT)) < 0)
+++	msg_fatal("error writing SDBM database %s: %m", dict_sdbm->path);
+++    if (status) {
+++	if (dict->flags & DICT_FLAG_DUP_IGNORE)
+++	     /* void */ ;
+++	else if (dict->flags & DICT_FLAG_DUP_WARN)
+++	    msg_warn("%s: duplicate entry: \"%s\"", dict_sdbm->path, name);
+++	else
+++	    msg_fatal("%s: duplicate entry: \"%s\"", dict_sdbm->path, name);
+++    }
+++
+++    /*
+++     * Release the exclusive lock.
+++     */
+++    if ((dict->flags & DICT_FLAG_LOCK)
+++	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
+++	msg_fatal("%s: unlock dictionary: %m", dict_sdbm->path);
+++}
+++
+++
+++/* dict_sdbm_delete - delete one entry from the dictionary */
+++
+++static int dict_sdbm_delete(DICT *dict, const char *name)
+++{
+++    DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
+++    datum   dbm_key;
+++    int     status = 1;
+++    int     flags = 0;
+++
+++    /*
+++     * Acquire an exclusive lock.
+++     */
+++    if ((dict->flags & DICT_FLAG_LOCK)
+++	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) < 0)
+++	msg_fatal("%s: lock dictionary: %m", dict_sdbm->path);
+++
+++    /*
+++     * See if this DBM file was written with one null byte appended to key
+++     * and value.
+++     */
+++    if (dict->flags & DICT_FLAG_TRY1NULL) {
+++	dbm_key.dptr = (void *) name;
+++	dbm_key.dsize = strlen(name) + 1;
+++	sdbm_clearerr(dict_sdbm->dbm);
+++	if ((status = sdbm_delete(dict_sdbm->dbm, dbm_key)) < 0) {
+++	    if (sdbm_error(dict_sdbm->dbm) != 0)	/* fatal error */
+++		msg_fatal("error deleting from %s: %m", dict_sdbm->path);
+++	    status = 1;				/* not found */
+++	} else {
+++	    dict->flags &= ~DICT_FLAG_TRY0NULL;	/* found */
+++	}
+++    }
+++
+++    /*
+++     * See if this DBM file was written with no null byte appended to key and
+++     * value.
+++     */
+++    if (status > 0 && (dict->flags & DICT_FLAG_TRY0NULL)) {
+++	dbm_key.dptr = (void *) name;
+++	dbm_key.dsize = strlen(name);
+++	sdbm_clearerr(dict_sdbm->dbm);
+++	if ((status = sdbm_delete(dict_sdbm->dbm, dbm_key)) < 0) {
+++	    if (sdbm_error(dict_sdbm->dbm) != 0)	/* fatal error */
+++		msg_fatal("error deleting from %s: %m", dict_sdbm->path);
+++	    status = 1;				/* not found */
+++	} else {
+++	    dict->flags &= ~DICT_FLAG_TRY1NULL;	/* found */
+++	}
+++    }
+++
+++    /*
+++     * Release the exclusive lock.
+++     */
+++    if ((dict->flags & DICT_FLAG_LOCK)
+++	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
+++	msg_fatal("%s: unlock dictionary: %m", dict_sdbm->path);
+++
+++    return (status);
+++}
+++
+++/* traverse the dictionary */
+++
+++static int dict_sdbm_sequence(DICT *dict, const int function,
+++			             const char **key, const char **value)
+++{
+++    char   *myname = "dict_sdbm_sequence";
+++    DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
+++    datum   dbm_key;
+++    datum   dbm_value;
+++    int     status = 0;
+++    static VSTRING *key_buf;
+++    static VSTRING *value_buf;
+++
+++    /*
+++     * Acquire an exclusive lock.
+++     */
+++    if ((dict->flags & DICT_FLAG_LOCK)
+++	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) < 0)
+++	msg_fatal("%s: lock dictionary: %m", dict_sdbm->path);
+++
+++    /*
+++     * Determine and execute the seek function. It returns the key.
+++     */
+++    switch (function) {
+++    case DICT_SEQ_FUN_FIRST:
+++	dbm_key = sdbm_firstkey(dict_sdbm->dbm);
+++	break;
+++    case DICT_SEQ_FUN_NEXT:
+++	dbm_key = sdbm_nextkey(dict_sdbm->dbm);
+++	break;
+++    default:
+++	msg_panic("%s: invalid function: %d", myname, function);
+++    }
+++
+++    /*
+++     * Release the exclusive lock.
+++     */
+++    if ((dict->flags & DICT_FLAG_LOCK)
+++	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
+++	msg_fatal("%s: unlock dictionary: %m", dict_sdbm->path);
+++
+++    if (dbm_key.dptr != 0 && dbm_key.dsize > 0) {
+++
+++	/*
+++	 * See if this DB file was written with one null byte appended to key
+++	 * an d value or not. If necessary, copy the key.
+++	 */
+++	if (((char *) dbm_key.dptr)[dbm_key.dsize - 1] == 0) {
+++	    *key = dbm_key.dptr;
+++	} else {
+++	    if (key_buf == 0)
+++		key_buf = vstring_alloc(10);
+++	    vstring_strncpy(key_buf, dbm_key.dptr, dbm_key.dsize);
+++	    *key = vstring_str(key_buf);
+++	}
+++
+++	/*
+++	 * Fetch the corresponding value.
+++	 */
+++	dbm_value = sdbm_fetch(dict_sdbm->dbm, dbm_key);
+++
+++	if (dbm_value.dptr != 0 && dbm_value.dsize > 0) {
+++
+++	    /*
+++	     * See if this DB file was written with one null byte appended to
+++	     * key and value or not. If necessary, copy the key.
+++	     */
+++	    if (((char *) dbm_value.dptr)[dbm_value.dsize - 1] == 0) {
+++		*value = dbm_value.dptr;
+++	    } else {
+++		if (value_buf == 0)
+++		    value_buf = vstring_alloc(10);
+++		vstring_strncpy(value_buf, dbm_value.dptr, dbm_value.dsize);
+++		*value = vstring_str(value_buf);
+++	    }
+++	} else {
+++
+++	    /*
+++	     * Determine if we have hit the last record or an error
+++	     * condition.
+++	     */
+++	    if (sdbm_error(dict_sdbm->dbm))
+++		msg_fatal("error seeking %s: %m", dict_sdbm->path);
+++	    return (1);				/* no error: eof/not found
+++						 * (should not happen!) */
+++	}
+++    } else {
+++
+++	/*
+++	 * Determine if we have hit the last record or an error condition.
+++	 */
+++	if (sdbm_error(dict_sdbm->dbm))
+++	    msg_fatal("error seeking %s: %m", dict_sdbm->path);
+++	return (1);				/* no error: eof/not found */
+++    }
+++    return (0);
+++}
+++
+++/* dict_sdbm_close - disassociate from data base */
+++
+++static void dict_sdbm_close(DICT *dict)
+++{
+++    DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
+++
+++    sdbm_close(dict_sdbm->dbm);
+++    myfree(dict_sdbm->path);
+++    myfree((char *) dict_sdbm);
+++}
+++
+++/* dict_sdbm_open - open SDBM data base */
+++
+++DICT   *dict_sdbm_open(const char *path, int open_flags, int dict_flags)
+++{
+++    DICT_SDBM *dict_sdbm;
+++    struct stat st;
+++    SDBM   *dbm;
+++    char   *dbm_path;
+++    int     lock_fd;
+++
+++    if (dict_flags & DICT_FLAG_LOCK) {
+++	dbm_path = concatenate(path, ".pag", (char *) 0);
+++	if ((lock_fd = open(dbm_path, open_flags, 0644)) < 0)
+++	    msg_fatal("open database %s: %m", dbm_path);
+++	if (myflock(lock_fd, INTERNAL_LOCK, MYFLOCK_OP_SHARED) < 0)
+++	    msg_fatal("shared-lock database %s for open: %m", dbm_path);
+++    }
+++
+++    /*
+++     * XXX SunOS 5.x has no const in dbm_open() prototype.
+++     */
+++    if ((dbm = sdbm_open((char *) path, open_flags, 0644)) == 0)
+++	msg_fatal("open database %s.{dir,pag}: %m", path);
+++
+++    if (dict_flags & DICT_FLAG_LOCK) {
+++	if (myflock(lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
+++	    msg_fatal("unlock database %s for open: %m", dbm_path);
+++	if (close(lock_fd) < 0)
+++	    msg_fatal("close database %s: %m", dbm_path);
+++	myfree(dbm_path);
+++    }
+++    dict_sdbm = (DICT_SDBM *) mymalloc(sizeof(*dict_sdbm));
+++    dict_sdbm->dict.lookup = dict_sdbm_lookup;
+++    dict_sdbm->dict.update = dict_sdbm_update;
+++    dict_sdbm->dict.delete = dict_sdbm_delete;
+++    dict_sdbm->dict.sequence = dict_sdbm_sequence;
+++    dict_sdbm->dict.close = dict_sdbm_close;
+++    dict_sdbm->dict.lock_fd = sdbm_dirfno(dbm);
+++    dict_sdbm->dict.stat_fd = sdbm_pagfno(dbm);
+++    if (fstat(dict_sdbm->dict.stat_fd, &st) < 0)
+++	msg_fatal("dict_sdbm_open: fstat: %m");
+++    dict_sdbm->dict.mtime = st.st_mtime;
+++    close_on_exec(sdbm_pagfno(dbm), CLOSE_ON_EXEC);
+++    close_on_exec(sdbm_dirfno(dbm), CLOSE_ON_EXEC);
+++    dict_sdbm->dict.flags = dict_flags | DICT_FLAG_FIXED;
+++    if ((dict_flags & (DICT_FLAG_TRY0NULL | DICT_FLAG_TRY1NULL)) == 0)
+++	dict_sdbm->dict.flags |= (DICT_FLAG_TRY0NULL | DICT_FLAG_TRY1NULL);
+++    dict_sdbm->dbm = dbm;
+++    dict_sdbm->path = mystrdup(path);
+++
+++    return (&dict_sdbm->dict);
+++}
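Review bot: dict_sdbm_sequence() releases the lock immediately after sdbm_firstkey()/sdbm_nextkey() and only afterwards copies the key and calls sdbm_fetch() for the value, so with DICT_FLAG_LOCK a concurrent writer can change the page between the two calls; the unlock should move below the value fetch. The lock comments also disagree with the code: dict_sdbm_lookup() says "Acquire an exclusive lock" but requests MYFLOCK_OP_SHARED (the correct mode for a read), so the comment should say shared. Documentation nits in the same hunk: the SYNOPSIS lists `const char *name;` although dict_sdbm_open() takes only path, open_flags and dict_flags; "one null byte appended to key an d value" has a stray space; and the second copy of that comment, in the value branch, says "If necessary, copy the key" where the value is copied. Finally, the "XXX SunOS 5.x has no const in dbm_open()" comment and the `(char *) path` cast are carried over from dict_dbm.c; sdbm_open() is this patch's own function, so it can take `const char *` and the cast can go.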
++diff -ruN postfix-2.1.0-vanilla/src/util/dict_sdbm.h postfix-2.1.0/src/util/dict_sdbm.h
++--- postfix-2.1.0-vanilla/src/util/dict_sdbm.h	Thu Jan  1 01:00:00 1970
+++++ postfix-2.1.0/src/util/dict_sdbm.h	Sat Apr 24 14:35:29 2004
++@@ -0,0 +1,37 @@
+++#ifndef _DICT_SDBM_H_INCLUDED_
+++#define _DICT_SDBM_H_INCLUDED_
+++
+++/*++
+++/* NAME
+++/*	dict_dbm 3h
+++/* SUMMARY
+++/*	dictionary manager interface to DBM files
+++/* SYNOPSIS
+++/*	#include <dict_dbm.h>
+++/* DESCRIPTION
+++/* .nf
+++
+++ /*
+++  * Utility library.
+++  */
+++#include <dict.h>
+++
+++ /*
+++  * External interface.
+++  */
+++#define DICT_TYPE_SDBM "sdbm"
+++
+++extern DICT *dict_sdbm_open(const char *, int, int);
+++
+++/* LICENSE
+++/* .ad
+++/* .fi
+++/*	The Secure Mailer license must be distributed with this software.
+++/* AUTHOR(S)
+++/*	Wietse Venema
+++/*	IBM T.J. Watson Research
+++/*	P.O. Box 704
+++/*	Yorktown Heights, NY 10598, USA
+++/*--*/
+++
+++#endif
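Review bot: the manual-page header still describes the dbm module: NAME says `dict_dbm 3h`, SUMMARY says "DBM files" and SYNOPSIS says `#include <dict_dbm.h>`, while this file is dict_sdbm.h and declares dict_sdbm_open(). Change them to `dict_sdbm 3h`, "SDBM files" and `#include <dict_sdbm.h>` so the generated documentation refers to the right header.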
++diff -ruN postfix-2.1.0-vanilla/src/util/sdbm.c postfix-2.1.0/src/util/sdbm.c
++--- postfix-2.1.0-vanilla/src/util/sdbm.c	Thu Jan  1 01:00:00 1970
+++++ postfix-2.1.0/src/util/sdbm.c	Sat Apr 24 14:35:29 2004
++@@ -0,0 +1,971 @@
+++/*++
+++/* NAME
+++/*      sdbm 3h
+++/* SUMMARY
+++/*      SDBM Simple DBM: ndbm work-alike hashed database library
+++/* SYNOPSIS
+++/*      include "sdbm.h"
+++/* DESCRIPTION
+++/*	This file includes the public domain SDBM (ndbm work-alike hashed
+++/*	database library), based on Per-Aake Larson's Dynamic Hashing
+++/*	algorithms. BIT 18 (1978).
+++/*	author: oz at nexus.yorku.ca
+++/*	status: public domain
+++/*	The file has been patched following the advice of Uwe Ohse
+++/*	<uwe at ohse.de>:
+++/*	--------------------------------------------------------------
+++/*	this patch fixes a problem with sdbms .dir file, which arrises when
+++/*	a second .dir block is needed for the first time. read() returns 0
+++/*	in that case, and the library forgot to initialize that new block.
+++/*
+++/*	A related problem is that the calculation of db->maxbno is wrong.
+++/*	It just appends 4096*BYTESIZ bits, which is not enough except for
+++/*	small databases (.dir basically doubles everytime it's too small).
+++/*	--------------------------------------------------------------
+++/*	According to Uwe Ohse, the patch has also been submitted to the
+++/*	author of SDBM. (The 4096*BYTESIZ bits comment may apply with a
+++/*	different size for Postfix/TLS, as the patch was sent against the
+++/*	original SDBM distributiona and for Postfix/TLS I have changed the
+++/*	default sizes.
+++/* .nf
+++/*--*/
+++
+++/*
+++ * sdbm - ndbm work-alike hashed database library
+++ * based on Per-Aake Larson's Dynamic Hashing algorithms. BIT 18 (1978).
+++ * author: oz at nexus.yorku.ca
+++ * status: public domain.
+++ *
+++ * core routines
+++ */
+++
+++#include <stdio.h>
+++#include <stdlib.h>
+++#ifdef WIN32
+++#include <io.h>
+++#include <errno.h>
+++#else
+++#include <unistd.h>
+++#endif
+++#include <sys/types.h>
+++#include <sys/stat.h>
+++#include <fcntl.h>
+++#include <errno.h>
+++#include <string.h>
+++#ifdef __STDC__
+++#include <stddef.h>
+++#endif
+++
+++#include <sdbm.h>
+++
+++/*
+++ * useful macros
+++ */
+++#define bad(x)          ((x).dptr == NULL || (x).dsize <= 0)
+++#define exhash(item)    sdbm_hash((item).dptr, (item).dsize)
+++#define ioerr(db)       ((db)->flags |= DBM_IOERR)
+++
+++#define OFF_PAG(off)    (long) (off) * PBLKSIZ
+++#define OFF_DIR(off)    (long) (off) * DBLKSIZ
+++
+++static long masks[] =
+++{
+++    000000000000, 000000000001, 000000000003, 000000000007,
+++    000000000017, 000000000037, 000000000077, 000000000177,
+++    000000000377, 000000000777, 000000001777, 000000003777,
+++    000000007777, 000000017777, 000000037777, 000000077777,
+++    000000177777, 000000377777, 000000777777, 000001777777,
+++    000003777777, 000007777777, 000017777777, 000037777777,
+++    000077777777, 000177777777, 000377777777, 000777777777,
+++    001777777777, 003777777777, 007777777777, 017777777777
+++};
+++
+++datum   nullitem =
+++{NULL, 0};
+++
+++typedef struct
+++{
+++    int     dirf;			/* directory file descriptor */
+++    int     pagf;			/* page file descriptor */
+++    int     flags;			/* status/error flags, see below */
+++    long    maxbno;			/* size of dirfile in bits */
+++    long    curbit;			/* current bit number */
+++    long    hmask;			/* current hash mask */
+++    long    blkptr;			/* current block for nextkey */
+++    int     keyptr;			/* current key for nextkey */
+++    long    blkno;			/* current page to read/write */
+++    long    pagbno;			/* current page in pagbuf */
+++    char   *pagbuf;			/* page file block buffer */
+++    long    dirbno;			/* current block in dirbuf */
+++    char   *dirbuf;			/* directory file block buffer */
+++}       DBM;
+++
+++
+++/* ************************* */
+++
+++/*
+++ * sdbm - ndbm work-alike hashed database library
+++ * based on Per-Aake Larson's Dynamic Hashing algorithms. BIT 18 (1978).
+++ * author: oz at nexus.yorku.ca
+++ * status: public domain. keep it that way.
+++ *
+++ * hashing routine
+++ */
+++
+++/*
+++ * polynomial conversion ignoring overflows
+++ * [this seems to work remarkably well, in fact better
+++ * then the ndbm hash function. Replace at your own risk]
+++ * use: 65599   nice.
+++ *      65587   even better.
+++ */
+++static long sdbm_hash (char *str, int len)
+++{
+++    unsigned long n = 0;
+++
+++#ifdef DUFF
+++#define HASHC   n = *str++ + 65599 * n
+++    if (len > 0)
+++      {
+++	  int     loop = (len + 8 - 1) >> 3;
+++
+++	  switch (len & (8 - 1))
+++	    {
+++	    case 0:
+++		do
+++		  {
+++		      HASHC;
+++	    case 7:
+++		      HASHC;
+++	    case 6:
+++		      HASHC;
+++	    case 5:
+++		      HASHC;
+++	    case 4:
+++		      HASHC;
+++	    case 3:
+++		      HASHC;
+++	    case 2:
+++		      HASHC;
+++	    case 1:
+++		      HASHC;
+++		  }
+++		while (--loop);
+++	    }
+++
+++      }
+++#else
+++    while (len--)
+++	n = *str++ + 65599 * n;
+++#endif
+++    return n;
+++}
+++
+++/*
+++ * check page sanity:
+++ * number of entries should be something
+++ * reasonable, and all offsets in the index should be in order.
+++ * this could be made more rigorous.
+++ */
+++static int chkpage (char *pag)
+++{
+++    int     n;
+++    int     off;
+++    short  *ino = (short *) pag;
+++
+++    if ((n = ino[0]) < 0 || n > PBLKSIZ / sizeof (short))
+++	        return 0;
+++
+++    if (n > 0)
+++      {
+++	  off = PBLKSIZ;
+++	  for (ino++; n > 0; ino += 2)
+++	    {
+++		if (ino[0] > off || ino[1] > off ||
+++		    ino[1] > ino[0])
+++		    return 0;
+++		off = ino[1];
+++		n -= 2;
+++	    }
+++      }
+++    return 1;
+++}
+++
+++/*
+++ * search for the key in the page.
+++ * return offset index in the range 0 < i < n.
+++ * return 0 if not found.
+++ */
+++static int seepair (char *pag, int n, char *key, int siz)
+++{
+++    int     i;
+++    int     off = PBLKSIZ;
+++    short  *ino = (short *) pag;
+++
+++    for (i = 1; i < n; i += 2)
+++      {
+++	  if (siz == off - ino[i] &&
+++	      memcmp (key, pag + ino[i], siz) == 0)
+++	      return i;
+++	  off = ino[i + 1];
+++      }
+++    return 0;
+++}
+++
+++#ifdef SEEDUPS
+++static int duppair (char *pag, datum key)
+++{
+++    short  *ino = (short *) pag;
+++
+++    return ino[0] > 0 && seepair (pag, ino[0], key.dptr, key.dsize) > 0;
+++}
+++
+++#endif
+++
+++/* ************************* */
+++
+++/*
+++ * sdbm - ndbm work-alike hashed database library
+++ * based on Per-Aake Larson's Dynamic Hashing algorithms. BIT 18 (1978).
+++ * author: oz at nexus.yorku.ca
+++ * status: public domain.
+++ *
+++ * page-level routines
+++ */
+++
+++/*
+++ * page format:
+++ *      +------------------------------+
+++ * ino  | n | keyoff | datoff | keyoff |
+++ *      +------------+--------+--------+
+++ *      | datoff | - - - ---->         |
+++ *      +--------+---------------------+
+++ *      |        F R E E A R E A       |
+++ *      +--------------+---------------+
+++ *      |  <---- - - - | data          |
+++ *      +--------+-----+----+----------+
+++ *      |  key   | data     | key      |
+++ *      +--------+----------+----------+
+++ *
+++ * calculating the offsets for free area:  if the number
+++ * of entries (ino[0]) is zero, the offset to the END of
+++ * the free area is the block size. Otherwise, it is the
+++ * nth (ino[ino[0]]) entry's offset.
+++ */
+++
+++static int fitpair (char *pag, int need)
+++{
+++    int     n;
+++    int     off;
+++    int     avail;
+++    short  *ino = (short *) pag;
+++
+++    off = ((n = ino[0]) > 0) ? ino[n] : PBLKSIZ;
+++    avail = off - (n + 1) * sizeof (short);
+++    need += 2 * sizeof (short);
+++
+++    return need <= avail;
+++}
+++
+++static void putpair (char *pag, datum key, datum val)
+++{
+++    int     n;
+++    int     off;
+++    short  *ino = (short *) pag;
+++
+++    off = ((n = ino[0]) > 0) ? ino[n] : PBLKSIZ;
+++/*
+++ * enter the key first
+++ */
+++    off -= key.dsize;
+++    (void) memcpy (pag + off, key.dptr, key.dsize);
+++    ino[n + 1] = off;
+++/*
+++ * now the data
+++ */
+++    off -= val.dsize;
+++    (void) memcpy (pag + off, val.dptr, val.dsize);
+++    ino[n + 2] = off;
+++/*
+++ * adjust item count
+++ */
+++    ino[0] += 2;
+++}
+++
+++static datum getpair (char *pag, datum key)
+++{
+++    int     i;
+++    int     n;
+++    datum   val;
+++    short  *ino = (short *) pag;
+++
+++    if ((n = ino[0]) == 0)
+++	return nullitem;
+++
+++    if ((i = seepair (pag, n, key.dptr, key.dsize)) == 0)
+++	return nullitem;
+++
+++    val.dptr = pag + ino[i + 1];
+++    val.dsize = ino[i] - ino[i + 1];
+++    return val;
+++}
+++
+++static datum getnkey (char *pag, int num)
+++{
+++    datum   key;
+++    int     off;
+++    short  *ino = (short *) pag;
+++
+++    num = num * 2 - 1;
+++    if (ino[0] == 0 || num > ino[0])
+++	return nullitem;
+++
+++    off = (num > 1) ? ino[num - 1] : PBLKSIZ;
+++
+++    key.dptr = pag + ino[num];
+++    key.dsize = off - ino[num];
+++
+++    return key;
+++}
+++
+++static int delpair (char *pag, datum key)
+++{
+++    int     n;
+++    int     i;
+++    short  *ino = (short *) pag;
+++
+++    if ((n = ino[0]) == 0)
+++	return 0;
+++
+++    if ((i = seepair (pag, n, key.dptr, key.dsize)) == 0)
+++	return 0;
+++/*
+++ * found the key. if it is the last entry
+++ * [i.e. i == n - 1] we just adjust the entry count.
+++ * hard case: move all data down onto the deleted pair,
+++ * shift offsets onto deleted offsets, and adjust them.
+++ * [note: 0 < i < n]
+++ */
+++    if (i < n - 1)
+++      {
+++	  int     m;
+++	  char   *dst = pag + (i == 1 ? PBLKSIZ : ino[i - 1]);
+++	  char   *src = pag + ino[i + 1];
+++	  int     zoo = dst - src;
+++
+++/*
+++ * shift data/keys down
+++ */
+++	  m = ino[i + 1] - ino[n];
+++#ifdef DUFF
+++#define MOVB    *--dst = *--src
+++	  if (m > 0)
+++	    {
+++		int     loop = (m + 8 - 1) >> 3;
+++
+++		switch (m & (8 - 1))
+++		  {
+++		  case 0:
+++		      do
+++			{
+++			    MOVB;
+++		  case 7:
+++			    MOVB;
+++		  case 6:
+++			    MOVB;
+++		  case 5:
+++			    MOVB;
+++		  case 4:
+++			    MOVB;
+++		  case 3:
+++			    MOVB;
+++		  case 2:
+++			    MOVB;
+++		  case 1:
+++			    MOVB;
+++			}
+++		      while (--loop);
+++		  }
+++	    }
+++#else
+++	  dst -= m;
+++	  src -= m;
+++	  memmove (dst, src, m);
+++#endif
+++/*
+++ * adjust offset index up
+++ */
+++	  while (i < n - 1)
+++	    {
+++		ino[i] = ino[i + 2] + zoo;
+++		i++;
+++	    }
+++      }
+++    ino[0] -= 2;
+++    return 1;
+++}
+++
+++static void splpage (char *pag, char *new, long sbit)
+++{
+++    datum   key;
+++    datum   val;
+++
+++    int     n;
+++    int     off = PBLKSIZ;
+++    char    cur[PBLKSIZ];
+++    short  *ino = (short *) cur;
+++
+++    (void) memcpy (cur, pag, PBLKSIZ);
+++    (void) memset (pag, 0, PBLKSIZ);
+++    (void) memset (new, 0, PBLKSIZ);
+++
+++    n = ino[0];
+++    for (ino++; n > 0; ino += 2)
+++      {
+++	  key.dptr = cur + ino[0];
+++	  key.dsize = off - ino[0];
+++	  val.dptr = cur + ino[1];
+++	  val.dsize = ino[0] - ino[1];
+++/*
+++ * select the page pointer (by looking at sbit) and insert
+++ */
+++	  (void) putpair ((exhash (key) & sbit) ? new : pag, key, val);
+++
+++	  off = ino[1];
+++	  n -= 2;
+++      }
+++}
+++
+++static int getdbit (DBM * db, long dbit)
+++{
+++    long    c;
+++    long    dirb;
+++
+++    c = dbit / BYTESIZ;
+++    dirb = c / DBLKSIZ;
+++
+++    if (dirb != db->dirbno)
+++      {
+++	  int got;
+++	  if (lseek (db->dirf, OFF_DIR (dirb), SEEK_SET) < 0
+++	      || (got = read(db->dirf, db->dirbuf, DBLKSIZ)) < 0)
+++	      return 0;
+++	  if (got==0)
+++              memset(db->dirbuf,0,DBLKSIZ);
+++	  db->dirbno = dirb;
+++      }
+++
+++    return db->dirbuf[c % DBLKSIZ] & (1 << dbit % BYTESIZ);
+++}
+++
+++static int setdbit (DBM * db, long dbit)
+++{
+++    long    c;
+++    long    dirb;
+++
+++    c = dbit / BYTESIZ;
+++    dirb = c / DBLKSIZ;
+++
+++    if (dirb != db->dirbno)
+++      {
+++	  int got;
+++	  if (lseek (db->dirf, OFF_DIR (dirb), SEEK_SET) < 0
+++	      || (got = read(db->dirf, db->dirbuf, DBLKSIZ)) < 0)
+++	      return 0;
+++	  if (got==0)
+++              memset(db->dirbuf,0,DBLKSIZ);
+++	  db->dirbno = dirb;
+++      }
+++
+++    db->dirbuf[c % DBLKSIZ] |= (1 << dbit % BYTESIZ);
+++
+++#if 0
+++    if (dbit >= db->maxbno)
+++	db->maxbno += DBLKSIZ * BYTESIZ;
+++#else
+++    if (OFF_DIR((dirb+1))*BYTESIZ > db->maxbno)
+++        db->maxbno=OFF_DIR((dirb+1))*BYTESIZ;
+++#endif
+++
+++    if (lseek (db->dirf, OFF_DIR (dirb), SEEK_SET) < 0
+++	|| write (db->dirf, db->dirbuf, DBLKSIZ) < 0)
+++	return 0;
+++
+++    return 1;
+++}
+++
+++/*
+++ * getnext - get the next key in the page, and if done with
+++ * the page, try the next page in sequence
+++ */
+++static datum getnext (DBM * db)
+++{
+++    datum   key;
+++
+++    for (;;)
+++      {
+++	  db->keyptr++;
+++	  key = getnkey (db->pagbuf, db->keyptr);
+++	  if (key.dptr != NULL)
+++	      return key;
+++/*
+++ * we either run out, or there is nothing on this page..
+++ * try the next one... If we lost our position on the
+++ * file, we will have to seek.
+++ */
+++	  db->keyptr = 0;
+++	  if (db->pagbno != db->blkptr++)
+++	      if (lseek (db->pagf, OFF_PAG (db->blkptr), SEEK_SET) < 0)
+++		  break;
+++	  db->pagbno = db->blkptr;
+++	  if (read (db->pagf, db->pagbuf, PBLKSIZ) <= 0)
+++	      break;
+++	  if (!chkpage (db->pagbuf))
+++	      break;
+++      }
+++
+++    return ioerr (db), nullitem;
+++}
+++
+++/*
+++ * all important binary trie traversal
+++ */
+++static int getpage (DBM * db, long hash)
+++{
+++    int     hbit;
+++    long    dbit;
+++    long    pagb;
+++
+++    dbit = 0;
+++    hbit = 0;
+++    while (dbit < db->maxbno && getdbit (db, dbit))
+++	dbit = 2 * dbit + ((hash & (1 << hbit++)) ? 2 : 1);
+++
+++    db->curbit = dbit;
+++    db->hmask = masks[hbit];
+++
+++    pagb = hash & db->hmask;
+++/*
+++ * see if the block we need is already in memory.
+++ * note: this lookaside cache has about 10% hit rate.
+++ */
+++    if (pagb != db->pagbno)
+++      {
+++/*
+++ * note: here, we assume a "hole" is read as 0s.
+++ * if not, must zero pagbuf first.
+++ */
+++	  if (lseek (db->pagf, OFF_PAG (pagb), SEEK_SET) < 0
+++	      || read (db->pagf, db->pagbuf, PBLKSIZ) < 0)
+++	      return 0;
+++	  if (!chkpage (db->pagbuf))
+++	      return 0;
+++	  db->pagbno = pagb;
+++      }
+++    return 1;
+++}
+++
+++/*
+++ * makroom - make room by splitting the overfull page
+++ * this routine will attempt to make room for SPLTMAX times before
+++ * giving up.
+++ */
+++static int makroom (DBM * db, long hash, int need)
+++{
+++    long    newp;
+++    char    twin[PBLKSIZ];
+++    char   *pag = db->pagbuf;
+++    char   *new = twin;
+++    int     smax = SPLTMAX;
+++
+++    do
+++      {
+++/*
+++ * split the current page
+++ */
+++	  (void) splpage (pag, new, db->hmask + 1);
+++/*
+++ * address of the new page
+++ */
+++	  newp = (hash & db->hmask) | (db->hmask + 1);
+++
+++/*
+++ * write delay, read avoidence/cache shuffle:
+++ * select the page for incoming pair: if key is to go to the new page,
+++ * write out the previous one, and copy the new one over, thus making
+++ * it the current page. If not, simply write the new page, and we are
+++ * still looking at the page of interest. current page is not updated
+++ * here, as sdbm_store will do so, after it inserts the incoming pair.
+++ */
+++	  if (hash & (db->hmask + 1))
+++	    {
+++		if (lseek (db->pagf, OFF_PAG (db->pagbno), SEEK_SET) < 0
+++		    || write (db->pagf, db->pagbuf, PBLKSIZ) < 0)
+++		    return 0;
+++		db->pagbno = newp;
+++		(void) memcpy (pag, new, PBLKSIZ);
+++	    }
+++	  else if (lseek (db->pagf, OFF_PAG (newp), SEEK_SET) < 0
+++		   || write (db->pagf, new, PBLKSIZ) < 0)
+++	      return 0;
+++
+++	  if (!setdbit (db, db->curbit))
+++	      return 0;
+++/*
+++ * see if we have enough room now
+++ */
+++	  if (fitpair (pag, need))
+++	      return 1;
+++/*
+++ * try again... update curbit and hmask as getpage would have
+++ * done. because of our update of the current page, we do not
+++ * need to read in anything. BUT we have to write the current
+++ * [deferred] page out, as the window of failure is too great.
+++ */
+++	  db->curbit = 2 * db->curbit +
+++	      ((hash & (db->hmask + 1)) ? 2 : 1);
+++	  db->hmask |= db->hmask + 1;
+++
+++	  if (lseek (db->pagf, OFF_PAG (db->pagbno), SEEK_SET) < 0
+++	      || write (db->pagf, db->pagbuf, PBLKSIZ) < 0)
+++	      return 0;
+++
+++      }
+++    while (--smax);
+++/*
+++ * if we are here, this is real bad news. After SPLTMAX splits,
+++ * we still cannot fit the key. say goodnight.
+++ */
+++#ifdef BADMESS
+++    (void) write (2, "sdbm: cannot insert after SPLTMAX attempts.\n", 44);
+++#endif
+++    return 0;
+++
+++}
+++
+++static SDBM *sdbm_prep (char *dirname, char *pagname, int flags, int mode)
+++{
+++    SDBM   *db;
+++    struct stat dstat;
+++
+++    if ((db = (SDBM *) mymalloc (sizeof (SDBM))) == NULL)
+++	return errno = ENOMEM, (SDBM *) NULL;
+++
+++    db->flags = 0;
+++    db->blkptr = 0;
+++    db->keyptr = 0;
+++/*
+++ * adjust user flags so that WRONLY becomes RDWR,
+++ * as required by this package. Also set our internal
+++ * flag for RDONLY if needed.
+++ */
+++    if (flags & O_WRONLY)
+++	flags = (flags & ~O_WRONLY) | O_RDWR;
+++    else if ((flags & 03) == O_RDONLY)
+++	db->flags = DBM_RDONLY;
+++#if defined(OS2) || defined(MSDOS) || defined(WIN32)
+++    flags |= O_BINARY;
+++#endif
+++
+++/*
+++ * Make sure to ignore the O_EXCL option, as the file might exist due
+++ * to the locking.
+++ */
+++    flags &= ~O_EXCL;
+++
+++/*
+++ * open the files in sequence, and stat the dirfile.
+++ * If we fail anywhere, undo everything, return NULL.
+++ */
+++
+++    if ((db->pagf = open (pagname, flags, mode)) > -1)
+++      {
+++	  if ((db->dirf = open (dirname, flags, mode)) > -1)
+++	    {
+++/*
+++ * need the dirfile size to establish max bit number.
+++ */
+++		if (fstat (db->dirf, &dstat) == 0)
+++		  {
+++		      /*
+++                       * success
+++                       */
+++		      return db;
+++		  }
+++		msg_info ("closing dirf");
+++		(void) close (db->dirf);
+++	    }
+++	  msg_info ("closing pagf");
+++	  (void) close (db->pagf);
+++      }
+++    myfree ((char *) db);
+++    return (SDBM *) NULL;
+++}
+++
+++static DBM *sdbm_internal_open (SDBM * sdbm)
+++{
+++    DBM    *db;
+++    struct stat dstat;
+++
+++    if ((db = (DBM *) mymalloc (sizeof (DBM))) == NULL)
+++	return errno = ENOMEM, (DBM *) NULL;
+++
+++    db->flags = sdbm->flags;
+++    db->hmask = 0;
+++    db->blkptr = sdbm->blkptr;
+++    db->keyptr = sdbm->keyptr;
+++    db->pagf = sdbm->pagf;
+++    db->dirf = sdbm->dirf;
+++    db->pagbuf = sdbm->pagbuf;
+++    db->dirbuf = sdbm->dirbuf;
+++
+++/*
+++ * need the dirfile size to establish max bit number.
+++ */
+++    if (fstat (db->dirf, &dstat) == 0)
+++      {
+++/*
+++ * zero size: either a fresh database, or one with a single,
+++ * unsplit data page: dirpage is all zeros.
+++ */
+++	  db->dirbno = (!dstat.st_size) ? 0 : -1;
+++	  db->pagbno = -1;
+++	  db->maxbno = dstat.st_size * BYTESIZ;
+++
+++	  (void) memset (db->pagbuf, 0, PBLKSIZ);
+++	  (void) memset (db->dirbuf, 0, DBLKSIZ);
+++	  return db;
+++      }
+++    myfree ((char *) db);
+++    return (DBM *) NULL;
+++}
+++
+++static void sdbm_internal_close (DBM * db)
+++{
+++    if (db == NULL)
+++	errno = EINVAL;
+++    else
+++      {
+++	  myfree ((char *) db);
+++      }
+++}
+++
+++datum   sdbm_fetch (SDBM * sdb, datum key)
+++{
+++    datum   retval;
+++    DBM    *db;
+++
+++    if (sdb == NULL || bad (key))
+++	return errno = EINVAL, nullitem;
+++
+++    if (!(db = sdbm_internal_open (sdb)))
+++	return errno = EINVAL, nullitem;
+++
+++    if (getpage (db, exhash (key)))
+++      {
+++	  retval = getpair (db->pagbuf, key);
+++	  sdbm_internal_close (db);
+++	  return retval;
+++      }
+++
+++    sdbm_internal_close (db);
+++
+++    return ioerr (sdb), nullitem;
+++}
+++
+++int     sdbm_delete (SDBM * sdb, datum key)
+++{
+++    int     retval;
+++    DBM    *db;
+++
+++    if (sdb == NULL || bad (key))
+++	return errno = EINVAL, -1;
+++    if (sdbm_rdonly (sdb))
+++	return errno = EPERM, -1;
+++
+++    if (!(db = sdbm_internal_open (sdb)))
+++	return errno = EINVAL, -1;
+++
+++    if (getpage (db, exhash (key)))
+++      {
+++	  if (!delpair (db->pagbuf, key))
+++	      retval = -1;
+++/*
+++ * update the page file
+++ */
+++	  else if (lseek (db->pagf, OFF_PAG (db->pagbno), SEEK_SET) < 0
+++		   || write (db->pagf, db->pagbuf, PBLKSIZ) < 0)
+++	      retval = ioerr (sdb), -1;
+++	  else
+++	      retval = 0;
+++      }
+++    else
+++	retval = ioerr (sdb), -1;
+++
+++    sdbm_internal_close (db);
+++
+++    return retval;
+++}
+++
+++int     sdbm_store (SDBM * sdb, datum key, datum val, int flags)
+++{
+++    int     need;
+++    int     retval;
+++    long    hash;
+++    DBM    *db;
+++
+++    if (sdb == NULL || bad (key))
+++	return errno = EINVAL, -1;
+++    if (sdbm_rdonly (sdb))
+++	return errno = EPERM, -1;
+++
+++    need = key.dsize + val.dsize;
+++/*
+++ * is the pair too big (or too small) for this database ??
+++ */
+++    if (need < 0 || need > PAIRMAX)
+++	return errno = EINVAL, -1;
+++
+++    if (!(db = sdbm_internal_open (sdb)))
+++	return errno = EINVAL, -1;
+++
+++    if (getpage (db, (hash = exhash (key))))
+++      {
+++/*
+++ * if we need to replace, delete the key/data pair
+++ * first. If it is not there, ignore.
+++ */
+++	  if (flags == DBM_REPLACE)
+++	      (void) delpair (db->pagbuf, key);
+++#ifdef SEEDUPS
+++	  else if (duppair (db->pagbuf, key))
+++	    {
+++		sdbm_internal_close (db);
+++		return 1;
+++	    }
+++#endif
+++/*
+++ * if we do not have enough room, we have to split.
+++ */
+++	  if (!fitpair (db->pagbuf, need))
+++	      if (!makroom (db, hash, need))
+++		{
+++		    sdbm_internal_close (db);
+++		    return ioerr (db), -1;
+++		}
+++/*
+++ * we have enough room or split is successful. insert the key,
+++ * and update the page file.
+++ */
+++	  (void) putpair (db->pagbuf, key, val);
+++
+++	  if (lseek (db->pagf, OFF_PAG (db->pagbno), SEEK_SET) < 0
+++	      || write (db->pagf, db->pagbuf, PBLKSIZ) < 0)
+++	    {
+++		sdbm_internal_close (db);
+++		return ioerr (db), -1;
+++	    }
+++	  /*
+++           * success
+++           */
+++	  sdbm_internal_close (db);
+++	  return 0;
+++      }
+++
+++    sdbm_internal_close (db);
+++    return ioerr (sdb), -1;
+++}
+++
+++/*
+++ * the following two routines will break if
+++ * deletions aren't taken into account. (ndbm bug)
+++ */
+++datum   sdbm_firstkey (SDBM * sdb)
+++{
+++    datum   retval;
+++    DBM    *db;
+++
+++    if (sdb == NULL)
+++	return errno = EINVAL, nullitem;
+++
+++    if (!(db = sdbm_internal_open (sdb)))
+++	return errno = EINVAL, nullitem;
+++
+++/*
+++ * start at page 0
+++ */
+++    if (lseek (db->pagf, OFF_PAG (0), SEEK_SET) < 0
+++	|| read (db->pagf, db->pagbuf, PBLKSIZ) < 0)
+++      {
+++	  sdbm_internal_close (db);
+++	  return ioerr (sdb), nullitem;
+++      }
+++    db->pagbno = 0;
+++    db->blkptr = 0;
+++    db->keyptr = 0;
+++
+++    retval = getnext (db);
+++    sdb->blkptr = db->blkptr;
+++    sdb->keyptr = db->keyptr;
+++    sdbm_internal_close (db);
+++    return retval;
+++}
+++
+++datum   sdbm_nextkey (SDBM * sdb)
+++{
+++    datum   retval;
+++    DBM    *db;
+++
+++    if (sdb == NULL)
+++	return errno = EINVAL, nullitem;
+++
+++    if (!(db = sdbm_internal_open (sdb)))
+++	return errno = EINVAL, nullitem;
+++
+++    retval = getnext (db);
+++    sdb->blkptr = db->blkptr;
+++    sdb->keyptr = db->keyptr;
+++    sdbm_internal_close (db);
+++    return retval;
+++}
+++
+++void    sdbm_close (SDBM * db)
+++{
+++    if (db == NULL)
+++	errno = EINVAL;
+++    else
+++      {
+++	  (void) close (db->dirf);
+++	  (void) close (db->pagf);
+++	  myfree ((char *) db);
+++      }
+++}
+++
+++SDBM   *sdbm_open (char *file, int flags, int mode)
+++{
+++    SDBM   *db;
+++    char   *dirname;
+++    char   *pagname;
+++    int     n;
+++
+++    if (file == NULL || !*file)
+++	return errno = EINVAL, (SDBM *) NULL;
+++/*
+++ * need space for two seperate filenames
+++ */
+++    n = strlen (file) * 2 + strlen (DIRFEXT) + strlen (PAGFEXT) + 2;
+++
+++    if ((dirname = (char *) mymalloc ((unsigned) n)) == NULL)
+++	return errno = ENOMEM, (SDBM *) NULL;
+++/*
+++ * build the file names
+++ */
+++    dirname = strcat (strcpy (dirname, file), DIRFEXT);
+++    pagname = strcpy (dirname + strlen (dirname) + 1, file);
+++    pagname = strcat (pagname, PAGFEXT);
+++
+++    db = sdbm_prep (dirname, pagname, flags, mode);
+++    myfree ((char *) dirname);
+++    return db;
+++}
+++
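Review bot: the two failure paths in sdbm_store that read `sdbm_internal_close (db); return ioerr (db), -1;` (after makroom fails and after the page write fails) use db after sdbm_internal_close has already handed it to myfree, and they set the error flag on the throwaway DBM rather than on the caller's SDBM; the other error paths in this file use `return ioerr (sdb), -1;`, so these two should do the same, i.e. `sdbm_internal_close (db); return ioerr (sdb), -1;`. The same flag-on-the-wrong-object problem is in getnext, whose `return ioerr (db), nullitem;` marks the temporary DBM that sdbm_firstkey and sdbm_nextkey free a moment later, so if ioerr sets the DBM_IOERR bit on its argument (as sdbm_error in the header suggests) a failed key walk is never visible through sdbm_error(sdb); copy the flag back to sdb in those two callers alongside blkptr and keyptr.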
++diff -ruN postfix-2.1.0-vanilla/src/util/sdbm.h postfix-2.1.0/src/util/sdbm.h
++--- postfix-2.1.0-vanilla/src/util/sdbm.h	Thu Jan  1 01:00:00 1970
+++++ postfix-2.1.0/src/util/sdbm.h	Sat Apr 24 14:35:29 2004
++@@ -0,0 +1,97 @@
+++/*++
+++/* NAME
+++/*      sdbm 3h
+++/* SUMMARY
+++/*      SDBM Simple DBM: ndbm work-alike hashed database library
+++/* SYNOPSIS
+++/*      include "sdbm.h"
+++/* DESCRIPTION
+++/* .nf
+++/*--*/
+++
+++#ifndef UTIL_SDBM_H
+++#define UTIL_SDBM_H
+++
+++/*
+++ * sdbm - ndbm work-alike hashed database library
+++ * based on Per-Ake Larson's Dynamic Hashing algorithms. BIT 18 (1978).
+++ * author: oz at nexus.yorku.ca
+++ * status: public domain.
+++ */
+++
+++#define DUFF    /* go ahead and use the loop-unrolled version */
+++
+++#include <stdio.h>
+++
+++#define DBLKSIZ 16384                   /* SSL cert chains require more */
+++#define PBLKSIZ 8192                    /* SSL cert chains require more */
+++#define PAIRMAX 8008                    /* arbitrary on PBLKSIZ-N */
+++#define SPLTMAX 10                      /* maximum allowed splits */
+++                                        /* for a single insertion */
+++#define DIRFEXT ".dir"
+++#define PAGFEXT ".pag"
+++
+++typedef struct {
+++        int dirf;                      /* directory file descriptor */
+++        int pagf;                      /* page file descriptor */
+++        int flags;                     /* status/error flags, see below */
+++        long blkptr;                   /* current block for nextkey */
+++        int keyptr;                    /* current key for nextkey */
+++        char pagbuf[PBLKSIZ];          /* page file block buffer */
+++        char dirbuf[DBLKSIZ];          /* directory file block buffer */
+++} SDBM;
+++
+++#define DBM_RDONLY      0x1            /* data base open read-only */
+++#define DBM_IOERR       0x2            /* data base I/O error */
+++
+++/*
+++ * utility macros
+++ */
+++#define sdbm_rdonly(db)         ((db)->flags & DBM_RDONLY)
+++#define sdbm_error(db)          ((db)->flags & DBM_IOERR)
+++
+++#define sdbm_clearerr(db)       ((db)->flags &= ~DBM_IOERR)  /* ouch */
+++
+++#define sdbm_dirfno(db) ((db)->dirf)
+++#define sdbm_pagfno(db) ((db)->pagf)
+++
+++typedef struct {
+++        char *dptr;
+++        int dsize;
+++} datum;
+++
+++extern datum nullitem;
+++
+++/*
+++ * flags to sdbm_store
+++ */
+++#define DBM_INSERT      0
+++#define DBM_REPLACE     1
+++
+++/*
+++ * ndbm interface
+++ */
+++extern SDBM *sdbm_open(char *, int, int);
+++extern void sdbm_close(SDBM *);
+++extern datum sdbm_fetch(SDBM *, datum);
+++extern int sdbm_delete(SDBM *, datum);
+++extern int sdbm_store(SDBM *, datum, datum, int);
+++extern datum sdbm_firstkey(SDBM *);
+++extern datum sdbm_nextkey(SDBM *);
+++
+++/*
+++ * sdbm - ndbm work-alike hashed database library
+++ * tuning and portability constructs [not nearly enough]
+++ * author: oz at nexus.yorku.ca
+++ */
+++
+++#define BYTESIZ         8
+++
+++/*
+++ * important tuning parms (hah)
+++ */
+++
+++#define SEEDUPS                 /* always detect duplicates */
+++#define BADMESS                 /* generate a message for worst case:
+++                                   cannot make room after SPLTMAX splits */
+++#endif /* UTIL_SDBM_H */
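Review bot: the header keeps ndbm's public names `datum`, `DBM_INSERT` and `DBM_REPLACE` while prefixing only the functions with sdbm_, so a translation unit that includes both <ndbm.h> and "sdbm.h" gets a duplicate typedef and macro redefinitions; either prefix these too or state in the DESCRIPTION block that the two headers are mutually exclusive. Two smaller points: the `SDBM` struct embeds pagbuf and dirbuf, so every handle is PBLKSIZ + DBLKSIZ (24 KiB) on the heap, which is worth a comment beside the "SSL cert chains require more" sizes; and PAIRMAX 8008 against PBLKSIZ 8192 is only explained as "arbitrary on PBLKSIZ-N", so say what headroom N is meant to cover so that a future buffer-size bump keeps the two constants in step.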
+diff -urNad postfix-release/tls/README /tmp/dpep.cXJuVH/postfix-release/tls/README
+--- postfix-release/tls/README	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/README	2005-02-03 10:22:13.116084199 -0700
+@@ -0,0 +1,42 @@
++Overview:
++=========
++
++- This is an SSL/TLS enhancement package for postfix.
++  It realizes (well, or at least should, once it is finished) the
++  STARTTLS extension to SMTP as described in RFC2487 and used
++  by Netscape 4.5x.
++- For instructions on how to install the kit, please read the installation
++  section in the "html" manual in the "doc/" subdirectory.
++
++License:
++========
++- This software is free. You can do with it whatever you want.
++  I would however kindly ask you to acknowledge the use of this
++  package, if you are going use it in your software, which you might
++  be going to distribute. I would also like to receive a note if you
++  are a satisfied user :-)
++
++Acknowledgements:
++=================
++- This package is based on the OpenSSL package as provided by the
++  ``OpenSSL Project''.
++
++Disclaimer:
++===========
++- This software is provided ``as is''. You are using it at your own risk.
++  I will take no liability in any case.
++- This software package uses strong cryptography, so even if it is created,
++  maintained and distributed from liberal countries in Europe (where it is
++  legal to do this), it falls under certain export/import and/or use
++  restrictions in some other parts of the world. 
++- PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG
++  CRYPTOGRAPHY SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST
++  COMMUNICATING TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS
++  ILLEGAL IN SOME PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE
++  TO YOUR COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL
++  TECHNICAL SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR
++  OTHER PEOPLE YOU ARE STRONGLY ADVICED TO PAY CLOSE ATTENTION TO ANY
++  EXPORT/IMPORT AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHOR OF
++  PFIXTLS IS NOT LIABLE FOR ANY VIOLATIONS YOU MAKE HERE. SO BE
++  CAREFULLY YOURSELF, IT IS YOUR RESPONSIBILITY.  
++
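Review bot: this README goes into the Debian package unchanged from the upstream kit, and its Overview is stale for that purpose: it describes the code as something it "should, once it is finished" realize, and it cites RFC2487, which has been obsoleted by RFC 3207 for the SMTP STARTTLS extension; either leave the file out of the package or trim it to the STARTTLS statement (with RFC 3207) and the pointer to the html manual. Spelling in the Disclaimer: `ADVICED` should read ADVISED and `BE CAREFULLY YOURSELF` should read BE CAREFUL YOURSELF.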
+diff -urNad postfix-release/tls/TODO /tmp/dpep.cXJuVH/postfix-release/tls/TODO
+--- postfix-release/tls/TODO	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.cXJuVH/postfix-release/tls/TODO	2005-02-03 10:22:13.116084199 -0700
+@@ -0,0 +1,36 @@
++This list does not really follow priority.
++
++* Implement support of CRL checking. OpenSSL 0.9.7 finally supports CRLs,
++  so Postfix/TLS should support loading CRLs.
++
++* Cleanup the "pfixtls" special logging, so that it fits Wietses original
++  "per site" decision to make debugging easier.
++
++* Move TLS based information from separate lines into Postfix's smtpd
++  logging lines to make logfile analysis easier.
++
++* Check the "info_callback" for sensitive use. I already had to remove the
++  "warning alert" issued on normal shutdown. Why is a warning issued for
++  a normal shutdown??
++
++* Allow to specify the protocol used globally: SSLv2, SSLv3, TLSv1.
++
++* Enhance tls_per_site feature, such that not only MAY, MUST, NONE flags
++  are supported. It should also be possible to influence the behaviour:
++  choose the SSLv2/SSLv3/TLSv1 protocols.
++  [A compatible way to upgrad the tls_per_site table would be to add the
++  keywords:
++  MUST,SSLv2
++  MAY,NO_TLSv1
++  ]
++
++* Introduce new tls_per_client table to achieve the same selective behaviour
++  for incoming connections.
++
++* Introduce better support for "opportunistic" encryption: collect information
++  about peers connecting; log warnings when the key changed etc.
++  [I am not sure that I already have the best answers available.]
++
++* Find a way to use the certificates themselves instead of the fingerprints
++  to allow certificate based relaying. The maintenance of the fingerprints
++  is a nightmare.
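Review bot: the tls_per_site upgrade sketch `MUST,SSLv2` would let an administrator pin a peer to SSLv2, a protocol version with known weaknesses that should not be negotiated at all; the safer shape for the keyword list is exclusion only (the `MAY,NO_TLSv1` form in the second example) with a floor that never admits SSLv2, and the "protocol used globally" item should say the same. The CRL item is the one with immediate security value (without CRL loading, a revoked client or server certificate still passes verification), so it deserves a priority mark even though the list says it is unordered. Typo: `upgrad`.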

Added: trunk/postfix/debian/patches/60hpux.dpatch
===================================================================
--- trunk/postfix/debian/patches/60hpux.dpatch	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/patches/60hpux.dpatch	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,26 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 60hpux.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad postfix-2.1.5/src/global/mail_params.c /tmp/dpep.V1hFGZ/postfix-2.1.5/src/global/mail_params.c
+--- postfix-2.1.5/src/global/mail_params.c	2004-12-27 22:21:44.686106036 -0700
++++ /tmp/dpep.V1hFGZ/postfix-2.1.5/src/global/mail_params.c	2004-12-27 22:21:44.958047580 -0700
+@@ -77,6 +77,7 @@
+ /*	char	*var_export_environ;
+ /*	char	*var_debug_peer_list;
+ /*	int	var_debug_peer_level;
++/*	int	var_command_maxtime;
+ /*	int	var_in_flow_delay;
+ /*	int	var_fault_inj_code;
+ /*	char   *var_bounce_service;
+@@ -268,6 +269,7 @@
+ char   *var_export_environ;
+ char   *var_debug_peer_list;
+ int     var_debug_peer_level;
++int	var_command_maxtime;
+ int     var_fault_inj_code;
+ char   *var_bounce_service;
+ char   *var_cleanup_service;
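Review bot: the patch defines `var_command_maxtime` in mail_params.c but nothing in this diff adds a matching parameter table entry or default, and the header says `## DP: No description.`, so a reader cannot tell whether the definition was missing on HP-UX or is being duplicated from another compilation unit there; put the reason in the DP: line (the patch name says hpux, the body says command_maxtime) and, if a definition exists elsewhere, reference it. Style: the added line is tab-indented (`+int	var_command_maxtime;`) where the neighbouring declarations are space-aligned (`int     var_debug_peer_level;`).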

Added: trunk/postfix/debian/patches/master.cf.local
===================================================================
--- trunk/postfix/debian/patches/master.cf.local	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/patches/master.cf.local	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,12 @@
+--- conf/master.cf.local	2004-07-28 09:38:42.000000000 -0600
++++ conf/master.cf.local	2004-08-05 09:42:37.000000000 -0600
+@@ -77,7 +77,8 @@
+ # service type  private unpriv  chroot  wakeup  maxproc command + args
+ #               (yes)   (yes)   (yes)   (never) (100)
+ # ==========================================================================
+-smtp      inet  n       -       -       -       -       smtpd
++127.0.0.1:smtp inet n   -       -       -       -       smtpd
++::1:smtp       inet n   -       -       -       -       smtpd
+ #submission inet n      -       -       -       -       smtpd
+ #	-o smtpd_etrn_restrictions=reject
+ #628      inet  n       -       -       -       -       qmqpd
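Review bot: replacing the wildcard `smtp inet` listener with `127.0.0.1:smtp` and `::1:smtp` is the right default for a host that should not accept mail from the network, but the `::1:smtp` entry only works with a Postfix built with IPv6 support on a host that has the IPv6 loopback address configured; master(8) treats a failed bind as fatal, so on other hosts the daemon will not start at all. Either make the `::1` line conditional in the script that installs this file or document the requirement beside it. Also the inner patch header compares `conf/master.cf.local` against itself, and the two new lines lose the column alignment of the table (`inet n   -` vs `inet  n       -`), which is cosmetic but makes the file harder to diff against the upstream template.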

Added: trunk/postfix/debian/po/POTFILES.in
===================================================================
--- trunk/postfix/debian/po/POTFILES.in	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/po/POTFILES.in	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1 @@
+[type: gettext/rfc822deb] templates

Added: trunk/postfix/debian/po/cs.po
===================================================================
--- trunk/postfix/debian/po/cs.po	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/po/cs.po	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,665 @@
+#
+#    Translators, if you are not familiar with the PO format, gettext
+#    documentation is worth reading, especially sections dedicated to
+#    this format, e.g. by running:
+#         info -n '(gettext)PO Files'
+#         info -n '(gettext)Header Entry'
+#
+#    Some information specific to po-debconf are available at
+#            /usr/share/doc/po-debconf/README-trans
+#         or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+#    Developers do not need to manually edit POT or PO files.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: postfix\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-07-11 18:01-0600\n"
+"PO-Revision-Date: 2004-10-07 15:45+0200\n"
+"Last-Translator: Miroslav Kure <kurem at debian.cz>\n"
+"Language-Team: Czech <provoz at debian.cz>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=ISO-8859-2\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+msgid "Correct dynamicmaps.cf for upgrade?"
+msgstr "Opravit dynamicmaps.cf pro aktualizaci?"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Postfix version 2.0.2 and later require changes in dynamicmaps.cf. "
+"Specifically, wildcard support is gone, and with it, %s expansion.  Any "
+"changes that you made to dynamicmaps.cf that relied on these features will "
+"need to be fixed by you.  Failure to correct these will result in a broken "
+"mailer."
+msgstr ""
+"Postfix verze 2.0.2 a pozdìj¹í vy¾adují zmìny v dynamicmaps.cf. Konkrétnì "
+"je pryè podpora zástupných znakù a s ní expanze %s. Jakékoliv zmìny, které "
+"jste provedli v dynamicmaps.cf a které se spoléhají na tyto vlastnosti, "
+"bude potøeba opravit. Pokud je neopravíte, bude výsledkem nefunkèní po¹ta."
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Should dynamicmaps.cf be automatically changed?  Decline this option to "
+"abort the upgrade, giving you the opportunity to eliminate wildcard and %s-"
+"expansion-dependent configuration.  Accept this option if you have no such "
+"configuration, and automatically make dynamicmaps.cf compatible with Postfix "
+"2.0.2 in this respect."
+msgstr ""
+"Má být dynamicmaps.cf automaticky zmìnìn? Odmítnìte tuto volbu pro "
+"pøeru¹ení aktualizace, dostanete tak ¹anci odstranit zástupné znaky a "
+"konfiguraci závislou na %s-expanzi. Pøijmìte tuto volbu, pokud ¾ádnou "
+"takovou konfiguraci nemáte a chcete mít dynamicmaps.cf po této stránce "
+"automaticky kompatibilní s Postfixem 2.0.2."
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid "Postfix version 2.1 and later require new services in master.cf."
+msgstr "Postfix verze 2.1 a vy¹¹í vy¾adují nové slu¾by v master.cf."
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid ""
+"Should this configuration be automatically added to master.cf?  Decline this "
+"option to abort the upgrade, giving you the opportunity to add this "
+"configuration yourself.  Accept this option to automatically make master.cf "
+"compatible with Postfix 2.1 in this respect."
+msgstr ""
+"Má být tato konfigurace automaticky pøidána do master.cf? Odmítnìte "
+"tuto volbu pro pøeru¹ení aktualizace, dostanete tak ¹anci pøidat tuto "
+"konfiguraci sami. Pøijmìte tuto volbu, pokud chcete mít master.cf po "
+"této stránce automaticky kompatibilní s Postfix 2.1."
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid "Correct master.cf for upgrade?"
+msgstr "Opravit master.cf pro aktualizaci?"
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Postfix version 2.1 renamed \"nqmgr\" to \"qmgr\", and you are using \"nqmgr"
+"\"."
+msgstr ""
+"Postfix verze 2.1 pøejmenoval \"nqmgr\" na \"qmgr\" a vy pou¾íváte \"nqmgr\"."
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Failure to fix this will result in a broken mailer.  Decline this option to "
+"abort the upgrade, giving you the opportunity to add this configuration "
+"yourself.  Accept this option to automatically make master.cf compatible "
+"with Postfix 2.1 in this respect."
+msgstr ""
+"Opomenutí této opravy bude mít za následek nefunkèní po¹tu. Odmítnìte "
+"tuto volbu pro pøeru¹ení aktualizace, dostanete tak ¹anci pøidat tuto "
+"konfiguraci sami. Pøijmìte tuto volbu, pokud chcete mít master.cf po "
+"této stránce automaticky kompatibilní s Postfix 2.1."
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Should Postfix upgrade hash and btree maps?"
+msgstr "Má Postfix aktualizovat hash a btree mapy?"
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Postfix has switched to db4, and this may require maps to be upgraded."
+msgstr "Postfix pøe¹el na db4, co¾ mù¾e vy¾adovat aktualizaci map."
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Do you want to automatically attempt the conversion?"
+msgstr "Chcete se pokusit o automatickou konverzi?"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid "Transport map incompatibility"
+msgstr "Nekompatibilita transportní mapy"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"You have a transport map defined, and there is an incompatible change in how "
+"transport maps are used.  Postfix will not be restarted automatically."
+msgstr ""
+"Máte definovánu transportní mapu a v této verzi se nachází nekompatibilní "
+"zmìna ve zpùsobu pou¾ívání transportních map. Postfix nebude automaticky "
+"restartován."
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"Transport map entries override $mydestination.  If you use transport maps, "
+"it is better to always have explicit entries for all domain names you have "
+"in $mydestination.  See the html/faq.html sections for firewalls and "
+"intranets.  If you have transport entries for parent domains of anything "
+"delivered locally, you will probably need to add specific entries for the "
+"destination domains before you restart Postfix."
+msgstr ""
+"Polo¾ky trasportní mapy pøebíjejí $mydestination. Pokud pou¾íváte "
+"transportní mapy, je lep¹í mít v¾dy explicitní polo¾ky pro v¹echna "
+"doménová jména, která máte uvedena v $mydestination. Viz sekce pro firewally "
+"a intranety v html/faq.html. Pokud máte transportní polo¾ky pro nadøazené "
+"domény èehokoliv doruèovaného lokálnì, budete pravdìpodobnì muset pøed "
+"restartováním Postfixu pøidat konkrétní polo¾ky pro cílové domény."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Bad entry, try again?"
+msgstr "Chybný záznam. Zkusit znovu?"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "The string you have entered"
+msgstr "Øetìzec, který jste zadali"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "does not follow RFC 1035 and does not appear to be a valid IP address."
+msgstr "ani nevyhovuje RFC 1035, ani nevypadá jako platná IP adresa."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid ""
+"RFC 1035 states that \"each component must start with an alphanum, end with "
+"an alphanum and contain only alphanums and hyphens. Components must be "
+"separated by full stops.\""
+msgstr ""
+"RFC 1035 øíká, ¾e: \"Ka¾dá èást musí zaèínat a konèit alfanumerickým znakem "
+"a mù¾e obsahovat pouze alfanumerické znaky a pomlèky. Jednotlivé èáasti "
+"musí být oddìleny teèkami."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Do you want to keep it anyways?"
+msgstr "Chcete to tak pøesto ponechat?"
+
+#. Type: select
+#. Choices
+#: ../templates:75
+msgid ""
+"No configuration, Internet Site, Internet with smarthost, Satellite system, "
+"Local only, HP"
+msgstr ""
+"®ádné nastavení, Internetový server, Internet se smarthostem, Satelitní "
+"systém, Pouze lokální, HP"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid "General type of configuration?"
+msgstr "Obecný typ nastavení?"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"You have several choices for general configuration at this point.  If you "
+"have your debconf priority set to 'low' or 'medium', you will be asked more "
+"questions later.  You can always run \"dpkg-reconfigure --priority=low "
+"postfix\" at a later point if you want to see these questions again."
+msgstr ""
+"Nyní si mù¾ete zvolit z nìkolika základních typù nastavení. Pokud máte "
+"priritu debconf otázek nastavenu na nízkou nebo støední, budete dotázáni "
+"na více otázek. Budete-li si chtít tyto otázky projít pozdìji, mù¾ete "
+"pou¾ít pøíkaz \"dpkg-reconfigure --priority=low postfix\"."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"No configuration - IF YOU WANT THE INSTALL TO LEAVE YOUR CONFIG ALONE, "
+"CHOOSE THIS OPTION.  No configuration changes will be done now:  If you have "
+"not already configured Postfix, your mail system will be broken and should "
+"not be used. You must then do the configuration yourself by editing /usr/"
+"share/postfix/main.cf.dist and saving your changes as /etc/postfix/main.cf, "
+"or by running dpkg-reconfigure Postfix.  main.cf will not be modified by the "
+"Postfix install process."
+msgstr ""
+"®ádné nastavení - POKUD CHCETE, ABY INSTALÁTOR NECHAL VA©E NASTAVENÍ NA "
+"POKOJI, VYBERTE TUTO MO®NOST. ®ádné konfiguraèní zmìny nebudou nyní "
+"provedeny: Pokud ji¾ nemáte Postfix zkonfigurovaný, vá¹ po¹tovní systém "
+"bude nefunkèní a nemìl by se pou¾ívat. Potom musíte provést konfiguraci "
+"ruènì editováním /usr/share/postfix/main.cf.dist a ulo¾ením zmìn jako "
+"/etc/postfix/main.cf, nebo spu¹tìním dpkg-reconfigure postfix. Soubor "
+"main.cf nebude instalaèním procesem Postfixu zmìnìn."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site - mail is sent and received directly using SMTP. If your needs "
+"don't fit neatly into any category, you probably want to start with this one "
+"and then edit the config file by hand."
+msgstr ""
+"Internetový server - po¹ta je zasílána a pøijímána pøímo pomocí SMTP. "
+"Pokud va¹e potøeby poøádnì nezapadají do ¾ádné kategorie, bude nejlep¹í "
+"zaèít s touto a potom upravit konfiguraèní soubor ruènì."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site using smarthost - You receive Internet mail on this machine, "
+"either directly by SMTP or by running a utility such as fetchmail. Outgoing "
+"mail is sent using a smarthost. optionally with addresses rewritten. This is "
+"probably what you want for a dialup system."
+msgstr ""
+"Internetový poèítaè pou¾ívající smarthost - Pøijímáte internetovou po¹tu "
+"na tomto stroji buï pøímo pomocí SMTP nebo spu¹tìním nástroje jako je "
+"fetchmail. Odchozí po¹ta je zasílána pomocí smarthosta, volitelnì s "
+"pøepsanými adresami. Toto je nejlep¹í volba pro vytáèený (dialup) systém."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Satellite system - All mail is sent to another machine, called a \"smart host"
+"\" for delivery. root and postmaster mail is delivered according to /etc/"
+"aliases. No mail is received locally."
+msgstr ""
+"Satelitní systém - Ve¹kerá po¹ta je zaslána na jiný stroj, nazývaný "
+"\"smart host\", který ji doruèí. Po¹ta pro u¾ivatele root a postmaster "
+"je doruèována podle /etc/aliases. ®ádná po¹ta není doruèována lokálnì."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Local delivery only - You are not on a network.  Mail for local users is "
+"delivered."
+msgstr ""
+"Pouze lokální doruèování - Nejste na síti. Doruèuje se pouze po¹ta mezi "
+"lokálními u¾ivateli."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"HP - Configuration used inside of HP.  This just hardcodes several "
+"configuration parameters based on the final components of the hostname, but "
+"looks largely like 'Internet site using smarthost'.  This option will "
+"modify /etc/postfix/transport and install it as a transport map."
+msgstr ""
+"HP - Konfigurace pou¾ívaná uvnitø HP. Toto jen napevno nastaví nìkolik "
+"konfiguraèních parametrù na základì koneèných èástí jména poèítaèe, ale "
+"celkovì vypadá jako 'Internetový server pou¾ívající smarthosta'. Tato "
+"volba zmìní /etc/postfix/transport a nainstaluje jej jako trasportní mapu."
+
+#. Type: note
+#. Description
+#: ../templates:114
+msgid "WARNING: Postfix not configured"
+msgstr "VAROVÁNÍ: Postfix nebyl nastaven"
+
+#. Type: note
+#. Description
+#: ../templates:114
+msgid ""
+"You have chosen \"No Configuration\" - Postfix will not be configured and "
+"will not be started by default.  Please run 'dpkg-reconfigure postfix' at a "
+"later date, or configure it yourself by:"
+msgstr ""
+"Zvolili jste \"®ádné nastavení\" - Postfix nyní nebude nastaven a proto "
+"také nebude spu¹tìn. Pozdìji to mù¾ete napravit pøíkazem 'dpkg-reconfigure "
+"postfix', nebo ruèním nastavením:"
+
+#. Type: note
+#. Description
+#: ../templates:114
+msgid "1) Editing /etc/postfix/main.cf to your liking"
+msgstr "1) Upravte /etc/postfix/main.cf dle potøeb"
+
+#. Type: note
+#. Description
+#: ../templates:114
+msgid "2) Running /etc/init.d/postfix start"
+msgstr "2) Spus»te /etc/init.d/postfix start"
+
+#. Type: string
+#. Default
+#: ../templates:125
+msgid "/etc/mailname"
+msgstr "/etc/mailname"
+
+#. Type: string
+#. Description
+#: ../templates:126
+msgid "Mail name?"
+msgstr "Po¹tovní jméno?"
+
+#. Type: string
+#. Description
+#: ../templates:126
+msgid ""
+"Your `mail name' is the hostname portion of the address to be shown on "
+"outgoing news and mail messages (following the username and @ sign)."
+msgstr ""
+"Va¹e po¹tovní jméno je adresa poèítaèe, která se bude zobrazovat na "
+"odchozích zprávách (následuje za jménem u¾ivatele a znakem @)."
+
+#. Type: string
+#. Description
+#: ../templates:126
+msgid ""
+"This name will be used by other programs besides Postfix; it should be the "
+"single, full domain name (FQDN) from which mail will appear to originate."
+msgstr ""
+"Toto jméno budou kromì Postfixu vyu¾ívat i jiné programy; mìlo by se jednat "
+"o plnì kvalifikované doménové jméno (FQDN)."
+
+#. Type: string
+#. Description
+#: ../templates:135
+msgid "Other destinations to accept mail for? (blank for none)"
+msgstr "Dal¹í místa, pro která pøijímat po¹tu? (nebo ponechte prázdné)"
+
+#. Type: string
+#. Description
+#: ../templates:135
+msgid ""
+"Give a comma-separated list of domains that this machine should consider "
+"itself the final destination for.  If this is a mail domain gateway, you "
+"probably want to include the top-level domain."
+msgstr ""
+"Zadejte èárkami oddìlený seznam domén, pro které má Postfix "
+"pøedpokládat, ¾e po¹ta z nich skonèí na tomto poèítaèi. Pokud je "
+"poèítaè bránou pro po¹tovní doménu, mìli byste zahrnout vrcholovou "
+"doménu."
+
+#. Type: string
+#. Description
+#: ../templates:142
+msgid "SMTP relay host? (blank for none)"
+msgstr "Poèítaè pro SMTP relay? (nebo prázdné)"
+
+#. Type: string
+#. Description
+#: ../templates:142
+msgid ""
+"Specify a domain, host, host:port, [address] or [address]:port. Use the form "
+"[destination] to turn off MX lookups.  Leave this blank for no relay host."
+msgstr ""
+"Zadejte doménu, poèítaè, poèítaè:port, [adresu] nebo "
+"[adresu]:port. Variantu [cíl] mù¾ete pou¾ít pro vypnutí MX "
+"dotazù. Pokud nepou¾íváte poèítaè pro pøeposílání (relay) po¹ty, "
+"ponechte prázdné."
+
+#. Type: string
+#. Description
+#: ../templates:142
+msgid ""
+"The relayhost parameter specifies the default host to send mail to when no "
+"entry is matched in the optional transport(5) table. When no relayhost is "
+"given, mail is routed directly to the destination."
+msgstr ""
+"Parametr relayhost zadává implicitní poèítaè, pøes který se zasílá po¹ta, "
+"která nevyhoví ¾ádnému pravidlu ve volitelné tabulce transport(5). Pokud "
+"je parametr relayhost prázdný, po¹ta je smìrována rovnou k cíli."
+
+#. Type: boolean
+#. Description
+#: ../templates:153
+msgid "Use procmail for local delivery?"
+msgstr "Pou¾ít pro lokální doruèování procmail?"
+
+#. Type: boolean
+#. Description
+#: ../templates:153
+msgid "Do you want to use procmail to deliver local mail?"
+msgstr "Chcete pro doruèování lokální po¹ty pou¾ít procmail?"
+
+#. Type: boolean
+#. Description
+#: ../templates:153
+msgid ""
+"Note that if you use procmail to deliver mail system-wide, you should set up "
+"an alias that forwards mail for root to a real user."
+msgstr ""
+"Pokud budete pro doruèování po¹ty v celém systému pou¾ívat procmail, mìli "
+"byste vytvoøit alias, který bude pøeposílat rootovu po¹tu reálnému u¾ivateli."
+
+#. Type: string
+#. Default
+#: ../templates:161
+msgid "+"
+msgstr "+"
+
+#. Type: string
+#. Description
+#: ../templates:162
+msgid "Local address extension character?"
+msgstr "Znak pro pøíponu lokální adresy?"
+
+#. Type: string
+#. Description
+#: ../templates:162
+msgid "What character defines a local address extension?"
+msgstr "Který znak definuje pøíponu lokální adresy?"
+
+#. Type: string
+#. Description
+#: ../templates:162
+msgid "To not use address extensions, leave the string blank."
+msgstr "Pokud nechcete pou¾ívat pøípony adres, ponechte prázdné."
+
+#. Type: note
+#. Description
+#: ../templates:169
+msgid "Bad recipient delimiter"
+msgstr "Chybný oddìlovaè pøíjemcù"
+
+#. Type: note
+#. Description
+#: ../templates:169
+msgid ""
+"The recipient delimiter is a single character, you entered too many "
+"characters.  Please try again."
+msgstr ""
+"Oddìlovaè pøíjemcù je jeden znak, ale vy jste zadali znakù nìkolik. "
+"Zkuste to prosím znovu."
+
+#. Type: note
+#. Description
+#: ../templates:169
+msgid "\"${enteredstring}\""
+msgstr "\"${enteredstring}\""
+
+#. Type: boolean
+#. Default
+#: ../templates:177
+msgid "false"
+msgstr "false"
+
+#. Type: boolean
+#. Description
+#: ../templates:178
+msgid "Force synchronous updates on mail queue?"
+msgstr "Vynutit synchronní aktualizaci po¹tovní fronty?"
+
+#. Type: boolean
+#. Description
+#: ../templates:178
+msgid ""
+"If synchronous updates are forced, then mail is processed more slowly. If "
+"not forced, then there is a chance of losing some mail if the system crashes "
+"at an inopportune time."
+msgstr ""
+"Pokud je vynucena synchronní aktualizace, bude se po¹ta zpracovávat "
+"pomaleji. Pokud není vynucena, existuje ¹ance, ¾e kdy¾ systém spadne v "
+"nevhodný okam¾ik, mù¾e se ztratit nìkterá po¹ta."
+
+#. Type: boolean
+#. Description
+#: ../templates:178
+msgid "The default is \"off\", see the changelog for an explanation."
+msgstr "Implicitnì je \"vypnuto\", vysvìtlení viz seznam zmìn balíku."
+
+#. Type: string
+#. Default
+#: ../templates:187
+msgid "127.0.0.0/8"
+msgstr "127.0.0.0/8"
+
+#. Type: string
+#. Description
+#: ../templates:188
+msgid "Local networks?"
+msgstr "Lokální sítì?"
+
+#. Type: string
+#. Description
+#: ../templates:188
+msgid ""
+"For what network blocks should this machine relay mail?  The default is just "
+"the local host, which is needed by some mail user agents."
+msgstr ""
+"Pro které bloky adres má tento poèítaè pøedávat po¹tu? Implicitní je pouze "
+"tento poèítaè, co¾ je vy¾adováno nìkterými po¹tovními agenty."
+
+#. Type: string
+#. Description
+#: ../templates:188
+msgid ""
+"If this is a smarthost for a block of machines, you need to specify the "
+"netblocks here, or mail will be rejected rather than relayed."
+msgstr ""
+"Pokud tento poèítaè slou¾í jako smarthost pro skupinu poèítaèù, musíte "
+"je zde zadat, nebo bude jejich po¹ta odmítnuta."
+
+#. Type: string
+#. Description
+#: ../templates:188
+msgid ""
+"To use the postfix default (which is based on connected networks), enter an "
+"empty string."
+msgstr ""
+"Chcete-li pou¾ít implicitní nastavení (které je zalo¾eno na pøipojených "
+"sítích), zadejte prázdný øetìzec."
+
+#. Type: string
+#. Default
+#: ../templates:200
+msgid "0"
+msgstr "0"
+
+#. Type: string
+#. Description
+#: ../templates:201
+msgid "Mailbox size limit"
+msgstr "Limit po¹tovní schránky"
+
+#. Type: string
+#. Description
+#: ../templates:201
+msgid ""
+"What limit should Postfix place on mailbox files to prevent runaway software "
+"errors.  A value of zero (0) means no limit.  (The upstream default is "
+"51200000.)"
+msgstr ""
+"Jaký limit má Postfix uplatòovat na velikost po¹tovní schránky? Hodnota "
+"nula (0) znamená bez omezení. (Autor programu nastavuje 51200000.)"
+
+#. Type: boolean
+#. Description
+#: ../templates:209
+msgid "Append .domain to simple addresses"
+msgstr "Pøidávat doménu k jednoduchým adresám"
+
+#. Type: boolean
+#. Description
+#: ../templates:209
+msgid ""
+"When Postfix sees an address with only one component in the hostname, should "
+"it append .$mydomain?  Appending .$mydomain means that you don't need to "
+"qualify destinations in your own domain, but breaks mail bound for users at "
+"top-level domain addresses.  (yes, there are some of these.)"
+msgstr ""
+"Kdy¾ Postfix vidí adresu s pouze první èástí jména poèítaèe, má k ní "
+"pøipojit .$mydomain? Pøipojení .$mydomain znamená, ¾e pro poèítaèe ve "
+"vlastní doménì nemusíte zadávat plnì kvalifikované doménové jméno, ale "
+"mù¾e to poru¹it po¹tu pro u¾ivatele ve vrcholových doménách (ano, i tací "
+"existují)."
+
+#. Type: boolean
+#. Description
+#: ../templates:209
+msgid ""
+"If you are forwarding mail out of your organization, you should almost "
+"certainly not append .$mydomain. If you're the only user of mail on your "
+"system, choose whichever is more convenient for you."
+msgstr ""
+"Posíláte-li po¹tu ven z organizace, mìli byste zamítnout. Pokud jste "
+"domácí u¾ivatel, vyberte si, co je pro vás vhodnìj¹í."
+
+#. Type: string
+#. Default
+#: ../templates:221
+msgid "NONE"
+msgstr "NIC"
+
+#. Type: string
+#. Description
+#: ../templates:222
+msgid "Where should mail for root go"
+msgstr "Kam má chodit po¹ta pro roota?"
+
+#. Type: string
+#. Description
+#: ../templates:222
+msgid ""
+"The user root (and any other users with a uid of 0) must have mail "
+"redirected via an alias, or their mail may be delivered to /var/mail/"
+"nobody.  This is by design:  mail is not delivered to external delivery "
+"agents as root."
+msgstr ""
+"U¾ivatel root (nebo jiný u¾ivatel s uid 0) musí mít po¹tu pøesmìrovánu "
+"pøes alias, nebo bude jeho po¹ta doruèena do /var/mail/nobody. To je vìc "
+"návrhu, proto¾e po¹ta není pøedávána externím doruèovacím programùm pod "
+"u¾ivatelem root."
+
+#. Type: string
+#. Description
+#: ../templates:222
+msgid ""
+"If you already have a /etc/aliases file, then you possibly need to add this "
+"entry.  (I will only add it if I am creating a new /etc/aliases.)"
+msgstr ""
+"Pokud ji¾ soubor /etc/aliases máte, zkontrolujte, ¾e tam je i pøíslu¹ný "
+"záznam. (Pøidám jej pouze pokud vytvoøím nový /etc/aliases.)"
+
+#. Type: string
+#. Description
+#: ../templates:222
+msgid ""
+"What address should I add to /etc/aliases, if I create the file?  (Enter "
+"NONE to not add one.)"
+msgstr ""
+"Pokud vytvoøím soubor /etc/aliases, jakou adresu mám do nìj pøidat? (Pokud "
+"nechcete pøidat ¾ádnou, napi¹te NIC)."
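Review bot: the Default value for the "Where should mail for root go" question is translated here (`msgid "NONE"` / `msgstr "NIC"`), and the closing prompt tells the user to type NIC. Because the Default field is exposed for translation, a Czech-locale debconf run hands the literal string NIC to the config script where it expects NONE; unless the script also recognises NIC, accepting the default produces a `root: NIC` line in a freshly created /etc/aliases, pointing root mail at a non-existent local user instead of skipping the entry. Keep `msgstr "NONE"` for the Default entry, as the other defaults in this file (`+`, `false`, `127.0.0.0/8`, `0`) and de.po already do, and have the prompt say that the literal NONE must be entered. A second semantic drift worth fixing in the same pass: the mydestination prompt renders "domains that this machine should consider itself the final destination for" as "pošta z nich skončí na tomto počítači" (mail *from* those domains ends up here); it should speak of mail *for* those domains, since this setting decides which recipient domains Postfix accepts for local delivery.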

Added: trunk/postfix/debian/po/de.po
===================================================================
--- trunk/postfix/debian/po/de.po	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/po/de.po	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,703 @@
+#
+#    Translators, if you are not familiar with the PO format, gettext
+#    documentation is worth reading, especially sections dedicated to
+#    this format, e.g. by running:
+#         info -n '(gettext)PO Files'
+#         info -n '(gettext)Header Entry'
+#
+#    Some information specific to po-debconf are available at
+#            /usr/share/doc/po-debconf/README-trans
+#         or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+#    Developers do not need to manually edit POT or PO files.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: postfix 2.0.6-1\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-10-30 21:06-0600\n"
+"PO-Revision-Date: 2003-03-19 21:02+0100\n"
+"Last-Translator: Martin A. Godisch <godisch at debian.org>\n"
+"Language-Team: German <debian-l10n-german at lists.debian.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=iso-8859-15\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+msgid "Correct dynamicmaps.cf for upgrade?"
+msgstr "Möchten Sie dynamicmaps.cf aktualisieren?"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Postfix version 2.0.2 and later require changes in dynamicmaps.cf. "
+"Specifically, wildcard support is gone, and with it, %s expansion.  Any "
+"changes that you made to dynamicmaps.cf that relied on these features will "
+"need to be fixed by you.  Failure to correct these will result in a broken "
+"mailer."
+msgstr ""
+"Für Postfix, Version 2.0.2 und folgende, sind Änderungen in der Datei "
+"dynamicmaps.cf erforderlich. Insbesondere gibt es keine Unterstützung mehr "
+"für Platzhalter und %s Expansionen. Alle Anpassungen in dynamicmaps.cf, die "
+"auf diesen basieren, müssen Sie korrigieren, ansonsten haben Sie einen "
+"unbrauchbaren Mail-Server."
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Should dynamicmaps.cf be automatically changed?  Decline this option to "
+"abort the upgrade, giving you the opportunity to eliminate wildcard and %s-"
+"expansion-dependent configuration.  Accept this option if you have no such "
+"configuration, and automatically make dynamicmaps.cf compatible with Postfix "
+"2.0.2 in this respect."
+msgstr ""
+"Die Datei dynamicmaps.cf kann automatisch übernommen werden. Verneinen Sie "
+"diese Frage, um das Upgrade abzubrechen und sämtliche Platzhalter und %s "
+"Expansionen zu entfernen. Akzeptieren Sie diese Frage, wenn Sie keine solche "
+"Konfiguration haben, um die Datei dynamicmaps.cf in ein zu Postfix 2.0.2 "
+"kompatibles Format zu bringen."
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+#, fuzzy
+msgid "Postfix version 2.1 and later require new services in master.cf."
+msgstr ""
+"Postfix, Version 2.0.2 und folgende, erfordert die Angabe eines Proxy-"
+"Servers in der Datei master.cf."
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+#, fuzzy
+msgid ""
+"Should this configuration be automatically added to master.cf?  Decline this "
+"option to abort the upgrade, giving you the opportunity to add this "
+"configuration yourself.  Accept this option to automatically make master.cf "
+"compatible with Postfix 2.1 in this respect."
+msgstr ""
+"Der Proxy-Server kann automatisch zur Datei master.cf hinzugefügt werden. "
+"Verneinen Sie, um das Upgrade abzubrechen und diese Änderung selbst "
+"vorzunehmen. Akzeptieren Sie, um die Datei master.cf automatisch in ein zu "
+"Postfix 2.0.2 kompatibles Format zu bringen."
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid "Correct master.cf for upgrade?"
+msgstr "Möchten Sie master.cf aktualisieren?"
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Postfix version 2.1 renamed \"nqmgr\" to \"qmgr\", and you are using \"nqmgr"
+"\"."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+#, fuzzy
+msgid ""
+"Failure to fix this will result in a broken mailer.  Decline this option to "
+"abort the upgrade, giving you the opportunity to add this configuration "
+"yourself.  Accept this option to automatically make master.cf compatible "
+"with Postfix 2.1 in this respect."
+msgstr ""
+"Der Proxy-Server kann automatisch zur Datei master.cf hinzugefügt werden. "
+"Verneinen Sie, um das Upgrade abzubrechen und diese Änderung selbst "
+"vorzunehmen. Akzeptieren Sie, um die Datei master.cf automatisch in ein zu "
+"Postfix 2.0.2 kompatibles Format zu bringen."
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Should Postfix upgrade hash and btree maps?"
+msgstr "Möchten Sie die Hash- und BTree-Tabellen aktualisieren?"
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Postfix has switched to db4, and this may require maps to be upgraded."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Do you want to automatically attempt the conversion?"
+msgstr "Möchten Sie eine automatische Konvertierung veranlassen?"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid "Transport map incompatibility"
+msgstr "Inkompatible Transport-Tabelle"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"You have a transport map defined, and there is an incompatible change in how "
+"transport maps are used.  Postfix will not be restarted automatically."
+msgstr ""
+"Sie haben eine Transport-Tabelle definiert, jedoch gibt es inkompatible "
+"Änderungen in der Art, wie diese genutzt werden. Postfix wird nicht "
+"automatisch neu gestartet werden."
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"Transport map entries override $mydestination.  If you use transport maps, "
+"it is better to always have explicit entries for all domain names you have "
+"in $mydestination.  See the html/faq.html sections for firewalls and "
+"intranets.  If you have transport entries for parent domains of anything "
+"delivered locally, you will probably need to add specific entries for the "
+"destination domains before you restart Postfix."
+msgstr ""
+"Transport-Tabellen-Einträge überschreiben $mydestination. Nutzen Sie "
+"Transport-Tabellen, ist es besser, jeweils explizite Einträge für alle "
+"Domains in $mydestination zu definieren. Beachten Sie in html/faq.html die "
+"Abschnitte über Firewalls und Intranets. Haben Sie Transport-Einträge für "
+"Eltern-Domains lokal zugestellter Domains, müssen Sie wahrscheinlich "
+"konkrete Einträge für diese Domains hinzufügen, bevor Sie Postfix neu "
+"starten."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Bad entry, try again?"
+msgstr "Ungültiger Eintrag, möchten Sie es noch einmal probieren?"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "The string you have entered"
+msgstr "Die von Ihnen gemachte Eingabe"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "does not follow RFC 1035 and does not appear to be a valid IP address."
+msgstr "ist nicht RFC 1035 kompatibel und ist keine gültige IP-Adresse."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid ""
+"RFC 1035 states that \"each component must start with an alphanum, end with "
+"an alphanum and contain only alphanums and hyphens. Components must be "
+"separated by full stops.\""
+msgstr ""
+"RFC 1035 fordert, daß jede Komponente mit einem alphanumerischen Zeichen "
+"beginnen und enden muß, und ansonsten auch nur aus alphanumerischen Zeichen "
+"und Bindestrichen bestehen darf. Alle Komponenten werden jeweils durch einen "
+"Punkt getrennt."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Do you want to keep it anyways?"
+msgstr "Bestehen Sie auf Ihrer Eingabe?"
+
+#. Type: select
+#. Choices
+#: ../templates:75
+#, fuzzy
+msgid ""
+"No configuration, Internet Site, Internet with smarthost, Satellite system, "
+"Local only"
+msgstr ""
+"Keine Konfiguration, Internet-Server, Internet mit Relay-Host, Satelliten-"
+"System, Nur lokale Zustellung, Hewlett Packard"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid "General type of configuration?"
+msgstr "Allgemeine Konfiguration?"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"You have several choices for general configuration at this point.  If you "
+"have your debconf priority set to 'low' or 'medium', you will be asked more "
+"questions later.  You can always run \"dpkg-reconfigure --priority=low "
+"postfix\" at a later point if you want to see these questions again."
+msgstr ""
+"Sie haben an dieser Stelle verschiedene Wahlmöglichkeiten der "
+"grundsätzlichen Konfiguration. Ist Ihre Debconf-Priorität auf 'niedrig' oder "
+"'mittel' gesetzt, werden Sie im folgenden mit weiteren Fragen gequält. ;-) "
+"Sie können diese Fragen später mittels 'dpkg-reconfigure --priority=low "
+"postfix' jederzeit erneut durchgehen."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"No configuration - IF YOU WANT THE INSTALL TO LEAVE YOUR CONFIG ALONE, "
+"CHOOSE THIS OPTION.  No configuration changes will be done now:  If you have "
+"not already configured Postfix, your mail system will be broken and should "
+"not be used. You must then do the configuration yourself by editing /usr/"
+"share/postfix/main.cf.dist and saving your changes as /etc/postfix/main.cf, "
+"or by running dpkg-reconfigure Postfix.  main.cf will not be modified by the "
+"Postfix install process."
+msgstr ""
+"Keine Konfiguration - WENN SIE IHRE MOMENTANE KONFIGURATION ERHALTEN "
+"MÖCHTEN, WÄHLEN SIE DIESE OPTION! Es werden keine Änderungen vorgenommen. "
+"Sollten Sie Postfix nicht bereits konfiguriert haben, ist Ihr Mail-System "
+"unbrauchbar und sollte nicht genutzt werden. In diesem Fall müssen Sie die "
+"Konfiguration selbst vornehmen, indem Sie die Datei /usr/share/postfix/main."
+"cf.dist nach/etc/postfix/main.cf kopieren und dort Ihren Gegebenheiten "
+"anpassen, oder indem Sie dpkg-reconfigure ausführen. Diese Installation wird "
+"main.cf nicht modifizieren."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site - mail is sent and received directly using SMTP. If your needs "
+"don't fit neatly into any category, you probably want to start with this one "
+"and then edit the config file by hand."
+msgstr ""
+"Internet-Server - Mail wird über SMTP versandt und empfangen. Sollten Ihre "
+"Anforderungen nicht ganz dieser Kategorie entsprechen, sollten Sie die "
+"erzeugte Konfigurationsdatei im Anschluß per Hand anpassen."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site using smarthost - You receive Internet mail on this machine, "
+"either directly by SMTP or by running a utility such as fetchmail. Outgoing "
+"mail is sent using a smarthost. optionally with addresses rewritten. This is "
+"probably what you want for a dialup system."
+msgstr ""
+"Internet-Server mit Relay-Host - Sie empfangen auf diesem Rechner Mails, "
+"entweder direkt über SMTP oder mittels eines Programmes wie z.B. fetchmail. "
+"Ausgehende Mails werden an einen Relay-Server (Smarthost) weitergeleitet, "
+"nachdem (optional) Adressen umgeschrieben wurden. Diese Konfiguration wird "
+"vorrangig für Einwahl-Verbindungen genutzt."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Satellite system - All mail is sent to another machine, called a \"smart host"
+"\" for delivery. root and postmaster mail is delivered according to /etc/"
+"aliases. No mail is received locally."
+msgstr ""
+"Satelliten-System - Alle Mails werden an einen entfernten Server, den "
+"sogenannten Smarthost zwecks Zustellung übergeben. Mails an root und "
+"postmaster werden entsprechend der Datei /etc/aliases ausgeliefert, es "
+"werden keine Mails lokal zugestellt."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Local delivery only - You are not on a network.  Mail for local users is "
+"delivered."
+msgstr ""
+"Nur lokale Zustellung - Sie sind mit keinem Netzwerk verbunden. Mails an "
+"lokale Nutzer werden zugestellt."
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "WARNING: Postfix not configured"
+msgstr "ACHTUNG: Postfix ist nicht konfiguriert."
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid ""
+"You have chosen \"No Configuration\" - Postfix will not be configured and "
+"will not be started by default.  Please run 'dpkg-reconfigure postfix' at a "
+"later date, or configure it yourself by:"
+msgstr ""
+"Sie haben 'Keine Konfiguration' gewählt - Postfix wird nicht konfiguriert "
+"oder automatisch gestartet. Rufen Sie bitte 'dpkg-reconfigure postfix' zu "
+"einem späteren Zeitpunkt auf oder konfigurieren Sie Postfix manuell wie "
+"folgt:"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "1) Editing /etc/postfix/main.cf to your liking"
+msgstr "1. Passen Sie /etc/postfix/main.cf Ihren Wünschen an."
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "2) Running /etc/init.d/postfix start"
+msgstr "2. Führen Sie '/etc/init.d/postfix start' aus."
+
+#. Type: string
+#. Default
+#: ../templates:120
+msgid "/etc/mailname"
+msgstr "/etc/mailname"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid "Mail name?"
+msgstr "Wie lautet der Mailname Ihres Systems?"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"Your `mail name' is the hostname portion of the address to be shown on "
+"outgoing news and mail messages (following the username and @ sign)."
+msgstr ""
+"Ihr 'Mailname' ist der Hostname aller ausgehenden News-Artikel und Mails, "
+"der dem Nutzernamen und '@'-Zeichen folgende Teil der Adresse."
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"This name will be used by other programs besides Postfix; it should be the "
+"single, full domain name (FQDN) from which mail will appear to originate."
+msgstr ""
+"Dieser Name wird auch von anderen Programmen als nur Postfix genutzt, es "
+"sollte dies der eindeutige voll-qualifizierte Domainname (FQDN) dieses "
+"Rechners sein, er ist i.d.R. Teil der Absender-Adresse lokal generierter "
+"Mails."
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid "Other destinations to accept mail for? (blank for none)"
+msgstr ""
+"Für welche weiteren Rechner möchten Sie Mails akzeptieren (leere Eingabe: "
+"keine)?"
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid ""
+"Give a comma-separated list of domains that this machine should consider "
+"itself the final destination for.  If this is a mail domain gateway, you "
+"probably want to include the top-level domain."
+msgstr ""
+"Spezifizieren Sie bitte eine durch Kommata getrennte Liste der Rechner, für "
+"die dieser Rechner das Zielsystem darstellt. Ist dieser Rechner für eine "
+"gesamte Mail-Domain zuständig, sollten Sie möglicherweise die Top-Level "
+"Domain (TLD) hinzufügen."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid "SMTP relay host? (blank for none)"
+msgstr "Welches ist Ihr SMTP Relay-Server (leere Eingabe: keiner)?"
+
+#. Type: string
+#. Description
+#: ../templates:137
+#, fuzzy
+msgid ""
+"Specify a domain, host, host:port, [address] or [address]:port. Use the form "
+"[destination] to turn off MX lookups.  Leave this blank for no relay host."
+msgstr ""
+"Geben Sie bitte Ihren Smarthost in einer der folgenden Formen an: Domain, "
+"Host, Host:Port, [Adresse] oder [Adresse:Port]. Nutzen Sie die Form [Ziel], "
+"um MX-Abfragen zu verhindern. Lassen Sie dieses Feld leer, wenn Sie keinen "
+"Relay-Server angeben möchten."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"The relayhost parameter specifies the default host to send mail to when no "
+"entry is matched in the optional transport(5) table. When no relayhost is "
+"given, mail is routed directly to the destination."
+msgstr ""
+"Mails, für die kein Eintrag in der optionalen Transport-Tabelle gefunden "
+"wird, werden standardmäßig an den Relay-Server, weitergeleitet. Geben Sie "
+"keinen Relay-Server an, erfolgen für die einzelnen Mails entsprechende "
+"Zielanfragen (MX-Lookups)."
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Use procmail for local delivery?"
+msgstr "Möchten Sie procmail zur lokalen Mail-Zustellung nutzen?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Do you want to use procmail to deliver local mail?"
+msgstr "Möchten Sie lokale Mails mittels procmail zustellen?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid ""
+"Note that if you use procmail to deliver mail system-wide, you should set up "
+"an alias that forwards mail for root to a real user."
+msgstr ""
+"Beachten Sie, daß bei systemweiter Mail-Zustellung mittels procmail ein "
+"Alias genutzt werden sollte, um an root adressierte Mails an einen normalen "
+"Nutzer weiterzuleiten."
+
+#. Type: string
+#. Default
+#: ../templates:156
+msgid "+"
+msgstr "+"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "Local address extension character?"
+msgstr "Zeichen für lokale Adreß-Erweiterung?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "What character defines a local address extension?"
+msgstr "Welches Zeichen definiert eine lokale Adreß-Erweiterung?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "To not use address extensions, leave the string blank."
+msgstr ""
+"Lassen Sie die Eingabe leer, wenn Sie keine Adreß-Erweiterungen nutzen "
+"möchten."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "Bad recipient delimiter"
+msgstr "Ungültiges Adreß-Trennzeichen"
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid ""
+"The recipient delimiter is a single character, you entered too many "
+"characters.  Please try again."
+msgstr ""
+"Das Adreß-Trennzeichen ist ein einzelnes Zeichen, Sie haben zu viele Zeichen "
+"eingegeben. Versuchen Sie es bitte noch einmal."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "\"${enteredstring}\""
+msgstr "\"${enteredstring}\""
+
+#. Type: boolean
+#. Default
+#: ../templates:172
+msgid "false"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "Force synchronous updates on mail queue?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid ""
+"If synchronous updates are forced, then mail is processed more slowly. If "
+"not forced, then there is a remote chance of losing some mail if the system "
+"crashes at an inopportune time, and you are not using a journaled filesystem "
+"(such as ext3)."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "The default is \"off\"."
+msgstr ""
+
+#. Type: string
+#. Default
+#: ../templates:183
+msgid "127.0.0.0/8"
+msgstr "127.0.0.0/8"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid "Local networks?"
+msgstr "Lokale Netzwerke?"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"For what network blocks should this machine relay mail?  The default is just "
+"the local host, which is needed by some mail user agents."
+msgstr ""
+"Für welche Teilnetze soll dieser Rechner Mails weiterleiten? Standardmäßig "
+"ist dies nur der lokale Rechner, dieser wird für einige Mail-Programme "
+"benötigt."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"If this is a smarthost for a block of machines, you need to specify the "
+"netblocks here, or mail will be rejected rather than relayed."
+msgstr ""
+"Wenn dieser Rechner ein Relay-Server für ein Teilnetz anderer Rechner ist, "
+"muß dieses Teilnetz hier spezifiziert werden, ansonsten werden "
+"weiterzuleitende Mails abgewiesen."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"To use the postfix default (which is based on connected networks), enter an "
+"empty string."
+msgstr ""
+
+#. Type: string
+#. Default
+#: ../templates:196
+msgid "0"
+msgstr "0"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid "Mailbox size limit"
+msgstr "Maximale Mailbox-Größe"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid ""
+"What limit should Postfix place on mailbox files to prevent runaway software "
+"errors.  A value of zero (0) means no limit.  (The upstream default is "
+"51200000.)"
+msgstr ""
+"Welches Limit (in Bytes) soll für Mailbox-Dateien gelten, um Software-"
+"Fehlern eine Grenze zu setzen? Null (0) bedeutet: kein Limit, der Postfix-"
+"Standard beträgt 51200000 (etwa 50 MB)."
+
+#. Type: string
+#. Default
+#: ../templates:204
+msgid "NONE"
+msgstr "NONE"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid "Where should mail for root go"
+msgstr "An wen sollen an root adressierte Mails weitergeleitet werden?"
+
+#. Type: string
+#. Description
+#: ../templates:205
+#, fuzzy
+msgid ""
+"The user root (and any other users with a uid of 0) must have mail "
+"redirected via an alias, or their mail may be delivered to /var/mail/"
+"nobody.  This is by design:  mail is not delivered to external delivery "
+"agents as root."
+msgstr ""
+"Mails an den Nutzer 'root', sowie an jeden anderen Nutzer mit der Nutzer-ID "
+"0, müssen mittels eines Aliases weitergeleitet werden, ansonsten werden Sie "
+"nach /var/spool/mail/nobody ausgeliefert. Dies ist durch das Design "
+"vorgegeben: Mails werden niemals als Nutzer root ausgeliefert."
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"If you already have a /etc/aliases file, then you possibly need to add this "
+"entry.  (I will only add it if I am creating a new /etc/aliases.)"
+msgstr ""
+"Falls Sie bereits eine /etc/aliases Datei haben, müssen Sie möglicherweise "
+"diesen Eintrag hinzufügen. Automatisch wird er nur dann hinzugefügt, wenn /"
+"etc/aliases neu erzeugt wird."
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"What address should I add to /etc/aliases, if I create the file?  (Enter "
+"NONE to not add one.)"
+msgstr ""
+"Welche Adresse möchten Sie zu /etc/aliases hinzufügen, wenn diese Datei "
+"erzeugt wird? Geben Sie 'NONE' ein, um keine hinzuzufügen."
+
+#, fuzzy
+#~ msgid ""
+#~ "HP - Configuration used inside of HP.  This just hardcodes several "
+#~ "configuration parameters based on the final components of the hostname, "
+#~ "but looks largely like 'Internet site using smarthost'.  This option will "
+#~ "modify /etc/postfix/transport and install it as a transport map."
+#~ msgstr ""
+#~ "Hewlett Packard - von HP genutzte Konfiguration. Hier werden einige "
+#~ "Parameter fest kodiert, ansonsten entspricht diese Konfiguration dem "
+#~ "'Internet mit Relay-Host'. Bei dieser Konfiguration wird die Datei /etc/"
+#~ "postfix/transport modifiziert und als Transport-Tabelle installiert."
+
+#~ msgid "Append .domain to simple addresses"
+#~ msgstr "Möchten Sie .domain an einfache Adressen anfügen lassen?"
+
+#, fuzzy
+#~ msgid ""
+#~ "When Postfix sees an address with only one component in the hostname, "
+#~ "should it append .$mydomain?  Appending .$mydomain means that you don't "
+#~ "need to qualify destinations in your own domain, but breaks mail bound "
+#~ "for users at top-level domain addresses.  (yes, there are some of these.)"
+#~ msgstr ""
+#~ "Sieht Postfix Adressen mit nur einer Komponente im Hostnamen, kann ."
+#~ "$mydomain angehangen werden. Falls Sie dies wünschen, müssen Sie Ziele "
+#~ "innerhalb Ihrer eigenen Domain nicht vervollständigen (qualifizieren), "
+#~ "erhalten aber ungültige Adressen für Nutzer von Top-Level Domain (TLD) "
+#~ "Adressen. Ja, es gibt ein paar solche..."
+
+#, fuzzy
+#~ msgid ""
+#~ "If you are forwarding mail out of your organization, you should almost "
+#~ "certainly not append .$mydomain. If you're the only user of mail on your "
+#~ "system, choose whichever is more convenient for you."
+#~ msgstr ""
+#~ "Leiten Sie Mails nach außerhalb Ihrer Organisation weiter, sollten Sie "
+#~ "dies wahrscheinlich verneinen. Sind Sie der einzige Nutzer Ihres Mail-"
+#~ "Systems, wählen Sie, was immer Ihnen geeigneter erscheint."
+
+#~ msgid ""
+#~ "If you answer no, you almost certainly need to add 'localhost' to the "
+#~ "list of local destinations."
+#~ msgstr ""
+#~ "Falls Sie verneinen, werden Sie 'localhost' zu der Liste Ihrer lokalen "
+#~ "Ziele hinzufügen müssen."
+
+#~ msgid ""
+#~ "Postfix has converted from libdb2 format to libdb3 format.  This change "
+#~ "requires that all Postfix hash and btree maps be regenerated."
+#~ msgstr ""
+#~ "Postfix wurde vom libdb2 zum libdb3-Format konvertiert. Diese Änderung "
+#~ "erfordert eine Regenerierung sämtlicher Hash- und BTree-Tabellen."
+
+#~ msgid ""
+#~ "If you answer no, Postfix will be restarted, but may fail if your db "
+#~ "files still need to be converted.  If you answer yes, all hash and btree "
+#~ "maps used by Postfix will be rebuilt prior to restarting Postfix."
+#~ msgstr ""
+#~ "Verneinen Sie, wird ein Neustart von Postfix möglicherweise versagen, "
+#~ "falls Ihre Datenbank-Dateien noch konvertiert werden müssen. Antworten "
+#~ "Sie mit ja, werden zuvor alle Hash- und BTree-Tabellen regeneriert."
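Review bot: two of the live (non-obsolete) entries in this German file will not reach users as German text. The entry for "To use the postfix default (which is based on connected networks), enter an empty string." has an empty msgstr, so the English msgid is shown, and the root-mail entry at templates:205 is flagged fuzzy, which msgfmt skips by default; those are exactly the questions that decide what the machine relays and where uid-0 mail ends up. Please complete the first translation and, for the fuzzy one, align the path with the msgid before dropping the fuzzy marker: the msgid says /var/mail/nobody while the German text says /var/spool/mail/nobody. The fuzzy markers on the #~ obsolete entries at the end of the file are harmless.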

Added: trunk/postfix/debian/po/es.po
===================================================================
--- trunk/postfix/debian/po/es.po	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/po/es.po	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,621 @@
+# postfix translation to spanish
+# Copyright (C) 2004 Software in the Public Interest
+# This file is distributed under the same license as the postfix package.
+#
+# Changes:
+# - Initial translation
+#       Rudy Godoy <rudy at kernel-panik.org>, 2004
+#
+#
+#  Traductores, si no conoce el formato PO, merece la pena leer la 
+#  documentación de gettext, especialmente las secciones dedicadas a este
+#  formato, por ejemplo ejecutando:
+#         info -n '(gettext)PO Files'
+#         info -n '(gettext)Header Entry'
+#
+# Equipo de traducción al español, por favor lean antes de traducir
+# los siguientes documentos:
+# 
+# - El proyecto de traducción de Debian al español
+#   http://www.debian.org/intl/spanish/coordinacion
+#   especialmente las notas de traducción en
+#   http://www.debian.org/intl/spanish/notas
+#
+# - La guía de traducción de po's de debconf:
+#   /usr/share/doc/po-debconf/README-trans
+#   o http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: postfix 2.0.18\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-10-30 21:06-0600\n"
+"PO-Revision-Date: 2004-11-20 19:29-0500\n"
+"Last-Translator: Rudy Godoy <rudy at kernel-panik.org>\n"
+"Language-Team: Debian Spanish <debian-l10n-spanish at lists.debian.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=ISO-8859-15\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+msgid "Correct dynamicmaps.cf for upgrade?"
+msgstr "¿Corregir dynamicmaps.cf para la actualización?"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Postfix version 2.0.2 and later require changes in dynamicmaps.cf. "
+"Specifically, wildcard support is gone, and with it, %s expansion.  Any "
+"changes that you made to dynamicmaps.cf that relied on these features will "
+"need to be fixed by you.  Failure to correct these will result in a broken "
+"mailer."
+msgstr ""
+"Postfix versión 2.0.2 y posterior requiere cambios en dynamicmaps.cf. "
+"Específicamente, el soporte de comodines se ha eliminado, y con éste, la "
+"expansión %s. Cualquier cambio que usted haya hecho a dynamicmaps.cf que "
+"haga uso de estas características deberá ser corregido por usted. Los "
+"errores al corregirlos harán que su sistema de correo deje de funcionar."
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Should dynamicmaps.cf be automatically changed?  Decline this option to "
+"abort the upgrade, giving you the opportunity to eliminate wildcard and %s-"
+"expansion-dependent configuration.  Accept this option if you have no such "
+"configuration, and automatically make dynamicmaps.cf compatible with Postfix "
+"2.0.2 in this respect."
+msgstr "¿Se debe cambiar automáticamente «dynamicmaps.cf»? Rechace esta opción para cancelar la actualización, dándole la oportunidad de eliminar los comodines y configuración dependiente de expansión %s. Acepte esta opción si no tiene este tipo de configuración, y quiere hacer compatible automáticamente el fichero «dynamicmaps.cf» con Postfix 2.0.2 en este aspecto."
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid "Postfix version 2.1 and later require new services in master.cf."
+msgstr "La versión de Postfix 2.1 y posteriores requieren nuevos servicios en «master.cf»"
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid ""
+"Should this configuration be automatically added to master.cf?  Decline this "
+"option to abort the upgrade, giving you the opportunity to add this "
+"configuration yourself.  Accept this option to automatically make master.cf "
+"compatible with Postfix 2.1 in this respect."
+msgstr "¿Se debe añadir automáticamente la configuración a master.cf? Rechace esta opción para cancelar la actualización, dándole la oportunidad de añadirla usted mismo. Acepte esta opción para automáticamente hacer master.cf compatible con Postfix 2.1 en este aspecto."
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid "Correct master.cf for upgrade?"
+msgstr "¿Corregir master.cf para la actualización?"
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Postfix version 2.1 renamed \"nqmgr\" to \"qmgr\", and you are using \"nqmgr"
+"\"."
+msgstr "La versión 2.1 de Postfix ha renombrado «nqmgr» a «qmgr» y está usando «qmgr»."
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Failure to fix this will result in a broken mailer.  Decline this option to "
+"abort the upgrade, giving you the opportunity to add this configuration "
+"yourself.  Accept this option to automatically make master.cf compatible "
+"with Postfix 2.1 in this respect."
+msgstr "En caso de fallo al corregir esto, resultará en un sistema de correo disfuncional. Rechace esta opción para cancelar la actualización, dándole la oportunidad de añadirla usted mismo. Acepte esta opción para automáticamente hacer master.cf compatible con Postfix 2.1 en este aspecto."
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Should Postfix upgrade hash and btree maps?"
+msgstr "¿Debe Postfix actualizar los mapas hash y btree?"
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Postfix has switched to db4, and this may require maps to be upgraded."
+msgstr "Postfix ha cambiado a db4 y esto podría requerir actualizar los mapas."
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Do you want to automatically attempt the conversion?"
+msgstr "¿Desea que se intente la conversión automáticamente?"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid "Transport map incompatibility"
+msgstr "Incompatibilidad en el mapa de transporte"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"You have a transport map defined, and there is an incompatible change in how "
+"transport maps are used.  Postfix will not be restarted automatically."
+msgstr "Tiene un mapa de transporte definido y existe un cambio incompatible en como se usan los mapas de transporte. Postfix no se reiniciará automáticamente."
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"Transport map entries override $mydestination.  If you use transport maps, "
+"it is better to always have explicit entries for all domain names you have "
+"in $mydestination.  See the html/faq.html sections for firewalls and "
+"intranets.  If you have transport entries for parent domains of anything "
+"delivered locally, you will probably need to add specific entries for the "
+"destination domains before you restart Postfix."
+msgstr "Las entradas del mapa de transporte anulan «$mydestination». Si usa mapas de transporte, es mejor tener siempre entradas explícitas para todos los nombres de dominio que usted tenga en $mydestination. Vea las secciones de cortafuegos e intranets en html/faq.html. Si tiene entradas de transporte para dominios padres de cualquier cosa que se entregue localmente, probablemente necesite añadir entradas específicas para los dominios destino antes de reiniciar Postfix."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Bad entry, try again?"
+msgstr "Entrada incorrecta, ¿intentar nuevamente?"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "The string you have entered"
+msgstr "La cadena que ha ingresado"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "does not follow RFC 1035 and does not appear to be a valid IP address."
+msgstr "no cumple con la RFC 1035 y no parece ser una dirección IP válida."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid ""
+"RFC 1035 states that \"each component must start with an alphanum, end with "
+"an alphanum and contain only alphanums and hyphens. Components must be "
+"separated by full stops.\""
+msgstr "RFC 1035 indica que «cada componente debe empezar con un caracter alfanumérico, finalizar con un alfanumérico y solamente contener alfanuméricos y guiones»."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Do you want to keep it anyways?"
+msgstr "¿Desea mantenerlo de todas maneras?"
+
+#. Type: select
+#. Choices
+#: ../templates:75
+#, fuzzy
+msgid ""
+"No configuration, Internet Site, Internet with smarthost, Satellite system, "
+"Local only"
+msgstr "Sin configuración, Sitio de Internet, Internet con smarthost, Sistema satélite, Sólo entrega local"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid "General type of configuration?"
+msgstr "Tipo genérico de configuración"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"You have several choices for general configuration at this point.  If you "
+"have your debconf priority set to 'low' or 'medium', you will be asked more "
+"questions later.  You can always run \"dpkg-reconfigure --priority=low "
+"postfix\" at a later point if you want to see these questions again."
+msgstr "En este momento tiene diversas opciones para la configuración general. Si tiene configurada la prioridad de debconf en «low» o «medium», se le harán mas preguntas luego. Cuando lo desee puede ejecutar «dpkg-reconfigure --priority=low postfix» si quiere ver estas preguntas nuevamente."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"No configuration - IF YOU WANT THE INSTALL TO LEAVE YOUR CONFIG ALONE, "
+"CHOOSE THIS OPTION.  No configuration changes will be done now:  If you have "
+"not already configured Postfix, your mail system will be broken and should "
+"not be used. You must then do the configuration yourself by editing /usr/"
+"share/postfix/main.cf.dist and saving your changes as /etc/postfix/main.cf, "
+"or by running dpkg-reconfigure Postfix.  main.cf will not be modified by the "
+"Postfix install process."
+msgstr "Sin configuración - SI DESEA QUE EL PROGRAMA DE INSTALACIÓN NO TOQUE SU CONFIGURACIÓN, ELIJA ESTA OPCIÓN. No se realizará ningún cambio en la configuración ahora: Si usted todavía no ha configurado Postfix, su sistema de correo no funcionará y no deberá usarse. En ese caso debe efectuar la configuración editando el fichero «/usr/share/postfix/main.cf.dist» y guardando sus cambios como «/etc/postfix/main.cf», o ejecutando «dpkg-reconfigure postfix». «main.cf» no será modificado por el proceso de instalación de postfix."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site - mail is sent and received directly using SMTP. If your needs "
+"don't fit neatly into any category, you probably want to start with this one "
+"and then edit the config file by hand."
+msgstr "Sitio Internet - el correo se envía y se recibe directamente usando SMTP. Si sus necesidades no se adaptan a ninguna categoría, probablemente quiera empezar con ésta y luego modificar el fichero de configuración en forma manual."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site using smarthost - You receive Internet mail on this machine, "
+"either directly by SMTP or by running a utility such as fetchmail. Outgoing "
+"mail is sent using a smarthost. optionally with addresses rewritten. This is "
+"probably what you want for a dialup system."
+msgstr "Sitio Internet usando smarthost - Recibe correo de internet en esta máquina ya sea directamente a través de SMTP o ejecutando una herramienta como fetchmail. El correo saliente se envía usando un smarthost, opcionalmente con las direcciones reescritas. Esto es probablemente lo que querría para una conexión a través de línea telefónica."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Satellite system - All mail is sent to another machine, called a \"smart host"
+"\" for delivery. root and postmaster mail is delivered according to /etc/"
+"aliases. No mail is received locally."
+msgstr "Sistema satélite - Todo el correo se envía a otra máquina, llamada «smart host». El correo de root y postmaster se envía de acuerdo a «/etc/aliases». No se recibe correo localmente."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Local delivery only - You are not on a network.  Mail for local users is "
+"delivered."
+msgstr "Sólo entrega local - No forma parte de una red. Se envía correo a los usuarios locales."
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "WARNING: Postfix not configured"
+msgstr "ADVERTENCIA: Postfix no esta configurado"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid ""
+"You have chosen \"No Configuration\" - Postfix will not be configured and "
+"will not be started by default.  Please run 'dpkg-reconfigure postfix' at a "
+"later date, or configure it yourself by:"
+msgstr "Ha elegido «Sin configuración» - Postfix no será configurado y no será iniciado automáticamente. Por favor, ejecute «dpkg-reconfigure postfix» en cualquier momento o configúrelo usted mismo mediante los siguientes pasos:"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "1) Editing /etc/postfix/main.cf to your liking"
+msgstr "1) Modificando «/etc/postfix/main.cf» a su gusto"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "2) Running /etc/init.d/postfix start"
+msgstr "2) Ejecutando «/etc/init.d/postfix start»"
+
+#. Type: string
+#. Default
+#: ../templates:120
+msgid "/etc/mailname"
+msgstr "/etc/mailname"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid "Mail name?"
+msgstr "¿Nombre de correo?"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"Your `mail name' is the hostname portion of the address to be shown on "
+"outgoing news and mail messages (following the username and @ sign)."
+msgstr "El «nombre de correo» es la porción del nombre de máquina de la dirección que será mostrada en las noticias y correos salientes (despues del nombre de usuario y el signo @)."
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"This name will be used by other programs besides Postfix; it should be the "
+"single, full domain name (FQDN) from which mail will appear to originate."
+msgstr ""
+"Este nombre será usado por otros programas además de Postfix; deberá ser un "
+"único nombre de dominio completo (FDQN) desde el que parecerá originarse el "
+"correo."
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid "Other destinations to accept mail for? (blank for none)"
+msgstr "¿Otros destinos para los cuales aceptar correo? (en blanco para ninguno)"
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid ""
+"Give a comma-separated list of domains that this machine should consider "
+"itself the final destination for.  If this is a mail domain gateway, you "
+"probably want to include the top-level domain."
+msgstr ""
+"Ingrese una lista, separada por comas, de dominios de los que esta máquina "
+"deberá considerarse destino final. Si ésta es una pasarela de correo del "
+"dominio, probablemente querrá incluir el dominio padre."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid "SMTP relay host? (blank for none)"
+msgstr "¿Máquina de pasarela SMTP? (en blanco para ninguna)"
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"Specify a domain, host, host:port, [address] or [address]:port. Use the form "
+"[destination] to turn off MX lookups.  Leave this blank for no relay host."
+msgstr ""
+"Especifique un dominio, máquina, máquina:puerto, [dirección] o [dirección:"
+"puerto]. Use la forma [destino] para desactivar las búsquedas de MX. Deje "
+"esto en blanco para ninguna máquina de reenvío."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"The relayhost parameter specifies the default host to send mail to when no "
+"entry is matched in the optional transport(5) table. When no relayhost is "
+"given, mail is routed directly to the destination."
+msgstr ""
+"El parámetro relayhost especifica la máquina predeterminada a donde enviar "
+"correo cuando ninguna entrada coincide en la tabla opcional transport(5). "
+"Cuando no se especifica el relayhost, el correo se enruta directamente a su "
+"destino."
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Use procmail for local delivery?"
+msgstr "¿Usar procmail para la entrega local?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Do you want to use procmail to deliver local mail?"
+msgstr "¿Desea usar procmail para entregar el correo local?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid ""
+"Note that if you use procmail to deliver mail system-wide, you should set up "
+"an alias that forwards mail for root to a real user."
+msgstr ""
+"Note que si usa procmail para entregar el correo de todo el sistema, deberá "
+"configurar un alias que reenvíe el correo de root a un usuario real."
+
+#. Type: string
+#. Default
+#: ../templates:156
+msgid "+"
+msgstr "+"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "Local address extension character?"
+msgstr "¿Caracter de extensión de direcciones locales?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "What character defines a local address extension?"
+msgstr "¿Qué caracter define una extensión de dirección local?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "To not use address extensions, leave the string blank."
+msgstr "Para no usar extensiones de dirección, deje la cadena en blanco."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "Bad recipient delimiter"
+msgstr "Delimitador de destinatario incorrecto"
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid ""
+"The recipient delimiter is a single character, you entered too many "
+"characters.  Please try again."
+msgstr ""
+"El delimitador de destinatario es sólo un caracter. Por favor inténtelo "
+"nuevamente."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "\"${enteredstring}\""
+msgstr "«${enteredstring}»"
+
+#. Type: boolean
+#. Default
+#: ../templates:172
+msgid "false"
+msgstr "falso"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "Force synchronous updates on mail queue?"
+msgstr "¿Forzar actualizaciones síncronas en la cola de correo?"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid ""
+"If synchronous updates are forced, then mail is processed more slowly. If "
+"not forced, then there is a remote chance of losing some mail if the system "
+"crashes at an inopportune time, and you are not using a journaled filesystem "
+"(such as ext3)."
+msgstr "Si se fuerzan las actualizaciones síncronas, el correo será procesado más lentamente. Si no se fuerzan, existe la posibilidad remota de perder algunos correos si el sistema se colapsa en un momento inoportuno y no está usando un sistema de ficheros transaccional (como ext3)."
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "The default is \"off\"."
+msgstr "El predeterminado es «off»."
+
+#. Type: string
+#. Default
+#: ../templates:183
+msgid "127.0.0.0/8"
+msgstr "127.0.0.0/8"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid "Local networks?"
+msgstr "¿Redes locales?"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"For what network blocks should this machine relay mail?  The default is just "
+"the local host, which is needed by some mail user agents."
+msgstr "¿Para cuales bloques de la red esta máquina deberá reenviar el correo?. El predeterminado es simplemente a la máquina local, lo cual necesitan algunos agentes de correo de usuario."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"If this is a smarthost for a block of machines, you need to specify the "
+"netblocks here, or mail will be rejected rather than relayed."
+msgstr ""
+"Si éste es un smarthost para un bloque de máquinas, debe especificar los "
+"bloques de red aquí, o el correo será rechazado en lugar de reenviado."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"To use the postfix default (which is based on connected networks), enter an "
+"empty string."
+msgstr ""
+"Para usar el predeterminado de postfix (que se basa en las redes "
+"conectadas), ingrese una cadena vacía."
+
+#. Type: string
+#. Default
+#: ../templates:196
+msgid "0"
+msgstr "0"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid "Mailbox size limit"
+msgstr "Límite de tamaño de buzón de correo"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid ""
+"What limit should Postfix place on mailbox files to prevent runaway software "
+"errors.  A value of zero (0) means no limit.  (The upstream default is "
+"51200000.)"
+msgstr ""
+"¿Qué límite deberá colocar Postfix en los ficheros de buzón de correo para "
+"prevenir errores de software? El valor de cero (0) significa ilimitado. (El "
+"predeterminado por el desarrollador principal es 51200000.)"
+
+#. Type: string
+#. Default
+#: ../templates:204
+msgid "NONE"
+msgstr "NINGUNA"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid "Where should mail for root go"
+msgstr "Dónde debe enviarse el correo para el superusuario"
+
+#. Type: string
+#. Description
+#: ../templates:205
+#, fuzzy
+msgid ""
+"The user root (and any other users with a uid of 0) must have mail "
+"redirected via an alias, or their mail may be delivered to /var/mail/"
+"nobody.  This is by design:  mail is not delivered to external delivery "
+"agents as root."
+msgstr "El superusuario (y cualquier otro usuario con un uid 0) deberá tener el correo redirigido a través de un alias, o su correo será entregado a «/var/mail/nobody». Esto es por diseño: no se entrega correo como superusuario."
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"If you already have a /etc/aliases file, then you possibly need to add this "
+"entry.  (I will only add it if I am creating a new /etc/aliases.)"
+msgstr "Si ya tiene un fichero /etc/aliases, entonces posiblemente necesite añadir esta entrada (Solamente se añadirá si se crea un nuevo /etc/aliases)."
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"What address should I add to /etc/aliases, if I create the file?  (Enter "
+"NONE to not add one.)"
+msgstr ""
+"¿Que dirección se deberá añadir a /etc/aliases, si se crea el fichero? "
+"(Ingrese NONE para no añadir ninguna)."
+
+#~ msgid ""
+#~ "HP - Configuration used inside of HP.  This just hardcodes several "
+#~ "configuration parameters based on the final components of the hostname, "
+#~ "but looks largely like 'Internet site using smarthost'.  This option will "
+#~ "modify /etc/postfix/transport and install it as a transport map."
+#~ msgstr ""
+#~ "HP - Configuración usada dentro de HP. Simplemente escribe diversos "
+#~ "parámetros de configuración basados en los componentes finales del nombre "
+#~ "de la máquina, pero es muy parecido a 'Sitio Internet usando smarthost'. "
+#~ "Esta opción modificará /etc/postfix/transport y lo instalará como un mapa "
+#~ "de transporte."
+
+#~ msgid "The default is \"off\", see the changelog for an explanation."
+#~ msgstr ""
+#~ "El predeterminado es \"off\", vea el registro de cambios para más "
+#~ "detalles."
+
+#~ msgid "Append .domain to simple addresses"
+#~ msgstr "Añadir .dominio a direcciones simples"
+
+#, fuzzy
+#~ msgid ""
+#~ "When Postfix sees an address with only one component in the hostname, "
+#~ "should it append .$mydomain?  Appending .$mydomain means that you don't "
+#~ "need to qualify destinations in your own domain, but breaks mail bound "
+#~ "for users at top-level domain addresses.  (yes, there are some of these.)"
+#~ msgstr ""
+#~ "Cuando postfix encuentra una dirección con solamente un componente en el "
+#~ "nombre de máquina, ¿deberá añadir .$mydomain? Si elige que sí, significa "
+#~ "que no necesitará verificar destinos en su propio dominio, pero rompe el "
+#~ "límite de correo para usuarios con direcciones de dominio padre. (Si, hay "
+#~ "algunas de éstas)."
+
+#, fuzzy
+#~ msgid ""
+#~ "If you are forwarding mail out of your organization, you should almost "
+#~ "certainly not append .$mydomain. If you're the only user of mail on your "
+#~ "system, choose whichever is more convenient for you."
+#~ msgstr ""
+#~ "Si usted está reenviando correo fuera de su organización, deberá decir "
+#~ "«no» aquí con casi toda seguridad. Si usted es el único usuario de correo "
+#~ "en su sistema, elija lo que sea más adecuado para usted."
+
+#~ msgid ""
+#~ "If you answer no, you almost certainly need to add 'localhost' to the "
+#~ "list of local destinations."
+#~ msgstr ""
+#~ "Si su respuesta es no, seguramente necesitará añadir 'localhost' a la "
+#~ "lista de destinos locales."
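Review bot: two Default fields are translated here, which changes what the config script receives rather than what the user reads. The boolean default at templates:172 becomes msgstr "falso" (debconf accepts only true or false for a boolean default), and the root-alias default at templates:204 becomes msgstr "NINGUNA" while the description two entries later still tells the user to enter NONE to add no alias, so a Spanish user who accepts the default would get a root alias pointing at the literal address NINGUNA instead of no alias. Keep both msgstr values identical to the msgid, as this file already does for "/etc/mailname", "+", "0" and "127.0.0.0/8". Worth fixing in the same pass: the nqmgr entry at templates:28 renders "you are using \"nqmgr\"" as «está usando «qmgr»», inverting the statement; the relayhost entry at templates:137 renders "[address]:port" as "[dirección:puerto]", moving the port inside the brackets and so no longer matching the syntax the msgid gives; the RFC 1035 quotation at templates:60 drops the final sentence "Components must be separated by full stops."; and the mail-name entry at templates:121 spells FQDN as "FDQN".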

Added: trunk/postfix/debian/po/fr.po
===================================================================
--- trunk/postfix/debian/po/fr.po	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/po/fr.po	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,707 @@
+#
+#    Translators, if you are not familiar with the PO format, gettext
+#    documentation is worth reading, especially sections dedicated to
+#    this format, e.g. by running:
+#         info -n '(gettext)PO Files'
+#         info -n '(gettext)Header Entry'
+#
+#    Some information specific to po-debconf are available at
+#            /usr/share/doc/po-debconf/README-trans
+#         or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+#    Developers do not need to manually edit POT or PO files.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: postfix 2.1.5-1\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-10-30 21:06-0600\n"
+"PO-Revision-Date: 2004-11-07 21:30+0100\n"
+"Last-Translator: Philippe Batailler <philippe.batailler at free.fr>\n"
+"Language-Team: French <debian-l10n-french at lists.debian.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=ISO-8859-15\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+msgid "Correct dynamicmaps.cf for upgrade?"
+msgstr "Faut-il corriger le fichier dynamicmaps.cf pour faire la mise à jour ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Postfix version 2.0.2 and later require changes in dynamicmaps.cf. "
+"Specifically, wildcard support is gone, and with it, %s expansion.  Any "
+"changes that you made to dynamicmaps.cf that relied on these features will "
+"need to be fixed by you.  Failure to correct these will result in a broken "
+"mailer."
+msgstr ""
+"À partir de la version 2.0.2, Postfix demande des modifications du fichier "
+"dynamicmaps.cf. En particulier, l'utilisation de joker n'est plus possible "
+"et avec elle, l'expansion de %s. Il vous faudra corriger tout ce qui "
+"utilisait ces possibilités. Ne pas le faire rendra le programme défectueux."
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Should dynamicmaps.cf be automatically changed?  Decline this option to "
+"abort the upgrade, giving you the opportunity to eliminate wildcard and %s-"
+"expansion-dependent configuration.  Accept this option if you have no such "
+"configuration, and automatically make dynamicmaps.cf compatible with Postfix "
+"2.0.2 in this respect."
+msgstr ""
+"Souhaitez-vous une modification automatique du fichier dynamicmaps.cf ? "
+"Refusez cette option pour interrompre la mise à jour : cela vous donne "
+"l'occasion de supprimer l'utilisation de joker et l'expansion des %s dans "
+"votre configuration. Si votre configuration n'utilise pas ces possibilités, "
+"accepter l'option rendra le fichier dynamicmaps.cf compatible avec la "
+"version 2.0.2 de Postfix."
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid "Postfix version 2.1 and later require new services in master.cf."
+msgstr ""
+"À partir de la version 2.1, Postfix demande de nouvelles définitions dans le "
+"fichier master.cf."
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid ""
+"Should this configuration be automatically added to master.cf?  Decline this "
+"option to abort the upgrade, giving you the opportunity to add this "
+"configuration yourself.  Accept this option to automatically make master.cf "
+"compatible with Postfix 2.1 in this respect."
+msgstr ""
+"Souhaitez-vous ajouter automatiquement ces services dans le fichier master."
+"cf ? Refusez cette option pour interrompre la mise à jour : cela vous donne "
+"l'occasion de faire vous-même cette configuration. Accepter l'option rendra "
+"le fichier master.cf compatible avec la version 2.1 de Postfix."
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid "Correct master.cf for upgrade?"
+msgstr "Faut-il corriger le fichier master.cf pour la mise à jour ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Postfix version 2.1 renamed \"nqmgr\" to \"qmgr\", and you are using \"nqmgr"
+"\"."
+msgstr ""
+"Le fichier « nqmgr », que vous utilisez, s'appelle maintenant « qmgr », "
+"depuis la version 2.1 de Postfix."
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Failure to fix this will result in a broken mailer.  Decline this option to "
+"abort the upgrade, giving you the opportunity to add this configuration "
+"yourself.  Accept this option to automatically make master.cf compatible "
+"with Postfix 2.1 in this respect."
+msgstr ""
+"Si vous ne changez pas ce nom, le serveur de courriel ne fonctionnera pas. "
+"Refusez cette option pour interrompre la mise à jour : cela vous donne "
+"l'occasion de faire vous-même cette configuration. Accepter l'option rendra "
+"le fichier master.cf compatible avec la version 2.1 de Postfix."
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Should Postfix upgrade hash and btree maps?"
+msgstr "Faut-il mettre à jour les tables de type hash et btree ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Postfix has switched to db4, and this may require maps to be upgraded."
+msgstr ""
+"Postfix est passé à db4, ce qui peut nécessiter la mise à jour des tables."
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Do you want to automatically attempt the conversion?"
+msgstr "Voulez-vous procéder automatiquement à cette conversion ?"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid "Transport map incompatibility"
+msgstr "Incompatibilité dans la table de transport"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"You have a transport map defined, and there is an incompatible change in how "
+"transport maps are used.  Postfix will not be restarted automatically."
+msgstr ""
+"Vous avez défini une table de transport ; mais la façon d'utiliser les "
+"tables de transport a changé. Postfix ne sera pas relancé automatiquement."
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"Transport map entries override $mydestination.  If you use transport maps, "
+"it is better to always have explicit entries for all domain names you have "
+"in $mydestination.  See the html/faq.html sections for firewalls and "
+"intranets.  If you have transport entries for parent domains of anything "
+"delivered locally, you will probably need to add specific entries for the "
+"destination domains before you restart Postfix."
+msgstr ""
+"Les entrées de la table de transport annulent « $mydestination ». Si vous "
+"utilisez une table de transport, il vaut mieux créer explicitement une "
+"entrée pour chaque nom de domaine listé dans $mydestination. Voyez les "
+"sections dans html/faq.html sur les pare-feux et les intranets. Si vous avez "
+"des entrées pour les domaines parents de tout ce qui est distribué "
+"localement, vous avez sans doute besoin d'ajouter des entrées spécifiques "
+"pour les domaines de destination avant de relancer Postfix."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Bad entry, try again?"
+msgstr "Mauvaise entrée, faut-il réessayer ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "The string you have entered"
+msgstr "La chaîne saisie"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "does not follow RFC 1035 and does not appear to be a valid IP address."
+msgstr "ne suit pas la RFC 1035 et ne semble pas être une adresse IP valable."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid ""
+"RFC 1035 states that \"each component must start with an alphanum, end with "
+"an alphanum and contain only alphanums and hyphens. Components must be "
+"separated by full stops.\""
+msgstr ""
+"La RFC 1035 stipule : « Chaque élément doit commencer par un caractère "
+"alphanumérique, se terminer par un caractère alphanumérique et ne contenir "
+"que des caractères alphanumériques et des traits d'union. Les éléments "
+"doivent être séparés par des points. »"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Do you want to keep it anyways?"
+msgstr "Voulez-vous quand même la garder ?"
+
+#. Type: select
+#. Choices
+#: ../templates:75
+msgid ""
+"No configuration, Internet Site, Internet with smarthost, Satellite system, "
+"Local only"
+msgstr ""
+"Pas de configuration, Site Internet, Internet par un FAI, Système satellite, "
+"Utilisation locale seulement"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid "General type of configuration?"
+msgstr "Type de configuration :"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"You have several choices for general configuration at this point.  If you "
+"have your debconf priority set to 'low' or 'medium', you will be asked more "
+"questions later.  You can always run \"dpkg-reconfigure --priority=low "
+"postfix\" at a later point if you want to see these questions again."
+msgstr ""
+"Vous pouvez maintenant choisir entre plusieurs types de configuration. Si la "
+"priorité de debconf est fixée à « low » ou à « medium », des questions "
+"supplémentaires vous seront proposées. Vous pourrez exécuter « dpkg-"
+"reconfigure --priority=low postfix » quand vous voudrez revoir ces questions."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"No configuration - IF YOU WANT THE INSTALL TO LEAVE YOUR CONFIG ALONE, "
+"CHOOSE THIS OPTION.  No configuration changes will be done now:  If you have "
+"not already configured Postfix, your mail system will be broken and should "
+"not be used. You must then do the configuration yourself by editing /usr/"
+"share/postfix/main.cf.dist and saving your changes as /etc/postfix/main.cf, "
+"or by running dpkg-reconfigure Postfix.  main.cf will not be modified by the "
+"Postfix install process."
+msgstr ""
+"Pas de configuration. SI VOUS NE VOULEZ PAS QUE L'INSTALLATION TOUCHE À "
+"VOTRE CONFIGURATION, CHOISISSEZ CETTE OPTION. Aucune configuration ne sera "
+"faite. Si Postfix n'est pas déjà configuré, votre système de courrier sera "
+"défectueux et ne devrait pas être utilisé. Vous devez alors vous-même "
+"modifier le fichier /usr/share/postfix/main.cf.dist et sauvegarder votre "
+"configuration dans /etc/postfix/main.cf. Vous pouvez aussi lancer « dpkg-"
+"reconfigure postfix ». Le processus d'installation de Postfix ne modifiera "
+"pas le fichier main.cf."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site - mail is sent and received directly using SMTP. If your needs "
+"don't fit neatly into any category, you probably want to start with this one "
+"and then edit the config file by hand."
+msgstr ""
+"Site Internet. Le courrier est expédié et reçu directement, en utilisant "
+"SMTP. Si aucun des choix proposés ne décrit nettement vos besoins, il vaut "
+"mieux commencer avec cette option et modifier par la suite le fichier de "
+"configuration."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site using smarthost - You receive Internet mail on this machine, "
+"either directly by SMTP or by running a utility such as fetchmail. Outgoing "
+"mail is sent using a smarthost. optionally with addresses rewritten. This is "
+"probably what you want for a dialup system."
+msgstr ""
+"Site Internet utilisant un « smarthost » (machine relais). Vous recevez le "
+"courrier internet sur cette machine soit directement par SMTP soit grâce à "
+"un utilitaire comme fetchmail. Le courrier sortant est envoyé grâce au  "
+"« smarthost ». Les adresses ont pu être réécrites. C'est sans doute l'option "
+"adaptée à un système connecté par le réseau téléphonique."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Satellite system - All mail is sent to another machine, called a \"smart host"
+"\" for delivery. root and postmaster mail is delivered according to /etc/"
+"aliases. No mail is received locally."
+msgstr ""
+"Système satellite. Tout le courrier est envoyé à une autre machine, le "
+"« smarthost », qui le distribue. Le courrier pour root ou pour postmaster "
+"est distribué selon /etc/aliases. Aucun courrier n'est reçu localement."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Local delivery only - You are not on a network.  Mail for local users is "
+"delivered."
+msgstr ""
+"Distribution locale seulement. Vous n'êtes pas sur un réseau. Le courrier "
+"est distribué aux utilisateurs locaux."
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "WARNING: Postfix not configured"
+msgstr "ATTENTION : Postfix n'est pas configuré"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid ""
+"You have chosen \"No Configuration\" - Postfix will not be configured and "
+"will not be started by default.  Please run 'dpkg-reconfigure postfix' at a "
+"later date, or configure it yourself by:"
+msgstr ""
+"Vous avez choisi l'option « pas de configuration ». Postfix ne sera pas "
+"configuré ni lancé. Vous pourrez plus tard exécuter « dpkg-reconfigure "
+"postfix » ou bien vous pouvez le configurer vous-même :"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "1) Editing /etc/postfix/main.cf to your liking"
+msgstr "1) en faisant les modifications que vous voulez à /etc/postfix/main.cf"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "2) Running /etc/init.d/postfix start"
+msgstr "2) puis en exécutant : /etc/init.d/postfix start"
+
+#. Type: string
+#. Default
+#: ../templates:120
+msgid "/etc/mailname"
+msgstr "/etc/mailname"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid "Mail name?"
+msgstr "Nom de courrier :"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"Your `mail name' is the hostname portion of the address to be shown on "
+"outgoing news and mail messages (following the username and @ sign)."
+msgstr ""
+"Votre « nom de courrier » est la partie de l'adresse contenant le nom de "
+"machine qui doit être écrite sur les courriers électroniques ou sur les "
+"articles des forums de discussion que vous postez ; elle suit le nom "
+"d'utilisateur et le caractère @."
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"This name will be used by other programs besides Postfix; it should be the "
+"single, full domain name (FQDN) from which mail will appear to originate."
+msgstr ""
+"D'autres programmes que Postfix se servent de ce nom ; il doit correspondre "
+"au domaine unique et complètement qualifié (FQDN) d'où le courrier semblera "
+"provenir."
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid "Other destinations to accept mail for? (blank for none)"
+msgstr ""
+"Pour quelles autres destinations accepter le courrier ? (ou laisser le champ "
+"vide)"
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid ""
+"Give a comma-separated list of domains that this machine should consider "
+"itself the final destination for.  If this is a mail domain gateway, you "
+"probably want to include the top-level domain."
+msgstr ""
+"Donnez une liste des domaines, séparés par des virgules, que cette machine "
+"reconnaîtra comme lui appartenant. Si la machine est un serveur de courrier, "
+"vous voudrez sans doute inclure le domaine de plus haut niveau."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid "SMTP relay host? (blank for none)"
+msgstr "Machine de relais SMTP :"
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"Specify a domain, host, host:port, [address] or [address]:port. Use the form "
+"[destination] to turn off MX lookups.  Leave this blank for no relay host."
+msgstr ""
+"Indiquez un domaine, une machine hôte, machine_hôte:port, [adresse] ou "
+"[adresse:port]. Utilisez la forme [destination] pour désactiver la recherche "
+"de MX (Mail eXchange). Laissez ce champ vide s'il n'y a pas de machine "
+"relais."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"The relayhost parameter specifies the default host to send mail to when no "
+"entry is matched in the optional transport(5) table. When no relayhost is "
+"given, mail is routed directly to the destination."
+msgstr ""
+"Ce paramètre indique la machine par défaut où envoyer le courrier quand "
+"aucune entrée correspondante n'existe dans la table optionnelle de transport"
+"(5). Quand aucune machine relais n'est donnée, le courrier est routé "
+"directement vers sa destination."
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Use procmail for local delivery?"
+msgstr "Faut-il utiliser procmail pour la distribution locale ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Do you want to use procmail to deliver local mail?"
+msgstr "Voulez-vous utiliser procmail pour la distribution locale ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid ""
+"Note that if you use procmail to deliver mail system-wide, you should set up "
+"an alias that forwards mail for root to a real user."
+msgstr ""
+"Remarque : si vous utilisez procmail pour distribuer le courrier sur tout un "
+"système, vous devriez créer un alias, représentant un utilisateur réel, vers "
+"lequel faire suivre le courrier de l'utilisateur root."
+
+#. Type: string
+#. Default
+#: ../templates:156
+msgid "+"
+msgstr "+"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "Local address extension character?"
+msgstr "Quel caractère signifie une adresse locale ?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "What character defines a local address extension?"
+msgstr "Quel caractère signifie une extension d'adresse locale ?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "To not use address extensions, leave the string blank."
+msgstr ""
+"Pour ne pas utiliser d'extension pour les adresses locales, laissez le champ "
+"vide."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "Bad recipient delimiter"
+msgstr "Mauvais délimiteur du destinataire"
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid ""
+"The recipient delimiter is a single character, you entered too many "
+"characters.  Please try again."
+msgstr ""
+"Le délimiteur du destinataire ne doit comporter qu'un seul caractère, vous "
+"en avez donné trop. Veuillez recommencer."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "\"${enteredstring}\""
+msgstr "« ${enteredstring} »"
+
+#. Type: boolean
+#. Default
+#: ../templates:172
+msgid "false"
+msgstr "Faux"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "Force synchronous updates on mail queue?"
+msgstr ""
+"Forcer des mises à jour synchronisées de la file d'attente des courriels ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid ""
+"If synchronous updates are forced, then mail is processed more slowly. If "
+"not forced, then there is a remote chance of losing some mail if the system "
+"crashes at an inopportune time, and you are not using a journaled filesystem "
+"(such as ext3)."
+msgstr ""
+"Quand on impose des mises à jour synchronisées, l'envoi des courriels se "
+"fait plus lentement. Dans le cas contraire, il y a des risques de perdre des "
+"courriels si le système meurt inopinément et si vous n'utilisez pas un "
+"système de fichiers journalisé, comme ext3."
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "The default is \"off\"."
+msgstr "La valeur par défaut est « off »."
+
+#. Type: string
+#. Default
+#: ../templates:183
+msgid "127.0.0.0/8"
+msgstr "127.0.0.0/8"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid "Local networks?"
+msgstr "Réseaux internes :"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"For what network blocks should this machine relay mail?  The default is just "
+"the local host, which is needed by some mail user agents."
+msgstr ""
+"Pour quels réseaux cette machine relaye-t-elle le courrier ? Par défaut, les "
+"courriels du réseau local sont acceptés, ce qui est demandé par certains "
+"lecteurs de courrier."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"If this is a smarthost for a block of machines, you need to specify the "
+"netblocks here, or mail will be rejected rather than relayed."
+msgstr ""
+"Si c'est un « smarthost » pour un ensemble de machines, vous devez indiquer "
+"l'ensemble des réseaux, sinon le courrier sera rejeté plutôt qu'expédié."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"To use the postfix default (which is based on connected networks), enter an "
+"empty string."
+msgstr ""
+"Pour utiliser les valeurs par défaut de postfix (basées sur des réseaux "
+"connectés), veuillez entrer une valeur vide."
+
+#. Type: string
+#. Default
+#: ../templates:196
+msgid "0"
+msgstr "0"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid "Mailbox size limit"
+msgstr "Taille maximale des boîtes aux lettres :"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid ""
+"What limit should Postfix place on mailbox files to prevent runaway software "
+"errors.  A value of zero (0) means no limit.  (The upstream default is "
+"51200000.)"
+msgstr ""
+"Quelle limite Postfix doit-il mettre à la taille des boîtes aux lettres pour "
+"empêcher les erreurs des logiciels incontrôlables ? Une valeur nulle "
+"signifie aucune limite. Les créateurs du logiciel ont mis par défaut "
+"51200000."
+
+#. Type: string
+#. Default
+#: ../templates:204
+msgid "NONE"
+msgstr "NONE"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid "Where should mail for root go"
+msgstr "À qui envoyer le courrier pour root ?"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"The user root (and any other users with a uid of 0) must have mail "
+"redirected via an alias, or their mail may be delivered to /var/mail/"
+"nobody.  This is by design:  mail is not delivered to external delivery "
+"agents as root."
+msgstr ""
+"Le courrier pour l'utilisateur root (et pour tout utilisateur avec un uid "
+"égal à 0) doit être dirigé vers un alias. Sinon le courrier est distribué à /"
+"var/mail/nobody. Cela est voulu, le courrier n'est pas distribué à des "
+"agents de distribution externes tel que root."
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"If you already have a /etc/aliases file, then you possibly need to add this "
+"entry.  (I will only add it if I am creating a new /etc/aliases.)"
+msgstr ""
+"Si le fichier /etc/aliases existe déjà, vous devrez sans doute ajouter cette "
+"entrée (elle n'est ajoutée que lors de la création d'un fichier /etc/"
+"aliases)."
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"What address should I add to /etc/aliases, if I create the file?  (Enter "
+"NONE to not add one.)"
+msgstr ""
+"Quelle adresse faut-il ajouter dans /etc/aliases si ce fichier est créé ? "
+"Choisissez NONE pour ne rien ajouter."
+
+#~ msgid ""
+#~ "HP - Configuration used inside of HP.  This just hardcodes several "
+#~ "configuration parameters based on the final components of the hostname, "
+#~ "but looks largely like 'Internet site using smarthost'.  This option will "
+#~ "modify /etc/postfix/transport and install it as a transport map."
+#~ msgstr ""
+#~ "HP. Configuration utilisée au sein de HP. Cela code en dur quelques "
+#~ "paramètres de configuration qui sont basés sur les derniers éléments du "
+#~ "nom de machine, mais cela ressemble en grande partie au site Internet "
+#~ "utilisant un « smarthost ». Cette option va modifier /etc/postfix/"
+#~ "transport pour l'utiliser comme table de transport."
+
+#~ msgid "The default is \"off\", see the changelog for an explanation."
+#~ msgstr ""
+#~ "Par défaut, la valeur est « off ». Voyez le fichier changelog pour des "
+#~ "explications."
+
+#~ msgid "Append .domain to simple addresses"
+#~ msgstr "Faut-il ajouter .domaine aux adresses simples ?"
+
+#~ msgid ""
+#~ "When Postfix sees an address with only one component in the hostname, "
+#~ "should it append .$mydomain?  Appending .$mydomain means that you don't "
+#~ "need to qualify destinations in your own domain, but breaks mail bound "
+#~ "for users at top-level domain addresses.  (yes, there are some of these.)"
+#~ msgstr ""
+#~ "Postfix doit-il ajouter .$mydomain quand il rencontre une adresse dont le "
+#~ "nom de domaine ne comporte qu'un élément ? Ajouter .$mydomain signifie "
+#~ "que vous n'avez pas besoin de qualifier les destinations dans votre "
+#~ "propre domaine. Mais le courrier pour des utilisateurs situés dans des "
+#~ "domaines supérieurs (oui, cela existe) devient mal formé."
+
+#~ msgid ""
+#~ "If you are forwarding mail out of your organization, you should almost "
+#~ "certainly not append .$mydomain. If you're the only user of mail on your "
+#~ "system, choose whichever is more convenient for you."
+#~ msgstr ""
+#~ "Si vous réexpédiez le courrier à l'extérieur de votre organisation, il "
+#~ "vous faut certainement ne pas rajouter .$mydomain. Si vous êtes le seul "
+#~ "utilisateur de votre système, choisissez ce que vous voulez."
+
+#~ msgid ""
+#~ "If you answer no, you almost certainly need to add 'localhost' to the "
+#~ "list of local destinations."
+#~ msgstr ""
+#~ "Si vous ne choisissez pas cette option, vous devez ajouter « localhost » "
+#~ "comme destination locale."
+
+#~ msgid ""
+#~ "Postfix has converted from libdb2 format to libdb3 format.  This change "
+#~ "requires that all Postfix hash and btree maps be regenerated."
+#~ msgstr ""
+#~ "Postfix est passé du format libdb2 au format libdb3. Cette modification "
+#~ "impose que toutes les tables de type hash et btree soient reconstruites."
+
+#~ msgid ""
+#~ "If you answer no, Postfix will be restarted, but may fail if your db "
+#~ "files still need to be converted.  If you answer yes, all hash and btree "
+#~ "maps used by Postfix will be rebuilt prior to restarting Postfix."
+#~ msgstr ""
+#~ "Si vous répondez négativement, Postfix sera relancé mais échouera sans "
+#~ "doute si les fichiers db n'ont pas été modifiés. Si vous acceptez, toutes "
+#~ "les tables seront reconstruites avant le lancement de Postfix."
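Review bot: several French msgstr entries in this hunk change the technical meaning of the English template and should be fixed before the file ships. In the relay-host entry, `[address]:port` is rendered as `[adresse:port]` (port inside the brackets), which is not the form the English text describes and would mislead an administrator filling in relayhost; it should read `[adresse]:port`. In the local-networks entry, "The default is just the local host" becomes "Par défaut, les courriels du réseau local sont acceptés", i.e. the local network rather than the local host, which overstates the default relay scope given the 127.0.0.0/8 default shown just above it. In the root-alias entry, "mail is not delivered to external delivery agents as root" becomes "à des agents de distribution externes tel que root" ("such as root"), losing the point that delivery to external agents never runs with root privileges. Less important: "Internet with smarthost" is translated as "Internet par un FAI", which narrows the option to an ISP relay, and the trailing `#~` obsolete entries could be dropped to keep the file tidy.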

Added: trunk/postfix/debian/po/it.po
===================================================================
--- trunk/postfix/debian/po/it.po	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/po/it.po	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,675 @@
+# Italian translation of the postfix debconf template
+# This file is distributed under the same license as the postfix package
+# Cristian Rigamonti <cri at linux.it>, 2004.
+msgid ""
+msgstr ""
+"Project-Id-Version: postfix 2.1.4-3\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-10-30 21:06-0600\n"
+"PO-Revision-Date: 2004-08-01 18:13+0200\n"
+"Last-Translator: Cristian Rigamonti <cri at linux.it>\n"
+"Language-Team: Italian <tp at lists.linux.it>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=ISO-8859-1\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+msgid "Correct dynamicmaps.cf for upgrade?"
+msgstr "Correggere dynamicmaps.cf per l'aggiornamento?"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Postfix version 2.0.2 and later require changes in dynamicmaps.cf. "
+"Specifically, wildcard support is gone, and with it, %s expansion.  Any "
+"changes that you made to dynamicmaps.cf that relied on these features will "
+"need to be fixed by you.  Failure to correct these will result in a broken "
+"mailer."
+msgstr ""
+"Postfix dalla versione 2.0.2 in poi richiede delle modifiche a dynamicmaps."
+"cf. In particolare, i caratteri jolly non sono più supportati, come neanche "
+"l'espansione %s .  Ogni modifica fatta a dynamicmaps.cf che si basa su "
+"queste funzionalità deve essere corretta, altrimenti il sistema di posta non "
+"funzionerà correttamente."
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Should dynamicmaps.cf be automatically changed?  Decline this option to "
+"abort the upgrade, giving you the opportunity to eliminate wildcard and %s-"
+"expansion-dependent configuration.  Accept this option if you have no such "
+"configuration, and automatically make dynamicmaps.cf compatible with Postfix "
+"2.0.2 in this respect."
+msgstr ""
+"Si desidera la correzione automatica di dynamicmaps.cf?  Rifiutando questa "
+"proposta, l'aggiornamento verrà annullato e si avrà la possibilità di "
+"eliminare le configurazioni che dipendono dai caratteri jolly e dalle "
+"espansioni %s. Se non si usano configurazioni di questo tipo, accettando la "
+"proposta si renderà dynamicmaps.cf compatibile con Postfix 2.0.2 in modo "
+"automatico."
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid "Postfix version 2.1 and later require new services in master.cf."
+msgstr ""
+"Postfix dalla versione 2.1 in poi richiede che siano aggiunti nuovi servizi "
+"in master.cf."
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid ""
+"Should this configuration be automatically added to master.cf?  Decline this "
+"option to abort the upgrade, giving you the opportunity to add this "
+"configuration yourself.  Accept this option to automatically make master.cf "
+"compatible with Postfix 2.1 in this respect."
+msgstr ""
+"Si desidera modificare automaticamente la configurazione di master.cf? "
+"Rifiutando questa proposta, l'aggiornamento verrà annullato e si avrà la "
+"possibilità di eseguire manualmente la configurazione. Accettando la "
+"proposta si renderà master.cf compatibile con Postfix 2.1 in modo automatico."
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid "Correct master.cf for upgrade?"
+msgstr "Correggere master.cf per l'aggiornamento?"
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Postfix version 2.1 renamed \"nqmgr\" to \"qmgr\", and you are using \"nqmgr"
+"\"."
+msgstr ""
+"A partire dalla versione 2.1 di Postfix, \"nqmgr\" è stato rinominato \"qmgr"
+"\" ma sul sistema è ancora in uso \"nqmgr\"."
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Failure to fix this will result in a broken mailer.  Decline this option to "
+"abort the upgrade, giving you the opportunity to add this configuration "
+"yourself.  Accept this option to automatically make master.cf compatible "
+"with Postfix 2.1 in this respect."
+msgstr ""
+"Se non si effettua questa correzione, il programma sarà inutilizzabile. "
+"Rifiutando questa proposta, l'aggiornamento verrà annullato e si avrà la "
+"possibilità di eseguire manualmente la configurazione. Accettando la "
+"proposta si renderà master.cf compatibile con Postfix 2.1 in modo automatico."
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Should Postfix upgrade hash and btree maps?"
+msgstr "Si desidera aggiornare le mappe hash e btree di Postfix?"
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Postfix has switched to db4, and this may require maps to be upgraded."
+msgstr ""
+"Postfix ha adottato db4; ciò può richiedere un aggiornamento delle mappe."
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Do you want to automatically attempt the conversion?"
+msgstr "Si desidera tentare la conversione automatica?"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid "Transport map incompatibility"
+msgstr "Incompatibilità nella mappa transport"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"You have a transport map defined, and there is an incompatible change in how "
+"transport maps are used.  Postfix will not be restarted automatically."
+msgstr ""
+"È stata rilevata una mappa transport; poiché la modalità di uso delle mappe "
+"transport è cambiata in modo incompatibile, Postfix non sarà riavviato "
+"automaticamente."
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"Transport map entries override $mydestination.  If you use transport maps, "
+"it is better to always have explicit entries for all domain names you have "
+"in $mydestination.  See the html/faq.html sections for firewalls and "
+"intranets.  If you have transport entries for parent domains of anything "
+"delivered locally, you will probably need to add specific entries for the "
+"destination domains before you restart Postfix."
+msgstr ""
+"Le voci della mappa transport prevalgono su $mydestination.  Se si usano le "
+"mappe transport è meglio includere sempre delle voci esplicite per tutti i "
+"nomi di dominio contenuti in $mydestination.  Si vedano le sezioni di html/"
+"faq.html riguardanti i firewall e le intranet.  Se transport contiene delle "
+"voci per domini gerarchicamente superiori a quelli per cui avviene la "
+"consegna locale, prima di riavviare Postfix è opportuno aggiungere delle "
+"voci specifiche anche per i domini di destinazione."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Bad entry, try again?"
+msgstr "Valore errato, riprovare?"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "The string you have entered"
+msgstr "La stringa immessa"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "does not follow RFC 1035 and does not appear to be a valid IP address."
+msgstr ""
+"non è conforme alla RFC 1035 e non sembra essere un indirizzo IP valido."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid ""
+"RFC 1035 states that \"each component must start with an alphanum, end with "
+"an alphanum and contain only alphanums and hyphens. Components must be "
+"separated by full stops.\""
+msgstr ""
+"La RFC 1035 richiede che ogni componente inizi e finisca con un carattere "
+"alfanumerico e contenga solo caratteri alfanumerici o il trattino \"-\". Le "
+"componenti devono essere separate da punti."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Do you want to keep it anyways?"
+msgstr "Si desidera mantenerlo comunque?"
+
+#. Type: select
+#. Choices
+#: ../templates:75
+#, fuzzy
+msgid ""
+"No configuration, Internet Site, Internet with smarthost, Satellite system, "
+"Local only"
+msgstr ""
+"Nessuna configurazione, Sito Internet, Sito Internet con \"smarthost\", "
+"Sistema satellite, Solo consegna locale, HP"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid "General type of configuration?"
+msgstr "Profilo generale di configurazione?"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"You have several choices for general configuration at this point.  If you "
+"have your debconf priority set to 'low' or 'medium', you will be asked more "
+"questions later.  You can always run \"dpkg-reconfigure --priority=low "
+"postfix\" at a later point if you want to see these questions again."
+msgstr ""
+"Sono disponibili vari profili di configurazione.  Se il livello di priorità "
+"di debconf è impostato a \"low\" o \"medium\", verranno poste ulteriori "
+"domande in seguito. È sempre possibile eseguire \"dpkg-reconfigure --"
+"priority=low postfix\" in futuro, per rivedere queste domande."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"No configuration - IF YOU WANT THE INSTALL TO LEAVE YOUR CONFIG ALONE, "
+"CHOOSE THIS OPTION.  No configuration changes will be done now:  If you have "
+"not already configured Postfix, your mail system will be broken and should "
+"not be used. You must then do the configuration yourself by editing /usr/"
+"share/postfix/main.cf.dist and saving your changes as /etc/postfix/main.cf, "
+"or by running dpkg-reconfigure Postfix.  main.cf will not be modified by the "
+"Postfix install process."
+msgstr ""
+"Nessuna configurazione - SE SI VUOLE CHE LA PROCEDURA DI INSTALLAZIONE NON "
+"MODIFICHI I FILE DI CONFIGURAZIONE, SI SCELGA QUESTA OPZIONE.  Non verranno "
+"eseguite modifiche alla configurazione: se Postfix non è stato ancora "
+"configurato, il sistema di posta non funzionerà e non deve essere usato. "
+"Occorre eseguire la configurazione manualmente, modificando /usr/share/"
+"postfix/main.cf.dist e salvandolo come /etc/postfix/main.cf, o eseguendo "
+"dpkg-reconfigure Postfix.  main.cf non sarà modificato dalla procedura di "
+"installazione di Postfix."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site - mail is sent and received directly using SMTP. If your needs "
+"don't fit neatly into any category, you probably want to start with this one "
+"and then edit the config file by hand."
+msgstr ""
+"Sito internet - la posta viene ricevuta e inviata direttamente, usando SMTP. "
+"Se nessuna delle altre opzioni corrisponde perfettamente alle proprie "
+"esigenze, conviene scegliere questa opzione e modificare poi manualmente il "
+"file di configurazione."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site using smarthost - You receive Internet mail on this machine, "
+"either directly by SMTP or by running a utility such as fetchmail. Outgoing "
+"mail is sent using a smarthost. optionally with addresses rewritten. This is "
+"probably what you want for a dialup system."
+msgstr ""
+"Sito internet con \"smarthost\" - Questo computer riceve posta da internet, "
+"direttamente con SMTP o usando un programma come fetchmail. La posta in "
+"uscita viene inoltrata a un altro computer (\"smarthost\"), eventualmente "
+"dopo una riscrittura degli indirizzi. Probabilmente è la soluzione migliore "
+"per un sistema con una connessione dialup."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Satellite system - All mail is sent to another machine, called a \"smart host"
+"\" for delivery. root and postmaster mail is delivered according to /etc/"
+"aliases. No mail is received locally."
+msgstr ""
+"Sistema satellite - Tutta la posta viene inoltrata a un altro computer "
+"(\"smart host\"). La posta per \"root\" e \"postmaster\" è consegnata "
+"secondo /etc/aliases. Non viene ricevuta posta localmente."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Local delivery only - You are not on a network.  Mail for local users is "
+"delivered."
+msgstr ""
+"Solo consegna locale - Il computer non è in rete.  Viene consegnata solo la "
+"posta per gli utenti locali."
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "WARNING: Postfix not configured"
+msgstr "ATTENZIONE: Postfix non è configurato"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid ""
+"You have chosen \"No Configuration\" - Postfix will not be configured and "
+"will not be started by default.  Please run 'dpkg-reconfigure postfix' at a "
+"later date, or configure it yourself by:"
+msgstr ""
+"Si è scelto \"Nessuna configurazione\" - Postfix non sarà configurato e non "
+"sarà avviato. Si prega di eseguire \"dpkg-reconfigure postfix\" in seguito, "
+"o di eseguire la seguente procedura manuale:"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "1) Editing /etc/postfix/main.cf to your liking"
+msgstr "1) Modificare /etc/postfix/main.cf a proprio piacimento"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "2) Running /etc/init.d/postfix start"
+msgstr "2) Eseguire \"/etc/init.d/postfix start\""
+
+#. Type: string
+#. Default
+#: ../templates:120
+msgid "/etc/mailname"
+msgstr "/etc/mailname"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid "Mail name?"
+msgstr "Scegliere il \"mail name\""
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"Your `mail name' is the hostname portion of the address to be shown on "
+"outgoing news and mail messages (following the username and @ sign)."
+msgstr ""
+"Il \"mail name\" è la parte host dell'indirizzo che verrà usato per i "
+"messaggi di posta e news in uscita da questo computer (ossia la parte che "
+"segue il nome dell'utente e il segno \"@\")."
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"This name will be used by other programs besides Postfix; it should be the "
+"single, full domain name (FQDN) from which mail will appear to originate."
+msgstr ""
+"Questo nome verrà usato da altri programmi oltre a Postfix; dovrebbe essere "
+"il nome univoco e completo di dominio (FQDN: fully qualified domain name) da "
+"cui la posta apparirà originata."
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid "Other destinations to accept mail for? (blank for none)"
+msgstr ""
+"Altre destinazioni per cui accettare posta? Lasciare in bianco se non ce ne "
+"sono."
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid ""
+"Give a comma-separated list of domains that this machine should consider "
+"itself the final destination for.  If this is a mail domain gateway, you "
+"probably want to include the top-level domain."
+msgstr ""
+"Indicare una lista (separata da virgole) di domini per cui questo computer "
+"si deve considerare come la destinazione finale. Se questo computer è un "
+"gateway di posta per un intero dominio, è consigliabile includere anche il "
+"top-level domain."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid "SMTP relay host? (blank for none)"
+msgstr "Host da usare come relay SMTP? Lasciare in bianco se non viene usato."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"Specify a domain, host, host:port, [address] or [address]:port. Use the form "
+"[destination] to turn off MX lookups.  Leave this blank for no relay host."
+msgstr ""
+"Indicare un dominio, host, host:porta, [indirizzo] o [indirizzo:porta]. "
+"Usando la forma [destinazione] vengono disabilitate le ricerche MX. Lasciare "
+"in bianco se non si usa alcun relay."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"The relayhost parameter specifies the default host to send mail to when no "
+"entry is matched in the optional transport(5) table. When no relayhost is "
+"given, mail is routed directly to the destination."
+msgstr ""
+"Il parametro \"relayhost\" indica l'host a cui inviare la posta quando non "
+"viene trovata alcuna corrispondenza nella tabella opzionale transport(5). Se "
+"non viene indicato, la posta è instradata direttamente alla destinazione."
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Use procmail for local delivery?"
+msgstr "Usare procmail per la consegna locale?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Do you want to use procmail to deliver local mail?"
+msgstr "Si vuole usare procmail per consegnare la posta locale?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid ""
+"Note that if you use procmail to deliver mail system-wide, you should set up "
+"an alias that forwards mail for root to a real user."
+msgstr ""
+"Nota: se si usa procmail per consegnare la posta di tutto il sistema, è "
+"consigliabile impostare un alias per inoltrare a un altro utente la posta "
+"diretta a \"root\"."
+
+#. Type: string
+#. Default
+#: ../templates:156
+msgid "+"
+msgstr "+"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "Local address extension character?"
+msgstr "Carattere per le estensioni degli indirizzi locali?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "What character defines a local address extension?"
+msgstr "Quale carattere definisce un'estensione degli indirizzi locali?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "To not use address extensions, leave the string blank."
+msgstr "Per non usare le estensioni di indirizzi, lasciare in bianco."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "Bad recipient delimiter"
+msgstr "Delimitatore errato."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid ""
+"The recipient delimiter is a single character, you entered too many "
+"characters.  Please try again."
+msgstr ""
+"Il delimitatore dei destinatari deve essere un carattere singolo, ma sono "
+"stati immessi più caratteri. Riprovare."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "\"${enteredstring}\""
+msgstr "\"${enteredstring}\""
+
+#. Type: boolean
+#. Default
+#: ../templates:172
+msgid "false"
+msgstr "false"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "Force synchronous updates on mail queue?"
+msgstr "Forzare gli aggiornamenti sincroni della coda di posta?"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+#, fuzzy
+msgid ""
+"If synchronous updates are forced, then mail is processed more slowly. If "
+"not forced, then there is a remote chance of losing some mail if the system "
+"crashes at an inopportune time, and you are not using a journaled filesystem "
+"(such as ext3)."
+msgstr ""
+"Se viene forzato l'uso degli aggiornamenti sincroni, la posta verrà "
+"processata più lentamente. In caso contrario, potrebbe esserci la "
+"possibilità di perdere dei messaggi, nel caso il sistema cada in un momento "
+"particolarmente inopportuno."
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "The default is \"off\"."
+msgstr ""
+
+#. Type: string
+#. Default
+#: ../templates:183
+msgid "127.0.0.0/8"
+msgstr "127.0.0.0/8"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid "Local networks?"
+msgstr "Reti locali?"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"For what network blocks should this machine relay mail?  The default is just "
+"the local host, which is needed by some mail user agents."
+msgstr ""
+"Per quali blocchi di rete questo computer deve fare da relay? Il valore "
+"predefinito è solo l'host locale, che può essere richiesto da alcuni client "
+"di posta."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"If this is a smarthost for a block of machines, you need to specify the "
+"netblocks here, or mail will be rejected rather than relayed."
+msgstr ""
+"Se questo computer deve fare da \"smarthost\" per un gruppo di altri "
+"computer, occorre indicare il blocco di rete opportuno, altrimenti la posta "
+"verrà rifiutata."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"To use the postfix default (which is based on connected networks), enter an "
+"empty string."
+msgstr ""
+"Per usare il valore predefinito di postfix (che è basato sulle reti a cui il "
+"computer è connesso), indicare una stringa vuota."
+
+#. Type: string
+#. Default
+#: ../templates:196
+msgid "0"
+msgstr "0"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid "Mailbox size limit"
+msgstr "Limite di dimensione delle mailbox"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid ""
+"What limit should Postfix place on mailbox files to prevent runaway software "
+"errors.  A value of zero (0) means no limit.  (The upstream default is "
+"51200000.)"
+msgstr ""
+"Limite che deve essere imposto da Postfix alla dimensione dei file delle "
+"mailbox per prevenire errori in caso di programmi incontrollabili. Il valore "
+"zero (0) indica nessun limite. Il valore predefinito nella distribuzione "
+"originale di Postfix è 51200000."
+
+#. Type: string
+#. Default
+#: ../templates:204
+msgid "NONE"
+msgstr "NONE"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid "Where should mail for root go"
+msgstr "Dove inoltrare la posta di \"root\""
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"The user root (and any other users with a uid of 0) must have mail "
+"redirected via an alias, or their mail may be delivered to /var/mail/"
+"nobody.  This is by design:  mail is not delivered to external delivery "
+"agents as root."
+msgstr ""
+"La posta destinata all'utente \"root\" (o a qualsiasi altro utente con UID "
+"0) deve essere rediretta usando un alias, altrimenti verrà consegnata a /var/"
+"mail/nobody. Questa è una scelta progettuale: la posta non viene consegnata "
+"come root a programmi esterni di consegna."
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"If you already have a /etc/aliases file, then you possibly need to add this "
+"entry.  (I will only add it if I am creating a new /etc/aliases.)"
+msgstr ""
+"Se si ha già un file /etc/aliases, occorre aggiungervi manualmente una voce. "
+"Questa procedura lo farà automaticamente solo nel caso si debba creare un "
+"nuovo /etc/aliases."
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"What address should I add to /etc/aliases, if I create the file?  (Enter "
+"NONE to not add one.)"
+msgstr ""
+"Che indirizzo si desidera aggiungere in /etc/aliases, nel caso si voglia "
+"creare il file? Indicare \"NONE\" per non aggiungerne alcuno."
+
+#~ msgid ""
+#~ "HP - Configuration used inside of HP.  This just hardcodes several "
+#~ "configuration parameters based on the final components of the hostname, "
+#~ "but looks largely like 'Internet site using smarthost'.  This option will "
+#~ "modify /etc/postfix/transport and install it as a transport map."
+#~ msgstr ""
+#~ "HP - Configurazione usata all'interno di HP. Vari parametri di "
+#~ "configurazione vengono impostati a seconda delle componenti finali "
+#~ "dell'hostname, ma in pratica assomiglia molto a \"Sito internet con "
+#~ "smarthost\". /etc/postfix/transport verrà modificato e installato come "
+#~ "mappa transport."
+
+#~ msgid "The default is \"off\", see the changelog for an explanation."
+#~ msgstr ""
+#~ "Il valore predefinito è \"off\", si veda il changelog per una spiegazione."
+
+#~ msgid "Append .domain to simple addresses"
+#~ msgstr "Appendere \".dominio\" agli indirizzi semplici"
+
+#~ msgid ""
+#~ "When Postfix sees an address with only one component in the hostname, "
+#~ "should it append .$mydomain?  Appending .$mydomain means that you don't "
+#~ "need to qualify destinations in your own domain, but breaks mail bound "
+#~ "for users at top-level domain addresses.  (yes, there are some of these.)"
+#~ msgstr ""
+#~ "Quando Postfix trova un indirizzo con un'unica componente nel nome "
+#~ "dell'host deve appendere \".$mydomain\"? In caso positivo non occorrerà "
+#~ "usare degli indirizzi pienamente qualificati per per la posta destinata "
+#~ "al proprio dominio, ma in questo caso gli indirizzi che hanno come unica "
+#~ "componente il dominio principale (sì, ce ne sono) risulternno riscritti "
+#~ "in modo errato."
+
+#~ msgid ""
+#~ "If you are forwarding mail out of your organization, you should almost "
+#~ "certainly not append .$mydomain. If you're the only user of mail on your "
+#~ "system, choose whichever is more convenient for you."
+#~ msgstr ""
+#~ "Se si inoltrano messaggi al di fuori della propria organizzazione, quasi "
+#~ "certamente si vorrà rispondere no a questa domanda. Se si è l'unico "
+#~ "utente di posta su questo sistema, si può scegliere la soluzione più "
+#~ "comoda."
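Review bot: the Choices translation at `#: ../templates:75` has six comma-separated items where the msgid has five; the trailing `, HP` is left over from the removed HP profile (its description is among the obsolete `#~` entries at the end of the file), and once the `#, fuzzy` flag is cleared debconf would no longer be able to map the selected Italian item back to the English value, since translated Choices lists are matched by position and must have the same count and order. Drop `, HP` and unfuzzy the entry. Two more strings in this hunk need fixing before the file ships: the relayhost help at `#: ../templates:137` renders the msgid's `[address]:port` as `[indirizzo:porta]`, moving the port inside the brackets, which is not the form the msgid documents and not a relayhost value Postfix will parse (the brackets wrap only the address to suppress the MX lookup; the port goes after the closing bracket, as in `[indirizzo]:porta`), so an Italian admin following the hint would end up with an unusable relayhost; and the synchronous-updates entry at `#: ../templates:173` is fuzzy with a translation that drops the "journaled filesystem (such as ext3)" clause, while the following `The default is "off".` has an empty msgstr, so both currently fall back to English. The Japanese file added below has the same bracket placement in its relayhost string and should get the same correction.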

Added: trunk/postfix/debian/po/ja.po
===================================================================
--- trunk/postfix/debian/po/ja.po	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/po/ja.po	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,655 @@
+#
+#    Translators, if you are not familiar with the PO format, gettext
+#    documentation is worth reading, especially sections dedicated to
+#    this format, e.g. by running:
+#         info -n '(gettext)PO Files'
+#         info -n '(gettext)Header Entry'
+#
+#    Some information specific to po-debconf are available at
+#            /usr/share/doc/po-debconf/README-trans
+#         or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+#    Developers do not need to manually edit POT or PO files.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: postfix\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-10-30 21:06-0600\n"
+"PO-Revision-Date: 2004-11-07 19:45+0900\n"
+"Last-Translator: Kenshi Muto <kmuto at debian.org>\n"
+"Language-Team: Japanese <debian-japanese at lists.debian.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=EUC-JP\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+msgid "Correct dynamicmaps.cf for upgrade?"
+msgstr "¹¹¿·¤Î¤¿¤á¤Ë dynamicmaps.cf ¤òÄûÀµ¤·¤Þ¤¹¤«?"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Postfix version 2.0.2 and later require changes in dynamicmaps.cf. "
+"Specifically, wildcard support is gone, and with it, %s expansion.  Any "
+"changes that you made to dynamicmaps.cf that relied on these features will "
+"need to be fixed by you.  Failure to correct these will result in a broken "
+"mailer."
+msgstr ""
+"Postfix ¥Ð¡¼¥¸¥ç¥ó 2.0.2 °Ê¹ß¤Ç¤Ï dynamicmaps.cf ¤ÎÊѹ¹¤¬É¬ÍפǤ¹¡£Æä˥磻¥ë"
+"¥É¥«¡¼¥É¥µ¥Ý¡¼¥È¡¢¤ª¤è¤ÓÉտ路¤Æ %s ³ÈÄ¥¤¬¤Ê¤¯¤Ê¤Ã¤Æ¤¤¤Þ¤¹¡£¤³¤ì¤é¤Îµ¡Ç½¤ò»È"
+"¤¦¤è¤¦¤¢¤Ê¤¿¤¬ dynamicmaps.cf ¤Ë¹Ô¤Ã¤¿Êѹ¹¤Ï¤¹¤Ù¤Æ¡¢¤¢¤Ê¤¿¼«¿È¤Ç½¤Àµ¤¹¤ëɬÍ×"
+"¤¬¤¢¤ê¤Þ¤¹¡£ÄûÀµ¤Ë¼ºÇÔ¤¹¤ë¤È¡¢²õ¤ì¤¿¥á¡¼¥é¤Ë¤Ê¤Ã¤Æ¤·¤Þ¤¤¤Þ¤¹¡£"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Should dynamicmaps.cf be automatically changed?  Decline this option to "
+"abort the upgrade, giving you the opportunity to eliminate wildcard and %s-"
+"expansion-dependent configuration.  Accept this option if you have no such "
+"configuration, and automatically make dynamicmaps.cf compatible with Postfix "
+"2.0.2 in this respect."
+msgstr ""
+"dynamicmaps.cf ¤ò¼«Æ°Åª¤ËÊѹ¹¤·¤Þ¤¹¤«? ¹¹¿·¤òÃæ»ß¤¹¤ë¤Ë¤Ï¤³¤ÎÁªÂò»è¤Ë¡Ö¤¤¤¤"
+"¤¨¡×¤È¤·¡¢¥ï¥¤¥ë¥É¥«¡¼¥É¤ª¤è¤Ó %s ³ÈÄ¥°Í¸¤ÎÀßÄê¤ò¤¢¤Ê¤¿¤¬½üµî¤·¤Þ¤¹¡£¤½¤Î¤è"
+"¤¦¤ÊÀßÄ꤬¤Ê¤¤¤Î¤Ç¤¢¤ì¤Ð¡¢¤³¤ÎÁªÂò»è¤Ç¡Ö¤Ï¤¤¡×¤ÈÅú¤¨¤ì¤Ð¡¢¼«Æ°Åª¤Ë "
+"dynamicmaps.cf ¤Ï Postfix 2.0.2 ¤È¤³¤ÎÅÀ¤Ç¸ß´¹À­¤ò»ý¤Ä¤è¤¦¤Ë¤Ê¤ê¤Þ¤¹¡£"
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid "Postfix version 2.1 and later require new services in master.cf."
+msgstr ""
+"Postfix ¥Ð¡¼¥¸¥ç¥ó 2.1 °Ê¹ß¤Ç¤Ï¡¢master.cf ¤Ë¿·¤·¤¤¥µ¡¼¥Ó¥¹¤¬É¬ÍפǤ¹¡£"
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid ""
+"Should this configuration be automatically added to master.cf?  Decline this "
+"option to abort the upgrade, giving you the opportunity to add this "
+"configuration yourself.  Accept this option to automatically make master.cf "
+"compatible with Postfix 2.1 in this respect."
+msgstr ""
+"¤³¤ÎÀßÄê¤ò¼«Æ°Åª¤Ë master.cf ¤ËÄɲä·¤Þ¤¹¤«? ¹¹¿·¤òÃæ»ß¤¹¤ë¤Ë¤Ï¤³¤ÎÁªÂò»è¤Ë"
+"¡Ö¤¤¤¤¤¨¡×¤È¤·¡¢¤³¤ÎÀßÄê¤ò¤¢¤Ê¤¿¼«¿È¤ÇÄɲä·¤Þ¤¹¡£¤³¤ÎÁªÂò»è¤Ç¡Ö¤Ï¤¤¡×¤ÈÅú¤¨"
+"¤ì¤Ð¡¢¼«Æ°Åª¤Ë master.cf ¤Ï Postfix 2.1 ¤È¤³¤ÎÅÀ¤Ç¸ß´¹À­¤ò»ý¤Ä¤è¤¦¤Ë¤Ê¤ê¤Þ"
+"¤¹¡£"
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid "Correct master.cf for upgrade?"
+msgstr "¹¹¿·¤Î¤¿¤á¤Ë master.cf ¤òÄûÀµ¤·¤Þ¤¹¤«?"
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Postfix version 2.1 renamed \"nqmgr\" to \"qmgr\", and you are using \"nqmgr"
+"\"."
+msgstr ""
+"Postfix ¥Ð¡¼¥¸¥ç¥ó 2.1 ¤Ç¤Ï¡¢\"nqmgr\" ¤«¤é \"qmgr\" ¤Ë̾Á°¤¬ÊѤï¤Ã¤Æ¤¤¤Þ¤¹"
+"¤¬¡¢¤¢¤Ê¤¿¤Ï \"nqmgr\" ¤ò»È¤Ã¤Æ¤¤¤Þ¤¹¡£"
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Failure to fix this will result in a broken mailer.  Decline this option to "
+"abort the upgrade, giving you the opportunity to add this configuration "
+"yourself.  Accept this option to automatically make master.cf compatible "
+"with Postfix 2.1 in this respect."
+msgstr ""
+"¤³¤ì¤ò½¤Àµ¤¹¤ë¤Î¤Ë¼ºÇÔ¤¹¤ë¤È¡¢²õ¤ì¤¿¥á¡¼¥é¤È¤Ê¤Ã¤Æ¤·¤Þ¤¤¤Þ¤¹¡£¹¹¿·¤òÃæ»ß¤¹¤ë"
+"¤Ë¤Ï¤³¤ÎÁªÂò»è¤Ë¡Ö¤¤¤¤¤¨¡×¤È¤·¡¢¤³¤ÎÀßÄê¤ò¤¢¤Ê¤¿¼«¿È¤ÇÄɲä·¤Þ¤¹¡£¤³¤ÎÁªÂò»è"
+"¤Ç¡Ö¤Ï¤¤¡×¤ÈÅú¤¨¤ì¤Ð¡¢¼«Æ°Åª¤Ë master.cf ¤Ï Postfix 2.1 ¤È¤³¤ÎÅÀ¤Ç¸ß´¹À­¤ò»ý"
+"¤Ä¤è¤¦¤Ë¤Ê¤ê¤Þ¤¹¡£"
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Should Postfix upgrade hash and btree maps?"
+msgstr "Postfix ¤Î¥Ï¥Ã¥·¥å¤È btree ¥Þ¥Ã¥×¤ò¹¹¿·¤·¤Þ¤¹¤«?"
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Postfix has switched to db4, and this may require maps to be upgraded."
+msgstr "Postfix ¤Ï db4 ¤ËÀÚ¤êÂؤï¤Ã¤Æ¤ª¤ê¡¢¥Þ¥Ã¥×¤Î¹¹¿·¤¬É¬ÍפǤ¹¡£"
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Do you want to automatically attempt the conversion?"
+msgstr "¼«Æ°Å¾´¹¤ò»î¤ß¤Þ¤¹¤«?"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid "Transport map incompatibility"
+msgstr "transport ¥Þ¥Ã¥×¤¬Èó¸ß´¹¤Ç¤¹"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"You have a transport map defined, and there is an incompatible change in how "
+"transport maps are used.  Postfix will not be restarted automatically."
+msgstr ""
+"transport ¥Þ¥Ã¥×¤òÄêµÁ¤·¤Æ¤¤¤Þ¤¹¤¬¡¢¤É¤Î¤è¤¦¤Ë transport ¥Þ¥Ã¥×¤¬»È¤ï¤ì¤ë¤«¤Ë"
+"¤Ä¤¤¤Æ¤ÎÈó¸ß´¹¤ÎÊѹ¹¤¬¤¢¤ê¤Þ¤¹¡£Postfix ¤Ï¼«Æ°Åª¤Ë¤ÏºÆµ¯Æ°¤µ¤ì¤Þ¤»¤ó¡£"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"Transport map entries override $mydestination.  If you use transport maps, "
+"it is better to always have explicit entries for all domain names you have "
+"in $mydestination.  See the html/faq.html sections for firewalls and "
+"intranets.  If you have transport entries for parent domains of anything "
+"delivered locally, you will probably need to add specific entries for the "
+"destination domains before you restart Postfix."
+msgstr ""
+"transport ¥Þ¥Ã¥×¤Î¥¨¥ó¥È¥ê¤Ï $mydestination ¤ËÍ¥À褷¤Þ¤¹¡£transport ¥Þ¥Ã¥×¤ò"
+"»È¤¦¾ì¹ç¡¢¾ï¤Ë $mydesination ¤Ë¤¢¤ë¤¹¤Ù¤Æ¤Î¥É¥á¥¤¥ó̾¤ËÂФ¹¤ëÌÀ³Î¤Ê¥¨¥ó¥È¥ê¤ò"
+"»ý¤Ä¤Û¤¦¤¬ÌµÆñ¤Ç¤¹¡£html/faq.html ¤Î¥Õ¥¡¥¤¥¢¥¦¥©¡¼¥ë¤È¥¤¥ó¥È¥é¥Í¥Ã¥È¤Ë´Ø¤¹¤ë"
+"¥»¥¯¥·¥ç¥ó¤ò»²¾È¤·¤Æ¤¯¤À¤µ¤¤¡£¥í¡¼¥«¥ë¤ËÇÛÁ÷¤µ¤ì¤ë¤¹¤Ù¤Æ¤Î¿Æ¥É¥á¥¤¥ó¤Ë¤Ä¤¤¤Æ"
+"¤Î transport ¥¨¥ó¥È¥ê¤¬¤¢¤ë¾ì¹ç¡¢Postfix ¤òºÆµ¯Æ°¤¹¤ëÁ°¤Ë¤ª¤½¤é¤¯°¸Àè¥É¥á¥¤¥ó"
+"¤Ø¤Î¸ÇÍ­¤Î¥¨¥ó¥È¥ê¤òÄɲ乤ëɬÍפ¬¤¢¤ê¤Þ¤¹¡£"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Bad entry, try again?"
+msgstr "¸í¤Ã¤¿¥¨¥ó¥È¥ê¤Ç¤¹¡£ºÆ»î¹Ô¤·¤Þ¤¹¤«?"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "The string you have entered"
+msgstr "¤¢¤Ê¤¿¤ÎÆþÎϤ·¤¿Ê¸»úÎó"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "does not follow RFC 1035 and does not appear to be a valid IP address."
+msgstr "RFC 1035 ¤Ë½¾¤Ã¤Æ¤¤¤Ê¤¤¤«¡¢Í­¸ú¤Ê IP ¥¢¥É¥ì¥¹¤¬¸«Åö¤¿¤ê¤Þ¤»¤ó¡£"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid ""
+"RFC 1035 states that \"each component must start with an alphanum, end with "
+"an alphanum and contain only alphanums and hyphens. Components must be "
+"separated by full stops.\""
+msgstr ""
+"RFC 1035 ¤Ç¤Ï¡Ö³ÆÍ×ÁǤϱѻú¥¢¥ë¥Õ¥¡¥Ù¥Ã¥È¤Þ¤¿¤Ï¿ô»ú¤Ç³«»Ï¤ª¤è¤Ó½ªÎ»¤·¡¢¤½¤ÎÃæ"
+"¤Ï±Ñ»ú¥¢¥ë¥Õ¥¡¥Ù¥Ã¥È¤È¿ô»ú¡¢¥Ï¥¤¥Õ¥ó¤À¤±¤ò´Þ¤à¡£Í×ÁǤϥԥꥪ¥É (.) ¤Ç¶èÀÚ¤é¤ì"
+"¤Æ¤¤¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¡£¡×¤È½Ò¤Ù¤Æ¤¤¤Þ¤¹¡£"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Do you want to keep it anyways?"
+msgstr "¤½¤ì¤Ç¤â¤³¤ì¤òÊÝ»ý¤·¤Þ¤¹¤«?"
+
+#. Type: select
+#. Choices
+#: ../templates:75
+msgid ""
+"No configuration, Internet Site, Internet with smarthost, Satellite system, "
+"Local only"
+msgstr "ÀßÄꤷ¤Ê¤¤, ¥¤¥ó¥¿¡¼¥Í¥Ã¥È¥µ¥¤¥È, ¥¹¥Þ¡¼¥È¥Û¥¹¥ÈÉÕ¤­¥¤¥ó¥¿¡¼¥Í¥Ã¥È, ¥µ¥Æ¥é¥¤¥È¥·¥¹¥Æ¥à, ¥í¡¼¥«¥ë¤Î¤ß"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid "General type of configuration?"
+msgstr "ÀßÄê¤Î°ìÈÌŪ¤Ê¥¿¥¤¥×¤Ï¤É¤ì¤Ç¤¹¤«?"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"You have several choices for general configuration at this point.  If you "
+"have your debconf priority set to 'low' or 'medium', you will be asked more "
+"questions later.  You can always run \"dpkg-reconfigure --priority=low "
+"postfix\" at a later point if you want to see these questions again."
+msgstr ""
+"¤³¤³¤Ç¡¢°ìÈÌŪ¤ÊÀßÄê¤Î¤¤¤¯¤Ä¤«¤ÎÁªÂò»è¤¬¤¢¤ê¤Þ¤¹¡£debconf ¤ÎÍ¥ÀèÅÙ¤ò 'Äã' ¤Þ"
+"¤¿¤Ï 'ɸ½à' ¤ËÀßÄꤷ¤Æ¤¤¤ë¾ì¹ç¤Ë¤Ï¡¢¤è¤ê¿¤¯¤Î¼ÁÌä¤ò¤¢¤È¤Ç¿Ò¤Í¤é¤ì¤Þ¤¹¡£¤³¤ì"
+"¤é¤Î¼ÁÌä¤òºÆ¤Ó¸«¤¿¤±¤ì¤Ð¡¢\"dpkg-reconfigure --priority=low postfix\" ¤ò¤¢¤È"
+"¤Ç¤¤¤Ä¤Ç¤â¼Â¹Ô¤Ç¤­¤Þ¤¹¡£"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"No configuration - IF YOU WANT THE INSTALL TO LEAVE YOUR CONFIG ALONE, "
+"CHOOSE THIS OPTION.  No configuration changes will be done now:  If you have "
+"not already configured Postfix, your mail system will be broken and should "
+"not be used. You must then do the configuration yourself by editing /usr/"
+"share/postfix/main.cf.dist and saving your changes as /etc/postfix/main.cf, "
+"or by running dpkg-reconfigure Postfix.  main.cf will not be modified by the "
+"Postfix install process."
+msgstr ""
+"ÀßÄꤷ¤Ê¤¤ - *¤¢¤Ê¤¿¤ÎÀßÄê¤ò¤½¤Î¤Þ¤Þ¤Ë¤·¤Æ¤ª¤­¤¿¤¤¤Î¤Ç¤¢¤ì¤Ð¡¢¤³¤Î¥ª¥×¥·¥ç¥ó"
+"¤òÁªÂò¤·¤Æ¤¯¤À¤µ¤¤¡£* ÀßÄêÊѹ¹¤ò²¿¤â¹Ô¤¤¤Þ¤»¤ó¡£Postfix ¤òÀßÄêºÑ¤ß¤Ç¤Ê¤¤¾ì¹ç"
+"¤Ë¤Ï¡¢¥á¡¼¥ë¥·¥¹¥Æ¥à¤ÏÉÔ´°Á´¤Ç¡¢ÍøÍѤǤ­¤Ê¤¤¤Ç¤·¤ç¤¦¡£/usr/share/postfix/"
+"main.cf.dist ¤òÊÔ½¸¤·¡¢etc/postfix/main.cf ¤È¤·¤ÆÊѹ¹¤òÊݸ¤¹¤ë¡¢¤È¤¤¤¦ÀßÄê¤ò"
+"¤¢¤Ê¤¿¼«¿È¤Ç¹Ô¤¦¤«¡¢¤¢¤ë¤¤¤Ï dpkg-reconfigure Postfix ¤ò¼Â¹Ô¤¹¤ëɬÍפ¬¤¢¤ê¤Þ"
+"¤¹¡£main.cf ¤Ï Postfix ¤Î¥¤¥ó¥¹¥È¡¼¥ë¼ê½ç¤Ç¤ÏÊѹ¹¤µ¤ì¤Þ¤»¤ó¡£"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site - mail is sent and received directly using SMTP. If your needs "
+"don't fit neatly into any category, you probably want to start with this one "
+"and then edit the config file by hand."
+msgstr ""
+"¥¤¥ó¥¿¡¼¥Í¥Ã¥È¥µ¥¤¥È - ¥á¡¼¥ë¤Ï SMTP ¤ò»È¤Ã¤ÆľÀÜÁ÷¼õ¿®¤µ¤ì¤Þ¤¹¡£¤¤¤º¤ì¤Î¥«¥Æ"
+"¥´¥ê¤â¤¢¤Ê¤¿¤Î¥Ë¡¼¥º¤Ë¤Ô¤Ã¤¿¤ê¤È¤ÏÅö¤Æ¤Ï¤Þ¤é¤Ê¤¤¾ì¹ç¤Ë¤Ï¡¢¤ª¤½¤é¤¯¤³¤ì¤òÁª¤ó"
+"¤Ç³«»Ï¤·¡¢¤½¤ì¤«¤é¼ê¤ÇÀßÄê¥Õ¥¡¥¤¥ë¤òÊÔ½¸¤¹¤ë¤Î¤¬¤è¤¤¤Ç¤·¤ç¤¦¡£"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site using smarthost - You receive Internet mail on this machine, "
+"either directly by SMTP or by running a utility such as fetchmail. Outgoing "
+"mail is sent using a smarthost. optionally with addresses rewritten. This is "
+"probably what you want for a dialup system."
+msgstr ""
+"¥¹¥Þ¡¼¥È¥Û¥¹¥ÈÉÕ¤­¥¤¥ó¥¿¡¼¥Í¥Ã¥È¥µ¥¤¥È - SMTP ¤ÇľÀÜ¡¢¤Þ¤¿¤Ï fetchmail ¤Î¤è¤¦"
+"¤Ê¥æ¡¼¥Æ¥£¥ê¥Æ¥£¤ò¼Â¹Ô¤·¤Æ¡¢¤³¤Î¥Þ¥·¥ó¤Ç¥¤¥ó¥¿¡¼¥Í¥Ã¥È¥á¡¼¥ë¤ò¼õ¿®¤·¤Þ¤¹¡£³°"
+"¤ËÁ÷¤é¤ì¤ë¥á¡¼¥ë¤Ï¡¢¥¹¥Þ¡¼¥È¥Û¥¹¥È¤ò»È¤Ã¤Æ¡¢Ç¤°Õ¤Î¥¢¥É¥ì¥¹¤Ë½ñ¤­´¹¤¨¤é¤ì¤ÆÁ÷"
+"¿®¤µ¤ì¤Þ¤¹¡£¤³¤ì¤Ï¤ª¤½¤é¤¯¥À¥¤¥¢¥ë¥¢¥Ã¥×¥·¥¹¥Æ¥à¤Ç˾¤Þ¤ì¤ë¤â¤Î¤Ç¤¹¡£"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Satellite system - All mail is sent to another machine, called a \"smart host"
+"\" for delivery. root and postmaster mail is delivered according to /etc/"
+"aliases. No mail is received locally."
+msgstr ""
+"¥µ¥Æ¥é¥¤¥È¥·¥¹¥Æ¥à - ¤¹¤Ù¤Æ¤Î¥á¡¼¥ë¤ÏÇÛ¿®ÍѤΡ֥¹¥Þ¡¼¥È¥Û¥¹¥È¡×¤È¸Æ¤Ð¤ì¤ëÊ̤Î"
+"¥Þ¥·¥ó¤ËÁ÷¤é¤ì¤Þ¤¹¡£root ¤È postmaster ¤Î¥á¡¼¥ë¤Ï /etc/aliases ¤Ë½¾¤Ã¤ÆÇÛ¿®¤µ"
+"¤ì¤Þ¤¹¡£¥í¡¼¥«¥ë¤Ç¤Ï¥á¡¼¥ë¤ò¼õ¿®¤·¤Þ¤»¤ó¡£"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Local delivery only - You are not on a network.  Mail for local users is "
+"delivered."
+msgstr ""
+"¥í¡¼¥«¥ëÇÛ¿®¤Î¤ß - ¤¢¤Ê¤¿¤Ï¥Í¥Ã¥È¥ï¡¼¥¯¤ËÀܳ¤·¤Æ¤¤¤Þ¤»¤ó¡£¥í¡¼¥«¥ë¥æ¡¼¥¶¸þ¤±"
+"¤Î¥á¡¼¥ë¤¬ÇÛ¿®¤µ¤ì¤Þ¤¹¡£"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "WARNING: Postfix not configured"
+msgstr "·Ù¹ð: Postfix ¤¬ÀßÄꤵ¤ì¤Æ¤¤¤Þ¤»¤ó"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid ""
+"You have chosen \"No Configuration\" - Postfix will not be configured and "
+"will not be started by default.  Please run 'dpkg-reconfigure postfix' at a "
+"later date, or configure it yourself by:"
+msgstr ""
+"¤¢¤Ê¤¿¤Ï¡ÖÀßÄꤷ¤Ê¤¤¡×¤òÁª¤Ó¤Þ¤·¤¿ - Postfix ¤Ï¥Ç¥Õ¥©¥ë¥È¤Ç¤ÏÀßÄꤵ¤ì¤Æ¤ª¤é"
+"¤º¡¢³«»Ï¤â¤·¤Þ¤»¤ó¡£¸åÆü 'dpkg-reconfigure postfix' ¤ò¼Â¹Ô¤¹¤ë¤«¡¢¼¡¤Î¤È¤ª¤ê"
+"¤¢¤Ê¤¿¼«¿È¤ÇÊѹ¹¤·¤Æ¤¯¤À¤µ¤¤:"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "1) Editing /etc/postfix/main.cf to your liking"
+msgstr "1) /etc/postfix/main.cf ¤ò¹¥¤­¤Ê¤è¤¦¤ËÊÔ½¸¤¹¤ë"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "2) Running /etc/init.d/postfix start"
+msgstr "2) /etc/init.d/postfix start ¤ò¼Â¹Ô¤¹¤ë"
+
+#. Type: string
+#. Default
+#: ../templates:120
+msgid "/etc/mailname"
+msgstr "/etc/mailname"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid "Mail name?"
+msgstr "¥á¡¼¥ë̾¤Ï?"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"Your `mail name' is the hostname portion of the address to be shown on "
+"outgoing news and mail messages (following the username and @ sign)."
+msgstr ""
+"`¥á¡¼¥ë̾' ¤Ï¡¢Á÷½Ð¤µ¤ì¤ë¥Ë¥å¡¼¥¹¤ª¤è¤Ó¥á¡¼¥ë¤Î¥á¥Ã¥»¡¼¥¸ (¥æ¡¼¥¶Ì¾¤È @ µ­¹æ"
+"¤Î¤¢¤È¤ËÉÕ¤¯) ¤Çɽ¼¨¤µ¤ì¤ë¥¢¥É¥ì¥¹¤Î¥Û¥¹¥È̾Éôʬ¤Ç¤¹¡£"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"This name will be used by other programs besides Postfix; it should be the "
+"single, full domain name (FQDN) from which mail will appear to originate."
+msgstr ""
+"¤³¤Î̾Á°¤Ï Postfix ¤À¤±¤Ç¤Ê¤¯¤Û¤«¤Î¥×¥í¥°¥é¥à¤Ë¤è¤Ã¤Æ¤â»È¤ï¤ì¤Þ¤¹¡£¤³¤ì¤Ï¡¢"
+"¥á¡¼¥ë¤¬¤½¤³¤«¤éÁ÷½Ð¤µ¤ì¤ë¤³¤È¤Ë¤Ê¤ëñ°ì¤Î´°Á´½¤¾þ¥É¥á¥¤¥ó̾ (FQDN) ¤Ë¤¹¤Ù¤­"
+"¤Ç¤¹¡£"
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid "Other destinations to accept mail for? (blank for none)"
+msgstr ""
+"¥á¡¼¥ë¤ò¼õ¤±¼è¤ë¤Û¤«¤Î°¸Àè¤Ï¤¢¤ê¤Þ¤¹¤«? (¤Ê¤±¤ì¤Ð¶õ¤Î¤Þ¤Þ¤Ë¤·¤Æ¤ª¤­¤Þ¤¹)"
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid ""
+"Give a comma-separated list of domains that this machine should consider "
+"itself the final destination for.  If this is a mail domain gateway, you "
+"probably want to include the top-level domain."
+msgstr ""
+"¤³¤Î¥Þ¥·¥ó¤¬ºÇ½ªÅª¤Ê°¸Àè¤È¸«¤Ê¤µ¤ì¤ë¥É¥á¥¤¥ó¤Î¥ê¥¹¥È¤ò¡¢¥³¥ó¥Þ¤Ç¶èÀڤäƻØÄê"
+"¤·¤Æ¤¯¤À¤µ¤¤¡£¤³¤ì¤¬¥á¡¼¥ë¥É¥á¥¤¥ó¤Î¥²¡¼¥È¥¦¥§¥¤¤Ç¤¢¤ë¤Ê¤é¡¢¤ª¤½¤é¤¯¥È¥Ã¥×¥ì"
+"¥Ù¥ë¥É¥á¥¤¥ó¤ò´Þ¤á¤ëɬÍפ¬¤¢¤ê¤Þ¤¹¡£"
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid "SMTP relay host? (blank for none)"
+msgstr "SMTP ¥ê¥ì¡¼¥Û¥¹¥È¤Ï²¿¤Ç¤¹¤«? (¤Ê¤±¤ì¤Ð¶õ¤Î¤Þ¤Þ¤Ë¤·¤Æ¤ª¤­¤Þ¤¹)"
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"Specify a domain, host, host:port, [address] or [address]:port. Use the form "
+"[destination] to turn off MX lookups.  Leave this blank for no relay host."
+msgstr ""
+"¥É¥á¥¤¥ó¡¢¥Û¥¹¥È¡¢¥Û¥¹¥È:¥Ý¡¼¥È¡¢[¥¢¥É¥ì¥¹] ¤Þ¤¿¤Ï [¥¢¥É¥ì¥¹:¥Ý¡¼¥È] ¤ò»ØÄꤷ"
+"¤Æ¤¯¤À¤µ¤¤¡£MX õº÷¤ò¹Ô¤ï¤Ê¤¤¤è¤¦¤Ë¤¹¤ë¤Ë¤Ï [°¸Àè] ·Á¼°¤ò»È¤¤¤Þ¤¹¡£¥ê¥ì¡¼¥Û¥¹"
+"¥È¤¬¤Ê¤±¤ì¤Ð¤³¤³¤Ï¶õ¤Î¤Þ¤Þ¤Ë¤·¤Æ¤ª¤­¤Þ¤¹¡£"
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"The relayhost parameter specifies the default host to send mail to when no "
+"entry is matched in the optional transport(5) table. When no relayhost is "
+"given, mail is routed directly to the destination."
+msgstr ""
+"¥ê¥ì¡¼¥Û¥¹¥È¥Ñ¥é¥á¡¼¥¿¤Ï¡¢¥ª¥×¥·¥ç¥ó¤Î transport(5) ¥Æ¡¼¥Ö¥ë¤ËŬ¹ç¤¹¤ë¥¨¥ó¥È"
+"¥ê¤¬¤Ê¤¤¤È¤­¤Ë¥á¡¼¥ë¤òÁ÷¤ë¥Ç¥Õ¥©¥ë¥È¤Î¥Û¥¹¥È¤ò»ØÄꤷ¤Þ¤¹¡£¥ê¥ì¡¼¥Û¥¹¥È¤¬Í¿¤¨"
+"¤é¤ì¤Æ¤¤¤Ê¤¤¤È¤­¤Ë¤Ï¡¢¥á¡¼¥ë¤ÏľÀÜ°¸Àè¤ËȯÁ÷¤µ¤ì¤Þ¤¹¡£"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Use procmail for local delivery?"
+msgstr "¥í¡¼¥«¥ëÇÛÁ÷¤Ë procmail ¤ò»È¤¤¤Þ¤¹¤«?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Do you want to use procmail to deliver local mail?"
+msgstr "¥í¡¼¥«¥ë¥á¡¼¥ë¤ÎÇÛÁ÷¤Ë procmail ¤ò»È¤¤¤Þ¤¹¤«?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid ""
+"Note that if you use procmail to deliver mail system-wide, you should set up "
+"an alias that forwards mail for root to a real user."
+msgstr ""
+"¥·¥¹¥Æ¥àÁ´ÂΤΠ¥á¡¼¥ëÇÛÁ÷¤Ë procmail ¤ò»È¤¦¾ì¹ç¡¢root¤Ø¤Î¥á¡¼¥ë¤ò¼Â¥æ¡¼¥¶¤Ëž"
+"Á÷¤¹¤ë¥¨¥¤¥ê¥¢¥¹¤ò¥»¥Ã¥È¥¢¥Ã¥×¤¹¤Ù¤­¤³¤È¤ËÃí°Õ¤·¤Æ¤¯¤À¤µ¤¤¡£"
+
+#. Type: string
+#. Default
+#: ../templates:156
+msgid "+"
+msgstr "+"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "Local address extension character?"
+msgstr "¥í¡¼¥«¥ë¥¢¥É¥ì¥¹³Èĥʸ»ú¤ò²¿¤Ë¤·¤Þ¤¹¤«?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "What character defines a local address extension?"
+msgstr "¥í¡¼¥«¥ë¥¢¥É¥ì¥¹³ÈÄ¥¤òÄêµÁ¤¹¤ëʸ»ú¤Ï²¿¤Ç¤¹¤«?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "To not use address extensions, leave the string blank."
+msgstr "¥¢¥É¥ì¥¹³ÈÄ¥¤ò»È¤ï¤Ê¤¤¤Î¤Ç¤¢¤ì¤Ð¡¢¤³¤Îʸ»úÎó¤ò¶õ¤Ë¤·¤Æ¤¯¤À¤µ¤¤¡£"
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "Bad recipient delimiter"
+msgstr "¸í¤Ã¤¿¼õ¿®¼Ô¶èÀÚ¤êʸ»ú¤Ç¤¹"
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid ""
+"The recipient delimiter is a single character, you entered too many "
+"characters.  Please try again."
+msgstr ""
+"¼õ¿®¼Ô¶èÀÚ¤êʸ»ú¤Ïñ°ì¤Îʸ»ú¤Ç¤¹¤¬¡¢Â¿¤¹¤®¤ëʸ»ú·²¤¬ÆþÎϤµ¤ì¤Æ¤¤¤Þ¤¹¡£ºÆ»î¹Ô"
+"¤·¤Æ¤¯¤À¤µ¤¤¡£"
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "\"${enteredstring}\""
+msgstr "\"${enteredstring}\""
+
+#. Type: boolean
+#. Default
+#: ../templates:172
+msgid "false"
+msgstr "false"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "Force synchronous updates on mail queue?"
+msgstr "¥á¡¼¥ë¥­¥å¡¼¤ÎƱ´ü¹¹¿·¤ò¶¯À©¤·¤Þ¤¹¤«?"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid ""
+"If synchronous updates are forced, then mail is processed more slowly. If "
+"not forced, then there is a remote chance of losing some mail if the system "
+"crashes at an inopportune time, and you are not using a journaled filesystem "
+"(such as ext3)."
+msgstr "Ʊ´ü¹¹¿·¤ò¶¯À©¤¹¤ë¤È¡¢¥á¡¼¥ë¤Î½èÍý¤¬¼ã´³ÃÙ¤¯¤Ê¤ê¤Þ¤¹¡£¶¯À©¤·¤Ê¤¤¾ì¹ç¤Ï¡¢¥¸¥ã¡¼¥Ê¥ê¥ó¥°¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à (ext3 ¤Ê¤É) ¤ò»È¤Ã¤Æ¤¤¤Ê¤¤¾õÂ֤ǥ·¥¹¥Æ¥à¤¬±¿°­¤¯¥¯¥é¥Ã¥·¥å¤·¤¿¤È¤­¤Ë¡¢¥ê¥â¡¼¥È¤«¤é¤Î¤¯¤Ä¤«¤Î¥á¡¼¥ë¤¬¼º¤ï¤ì¤ë²ÄǽÀ­¤¬¤¢¤ê¤Þ¤¹¡£"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "The default is \"off\"."
+msgstr "¥Ç¥Õ¥©¥ë¥È¤Ï \"off\" ¤Ç¤¹¡£"
+
+#. Type: string
+#. Default
+#: ../templates:183
+msgid "127.0.0.0/8"
+msgstr "127.0.0.0/8"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid "Local networks?"
+msgstr "¥í¡¼¥«¥ë¥Í¥Ã¥È¥ï¡¼¥¯¤Ï²¿¤Ç¤¹¤«?"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"For what network blocks should this machine relay mail?  The default is just "
+"the local host, which is needed by some mail user agents."
+msgstr ""
+"¤³¤Î¥Þ¥·¥ó¤¬¥á¡¼¥ë¤ò¥ê¥ì¡¼¤¹¤Ù¤­¥Í¥Ã¥È¥ï¡¼¥¯¥Ö¥í¥Ã¥¯¤Ï²¿¤Ç¤¹¤«? ¥Ç¥Õ¥©¥ë¥È¤Ç"
+"¤Ï¡¢¤¤¤¯¤Ä¤«¤Î¥á¡¼¥ë¥æ¡¼¥¶¥¨¡¼¥¸¥§¥ó¥È¤Ë¤è¤Ã¤ÆɬÍפȤµ¤ì¤ë¥í¡¼¥«¥ë¥Û¥¹¥È¤À¤±"
+"¤Ç¤¹¡£"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"If this is a smarthost for a block of machines, you need to specify the "
+"netblocks here, or mail will be rejected rather than relayed."
+msgstr ""
+"¤³¤ì¤Ï¥Þ¥·¥ó¥Ö¥í¥Ã¥¯¸þ¤±¤Î¥¹¥Þ¡¼¥È¥Û¥¹¥È¤Ê¤Î¤Ç¡¢¥Í¥Ã¥È¥ï¡¼¥¯¥Ö¥í¥Ã¥¯¤ò¤³¤³¤Ç"
+"»ØÄꤹ¤ëɬÍפ¬¤¢¤ê¤Þ¤¹¡£¤µ¤â¤Ê¤±¤ì¤Ð¡¢¥á¡¼¥ë¤Ï¥ê¥ì¡¼¤µ¤ì¤º¡¢µñÈݤµ¤ì¤Þ¤¹¡£"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"To use the postfix default (which is based on connected networks), enter an "
+"empty string."
+msgstr ""
+"postfix ¤Î¥Ç¥Õ¥©¥ë¥È (Àܳ¤µ¤ì¤Æ¤¤¤ë¥Í¥Ã¥È¥ï¡¼¥¯¤Ë´ð¤Å¤¯) ¤ò»È¤¦¤Ë¤Ï¡¢¶õ¤Îʸ"
+"»úÎó¤òÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£"
+
+#. Type: string
+#. Default
+#: ../templates:196
+msgid "0"
+msgstr "0"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid "Mailbox size limit"
+msgstr "¥á¡¼¥ë¥Ü¥Ã¥¯¥¹¤Î¥µ¥¤¥º¤ÎÀ©¸Â"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid ""
+"What limit should Postfix place on mailbox files to prevent runaway software "
+"errors.  A value of zero (0) means no limit.  (The upstream default is "
+"51200000.)"
+msgstr ""
+"¼ê¤ËÉ館¤Ê¤¤¥½¥Õ¥È¥¦¥§¥¢¥¨¥é¡¼¤òËɤ°¤¿¤á¤Ë¡¢¥á¡¼¥ë¥Ü¥Ã¥¯¥¹¥Õ¥¡¥¤¥ë¤Î¾å¸Â¤òÀß"
+"Äê¤Ç¤­¤Þ¤¹¡£¥¼¥í (0) ¤È¤¤¤¦ÃͤÏÀ©¸Â¤·¤Ê¤¤¤³¤È¤ò°ÕÌ£¤·¤Þ¤¹¡£(upstream ¤Î¥Ç¥Õ¥©"
+"¥ë¥È¤Ï 51200000 ¤Ç¤¹¡£)"
+
+#. Type: string
+#. Default
+#: ../templates:204
+msgid "NONE"
+msgstr "NONE"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid "Where should mail for root go"
+msgstr "root ¤Ø¤Î¥á¡¼¥ë¤ò¤É¤³¤ËÁ÷¤ê¤Þ¤¹¤«?"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"The user root (and any other users with a uid of 0) must have mail "
+"redirected via an alias, or their mail may be delivered to /var/mail/"
+"nobody.  This is by design:  mail is not delivered to external delivery "
+"agents as root."
+msgstr ""
+"¥æ¡¼¥¶ root (¤¢¤ë¤¤¤Ï uid 0 ¤ò»ý¤Ä¤½¤Î¾¤Î¥æ¡¼¥¶) ¤Ï¥¨¥¤¥ê¥¢¥¹¤ò·Ðͳ¤·¤Æ¥á¡¼"
+"¥ë¤ò¥ê¥À¥¤¥ì¥¯¥È¤¹¤ë¤«¡¢¤½¤ì¤é¤Î¥á¡¼¥ë¤ò /var/mail/nobody ¤ËÇÛ¿®¤·¤Þ¤¹¡£¤³¤ì"
+"¤Ï»ÅÍͤǤ¹: ¥á¡¼¥ë¤Ï³°Éô¤ÎÇÛÁ÷¥¨¡¼¥¸¥§¥ó¥È¤Ë root ¤È¤·¤ÆÇÛ¿®¤µ¤ì¤ë¤³¤È¤Ï¤¢¤ê"
+"¤Þ¤»¤ó¡£"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"If you already have a /etc/aliases file, then you possibly need to add this "
+"entry.  (I will only add it if I am creating a new /etc/aliases.)"
+msgstr ""
+"´û¸¤Î /etc/aliases ¥Õ¥¡¥¤¥ë¤¬¤¢¤ë¾ì¹ç¤Ï¡¢¤³¤Î¥¨¥ó¥È¥ê¤òÄɲ乤ëɬÍפ¬¤¢¤ë¤«"
+"¤â¤·¤ì¤Þ¤»¤ó (¿·¤·¤¤ /etc/aliases ¤òºîÀ®¤¹¤ë¤È¤­¤Î¤ß¤³¤ì¤ÏÄɲ䵤ì¤Þ¤¹)¡£"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"What address should I add to /etc/aliases, if I create the file?  (Enter "
+"NONE to not add one.)"
+msgstr ""
+"¥Õ¥¡¥¤¥ë¤òºîÀ®¤¹¤ë¾ì¹ç¡¢/etc/aliases ¤ËÄɲ乤륢¥É¥ì¥¹¤Ï²¿¤Ç¤¹¤«? (Äɲä·¤Ê"
+"¤¤¾ì¹ç¤Ë¤Ï NONE ¤ÈÆþÎϤ·¤Æ¤¯¤À¤µ¤¤¡£)"
+
+#~ msgid ""
+#~ "HP - Configuration used inside of HP.  This just hardcodes several "
+#~ "configuration parameters based on the final components of the hostname, "
+#~ "but looks largely like 'Internet site using smarthost'.  This option will "
+#~ "modify /etc/postfix/transport and install it as a transport map."
+#~ msgstr ""
+#~ "HP - HP ¤ÎÆâÉô¤Ç»È¤ï¤ì¤Æ¤¤¤ëÀßÄê¡£¤³¤ì¤Ïñ¤Ë¥Û¥¹¥È̾¤ÎºÇ¸å¤ÎÍ×ÁǤ˴𤤤Ƥ¤"
+#~ "¤¯¤Ä¤«¤ÎÀßÄê¥Ñ¥é¥á¡¼¥¿¤ò¥Ï¡¼¥É¥³¡¼¥É¤¹¤ë¤â¤Î¤Ç¡¢ÂçÉôʬ¤Ï¡Ö¥¹¥Þ¡¼¥È¥Û¥¹¥ÈÉÕ"
+#~ "¤­¥¤¥ó¥¿¡¼¥Í¥Ã¥È¥µ¥¤¥È¡×¤Ë»÷¤Æ¤¤¤Þ¤¹¡£¤³¤ÎÁªÂò»è¤Ï /etc/postfix/transport "
+#~ "¤òÊѹ¹¤·¡¢transport ¥Þ¥Ã¥×¤È¤·¤Æ¤½¤ì¤ò¥¤¥ó¥¹¥È¡¼¥ë¤·¤Þ¤¹¡£"
+
+#~ msgid "The default is \"off\", see the changelog for an explanation."
+#~ msgstr ""
+#~ "¥Ç¥Õ¥©¥ë¥È¤Ï \"off\" ¤Ç¤¹¡£¾ÜºÙ¤Ë¤Ä¤¤¤Æ¤Ï changelog ¤ò»²¾È¤·¤Æ¤¯¤À¤µ¤¤¡£"
+
+#~ msgid "Append .domain to simple addresses"
+#~ msgstr "´Ê°×¥¢¥É¥ì¥¹¤Ë¡Ö.¥É¥á¥¤¥ó¡×¤òÄɲÃ"
+
+#~ msgid ""
+#~ "When Postfix sees an address with only one component in the hostname, "
+#~ "should it append .$mydomain?  Appending .$mydomain means that you don't "
+#~ "need to qualify destinations in your own domain, but breaks mail bound "
+#~ "for users at top-level domain addresses.  (yes, there are some of these.)"
+#~ msgstr ""
+#~ "Postfix ¤¬¥Û¥¹¥È̾¤Î 1 ¤Ä¤ÎÍ×ÁǤ·¤«¥¢¥É¥ì¥¹¤Ë¤Ê¤¤¤È²ò¼á¤·¤¿¤È¤­¤Ë¡¢."
+#~ "$mydomain ¤ò¤½¤ì¤ËÄɲä·¤Þ¤¹¤«? .$mydomain ¤òÄɲ乤ë¤È¡¢¤¢¤Ê¤¿¼«¿È¤Î¥É¥á"
+#~ "¥¤¥ó¤Ø¤Î°¸Àè¤ò½¤¾þ¤¹¤ëɬÍפϤʤ¯¤Ê¤ë¤â¤Î¤Î¡¢¥È¥Ã¥×¥ì¥Ù¥ë¥É¥á¥¤¥ó¥¢¥É¥ì¥¹¤Î"
+#~ "¥æ¡¼¥¶¤Ø¤Î¥á¡¼¥ë¥Ð¥¦¥ó¥É¤¬»È¤¨¤Ê¤¯¤Ê¤ë¤³¤È¤Ë¤Ê¤ê¤Þ¤¹ (½¤¾þ¤µ¤ì¤¿¤â¤Î¤Ï¥È¥Ã"
+#~ "¥×¥ì¥Ù¥ë¥É¥á¥¤¥ó¤ÎÃæ¤Î¤â¤Î¤Ê¤Î¤Ç)¡£"
+
+#~ msgid ""
+#~ "If you are forwarding mail out of your organization, you should almost "
+#~ "certainly not append .$mydomain. If you're the only user of mail on your "
+#~ "system, choose whichever is more convenient for you."
+#~ msgstr ""
+#~ "¤¢¤Ê¤¿¤ÎÁÈ¿¥¤Î³°¤Ë¥á¡¼¥ë¤òžÁ÷¤·¤Æ¤¤¤ë¤Î¤Ç¤¢¤ì¤Ð¡¢¤Û¤Ü³Î¼Â¤Ë .$mydomain ¤Ï"
+#~ "ÉÕ¤±¤Ê¤¤¤Û¤¦¤¬¤è¤¤¤Ç¤·¤ç¤¦¡£¤¢¤Ê¤¿¤¬¥·¥¹¥Æ¥à¤ÎÍ£°ì¤Î¥á¡¼¥ë¥æ¡¼¥¶¤Ç¤¢¤ë¤Ê"
+#~ "¤é¡¢¤¢¤Ê¤¿¤Ë¤È¤Ã¤ÆÊØÍø¤À¤È»×¤ï¤ì¤ë¤Û¤¦¤ò¤¤¤º¤ì¤«Áª¤Ù¤Ð¤è¤¤¤Ç¤·¤ç¤¦¡£"
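Review bot: the relayhost syntax in the Japanese msgstr for "[address] or [address]:port" puts the port inside the brackets (the EUC-JP bytes shown here as Latin-1 decode to "[アドレス] または [アドレス:ポート]"), while the msgid has "[address]:port"; in Postfix the brackets enclose only the host (they suppress the MX lookup) and the port follows them, so an admin copying the translated form gets an unresolvable relayhost. Please change it to "[アドレス]:ポート". Two more meaning changes in the same hunk: in the "Local networks?" entry, "If this is a smarthost for a block of machines" is rendered as "これはマシンブロック向けのスマートホストなので" ("since this is a smarthost for a block of machines"), dropping the conditional and telling every user to add netblocks to the relay list, which is how over-permissive mynetworks settings get configured by accident; and in the "Force synchronous updates" entry, "a remote chance of losing some mail" is rendered as "リモートからのいくつかのメール" (some mail from remote hosts), misreading "remote" as a location rather than "slim". That last msgstr is also a single unwrapped line while the rest of the file wraps at the gettext default; running the file through msgcat keeps the diff consistent.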

Added: trunk/postfix/debian/po/nl.po
===================================================================
--- trunk/postfix/debian/po/nl.po	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/po/nl.po	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,689 @@
+#
+#    Translators, if you are not familiar with the PO format, gettext
+#    documentation is worth reading, especially sections dedicated to
+#    this format, e.g. by running:
+#         info -n '(gettext)PO Files'
+#         info -n '(gettext)Header Entry'
+#
+#    Some information specific to po-debconf are available at
+#            /usr/share/doc/po-debconf/README-trans
+#         or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+#    Developers do not need to manually edit POT or PO files.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: postfix\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-10-30 21:06-0600\n"
+"PO-Revision-Date: 2004-07-04 15:58-0500\n"
+"Last-Translator: Bart Cornelis <cobaco at linux.be>\n"
+"Language-Team: dutch <debian-l10n-dutch at lists.debian.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=iso-8859-1\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#  Description
+#. Type: boolean
+#. Description
+#: ../templates:3
+msgid "Correct dynamicmaps.cf for upgrade?"
+msgstr "dynamicmaps.cf verbeteren voor de actualisering?"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Postfix version 2.0.2 and later require changes in dynamicmaps.cf. "
+"Specifically, wildcard support is gone, and with it, %s expansion.  Any "
+"changes that you made to dynamicmaps.cf that relied on these features will "
+"need to be fixed by you.  Failure to correct these will result in a broken "
+"mailer."
+msgstr ""
+"Versie 2.0.2 en later van Postfix vereisen aanpassingen in dynamicmaps.cf. "
+"Meer precies: de ondersteuning voor jokertekens, en daarmee ook de %s-"
+"uitbreiding is niet meer. Alle door u gemaakte aanpassingen in dynamicmaps."
+"cf die hiervan gebruik maakten dient u te verbeteren. Dit nalaten resulteert "
+"in een niet-werkend postsysteem."
+
+#  Description
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Should dynamicmaps.cf be automatically changed?  Decline this option to "
+"abort the upgrade, giving you the opportunity to eliminate wildcard and %s-"
+"expansion-dependent configuration.  Accept this option if you have no such "
+"configuration, and automatically make dynamicmaps.cf compatible with Postfix "
+"2.0.2 in this respect."
+msgstr ""
+"Wilt u dynamicmaps.cf automatisch aanpassen? Sla dit af om de actualisering "
+"af te breken, waardoor u de mogelijkheid krijgt om de jokerteken- en %s-"
+"uitbreiding-afhankelijke configuratie te verwijderen. Aanvaard deze optie, "
+"indien u dit niet in uw configuratie gebruikt, en maak dynamicmaps.cf "
+"automatisch compatibel met Postfix 2.0.2."
+
+#  Description
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid "Postfix version 2.1 and later require new services in master.cf."
+msgstr "Versie 2.1 en later van Postfix vereisen nieuwe services in master.cf."
+
+#  Description
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid ""
+"Should this configuration be automatically added to master.cf?  Decline this "
+"option to abort the upgrade, giving you the opportunity to add this "
+"configuration yourself.  Accept this option to automatically make master.cf "
+"compatible with Postfix 2.1 in this respect."
+msgstr ""
+"Wilt u deze configuratie automatisch toevoegen in master.cf? Sla dit af om "
+"de actualisering af te breken, waardoor u de mogelijkheid heeft om dit zelf "
+"te doen. Aanvaard dit voorstel om master.cf in dit opzicht automatisch "
+"compatibel te maken met Postfix 2.1 "
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid "Correct master.cf for upgrade?"
+msgstr "master.cf verbeteren voor de aktualisering?"
+
+#  Description
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Postfix version 2.1 renamed \"nqmgr\" to \"qmgr\", and you are using \"nqmgr"
+"\"."
+msgstr ""
+"In Postfix versie 2.1 is 'nqmgr' hernoemd naar 'qmgr'; u maakt echter "
+"gebruikt van 'ngmgr'."
+
+#  Description
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Failure to fix this will result in a broken mailer.  Decline this option to "
+"abort the upgrade, giving you the opportunity to add this configuration "
+"yourself.  Accept this option to automatically make master.cf compatible "
+"with Postfix 2.1 in this respect."
+msgstr ""
+"Dit nalaten resulteert in een niet-werkend postsysteem. Sla dit af om de "
+"actualisering af te breken, waardoor u de mogelijkheid heeft om dit zelf te "
+"doen. Aanvaard dit voorstel om master.cf in dit opzicht automatisch "
+"compatibel te maken met Postfix 2.1."
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Should Postfix upgrade hash and btree maps?"
+msgstr "Dient Postfix de hash en btree toewijzingen te actualiseren?"
+
+#  Description
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Postfix has switched to db4, and this may require maps to be upgraded."
+msgstr ""
+"Postfix is overgeschakeld naar db4, hierdoor kan het nodig zijn om "
+"toewijzigingen te aktualiseren."
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Do you want to automatically attempt the conversion?"
+msgstr "Wilt u de automatische conversie proberen?"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid "Transport map incompatibility"
+msgstr "Overzetkaart  incompatibiliteit"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"You have a transport map defined, and there is an incompatible change in how "
+"transport maps are used.  Postfix will not be restarted automatically."
+msgstr ""
+"U heeft een overzetrelaties gedefiniëerd; er is echter een incompatibele "
+"verandering in het gebruik van overzetrelaties. Postfix zal niet automatisch "
+"herstart worden."
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"Transport map entries override $mydestination.  If you use transport maps, "
+"it is better to always have explicit entries for all domain names you have "
+"in $mydestination.  See the html/faq.html sections for firewalls and "
+"intranets.  If you have transport entries for parent domains of anything "
+"delivered locally, you will probably need to add specific entries for the "
+"destination domains before you restart Postfix."
+msgstr ""
+"$mydestination wordt overstegen door overzetrelatieingangen. Bij gebruik van "
+"overzetrelaties is het best om altijd expliciete ingangen voor alle "
+"domeinnamen in $mydestination te gebruiken. Zie in html/faq.html de secties "
+"bereffende firewalls en intranetten. Indien u overzetingangen heeft voor "
+"ouderdomeinen van al wat lokaal afgeleverd wordt, kunt u best specifieke "
+"ingangen voor alle bestemmingsdomeinen toevoegen alvorens u Postfix herstart."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Bad entry, try again?"
+msgstr "Slechte invoer, opnieuw proberen?"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "The string you have entered"
+msgstr "De ingevoerde string"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "does not follow RFC 1035 and does not appear to be a valid IP address."
+msgstr "voldoet niet aan RFC 1035, en lijkt geen geldig IP-adres te zijn."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid ""
+"RFC 1035 states that \"each component must start with an alphanum, end with "
+"an alphanum and contain only alphanums and hyphens. Components must be "
+"separated by full stops.\""
+msgstr ""
+"RFC 1035 stelt dat \"Elk onderdeel dient te starten met een alphanumeriek "
+"karakter, en mag slechts alphanumerieke karakters en koppeltekens bevatten. "
+"Onderdelen dienen van elkaar gescheiden te worden met punten.\"."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Do you want to keep it anyways?"
+msgstr "Wilt u dit toch behouden?"
+
+#. Type: select
+#. Choices
+#: ../templates:75
+#, fuzzy
+msgid ""
+"No configuration, Internet Site, Internet with smarthost, Satellite system, "
+"Local only"
+msgstr ""
+"Geen configuratie, Internet site, Internet site die gebruik maakt van "
+"smarthost, Satelliet systeem, Enkel lokale aflevering, HP"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid "General type of configuration?"
+msgstr "Welk type algemene configuratie?"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"You have several choices for general configuration at this point.  If you "
+"have your debconf priority set to 'low' or 'medium', you will be asked more "
+"questions later.  You can always run \"dpkg-reconfigure --priority=low "
+"postfix\" at a later point if you want to see these questions again."
+msgstr ""
+"U heeft verschillende mogelijkheden voor de algemene configuratie. Indien uw "
+"debconf prioriteit ingesteld is op 'laag' of 'medium' zullen u later meer "
+"vragen gesteld worden. U kunt later ook altijd nog \"dpkg-reconfigure --"
+"priority=low postfix\" uitvoeren indien u deze vragen (opnieuw) wilt "
+"beantwoorden."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"No configuration - IF YOU WANT THE INSTALL TO LEAVE YOUR CONFIG ALONE, "
+"CHOOSE THIS OPTION.  No configuration changes will be done now:  If you have "
+"not already configured Postfix, your mail system will be broken and should "
+"not be used. You must then do the configuration yourself by editing /usr/"
+"share/postfix/main.cf.dist and saving your changes as /etc/postfix/main.cf, "
+"or by running dpkg-reconfigure Postfix.  main.cf will not be modified by the "
+"Postfix install process."
+msgstr ""
+"Geen configuratie - KIES DEZE OPTIE INDIEN DEBCONF UW CONFIGURATIE MET RUST "
+"MOET LATEN. De configuratie wordt niet aangepast: als u postfix nog niet "
+"geconfigureerd hebt zal uw postsysteem niet werken. U dient de configuratie "
+"zelf te doen door het bestand /usr/share/postfix/main.cf.dist aan te passen, "
+"en de gewijzigde versie op te slaan als /etc/postfix/main.cf, of door \"dpkg-"
+"reconfigure postfix\" uit te voeren. main.cf wordt niet aangepast door het "
+"postfix installatieproces."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site - mail is sent and received directly using SMTP. If your needs "
+"don't fit neatly into any category, you probably want to start with this one "
+"and then edit the config file by hand."
+msgstr ""
+"Internet site - post wordt rechtstreeks via SMTP verzonden en ontvangen. "
+"Indien uw wensen niet netjes in een van de mogelijkheden passen, kunt u best "
+"van deze optie starten, en het configuratiebestand vervolgens handmatig "
+"aanpassen."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site using smarthost - You receive Internet mail on this machine, "
+"either directly by SMTP or by running a utility such as fetchmail. Outgoing "
+"mail is sent using a smarthost. optionally with addresses rewritten. This is "
+"probably what you want for a dialup system."
+msgstr ""
+"Internet site die gebruik maakt van smarthost - U ontvangt berichten op deze "
+"machine ofwel rechtstreeks via SMTP, ofwel door middel van een hulpprogramma "
+"zoals fetchmail. Uitgaande post wordt verzonden via een smarthost, en "
+"mogelijks met aangepaste adressen. Op inbellende systemen is dit de normale "
+"keuze."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Satellite system - All mail is sent to another machine, called a \"smart host"
+"\" for delivery. root and postmaster mail is delivered according to /etc/"
+"aliases. No mail is received locally."
+msgstr ""
+"Satellietsysteem - alle post wordt verzonden naar een andere machine, een "
+"zogenaamde \"smart host\" voor aflevering. De post voor root en postmaster "
+"wordt afgeleverd zoals aangegeven in /etc/aliases. Er wordt lokaal geen post "
+"ontvangen."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Local delivery only - You are not on a network.  Mail for local users is "
+"delivered."
+msgstr ""
+"Enkel lokale aflevering - U zit niet op een netwerk. Post voor lokale "
+"gebruikers wordt afgeleverd."
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "WARNING: Postfix not configured"
+msgstr "WAARSCHUWING: Postfix is niet geconfigureerd"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid ""
+"You have chosen \"No Configuration\" - Postfix will not be configured and "
+"will not be started by default.  Please run 'dpkg-reconfigure postfix' at a "
+"later date, or configure it yourself by:"
+msgstr ""
+"U heeft gekozen voor \"Geen configuratie\" - Postfix wordt dus niet "
+"geconfigureerd en zal standaard niet gestart worden. Gelieve later 'dpkg-"
+"reconfigure postfix' uit te voeren, of postfix handmatig te configureren "
+"door:"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "1) Editing /etc/postfix/main.cf to your liking"
+msgstr "1) Het bestand /etc/postfix/main.cf naar uw wensen aan te passen"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "2) Running /etc/init.d/postfix start"
+msgstr "2) /etc/init.d/postfix start uit te voeren"
+
+#. Type: string
+#. Default
+#: ../templates:120
+msgid "/etc/mailname"
+msgstr "/etc/mailname"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid "Mail name?"
+msgstr "Wat is de postnaam?"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"Your `mail name' is the hostname portion of the address to be shown on "
+"outgoing news and mail messages (following the username and @ sign)."
+msgstr ""
+"Uw `postnaam' is het computernaam-gedeelte van het adres dat getoond wordt "
+"op uitgaande niews- en emailberichten (i.e. dit volgt de gebruikersnaam en "
+"het @ teken)."
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"This name will be used by other programs besides Postfix; it should be the "
+"single, full domain name (FQDN) from which mail will appear to originate."
+msgstr ""
+"Deze naam wordt niet alleen door Postfix gebruikt; het dient dan ook een "
+"enkele, volledige domeinnaam (FQDN) te zijn waarvan berichten zullen lijken "
+"te komen."
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid "Other destinations to accept mail for? (blank for none)"
+msgstr ""
+"Andere bestemmingen waarvoor post aanvaard wordt? (laat leeg indien geen)"
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid ""
+"Give a comma-separated list of domains that this machine should consider "
+"itself the final destination for.  If this is a mail domain gateway, you "
+"probably want to include the top-level domain."
+msgstr ""
+"Gelieve een komma-gescheiden lijst van domeinen op te geven waarvoor deze "
+"machine zichzelf als de eindbestemming moet beschouwen. Indien dit een post-"
+"domein gateway is kunt u best het top-niveau domein toevoegen."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid "SMTP relay host? (blank for none)"
+msgstr "SMTP doorvoerserver? (laat leeg indien geen)"
+
+#. Type: string
+#. Description
+#: ../templates:137
+#, fuzzy
+msgid ""
+"Specify a domain, host, host:port, [address] or [address]:port. Use the form "
+"[destination] to turn off MX lookups.  Leave this blank for no relay host."
+msgstr ""
+"Geef een domein, computer, computer:poort, [adres] of [adres:poort] op. "
+"Gebruik de vorm [bestemming] om MX-opzoekingen te vermijden. Laat dit blanco "
+"indien er geen doorvoerserver gebruikt wordt."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"The relayhost parameter specifies the default host to send mail to when no "
+"entry is matched in the optional transport(5) table. When no relayhost is "
+"given, mail is routed directly to the destination."
+msgstr ""
+"De doorvoerserver-parameter geeft een standaard server op waarnaar post "
+"gestuurd word indien geen enkele ingang in de optionele overzetrelatie "
+"(transport(5)) overeenkomt. Indien er geen doorvoerserver opgegeven is wordt "
+"post rechtstreeks naar de bestemming gestuurd."
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Use procmail for local delivery?"
+msgstr "Procmail gebruiken voor lokale aflevering?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Do you want to use procmail to deliver local mail?"
+msgstr "Wilt u procmail gebruiken voor het afleveren van lokale post?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid ""
+"Note that if you use procmail to deliver mail system-wide, you should set up "
+"an alias that forwards mail for root to a real user."
+msgstr ""
+"Merk op dat u, bij gebruik van procmail voor systeemwijde aflevering, een "
+"alias dient in te stellen zodat post voor root naar een echte gebruiker "
+"gestuurd wordt."
+
+#. Type: string
+#. Default
+#: ../templates:156
+msgid "+"
+msgstr "+"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "Local address extension character?"
+msgstr "Lokaal adres-uitbreidingskarakter?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "What character defines a local address extension?"
+msgstr "Welk karakter geeft een lokale adresuitbreiding aan?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "To not use address extensions, leave the string blank."
+msgstr "Laat dit leeg indien u geen adres-uitbreidingen wilt gebruiken."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "Bad recipient delimiter"
+msgstr "Slecht ontvanger-scheidingsteken"
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid ""
+"The recipient delimiter is a single character, you entered too many "
+"characters.  Please try again."
+msgstr ""
+"Het ontvanger-scheidingsteken is een enkel karakter, u heeft meerdere "
+"karakters ingevoerd. Gelieve opnieuw te proberen."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "\"${enteredstring}\""
+msgstr "\"${enteredstring}\""
+
+#. Type: boolean
+#. Default
+#: ../templates:172
+msgid "false"
+msgstr "false"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "Force synchronous updates on mail queue?"
+msgstr "Synchroon bijwerken van de post-wachtrij afdwingen?"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+#, fuzzy
+msgid ""
+"If synchronous updates are forced, then mail is processed more slowly. If "
+"not forced, then there is a remote chance of losing some mail if the system "
+"crashes at an inopportune time, and you are not using a journaled filesystem "
+"(such as ext3)."
+msgstr ""
+"Wanneer synchrone bijwerking afgedwongen wordt, verloopt het verwerken van "
+"berichten trager. Daar staat tegenover dat er mogelijks berichten verloren "
+"gaan wanneer dit niet afgedwongen wordt en het systeem op het verkeerde "
+"moment vastloopt."
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "The default is \"off\"."
+msgstr ""
+
+#. Type: string
+#. Default
+#: ../templates:183
+msgid "127.0.0.0/8"
+msgstr "127.0.0.0/8"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid "Local networks?"
+msgstr "Lokale netwerken?"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"For what network blocks should this machine relay mail?  The default is just "
+"the local host, which is needed by some mail user agents."
+msgstr ""
+"Voor welke netwerkblokken dient deze machine post door te geven? Standaard "
+"is dit enkel de lokale computer, wat noodzakelijk is voor sommige post-"
+"gebruiker-agenten."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"If this is a smarthost for a block of machines, you need to specify the "
+"netblocks here, or mail will be rejected rather than relayed."
+msgstr ""
+"Indien dit een smarthost is voor een groep machines dient u hier de "
+"netblokken op te geven om te vermijden dat post geweigerd wordt, in plaats "
+"van doorgegeven."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"To use the postfix default (which is based on connected networks), enter an "
+"empty string."
+msgstr ""
+"Om de postfix-standaard te gebruiken (die gebaseerd is op verbonden "
+"netwerken) laat u dit leeg."
+
+#. Type: string
+#. Default
+#: ../templates:196
+msgid "0"
+msgstr "0"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid "Mailbox size limit"
+msgstr "Grootte limiet voor postvak"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid ""
+"What limit should Postfix place on mailbox files to prevent runaway software "
+"errors.  A value of zero (0) means no limit.  (The upstream default is "
+"51200000.)"
+msgstr ""
+"Welke limiet dient Postfix op postvakken te plaatsen om fouten van op hol "
+"geslagen software te voorkomen. Waarde 0 betekent geen limiet. (de "
+"standaardwaarde is 51200000)"
+
+#. Type: string
+#. Default
+#: ../templates:204
+msgid "NONE"
+msgstr "GEEN"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid "Where should mail for root go"
+msgstr "Naar waar dient de post voor root gestuurd te worden"
+
+#  Description
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"The user root (and any other users with a uid of 0) must have mail "
+"redirected via an alias, or their mail may be delivered to /var/mail/"
+"nobody.  This is by design:  mail is not delivered to external delivery "
+"agents as root."
+msgstr ""
+"Voor de gebruiker root (en alle andere gebruikers met uid 0) moet de post "
+"omgeleid worden via een alias, anders wordt hun post afgeleverd bij /var/"
+"spool/mail/nobody. Dit is zo ontworpen: post wordt niet afgeleverd aan "
+"externe afleveringsagenten als root."
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"If you already have a /etc/aliases file, then you possibly need to add this "
+"entry.  (I will only add it if I am creating a new /etc/aliases.)"
+msgstr ""
+"Indien u reeds een /etc/aliases bestand hebt dient u mogelijks deze ingang "
+"toe te voegen. (Ik doe dit enkel indien het bestand /etc/aliases nog niet "
+"bestaat)"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"What address should I add to /etc/aliases, if I create the file?  (Enter "
+"NONE to not add one.)"
+msgstr ""
+"Welk adres dien ik in /etc/aliases toe te voegen, bij het aanmaken van dit "
+"bestand? (laat leeg om niemand toe te voegen)"
+
+#~ msgid ""
+#~ "HP - Configuration used inside of HP.  This just hardcodes several "
+#~ "configuration parameters based on the final components of the hostname, "
+#~ "but looks largely like 'Internet site using smarthost'.  This option will "
+#~ "modify /etc/postfix/transport and install it as a transport map."
+#~ msgstr ""
+#~ "HP - configuratie gebruikt binnen HP. Dit past een aantal parameters aan "
+#~ "naargelang de laatste onderdelen van de computernaam, maar komt verder "
+#~ "grotendeels overeen met 'Internet site die gebruik maakt van smarthost'. "
+#~ "Deze optie zal /etc/postfix/transport aanpassen, en dit bestand als een "
+#~ "overzetrelatie installeren."
+
+#~ msgid "The default is \"off\", see the changelog for an explanation."
+#~ msgstr "Standaard staat dit uit, zie het veranderingslog voor de reden."
+
+#~ msgid "Append .domain to simple addresses"
+#~ msgstr "Voeg .domein toe aan eenvoudige adressen"
+
+#  Description
+#~ msgid ""
+#~ "When Postfix sees an address with only one component in the hostname, "
+#~ "should it append .$mydomain?  Appending .$mydomain means that you don't "
+#~ "need to qualify destinations in your own domain, but breaks mail bound "
+#~ "for users at top-level domain addresses.  (yes, there are some of these.)"
+#~ msgstr ""
+#~ "Dient Postfix .$mydomein toe te voegen wanneer een adres met slechts een "
+#~ "computernaam component tegengekomen wordt? Het toevoegen van .$mydomain "
+#~ "betekent dat u bestemmingen in uw eigen domein niet dient te "
+#~ "qualificeren, maar breekt post bestemd voor gebruikers op top-niveau "
+#~ "domein adressen. (Ja, deze bestaan.)"
+
+#  Description
+#~ msgid ""
+#~ "If you are forwarding mail out of your organization, you should almost "
+#~ "certainly not append .$mydomain. If you're the only user of mail on your "
+#~ "system, choose whichever is more convenient for you."
+#~ msgstr ""
+#~ "Indien u mail doorsluist buiten uw organisatie, dient u bijna zeker geen ."
+#~ "$mydomain toe te voegen. Indien u de enige postgebruiker bent op dit "
+#~ "systeem kunt u kiezen wat u het beste uitkomt."
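Review bot: the Default for the "Where should mail for root go" string is translated as "GEEN", while the msgid, and the sentinel the question text tells the user to type ("Enter NONE to not add one"), is the literal NONE; with this translation active a Dutch install gets "GEEN" as the default answer, which a config script comparing against NONE would treat as an alias target rather than the skip value. Keep msgstr "NONE" there (or leave it empty), and fix the last paragraph, which says "laat leeg om niemand toe te voegen" (leave blank) instead of telling the user to enter NONE. Other mismatches against the msgids in this hunk: the relayhost entry renders "[address] or [address]:port" as "[adres] of [adres:poort]", moving the port inside the brackets (it is marked fuzzy, so msgfmt drops it for now, but unfuzzying it unchanged would ship wrong syntax); the root-mail paragraph says /var/spool/mail/nobody where the msgid says /var/mail/nobody; the nqmgr/qmgr upgrade message reads "u maakt echter gebruikt van 'ngmgr'" and should be "gebruik van 'nqmgr'"; the RFC 1035 quote drops the "end with an alphanum" clause, so the message no longer describes the rule the check enforces; and the fuzzy Choices string still lists six choices ending in "HP" against five in the msgid, which would break the select if unfuzzied as-is. Minor: trailing space and missing full stop at the end of the master.cf 2.1 msgstr, and the empty msgstr for "The default is \"off\"." simply falls back to English.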

Added: trunk/postfix/debian/po/pt_BR.po
===================================================================
--- trunk/postfix/debian/po/pt_BR.po	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/po/pt_BR.po	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,712 @@
+#
+#    Translators, if you are not familiar with the PO format, gettext
+#    documentation is worth reading, especially sections dedicated to
+#    this format, e.g. by running:
+#         info -n '(gettext)PO Files'
+#         info -n '(gettext)Header Entry'
+#
+#    Some information specific to po-debconf are available at
+#            /usr/share/doc/po-debconf/README-trans
+#         or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+#    Developers do not need to manually edit POT or PO files.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: postfix\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-10-30 21:06-0600\n"
+"PO-Revision-Date: 2004-11-18 21:34-0300\n"
+"Last-Translator: André Luís Lopes <andrelop at debian.org>\n"
+"Language-Team: Debian-BR Project <debian-l10n-portuguese at lsts.debian.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=ISO-8859-1\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+msgid "Correct dynamicmaps.cf for upgrade?"
+msgstr "Corrigir dynamicmaps.cf para atualização ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Postfix version 2.0.2 and later require changes in dynamicmaps.cf. "
+"Specifically, wildcard support is gone, and with it, %s expansion.  Any "
+"changes that you made to dynamicmaps.cf that relied on these features will "
+"need to be fixed by you.  Failure to correct these will result in a broken "
+"mailer."
+msgstr ""
+"O Postfix versão 2.0.2 ou superior requer mudanças no arquivo dynamicmaps."
+"cf. Especificamente, o suporte a caracteres curingas não existe mais e, "
+"devido a isso, a expansão %s não é mais válida. Quaisquer mudanças que você "
+"tenha feito no arquivo dynamicmaps.cf que dependiam destes recursos "
+"precisarão ser corrigidas manualmente. A não correção das mesmas resultará "
+"um servidor de mensagens não funcional."
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Should dynamicmaps.cf be automatically changed?  Decline this option to "
+"abort the upgrade, giving you the opportunity to eliminate wildcard and %s-"
+"expansion-dependent configuration.  Accept this option if you have no such "
+"configuration, and automatically make dynamicmaps.cf compatible with Postfix "
+"2.0.2 in this respect."
+msgstr ""
+"O arquivo dynamicmaps.cf deve ser modificado automaticamente ? Não aceite "
+"esta opção caso queira abortar a atualização, o que lhe dará a oportunidade "
+"de eliminar a configuração dependente de caracteres curingas e da expansão "
+"%s. Aceite esta opção caso você não possua nenhuma configuração personalizada "
+"e automaticamente permita que o arquivo dynamicmaps.cf seja compatível com o "
+"Postfix 2.0.2 em relação a esse detalhe."
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid "Postfix version 2.1 and later require new services in master.cf."
+msgstr "O Postfix, a partir da versão 2.1, requer novos serviços no master.cf."
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid ""
+"Should this configuration be automatically added to master.cf?  Decline this "
+"option to abort the upgrade, giving you the opportunity to add this "
+"configuration yourself.  Accept this option to automatically make master.cf "
+"compatible with Postfix 2.1 in this respect."
+msgstr ""
+"Essa configuração deve ser adicionada automaticamente no master.cf ? Não "
+"aceite esta opção caso você queira abortar a atualização, o que lhe dará "
+"a oportunidade de adicionar a configuração manualmente. Aceite esta "
+"opção para automaticamente tornar o master.cf compatível com o Postfix 2.1 "
+"em relação a esse detalhe."
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid "Correct master.cf for upgrade?"
+msgstr "Corrigir master.cf para atualização ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Postfix version 2.1 renamed \"nqmgr\" to \"qmgr\", and you are using \"nqmgr"
+"\"."
+msgstr ""
+"O Postfix versão 2.1 renomeou o \"nqmgr\" para \"qmgr\" e você está usando o "
+"\"nqmgr\"."
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Failure to fix this will result in a broken mailer.  Decline this option to "
+"abort the upgrade, giving you the opportunity to add this configuration "
+"yourself.  Accept this option to automatically make master.cf compatible "
+"with Postfix 2.1 in this respect."
+msgstr ""
+"Caso isto não seja corrigido, você terá um servidor de e-mail quebrado. Não "
+"aceite esta opção para abortar a atualização, o que lhe dará a oportunidade "
+"de adicionar a configuração manualmente. Aceite esta opção para "
+"automaticamente tornar o master.cf compatível com o Postfix 2.1 em relação a "
+"esse detalhe."
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Should Postfix upgrade hash and btree maps?"
+msgstr "O Postfix deve atualizar os mapas hash e btree ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Postfix has switched to db4, and this may require maps to be upgraded."
+msgstr ""
+"O Postfix mudou para o db4 e isso pode requerer que os mapas sejam "
+"atualizados."
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Do you want to automatically attempt the conversion?"
+msgstr "Você deseja tentar a conversão automática ?"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid "Transport map incompatibility"
+msgstr "Incompatibilidade de mapa de transporte"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"You have a transport map defined, and there is an incompatible change in how "
+"transport maps are used.  Postfix will not be restarted automatically."
+msgstr ""
+"Você tem um mapa de transporte definido e existe uma mudança incompatível na "
+"maneira como os mapas de transporte são usados. O Postfix não será "
+"reiniciado automaticamente."
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"Transport map entries override $mydestination.  If you use transport maps, "
+"it is better to always have explicit entries for all domain names you have "
+"in $mydestination.  See the html/faq.html sections for firewalls and "
+"intranets.  If you have transport entries for parent domains of anything "
+"delivered locally, you will probably need to add specific entries for the "
+"destination domains before you restart Postfix."
+msgstr ""
+"Entradas de mapa de transporte sobrepõem $mydestination. Caso você "
+"utilize mapas de transporte, é melhor ter sempre entradas explícitas "
+"para todos os nomes de domínios que você possui em $mydestination. Consulte "
+"as seções html/faq.html para firewalls e intranets. Caso você possua entradas "
+"de transporte para domínios pais de qualquer coisa entregue localmente, você "
+"provavelmente precisará adicionar entradas específicas para os domínios de "
+"destino antes de reiniciar o Postfix."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Bad entry, try again?"
+msgstr "Entrada ruim, tentar novamente ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "The string you have entered"
+msgstr "A string que você informou"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "does not follow RFC 1035 and does not appear to be a valid IP address."
+msgstr "não segue a RFC 1035 e não parece ser um endereço IP válido."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid ""
+"RFC 1035 states that \"each component must start with an alphanum, end with "
+"an alphanum and contain only alphanums and hyphens. Components must be "
+"separated by full stops.\""
+msgstr ""
+"A RFC 1035 determina que \"cada componente deve iniciar com um valor "
+"alfanumérico, finalizar com um valor alfanumérico e conter somente valores "
+"alfanuméricos e hífens. Componentes devem ser separados por pontos.\""
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Do you want to keep it anyways?"
+msgstr "Você deseja manter essa valor de qualquer forma ?"
+
+#. Type: select
+#. Choices
+#: ../templates:75
+msgid ""
+"No configuration, Internet Site, Internet with smarthost, Satellite system, "
+"Local only"
+msgstr ""
+"Sem configuração, Internet Site, Internet com smarthost, Sistema satélite, "
+"Somente local"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid "General type of configuration?"
+msgstr "Tipo geral de configuração ?"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"You have several choices for general configuration at this point.  If you "
+"have your debconf priority set to 'low' or 'medium', you will be asked more "
+"questions later.  You can always run \"dpkg-reconfigure --priority=low "
+"postfix\" at a later point if you want to see these questions again."
+msgstr ""
+"Você possui diversas opções para configuração geral neste ponto. Caso você "
+"possua a configuração de prioridades de seu debconf definida como 'baixa' ou "
+"'média', um número maior de perguntas serão exibidas posteriormente. Você "
+"poderá sempre executar o comando \"dpkg-reconfigure --priority=low postfix\" "
+"posteriormente caso queira ver essas perguntas novamente."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"No configuration - IF YOU WANT THE INSTALL TO LEAVE YOUR CONFIG ALONE, "
+"CHOOSE THIS OPTION.  No configuration changes will be done now:  If you have "
+"not already configured Postfix, your mail system will be broken and should "
+"not be used. You must then do the configuration yourself by editing /usr/"
+"share/postfix/main.cf.dist and saving your changes as /etc/postfix/main.cf, "
+"or by running dpkg-reconfigure Postfix.  main.cf will not be modified by the "
+"Postfix install process."
+msgstr ""
+"Sem configuração - CASO VOCÊ QUEIRA QUE A INSTALAÇÂO DEIXE SUA CONFIGURAÇÂO "
+"INTOCADA, ESCOLHA ESTA OPÇÃO. Nenhuma mudança de configuração será feita "
+"agora. Caso você já não tenha configurado o Postfix, seu sistema de e-mail "
+"ficará em um estado não funcional e não poderá ser usado. Você deverá então "
+"fazer a configuração manualmente editando o arquivo de configuração /usr/"
+"share/postfix/main.cf.dist e salvando suas modificações como /etc/postfix/"
+"main.cf ou executando o comando 'dpkg-reconfigure postfix'. O arquivo main."
+"cf não será modificado pelo processo de instalação do Postfix quando esta "
+"opção for escolhida."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site - mail is sent and received directly using SMTP. If your needs "
+"don't fit neatly into any category, you probably want to start with this one "
+"and then edit the config file by hand."
+msgstr ""
+"Internet Site - as mensagens são enviadas e recebidas diretamente usando o "
+"protocolo SMTP. Caso suas necessidades não se encaixem em nenhuma outra "
+"opção apresentada, você provavelmente iniciará com esta opção e então poderá "
+"editar o arquivo de configuração manualmente para personalizá-lo."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site using smarthost - You receive Internet mail on this machine, "
+"either directly by SMTP or by running a utility such as fetchmail. Outgoing "
+"mail is sent using a smarthost. optionally with addresses rewritten. This is "
+"probably what you want for a dialup system."
+msgstr ""
+"Internet site usando smarthost - Você recebe e-mail Internet nesta máquina "
+"diretamente via SMTP ou executando um utilitário como o fetchmail. As "
+"mensagens com destino externo são enviadas usando um smarthost, "
+"opcionalmente com os endereços reescritos. Esta é provavelmente a opção que "
+"você precisa para um sistema com conexão discada (dialup)."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Satellite system - All mail is sent to another machine, called a \"smart host"
+"\" for delivery. root and postmaster mail is delivered according to /etc/"
+"aliases. No mail is received locally."
+msgstr ""
+"Sistema satélite - Todas as mensagens serão enviadas para uma outra máquina, "
+"conhecida como \"smart host\" para entrega. As mensagens para o root e para "
+"o postmaster serão entregues de acordo com o arquivo /etc/aliases. Nenhuma "
+"mensagem será recebida localmente."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Local delivery only - You are not on a network.  Mail for local users is "
+"delivered."
+msgstr ""
+"Entrega somente local - Você não está em uma rede. As mensagens para "
+"usuários locais serão entregues."
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "WARNING: Postfix not configured"
+msgstr "AVISO: Postfix não configurado"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid ""
+"You have chosen \"No Configuration\" - Postfix will not be configured and "
+"will not be started by default.  Please run 'dpkg-reconfigure postfix' at a "
+"later date, or configure it yourself by:"
+msgstr ""
+"Vocè escolheu \"Sem configuração\" - o Postfix não será configurado e não "
+"será iniciado por padrão. Por favor, execute o comando 'dpkg-reconfigure "
+"postfix' posteriormente ou configure o Postfix manualmente da seguinte "
+"maneira :"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "1) Editing /etc/postfix/main.cf to your liking"
+msgstr ""
+"1) Edite o arquivo /etc/postfix/main.cf de acordo com suas necessidades"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "2) Running /etc/init.d/postfix start"
+msgstr "2) Execute o comando /etc/init.d/postfix start"
+
+#. Type: string
+#. Default
+#: ../templates:120
+msgid "/etc/mailname"
+msgstr "/etc/mailname"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid "Mail name?"
+msgstr "Nome de mensagens ?"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"Your `mail name' is the hostname portion of the address to be shown on "
+"outgoing news and mail messages (following the username and @ sign)."
+msgstr ""
+"Seu `nome de mensagens' (mail name) é a porção nome de máquina (hostname) do "
+"endereço que será exibido em mensagens de e-mail (após o nome de usuário e o "
+"símbolo @)."
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"This name will be used by other programs besides Postfix; it should be the "
+"single, full domain name (FQDN) from which mail will appear to originate."
+msgstr ""
+"Esse nome será usado por outros programas além do Postfix. Por isso, ele "
+"deverá ser único. Deverá ser o nome de domínio completo (FQDN) a partir do "
+"qual as mensagens parecerão ter originado."
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid "Other destinations to accept mail for? (blank for none)"
+msgstr ""
+"Outros destinos para os quais aceitar mensagens ? (em branco para nenhum)"
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid ""
+"Give a comma-separated list of domains that this machine should consider "
+"itself the final destination for.  If this is a mail domain gateway, you "
+"probably want to include the top-level domain."
+msgstr ""
+"Forneça uma lista de domínios separados por vírgulas os quais esta máquina "
+"deve considerar como sendo ela mesma o destino final. Caso este seja um "
+"gateway de mensagens do domínio, você provavelmente desejará incluir o "
+"domínio de nível mais alto (top-level)."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid "SMTP relay host? (blank for none)"
+msgstr "SMTP relay host ? (branco para nenhum)"
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"Specify a domain, host, host:port, [address] or [address]:port. Use the form "
+"[destination] to turn off MX lookups.  Leave this blank for no relay host."
+msgstr ""
+"Especifique um domínio, host, host:porta, [endereço] ou [endereço:porta]. "
+"Use o formato [destino] para desligar lookups MX. Mantenha em branco para "
+"não especificar nenhum host para relay."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"The relayhost parameter specifies the default host to send mail to when no "
+"entry is matched in the optional transport(5) table. When no relayhost is "
+"given, mail is routed directly to the destination."
+msgstr ""
+"O parâmetro relayhost especifica o host padrão para o qual enviar mensagens "
+"quando não existe nenhuma entrada correspondente (nenhum match) na tabela "
+"opcional de transporte - transport(5). Quando nenhum relayhost é informado, "
+"as mensagens são roteadas diretamente para o destino."
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Use procmail for local delivery?"
+msgstr "Usar procmail para entrega local ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Do you want to use procmail to deliver local mail?"
+msgstr "Você deseja usar o procmail para entrega local de mensagens ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid ""
+"Note that if you use procmail to deliver mail system-wide, you should set up "
+"an alias that forwards mail for root to a real user."
+msgstr ""
+"Note que, caso você use o procmail para entregar mensagens para todo o "
+"sistema (system-wide), você deverá configurar um alias que encaminhará "
+"as mensages enviadas para o root para um usuário real."
+
+#. Type: string
+#. Default
+#: ../templates:156
+msgid "+"
+msgstr "+"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "Local address extension character?"
+msgstr "Caracter de extensão de endereço local ?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "What character defines a local address extension?"
+msgstr "Qual caracter define uma extensão de endereço local ?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "To not use address extensions, leave the string blank."
+msgstr "Para não usar extensões de endereços, deixe a string em branco."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "Bad recipient delimiter"
+msgstr "Delimitador de recipiente ruim"
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid ""
+"The recipient delimiter is a single character, you entered too many "
+"characters.  Please try again."
+msgstr ""
+"O delimitador de recipiente é um caracter único, você informou muitos "
+"caracteres. Por favor, tente novamente."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "\"${enteredstring}\""
+msgstr "\"${enteredstring}\""
+
+#. Type: boolean
+#. Default
+#: ../templates:172
+msgid "false"
+msgstr "false"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "Force synchronous updates on mail queue?"
+msgstr "Forçar atualizações síncronas na fila de mensagens ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid ""
+"If synchronous updates are forced, then mail is processed more slowly. If "
+"not forced, then there is a remote chance of losing some mail if the system "
+"crashes at an inopportune time, and you are not using a journaled filesystem "
+"(such as ext3)."
+msgstr ""
+"Caso atualizações síncronas sejam forçadas, as mensagens serão processadas "
+"mais lentamente. Caso não sejam forçadas, existe a chance de perda de "
+"algumas mensagens caso o sistema trave em um momento inoportuno e você "
+"não esteja utilizando um sitema de arquivo com suporte a journalling "
+"(como o ext3)."
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "The default is \"off\"."
+msgstr "O padrão é \"off\" (não forçar atualizações síncronas)."
+
+#. Type: string
+#. Default
+#: ../templates:183
+msgid "127.0.0.0/8"
+msgstr "127.0.0.0/8"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid "Local networks?"
+msgstr "Redes locais ?"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"For what network blocks should this machine relay mail?  The default is just "
+"the local host, which is needed by some mail user agents."
+msgstr ""
+"Para quais blocos de rede esta máquina oferecerá 'relay' de mensagens ? O "
+"padrão é somente oferecer relay para o host local, o que é necessário para "
+"alguns clientes de e-mail."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"If this is a smarthost for a block of machines, you need to specify the "
+"netblocks here, or mail will be rejected rather than relayed."
+msgstr ""
+"Caso esta máquina seja um smarthost para um bloco de máquinas, você "
+"precisará especificar os blocos de rede aqui ou as mensages serão "
+"rejeitadas ao invés do relay ocorrer."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"To use the postfix default (which is based on connected networks), enter an "
+"empty string."
+msgstr ""
+"Para usar o padrão do Postfix (o qual é baseado nas redes conectadas), "
+"informe uma string vazia."
+
+#. Type: string
+#. Default
+#: ../templates:196
+msgid "0"
+msgstr "0"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid "Mailbox size limit"
+msgstr "Tamanho máximo das caixas de mensagens"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid ""
+"What limit should Postfix place on mailbox files to prevent runaway software "
+"errors.  A value of zero (0) means no limit.  (The upstream default is "
+"51200000.)"
+msgstr ""
+"Qual limite deverá ser usado pelo Postfix em arquivos de caixas-postais para "
+"evitar erros de software. Um valor de zero (0) significa que nenhum limite "
+"será usado. (O padrão do Postfix é de 51200000 bytes, o que corresponde a, "
+"aproximadamente, 50 MB.)"
+
+#. Type: string
+#. Default
+#: ../templates:204
+msgid "NONE"
+msgstr "NONE"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid "Where should mail for root go"
+msgstr "Onde as mensagens para o root devem ser entregues ?"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"The user root (and any other users with a uid of 0) must have mail "
+"redirected via an alias, or their mail may be delivered to /var/mail/"
+"nobody.  This is by design:  mail is not delivered to external delivery "
+"agents as root."
+msgstr ""
+"Todas as mensagens destinadas ao usuário root (e quaisquer outros usuários "
+"com um uid 0) devem ser redirecionadas através de um alias, ou as mensagens "
+"serão entregues em /var/spool/mail/nobody. Este comportamento é o padrão : "
+"nenhuma mensagem é entregue para agentes de entrega externa como root."
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"If you already have a /etc/aliases file, then you possibly need to add this "
+"entry.  (I will only add it if I am creating a new /etc/aliases.)"
+msgstr ""
+"Caso você já possua um arquivo /etc/aliases, você possivelmente precisará "
+"adicionar essa entrada. (Este sistema de configuração irá adicioná-la "
+"somente caso um novo arquivo /etc/aliases esteja sendo criado.)"
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"What address should I add to /etc/aliases, if I create the file?  (Enter "
+"NONE to not add one.)"
+msgstr ""
+"Qual endereço deverá ser adicionado ao arquivo /etc/aliases caso o arquivo "
+"seja criado ? (Informe NONE para não adicionar nenhum.)"
+
+#~ msgid ""
+#~ "HP - Configuration used inside of HP.  This just hardcodes several "
+#~ "configuration parameters based on the final components of the hostname, "
+#~ "but looks largely like 'Internet site using smarthost'.  This option will "
+#~ "modify /etc/postfix/transport and install it as a transport map."
+#~ msgstr ""
+#~ "HP - Configuração usada internamente na HP. Esta opção somente força "
+#~ "diversos parâmetros de configuração baseados nos componentes finais do "
+#~ "hostname, mas se parece principalmente com a opção 'Internet site usando "
+#~ "smarthost'. Esta opção irá modificar o arquivo /etc/postfix/transport e "
+#~ "instalá-lo como uma mapa de transporte."
+
+#~ msgid "The default is \"off\", see the changelog for an explanation."
+#~ msgstr "O padrão é \"off\", consulte o changelog para uma explicação."
+
+#~ msgid "Append .domain to simple addresses"
+#~ msgstr "Incluir .domínio para endereços simples"
+
+#~ msgid ""
+#~ "When Postfix sees an address with only one component in the hostname, "
+#~ "should it append .$mydomain?  Appending .$mydomain means that you don't "
+#~ "need to qualify destinations in your own domain, but breaks mail bound "
+#~ "for users at top-level domain addresses.  (yes, there are some of these.)"
+#~ msgstr ""
+#~ "Quando o Postfix vê um endereço com somente um componente no hostname, ."
+#~ "$mydomain deve ser adicionado ? Aceitar a inclusão de .$mydomain signfica "
+#~ "que você não precisará qualificar destinos em seu próprio domínio, mas "
+#~ "fará com que o envio de mensagens para usuários em endereços de domínios "
+#~ "de alto nível não funcione. (sim, existem alguns desses.)"
+
+#~ msgid ""
+#~ "If you are forwarding mail out of your organization, you should almost "
+#~ "certainly not append .$mydomain. If you're the only user of mail on your "
+#~ "system, choose whichever is more convenient for you."
+#~ msgstr ""
+#~ "Caso você esteja encaminhando mensagens para fora de sua organização você "
+#~ "certmamente não deverá incluir .$mydomain. Caso você seja o único usuário "
+#~ "de e-mail em seu sistema, escolha qualquer opção que lhe seja mais "
+#~ "conveniente."
+
+#~ msgid ""
+#~ "If you answer no, you almost certainly need to add 'localhost' to the "
+#~ "list of local destinations."
+#~ msgstr ""
+#~ "Caso você não responda positivamente, você certamente precisará adicionar "
+#~ "'localhost' a lista de destinos locais."
+
+#~ msgid ""
+#~ "Postfix has converted from libdb2 format to libdb3 format.  This change "
+#~ "requires that all Postfix hash and btree maps be regenerated."
+#~ msgstr ""
+#~ "O Postfix converteu do formato libdb2 para o formato libdb3. Esta mudança "
+#~ "requer que todos os mapas hash e btree do Postfix sejam gerados novamente."
+
+#~ msgid ""
+#~ "If you answer no, Postfix will be restarted, but may fail if your db "
+#~ "files still need to be converted.  If you answer yes, all hash and btree "
+#~ "maps used by Postfix will be rebuilt prior to restarting Postfix."
+#~ msgstr ""
+#~ "Se você responder não, o Postfix será reiniciado, mas pode falhar caso "
+#~ "seus arquivos db continuem precisando ser convertidos. Se você responder "
+#~ "sim, todos os mapas hash e btree usados pelo Postfix serão reconstruídos "
+#~ "antes que o Postfix seja reiniciado."
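Review bot: two pt_BR msgstr strings diverge from their msgid in ways that will mislead users: the relay host help text renders "[address] or [address]:port" as "[endereço] ou [endereço:porta]", moving the port inside the brackets, which is not the form the msgid describes (it should read "[endereço] ou [endereço]:porta"), and the root-alias text translates "/var/mail/nobody" as "/var/spool/mail/nobody", so the path shown in the Portuguese prompt does not match the one in the original. The Language-Team address "debian-l10n-portuguese at lsts.debian.org" looks like a typo for lists.debian.org. Several spelling slips should also be fixed before upload: "INSTALAÇÂO"/"CONFIGURAÇÂO" (Â for Ã), "essa valor", "mensages" (twice), "sitema", "uma mapa", "signfica" and "certmamente"; the mailbox-limit msgstr additionally adds "bytes, o que corresponde a, aproximadamente, 50 MB", which is not in the msgid and should either be dropped or proposed upstream for the template.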

Added: trunk/postfix/debian/po/ru.po
===================================================================
--- trunk/postfix/debian/po/ru.po	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/po/ru.po	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,637 @@
+#
+#    Translators, if you are not familiar with the PO format, gettext
+#    documentation is worth reading, especially sections dedicated to
+#    this format, e.g. by running:
+#         info -n '(gettext)PO Files'
+#         info -n '(gettext)Header Entry'
+#
+#    Some information specific to po-debconf are available at
+#            /usr/share/doc/po-debconf/README-trans
+#         or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+#    Developers do not need to manually edit POT or PO files.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-10-30 21:06-0600\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL at ADDRESS>\n"
+"Language-Team: LANGUAGE <LL at li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=KOI8-R\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+msgid "Correct dynamicmaps.cf for upgrade?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Postfix version 2.0.2 and later require changes in dynamicmaps.cf. "
+"Specifically, wildcard support is gone, and with it, %s expansion.  Any "
+"changes that you made to dynamicmaps.cf that relied on these features will "
+"need to be fixed by you.  Failure to correct these will result in a broken "
+"mailer."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Should dynamicmaps.cf be automatically changed?  Decline this option to "
+"abort the upgrade, giving you the opportunity to eliminate wildcard and %s-"
+"expansion-dependent configuration.  Accept this option if you have no such "
+"configuration, and automatically make dynamicmaps.cf compatible with Postfix "
+"2.0.2 in this respect."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid "Postfix version 2.1 and later require new services in master.cf."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid ""
+"Should this configuration be automatically added to master.cf?  Decline this "
+"option to abort the upgrade, giving you the opportunity to add this "
+"configuration yourself.  Accept this option to automatically make master.cf "
+"compatible with Postfix 2.1 in this respect."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid "Correct master.cf for upgrade?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Postfix version 2.1 renamed \"nqmgr\" to \"qmgr\", and you are using \"nqmgr"
+"\"."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Failure to fix this will result in a broken mailer.  Decline this option to "
+"abort the upgrade, giving you the opportunity to add this configuration "
+"yourself.  Accept this option to automatically make master.cf compatible "
+"with Postfix 2.1 in this respect."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Should Postfix upgrade hash and btree maps?"
+msgstr "äÏÌÖÅÎ ÌÉ Postfix ÏÂÎÏ×ÉÔØ ËÁÒÔÙ hash É btree?"
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Postfix has switched to db4, and this may require maps to be upgraded."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Do you want to automatically attempt the conversion?"
+msgstr "÷Ù ÈÏÔÉÔÅ ÐÏÐÙÔÁÔØÓÑ ÚÁÐÕÓÔÉÔØ Á×ÔÏÍÁÔÉÞÅÓËÕÀ ÐÅÒÅÇÅÎÅÒÁÃÉÀ?"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid "Transport map incompatibility"
+msgstr "îÅÓÏ×ÍÅÓÔÉÍÁÑ ËÁÒÔÁ ÔÒÁÎÓÐÏÒÔÁ"
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"You have a transport map defined, and there is an incompatible change in how "
+"transport maps are used.  Postfix will not be restarted automatically."
+msgstr ""
+"õ  ×ÁÓ  ÏÐÒÅÄÅÌÅÎÁ ËÁÒÔÁ ÔÒÁÎÓÐÏÒÔÁ, É ××ÅÄÅÎÏ ÎÅÓÏ×ÍÅÓÔÉÍÏÅ ÉÚÍÅÎÅÎÉÅ ÐÒÉ   "
+"ÉÓÐÏÌØÚÏ×ÁÎÉÉ   ÄÁÎÎÏÇÏ   ÆÁÊÌÁ.   Postfix   ÎÅ   ÐÅÒÅÚÁÐÕÓÔÉÔÓÑ "
+"Á×ÔÏÍÁÔÉÞÅÓËÉ."
+
+#. Type: note
+#. Description
+#: ../templates:46
+#, fuzzy
+msgid ""
+"Transport map entries override $mydestination.  If you use transport maps, "
+"it is better to always have explicit entries for all domain names you have "
+"in $mydestination.  See the html/faq.html sections for firewalls and "
+"intranets.  If you have transport entries for parent domains of anything "
+"delivered locally, you will probably need to add specific entries for the "
+"destination domains before you restart Postfix."
+msgstr ""
+"úÁÐÉÓÉ ËÁÒÔÙ ÔÒÁÎÓÐÏÒÔÁ ÐÅÒÅËÒÙ×ÁÀÔ mydestination. åÓÌÉ ×Ù ÉÓÐÏÌØÚÕÅÔÅ ËÁÒÔÙ "
+"ÔÒÁÎÓÐÏÒÔÁ, ÔÏ ×ÓÅÇÄÁ ÌÕÞÛÅ ÉÍÅÔØ ÔÏÞÎÙÅ ÚÁÐÉÓÉ ÄÌÑ  ×ÓÅÈ  ×ÁÛÉÈ ÄÏÍÅÎÏ× × "
+"$mydestination. óÍ. ÒÁÚÄÅÌÙ  html/faq.html  Ï  ÆÁÊÅÒ×ÏÌÁÈ  É ÉÎÔÒÁÎÅÔÁÈ.  "
+"åÓÌÉ  ×Ù  ÉÍÅÅÔÅ  ÔÒÁÎÓÐÏÒÔÎÙÅ  ÚÁÐÉÓÉ  ÄÌÑ  ÒÏÄÉÔÅÌØÓËÉÈ ÄÏÍÅÎÏ×  ×ÓÅÇÏ,  "
+"ÞÔÏ  ÏÔÐÒÁ×ÑÌÅÔÓÑ  ÌÏËÁÌØÎÏ,  ÔÏ  ×ÁÍ  ×ÅÒÏÑÔÎÏ ÎÕÖÎÏ ÄÏÂÁ×ÉÔØ   ×ÓÅ  "
+"ÕËÁÚÁÎÎÙÅ   ÚÁÐÉÓÉ   ÄÌÑ   ÄÏÍÅÎÏ×   ÎÁÚÎÁÞÅÎÉÑ  ÐÅÒÅÄ ÐÅÒÅÚÁÐÕÓËÏÍ Postfix."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Bad entry, try again?"
+msgstr "îÅ×ÅÒÎÁÑ ÚÁÐÉÓØ, ÐÏÐÒÏÂÏ×ÁÔØ ÓÎÏ×Á?"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "The string you have entered"
+msgstr "÷Ù ××ÅÌÉ ÓÔÒÏËÕ"
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "does not follow RFC 1035 and does not appear to be a valid IP address."
+msgstr "ÎÅ  ÓÏ×ÍÅÓÔÉÍÕÀ Ó RFC 1035 É ÎÅ ÓÏÏÔ×ÅÔÓÔ×ÕÀÝÕÀ ÐÒÁ×ÉÌØÎÏÍÕ IP ÁÄÒÅÓÕ."
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid ""
+"RFC 1035 states that \"each component must start with an alphanum, end with "
+"an alphanum and contain only alphanums and hyphens. Components must be "
+"separated by full stops.\""
+msgstr ""
+"RFC 1035 ÕËÁÚÙ×ÁÅÔ, ÞÔÏ \"each component must start with  an  alphanum, end  "
+"with  an  alphanum  and  contain  only  alphanums  and   hyphens. Components "
+"must be separated by full stops.\""
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Do you want to keep it anyways?"
+msgstr "÷ÓÅ ÒÁ×ÎÏ ÏÓÔÁ×ÉÔØ ××ÅÄÅÎÎÕÀ ×ÁÍÉ ÓÔÒÏËÕ?"
+
+#. Type: select
+#. Choices
+#: ../templates:75
+#, fuzzy
+msgid ""
+"No configuration, Internet Site, Internet with smarthost, Satellite system, "
+"Local only"
+msgstr ""
+"éÎÔÅÒÎÅÔ-ÓÁÊÔ, éÎÔÅÒÎÅÔ-ÓÁÊÔ ÓÏ ÓÍÁÒÔÈÏÓÔÏÍ, óÉÓÔÅÍÁ-ÓÐÕÔÎÉË, ôÏÌØËÏ "
+"ÌÏËÁÌØÎÏ, âÅÚ ÎÁÓÔÒÏÊËÉ"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid "General type of configuration?"
+msgstr "ïÓÎÏ×ÎÏÊ ×ÉÄ ÎÁÓÔÒÏÊËÉ?"
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"You have several choices for general configuration at this point.  If you "
+"have your debconf priority set to 'low' or 'medium', you will be asked more "
+"questions later.  You can always run \"dpkg-reconfigure --priority=low "
+"postfix\" at a later point if you want to see these questions again."
+msgstr ""
+"óÅÊÞÁÓ ×Ù ÍÏÖÅÔÅ ×ÙÂÒÁÔØ ÏÄÉÎ ÉÚ ÎÅÓËÏÌØËÉÈ ×ÁÒÉÁÎÔÏ× ÏÂÝÅÊ ÎÁÓÔÒÏÊËÉ. åÓÌÉ "
+"×Ù ÕÓÔÁÎÏ×ÉÌÉ ÐÒÉÏÒÉÔÅÔ debconf 'ÎÉÚËÉÊ' ÉÌÉ 'ÓÒÅÄÎÉÊ', ÔÏ  ÄÁÌÅÅ ×ÁÍ  "
+"ÂÕÄÕÔ  ÚÁÄÁÎÙ  ÄÏÐÏÌÎÉÔÅÌØÎÙÅ  ×ÏÐÒÏÓÙ. ðÏÔÏÍ  ×Ù  ×ÓÅÇÄÁ  ÍÏÖÅÔÅ ÚÁÐÕÓÔÉÔØ "
+"\"dpkg-reconfigure --priority=low postfix\",  ÅÓÌÉ  ×Ù  ÈÏÔÉÔÅ ÏÔ×ÅÔÉÔØ ÎÁ "
+"ÜÔÉ ×ÏÐÒÏÓÙ ÅÝÅ ÒÁÚ."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"No configuration - IF YOU WANT THE INSTALL TO LEAVE YOUR CONFIG ALONE, "
+"CHOOSE THIS OPTION.  No configuration changes will be done now:  If you have "
+"not already configured Postfix, your mail system will be broken and should "
+"not be used. You must then do the configuration yourself by editing /usr/"
+"share/postfix/main.cf.dist and saving your changes as /etc/postfix/main.cf, "
+"or by running dpkg-reconfigure Postfix.  main.cf will not be modified by the "
+"Postfix install process."
+msgstr ""
+"âÅÚ ÎÁÓÔÒÏÊËÉ - åóìé ÷ù èïôéôå ïóôá÷éôø ÷áûé îáóôòïêëé âåú  éúíåîåîéê, ôï "
+"÷ùâåòéôå üôõ ïðãéà. óÅÊÞÁÓ ÉÚÍÅÎÅÎÉÊ ÎÁÓÔÒÏÅË  ÎÅ ÂÕÄÅÔ: ÅÓÌÉ Õ ×ÁÓ ÕÖÅ  ÎÅ  "
+"ÕÓÔÁÎÏ×ÌÅÎ Postfix, ÔÏ ×ÁÛÁ ÐÏÞÔÏ×ÁÑ ÓÉÓÔÅÍÁ ÂÕÄÅÔ ÎÅÒÁÂÏÞÅÊ. äÁÌÅÅ    "
+"×Ù     ÄÏÌÖÎÙ     ÓÁÍÏÓÔÏÑÔÅÌØÎÏ     ÏÔÒÅÄÁËÔÉÒÏ×ÁÔØ     ÆÁÊÌ /usr/share/"
+"postfix/main.cf.dist É ÓÏÈÒÁÎÉÔØ ËÁË  /etc/postfix/main.cf, ÌÉÂÏÚÁÐÕÓÔÉÔØ  "
+"dpkg-reconfigure Postfix.  main.cf  ÎÅ  ÂÕÄÅÔ ÉÚÍÅÎÅÎ × ÐÒÏÃÅÓÓÅ ÕÓÔÁÎÏ×ËÉ "
+"Postfix."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site - mail is sent and received directly using SMTP. If your needs "
+"don't fit neatly into any category, you probably want to start with this one "
+"and then edit the config file by hand."
+msgstr ""
+"éÎÔÅÒÎÅÔ-ÓÁÊÔ - ÐÏÞÔÁ ÏÔÐÒÁ×ÌÑÅÔÓÑ É  ÐÒÉÎÉÍÁÅÔÓÑ  ÎÁÐÒÑÍÕÀ  ÐÏ  SMTP. åÓÌÉ  "
+"×Ù  ÎÅ ÐÏÄÐÁÄÁÅÔÅ ÔÏÞÎÏ ÐÏÄ ÜÔÕ ËÁÔÅÇÏÒÉÀ, ÔÏ ×ÅÒÏÑÔÎÏ ×ÁÍ ÌÕÞÛÅ ÎÁÞÁÔØ Ó "
+"ÎÅÅ É ÚÁÔÅÍ ÏÔÒÅÄÁËÔÉÒÏ×ÁÔØ ÆÁÊÌ ÎÁÓÔÒÏÅË ×ÒÕÞÎÕÀ."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site using smarthost - You receive Internet mail on this machine, "
+"either directly by SMTP or by running a utility such as fetchmail. Outgoing "
+"mail is sent using a smarthost. optionally with addresses rewritten. This is "
+"probably what you want for a dialup system."
+msgstr ""
+"éÎÔÅÒÎÅÔ-ÓÁÊÔ ÓÏ ÓÍÁÒÔÈÏÓÔÏÍ - ÷Ù ÐÒÉÎÉÍÁÅÔÅ ÐÏÞÔÕ ÉÚ ÉÎÔÅÒÎÅÔ ÎÁ  ÜÔÕ "
+"ÍÁÛÉÎÕ  ÌÉÂÏ  ÎÁÐÒÑÍÕÀ  ÐÏ  SMTP,  ÌÉÂÏ  Ó  ÐÏÍÏÝØÀ  ÔÁËÏÊ ÕÔÉÌÉÔÙ ËÁË "
+"fetchmail.  éÓÈÏÄÑÝÁÑ  ÐÏÞÔÁ  ÏÔÐÒÁ×ÌÑÅÔÓÑ  ÎÁ  ÓÍÁÒÔÈÏÓÔ.  ÷ÏÚÍÏÖÎÏ Ó "
+"ÐÅÒÅÚÁÐÉÓØÀ ÁÄÒÅÓÁ. ïÞÅ×ÉÄÎÏ, ÜÔÏ  ÎÁÉÂÏÌÅÅ  ÐÏÄÈÏÄÉÔ  ÄÌÑ  ÓÉÓÔÅÍÙ  Ó "
+"ËÏÍÍÕÔÉÒÕÅÍÙÍ ËÁÎÁÌÏÍ."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Satellite system - All mail is sent to another machine, called a \"smart host"
+"\" for delivery. root and postmaster mail is delivered according to /etc/"
+"aliases. No mail is received locally."
+msgstr ""
+"óÉÓÔÅÍÁ-ÓÐÕÔÎÉË - ÷ÓÑ  ÐÏÄÇÏÔÏ×ÌÅÎÎÁÑ  ÄÌÑ ÏÔÐÒÁ×ËÉ ÐÏÞÔÁ ÏÔÐÒÁ×ÌÑÅÔÓÑ ÎÁ  "
+"ÄÒÕÇÕÀ ÍÁÛÉÎÕ, ÎÁÚÙ×ÁÅÍÕÀ \"ÓÍÁÒÔÈÏÓÔ\". ðÏÞÔÁ ÐÏÌØÚÏ×ÁÔÅÌÅÊ root  É "
+"postmaster ÏÔÐÒÁ×ÌÑÅÔÓÑ × ÓÏÏÔ×ÅÔÓÔ×ÉÉ Ó /etc/aliases."
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Local delivery only - You are not on a network.  Mail for local users is "
+"delivered."
+msgstr ""
+"ôÏÌØËÏ ÌÏËÁÌØÎÏ  - ÷Ù ÎÅ × ÓÅÔÉ. ðÏÞÔÁ ÄÏÓÔÁ×ÌÑÅÔÓÑ  ÔÏÌØËÏ  ÌÏËÁÌØÎÙÍ "
+"ÐÏÌØÚÏ×ÁÔÅÌÑÍ."
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "WARNING: Postfix not configured"
+msgstr "ðòåäõðòåöäåîéå: Postfix ÎÅ ÎÁÓÔÒÏÅÎ"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid ""
+"You have chosen \"No Configuration\" - Postfix will not be configured and "
+"will not be started by default.  Please run 'dpkg-reconfigure postfix' at a "
+"later date, or configure it yourself by:"
+msgstr ""
+"÷Ù ×ÙÂÒÁÌÉ \"âÅÚ ÎÁÓÔÒÏÊËÉ\" - Postfix ÎÅ ÂÕÄÅÔ ÎÁÓÔÒÏÅÎ É ÐÏ  ÕÍÏÌÞÁÎÉÀ "
+"ÎÅ   ÂÕÄÅÔ  ÚÁÐÕÓËÁÔØÓÑ.  ðÏÚÖÅ  ×ÙÐÏÌÎÉÔÅ  ËÏÍÁÎÄÕ  'dpkg-reconfigure "
+"postfix', ÉÌÉ ÎÁÓÔÒÏÊÔÅ ÅÇÏ ÓÁÍÏÓÔÏÑÔÅÌØÎÏ ÓÌÅÄÕÀÝÉÍ ÏÂÒÁÚÏÍ:"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "1) Editing /etc/postfix/main.cf to your liking"
+msgstr "1) ïÔÒÅÄÁËÔÉÒÕÊÔÅ ÆÁÊÌ /etc/postfix/main.cf ËÁË ×ÁÍ ÎÕÖÎÏ"
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "2) Running /etc/init.d/postfix start"
+msgstr "2) ÷ÙÐÏÌÎÉÔÅ ËÏÍÁÎÄÕ /etc/init.d/postfix start"
+
+#. Type: string
+#. Default
+#: ../templates:120
+#, fuzzy
+msgid "/etc/mailname"
+msgstr "ðÏÞÔÏ×ÏÅ ÉÍÑ?"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid "Mail name?"
+msgstr "ðÏÞÔÏ×ÏÅ ÉÍÑ?"
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"Your `mail name' is the hostname portion of the address to be shown on "
+"outgoing news and mail messages (following the username and @ sign)."
+msgstr ""
+"÷ÁÛÅ 'ÐÏÞÔÏ×ÏÅ ÉÍÑ' - ÜÔÏ ÉÍÑ ÈÏÓÔÁ × ÁÄÒÅÓÅ, ËÏÔÏÒÏÅ  ÂÕÄÅÔ  ÐÏËÁÚÁÎÏ × "
+"ÉÓÈÏÄÑÝÉÈ  ÓÏÏÂÝÅÎÉÑÈ  ÐÏÞÔÙ  É  ÇÒÕÐÐ  ÎÏ×ÏÓÔÅÊ  (×ÍÅÓÔÅ  Ó  ÉÍÅÎÅÍ "
+"ÐÏÌØÚÏ×ÁÔÅÌÑ É ÚÎÁËÏÍ @)."
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"This name will be used by other programs besides Postfix; it should be the "
+"single, full domain name (FQDN) from which mail will appear to originate."
+msgstr ""
+"üÔÏ ÉÍÑ ÐÏÍÉÍÏ Postfix ÂÕÄÅÔ ÉÓÐÏÌØÚÏ×ÁÔØÓÑ ÄÒÕÇÉÍÉ  ÐÒÏÇÒÁÍÍÁÍÉ;  ÅÇÏ "
+"ÒÅËÏÍÅÎÄÕÅÔÓÑ ÄÅÌÁÔØ ÎÅÒÁÚÄÅÌØÎÙÍ, ÏÔ  ÐÏÌÎÏÇÏ  ÄÏÍÅÎÎÏÇÏ ÉÍÅÎÉ (FQDN) "
+"ËÏÔÏÒÏÇÏ ÂÕÄÅÔ ÏÔÐÒÁ×ÌÑÔØÓÑ ÐÏÞÔÁ."
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid "Other destinations to accept mail for? (blank for none)"
+msgstr ""
+"äÒÕÇÉÅ ÄÏÍÅÎÙ ÄÌÑ ËÏÔÏÒÙÈ ÐÒÉÎÉÍÁÅÔÓÑ ÐÏÞÔÁ? (ÏÓÔÁ×ÉÔØ ÐÕÓÔÙÍ, ÅÓÌÉ ÎÅÔÕ)"
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid ""
+"Give a comma-separated list of domains that this machine should consider "
+"itself the final destination for.  If this is a mail domain gateway, you "
+"probably want to include the top-level domain."
+msgstr ""
+"úÁÄÁÊÔÅ ÒÁÚÄÅÌÅÎÎÙÊ ÚÁÐÑÔÙÍÉ ÓÐÉÓÏË ÄÏÍÅÎÏ×, ËÏÔÏÒÙÅ ÜÔÁ ÍÁÛÉÎÁ ÄÏÌÖÎÁ "
+"ÕÞÉÔÙ×ÁÔØ × ËÁÞÅÓÔ×Å ËÏÎÅÞÎÏÇÏ ÐÕÎËÔÁ ÄÏÓÔÁ×ËÉ. åÓÌÉ ÜÔÏ ÐÏÞÔÏ×ÙÊ ÛÌÀÚ ÔÏ "
+"×ÁÍ ×ÅÒÏÑÔÎÏ ÓÔÏÉÔ ×ËÌÀÞÉÔØ ÄÏÍÅÎ ×ÅÒÈÎÅÇÏ ÕÒÏ×ÎÑ."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid "SMTP relay host? (blank for none)"
+msgstr "òÅÌÅÊÎÙÊ ÈÏÓÔ SMTP? (ÏÓÔÁ×ÉÔØ ÐÕÓÔÙÍ, ÅÓÌÉ ÎÅÔÕ)"
+
+#. Type: string
+#. Description
+#: ../templates:137
+#, fuzzy
+msgid ""
+"Specify a domain, host, host:port, [address] or [address]:port. Use the form "
+"[destination] to turn off MX lookups.  Leave this blank for no relay host."
+msgstr ""
+"õËÁÖÉÔÅ ÄÏÍÅÎ, ÈÏÓÔ, ÈÏÓÔ:ÐÏÒÔ, [ÁÄÒÅÓ] ÉÌÉ [ÁÄÒÅÓ:ÐÏÒÔ]. þÔÏÂÙ ÉÚÂÅÖÁÔØ "
+"ÐÒÏÓÍÏÔÒÏ× íè-ÚÁÐÉÓÅÊ, ÉÓÐÏÌØÚÕÊÔÅ ÆÏÒÍÕ [ÎÁÚÎÁÞÅÎÉÅ]. åÓÌÉ ÒÅÌÅÊÎÏÇÏ ÈÏÓÔÁ "
+"ÎÅÔ, ÔÏ ÏÓÔÁ×ØÔÅ ÐÏÌÅ ÐÕÓÔÙÍ."
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"The relayhost parameter specifies the default host to send mail to when no "
+"entry is matched in the optional transport(5) table. When no relayhost is "
+"given, mail is routed directly to the destination."
+msgstr ""
+"ðÁÒÁÍÅÔÒ relayhost ÕËÁÚÙ×ÁÅÔ ÈÏÓÔ ÐÏ ÕÍÏÌÞÁÎÉÀ ÄÌÑ ÏÔÐÒÁ×ËÉ ÐÏÞÔÙ ÔÏÍÕ, ÞØÑ "
+"ÚÁÐÉÓØ ÏÔÓÕÔÓÔ×ÕÅÔ × ÎÅÏÂÑÚÁÔÅÌØÎÏÊ ÔÁÂÌÉÃÅ transport(5). åÓÌÉ relayhost ÎÅ "
+"ÚÁÄÁÎ, ÔÏ ÐÏÞÔÁ ÐÅÒÅÓÙÌÁÅÔÓÑ ÎÁÐÒÑÍÕÀ ÁÄÒÅÓÁÔÕ."
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Use procmail for local delivery?"
+msgstr "éÓÐÏÌØÚÏ×ÁÔØ procmail ÄÌÑ ÌÏËÁÌØÎÏÊ ÄÏÓÔÁ×ËÉ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Do you want to use procmail to deliver local mail?"
+msgstr "÷Ù ÈÏÔÉÔÅ ÉÓÐÏÌØÚÏ×ÁÔØ procmail ÄÌÑ ÌÏËÁÌØÎÏÊ ÄÏÓÔÁ×ËÉ?"
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid ""
+"Note that if you use procmail to deliver mail system-wide, you should set up "
+"an alias that forwards mail for root to a real user."
+msgstr ""
+"ïÂÒÁÔÉÔÅ ×ÎÉÍÁÎÉÅ, ÞÔÏ ÅÓÌÉ ×Ù ÉÓÐÏÌØÚÕÅÔÅ procmail ÄÌÑ ÏÔÐÒÁ×ËÉ ÐÏÞÔÙ ÐÏ "
+"ÓÉÓÔÅÍÅ, ÔÏ ×ÁÍ ÒÅËÏÍÅÎÄÕÅÔÓÑ ÕÔÁÎÏ×ÉÔØ ÐÓÅ×ÄÏÎÉÍ, ËÏÔÏÒÙÊ ÂÕÄÅÔ ÐÅÒÅÓÙÌÁÔØ "
+"ÐÏÞÔÕ ÄÌÑ root ÒÅÁÌØÎÏÍÕ ÐÏÌØÚÏ×ÁÔÅÌÀ."
+
+#. Type: string
+#. Default
+#: ../templates:156
+msgid "+"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "Local address extension character?"
+msgstr "óÉÍ×ÏÌ ÒÁÓÛÉÒÅÎÉÑ ÌÏËÁÌØÎÙÈ ÁÄÒÅÓÏ×?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "What character defines a local address extension?"
+msgstr "ëÁËÏÊ ÓÉÍ×ÏÌ ÏÔÐÒÅÄÅÌÑÅÔ ÒÁÓÛÉÒÅÎÉÅ ÌÏËÁÌØÎÙÈ ÁÄÒÅÓÏ×?"
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "To not use address extensions, leave the string blank."
+msgstr ""
+"þÔÏÂÙ ÎÅ ÉÓÐÏÌØÚÏ×ÁÔØ ÒÁÓÛÉÒÅÎÉÅ ÌÏËÁÌØÎÙÈ ÁÄÒÅÓÏ×, ÏÓÔÁ×ØÔÅ ÐÏÌÅ ÐÕÓÔÙÍ."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "Bad recipient delimiter"
+msgstr "îÅÐÒÁ×ÉÌØÎÙÊ ÒÁÚÄÅÌÉÔÅÌØ ÁÄÒÅÓÁÔÁ"
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid ""
+"The recipient delimiter is a single character, you entered too many "
+"characters.  Please try again."
+msgstr ""
+"òÁÚÄÅÌÉÔÅÌØ ÁÄÒÅÓÁÔÁ - ÜÔÏ ÏÄÉÎ ÓÉÍ×ÏÌ, Á ×Ù ××ÅÌÉ ÎÅÓËÏÌØËÏ. ðÏÐÒÏÂÕÊÔÅ ÅÝÅ "
+"ÒÁÚ."
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "\"${enteredstring}\""
+msgstr "\"${enteredstring}\""
+
+#. Type: boolean
+#. Default
+#: ../templates:172
+msgid "false"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "Force synchronous updates on mail queue?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid ""
+"If synchronous updates are forced, then mail is processed more slowly. If "
+"not forced, then there is a remote chance of losing some mail if the system "
+"crashes at an inopportune time, and you are not using a journaled filesystem "
+"(such as ext3)."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "The default is \"off\"."
+msgstr ""
+
+#. Type: string
+#. Default
+#: ../templates:183
+msgid "127.0.0.0/8"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid "Local networks?"
+msgstr "ìÏËÁÌØÎÙÅ ÓÅÔÉ?"
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"For what network blocks should this machine relay mail?  The default is just "
+"the local host, which is needed by some mail user agents."
+msgstr ""
+"äÌÑ ËÁËÉÈ ÂÌÏËÏ× ÓÅÔÅ×ÙÈ ÁÄÒÅÓÏ×  ÎÁ  ÜÔÏÊ  ÍÁÛÉÎÅ  ÒÁÚÒÅÛÅÎ  ÐÏÞÔÏ×ÙÊ "
+"ÒÅÌÅÊ?  ðÏ  ÕÍÏÌÞÁÎÉÀ ÜÔÏ ÔÏÌØËÏ localhost, ÞÔÏ  ÎÅÏÂÈÏÄÉÍÏ  ÎÅËÏÔÏÒÙÍ "
+"ÐÏÞÔÏ×ÙÍ ÁÇÅÎÔÁÍ ÐÏÌØÚÏ×ÁÔÅÌÑ."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"If this is a smarthost for a block of machines, you need to specify the "
+"netblocks here, or mail will be rejected rather than relayed."
+msgstr ""
+"åÓÌÉ ÜÔÏ ÓÍÁÒÔÈÏÓÔ ÄÌÑ ÂÌÏËÁ ÍÁÛÉÎ, ÔÏ ×ÁÍ ÎÕÖÎÏ ÕËÁÚÁÔØ  ÚÄÅÓØ  ÂÌÏËÉ "
+"ÓÅÔÅ×ÙÈ ÁÄÒÅÓÏ×, ÌÉÂÏ ÐÏÞÔÁ ÂÕÄÅÔ ÏÔ×ÅÒÇÎÕÔÁ, ÎÅ ÂÕÄÅÔ ÐÅÒÅÄÁÎÁ."
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"To use the postfix default (which is based on connected networks), enter an "
+"empty string."
+msgstr ""
+
+#. Type: string
+#. Default
+#: ../templates:196
+msgid "0"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid "Mailbox size limit"
+msgstr "ïÇÒÁÎÉÞÅÎÉÅ ÒÁÚÍÅÒÁ ÐÏÞÔÏ×ÏÇÏ ÑÝÉËÁ"
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid ""
+"What limit should Postfix place on mailbox files to prevent runaway software "
+"errors.  A value of zero (0) means no limit.  (The upstream default is "
+"51200000.)"
+msgstr ""
+"ëÁË ÏÇÒÁÎÉÞÉÔØ ÆÁÊÌÙ ÐÏÞÔÏ×ÙÈ ÑÝÉËÏ×, ÞÔÏÂÙ ÉÚÂÅÖÁÔØ  ÓÂÏÅ×  ×  ÒÁÂÏÔÅ "
+"ÐÒÏÇÒÁÍÍÎÏÇÏ ÏÂÅÓÐÅÞÅÎÉÑ. ðÏ ÕÍÏÌÞÁÎÉÀ ÓÔÏÉÔ (0) - ÂÅÚ ÏÇÒÁÎÉÞÅÎÉÊ. (÷ "
+"ÏÒÉÇÉÎÁÌØÎÏÍ ÉÓÈÏÄÎÏÍ ÔÅËÓÔÅ ÓÔÏÉÔ 51200000.)"
+
+#. Type: string
+#. Default
+#: ../templates:204
+msgid "NONE"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid "Where should mail for root go"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"The user root (and any other users with a uid of 0) must have mail "
+"redirected via an alias, or their mail may be delivered to /var/mail/"
+"nobody.  This is by design:  mail is not delivered to external delivery "
+"agents as root."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"If you already have a /etc/aliases file, then you possibly need to add this "
+"entry.  (I will only add it if I am creating a new /etc/aliases.)"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"What address should I add to /etc/aliases, if I create the file?  (Enter "
+"NONE to not add one.)"
+msgstr ""
+
+#~ msgid "Postfix needs to correct master.cf"
+#~ msgstr "Postfix'Õ ÎÕÖÅÎ ÐÒÁ×ÉÌØÎÙÊ ÆÁÊÌ master.cf"
+
+#~ msgid ""
+#~ "Postfix version 0.0.20020113 and later requires changes in how the "
+#~ "pickup, cleanup and flush daemons are launched.  Since failure to correct "
+#~ "these will result in a broken mailer, the upgrade process will make the "
+#~ "changes. You can safely answer 'NO' when dpkg asks about installing "
+#~ "master.cf."
+#~ msgstr ""
+#~ "÷ Postfix ×ÅÒÓÉÉ 0.0.20020113 É ÂÏÌÅÅ ÐÏÚÄÎÉÈ ÔÒÅÂÕÀÔÓÑ ÉÚÍÅÎÅÎÉÑ  ÐÒÉ "
+#~ "ÚÁÐÕÓËÅ ÄÅÍÏÎÏ× pickup, cleanup É flush. ôÁË ËÁË ÎÅÕÄÁÞÎÙÊ ÚÁÐÕÓË ÜÔÉÈ "
+#~ "ÄÅÍÏÎÏ× ÎÁÒÕÛÉÔ ÒÁÂÏÔÕ ÐÏÞÔÏ×ÏÊ ÓÉÓÔÅÍÙ, ÔÏ ÐÒÏÃÅÓÓ ÏÂÎÏ×ÌÅÎÉÑ  ÓÅÊÞÁÓ "
+#~ "ÐÒÏÉÚ×ÅÄÅÔ  ÉÚÍÅÎÅÎÉÑ.  ÷Ù  ÍÏÖÅÔÅ ÓÐÏËÏÊÎÏ ÏÔ×ÅÔÉÔØ 'îåô', ËÏÇÄÁ dpkg "
+#~ "ÐÒÅÄÌÏÖÉÔ ÕÓÔÁÎÏ×ÉÔØ master.cf."
+
+#~ msgid ""
+#~ "Postfix has converted from libdb2 format to libdb3 format.  This change "
+#~ "requires that all Postfix hash and btree maps be regenerated."
+#~ msgstr ""
+#~ "Postfix ÔÅÐÅÒØ ÉÓÐÏÌØÚÕÅÔ ÆÏÒÍÁÔ libdb3 ×ÍÅÓÔÏ libdb3.  üÔÏ  ÉÚÍÅÎÅÎÉÅ "
+#~ "ÔÒÅÂÕÅÔ ÐÅÒÅÇÅÎÅÒÁÃÉÉ ×ÓÅÈ ËÁÒÔ hash É btree, ÉÓÐÏÌØÚÕÅÍÙÈ Postfix."
+
+#~ msgid ""
+#~ "If you answer no, Postfix will be restarted, but may fail if your db "
+#~ "files still need to be converted.  If you answer yes, all hash and btree "
+#~ "maps used by Postfix will be rebuilt prior to restarting Postfix."
+#~ msgstr ""
+#~ "åÓÌÉ ×Ù ÏÔ×ÅÔÉÔÅ îåô, ÔÏ Postfix ÐÏÐÒÏÂÕÅÔ ÚÁÐÕÓÔÉÔØÓÑ, ÎÏ  ÜÔÏ  ÍÏÖÅÔ ÎÅ "
+#~ "ÐÏÌÕÞÉÔØÓÑ, ÅÓÌÉ ×ÁÛÉ ËÁÒÔÙ  ÎÅ  ÂÕÄÕÔ  ÐÅÒÅÇÅÎÅÒÉÒÏ×ÁÎÙ.  åÓÌÉ  ×Ù "
+#~ "ÏÔ×ÅÔÉÔÅ  äá,  ÔÏ  ÐÅÒÅÄ  ÐÅÒÅÚÁÐÕÓËÏÍ Postfix ÜÔÉ ËÁÒÔÙ ÂÕÄÕÔ ÓÏÚÄÁÎÙ "
+#~ "ÚÁÎÏ×Ï."
+
+#~ msgid "Internet Site"
+#~ msgstr "éÎÔÅÒÎÅÔ-ÓÁÊÔ"
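Review bot: the fuzzy Choices entry for `../templates:75` lists the translated choices in a different order from the msgid: the msgid reads `No configuration, Internet Site, Internet with smarthost, Satellite system, Local only`, while the msgstr (read as KOI8-R; it is shown here through a Latin-1 rendering) puts "Без настройки" ("No configuration") last instead of first. debconf maps translated choices to the original ones by position, so if this entry is ever unfuzzied as it stands, a user selecting the first Russian item would get "No configuration" and end up with an unconfigured mailer; reorder the msgstr to match the msgid before clearing the fuzzy flag. The same caution applies to the fuzzy `../templates:120` entry: its msgid is the Default value `/etc/mailname`, but the msgstr carries the title "Почтовое имя?" (the translation of "Mail name?"), which would become the default mail name if unfuzzied; it should be left empty. Finally, the fuzzy relay-host entry at `../templates:137` renders `[address]:port` as `[адрес:порт]`, moving the port inside the brackets, which is not the form the msgid gives; keep the msgid's bracket placement.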

Added: trunk/postfix/debian/po/templates.pot
===================================================================
--- trunk/postfix/debian/po/templates.pot	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/po/templates.pot	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,525 @@
+#
+#    Translators, if you are not familiar with the PO format, gettext
+#    documentation is worth reading, especially sections dedicated to
+#    this format, e.g. by running:
+#         info -n '(gettext)PO Files'
+#         info -n '(gettext)Header Entry'
+#
+#    Some information specific to po-debconf are available at
+#            /usr/share/doc/po-debconf/README-trans
+#         or http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+#    Developers do not need to manually edit POT or PO files.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2004-10-30 21:06-0600\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL at ADDRESS>\n"
+"Language-Team: LANGUAGE <LL at li.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+msgid "Correct dynamicmaps.cf for upgrade?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Postfix version 2.0.2 and later require changes in dynamicmaps.cf. "
+"Specifically, wildcard support is gone, and with it, %s expansion.  Any "
+"changes that you made to dynamicmaps.cf that relied on these features will "
+"need to be fixed by you.  Failure to correct these will result in a broken "
+"mailer."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:3
+#, no-c-format
+msgid ""
+"Should dynamicmaps.cf be automatically changed?  Decline this option to "
+"abort the upgrade, giving you the opportunity to eliminate wildcard and %s-"
+"expansion-dependent configuration.  Accept this option if you have no such "
+"configuration, and automatically make dynamicmaps.cf compatible with Postfix "
+"2.0.2 in this respect."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid "Postfix version 2.1 and later require new services in master.cf."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:18
+msgid ""
+"Should this configuration be automatically added to master.cf?  Decline this "
+"option to abort the upgrade, giving you the opportunity to add this "
+"configuration yourself.  Accept this option to automatically make master.cf "
+"compatible with Postfix 2.1 in this respect."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid "Correct master.cf for upgrade?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Postfix version 2.1 renamed \"nqmgr\" to \"qmgr\", and you are using \"nqmgr"
+"\"."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:28
+msgid ""
+"Failure to fix this will result in a broken mailer.  Decline this option to "
+"abort the upgrade, giving you the opportunity to add this configuration "
+"yourself.  Accept this option to automatically make master.cf compatible "
+"with Postfix 2.1 in this respect."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Should Postfix upgrade hash and btree maps?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Postfix has switched to db4, and this may require maps to be upgraded."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:39
+msgid "Do you want to automatically attempt the conversion?"
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid "Transport map incompatibility"
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"You have a transport map defined, and there is an incompatible change in how "
+"transport maps are used.  Postfix will not be restarted automatically."
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../templates:46
+msgid ""
+"Transport map entries override $mydestination.  If you use transport maps, "
+"it is better to always have explicit entries for all domain names you have "
+"in $mydestination.  See the html/faq.html sections for firewalls and "
+"intranets.  If you have transport entries for parent domains of anything "
+"delivered locally, you will probably need to add specific entries for the "
+"destination domains before you restart Postfix."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Bad entry, try again?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "The string you have entered"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "does not follow RFC 1035 and does not appear to be a valid IP address."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid ""
+"RFC 1035 states that \"each component must start with an alphanum, end with "
+"an alphanum and contain only alphanums and hyphens. Components must be "
+"separated by full stops.\""
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:60
+msgid "Do you want to keep it anyways?"
+msgstr ""
+
+#. Type: select
+#. Choices
+#: ../templates:75
+msgid ""
+"No configuration, Internet Site, Internet with smarthost, Satellite system, "
+"Local only"
+msgstr ""
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid "General type of configuration?"
+msgstr ""
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"You have several choices for general configuration at this point.  If you "
+"have your debconf priority set to 'low' or 'medium', you will be asked more "
+"questions later.  You can always run \"dpkg-reconfigure --priority=low "
+"postfix\" at a later point if you want to see these questions again."
+msgstr ""
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"No configuration - IF YOU WANT THE INSTALL TO LEAVE YOUR CONFIG ALONE, "
+"CHOOSE THIS OPTION.  No configuration changes will be done now:  If you have "
+"not already configured Postfix, your mail system will be broken and should "
+"not be used. You must then do the configuration yourself by editing /usr/"
+"share/postfix/main.cf.dist and saving your changes as /etc/postfix/main.cf, "
+"or by running dpkg-reconfigure Postfix.  main.cf will not be modified by the "
+"Postfix install process."
+msgstr ""
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site - mail is sent and received directly using SMTP. If your needs "
+"don't fit neatly into any category, you probably want to start with this one "
+"and then edit the config file by hand."
+msgstr ""
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Internet site using smarthost - You receive Internet mail on this machine, "
+"either directly by SMTP or by running a utility such as fetchmail. Outgoing "
+"mail is sent using a smarthost. optionally with addresses rewritten. This is "
+"probably what you want for a dialup system."
+msgstr ""
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Satellite system - All mail is sent to another machine, called a \"smart host"
+"\" for delivery. root and postmaster mail is delivered according to /etc/"
+"aliases. No mail is received locally."
+msgstr ""
+
+#. Type: select
+#. Description
+#: ../templates:77
+msgid ""
+"Local delivery only - You are not on a network.  Mail for local users is "
+"delivered."
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "WARNING: Postfix not configured"
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid ""
+"You have chosen \"No Configuration\" - Postfix will not be configured and "
+"will not be started by default.  Please run 'dpkg-reconfigure postfix' at a "
+"later date, or configure it yourself by:"
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "1) Editing /etc/postfix/main.cf to your liking"
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../templates:109
+msgid "2) Running /etc/init.d/postfix start"
+msgstr ""
+
+#. Type: string
+#. Default
+#: ../templates:120
+msgid "/etc/mailname"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid "Mail name?"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"Your `mail name' is the hostname portion of the address to be shown on "
+"outgoing news and mail messages (following the username and @ sign)."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:121
+msgid ""
+"This name will be used by other programs besides Postfix; it should be the "
+"single, full domain name (FQDN) from which mail will appear to originate."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid "Other destinations to accept mail for? (blank for none)"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:130
+msgid ""
+"Give a comma-separated list of domains that this machine should consider "
+"itself the final destination for.  If this is a mail domain gateway, you "
+"probably want to include the top-level domain."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid "SMTP relay host? (blank for none)"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"Specify a domain, host, host:port, [address] or [address]:port. Use the form "
+"[destination] to turn off MX lookups.  Leave this blank for no relay host."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:137
+msgid ""
+"The relayhost parameter specifies the default host to send mail to when no "
+"entry is matched in the optional transport(5) table. When no relayhost is "
+"given, mail is routed directly to the destination."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Use procmail for local delivery?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid "Do you want to use procmail to deliver local mail?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:148
+msgid ""
+"Note that if you use procmail to deliver mail system-wide, you should set up "
+"an alias that forwards mail for root to a real user."
+msgstr ""
+
+#. Type: string
+#. Default
+#: ../templates:156
+msgid "+"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "Local address extension character?"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "What character defines a local address extension?"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:157
+msgid "To not use address extensions, leave the string blank."
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "Bad recipient delimiter"
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid ""
+"The recipient delimiter is a single character, you entered too many "
+"characters.  Please try again."
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../templates:164
+msgid "\"${enteredstring}\""
+msgstr ""
+
+#. Type: boolean
+#. Default
+#: ../templates:172
+msgid "false"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "Force synchronous updates on mail queue?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid ""
+"If synchronous updates are forced, then mail is processed more slowly. If "
+"not forced, then there is a remote chance of losing some mail if the system "
+"crashes at an inopportune time, and you are not using a journaled filesystem "
+"(such as ext3)."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../templates:173
+msgid "The default is \"off\"."
+msgstr ""
+
+#. Type: string
+#. Default
+#: ../templates:183
+msgid "127.0.0.0/8"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid "Local networks?"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"For what network blocks should this machine relay mail?  The default is just "
+"the local host, which is needed by some mail user agents."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"If this is a smarthost for a block of machines, you need to specify the "
+"netblocks here, or mail will be rejected rather than relayed."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:184
+msgid ""
+"To use the postfix default (which is based on connected networks), enter an "
+"empty string."
+msgstr ""
+
+#. Type: string
+#. Default
+#: ../templates:196
+msgid "0"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid "Mailbox size limit"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:197
+msgid ""
+"What limit should Postfix place on mailbox files to prevent runaway software "
+"errors.  A value of zero (0) means no limit.  (The upstream default is "
+"51200000.)"
+msgstr ""
+
+#. Type: string
+#. Default
+#: ../templates:204
+msgid "NONE"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid "Where should mail for root go"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"The user root (and any other users with a uid of 0) must have mail "
+"redirected via an alias, or their mail may be delivered to /var/mail/"
+"nobody.  This is by design:  mail is not delivered to external delivery "
+"agents as root."
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"If you already have a /etc/aliases file, then you possibly need to add this "
+"entry.  (I will only add it if I am creating a new /etc/aliases.)"
+msgstr ""
+
+#. Type: string
+#. Description
+#: ../templates:205
+msgid ""
+"What address should I add to /etc/aliases, if I create the file?  (Enter "
+"NONE to not add one.)"
+msgstr ""
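Review bot: the `../templates:60` description is split into three separately translatable fragments (`msgid "The string you have entered"`, `msgid "does not follow RFC 1035 and does not appear to be a valid IP address."` and the RFC quotation), so translators are forced to reproduce English word order to get a readable sentence; merge at least the first two into one msgid, "The string you have entered does not follow RFC 1035 and does not appear to be a valid IP address." Two wording points with a security angle: the `../templates:184` text "To use the postfix default (which is based on connected networks)" should spell out that this means mail is relayed for every host on the directly attached subnets, a wider trust boundary than the localhost-only `127.0.0.0/8` default at `../templates:183`, so an administrator entering the empty string knows what relaying they enable; and the Default values (`/etc/mailname`, `false`, `127.0.0.0/8`, `0`, `NONE`) appear in this POT as translatable strings, which invites a translator to put text into a value debconf will use verbatim; defaults like these should not be exposed for translation. Minor: "Do you want to keep it anyways?" should read "anyway", and "smarthost. optionally with addresses rewritten" in the smarthost choice needs a comma in place of the full stop.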

Added: trunk/postfix/debian/postfix-dev.copyright
===================================================================
--- trunk/postfix/debian/postfix-dev.copyright	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-dev.copyright	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,324 @@
+This is the Debian GNU/Linux prepackaged version of Postfix, a mail transport
+agent.
+
+Postfix was created by Wietse Venema <wietse at porcupine.org>; the Debian
+package has been assembled by LaMont Jones <lamont at debian.org> from sources
+available from http://www.postfix.org.
+
+    Copyright (c) 1999, International Business Machines Corporation 
+    and others. All Rights Reserved.  
+
+The following copyright and license applies to this software:
+
+    IBM PUBLIC LICENSE VERSION 1.0 6/14/1999 - SECURE MAILER
+
+    THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS IBM PUBLIC
+    LICENSE ("AGREEMENT").  ANY USE, REPRODUCTION OR DISTRIBUTION OF THE
+    PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
+
+    1.  DEFINITIONS
+
+    "Contribution" means:  
+	a) in the case of International Business Machines Corporation ("IBM"), 
+	   the Original Program, and 
+	b) in the case of each Contributor, 
+	   i)  changes to the Program, and
+	   ii) additions to the Program;
+	       where such changes and/or additions to the Program originate
+	       from and are distributed by that particular Contributor.  
+	       A Contribution 'originates' from a Contributor if it was added 
+	       to the Program by such Contributor itself or anyone acting on 
+	       such Contributor's behalf.  
+	Contributions do not include additions to the Program which:
+	   (i)  are separate modules of software distributed in conjunction 
+		with the Program under their own license agreement, and 
+	   (ii) are not derivative works of the Program.
+
+    "Contributor" means IBM and any other entity that distributes the Program.
+
+    "Licensed Patents " mean patent claims licensable by a Contributor which
+    are necessarily infringed by the use or sale of its Contribution alone
+    or when combined with the Program.
+
+    "Original Program" means the original version of the software accompanying
+    this Agreement as released by IBM, including source code, object code
+    and documentation, if any.
+
+    "Program" means the Original Program and Contributions.
+
+    "Recipient" means anyone who receives the Program under this Agreement, 
+    including all Contributors.
+
+    2.  GRANT OF RIGHTS
+
+	a) Subject to the terms of this Agreement, each Contributor hereby
+	grants Recipient a non-exclusive, worldwide, royalty-free copyright
+	license to reproduce, prepare derivative works of, publicly display,
+	publicly perform, distribute and sublicense the Contribution of such
+	Contributor, if any, and such derivative works, in source code and
+	object code form.
+
+	b) Subject to the terms of this Agreement, each Contributor hereby
+	grants Recipient a non-exclusive, worldwide, royalty-free patent
+	license under Licensed Patents to make, use, sell, offer to sell,
+	import and otherwise transfer the Contribution of such Contributor,
+	if any, in source code and object code form.  This patent license
+	shall apply to the combination of the Contribution and the Program
+	if, at the time the Contribution is added by the Contributor, such
+	addition of the Contribution causes such combination to be covered
+	by the Licensed Patents.  The patent license shall not apply to any
+	other combinations which include the Contribution.  No hardware per
+	se is licensed hereunder.
+
+	c) Recipient understands that although each Contributor grants the
+	licenses to its Contributions set forth herein, no assurances are
+	provided by any Contributor that the Program does not infringe the
+	patent or other intellectual property rights of any other entity.
+	Each Contributor disclaims any liability to Recipient for claims
+	brought by any other entity based on infringement of intellectual
+	property rights or otherwise.  As a condition to exercising the rights
+	and licenses granted hereunder, each Recipient hereby assumes sole
+	responsibility to secure any other intellectual property rights
+	needed, if any.  For example, if a third party patent license
+	is required to allow Recipient to distribute the Program, it is
+	Recipient's responsibility to acquire that license before distributing
+	the Program.
+
+	d) Each Contributor represents that to its knowledge it has sufficient
+	copyright rights in its Contribution, if any, to grant the copyright
+	license set forth in this Agreement.
+
+    3.  REQUIREMENTS
+
+    A Contributor may choose to distribute the Program in object code form 
+    under its own license agreement, provided that:
+	a) it complies with the terms and conditions of this Agreement; and
+	b) its license agreement:
+	   i)   effectively disclaims on behalf of all Contributors all
+		warranties and conditions, express and implied, including
+		warranties or conditions of title and non-infringement, and
+		implied warranties or conditions of merchantability and fitness
+		for a particular purpose;
+	   ii)  effectively excludes on behalf of all Contributors all 
+		liability for damages, including direct, indirect, special, 
+		incidental and consequential damages, such as lost profits; 
+	   iii) states that any provisions which differ from this Agreement 
+		are offered by that Contributor alone and not by any other 
+		party; and
+	   iv)  states that source code for the Program is available from 
+		such Contributor, and informs licensees how to obtain it in a 
+		reasonable manner on or through a medium customarily used for 
+		software exchange. 
+
+    When the Program is made available in source code form:
+	a) it must be made available under this Agreement; and 
+	b) a copy of this Agreement must be included with each copy of the 
+	   Program.  
+
+    Each Contributor must include the following in a conspicuous location 
+    in the Program: 
+
+	Copyright (c) {date here}, International Business Machines Corporation 
+	and others. All Rights Reserved.  
+
+    In addition, each Contributor must identify itself as the originator of
+    its Contribution, if any, in a manner that reasonably allows subsequent
+    Recipients to identify the originator of the Contribution. 
+
+    4.  COMMERCIAL DISTRIBUTION
+
+    Commercial distributors of software may accept certain responsibilities
+    with respect to end users, business partners and the like.  While this
+    license is intended to facilitate the commercial use of the Program, the
+    Contributor who includes the Program in a commercial product offering
+    should do so in a manner which does not create potential liability for
+    other Contributors.   Therefore, if a Contributor includes the Program in
+    a commercial product offering, such Contributor ("Commercial Contributor")
+    hereby agrees to defend and indemnify every other Contributor
+    ("Indemnified Contributor") against any losses, damages and costs
+    (collectively "Losses") arising from claims, lawsuits and other legal
+    actions brought by a third party against the Indemnified Contributor to
+    the extent caused by the acts or omissions of such Commercial Contributor
+    in connection with its distribution of the Program in a commercial
+    product offering.  The obligations in this section do not apply to any
+    claims or Losses relating to any actual or alleged intellectual property
+    infringement.  In order to qualify, an Indemnified Contributor must:
+	a) promptly notify the Commercial Contributor in writing of such claim,
+    and 
+	b) allow the Commercial Contributor to control, and cooperate with
+	   the Commercial Contributor in, the defense and any related 
+	   settlement negotiations.  The Indemnified Contributor may 
+	   participate in any such claim at its own expense.
+
+    For example, a Contributor might include the Program in a commercial
+    product offering, Product X.  That Contributor is then a Commercial
+    Contributor.  If that Commercial Contributor then makes performance
+    claims, or offers warranties related to Product X, those performance
+    claims and warranties are such Commercial Contributor's responsibility
+    alone.  Under this section, the Commercial Contributor would have to
+    defend claims against the other Contributors related to those performance
+    claims and warranties, and if a court requires any other Contributor to
+    pay any damages as a result, the Commercial Contributor must pay those
+    damages.
+
+    5.  NO WARRANTY
+
+    EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED
+    ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER
+    EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
+    CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A
+    PARTICULAR PURPOSE. Each Recipient is solely responsible for determining
+    the appropriateness of using and distributing the Program and assumes
+    all risks associated with its exercise of rights under this Agreement,
+    including but not limited to the risks and costs of program errors,
+    compliance with applicable laws, damage to or loss of data, programs or
+    equipment, and unavailability or interruption of operations. 
+
+    6.  DISCLAIMER OF LIABILITY
+
+    EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR
+    ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT,
+    INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING
+    WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
+    LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+    NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION
+    OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF
+    ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+    7.  GENERAL
+
+    If any provision of this Agreement is invalid or unenforceable under
+    applicable law, it shall not affect the validity or enforceability of
+    the remainder of the terms of this Agreement, and without further action
+    by the parties hereto, such provision shall be reformed to the minimum
+    extent necessary to make such provision valid and enforceable.
+
+    If Recipient institutes patent litigation against a Contributor with
+    respect to a patent applicable to software (including a cross-claim or
+    counterclaim in a lawsuit), then any patent licenses granted by that
+    Contributor to such Recipient under this Agreement shall terminate
+    as of the date such litigation is filed.  In addition, If Recipient
+    institutes patent litigation against any entity (including a cross-claim
+    or counterclaim in a lawsuit) alleging that the Program itself (excluding
+    combinations of the Program with other software or hardware) infringes
+    such Recipient's patent(s), then such Recipient's rights granted under
+    Section 2(b) shall terminate as of the date such litigation is filed.
+
+    All Recipient's rights under this Agreement shall terminate if it fails
+    to comply with any of the material terms or conditions of this Agreement
+    and does not cure such failure in a reasonable period of time after
+    becoming aware of such noncompliance.  If all Recipient's rights under
+    this Agreement terminate, Recipient agrees to cease use and distribution
+    of the Program as soon as reasonably practicable.  However, Recipient's
+    obligations under this Agreement and any licenses granted by Recipient
+    relating to the Program shall continue and survive. 
+
+    IBM may publish new versions (including revisions) of this Agreement
+    from time to time.  Each new version of the Agreement will be given a
+    distinguishing version number.  The Program (including Contributions)
+    may always be distributed subject to the version of the Agreement under
+    which it was received. In addition, after a new version of the Agreement
+    is published, Contributor may elect to distribute the Program (including
+    its Contributions) under the new version. No one other than IBM has the
+    right to modify this Agreement.  Except as expressly stated in Sections
+    2(a) and 2(b) above, Recipient receives no rights or licenses to the
+    intellectual property of any Contributor under this Agreement, whether
+    expressly, by implication, estoppel or otherwise.  All rights in the
+    Program not expressly granted under this Agreement are reserved.
+
+    This Agreement is governed by the laws of the State of New York and the
+    intellectual property laws of the United States of America. No party to
+    this Agreement will bring a legal action under this Agreement more than
+    one year after the cause of action arose.  Each party waives its rights
+    to a jury trial in any resulting litigation. 
+
+The following license applies to rmail, distributed with Postfix:
+				 SENDMAIL LICENSE
+
+    The following license terms and conditions apply, unless a different
+    license is obtained from Sendmail, Inc., 1401 Park Avenue, Emeryville, CA
+    94608, or by electronic mail at license at sendmail.com.
+
+    License Terms:
+
+    Use, Modification and Redistribution (including distribution of any
+    modified or derived work) in source and binary forms is permitted only if
+    each of the following conditions is met:
+
+    1. Redistributions qualify as "freeware" or "Open Source Software" under
+       one of the following terms:
+
+       (a) Redistributions are made at no charge beyond the reasonable cost of
+	   materials and delivery.
+
+       (b) Redistributions are accompanied by a copy of the Source Code or by an
+	   irrevocable offer to provide a copy of the Source Code for up to three
+	   years at the cost of materials and delivery.  Such redistributions
+	   must allow further use, modification, and redistribution of the Source
+	   Code under substantially the same terms as this license.  For the
+	   purposes of redistribution "Source Code" means the complete source
+	   code of sendmail including all modifications.
+
+       Other forms of redistribution are allowed only under a separate royalty-
+       free agreement permitting such redistribution subject to standard
+       commercial terms and conditions.  A copy of such agreement may be
+       obtained from Sendmail, Inc. at the above address.
+
+    2. Redistributions of source code must retain the copyright notices as they
+       appear in each source code file, these license terms, and the
+       disclaimer/limitation of liability set forth as paragraph 6 below.
+
+    3. Redistributions in binary form must reproduce the Copyright Notice,
+       these license terms, and the disclaimer/limitation of liability set
+       forth as paragraph 6 below, in the documentation and/or other materials
+       provided with the distribution.  For the purposes of binary distribution
+       the "Copyright Notice" refers to the following language:
+       "Copyright (c) 1998 Sendmail, Inc.  All rights reserved."
+
+    4. Neither the name of Sendmail, Inc. nor the University of California nor
+       the names of their contributors may be used to endorse or promote
+       products derived from this software without specific prior written
+       permission.  The name "sendmail" is a trademark of Sendmail, Inc.
+
+    5. All redistributions must comply with the conditions imposed by the
+       University of California on certain embedded code, whose copyright
+       notice and conditions for redistribution are as follows:
+
+       (a) Copyright (c) 1988, 1993 The Regents of the University of
+	   California.  All rights reserved.
+
+       (b) Redistribution and use in source and binary forms, with or without
+	   modification, are permitted provided that the following conditions
+	   are met:
+
+	  (i)   Redistributions of source code must retain the above copyright
+		notice, this list of conditions and the following disclaimer.
+
+	  (ii)  Redistributions in binary form must reproduce the above
+		copyright notice, this list of conditions and the following
+		disclaimer in the documentation and/or other materials provided
+		with the distribution.
+
+	  (iii) All advertising materials mentioning features or use of this
+		software must display the following acknowledgement:  "This
+		product includes software developed by the University of
+		California, Berkeley and its contributors."
+
+	  (iv)  Neither the name of the University nor the names of its
+		contributors may be used to endorse or promote products derived
+		from this software without specific prior written permission.
+
+    6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY
+       SENDMAIL, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
+       WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+       MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN
+       NO EVENT SHALL SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF
+       CALIFORNIA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+       INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+       NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+       USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+       ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+       (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+       THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+    (Version 8.6, last updated 6/24/1998)
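Review bot: this postfix-dev.copyright is a verbatim copy of the postfix-doc.copyright added further down in the same revision (the text from "This is the Debian GNU/Linux prepackaged version of Postfix" through the Sendmail license is identical); keeping a single debian/copyright and letting dh_installdocs install it into every binary package avoids the per-package copies drifting apart the next time the license text or the maintainer line is touched. One caveat for whoever consolidates them: the `{date here}` in section 3 of the IBM Public License is the license's own template wording and is correct as quoted, so it must not be replaced with a year.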

Added: trunk/postfix/debian/postfix-dev.dirs
===================================================================
--- trunk/postfix/debian/postfix-dev.dirs	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-dev.dirs	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,2 @@
+usr/include/postfix
+usr/lib
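Review bot: the two entries in postfix-dev.dirs are only useful for directories that would otherwise be empty; dh_installdirs creates them, but any directory that receives files from the install step in debian/rules is created anyway. If usr/include/postfix and usr/lib are populated by the install of the headers and the static library, this file is redundant and can be dropped, which removes one more packaging file to keep in sync.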

Added: trunk/postfix/debian/postfix-dev.postinst
===================================================================
--- trunk/postfix/debian/postfix-dev.postinst	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-dev.postinst	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,47 @@
+#! /bin/sh
+# postinst script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <postinst> `configure' <most-recently-configured-version>
+#        * <old-postinst> `abort-upgrade' <new version>
+#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+#          <new-version>
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+#
+# quoting from the policy:
+#     Any necessary prompting should almost always be confined to the
+#     post-installation script, and should be protected with a conditional
+#     so that unnecessary prompting doesn't happen if a package's
+#     installation fails and the `postinst' is called with `abort-upgrade',
+#     `abort-remove' or `abort-deconfigure'.
+
+case "$1" in
+    configure)
+
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+
+    ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 0
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
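Review bot: this postinst carries no logic of its own, only the dh_make template comments and the `#DEBHELPER#` marker, so the file can be removed and dh_installdeb will generate an equivalent maintainer script; an empty hand-written script is one more thing to audit for no benefit. If it is kept, the `*)` branch should `exit 1` rather than `exit 0`: a postinst invoked with an argument it does not recognise indicates a dpkg/maintainer-script protocol mismatch, and returning success hides that. Two smaller points in the header: the `#PACKAGE#` placeholder is substituted by dh_make when the template is instantiated, not by debhelper at build time, so it should read postfix-dev here, and the pointer to /usr/share/doc/packaging-manual/ is stale; the maintainer script calling conventions are in the Debian Policy Manual (debian-policy package).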

Added: trunk/postfix/debian/postfix-dev.prerm
===================================================================
--- trunk/postfix/debian/postfix-dev.prerm	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-dev.prerm	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,37 @@
+#! /bin/sh
+# prerm script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <prerm> `remove'
+#        * <old-prerm> `upgrade' <new-version>
+#        * <new-prerm> `failed-upgrade' <old-version>
+#        * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
+#        * <deconfigured's-prerm> `deconfigure' `in-favour'
+#          <package-being-installed> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+
+case "$1" in
+    remove|upgrade|deconfigure)
+#       install-info --quiet --remove /usr/info/#PACKAGE#.info.gz
+        ;;
+    failed-upgrade)
+        ;;
+    *)
+        echo "prerm called with unknown argument \`$1'" >&2
+        exit 0
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
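Review bot: this prerm is the untouched dh_make template: an unreplaced `#PACKAGE#` placeholder, a commented-out `install-info --quiet --remove` line that does nothing, and no action in any branch other than the `#DEBHELPER#` expansion, so it can be dropped in favour of the script dh_installdeb generates. If it is kept, remove the dead install-info comment and change the `exit 0` in the `*)` branch to `exit 1` so that an unexpected argument fails loudly instead of being silently accepted.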

Added: trunk/postfix/debian/postfix-doc.copyright
===================================================================
--- trunk/postfix/debian/postfix-doc.copyright	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-doc.copyright	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,324 @@
+This is the Debian GNU/Linux prepackaged version of Postfix, a mail transport
+agent.
+
+Postfix was created by Wietse Venema <wietse at porcupine.org>; the Debian
+package has been assembled by LaMont Jones <lamont at debian.org> from sources
+available from http://www.postfix.org.
+
+    Copyright (c) 1999, International Business Machines Corporation 
+    and others. All Rights Reserved.  
+
+The following copyright and license applies to this software:
+
+    IBM PUBLIC LICENSE VERSION 1.0 6/14/1999 - SECURE MAILER
+
+    THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS IBM PUBLIC
+    LICENSE ("AGREEMENT").  ANY USE, REPRODUCTION OR DISTRIBUTION OF THE
+    PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
+
+    1.  DEFINITIONS
+
+    "Contribution" means:  
+	a) in the case of International Business Machines Corporation ("IBM"), 
+	   the Original Program, and 
+	b) in the case of each Contributor, 
+	   i)  changes to the Program, and
+	   ii) additions to the Program;
+	       where such changes and/or additions to the Program originate
+	       from and are distributed by that particular Contributor.  
+	       A Contribution 'originates' from a Contributor if it was added 
+	       to the Program by such Contributor itself or anyone acting on 
+	       such Contributor's behalf.  
+	Contributions do not include additions to the Program which:
+	   (i)  are separate modules of software distributed in conjunction 
+		with the Program under their own license agreement, and 
+	   (ii) are not derivative works of the Program.
+
+    "Contributor" means IBM and any other entity that distributes the Program.
+
+    "Licensed Patents " mean patent claims licensable by a Contributor which
+    are necessarily infringed by the use or sale of its Contribution alone
+    or when combined with the Program.
+
+    "Original Program" means the original version of the software accompanying
+    this Agreement as released by IBM, including source code, object code
+    and documentation, if any.
+
+    "Program" means the Original Program and Contributions.
+
+    "Recipient" means anyone who receives the Program under this Agreement, 
+    including all Contributors.
+
+    2.  GRANT OF RIGHTS
+
+	a) Subject to the terms of this Agreement, each Contributor hereby
+	grants Recipient a non-exclusive, worldwide, royalty-free copyright
+	license to reproduce, prepare derivative works of, publicly display,
+	publicly perform, distribute and sublicense the Contribution of such
+	Contributor, if any, and such derivative works, in source code and
+	object code form.
+
+	b) Subject to the terms of this Agreement, each Contributor hereby
+	grants Recipient a non-exclusive, worldwide, royalty-free patent
+	license under Licensed Patents to make, use, sell, offer to sell,
+	import and otherwise transfer the Contribution of such Contributor,
+	if any, in source code and object code form.  This patent license
+	shall apply to the combination of the Contribution and the Program
+	if, at the time the Contribution is added by the Contributor, such
+	addition of the Contribution causes such combination to be covered
+	by the Licensed Patents.  The patent license shall not apply to any
+	other combinations which include the Contribution.  No hardware per
+	se is licensed hereunder.
+
+	c) Recipient understands that although each Contributor grants the
+	licenses to its Contributions set forth herein, no assurances are
+	provided by any Contributor that the Program does not infringe the
+	patent or other intellectual property rights of any other entity.
+	Each Contributor disclaims any liability to Recipient for claims
+	brought by any other entity based on infringement of intellectual
+	property rights or otherwise.  As a condition to exercising the rights
+	and licenses granted hereunder, each Recipient hereby assumes sole
+	responsibility to secure any other intellectual property rights
+	needed, if any.  For example, if a third party patent license
+	is required to allow Recipient to distribute the Program, it is
+	Recipient's responsibility to acquire that license before distributing
+	the Program.
+
+	d) Each Contributor represents that to its knowledge it has sufficient
+	copyright rights in its Contribution, if any, to grant the copyright
+	license set forth in this Agreement.
+
+    3.  REQUIREMENTS
+
+    A Contributor may choose to distribute the Program in object code form 
+    under its own license agreement, provided that:
+	a) it complies with the terms and conditions of this Agreement; and
+	b) its license agreement:
+	   i)   effectively disclaims on behalf of all Contributors all
+		warranties and conditions, express and implied, including
+		warranties or conditions of title and non-infringement, and
+		implied warranties or conditions of merchantability and fitness
+		for a particular purpose;
+	   ii)  effectively excludes on behalf of all Contributors all 
+		liability for damages, including direct, indirect, special, 
+		incidental and consequential damages, such as lost profits; 
+	   iii) states that any provisions which differ from this Agreement 
+		are offered by that Contributor alone and not by any other 
+		party; and
+	   iv)  states that source code for the Program is available from 
+		such Contributor, and informs licensees how to obtain it in a 
+		reasonable manner on or through a medium customarily used for 
+		software exchange. 
+
+    When the Program is made available in source code form:
+	a) it must be made available under this Agreement; and 
+	b) a copy of this Agreement must be included with each copy of the 
+	   Program.  
+
+    Each Contributor must include the following in a conspicuous location 
+    in the Program: 
+
+	Copyright (c) {date here}, International Business Machines Corporation 
+	and others. All Rights Reserved.  
+
+    In addition, each Contributor must identify itself as the originator of
+    its Contribution, if any, in a manner that reasonably allows subsequent
+    Recipients to identify the originator of the Contribution. 
+
+    4.  COMMERCIAL DISTRIBUTION
+
+    Commercial distributors of software may accept certain responsibilities
+    with respect to end users, business partners and the like.  While this
+    license is intended to facilitate the commercial use of the Program, the
+    Contributor who includes the Program in a commercial product offering
+    should do so in a manner which does not create potential liability for
+    other Contributors.   Therefore, if a Contributor includes the Program in
+    a commercial product offering, such Contributor ("Commercial Contributor")
+    hereby agrees to defend and indemnify every other Contributor
+    ("Indemnified Contributor") against any losses, damages and costs
+    (collectively "Losses") arising from claims, lawsuits and other legal
+    actions brought by a third party against the Indemnified Contributor to
+    the extent caused by the acts or omissions of such Commercial Contributor
+    in connection with its distribution of the Program in a commercial
+    product offering.  The obligations in this section do not apply to any
+    claims or Losses relating to any actual or alleged intellectual property
+    infringement.  In order to qualify, an Indemnified Contributor must:
+	a) promptly notify the Commercial Contributor in writing of such claim,
+    and 
+	b) allow the Commercial Contributor to control, and cooperate with
+	   the Commercial Contributor in, the defense and any related 
+	   settlement negotiations.  The Indemnified Contributor may 
+	   participate in any such claim at its own expense.
+
+    For example, a Contributor might include the Program in a commercial
+    product offering, Product X.  That Contributor is then a Commercial
+    Contributor.  If that Commercial Contributor then makes performance
+    claims, or offers warranties related to Product X, those performance
+    claims and warranties are such Commercial Contributor's responsibility
+    alone.  Under this section, the Commercial Contributor would have to
+    defend claims against the other Contributors related to those performance
+    claims and warranties, and if a court requires any other Contributor to
+    pay any damages as a result, the Commercial Contributor must pay those
+    damages.
+
+    5.  NO WARRANTY
+
+    EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED
+    ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER
+    EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
+    CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A
+    PARTICULAR PURPOSE. Each Recipient is solely responsible for determining
+    the appropriateness of using and distributing the Program and assumes
+    all risks associated with its exercise of rights under this Agreement,
+    including but not limited to the risks and costs of program errors,
+    compliance with applicable laws, damage to or loss of data, programs or
+    equipment, and unavailability or interruption of operations. 
+
+    6.  DISCLAIMER OF LIABILITY
+
+    EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR
+    ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT,
+    INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING
+    WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
+    LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+    NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION
+    OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF
+    ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+    7.  GENERAL
+
+    If any provision of this Agreement is invalid or unenforceable under
+    applicable law, it shall not affect the validity or enforceability of
+    the remainder of the terms of this Agreement, and without further action
+    by the parties hereto, such provision shall be reformed to the minimum
+    extent necessary to make such provision valid and enforceable.
+
+    If Recipient institutes patent litigation against a Contributor with
+    respect to a patent applicable to software (including a cross-claim or
+    counterclaim in a lawsuit), then any patent licenses granted by that
+    Contributor to such Recipient under this Agreement shall terminate
+    as of the date such litigation is filed.  In addition, If Recipient
+    institutes patent litigation against any entity (including a cross-claim
+    or counterclaim in a lawsuit) alleging that the Program itself (excluding
+    combinations of the Program with other software or hardware) infringes
+    such Recipient's patent(s), then such Recipient's rights granted under
+    Section 2(b) shall terminate as of the date such litigation is filed.
+
+    All Recipient's rights under this Agreement shall terminate if it fails
+    to comply with any of the material terms or conditions of this Agreement
+    and does not cure such failure in a reasonable period of time after
+    becoming aware of such noncompliance.  If all Recipient's rights under
+    this Agreement terminate, Recipient agrees to cease use and distribution
+    of the Program as soon as reasonably practicable.  However, Recipient's
+    obligations under this Agreement and any licenses granted by Recipient
+    relating to the Program shall continue and survive. 
+
+    IBM may publish new versions (including revisions) of this Agreement
+    from time to time.  Each new version of the Agreement will be given a
+    distinguishing version number.  The Program (including Contributions)
+    may always be distributed subject to the version of the Agreement under
+    which it was received. In addition, after a new version of the Agreement
+    is published, Contributor may elect to distribute the Program (including
+    its Contributions) under the new version. No one other than IBM has the
+    right to modify this Agreement.  Except as expressly stated in Sections
+    2(a) and 2(b) above, Recipient receives no rights or licenses to the
+    intellectual property of any Contributor under this Agreement, whether
+    expressly, by implication, estoppel or otherwise.  All rights in the
+    Program not expressly granted under this Agreement are reserved.
+
+    This Agreement is governed by the laws of the State of New York and the
+    intellectual property laws of the United States of America. No party to
+    this Agreement will bring a legal action under this Agreement more than
+    one year after the cause of action arose.  Each party waives its rights
+    to a jury trial in any resulting litigation. 
+
+The following license applies to rmail, distributed with Postfix:
+				 SENDMAIL LICENSE
+
+    The following license terms and conditions apply, unless a different
+    license is obtained from Sendmail, Inc., 1401 Park Avenue, Emeryville, CA
+    94608, or by electronic mail at license at sendmail.com.
+
+    License Terms:
+
+    Use, Modification and Redistribution (including distribution of any
+    modified or derived work) in source and binary forms is permitted only if
+    each of the following conditions is met:
+
+    1. Redistributions qualify as "freeware" or "Open Source Software" under
+       one of the following terms:
+
+       (a) Redistributions are made at no charge beyond the reasonable cost of
+	   materials and delivery.
+
+       (b) Redistributions are accompanied by a copy of the Source Code or by an
+	   irrevocable offer to provide a copy of the Source Code for up to three
+	   years at the cost of materials and delivery.  Such redistributions
+	   must allow further use, modification, and redistribution of the Source
+	   Code under substantially the same terms as this license.  For the
+	   purposes of redistribution "Source Code" means the complete source
+	   code of sendmail including all modifications.
+
+       Other forms of redistribution are allowed only under a separate royalty-
+       free agreement permitting such redistribution subject to standard
+       commercial terms and conditions.  A copy of such agreement may be
+       obtained from Sendmail, Inc. at the above address.
+
+    2. Redistributions of source code must retain the copyright notices as they
+       appear in each source code file, these license terms, and the
+       disclaimer/limitation of liability set forth as paragraph 6 below.
+
+    3. Redistributions in binary form must reproduce the Copyright Notice,
+       these license terms, and the disclaimer/limitation of liability set
+       forth as paragraph 6 below, in the documentation and/or other materials
+       provided with the distribution.  For the purposes of binary distribution
+       the "Copyright Notice" refers to the following language:
+       "Copyright (c) 1998 Sendmail, Inc.  All rights reserved."
+
+    4. Neither the name of Sendmail, Inc. nor the University of California nor
+       the names of their contributors may be used to endorse or promote
+       products derived from this software without specific prior written
+       permission.  The name "sendmail" is a trademark of Sendmail, Inc.
+
+    5. All redistributions must comply with the conditions imposed by the
+       University of California on certain embedded code, whose copyright
+       notice and conditions for redistribution are as follows:
+
+       (a) Copyright (c) 1988, 1993 The Regents of the University of
+	   California.  All rights reserved.
+
+       (b) Redistribution and use in source and binary forms, with or without
+	   modification, are permitted provided that the following conditions
+	   are met:
+
+	  (i)   Redistributions of source code must retain the above copyright
+		notice, this list of conditions and the following disclaimer.
+
+	  (ii)  Redistributions in binary form must reproduce the above
+		copyright notice, this list of conditions and the following
+		disclaimer in the documentation and/or other materials provided
+		with the distribution.
+
+	  (iii) All advertising materials mentioning features or use of this
+		software must display the following acknowledgement:  "This
+		product includes software developed by the University of
+		California, Berkeley and its contributors."
+
+	  (iv)  Neither the name of the University nor the names of its
+		contributors may be used to endorse or promote products derived
+		from this software without specific prior written permission.
+
+    6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY
+       SENDMAIL, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
+       WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+       MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN
+       NO EVENT SHALL SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF
+       CALIFORNIA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+       INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+       NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+       USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+       ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+       (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+       THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+    (Version 8.6, last updated 6/24/1998)

Added: trunk/postfix/debian/postfix-doc.dirs
===================================================================
--- trunk/postfix/debian/postfix-doc.dirs	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-doc.dirs	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,6 @@
+usr/share/doc/postfix
+usr/share/doc/postfix/html
+usr/share/doc/postfix/examples
+usr/share/doc/postfix-doc
+usr/share/doc/postfix-tls
+usr/share/doc/postfix-tls/html
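
Review bot: the last two entries, usr/share/doc/postfix-tls and usr/share/doc/postfix-tls/html, create documentation directories for a separate postfix-tls package inside the postfix-doc package's dirs file. Unless a postfix-tls binary package is still built from this source, dh_installdirs will ship them empty; either drop them, or, if the TLS HTML pages are now installed by postfix-doc, put them under usr/share/doc/postfix/html with the rest of the documentation.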

Added: trunk/postfix/debian/postfix-doc.doc-base
===================================================================
--- trunk/postfix/debian/postfix-doc.doc-base	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-doc.doc-base	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,9 @@
+Document: postfix
+Title: Postfix documentation
+Author: Wietse Venema <wietse at porcupine.org>
+Abstract: This document describes Postfix: how to configure and use it.
+Section: Apps/Mail
+
+Format: HTML
+Index: /usr/share/doc/postfix/html/index.html
+Files: /usr/share/doc/postfix/html/*.html

Added: trunk/postfix/debian/postfix-doc.postinst
===================================================================
--- trunk/postfix/debian/postfix-doc.postinst	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-doc.postinst	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,47 @@
+#! /bin/sh
+# postinst script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <postinst> `configure' <most-recently-configured-version>
+#        * <old-postinst> `abort-upgrade' <new version>
+#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+#          <new-version>
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+#
+# quoting from the policy:
+#     Any necessary prompting should almost always be confined to the
+#     post-installation script, and should be protected with a conditional
+#     so that unnecessary prompting doesn't happen if a package's
+#     installation fails and the `postinst' is called with `abort-upgrade',
+#     `abort-remove' or `abort-deconfigure'.
+
+case "$1" in
+    configure)
+
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+
+    ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 0
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
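
Review bot: in the `*)` branch the script reports an unknown argument and then `exit 0`, so a mis-invoked postinst succeeds silently and dpkg never sees the failure; the debhelper template this is derived from uses `exit 1` there, and that is what it should be. Since the `configure` and `abort-*` cases are both empty, the file adds nothing beyond the `#DEBHELPER#` block, which dh_installdeb generates on its own when no debian/postfix-doc.postinst exists, so the script could be dropped altogether; if it is kept, the two trailing blank lines after the final `exit 0` should go.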

Added: trunk/postfix/debian/postfix-doc.prerm
===================================================================
--- trunk/postfix/debian/postfix-doc.prerm	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-doc.prerm	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,37 @@
+#! /bin/sh
+# prerm script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <prerm> `remove'
+#        * <old-prerm> `upgrade' <new-version>
+#        * <new-prerm> `failed-upgrade' <old-version>
+#        * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
+#        * <deconfigured's-prerm> `deconfigure' `in-favour'
+#          <package-being-installed> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+
+case "$1" in
+    remove|upgrade|deconfigure)
+#       install-info --quiet --remove /usr/info/#PACKAGE#.info.gz
+        ;;
+    failed-upgrade)
+        ;;
+    *)
+        echo "prerm called with unknown argument \`$1'" >&2
+        exit 0
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
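
Review bot: same problem as in the postinst: the unknown-argument branch `exit 0`s after printing an error, which hides a broken invocation from dpkg; use `exit 1`. The commented-out `install-info --quiet --remove /usr/info/#PACKAGE#.info.gz` line is dead template residue (the package ships HTML, not info files) and should be removed rather than left as a comment, and with every case empty this prerm, like the postinst, could simply be omitted and left to dh_installdeb.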

Added: trunk/postfix/debian/postfix-ldap.README.Debian
===================================================================
--- trunk/postfix/debian/postfix-ldap.README.Debian	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-ldap.README.Debian	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,2 @@
+The postfix-doc package contains documentation on how to configure this
+map type.  See /usr/share/doc/postfix/html/LDAP_README.html

Added: trunk/postfix/debian/postfix-ldap.copyright
===================================================================
--- trunk/postfix/debian/postfix-ldap.copyright	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-ldap.copyright	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,324 @@
+This is the Debian GNU/Linux prepackaged version of Postfix, a mail transport
+agent.
+
+Postfix was created by Wietse Venema <wietse at porcupine.org>; the Debian
+package has been assembled by LaMont Jones <lamont at debian.org> from sources
+available from http://www.postfix.org.
+
+    Copyright (c) 1999, International Business Machines Corporation 
+    and others. All Rights Reserved.  
+
+The following copyright and license applies to this software:
+
+    IBM PUBLIC LICENSE VERSION 1.0 6/14/1999 - SECURE MAILER
+
+    THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS IBM PUBLIC
+    LICENSE ("AGREEMENT").  ANY USE, REPRODUCTION OR DISTRIBUTION OF THE
+    PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
+
+    1.  DEFINITIONS
+
+    "Contribution" means:  
+	a) in the case of International Business Machines Corporation ("IBM"), 
+	   the Original Program, and 
+	b) in the case of each Contributor, 
+	   i)  changes to the Program, and
+	   ii) additions to the Program;
+	       where such changes and/or additions to the Program originate
+	       from and are distributed by that particular Contributor.  
+	       A Contribution 'originates' from a Contributor if it was added 
+	       to the Program by such Contributor itself or anyone acting on 
+	       such Contributor's behalf.  
+	Contributions do not include additions to the Program which:
+	   (i)  are separate modules of software distributed in conjunction 
+		with the Program under their own license agreement, and 
+	   (ii) are not derivative works of the Program.
+
+    "Contributor" means IBM and any other entity that distributes the Program.
+
+    "Licensed Patents " mean patent claims licensable by a Contributor which
+    are necessarily infringed by the use or sale of its Contribution alone
+    or when combined with the Program.
+
+    "Original Program" means the original version of the software accompanying
+    this Agreement as released by IBM, including source code, object code
+    and documentation, if any.
+
+    "Program" means the Original Program and Contributions.
+
+    "Recipient" means anyone who receives the Program under this Agreement, 
+    including all Contributors.
+
+    2.  GRANT OF RIGHTS
+
+	a) Subject to the terms of this Agreement, each Contributor hereby
+	grants Recipient a non-exclusive, worldwide, royalty-free copyright
+	license to reproduce, prepare derivative works of, publicly display,
+	publicly perform, distribute and sublicense the Contribution of such
+	Contributor, if any, and such derivative works, in source code and
+	object code form.
+
+	b) Subject to the terms of this Agreement, each Contributor hereby
+	grants Recipient a non-exclusive, worldwide, royalty-free patent
+	license under Licensed Patents to make, use, sell, offer to sell,
+	import and otherwise transfer the Contribution of such Contributor,
+	if any, in source code and object code form.  This patent license
+	shall apply to the combination of the Contribution and the Program
+	if, at the time the Contribution is added by the Contributor, such
+	addition of the Contribution causes such combination to be covered
+	by the Licensed Patents.  The patent license shall not apply to any
+	other combinations which include the Contribution.  No hardware per
+	se is licensed hereunder.
+
+	c) Recipient understands that although each Contributor grants the
+	licenses to its Contributions set forth herein, no assurances are
+	provided by any Contributor that the Program does not infringe the
+	patent or other intellectual property rights of any other entity.
+	Each Contributor disclaims any liability to Recipient for claims
+	brought by any other entity based on infringement of intellectual
+	property rights or otherwise.  As a condition to exercising the rights
+	and licenses granted hereunder, each Recipient hereby assumes sole
+	responsibility to secure any other intellectual property rights
+	needed, if any.  For example, if a third party patent license
+	is required to allow Recipient to distribute the Program, it is
+	Recipient's responsibility to acquire that license before distributing
+	the Program.
+
+	d) Each Contributor represents that to its knowledge it has sufficient
+	copyright rights in its Contribution, if any, to grant the copyright
+	license set forth in this Agreement.
+
+    3.  REQUIREMENTS
+
+    A Contributor may choose to distribute the Program in object code form 
+    under its own license agreement, provided that:
+	a) it complies with the terms and conditions of this Agreement; and
+	b) its license agreement:
+	   i)   effectively disclaims on behalf of all Contributors all
+		warranties and conditions, express and implied, including
+		warranties or conditions of title and non-infringement, and
+		implied warranties or conditions of merchantability and fitness
+		for a particular purpose;
+	   ii)  effectively excludes on behalf of all Contributors all 
+		liability for damages, including direct, indirect, special, 
+		incidental and consequential damages, such as lost profits; 
+	   iii) states that any provisions which differ from this Agreement 
+		are offered by that Contributor alone and not by any other 
+		party; and
+	   iv)  states that source code for the Program is available from 
+		such Contributor, and informs licensees how to obtain it in a 
+		reasonable manner on or through a medium customarily used for 
+		software exchange. 
+
+    When the Program is made available in source code form:
+	a) it must be made available under this Agreement; and 
+	b) a copy of this Agreement must be included with each copy of the 
+	   Program.  
+
+    Each Contributor must include the following in a conspicuous location 
+    in the Program: 
+
+	Copyright (c) {date here}, International Business Machines Corporation 
+	and others. All Rights Reserved.  
+
+    In addition, each Contributor must identify itself as the originator of
+    its Contribution, if any, in a manner that reasonably allows subsequent
+    Recipients to identify the originator of the Contribution. 
+
+    4.  COMMERCIAL DISTRIBUTION
+
+    Commercial distributors of software may accept certain responsibilities
+    with respect to end users, business partners and the like.  While this
+    license is intended to facilitate the commercial use of the Program, the
+    Contributor who includes the Program in a commercial product offering
+    should do so in a manner which does not create potential liability for
+    other Contributors.   Therefore, if a Contributor includes the Program in
+    a commercial product offering, such Contributor ("Commercial Contributor")
+    hereby agrees to defend and indemnify every other Contributor
+    ("Indemnified Contributor") against any losses, damages and costs
+    (collectively "Losses") arising from claims, lawsuits and other legal
+    actions brought by a third party against the Indemnified Contributor to
+    the extent caused by the acts or omissions of such Commercial Contributor
+    in connection with its distribution of the Program in a commercial
+    product offering.  The obligations in this section do not apply to any
+    claims or Losses relating to any actual or alleged intellectual property
+    infringement.  In order to qualify, an Indemnified Contributor must:
+	a) promptly notify the Commercial Contributor in writing of such claim,
+    and 
+	b) allow the Commercial Contributor to control, and cooperate with
+	   the Commercial Contributor in, the defense and any related 
+	   settlement negotiations.  The Indemnified Contributor may 
+	   participate in any such claim at its own expense.
+
+    For example, a Contributor might include the Program in a commercial
+    product offering, Product X.  That Contributor is then a Commercial
+    Contributor.  If that Commercial Contributor then makes performance
+    claims, or offers warranties related to Product X, those performance
+    claims and warranties are such Commercial Contributor's responsibility
+    alone.  Under this section, the Commercial Contributor would have to
+    defend claims against the other Contributors related to those performance
+    claims and warranties, and if a court requires any other Contributor to
+    pay any damages as a result, the Commercial Contributor must pay those
+    damages.
+
+    5.  NO WARRANTY
+
+    EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED
+    ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER
+    EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
+    CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A
+    PARTICULAR PURPOSE. Each Recipient is solely responsible for determining
+    the appropriateness of using and distributing the Program and assumes
+    all risks associated with its exercise of rights under this Agreement,
+    including but not limited to the risks and costs of program errors,
+    compliance with applicable laws, damage to or loss of data, programs or
+    equipment, and unavailability or interruption of operations. 
+
+    6.  DISCLAIMER OF LIABILITY
+
+    EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR
+    ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT,
+    INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING
+    WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
+    LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+    NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION
+    OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF
+    ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+    7.  GENERAL
+
+    If any provision of this Agreement is invalid or unenforceable under
+    applicable law, it shall not affect the validity or enforceability of
+    the remainder of the terms of this Agreement, and without further action
+    by the parties hereto, such provision shall be reformed to the minimum
+    extent necessary to make such provision valid and enforceable.
+
+    If Recipient institutes patent litigation against a Contributor with
+    respect to a patent applicable to software (including a cross-claim or
+    counterclaim in a lawsuit), then any patent licenses granted by that
+    Contributor to such Recipient under this Agreement shall terminate
+    as of the date such litigation is filed.  In addition, If Recipient
+    institutes patent litigation against any entity (including a cross-claim
+    or counterclaim in a lawsuit) alleging that the Program itself (excluding
+    combinations of the Program with other software or hardware) infringes
+    such Recipient's patent(s), then such Recipient's rights granted under
+    Section 2(b) shall terminate as of the date such litigation is filed.
+
+    All Recipient's rights under this Agreement shall terminate if it fails
+    to comply with any of the material terms or conditions of this Agreement
+    and does not cure such failure in a reasonable period of time after
+    becoming aware of such noncompliance.  If all Recipient's rights under
+    this Agreement terminate, Recipient agrees to cease use and distribution
+    of the Program as soon as reasonably practicable.  However, Recipient's
+    obligations under this Agreement and any licenses granted by Recipient
+    relating to the Program shall continue and survive. 
+
+    IBM may publish new versions (including revisions) of this Agreement
+    from time to time.  Each new version of the Agreement will be given a
+    distinguishing version number.  The Program (including Contributions)
+    may always be distributed subject to the version of the Agreement under
+    which it was received. In addition, after a new version of the Agreement
+    is published, Contributor may elect to distribute the Program (including
+    its Contributions) under the new version. No one other than IBM has the
+    right to modify this Agreement.  Except as expressly stated in Sections
+    2(a) and 2(b) above, Recipient receives no rights or licenses to the
+    intellectual property of any Contributor under this Agreement, whether
+    expressly, by implication, estoppel or otherwise.  All rights in the
+    Program not expressly granted under this Agreement are reserved.
+
+    This Agreement is governed by the laws of the State of New York and the
+    intellectual property laws of the United States of America. No party to
+    this Agreement will bring a legal action under this Agreement more than
+    one year after the cause of action arose.  Each party waives its rights
+    to a jury trial in any resulting litigation. 
+
+The following license applies to rmail, distributed with Postfix:
+				 SENDMAIL LICENSE
+
+    The following license terms and conditions apply, unless a different
+    license is obtained from Sendmail, Inc., 1401 Park Avenue, Emeryville, CA
+    94608, or by electronic mail at license at sendmail.com.
+
+    License Terms:
+
+    Use, Modification and Redistribution (including distribution of any
+    modified or derived work) in source and binary forms is permitted only if
+    each of the following conditions is met:
+
+    1. Redistributions qualify as "freeware" or "Open Source Software" under
+       one of the following terms:
+
+       (a) Redistributions are made at no charge beyond the reasonable cost of
+	   materials and delivery.
+
+       (b) Redistributions are accompanied by a copy of the Source Code or by an
+	   irrevocable offer to provide a copy of the Source Code for up to three
+	   years at the cost of materials and delivery.  Such redistributions
+	   must allow further use, modification, and redistribution of the Source
+	   Code under substantially the same terms as this license.  For the
+	   purposes of redistribution "Source Code" means the complete source
+	   code of sendmail including all modifications.
+
+       Other forms of redistribution are allowed only under a separate royalty-
+       free agreement permitting such redistribution subject to standard
+       commercial terms and conditions.  A copy of such agreement may be
+       obtained from Sendmail, Inc. at the above address.
+
+    2. Redistributions of source code must retain the copyright notices as they
+       appear in each source code file, these license terms, and the
+       disclaimer/limitation of liability set forth as paragraph 6 below.
+
+    3. Redistributions in binary form must reproduce the Copyright Notice,
+       these license terms, and the disclaimer/limitation of liability set
+       forth as paragraph 6 below, in the documentation and/or other materials
+       provided with the distribution.  For the purposes of binary distribution
+       the "Copyright Notice" refers to the following language:
+       "Copyright (c) 1998 Sendmail, Inc.  All rights reserved."
+
+    4. Neither the name of Sendmail, Inc. nor the University of California nor
+       the names of their contributors may be used to endorse or promote
+       products derived from this software without specific prior written
+       permission.  The name "sendmail" is a trademark of Sendmail, Inc.
+
+    5. All redistributions must comply with the conditions imposed by the
+       University of California on certain embedded code, whose copyright
+       notice and conditions for redistribution are as follows:
+
+       (a) Copyright (c) 1988, 1993 The Regents of the University of
+	   California.  All rights reserved.
+
+       (b) Redistribution and use in source and binary forms, with or without
+	   modification, are permitted provided that the following conditions
+	   are met:
+
+	  (i)   Redistributions of source code must retain the above copyright
+		notice, this list of conditions and the following disclaimer.
+
+	  (ii)  Redistributions in binary form must reproduce the above
+		copyright notice, this list of conditions and the following
+		disclaimer in the documentation and/or other materials provided
+		with the distribution.
+
+	  (iii) All advertising materials mentioning features or use of this
+		software must display the following acknowledgement:  "This
+		product includes software developed by the University of
+		California, Berkeley and its contributors."
+
+	  (iv)  Neither the name of the University nor the names of its
+		contributors may be used to endorse or promote products derived
+		from this software without specific prior written permission.
+
+    6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY
+       SENDMAIL, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
+       WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+       MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN
+       NO EVENT SHALL SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF
+       CALIFORNIA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+       INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+       NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+       USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+       ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+       (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+       THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+    (Version 8.6, last updated 6/24/1998)
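
Review bot: this 324-line file is a verbatim copy of the copyright text in the preceding hunk and of postfix-mysql.copyright below, down to the trailing whitespace on the "shall continue and survive." and "jury trial" lines. Keeping one debian/copyright and letting dh_installdocs install it into every binary package avoids three copies drifting apart the next time the IBM or Sendmail text is corrected; if per-package files are really needed, generate them from the single source at build time instead of committing the duplicates.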

Added: trunk/postfix/debian/postfix-ldap.dirs
===================================================================
--- trunk/postfix/debian/postfix-ldap.dirs	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-ldap.dirs	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1 @@
+usr/lib/postfix

Added: trunk/postfix/debian/postfix-ldap.files
===================================================================
--- trunk/postfix/debian/postfix-ldap.files	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-ldap.files	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1 @@
+usr/lib/postfix/dict_ldap.so

Added: trunk/postfix/debian/postfix-ldap.postinst
===================================================================
--- trunk/postfix/debian/postfix-ldap.postinst	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-ldap.postinst	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,49 @@
+#! /bin/sh
+# postinst script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <postinst> `configure' <most-recently-configured-version>
+#        * <old-postinst> `abort-upgrade' <new version>
+#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+#          <new-version>
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+#
+# quoting from the policy:
+#     Any necessary prompting should almost always be confined to the
+#     post-installation script, and should be protected with a conditional
+#     so that unnecessary prompting doesn't happen if a package's
+#     installation fails and the `postinst' is called with `abort-upgrade',
+#     `abort-remove' or `abort-deconfigure'.
+
+. /usr/share/postfix/postinst.functions
+
+case "$1" in
+    configure)
+	addmap ldap
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+
+    ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 0
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
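
Review bot: `. /usr/share/postfix/postinst.functions` is sourced unconditionally under `set -e`, so if that file is absent (postfix not yet configured, or an older postfix that does not ship it) the postinst aborts with a bare "file not found" rather than a useful message. Make sure debian/control declares `Depends: postfix (>= <the version that ships postinst.functions>)` for postfix-ldap, and consider guarding the source with a `[ -r /usr/share/postfix/postinst.functions ] || { echo ... >&2; exit 1; }` so the failure is explicit. The `*)` branch has the same `exit 0` after an unknown argument as the other scripts and should `exit 1`.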

Added: trunk/postfix/debian/postfix-ldap.prerm
===================================================================
--- trunk/postfix/debian/postfix-ldap.prerm	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-ldap.prerm	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,37 @@
+#! /bin/sh
+# prerm script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <prerm> `remove'
+#        * <old-prerm> `upgrade' <new-version>
+#        * <new-prerm> `failed-upgrade' <old-version>
+#        * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
+#        * <deconfigured's-prerm> `deconfigure' `in-favour'
+#          <package-being-installed> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+
+case "$1" in
+    remove|upgrade|deconfigure)
+#       install-info --quiet --remove /usr/info/#PACKAGE#.info.gz
+        ;;
+    failed-upgrade)
+        ;;
+    *)
+        echo "prerm called with unknown argument \`$1'" >&2
+        exit 0
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
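
Review bot: the `remove|upgrade|deconfigure` case does nothing to undo the `addmap ldap` registration that postfix-ldap.postinst performs, so purging the package removes usr/lib/postfix/dict_ldap.so but leaves the ldap map type registered, and postfix will later fail to load a module that no longer exists. The `remove` case should unregister the map with the matching removal helper from /usr/share/postfix/postinst.functions (assuming one exists alongside `addmap`; if not, one is needed), and like the postinst it must source that file first. The commented-out install-info line and the `exit 0` on an unknown argument are the same template leftovers noted on the postfix-doc scripts.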

Added: trunk/postfix/debian/postfix-mysql.README.Debian
===================================================================
--- trunk/postfix/debian/postfix-mysql.README.Debian	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-mysql.README.Debian	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,2 @@
+The postfix-doc package contains documentation on how to configure this
+map type.  See /usr/share/doc/postfix/html/MYSQL_README.html

Added: trunk/postfix/debian/postfix-mysql.copyright
===================================================================
--- trunk/postfix/debian/postfix-mysql.copyright	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-mysql.copyright	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,324 @@
+This is the Debian GNU/Linux prepackaged version of Postfix, a mail transport
+agent.
+
+Postfix was created by Wietse Venema <wietse at porcupine.org>; the Debian
+package has been assembled by LaMont Jones <lamont at debian.org> from sources
+available from http://www.postfix.org.
+
+    Copyright (c) 1999, International Business Machines Corporation 
+    and others. All Rights Reserved.  
+
+The following copyright and license applies to this software:
+
+    IBM PUBLIC LICENSE VERSION 1.0 6/14/1999 - SECURE MAILER
+
+    THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS IBM PUBLIC
+    LICENSE ("AGREEMENT").  ANY USE, REPRODUCTION OR DISTRIBUTION OF THE
+    PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
+
+    1.  DEFINITIONS
+
+    "Contribution" means:  
+	a) in the case of International Business Machines Corporation ("IBM"), 
+	   the Original Program, and 
+	b) in the case of each Contributor, 
+	   i)  changes to the Program, and
+	   ii) additions to the Program;
+	       where such changes and/or additions to the Program originate
+	       from and are distributed by that particular Contributor.  
+	       A Contribution 'originates' from a Contributor if it was added 
+	       to the Program by such Contributor itself or anyone acting on 
+	       such Contributor's behalf.  
+	Contributions do not include additions to the Program which:
+	   (i)  are separate modules of software distributed in conjunction 
+		with the Program under their own license agreement, and 
+	   (ii) are not derivative works of the Program.
+
+    "Contributor" means IBM and any other entity that distributes the Program.
+
+    "Licensed Patents " mean patent claims licensable by a Contributor which
+    are necessarily infringed by the use or sale of its Contribution alone
+    or when combined with the Program.
+
+    "Original Program" means the original version of the software accompanying
+    this Agreement as released by IBM, including source code, object code
+    and documentation, if any.
+
+    "Program" means the Original Program and Contributions.
+
+    "Recipient" means anyone who receives the Program under this Agreement, 
+    including all Contributors.
+
+    2.  GRANT OF RIGHTS
+
+	a) Subject to the terms of this Agreement, each Contributor hereby
+	grants Recipient a non-exclusive, worldwide, royalty-free copyright
+	license to reproduce, prepare derivative works of, publicly display,
+	publicly perform, distribute and sublicense the Contribution of such
+	Contributor, if any, and such derivative works, in source code and
+	object code form.
+
+	b) Subject to the terms of this Agreement, each Contributor hereby
+	grants Recipient a non-exclusive, worldwide, royalty-free patent
+	license under Licensed Patents to make, use, sell, offer to sell,
+	import and otherwise transfer the Contribution of such Contributor,
+	if any, in source code and object code form.  This patent license
+	shall apply to the combination of the Contribution and the Program
+	if, at the time the Contribution is added by the Contributor, such
+	addition of the Contribution causes such combination to be covered
+	by the Licensed Patents.  The patent license shall not apply to any
+	other combinations which include the Contribution.  No hardware per
+	se is licensed hereunder.
+
+	c) Recipient understands that although each Contributor grants the
+	licenses to its Contributions set forth herein, no assurances are
+	provided by any Contributor that the Program does not infringe the
+	patent or other intellectual property rights of any other entity.
+	Each Contributor disclaims any liability to Recipient for claims
+	brought by any other entity based on infringement of intellectual
+	property rights or otherwise.  As a condition to exercising the rights
+	and licenses granted hereunder, each Recipient hereby assumes sole
+	responsibility to secure any other intellectual property rights
+	needed, if any.  For example, if a third party patent license
+	is required to allow Recipient to distribute the Program, it is
+	Recipient's responsibility to acquire that license before distributing
+	the Program.
+
+	d) Each Contributor represents that to its knowledge it has sufficient
+	copyright rights in its Contribution, if any, to grant the copyright
+	license set forth in this Agreement.
+
+    3.  REQUIREMENTS
+
+    A Contributor may choose to distribute the Program in object code form 
+    under its own license agreement, provided that:
+	a) it complies with the terms and conditions of this Agreement; and
+	b) its license agreement:
+	   i)   effectively disclaims on behalf of all Contributors all
+		warranties and conditions, express and implied, including
+		warranties or conditions of title and non-infringement, and
+		implied warranties or conditions of merchantability and fitness
+		for a particular purpose;
+	   ii)  effectively excludes on behalf of all Contributors all 
+		liability for damages, including direct, indirect, special, 
+		incidental and consequential damages, such as lost profits; 
+	   iii) states that any provisions which differ from this Agreement 
+		are offered by that Contributor alone and not by any other 
+		party; and
+	   iv)  states that source code for the Program is available from 
+		such Contributor, and informs licensees how to obtain it in a 
+		reasonable manner on or through a medium customarily used for 
+		software exchange. 
+
+    When the Program is made available in source code form:
+	a) it must be made available under this Agreement; and 
+	b) a copy of this Agreement must be included with each copy of the 
+	   Program.  
+
+    Each Contributor must include the following in a conspicuous location 
+    in the Program: 
+
+	Copyright (c) {date here}, International Business Machines Corporation 
+	and others. All Rights Reserved.  
+
+    In addition, each Contributor must identify itself as the originator of
+    its Contribution, if any, in a manner that reasonably allows subsequent
+    Recipients to identify the originator of the Contribution. 
+
+    4.  COMMERCIAL DISTRIBUTION
+
+    Commercial distributors of software may accept certain responsibilities
+    with respect to end users, business partners and the like.  While this
+    license is intended to facilitate the commercial use of the Program, the
+    Contributor who includes the Program in a commercial product offering
+    should do so in a manner which does not create potential liability for
+    other Contributors.   Therefore, if a Contributor includes the Program in
+    a commercial product offering, such Contributor ("Commercial Contributor")
+    hereby agrees to defend and indemnify every other Contributor
+    ("Indemnified Contributor") against any losses, damages and costs
+    (collectively "Losses") arising from claims, lawsuits and other legal
+    actions brought by a third party against the Indemnified Contributor to
+    the extent caused by the acts or omissions of such Commercial Contributor
+    in connection with its distribution of the Program in a commercial
+    product offering.  The obligations in this section do not apply to any
+    claims or Losses relating to any actual or alleged intellectual property
+    infringement.  In order to qualify, an Indemnified Contributor must:
+	a) promptly notify the Commercial Contributor in writing of such claim,
+    and 
+	b) allow the Commercial Contributor to control, and cooperate with
+	   the Commercial Contributor in, the defense and any related 
+	   settlement negotiations.  The Indemnified Contributor may 
+	   participate in any such claim at its own expense.
+
+    For example, a Contributor might include the Program in a commercial
+    product offering, Product X.  That Contributor is then a Commercial
+    Contributor.  If that Commercial Contributor then makes performance
+    claims, or offers warranties related to Product X, those performance
+    claims and warranties are such Commercial Contributor's responsibility
+    alone.  Under this section, the Commercial Contributor would have to
+    defend claims against the other Contributors related to those performance
+    claims and warranties, and if a court requires any other Contributor to
+    pay any damages as a result, the Commercial Contributor must pay those
+    damages.
+
+    5.  NO WARRANTY
+
+    EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED
+    ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER
+    EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
+    CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A
+    PARTICULAR PURPOSE. Each Recipient is solely responsible for determining
+    the appropriateness of using and distributing the Program and assumes
+    all risks associated with its exercise of rights under this Agreement,
+    including but not limited to the risks and costs of program errors,
+    compliance with applicable laws, damage to or loss of data, programs or
+    equipment, and unavailability or interruption of operations. 
+
+    6.  DISCLAIMER OF LIABILITY
+
+    EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR
+    ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT,
+    INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING
+    WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
+    LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+    NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION
+    OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF
+    ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+    7.  GENERAL
+
+    If any provision of this Agreement is invalid or unenforceable under
+    applicable law, it shall not affect the validity or enforceability of
+    the remainder of the terms of this Agreement, and without further action
+    by the parties hereto, such provision shall be reformed to the minimum
+    extent necessary to make such provision valid and enforceable.
+
+    If Recipient institutes patent litigation against a Contributor with
+    respect to a patent applicable to software (including a cross-claim or
+    counterclaim in a lawsuit), then any patent licenses granted by that
+    Contributor to such Recipient under this Agreement shall terminate
+    as of the date such litigation is filed.  In addition, If Recipient
+    institutes patent litigation against any entity (including a cross-claim
+    or counterclaim in a lawsuit) alleging that the Program itself (excluding
+    combinations of the Program with other software or hardware) infringes
+    such Recipient's patent(s), then such Recipient's rights granted under
+    Section 2(b) shall terminate as of the date such litigation is filed.
+
+    All Recipient's rights under this Agreement shall terminate if it fails
+    to comply with any of the material terms or conditions of this Agreement
+    and does not cure such failure in a reasonable period of time after
+    becoming aware of such noncompliance.  If all Recipient's rights under
+    this Agreement terminate, Recipient agrees to cease use and distribution
+    of the Program as soon as reasonably practicable.  However, Recipient's
+    obligations under this Agreement and any licenses granted by Recipient
+    relating to the Program shall continue and survive. 
+
+    IBM may publish new versions (including revisions) of this Agreement
+    from time to time.  Each new version of the Agreement will be given a
+    distinguishing version number.  The Program (including Contributions)
+    may always be distributed subject to the version of the Agreement under
+    which it was received. In addition, after a new version of the Agreement
+    is published, Contributor may elect to distribute the Program (including
+    its Contributions) under the new version. No one other than IBM has the
+    right to modify this Agreement.  Except as expressly stated in Sections
+    2(a) and 2(b) above, Recipient receives no rights or licenses to the
+    intellectual property of any Contributor under this Agreement, whether
+    expressly, by implication, estoppel or otherwise.  All rights in the
+    Program not expressly granted under this Agreement are reserved.
+
+    This Agreement is governed by the laws of the State of New York and the
+    intellectual property laws of the United States of America. No party to
+    this Agreement will bring a legal action under this Agreement more than
+    one year after the cause of action arose.  Each party waives its rights
+    to a jury trial in any resulting litigation. 
+
+The following license applies to rmail, distributed with Postfix:
+				 SENDMAIL LICENSE
+
+    The following license terms and conditions apply, unless a different
+    license is obtained from Sendmail, Inc., 1401 Park Avenue, Emeryville, CA
+    94608, or by electronic mail at license at sendmail.com.
+
+    License Terms:
+
+    Use, Modification and Redistribution (including distribution of any
+    modified or derived work) in source and binary forms is permitted only if
+    each of the following conditions is met:
+
+    1. Redistributions qualify as "freeware" or "Open Source Software" under
+       one of the following terms:
+
+       (a) Redistributions are made at no charge beyond the reasonable cost of
+	   materials and delivery.
+
+       (b) Redistributions are accompanied by a copy of the Source Code or by an
+	   irrevocable offer to provide a copy of the Source Code for up to three
+	   years at the cost of materials and delivery.  Such redistributions
+	   must allow further use, modification, and redistribution of the Source
+	   Code under substantially the same terms as this license.  For the
+	   purposes of redistribution "Source Code" means the complete source
+	   code of sendmail including all modifications.
+
+       Other forms of redistribution are allowed only under a separate royalty-
+       free agreement permitting such redistribution subject to standard
+       commercial terms and conditions.  A copy of such agreement may be
+       obtained from Sendmail, Inc. at the above address.
+
+    2. Redistributions of source code must retain the copyright notices as they
+       appear in each source code file, these license terms, and the
+       disclaimer/limitation of liability set forth as paragraph 6 below.
+
+    3. Redistributions in binary form must reproduce the Copyright Notice,
+       these license terms, and the disclaimer/limitation of liability set
+       forth as paragraph 6 below, in the documentation and/or other materials
+       provided with the distribution.  For the purposes of binary distribution
+       the "Copyright Notice" refers to the following language:
+       "Copyright (c) 1998 Sendmail, Inc.  All rights reserved."
+
+    4. Neither the name of Sendmail, Inc. nor the University of California nor
+       the names of their contributors may be used to endorse or promote
+       products derived from this software without specific prior written
+       permission.  The name "sendmail" is a trademark of Sendmail, Inc.
+
+    5. All redistributions must comply with the conditions imposed by the
+       University of California on certain embedded code, whose copyright
+       notice and conditions for redistribution are as follows:
+
+       (a) Copyright (c) 1988, 1993 The Regents of the University of
+	   California.  All rights reserved.
+
+       (b) Redistribution and use in source and binary forms, with or without
+	   modification, are permitted provided that the following conditions
+	   are met:
+
+	  (i)   Redistributions of source code must retain the above copyright
+		notice, this list of conditions and the following disclaimer.
+
+	  (ii)  Redistributions in binary form must reproduce the above
+		copyright notice, this list of conditions and the following
+		disclaimer in the documentation and/or other materials provided
+		with the distribution.
+
+	  (iii) All advertising materials mentioning features or use of this
+		software must display the following acknowledgement:  "This
+		product includes software developed by the University of
+		California, Berkeley and its contributors."
+
+	  (iv)  Neither the name of the University nor the names of its
+		contributors may be used to endorse or promote products derived
+		from this software without specific prior written permission.
+
+    6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY
+       SENDMAIL, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
+       WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+       MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN
+       NO EVENT SHALL SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF
+       CALIFORNIA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+       INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+       NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+       USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+       ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+       (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+       THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+    (Version 8.6, last updated 6/24/1998)
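Review bot: this 324-line copyright file is byte-for-byte the same text that is added again below as postfix-pcre.copyright, and debhelper's dh_installdocs already installs debian/copyright into every binary package that has no <package>.copyright of its own, so per-package copies are only warranted when the text actually differs; dropping the duplicates removes the usual drift between copies. If a dedicated file is kept for postfix-mysql, it should also say something about the licence of whatever MySQL client library dict_mysql.so is built against, because the text as written covers only Postfix itself (IBM Public License) and rmail (Sendmail license). The header credits the Debian packaging to LaMont Jones alone; if this tree modifies that packaging, the modifier should be named here as well.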

Added: trunk/postfix/debian/postfix-mysql.dirs
===================================================================
--- trunk/postfix/debian/postfix-mysql.dirs	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-mysql.dirs	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1 @@
+usr/lib/postfix
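Review bot: the usr/lib/postfix entry is redundant: moving usr/lib/postfix/dict_mysql.so into the package (postfix-mysql.files) creates that directory, and a .dirs file is only needed for directories that would otherwise be empty. Harmless, but it is one more file to keep in step with the .files list.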

Added: trunk/postfix/debian/postfix-mysql.files
===================================================================
--- trunk/postfix/debian/postfix-mysql.files	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-mysql.files	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1 @@
+usr/lib/postfix/dict_mysql.so
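Review bot: a .files list drives dh_movefiles, which relocates the entry out of debian/tmp and is the older, discouraged mechanism; the idiomatic replacement is a postfix-mysql.install file for dh_install, which copies rather than moves (so the main package's file set does not depend on the order the helpers run) and still fails loudly when the path does not exist. Converting now, while the packaging is new, is cheaper than later.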

Added: trunk/postfix/debian/postfix-mysql.postinst
===================================================================
--- trunk/postfix/debian/postfix-mysql.postinst	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-mysql.postinst	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,49 @@
+#! /bin/sh
+# postinst script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <postinst> `configure' <most-recently-configured-version>
+#        * <old-postinst> `abort-upgrade' <new version>
+#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+#          <new-version>
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+#
+# quoting from the policy:
+#     Any necessary prompting should almost always be confined to the
+#     post-installation script, and should be protected with a conditional
+#     so that unnecessary prompting doesn't happen if a package's
+#     installation fails and the `postinst' is called with `abort-upgrade',
+#     `abort-remove' or `abort-deconfigure'.
+
+. /usr/share/postfix/postinst.functions
+
+case "$1" in
+    configure)
+	addmap mysql
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+
+    ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 0
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
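Review bot: `addmap mysql` runs on every `configure`, which dpkg invokes on each upgrade and reconfigure as well as on first install, so the helper sourced from /usr/share/postfix/postinst.functions has to be idempotent (it must not register the mysql type a second time in the dynamic maps table); this script does not guard against that, so please confirm the helper does. Two smaller points: the `*)` branch prints "postinst called with unknown argument" and then `exit 0`, which reports success for a misuse; the dh_make template this was copied from uses `exit 1` so dpkg notices. And the functions file is sourced before the `case`, so under `set -e` every invocation, including the abort-* ones that do nothing, aborts if that file is missing; sourcing it inside the `configure` branch limits the exposure.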

Added: trunk/postfix/debian/postfix-mysql.prerm
===================================================================
--- trunk/postfix/debian/postfix-mysql.prerm	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-mysql.prerm	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,37 @@
+#! /bin/sh
+# prerm script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <prerm> `remove'
+#        * <old-prerm> `upgrade' <new-version>
+#        * <new-prerm> `failed-upgrade' <old-version>
+#        * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
+#        * <deconfigured's-prerm> `deconfigure' `in-favour'
+#          <package-being-installed> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+
+case "$1" in
+    remove|upgrade|deconfigure)
+#       install-info --quiet --remove /usr/info/#PACKAGE#.info.gz
+        ;;
+    failed-upgrade)
+        ;;
+    *)
+        echo "prerm called with unknown argument \`$1'" >&2
+        exit 0
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
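Review bot: nothing in this prerm undoes what the postinst does. `configure` calls `addmap mysql`, but the `remove|upgrade|deconfigure` branch here carries only a commented-out install-info line, so after `dpkg -r postfix-mysql` the mysql map type stays registered while usr/lib/postfix/dict_mysql.so is gone, and Postfix is left pointing at a dictionary type it can no longer load. The `remove` case should source /usr/share/postfix/postinst.functions and call the matching de-registration helper (`delmap mysql`, if the functions file provides one), and it must do so only on `remove`, not on `upgrade`, or every upgrade would momentarily drop the map type. The dead install-info comment can go, and the `exit 0` on an unknown argument should be `exit 1`, as in the postinst.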

Added: trunk/postfix/debian/postfix-pcre.README.Debian
===================================================================
--- trunk/postfix/debian/postfix-pcre.README.Debian	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-pcre.README.Debian	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,2 @@
+The postfix-doc package contains documentation on how to configure this
+map type.  See /usr/share/doc/postfix/html/PCRE_README.html

Added: trunk/postfix/debian/postfix-pcre.copyright
===================================================================
--- trunk/postfix/debian/postfix-pcre.copyright	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-pcre.copyright	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,324 @@
+This is the Debian GNU/Linux prepackaged version of Postfix, a mail transport
+agent.
+
+Postfix was created by Wietse Venema <wietse at porcupine.org>; the Debian
+package has been assembled by LaMont Jones <lamont at debian.org> from sources
+available from http://www.postfix.org.
+
+    Copyright (c) 1999, International Business Machines Corporation 
+    and others. All Rights Reserved.  
+
+The following copyright and license applies to this software:
+
+    IBM PUBLIC LICENSE VERSION 1.0 6/14/1999 - SECURE MAILER
+
+    THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS IBM PUBLIC
+    LICENSE ("AGREEMENT").  ANY USE, REPRODUCTION OR DISTRIBUTION OF THE
+    PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
+
+    1.  DEFINITIONS
+
+    "Contribution" means:  
+	a) in the case of International Business Machines Corporation ("IBM"), 
+	   the Original Program, and 
+	b) in the case of each Contributor, 
+	   i)  changes to the Program, and
+	   ii) additions to the Program;
+	       where such changes and/or additions to the Program originate
+	       from and are distributed by that particular Contributor.  
+	       A Contribution 'originates' from a Contributor if it was added 
+	       to the Program by such Contributor itself or anyone acting on 
+	       such Contributor's behalf.  
+	Contributions do not include additions to the Program which:
+	   (i)  are separate modules of software distributed in conjunction 
+		with the Program under their own license agreement, and 
+	   (ii) are not derivative works of the Program.
+
+    "Contributor" means IBM and any other entity that distributes the Program.
+
+    "Licensed Patents " mean patent claims licensable by a Contributor which
+    are necessarily infringed by the use or sale of its Contribution alone
+    or when combined with the Program.
+
+    "Original Program" means the original version of the software accompanying
+    this Agreement as released by IBM, including source code, object code
+    and documentation, if any.
+
+    "Program" means the Original Program and Contributions.
+
+    "Recipient" means anyone who receives the Program under this Agreement, 
+    including all Contributors.
+
+    2.  GRANT OF RIGHTS
+
+	a) Subject to the terms of this Agreement, each Contributor hereby
+	grants Recipient a non-exclusive, worldwide, royalty-free copyright
+	license to reproduce, prepare derivative works of, publicly display,
+	publicly perform, distribute and sublicense the Contribution of such
+	Contributor, if any, and such derivative works, in source code and
+	object code form.
+
+	b) Subject to the terms of this Agreement, each Contributor hereby
+	grants Recipient a non-exclusive, worldwide, royalty-free patent
+	license under Licensed Patents to make, use, sell, offer to sell,
+	import and otherwise transfer the Contribution of such Contributor,
+	if any, in source code and object code form.  This patent license
+	shall apply to the combination of the Contribution and the Program
+	if, at the time the Contribution is added by the Contributor, such
+	addition of the Contribution causes such combination to be covered
+	by the Licensed Patents.  The patent license shall not apply to any
+	other combinations which include the Contribution.  No hardware per
+	se is licensed hereunder.
+
+	c) Recipient understands that although each Contributor grants the
+	licenses to its Contributions set forth herein, no assurances are
+	provided by any Contributor that the Program does not infringe the
+	patent or other intellectual property rights of any other entity.
+	Each Contributor disclaims any liability to Recipient for claims
+	brought by any other entity based on infringement of intellectual
+	property rights or otherwise.  As a condition to exercising the rights
+	and licenses granted hereunder, each Recipient hereby assumes sole
+	responsibility to secure any other intellectual property rights
+	needed, if any.  For example, if a third party patent license
+	is required to allow Recipient to distribute the Program, it is
+	Recipient's responsibility to acquire that license before distributing
+	the Program.
+
+	d) Each Contributor represents that to its knowledge it has sufficient
+	copyright rights in its Contribution, if any, to grant the copyright
+	license set forth in this Agreement.
+
+    3.  REQUIREMENTS
+
+    A Contributor may choose to distribute the Program in object code form 
+    under its own license agreement, provided that:
+	a) it complies with the terms and conditions of this Agreement; and
+	b) its license agreement:
+	   i)   effectively disclaims on behalf of all Contributors all
+		warranties and conditions, express and implied, including
+		warranties or conditions of title and non-infringement, and
+		implied warranties or conditions of merchantability and fitness
+		for a particular purpose;
+	   ii)  effectively excludes on behalf of all Contributors all 
+		liability for damages, including direct, indirect, special, 
+		incidental and consequential damages, such as lost profits; 
+	   iii) states that any provisions which differ from this Agreement 
+		are offered by that Contributor alone and not by any other 
+		party; and
+	   iv)  states that source code for the Program is available from 
+		such Contributor, and informs licensees how to obtain it in a 
+		reasonable manner on or through a medium customarily used for 
+		software exchange. 
+
+    When the Program is made available in source code form:
+	a) it must be made available under this Agreement; and 
+	b) a copy of this Agreement must be included with each copy of the 
+	   Program.  
+
+    Each Contributor must include the following in a conspicuous location 
+    in the Program: 
+
+	Copyright (c) {date here}, International Business Machines Corporation 
+	and others. All Rights Reserved.  
+
+    In addition, each Contributor must identify itself as the originator of
+    its Contribution, if any, in a manner that reasonably allows subsequent
+    Recipients to identify the originator of the Contribution. 
+
+    4.  COMMERCIAL DISTRIBUTION
+
+    Commercial distributors of software may accept certain responsibilities
+    with respect to end users, business partners and the like.  While this
+    license is intended to facilitate the commercial use of the Program, the
+    Contributor who includes the Program in a commercial product offering
+    should do so in a manner which does not create potential liability for
+    other Contributors.   Therefore, if a Contributor includes the Program in
+    a commercial product offering, such Contributor ("Commercial Contributor")
+    hereby agrees to defend and indemnify every other Contributor
+    ("Indemnified Contributor") against any losses, damages and costs
+    (collectively "Losses") arising from claims, lawsuits and other legal
+    actions brought by a third party against the Indemnified Contributor to
+    the extent caused by the acts or omissions of such Commercial Contributor
+    in connection with its distribution of the Program in a commercial
+    product offering.  The obligations in this section do not apply to any
+    claims or Losses relating to any actual or alleged intellectual property
+    infringement.  In order to qualify, an Indemnified Contributor must:
+	a) promptly notify the Commercial Contributor in writing of such claim,
+    and 
+	b) allow the Commercial Contributor to control, and cooperate with
+	   the Commercial Contributor in, the defense and any related 
+	   settlement negotiations.  The Indemnified Contributor may 
+	   participate in any such claim at its own expense.
+
+    For example, a Contributor might include the Program in a commercial
+    product offering, Product X.  That Contributor is then a Commercial
+    Contributor.  If that Commercial Contributor then makes performance
+    claims, or offers warranties related to Product X, those performance
+    claims and warranties are such Commercial Contributor's responsibility
+    alone.  Under this section, the Commercial Contributor would have to
+    defend claims against the other Contributors related to those performance
+    claims and warranties, and if a court requires any other Contributor to
+    pay any damages as a result, the Commercial Contributor must pay those
+    damages.
+
+    5.  NO WARRANTY
+
+    EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED
+    ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER
+    EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
+    CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A
+    PARTICULAR PURPOSE. Each Recipient is solely responsible for determining
+    the appropriateness of using and distributing the Program and assumes
+    all risks associated with its exercise of rights under this Agreement,
+    including but not limited to the risks and costs of program errors,
+    compliance with applicable laws, damage to or loss of data, programs or
+    equipment, and unavailability or interruption of operations. 
+
+    6.  DISCLAIMER OF LIABILITY
+
+    EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR
+    ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT,
+    INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING
+    WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
+    LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+    NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION
+    OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF
+    ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+    7.  GENERAL
+
+    If any provision of this Agreement is invalid or unenforceable under
+    applicable law, it shall not affect the validity or enforceability of
+    the remainder of the terms of this Agreement, and without further action
+    by the parties hereto, such provision shall be reformed to the minimum
+    extent necessary to make such provision valid and enforceable.
+
+    If Recipient institutes patent litigation against a Contributor with
+    respect to a patent applicable to software (including a cross-claim or
+    counterclaim in a lawsuit), then any patent licenses granted by that
+    Contributor to such Recipient under this Agreement shall terminate
+    as of the date such litigation is filed.  In addition, If Recipient
+    institutes patent litigation against any entity (including a cross-claim
+    or counterclaim in a lawsuit) alleging that the Program itself (excluding
+    combinations of the Program with other software or hardware) infringes
+    such Recipient's patent(s), then such Recipient's rights granted under
+    Section 2(b) shall terminate as of the date such litigation is filed.
+
+    All Recipient's rights under this Agreement shall terminate if it fails
+    to comply with any of the material terms or conditions of this Agreement
+    and does not cure such failure in a reasonable period of time after
+    becoming aware of such noncompliance.  If all Recipient's rights under
+    this Agreement terminate, Recipient agrees to cease use and distribution
+    of the Program as soon as reasonably practicable.  However, Recipient's
+    obligations under this Agreement and any licenses granted by Recipient
+    relating to the Program shall continue and survive. 
+
+    IBM may publish new versions (including revisions) of this Agreement
+    from time to time.  Each new version of the Agreement will be given a
+    distinguishing version number.  The Program (including Contributions)
+    may always be distributed subject to the version of the Agreement under
+    which it was received. In addition, after a new version of the Agreement
+    is published, Contributor may elect to distribute the Program (including
+    its Contributions) under the new version. No one other than IBM has the
+    right to modify this Agreement.  Except as expressly stated in Sections
+    2(a) and 2(b) above, Recipient receives no rights or licenses to the
+    intellectual property of any Contributor under this Agreement, whether
+    expressly, by implication, estoppel or otherwise.  All rights in the
+    Program not expressly granted under this Agreement are reserved.
+
+    This Agreement is governed by the laws of the State of New York and the
+    intellectual property laws of the United States of America. No party to
+    this Agreement will bring a legal action under this Agreement more than
+    one year after the cause of action arose.  Each party waives its rights
+    to a jury trial in any resulting litigation. 
+
+The following license applies to rmail, distributed with Postfix:
+				 SENDMAIL LICENSE
+
+    The following license terms and conditions apply, unless a different
+    license is obtained from Sendmail, Inc., 1401 Park Avenue, Emeryville, CA
+    94608, or by electronic mail at license at sendmail.com.
+
+    License Terms:
+
+    Use, Modification and Redistribution (including distribution of any
+    modified or derived work) in source and binary forms is permitted only if
+    each of the following conditions is met:
+
+    1. Redistributions qualify as "freeware" or "Open Source Software" under
+       one of the following terms:
+
+       (a) Redistributions are made at no charge beyond the reasonable cost of
+	   materials and delivery.
+
+       (b) Redistributions are accompanied by a copy of the Source Code or by an
+	   irrevocable offer to provide a copy of the Source Code for up to three
+	   years at the cost of materials and delivery.  Such redistributions
+	   must allow further use, modification, and redistribution of the Source
+	   Code under substantially the same terms as this license.  For the
+	   purposes of redistribution "Source Code" means the complete source
+	   code of sendmail including all modifications.
+
+       Other forms of redistribution are allowed only under a separate royalty-
+       free agreement permitting such redistribution subject to standard
+       commercial terms and conditions.  A copy of such agreement may be
+       obtained from Sendmail, Inc. at the above address.
+
+    2. Redistributions of source code must retain the copyright notices as they
+       appear in each source code file, these license terms, and the
+       disclaimer/limitation of liability set forth as paragraph 6 below.
+
+    3. Redistributions in binary form must reproduce the Copyright Notice,
+       these license terms, and the disclaimer/limitation of liability set
+       forth as paragraph 6 below, in the documentation and/or other materials
+       provided with the distribution.  For the purposes of binary distribution
+       the "Copyright Notice" refers to the following language:
+       "Copyright (c) 1998 Sendmail, Inc.  All rights reserved."
+
+    4. Neither the name of Sendmail, Inc. nor the University of California nor
+       the names of their contributors may be used to endorse or promote
+       products derived from this software without specific prior written
+       permission.  The name "sendmail" is a trademark of Sendmail, Inc.
+
+    5. All redistributions must comply with the conditions imposed by the
+       University of California on certain embedded code, whose copyright
+       notice and conditions for redistribution are as follows:
+
+       (a) Copyright (c) 1988, 1993 The Regents of the University of
+	   California.  All rights reserved.
+
+       (b) Redistribution and use in source and binary forms, with or without
+	   modification, are permitted provided that the following conditions
+	   are met:
+
+	  (i)   Redistributions of source code must retain the above copyright
+		notice, this list of conditions and the following disclaimer.
+
+	  (ii)  Redistributions in binary form must reproduce the above
+		copyright notice, this list of conditions and the following
+		disclaimer in the documentation and/or other materials provided
+		with the distribution.
+
+	  (iii) All advertising materials mentioning features or use of this
+		software must display the following acknowledgement:  "This
+		product includes software developed by the University of
+		California, Berkeley and its contributors."
+
+	  (iv)  Neither the name of the University nor the names of its
+		contributors may be used to endorse or promote products derived
+		from this software without specific prior written permission.
+
+    6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY
+       SENDMAIL, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
+       WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+       MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN
+       NO EVENT SHALL SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF
+       CALIFORNIA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+       INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+       NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+       USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+       ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+       (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+       THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+    (Version 8.6, last updated 6/24/1998)

Added: trunk/postfix/debian/postfix-pcre.dirs
===================================================================
--- trunk/postfix/debian/postfix-pcre.dirs	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-pcre.dirs	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1 @@
+usr/lib/postfix

Added: trunk/postfix/debian/postfix-pcre.files
===================================================================
--- trunk/postfix/debian/postfix-pcre.files	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-pcre.files	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1 @@
+usr/lib/postfix/dict_pcre.so

Added: trunk/postfix/debian/postfix-pcre.postinst
===================================================================
--- trunk/postfix/debian/postfix-pcre.postinst	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-pcre.postinst	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,49 @@
+#! /bin/sh
+# postinst script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <postinst> `configure' <most-recently-configured-version>
+#        * <old-postinst> `abort-upgrade' <new version>
+#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+#          <new-version>
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+#
+# quoting from the policy:
+#     Any necessary prompting should almost always be confined to the
+#     post-installation script, and should be protected with a conditional
+#     so that unnecessary prompting doesn't happen if a package's
+#     installation fails and the `postinst' is called with `abort-upgrade',
+#     `abort-remove' or `abort-deconfigure'.
+
+. /usr/share/postfix/postinst.functions
+
+case "$1" in
+    configure)
+	addmap pcre
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+
+    ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 0
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
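Review bot: the unknown-argument branch of this postinst reports the problem and then runs "exit 0", so a call with an unexpected first argument is treated as success; the debhelper template this was copied from exits 1 there, and with "set -e" already in force that is the behaviour dpkg expects. In the same hunk, ". /usr/share/postfix/postinst.functions" is sourced before the case statement, so the empty "abort-upgrade|abort-remove|abort-deconfigure" branch still aborts under "set -e" whenever that file is missing; moving the source line into the "configure" branch next to "addmap pcre", or guarding it with a test for the file, keeps the abort paths free of that dependency.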

Added: trunk/postfix/debian/postfix-pcre.prerm
===================================================================
--- trunk/postfix/debian/postfix-pcre.prerm	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-pcre.prerm	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,37 @@
+#! /bin/sh
+# prerm script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <prerm> `remove'
+#        * <old-prerm> `upgrade' <new-version>
+#        * <new-prerm> `failed-upgrade' <old-version>
+#        * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
+#        * <deconfigured's-prerm> `deconfigure' `in-favour'
+#          <package-being-installed> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+
+case "$1" in
+    remove|upgrade|deconfigure)
+#       install-info --quiet --remove /usr/info/#PACKAGE#.info.gz
+        ;;
+    failed-upgrade)
+        ;;
+    *)
+        echo "prerm called with unknown argument \`$1'" >&2
+        exit 0
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
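Review bot: the "remove|upgrade|deconfigure" branch carries only a commented-out install-info line left over from the template, so nothing reverses what the matching postinst did with "addmap pcre": after remove, usr/lib/postfix/dict_pcre.so (the one file listed in postfix-pcre.files) is gone while whatever addmap registered stays behind. If postinst.functions provides the inverse of addmap, call it here in the remove branch only (not on upgrade, where the new postinst re-adds the map); otherwise add a postrm that does the equivalent. Drop the dead install-info comment either way, and as in the postinst the unknown-argument branch should exit 1 rather than exit 0.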

Added: trunk/postfix/debian/postfix-pgsql.README.Debian
===================================================================
--- trunk/postfix/debian/postfix-pgsql.README.Debian	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-pgsql.README.Debian	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,2 @@
+The postfix-doc package contains documentation on how to configure this
+map type.  See /usr/share/doc/postfix/html/PGSQL_README.html
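Review bot: this README sends the reader to /usr/share/doc/postfix/html/PGSQL_README.html, which lives in postfix-doc, so postfix-pgsql should at least Suggests: postfix-doc in debian/control; otherwise the only configuration documentation the package mentions is a path that may not exist on the system.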

Added: trunk/postfix/debian/postfix-pgsql.copyright
===================================================================
--- trunk/postfix/debian/postfix-pgsql.copyright	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-pgsql.copyright	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,324 @@
+This is the Debian GNU/Linux prepackaged version of Postfix, a mail transport
+agent.
+
+Postfix was created by Wietse Venema <wietse at porcupine.org>; the Debian
+package has been assembled by LaMont Jones <lamont at debian.org> from sources
+available from http://www.postfix.org.
+
+    Copyright (c) 1999, International Business Machines Corporation 
+    and others. All Rights Reserved.  
+
+The following copyright and license applies to this software:
+
+    IBM PUBLIC LICENSE VERSION 1.0 6/14/1999 - SECURE MAILER
+
+    THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS IBM PUBLIC
+    LICENSE ("AGREEMENT").  ANY USE, REPRODUCTION OR DISTRIBUTION OF THE
+    PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
+
+    1.  DEFINITIONS
+
+    "Contribution" means:  
+	a) in the case of International Business Machines Corporation ("IBM"), 
+	   the Original Program, and 
+	b) in the case of each Contributor, 
+	   i)  changes to the Program, and
+	   ii) additions to the Program;
+	       where such changes and/or additions to the Program originate
+	       from and are distributed by that particular Contributor.  
+	       A Contribution 'originates' from a Contributor if it was added 
+	       to the Program by such Contributor itself or anyone acting on 
+	       such Contributor's behalf.  
+	Contributions do not include additions to the Program which:
+	   (i)  are separate modules of software distributed in conjunction 
+		with the Program under their own license agreement, and 
+	   (ii) are not derivative works of the Program.
+
+    "Contributor" means IBM and any other entity that distributes the Program.
+
+    "Licensed Patents " mean patent claims licensable by a Contributor which
+    are necessarily infringed by the use or sale of its Contribution alone
+    or when combined with the Program.
+
+    "Original Program" means the original version of the software accompanying
+    this Agreement as released by IBM, including source code, object code
+    and documentation, if any.
+
+    "Program" means the Original Program and Contributions.
+
+    "Recipient" means anyone who receives the Program under this Agreement, 
+    including all Contributors.
+
+    2.  GRANT OF RIGHTS
+
+	a) Subject to the terms of this Agreement, each Contributor hereby
+	grants Recipient a non-exclusive, worldwide, royalty-free copyright
+	license to reproduce, prepare derivative works of, publicly display,
+	publicly perform, distribute and sublicense the Contribution of such
+	Contributor, if any, and such derivative works, in source code and
+	object code form.
+
+	b) Subject to the terms of this Agreement, each Contributor hereby
+	grants Recipient a non-exclusive, worldwide, royalty-free patent
+	license under Licensed Patents to make, use, sell, offer to sell,
+	import and otherwise transfer the Contribution of such Contributor,
+	if any, in source code and object code form.  This patent license
+	shall apply to the combination of the Contribution and the Program
+	if, at the time the Contribution is added by the Contributor, such
+	addition of the Contribution causes such combination to be covered
+	by the Licensed Patents.  The patent license shall not apply to any
+	other combinations which include the Contribution.  No hardware per
+	se is licensed hereunder.
+
+	c) Recipient understands that although each Contributor grants the
+	licenses to its Contributions set forth herein, no assurances are
+	provided by any Contributor that the Program does not infringe the
+	patent or other intellectual property rights of any other entity.
+	Each Contributor disclaims any liability to Recipient for claims
+	brought by any other entity based on infringement of intellectual
+	property rights or otherwise.  As a condition to exercising the rights
+	and licenses granted hereunder, each Recipient hereby assumes sole
+	responsibility to secure any other intellectual property rights
+	needed, if any.  For example, if a third party patent license
+	is required to allow Recipient to distribute the Program, it is
+	Recipient's responsibility to acquire that license before distributing
+	the Program.
+
+	d) Each Contributor represents that to its knowledge it has sufficient
+	copyright rights in its Contribution, if any, to grant the copyright
+	license set forth in this Agreement.
+
+    3.  REQUIREMENTS
+
+    A Contributor may choose to distribute the Program in object code form 
+    under its own license agreement, provided that:
+	a) it complies with the terms and conditions of this Agreement; and
+	b) its license agreement:
+	   i)   effectively disclaims on behalf of all Contributors all
+		warranties and conditions, express and implied, including
+		warranties or conditions of title and non-infringement, and
+		implied warranties or conditions of merchantability and fitness
+		for a particular purpose;
+	   ii)  effectively excludes on behalf of all Contributors all 
+		liability for damages, including direct, indirect, special, 
+		incidental and consequential damages, such as lost profits; 
+	   iii) states that any provisions which differ from this Agreement 
+		are offered by that Contributor alone and not by any other 
+		party; and
+	   iv)  states that source code for the Program is available from 
+		such Contributor, and informs licensees how to obtain it in a 
+		reasonable manner on or through a medium customarily used for 
+		software exchange. 
+
+    When the Program is made available in source code form:
+	a) it must be made available under this Agreement; and 
+	b) a copy of this Agreement must be included with each copy of the 
+	   Program.  
+
+    Each Contributor must include the following in a conspicuous location 
+    in the Program: 
+
+	Copyright (c) {date here}, International Business Machines Corporation 
+	and others. All Rights Reserved.  
+
+    In addition, each Contributor must identify itself as the originator of
+    its Contribution, if any, in a manner that reasonably allows subsequent
+    Recipients to identify the originator of the Contribution. 
+
+    4.  COMMERCIAL DISTRIBUTION
+
+    Commercial distributors of software may accept certain responsibilities
+    with respect to end users, business partners and the like.  While this
+    license is intended to facilitate the commercial use of the Program, the
+    Contributor who includes the Program in a commercial product offering
+    should do so in a manner which does not create potential liability for
+    other Contributors.   Therefore, if a Contributor includes the Program in
+    a commercial product offering, such Contributor ("Commercial Contributor")
+    hereby agrees to defend and indemnify every other Contributor
+    ("Indemnified Contributor") against any losses, damages and costs
+    (collectively "Losses") arising from claims, lawsuits and other legal
+    actions brought by a third party against the Indemnified Contributor to
+    the extent caused by the acts or omissions of such Commercial Contributor
+    in connection with its distribution of the Program in a commercial
+    product offering.  The obligations in this section do not apply to any
+    claims or Losses relating to any actual or alleged intellectual property
+    infringement.  In order to qualify, an Indemnified Contributor must:
+	a) promptly notify the Commercial Contributor in writing of such claim,
+    and 
+	b) allow the Commercial Contributor to control, and cooperate with
+	   the Commercial Contributor in, the defense and any related 
+	   settlement negotiations.  The Indemnified Contributor may 
+	   participate in any such claim at its own expense.
+
+    For example, a Contributor might include the Program in a commercial
+    product offering, Product X.  That Contributor is then a Commercial
+    Contributor.  If that Commercial Contributor then makes performance
+    claims, or offers warranties related to Product X, those performance
+    claims and warranties are such Commercial Contributor's responsibility
+    alone.  Under this section, the Commercial Contributor would have to
+    defend claims against the other Contributors related to those performance
+    claims and warranties, and if a court requires any other Contributor to
+    pay any damages as a result, the Commercial Contributor must pay those
+    damages.
+
+    5.  NO WARRANTY
+
+    EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED
+    ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER
+    EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
+    CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A
+    PARTICULAR PURPOSE. Each Recipient is solely responsible for determining
+    the appropriateness of using and distributing the Program and assumes
+    all risks associated with its exercise of rights under this Agreement,
+    including but not limited to the risks and costs of program errors,
+    compliance with applicable laws, damage to or loss of data, programs or
+    equipment, and unavailability or interruption of operations. 
+
+    6.  DISCLAIMER OF LIABILITY
+
+    EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR
+    ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT,
+    INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING
+    WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
+    LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+    NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION
+    OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF
+    ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+    7.  GENERAL
+
+    If any provision of this Agreement is invalid or unenforceable under
+    applicable law, it shall not affect the validity or enforceability of
+    the remainder of the terms of this Agreement, and without further action
+    by the parties hereto, such provision shall be reformed to the minimum
+    extent necessary to make such provision valid and enforceable.
+
+    If Recipient institutes patent litigation against a Contributor with
+    respect to a patent applicable to software (including a cross-claim or
+    counterclaim in a lawsuit), then any patent licenses granted by that
+    Contributor to such Recipient under this Agreement shall terminate
+    as of the date such litigation is filed.  In addition, If Recipient
+    institutes patent litigation against any entity (including a cross-claim
+    or counterclaim in a lawsuit) alleging that the Program itself (excluding
+    combinations of the Program with other software or hardware) infringes
+    such Recipient's patent(s), then such Recipient's rights granted under
+    Section 2(b) shall terminate as of the date such litigation is filed.
+
+    All Recipient's rights under this Agreement shall terminate if it fails
+    to comply with any of the material terms or conditions of this Agreement
+    and does not cure such failure in a reasonable period of time after
+    becoming aware of such noncompliance.  If all Recipient's rights under
+    this Agreement terminate, Recipient agrees to cease use and distribution
+    of the Program as soon as reasonably practicable.  However, Recipient's
+    obligations under this Agreement and any licenses granted by Recipient
+    relating to the Program shall continue and survive. 
+
+    IBM may publish new versions (including revisions) of this Agreement
+    from time to time.  Each new version of the Agreement will be given a
+    distinguishing version number.  The Program (including Contributions)
+    may always be distributed subject to the version of the Agreement under
+    which it was received. In addition, after a new version of the Agreement
+    is published, Contributor may elect to distribute the Program (including
+    its Contributions) under the new version. No one other than IBM has the
+    right to modify this Agreement.  Except as expressly stated in Sections
+    2(a) and 2(b) above, Recipient receives no rights or licenses to the
+    intellectual property of any Contributor under this Agreement, whether
+    expressly, by implication, estoppel or otherwise.  All rights in the
+    Program not expressly granted under this Agreement are reserved.
+
+    This Agreement is governed by the laws of the State of New York and the
+    intellectual property laws of the United States of America. No party to
+    this Agreement will bring a legal action under this Agreement more than
+    one year after the cause of action arose.  Each party waives its rights
+    to a jury trial in any resulting litigation. 
+
+The following license applies to rmail, distributed with Postfix:
+				 SENDMAIL LICENSE
+
+    The following license terms and conditions apply, unless a different
+    license is obtained from Sendmail, Inc., 1401 Park Avenue, Emeryville, CA
+    94608, or by electronic mail at license at sendmail.com.
+
+    License Terms:
+
+    Use, Modification and Redistribution (including distribution of any
+    modified or derived work) in source and binary forms is permitted only if
+    each of the following conditions is met:
+
+    1. Redistributions qualify as "freeware" or "Open Source Software" under
+       one of the following terms:
+
+       (a) Redistributions are made at no charge beyond the reasonable cost of
+	   materials and delivery.
+
+       (b) Redistributions are accompanied by a copy of the Source Code or by an
+	   irrevocable offer to provide a copy of the Source Code for up to three
+	   years at the cost of materials and delivery.  Such redistributions
+	   must allow further use, modification, and redistribution of the Source
+	   Code under substantially the same terms as this license.  For the
+	   purposes of redistribution "Source Code" means the complete source
+	   code of sendmail including all modifications.
+
+       Other forms of redistribution are allowed only under a separate royalty-
+       free agreement permitting such redistribution subject to standard
+       commercial terms and conditions.  A copy of such agreement may be
+       obtained from Sendmail, Inc. at the above address.
+
+    2. Redistributions of source code must retain the copyright notices as they
+       appear in each source code file, these license terms, and the
+       disclaimer/limitation of liability set forth as paragraph 6 below.
+
+    3. Redistributions in binary form must reproduce the Copyright Notice,
+       these license terms, and the disclaimer/limitation of liability set
+       forth as paragraph 6 below, in the documentation and/or other materials
+       provided with the distribution.  For the purposes of binary distribution
+       the "Copyright Notice" refers to the following language:
+       "Copyright (c) 1998 Sendmail, Inc.  All rights reserved."
+
+    4. Neither the name of Sendmail, Inc. nor the University of California nor
+       the names of their contributors may be used to endorse or promote
+       products derived from this software without specific prior written
+       permission.  The name "sendmail" is a trademark of Sendmail, Inc.
+
+    5. All redistributions must comply with the conditions imposed by the
+       University of California on certain embedded code, whose copyright
+       notice and conditions for redistribution are as follows:
+
+       (a) Copyright (c) 1988, 1993 The Regents of the University of
+	   California.  All rights reserved.
+
+       (b) Redistribution and use in source and binary forms, with or without
+	   modification, are permitted provided that the following conditions
+	   are met:
+
+	  (i)   Redistributions of source code must retain the above copyright
+		notice, this list of conditions and the following disclaimer.
+
+	  (ii)  Redistributions in binary form must reproduce the above
+		copyright notice, this list of conditions and the following
+		disclaimer in the documentation and/or other materials provided
+		with the distribution.
+
+	  (iii) All advertising materials mentioning features or use of this
+		software must display the following acknowledgement:  "This
+		product includes software developed by the University of
+		California, Berkeley and its contributors."
+
+	  (iv)  Neither the name of the University nor the names of its
+		contributors may be used to endorse or promote products derived
+		from this software without specific prior written permission.
+
+    6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY
+       SENDMAIL, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
+       WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+       MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN
+       NO EVENT SHALL SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF
+       CALIFORNIA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+       INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+       NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+       USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+       ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+       (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+       THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+    (Version 8.6, last updated 6/24/1998)
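Review bot: this file is a verbatim copy of the copyright text that ends just above (same Debian preamble, same IBM Public License 1.0 text, same Sendmail license for rmail), and the postfix-tls.copyright that follows is a third copy whose title line reads "IBM PUBLIC LICENSE VERSION 1.0 - SECURE MAILER" where this one reads "IBM PUBLIC LICENSE VERSION 1.0 6/14/1999 - SECURE MAILER". Keeping one master copy in debian/copyright and generating or symlinking the per-package files from it avoids 324-line duplicates that drift like this. Two content points as well: the preamble describes the package only as "Postfix, a mail transport agent" and says nothing specific to the PostgreSQL map module that postfix-pgsql.files actually ships (usr/lib/postfix/dict_pgsql.so), and the Sendmail license is introduced as applying to rmail, which this package does not contain.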

Added: trunk/postfix/debian/postfix-pgsql.dirs
===================================================================
--- trunk/postfix/debian/postfix-pgsql.dirs	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-pgsql.dirs	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1 @@
+usr/lib/postfix

Added: trunk/postfix/debian/postfix-pgsql.files
===================================================================
--- trunk/postfix/debian/postfix-pgsql.files	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-pgsql.files	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1 @@
+usr/lib/postfix/dict_pgsql.so

Added: trunk/postfix/debian/postfix-pgsql.postinst
===================================================================
--- trunk/postfix/debian/postfix-pgsql.postinst	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-pgsql.postinst	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,49 @@
+#! /bin/sh
+# postinst script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <postinst> `configure' <most-recently-configured-version>
+#        * <old-postinst> `abort-upgrade' <new version>
+#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+#          <new-version>
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+#
+# quoting from the policy:
+#     Any necessary prompting should almost always be confined to the
+#     post-installation script, and should be protected with a conditional
+#     so that unnecessary prompting doesn't happen if a package's
+#     installation fails and the `postinst' is called with `abort-upgrade',
+#     `abort-remove' or `abort-deconfigure'.
+
+. /usr/share/postfix/postinst.functions
+
+case "$1" in
+    configure)
+	addmap pgsql
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+
+    ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 0
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
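Review bot: same template issues as postfix-pcre.postinst earlier in this commit: the "*)" branch reports an unknown argument and then "exit 0", which should be "exit 1", and ". /usr/share/postfix/postinst.functions" is sourced unconditionally, so the no-op "abort-upgrade|abort-remove|abort-deconfigure" branch still fails under "set -e" if that file is absent. Since the only difference from the pcre script is "addmap pgsql", consider generating both from one template, or a single shared script that takes the map name, so the fix lands in one place.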

Added: trunk/postfix/debian/postfix-pgsql.prerm
===================================================================
--- trunk/postfix/debian/postfix-pgsql.prerm	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-pgsql.prerm	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,37 @@
+#! /bin/sh
+# prerm script for #PACKAGE#
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <prerm> `remove'
+#        * <old-prerm> `upgrade' <new-version>
+#        * <new-prerm> `failed-upgrade' <old-version>
+#        * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
+#        * <deconfigured's-prerm> `deconfigure' `in-favour'
+#          <package-being-installed> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see /usr/share/doc/packaging-manual/
+
+case "$1" in
+    remove|upgrade|deconfigure)
+#       install-info --quiet --remove /usr/info/#PACKAGE#.info.gz
+        ;;
+    failed-upgrade)
+        ;;
+    *)
+        echo "prerm called with unknown argument \`$1'" >&2
+        exit 0
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
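Review bot: as with postfix-pcre.prerm, the remove branch does not undo "addmap pgsql" from the postinst and keeps only a commented-out install-info line from the template, so the map registration outlives usr/lib/postfix/dict_pgsql.so (postfix-pgsql.files). Call the inverse of addmap here on remove if postinst.functions provides one (or add a postrm), delete the dead comment, and make the unknown-argument branch exit 1 rather than exit 0.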

Added: trunk/postfix/debian/postfix-tls.copyright
===================================================================
--- trunk/postfix/debian/postfix-tls.copyright	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-tls.copyright	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,326 @@
+This is the Debian GNU/Linux prepackaged version of Postfix, a mail transport
+agent, with TLS and SASL support.
+
+Postfix was created by Wietse Venema <wietse at porcupine.org>; the Debian
+package has been assembled by LaMont Jones <lamont at debian.org> from sources
+available from http://www.postfix.org.
+
+    Copyright (c) 1999, International Business Machines Corporation 
+    and others. All Rights Reserved.  
+
+The following copyright and license applies to this software:
+
+    IBM PUBLIC LICENSE VERSION 1.0 - SECURE MAILER
+
+    THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS IBM PUBLIC
+    LICENSE ("AGREEMENT").  ANY USE, REPRODUCTION OR DISTRIBUTION OF THE
+    PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
+
+    1.  DEFINITIONS
+
+    "Contribution" means:  
+	a) in the case of International Business Machines Corporation ("IBM"), 
+	   the Original Program, and 
+	b) in the case of each Contributor, 
+	   i)  changes to the Program, and
+	   ii) additions to the Program;
+	       where such changes and/or additions to the Program originate
+	       from and are distributed by that particular Contributor.  
+	       A Contribution 'originates' from a Contributor if it was added 
+	       to the Program by such Contributor itself or anyone acting on 
+	       such Contributor's behalf.  
+	Contributions do not include additions to the Program which:
+	   (i)  are separate modules of software distributed in conjunction 
+		with the Program under their own license agreement, and 
+	   (ii) are not derivative works of the Program.
+
+    "Contributor" means IBM and any other entity that distributes the Program.
+
+    "Licensed Patents " mean patent claims licensable by a Contributor which
+    are necessarily infringed by the use or sale of its Contribution alone
+    or when combined with the Program.
+
+    "Original Program" means the original version of the software accompanying
+    this Agreement as released by IBM, including source code, object code
+    and documentation, if any.
+
+    "Program" means the Original Program and Contributions.
+
+    "Recipient" means anyone who receives the Program under this Agreement, 
+    including all Contributors.
+
+    2.  GRANT OF RIGHTS
+
+	a) Subject to the terms of this Agreement, each Contributor hereby
+	grants Recipient a non-exclusive, worldwide, royalty-free copyright
+	license to reproduce, prepare derivative works of, publicly display,
+	publicly perform, distribute and sublicense the Contribution of such
+	Contributor, if any, and such derivative works, in source code and
+	object code form.
+
+	b) Subject to the terms of this Agreement, each Contributor hereby
+	grants Recipient a non-exclusive, worldwide, royalty-free patent
+	license under Licensed Patents to make, use, sell, offer to sell,
+	import and otherwise transfer the Contribution of such Contributor,
+	if any, in source code and object code form.  This patent license
+	shall apply to the combination of the Contribution and the Program
+	if, at the time the Contribution is added by the Contributor, such
+	addition of the Contribution causes such combination to be covered
+	by the Licensed Patents.  The patent license shall not apply to any
+	other combinations which include the Contribution.  No hardware per
+	se is licensed hereunder.
+
+	c) Recipient understands that although each Contributor grants the
+	licenses to its Contributions set forth herein, no assurances are
+	provided by any Contributor that the Program does not infringe the
+	patent or other intellectual property rights of any other entity.
+	Each Contributor disclaims any liability to Recipient for claims
+	brought by any other entity based on infringement of intellectual
+	property rights or otherwise.  As a condition to exercising the rights
+	and licenses granted hereunder, each Recipient hereby assumes sole
+	responsibility to secure any other intellectual property rights
+	needed, if any.  For example, if a third party patent license
+	is required to allow Recipient to distribute the Program, it is
+	Recipient's responsibility to acquire that license before distributing
+	the Program.
+
+	d) Each Contributor represents that to its knowledge it has sufficient
+	copyright rights in its Contribution, if any, to grant the copyright
+	license set forth in this Agreement.
+
+    3.  REQUIREMENTS
+
+    A Contributor may choose to distribute the Program in object code form 
+    under its own license agreement, provided that:
+	a) it complies with the terms and conditions of this Agreement; and
+	b) its license agreement:
+	   i)   effectively disclaims on behalf of all Contributors all
+		warranties and conditions, express and implied, including
+		warranties or conditions of title and non-infringement, and
+		implied warranties or conditions of merchantability and fitness
+		for a particular purpose;
+	   ii)  effectively excludes on behalf of all Contributors all 
+		liability for damages, including direct, indirect, special, 
+		incidental and consequential damages, such as lost profits; 
+	   iii) states that any provisions which differ from this Agreement 
+		are offered by that Contributor alone and not by any other 
+		party; and
+	   iv)  states that source code for the Program is available from 
+		such Contributor, and informs licensees how to obtain it in a 
+		reasonable manner on or through a medium customarily used for 
+		software exchange. 
+
+    When the Program is made available in source code form:
+	a) it must be made available under this Agreement; and 
+	b) a copy of this Agreement must be included with each copy of the 
+	   Program.  
+
+    Each Contributor must include the following in a conspicuous location 
+    in the Program: 
+
+	Copyright (c) 1997,1998,1999, International Business Machines
+	Corporation and others. All Rights Reserved.
+
+    In addition, each Contributor must identify itself as the originator of
+    its Contribution, if any, in a manner that reasonably allows subsequent
+    Recipients to identify the originator of the Contribution. 
+
+    4.  COMMERCIAL DISTRIBUTION
+
+    Commercial distributors of software may accept certain responsibilities
+    with respect to end users, business partners and the like.  While this
+    license is intended to facilitate the commercial use of the Program, the
+    Contributor who includes the Program in a commercial product offering
+    should do so in a manner which does not create potential liability for
+    other Contributors.   Therefore, if a Contributor includes the Program in
+    a commercial product offering, such Contributor ("Commercial Contributor")
+    hereby agrees to defend and indemnify every other Contributor
+    ("Indemnified Contributor") against any losses, damages and costs
+    (collectively "Losses") arising from claims, lawsuits and other legal
+    actions brought by a third party against the Indemnified Contributor to
+    the extent caused by the acts or omissions of such Commercial Contributor
+    in connection with its distribution of the Program in a commercial
+    product offering.  The obligations in this section do not apply to any
+    claims or Losses relating to any actual or alleged intellectual property
+    infringement.  In order to qualify, an Indemnified Contributor must:
+	a) promptly notify the Commercial Contributor in writing of such claim,
+    and 
+	b) allow the Commercial Contributor to control, and cooperate with
+	   the Commercial Contributor in, the defense and any related 
+	   settlement negotiations.  The Indemnified Contributor may 
+	   participate in any such claim at its own expense.
+
+    For example, a Contributor might include the Program in a commercial
+    product offering, Product X.  That Contributor is then a Commercial
+    Contributor.  If that Commercial Contributor then makes performance
+    claims, or offers warranties related to Product X, those performance
+    claims and warranties are such Commercial Contributor's responsibility
+    alone.  Under this section, the Commercial Contributor would have to
+    defend claims against the other Contributors related to those performance
+    claims and warranties, and if a court requires any other Contributor to
+    pay any damages as a result, the Commercial Contributor must pay those
+    damages.
+
+    5.  NO WARRANTY
+
+    EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED
+    ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER
+    EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
+    CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A
+    PARTICULAR PURPOSE. Each Recipient is solely responsible for determining
+    the appropriateness of using and distributing the Program and assumes
+    all risks associated with its exercise of rights under this Agreement,
+    including but not limited to the risks and costs of program errors,
+    compliance with applicable laws, damage to or loss of data, programs or
+    equipment, and unavailability or interruption of operations. 
+
+    6.  DISCLAIMER OF LIABILITY
+
+    EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR
+    ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT,
+    INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING
+    WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
+    LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+    NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION
+    OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF
+    ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+    7.  GENERAL
+
+    If any provision of this Agreement is invalid or unenforceable under
+    applicable law, it shall not affect the validity or enforceability of
+    the remainder of the terms of this Agreement, and without further action
+    by the parties hereto, such provision shall be reformed to the minimum
+    extent necessary to make such provision valid and enforceable.
+
+    If Recipient institutes patent litigation against a Contributor with
+    respect to a patent applicable to software (including a cross-claim or
+    counterclaim in a lawsuit), then any patent licenses granted by that
+    Contributor to such Recipient under this Agreement shall terminate
+    as of the date such litigation is filed.  In addition, If Recipient
+    institutes patent litigation against any entity (including a cross-claim
+    or counterclaim in a lawsuit) alleging that the Program itself (excluding
+    combinations of the Program with other software or hardware) infringes
+    such Recipient's patent(s), then such Recipient's rights granted under
+    Section 2(b) shall terminate as of the date such litigation is filed.
+
+    All Recipient's rights under this Agreement shall terminate if it fails
+    to comply with any of the material terms or conditions of this Agreement
+    and does not cure such failure in a reasonable period of time after
+    becoming aware of such noncompliance.  If all Recipient's rights under
+    this Agreement terminate, Recipient agrees to cease use and distribution
+    of the Program as soon as reasonably practicable.  However, Recipient's
+    obligations under this Agreement and any licenses granted by Recipient
+    relating to the Program shall continue and survive. 
+
+    IBM may publish new versions (including revisions) of this Agreement
+    from time to time.  Each new version of the Agreement will be given a
+    distinguishing version number.  The Program (including Contributions)
+    may always be distributed subject to the version of the Agreement under
+    which it was received. In addition, after a new version of the Agreement
+    is published, Contributor may elect to distribute the Program (including
+    its Contributions) under the new version. No one other than IBM has the
+    right to modify this Agreement.  Except as expressly stated in Sections
+    2(a) and 2(b) above, Recipient receives no rights or licenses to the
+    intellectual property of any Contributor under this Agreement, whether
+    expressly, by implication, estoppel or otherwise.  All rights in the
+    Program not expressly granted under this Agreement are reserved.
+
+    This Agreement is governed by the laws of the State of New York and the
+    intellectual property laws of the United States of America. No party to
+    this Agreement will bring a legal action under this Agreement more than
+    one year after the cause of action arose.  Each party waives its rights
+    to a jury trial in any resulting litigation. 
+
+The following license applies to rmail, distributed with Postfix:
+
+			     SENDMAIL LICENSE
+
+    The following license terms and conditions apply, unless a different
+    license is obtained from Sendmail, Inc., 6425 Christie Ave, Fourth Floor,
+    Emeryville, CA 94608, or by electronic mail at license at sendmail.com.
+
+    License Terms:
+
+    Use, Modification and Redistribution (including distribution of any
+    modified or derived work) in source and binary forms is permitted only if
+    each of the following conditions is met:
+
+    1. Redistributions qualify as "freeware" or "Open Source Software" under
+       one of the following terms:
+
+       (a) Redistributions are made at no charge beyond the reasonable cost of
+	   materials and delivery.
+
+       (b) Redistributions are accompanied by a copy of the Source Code or by an
+	   irrevocable offer to provide a copy of the Source Code for up to three
+	   years at the cost of materials and delivery.  Such redistributions
+	   must allow further use, modification, and redistribution of the Source
+	   Code under substantially the same terms as this license.  For the
+	   purposes of redistribution "Source Code" means the complete compilable
+	   and linkable source code of sendmail including all modifications.
+
+    2. Redistributions of source code must retain the copyright notices as they
+       appear in each source code file, these license terms, and the
+       disclaimer/limitation of liability set forth as paragraph 6 below.
+
+    3. Redistributions in binary form must reproduce the Copyright Notice,
+       these license terms, and the disclaimer/limitation of liability set
+       forth as paragraph 6 below, in the documentation and/or other materials
+       provided with the distribution.  For the purposes of binary distribution
+       the "Copyright Notice" refers to the following language:
+       "Copyright (c) 1998-2000 Sendmail, Inc.  All rights reserved."
+
+    4. Neither the name of Sendmail, Inc. nor the University of California nor
+       the names of their contributors may be used to endorse or promote
+       products derived from this software without specific prior written
+       permission.  The name "sendmail" is a trademark of Sendmail, Inc.
+
+    5. All redistributions must comply with the conditions imposed by the
+       University of California on certain embedded code, whose copyright
+       notice and conditions for redistribution are as follows:
+
+       (a) Copyright (c) 1988, 1993 The Regents of the University of
+	   California.  All rights reserved.
+
+       (b) Redistribution and use in source and binary forms, with or without
+	   modification, are permitted provided that the following conditions
+	   are met:
+
+	  (i)   Redistributions of source code must retain the above copyright
+		notice, this list of conditions and the following disclaimer.
+
+	  (ii)  Redistributions in binary form must reproduce the above
+		copyright notice, this list of conditions and the following
+		disclaimer in the documentation and/or other materials provided
+		with the distribution.
+
+	  (iii) Neither the name of the University nor the names of its
+		contributors may be used to endorse or promote products derived
+		from this software without specific prior written permission.
+
+    6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY
+       SENDMAIL, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
+       WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+       MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN
+       NO EVENT SHALL SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF
+       CALIFORNIA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+       INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+       NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+       USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+       ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+       (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+       THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+    $Revision: 1.1.2.1 $, Last updated $Date: 2003/05/22 06:34:17 $
+
+The following license applies to the TLS patch, which is available from:
+http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/.
+
+    License:
+    ========
+    - This software is free. You can do with it whatever you want.
+      I would however kindly ask you to acknowledge the use of this
+      package, if you are going use it in your software, which you might
+      be going to distribute. I would also like to receive a note if you
+      are a satisfied user :-)

Added: trunk/postfix/debian/postfix-tls.dirs
===================================================================
--- trunk/postfix/debian/postfix-tls.dirs	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-tls.dirs	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,5 @@
+DEBIAN
+usr/lib/postfix
+usr/sbin
+usr/share/man/man8
+etc/postfix/sasl

Added: trunk/postfix/debian/postfix-tls.postinst
===================================================================
--- trunk/postfix/debian/postfix-tls.postinst	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-tls.postinst	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,71 @@
+#!/bin/sh -e
+
+# Debian Postfix postinst
+# LaMont Jones <lamont at debian.org>
+# Based on debconf code by Colin Walters <walters at cis.ohio-state.edu>,
+# and John Goerzen <jgoerzen at progenylinux.com>.
+
+# Use debconf.
+. /usr/share/debconf/confmodule
+CHROOT=/var/spool/postfix
+
+umask 022
+
+# postinst processing
+
+. /usr/share/postfix/postinst.functions
+
+#DEBHELPER#
+
+case "$1" in
+    configure)
+	# see below
+	;;
+
+    abort-upgrade)
+	exit 0
+	;;
+
+    abort-remove|abort-deconfigure)
+	exit 0
+	;;
+
+    *)
+	echo "postinst called with unknown argument \`$1'" >&2
+	exit 1
+	;;
+esac
+
+CHANGES=""
+
+cd /etc/postfix
+
+# all done with debconf here.
+db_stop
+
+# make sure that sdbm is in the maplist correctly.
+F=/etc/postfix/dynamicmaps.cf
+if ! grep -q '^sdbm[[:space:]].*mkmap_sdbm_open$' $F; then
+    echo "Fixing sdbm entry in ${F}"
+    delmap sdbm >/dev/null
+    addmap sdbm mkmap_sdbm_open >/dev/null
+fi
+
+# handle sasl-smtp[d] -> smtp[d] change.  oops..
+if [ -d /etc/postfix/sasl ]; then
+    cd /etc/postfix/sasl
+    for file in smtp smtpd; do 
+       if [ -r sasl-${file}.conf ] && [ ! -r ${file}.conf ]; then
+	    ln -s sasl-${file}.conf ${file}.conf
+       fi
+    done
+fi
+
+[ -x /usr/sbin/invoke-rc.d ] && \
+	INIT="invoke-rc.d postfix" || \
+	INIT="/etc/init.d/postfix"
+# start postfix
+if [ -f /var/spool/postfix/restart ]; then
+    rm -f /var/spool/postfix/restart
+    ${INIT} start
+fi
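Review bot: `#DEBHELPER#` is placed before the `case "$1" in` argument check, so whatever debhelper expands there runs even when the script is invoked with an argument that the `*)` branch then rejects with `exit 1`; the postrm in this same commit puts the marker after `esac`, which is the usual placement. Two smaller points: `-e` is only enabled through the `#!/bin/sh -e` shebang, which is lost if the script is ever executed as `sh postfix-tls.postinst configure`, so an explicit `set -e` near the top is safer; and the script sources `/usr/share/debconf/confmodule` and calls `db_stop`, but never issues a `db_get`, `db_input` or `db_go`, so the debconf frontend is started for nothing and the `. /usr/share/debconf/confmodule` line can be dropped.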

Added: trunk/postfix/debian/postfix-tls.postrm
===================================================================
--- trunk/postfix/debian/postfix-tls.postrm	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-tls.postrm	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,34 @@
+#!/bin/sh -e
+
+# Debian Postfix postrm
+
+# LaMont Jones <lamont at debian.org>
+
+case "$1" in
+    remove)
+	dpkg-divert --package postfix-tls --remove --rename \
+		 --divert /usr/lib/postfix/lmtp.postfix \
+			  /usr/lib/postfix/lmtp
+	dpkg-divert --package postfix-tls --remove --rename \
+		 --divert /usr/lib/postfix/smtp.postfix \
+			  /usr/lib/postfix/smtp
+	dpkg-divert --package postfix-tls --remove --rename \
+		 --divert /usr/lib/postfix/smtpd.postfix \
+			  /usr/lib/postfix/smtpd
+	;;
+
+    upgrade)
+	;;
+
+    purge)
+	;;
+
+    failed-upgrade|abort-install|abort-upgrade|disappear)
+	;;
+
+    *)
+	echo "postrm called with unknown argument \`$1'" >&2
+	exit 1
+	;;
+esac
+#DEBHELPER#
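Review bot: the three `dpkg-divert --package postfix-tls --remove --rename` calls only run in the `remove)` branch, while `disappear)` is an empty case. If postfix-tls is ever replaced by a package that takes over all of its files, dpkg calls this postrm with `disappear` and the diversions of `/usr/lib/postfix/lmtp`, `/usr/lib/postfix/smtp` and `/usr/lib/postfix/smtpd` stay registered, leaving the base postfix binaries parked under their `*.postfix` names with nothing at the original paths. Suggest running the same block for both cases, e.g. `remove|disappear)`.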

Added: trunk/postfix/debian/postfix-tls.preinst
===================================================================
--- trunk/postfix/debian/postfix-tls.preinst	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-tls.preinst	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,66 @@
+#!/bin/sh -e
+
+# Debian Postfix preinst
+# LaMont Jones <lamont at debian.org>
+# Modified to use debconf by Colin Walters <levanti at verbum.org>
+
+# do we have debconf?
+if [ -f /usr/share/debconf/confmodule ]; then
+    . /usr/share/debconf/confmodule
+    DEBCONF=true
+else
+    DEBCONF=
+fi
+
+dpkg_vers=$(dpkg --status dpkg | sed -n '/Version: /s/^Version: //p')
+CONFIG=/etc/postfix/main.cf
+POSTDROP=/usr/sbin/postdrop
+
+case "$1" in
+    install)
+	if [ -d /var/spool/postfix ] && [ -f /etc/postfix/main.cf ] && \
+		 [ -x /etc/init.d/postfix ]; then
+	    touch /var/spool/postfix/restart
+	    if [ ! start-stop-daemon -K -q -o \
+		    --pidfile /var/spool/postfix/pid/master.pid \
+		    --exec /usr/lib/postfix/master 2>/dev/null ]; then :; fi
+	fi
+	;;
+
+    upgrade)
+	if [ -d /var/spool/postfix ] && [ -f /etc/postfix/main.cf ] && \
+		 [ -x /etc/init.d/postfix ]; then
+	    touch /var/spool/postfix/restart
+	    if [ ! start-stop-daemon -K -q -o \
+		    --pidfile /var/spool/postfix/pid/master.pid \
+		    --exec /usr/lib/postfix/master 2>/dev/null ]; then :; fi
+	fi
+        ;;
+
+    abort-upgrade)
+	;;
+
+    *)
+	echo "preinst called with unknown argument \`$1'" >&2
+	exit 1
+	;;
+esac
+
+# deal with smtpd delivering a man page on top of us.
+if [ install = "$1" -o upgrade = "$1" ]; then
+    dpkg-divert --package postfix-tls --add --rename \
+	 --divert /usr/lib/postfix/lmtp.postfix \
+		  /usr/lib/postfix/lmtp
+    dpkg-divert --package postfix-tls --add --rename \
+	 --divert /usr/lib/postfix/smtp.postfix \
+		  /usr/lib/postfix/smtp
+    dpkg-divert --package postfix-tls --add --rename \
+	 --divert /usr/lib/postfix/smtpd.postfix \
+		  /usr/lib/postfix/smtpd
+    rm -f /usr/sbin/postconf.postfix
+    dpkg-divert --package postfix-tls --remove \
+	 --divert /usr/sbin/postconf.postfix \
+		  /usr/sbin/postconf 2>/dev/null
+fi
+
+#DEBHELPER#
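Review bot: the construct `if [ ! start-stop-daemon -K -q -o --pidfile /var/spool/postfix/pid/master.pid --exec /usr/lib/postfix/master 2>/dev/null ]; then :; fi` in both the `install)` and `upgrade)` branches never runs start-stop-daemon at all: `[` is the `test` command, so the words after `!` are passed to `test` as arguments, `test` fails with a usage error (hidden by the `2>/dev/null`), and the `if` simply takes the false path. The running master is therefore not stopped before the diverted `smtp`, `smtpd` and `lmtp` binaries are swapped, even though `/var/spool/postfix/restart` is touched so that the postinst later runs `${INIT} start`. Suggest `start-stop-daemon -K -q -o --pidfile /var/spool/postfix/pid/master.pid --exec /usr/lib/postfix/master || true`. Also, `DEBCONF`, `dpkg_vers`, `CONFIG` and `POSTDROP` are assigned but never used, and sourcing `confmodule` in a preinst that asks no question only starts a debconf frontend for nothing.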

Added: trunk/postfix/debian/postfix-tls.prerm
===================================================================
--- trunk/postfix/debian/postfix-tls.prerm	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postfix-tls.prerm	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,25 @@
+#!/bin/sh -e
+
+# Debian Postfix prerm
+# LaMont Jones <lamont at debian.org>
+
+case "$1" in
+    upgrade)
+	;;
+
+    deconfigure)
+	;;
+
+    remove)
+    	;;
+
+    failed-upgrade)
+	;;
+
+    *)
+	echo "prerm called with unknown argument \`$1'" >&2
+	exit 1
+	;;
+esac
+#DEBHELPER#
+exit 0

Added: trunk/postfix/debian/postinst
===================================================================
--- trunk/postfix/debian/postinst	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postinst	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,487 @@
+#!/bin/sh -e
+
+# Debian Postfix postinst
+# LaMont Jones <lamont at debian.org>
+# Based on debconf code by Colin Walters <walters at cis.ohio-state.edu>,
+# and John Goerzen <jgoerzen at progenylinux.com>.
+
+# Use debconf.
+. /usr/share/debconf/confmodule
+CHROOT=/var/spool/postfix
+config_directory="/etc/postfix"		# make variable expansion easier...
+
+. /usr/share/postfix/postinst.functions
+
+set_maildrop_perms() {
+    MAILDROP=${CHROOT}/maildrop
+    SCRIPT=/etc/postfix/postfix-script
+    POSTDROP=/usr/sbin/postdrop
+    mkdir -p $MAILDROP
+    if ! chown postfix:postdrop $MAILDROP 2>/dev/null; then
+	addgroup --system postdrop
+	chown postfix:postdrop $MAILDROP
+    fi
+    dpkg-statoverride --remove $POSTDROP >/dev/null 2>&1 || true
+    dpkg-statoverride --remove /var/spool/postfix/public >/dev/null 2>&1 || true
+    dpkg-statoverride --remove /usr/sbin/postqueue >/dev/null 2>&1 || true
+    dpkg-statoverride --update --add root postdrop 02555 $POSTDROP
+    dpkg-statoverride --update --add postfix postdrop 02710 /var/spool/postfix/public
+    dpkg-statoverride --update --add root postdrop 02555 /usr/sbin/postqueue
+    chmod 1730 $MAILDROP
+}
+
+fset_all_changed() {
+    db_fset postfix/main_mailer_type changed $1
+    db_fset postfix/root_address changed $1
+    db_fset postfix/destinations changed $1
+    db_fset postfix/mailname changed $1
+    db_fset postfix/relayhost changed $1
+    db_fset postfix/chattr changed $1
+    db_fset postfix/mynetworks changed $1
+    db_fset postfix/procmail changed $1
+    db_fset postfix/mailbox_limit changed $1
+    db_fset postfix/recipient_delim changed $1
+}
+
+set_postconf() {
+    CHANGES=true
+    postconf -e "$@"
+}
+
+get_postconf() {
+    postconf -h "$@"
+}
+
+makedir() {
+    if [ ! -d $1 ]; then
+	mkdir $1
+    fi
+    chown $2 $1 && chmod $3 $1
+}
+
+convert_dbs() {
+    # get all of the hash and btree maps.
+    maps=$(postconf -h | sed -e 's/[,[:space:]]/\
+/g' -e 's/^proxy://' -e '/:/p' | sort -u )
+    for i in $maps; do
+      case $i in
+	hash:*|btree:*)
+	    f=${i#*:}.db 
+	    if [ -f $f ]; then
+		echo "attempting conversion of $i"
+		echo "  saving old db in ${f}.db3"
+		cp $f ${f}.db3
+		postmap -u $i
+	    fi
+	    ;;
+      esac
+    done
+}
+
+fix_master() {
+    echoed=""
+    # Need to handle some changes in services.
+    MASTER=/etc/postfix/master.cf
+    if grep -qE '^cleanup[[:space:]]+unix[[:space:]]+-' ${MASTER}; then
+	echo "in master.cf:"; echoed=y
+	echo "  forcing pickup=unprivileged, cleanup=public, flush=public"
+	sed 's/^\(cleanup[[:space:]]*unix[[:space:]]*\)-/\1n/
+	     s/^\(flush[[:space:]]*unix[[:space:]]*\)-/\1n/
+	     s/^\(pickup[[:space:]]*fifo[[:space:]]*.[[:space:]]*\)n/\1-/
+	' ${MASTER} > ${MASTER}.$$
+	mv ${MASTER}.$$ ${MASTER}
+    fi
+
+    if ! grep -qE '^flush[[:space:]]' ${MASTER}; then
+	[ -n $echoed ] || echo "in master.cf:"; echoed=y
+	echo "  adding missing entry for flush service"
+	echo "flush	  unix	n	-	-	1000?	0	flush" \
+	    >> ${MASTER}
+    fi
+
+    if ! grep -qE '^proxymap[[:space:]]' ${MASTER}; then
+	[ -n $echoed ] || echo "in master.cf:"; echoed=y
+	echo "  adding missing entry for proxymap service"
+	echo "proxymap	  unix	-	-	n	-	-	proxymap" \
+	    >> ${MASTER}
+    fi
+    if ! grep -qE '^trace[[:space:]]' ${MASTER}; then
+	[ -n $echoed ] || echo "in master.cf:"; echoed=y
+	echo "  adding missing entry for trace service"
+	echo "trace	  unix	-	-	-	-	0	bounce" \
+	    >> ${MASTER}
+    fi
+
+    if ! grep -qE '^verify[[:space:]]' ${MASTER}; then
+	[ -n $echoed ] || echo "in master.cf:"; echoed=y
+	echo "  adding missing entry for verify service"
+	echo "verify	  unix	-	-	-	-	1	verify" \
+	    >> ${MASTER}
+    fi
+
+    if ! grep -qE '^relay[[:space:]]' ${MASTER}; then
+	[ -n $echoed ] || echo "in master.cf:"; echoed=y
+	echo "  adding missing entry for relay service"
+	echo "relay     unix  -       -       n       -       -       smtp" \
+	    >> ${MASTER}
+	echo "#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5" \
+	    >> ${MASTER}
+    fi
+}
+
+umask 022
+
+# postinst processing
+
+#DEBHELPER#
+
+case "$1" in
+    configure)
+	OLDVERSION="$2"
+	# see below
+	;;
+
+    abort-upgrade)
+	fix_master
+	exit 0
+	;;
+
+    abort-remove|abort-deconfigure)
+	exit 0
+	;;
+
+    *)
+	echo "postinst called with unknown argument \`$1'" >&2
+	exit 1
+	;;
+esac
+
+CHANGES=""
+NEWALIASES="y"
+
+update-rc.d postfix defaults > /dev/null
+update-inetd --disable smtp
+
+ldconfig
+
+dpkg-divert --package postfix --remove --rename \
+	--divert /usr/share/man/man8/smtpd.real.8.gz \
+	/usr/share/man/man8/smtpd.8.gz > /dev/null 2>&1
+
+cd ${CHROOT}
+# make sure that the postfix user exists.  Simplest portable way to check is to
+# chown something, so we'll create the directories that we need here.
+makedir private		root:root 700
+chgrp postfix private 2>/dev/null ||
+    addgroup --system postfix
+chown postfix private 2>/dev/null ||
+    adduser --system --home ${CHROOT} --no-create-home --disabled-password --ingroup postfix postfix
+
+# need to have postfix in the right group, but old revs do it wrong..
+if [ "$(id -gn postfix)" != "postfix" ]; then
+    usermod -g postfix postfix
+fi
+
+chown postfix:root private
+
+db_fget postfix/chattr changed
+if [ "$RET" = "true" ]; then
+    db_get postfix/chattr && chat="$RET"
+    echo "setting synchronous mail queue updates: $chat"    
+    if [ "$chat" = "true" ]; then
+	chat="+S"
+    else
+	chat="-S"
+    fi
+fi
+
+for dir in pid public; do
+    makedir ${dir} postfix:root 755
+done
+for dir in incoming active bounce defer deferred flush saved corrupt; do
+    makedir ${dir} postfix:root 700
+    if [ -n "$chat" ]; then
+	chattr $chat $dir 2>/dev/null || true
+    fi
+done
+
+cd /etc/postfix
+
+if [ ! -f dynamicmaps.cf ]; then
+    echo "Creating /etc/postfix/dynamicmaps.cf"
+    cat << EOF > dynamicmaps.cf
+# Postfix dynamic maps configuration file.
+#
+# The first match found is the one that is used.  Wildcards are not supported
+# as of postfix 2.0.2
+#
+#type	location of .so file			open function	(mkmap func)
+#====	================================	=============	============
+EOF
+    addmap tcp
+else
+    # handle dynamicmaps.cf upgrade - we checked with the user in preinst.
+    if [ -f /var/spool/postfix/dynamicmaps_upgrade ]; then
+      (
+	if ! grep -qi 'wildcards are not supported' dynamicmaps.cf; then
+	    echo '# *** Wildcards are not supported as of postfix 2.0.2 ***'
+	    echo '#'
+	fi
+	sed '/^\*[[:space:]]/d' dynamicmaps.cf
+      ) > dynamicmaps.cf.$$
+      mv dynamicmaps.cf.$$ dynamicmaps.cf
+      # Need to add all of them, since we may need them to configure... sigh.
+      addmap tcp
+      addmap ldap
+      addmap pcre
+      addmap mysql
+      addmap pgsql
+      addmap sdbm mkmap_sdbm_open
+    fi
+fi
+
+db_get postfix/main_mailer_type && mailer="$RET"
+
+[ -f master.cf ] || cp /usr/share/postfix/master.cf.dist master.cf
+
+if [ "$mailer" != "No configuration" ]; then	# [
+    if [ -f main.cf ]; then
+	NEWCONF=""
+    else
+	cp /usr/share/postfix/main.cf.debian main.cf
+	NEWCONF=yes
+    fi
+
+    # This is the braindead local-only master.cf from elsewhen
+    # we now deal with this in main.cf, so mark the mailer_type changed.
+    md5sum=$(md5sum /etc/postfix/master.cf)
+    if [ "${md5sum%% *}" = "fadb677a071ea2851cc2b8a12345823d" ]; then
+	cp /usr/share/postfix/master.cf.dist master.cf
+	db_fset postfix/main_mailer_type changed true
+    fi
+fi	# !No configuration ]
+
+# cleanup from braindamage.
+if [ -d /etc/postfix/maildrop ]; then
+    rmdir /etc/postfix/maildrop 2>/dev/null
+fi
+
+set_maildrop_perms postdrop
+if [ -f /var/spool/postfix/db-upgrade ]; then
+    rm /var/spool/postfix/db-upgrade
+    db_get postfix/db_upgrade_warning && convert="$RET"
+    if [ "$convert" = "true" ]; then
+	convert_dbs
+    else
+	echo "DB files not converted, Postfix restart may fail."
+    fi
+fi
+
+if [ "$mailer" != "No configuration" ]; then	# [
+    myhostname=$(hostname --fqdn 2>/dev/null || echo "")
+    if [ -z "$myhostname" ]; then
+	if [ -r /etc/hostname ];then
+	    myhostname=$(cat /etc/hostname)
+	    if [ $hostname = ${hostname%.*} -a -f /etc/resolv.conf ]; then
+		mydom=$(awk '/^(search|domain)/ { print $2;quit;}' \
+			/etc/resolv.conf)
+		myhostname="$myhostname${mydom:+.$mydom}"
+	    fi
+	else
+	    myhostname="UNKNOWN"
+	fi
+    fi
+    mydomain=${myhostname#*.}
+
+    if [ -n "$NEWCONF" ]; then
+	fset_all_changed true
+	alias_maps=hash:/etc/aliases
+	nis_status=$(dpkg -l nis 2>/dev/null | sed -n '$p')
+	if [ "X$nis_status" != "X${nis_status#i}" ] && [ -x /usr/bin/ypcat ] &&
+		/usr/bin/ypcat mail.aliases >/dev/null 2>&1; then
+	    alias_maps="hash:/etc/aliases, nis:mail.aliases"
+	    cat << EOF
+It appears that you have an NIS map for mail aliases; using that in
+addition to /etc/aliases.
+
+EOF
+	fi
+	if [ -n "$myhostname" ]; then
+	    echo "setting myhostname: $myhostname"
+	    set_postconf "myhostname=$myhostname"
+	fi
+	echo "setting alias maps"
+	set_postconf "alias_maps=$alias_maps"
+	echo "setting alias database"
+	set_postconf "alias_database=hash:/etc/aliases"
+    fi
+
+    db_fget postfix/mailname changed
+    if [ "$RET" = "true" ]; then
+	db_get postfix/mailname && mailname="$RET"
+	if [ -f /etc/mailname ] && [ "X$(cat /etc/mailname)" = "X$mailname" ]; then
+	    MAILNAME=""
+	else
+	    MAILNAME=yes
+	fi
+	if [ "X${mailname%.*}" != "X${mailname}" ]; then
+	    if [ -n "$MAILNAME" ]; then
+		echo "changing /etc/mailname"
+		echo $mailname > /etc/mailname
+	    fi
+	    echo "setting myorigin"
+	    set_postconf "myorigin=/etc/mailname"
+	else
+	    echo "mailname is not a fully qualified domain name.  Not changing /etc/mailname."
+	fi
+    fi
+    db_fget postfix/destinations changed
+    if [ "$RET" = "true" ]; then
+	db_get postfix/destinations && destinations="$RET"
+	echo "setting destinations: $destinations"
+	set_postconf "mydestination=$destinations"
+    fi
+    db_fget postfix/relayhost changed
+    if [ "$RET" = "true" ]; then
+	db_get postfix/relayhost && relayhost="$RET"
+	echo "setting relayhost: $relayhost"    
+	set_postconf "relayhost=$relayhost"
+    fi
+    db_fget postfix/mynetworks changed
+    if [ "$RET" = "true" ]; then
+	db_get postfix/mynetworks && mynetworks="$RET"
+	if [ -z "$RET" ]; then
+	    echo "deleting mynetworks"    
+	    if grep -q '^mynetworks[[:space:]]*=' main.cf; then
+		# need to remove it, get postconf to do the hard part.
+		postconf -e 'mynetworks=127.0.0.0/8'
+		perl -i -ne 'print unless /^mynetworks\s*=/' main.cf
+	    fi
+	else
+	    echo "setting mynetworks: $mynetworks"    
+	    set_postconf "mynetworks=$mynetworks"
+	fi
+    fi
+    db_fget postfix/procmail changed
+    if [ "$RET" = "true" ]; then
+	db_get postfix/procmail && useprocmail="$RET"
+	if [ "x$useprocmail" = "xtrue" ]; then
+	    echo "setting mailbox_command"        
+	    set_postconf 'mailbox_command=procmail -a "$EXTENSION"'
+	else
+	    if grep -q ^mailbox_command /etc/postfix/main.cf; then
+		echo "clearing mailbox_command"        
+		set_postconf "mailbox_command="
+	    fi
+	fi
+    fi
+    db_fget postfix/mailbox_limit changed
+    if [ "$RET" = "true" ]; then
+	db_get postfix/mailbox_limit && mailbox_limit="$RET"
+	echo "setting mailbox_size_limit: $mailbox_limit"    
+	set_postconf "mailbox_size_limit=$mailbox_limit"
+    fi
+
+    db_fget postfix/recipient_delim changed
+    if [ "$RET" = "true" ]; then
+	db_get postfix/recipient_delim && recip="$RET"
+	echo "setting recipient_delimiter: $recip"    
+	set_postconf "recipient_delimiter=$recip"
+    fi
+
+    db_fget postfix/main_mailer_type changed
+    if [ "$RET" = "true" ]; then
+	# already have mailer
+	case "$mailer" in
+	    "Local only")	val=loopback-only;;
+	    "Satellite system")	val=loopback-only;;
+	    *)			val=all;;
+	esac
+	echo "setting inet_interfaces: $val"
+	set_postconf "inet_interfaces=$val"
+    fi
+
+    if [ -z "$CHANGES" ]; then
+	MSG="configuration was not changed"
+    else if [ -n "$NEWCONF" ]; then
+	    MSG="is now set up with a default configuration"
+	else
+	    MSG="is now set up with the changes above"
+	fi
+    fi
+else	# ] No configuration [
+    if [ -f main.cf ]; then
+	MSG="configuration was untouched"
+    else
+	MSG="was not set up.  Start with 
+  cp /usr/share/postfix/main.cf.debian /etc/postfix/main.cf
+"
+	# make sure that we don't try anything stupid below.
+	NEWALIASES=""
+	rm -f /var/spool/postfix/restart /var/spool/postfix/reload
+    fi
+fi	# not 'No configuration' ]
+
+if [ ! -f /etc/aliases ]; then	# no /etc/aliases [
+    echo "/etc/aliases does not exist, creating it."
+    cat << EOF > /etc/aliases
+# See man 5 aliases for format
+postmaster:    root
+EOF
+    if [ "$mailer" != "No configuration" ]; then	# [
+	db_fget postfix/root_address changed
+	if [ "$RET" = "true" ]; then
+	    db_get postfix/root_address && root_addr="$RET"
+	    ret=$(echo $RET | tr '[A-Z]' '[a-z]')
+	    if [ "$ret" != "none" ]; then
+		echo "root:	$RET" >> /etc/aliases
+	    fi
+	fi
+    fi	# not 'No configuration' ]
+fi # ] no /etc/aliases
+
+fset_all_changed false
+
+fold -s << EOF
+
+Postfix $MSG.  If you need to make changes, edit
+/etc/postfix/main.cf (and others) as needed.  To view Postfix configuration
+values, see postconf(1).
+
+After modifying main.cf, be sure to run '/etc/init.d/postfix reload'.
+
+EOF
+
+# all done with debconf here.
+db_stop
+
+fix_master
+
+if [ -n "$NEWALIASES" ]; then
+    echo "Running newaliases"
+    rm -f /etc/aliases.db	# handle the roll to db2.0
+    # newaliases chokes if hostname not set
+    if [ -z "$(postconf -h myhostname||true)" ]; then
+       cp -a main.cf main.cf.dpkg.$$
+       postconf -e 'myhostname=debian'
+       newaliases
+       mv main.cf.dpkg.$$ main.cf
+    else
+       newaliases
+    fi
+fi
+
+[ -x /usr/sbin/invoke-rc.d ] && \
+	INIT="invoke-rc.d postfix" || \
+	INIT="/etc/init.d/postfix"
+# start postfix
+if [ -f /var/spool/postfix/restart ]; then
+    rm -f /var/spool/postfix/restart
+    ${INIT} start
+else
+    # or maybe just restart postfix
+    if [ -f /var/spool/postfix/reload ]; then
+	rm -f /var/spool/postfix/reload
+	${INIT} restart
+    fi
+fi
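Review bot: the hostname fallback branch tests a variable that is never set: `if [ $hostname = ${hostname%.*} -a -f /etc/resolv.conf ]` refers to `$hostname`, but the value read from /etc/hostname two lines earlier is stored in `myhostname`, so the domain from resolv.conf is never appended (and with both expansions empty the `[` expression is malformed). It should read `if [ "$myhostname" = "${myhostname%.*}" ] && [ -f /etc/resolv.conf ]`. In the same block, `awk '/^(search|domain)/ { print $2;quit;}'` does not stop after the first match, because `quit` is not an awk statement (it is an empty variable); use `exit` so `mydom` cannot end up holding several lines. Two smaller points: `echo $mailname > /etc/mailname` should quote `$mailname`, and in the /etc/aliases block `root_addr` is assigned but the line actually written is `echo "root:	$RET" >> /etc/aliases`; pick one variable and quote it.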

Added: trunk/postfix/debian/postrm
===================================================================
--- trunk/postfix/debian/postrm	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/postrm	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,35 @@
+#!/bin/sh -e
+
+# Debian Postfix postrm
+
+# LaMont Jones <lamont at debian.org>
+
+case "$1" in
+    remove)
+	ldconfig
+	dpkg-statoverride --remove /usr/sbin/postdrop >/dev/null 2>&1 || true
+	dpkg-statoverride --remove /var/spool/postfix/public >/dev/null 2>&1 || true
+	dpkg-statoverride --remove /usr/sbin/postqueue >/dev/null 2>&1 || true
+	;;
+
+    upgrade)
+	;;
+
+    purge)
+	rm -rf /var/spool/postfix
+	rm -rf /etc/postfix
+	update-rc.d postfix remove >/dev/null
+	userdel postfix >/dev/null 2>&1 || true
+	groupdel postdrop >/dev/null 2>&1 || true
+	groupdel postfix >/dev/null 2>&1 || true
+	;;
+
+    failed-upgrade|abort-install|abort-upgrade|disappear)
+	;;
+
+    *)
+	echo "postrm called with unknown argument \`$1'" >&2
+	exit 1
+	;;
+esac
+#DEBHELPER#
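Review bot: the `purge` case deletes the system account and groups (`userdel postfix`, `groupdel postdrop`, `groupdel postfix`) right after `rm -rf /var/spool/postfix` and `rm -rf /etc/postfix`; any file outside those two trees that is still owned by that uid or gid is then left with a numeric owner that a later package may be assigned. Consider leaving the system user and groups in place on purge, or at least stating in the script why they are removed. Also the bare `ldconfig` in the `remove` case duplicates what `dh_makeshlibs -a` (called in debian/rules) normally emits through the `#DEBHELPER#` marker, so it can go.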

Added: trunk/postfix/debian/preinst
===================================================================
--- trunk/postfix/debian/preinst	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/preinst	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,251 @@
+#!/bin/sh -e
+
+# Debian Postfix preinst
+# LaMont Jones <lamont at debian.org>
+# Modified to use debconf by Colin Walters <levanti at verbum.org>
+
+# do we have debconf?
+if [ -f /usr/share/debconf/confmodule ]; then
+    . /usr/share/debconf/confmodule
+    DEBCONF=true
+else
+    DEBCONF=
+fi
+
+dpkg_vers=$(dpkg --status dpkg | sed -n '/Version: /s/^Version: //p')
+CONFIG=/etc/postfix/main.cf
+MASTER=/etc/postfix/master.cf
+POSTDROP=/usr/sbin/postdrop
+
+dynamicmaps_warning() {
+    if [ -n "$DEBCONF" ]; then
+	db_fset postfix/dynamicmaps_upgrade_warning seen false
+	db_input medium postfix/dynamicmaps_upgrade_warning || true
+	db_go || true
+	db_get postfix/dynamicmaps_upgrade_warning
+	if [ "$RET" = "false" ]; then
+	    echo "aborting postfix install"
+	    exit 1
+	fi
+    else
+	# no debconf, fall back
+	cat << EOF
+Postfix version 2.0.2 and later require changes in dynamicmaps.cf.
+Specifically, wildcard support is gone, and with it %s expansion.  Any
+changes that you made to dynamicmaps.cf that relied on these features will
+need to be fixed by you.  Failure to correct these will result in a broken
+mailer.  Shall I make the changes?
+EOF
+	echo -n "Shall I make the changes? "
+	read line
+	case ${line} in
+	    [nN]*)	echo "aborting postfix install"
+			exit 1
+			;;
+	esac
+    fi
+}
+
+nqmgr_warning() {
+    if [ -n "$DEBCONF" ]; then
+	db_fset postfix/nqmgr_upgrade_warning seen false
+	db_input medium postfix/nqmgr_upgrade_warning || true
+	db_go || true
+	db_get postfix/nqmgr_upgrade_warning
+	if [ "$RET" = "false" ]; then
+	    echo "aborting postfix install"
+	    exit 1
+	fi
+    else
+	# no debconf, fall back
+	cat << EOF
+Postfix version 2.1 has renamed nqmgr to qmgr.  Shall I make the change?
+EOF
+	echo -n "Shall I make the change? "
+	read line
+	case ${line} in
+	    [nN]*)	echo "aborting postfix install"
+			exit 1
+			;;
+	esac
+    fi
+}
+
+master_warning() {
+    if [ -n "$DEBCONF" ]; then
+	db_fset postfix/master_upgrade_warning seen false
+	db_input medium postfix/master_upgrade_warning || true
+	db_go || true
+	db_get postfix/master_upgrade_warning
+	if [ "$RET" = "false" ]; then
+	    echo "aborting postfix install"
+	    exit 1
+	fi
+    else
+	# no debconf, fall back
+	cat << EOF
+Postfix version 2.1 and later require new services in master.cf.
+Shall I make the changes?
+EOF
+	echo -n "Shall I make the changes? "
+	read line
+	case ${line} in
+	    [nN]*)	echo "aborting postfix install"
+			exit 1
+			;;
+	esac
+    fi
+}
+
+transport_map_warning() {
+    if [ -n "$DEBCONF" ]; then
+	db_input critical postfix/transport_map_warning || true
+	db_go || true
+    else
+	# no debconf, fall back
+	cat << EOF
+You have a transport map defined, and there is an incompatible change
+in how transport maps are used.  Postfix will not be restarted
+automatically.
+
+Transport map entries override mydestination.  If you use transport
+maps, it is better to always have explicit entries for all domain
+names you have in \$mydestination.  See the html/faq.html sections
+for firewalls and intranets.
+
+If you have transport entries for parent domains of anything delivered
+locally, you will probably need to add specific entries for the
+destination domains before you restart Postfix.
+EOF
+	echo -n "Press [ENTER] "
+	read line
+    fi
+    # don't automatically restart postfix now
+    rm -f /var/spool/postfix/restart
+}
+
+db_upgrade_warning() {
+    if [ -n "$DEBCONF" ]; then
+	db_fset postfix/db_upgrade_warning seen false
+	db_input low postfix/db_upgrade_warning || true
+	db_go || true
+	db_get postfix/db_upgrade_warning
+    #else
+	# deal with it in postinst
+    fi
+}
+
+(umask 022; mkdir -p /var/spool/postfix)
+
+case "$1" in
+    install)
+	rm -f /var/spool/postfix/restart /var/spool/postfix/reload
+	# workaround sendmail not unregistering itself...
+	if [ -e /etc/suid.conf ] && [ -x /usr/sbin/suidunregister ]; then
+	    if grep -q sendmail /etc/suid.conf; then
+		/usr/sbin/suidunregister -s postfix /usr/sbin/sendmail
+	    fi
+	fi
+
+	if [ -L /etc/postfix/postfix-script ]; then
+		rm -f /etc/postfix/postfix-script
+	fi
+
+	;;
+
+    upgrade)
+	version=$2
+	if [ -d /var/spool/postfix ] && [ -f /etc/postfix/main.cf ]; then
+	    touch /var/spool/postfix/restart
+	fi
+	export LANG=C	# for the comparison of mail version...
+
+	if dpkg --compare-versions $version lt 0.0.19991231; then
+	  if [ -f $CONFIG ] && [ -n "$(postconf -h transport_maps)" ]; then
+	    transport_map_warning
+	  fi
+	fi
+
+	if [ -L /etc/postfix/postfix-script ]; then
+		rm -f /etc/postfix/postfix-script
+	fi
+
+	if dpkg --compare-versions $version lt 0.0.20001217.SNAPSHOT-4; then
+	  if dpkg --compare-versions $dpkg_vers ge 1.8 &&
+	     [ -x /usr/sbin/addgroup ]; then
+	    # was postdrop setgid before?  If so, add the override.
+	    set -- $(ls -l $POSTDROP)
+	    sgid=${1#??????}
+	    if [ "${sgid%???}" = "s" ]; then
+	      if ! chgrp postdrop $POSTDROP 2>/dev/null; then
+		addgroup postdrop || true
+	      fi
+	      dpkg-statoverride --remove $POSTDROP >/dev/null 2>&1 || true
+	      dpkg-statoverride --add root postdrop 02555 $POSTDROP
+	    fi
+	  fi
+	fi
+
+	if dpkg --compare-versions $version lt 2.0.7-4; then
+	  # are there any maps that need to be converted?
+	  # Likewise, if there's no config, then there is nothing to
+	  # upgrade...
+	  if [ -f $CONFIG ]; then
+	    maps=$(postconf -h | tr ' ,\11' '\12\12\12' | sort -u |
+		    grep -e hash: -e btree: || true)
+	    if [ -n "$maps" ]; then
+	      touch /var/spool/postfix/db-upgrade
+	      db_upgrade_warning
+	    fi
+	  fi
+	fi
+
+	# Don't care what version it was, nqmgr is gone (until
+	# it's back again..)
+	if grep -q '^qmgr.*nqmgr' $MASTER; then
+	  nqmgr_warning
+	fi
+	sed '/^qmgr[[:space:]]/s/nqmgr/qmgr/' $MASTER > ${MASTER}.$$
+	cp ${MASTER}.$$ $MASTER && rm ${MASTER}.$$
+
+	if dpkg --compare-versions $version lt 2.1.3-1; then
+	  oldsum=$(dpkg --status postfix | sed -n '/\/master.cf/s/^.* //p')
+	  filesum=$(md5sum < $MASTER)
+	  if [ "$oldsum" != "$filesum" ]; then
+	    master_warning
+	  fi
+	fi
+
+	if dpkg --compare-versions $version lt 2.0.2-3; then
+	  oldsum=$(dpkg --status postfix | sed -n '/\/dynamicmaps.cf/s/^.* //p')
+	  if [ -n "$oldsum" ]; then	# not a config file any more.
+	    dynamicmaps_warning
+	    touch /var/spool/postfix/dynamicmaps_upgrade
+	  fi
+	else
+	    rm -f /var/spool/postfix/dynamicmaps_upgrade
+	fi
+
+	if [ ! start-stop-daemon -K -q -o \
+		--pidfile /var/spool/postfix/pid/master.pid \
+		--exec /usr/lib/postfix/master 2>/dev/null ]; then :; fi
+	;;
+
+    abort-upgrade)
+	;;
+
+    *)
+	echo "preinst called with unknown argument \`$1'" >&2
+	exit 1
+	;;
+esac
+
+if [ install = "$1" -o upgrade = "$1" ]; then
+    # cleanup after past mistakes.
+    rm -f /usr/sbin/postconf.postfix
+    dpkg-divert --package postfix-tls --remove \
+	 --divert /usr/sbin/postconf.postfix \
+		  /usr/sbin/postconf >/dev/null 2>/dev/null
+fi
+
+#DEBHELPER#
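Review bot: the upgrade case never stops the running master: `if [ ! start-stop-daemon -K -q -o \` wraps the command in `[ ... ]`, so the shell evaluates the words as a test expression (which fails on its argument list) instead of executing start-stop-daemon, and the `then :; fi` swallows the error. Write it as `start-stop-daemon -K -q -o --pidfile /var/spool/postfix/pid/master.pid --exec /usr/lib/postfix/master 2>/dev/null || true`. Secondary: the setgid check (`set -- $(ls -l $POSTDROP)`, `sgid=${1#??????}`, `if [ "${sgid%???}" = "s" ]`) parses ls output, while `[ -g "$POSTDROP" ]` tests the bit directly; the no-debconf prompts in dynamicmaps_warning and nqmgr_warning ask the question twice, once inside the here-document and again via `echo -n`; and `sed '/^qmgr[[:space:]]/s/nqmgr/qmgr/' $MASTER > ${MASTER}.$$` rewrites master.cf unconditionally even when the preceding grep found no nqmgr entry, and aborts the whole preinst under `sh -e` if master.cf is absent.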

Added: trunk/postfix/debian/prerm
===================================================================
--- trunk/postfix/debian/prerm	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/prerm	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,43 @@
+#!/bin/sh -e
+
+# Debian Postfix prerm
+# LaMont Jones <lamont at debian.org>
+
+case "$1" in
+    upgrade)
+	new=$2			# get new version
+	/etc/init.d/postfix stop
+	if dpkg --compare-versions $new lt 0.0.20020113.SNAPSHOT-1; then
+	    # Need to handle some changes in services.
+	    MASTER=/etc/postfix/master.cf
+	    if grep -qE '^cleanup[[:space:]]+unix[[:space:]]+n' ${MASTER}; then
+		echo "in master.cf:"
+		echo "  forcing pickup=privileged, cleanup=private, flush=private"
+		sed 's/^\(cleanup[[:space:]]*unix[[:space:]]*\)n/\1-/
+		     s/^\(flush[[:space:]]*unix[[:space:]]*\)n/\1-/
+		     s/^\(pickup[[:space:]]*fifo[[:space:]]*.[[:space:]]*\)-/\1n/
+		' ${MASTER} > ${MASTER}.$$
+		mv ${MASTER}.$$ ${MASTER}
+	    fi
+	fi
+	;;
+
+    deconfigure)
+	;;
+
+    remove)
+	/etc/init.d/postfix stop
+	rm -rf /var/spool/postfix/lib
+	rm -rf /var/spool/postfix/etc
+    	;;
+
+    failed-upgrade)
+	;;
+
+    *)
+	echo "prerm called with unknown argument \`$1'" >&2
+	exit 1
+	;;
+esac
+#DEBHELPER#
+exit 0
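Review bot: both the `upgrade` and `remove` cases call `/etc/init.d/postfix stop` directly, while postinst in this same commit selects `invoke-rc.d postfix` whenever /usr/sbin/invoke-rc.d exists. Debian policy requires maintainer scripts to go through invoke-rc.d when it is available, so that a local policy-rc.d can veto the action; prerm should reuse the same `INIT` selection. Also `dpkg --compare-versions $new lt 0.0.20020113.SNAPSHOT-1` should quote `$new`, and the `;;` closing the `remove` case is indented with spaces followed by a tab, unlike the rest of the file.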

Added: trunk/postfix/debian/rules
===================================================================
--- trunk/postfix/debian/rules	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/rules	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,263 @@
+#!/usr/bin/make -f
+# -*- makefile -*- 
+# Debianrules for building a Debian package
+# Version 1.5
+#
+# These rules have been specifically designed NOT to require root to
+# run them. At any time root privileges are required, the command to be
+# executed will be made obvious and root's password will be prompted for.
+# Of course, root may still run this and no password will be required.
+#
+# Robert Leslie <rob at mars.org>
+# modified for Postfix by LaMont Jones <lamont at debian.org>
+
+export DH_COMPAT=2
+
+PACKAGE=postfix
+include /usr/share/dpatch/dpatch.make
+
+TLSSRC=tls
+package=postfix
+base=debian/$(package)
+docpkg=${package}-doc
+docdir=${base}-doc/usr/share/doc/$(package)
+tls=${base}-tls
+tlsdocdir=${base}-doc/usr/share/doc/$(package)-tls
+chlogdir=${base}/usr/share/doc/$(package)
+sharedir=${base}/usr/share/postfix
+libdir=${base}/usr/lib
+plibdir=usr/lib/postfix
+sbindir=usr/sbin
+bindir=${base}/usr/bin
+confdir=${base}/etc/postfix
+
+#ifeq ($(DEB_BUILD_ARCH),sparc)
+#  OFLAGS = -O1
+#else
+#  OFLAGS = -O1
+#endif
+
+OFLAGS = -O2
+SHELL=/bin/bash
+
+ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS)))
+DEBUG = -g
+endif
+
+ifneq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
+STRIP=y
+endif
+
+CCARGS=-DDEBIAN -DMAX_DYNAMIC_MAPS -DHAS_PCRE -DHAS_LDAP \
+	 -DHAS_MYSQL -I/usr/include/mysql \
+	 -DHAS_PGSQL -I/usr/include/postgresql
+
+AUXLIBS =
+
+TLSCCARGS=-DUSE_TLS -I/usr/include/openssl -DHAS_SSL \
+	 -DUSE_SASL_AUTH -I/usr/include/sasl ${CCARGS} -DUSE_TLS
+
+TLSAUXLIBS=-lssl -lcrypto -lsasl2
+
+DOCFILES=README_FILES/*_README COMPATIBILITY TODO PORTING
+TLSDOCFILES=${TLSSRC}/README ${TLSSRC}/TODO ${TLSSRC}/ACKNOWLEDGEMENTS
+
+TLSDIRS=src/tlsmgr src/smtp.tls src/smtpd.tls src/lmtp.tls
+
+.PHONY: install install-doc binary binary-arch binary-indep clean
+.PHONY: checkroot
+
+build: patch debian/stamp-tlsfiles conf/master.cf.local
+	$(checkdir)
+	ln -sf /usr/lib/libdb3.so debian/libdb.so
+	${MAKE} makefiles CCARGS="${CCARGS} -UUSE_TLS" DEBUG=${DEBUG} \
+		AUXLIBS="${AUXLIBS} -L$$(pwd)/debian" OPT="$(OFLAGS)"
+	cd lib && for i in dns global master util; do \
+		ln -fs lib$${i}.a libpostfix-$${i}.so.1; \
+	done
+	${MAKE} LD_LIBRARY_PATH=$$(pwd)/lib:$${LD_LIBRARY_PATH}
+	${MAKE} manpages
+	
+	# now build the TLS stuff.
+	${MAKE} makefiles CCARGS="${TLSCCARGS}" DEBUG=${DEBUG} \
+		DIRS="${TLSDIRS}" \
+		AUXLIBS="${TLSAUXLIBS} -L$$(pwd)/debian" OPT="$(OFLAGS)"
+	${MAKE} LD_LIBRARY_PATH=$$(pwd)/lib:$${LD_LIBRARY_PATH} DIRS="${TLSDIRS}"
+	touch $@
+
+conf/master.cf.local: conf/master.cf
+	cp $? $@
+	patch -p0 < debian/patches/master.cf.local
+	
+	# now build the TLS stuff.
+debian/stamp-tlsfiles:
+	rm -rf src/*.tls
+	cp -r src/smtp src/smtp.tls
+	cp -r src/lmtp src/lmtp.tls
+	cp -r src/smtpd src/smtpd.tls
+	rm -f src/*.tls/*.[oa]
+	patch -p0 < debian/tls-patch
+	touch $@
+
+install-doc: build
+	dh_clean -k
+	dh_installdirs -i
+	install -m 0444 html/* $(docdir)/html; rm $(docdir)/html/Makefile.in
+	dh_installexamples -p ${docpkg} examples/{qmail-local,smtpd-policy}
+	dh_installexamples -p ${docpkg} -Xmain.cf -Xmaster.cf -Xfiles conf/[a-z]*
+	dh_installexamples -p ${docpkg} conf/main.cf.default
+	install -m 0444 RELEASE_NOTES $(docdir)/RELEASE_NOTES
+	install -m 0444 AAAREADME $(docdir)/README
+	for file in */README; do \
+	    install -m 0444 $${file} $(docdir)/README.$${file%/README}; \
+	done
+	rm -f $(docdir)/README.mantools $(docdir)/README.tls-*
+	for file in ${DOCFILES}; do					\
+		install -m 0444 $${file} $(docdir)/$${file##*/};	\
+	done
+	rm -f $(docdir)/ULTRIX_README $(docdir)/MACOSX_README
+
+	install -m 0444 include/[!CRS]* ${base}-dev/usr/include/postfix
+	cd lib; for i in libpostfix-*; do \
+		ln -sf $$i ../${base}-dev/usr/lib/$${i%.1}; \
+	done
+
+	# and the TLS stuff
+	install -m 0444 ${TLSSRC}/doc/[a-z]* $(tlsdocdir)/html
+	install -m 0444 ${TLSSRC}/CHANGES $(tlsdocdir)/changelog
+	for file in ${TLSDOCFILES}; do					\
+		install -m 0444 $${file} $(tlsdocdir)/$${file##*/};	\
+	done
+
+install: build
+	dh_clean -k
+	dh_installdirs -a
+	install lib/*.1 $(libdir)
+	install lib/dict_ldap.so ${base}-ldap/${plibdir}
+	install lib/dict_pcre.so ${base}-pcre/${plibdir}
+	install lib/dict_mysql.so ${base}-mysql/${plibdir}
+	install lib/dict_pgsql.so ${base}-pgsql/${plibdir}
+	install lib/dict_tcp.so ${base}/${plibdir}
+	install lib/dict_sdbm.so ${base}-tls/${plibdir}
+	install libexec/[a-z]* ${base}/${plibdir}
+	rm -f ${base}/${plibdir}/*.tls ${base}/${plibdir}/tlsmgr
+	install bin/[a-z]* ${base}/${sbindir}
+	install auxiliary/qshape/qshape.pl ${base}/${sbindir}/qshape
+	rm -f ${base}/${sbindir}/*.tls
+	install -m 0444 HISTORY $(chlogdir)/changelog
+	ln -s ../sbin/rmail $(bindir)/rmail
+	ln -s ../sbin/sendmail $(bindir)/newaliases
+	ln -s ../sbin/sendmail $(bindir)/mailq
+	ln -s ../sbin/sendmail ${base}/usr/lib/sendmail
+	install -m 0755 conf/postfix-script conf/post-install $(confdir)
+	install -m 0644 conf/postfix-files $(confdir)
+	install -m 0644 conf/main.cf $(sharedir)/main.cf.dist
+	install -m 0644 debian/functions $(sharedir)/postinst.functions
+	install -m 0644 conf/master.cf $(sharedir)/master.cf.dist
+	install -m 0644 conf/master.cf.local $(sharedir)/master.cf.local
+	install -m 0644 conf/main.cf.debian $(sharedir)/main.cf.debian
+
+	install man/man1/*.1 ${base}/usr/share/man/man1
+	install man/man5/*.5 ${base}/usr/share/man/man5
+	for f in man/man8/*.8; do \
+	  install $${f} ${base}/usr/share/$${f}postfix; \
+	done
+	install rmail/rmail.8 ${base}/usr/share/man/man8
+	gzip -9 ${base}/usr/share/man/man8/*.8postfix
+	ln -sf bounce.8postfix.gz ${base}/usr/share/man/man8/trace.8postfix.gz
+	ln -sf bounce.8postfix.gz ${base}/usr/share/man/man8/defer.8postfix.gz
+
+	install debian/init.d ${base}/etc/init.d/postfix
+	install debian/ip-up.d ${base}/etc/ppp/ip-up.d/postfix
+	install debian/ip-down.d ${base}/etc/ppp/ip-down.d/postfix
+	install debian/ip-up.d ${base}/etc/network/if-up.d/postfix
+	install debian/ip-down.d ${base}/etc/network/if-down.d/postfix
+	install debian/update-libc.d ${base}/etc/resolvconf/update-libc.d/postfix
+	install -m 0444 debian/lintian-override ${base}/usr/share/lintian/overrides/${package}
+
+	# and the TLS stuff
+	install lib/dict_sdbm.so ${tls}/${plibdir}
+	install libexec/lmtp.tls ${tls}/$(plibdir)/lmtp
+	install libexec/smtp.tls ${tls}/$(plibdir)/smtp
+	install libexec/smtpd.tls ${tls}/$(plibdir)/smtpd
+	install libexec/tlsmgr ${tls}/$(plibdir)/tlsmgr
+	mv ${base}/usr/share/man/man8/tlsmgr.8postfix.gz ${tls}/usr/share/man/man8
+
+debian/vars:
+	cp debian/vars.in $@
+	# This assumes non-native, and at least one hyphen in the version number.
+	echo Upstream=$$(sed 's/^.*(\(.*\)-[^-]*).*/\1/; q' debian/changelog) >> $@
+
+binary-indep: checkroot install-doc debian/vars
+	dh_installdocs -i
+##	dh_installexamples -i
+##	dh_installmenu -i
+##	dh_installcron -i
+	dh_installchangelogs -i
+	dh_installdebconf -i
+	dh_compress -i
+	dh_fixperms -i
+	dh_installdeb -i
+	for i in $$(sed -n '/^Package:/s/^.* //p' debian/control); do cat debian/vars >> debian/$$i.substvars; done
+	cat debian/vars.in >> debian/substvars
+	dh_gencontrol -i
+##	dh_makeshlibs -i
+	dh_md5sums -i
+	dh_builddeb -i
+
+binary-arch: checkroot build install debian/vars
+
+	dh_installdocs -a
+##	dh_installexamples -a
+##	dh_installmenu -a
+##	dh_installcron -a
+	dh_installchangelogs -a
+	dh_installdebconf -a
+##	dh_movefiles -a
+	[ -n "$(STRIP)" ] || dh_strip -a
+	dh_compress -a
+	dh_fixperms -a
+	dh_makeshlibs -a
+	dh_installdeb -a
+	LD_LIBRARY_PATH=$$(pwd)/lib:$${LD_LIBRARY_PATH} dh_shlibdeps -a
+	for i in $$(sed -n '/^Package:/s/^.* //p' debian/control); do cat debian/vars >> debian/$$i.substvars; done
+	cat debian/vars.in >> debian/substvars
+	dh_gencontrol -a
+##	dh_makeshlibs -a
+	dh_md5sums -a
+	dh_builddeb -a
+
+
+clean: unpatch
+	$(checkdir)
+	dh_clean build
+	test ! -d ${base} || rm -rf ${base}
+	$(MAKE) tidy
+	if [ -f src/tlsmgr/Makefile.in ]; then $(MAKE) tidy DIRS=src/tlsmgr; fi
+	#rm -rf $$(find debian/* -type d ! -name CVS ! -name po)
+	rm -rf debian/{files*,vars,*substvars,*.debhelper}
+	find .. -name $(package)*.asc -size 0 -maxdepth 1 -exec rm {} ";"
+	chmod +x debian/{pre*,post*}
+	rm -f debian/libdb.so debian/stamp-*
+	rm -rf src/*.tls
+
+buildinfo:
+	@echo; dpkg -l gcc "libc6*" binutils ldso make dpkg-dev $(BUILDINFO) \
+		| awk '$$1 == "ii" { printf("%s-%s\n", $$2, $$3) }' \
+		| tee $(docdir)/buildinfo.Debian; echo
+	chmod 644 $(docdir)/buildinfo.Debian		
+
+define checkdir
+	test -f debian/rules
+endef
+
+# Below here is fairly generic really
+
+binary: binary-arch binary-indep
+
+newtemplate:
+	debconf-updatepo
+
+checkroot:
+	$(checkdir)
+	test "`id -u`" -eq 0
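Review bot: `ln -sf /usr/lib/libdb3.so debian/libdb.so` pins the build to Berkeley DB 3, yet the postfix/db_upgrade_warning template added in this commit tells users "Postfix has switched to db4, and this may require maps to be upgraded", and postinst runs convert_dbs on that basis. The two must agree: maps converted for db4 may not be readable by a db3-linked binary. Also `TLSCCARGS` passes `-DUSE_TLS` twice (at the start of the line and again after `${CCARGS}`), and in the clean target `find .. -name $(package)*.asc -size 0 -maxdepth 1` places the global option `-maxdepth` after the tests, which GNU find warns about; move it before `-name`.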


Property changes on: trunk/postfix/debian/rules
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/postfix/debian/shlibs
===================================================================
--- trunk/postfix/debian/shlibs	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/shlibs	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,4 @@
+libpostfix-util		1	postfix
+libpostfix-global	1	postfix
+libpostfix-dns		1	postfix
+libpostfix-master	1	postfix
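Review bot: all four entries declare an unversioned dependency on `postfix`. The libpostfix-*.so.1 files are produced in debian/rules by giving the static lib*.a archives a .so.1 name (`ln -fs lib$${i}.a libpostfix-$${i}.so.1`), so there is no stable ABI behind the soname; any package whose dependency is resolved through this file should be tied to the exact build, e.g. `libpostfix-util 1 postfix (= ${Source-Version})`, otherwise the split packages can mix versions on a partial upgrade.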

Added: trunk/postfix/debian/templates
===================================================================
--- trunk/postfix/debian/templates	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/templates	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,215 @@
+Template: postfix/dynamicmaps_upgrade_warning
+Type: boolean
+_Description: Correct dynamicmaps.cf for upgrade?
+ Postfix version 2.0.2 and later require changes in dynamicmaps.cf.
+ Specifically, wildcard support is gone, and with it, %s expansion.  Any
+ changes that you made to dynamicmaps.cf that relied on these features will
+ need to be fixed by you.  Failure to correct these will result in a broken
+ mailer.
+ .
+ Should dynamicmaps.cf be automatically changed?  Decline this option to
+ abort the upgrade, giving you the opportunity to eliminate wildcard and
+ %s-expansion-dependent configuration.  Accept this option if you have no
+ such configuration, and automatically make dynamicmaps.cf compatible with
+ Postfix 2.0.2 in this respect.
+
+Template: postfix/master_upgrade_warning
+Type: boolean
+_Description: Correct master.cf for upgrade?
+ Postfix version 2.1 and later require new services in master.cf.
+ .
+ Should this configuration be automatically added to master.cf?  Decline
+ this option to abort the upgrade, giving you the opportunity to add this
+ configuration yourself.  Accept this option to automatically make
+ master.cf compatible with Postfix 2.1 in this respect.
+
+Template: postfix/nqmgr_upgrade_warning
+Type: boolean
+_Description: Correct master.cf for upgrade?
+ Postfix version 2.1 renamed "nqmgr" to "qmgr", and you are using "nqmgr".
+ .
+ Failure to fix this will result in a broken mailer.  Decline this option
+ to abort the upgrade, giving you the opportunity to add this configuration
+ yourself.  Accept this option to automatically make master.cf compatible
+ with Postfix 2.1 in this respect.
+
+Template: postfix/db_upgrade_warning
+Type: boolean
+Default: true
+_Description: Should Postfix upgrade hash and btree maps?
+ Postfix has switched to db4, and this may require maps to be upgraded. 
+ .
+ Do you want to automatically attempt the conversion?
+
+Template: postfix/transport_map_warning
+Type: note
+_Description: Transport map incompatibility
+ You have a transport map defined, and there is an incompatible change in
+ how transport maps are used.  Postfix will not be restarted automatically.
+ .
+ Transport map entries override $mydestination.  If you use transport maps,
+ it is better to always have explicit entries for all domain names you have
+ in $mydestination.  See the html/faq.html sections for firewalls and
+ intranets.  If you have transport entries for parent domains of anything
+ delivered locally, you will probably need to add specific entries for the
+ destination domains before you restart Postfix.
+
+Template: postfix/rfc1035_violation
+Type: boolean
+Default: false
+_Description: Bad entry, try again?
+ The string you have entered
+ .
+ "${enteredstring}"
+ .
+ does not follow RFC 1035 and does not appear to be a valid IP address.
+ .
+ RFC 1035 states that "each component must start with an alphanum, end with
+ an alphanum and contain only alphanums and hyphens. Components must be
+ separated by full stops."
+ .
+ Do you want to keep it anyways?
+
+Template: postfix/main_mailer_type
+Type: select
+_Choices: No configuration, Internet Site, Internet with smarthost, Satellite system, Local only
+Default: Internet Site
+_Description: General type of configuration?
+ You have several choices for general configuration at this point.  If you
+ have your debconf priority set to 'low' or 'medium', you will be asked
+ more questions later.  You can always run "dpkg-reconfigure --priority=low
+ postfix" at a later point if you want to see these questions again.
+ .
+ No configuration - IF YOU WANT THE INSTALL TO LEAVE YOUR CONFIG ALONE,
+ CHOOSE THIS OPTION.  No configuration changes will be done now:  If you
+ have not already configured Postfix, your mail system will be broken and
+ should not be used. You must then do the configuration yourself by editing
+ /usr/share/postfix/main.cf.dist and saving your changes as
+ /etc/postfix/main.cf, or by running dpkg-reconfigure Postfix.  main.cf
+ will not be modified by the Postfix install process.
+ .
+ Internet site - mail is sent and received directly using SMTP. If your
+ needs don't fit neatly into any category, you probably want to start with
+ this one and then edit the config file by hand.
+ .
+ Internet site using smarthost - You receive Internet mail on this machine,
+ either directly by SMTP or by running a utility such as fetchmail.
+ Outgoing mail is sent using a smarthost. optionally with addresses
+ rewritten. This is probably what you want for a dialup system.
+ .
+ Satellite system - All mail is sent to another machine, called a "smart
+ host" for delivery. root and postmaster mail is delivered according to
+ /etc/aliases. No mail is received locally.
+ .
+ Local delivery only - You are not on a network.  Mail for local users is
+ delivered.
+
+Template: postfix/not_configured
+Type: note
+_Description: WARNING: Postfix not configured
+ You have chosen "No Configuration" - Postfix will not be configured and
+ will not be started by default.  Please run 'dpkg-reconfigure postfix' at
+ a later date, or configure it yourself by:
+ .
+ 1) Editing /etc/postfix/main.cf to your liking
+ .
+ 2) Running /etc/init.d/postfix start
+
+Template: postfix/mailname
+Type: string
+_Default: /etc/mailname
+_Description: Mail name?
+ Your `mail name' is the hostname portion of the address to be shown on
+ outgoing news and mail messages (following the username and @ sign).
+ .
+ This name will be used by other programs besides Postfix; it should be the
+ single, full domain name (FQDN) from which mail will appear to originate.
+
+Template: postfix/destinations
+Type: string
+_Description: Other destinations to accept mail for? (blank for none)
+ Give a comma-separated list of domains that this machine should consider
+ itself the final destination for.  If this is a mail domain gateway, you
+ probably want to include the top-level domain.
+
+Template: postfix/relayhost
+Type: string
+_Description: SMTP relay host? (blank for none)
+ Specify a domain, host, host:port, [address] or [address]:port. Use the
+ form [destination] to turn off MX lookups.  Leave this blank for no relay
+ host.
+ .
+ The relayhost parameter specifies the default host to send mail to when no
+ entry is matched in the optional transport(5) table. When no relayhost is
+ given, mail is routed directly to the destination.
+
+Template: postfix/procmail
+Type: boolean
+_Description: Use procmail for local delivery?
+ Do you want to use procmail to deliver local mail?
+ .
+ Note that if you use procmail to deliver mail system-wide, you should set
+ up an alias that forwards mail for root to a real user.
+
+Template: postfix/recipient_delim
+Type: string
+_Default: +
+_Description: Local address extension character?
+ What character defines a local address extension?
+ .
+ To not use address extensions, leave the string blank.
+
+Template: postfix/bad_recipient_delimiter
+Type: note
+_Description: Bad recipient delimiter
+ The recipient delimiter is a single character, you entered too many
+ characters.  Please try again.
+ .
+ "${enteredstring}"
+
+Template: postfix/chattr
+Type: boolean
+_Default: false
+_Description: Force synchronous updates on mail queue?
+ If synchronous updates are forced, then mail is processed more slowly.
+ If not forced, then there is a remote chance of losing some mail if
+ the system crashes at an inopportune time, and you are not using a
+ journaled filesystem (such as ext3).
+ .
+ The default is "off".
+
+Template: postfix/mynetworks
+Type: string
+_Default: 127.0.0.0/8
+_Description: Local networks?
+ For what network blocks should this machine relay mail?  The default is
+ just the local host, which is needed by some mail user agents.
+ .
+ If this is a smarthost for a block of machines, you need to specify the
+ netblocks here, or mail will be rejected rather than relayed.
+ .
+ To use the postfix default (which is based on connected networks), enter
+ an empty string.
+
+Template: postfix/mailbox_limit
+Type: string
+_Default: 0
+_Description: Mailbox size limit
+ What limit should Postfix place on mailbox files to prevent runaway
+ software errors.  A value of zero (0) means no limit.  (The upstream
+ default is 51200000.)
+
+Template: postfix/root_address
+Type: string
+_Default: NONE
+_Description: Where should mail for root go
+ The user root (and any other users with a uid of 0) must have mail
+ redirected via an alias, or their mail may be delivered to
+ /var/mail/nobody.  This is by design:  mail is not delivered to external
+ delivery agents as root.
+ .
+ If you already have a /etc/aliases file, then you possibly need to add
+ this entry.  (I will only add it if I am creating a new /etc/aliases.)
+ .
+ What address should I add to /etc/aliases, if I create the file?  (Enter
+ NONE to not add one.)
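Review bot: the postfix/mynetworks template ("Local networks?") offers the empty string as the way to get the upstream default without saying what that default is: Postfix's default mynetworks_style is "subnet", which trusts every host on each directly attached network, and on a shared or public segment that makes this host an open relay for its neighbours. The third paragraph should spell that out, for example "To use the postfix default (which trusts all hosts on every directly connected network, not just this one) enter an empty string", and steer the reader toward the explicit netblock list as the safe choice. Separately, postfix/mailbox_limit defaults to 0 while the text itself notes the upstream default of 51200000; shipping "no limit" removes the guard against a runaway mailbox filling the spool, so either default to the upstream value or state why unlimited is preferred in this packaging.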

Added: trunk/postfix/debian/tls-patch
===================================================================
--- trunk/postfix/debian/tls-patch	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/tls-patch	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,42 @@
+diff -ur src/lmtp.tls.orig/Makefile.in src/lmtp.tls/Makefile.in
+--- src/lmtp.tls.orig/Makefile.in	2003-03-16 21:38:09.000000000 -0700
++++ src/lmtp.tls/Makefile.in	2003-03-16 21:36:10.000000000 -0700
+@@ -13,7 +13,7 @@
+ DEFS	= -I. -I$(INC_DIR) -D$(SYSTYPE)
+ CFLAGS	= $(DEBUG) $(OPT) $(DEFS)
+ TESTPROG=
+-PROG	= lmtp
++PROG	= lmtp.tls
+ INC_DIR	= ../../include
+ LIBS	= ../../lib/libmaster.a ../../lib/libglobal.a ../../lib/libdns.a ../../lib/libutil.a
+ 
+diff -ur src/smtp.tls.orig/Makefile.in src/smtp.tls/Makefile.in
+--- src/smtp.tls.orig/Makefile.in	2003-03-16 21:38:10.000000000 -0700
++++ src/smtp.tls/Makefile.in	2003-03-16 21:36:10.000000000 -0700
+@@ -13,9 +13,9 @@
+ DEFS	= -I. -I$(INC_DIR) -D$(SYSTYPE)
+ CFLAGS	= $(DEBUG) $(OPT) $(DEFS)
+ TESTPROG= smtp_unalias
+-PROG	= smtp
++PROG	= smtp.tls
+ INC_DIR	= ../../include
+-LIBS	= ../../lib/libmaster.a ../../lib/libglobal.a ../../lib/libdns.a ../../lib/libutil.a
++LIBS	= ../../lib/libmaster.a ../../lib/libglobal.a ../../lib/libdns.a ../../lib/libutil.a ../../lib/pfixtls.o
+ 
+ .c.o:;	$(CC) $(CFLAGS) -c $*.c
+ 
+diff -ur src/smtpd.tls.orig/Makefile.in src/smtpd.tls/Makefile.in
+--- src/smtpd.tls.orig/Makefile.in	2003-03-16 21:38:10.000000000 -0700
++++ src/smtpd.tls/Makefile.in	2003-03-16 21:36:11.000000000 -0700
+@@ -12,9 +12,9 @@
+ DEFS	= -I. -I$(INC_DIR) -D$(SYSTYPE)
+ CFLAGS	= $(DEBUG) $(OPT) $(DEFS)
+ TESTPROG= smtpd_token smtpd_check
+-PROG	= smtpd
++PROG	= smtpd.tls
+ INC_DIR	= ../../include
+-LIBS	= ../../lib/libmaster.a ../../lib/libglobal.a ../../lib/libdns.a ../../lib/libutil.a
++LIBS	= ../../lib/libmaster.a ../../lib/libglobal.a ../../lib/libdns.a ../../lib/libutil.a ../../lib/pfixtls.o
+ 
+ .c.o:;	$(CC) $(CFLAGS) -c $*.c
+ 
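Review bot: in the src/lmtp.tls/Makefile.in hunk, PROG is renamed to lmtp.tls but LIBS is left unchanged, whereas the src/smtp.tls and src/smtpd.tls hunks both append ../../lib/pfixtls.o to LIBS. As written, lmtp.tls is built without the TLS object that the other two programs link in, so either the rename is misleading or the link line is incomplete; add `../../lib/pfixtls.o` to the lmtp LIBS line as the other two hunks do, or drop the rename and note that LMTP is intentionally left without TLS. Also, this file sits at debian/tls-patch rather than under debian/patches/ and carries no dpatch header, so the 00list series will not apply it; the build rules need to document where the src/*.tls copies of the lmtp, smtp and smtpd directories come from and at which point this patch is applied to them.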

Added: trunk/postfix/debian/update-libc.d
===================================================================
--- trunk/postfix/debian/update-libc.d	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/update-libc.d	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1,9 @@
+#!/bin/sh -e
+
+# make sure we're still here...
+[ -x /usr/sbin/postconf ] || exit 0
+
+cp /etc/resolv.conf $(/usr/sbin/postconf -h queue_directory)/etc/resolv.conf
+/etc/init.d/postfix reload >/dev/null 2>&1
+
+exit 0
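Review bot: under `#!/bin/sh -e` both commands after the postconf check can abort the hook with a non-zero status, which defeats the trailing `exit 0` that a libc upgrade hook is meant to end with. If `/etc/init.d/postfix reload` fails (for instance because Postfix is stopped during the upgrade), the script exits before reaching `exit 0`; append `|| true` to the reload line. Likewise the unquoted `$(/usr/sbin/postconf -h queue_directory)` collapses to `cp /etc/resolv.conf /etc/resolv.conf` if postconf prints nothing, which cp rejects and -e turns into a failure, and the copy is attempted even when the queue directory has no chrooted etc/ to refresh. Suggest replacing the cp line with:
qd="$(/usr/sbin/postconf -h queue_directory)"
[ -n "$qd" ] && [ -d "$qd/etc" ] || exit 0
cp /etc/resolv.conf "$qd/etc/resolv.conf"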

Added: trunk/postfix/debian/vars.in
===================================================================
--- trunk/postfix/debian/vars.in	2006-01-13 09:47:54 UTC (rev 137)
+++ trunk/postfix/debian/vars.in	2006-01-13 09:53:12 UTC (rev 138)
@@ -0,0 +1 @@
+Description=Postfix is Wietse Venema's mail transport agent that started life as an${Newline} alternative to the widely-used Sendmail program.  Postfix attempts to${Newline} be fast, easy to administer, and secure, while at the same time being${Newline} sendmail compatible enough to not upset existing users. Thus, the outside${Newline} has a sendmail-ish flavor, but the inside is completely different.




More information about the pkg-kolab-devel mailing list