[pkg-kolab] r837 - in postfix/trunk/debian: . patches po

noel at alioth.debian.org noel at alioth.debian.org
Fri May 2 10:36:07 UTC 2008


Author: noel
Date: 2008-05-02 10:36:05 +0000 (Fri, 02 May 2008)
New Revision: 837

Added:
   postfix/trunk/debian/compat
   postfix/trunk/debian/main.cf.in
   postfix/trunk/debian/patches/10man-names.dpatch
   postfix/trunk/debian/patches/10myorigin.dpatch
   postfix/trunk/debian/patches/10postfix-script.dpatch
   postfix/trunk/debian/patches/10tls.dpatch
   postfix/trunk/debian/patches/10tlsmgr.dpatch
   postfix/trunk/debian/patches/10warnings.dpatch
   postfix/trunk/debian/patches/30hurd.dpatch
   postfix/trunk/debian/po/ca.po
   postfix/trunk/debian/po/gl.po
   postfix/trunk/debian/po/pt.po
   postfix/trunk/debian/po/sv.po
   postfix/trunk/debian/po/vi.po
   postfix/trunk/debian/postfix-cdb.README.Debian
   postfix/trunk/debian/postfix-cdb.copyright
   postfix/trunk/debian/postfix-cdb.dirs
   postfix/trunk/debian/postfix-cdb.files
   postfix/trunk/debian/postfix-cdb.postinst
   postfix/trunk/debian/postfix-cdb.prerm
   postfix/trunk/debian/postfix.config
   postfix/trunk/debian/postfix.copyright
   postfix/trunk/debian/postfix.postinst
   postfix/trunk/debian/postfix.postrm
   postfix/trunk/debian/postfix.preinst
   postfix/trunk/debian/postfix.prerm
   postfix/trunk/debian/postfix.shlibs
   postfix/trunk/debian/postfix_groups.pl
Removed:
   postfix/trunk/debian/conffiles
   postfix/trunk/debian/config
   postfix/trunk/debian/copyright
   postfix/trunk/debian/patches/10hostname.dpatch
   postfix/trunk/debian/patches/50tls.dpatch
   postfix/trunk/debian/patches/60hpux.dpatch
   postfix/trunk/debian/patches/master.cf.local
   postfix/trunk/debian/postfix-tls.copyright
   postfix/trunk/debian/postfix-tls.dirs
   postfix/trunk/debian/postfix-tls.postinst
   postfix/trunk/debian/postfix-tls.postrm
   postfix/trunk/debian/postfix-tls.preinst
   postfix/trunk/debian/postfix-tls.prerm
   postfix/trunk/debian/postinst
   postfix/trunk/debian/postrm
   postfix/trunk/debian/preinst
   postfix/trunk/debian/prerm
   postfix/trunk/debian/shlibs
   postfix/trunk/debian/tls-patch
Modified:
   postfix/trunk/debian/README.Debian
   postfix/trunk/debian/arch-version
   postfix/trunk/debian/changelog
   postfix/trunk/debian/control
   postfix/trunk/debian/dirs
   postfix/trunk/debian/functions
   postfix/trunk/debian/init.d
   postfix/trunk/debian/ip-down.d
   postfix/trunk/debian/ip-up.d
   postfix/trunk/debian/lintian-override
   postfix/trunk/debian/patches/00list
   postfix/trunk/debian/patches/10cyrus.dpatch
   postfix/trunk/debian/patches/10greylist.dpatch
   postfix/trunk/debian/patches/10main.cf.dpatch
   postfix/trunk/debian/patches/10man.dpatch
   postfix/trunk/debian/patches/10master.cf.dpatch
   postfix/trunk/debian/patches/10rmail.dpatch
   postfix/trunk/debian/patches/10smtplinelength.dpatch
   postfix/trunk/debian/patches/20maps.dpatch
   postfix/trunk/debian/patches/40-kolab-ldap-leafonly.dpatch
   postfix/trunk/debian/po/cs.po
   postfix/trunk/debian/po/de.po
   postfix/trunk/debian/po/es.po
   postfix/trunk/debian/po/fr.po
   postfix/trunk/debian/po/it.po
   postfix/trunk/debian/po/ja.po
   postfix/trunk/debian/po/nl.po
   postfix/trunk/debian/po/pt_BR.po
   postfix/trunk/debian/po/ru.po
   postfix/trunk/debian/po/templates.pot
   postfix/trunk/debian/postfix-doc.dirs
   postfix/trunk/debian/postfix-ldap.README.Debian
   postfix/trunk/debian/rules
   postfix/trunk/debian/templates
Log:
etch version of postfix with two additional postfix patches: 30-kolab.dpatch and 40-kolab-ldap-leafonly.dpatch

Modified: postfix/trunk/debian/README.Debian
===================================================================
--- postfix/trunk/debian/README.Debian	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/README.Debian	2008-05-02 10:36:05 UTC (rev 837)
@@ -2,12 +2,20 @@
 and the source from upstream:
 
 1.  The Debian install is chrooted by default.
-2.  IPV6 support is present and enabled.
-3.  TLS/SASL support is found in the postfix-tls package.
-4.  Dynamically loadable map support.
-5.  For policy reasons:
-  a. SASL configuration is found in /etc/postfix/sasl
+2.  Dynamically loadable map support.
+3.  For policy reasons:
+  a. SASL configuration goes in /etc/postfix/sasl
   b. myhostname=/path/to/file is supported (and used) in main.cf
+4.  smtp_line_length_limit defaults to 0, instead of 990, in absolute
+    violation of the RFC.  Note that mailers in the path will still
+    potentially split the line, though.  This will be removed at some
+    point in the future.
+5.  IPV6 support is enabled: postfix listens on ipv6/ipv4 by default,
+    (see: inet_protocols)
+6.  TLS/SASL support is enabled.
+7.  rmail comes from sendmail, not from postfix.
+8.  The upstream main.cf is delivered as /usr/share/postfix/main.cf.dist,
+    rather than cluttering /etc/postfix/main.cf with comments.
 
 Known caveats:
 1.  The dynamically loadable modules are not found in the chroot.
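Review bot: item 4 of the rewritten list says smtp_line_length_limit is set to 0 "in absolute violation of the RFC" but names neither the RFC nor the way back. Since 0 disables the line-length limit entirely, the README should tell an admin who wants upstream behaviour to put `smtp_line_length_limit = 990` back into /etc/postfix/main.cf and run `postfix reload`, and should name what is being violated (the 1000-octet text line limit of RFC 2821, section 4.5.3.1). Two smaller points in the same hunk: item 3a now says SASL configuration goes in /etc/postfix/sasl, while the 2.2.2-1 entry in the changelog imported by this same commit speaks of /etc/postfix/sasl2 and the 2.3.4-1 entry records a split of SASL conf and plugin directories, so confirm the path stated here is what the 2.3.8 packaging actually installs; and item 5 has a stray comma before "(see: inet_protocols)" and writes "IPV6" where Postfix's own documentation writes "IPv6".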

Modified: postfix/trunk/debian/arch-version
===================================================================
--- postfix/trunk/debian/arch-version	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/arch-version	2008-05-02 10:36:05 UTC (rev 837)
@@ -1 +1 @@
-lamont at debian.org--2004/postfix--debian--2.1--patch-6
+lamont at debian.org--2005/postfix--merged--2.3--patch-81

Modified: postfix/trunk/debian/changelog
===================================================================
--- postfix/trunk/debian/changelog	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/changelog	2008-05-02 10:36:05 UTC (rev 837)
@@ -1,17 +1,576 @@
-postfix (2.1.5-10kolab2) unstable; urgency=low
+postfix (2.3.8-3~kolab.credativ1) etch-backport; urgency=low
 
-  * Build for Kolab sarge
-  * Add patch (40-kolab-ldap-leafonly.dpatch)
+  * etch backport with kolab Patch:
+    - 30-kolab.dpatch
+    - 40-kolab-ldap-leafonly.dpatch
 
- -- Noèl Köthe <noel.koethe at credativ.de>  Tue, 27 Jun 2006 13:24:31 +0200
+ -- Noèl Köthe <noel.koethe at credativ.de>  Fri, 02 May 2008 11:30:48 +0200
 
-postfix (2.1.5-10kolab1) unstable; urgency=low
+postfix (2.3.8-2) unstable; urgency=low
 
-  * Build for Kolab
-  * Add patch (30-kolab.dpatch)
+  * Updated Czech debconf template.  Closes: #414392
 
- -- Steffen Joeris <steffen.joeris at skolelinux.de>  Wed, 11 Jan 2006 15:55:55 +0000
+ -- LaMont Jones <lamont at debian.org>  Mon, 12 Mar 2007 22:42:23 -0600
 
+postfix (2.3.8-1) unstable; urgency=low
+
+  * New upstream version:
+    - Workaround: GNU POP3D creates a new mailbox and deletes the
+      old one. Postfix now backs off and retries delivery later,
+      instead of appending mail to a deleted file.  File:
+      global/mbox_open.c.
+    - Workaround: Disable SSL/TLS ciphers when the underlying
+      symmetric algorithm is not available in the OpenSSL crypto
+      library at the required bit strength. Problem observed with
+      SunOS 5.10's bundled OpenSSL 0.9.7 and AES 256. Also possible
+      with OpenSSL 0.9.8 and CAMELLIA 256. Root cause fixed in
+      upcoming OpenSSL 0.9.7m, 0.9.8e and 0.9.9 releases. Victor
+      Duchovni, Morgan Stanley. Files: src/smtp/smtp_proto.c,
+      src/smtpd/smtpd.c, src/tls/tls.h, src/tls/tls_client.c,
+      src/tls/tls_misc.c and src/tls/tls_server.c.
+  * Correct check for new (empty) answer to root alias debconf question.
+    Introduced in 2.3.6-2.  Closes: #413610, #413086
+
+ -- LaMont Jones <lamont at debian.org>  Mon,  5 Mar 2007 21:43:22 -0700
+
+postfix (2.3.7-4) unstable; urgency=low
+
+  * New russian, portugese, spanish, galician debconf templates.
+    Closes: #411941, #412205, #412413, #412494
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 26 Feb 2007 14:04:32 -0700
+
+postfix (2.3.7-3) unstable; urgency=low
+
+  * Really fix update-inetd's verboseness, by running it after dh_stop.
+    Closes: #410871
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 14 Feb 2007 21:41:37 -0700
+
+postfix (2.3.7-2) unstable; urgency=low
+
+  * Don't let update-inetd spew garbage to debconf.  Closes: #410871
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 13 Feb 2007 21:47:27 -0700
+
+postfix (2.3.7-1) unstable; urgency=low
+
+  * New upstream version
+    - Bugfix (introduced Postfix 2.3): when creating an alias map
+      on a NIS-enabled system, don't case-fold the YP_MASTER_NAME
+      and YP_LAST_MODIFIED lookup keys. This requires that an
+      application can turn off case folding on the fly. This is
+      a point fix. A complete fix requires updates to other map
+      types and to the proxymap protocol, which is too much change
+      for a stable release.
+    - Bugfix (introduced 20011008): after return from a nested
+      access restriction, possible longjump into exited stack
+      frame upon configuration error or table lookup error.
+    - Workaround: don't insert empty-line header/body separator
+      into malformed MIME attachments, to avoid breaking digital
+      signatures. This change introduces ambiguity. Postfix still
+      treats the remainder of the attachment as body content;
+      header_checks rules will not detect forbidden MIME types
+      inside a message/rfc822 attachment.  With the empty-line
+      header/body separator no longer inserted by Postfix, other
+      software may process the malformed attachment differently,
+      and thus may become exposed to forbidden MIME types.  This
+      is back-ported from Postfix 2.4.
+    - Bugfix: match lists didn't implement ![ipv6address].
+  * New fr.po
+  * Updated postfix_groups.pl.  Closes: #409009, #409010
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 31 Jan 2007 12:45:49 -0700
+
+postfix (2.3.6-2) unstable; urgency=low
+
+  * Fix preinst checking mydomain.  Closes: #407790, #408089
+  * Deal with debconf silliness.  Closes: #387646
+  * Don't directly call initscript in prerm.
+  * Updated Dutch, Czech, Galician templates. Closes: #407433, #407832, #407959
+  * Change the "I'm stupid enough to not want a root alias" answer from the
+    localization-problematic 'NONE' to the empty string, and mark it
+    non-translatable.  Closes: #389675
+    - changes to ca.po, de.po, gl.po, ja.po, nl.po for same
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 23 Jan 2007 07:46:45 -0700
+
+postfix (2.3.6-1) unstable; urgency=low
+
+  * New upstream version
+  * French debconf template.  Closes: #404132
+  * Galician debconf template.  Closes: #404573
+  * fix typos in debconf messages.  Closes: #399916
+  * Catalan debconf template.  Closes: #405320
+
+ -- LaMont Jones <lamont at debian.org>  Fri,  5 Jan 2007 19:31:31 -0700
+
+postfix (2.3.5-3) unstable; urgency=low
+
+  * Fix typo.  Closes: #403121
+  * German translation update.  Closes: #403310
+
+ -- LaMont Jones <lamont at debian.org>  Sat, 16 Dec 2006 06:30:17 -0700
+
+postfix (2.3.5-2) unstable; urgency=low
+
+  * Don't call update-inetd in postinst if it's not there.  Fixes Ubuntu
+    bug #73511.  Not yet reported in Debian.
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 13 Dec 2006 09:04:10 -0700
+
+postfix (2.3.5-1) unstable; urgency=low
+
+  * New upstream version
+  * mydomain needs some cleanup if we're upgrading from < 2.3.5-1 on a machine
+    where hostname(2) is a short name.  Bug introduced in 2.3.3-2.  Closes: #402788
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 12 Dec 2006 15:33:53 -0700
+
+postfix (2.3.4-3) unstable; urgency=high
+
+  * Fix broken tls patch.  Closes: #397771, #398534
+
+ -- LaMont Jones <lamont at debian.org>  Wed,  6 Dec 2006 14:09:25 -0700
+
+postfix (2.3.4-2) unstable; urgency=low
+
+  * Fix sasl patch.. Thanks again to Fabian Fagerholm. Closes: #398245
+  * New ja.po.  Closes: #398599
+  * New de.po.  Closes: #399918
+  * New fr.po.  Closes: #399998
+
+ -- LaMont Jones <lamont at debian.org>  Thu, 23 Nov 2006 22:53:16 -0700
+
+postfix (2.3.4-1) unstable; urgency=low
+
+  * SASL split conf and plugin directories.  Thanks to Fabian Fagerholm for
+    the patch.  Closes: #397771
+  * New upstream version.
+
+ -- LaMont Jones <lamont at debian.org>  Thu,  9 Nov 2006 10:36:45 -0700
+
+postfix (2.3.3-4) unstable; urgency=low
+
+  * Empty /etc/mailname was incorrectly handled.  Closes: #387641
+  * updated spanish,french translations.  Closes: #393770, #391884
+  * also copy /etc/nss_mdns.config into the chroot.  Closes: #393716
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 18 Oct 2006 10:46:48 -0600
+
+postfix (2.3.3-3) unstable; urgency=low
+
+  * Fix rfc1035_violation template entry.  Closes: #393087
+  * Add catalan transations. (debian/po/ca.po)  Closes: #393090
+  * Need to have libcdb1, not just tinycdb without the .so
+  * Fix postfix-cdb so that it actually works.
+
+ -- LaMont Jones <lamont at debian.org>  Sun, 15 Oct 2006 21:11:54 -0600
+
+postfix (2.3.3-2) unstable; urgency=low
+
+  * Add postfix-cdb package, which supports tinycdb maps.
+    Closes: #183163
+  * Detect and die nicely on emty myorigin file.  Closes: #322602
+  * Drop 10hostname.dpatch, which was only needed for installing
+    postfix inside of debian-installer.  Closes: #333646
+  * cleanup confusing debconf question.  Closes: #387646
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 19 Sep 2006 09:04:02 -0600
+
+postfix (2.3.3-1) unstable; urgency=low
+
+  * New upstream version with various bug fixes.
+  * use invoke-rc.d in preinst.  Closes: #381167
+  * Suggest: resolvconf
+  * Fix section 8postfix man page headers to say '8postfix', to fix lintian
+    errors.
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 29 Aug 2006 08:49:35 -0600
+
+postfix (2.3.2-1) unstable; urgency=low
+
+  * New upstream version: more milter fixes.
+  * Update japanese translations.  Closes: #379951
+  * Move prng_exch back to $queue_directory from /etc (where it
+    lived for all of 2.2...)  Closes: #380285
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 31 Jul 2006 23:50:43 -0600
+
+postfix (2.3.1-1) unstable; urgency=low
+
+  * New upstream.
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 24 Jul 2006 23:42:21 -0600
+
+postfix (2.3.0-2) unstable; urgency=low
+
+  * init script needs to deal with queue_directory being non-standard.
+    Closes: #379357
+  * Fix .so-using man pages.  Closes: #358935
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 24 Jul 2006 10:42:18 -0600
+
+postfix (2.3.0-1) unstable; urgency=low
+
+  * New upstream release.  Closes: #378074, #378109
+    Thanks to Pascal A Dupuis for the patch migration work.
+
+ -- LaMont Jones <lamont at debian.org>  Thu, 13 Jul 2006 08:28:02 -0600
+
+postfix (2.3-20060611-1) experimental; urgency=low
+
+  * New upstream release
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 14 Jun 2006 15:15:50 -0600
+
+postfix (2.2.10-2) unstable-UNRELEASED; urgency=low
+
+  * Drop conffiles listed under /etc, since debhelper does that for us now.
+    Closes: #356768
+  * Add portugese translations.  Close: #363134
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 19 Apr 2006 11:37:05 -0600
+
+postfix (2.3-20060405-1) experimental; urgency=low
+
+  * New upstream version
+
+ -- LaMont Jones <lamont at debian.org>  Fri,  7 Apr 2006 08:38:45 -0600
+
+postfix (2.2.10-1) unstable; urgency=low
+
+  * New upstream version
+  * Add Galician debconf translations.  Closes: #361255
+
+ -- LaMont Jones <lamont at debian.org>  Fri,  7 Apr 2006 08:20:32 -0600
+
+postfix (2.2.9-4) unstable; urgency=low
+
+  * When lo is configured, don't bother having i[pf]-up.d/postfix
+    restart postfix.  Thanks to Scott James Remnant.
+
+ -- LaMont Jones <lamont at debian.org>  Wed,  5 Apr 2006 23:28:58 -0600
+
+postfix (2.3-20060403-1) experimental; urgency=low
+
+  * New upstream version
+
+ -- LaMont Jones <lamont at debian.org>  Wed,  5 Apr 2006 22:42:03 -0600
+
+postfix (2.2.9-3) unstable; urgency=low
+
+  * Don't override the admin's changes to inet_protocols.  Closes: #359272
+  * Update description of satellite system, including in several
+    translations.  Closes: #359271
+  * Add buildsystem support for Hurd.  Closes: #356392
+  * New Czech translations.  Closes: #356559
+  * Include fixes for pcre maps and sendmail -t/MIME issues.
+    - Workaround: null-terminate the input after stripping CR,
+      and before passing the input to the MIME processor. Leandro
+      Santi. The fix, a rewrite of the MIME processor input
+      handling, is too much change for a stable release. File:
+      sendmail/sendmail.c.
+    - Workaround: the PCRE library reports an inappropriate error
+      code (invalid substring) when $number refers to a valid ()
+      expression that matches the null string. This caused fatal
+      run-time errors.  File: dict_pcre.c.
+
+ -- LaMont Jones <lamont at debian.org>  Wed,  5 Apr 2006 22:22:16 -0600
+
+postfix (2.3-20060315-1) experimental; urgency=low
+
+  * New upstream
+
+ -- LaMont Jones <lamont at debian.org>  Sat, 18 Mar 2006 22:55:36 -0700
+
+postfix (2.2.9-1) unstable; urgency=low
+
+  * New upstream, fixes various TLS/SASL bugs.
+
+ -- LaMont Jones <lamont at debian.org>  Fri, 24 Feb 2006 10:10:26 -0700
+
+postfix (2.2.8-10) unstable; urgency=low
+
+  * Don't call permit_sasl_auth in smtpd checks if sasl is not enabled.
+    Thanks to Sven Mueller <debian at incase.de> and Victor Duchovni.
+    Closes: #351675
+  * if ssl-cert created a cert, then configure smtpd to use it (only
+    on fresh installation)
+  * make sure usr/lib/zoneinfo exists in the chroot before using it.
+    Closes: #163861
+  * init.d start must return 0 when already running.  Closes: #351466
+  * Make mydomain selection in postinst conform to resolver library method.
+    Closes: #351937
+
+ -- LaMont Jones <lamont at debian.org>  Thu, 23 Feb 2006 11:08:23 -0700
+
+postfix (2.3-20060207-1) experimental; urgency=low
+
+  * New upstream
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 13 Feb 2006 08:59:02 -0700
+
+postfix (2.3-20060126-1) experimental; urgency=low
+
+  * Merge in 2.2.8-9 fix
+
+ -- LaMont Jones <lamont at debian.org>  Sat, 28 Jan 2006 08:36:19 -0700
+
+postfix (2.2.8-9) unstable; urgency=low
+
+  * ifup/down need to deal with /var not being writable (by exiting).
+    Closes: launchpad.net/29925
+
+ -- LaMont Jones <lamont at debian.org>  Sat, 28 Jan 2006 08:33:43 -0700
+
+postfix (2.3-20060126-0) experimental; urgency=low
+
+  * New upstream version
+  * add the now-necessary -DUSE_CYRUS_SASL.  Closes: #350151
+  * deliver lmtp symlink.  Closes: #350158
+
+ -- LaMont Jones <lamont at debian.org>  Fri, 27 Jan 2006 12:06:49 -0700
+
+postfix (2.2.8-8) unstable; urgency=low
+
+  * init.d stop needs to be more thurough in killing master.  Closes: #349950
+  * ifup should be quiet when /usr is not mounted.  Closes launchpad.net/29788
+
+ -- LaMont Jones <lamont at debian.org>  Fri, 27 Jan 2006 12:09:43 -0700
+
+postfix (2.3-20060123-0) experimental; urgency=low
+
+  * New upstream version
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 23 Jan 2006 16:40:28 -0700
+
+postfix (2.2.8-7) unstable; urgency=low
+
+  * Drop /dev/{u,}random creation, add a note to
+    /usr/share/doc/postfix-ldap/README.Debian.  Closes: #349244
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 23 Jan 2006 16:50:56 -0700
+
+postfix (2.2.8-6) unstable; urgency=low
+
+  * postfix startup issues.  Closes: #348645
+  * copy /dev/random and /dev/urandom into the chroot for ldaps.
+    Closes: #348835.
+
+ -- LaMont Jones <lamont at debian.org>  Thu, 19 Jan 2006 10:40:40 -0700
+
+postfix (2.2.8-5) unstable; urgency=low
+
+  * maildrop lives in /usr/bin, not /usr/local/bin.  Ubuntu Bug#25069
+  * bump standards version.  Closes: #318913
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 16 Jan 2006 14:33:48 -0700
+
+postfix (2.3-20060112-0) experimental; urgency=low
+
+  * New upstream
+
+ -- LaMont Jones <lamont at debian.org>  Thu, 12 Jan 2006 16:19:40 -0700
+
+postfix (2.3-20060103-0.1) experimental; urgency=low
+
+  * resync with 2.2
+
+ -- LaMont Jones <lamont at debian.org>  Mon,  9 Jan 2006 18:12:21 -0700
+
+postfix (2.2.8-4) unstable; urgency=low
+
+  * Fix init.d cleanup patch
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 11 Jan 2006 14:59:00 -0700
+
+postfix (2.2.8-3) unstable; urgency=low
+
+  * Make init.d script closer to upstream.
+  * French and swedish debconf translations.  Closes: #347609, #347619
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 11 Jan 2006 13:26:03 -0700
+
+postfix (2.3-20060103-0) experimental; urgency=low
+
+  * New upstream.
+
+ -- LaMont Jones <lamont at debian.org>  Mon,  9 Jan 2006 18:12:21 -0700
+
+postfix (2.2.8-2) unstable; urgency=low
+
+  * Fix shlib symlink error.
+
+ -- LaMont Jones <lamont at debian.org>  Thu,  5 Jan 2006 17:42:59 -0700
+
+postfix (2.2.8-1) unstable; urgency=low
+
+  * New upstream version
+    - an EHLO I/O error after STARTTLS was reported as STARTTLS error
+    - the *SQL, proxy and LDAP maps were not defined in user-land
+      commands such as postqueue
+    - regex maps didn't correctly convert $$ -> $ in some cases
+    - Anvil server terminated after max_idle seconds
+    - 2.2.6 server garbage response code caused delivery problems,
+      turned off.
+
+ -- LaMont Jones <lamont at debian.org>  Thu,  5 Jan 2006 00:07:53 -0700
+
+postfix (2.2.7-2) unstable; urgency=low
+
+  * Make mailman service run privileged.  sigh.  Closes: #315939
+  * Add comment about myorigin=/etc/mailname being the default to main.cf
+  * Document /usr/share/postfix/main.cf.dist in README.Debian.
+  * Really listen on ipv6 ports in the default install.  Closes: #345961
+    - config selects the default answer to the low priority question based
+      on whether or not ipv6/ipv4 are installed at that time.
+  * allow libmysqlclient14-dev to satisfy build-deps as well as 15.
+  * Suggest: sasl2-bin, libsasl2-modules.  Closes: #345664, #265375
+  * Run newaliases instead of postalias with hardcoded parameters, so that we
+    use $alias_database like we should.
+
+ -- LaMont Jones <lamont at debian.org>  Wed,  4 Jan 2006 11:26:11 -0700
+
+postfix (2.2.7-1) unstable; urgency=low
+
+  * New upstream:
+    - LMTP client would reuse a session after a negative reply to the
+      RSET command.
+    - the best_mx_transport, mailbox_transport and fallback_transport
+      features did not write a per-recipient defer logfile record when
+      the target delivery agent was broken.
+  * use libmysqlclient15-dev
+
+ -- LaMont Jones <lamont at debian.org>  Fri, 23 Dec 2005 20:24:16 -0700
+
+postfix (2.2.6-1) unstable; urgency=low
+
+  * New upstream.
+    - the *SQL clients did not uniformly choose the database host from
+      the available pool
+    - raise the "policy violation" flag when a client request exceeds
+      a concurrency or rate limit.
+    - don't do smtpd_end_of_data_restrictions after the transaction
+      failed due to, e.g., a write error.
+    - two messages could get the same message ID due to a race
+      condition. This time window was increased when queue file creation
+      was postponed from MAIL FROM until the first accepted RCPT TO.  The
+      window is closed again.
+    - the queue manager did not write a per-recipient defer logfile record
+      when the delivery agent crashed after the initial handshake with the
+      queue manager, and before reporting the delivery status to the queue
+      manager.
+    - moved code around from one place to another to make REDIRECT, FILTER,
+      HOLD and DISCARD access(5) table actions work in
+      smtpd_end_of_data_restrictions.  PREPEND will not be fixed; it must
+      be specified before the message content is received.
+  * Updated Italian translations.  Closes: #336925
+  * Swedish translations.  Closes: #339746
+  * Switch to libdb4.3.  Closes: #336488
+  * Add Replaces: mail-transport-agent.  Closes: #325624
+  * Merge changes from ubuntu.
+
+ -- LaMont Jones <lamont at debian.org>  Wed,  7 Dec 2005 15:39:11 -0700
+
+postfix (2.2.4-1) unstable; urgency=low
+
+  * New upstream bug-fix version
+  * postgresql fix from Martin Pitt (via Ubuntu):
+    - transition to new PostgreSQL architecture.
+    - debian/control: Changed build dependency postgresql-dev to libpq-dev.
+    - debian/rules: Use pg_config to determine include directory.
+  * New translations:
+    * Italian from Cristian Rigamonti <cri at linux.it>.  Closes: #311411
+    * Russian from Yuriy Talakan' <yt at amur.elektra.ru>.  Closes: #310055
+  * Fix typo in if-down.d.  Closes: #313355
+  * Vietnamese translations from Clytie Siddall.  Closes: #317118
+
+ -- LaMont Jones <lamont at debian.org>  Wed,  6 Jul 2005 09:57:05 -0600
+
+postfix (2.2.3-3) unstable; urgency=low
+
+  * Shorter, more friendly patch to have mantools/postlink work.  Thanks
+    to Brendan O'Dea.
+  * Fix pgsql map initialization in the case of missing 'hosts' declaration.
+    Closes: #307967
+  * Remove extraneous -d option from bsmtp invocation.  Closes: #309114
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 18 May 2005 22:12:14 -0600
+
+postfix (2.2.3-2) unstable; urgency=low
+
+  * The 'hell with sdbm' release.
+    * provide sdbm.[ch], and define HAS_SDBM, so things still work.
+
+ -- LaMont Jones <lamont at debian.org>  Wed,  4 May 2005 14:23:03 -0600
+
+postfix (2.2.3-1) unstable; urgency=low
+
+  * New upstream version
+  * really fix sdbm entry in dynamicmaps.cf.  Closes: #305586
+  * provide/conflict: postfix-tls for easier upgrade.
+
+ -- LaMont Jones <lamont at debian.org>  Mon,  2 May 2005 20:45:57 -0600
+
+postfix (2.2.2-3) unstable; urgency=low
+
+  * Updated czech translations.  Closes: #307168
+  * Updated french translations.  Closes: #306083
+  * Updated japanese translations.  Closes: #306942
+  * Add RUNNING check to ip-down.d.  Might fix: #306851
+  * Fix libdb symlink for building.  Closes: #305447
+  * Missing sdbm entry in dynamicmaps.cf.  Closes: #305586
+  * add mailman entry.  Closes: #297869
+
+ -- LaMont Jones <lamont at debian.org>  Mon,  2 May 2005 10:13:22 -0600
+
+postfix (2.2.2-2) unstable; urgency=low
+
+  * Closes: #304559
+    - fix shlib symlinks.
+    - use upstream's default for inet_protocols.  Also Closes: #304753
+  * Only start in postinst if the user has a main.cf.  Closes: #304871
+  * Include 10tls in 00list.. :-(  Closes: #304920
+  * At the end of postinst, warn if root has no alias.  Closes: #293889
+  * Fix tlsmgr entry in master.cf if needed.
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 19 Apr 2005 10:00:57 -0600
+
+postfix (2.2.2-1) unstable; urgency=low
+
+  * New upstream version
+  * Restore use of /etc/postfix/sasl2 for sasl config stuff.
+    (/usr/lib/sasl2 is not a configuration directory, after all...)
+    Reported by Iacopo Spalletti, Bernhard Schmidt <berni at birkenwald.de>
+    Closes: #301423
+  * Don't deliver /usr/share/doc/postfix-tls.  Reported by Iacopo Spalletti
+  * cleanup README.Debian
+  * Fix shlib deliveries.  Closes: #294207, #285111, #295789
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 12 Apr 2005 08:49:08 -0600
+
+postfix (2.2.1-0) experimental; urgency=low
+
+  * New upstream version
+
+ -- LaMont Jones <lamont at ubuntu.com>  Thu, 17 Mar 2005 19:23:07 -0700
+
+postfix (2.2-20050211-2) UNRELEASED; urgency=low
+
+  * re-sync changes from 2.1 tree
+
+ -- LaMont Jones <lamont at debian.org>  Mon,  7 Mar 2005 12:33:34 -0700
+
+postfix (2.1.5-10) UNRELEASED; urgency=low
+
+  * Create a root alias on initial install (unless ~root/.forward
+    exists), even if /etc/aliases exists from some previous MTA.
+    Closes: #293889
+  * Get rid of failure messages during _shutdown_, too.
+
+ -- LaMont Jones <lamont at debian.org>  Mon,  7 Mar 2005 12:33:34 -0700
+
 postfix (2.1.5-9) unstable; urgency=low
 
   * more cleanup in if-up.d script.  Closes: #297127
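Review bot: the new top entry (2.3.8-3~kolab.credativ1) lists 30-kolab.dpatch as one of the two Kolab patches, yet 30-kolab.dpatch appears in none of this commit's Added, Removed or Modified lists, whereas 40-kolab-ldap-leafonly.dpatch is listed as Modified. That means 30-kolab.dpatch is carried over unchanged from the 2.1.5 tree it was written for (the deleted 2.1.5-10kolab1 entry is where it was introduced), so it should be confirmed to still apply cleanly to the 2.3.8 source and to be present in the updated patches/00list, which is modified here but not shown. Second, the two previous Kolab entries (2.1.5-10kolab1 by Steffen Joeris and 2.1.5-10kolab2 by Noèl Köthe) are deleted instead of being kept below the imported Debian history, so the changelog no longer records when and by whom each Kolab patch was added; a Debian changelog is append-only, so keep them. Finally, "etch-backport" is used as the distribution field; it is not a Debian suite name (the official suite is etch-backports), so make sure the repository this is uploaded to accepts it.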
@@ -32,6 +591,56 @@
 
  -- LaMont Jones <lamont at debian.org>  Tue, 22 Feb 2005 20:10:19 -0700
 
+postfix (2.2-20050211-1) experimental; urgency=low
+
+  * New upstream version
+
+ -- LaMont Jones <lamont at debian.org>  Sat, 12 Feb 2005 00:20:00 -0700
+
+postfix (2.2-20050209-1) experimental; urgency=low
+
+  * New upstream version.
+  * Merge postfix-tls package into postfix package.
+
+ -- LaMont Jones <lamont at debian.org>  Wed,  9 Feb 2005 16:57:00 -0700
+
+postfix (2.2-20050206-1) experimental; urgency=low
+
+  * New upstream version
+    * output address rewriting
+    * mx_session_limit fixes
+
+ -- LaMont Jones <lamont at debian.org>  Mon,  7 Feb 2005 12:46:02 -0700
+
+postfix (2.2-20050205-1) experimental; urgency=low
+
+  * New upstream version
+    -  Feature: REPLACE command in header/body_checks (implemented
+       as a combination of PREPEND and IGNORE) by Bastiaan Bakker.
+    -  Cleanup: linted the manual pages for consistency in the
+       way manuals are referenced, and in the presentation of
+       command examples.
+
+ -- LaMont Jones <lamont at debian.org>  Sun,  6 Feb 2005 16:13:53 -0700
+
+postfix (2.2-20050203-1) experimental; urgency=low
+
+  * New upstream version, includes TLS and IPv6 support.
+    - Postfix version 2.2 IP version 6 support is based on the Postfix/IPv6
+      patch by Dean Strik, but differs in a few minor ways.
+      - Network protocol support including DNS lookup is selected with
+      the inet_protocols parameter instead of the inet_interfaces parameter.
+      This is needed so that Postfix will not attempt to deliver mail
+      via IPv6 when the system has no IPv6 connectivity.
+      - The lmtp_bind_address6 feature was omitted. The Postfix LMTP
+      client will be absorbed into the SMTP client, so there is no reason
+      to keep adding features to the LMTP client.
+      - The cidr-based address matching code was rewritten.  The new
+      behavior is believed to be closer to expectation. The results may
+      be incompatible with that of the Postfix/IPv6 patch.
+
+ -- LaMont Jones <lamont at debian.org>  Sat,  5 Feb 2005 11:51:06 -0700
+
 postfix (2.1.5-6) unstable; urgency=low
 
   * inet_interfaces=loopback-only from 2.2 snapshot.  Closes: #293250, #292086

Added: postfix/trunk/debian/compat
===================================================================
--- postfix/trunk/debian/compat	                        (rev 0)
+++ postfix/trunk/debian/compat	2008-05-02 10:36:05 UTC (rev 837)
@@ -0,0 +1 @@
+4

Deleted: postfix/trunk/debian/conffiles
===================================================================
--- postfix/trunk/debian/conffiles	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/conffiles	2008-05-02 10:36:05 UTC (rev 837)
@@ -1,9 +0,0 @@
-/etc/init.d/postfix
-/etc/ppp/ip-up.d/postfix
-/etc/ppp/ip-down.d/postfix
-/etc/network/if-up.d/postfix
-/etc/network/if-down.d/postfix
-/etc/postfix/postfix-script
-/etc/postfix/post-install
-/etc/postfix/postfix-files
-/etc/resolvconf/update-libc.d/postfix
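Review bot: dropping the hand-maintained conffiles list is consistent with the imported 2.2.10-2 changelog entry ("Drop conffiles listed under /etc, since debhelper does that for us now", #356768) and with the debian/compat = 4 file added in this commit, since from compat level 3 on dh_installdeb marks everything the package installs under /etc as a conffile automatically. What needs checking is that every path that was on this list is still installed under /etc by the new rules and the .dirs/.files lists, in particular /etc/postfix/postfix-script, /etc/postfix/post-install and /etc/postfix/postfix-files (the added 10postfix-script.dpatch suggests the first is still shipped) and /etc/resolvconf/update-libc.d/postfix: a script that moved out of /etc silently loses conffile protection and is overwritten on upgrade without a prompt, which matters for postfix-script because it runs as root at every start and stop.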

Deleted: postfix/trunk/debian/config
===================================================================
--- postfix/trunk/debian/config	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/config	2008-05-02 10:36:05 UTC (rev 837)
@@ -1,355 +0,0 @@
-#!/usr/bin/perl -w
-# -*-CPerl-*-
-# Script to configure Postfix.
-# Based on code by Colin Walters <walters at cis.ohio-state.edu>,
-# and John Goerzen <jgoerzen at progenylinux.com>.
-
-use Debconf::Client::ConfModule qw(:all);
-use Fcntl;
-
-my $version = version(2.0);
-capb("backup");
-title("Postfix Configuration");
-
-# begin configuration script
-  
-my $topstate;
-my $back;
-my $noninteractive;
-
-# Regexps for checking domain names, blatantly stolen from exim config
-my $rfc1035_label_re= '[0-9A-Za-z]([-0-9A-Za-z]*[0-9A-Za-z])?';
-my $rfc1035_domain_re= "$rfc1035_label_re(\\.$rfc1035_label_re)*";
-my $network_re= '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}';
-
-$topstate = "start";
-
-while ($topstate ne "done") {
- TOPSTATE: {
-    if ($topstate eq "start") {
-      if (fget("postfix/main_mailer_type", "isdefault") eq "true") {
-	if (-f "/etc/postfix/main.cf") {
-	    set("postfix/main_mailer_type", "No configuration");
-	}
-      }
-      $noninteractive = (((input("high", "postfix/main_mailer_type"))[0]) == 30);
-      if ($noninteractive) {
-	my $mailertype = get("postfix/main_mailer_type");
-	if ($mailertype eq "No configuration") {
-	  # We can't display a note here, because it could send mail,
-	  # which isn't configured...
-	  #$noninteractive = ((input("critical", "postfix/not_configured"))[0] == 30);
-	  #go();
-	  $topstate="ending-setup";
-	} else {
-	  $topstate="root";
-	}
-      } else {
-	go();
-	$back = (((go())[0]) == 30);
-	$mailertype = get("postfix/main_mailer_type");
-	if ($mailertype eq "No configuration") {
-	  $topstate="ending-setup";
-	} else {
-	  fset("postfix/main_mailer_type", "changed", "true");
-	  if ($back) {
-	    fset("postfix/main_mailer_type", "isdefault", "true");
-	    fset("postfix/db2_db3_upgrade", "isdefault", "true");
-	  } else {
-	    fset("postfix/main_mailer_type", "changed", "true");
-	    $topstate = "root";
-	    if (!(($mailertype eq "Internet with smarthost") ||
-		  ($mailertype eq "Satellite system") ||
-		  ($mailertype eq "HP"))) {
-	      set("postfix/relayhost", "");
-	      fset("postfix/relayhost", "changed", "true");
-	    }
-	  }
-	}
-      }
-    }
-
-    if ($topstate eq "root") {
-      if (fget("postfix/root_address", "isdefault") eq "true") {
-        open(F,"getent passwd 1000|");
-        @l=<F>;
-        close(F);
-        if ($#l > 0) {
-          $l[0] =~ s/:.*$//;
-          set("postfix/root_address",$l[0]);
-          fset("postfix/root_address", "changed", "true");
-        }
-      }
-      $noninteractive = (((input("medium", "postfix/root_address"))[0]) == 30);
-      if (!$noninteractive) {
-	go();
-	fset("postfix/root_address", "changed", "true");
-      }
-      $topstate="mailname";
-    }
-
-    if ($topstate eq "mailname") {
-      my $mailertype = get("postfix/main_mailer_type");
-      if (fget("postfix/mailname", "isdefault") eq "true") {
-	my $mailname;
-	if (-f "/etc/mailname") {
-	  $mailname =`cat /etc/mailname`;
-	  chomp $mailname;
-	} else {
-	  $mailname = `hostname --fqdn 2>/dev/null` || "localdomain";
-	  chomp $mailname;
-	} 
-	set("postfix/mailname", $mailname);
-      }
-      $noninteractive = (((input("high", "postfix/mailname"))[0]) == 30);
-      if ($noninteractive) {
-	$topstate = "relayhost";
-      } else {
-	$back = (((go())[0]) == 30);
-	if ($back) {
-	  fset("postfix/main_mailer_type", "isdefault", "true");
-	  fset("postfix/mailname", "isdefault", "true");
-	  $topstate = "type";
-	} else {
-	  # error checking
-	  my $mailname = get("postfix/mailname");
-	  fset("postfix/mailname", "changed", "true");
-	  if (not ($mailname =~ /$rfc1035_domain_re/)) {
-	    set("postfix/rfc1035_violation", "false");
-	    fset("postfix/rfc1035_violation", "isdefault", "true");
-	    subst("postfix/rfc1035_violation", "enteredstring", $mailname);
-	    $noninteractive = (((input("high", "postfix/rfc1035_violation"))[0]) == 30);
-	    $back = (((go())[0]) == 30);
-	    if ($back) {
-	      fset("postfix/mailname", "isdefault", "true");
-	      # and back around to ask mailname again.
-	    } 
-	    if (get("postfix/rfc1035_violation") eq "true") {
-	      # they wanted to continue despite the error
-	      $topstate = "relayhost";
-	    } else {
-	      fset("postfix/mailname", "isdefault", "true");
-	      # and back around to ask mailname again.
-	    }
-	  } else {
-	    # their mailname passed error checking, go on
-	    $topstate = "relayhost";
-	  }
-	}
-      }
-    }
-
-    if ($topstate eq "relayhost") {
-      my $mailertype = get("postfix/main_mailer_type");
-      if (($mailertype eq "Internet with smarthost") || ($mailertype eq "Satellite system")) {
-	if (fget("postfix/relayhost", "isdefault") eq "true") {
-	  my $hostname = `hostname --domain` || "localdomain";
-	  chomp $hostname;
-	  my $relayname = "smtp." . $hostname;
-	  set("postfix/relayhost", $relayname);
-	}
-	$noninteractive = (((input("high", "postfix/relayhost"))[0]) == 30);
-      } else {
-	# skip relayhost if we're an "Internet site" or a "Local only"
-	$topstate = "destinations";
-	$noninteractive=1;
-      }
-      if ($noninteractive) {
-	$topstate = "destinations";
-      } else {
-	$back = (((go())[0]) == 30);
-	if ($back) {
-	  fset("postfix/mailname", "isdefault", "true");
-	  fset("postfix/relayhost", "isdefault", "true");
-	  $topstate = "mailname"; # we skip back to the last question of
-	  # equal or higher priority
-	} else {
-	  fset("postfix/relayhost", "changed", "true");
-	  $topstate = "destinations";
-	}
-      }
-    }
-    
-    if ($topstate eq "destinations") {
-      my $mailertype = get("postfix/main_mailer_type");
-      my $hostname = `hostname --fqdn` || "localhost";
-      chomp $hostname;
-      my $domain = `hostname --domain` || "localdomain";
-      chomp $domain;
-      my $mailname = get("postfix/mailname") || "localhost";
-      my $destinations;
-      my $priority="medium";
-      if (fget("postfix/destinations", "set") eq "true") {
-	if ((-x "/usr/sbin/postconf") && (-f "/etc/postfix/main.cf")) {
-	  if (open(POSTCONF, "postconf -h mydestination |")) {
-	    $destinations=<POSTCONF>;
-	    close(POSTCONF);
-	    chomp $destinations;
-	    set("postfix/destinations", $destinations);
-	  }
-	}
-      } else {
-	if ($mailertype eq "Internet Site") {
-	  if ($mailname eq $hostname) {
-	    $destinations = join ", ",($mailname, "localhost." . $domain, ", localhost");
-	  } else {
-	    $destinations = join ", ",($mailname, $hostname, "localhost." . $domain . ", localhost");
-	  }
-	} else {
-	  # don't accept mail for $mailname by default if we have a relayhost or local only mail,
-	  # unless the mailname bears no resemblance to $myorigin.
-	  $destinations = join ", ",($hostname, "localhost." . $domain . ", localhost" );
-	  unless ( $hostname =~ m/(^|[\.])$mailname$/  ) {
-	    $destinations = $mailname . ", " . $destinations;
-	  }
-	}
-	set("postfix/destinations", $destinations);
-	fset("postfix/destinations","set","true");
-      }
-      if ($mailertype eq "Local only") {
-	$priority="low";
-      }
-      $noninteractive = (((input($priority, "postfix/destinations"))[0]) == 30);
-      if ($noninteractive) {
-	$topstate = "chattr";
-      } else {
-	$back = (((go())[0]) == 30);
-	if ($back) {
-	  fset("postfix/relayhost", "isdefault", "true");
-	  fset("postfix/destinations", "isdefault", "true");
-	  $topstate = "relayhost";
-	} else {
-	  fset("postfix/destinations", "changed", "true");
-	  $topstate = "chattr";
-	}
-      }
-    }
-
-    if ($topstate eq "chattr") {
-      $noninteractive = (((input("medium", "postfix/chattr"))[0]) == 30);
-      if ($noninteractive) {
-	$topstate = "mynetworks";
-      } else {
-	$back = (((go())[0]) == 30);
-	if ($back) {
-	  fset("postfix/destinations", "isdefault", "true");
-	  fset("postfix/chattr", "isdefault", "true");
-	  $topstate = "destinations";
-	} else {
-	  fset("postfix/chattr", "changed", "true");
-	  $topstate = "mynetworks";
-	}
-      }
-    }
-
-    if ($topstate eq "mynetworks") {
-      if ((-x "/usr/sbin/postconf") && (-f "/etc/postfix/main.cf")) {
-	my $mynetworks;
-	if (open(POSTCONF, "postconf -h mynetworks |")) {
-	  $mynetworks=<POSTCONF>;
-	  close(POSTCONF);
-	  chomp $mynetworks;
-	  set("postfix/mynetworks", $mynetworks);
-	}
-      }
-      $noninteractive = (((input("low", "postfix/mynetworks"))[0]) == 30);
-      if ($noninteractive) {
-	$topstate = "procmail";
-      } else {
-	$back = (((go())[0]) == 30);
-	if ($back) {
-	  fset("postfix/chattr", "isdefault", "true");
-	  fset("postfix/mynetworks", "isdefault", "true");
-	  $topstate = "chattr";
-	} else {
-	  fset("postfix/mynetworks", "changed", "true");
-	  $topstate = "procmail";
-	}
-      }
-    }
-
-    if ($topstate eq "procmail") {
-      if (fget("postfix/procmail", "isdefault") eq "true") {
-	my $pmdefault="false";
-	if (-x "/usr/bin/procmail") {
-	  $pmdefault="true";
-	}
-	set("postfix/procmail", $pmdefault);
-      }
-      if (-x "/usr/bin/procmail") {
-	$noninteractive = (((input("low", "postfix/procmail"))[0]) == 30);
-      } else {
-	$noninteractive = 1;
-      }
-      if ($noninteractive) {
-	$topstate = "mailbox_limit";
-      } else {
-	$back = (((go())[0]) == 30);
-	if ($back) {
-	  fset("postfix/mynetworks", "isdefault", "true");
-	  fset("postfix/procmail", "isdefault", "true");
-	  $topstate = "mynetworks";
-	} else {
-	  fset("postfix/procmail", "changed", "true");
-	  $topstate = "mailbox_limit";
-	}
-      }
-    }
-
-    if ($topstate eq "mailbox_limit") {
-      $noninteractive = (((input("low", "postfix/mailbox_limit"))[0]) == 30);
-      if ($noninteractive) {
-	$topstate = "recipient_delim";
-      } else {
-	$back = (((go())[0]) == 30);
-	if ($back) {
-	  fset("postfix/procmail", "isdefault", "true");
-	  fset("postfix/mailbox_limit", "isdefault", "true");
-	  $topstate = "procmail";
-	} else {
-	  fset("postfix/mailbox_limit", "changed", "true");
-	  $topstate = "recipient_delim";
-	}
-      }
-    }
-
-    if ($topstate eq "recipient_delim") {
-      $noninteractive = (((input("low", "postfix/recipient_delim"))[0]) == 30);
-      if ($noninteractive) {
-	$topstate = "ending-setup";
-      } else {
-	$back = (((go())[0]) == 30);
-	if ($back) {
-	  fset("postfix/mailbox_limit", "isdefault", "true");
-	  fset("postfix/recipient_delim", "isdefault", "true");
-	  $topstate = "mailbox_limit";
-	} else {
-	  my $delim = get("postfix/recipient_delim");
-	  if (length($delim) > 1) {
-	    fset("postfix/bad_recipient_delimiter","isdefault","true");
-	    subst("postfix/bad_recipient_delimiter", "enteredstring", $delim);
-	    $noninteractive = (((input("low", "postfix/bad_recipient_delimiter"))[0]) == 30);
-	    fset("postfix/recipient_delim","isdefault","true");
-	    # and do it again...
-	  } else {
-	    fset("postfix/recipient_delim", "changed", "true");
-	    $topstate = "ending-setup";
-	  }
-	}
-      }
-    }
-
-    if ($topstate eq "ending-setup") {
-      if ($ARGV[1] eq "reconfigure") {
-	# touch /var/lib/postfix/reload
-	sysopen RESTARTFILE, "/var/spool/postfix/reload", O_CREAT;
-	close RESTARTFILE;
-      } else {
-	# touch /var/lib/postfix/restart
-	sysopen RESTARTFILE, "/var/spool/postfix/restart", O_CREAT;
-	close RESTARTFILE;
-      }
-      $topstate = "done";
-    }
-  }				# end TOPSTATE
-}				# end while ($topstate ne q(done))
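Review bot: several defects in this script should not be carried over into its replacement, so please check the new config script against them before this lands. The back-navigation from the mailname question sets $topstate = "type", but no state of that name is handled in the TOPSTATE block (the states are start, root, mailname, relayhost, destinations, chattr, mynetworks, procmail, mailbox_limit, recipient_delim and ending-setup), so pressing back there leaves the while loop spinning forever; "start" is evidently what was meant. The root_address default test `if ($#l > 0)` compares the last array index rather than the element count, so with the single line that `getent passwd 1000` returns the branch never executes. The mailname check `$mailname =~ /$rfc1035_domain_re/` is unanchored, so any string containing one valid label passes and the rfc1035_violation prompt is effectively dead; it should be `/^$rfc1035_domain_re$/`. In the Internet Site branch, `join ", ", ($mailname, "localhost." . $domain, ", localhost")` produces a list with an empty element (`..., localhost.<domain>, , localhost`), unlike the two sibling branches that concatenate correctly. The final `$ARGV[1] eq "reconfigure"` tests the version argument; config scripts receive the action in $ARGV[0], and the comments name /var/lib/postfix while the code touches files under /var/spool/postfix. The `hostname --domain` || "localdomain" defaults only fire when the command prints nothing at all; if it prints a bare newline, "\n" is true in Perl and the relayhost default becomes "smtp.". $network_re is defined and never used.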

Modified: postfix/trunk/debian/control
===================================================================
--- postfix/trunk/debian/control	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/control	2008-05-02 10:36:05 UTC (rev 837)
@@ -2,22 +2,19 @@
 Section: mail
 Priority: extra
 Maintainer: LaMont Jones <lamont at debian.org>
-Standards-Version: 3.5.2.0
-Build-Depends: debhelper (>= 4.1.16), libdb4.2-dev, libgdbm-dev, libldap2-dev (>=2.1), libpcre3-dev, libmysqlclient10-dev, patch, libssl-dev (>=0.9.7-1), libsasl2-dev, postgresql-dev, po-debconf (>= 0.5.0), groff-base, dpatch
+Standards-Version: 3.7.2.0
+Build-Depends: debhelper (>= 4.1.16), po-debconf (>= 0.5.0), groff-base, patch, dpatch, lsb-release, libdb4.3-dev, libgdbm-dev, libldap2-dev (>=2.1), libpcre3-dev, libmysqlclient15-dev|libmysqlclient14-dev, libssl-dev (>=0.9.7-1), libsasl2-dev, libpq-dev, libcdb-dev
 
 Package: postfix
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, adduser (>=3.48), dpkg (>= 1.8.3)
-Recommends: mail-reader, resolvconf
-Replaces: postfix-doc (<<1.1.7-0), postfix-tls
-Suggests: procmail, postfix-mysql, postfix-pgsql, postfix-ldap, postfix-pcre
-Conflicts: mail-transport-agent, smail, libnss-db (<< 2.2-3), postfix-tls (<< 2.0-0)
-Provides: mail-transport-agent
+Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, adduser (>=3.48), dpkg (>= 1.8.3), lsb-base (>=3.0-6), ssl-cert
+Recommends: mail-reader
+Replaces: postfix-doc (<<1.1.7-0), postfix-tls, mail-transport-agent
+Suggests: procmail, postfix-mysql, postfix-pgsql, postfix-ldap, postfix-pcre, sasl2-bin, libsasl2-modules, resolvconf, postfix-cdb
+Conflicts: mail-transport-agent, smail, libnss-db (<< 2.2-3), postfix-tls
+Provides: mail-transport-agent, postfix-tls
 Description: A high-performance mail transport agent
  ${Description}
- .
- This package does not have SASL or TLS support.  For SASL and TLS support,
- install postfix-tls.
 
 Package: postfix-ldap
 Architecture: any
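Review bot: ssl-cert becomes a hard dependency of postfix here while TLS itself remains optional at runtime, so every install now pulls in the snakeoil key generation; if that is intentional because the shipped main.cf will point smtpd_tls_cert_file at the snakeoil certificate, the README should say so and warn that the certificate is self-signed and per-host and must be replaced for any real deployment, otherwise Recommends: ssl-cert is the lighter choice. The Build-Depends change from libdb4.2-dev to libdb4.3-dev also changes the Berkeley DB release that hash: and btree: maps are built against; please confirm that existing map files open under the new library or that the postinst rebuilds them with postmap. The description text removed at the end of the hunk ("This package does not have SASL or TLS support") is not replaced by anything saying that TLS and SASL are now built in, which the new Provides: postfix-tls implies; a sentence to that effect in the long description would help users who go looking for postfix-tls.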
@@ -28,6 +25,15 @@
  This provides support for LDAP maps in Postfix.  If you plan to use LDAP maps
  with Postfix, you need this.
 
+Package: postfix-cdb
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, postfix (= ${Source-Version})
+Description: CDB map support for Postfix
+ ${Description}
+ .
+ This provides support for CDB (constant database) maps in Postfix.  If you
+ plan to use CDB maps with Postfix, you need this.
+
 Package: postfix-pcre
 Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends}, postfix (= ${Source-Version})
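Review bot: the new postfix-cdb stanza uses `Depends: postfix (= ${Source-Version})`, and ${Source-Version} is deprecated in favour of ${binary:Version} (dpkg-dev 1.13.19 and later; lintian reports substvar-source-version-is-deprecated). The surrounding stanzas still use the old name, so this is consistent for now, but newly written text should use ${binary:Version} and the rest can follow in one sweep. Since this package ships nothing but the CDB dictionary module, the strict (= version) dependency is right, and the matching Suggests: postfix-cdb added to postfix in the first hunk is the correct direction for the relationship.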
@@ -75,14 +81,3 @@
  ${Description}
  .
  This package provides documentation for Postfix.
-
-Package: postfix-tls
-Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, postfix (= ${Source-Version})
-Conflicts: postfix-snap-tls
-Recommends: mail-reader
-Description: TLS and SASL support for Postfix
- ${Description}
- .
- This package adds support for TLS (see RFC 2487) and SASL (see RFC 2554) to
- Postfix.
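Review bot: `Conflicts: postfix-snap-tls` disappears with this stanza and is not added to the postfix package's Conflicts in the first hunk. If postfix-snap-tls ever installed files that now ship in postfix, that conflict needs to move; if it is long dead, say so in the changelog so the omission reads as deliberate. The RFC references for TLS (2487) and SASL (2554) removed here were the only place in control that told users what postfix-tls provided; with postfix now providing postfix-tls, consider moving that sentence into the postfix description.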

Deleted: postfix/trunk/debian/copyright
===================================================================
--- postfix/trunk/debian/copyright	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/copyright	2008-05-02 10:36:05 UTC (rev 837)
@@ -1,326 +0,0 @@
-This is the Debian GNU/Linux prepackaged version of Postfix, a mail transport
-agent.
-
-Postfix was created by Wietse Venema <wietse at porcupine.org>; the Debian
-package has been assembled by LaMont Jones <lamont at debian.org> from sources
-available from http://www.postfix.org.
-
-
-    Copyright (c) 1999, International Business Machines Corporation 
-    and others. All Rights Reserved.  
-
-The following copyright and license applies to this software:
-
-    IBM PUBLIC LICENSE VERSION 1.0 - SECURE MAILER
-
-    THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS IBM PUBLIC
-    LICENSE ("AGREEMENT").  ANY USE, REPRODUCTION OR DISTRIBUTION OF THE
-    PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
-
-    1.  DEFINITIONS
-
-    "Contribution" means:  
-	a) in the case of International Business Machines Corporation ("IBM"), 
-	   the Original Program, and 
-	b) in the case of each Contributor, 
-	   i)  changes to the Program, and
-	   ii) additions to the Program;
-	       where such changes and/or additions to the Program originate
-	       from and are distributed by that particular Contributor.  
-	       A Contribution 'originates' from a Contributor if it was added 
-	       to the Program by such Contributor itself or anyone acting on 
-	       such Contributor's behalf.  
-	Contributions do not include additions to the Program which:
-	   (i)  are separate modules of software distributed in conjunction 
-		with the Program under their own license agreement, and 
-	   (ii) are not derivative works of the Program.
-
-    "Contributor" means IBM and any other entity that distributes the Program.
-
-    "Licensed Patents " mean patent claims licensable by a Contributor which
-    are necessarily infringed by the use or sale of its Contribution alone
-    or when combined with the Program.
-
-    "Original Program" means the original version of the software accompanying
-    this Agreement as released by IBM, including source code, object code
-    and documentation, if any.
-
-    "Program" means the Original Program and Contributions.
-
-    "Recipient" means anyone who receives the Program under this Agreement, 
-    including all Contributors.
-
-    2.  GRANT OF RIGHTS
-
-	a) Subject to the terms of this Agreement, each Contributor hereby
-	grants Recipient a non-exclusive, worldwide, royalty-free copyright
-	license to reproduce, prepare derivative works of, publicly display,
-	publicly perform, distribute and sublicense the Contribution of such
-	Contributor, if any, and such derivative works, in source code and
-	object code form.
-
-	b) Subject to the terms of this Agreement, each Contributor hereby
-	grants Recipient a non-exclusive, worldwide, royalty-free patent
-	license under Licensed Patents to make, use, sell, offer to sell,
-	import and otherwise transfer the Contribution of such Contributor,
-	if any, in source code and object code form.  This patent license
-	shall apply to the combination of the Contribution and the Program
-	if, at the time the Contribution is added by the Contributor, such
-	addition of the Contribution causes such combination to be covered
-	by the Licensed Patents.  The patent license shall not apply to any
-	other combinations which include the Contribution.  No hardware per
-	se is licensed hereunder.
-
-	c) Recipient understands that although each Contributor grants the
-	licenses to its Contributions set forth herein, no assurances are
-	provided by any Contributor that the Program does not infringe the
-	patent or other intellectual property rights of any other entity.
-	Each Contributor disclaims any liability to Recipient for claims
-	brought by any other entity based on infringement of intellectual
-	property rights or otherwise.  As a condition to exercising the rights
-	and licenses granted hereunder, each Recipient hereby assumes sole
-	responsibility to secure any other intellectual property rights
-	needed, if any.  For example, if a third party patent license
-	is required to allow Recipient to distribute the Program, it is
-	Recipient's responsibility to acquire that license before distributing
-	the Program.
-
-	d) Each Contributor represents that to its knowledge it has sufficient
-	copyright rights in its Contribution, if any, to grant the copyright
-	license set forth in this Agreement.
-
-    3.  REQUIREMENTS
-
-    A Contributor may choose to distribute the Program in object code form 
-    under its own license agreement, provided that:
-	a) it complies with the terms and conditions of this Agreement; and
-	b) its license agreement:
-	   i)   effectively disclaims on behalf of all Contributors all
-		warranties and conditions, express and implied, including
-		warranties or conditions of title and non-infringement, and
-		implied warranties or conditions of merchantability and fitness
-		for a particular purpose;
-	   ii)  effectively excludes on behalf of all Contributors all 
-		liability for damages, including direct, indirect, special, 
-		incidental and consequential damages, such as lost profits; 
-	   iii) states that any provisions which differ from this Agreement 
-		are offered by that Contributor alone and not by any other 
-		party; and
-	   iv)  states that source code for the Program is available from 
-		such Contributor, and informs licensees how to obtain it in a 
-		reasonable manner on or through a medium customarily used for 
-		software exchange. 
-
-    When the Program is made available in source code form:
-	a) it must be made available under this Agreement; and 
-	b) a copy of this Agreement must be included with each copy of the 
-	   Program.  
-
-    Each Contributor must include the following in a conspicuous location 
-    in the Program: 
-
-	Copyright (c) 1997,1998,1999, International Business Machines
-	Corporation and others. All Rights Reserved.
-
-    In addition, each Contributor must identify itself as the originator of
-    its Contribution, if any, in a manner that reasonably allows subsequent
-    Recipients to identify the originator of the Contribution. 
-
-    4.  COMMERCIAL DISTRIBUTION
-
-    Commercial distributors of software may accept certain responsibilities
-    with respect to end users, business partners and the like.  While this
-    license is intended to facilitate the commercial use of the Program, the
-    Contributor who includes the Program in a commercial product offering
-    should do so in a manner which does not create potential liability for
-    other Contributors.   Therefore, if a Contributor includes the Program in
-    a commercial product offering, such Contributor ("Commercial Contributor")
-    hereby agrees to defend and indemnify every other Contributor
-    ("Indemnified Contributor") against any losses, damages and costs
-    (collectively "Losses") arising from claims, lawsuits and other legal
-    actions brought by a third party against the Indemnified Contributor to
-    the extent caused by the acts or omissions of such Commercial Contributor
-    in connection with its distribution of the Program in a commercial
-    product offering.  The obligations in this section do not apply to any
-    claims or Losses relating to any actual or alleged intellectual property
-    infringement.  In order to qualify, an Indemnified Contributor must:
-	a) promptly notify the Commercial Contributor in writing of such claim,
-    and 
-	b) allow the Commercial Contributor to control, and cooperate with
-	   the Commercial Contributor in, the defense and any related 
-	   settlement negotiations.  The Indemnified Contributor may 
-	   participate in any such claim at its own expense.
-
-    For example, a Contributor might include the Program in a commercial
-    product offering, Product X.  That Contributor is then a Commercial
-    Contributor.  If that Commercial Contributor then makes performance
-    claims, or offers warranties related to Product X, those performance
-    claims and warranties are such Commercial Contributor's responsibility
-    alone.  Under this section, the Commercial Contributor would have to
-    defend claims against the other Contributors related to those performance
-    claims and warranties, and if a court requires any other Contributor to
-    pay any damages as a result, the Commercial Contributor must pay those
-    damages.
-
-    5.  NO WARRANTY
-
-    EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED
-    ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER
-    EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
-    CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A
-    PARTICULAR PURPOSE. Each Recipient is solely responsible for determining
-    the appropriateness of using and distributing the Program and assumes
-    all risks associated with its exercise of rights under this Agreement,
-    including but not limited to the risks and costs of program errors,
-    compliance with applicable laws, damage to or loss of data, programs or
-    equipment, and unavailability or interruption of operations. 
-
-    6.  DISCLAIMER OF LIABILITY
-
-    EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR
-    ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT,
-    INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING
-    WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
-    LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
-    NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION
-    OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF
-    ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
-
-    7.  GENERAL
-
-    If any provision of this Agreement is invalid or unenforceable under
-    applicable law, it shall not affect the validity or enforceability of
-    the remainder of the terms of this Agreement, and without further action
-    by the parties hereto, such provision shall be reformed to the minimum
-    extent necessary to make such provision valid and enforceable.
-
-    If Recipient institutes patent litigation against a Contributor with
-    respect to a patent applicable to software (including a cross-claim or
-    counterclaim in a lawsuit), then any patent licenses granted by that
-    Contributor to such Recipient under this Agreement shall terminate
-    as of the date such litigation is filed.  In addition, If Recipient
-    institutes patent litigation against any entity (including a cross-claim
-    or counterclaim in a lawsuit) alleging that the Program itself (excluding
-    combinations of the Program with other software or hardware) infringes
-    such Recipient's patent(s), then such Recipient's rights granted under
-    Section 2(b) shall terminate as of the date such litigation is filed.
-
-    All Recipient's rights under this Agreement shall terminate if it fails
-    to comply with any of the material terms or conditions of this Agreement
-    and does not cure such failure in a reasonable period of time after
-    becoming aware of such noncompliance.  If all Recipient's rights under
-    this Agreement terminate, Recipient agrees to cease use and distribution
-    of the Program as soon as reasonably practicable.  However, Recipient's
-    obligations under this Agreement and any licenses granted by Recipient
-    relating to the Program shall continue and survive. 
-
-    IBM may publish new versions (including revisions) of this Agreement
-    from time to time.  Each new version of the Agreement will be given a
-    distinguishing version number.  The Program (including Contributions)
-    may always be distributed subject to the version of the Agreement under
-    which it was received. In addition, after a new version of the Agreement
-    is published, Contributor may elect to distribute the Program (including
-    its Contributions) under the new version. No one other than IBM has the
-    right to modify this Agreement.  Except as expressly stated in Sections
-    2(a) and 2(b) above, Recipient receives no rights or licenses to the
-    intellectual property of any Contributor under this Agreement, whether
-    expressly, by implication, estoppel or otherwise.  All rights in the
-    Program not expressly granted under this Agreement are reserved.
-
-    This Agreement is governed by the laws of the State of New York and the
-    intellectual property laws of the United States of America. No party to
-    this Agreement will bring a legal action under this Agreement more than
-    one year after the cause of action arose.  Each party waives its rights
-    to a jury trial in any resulting litigation. 
-
-The following license applies to rmail, distributed with Postfix:
-
-			     SENDMAIL LICENSE
-
-    The following license terms and conditions apply, unless a different
-    license is obtained from Sendmail, Inc., 6425 Christie Ave, Fourth Floor,
-    Emeryville, CA 94608, or by electronic mail at license at sendmail.com.
-
-    License Terms:
-
-    Use, Modification and Redistribution (including distribution of any
-    modified or derived work) in source and binary forms is permitted only if
-    each of the following conditions is met:
-
-    1. Redistributions qualify as "freeware" or "Open Source Software" under
-       one of the following terms:
-
-       (a) Redistributions are made at no charge beyond the reasonable cost of
-	   materials and delivery.
-
-       (b) Redistributions are accompanied by a copy of the Source Code or by an
-	   irrevocable offer to provide a copy of the Source Code for up to three
-	   years at the cost of materials and delivery.  Such redistributions
-	   must allow further use, modification, and redistribution of the Source
-	   Code under substantially the same terms as this license.  For the
-	   purposes of redistribution "Source Code" means the complete compilable
-	   and linkable source code of sendmail including all modifications.
-
-    2. Redistributions of source code must retain the copyright notices as they
-       appear in each source code file, these license terms, and the
-       disclaimer/limitation of liability set forth as paragraph 6 below.
-
-    3. Redistributions in binary form must reproduce the Copyright Notice,
-       these license terms, and the disclaimer/limitation of liability set
-       forth as paragraph 6 below, in the documentation and/or other materials
-       provided with the distribution.  For the purposes of binary distribution
-       the "Copyright Notice" refers to the following language:
-       "Copyright (c) 1998-2000 Sendmail, Inc.  All rights reserved."
-
-    4. Neither the name of Sendmail, Inc. nor the University of California nor
-       the names of their contributors may be used to endorse or promote
-       products derived from this software without specific prior written
-       permission.  The name "sendmail" is a trademark of Sendmail, Inc.
-
-    5. All redistributions must comply with the conditions imposed by the
-       University of California on certain embedded code, whose copyright
-       notice and conditions for redistribution are as follows:
-
-       (a) Copyright (c) 1988, 1993 The Regents of the University of
-	   California.  All rights reserved.
-
-       (b) Redistribution and use in source and binary forms, with or without
-	   modification, are permitted provided that the following conditions
-	   are met:
-
-	  (i)   Redistributions of source code must retain the above copyright
-		notice, this list of conditions and the following disclaimer.
-
-	  (ii)  Redistributions in binary form must reproduce the above
-		copyright notice, this list of conditions and the following
-		disclaimer in the documentation and/or other materials provided
-		with the distribution.
-
-	  (iii) Neither the name of the University nor the names of its
-		contributors may be used to endorse or promote products derived
-		from this software without specific prior written permission.
-
-    6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY
-       SENDMAIL, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
-       WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-       MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN
-       NO EVENT SHALL SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF
-       CALIFORNIA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
-       INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-       NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
-       USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
-       ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-       (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-       THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
-
-    $Revision: 1.1.4.3 $, Last updated $Date: 2003/07/23 16:13:15 $
-
-The TLS patch was written by Lutz Jänicke <Lutz.Jaenicke at aet.TU-Cottbus.DE>.
-Downlaoded from ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls, it has the
-following license:
-
-    This software is free. You can do with it whatever you want. I would
-    however kindly ask you to acknowledge the use of this package, if you
-    are going use it in your software, which you might be going to
-    distribute. I would also like to receive a note if you are a satisfied
-    user :-)
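Review bot: this file carries three licence texts (the IBM Public License for Postfix, the Sendmail license for rmail, and Lutz Jänicke's notice for the TLS patch), and the replacement copyright file is not shown in this diff; since the package now provides postfix-tls and ships TLS support in the main binary, the TLS-patch notice and the Sendmail terms must survive the move, not only the IBM text. While moving it, "Downlaoded" should read "Downloaded"; the `$Revision$` and `$Date$` keywords on the Sendmail text are upstream's and can stay.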

Modified: postfix/trunk/debian/dirs
===================================================================
--- postfix/trunk/debian/dirs	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/dirs	2008-05-02 10:36:05 UTC (rev 837)
@@ -4,6 +4,7 @@
 etc/ppp/ip-down.d
 etc/network/if-up.d
 etc/network/if-down.d
+etc/postfix/sasl
 usr/bin
 usr/sbin
 usr/lib/postfix
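Review bot: etc/postfix/sasl is created as an empty directory with no file shipped into it in this change, so nothing under it becomes a conffile and the hunk does not record what is expected to live there. If it is intended for the Cyrus SASL smtpd.conf (sasl2-bin and libsasl2-modules are added to Suggests in control above), ship a commented example or a README in that directory, because that file ends up holding the authentication mechanism list and password-check settings, and state in the postrm whether the directory is removed on purge.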

Modified: postfix/trunk/debian/functions
===================================================================
--- postfix/trunk/debian/functions	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/functions	2008-05-02 10:36:05 UTC (rev 837)
@@ -1,3 +1,4 @@
+DISTRO=$(lsb_release -is 2>/dev/null || echo Debian)
 addmap()
 {   
     name=$1
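Review bot: lsb_release is shipped by the lsb-release package, which this commit adds to Build-Depends only; the runtime Depends in control gain lsb-base, not lsb-release, so on an installed system `lsb_release -is` can simply be missing and DISTRO silently becomes "Debian" through the `|| echo Debian` fallback, defeating the point of distinguishing derivatives. Either add lsb-release to Depends or document that Debian is assumed when it is absent. The identical line is also added to debian/init.d below; define it in one place if init.d can source these functions.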

Modified: postfix/trunk/debian/init.d
===================================================================
--- postfix/trunk/debian/init.d	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/init.d	2008-05-02 10:36:05 UTC (rev 837)
@@ -18,64 +18,93 @@
 
 test -x $DAEMON && test -f /etc/postfix/main.cf || exit 0
 
+. /lib/lsb/init-functions
+DISTRO=$(lsb_release -is 2>/dev/null || echo Debian)
+
+running() {
+    queue=$(postconf -h queue_directory 2>/dev/null || echo /var/spool/postfix)
+    if [ -f ${queue}/pid/master.pid ]; then
+	pid=$(sed 's/ //g' ${queue}/pid/master.pid)
+	exe=$(ls -l /proc/$pid/exe 2>/dev/null | sed 's/.* //; s/.*\///')
+	if [ "X$exe" = "Xmaster" ]; then
+	    echo y
+	fi
+    fi
+}
 case "$1" in
     start)
-	echo -n "Starting mail transport agent: Postfix"
+	log_daemon_msg "Starting Postfix Mail Transport Agent" postfix
+	RUNNING=$(running)
+	if [ -n "$RUNNING" ]; then
+	    log_end_msg 0
+	else
+	    # see if anything is running chrooted.
+	    NEED_CHROOT=$(awk '/^[0-9a-z]/ && ($5 ~ "[-yY]") { print "y"; exit}' /etc/postfix/master.cf)
 
-	# see if anything is running chrooted.
-	NEED_CHROOT=$(awk '/^[0-9a-z]/ && ($5 ~ "[-yY]") { print "y"; exit}' /etc/postfix/master.cf)
+	    if [ -n "$NEED_CHROOT" ] && [ -n "$SYNC_CHROOT" ]; then
+		# Make sure that the chroot environment is set up correctly.
+		oldumask=$(umask)
+		umask 022
+		cd $(postconf -h queue_directory)
 
-	if [ -n "$NEED_CHROOT" ] && [ -n "$SYNC_CHROOT" ]; then
-	    # Make sure that the chroot environment is set up correctly.
-	    oldumask=$(umask)
-	    umask 022
-	    cd $(postconf -h queue_directory)
+		# if we're using unix:passwd.byname, then we need to add etc/passwd.
+		local_maps=$(postconf -h local_recipient_maps)
+		if [ "X$local_maps" != "X${local_maps#*unix:passwd.byname}" ]; then
+		    if [ "X$local_maps" = "X${local_maps#*proxy:unix:passwd.byname}" ]; then
+			sed 's/^\([^:]*\):[^:]*/\1:x/' /etc/passwd > etc/passwd
+			chmod a+r etc/passwd
+		    fi
+		fi
 
-	    # if we're using unix:passwd.byname, then we need to add etc/passwd.
-	    local_maps=$(postconf -h local_recipient_maps)
-	    if [ "X$local_maps" != "X${local_maps#*unix:passwd.byname}" ]; then
-		if [ "X$local_maps" = "X${local_maps#*proxy:unix:passwd.byname}" ]; then
-		    sed 's/^\([^:]*\):[^:]*/\1:x/' /etc/passwd > etc/passwd
-		    chmod a+r etc/passwd
-		fi
+		FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
+		    etc/nsswitch.conf etc/nss_mdns.config"
+		for file in $FILES; do 
+		    [ -d ${file%/*} ] || mkdir -p ${file%/*}
+		    if [ -f /${file} ]; then rm -f ${file} && cp /${file} ${file}; fi
+		    if [ -f  ${file} ]; then chmod a+rX ${file}; fi
+		done
+		rm -f usr/lib/zoneinfo/localtime
+		mkdir -p usr/lib/zoneinfo
+		ln -sf /etc/localtime usr/lib/zoneinfo/localtime
+		rm -f lib/libnss_*so*
+		tar cf - /lib/libnss_*so* 2>/dev/null |tar xf -
+		umask $oldumask
 	    fi
 
-	    FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
-		etc/nsswitch.conf"
-	    for file in $FILES; do 
-		[ -d ${file%/*} ] || mkdir -p ${file%/*}
-		if [ -f /${file} ]; then rm -f ${file} && cp /${file} ${file}; fi
-		if [ -f  ${file} ]; then chmod a+rX ${file}; fi
-	    done
-	    rm -f usr/lib/zoneinfo/localtime
-	    ln -sf /etc/localtime usr/lib/zoneinfo/localtime
-	    rm -f lib/libnss_*so*
-	    tar cf - /lib/libnss_*so* 2>/dev/null |tar xf -
-	    umask $oldumask
+	    if start-stop-daemon --start --exec ${DAEMON} -- quiet-quick-start; then
+		log_end_msg 0
+	    else
+		log_end_msg 1
+	    fi
 	fi
-
-	start-stop-daemon --start --exec ${DAEMON} -- start 2>&1 |
-		(grep -v 'starting the Postfix' 1>&2 || /bin/true)
-	echo "."
     ;;
 
     stop)
-	echo -n "Stopping mail transport agent: Postfix"
-	${DAEMON} stop 2>&1 |
-		(grep -v 'stopping the Postfix' 1>&2 || /bin/true)
-	echo "."
+	RUNNING=$(running)
+	log_daemon_msg "Stopping Postfix Mail Transport Agent" postfix
+	if [ -n "$RUNNING" ]; then
+	    if ${DAEMON} quiet-stop; then
+		log_end_msg 0
+	    else
+		log_end_msg 1
+	    fi
+	else
+	    log_end_msg 0
+	fi
     ;;
 
     restart)
-        $0 stop || true
+        $0 stop
         $0 start
     ;;
     
     force-reload|reload)
-	echo -n "Reloading Postfix configuration..."
-	${DAEMON} reload 2>&1 |
-		(grep -v 'refreshing the Postfix' 1>&2 || /bin/true)
-	echo "done."
+	log_action_begin_msg "Reloading Postfix configuration"
+	if ${DAEMON} quiet-reload; then
+	    log_action_end_msg 0
+	else
+	    log_action_end_msg 1
+	fi
     ;;
 
     flush|check|abort)
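Review bot: the `cd $(postconf -h queue_directory)` at the top of the chroot sync (inside the NEED_CHROOT/SYNC_CHROOT branch) is still unchecked. If postconf fails or prints nothing, `cd` with an empty argument goes to $HOME, and the `mkdir -p`, `sed ... > etc/passwd`, `rm -f lib/libnss_*so*` and `tar xf -` that follow then run as root against whatever directory that is, with the error hidden by the surrounding redirections. The new running() helper already falls back to /var/spool/postfix when postconf fails; use the same fallback here and abort the start if the cd fails, e.g. `cd "$(postconf -h queue_directory 2>/dev/null || echo /var/spool/postfix)" || { log_end_msg 1; exit 1; }`. Two smaller points: `quiet-quick-start` is not an upstream postfix(1) command, so it must come from the 10postfix-script patch added to 00list in this revision; if, like upstream's quick-start mechanism, it skips the start-time integrity check that plain `start` performed, say so in the changelog, because that check is what catches a queue directory with bad ownership or modes. And in running(), `readlink /proc/$pid/exe` is more robust than parsing `ls -l` output with sed (the `s/.* //` breaks on any path containing a space). Finally, restart now runs `$0 stop` without the old `|| true`; if the script runs under `sh -e`, a failed stop aborts the restart without starting, which may be intended but is a behaviour change worth a changelog line.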
@@ -83,7 +112,7 @@
     ;;
 
     *)
-	echo "Usage: /etc/init.d/postfix {start|stop|restart|reload|flush|check|abort|force-reload}"
+	log_action_msg "Usage: /etc/init.d/postfix {start|stop|restart|reload|flush|check|abort|force-reload}"
 	exit 1
     ;;
 esac

Modified: postfix/trunk/debian/ip-down.d
===================================================================
--- postfix/trunk/debian/ip-down.d	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/ip-down.d	2008-05-02 10:36:05 UTC (rev 837)
@@ -1,12 +1,34 @@
 #!/bin/sh -e
 
-# Called when ppp disconnects
+# Called when an interface disconnects
 # Written by LaMont Jones <lamont at debian.org>
 
 # start or reload Postfix as needed
+
+# If /usr isn't mounted yet, silently bail.
+if [ ! -d /usr/lib/postfix ]; then
+	exit 0
+fi
+
+RUNNING=""
+# If master is running, force a queue run to unload any mail that is
+# hanging around.  Yes, sendmail is a symlink...
+if [ -f /var/spool/postfix/pid/master.pid ]; then
+	pid=$(sed 's/ //g' /var/spool/postfix/pid/master.pid)
+	exe=$(ls -l /proc/$pid/exe 2>/dev/null | sed 's/.* //;s/.*\///')
+	if [ "X$exe" = "Xmaster" ]; then
+		RUNNING="y"
+	fi
+fi
+
 if [ ! -x /sbin/resolvconf ]; then
-	cp /etc/resolv.conf $(postconf -h queue_directory)/etc/resolv.conf
-	/etc/init.d/postfix reload >/dev/null 2>&1
+	f=/etc/resolv.conf
+	if ! cp $f $(postconf -h queue_directory)$f 2>/dev/null; then
+		exit 0
+	fi
+	if [ -n "$RUNNING" ]; then
+		/etc/init.d/postfix reload >/dev/null 2>&1
+	fi
 fi
 
 exit 0
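Review bot: the comment above the master.pid check ("force a queue run to unload any mail ... sendmail is a symlink") was copied from ip-up.d, but this script never runs `sendmail -q`; RUNNING is only used to decide whether to reload. Reword the comment to say what the block actually does. Separately, the pid file path is hard-coded as /var/spool/postfix/pid/master.pid while the resolv.conf copy two blocks later uses `$(postconf -h queue_directory)`; on a system with a non-default queue_directory, RUNNING stays empty and the reload is silently skipped even though the file was copied. Use postconf, with the same /var/spool/postfix fallback the init script's running() uses, for both paths.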

Modified: postfix/trunk/debian/ip-up.d
===================================================================
--- postfix/trunk/debian/ip-up.d	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/ip-up.d	2008-05-02 10:36:05 UTC (rev 837)
@@ -2,20 +2,42 @@
 # Called when a new interface comes up
 # Written by LaMont Jones <lamont at debian.org>
 
-# start or reload Postfix as needed
-if [ ! -x /sbin/resolvconf ]; then
-	cp /etc/resolv.conf $(postconf -h queue_directory)/etc/resolv.conf
-	/etc/init.d/postfix reload >/dev/null 2>&1
+# don't bother to restart postfix when lo is configured.
+if [ "$IFACE" = "lo" ]; then
+	exit 0
 fi
 
+# If /usr isn't mounted yet, silently bail.
+if [ ! -d /usr/lib/postfix ]; then
+	exit 0
+fi
+
+RUNNING=""
 # If master is running, force a queue run to unload any mail that is
 # hanging around.  Yes, sendmail is a symlink...
 if [ -f /var/spool/postfix/pid/master.pid ]; then
 	pid=$(sed 's/ //g' /var/spool/postfix/pid/master.pid)
-	exe=$(ls -l /proc/$pid/exe 2>/dev/null | sed 's/.* //')
-	if [ "X$exe" = "X/usr/lib/postfix/master" ]; then
-		if [ -x /usr/sbin/sendmail ]; then
-			/usr/sbin/sendmail -q
-		fi
+	exe=$(ls -l /proc/$pid/exe 2>/dev/null | sed 's/.* //;s/.*\///')
+	if [ "X$exe" = "Xmaster" ]; then
+		RUNNING="y"
 	fi
 fi
+
+# start or reload Postfix as needed
+if [ ! -x /sbin/resolvconf ]; then
+	f=/etc/resolv.conf
+	if ! cp $f $(postconf -h queue_directory)$f 2>/dev/null; then
+		exit 0
+	fi
+	if [ -n "$RUNNING" ]; then
+		/etc/init.d/postfix reload >/dev/null 2>&1
+	fi
+fi
+
+# If master is running, force a queue run to unload any mail that is
+# hanging around.  Yes, sendmail is a symlink...
+if [ -n "$RUNNING" ]; then
+	if [ -x /usr/sbin/sendmail ]; then
+		/usr/sbin/sendmail -q >/dev/null 2>&1
+	fi
+fi
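Review bot: the first "If master is running, force a queue run ..." comment now sits above a block that only sets RUNNING; the queue run itself moved to the end of the script, where the same comment is repeated. Drop or reword the first copy. This is also the third copy of the master.pid / /proc/$pid/exe detection in this revision (init.d running(), ip-down.d, and here); put it in debian/functions or a shared snippet so the pid path and the exe check are maintained in one place. Lastly, the script now ends on the `sendmail -q` conditional rather than an explicit `exit 0` as ip-down.d does; the hook's exit status then depends on whether a queue flush happened and what it returned, so end with `exit 0` to keep the interface hook's status independent of the mail queue.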

Modified: postfix/trunk/debian/lintian-override
===================================================================
--- postfix/trunk/debian/lintian-override	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/lintian-override	2008-05-02 10:36:05 UTC (rev 837)
@@ -1,3 +1,4 @@
 # Lintian doesn't know how to parse the damn files.
 postfix: postinst-unsafe-ldconfig
 postfix: postrm-unsafe-ldconfig
+postfix: package-name-doesnt-match-sonames
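Review bot: the new package-name-doesnt-match-sonames override needs its own justification; the existing comment ("Lintian doesn't know how to parse the damn files") refers to the two ldconfig tags, not to this one. Lintian emits this tag when a binary package ships shared libraries whose SONAMEs do not match the package name; state why that is acceptable for postfix (for example, if the libraries are private to usr/lib/postfix with no reverse dependencies) so the override does not outlive its reason.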

Added: postfix/trunk/debian/main.cf.in
===================================================================
--- postfix/trunk/debian/main.cf.in	                        (rev 0)
+++ postfix/trunk/debian/main.cf.in	2008-05-02 10:36:05 UTC (rev 837)
@@ -0,0 +1,16 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (@@DISTRO@@)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
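Review bot: the template gives no indication of how @@DISTRO@@ is expanded. DISTRO is defined in debian/functions in this revision, so presumably a maintainer script substitutes it, but if that step is skipped or DISTRO is empty the literal token or an empty `()` ends up in the SMTP banner every client sees. Add a comment line naming the script that expands the token. The `#myorigin = /etc/mailname` comment is good as it is, since the file-name form only works because of the Debian-specific 10myorigin patch listed in 00list. Minor: there are two consecutive blank lines after the first comment.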

Modified: postfix/trunk/debian/patches/00list
===================================================================
--- postfix/trunk/debian/patches/00list	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/patches/00list	2008-05-02 10:36:05 UTC (rev 837)
@@ -1,13 +1,17 @@
 10cyrus
 10greylist
-10hostname
 10main.cf
 10man
+10man-names
 10master.cf
+10myorigin
+10postfix-script
 10rmail
 10smtplinelength
+10tls
+10tlsmgr
+10warnings
 20maps
-50tls
-60hpux
+30hurd
 30-kolab
-40-kolab-ldap-leafonly.dpatch
+40-kolab-ldap-leafonly
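Review bot: 10hostname is removed from the list with no replacement, and 50tls/60hpux give way to 10tls/10tlsmgr/30hurd. Dropping 10hostname changes how myhostname is derived (the deleted patch resolved the gethostname() result through gethostbyname() and used h_name), so hosts that relied on that canonicalisation may now see a short myhostname; call this out in the changelog. Also, 30hurd now applies immediately before the kolab patches (30-kolab, 40-kolab-ldap-leafonly); since dpatch applies the list in order, double-check that 30hurd does not touch the same files the kolab patches modify, or the refresh will fail on this branch. Dropping the `.dpatch` suffix from the last entry is correct and matches the other lines.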

Modified: postfix/trunk/debian/patches/10cyrus.dpatch
===================================================================
--- postfix/trunk/debian/patches/10cyrus.dpatch	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/patches/10cyrus.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -5,9 +5,9 @@
 ## DP: No description.
 
 @DPATCH@
-diff -urNad postfix-2.1.5/README_FILES/CYRUS_README /tmp/dpep.PCT31n/postfix-2.1.5/README_FILES/CYRUS_README
---- postfix-2.1.5/README_FILES/CYRUS_README	2004-04-11 15:05:32.000000000 -0600
-+++ /tmp/dpep.PCT31n/postfix-2.1.5/README_FILES/CYRUS_README	2004-12-27 22:18:15.721024714 -0700
+diff -urNad work/README_FILES/CYRUS_README /tmp/dpep.QH9rwq/work/README_FILES/CYRUS_README
+--- work/README_FILES/CYRUS_README	2005-02-05 11:40:32.000000000 -0700
++++ /tmp/dpep.QH9rwq/work/README_FILES/CYRUS_README	2005-02-05 11:59:04.618649066 -0700
 @@ -3,3 +3,4 @@
  -------------------------------------------------------------------------------
  This document will be made available via http://www.postfix.org/.

Modified: postfix/trunk/debian/patches/10greylist.dpatch
===================================================================
--- postfix/trunk/debian/patches/10greylist.dpatch	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/patches/10greylist.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -5,9 +5,9 @@
 ## DP: No description.
 
 @DPATCH@
-diff -urNad postfix-2.1.5/examples/smtpd-policy/greylist.pl /tmp/dpep.TDysRy/postfix-2.1.5/examples/smtpd-policy/greylist.pl
---- postfix-2.1.5/examples/smtpd-policy/greylist.pl	2004-02-10 18:37:27.000000000 -0700
-+++ /tmp/dpep.TDysRy/postfix-2.1.5/examples/smtpd-policy/greylist.pl	2004-12-27 22:18:25.645891286 -0700
+diff -urNad work/examples/smtpd-policy/greylist.pl /tmp/dpep.77gsTr/work/examples/smtpd-policy/greylist.pl
+--- work/examples/smtpd-policy/greylist.pl	2005-02-05 11:40:32.000000000 -0700
++++ /tmp/dpep.77gsTr/work/examples/smtpd-policy/greylist.pl	2005-02-05 11:59:23.325491096 -0700
 @@ -73,7 +73,7 @@
  # In case of database corruption, this script saves the database as
  # $database_name.time(), so that the mail system does not get stuck.

Deleted: postfix/trunk/debian/patches/10hostname.dpatch
===================================================================
--- postfix/trunk/debian/patches/10hostname.dpatch	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/patches/10hostname.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -1,40 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 10hostname.dpatch by LaMont Jones <lamont at debian.org>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: No description.
-
- at DPATCH@
-diff -urNad postfix-2.1.5/src/util/get_hostname.c /tmp/dpep.AXM3Gz/postfix-2.1.5/src/util/get_hostname.c
---- postfix-2.1.5/src/util/get_hostname.c	2001-01-28 07:00:12.000000000 -0700
-+++ /tmp/dpep.AXM3Gz/postfix-2.1.5/src/util/get_hostname.c	2004-12-27 22:18:38.981024795 -0700
-@@ -33,6 +33,7 @@
- #include <sys/param.h>
- #include <string.h>
- #include <unistd.h>
-+#include <netdb.h>
- 
- #if (MAXHOSTNAMELEN < 256)
- #undef MAXHOSTNAMELEN
-@@ -55,6 +56,7 @@
- const char *get_hostname(void)
- {
-     char    namebuf[MAXHOSTNAMELEN + 1];
-+    struct hostent *hp;
- 
-     /*
-      * The gethostname() call is not (or not yet) in ANSI or POSIX, but it is
-@@ -66,9 +68,11 @@
- 	if (gethostname(namebuf, sizeof(namebuf)) < 0)
- 	    msg_fatal("gethostname: %m");
- 	namebuf[MAXHOSTNAMELEN] = 0;
--	if (valid_hostname(namebuf, DO_GRIPE) == 0)
-+	if (!(hp = gethostbyname(namebuf)))
-+	    msg_fatal("gethostbyname: %m");
-+	if (valid_hostname(hp->h_name, DO_GRIPE) == 0)
- 	    msg_fatal("unable to use my own hostname");
--	my_host_name = mystrdup(namebuf);
-+	my_host_name = mystrdup(hp->h_name);
-     }
-     return (my_host_name);
- }
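Review bot: removing this patch restores upstream behaviour, and that is the right call: the patched get_hostname() called msg_fatal() whenever gethostbyname() on the local hostname failed, so a resolver outage at daemon start took the whole mail system down, and it adopted whatever h_name the resolver returned as the local identity that $myhostname then exposes in the smtpd_banner. Document the visible effect: systems whose /etc/hostname is not fully qualified and that relied on this lookup should now set myhostname explicitly in main.cf.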

Modified: postfix/trunk/debian/patches/10main.cf.dpatch
===================================================================
--- postfix/trunk/debian/patches/10main.cf.dpatch	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/patches/10main.cf.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -5,9 +5,9 @@
 ## DP: No description.
 
 @DPATCH@
-diff -urNad postfix-2.1.5/conf/main.cf /tmp/dpep.wXGn65/postfix-2.1.5/conf/main.cf
---- postfix-2.1.5/conf/main.cf	2004-12-27 22:02:52.879396736 -0700
-+++ /tmp/dpep.wXGn65/postfix-2.1.5/conf/main.cf	2004-12-27 22:18:47.208256287 -0700
+diff -urNad work/conf/main.cf /tmp/dpep.OjJjJG/work/conf/main.cf
+--- work/conf/main.cf	2005-02-05 11:40:32.000000000 -0700
++++ /tmp/dpep.OjJjJG/work/conf/main.cf	2005-02-05 12:00:42.124976820 -0700
 @@ -27,7 +27,7 @@
  # See the files in examples/chroot-setup for setting up Postfix chroot
  # environments on different UNIX systems.
@@ -70,7 +70,7 @@
  #
  #smtpd_banner = $myhostname ESMTP $mail_name
  #smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
-+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
++smtpd_banner = $myhostname ESMTP $mail_name (@@DISTRO@@)
 +
  
  # PARALLEL DELIVERY TO THE SAME DESTINATION
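Review bot: with this hunk the upstream sample conf/main.cf carries the @@DISTRO@@ token in addition to debian/main.cf.in. Make sure the same substitution runs over both files; the sample is what administrators copy from, and a literal `(@@DISTRO@@)` in smtpd_banner is what they would otherwise get. If conf/main.cf is only shipped as documentation and is not processed, the plain `(Debian/GNU)` text that was here before is the safer choice.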
@@ -84,18 +84,3 @@
  
  # The debug_peer_list parameter specifies an optional list of domain
  # or network patterns, /file/name patterns or type:name tables. When
-diff -urNad postfix-2.1.5/conf/main.cf.debian /tmp/dpep.wXGn65/postfix-2.1.5/conf/main.cf.debian
---- postfix-2.1.5/conf/main.cf.debian	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.wXGn65/postfix-2.1.5/conf/main.cf.debian	2004-12-27 22:18:47.208256287 -0700
-@@ -0,0 +1,11 @@
-+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
-+
-+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
-+biff = no
-+
-+# appending .domain is the MUA's job.
-+append_dot_mydomain = no
-+
-+# Uncomment the next line to generate "delayed mail" warnings
-+#delay_warning_time = 4h
-+

Added: postfix/trunk/debian/patches/10man-names.dpatch
===================================================================
--- postfix/trunk/debian/patches/10man-names.dpatch	                        (rev 0)
+++ postfix/trunk/debian/patches/10man-names.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -0,0 +1,25 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10man-names.dpatch by  <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Moving man pages to 8postfix requires a few fixes
+
+ at DPATCH@
+diff -urNad postfix~/man/man8/defer.8 postfix/man/man8/defer.8
+--- postfix~/man/man8/defer.8	2006-07-24 10:24:44.000000000 -0600
++++ postfix/man/man8/defer.8	2006-07-24 10:41:29.000000000 -0600
+@@ -1 +1 @@
+-.so man8/bounce.8
++.so man8/bounce.8postfix
+diff -urNad postfix~/man/man8/lmtp.8 postfix/man/man8/lmtp.8
+--- postfix~/man/man8/lmtp.8	2006-07-24 10:24:44.000000000 -0600
++++ postfix/man/man8/lmtp.8	2006-07-24 10:41:29.000000000 -0600
+@@ -1 +1 @@
+-.so man8/smtp.8
++.so man8/smtp.8postfix
+diff -urNad postfix~/man/man8/trace.8 postfix/man/man8/trace.8
+--- postfix~/man/man8/trace.8	2006-07-24 10:24:44.000000000 -0600
++++ postfix/man/man8/trace.8	2006-07-24 10:41:29.000000000 -0600
+@@ -1 +1 @@
+-.so man8/bounce.8
++.so man8/bounce.8postfix

Modified: postfix/trunk/debian/patches/10man.dpatch
===================================================================
--- postfix/trunk/debian/patches/10man.dpatch	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/patches/10man.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -5,943 +5,22 @@
 ## DP: No description.
 
 @DPATCH@
-diff -urNad postfix-release/man/Makefile.in /tmp/dpep.ZyQ85Z/postfix-release/man/Makefile.in
---- postfix-release/man/Makefile.in	2004-12-27 22:31:17.051071712 -0700
-+++ /tmp/dpep.ZyQ85Z/postfix-release/man/Makefile.in	2004-12-27 22:39:32.648539161 -0700
-@@ -3,6 +3,8 @@
- # For now, just hard-coded rules for daemons, commands, config files.
+diff -urNad debian-2.2/mantools/postlink /tmp/dpep.F70AKp/debian-2.2/mantools/postlink
+--- debian-2.2/mantools/postlink	2005-05-04 14:42:14.000000000 -0600
++++ /tmp/dpep.F70AKp/debian-2.2/mantools/postlink	2005-05-05 10:18:23.000000000 -0600
+@@ -12,6 +12,7 @@
  
- DAEMONS	= man8/bounce.8 man8/defer.8 man8/cleanup.8 man8/error.8 man8/local.8 \
-+	man8/qmqp-sink.8 man8/qmqp-source.8 \
-+	man8/smtp-sink.8 man8/smtp-source.8 \
- 	man8/lmtp.8 man8/master.8 man8/pickup.8 man8/pipe.8 man8/qmgr.8 \
- 	man8/showq.8 man8/smtp.8 man8/smtpd.8 man8/trivial-rewrite.8 \
- 	man8/oqmgr.8 man8/spawn.8 man8/flush.8 man8/virtual.8 man8/qmqpd.8 \
-@@ -103,6 +105,12 @@
- 	    (cmp -s junk $? || mv junk $?)
- 	../mantools/srctoman $? >$@
+     # Glue together words that were broken across line breaks.
  
-+man8/qmqp-sink.8: ../src/smtpstone/qmqp-sink.c
-+	../mantools/srctoman $? >$@
-+
-+man8/qmqp-source.8: ../src/smtpstone/qmqp-source.c
-+	../mantools/srctoman $? >$@
-+
- man8/qmqpd.8: ../src/qmqpd/qmqpd.c
- 	../mantools/fixman ../proto/postconf.proto $? >junk && \
- 	    (cmp -s junk $? || mv junk $?)
-@@ -123,6 +131,12 @@
- 	    (cmp -s junk $? || mv junk $?)
- 	../mantools/srctoman $? >$@
- 
-+man8/smtp-sink.8: ../src/smtpstone/smtp-sink.c
-+	../mantools/srctoman $? >$@
-+
-+man8/smtp-source.8: ../src/smtpstone/smtp-source.c
-+	../mantools/srctoman $? >$@
-+
- man8/smtpd.8: ../src/smtpd/smtpd.c
- 	../mantools/fixman ../proto/postconf.proto $? >junk && \
- 	    (cmp -s junk $? || mv junk $?)
-diff -urNad postfix-release/mantools/postlink /tmp/dpep.ZyQ85Z/postfix-release/mantools/postlink
---- postfix-release/mantools/postlink	2004-12-27 22:31:17.054071067 -0700
-+++ /tmp/dpep.ZyQ85Z/postfix-release/mantools/postlink	2004-12-27 22:39:32.651538517 -0700
-@@ -47,360 +47,360 @@
- 		p
- 		d
- 		}
--	s;[[:<:]]autho[-</bB>]*\n*[ <bB>]*rized_verp_clients[[:>:]];<a href="postconf.5.html#authorized_verp_clients">&</a>;g
--	s;[[:<:]]debugger_command[[:>:]];<a href="postconf.5.html#debugger_command">&</a>;g
--	s;[[:<:]]2bounce_notice_recipi[-</bB>]*\n*[ <bB>]*ent[[:>:]];<a href="postconf.5.html#2bounce_notice_recipient">&</a>;g
--	s;[[:<:]]access_map_reject_code[[:>:]];<a href="postconf.5.html#access_map_reject_code">&</a>;g
--	s;[[:<:]]address_verify_default_transport[[:>:]];<a href="postconf.5.html#address_verify_default_transport">&</a>;g
--	s;[[:<:]]address_verify_local_transport[[:>:]];<a href="postconf.5.html#address_verify_local_transport">&</a>;g
--	s;[[:<:]]address_verify_map[[:>:]];<a href="postconf.5.html#address_verify_map">&</a>;g
--	s;[[:<:]]address_verify_negative_cache[[:>:]];<a href="postconf.5.html#address_verify_negative_cache">&</a>;g
--	s;[[:<:]]address_verify_negative_expire_time[[:>:]];<a href="postconf.5.html#address_verify_negative_expire_time">&</a>;g
--	s;[[:<:]]address_verify_negative_refresh_time[[:>:]];<a href="postconf.5.html#address_verify_negative_refresh_time">&</a>;g
--	s;[[:<:]]address_verify_poll_count[[:>:]];<a href="postconf.5.html#address_verify_poll_count">&</a>;g
--	s;[[:<:]]address_verify_poll_delay[[:>:]];<a href="postconf.5.html#address_verify_poll_delay">&</a>;g
--	s;[[:<:]]address_verify_positive_expire_time[[:>:]];<a href="postconf.5.html#address_verify_positive_expire_time">&</a>;g
--	s;[[:<:]]address_verify_positive_refresh_time[[:>:]];<a href="postconf.5.html#address_verify_positive_refresh_time">&</a>;g
--	s;[[:<:]]address_verify_relay_transport[[:>:]];<a href="postconf.5.html#address_verify_relay_transport">&</a>;g
--	s;[[:<:]]address_verify_relayhost[[:>:]];<a href="postconf.5.html#address_verify_relayhost">&</a>;g
--	s;[[:<:]]address_verify_sender[[:>:]];<a href="postconf.5.html#address_verify_sender">&</a>;g
--	s;[[:<:]]address_verify_service_name[[:>:]];<a href="postconf.5.html#address_verify_service_name">&</a>;g
--	s;[[:<:]]address_verify_transport_maps[[:>:]];<a href="postconf.5.html#address_verify_transport_maps">&</a>;g
--	s;[[:<:]]address_verify_virtual_transport[[:>:]];<a href="postconf.5.html#address_verify_virtual_transport">&</a>;g
--	s;[[:<:]]alias_database[[:>:]];<a href="postconf.5.html#alias_database">&</a>;g
--	s;[[:<:]]alias_maps[[:>:]];<a href="postconf.5.html#alias_maps">&</a>;g
--	s;[[:<:]]allow_mail_to_commands[[:>:]];<a href="postconf.5.html#allow_mail_to_commands">&</a>;g
--	s;[[:<:]]allow_mail_to_files[[:>:]];<a href="postconf.5.html#allow_mail_to_files">&</a>;g
--	s;[[:<:]]allow_min_user[[:>:]];<a href="postconf.5.html#allow_min_user">&</a>;g
--	s;[[:<:]]allow_percent_hack[[:>:]];<a href="postconf.5.html#allow_percent_hack">&</a>;g
--	s;[[:<:]]allow_untrusted_routing[[:>:]];<a href="postconf.5.html#allow_untrusted_routing">&</a>;g
--	s;[[:<:]]alternate_config_directories[[:>:]];<a href="postconf.5.html#alternate_config_directories">&</a>;g
--	s;[[:<:]]always_bcc[[:>:]];<a href="postconf.5.html#always_bcc">&</a>;g
--	s;[[:<:]]anvil_rate_time_unit[[:>:]];<a href="postconf.5.html#anvil_rate_time_unit">&</a>;g
--	s;[[:<:]]append_at_myorigin[[:>:]];<a href="postconf.5.html#append_at_myorigin">&</a>;g
--	s;[[:<:]]append_dot_mydomain[[:>:]];<a href="postconf.5.html#append_dot_mydomain">&</a>;g
--	s;[[:<:]]application_event_drain_time[[:>:]];<a href="postconf.5.html#application_event_drain_time">&</a>;g
--	s;[[:<:]]backwards_bounce_logfile_compatibility[[:>:]];<a href="postconf.5.html#backwards_bounce_logfile_compatibility">&</a>;g
--	s;[[:<:]]berkeley_db_create_buffer_size[[:>:]];<a href="postconf.5.html#berkeley_db_create_buffer_size">&</a>;g
--	s;[[:<:]]berkeley_db_read_buffer_size[[:>:]];<a href="postconf.5.html#berkeley_db_read_buffer_size">&</a>;g
--	s;[[:<:]]best_mx_transport[[:>:]];<a href="postconf.5.html#best_mx_transport">&</a>;g
--	s;[[:<:]]biff[[:>:]];<a href="postconf.5.html#biff">&</a>;g
--	s;[[:<:]]body_checks[[:>:]];<a href="postconf.5.html#body_checks">&</a>;g
--	s;[[:<:]]body_checks_size_limit[[:>:]];<a href="postconf.5.html#body_checks_size_limit">&</a>;g
--	s;[[:<:]]bounce_notice_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#bounce_notice_recipient">&</a>;g
--	s;[[:<:]]bounce_queue_lifetime[[:>:]];<a href="postconf.5.html#bounce_queue_lifetime">&</a>;g
--	s;[[:<:]]bounce_service_name[[:>:]];<a href="postconf.5.html#bounce_service_name">&</a>;g
--	s;[[:<:]]bounce_size_limit[[:>:]];<a href="postconf.5.html#bounce_size_limit">&</a>;g
--	s;[[:<:]]broken_sasl_auth_clients[[:>:]];<a href="postconf.5.html#broken_sasl_auth_clients">&</a>;g
--	s;[[:<:]]canonical_maps[[:>:]];<a href="postconf.5.html#canonical_maps">&</a>;g
--	s;[[:<:]]cleanup_service_name[[:>:]];<a href="postconf.5.html#cleanup_service_name">&</a>;g
--	s;[[:<:]]anvil_status_update_time[[:>:]];<a href="postconf.5.html#anvil_status_update_time">&</a>;g
--	s;[[:<:]]command_directory[[:>:]];<a href="postconf.5.html#command_directory">&</a>;g
--	s;[[:<:]]command_expan[-</bB>]*\n* *[<bB>]*sion_filter[[:>:]];<a href="postconf.5.html#command_expansion_filter">&</a>;g
--	s;[[:<:]]command_time_limit[[:>:]];<a href="postconf.5.html#command_time_limit">&</a>;g
--	s;[[:<:]]config_direc[-</bB>]*\n*[ <bB>]*tory[[:>:]];<a href="postconf.5.html#config_directory">&</a>;g
--	s;[[:<:]]con[-</bB>]*\n*[ <bB>]*tent_filter[[:>:]];<a href="postconf.5.html#content_filter">&</a>;g
--	s;[[:<:]]daemon_directory[[:>:]];<a href="postconf.5.html#daemon_directory">&</a>;g
--	s;[[:<:]]daemon_timeout[[:>:]];<a href="postconf.5.html#daemon_timeout">&</a>;g
--	s;[[:<:]]debug_peer_level[[:>:]];<a href="postconf.5.html#debug_peer_level">&</a>;g
--	s;[[:<:]]debug_peer_list[[:>:]];<a href="postconf.5.html#debug_peer_list">&</a>;g
--	s;[[:<:]]default_database_type[[:>:]];<a href="postconf.5.html#default_database_type">&</a>;g
--	s;[[:<:]]default_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_cost[[:>:]];<a href="postconf.5.html#default_delivery_slot_cost">&</a>;g
--	s;[[:<:]]default_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_discount[[:>:]];<a href="postconf.5.html#default_delivery_slot_discount">&</a>;g
--	s;[[:<:]]default_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_loan[[:>:]];<a href="postconf.5.html#default_delivery_slot_loan">&</a>;g
--	s;[[:<:]]default_destina[-</Bb>]*\n* *[<Bb>]*tion_concurrency_limit[[:>:]];<a href="postconf.5.html#default_destination_concurrency_limit">&</a>;g
--	s;[[:<:]]default_destina[-</Bb>]*\n* *[<Bb>]*tion_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#default_destination_recipient_limit">&</a>;g
--	s;[[:<:]]default_extra_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#default_extra_recipient_limit">&</a>;g
--	s;[[:<:]]default_minimum_deliv[-</Bb>]*\n* *[<Bb>]*ery_slots[[:>:]];<a href="postconf.5.html#default_minimum_delivery_slots">&</a>;g
--	s;[[:<:]]default_privs[[:>:]];<a href="postconf.5.html#default_privs">&</a>;g
--	s;[[:<:]]default_process_limit[[:>:]];<a href="postconf.5.html#default_process_limit">&</a>;g
--	s;[[:<:]]default_rbl_reply[[:>:]];<a href="postconf.5.html#default_rbl_reply">&</a>;g
--	s;[[:<:]]default_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#default_recipient_limit">&</a>;g
--	s;[[:<:]]default_transport[[:>:]];<a href="postconf.5.html#default_transport">&</a>;g
--	s;[[:<:]]default_verp_delimiters[[:>:]];<a href="postconf.5.html#default_verp_delimiters">&</a>;g
--	s;[[:<:]]defer_code[[:>:]];<a href="postconf.5.html#defer_code">&</a>;g
--	s;[[:<:]]defer_service_name[[:>:]];<a href="postconf.5.html#defer_service_name">&</a>;g
--	s;[[:<:]]defer_transports[[:>:]];<a href="postconf.5.html#defer_transports">&</a>;g
--	s;[[:<:]]delay_notice_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#delay_notice_recipient">&</a>;g
--	s;[[:<:]]delay_warning_time[[:>:]];<a href="postconf.5.html#delay_warning_time">&</a>;g
--	s;[[:<:]]deliver_lock_attempts[[:>:]];<a href="postconf.5.html#deliver_lock_attempts">&</a>;g
--	s;[[:<:]]deliver_lock_delay[[:>:]];<a href="postconf.5.html#deliver_lock_delay">&</a>;g
--	s;[[:<:]]disable_dns_lookups[[:>:]];<a href="postconf.5.html#disable_dns_lookups">&</a>;g
--	s;[[:<:]]disable_mime_input_processing[[:>:]];<a href="postconf.5.html#disable_mime_input_processing">&</a>;g
--	s;[[:<:]]disable_mime_output_conversion[[:>:]];<a href="postconf.5.html#disable_mime_output_conversion">&</a>;g
--	s;[[:<:]]disable_verp_bounces[[:>:]];<a href="postconf.5.html#disable_verp_bounces">&</a>;g
--	s;[[:<:]]disable_vrfy_command[[:>:]];<a href="postconf.5.html#disable_vrfy_command">&</a>;g
--	s;[[:<:]]dont_remove[[:>:]];<a href="postconf.5.html#dont_remove">&</a>;g
--	s;[[:<:]]double_bounce_sender[[:>:]];<a href="postconf.5.html#double_bounce_sender">&</a>;g
--	s;[[:<:]]dupli[-</bB>]*\n* *[<bB>]*cate_filter_limit[[:>:]];<a href="postconf.5.html#duplicate_filter_limit">&</a>;g
--	s;[[:<:]]empty_address_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#empty_address_recipient">&</a>;g
--	s;[[:<:]]enable_original_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#enable_original_recipient">&</a>;g
--	s;[[:<:]]error_notice_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#error_notice_recipient">&</a>;g
--	s;[[:<:]]error_service_name[[:>:]];<a href="postconf.5.html#error_service_name">&</a>;g
--	s;[[:<:]]expand_owner_alias[[:>:]];<a href="postconf.5.html#expand_owner_alias">&</a>;g
--	s;[[:<:]]export_environment[[:>:]];<a href="postconf.5.html#export_environment">&</a>;g
--	s;[[:<:]]fallback_relay[[:>:]];<a href="postconf.5.html#fallback_relay">&</a>;g
--	s;[[:<:]]fallback_transport[[:>:]];<a href="postconf.5.html#fallback_transport">&</a>;g
--	s;[[:<:]]fast_flush_domains[[:>:]];<a href="postconf.5.html#fast_flush_domains">&</a>;g
--	s;[[:<:]]fast_flush_purge_time[[:>:]];<a href="postconf.5.html#fast_flush_purge_time">&</a>;g
--	s;[[:<:]]fast_flush_refresh_time[[:>:]];<a href="postconf.5.html#fast_flush_refresh_time">&</a>;g
--	s;[[:<:]]fault_injection_code[[:>:]];<a href="postconf.5.html#fault_injection_code">&</a>;g
--	s;[[:<:]]flush_service_name[[:>:]];<a href="postconf.5.html#flush_service_name">&</a>;g
--	s;[[:<:]]fork_attempts[[:>:]];<a href="postconf.5.html#fork_attempts">&</a>;g
--	s;[[:<:]]fork_delay[[:>:]];<a href="postconf.5.html#fork_delay">&</a>;g
--	s;[[:<:]]forward_expan[-</bB>]*\n* *[<bB>]*sion_filter[[:>:]];<a href="postconf.5.html#forward_expansion_filter">&</a>;g
--	s;[[:<:]]for[-</bB>]*\n* *[<bB>]*ward_path[[:>:]];<a href="postconf.5.html#forward_path">&</a>;g
--	s;[[:<:]]hash_queue_depth[[:>:]];<a href="postconf.5.html#hash_queue_depth">&</a>;g
--	s;[[:<:]]hash_queue_names[[:>:]];<a href="postconf.5.html#hash_queue_names">&</a>;g
--	s;[[:<:]]header_address_token_limit[[:>:]];<a href="postconf.5.html#header_address_token_limit">&</a>;g
--	s;[[:<:]]header_checks[[:>:]];<a href="postconf.5.html#header_checks">&</a>;g
--	s;[[:<:]]header_size_limit[[:>:]];<a href="postconf.5.html#header_size_limit">&</a>;g
--	s;[[:<:]]helpful_warnings[[:>:]];<a href="postconf.5.html#helpful_warnings">&</a>;g
--	s;[[:<:]]home_mailbox[[:>:]];<a href="postconf.5.html#home_mailbox">&</a>;g
--	s;[[:<:]]hopcount_limit[[:>:]];<a href="postconf.5.html#hopcount_limit">&</a>;g
--	s;[[:<:]]html_direc[-</bB>]*\n*[ <bB>]*tory[[:>:]];<a href="postconf.5.html#html_directory">&</a>;g
--	s;[[:<:]]ignore_mx_lookup_error[[:>:]];<a href="postconf.5.html#ignore_mx_lookup_error">&</a>;g
--	s;[[:<:]]import_environment[[:>:]];<a href="postconf.5.html#import_environment">&</a>;g
--	s;[[:<:]]in_flow_delay[[:>:]];<a href="postconf.5.html#in_flow_delay">&</a>;g
--	s;[[:<:]]inet_interfaces[[:>:]];<a href="postconf.5.html#inet_interfaces">&</a>;g
--	s;[[:<:]]initial_destination_concurrency[[:>:]];<a href="postconf.5.html#initial_destination_concurrency">&</a>;g
--	s;[[:<:]]invalid_hostname_reject_code[[:>:]];<a href="postconf.5.html#invalid_hostname_reject_code">&</a>;g
--	s;[[:<:]]ipc_idle[[:>:]];<a href="postconf.5.html#ipc_idle">&</a>;g
--	s;[[:<:]]ipc_timeout[[:>:]];<a href="postconf.5.html#ipc_timeout">&</a>;g
--	s;[[:<:]]ipc_ttl[[:>:]];<a href="postconf.5.html#ipc_ttl">&</a>;g
--	s;[[:<:]]line_length_limit[[:>:]];<a href="postconf.5.html#line_length_limit">&</a>;g
--	s;[[:<:]]lmtp_cache_connection[[:>:]];<a href="postconf.5.html#lmtp_cache_connection">&</a>;g
--	s;[[:<:]]lmtp_connect_timeout[[:>:]];<a href="postconf.5.html#lmtp_connect_timeout">&</a>;g
--	s;[[:<:]]lmtp_data_done_timeout[[:>:]];<a href="postconf.5.html#lmtp_data_done_timeout">&</a>;g
--	s;[[:<:]]lmtp_data_init_timeout[[:>:]];<a href="postconf.5.html#lmtp_data_init_timeout">&</a>;g
--	s;[[:<:]]lmtp_data_xfer_timeout[[:>:]];<a href="postconf.5.html#lmtp_data_xfer_timeout">&</a>;g
--	s;[[:<:]]lmtp_lhlo_timeout[[:>:]];<a href="postconf.5.html#lmtp_lhlo_timeout">&</a>;g
--	s;[[:<:]]lmtp_mail_timeout[[:>:]];<a href="postconf.5.html#lmtp_mail_timeout">&</a>;g
--	s;[[:<:]]lmtp_quit_timeout[[:>:]];<a href="postconf.5.html#lmtp_quit_timeout">&</a>;g
--	s;[[:<:]]lmtp_rcpt_timeout[[:>:]];<a href="postconf.5.html#lmtp_rcpt_timeout">&</a>;g
--	s;[[:<:]]lmtp_rset_timeout[[:>:]];<a href="postconf.5.html#lmtp_rset_timeout">&</a>;g
--	s;[[:<:]]lmtp_sasl_auth_enable[[:>:]];<a href="postconf.5.html#lmtp_sasl_auth_enable">&</a>;g
--	s;[[:<:]]lmtp_sasl_password_maps[[:>:]];<a href="postconf.5.html#lmtp_sasl_password_maps">&</a>;g
--	s;[[:<:]]lmtp_sasl_security_options[[:>:]];<a href="postconf.5.html#lmtp_sasl_security_options">&</a>;g
--	s;[[:<:]]lmtp_send_xforward_command[[:>:]];<a href="postconf.5.html#lmtp_send_xforward_command">&</a>;g
--	s;[[:<:]]lmtp_skip_quit_response[[:>:]];<a href="postconf.5.html#lmtp_skip_quit_response">&</a>;g
--	s;[[:<:]]lmtp_tcp_port[[:>:]];<a href="postconf.5.html#lmtp_tcp_port">&</a>;g
--	s;[[:<:]]lmtp_xforward_timeout[[:>:]];<a href="postconf.5.html#lmtp_xforward_timeout">&</a>;g
--	s;[[:<:]]local_command_shell[[:>:]];<a href="postconf.5.html#local_command_shell">&</a>;g
--	s;[[:<:]]local_destination_concurrency_limit[[:>:]];<a href="postconf.5.html#local_destination_concurrency_limit">&</a>;g
--	s;[[:<:]]local_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#local_destination_recipient_limit">&</a>;g
--	s;[[:<:]]local_recip[-</bB>]*\n* *[<bB>]*ient_maps[[:>:]];<a href="postconf.5.html#local_recipient_maps">&</a>;g
--	s;[[:<:]]local_transport[[:>:]];<a href="postconf.5.html#local_transport">&</a>;g
--	s;[[:<:]]luser_relay[[:>:]];<a href="postconf.5.html#luser_relay">&</a>;g
--	s;[[:<:]]mail_name[[:>:]];<a href="postconf.5.html#mail_name">&</a>;g
--	s;[[:<:]]mail_owner[[:>:]];<a href="postconf.5.html#mail_owner">&</a>;g
--	s;[[:<:]]mail_release_date[[:>:]];<a href="postconf.5.html#mail_release_date">&</a>;g
--	s;[[:<:]]mail_spool_direc[-</bB>]*\n* *[<bB>]*tory[[:>:]];<a href="postconf.5.html#mail_spool_directory">&</a>;g
--	s;[[:<:]]mail_version[[:>:]];<a href="postconf.5.html#mail_version">&</a>;g
--	s;[[:<:]]mail[-</bB>]*\n* *[<bB>]*box_command[[:>:]];<a href="postconf.5.html#mailbox_command">&</a>;g
--	s;[[:<:]]mail[-</bB>]*\n* *[<bB>]*box_command_maps[[:>:]];<a href="postconf.5.html#mailbox_command_maps">&</a>;g
--	s;[[:<:]]mail[-</bB>]*\n* *[<bB>]*box_deliv[-</Bb>]*\n* *[<Bb>]*ery_lock[[:>:]];<a href="postconf.5.html#mailbox_delivery_lock">&</a>;g
--	s;[[:<:]]mail[-</bB>]*\n* *[<bB>]*box_size_limit[[:>:]];<a href="postconf.5.html#mailbox_size_limit">&</a>;g
--	s;[[:<:]]mail[-</bB>]*\n* *[<bB>]*box_transport[[:>:]];<a href="postconf.5.html#mailbox_transport">&</a>;g
--	s;[[:<:]]mailq_path[[:>:]];<a href="postconf.5.html#mailq_path">&</a>;g
--	s;[[:<:]]manpage_directory[[:>:]];<a href="postconf.5.html#manpage_directory">&</a>;g
--	s;[[:<:]]maps_rbl_domains[[:>:]];<a href="postconf.5.html#maps_rbl_domains">&</a>;g
--	s;[[:<:]]maps_rbl_reject_code[[:>:]];<a href="postconf.5.html#maps_rbl_reject_code">&</a>;g
--	s;[[:<:]]masquerade_classes[[:>:]];<a href="postconf.5.html#masquerade_classes">&</a>;g
--	s;[[:<:]]masquerade_domains[[:>:]];<a href="postconf.5.html#masquerade_domains">&</a>;g
--	s;[[:<:]]masquerade_exceptions[[:>:]];<a href="postconf.5.html#masquerade_exceptions">&</a>;g
--	s;[[:<:]]max_idle[[:>:]];<a href="postconf.5.html#max_idle">&</a>;g
--	s;[[:<:]]max_use[[:>:]];<a href="postconf.5.html#max_use">&</a>;g
--	s;[[:<:]]maxi[-</bB>]*\n*[ <bB>]*mal_backoff_time[[:>:]];<a href="postconf.5.html#maximal_backoff_time">&</a>;g
--	s;[[:<:]]maxi[-</bB>]*\n*[ <bB>]*mal_queue_lifetime[[:>:]];<a href="postconf.5.html#maximal_queue_lifetime">&</a>;g
--	s;[[:<:]]message_size_limit[[:>:]];<a href="postconf.5.html#message_size_limit">&</a>;g
--	s;[[:<:]]mime_boundary_length_limit[[:>:]];<a href="postconf.5.html#mime_boundary_length_limit">&</a>;g
--	s;[[:<:]]mime_header_checks[[:>:]];<a href="postconf.5.html#mime_header_checks">&</a>;g
--	s;[[:<:]]mime_nesting_limit[[:>:]];<a href="postconf.5.html#mime_nesting_limit">&</a>;g
--	s;[[:<:]]minimal_backoff_time[[:>:]];<a href="postconf.5.html#minimal_backoff_time">&</a>;g
--	s;[[:<:]]multi_recip[-</bB>]*\n* *[<bB>]*ient_bounce_reject_code[[:>:]];<a href="postconf.5.html#multi_recipient_bounce_reject_code">&</a>;g
--	s;[[:<:]]mydes[-</bB>]*\n*[ <bB>]*tina[-</bB>]*\n*[ <bB>]*tion[[:>:]];<a href="postconf.5.html#mydestination">&</a>;g
--	s;[[:<:]]mydomain[[:>:]];<a href="postconf.5.html#mydomain">&</a>;g
--	s;[[:<:]]myhostname[[:>:]];<a href="postconf.5.html#myhostname">&</a>;g
--	s;[[:<:]]mynetworks[[:>:]];<a href="postconf.5.html#mynetworks">&</a>;g
--	s;[[:<:]]mynetworks_style[[:>:]];<a href="postconf.5.html#mynetworks_style">&</a>;g
--	s;[[:<:]]myorigin[[:>:]];<a href="postconf.5.html#myorigin">&</a>;g
--	s;[[:<:]]nested_header_checks[[:>:]];<a href="postconf.5.html#nested_header_checks">&</a>;g
--	s;[[:<:]]newaliases_path[[:>:]];<a href="postconf.5.html#newaliases_path">&</a>;g
--	s;[[:<:]]non_fqdn_reject_code[[:>:]];<a href="postconf.5.html#non_fqdn_reject_code">&</a>;g
--	s;[[:<:]]notify_classes[[:>:]];<a href="postconf.5.html#notify_classes">&</a>;g
--	s;[[:<:]]owner_request_special[[:>:]];<a href="postconf.5.html#owner_request_special">&</a>;g
--	s;[[:<:]]parent_domain_matches_subdomains[[:>:]];<a href="postconf.5.html#parent_domain_matches_subdomains">&</a>;g
--	s;[[:<:]]permit_mx_backup_networks[[:>:]];<a href="postconf.5.html#permit_mx_backup_networks">&</a>;g
--	s;[[:<:]]pickup_service_name[[:>:]];<a href="postconf.5.html#pickup_service_name">&</a>;g
--	s;[[:<:]]prepend_delivered_header[[:>:]];<a href="postconf.5.html#prepend_delivered_header">&</a>;g
--	s;[[:<:]]process_id[[:>:]];<a href="postconf.5.html#process_id">&</a>;g
--	s;[[:<:]]process_id_directory[[:>:]];<a href="postconf.5.html#process_id_directory">&</a>;g
--	s;[[:<:]]process_name[[:>:]];<a href="postconf.5.html#process_name">&</a>;g
--	s;[[:<:]]propagate_unmatched_extensions[[:>:]];<a href="postconf.5.html#propagate_unmatched_extensions">&</a>;g
--	s;[[:<:]]proxy_interfaces[[:>:]];<a href="postconf.5.html#proxy_interfaces">&</a>;g
--	s;[[:<:]]proxy_read_maps[[:>:]];<a href="postconf.5.html#proxy_read_maps">&</a>;g
--	s;[[:<:]]qmgr_clog_warn_time[[:>:]];<a href="postconf.5.html#qmgr_clog_warn_time">&</a>;g
--	s;[[:<:]]qmgr_fudge_factor[[:>:]];<a href="postconf.5.html#qmgr_fudge_factor">&</a>;g
--	s;[[:<:]]qmgr_message_active_limit[[:>:]];<a href="postconf.5.html#qmgr_message_active_limit">&</a>;g
--	s;[[:<:]]qmgr_message_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#qmgr_message_recipient_limit">&</a>;g
--	s;[[:<:]]qmgr_message_recip[-</bB>]*\n* *[<bB>]*ient_minimum[[:>:]];<a href="postconf.5.html#qmgr_message_recipient_minimum">&</a>;g
--	s;[[:<:]]qmqpd_authorized_clients[[:>:]];<a href="postconf.5.html#qmqpd_authorized_clients">&</a>;g
--	s;[[:<:]]qmqpd_error_delay[[:>:]];<a href="postconf.5.html#qmqpd_error_delay">&</a>;g
--	s;[[:<:]]qmqpd_timeout[[:>:]];<a href="postconf.5.html#qmqpd_timeout">&</a>;g
--	s;[[:<:]]queue_directory[[:>:]];<a href="postconf.5.html#queue_directory">&</a>;g
--	s;[[:<:]]queue_file_attribute_count_limit[[:>:]];<a href="postconf.5.html#queue_file_attribute_count_limit">&</a>;g
--	s;[[:<:]]queue_minfree[[:>:]];<a href="postconf.5.html#queue_minfree">&</a>;g
--	s;[[:<:]]queue_run_delay[[:>:]];<a href="postconf.5.html#queue_run_delay">&</a>;g
--	s;[[:<:]]queue_service_name[[:>:]];<a href="postconf.5.html#queue_service_name">&</a>;g
--	s;[[:<:]]rbl_reply_maps[[:>:]];<a href="postconf.5.html#rbl_reply_maps">&</a>;g
--	s;[[:<:]]readme_directory[[:>:]];<a href="postconf.5.html#readme_directory">&</a>;g
--	s;[[:<:]]receive_override_options[[:>:]];<a href="postconf.5.html#receive_override_options">&</a>;g
--	s;[[:<:]]no_unknown_recip[-</bB>]*\n* *[<bB>]*ient_checks[[:>:]];<a href="postconf.5.html#no_unknown_recipient_checks">&</a>;g
--	s;[[:<:]]no_address_mappings[[:>:]];<a href="postconf.5.html#no_address_mappings">&</a>;g
--	s;[[:<:]]no_header_body_checks[[:>:]];<a href="postconf.5.html#no_header_body_checks">&</a>;g
--	s;[[:<:]]recip[-</bB>]*\n* *[<bB>]*ient_bcc_maps[[:>:]];<a href="postconf.5.html#recipient_bcc_maps">&</a>;g
--	s;[[:<:]]recip[-</bB>]*\n* *[<bB>]*ient_canonical_maps[[:>:]];<a href="postconf.5.html#recipient_canonical_maps">&</a>;g
--	s;[[:<:]]recip[-</bB>]*\n* *[<bB>]*ient_delim[-</bB>]*\n* *[<bB>]*iter[[:>:]];<a href="postconf.5.html#recipient_delimiter">&<\/a>;g
--	s;[[:<:]]reject_code[[:>:]];<a href="postconf.5.html#reject_code">&</a>;g
--	s;[[:<:]]relay_domains[[:>:]];<a href="postconf.5.html#relay_domains">&</a>;g
--	s;[[:<:]]relay_domains_reject_code[[:>:]];<a href="postconf.5.html#relay_domains_reject_code">&</a>;g
--	s;[[:<:]]relay_recipi[-</bB>]*\n*[ <bB>]*ent_maps[[:>:]];<a href="postconf.5.html#relay_recipient_maps">&</a>;g
--	s;[[:<:]]relay_transport[[:>:]];<a href="postconf.5.html#relay_transport">&</a>;g
--	s;[[:<:]]relayhost[[:>:]];<a href="postconf.5.html#relayhost">&</a>;g
--	s;[[:<:]]relocated_maps[[:>:]];<a href="postconf.5.html#relocated_maps">&</a>;g
--	s;[[:<:]]require_home_directory[[:>:]];<a href="postconf.5.html#require_home_directory">&</a>;g
--	s;[[:<:]]resolve_dequoted_address[[:>:]];<a href="postconf.5.html#resolve_dequoted_address">&</a>;g
--	s;[[:<:]]rewrite_service_name[[:>:]];<a href="postconf.5.html#rewrite_service_name">&</a>;g
--	s;[[:<:]]sample_directory[[:>:]];<a href="postconf.5.html#sample_directory">&</a>;g
--	s;[[:<:]]sender_based_routing[[:>:]];<a href="postconf.5.html#sender_based_routing">&</a>;g
--	s;[[:<:]]sender_bcc_maps[[:>:]];<a href="postconf.5.html#sender_bcc_maps">&</a>;g
--	s;[[:<:]]sender_canonical_maps[[:>:]];<a href="postconf.5.html#sender_canonical_maps">&</a>;g
--	s;[[:<:]]sendmail_path[[:>:]];<a href="postconf.5.html#sendmail_path">&</a>;g
--	s;[[:<:]]service_throttle_time[[:>:]];<a href="postconf.5.html#service_throttle_time">&</a>;g
--	s;[[:<:]]setgid_group[[:>:]];<a href="postconf.5.html#setgid_group">&</a>;g
--	s;[[:<:]]show_user_unknown_table_name[[:>:]];<a href="postconf.5.html#show_user_unknown_table_name">&</a>;g
--	s;[[:<:]]showq_service_name[[:>:]];<a href="postconf.5.html#showq_service_name">&</a>;g
--	s;[[:<:]]smtp_always_send_ehlo[[:>:]];<a href="postconf.5.html#smtp_always_send_ehlo">&</a>;g
--	s;[[:<:]]smtp_bind_address[[:>:]];<a href="postconf.5.html#smtp_bind_address">&</a>;g
--	s;[[:<:]]smtp_connect_timeout[[:>:]];<a href="postconf.5.html#smtp_connect_timeout">&</a>;g
--	s;[[:<:]]smtp_data_done_timeout[[:>:]];<a href="postconf.5.html#smtp_data_done_timeout">&</a>;g
--	s;[[:<:]]smtp_data_init_timeout[[:>:]];<a href="postconf.5.html#smtp_data_init_timeout">&</a>;g
--	s;[[:<:]]smtp_data_xfer_timeout[[:>:]];<a href="postconf.5.html#smtp_data_xfer_timeout">&</a>;g
--	s;[[:<:]]smtp_defer_if_no_mx_address_found[[:>:]];<a href="postconf.5.html#smtp_defer_if_no_mx_address_found">&</a>;g
--	s;[[:<:]]lmtp_destination_concurrency_limit[[:>:]];<a href="postconf.5.html#lmtp_destination_concurrency_limit">&</a>;g
--	s;[[:<:]]lmtp_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#lmtp_destination_recipient_limit">&</a>;g
--	s;[[:<:]]relay_destination_concurrency_limit[[:>:]];<a href="postconf.5.html#relay_destination_concurrency_limit">&</a>;g
--	s;[[:<:]]relay_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#relay_destination_recipient_limit">&</a>;g
--	s;[[:<:]]resolve_null_domain[[:>:]];<a href="postconf.5.html#resolve_null_domain">&</a>;g
--	s;[[:<:]]smtp_destination_concurrency_limit[[:>:]];<a href="postconf.5.html#smtp_destination_concurrency_limit">&</a>;g
--	s;[[:<:]]smtp_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#smtp_destination_recipient_limit">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_destination_concurrency_limit[[:>:]];<a href="postconf.5.html#virtual_destination_concurrency_limit">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#virtual_destination_recipient_limit">&</a>;g
--	s;[[:<:]]smtp_helo_name[[:>:]];<a href="postconf.5.html#smtp_helo_name">&</a>;g
--	s;[[:<:]]smtp_helo_timeout[[:>:]];<a href="postconf.5.html#smtp_helo_timeout">&</a>;g
--	s;[[:<:]]smtp_host_lookup[[:>:]];<a href="postconf.5.html#smtp_host_lookup">&</a>;g
--	s;[[:<:]]smtp_line_length_limit[[:>:]];<a href="postconf.5.html#smtp_line_length_limit">&</a>;g
--	s;[[:<:]]smtp_mail_timeout[[:>:]];<a href="postconf.5.html#smtp_mail_timeout">&</a>;g
--	s;[[:<:]]smtp_mx_address_limit[[:>:]];<a href="postconf.5.html#smtp_mx_address_limit">&</a>;g
--	s;[[:<:]]smtp_mx_session_limit[[:>:]];<a href="postconf.5.html#smtp_mx_session_limit">&</a>;g
--	s;[[:<:]]smtp_never_send_ehlo[[:>:]];<a href="postconf.5.html#smtp_never_send_ehlo">&</a>;g
--	s;[[:<:]]smtp_pix_workaround_delay_time[[:>:]];<a href="postconf.5.html#smtp_pix_workaround_delay_time">&</a>;g
--	s;[[:<:]]smtp_pix_workaround_threshold_time[[:>:]];<a href="postconf.5.html#smtp_pix_workaround_threshold_time">&</a>;g
--	s;[[:<:]]smtp_quit_timeout[[:>:]];<a href="postconf.5.html#smtp_quit_timeout">&</a>;g
--	s;[[:<:]]smtp_quote_rfc821_envelope[[:>:]];<a href="postconf.5.html#smtp_quote_rfc821_envelope">&</a>;g
--	s;[[:<:]]smtp_randomize_addresses[[:>:]];<a href="postconf.5.html#smtp_randomize_addresses">&</a>;g
--	s;[[:<:]]smtp_rcpt_timeout[[:>:]];<a href="postconf.5.html#smtp_rcpt_timeout">&</a>;g
--	s;[[:<:]]smtp_rset_timeout[[:>:]];<a href="postconf.5.html#smtp_rset_timeout">&</a>;g
--	s;[[:<:]]smtp_sasl_auth_enable[[:>:]];<a href="postconf.5.html#smtp_sasl_auth_enable">&</a>;g
--	s;[[:<:]]smtp_sasl_password_maps[[:>:]];<a href="postconf.5.html#smtp_sasl_password_maps">&</a>;g
--	s;[[:<:]]smtp_sasl_security_options[[:>:]];<a href="postconf.5.html#smtp_sasl_security_options">&</a>;g
--	s;[[:<:]]smtp_send_xforward_command[[:>:]];<a href="postconf.5.html#smtp_send_xforward_command">&</a>;g
--	s;[[:<:]]smtp_skip_4xx_greeting[[:>:]];<a href="postconf.5.html#smtp_skip_4xx_greeting">&</a>;g
--	s;[[:<:]]smtp_skip_5xx_greeting[[:>:]];<a href="postconf.5.html#smtp_skip_5xx_greeting">&</a>;g
--	s;[[:<:]]smtp_skip_quit_response[[:>:]];<a href="postconf.5.html#smtp_skip_quit_response">&</a>;g
--	s;[[:<:]]smtp_xforward_timeout[[:>:]];<a href="postconf.5.html#smtp_xforward_timeout">&</a>;g
--	s;[[:<:]]smtpd_autho[-</bB>]*\n*[ <bB>]*rized_verp_clients[[:>:]];<a href="postconf.5.html#smtpd_authorized_verp_clients">&</a>;g
--	s;[[:<:]]smtpd_autho[-</bB>]*\n*[ <bB>]*rized_xclient_hosts[[:>:]];<a href="postconf.5.html#smtpd_authorized_xclient_hosts">&</a>;g
--	s;[[:<:]]smtpd_autho[-</bB>]*\n*[ <bB>]*rized_xforward_hosts[[:>:]];<a href="postconf.5.html#smtpd_authorized_xforward_hosts">&</a>;g
--	s;[[:<:]]smtpd_banner[[:>:]];<a href="postconf.5.html#smtpd_banner">&</a>;g
--	s;[[:<:]]smtpd_client_connection_count_limit[[:>:]];<a href="postconf.5.html#smtpd_client_connection_count_limit">&</a>;g
--	s;[[:<:]]smtpd_client_connection_limit_exceptions[[:>:]];<a href="postconf.5.html#smtpd_client_connection_limit_exceptions">&</a>;g
--	s;[[:<:]]smtpd_client_connection_rate_limit[[:>:]];<a href="postconf.5.html#smtpd_client_connection_rate_limit">&</a>;g
--	s;[[:<:]]smtpd_client_restrictions[[:>:]];<a href="postconf.5.html#smtpd_client_restrictions">&</a>;g
--	s;[[:<:]]smtpd_data_restrictions[[:>:]];<a href="postconf.5.html#smtpd_data_restrictions">&</a>;g
--	s;[[:<:]]smtpd_delay_reject[[:>:]];<a href="postconf.5.html#smtpd_delay_reject">&</a>;g
--	s;[[:<:]]smtpd_error_sleep_time[[:>:]];<a href="postconf.5.html#smtpd_error_sleep_time">&</a>;g
--	s;[[:<:]]smtpd_etrn_restrictions[[:>:]];<a href="postconf.5.html#smtpd_etrn_restrictions">&</a>;g
--	s;[[:<:]]smtpd_expansion_filter[[:>:]];<a href="postconf.5.html#smtpd_expansion_filter">&</a>;g
--	s;[[:<:]]smtpd_hard_error_limit[[:>:]];<a href="postconf.5.html#smtpd_hard_error_limit">&</a>;g
--	s;[[:<:]]smtpd_helo_required[[:>:]];<a href="postconf.5.html#smtpd_helo_required">&</a>;g
--	s;[[:<:]]smtpd_helo_restrictions[[:>:]];<a href="postconf.5.html#smtpd_helo_restrictions">&</a>;g
--	s;[[:<:]]smtpd_history_flush_threshold[[:>:]];<a href="postconf.5.html#smtpd_history_flush_threshold">&</a>;g
--	s;[[:<:]]smtpd_junk_command_limit[[:>:]];<a href="postconf.5.html#smtpd_junk_command_limit">&</a>;g
--	s;[[:<:]]smtpd_noop_commands[[:>:]];<a href="postconf.5.html#smtpd_noop_commands">&</a>;g
--	s;[[:<:]]smtpd_null_access_lookup_key[[:>:]];<a href="postconf.5.html#smtpd_null_access_lookup_key">&</a>;g
--	s;[[:<:]]smtpd_recipient_overshoot_limit[[:>:]];<a href="postconf.5.html#smtpd_recipient_overshoot_limit">&</a>;g
--	s;[[:<:]]smtpd_policy_service_max_idle[[:>:]];<a href="postconf.5.html#smtpd_policy_service_max_idle">&</a>;g
--	s;[[:<:]]smtpd_policy_service_max_ttl[[:>:]];<a href="postconf.5.html#smtpd_policy_service_max_ttl">&</a>;g
--	s;[[:<:]]smtpd_policy_service_timeout[[:>:]];<a href="postconf.5.html#smtpd_policy_service_timeout">&</a>;g
--	s;[[:<:]]smtpd_proxy_ehlo[[:>:]];<a href="postconf.5.html#smtpd_proxy_ehlo">&</a>;g
--	s;[[:<:]]smtpd_proxy_filter[[:>:]];<a href="postconf.5.html#smtpd_proxy_filter">&</a>;g
--	s;[[:<:]]smtpd_proxy_timeout[[:>:]];<a href="postconf.5.html#smtpd_proxy_timeout">&</a>;g
--	s;[[:<:]]smtpd_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#smtpd_recipient_limit">&</a>;g
--	s;[[:<:]]smtpd_recip[-</bB>]*\n* *[<bB>]*ient_restrictions[[:>:]];<a href="postconf.5.html#smtpd_recipient_restrictions">&</a>;g
--	s;[[:<:]]smtpd_reject_unlisted_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#smtpd_reject_unlisted_recipient">&</a>;g
--	s;[[:<:]]smtpd_reject_unlisted_sender[[:>:]];<a href="postconf.5.html#smtpd_reject_unlisted_sender">&</a>;g
--	s;[[:<:]]smtpd_restriction_classes[[:>:]];<a href="postconf.5.html#smtpd_restriction_classes">&</a>;g
--	s;[[:<:]]smtpd_sasl_application_name[[:>:]];<a href="postconf.5.html#smtpd_sasl_application_name">&</a>;g
--	s;[[:<:]]smtpd_sasl_auth_enable[[:>:]];<a href="postconf.5.html#smtpd_sasl_auth_enable">&</a>;g
--	s;[[:<:]]smtpd_sasl_exceptions_networks[[:>:]];<a href="postconf.5.html#smtpd_sasl_exceptions_networks">&</a>;g
--	s;[[:<:]]smtpd_sasl_local_domain[[:>:]];<a href="postconf.5.html#smtpd_sasl_local_domain">&</a>;g
--	s;[[:<:]]smtpd_sasl_security_options[[:>:]];<a href="postconf.5.html#smtpd_sasl_security_options">&</a>;g
--	s;[[:<:]]smtpd_sender_login_maps[[:>:]];<a href="postconf.5.html#smtpd_sender_login_maps">&</a>;g
--	s;[[:<:]]smtpd_sender_restrictions[[:>:]];<a href="postconf.5.html#smtpd_sender_restrictions">&</a>;g
--	s;[[:<:]]smtpd_soft_error_limit[[:>:]];<a href="postconf.5.html#smtpd_soft_error_limit">&</a>;g
--	s;[[:<:]]smtpd_timeout[[:>:]];<a href="postconf.5.html#smtpd_timeout">&</a>;g
--	s;[[:<:]]soft_bounce[[:>:]];<a href="postconf.5.html#soft_bounce">&</a>;g
--	s;[[:<:]]stale_lock_time[[:>:]];<a href="postconf.5.html#stale_lock_time">&</a>;g
--	s;[[:<:]]strict_7bit_headers[[:>:]];<a href="postconf.5.html#strict_7bit_headers">&</a>;g
--	s;[[:<:]]strict_8bitmime[[:>:]];<a href="postconf.5.html#strict_8bitmime">&</a>;g
--	s;[[:<:]]strict_8bitmime_body[[:>:]];<a href="postconf.5.html#strict_8bitmime_body">&</a>;g
--	s;[[:<:]]strict_mime_encoding_domain[[:>:]];<a href="postconf.5.html#strict_mime_encoding_domain">&</a>;g
--	s;[[:<:]]strict_rfc821_envelopes[[:>:]];<a href="postconf.5.html#strict_rfc821_envelopes">&</a>;g
--	s;[[:<:]]sun_mailtool_compatibility[[:>:]];<a href="postconf.5.html#sun_mailtool_compatibility">&</a>;g
--	s;[[:<:]]swap_bangpath[[:>:]];<a href="postconf.5.html#swap_bangpath">&</a>;g
--	s;[[:<:]]syslog_facility[[:>:]];<a href="postconf.5.html#syslog_facility">&</a>;g
--	s;[[:<:]]syslog_name[[:>:]];<a href="postconf.5.html#syslog_name">&</a>;g
--	s;[[:<:]]trace_service_name[[:>:]];<a href="postconf.5.html#trace_service_name">&</a>;g
--	s;[[:<:]]transport_maps[[:>:]];<a href="postconf.5.html#transport_maps">&</a>;g
--	s;[[:<:]]transport_retry_time[[:>:]];<a href="postconf.5.html#transport_retry_time">&</a>;g
--	s;[[:<:]]trigger_timeout[[:>:]];<a href="postconf.5.html#trigger_timeout">&</a>;g
--	s;[[:<:]]undisclosed_recip[-</bB>]*\n* *[<bB>]*ients_header[[:>:]];<a href="postconf.5.html#undisclosed_recipients_header">&</a>;g
--	s;[[:<:]]unknown_address_reject_code[[:>:]];<a href="postconf.5.html#unknown_address_reject_code">&</a>;g
--	s;[[:<:]]unknown_client_reject_code[[:>:]];<a href="postconf.5.html#unknown_client_reject_code">&</a>;g
--	s;[[:<:]]unknown_hostname_reject_code[[:>:]];<a href="postconf.5.html#unknown_hostname_reject_code">&</a>;g
--	s;[[:<:]]unknown_local_recip[-</bB>]*\n* *[<bB>]*ient_reject_code[[:>:]];<a href="postconf.5.html#unknown_local_recipient_reject_code">&</a>;g
--	s;[[:<:]]unknown_relay_recipi[-</bB>]*\n*[ <bB>]*ent_reject_code[[:>:]];<a href="postconf.5.html#unknown_relay_recipient_reject_code">&</a>;g
--	s;[[:<:]]unknown_virtual_alias_reject_code[[:>:]];<a href="postconf.5.html#unknown_virtual_alias_reject_code">&</a>;g
--	s;[[:<:]]unknown_virtual_mail[-</bB>]*\n* *[<bB>]*box_reject_code[[:>:]];<a href="postconf.5.html#unknown_virtual_mailbox_reject_code">&</a>;g
--	s;[[:<:]]unverified_recip[-</bB>]*\n* *[<bB>]*ient_reject_code[[:>:]];<a href="postconf.5.html#unverified_recipient_reject_code">&</a>;g
--	s;[[:<:]]unverified_sender_reject_code[[:>:]];<a href="postconf.5.html#unverified_sender_reject_code">&</a>;g
--	s;[[:<:]]verp_delimiter_filter[[:>:]];<a href="postconf.5.html#verp_delimiter_filter">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_alias_domains[[:>:]];<a href="postconf.5.html#virtual_alias_domains">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_alias_expansion_limit[[:>:]];<a href="postconf.5.html#virtual_alias_expansion_limit">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_alias_maps[[:>:]];<a href="postconf.5.html#virtual_alias_maps">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_maps[[:>:]];<a href="postconf.5.html#virtual_maps">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_alias_recursion_limit[[:>:]];<a href="postconf.5.html#virtual_alias_recursion_limit">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_gid_maps[[:>:]];<a href="postconf.5.html#virtual_gid_maps">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_base[[:>:]];<a href="postconf.5.html#virtual_mailbox_base">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_domains[[:>:]];<a href="postconf.5.html#virtual_mailbox_domains">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_limit[[:>:]];<a href="postconf.5.html#virtual_mailbox_limit">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_lock[[:>:]];<a href="postconf.5.html#virtual_mailbox_lock">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_maps[[:>:]];<a href="postconf.5.html#virtual_mailbox_maps">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_minimum_uid[[:>:]];<a href="postconf.5.html#virtual_minimum_uid">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_transport[[:>:]];<a href="postconf.5.html#virtual_transport">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_uid_maps[[:>:]];<a href="postconf.5.html#virtual_uid_maps">&</a>;g
-+	s;[\[{(<]autho[-</bB>]*\n*[ <bB>]*rized_verp_clients[\]})>];<a href="postconf.5.html#authorized_verp_clients">&</a>;g
-+	s;[\[{(<]debugger_command[\]})>];<a href="postconf.5.html#debugger_command">&</a>;g
-+	s;[\[{(<]2bounce_notice_recipi[-</bB>]*\n*[ <bB>]*ent[\]})>];<a href="postconf.5.html#2bounce_notice_recipient">&</a>;g
-+	s;[\[{(<]access_map_reject_code[\]})>];<a href="postconf.5.html#access_map_reject_code">&</a>;g
-+	s;[\[{(<]address_verify_default_transport[\]})>];<a href="postconf.5.html#address_verify_default_transport">&</a>;g
-+	s;[\[{(<]address_verify_local_transport[\]})>];<a href="postconf.5.html#address_verify_local_transport">&</a>;g
-+	s;[\[{(<]address_verify_map[\]})>];<a href="postconf.5.html#address_verify_map">&</a>;g
-+	s;[\[{(<]address_verify_negative_cache[\]})>];<a href="postconf.5.html#address_verify_negative_cache">&</a>;g
-+	s;[\[{(<]address_verify_negative_expire_time[\]})>];<a href="postconf.5.html#address_verify_negative_expire_time">&</a>;g
-+	s;[\[{(<]address_verify_negative_refresh_time[\]})>];<a href="postconf.5.html#address_verify_negative_refresh_time">&</a>;g
-+	s;[\[{(<]address_verify_poll_count[\]})>];<a href="postconf.5.html#address_verify_poll_count">&</a>;g
-+	s;[\[{(<]address_verify_poll_delay[\]})>];<a href="postconf.5.html#address_verify_poll_delay">&</a>;g
-+	s;[\[{(<]address_verify_positive_expire_time[\]})>];<a href="postconf.5.html#address_verify_positive_expire_time">&</a>;g
-+	s;[\[{(<]address_verify_positive_refresh_time[\]})>];<a href="postconf.5.html#address_verify_positive_refresh_time">&</a>;g
-+	s;[\[{(<]address_verify_relay_transport[\]})>];<a href="postconf.5.html#address_verify_relay_transport">&</a>;g
-+	s;[\[{(<]address_verify_relayhost[\]})>];<a href="postconf.5.html#address_verify_relayhost">&</a>;g
-+	s;[\[{(<]address_verify_sender[\]})>];<a href="postconf.5.html#address_verify_sender">&</a>;g
-+	s;[\[{(<]address_verify_service_name[\]})>];<a href="postconf.5.html#address_verify_service_name">&</a>;g
-+	s;[\[{(<]address_verify_transport_maps[\]})>];<a href="postconf.5.html#address_verify_transport_maps">&</a>;g
-+	s;[\[{(<]address_verify_virtual_transport[\]})>];<a href="postconf.5.html#address_verify_virtual_transport">&</a>;g
-+	s;[\[{(<]alias_database[\]})>];<a href="postconf.5.html#alias_database">&</a>;g
-+	s;[\[{(<]alias_maps[\]})>];<a href="postconf.5.html#alias_maps">&</a>;g
-+	s;[\[{(<]allow_mail_to_commands[\]})>];<a href="postconf.5.html#allow_mail_to_commands">&</a>;g
-+	s;[\[{(<]allow_mail_to_files[\]})>];<a href="postconf.5.html#allow_mail_to_files">&</a>;g
-+	s;[\[{(<]allow_min_user[\]})>];<a href="postconf.5.html#allow_min_user">&</a>;g
-+	s;[\[{(<]allow_percent_hack[\]})>];<a href="postconf.5.html#allow_percent_hack">&</a>;g
-+	s;[\[{(<]allow_untrusted_routing[\]})>];<a href="postconf.5.html#allow_untrusted_routing">&</a>;g
-+	s;[\[{(<]alternate_config_directories[\]})>];<a href="postconf.5.html#alternate_config_directories">&</a>;g
-+	s;[\[{(<]always_bcc[\]})>];<a href="postconf.5.html#always_bcc">&</a>;g
-+	s;[\[{(<]anvil_rate_time_unit[\]})>];<a href="postconf.5.html#anvil_rate_time_unit">&</a>;g
-+	s;[\[{(<]append_at_myorigin[\]})>];<a href="postconf.5.html#append_at_myorigin">&</a>;g
-+	s;[\[{(<]append_dot_mydomain[\]})>];<a href="postconf.5.html#append_dot_mydomain">&</a>;g
-+	s;[\[{(<]application_event_drain_time[\]})>];<a href="postconf.5.html#application_event_drain_time">&</a>;g
-+	s;[\[{(<]backwards_bounce_logfile_compatibility[\]})>];<a href="postconf.5.html#backwards_bounce_logfile_compatibility">&</a>;g
-+	s;[\[{(<]berkeley_db_create_buffer_size[\]})>];<a href="postconf.5.html#berkeley_db_create_buffer_size">&</a>;g
-+	s;[\[{(<]berkeley_db_read_buffer_size[\]})>];<a href="postconf.5.html#berkeley_db_read_buffer_size">&</a>;g
-+	s;[\[{(<]best_mx_transport[\]})>];<a href="postconf.5.html#best_mx_transport">&</a>;g
-+	s;[\[{(<]biff[\]})>];<a href="postconf.5.html#biff">&</a>;g
-+	s;[\[{(<]body_checks[\]})>];<a href="postconf.5.html#body_checks">&</a>;g
-+	s;[\[{(<]body_checks_size_limit[\]})>];<a href="postconf.5.html#body_checks_size_limit">&</a>;g
-+	s;[\[{(<]bounce_notice_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#bounce_notice_recipient">&</a>;g
-+	s;[\[{(<]bounce_queue_lifetime[\]})>];<a href="postconf.5.html#bounce_queue_lifetime">&</a>;g
-+	s;[\[{(<]bounce_service_name[\]})>];<a href="postconf.5.html#bounce_service_name">&</a>;g
-+	s;[\[{(<]bounce_size_limit[\]})>];<a href="postconf.5.html#bounce_size_limit">&</a>;g
-+	s;[\[{(<]broken_sasl_auth_clients[\]})>];<a href="postconf.5.html#broken_sasl_auth_clients">&</a>;g
-+	s;[\[{(<]canonical_maps[\]})>];<a href="postconf.5.html#canonical_maps">&</a>;g
-+	s;[\[{(<]cleanup_service_name[\]})>];<a href="postconf.5.html#cleanup_service_name">&</a>;g
-+	s;[\[{(<]anvil_status_update_time[\]})>];<a href="postconf.5.html#anvil_status_update_time">&</a>;g
-+	s;[\[{(<]command_directory[\]})>];<a href="postconf.5.html#command_directory">&</a>;g
-+	s;[\[{(<]command_expan[-</bB>]*\n* *[<bB>]*sion_filter[\]})>];<a href="postconf.5.html#command_expansion_filter">&</a>;g
-+	s;[\[{(<]command_time_limit[\]})>];<a href="postconf.5.html#command_time_limit">&</a>;g
-+	s;[\[{(<]config_direc[-</bB>]*\n*[ <bB>]*tory[\]})>];<a href="postconf.5.html#config_directory">&</a>;g
-+	s;[\[{(<]con[-</bB>]*\n*[ <bB>]*tent_filter[\]})>];<a href="postconf.5.html#content_filter">&</a>;g
-+	s;[\[{(<]daemon_directory[\]})>];<a href="postconf.5.html#daemon_directory">&</a>;g
-+	s;[\[{(<]daemon_timeout[\]})>];<a href="postconf.5.html#daemon_timeout">&</a>;g
-+	s;[\[{(<]debug_peer_level[\]})>];<a href="postconf.5.html#debug_peer_level">&</a>;g
-+	s;[\[{(<]debug_peer_list[\]})>];<a href="postconf.5.html#debug_peer_list">&</a>;g
-+	s;[\[{(<]default_database_type[\]})>];<a href="postconf.5.html#default_database_type">&</a>;g
-+	s;[\[{(<]default_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_cost[\]})>];<a href="postconf.5.html#default_delivery_slot_cost">&</a>;g
-+	s;[\[{(<]default_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_discount[\]})>];<a href="postconf.5.html#default_delivery_slot_discount">&</a>;g
-+	s;[\[{(<]default_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_loan[\]})>];<a href="postconf.5.html#default_delivery_slot_loan">&</a>;g
-+	s;[\[{(<]default_destina[-</Bb>]*\n* *[<Bb>]*tion_concurrency_limit[\]})>];<a href="postconf.5.html#default_destination_concurrency_limit">&</a>;g
-+	s;[\[{(<]default_destina[-</Bb>]*\n* *[<Bb>]*tion_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#default_destination_recipient_limit">&</a>;g
-+	s;[\[{(<]default_extra_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#default_extra_recipient_limit">&</a>;g
-+	s;[\[{(<]default_minimum_deliv[-</Bb>]*\n* *[<Bb>]*ery_slots[\]})>];<a href="postconf.5.html#default_minimum_delivery_slots">&</a>;g
-+	s;[\[{(<]default_privs[\]})>];<a href="postconf.5.html#default_privs">&</a>;g
-+	s;[\[{(<]default_process_limit[\]})>];<a href="postconf.5.html#default_process_limit">&</a>;g
-+	s;[\[{(<]default_rbl_reply[\]})>];<a href="postconf.5.html#default_rbl_reply">&</a>;g
-+	s;[\[{(<]default_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#default_recipient_limit">&</a>;g
-+	s;[\[{(<]default_transport[\]})>];<a href="postconf.5.html#default_transport">&</a>;g
-+	s;[\[{(<]default_verp_delimiters[\]})>];<a href="postconf.5.html#default_verp_delimiters">&</a>;g
-+	s;[\[{(<]defer_code[\]})>];<a href="postconf.5.html#defer_code">&</a>;g
-+	s;[\[{(<]defer_service_name[\]})>];<a href="postconf.5.html#defer_service_name">&</a>;g
-+	s;[\[{(<]defer_transports[\]})>];<a href="postconf.5.html#defer_transports">&</a>;g
-+	s;[\[{(<]delay_notice_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#delay_notice_recipient">&</a>;g
-+	s;[\[{(<]delay_warning_time[\]})>];<a href="postconf.5.html#delay_warning_time">&</a>;g
-+	s;[\[{(<]deliver_lock_attempts[\]})>];<a href="postconf.5.html#deliver_lock_attempts">&</a>;g
-+	s;[\[{(<]deliver_lock_delay[\]})>];<a href="postconf.5.html#deliver_lock_delay">&</a>;g
-+	s;[\[{(<]disable_dns_lookups[\]})>];<a href="postconf.5.html#disable_dns_lookups">&</a>;g
-+	s;[\[{(<]disable_mime_input_processing[\]})>];<a href="postconf.5.html#disable_mime_input_processing">&</a>;g
-+	s;[\[{(<]disable_mime_output_conversion[\]})>];<a href="postconf.5.html#disable_mime_output_conversion">&</a>;g
-+	s;[\[{(<]disable_verp_bounces[\]})>];<a href="postconf.5.html#disable_verp_bounces">&</a>;g
-+	s;[\[{(<]disable_vrfy_command[\]})>];<a href="postconf.5.html#disable_vrfy_command">&</a>;g
-+	s;[\[{(<]dont_remove[\]})>];<a href="postconf.5.html#dont_remove">&</a>;g
-+	s;[\[{(<]double_bounce_sender[\]})>];<a href="postconf.5.html#double_bounce_sender">&</a>;g
-+	s;[\[{(<]dupli[-</bB>]*\n* *[<bB>]*cate_filter_limit[\]})>];<a href="postconf.5.html#duplicate_filter_limit">&</a>;g
-+	s;[\[{(<]empty_address_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#empty_address_recipient">&</a>;g
-+	s;[\[{(<]enable_original_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#enable_original_recipient">&</a>;g
-+	s;[\[{(<]error_notice_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#error_notice_recipient">&</a>;g
-+	s;[\[{(<]error_service_name[\]})>];<a href="postconf.5.html#error_service_name">&</a>;g
-+	s;[\[{(<]expand_owner_alias[\]})>];<a href="postconf.5.html#expand_owner_alias">&</a>;g
-+	s;[\[{(<]export_environment[\]})>];<a href="postconf.5.html#export_environment">&</a>;g
-+	s;[\[{(<]fallback_relay[\]})>];<a href="postconf.5.html#fallback_relay">&</a>;g
-+	s;[\[{(<]fallback_transport[\]})>];<a href="postconf.5.html#fallback_transport">&</a>;g
-+	s;[\[{(<]fast_flush_domains[\]})>];<a href="postconf.5.html#fast_flush_domains">&</a>;g
-+	s;[\[{(<]fast_flush_purge_time[\]})>];<a href="postconf.5.html#fast_flush_purge_time">&</a>;g
-+	s;[\[{(<]fast_flush_refresh_time[\]})>];<a href="postconf.5.html#fast_flush_refresh_time">&</a>;g
-+	s;[\[{(<]fault_injection_code[\]})>];<a href="postconf.5.html#fault_injection_code">&</a>;g
-+	s;[\[{(<]flush_service_name[\]})>];<a href="postconf.5.html#flush_service_name">&</a>;g
-+	s;[\[{(<]fork_attempts[\]})>];<a href="postconf.5.html#fork_attempts">&</a>;g
-+	s;[\[{(<]fork_delay[\]})>];<a href="postconf.5.html#fork_delay">&</a>;g
-+	s;[\[{(<]forward_expan[-</bB>]*\n* *[<bB>]*sion_filter[\]})>];<a href="postconf.5.html#forward_expansion_filter">&</a>;g
-+	s;[\[{(<]for[-</bB>]*\n* *[<bB>]*ward_path[\]})>];<a href="postconf.5.html#forward_path">&</a>;g
-+	s;[\[{(<]hash_queue_depth[\]})>];<a href="postconf.5.html#hash_queue_depth">&</a>;g
-+	s;[\[{(<]hash_queue_names[\]})>];<a href="postconf.5.html#hash_queue_names">&</a>;g
-+	s;[\[{(<]header_address_token_limit[\]})>];<a href="postconf.5.html#header_address_token_limit">&</a>;g
-+	s;[\[{(<]header_checks[\]})>];<a href="postconf.5.html#header_checks">&</a>;g
-+	s;[\[{(<]header_size_limit[\]})>];<a href="postconf.5.html#header_size_limit">&</a>;g
-+	s;[\[{(<]helpful_warnings[\]})>];<a href="postconf.5.html#helpful_warnings">&</a>;g
-+	s;[\[{(<]home_mailbox[\]})>];<a href="postconf.5.html#home_mailbox">&</a>;g
-+	s;[\[{(<]hopcount_limit[\]})>];<a href="postconf.5.html#hopcount_limit">&</a>;g
-+	s;[\[{(<]html_direc[-</bB>]*\n*[ <bB>]*tory[\]})>];<a href="postconf.5.html#html_directory">&</a>;g
-+	s;[\[{(<]ignore_mx_lookup_error[\]})>];<a href="postconf.5.html#ignore_mx_lookup_error">&</a>;g
-+	s;[\[{(<]import_environment[\]})>];<a href="postconf.5.html#import_environment">&</a>;g
-+	s;[\[{(<]in_flow_delay[\]})>];<a href="postconf.5.html#in_flow_delay">&</a>;g
-+	s;[\[{(<]inet_interfaces[\]})>];<a href="postconf.5.html#inet_interfaces">&</a>;g
-+	s;[\[{(<]initial_destination_concurrency[\]})>];<a href="postconf.5.html#initial_destination_concurrency">&</a>;g
-+	s;[\[{(<]invalid_hostname_reject_code[\]})>];<a href="postconf.5.html#invalid_hostname_reject_code">&</a>;g
-+	s;[\[{(<]ipc_idle[\]})>];<a href="postconf.5.html#ipc_idle">&</a>;g
-+	s;[\[{(<]ipc_timeout[\]})>];<a href="postconf.5.html#ipc_timeout">&</a>;g
-+	s;[\[{(<]ipc_ttl[\]})>];<a href="postconf.5.html#ipc_ttl">&</a>;g
-+	s;[\[{(<]line_length_limit[\]})>];<a href="postconf.5.html#line_length_limit">&</a>;g
-+	s;[\[{(<]lmtp_cache_connection[\]})>];<a href="postconf.5.html#lmtp_cache_connection">&</a>;g
-+	s;[\[{(<]lmtp_connect_timeout[\]})>];<a href="postconf.5.html#lmtp_connect_timeout">&</a>;g
-+	s;[\[{(<]lmtp_data_done_timeout[\]})>];<a href="postconf.5.html#lmtp_data_done_timeout">&</a>;g
-+	s;[\[{(<]lmtp_data_init_timeout[\]})>];<a href="postconf.5.html#lmtp_data_init_timeout">&</a>;g
-+	s;[\[{(<]lmtp_data_xfer_timeout[\]})>];<a href="postconf.5.html#lmtp_data_xfer_timeout">&</a>;g
-+	s;[\[{(<]lmtp_lhlo_timeout[\]})>];<a href="postconf.5.html#lmtp_lhlo_timeout">&</a>;g
-+	s;[\[{(<]lmtp_mail_timeout[\]})>];<a href="postconf.5.html#lmtp_mail_timeout">&</a>;g
-+	s;[\[{(<]lmtp_quit_timeout[\]})>];<a href="postconf.5.html#lmtp_quit_timeout">&</a>;g
-+	s;[\[{(<]lmtp_rcpt_timeout[\]})>];<a href="postconf.5.html#lmtp_rcpt_timeout">&</a>;g
-+	s;[\[{(<]lmtp_rset_timeout[\]})>];<a href="postconf.5.html#lmtp_rset_timeout">&</a>;g
-+	s;[\[{(<]lmtp_sasl_auth_enable[\]})>];<a href="postconf.5.html#lmtp_sasl_auth_enable">&</a>;g
-+	s;[\[{(<]lmtp_sasl_password_maps[\]})>];<a href="postconf.5.html#lmtp_sasl_password_maps">&</a>;g
-+	s;[\[{(<]lmtp_sasl_security_options[\]})>];<a href="postconf.5.html#lmtp_sasl_security_options">&</a>;g
-+	s;[\[{(<]lmtp_send_xforward_command[\]})>];<a href="postconf.5.html#lmtp_send_xforward_command">&</a>;g
-+	s;[\[{(<]lmtp_skip_quit_response[\]})>];<a href="postconf.5.html#lmtp_skip_quit_response">&</a>;g
-+	s;[\[{(<]lmtp_tcp_port[\]})>];<a href="postconf.5.html#lmtp_tcp_port">&</a>;g
-+	s;[\[{(<]lmtp_xforward_timeout[\]})>];<a href="postconf.5.html#lmtp_xforward_timeout">&</a>;g
-+	s;[\[{(<]local_command_shell[\]})>];<a href="postconf.5.html#local_command_shell">&</a>;g
-+	s;[\[{(<]local_destination_concurrency_limit[\]})>];<a href="postconf.5.html#local_destination_concurrency_limit">&</a>;g
-+	s;[\[{(<]local_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#local_destination_recipient_limit">&</a>;g
-+	s;[\[{(<]local_recip[-</bB>]*\n* *[<bB>]*ient_maps[\]})>];<a href="postconf.5.html#local_recipient_maps">&</a>;g
-+	s;[\[{(<]local_transport[\]})>];<a href="postconf.5.html#local_transport">&</a>;g
-+	s;[\[{(<]luser_relay[\]})>];<a href="postconf.5.html#luser_relay">&</a>;g
-+	s;[\[{(<]mail_name[\]})>];<a href="postconf.5.html#mail_name">&</a>;g
-+	s;[\[{(<]mail_owner[\]})>];<a href="postconf.5.html#mail_owner">&</a>;g
-+	s;[\[{(<]mail_release_date[\]})>];<a href="postconf.5.html#mail_release_date">&</a>;g
-+	s;[\[{(<]mail_spool_direc[-</bB>]*\n* *[<bB>]*tory[\]})>];<a href="postconf.5.html#mail_spool_directory">&</a>;g
-+	s;[\[{(<]mail_version[\]})>];<a href="postconf.5.html#mail_version">&</a>;g
-+	s;[\[{(<]mail[-</bB>]*\n* *[<bB>]*box_command[\]})>];<a href="postconf.5.html#mailbox_command">&</a>;g
-+	s;[\[{(<]mail[-</bB>]*\n* *[<bB>]*box_command_maps[\]})>];<a href="postconf.5.html#mailbox_command_maps">&</a>;g
-+	s;[\[{(<]mail[-</bB>]*\n* *[<bB>]*box_deliv[-</Bb>]*\n* *[<Bb>]*ery_lock[\]})>];<a href="postconf.5.html#mailbox_delivery_lock">&</a>;g
-+	s;[\[{(<]mail[-</bB>]*\n* *[<bB>]*box_size_limit[\]})>];<a href="postconf.5.html#mailbox_size_limit">&</a>;g
-+	s;[\[{(<]mail[-</bB>]*\n* *[<bB>]*box_transport[\]})>];<a href="postconf.5.html#mailbox_transport">&</a>;g
-+	s;[\[{(<]mailq_path[\]})>];<a href="postconf.5.html#mailq_path">&</a>;g
-+	s;[\[{(<]manpage_directory[\]})>];<a href="postconf.5.html#manpage_directory">&</a>;g
-+	s;[\[{(<]maps_rbl_domains[\]})>];<a href="postconf.5.html#maps_rbl_domains">&</a>;g
-+	s;[\[{(<]maps_rbl_reject_code[\]})>];<a href="postconf.5.html#maps_rbl_reject_code">&</a>;g
-+	s;[\[{(<]masquerade_classes[\]})>];<a href="postconf.5.html#masquerade_classes">&</a>;g
-+	s;[\[{(<]masquerade_domains[\]})>];<a href="postconf.5.html#masquerade_domains">&</a>;g
-+	s;[\[{(<]masquerade_exceptions[\]})>];<a href="postconf.5.html#masquerade_exceptions">&</a>;g
-+	s;[\[{(<]max_idle[\]})>];<a href="postconf.5.html#max_idle">&</a>;g
-+	s;[\[{(<]max_use[\]})>];<a href="postconf.5.html#max_use">&</a>;g
-+	s;[\[{(<]maxi[-</bB>]*\n*[ <bB>]*mal_backoff_time[\]})>];<a href="postconf.5.html#maximal_backoff_time">&</a>;g
-+	s;[\[{(<]maxi[-</bB>]*\n*[ <bB>]*mal_queue_lifetime[\]})>];<a href="postconf.5.html#maximal_queue_lifetime">&</a>;g
-+	s;[\[{(<]message_size_limit[\]})>];<a href="postconf.5.html#message_size_limit">&</a>;g
-+	s;[\[{(<]mime_boundary_length_limit[\]})>];<a href="postconf.5.html#mime_boundary_length_limit">&</a>;g
-+	s;[\[{(<]mime_header_checks[\]})>];<a href="postconf.5.html#mime_header_checks">&</a>;g
-+	s;[\[{(<]mime_nesting_limit[\]})>];<a href="postconf.5.html#mime_nesting_limit">&</a>;g
-+	s;[\[{(<]minimal_backoff_time[\]})>];<a href="postconf.5.html#minimal_backoff_time">&</a>;g
-+	s;[\[{(<]multi_recip[-</bB>]*\n* *[<bB>]*ient_bounce_reject_code[\]})>];<a href="postconf.5.html#multi_recipient_bounce_reject_code">&</a>;g
-+	s;[\[{(<]mydes[-</bB>]*\n*[ <bB>]*tina[-</bB>]*\n*[ <bB>]*tion[\]})>];<a href="postconf.5.html#mydestination">&</a>;g
-+	s;[\[{(<]mydomain[\]})>];<a href="postconf.5.html#mydomain">&</a>;g
-+	s;[\[{(<]myhostname[\]})>];<a href="postconf.5.html#myhostname">&</a>;g
-+	s;[\[{(<]mynetworks[\]})>];<a href="postconf.5.html#mynetworks">&</a>;g
-+	s;[\[{(<]mynetworks_style[\]})>];<a href="postconf.5.html#mynetworks_style">&</a>;g
-+	s;[\[{(<]myorigin[\]})>];<a href="postconf.5.html#myorigin">&</a>;g
-+	s;[\[{(<]nested_header_checks[\]})>];<a href="postconf.5.html#nested_header_checks">&</a>;g
-+	s;[\[{(<]newaliases_path[\]})>];<a href="postconf.5.html#newaliases_path">&</a>;g
-+	s;[\[{(<]non_fqdn_reject_code[\]})>];<a href="postconf.5.html#non_fqdn_reject_code">&</a>;g
-+	s;[\[{(<]notify_classes[\]})>];<a href="postconf.5.html#notify_classes">&</a>;g
-+	s;[\[{(<]owner_request_special[\]})>];<a href="postconf.5.html#owner_request_special">&</a>;g
-+	s;[\[{(<]parent_domain_matches_subdomains[\]})>];<a href="postconf.5.html#parent_domain_matches_subdomains">&</a>;g
-+	s;[\[{(<]permit_mx_backup_networks[\]})>];<a href="postconf.5.html#permit_mx_backup_networks">&</a>;g
-+	s;[\[{(<]pickup_service_name[\]})>];<a href="postconf.5.html#pickup_service_name">&</a>;g
-+	s;[\[{(<]prepend_delivered_header[\]})>];<a href="postconf.5.html#prepend_delivered_header">&</a>;g
-+	s;[\[{(<]process_id[\]})>];<a href="postconf.5.html#process_id">&</a>;g
-+	s;[\[{(<]process_id_directory[\]})>];<a href="postconf.5.html#process_id_directory">&</a>;g
-+	s;[\[{(<]process_name[\]})>];<a href="postconf.5.html#process_name">&</a>;g
-+	s;[\[{(<]propagate_unmatched_extensions[\]})>];<a href="postconf.5.html#propagate_unmatched_extensions">&</a>;g
-+	s;[\[{(<]proxy_interfaces[\]})>];<a href="postconf.5.html#proxy_interfaces">&</a>;g
-+	s;[\[{(<]proxy_read_maps[\]})>];<a href="postconf.5.html#proxy_read_maps">&</a>;g
-+	s;[\[{(<]qmgr_clog_warn_time[\]})>];<a href="postconf.5.html#qmgr_clog_warn_time">&</a>;g
-+	s;[\[{(<]qmgr_fudge_factor[\]})>];<a href="postconf.5.html#qmgr_fudge_factor">&</a>;g
-+	s;[\[{(<]qmgr_message_active_limit[\]})>];<a href="postconf.5.html#qmgr_message_active_limit">&</a>;g
-+	s;[\[{(<]qmgr_message_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#qmgr_message_recipient_limit">&</a>;g
-+	s;[\[{(<]qmgr_message_recip[-</bB>]*\n* *[<bB>]*ient_minimum[\]})>];<a href="postconf.5.html#qmgr_message_recipient_minimum">&</a>;g
-+	s;[\[{(<]qmqpd_authorized_clients[\]})>];<a href="postconf.5.html#qmqpd_authorized_clients">&</a>;g
-+	s;[\[{(<]qmqpd_error_delay[\]})>];<a href="postconf.5.html#qmqpd_error_delay">&</a>;g
-+	s;[\[{(<]qmqpd_timeout[\]})>];<a href="postconf.5.html#qmqpd_timeout">&</a>;g
-+	s;[\[{(<]queue_directory[\]})>];<a href="postconf.5.html#queue_directory">&</a>;g
-+	s;[\[{(<]queue_file_attribute_count_limit[\]})>];<a href="postconf.5.html#queue_file_attribute_count_limit">&</a>;g
-+	s;[\[{(<]queue_minfree[\]})>];<a href="postconf.5.html#queue_minfree">&</a>;g
-+	s;[\[{(<]queue_run_delay[\]})>];<a href="postconf.5.html#queue_run_delay">&</a>;g
-+	s;[\[{(<]queue_service_name[\]})>];<a href="postconf.5.html#queue_service_name">&</a>;g
-+	s;[\[{(<]rbl_reply_maps[\]})>];<a href="postconf.5.html#rbl_reply_maps">&</a>;g
-+	s;[\[{(<]readme_directory[\]})>];<a href="postconf.5.html#readme_directory">&</a>;g
-+	s;[\[{(<]receive_override_options[\]})>];<a href="postconf.5.html#receive_override_options">&</a>;g
-+	s;[\[{(<]no_unknown_recip[-</bB>]*\n* *[<bB>]*ient_checks[\]})>];<a href="postconf.5.html#no_unknown_recipient_checks">&</a>;g
-+	s;[\[{(<]no_address_mappings[\]})>];<a href="postconf.5.html#no_address_mappings">&</a>;g
-+	s;[\[{(<]no_header_body_checks[\]})>];<a href="postconf.5.html#no_header_body_checks">&</a>;g
-+	s;[\[{(<]recip[-</bB>]*\n* *[<bB>]*ient_bcc_maps[\]})>];<a href="postconf.5.html#recipient_bcc_maps">&</a>;g
-+	s;[\[{(<]recip[-</bB>]*\n* *[<bB>]*ient_canonical_maps[\]})>];<a href="postconf.5.html#recipient_canonical_maps">&</a>;g
-+	s;[\[{(<]recip[-</bB>]*\n* *[<bB>]*ient_delim[-</bB>]*\n* *[<bB>]*iter[\]})>];<a href="postconf.5.html#recipient_delimiter">&<\/a>;g
-+	s;[\[{(<]reject_code[\]})>];<a href="postconf.5.html#reject_code">&</a>;g
-+	s;[\[{(<]relay_domains[\]})>];<a href="postconf.5.html#relay_domains">&</a>;g
-+	s;[\[{(<]relay_domains_reject_code[\]})>];<a href="postconf.5.html#relay_domains_reject_code">&</a>;g
-+	s;[\[{(<]relay_recipi[-</bB>]*\n*[ <bB>]*ent_maps[\]})>];<a href="postconf.5.html#relay_recipient_maps">&</a>;g
-+	s;[\[{(<]relay_transport[\]})>];<a href="postconf.5.html#relay_transport">&</a>;g
-+	s;[\[{(<]relayhost[\]})>];<a href="postconf.5.html#relayhost">&</a>;g
-+	s;[\[{(<]relocated_maps[\]})>];<a href="postconf.5.html#relocated_maps">&</a>;g
-+	s;[\[{(<]require_home_directory[\]})>];<a href="postconf.5.html#require_home_directory">&</a>;g
-+	s;[\[{(<]resolve_dequoted_address[\]})>];<a href="postconf.5.html#resolve_dequoted_address">&</a>;g
-+	s;[\[{(<]rewrite_service_name[\]})>];<a href="postconf.5.html#rewrite_service_name">&</a>;g
-+	s;[\[{(<]sample_directory[\]})>];<a href="postconf.5.html#sample_directory">&</a>;g
-+	s;[\[{(<]sender_based_routing[\]})>];<a href="postconf.5.html#sender_based_routing">&</a>;g
-+	s;[\[{(<]sender_bcc_maps[\]})>];<a href="postconf.5.html#sender_bcc_maps">&</a>;g
-+	s;[\[{(<]sender_canonical_maps[\]})>];<a href="postconf.5.html#sender_canonical_maps">&</a>;g
-+	s;[\[{(<]sendmail_path[\]})>];<a href="postconf.5.html#sendmail_path">&</a>;g
-+	s;[\[{(<]service_throttle_time[\]})>];<a href="postconf.5.html#service_throttle_time">&</a>;g
-+	s;[\[{(<]setgid_group[\]})>];<a href="postconf.5.html#setgid_group">&</a>;g
-+	s;[\[{(<]show_user_unknown_table_name[\]})>];<a href="postconf.5.html#show_user_unknown_table_name">&</a>;g
-+	s;[\[{(<]showq_service_name[\]})>];<a href="postconf.5.html#showq_service_name">&</a>;g
-+	s;[\[{(<]smtp_always_send_ehlo[\]})>];<a href="postconf.5.html#smtp_always_send_ehlo">&</a>;g
-+	s;[\[{(<]smtp_bind_address[\]})>];<a href="postconf.5.html#smtp_bind_address">&</a>;g
-+	s;[\[{(<]smtp_connect_timeout[\]})>];<a href="postconf.5.html#smtp_connect_timeout">&</a>;g
-+	s;[\[{(<]smtp_data_done_timeout[\]})>];<a href="postconf.5.html#smtp_data_done_timeout">&</a>;g
-+	s;[\[{(<]smtp_data_init_timeout[\]})>];<a href="postconf.5.html#smtp_data_init_timeout">&</a>;g
-+	s;[\[{(<]smtp_data_xfer_timeout[\]})>];<a href="postconf.5.html#smtp_data_xfer_timeout">&</a>;g
-+	s;[\[{(<]smtp_defer_if_no_mx_address_found[\]})>];<a href="postconf.5.html#smtp_defer_if_no_mx_address_found">&</a>;g
-+	s;[\[{(<]lmtp_destination_concurrency_limit[\]})>];<a href="postconf.5.html#lmtp_destination_concurrency_limit">&</a>;g
-+	s;[\[{(<]lmtp_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#lmtp_destination_recipient_limit">&</a>;g
-+	s;[\[{(<]relay_destination_concurrency_limit[\]})>];<a href="postconf.5.html#relay_destination_concurrency_limit">&</a>;g
-+	s;[\[{(<]relay_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#relay_destination_recipient_limit">&</a>;g
-+	s;[\[{(<]resolve_null_domain[\]})>];<a href="postconf.5.html#resolve_null_domain">&</a>;g
-+	s;[\[{(<]smtp_destination_concurrency_limit[\]})>];<a href="postconf.5.html#smtp_destination_concurrency_limit">&</a>;g
-+	s;[\[{(<]smtp_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#smtp_destination_recipient_limit">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_destination_concurrency_limit[\]})>];<a href="postconf.5.html#virtual_destination_concurrency_limit">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#virtual_destination_recipient_limit">&</a>;g
-+	s;[\[{(<]smtp_helo_name[\]})>];<a href="postconf.5.html#smtp_helo_name">&</a>;g
-+	s;[\[{(<]smtp_helo_timeout[\]})>];<a href="postconf.5.html#smtp_helo_timeout">&</a>;g
-+	s;[\[{(<]smtp_host_lookup[\]})>];<a href="postconf.5.html#smtp_host_lookup">&</a>;g
-+	s;[\[{(<]smtp_line_length_limit[\]})>];<a href="postconf.5.html#smtp_line_length_limit">&</a>;g
-+	s;[\[{(<]smtp_mail_timeout[\]})>];<a href="postconf.5.html#smtp_mail_timeout">&</a>;g
-+	s;[\[{(<]smtp_mx_address_limit[\]})>];<a href="postconf.5.html#smtp_mx_address_limit">&</a>;g
-+	s;[\[{(<]smtp_mx_session_limit[\]})>];<a href="postconf.5.html#smtp_mx_session_limit">&</a>;g
-+	s;[\[{(<]smtp_never_send_ehlo[\]})>];<a href="postconf.5.html#smtp_never_send_ehlo">&</a>;g
-+	s;[\[{(<]smtp_pix_workaround_delay_time[\]})>];<a href="postconf.5.html#smtp_pix_workaround_delay_time">&</a>;g
-+	s;[\[{(<]smtp_pix_workaround_threshold_time[\]})>];<a href="postconf.5.html#smtp_pix_workaround_threshold_time">&</a>;g
-+	s;[\[{(<]smtp_quit_timeout[\]})>];<a href="postconf.5.html#smtp_quit_timeout">&</a>;g
-+	s;[\[{(<]smtp_quote_rfc821_envelope[\]})>];<a href="postconf.5.html#smtp_quote_rfc821_envelope">&</a>;g
-+	s;[\[{(<]smtp_randomize_addresses[\]})>];<a href="postconf.5.html#smtp_randomize_addresses">&</a>;g
-+	s;[\[{(<]smtp_rcpt_timeout[\]})>];<a href="postconf.5.html#smtp_rcpt_timeout">&</a>;g
-+	s;[\[{(<]smtp_rset_timeout[\]})>];<a href="postconf.5.html#smtp_rset_timeout">&</a>;g
-+	s;[\[{(<]smtp_sasl_auth_enable[\]})>];<a href="postconf.5.html#smtp_sasl_auth_enable">&</a>;g
-+	s;[\[{(<]smtp_sasl_password_maps[\]})>];<a href="postconf.5.html#smtp_sasl_password_maps">&</a>;g
-+	s;[\[{(<]smtp_sasl_security_options[\]})>];<a href="postconf.5.html#smtp_sasl_security_options">&</a>;g
-+	s;[\[{(<]smtp_send_xforward_command[\]})>];<a href="postconf.5.html#smtp_send_xforward_command">&</a>;g
-+	s;[\[{(<]smtp_skip_4xx_greeting[\]})>];<a href="postconf.5.html#smtp_skip_4xx_greeting">&</a>;g
-+	s;[\[{(<]smtp_skip_5xx_greeting[\]})>];<a href="postconf.5.html#smtp_skip_5xx_greeting">&</a>;g
-+	s;[\[{(<]smtp_skip_quit_response[\]})>];<a href="postconf.5.html#smtp_skip_quit_response">&</a>;g
-+	s;[\[{(<]smtp_xforward_timeout[\]})>];<a href="postconf.5.html#smtp_xforward_timeout">&</a>;g
-+	s;[\[{(<]smtpd_autho[-</bB>]*\n*[ <bB>]*rized_verp_clients[\]})>];<a href="postconf.5.html#smtpd_authorized_verp_clients">&</a>;g
-+	s;[\[{(<]smtpd_autho[-</bB>]*\n*[ <bB>]*rized_xclient_hosts[\]})>];<a href="postconf.5.html#smtpd_authorized_xclient_hosts">&</a>;g
-+	s;[\[{(<]smtpd_autho[-</bB>]*\n*[ <bB>]*rized_xforward_hosts[\]})>];<a href="postconf.5.html#smtpd_authorized_xforward_hosts">&</a>;g
-+	s;[\[{(<]smtpd_banner[\]})>];<a href="postconf.5.html#smtpd_banner">&</a>;g
-+	s;[\[{(<]smtpd_client_connection_count_limit[\]})>];<a href="postconf.5.html#smtpd_client_connection_count_limit">&</a>;g
-+	s;[\[{(<]smtpd_client_connection_limit_exceptions[\]})>];<a href="postconf.5.html#smtpd_client_connection_limit_exceptions">&</a>;g
-+	s;[\[{(<]smtpd_client_connection_rate_limit[\]})>];<a href="postconf.5.html#smtpd_client_connection_rate_limit">&</a>;g
-+	s;[\[{(<]smtpd_client_restrictions[\]})>];<a href="postconf.5.html#smtpd_client_restrictions">&</a>;g
-+	s;[\[{(<]smtpd_data_restrictions[\]})>];<a href="postconf.5.html#smtpd_data_restrictions">&</a>;g
-+	s;[\[{(<]smtpd_delay_reject[\]})>];<a href="postconf.5.html#smtpd_delay_reject">&</a>;g
-+	s;[\[{(<]smtpd_error_sleep_time[\]})>];<a href="postconf.5.html#smtpd_error_sleep_time">&</a>;g
-+	s;[\[{(<]smtpd_etrn_restrictions[\]})>];<a href="postconf.5.html#smtpd_etrn_restrictions">&</a>;g
-+	s;[\[{(<]smtpd_expansion_filter[\]})>];<a href="postconf.5.html#smtpd_expansion_filter">&</a>;g
-+	s;[\[{(<]smtpd_hard_error_limit[\]})>];<a href="postconf.5.html#smtpd_hard_error_limit">&</a>;g
-+	s;[\[{(<]smtpd_helo_required[\]})>];<a href="postconf.5.html#smtpd_helo_required">&</a>;g
-+	s;[\[{(<]smtpd_helo_restrictions[\]})>];<a href="postconf.5.html#smtpd_helo_restrictions">&</a>;g
-+	s;[\[{(<]smtpd_history_flush_threshold[\]})>];<a href="postconf.5.html#smtpd_history_flush_threshold">&</a>;g
-+	s;[\[{(<]smtpd_junk_command_limit[\]})>];<a href="postconf.5.html#smtpd_junk_command_limit">&</a>;g
-+	s;[\[{(<]smtpd_noop_commands[\]})>];<a href="postconf.5.html#smtpd_noop_commands">&</a>;g
-+	s;[\[{(<]smtpd_null_access_lookup_key[\]})>];<a href="postconf.5.html#smtpd_null_access_lookup_key">&</a>;g
-+	s;[\[{(<]smtpd_recipient_overshoot_limit[\]})>];<a href="postconf.5.html#smtpd_recipient_overshoot_limit">&</a>;g
-+	s;[\[{(<]smtpd_policy_service_max_idle[\]})>];<a href="postconf.5.html#smtpd_policy_service_max_idle">&</a>;g
-+	s;[\[{(<]smtpd_policy_service_max_ttl[\]})>];<a href="postconf.5.html#smtpd_policy_service_max_ttl">&</a>;g
-+	s;[\[{(<]smtpd_policy_service_timeout[\]})>];<a href="postconf.5.html#smtpd_policy_service_timeout">&</a>;g
-+	s;[\[{(<]smtpd_proxy_ehlo[\]})>];<a href="postconf.5.html#smtpd_proxy_ehlo">&</a>;g
-+	s;[\[{(<]smtpd_proxy_filter[\]})>];<a href="postconf.5.html#smtpd_proxy_filter">&</a>;g
-+	s;[\[{(<]smtpd_proxy_timeout[\]})>];<a href="postconf.5.html#smtpd_proxy_timeout">&</a>;g
-+	s;[\[{(<]smtpd_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#smtpd_recipient_limit">&</a>;g
-+	s;[\[{(<]smtpd_recip[-</bB>]*\n* *[<bB>]*ient_restrictions[\]})>];<a href="postconf.5.html#smtpd_recipient_restrictions">&</a>;g
-+	s;[\[{(<]smtpd_reject_unlisted_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#smtpd_reject_unlisted_recipient">&</a>;g
-+	s;[\[{(<]smtpd_reject_unlisted_sender[\]})>];<a href="postconf.5.html#smtpd_reject_unlisted_sender">&</a>;g
-+	s;[\[{(<]smtpd_restriction_classes[\]})>];<a href="postconf.5.html#smtpd_restriction_classes">&</a>;g
-+	s;[\[{(<]smtpd_sasl_application_name[\]})>];<a href="postconf.5.html#smtpd_sasl_application_name">&</a>;g
-+	s;[\[{(<]smtpd_sasl_auth_enable[\]})>];<a href="postconf.5.html#smtpd_sasl_auth_enable">&</a>;g
-+	s;[\[{(<]smtpd_sasl_exceptions_networks[\]})>];<a href="postconf.5.html#smtpd_sasl_exceptions_networks">&</a>;g
-+	s;[\[{(<]smtpd_sasl_local_domain[\]})>];<a href="postconf.5.html#smtpd_sasl_local_domain">&</a>;g
-+	s;[\[{(<]smtpd_sasl_security_options[\]})>];<a href="postconf.5.html#smtpd_sasl_security_options">&</a>;g
-+	s;[\[{(<]smtpd_sender_login_maps[\]})>];<a href="postconf.5.html#smtpd_sender_login_maps">&</a>;g
-+	s;[\[{(<]smtpd_sender_restrictions[\]})>];<a href="postconf.5.html#smtpd_sender_restrictions">&</a>;g
-+	s;[\[{(<]smtpd_soft_error_limit[\]})>];<a href="postconf.5.html#smtpd_soft_error_limit">&</a>;g
-+	s;[\[{(<]smtpd_timeout[\]})>];<a href="postconf.5.html#smtpd_timeout">&</a>;g
-+	s;[\[{(<]soft_bounce[\]})>];<a href="postconf.5.html#soft_bounce">&</a>;g
-+	s;[\[{(<]stale_lock_time[\]})>];<a href="postconf.5.html#stale_lock_time">&</a>;g
-+	s;[\[{(<]strict_7bit_headers[\]})>];<a href="postconf.5.html#strict_7bit_headers">&</a>;g
-+	s;[\[{(<]strict_8bitmime[\]})>];<a href="postconf.5.html#strict_8bitmime">&</a>;g
-+	s;[\[{(<]strict_8bitmime_body[\]})>];<a href="postconf.5.html#strict_8bitmime_body">&</a>;g
-+	s;[\[{(<]strict_mime_encoding_domain[\]})>];<a href="postconf.5.html#strict_mime_encoding_domain">&</a>;g
-+	s;[\[{(<]strict_rfc821_envelopes[\]})>];<a href="postconf.5.html#strict_rfc821_envelopes">&</a>;g
-+	s;[\[{(<]sun_mailtool_compatibility[\]})>];<a href="postconf.5.html#sun_mailtool_compatibility">&</a>;g
-+	s;[\[{(<]swap_bangpath[\]})>];<a href="postconf.5.html#swap_bangpath">&</a>;g
-+	s;[\[{(<]syslog_facility[\]})>];<a href="postconf.5.html#syslog_facility">&</a>;g
-+	s;[\[{(<]syslog_name[\]})>];<a href="postconf.5.html#syslog_name">&</a>;g
-+	s;[\[{(<]trace_service_name[\]})>];<a href="postconf.5.html#trace_service_name">&</a>;g
-+	s;[\[{(<]transport_maps[\]})>];<a href="postconf.5.html#transport_maps">&</a>;g
-+	s;[\[{(<]transport_retry_time[\]})>];<a href="postconf.5.html#transport_retry_time">&</a>;g
-+	s;[\[{(<]trigger_timeout[\]})>];<a href="postconf.5.html#trigger_timeout">&</a>;g
-+	s;[\[{(<]undisclosed_recip[-</bB>]*\n* *[<bB>]*ients_header[\]})>];<a href="postconf.5.html#undisclosed_recipients_header">&</a>;g
-+	s;[\[{(<]unknown_address_reject_code[\]})>];<a href="postconf.5.html#unknown_address_reject_code">&</a>;g
-+	s;[\[{(<]unknown_client_reject_code[\]})>];<a href="postconf.5.html#unknown_client_reject_code">&</a>;g
-+	s;[\[{(<]unknown_hostname_reject_code[\]})>];<a href="postconf.5.html#unknown_hostname_reject_code">&</a>;g
-+	s;[\[{(<]unknown_local_recip[-</bB>]*\n* *[<bB>]*ient_reject_code[\]})>];<a href="postconf.5.html#unknown_local_recipient_reject_code">&</a>;g
-+	s;[\[{(<]unknown_relay_recipi[-</bB>]*\n*[ <bB>]*ent_reject_code[\]})>];<a href="postconf.5.html#unknown_relay_recipient_reject_code">&</a>;g
-+	s;[\[{(<]unknown_virtual_alias_reject_code[\]})>];<a href="postconf.5.html#unknown_virtual_alias_reject_code">&</a>;g
-+	s;[\[{(<]unknown_virtual_mail[-</bB>]*\n* *[<bB>]*box_reject_code[\]})>];<a href="postconf.5.html#unknown_virtual_mailbox_reject_code">&</a>;g
-+	s;[\[{(<]unverified_recip[-</bB>]*\n* *[<bB>]*ient_reject_code[\]})>];<a href="postconf.5.html#unverified_recipient_reject_code">&</a>;g
-+	s;[\[{(<]unverified_sender_reject_code[\]})>];<a href="postconf.5.html#unverified_sender_reject_code">&</a>;g
-+	s;[\[{(<]verp_delimiter_filter[\]})>];<a href="postconf.5.html#verp_delimiter_filter">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_alias_domains[\]})>];<a href="postconf.5.html#virtual_alias_domains">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_alias_expansion_limit[\]})>];<a href="postconf.5.html#virtual_alias_expansion_limit">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_alias_maps[\]})>];<a href="postconf.5.html#virtual_alias_maps">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_maps[\]})>];<a href="postconf.5.html#virtual_maps">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_alias_recursion_limit[\]})>];<a href="postconf.5.html#virtual_alias_recursion_limit">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_gid_maps[\]})>];<a href="postconf.5.html#virtual_gid_maps">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_base[\]})>];<a href="postconf.5.html#virtual_mailbox_base">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_domains[\]})>];<a href="postconf.5.html#virtual_mailbox_domains">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_limit[\]})>];<a href="postconf.5.html#virtual_mailbox_limit">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_lock[\]})>];<a href="postconf.5.html#virtual_mailbox_lock">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_maps[\]})>];<a href="postconf.5.html#virtual_mailbox_maps">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_minimum_uid[\]})>];<a href="postconf.5.html#virtual_minimum_uid">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_transport[\]})>];<a href="postconf.5.html#virtual_transport">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_uid_maps[\]})>];<a href="postconf.5.html#virtual_uid_maps">&</a>;g
- 
- 	# Undo hyperlinks of manual pages with the same name as parameters.
- 
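Review bot: the trailing set `[\]})>]` that every added line in this hunk ends with (e.g. `default_process_limit[\]})>]`) does not parse the way it reads: in a POSIX bracket expression a backslash is an ordinary character and `]` closes the set unless it is the first member, so `[\]` matches only a backslash and the remaining `})>]` must then appear literally. None of these substitutions can match a real parameter name, which makes the whole block dead code. Put the bracket first (`[]})>]`) if the intent is "one of ] } ) >". The leading set `[\[{(<]` has the related problem that it also admits a literal backslash and, unlike the `[[:<:]]` it replaces, both requires and consumes a character: a parameter name at the start of a line or after a space is no longer hyperlinked, and where it does match, `&` drags the delimiter into the `<a>` text. On GNU sed the drop-in equivalent of `[[:<:]]name[[:>:]]` is `\<name\>`, which keeps the zero-width behaviour.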
-@@ -424,7 +424,7 @@
- 	s/[<bB>]*pickup[</bB>]*(8)/<a href="pickup.8.html">&<\/a>/g
- 	s/[<bB>]*pipe[</bB>]*(8)/<a href="pipe.8.html">&<\/a>/g
- 	s/[<bB>]*oqmgr[</bB>]*(8)/<a href="qmgr.8.html">&<\/a>/g
--	s/[<bB>]*[[:<:]]qmgr[</bB>]*(8)/<a href="qmgr.8.html">&<\/a>/g
-+	s/[<bB>]*[\[{(<]qmgr[</bB>]*(8)/<a href="qmgr.8.html">&<\/a>/g
- 	s/[<bB>]*qmqpd[</bB>]*(8)/<a href="qmqpd.8.html">&<\/a>/g
- 	s/[<bB>]*showq[</bB>]*(8)/<a href="showq.8.html">&<\/a>/g
- 	s/[<bB>]*smtp[</bB>]*(8)/<a href="smtp.8.html">&<\/a>/g
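Review bot: `s/[<bB>]*[\[{(<]qmgr[</bB>]*(8)/` regresses the common case. With `[[:<:]]` the rule linked any `qmgr(8)` that begins a word while still skipping the `oqmgr(8)` handled one line above; now one of `[`, `{`, `(`, `<` or a backslash must immediately precede `qmgr`, and because `[<bB>]*` swallows the whole `<b>` tag, neither `<b>qmgr</b>(8)` nor a plain ` qmgr(8)` after whitespace is hyperlinked any more. Either use `\<qmgr` (GNU sed) or capture the preceding non-`o` character and write it back with `\1` so the boundary check stays without eating input.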
-@@ -475,9 +475,9 @@
- 
- 	# Hyperlink README document names
- 
--	s/[[:<:]][A-Z_]*_README[[:>:]]/<a href="&.html">&<\/a>/g
--	s/[[:<:]]INSTALL[[:>:]]/<a href="&.html">&<\/a>/g
--	s/[[:<:]]OVERVIEW[[:>:]]/<a href="&.html">&<\/a>/g
-+	s/[\[{(<][A-Z_]*_README[\]})>]/<a href="&.html">&<\/a>/g
-+	s/[\[{(<]INSTALL[\]})>]/<a href="&.html">&<\/a>/g
-+	s/[\[{(<]OVERVIEW[\]})>]/<a href="&.html">&<\/a>/g
- 	s/"type:table"/"<a href="DATABASE_README.html">type:table<\/a>"/g
- 
- 	# Split manual page hyperlinks across newlines
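Review bot: the three README rules now corrupt the links they do produce. `&` is the whole match, delimiters included, so `(TLS_README)` turns into `<a href="(TLS_README).html">(TLS_README)</a>`, a href that names no file; `INSTALL` and `OVERVIEW` get the same treatment. The match condition is also wrong in both directions: a bare `TLS_README` after a space or at line end no longer matches at all, and the trailing `[\]})>]` set has the bracket-parsing problem (backslash literal, the first `]` closes the set), so in practice nothing matches. Capture the name on its own, `\([\[{(<]\)\([A-Z_]*_README\)\([]})>]\)`, and use `\2` in the href while re-emitting the delimiters with `\1` and `\3`, the same `\1`/`\2`/`\3` style this script already uses for `reject_authenticated_sender_login_mismatch` in the next hunk.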
-@@ -486,61 +486,61 @@
- 
- 	# Access restrictions - generic
- 
--	s;[[:<:]]check_policy_service[[:>:]];<a href="postconf.5.html#check_policy_service">&</a>;g
--	s;[[:<:]]defer_if_permit[[:>:]];<a href="postconf.5.html#defer_if_permit">&</a>;g
--	s;[[:<:]]defer_if_reject[[:>:]];<a href="postconf.5.html#defer_if_reject">&</a>;g
--	s;[[:<:]]reject_multi_recip[-</bB>]*\n* *[<bB>]*ient_bounce[[:>:]];<a href="postconf.5.html#reject_multi_recipient_bounce">&</a>;g
--	s;[[:<:]]reject_unauth_pipelining[[:>:]];<a href="postconf.5.html#reject_unauth_pipelining">&</a>;g
--	s;[[:<:]]warn_if_reject[[:>:]];<a href="postconf.5.html#warn_if_reject">&</a>;g
-+	s;[\[{(<]check_policy_service[\]})>];<a href="postconf.5.html#check_policy_service">&</a>;g
-+	s;[\[{(<]defer_if_permit[\]})>];<a href="postconf.5.html#defer_if_permit">&</a>;g
-+	s;[\[{(<]defer_if_reject[\]})>];<a href="postconf.5.html#defer_if_reject">&</a>;g
-+	s;[\[{(<]reject_multi_recip[-</bB>]*\n* *[<bB>]*ient_bounce[\]})>];<a href="postconf.5.html#reject_multi_recipient_bounce">&</a>;g
-+	s;[\[{(<]reject_unauth_pipelining[\]})>];<a href="postconf.5.html#reject_unauth_pipelining">&</a>;g
-+	s;[\[{(<]warn_if_reject[\]})>];<a href="postconf.5.html#warn_if_reject">&</a>;g
- 
- 	# Access restrictions - client
- 
--	s;[[:<:]]check_client_access[[:>:]];<a href="postconf.5.html#check_client_access">&</a>;g
--	s;[[:<:]]permit_mynetworks[[:>:]];<a href="postconf.5.html#permit_mynetworks">&</a>;g
--	s;[[:<:]]reject_unknown_client[[:>:]];<a href="postconf.5.html#reject_unknown_client">&</a>;g
--	s;[[:<:]]reject_rbl_client[[:>:]];<a href="postconf.5.html#reject_rbl_client">&</a>;g
--	s;[[:<:]]reject_rhsbl_client[[:>:]];<a href="postconf.5.html#reject_rhsbl_client">&</a>;g
-+	s;[\[{(<]check_client_access[\]})>];<a href="postconf.5.html#check_client_access">&</a>;g
-+	s;[\[{(<]permit_mynetworks[\]})>];<a href="postconf.5.html#permit_mynetworks">&</a>;g
-+	s;[\[{(<]reject_unknown_client[\]})>];<a href="postconf.5.html#reject_unknown_client">&</a>;g
-+	s;[\[{(<]reject_rbl_client[\]})>];<a href="postconf.5.html#reject_rbl_client">&</a>;g
-+	s;[\[{(<]reject_rhsbl_client[\]})>];<a href="postconf.5.html#reject_rhsbl_client">&</a>;g
- 
- 	# Access restrictions - helo
- 
--	s;[[:<:]]check_helo_access[[:>:]];<a href="postconf.5.html#check_helo_access">&</a>;g
--	s;[[:<:]]reject_invalid_hostname[[:>:]];<a href="postconf.5.html#reject_invalid_hostname">&</a>;g
--	s;[[:<:]]reject_non_fqdn_hostname[[:>:]];<a href="postconf.5.html#reject_non_fqdn_hostname">&</a>;g
--	s;[[:<:]]reject_unknown_hostname[[:>:]];<a href="postconf.5.html#reject_unknown_hostname">&</a>;g
-+	s;[\[{(<]check_helo_access[\]})>];<a href="postconf.5.html#check_helo_access">&</a>;g
-+	s;[\[{(<]reject_invalid_hostname[\]})>];<a href="postconf.5.html#reject_invalid_hostname">&</a>;g
-+	s;[\[{(<]reject_non_fqdn_hostname[\]})>];<a href="postconf.5.html#reject_non_fqdn_hostname">&</a>;g
-+	s;[\[{(<]reject_unknown_hostname[\]})>];<a href="postconf.5.html#reject_unknown_hostname">&</a>;g
- 
- 	# Access restrictions - sender
- 
--	s;[[:<:]]check_sender_access[[:>:]];<a href="postconf.5.html#check_sender_access">&</a>;g
--	s;[[:<:]]\(reject_authenti\)\([-</bB>]*\n*[ <bB>]*\)\(cated_sender_login_mismatch\)[[:>:]];<a href="postconf.5.html#reject_authenticated_sender_login_mismatch">\1<\/a>\2<a href="postconf.5.html#reject_authenticated_sender_login_mismatch">\3</a>;g
--	s;[[:<:]]reject_non_fqdn_sender[[:>:]];<a href="postconf.5.html#reject_non_fqdn_sender">&</a>;g
--	s;[[:<:]]reject_rhsbl_sender[[:>:]];<a href="postconf.5.html#reject_rhsbl_sender">&</a>;g
--	s;[[:<:]]reject_sender_login_mis[-</bB>]*\n*[ <bB>]*match[[:>:]];<a href="postconf.5.html#reject_sender_login_mismatch">&</a>;g
--	s;[[:<:]]reject_unauthenticated_sender_login_mismatch[[:>:]];<a href="postconf.5.html#reject_unauthenticated_sender_login_mismatch">&</a>;g
--	s;[[:<:]]reject_unknown_sender_domain[[:>:]];<a href="postconf.5.html#reject_unknown_sender_domain">&</a>;g
--	s;[[:<:]]reject_unlisted_sender[[:>:]];<a href="postconf.5.html#reject_unlisted_sender">&</a>;g
--	s;[[:<:]]reject_unveri[-</bB>]*\n*[ <bB>]*fied_sender[[:>:]];<a href="postconf.5.html#reject_unverified_sender">&</a>;g
-+	s;[\[{(<]check_sender_access[\]})>];<a href="postconf.5.html#check_sender_access">&</a>;g
-+	s;[\[{(<]\(reject_authenti\)\([-</bB>]*\n*[ <bB>]*\)\(cated_sender_login_mismatch\)[\]})>];<a href="postconf.5.html#reject_authenticated_sender_login_mismatch">\1<\/a>\2<a href="postconf.5.html#reject_authenticated_sender_login_mismatch">\3</a>;g
-+	s;[\[{(<]reject_non_fqdn_sender[\]})>];<a href="postconf.5.html#reject_non_fqdn_sender">&</a>;g
-+	s;[\[{(<]reject_rhsbl_sender[\]})>];<a href="postconf.5.html#reject_rhsbl_sender">&</a>;g
-+	s;[\[{(<]reject_sender_login_mis[-</bB>]*\n*[ <bB>]*match[\]})>];<a href="postconf.5.html#reject_sender_login_mismatch">&</a>;g
-+	s;[\[{(<]reject_unauthenticated_sender_login_mismatch[\]})>];<a href="postconf.5.html#reject_unauthenticated_sender_login_mismatch">&</a>;g
-+	s;[\[{(<]reject_unknown_sender_domain[\]})>];<a href="postconf.5.html#reject_unknown_sender_domain">&</a>;g
-+	s;[\[{(<]reject_unlisted_sender[\]})>];<a href="postconf.5.html#reject_unlisted_sender">&</a>;g
-+	s;[\[{(<]reject_unveri[-</bB>]*\n*[ <bB>]*fied_sender[\]})>];<a href="postconf.5.html#reject_unverified_sender">&</a>;g
- 
- 	# Access restrictions - recip[-</bB>]*\n* *[<bB>]*ient
- 
--	s;[[:<:]]check_recip[-</bB>]*\n* *[<bB>]*ient_access[[:>:]];<a href="postconf.5.html#check_recipient_access">&</a>;g
--	s;[[:<:]]check_recip[-</bB>]*\n* *[<bB>]*ient_mx_access[[:>:]];<a href="postconf.5.html#check_recipient_mx_access">&</a>;g
--	s;[[:<:]]check_recip[-</bB>]*\n* *[<bB>]*ient_ns_access[[:>:]];<a href="postconf.5.html#check_recipient_ns_access">&</a>;g
--	s;[[:<:]]permit_auth_destination[[:>:]];<a href="postconf.5.html#permit_auth_destination">&</a>;g
--	s;[[:<:]]permit_mx_backup[[:>:]];<a href="postconf.5.html#permit_mx_backup">&</a>;g
--	s;[[:<:]]reject_non_fqdn_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#reject_non_fqdn_recipient">&</a>;g
--	s;[[:<:]]reject_rhsbl_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#reject_rhsbl_recipient">&</a>;g
--	s;[[:<:]]reject_unauth_destination[[:>:]];<a href="postconf.5.html#reject_unauth_destination">&</a>;g
--	s;[[:<:]]reject_unknown_recipi[-</bB>]*\n*[ <bB>]*ent_domain[[:>:]];<a href="postconf.5.html#reject_unknown_recipient_domain">&</a>;g
--	s;[[:<:]]reject_unlisted_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#reject_unlisted_recipient">&</a>;g
--	s;[[:<:]]reject_unveri[-</bB>]*\n*[ <bB>]*fied_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#reject_unverified_recipient">&</a>;g
-+	s;[\[{(<]check_recip[-</bB>]*\n* *[<bB>]*ient_access[\]})>];<a href="postconf.5.html#check_recipient_access">&</a>;g
-+	s;[\[{(<]check_recip[-</bB>]*\n* *[<bB>]*ient_mx_access[\]})>];<a href="postconf.5.html#check_recipient_mx_access">&</a>;g
-+	s;[\[{(<]check_recip[-</bB>]*\n* *[<bB>]*ient_ns_access[\]})>];<a href="postconf.5.html#check_recipient_ns_access">&</a>;g
-+	s;[\[{(<]permit_auth_destination[\]})>];<a href="postconf.5.html#permit_auth_destination">&</a>;g
-+	s;[\[{(<]permit_mx_backup[\]})>];<a href="postconf.5.html#permit_mx_backup">&</a>;g
-+	s;[\[{(<]reject_non_fqdn_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#reject_non_fqdn_recipient">&</a>;g
-+	s;[\[{(<]reject_rhsbl_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#reject_rhsbl_recipient">&</a>;g
-+	s;[\[{(<]reject_unauth_destination[\]})>];<a href="postconf.5.html#reject_unauth_destination">&</a>;g
-+	s;[\[{(<]reject_unknown_recipi[-</bB>]*\n*[ <bB>]*ent_domain[\]})>];<a href="postconf.5.html#reject_unknown_recipient_domain">&</a>;g
-+	s;[\[{(<]reject_unlisted_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#reject_unlisted_recipient">&</a>;g
-+	s;[\[{(<]reject_unveri[-</bB>]*\n*[ <bB>]*fied_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#reject_unverified_recipient">&</a>;g
- 
- 	# Access restrictions - etrn
- 
--	s;[[:<:]]check_etrn_access[[:>:]];<a href="postconf.5.html#check_etrn_access">&</a>;g
-+	s;[\[{(<]check_etrn_access[\]})>];<a href="postconf.5.html#check_etrn_access">&</a>;g
- 
- 	# Split parameter or restriction hyperlinks across line breaks
- 
--	s/\(<a href="[^"]*">\)\([-a-z0-9_]*\)[[:>:]]\([-</bB>]*\n *[<bB>]*\)[[:<:]]\([-a-z0-9_]*\)\(<\/a>\)/\1\2\5\3\1\4\5/
-+	s/\(<a href="[^"]*">\)\([-a-z0-9_]*\)[\]})>]\([-</bB>]*\n *[<bB>]*\)[\[{(<]\([-a-z0-9_]*\)\(<\/a>\)/\1\2\5\3\1\4\5/
- 
- 	# Glue manual/parameter/restriction hyperlinks without line breaks.
- 
-@@ -551,7 +551,7 @@
- 
- 	s/\(http:\/\/[^ ,"()]*[^ ,"():;!?.]\)/<a href="\1">\1<\/a>/
- 	s/\(ftp:\/\/[^ ,"()]*[^ ,"():;!?.]\)/<a href="\1">\1<\/a>/
--	s/[[:<:]]RFC *\([1-9][0-9]*\)/<a href="http:\/\/www.faqs.org\/rfcs\/rfc\1.html">&<\/a>/
-+	s/[\[{(<]RFC *\([1-9][0-9]*\)/<a href="http:\/\/www.faqs.org\/rfcs\/rfc\1.html">&<\/a>/
- 
- 	# Hyperlink phrases not in headers.
- 
-@@ -572,32 +572,32 @@
- 	s/relay domains*/<a href="ADDRESS_CLASS_README.html#relay_domain_class">&<\/a>/
- 	s/default domains*/<a href="ADDRESS_CLASS_README.html#default_domain_class">&<\/a>/
- 	s/mydestination domains*/<a href="ADDRESS_CLASS_README.html#local_domain_class">&<\/a>/
--	s/[[:<:]]"*maildrop"* *queues*[[:>:]]/<a href="QSHAPE_README.html#maildrop_queue">&<\/a>/
--	s/[[:<:]]\("*maildrop"*\),/<a href="QSHAPE_README.html#maildrop_queue">\1<\/a>,/
--	s/[[:<:]]\("*incoming"*\) and[[:>:]]/<a href="QSHAPE_README.html#incoming_queue">\1<\/a> and/
--	s/[[:<:]]\("*incoming"*\) or[[:>:]]/<a href="QSHAPE_README.html#incoming_queue">\1<\/a> or/
--	s/[[:<:]]"*incoming"* *queues*[[:>:]]/<a href="QSHAPE_README.html#incoming_queue">&<\/a>/
--	s/<b> *incoming *<\/b> *queues*[[:>:]]/<a href="QSHAPE_README.html#incoming_queue">&<\/a>/
--	s/[[:<:]]"*active"* *queues*[[:>:]]/<a href="QSHAPE_README.html#active_queue">&<\/a>/
--	s/[[:<:]]"*deferred"* *queues*[[:>:]]/<a href="QSHAPE_README.html#deferred_queue">&<\/a>/
--	s/[[:<:]]"*hold"* *queues*[[:>:]]/<a href="QSHAPE_README.html#hold_queue">&<\/a>/
--	s/[[:<:]]\("*hold"*\),/<a href="QSHAPE_README.html#hold_queue">\1<\/a>,/
-+	s/[\[{(<]"*maildrop"* *queues*[\]})>]/<a href="QSHAPE_README.html#maildrop_queue">&<\/a>/
-+	s/[\[{(<]\("*maildrop"*\),/<a href="QSHAPE_README.html#maildrop_queue">\1<\/a>,/
-+	s/[\[{(<]\("*incoming"*\) and[\]})>]/<a href="QSHAPE_README.html#incoming_queue">\1<\/a> and/
-+	s/[\[{(<]\("*incoming"*\) or[\]})>]/<a href="QSHAPE_README.html#incoming_queue">\1<\/a> or/
-+	s/[\[{(<]"*incoming"* *queues*[\]})>]/<a href="QSHAPE_README.html#incoming_queue">&<\/a>/
-+	s/<b> *incoming *<\/b> *queues*[\]})>]/<a href="QSHAPE_README.html#incoming_queue">&<\/a>/
-+	s/[\[{(<]"*active"* *queues*[\]})>]/<a href="QSHAPE_README.html#active_queue">&<\/a>/
-+	s/[\[{(<]"*deferred"* *queues*[\]})>]/<a href="QSHAPE_README.html#deferred_queue">&<\/a>/
-+	s/[\[{(<]"*hold"* *queues*[\]})>]/<a href="QSHAPE_README.html#hold_queue">&<\/a>/
-+	s/[\[{(<]\("*hold"*\),/<a href="QSHAPE_README.html#hold_queue">\1<\/a>,/
- 
- 	# Hyperlink map types.
- 
--	s/[[:<:]]\(cidr\):/<a href="cidr_table.5.html">\1<\/a>:/g
--	s/[[:<:]]\(pcre\):/<a href="pcre_table.5.html">\1<\/a>:/g
--	s/[[:<:]]\(proxy\):/<a href="proxymap.8.html">\1<\/a>:/g
--	s/[[:<:]]\(pgsql\):/<a href="pgsql_table.5.html">\1<\/a>:/g
--	s/[[:<:]]\(mysql\):/<a href="mysql_table.5.html">\1<\/a>:/g
--	s/[[:<:]]\(ldap\):/<a href="ldap_table.5.html">\1<\/a>:/g
--	s/[[:<:]]\(regexp\):/<a href="regexp_table.5.html">\1<\/a>:/g
--	#s/[[:<:]]\(tcp\):/<a href="tcp_table.5.html">\1<\/a>:/g
-+	s/[\[{(<]\(cidr\):/<a href="cidr_table.5.html">\1<\/a>:/g
-+	s/[\[{(<]\(pcre\):/<a href="pcre_table.5.html">\1<\/a>:/g
-+	s/[\[{(<]\(proxy\):/<a href="proxymap.8.html">\1<\/a>:/g
-+	s/[\[{(<]\(pgsql\):/<a href="pgsql_table.5.html">\1<\/a>:/g
-+	s/[\[{(<]\(mysql\):/<a href="mysql_table.5.html">\1<\/a>:/g
-+	s/[\[{(<]\(ldap\):/<a href="ldap_table.5.html">\1<\/a>:/g
-+	s/[\[{(<]\(regexp\):/<a href="regexp_table.5.html">\1<\/a>:/g
-+	#s/[\[{(<]\(tcp\):/<a href="tcp_table.5.html">\1<\/a>:/g
- 
- 	# Do nice links for smtp:host:port etc.
- 
--	s/[[:<:]]\(error\):/<a href="error.8.html">\1<\/a>:/g
--	s/[[:<:]]\(smtp\):/<a href="smtp.8.html">\1<\/a>:/g
--	s/[[:<:]]\(lmtp\):/<a href="lmtp.8.html">\1<\/a>:/g
-+	s/[\[{(<]\(error\):/<a href="error.8.html">\1<\/a>:/g
-+	s/[\[{(<]\(smtp\):/<a href="smtp.8.html">\1<\/a>:/g
-+	s/[\[{(<]\(lmtp\):/<a href="lmtp.8.html">\1<\/a>:/g
- 
- ' "$@"
++  {
+   Again:
+     if (/-[<\/bB>]*$/) {
+ 	$_ .= "\n";
+@@ -20,6 +21,7 @@
+ 	chop if $len1 < length;
+ 	goto Again;
+     }
++  }
+     if (/<[Aa] *[HhNn][RrAa][EeMm][FfEe] *=/) {
+ 	print;
+ 	$printit = 0;
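Review bot: the removed rewrite of the BSD word-boundary atoms `[[:<:]]`/`[[:>:]]` into the bracket expressions `[\[{(<]`/`[\]})>]` was never equivalent, so dropping it is the right call: a bracket expression consumes one literal character instead of asserting a boundary, so a restriction name preceded by a space or tab (as in a `smtpd_recipient_restrictions = permit_mynetworks` line) was never hyperlinked, and the `RFC *\([1-9][0-9]*\)` rule required a bracket before `RFC`. If the replacement patch still needs a word boundary under GNU sed, `\b` (or `\<`/`\>`) is the GNU spelling. For the added Perl brace pair `++  {` / `++  }` around the `Again:` label, a short comment on why the extra bare block is needed would help the next reader, since the label and the `goto Again` inside it are unchanged.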

Modified: postfix/trunk/debian/patches/10master.cf.dpatch
===================================================================
--- postfix/trunk/debian/patches/10master.cf.dpatch	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/patches/10master.cf.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -5,34 +5,42 @@
 ## DP: No description.
 
 @DPATCH@
-diff -urNad postfix-2.1.5/conf/master.cf /tmp/dpep.YcxBnZ/postfix-2.1.5/conf/master.cf
---- postfix-2.1.5/conf/master.cf	2004-12-27 22:02:52.864399960 -0700
-+++ /tmp/dpep.YcxBnZ/postfix-2.1.5/conf/master.cf	2004-12-27 22:19:03.606731307 -0700
-@@ -77,26 +77,26 @@
+diff -urNad --exclude=CVS --exclude=.svn ./conf/master.cf /tmp/dpep-work.FpuCe6/postfix--wietse--2.2--patch-8/conf/master.cf
+--- ./conf/master.cf	2005-11-09 13:42:38.000000000 -0700
++++ /tmp/dpep-work.FpuCe6/postfix--wietse--2.2--patch-8/conf/master.cf	2006-01-09 17:56:07.000000000 -0700
+@@ -6,41 +6,41 @@
  # service type  private unpriv  chroot  wakeup  maxproc command + args
  #               (yes)   (yes)   (yes)   (never) (100)
  # ==========================================================================
 -smtp      inet  n       -       n       -       -       smtpd
--#submission inet n      -       n       -       -       smtpd
+-#submission inet n       -       n       -       -       smtpd
 +smtp      inet  n       -       -       -       -       smtpd
-+#submission inet n      -       -       -       -       smtpd
- #	-o smtpd_etrn_restrictions=reject
++#submission inet n       -       -       -       -       smtpd
+ #  -o smtpd_enforce_tls=yes
+ #  -o smtpd_sasl_auth_enable=yes
+ #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+-#smtps     inet  n       -       n       -       -       smtpd
++#smtps     inet  n       -       -       -       -       smtpd
+ #  -o smtpd_tls_wrappermode=yes
+ #  -o smtpd_sasl_auth_enable=yes
+ #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -#628      inet  n       -       n       -       -       qmqpd
 -pickup    fifo  n       -       n       60      1       pickup
 -cleanup   unix  n       -       n       -       0       cleanup
--qmgr      fifo  n       -       n       300     1       qmgr
++#628      inet  n       -       -       -       -       qmqpd
++pickup    fifo  n       -       -       60      1       pickup
++cleanup   unix  n       -       -       -       0       cleanup
+ qmgr      fifo  n       -       n       300     1       qmgr
 -#qmgr     fifo  n       -       n       300     1       oqmgr
+-tlsmgr    unix  -       -       n       1000?   1       tlsmgr
 -rewrite   unix  -       -       n       -       -       trivial-rewrite
 -bounce    unix  -       -       n       -       0       bounce
 -defer     unix  -       -       n       -       0       bounce
 -trace     unix  -       -       n       -       0       bounce
 -verify    unix  -       -       n       -       1       verify
 -flush     unix  n       -       n       1000?   0       flush
-+#628      inet  n       -       -       -       -       qmqpd
-+pickup    fifo  n       -       -       60      1       pickup
-+cleanup   unix  n       -       -       -       0       cleanup
-+qmgr      fifo  n       -       -       300     1       qmgr
 +#qmgr     fifo  n       -       -       300     1       oqmgr
++tlsmgr    unix  -       -       -       1000?   1       tlsmgr
 +rewrite   unix  -       -       -       -       -       trivial-rewrite
 +bounce    unix  -       -       -       -       0       bounce
 +defer     unix  -       -       -       -       0       bounce
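Review bot: the chroot column for qmgr changes back from `-` (chrooted, in the removed `-+qmgr      fifo  n       -       -       300     1       qmgr` line) to upstream's `n` (the kept context line ` qmgr      fifo  n       -       n       300     1       qmgr`), while the commented `#qmgr ... oqmgr` alternative two lines below still carries `-`; an operator who switches to oqmgr by uncommenting it would silently start the queue manager chrooted. Give both lines the same chroot setting or say why they differ. Also, tlsmgr is now chrooted (`++tlsmgr    unix  -       -       -       1000?   1       tlsmgr`); that only works if every path tlsmgr opens at run time lives under the queue directory, which the `${queue_directory}/prng_exch` default in 10tls.dpatch addresses for the PRNG exchange file, so `tls_random_source` and the session cache databases should be checked the same way. Since the file header still reads `## DP: No description.`, a one-line summary of the chroot policy (which daemons are chrooted, and that local, virtual and the pipe transports must not be) belongs there.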
@@ -41,21 +49,34 @@
 +flush     unix  n       -       -       1000?   0       flush
  proxymap  unix  -       -       n       -       -       proxymap
 -smtp      unix  -       -       n       -       -       smtp
++smtp      unix  -       -       -       -       -       smtp
+ # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
 -relay     unix  -       -       n       -       -       smtp
-+smtp      unix  -       -       -       -       -       smtp
 +relay     unix  -       -       -       -       -       smtp
+ 	-o fallback_relay=
  #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
 -showq     unix  n       -       n       -       -       showq
 -error     unix  -       -       n       -       -       error
+-discard   unix  -       -       n       -       -       discard
 +showq     unix  n       -       -       -       -       showq
 +error     unix  -       -       -       -       -       error
++discard   unix  -       -       -       -       -       discard
  local     unix  -       n       n       -       -       local
  virtual   unix  -       n       n       -       -       virtual
- lmtp      unix  -       -       n       -       -       lmtp
-@@ -109,18 +109,16 @@
+-lmtp      unix  -       -       n       -       -       lmtp
+-anvil     unix  -       -       n       -       1       anvil
+-scache	  unix	-	-	n	-	1	scache
++lmtp      unix  -       -       -       -       -       lmtp
++anvil     unix  -       -       -       -       1       anvil
++scache	  unix	-	-	-	-	1	scache
  #
+ # ====================================================================
+ # Interfaces to non-Postfix software. Be sure to examine the manual
+@@ -55,16 +55,7 @@
+ # Also specify in main.cf: maildrop_destination_recipient_limit=1
+ #
  maildrop  unix  -       n       n       -       -       pipe
-   flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
+-  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
 -#
 -# The Cyrus deliver program has changed incompatibly, multiple times.
 -#
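Review bot: the maildrop transport loses its `flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}` continuation line in this hunk and only regains one (with `/usr/bin/maildrop`) in the next hunk; the net result is fine, but check the applied master.cf rather than the diff to confirm the `maildrop` service line is still directly followed by its continuation line, because a pipe service with no `argv=` attribute is only reported when pipe(8) handles a delivery, not when master starts. The chroot flips for smtp, relay, discard, lmtp, anvil and scache are consistent with the first hunk, and `local` and `virtual` correctly stay at `n`.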
@@ -65,17 +86,19 @@
 -# Also specify in main.cf: cyrus_destination_recipient_limit=1
 -cyrus     unix  -       n       n       -       -       pipe
 -  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
- uucp      unix  -       n       n       -       -       pipe
-   flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
++  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+ #
+ # See the Postfix UUCP_README file for configuration details.
+ #
+@@ -76,4 +67,10 @@
  ifmail    unix  -       n       n       -       -       pipe
    flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
  bsmtp     unix  -       n       n       -       -       pipe
 -  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
-+  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$nexthop -f$sender $recipient
++  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
 +scalemail-backend unix	-	n	n	-	2	pipe
 +  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
++mailman   unix  -       n       n       -       -       pipe
++  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
++  ${nexthop} ${user}
 +
-+# only used by postfix-tls
-+#tlsmgr	  fifo	-	-	n	300	1	tlsmgr
-+#smtps	  inet	n	-	n	-	-	smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
-+#587	  inet	n	-	n	-	-	smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
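Review bot: the bsmtp transport drops the `-d` flag (`argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient` replaces the `-d -t$nexthop` form) and a new `mailman` pipe transport is added that runs `/usr/lib/mailman/bin/postfix-to-mailman.py` as `user=list` with `flags=FR`; neither change is explained and the file header still reads `## DP: No description.`. Two points on the mailman entry: its argv continues on the `++  ${nexthop} ${user}` line, which master.cf accepts only because it starts with whitespace, so keep that indentation; and since `${nexthop}` and `${user}` are derived from the recipient address, the transport should be reachable only through an explicit `transport_maps` entry for the list domains rather than as a catch-all. The removed `# only used by postfix-tls` block (`tlsmgr`, `smtps`, `587`) is superseded by the `tlsmgr` entry and the commented `submission`/`smtps` entries in the first hunk.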

Added: postfix/trunk/debian/patches/10myorigin.dpatch
===================================================================
--- postfix/trunk/debian/patches/10myorigin.dpatch	                        (rev 0)
+++ postfix/trunk/debian/patches/10myorigin.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -0,0 +1,73 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10myorigin.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Allow myorigin to be /path/to/file
+
+ at DPATCH@
+diff -urNad postfix~/src/global/mail_params.c postfix/src/global/mail_params.c
+--- postfix~/src/global/mail_params.c	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/global/mail_params.c	2006-10-18 10:39:22.000000000 -0600
+@@ -157,6 +157,8 @@
+ #include <valid_hostname.h>
+ #include <stringops.h>
+ #include <safe.h>
++#include <safe_open.h>
++#include <mymalloc.h>
+ #ifdef HAS_DB
+ #include <dict_db.h>
+ #endif
+@@ -433,6 +435,40 @@
+ 		  (long) var_sgid_gid);
+ }
+ 
++static char *read_file(const char *name)
++{
++    char *ret;
++    VSTRING *why=vstring_alloc(1);
++    VSTRING *new_name=vstring_alloc(1);
++    VSTREAM *vp=safe_open(name, O_RDONLY, 0, NULL, -1, -1, why);
++
++    /*
++     * Ugly macros to make complex expressions less unreadable.
++     */
++#define SKIP(start, var, cond) \
++	for (var = start; *var && (cond); var++);
++
++#define TRIM(s) { \
++	char *p; \
++	for (p = (s) + strlen(s); p > (s) && ISSPACE(p[-1]); p--); \
++	*p = 0; \
++    }
++
++    if (!vp) {
++	msg_fatal("%s: unable to open: %s",name,vstring_str(why));
++    }
++    vstring_get_nonl(new_name,vp);
++    vstream_fclose(vp);
++    SKIP(vstring_str(new_name),ret,ISSPACE(*ret));
++    ret=mystrdup(ret);
++    if (*ret) {	/* empty strings are shared */
++	TRIM(ret);
++    }
++    vstring_free(why);
++    vstring_free(new_name);
++    return ret;
++}
++
+ /* mail_params_init - configure built-in parameters */
+ 
+ void    mail_params_init()
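Review bot: `read_file()` reads only the first line of the file (`vstring_get_nonl`) and trims whitespace, but never checks that the result looks like a domain; because it becomes `myorigin`, which is appended to every unqualified sender and recipient address, a stray comment line or an unexpected value in the file is accepted silently. A `valid_hostname()` check with `msg_fatal()` on failure would make the failure explicit, and `#include <valid_hostname.h>` is already present a few lines above. Two smaller points: `safe_open(name, O_RDONLY, 0, NULL, -1, -1, why)` passes `-1` for both owner uid and gid, so the symlink checks apply but no ownership is enforced; acceptable for a path taken from main.cf, but worth a comment. And the `SKIP`/`TRIM` macros stay defined after the function; an `#undef` keeps them from leaking into the rest of mail_params.c.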
+@@ -584,6 +620,12 @@
+      * Variables that are needed by almost every program.
+      */
+     get_mail_conf_str_table(other_str_defaults);
++    if (*var_myorigin=='/') {
++	char *origin=read_file(var_myorigin);
++	if (!origin || !*origin)
++	    msg_fatal("myorigin file %s is empty",var_myorigin);
++	var_myorigin=origin;
++    }
+     get_mail_conf_int_table(other_int_defaults);
+     get_mail_conf_bool_table(bool_defaults);
+     get_mail_conf_time_table(time_defaults);
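Review bot: the `!origin` half of `if (!origin || !*origin)` is dead, because `read_file()` calls `msg_fatal()` rather than returning NULL when the file cannot be opened; that is harmless, but both failure modes are fatal for every Postfix program that calls `mail_params_init()`, including `postconf` and `postdrop`, so the description line `## DP: Allow myorigin to be /path/to/file` should say what happens when the file is absent so the packaging scripts can create it before first start. The assignment `var_myorigin=origin` also overwrites the string previously stored by `get_mail_conf_str_table()` without freeing it; a one-off leak, but a `myfree()` first (the `mymalloc.h` include is now there) keeps it clean.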

Added: postfix/trunk/debian/patches/10postfix-script.dpatch
===================================================================
--- postfix/trunk/debian/patches/10postfix-script.dpatch	                        (rev 0)
+++ postfix/trunk/debian/patches/10postfix-script.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -0,0 +1,88 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## postfix-script2.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad --exclude=CVS --exclude=.svn ./conf/postfix-script /tmp/dpep-work.gXE1m7/postfix/conf/postfix-script
+--- ./conf/postfix-script	2005-04-14 10:14:16.000000000 -0600
++++ /tmp/dpep-work.gXE1m7/postfix/conf/postfix-script	2006-01-18 23:21:34.000000000 -0700
+@@ -42,6 +42,13 @@
+ FATAL="$LOGGER -p fatal"
+ PANIC="$LOGGER -p panic"
+ 
++if [ "X${1#quiet-}" != "X${1}" ]; then
++    INFO=:
++    x=${1#quiet-}
++    shift
++    set -- $x "$@"
++fi
++
+ umask 022
+ SHELL=/bin/sh
+ 
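Review bot: `set -- $x "$@"` leaves `$x` unquoted; it cannot contain whitespace when derived from `quiet-start` and similar, but `set -- "$x" "$@"` costs nothing and prevents word splitting or glob expansion if the script is ever invoked with an unexpected first argument.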
+@@ -84,6 +91,20 @@
+ 	echo "Stop postfix"
+ 	;;
+ 
++quick-start)
++
++	$daemon_directory/master -t 2>/dev/null || {
++		$FATAL the Postfix mail system is already running
++		exit 1
++	}
++	$config_directory/postfix-script quick-check || {
++		$FATAL Postfix integrity check failed!
++		exit 1
++	}
++	$INFO starting the Postfix mail system
++	$daemon_directory/master &
++	;;
++
+ start)
+ 
+ 	$daemon_directory/master -t 2>/dev/null || {
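Review bot: `quick-start` is `start` minus the `check-fatal` work, so it skips the queue-file placement scan that the comment at the end of this patch describes as slow; that trade-off, and who is meant to call it (the init script) so that `postfix start` remains the thorough path, should be stated in the file header, which still reads `## DP: No description.`. The `$INFO starting the Postfix mail system` line is copied verbatim from `start`; a distinct wording would let logs show which path was taken.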
+@@ -125,7 +146,7 @@
+ 
+ 	$daemon_directory/master -t 2>/dev/null && {
+ 		$FATAL the Postfix mail system is not running
+-		exit 1
++		exit 0
+ 	}
+ 	$INFO stopping the Postfix mail system
+ 	kill `sed 1q pid/master.pid`
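Review bot: changing `exit 1` to `exit 0` when `stop` finds no running master makes the command idempotent for init scripts, but any caller that relied on the non-zero status to detect a stopped instance now sees success, and the `$FATAL the Postfix mail system is not running` message is still logged at fatal priority for a condition that now returns 0. The same applies to the `abort` hunk below; consider logging through `$WARN` or `$INFO` when returning success.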
+@@ -135,7 +156,7 @@
+ 
+ 	$daemon_directory/master -t 2>/dev/null && {
+ 		$FATAL the Postfix mail system is not running
+-		exit 1
++		exit 0
+ 	}
+ 	$INFO aborting the Postfix mail system
+ 	kill `sed 1q pid/master.pid`
+@@ -169,9 +190,7 @@
+ 	exit 0
+ 	;;
+ 
+-check-fatal)
+-	# This command is NOT part of the public interface.
+-
++quick-check)
+ 	$SHELL $config_directory/post-install create-missing || {
+ 		$WARN unable to create missing queue directories
+ 		exit 1
+@@ -183,6 +202,13 @@
+ 		$FATAL no $config_directory/master.cf file found
+ 		exit 1
+ 	}
++	exit 0
++	;;
++
++check-fatal)
++	# This command is NOT part of the public interface.
++
++	$config_directory/postfix-script quick-check
+ 
+ 	# See if all queue files are in the right place. This is slow.
+ 	# We must scan all queues for mis-named queue files before the
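Review bot: `check-fatal` now delegates to `$config_directory/postfix-script quick-check` but ignores its exit status: `quick-check` runs as a child process, so its `exit 1` on a missing `master.cf` or on failure to create queue directories no longer stops `check-fatal`, which proceeds to the queue scan as if those checks had passed. Add `|| exit 1`, the pattern used in `quick-start` above (`$config_directory/postfix-script quick-check || { ... }`), or move the checks back inline.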

Modified: postfix/trunk/debian/patches/10rmail.dpatch
===================================================================
--- postfix/trunk/debian/patches/10rmail.dpatch	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/patches/10rmail.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -5,25 +5,20 @@
 ## DP: No description.
 
 @DPATCH@
-diff -urNad postfix-2.1.5/Makefile.in /tmp/dpep.5gIPzk/postfix-2.1.5/Makefile.in
---- postfix-2.1.5/Makefile.in	2004-12-27 22:02:52.848403399 -0700
-+++ /tmp/dpep.5gIPzk/postfix-2.1.5/Makefile.in	2004-12-27 22:19:13.392627752 -0700
-@@ -1,10 +1,11 @@
- SHELL	= /bin/sh
- WARN    = -Wmissing-prototypes -Wformat
--OPTS	= 'CC=$(CC)'
-+OPTS	= "CC=$(CC)"
- DIRS	= src/util src/global src/dns src/master src/postfix src/smtpstone \
- 	src/sendmail src/error src/pickup src/cleanup src/smtpd src/local \
- 	src/lmtp src/trivial-rewrite src/qmgr src/oqmgr src/smtp src/bounce \
+diff -urNad debian-2.2/Makefile.in /tmp/dpep.a1Cna5/debian-2.2/Makefile.in
+--- debian-2.2/Makefile.in	2005-04-14 10:14:15.671108333 -0600
++++ /tmp/dpep.a1Cna5/debian-2.2/Makefile.in	2005-04-14 10:44:57.466696469 -0600
+@@ -7,6 +7,7 @@
  	src/pipe src/showq src/postalias src/postcat src/postconf src/postdrop \
-+	rmail \
  	src/postkick src/postlock src/postlog src/postmap src/postqueue \
  	src/postsuper src/qmqpd src/spawn src/flush src/verify \
- 	src/virtual src/proxymap
-diff -urNad postfix-2.1.5/rmail/LICENSE /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/LICENSE
---- postfix-2.1.5/rmail/LICENSE	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/LICENSE	2004-12-27 22:19:13.392627752 -0700
++	rmail \
+ 	src/virtual src/proxymap src/anvil src/scache src/discard src/tlsmgr
+ MANDIRS	= proto man html
+ 
+diff -urNad debian-2.2/rmail/LICENSE /tmp/dpep.a1Cna5/debian-2.2/rmail/LICENSE
+--- debian-2.2/rmail/LICENSE	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.a1Cna5/debian-2.2/rmail/LICENSE	2005-04-14 10:44:57.466696469 -0600
 @@ -0,0 +1,79 @@
 +			     SENDMAIL LICENSE
 +
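Review bot: rebasing onto debian-2.2 drops the `-OPTS	= 'CC=$(CC)'` / `+OPTS	= "CC=$(CC)"` quoting change from the Makefile.in hunk without saying whether it is no longer needed or moved elsewhere; if the 2.2 Makefile.in already uses double quotes, a line in the header saying so would save the next rebase from re-adding it. The `rmail \` entry is inserted into DIRS in both versions, so the build-side effect is unchanged.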
@@ -104,9 +99,9 @@
 +   THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
 +
 +$Revision: 1.1.2.1 $, Last updated $Date: 2004/12/28 05:34:15 $
-diff -urNad postfix-2.1.5/rmail/Makefile.in /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/Makefile.in
---- postfix-2.1.5/rmail/Makefile.in	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/Makefile.in	2004-12-27 22:19:13.392627752 -0700
+diff -urNad debian-2.2/rmail/Makefile.in /tmp/dpep.a1Cna5/debian-2.2/rmail/Makefile.in
+--- debian-2.2/rmail/Makefile.in	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.a1Cna5/debian-2.2/rmail/Makefile.in	2005-04-14 10:44:57.467695793 -0600
 @@ -0,0 +1,56 @@
 +SHELL	= /bin/sh
 +SRCS	= rmail.c
@@ -164,9 +159,9 @@
 +
 +# do not edit below this line - it is generated by 'make depend'
 +rmail.o: rmail.c
-diff -urNad postfix-2.1.5/rmail/rmail.8 /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/rmail.8
---- postfix-2.1.5/rmail/rmail.8	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/rmail.8	2004-12-27 22:19:13.393627537 -0700
+diff -urNad debian-2.2/rmail/rmail.8 /tmp/dpep.a1Cna5/debian-2.2/rmail/rmail.8
+--- debian-2.2/rmail/rmail.8	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.a1Cna5/debian-2.2/rmail/rmail.8	2005-04-14 10:44:57.467695793 -0600
 @@ -0,0 +1,49 @@
 +.\" Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers.
 +.\"	 All rights reserved.
@@ -217,9 +212,9 @@
 +.B Rmail
 +should not reside in 
 +/bin.
-diff -urNad postfix-2.1.5/rmail/rmail.c /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/rmail.c
---- postfix-2.1.5/rmail/rmail.c	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/rmail.c	2004-12-27 22:19:13.393627537 -0700
+diff -urNad debian-2.2/rmail/rmail.c /tmp/dpep.a1Cna5/debian-2.2/rmail/rmail.c
+--- debian-2.2/rmail/rmail.c	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.a1Cna5/debian-2.2/rmail/rmail.c	2005-04-14 10:44:57.468695117 -0600
 @@ -0,0 +1,475 @@
 +/*
 + * Copyright (c) 1998-2000 Sendmail, Inc. and its suppliers.

Modified: postfix/trunk/debian/patches/10smtplinelength.dpatch
===================================================================
--- postfix/trunk/debian/patches/10smtplinelength.dpatch	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/patches/10smtplinelength.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -5,15 +5,18 @@
 ## DP: No description.
 
 @DPATCH@
-diff -urNad postfix-2.1.5/src/global/mail_params.h /tmp/dpep.k6WNIS/postfix-2.1.5/src/global/mail_params.h
---- postfix-2.1.5/src/global/mail_params.h	2004-12-27 22:21:10.756399492 -0700
-+++ /tmp/dpep.k6WNIS/postfix-2.1.5/src/global/mail_params.h	2004-12-27 22:21:15.100465701 -0700
-@@ -837,7 +837,7 @@
+diff -urNad --exclude=CVS --exclude=.svn ./src/global/mail_params.h /tmp/dpep-work.r5zWix/postfix--wietse--2.2--patch-8/src/global/mail_params.h
+--- ./src/global/mail_params.h	2006-01-03 11:56:40.000000000 -0700
++++ /tmp/dpep-work.r5zWix/postfix--wietse--2.2--patch-8/src/global/mail_params.h	2006-01-09 17:58:24.000000000 -0700
+@@ -997,9 +997,9 @@
  extern bool var_smtp_rand_addr;
  
  #define VAR_SMTP_LINE_LIMIT	"smtp_line_length_limit"
 -#define DEF_SMTP_LINE_LIMIT	990
 +#define DEF_SMTP_LINE_LIMIT	0
+ #define VAR_LMTP_LINE_LIMIT	"lmtp_line_length_limit"
+-#define DEF_LMTP_LINE_LIMIT	990
++#define DEF_LMTP_LINE_LIMIT	0
  extern int var_smtp_line_limit;
  
  #define VAR_SMTP_PIX_THRESH	"smtp_pix_workaround_threshold_time"
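Review bot: setting `DEF_SMTP_LINE_LIMIT` and `DEF_LMTP_LINE_LIMIT` to 0 disables the line-length limit in the Postfix SMTP and LMTP clients, so messages with lines longer than the 998-character limit of RFC 2822 (1000 octets with CRLF in RFC 2821) are sent unfolded, and a remote server that enforces the limit will reject or truncate them; the upstream default of 990 exists for that interoperability reason. The file header reads `## DP: No description.`, so the rationale belongs there, and the `smtp_line_length_limit` and `lmtp_line_length_limit` entries in the packaged postconf(5) text should be checked so the documented default matches the compiled one.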

Added: postfix/trunk/debian/patches/10tls.dpatch
===================================================================
--- postfix/trunk/debian/patches/10tls.dpatch	                        (rev 0)
+++ postfix/trunk/debian/patches/10tls.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -0,0 +1,118 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10tls.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Debian tweaks to the default tls config
+
+ at DPATCH@
+diff -urNad postfix~/conf/main.cf.tls postfix/conf/main.cf.tls
+--- postfix~/conf/main.cf.tls	1969-12-31 17:00:00.000000000 -0700
++++ postfix/conf/main.cf.tls	2006-12-06 13:16:29.000000000 -0700
+@@ -0,0 +1,11 @@
++
++# TLS parameters
++smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
++smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
++smtpd_use_tls=yes
++smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
++smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
++
++# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
++# information on enabling SSL in the smtp client.
++
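Review bot: the shipped TLS defaults point at `ssl-cert-snakeoil.pem`/`.key`, the self-signed placeholder pair, and `smtpd_use_tls=yes` announces STARTTLS with them; that gives opportunistic encryption but no server authentication, and the comment block only covers enabling the client side. A comment next to `smtpd_tls_cert_file` telling operators to replace the snakeoil pair with a CA-issued certificate, and a note that `smtp_tls_session_cache_database` has no effect until the smtp client has TLS enabled, would head off the usual questions. This patch also touches `src/xsasl/`, which exists from Postfix 2.3 on, and 2.3 introduced `smtpd_tls_security_level = may` as the current spelling of `smtpd_use_tls=yes`; both work, but the newer name is what the 2.3 documentation describes.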
+diff -urNad postfix~/src/global/mail_params.h postfix/src/global/mail_params.h
+--- postfix~/src/global/mail_params.h	2006-12-06 13:16:28.000000000 -0700
++++ postfix/src/global/mail_params.h	2006-12-06 13:16:29.000000000 -0700
+@@ -591,7 +591,7 @@
+ extern int var_dup_filter_limit;
+ 
+ #define VAR_TLS_RAND_EXCH_NAME	"tls_random_exchange_name"
+-#define DEF_TLS_RAND_EXCH_NAME	"${config_directory}/prng_exch"
++#define DEF_TLS_RAND_EXCH_NAME	"${queue_directory}/prng_exch"
+ extern char *var_tls_rand_exch_name;
+ 
+ #define VAR_TLS_RAND_SOURCE	"tls_random_source"
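Review bot: moving the PRNG exchange file default from `${config_directory}/prng_exch` to `${queue_directory}/prng_exch` is what lets a chrooted tlsmgr reach it, and it also moves a file that tlsmgr rewrites out of the configuration directory; the header `## DP: Debian tweaks to the default tls config` could mention the chroot motivation, and the packaged postconf(5) text for `tls_random_exchange_name` needs the same change so the documented default does not disagree with the binary.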
+diff -urNad postfix~/src/xsasl/xsasl_cyrus_client.c postfix/src/xsasl/xsasl_cyrus_client.c
+--- postfix~/src/xsasl/xsasl_cyrus_client.c	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/xsasl/xsasl_cyrus_client.c	2006-12-06 13:25:12.000000000 -0700
+@@ -222,6 +222,10 @@
+      */
+     static sasl_callback_t callbacks[] = {
+ 	{SASL_CB_LOG, &xsasl_cyrus_log, 0},
++	{SASL_CB_GETPATH,&xsasl_getpath, 0},
++#ifdef SASL_CB_GETCONFPATH
++	{SASL_CB_GETCONFPATH,&xsasl_getconfpath, 0},
++#endif
+ 	{SASL_CB_LIST_END, 0, 0}
+     };
+ 
+diff -urNad postfix~/src/xsasl/xsasl_cyrus_common.h postfix/src/xsasl/xsasl_cyrus_common.h
+--- postfix~/src/xsasl/xsasl_cyrus_common.h	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/xsasl/xsasl_cyrus_common.h	2006-12-06 13:25:29.000000000 -0700
+@@ -16,12 +16,18 @@
+   */
+ #if defined(USE_SASL_AUTH) && defined(USE_CYRUS_SASL)
+ 
++#include <sasl.h>
++
+ #define NO_SASL_LANGLIST	((const char *) 0)
+ #define NO_SASL_OUTLANG		((const char **) 0)
+ #define xsasl_cyrus_strerror(status) \
+ 	sasl_errstring((status), NO_SASL_LANGLIST, NO_SASL_OUTLANG)
+ extern int xsasl_cyrus_log(void *, int, const char *);
+ extern int xsasl_cyrus_security_parse_opts(const char *);
++extern int xsasl_getpath(void * context, char ** path);
++#ifdef SASL_CB_GETCONFPATH
++extern int xsasl_getconfpath(void * context, char ** path);
++#endif
+ 
+ #endif
+ 
+diff -urNad postfix~/src/xsasl/xsasl_cyrus_log.c postfix/src/xsasl/xsasl_cyrus_log.c
+--- postfix~/src/xsasl/xsasl_cyrus_log.c	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/xsasl/xsasl_cyrus_log.c	2006-12-06 13:25:50.000000000 -0700
+@@ -28,6 +28,7 @@
+ /* System library. */
+ 
+ #include <sys_defs.h>
++#include <string.h>
+ 
+ /* Utility library. */
+ 
+@@ -101,4 +102,22 @@
+     return (SASL_OK);
+ }
+ 
++int xsasl_getpath(void * context, char ** path)
++{
++#if SASL_VERSION_MAJOR >= 2
++    *path = strdup("/etc/postfix/sasl:/usr/lib/sasl2");
++#else
++    *path = strdup("/etc/postfix/sasl:/usr/lib/sasl");
++#endif
++    return SASL_OK;
++}
++
++#ifdef SASL_CB_GETCONFPATH
++int xsasl_getconfpath(void * context, char ** path)
++{
++    *path = strdup("/etc/postfix/sasl:/usr/lib/sasl2");
++    return SASL_OK;
++}
++#endif
++
+ #endif
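Review bot: `xsasl_getpath()` answers the `SASL_CB_GETPATH` callback, which tells libsasl where to load plugin shared objects from, not only where to find `smtpd.conf`; listing `/etc/postfix/sasl` ahead of `/usr/lib/sasl2` means any loadable module placed in `/etc/postfix/sasl` is picked up by smtpd and the smtp client, so that directory must stay root-owned and not writable by the postfix user, which deserves a comment here. Also, each call `strdup()`s a constant string and nothing frees it; libsasl's own default callback hands back the compiled-in `PLUGINDIR` literal, so returning a string literal through the `const char **` parameter the SASL headers declare avoids the allocation and the `char **` mismatch.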
+diff -urNad postfix~/src/xsasl/xsasl_cyrus_server.c postfix/src/xsasl/xsasl_cyrus_server.c
+--- postfix~/src/xsasl/xsasl_cyrus_server.c	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/xsasl/xsasl_cyrus_server.c	2006-12-06 13:25:58.000000000 -0700
+@@ -174,6 +174,10 @@
+ 
+ static sasl_callback_t callbacks[] = {
+     {SASL_CB_LOG, &xsasl_cyrus_log, NO_CALLBACK_CONTEXT},
++    {SASL_CB_GETPATH,&xsasl_getpath, 0},
++#ifdef SASL_CB_GETCONFPATH
++    {SASL_CB_GETCONFPATH,&xsasl_getconfpath, 0},
++#endif
+     {SASL_CB_LIST_END, 0, 0}
+ };
+ 
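Review bot: the server-side callback table uses `NO_CALLBACK_CONTEXT` for the existing `SASL_CB_LOG` entry but the two added entries pass a bare `0`; use the same macro for consistency with the line above. Otherwise this mirrors the client-side hunk, so the plugin-path ordering point raised there applies to smtpd as well.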

Added: postfix/trunk/debian/patches/10tlsmgr.dpatch
===================================================================
--- postfix/trunk/debian/patches/10tlsmgr.dpatch	                        (rev 0)
+++ postfix/trunk/debian/patches/10tlsmgr.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -0,0 +1,18 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10tlsmgr.dpatch by "Pascal A. Dupuis" <Pascal.Dupuis at worldonline.be>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix FTBFS in tlsmgr
+
+ at DPATCH@
+diff -urNad postfix-2.3~/src/tlsmgr/tlsmgr.c postfix-2.3/src/tlsmgr/tlsmgr.c
+--- postfix-2.3~/src/tlsmgr/tlsmgr.c	2006-07-13 08:22:56.000000000 -0600
++++ postfix-2.3/src/tlsmgr/tlsmgr.c	2006-07-13 08:43:06.000000000 -0600
+@@ -213,6 +213,7 @@
+   * Tunables.
+   */
+ char   *var_tls_rand_source;
++int 	var_tls_daemon_rand_bytes;
+ int     var_tls_rand_bytes;
+ int     var_tls_reseed_period;
+ int     var_tls_prng_exch_period;
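Review bot: The DP: line says only "Fix FTBFS in tlsmgr"; record which undefined reference this definition resolves, because var_tls_daemon_rand_bytes is introduced here as a tlsmgr tunable next to var_tls_rand_bytes and a later merge with upstream needs to know whether it belongs in tlsmgr.c or with the other globals that 20maps.dpatch adds to mail_params.c. The added line also uses a space plus a tab after `int`, where the neighbouring declarations are aligned with spaces.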

Added: postfix/trunk/debian/patches/10warnings.dpatch
===================================================================
--- postfix/trunk/debian/patches/10warnings.dpatch	                        (rev 0)
+++ postfix/trunk/debian/patches/10warnings.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -0,0 +1,28 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10warnings.dpatch by  <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad --exclude=CVS --exclude=.svn ./src/global/dict_ldap.c /tmp/dpep-work.1J5k3l/postfix/src/global/dict_ldap.c
+--- ./src/global/dict_ldap.c	2005-04-14 10:14:18.000000000 -0600
++++ /tmp/dpep-work.1J5k3l/postfix/src/global/dict_ldap.c	2006-02-13 10:38:22.000000000 -0700
+@@ -273,7 +273,7 @@
+      * character requires quoting per the RFC.
+      */
+     while (*sub)
+-    	if ((len = strcspn(sub, " \t\"#+,;<>\\")) > 0) {
++    	if ((len = strcspn((char*)sub, " \t\"#+,;<>\\")) > 0) {
+ 	    vstring_strncat(result, sub, len);
+ 	    sub += len;
+ 	} else
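Review bot: The DP: header says "No description."; state which compiler warning the `(char*)sub` cast silences (sub is presumably declared as an unsigned or const char pointer). strcspn() takes `const char *`, so a `(const char *)` cast is the right shape and cannot discard a const qualifier; and since vstring_strncat() on the next line receives `sub` uncast, the cleaner fix may be to declare `sub` as `const char *` once so that neither call needs a cast.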
+@@ -295,7 +295,7 @@
+      * parameter and then this more comprehensive mechanism.
+      */
+     while (*sub)
+-    	if ((len = strcspn(sub, "*()\\")) > 0) {
++    	if ((len = strcspn((char*)sub, "*()\\")) > 0) {
+ 	    vstring_strncat(result, sub, len);
+ 	    sub += len;
+ 	} else
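Review bot: Same remark as for the hunk above: prefer `(const char *)` over `(char*)`, or fix the declaration of `sub` so the cast is unnecessary in both places, and describe the warning in the DP: header.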

Modified: postfix/trunk/debian/patches/20maps.dpatch
===================================================================
--- postfix/trunk/debian/patches/20maps.dpatch	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/patches/20maps.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -2,69 +2,49 @@
 ## 20maps.dpatch by LaMont Jones <lamont at debian.org>
 ##
 ## All lines beginning with `## DP:' are a description of the patch.
-## DP: No description.
+## DP: patches to build dynamic maps and shared libs
 
 @DPATCH@
-diff -urNad postfix-release/conf/postfix-files /tmp/dpep.TxugCA/postfix-release/conf/postfix-files
---- postfix-release/conf/postfix-files	2004-12-27 22:28:28.638273359 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/conf/postfix-files	2004-12-27 22:29:11.315099642 -0700
-@@ -62,6 +62,9 @@
- $queue_directory/saved:d:$mail_owner:-:700:ucr
+diff -urNad postfix~/conf/postfix-files postfix/conf/postfix-files
+--- postfix~/conf/postfix-files	2006-07-24 23:42:11.000000000 -0600
++++ postfix/conf/postfix-files	2006-10-15 20:55:26.000000000 -0600
+@@ -63,6 +63,12 @@
  $queue_directory/trace:d:$mail_owner:-:700:ucr
+ $daemon_directory/anvil:f:root:-:755
  $daemon_directory/bounce:f:root:-:755
++$daemon_directory/dict_cdb.so:f:root:-:755
 +$daemon_directory/dict_ldap.so:f:root:-:755
 +$daemon_directory/dict_pcre.so:f:root:-:755
 +$daemon_directory/dict_mysql.so:f:root:-:755
++$daemon_directory/dict_tcp.so:f:root:-:755
++$daemon_directory/dict_sdbm.so:f:root:-:755
  $daemon_directory/cleanup:f:root:-:755
+ $daemon_directory/discard:f:root:-:755
  $daemon_directory/error:f:root:-:755
- $daemon_directory/flush:f:root:-:755
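Review bot: `$daemon_directory/dict_sdbm.so` is added to postfix-files, but the rest of this revision stops building that module: the SDBMSO rule is removed from src/global/Makefile.in further down and sdbm.c/dict_sdbm.o are folded into the util library instead. postfix-files drives the install and check tooling, so an entry for a file that is never produced will be reported as missing; drop the line or keep building the module.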
-@@ -81,6 +84,10 @@
+@@ -85,6 +91,11 @@
  $daemon_directory/trivial-rewrite:f:root:-:755
  $daemon_directory/verify:f:root:-:755
  $daemon_directory/virtual:f:root:-:755
 +/usr/lib/libpostfix-dns.so.1:f:root:-:755
 +/usr/lib/libpostfix-global.so.1:f:root:-:755
++/usr/lib/libpostfix-tls.so.1:f:root:-:755
 +/usr/lib/libpostfix-master.so.1:f:root:-:755
 +/usr/lib/libpostfix-util.so.1:f:root:-:755
  $daemon_directory/nqmgr:h:$daemon_directory/qmgr
+ $daemon_directory/lmtp:h:$daemon_directory/smtp
  $command_directory/postalias:f:root:-:755
- $command_directory/postcat:f:root:-:755
-@@ -100,6 +107,7 @@
- $config_directory/access:f:root:-:644:p
+@@ -107,6 +118,7 @@
  $config_directory/aliases:f:root:-:644:p
+ $config_directory/bounce.cf.default:f:root:-:644
  $config_directory/canonical:f:root:-:644:p
 +$config_directory/dynamicmaps.cf:f:root:-:644:p
  $config_directory/cidr_table:f:root:-:644:o
- $config_directory/header_checks:f:root:-:644:p
- $config_directory/install.cf:f:root:-:644:o
-diff -urNad postfix-release/makedefs /tmp/dpep.TxugCA/postfix-release/makedefs
---- postfix-release/makedefs	2004-12-27 22:28:28.639273144 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/makedefs	2004-12-27 22:29:11.315099642 -0700
-@@ -208,6 +208,20 @@
- 		#     CCARGS="$CCARGS -DHAS_DBM -DPATH_NDBM_H='<gdbm/ndbm.h>'"
- 		#     GDBM_LIBS=gdbm
- 		# fi
-+
-+		# XXX: post-sarge
-+		# But, we'll keep shipping it (with error generation) until
-+		# sarge releases.
-+		if [ -f /usr/include/gdbm-ndbm.h ]
-+		then
-+		    CCARGS="$CCARGS -DHAS_DBM -DHAS_GDBM -DPATH_NDBM_H='<gdbm-ndbm.h>'"
-+		    GDBM_LIBS=gdbm_compat
-+		elif [ -f /usr/include/gdbm/ndbm.h ]
-+		then
-+		    CCARGS="$CCARGS -DHAS_DBM -DHAS_GDBM -DPATH_NDBM_H='<gdbm/ndbm.h>'"
-+		    GDBM_LIBS=gdbm
-+		fi
-+
- 		SYSLIBS="-ldb"
- 		for name in nsl resolv $GDBM_LIBS
- 		do
-diff -urNad postfix-release/src/dns/Makefile.in /tmp/dpep.TxugCA/postfix-release/src/dns/Makefile.in
---- postfix-release/src/dns/Makefile.in	2004-12-27 22:28:28.639273144 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/dns/Makefile.in	2004-12-27 22:29:11.315099642 -0700
-@@ -12,7 +12,7 @@
+ $config_directory/generic:f:root:-:644:p
+ $config_directory/generics:f:root:-:644:o
+diff -urNad postfix~/src/dns/Makefile.in postfix/src/dns/Makefile.in
+--- postfix~/src/dns/Makefile.in	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/dns/Makefile.in	2006-10-15 20:55:26.000000000 -0600
+@@ -14,7 +14,7 @@
  LIB_DIR	= ../../lib
  INC_DIR	= ../../include
  
@@ -73,8 +53,8 @@
  
  all: $(LIB)
  
-@@ -24,12 +24,10 @@
- tests:	test
+@@ -31,12 +31,10 @@
+ root_tests:
  
  $(LIB):	$(OBJS)
 -	$(AR) $(ARFL) $(LIB) $?
@@ -87,52 +67,45 @@
  
  update: $(LIB_DIR)/$(LIB) $(HDRS)
  	-for i in $(HDRS); \
-diff -urNad postfix-release/src/global/Makefile.in /tmp/dpep.TxugCA/postfix-release/src/global/Makefile.in
---- postfix-release/src/global/Makefile.in	2004-12-27 22:28:28.640272930 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/global/Makefile.in	2004-12-27 22:29:11.316099427 -0700
-@@ -3,6 +3,7 @@
- 	canon_addr.c cfg_parser.c cleanup_strerror.c cleanup_strflags.c \
- 	clnt_stream.c debug_peer.c debug_process.c defer.c \
- 	deliver_completed.c deliver_flock.c deliver_pass.c deliver_request.c \
-+	dict_sdbm.c sdbm.c \
- 	dict_ldap.c dict_mysql.c dict_pgsql.c dict_proxy.c domain_list.c \
- 	dot_lockfile.c dot_lockfile_as.c ext_prop.c file_id.c flush_clnt.c \
- 	header_opts.c header_token.c hold_message.c input_transp.c \
-@@ -27,7 +28,7 @@
+diff -urNad postfix~/src/global/Makefile.in postfix/src/global/Makefile.in
+--- postfix~/src/global/Makefile.in	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/global/Makefile.in	2006-10-15 20:55:26.000000000 -0600
+@@ -32,7 +32,7 @@
  	canon_addr.o cfg_parser.o cleanup_strerror.o cleanup_strflags.o \
- 	clnt_stream.o debug_peer.o debug_process.o defer.o \
- 	deliver_completed.o deliver_flock.o deliver_pass.o deliver_request.o \
--	dict_ldap.o dict_mysql.o dict_pgsql.o dict_proxy.o domain_list.o \
-+	dict_proxy.o domain_list.o \
- 	dot_lockfile.o dot_lockfile_as.o ext_prop.o file_id.o flush_clnt.o \
- 	header_opts.o header_token.o hold_message.o input_transp.o \
- 	is_header.o log_adhoc.o mail_addr.o mail_addr_crunch.o \
-@@ -51,6 +52,7 @@
- 	canon_addr.h cfg_parser.h cleanup_user.h clnt_stream.h config.h \
- 	debug_peer.h debug_process.h defer.h deliver_completed.h \
- 	deliver_flock.h deliver_pass.h deliver_request.h dict_ldap.h \
-+	dict_sdbm.h sdbm.h \
- 	dict_mysql.h dict_pgsql.h dict_proxy.h domain_list.h dot_lockfile.h \
- 	dot_lockfile_as.h ext_prop.h file_id.h flush_clnt.h header_opts.h \
- 	header_token.h hold_message.h input_transp.h is_header.h \
-@@ -84,10 +86,14 @@
+ 	clnt_stream.o conv_time.o db_common.o debug_peer.o debug_process.o \
+ 	defer.o deliver_completed.o deliver_flock.o deliver_pass.o \
+-	deliver_request.o dict_ldap.o dict_mysql.o dict_pgsql.o \
++	deliver_request.o \
+ 	dict_proxy.o domain_list.o dot_lockfile.o dot_lockfile_as.o \
+ 	dsb_scan.o dsn.o dsn_buf.o dsn_mask.o dsn_print.o dsn_util.o \
+ 	ehlo_mask.o ext_prop.o file_id.o flush_clnt.o header_opts.o \
+@@ -45,7 +45,7 @@
+ 	mail_params.o mail_pathname.o mail_queue.o mail_run.o \
+ 	mail_scan_dir.o mail_stream.o mail_task.o mail_trigger.o maps.o \
+ 	mark_corrupt.o match_parent_style.o mbox_conf.o mbox_open.o \
+-	mime_state.o mkmap_cdb.o mkmap_db.o mkmap_dbm.o mkmap_open.o \
++	mime_state.o mkmap_db.o mkmap_dbm.o mkmap_open.o \
+ 	mkmap_sdbm.o msg_stats_print.o msg_stats_scan.o mynetworks.o \
+ 	mypwd.o namadr_list.o off_cvt.o opened.o own_inet_addr.o \
+ 	pipe_command.o post_mail.o quote_821_local.o quote_822_local.o \
+@@ -97,10 +97,14 @@
  LIB_DIR	= ../../lib
  INC_DIR	= ../../include
  MAKES	=
-+SDBMSO  = dict_sdbm.so
 +LDAPSO  = dict_ldap.so
 +MYSQLSO = dict_mysql.so
 +PGSQLSO = dict_pgsql.so
++CDBSO   = dict_cdb.so
  
 -.c.o:;	$(CC) $(CFLAGS) -c $*.c
 +.c.o:;	$(CC) -fPIC $(CFLAGS) -c $*.c
  
 -all: $(LIB)
-+all: $(LIB) $(SDBMSO) $(LDAPSO) $(MYSQLSO) $(PGSQLSO) 
++all: $(LIB) $(CDBSO) $(LDAPSO) $(MYSQLSO) $(PGSQLSO) 
  
- Makefile: Makefile.in
- 	(set -e; echo "# DO NOT EDIT"; $(OPTS) $(SHELL) ../../makedefs && cat $?) >$@
-@@ -95,14 +101,36 @@
+ $(OBJS): ../../conf/makedefs.out
+ 
+@@ -110,14 +114,39 @@
  test:	$(TESTPROG)
  
  $(LIB):	$(OBJS)
@@ -140,9 +113,12 @@
 -	$(RANLIB) $(LIB)
 +	gcc -shared -Wl,-soname,libpostfix-global.so.1 -o $(LIB) $(OBJS) $(LIBS) $(SYSLIBS)
 +
-+$(SDBMSO): dict_sdbm.o sdbm.o
-+	gcc -shared -Wl,-soname,dict_sdbm.so -o $@ dict_sdbm.o sdbm.o -L. -lutil -lglobal
++$(CDBSO): dict_cdb.o mkmap_cdb.o
++	gcc -shared -Wl,-soname,dict_cdb.so -o $@ $? -lcdb -L. -lutil
 +
++dict_cdb.o: ../util/dict_cdb.c
++	$(CC) -fPIC $(CFLAGS) -c $?
++
 +$(LDAPSO): dict_ldap.o
 +	gcc -shared -Wl,-soname,dict_ldap.so -o $@ $? -lldap -llber -L../../lib -lutil -L. -lglobal
 +
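Review bot: `$(CDBSO): dict_cdb.o mkmap_cdb.o` links with `$?`, which expands only to the prerequisites that are newer than the target, so after an incremental rebuild in which just one of the two objects changed the shared object is relinked from a single member; use `$^`. In src/global, `-L. -lutil` also does not locate Postfix's util library, which is built in src/util and copied to ../../lib (the $(LDAPSO) rule right below uses `-L../../lib -lutil` for that reason); with `-shared` the unresolved references are not reported at link time and `-lutil` can bind to the system libutil instead. Use `-L../../lib` here, and `$(CC)` rather than a hard-coded gcc.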
@@ -157,8 +133,8 @@
 -	$(RANLIB) $(LIB_DIR)/$(LIB)
  
 -update: $(LIB_DIR)/$(LIB) $(HDRS)
-+$(LIB_DIR)/$(SDBMSO): $(SDBMSO)
-+	cp $(SDBMSO) $(LIB_DIR)
++$(LIB_DIR)/$(CDBSO): $(CDBSO)
++	cp $(CDBSO) $(LIB_DIR)
 +
 +$(LIB_DIR)/$(LDAPSO): $(LDAPSO)
 +	cp $(LDAPSO) $(LIB_DIR)
@@ -169,564 +145,923 @@
 +$(LIB_DIR)/$(PGSQLSO): $(PGSQLSO)
 +	cp $(PGSQLSO) $(LIB_DIR)
 +
-+update: $(LIB_DIR)/$(LIB) $(LIB_DIR)/${LDAPSO} $(LIB_DIR)/${MYSQLSO} $(LIB_DIR)/${PGSQLSO} $(LIB_DIR)/$(SDBMSO) $(HDRS)
++update: $(LIB_DIR)/$(LIB) $(LIB_DIR)/${CDBSO} $(LIB_DIR)/${LDAPSO} $(LIB_DIR)/${MYSQLSO} $(LIB_DIR)/${PGSQLSO} $(HDRS)
  	-for i in $(HDRS); \
  	do \
  	  cmp -s $$i $(INC_DIR)/$$i 2>/dev/null || cp $$i $(INC_DIR); \
-@@ -354,7 +382,7 @@
+@@ -403,7 +432,7 @@
  	lint $(DEFS) $(SRCS) $(LINTFIX)
  
  clean:
 -	rm -f *.o $(LIB) *core $(TESTPROG) junk
-+	rm -f *.o $(LIB) $(SDBMSO) $(LDAPSO) $(MYSQLSO) $(PGSQLSO) *core $(TESTPROG) junk
++	rm -f *.o $(LIB) $(CDBSO) $(LDAPSO) $(MYSQLSO) $(PGSQLSO) *core $(TESTPROG) junk
  	rm -rf printfck
  
  tidy:	clean
-@@ -569,6 +597,10 @@
- dict_proxy.o: mail_params.h
- dict_proxy.o: clnt_stream.h
- dict_proxy.o: dict_proxy.h
-+dict_sdbm.o: ../../include/sys_defs.h
-+dict_sdbm.o: sdbm.h
-+dict_sdbm.o: dict_sdbm.c
-+dict_sdbm.o: dict_sdbm.h
- domain_list.o: domain_list.c
- domain_list.o: ../../include/sys_defs.h
- domain_list.o: ../../include/match_list.h
-@@ -643,6 +675,10 @@
- hold_message.o: ../../include/vstream.h
- hold_message.o: mail_params.h
- hold_message.o: hold_message.h
-+inet_interfaces_to_af.o: inet_interfaces_to_af.c
-+inet_interfaces_to_af.o: ../../include/sys_defs.h
-+inet_interfaces_to_af.o: mail_params.h
-+inet_interfaces_to_af.o: inet_interfaces_to_af.h
- input_transp.o: input_transp.c
- input_transp.o: ../../include/sys_defs.h
- input_transp.o: ../../include/name_mask.h
-@@ -1088,6 +1124,7 @@
- own_inet_addr.o: ../../include/vbuf.h
- own_inet_addr.o: mail_params.h
- own_inet_addr.o: own_inet_addr.h
-+own_inet_addr.o: inet_interfaces_to_af.h
- pipe_command.o: pipe_command.c
- pipe_command.o: ../../include/sys_defs.h
- pipe_command.o: ../../include/msg.h
-@@ -1220,6 +1257,8 @@
- rewrite_clnt.o: mail_params.h
- rewrite_clnt.o: clnt_stream.h
- rewrite_clnt.o: rewrite_clnt.h
-+sdbm.o: sdbm.c
-+sdbm.o: sdbm.h
- sent.o: sent.c
- sent.o: ../../include/sys_defs.h
- sent.o: ../../include/msg.h
-diff -urNad postfix-release/src/global/dict_sdbm.c /tmp/dpep.TxugCA/postfix-release/src/global/dict_sdbm.c
---- postfix-release/src/global/dict_sdbm.c	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/global/dict_sdbm.c	2004-12-27 22:29:11.317099212 -0700
-@@ -0,0 +1,469 @@
-+/*++
-+/* NAME
-+/*	dict_sdbm 3
-+/* SUMMARY
-+/*	dictionary manager interface to SDBM files
-+/* SYNOPSIS
-+/*	#include <dict_sdbm.h>
-+/*
-+/*	DICT	*dict_sdbm_open(path, open_flags, dict_flags)
-+/*	const char *name;
-+/*	const char *path;
-+/*	int	open_flags;
-+/*	int	dict_flags;
-+/* DESCRIPTION
-+/*	dict_sdbm_open() opens the named SDBM database and makes it available
-+/*	via the generic interface described in dict_open(3).
-+/* DIAGNOSTICS
-+/*	Fatal errors: cannot open file, file write error, out of memory.
-+/* SEE ALSO
-+/*	dict(3) generic dictionary manager
-+/*	sdbm(3) data base subroutines
-+/* LICENSE
-+/* .ad
-+/* .fi
-+/*	The Secure Mailer license must be distributed with this software.
-+/* AUTHOR(S)
-+/*	Wietse Venema
-+/*	IBM T.J. Watson Research
-+/*	P.O. Box 704
-+/*	Yorktown Heights, NY 10598, USA
-+/*--*/
+diff -urNad postfix~/src/global/mail_conf.c postfix/src/global/mail_conf.c
+--- postfix~/src/global/mail_conf.c	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/global/mail_conf.c	2006-10-15 20:55:26.000000000 -0600
+@@ -175,6 +175,13 @@
+     path = concatenate(var_config_dir, "/", "main.cf", (char *) 0);
+     dict_load_file(CONFIG_DICT, path);
+     myfree(path);
 +
-+#include "sys_defs.h"
++#ifndef NO_DYNAMIC_MAPS
++    path = concatenate(var_config_dir, "/", "dynamicmaps.cf", (char *) 0);
++    dict_open_dlinfo(path);
++    myfree(path);
++#endif
 +
-+/* System library. */
+ }
+ 
+ /* mail_conf_eval - expand macros in string */
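Review bot: This makes every Postfix program that reads main.cf also read $config_directory/dynamicmaps.cf and dlopen() whatever shared objects it names, so that file is as security-sensitive as main.cf itself. The postfix-files entry in this patch installs it root-owned 0644, which is the right control, but the call here has no error path of its own, so please state in the patch description whether dict_open_dlinfo() fails hard when the file is missing, unreadable or names a library that cannot be loaded, rather than silently continuing with a partial map table.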
+diff -urNad postfix~/src/global/mail_dict.c postfix/src/global/mail_dict.c
+--- postfix~/src/global/mail_dict.c	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/global/mail_dict.c	2006-10-15 20:55:26.000000000 -0600
+@@ -45,6 +45,7 @@
+ 
+ static DICT_OPEN_INFO dict_open_info[] = {
+     DICT_TYPE_PROXY, dict_proxy_open,
++#ifndef MAX_DYNAMIC_MAPS
+ #ifdef HAS_LDAP
+     DICT_TYPE_LDAP, dict_ldap_open,
+ #endif
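Review bot: The guard here (and in the mkmap_open.c and dict_open.c hunks below) is `#ifndef MAX_DYNAMIC_MAPS`, while every other new conditional in this patch uses NO_DYNAMIC_MAPS. MAX_DYNAMIC_MAPS is defined nowhere in the patch, so `#ifndef MAX_DYNAMIC_MAPS` is always true and the static LDAP/MySQL/PgSQL entries stay compiled into mail_dict.c even though dict_ldap.o, dict_mysql.o and dict_pgsql.o are removed from the global library in the Makefile.in hunk above; if HAS_LDAP and friends are defined for the build, that leaves unresolved references in the shared library. The intended guard is presumably `#ifdef NO_DYNAMIC_MAPS` around the static table.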
+@@ -54,6 +55,7 @@
+ #ifdef HAS_PGSQL
+     DICT_TYPE_PGSQL, dict_pgsql_open,
+ #endif
++#endif /* MAX_DYNAMIC_MAPS */
+     0,
+ };
+ 
+diff -urNad postfix~/src/global/mail_params.c postfix/src/global/mail_params.c
+--- postfix~/src/global/mail_params.c	2006-10-15 20:55:25.000000000 -0600
++++ postfix/src/global/mail_params.c	2006-10-15 20:55:26.000000000 -0600
+@@ -77,6 +77,7 @@
+ /*	char	*var_export_environ;
+ /*	char	*var_debug_peer_list;
+ /*	int	var_debug_peer_level;
++/*	int	var_command_maxtime;
+ /*	int	var_in_flow_delay;
+ /*	int	var_fault_inj_code;
+ /*	char   *var_bounce_service;
+@@ -249,6 +250,7 @@
+ char   *var_export_environ;
+ char   *var_debug_peer_list;
+ int     var_debug_peer_level;
++int	var_command_maxtime;
+ int     var_fault_inj_code;
+ char   *var_bounce_service;
+ char   *var_cleanup_service;
+@@ -260,6 +262,7 @@
+ char   *var_error_service;
+ char   *var_flush_service;
+ char   *var_verify_service;
++char   *var_scache_service;
+ char   *var_trace_service;
+ int     var_db_create_buf;
+ int     var_db_read_buf;
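Review bot: The var_command_maxtime and var_scache_service definitions have nothing to do with dynamic maps; if they are needed to resolve symbols once libpostfix-global becomes a shared library, say so in the DP: description, otherwise move them to a separate dpatch. Also `int\tvar_command_maxtime;` uses a tab where the neighbouring declarations are space-aligned.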
+diff -urNad postfix~/src/global/mkmap_open.c postfix/src/global/mkmap_open.c
+--- postfix~/src/global/mkmap_open.c	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/global/mkmap_open.c	2006-10-15 20:57:13.000000000 -0600
+@@ -78,14 +78,16 @@
+   * types that exist as files. Network-based maps are not of interest.
+   */
+ typedef struct {
+-    char   *type;
++    const char   *type;
+     MKMAP  *(*before_open) (const char *);
+ } MKMAP_OPEN_INFO;
+ 
+ MKMAP_OPEN_INFO mkmap_types[] = {
++#ifndef MAX_DYNAMIC_MAPS
+ #ifdef HAS_CDB
+     DICT_TYPE_CDB, mkmap_cdb_open,
+ #endif
++#endif
+ #ifdef HAS_SDBM
+     DICT_TYPE_SDBM, mkmap_sdbm_open,
+ #endif
+@@ -152,7 +154,16 @@
+      */
+     for (mp = mkmap_types; /* void */ ; mp++) {
+ 	if (mp->type == 0)
++#ifndef NO_DYNAMIC_MAPS
++	{
++	    static MKMAP_OPEN_INFO oi;
++	    oi.before_open=(MKMAP*(*)(const char*))dict_mkmap_func(type);
++	    oi.type=type;
++	    mp=&oi;
++	}
++#else
+ 	    msg_fatal("unsupported map type: %s", type);
++#endif
+ 	if (strcmp(type, mp->type) == 0)
+ 	    break;
+     }
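Review bot: When the table is exhausted and dynamic maps are enabled, dict_mkmap_func(type) can return a null pointer for an unknown type (dict.h declares it as returning a function pointer), yet the result is stored into oi.before_open without a check and the original msg_fatal("unsupported map type: %s") now exists only in the #else branch; add `if (oi.before_open == 0) msg_fatal("unsupported map type: %s", type);` so an unknown type fails with a message instead of a null function call later. An `if` whose body is a braced block in one preprocessor branch and a bare statement in the other is also hard to read; hoisting the lookup into a small static helper would keep the loop flat.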
+diff -urNad postfix~/src/master/Makefile.in postfix/src/master/Makefile.in
+--- postfix~/src/master/Makefile.in	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/master/Makefile.in	2006-10-15 20:55:26.000000000 -0600
+@@ -20,7 +20,7 @@
+ INC_DIR	= ../../include
+ BIN_DIR	= ../../libexec
+ 
+-.c.o:;	$(CC) $(CFLAGS) -c $*.c
++.c.o:;	$(CC) `for i in $(LIB_OBJ); do [ $$i = $@ ] && echo -fPIC; done` $(CFLAGS) -c $*.c
+ 
+ all:	$(PROG) $(LIB)
+ 
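Review bot: The backquoted loop compiles only the $(LIB_OBJ) members with -fPIC, while the dns, global, tls and util Makefiles in this same patch simply add -fPIC to every compile; the per-object trick is harder to read and its `[ ... ] && echo` leaves a non-zero status from the last iteration. Unless the non-PIC build of the program objects is deliberate, use the plain `$(CC) -fPIC $(CFLAGS) -c $*.c` form for consistency.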
+@@ -39,12 +39,10 @@
+ root_tests:
+ 
+ $(LIB):	$(LIB_OBJ)
+-	$(AR) $(ARFL) $(LIB) $?
+-	$(RANLIB) $(LIB)
++	gcc -shared -Wl,-soname,libpostfix-master.so.1 -o $(LIB) $(LIB_OBJ) $(LIBS) $(SYSLIBS)
+ 
+ $(LIB_DIR)/$(LIB): $(LIB)
+ 	cp $(LIB) $(LIB_DIR)/$(LIB)
+-	$(RANLIB) $(LIB_DIR)/$(LIB)
+ 
+ $(BIN_DIR)/$(PROG): $(PROG)
+ 	 cp $(PROG) $(BIN_DIR)
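Review bot: The shared object is built with soname libpostfix-master.so.1 but written to and installed as $(LIB), whose value is an archive-style name (the util Makefile hunk below shows `LIB = libutil.a`); anything linking with `-lmaster` then picks an ELF shared object out of a .a-named file, and the mismatch between file name and soname has to be repaired by the packaging that creates the /usr/lib/libpostfix-*.so.1 files listed in postfix-files. Either set LIB to the real soname here or describe the rename step in the patch header.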
+diff -urNad postfix~/src/postconf/postconf.c postfix/src/postconf/postconf.c
+--- postfix~/src/postconf/postconf.c	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/postconf/postconf.c	2006-10-15 20:55:26.000000000 -0600
+@@ -898,6 +898,16 @@
+ {
+     ARGV   *maps_argv;
+     int     i;
++#ifndef NO_DYNAMIC_MAPS
++    char   *path;
++    char   *config_dir;
 +
-+#include <sys/stat.h>
-+#include <string.h>
-+#include <unistd.h>
++    var_config_dir = mystrdup((config_dir = safe_getenv(CONF_ENV_PATH)) != 0 ?
++			      config_dir : DEF_CONFIG_DIR);	/* XXX */
++    path = concatenate(var_config_dir, "/", "dynamicmaps.cf", (char *) 0);
++    dict_open_dlinfo(path);
++    myfree(path);
++#endif
+ 
+     maps_argv = dict_mapnames();
+     for (i = 0; i < maps_argv->argc; i++)
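Review bot: The new block assigns var_config_dir unconditionally, overwriting (and leaking) whatever value the program already set, which the `/* XXX */` marker seems to acknowledge; use the existing var_config_dir when it is non-null and only fall back to the environment otherwise. The three dynamicmaps.cf lines are also duplicated verbatim from the mail_conf.c hunk; put them in one helper in mail_conf.c that both callers use.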
+diff -urNad postfix~/src/postmap/postmap.c postfix/src/postmap/postmap.c
+--- postfix~/src/postmap/postmap.c	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/postmap/postmap.c	2006-10-15 20:55:26.000000000 -0600
+@@ -5,7 +5,7 @@
+ /*	Postfix lookup table management
+ /* SYNOPSIS
+ /* .fi
+-/*	\fBpostmap\fR [\fB-Nfinoprsvw\fR] [\fB-c \fIconfig_dir\fR]
++/*	\fBpostmap\fR [\fB-Nfinoprsuvw\fR] [\fB-c \fIconfig_dir\fR]
+ /*	[\fB-d \fIkey\fR] [\fB-q \fIkey\fR]
+ /*		[\fIfile_type\fR:]\fIfile_name\fR ...
+ /* DESCRIPTION
+@@ -109,6 +109,8 @@
+ /*	as the original input order.
+ /*	This feature is available in Postfix version 2.2 and later,
+ /*	and is not available for all database types.
++/* .IP \fB-u\fR
++/*	Upgrade the database to the current version.
+ /* .IP \fB-v\fR
+ /*	Enable verbose logging for debugging purposes. Multiple \fB-v\fR
+ /*	options make the software increasingly verbose.
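Review bot: "Upgrade the database to the current version" does not say which database types honour -u; in this patch DICT_FLAG_UPGRADE is acted on only in dict_db.c, so the man text should say the option applies to Berkeley DB (hash and btree) maps, that the upgrade rewrites the file in place, and that no backup is taken.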
+@@ -531,6 +533,18 @@
+     dict_close(dict);
+ }
+ 
++/* postmap_upgrade - upgrade a map */
 +
-+/* Utility library. */
-+
-+#include "msg.h"
-+#include "mymalloc.h"
-+#include "htable.h"
-+#include "iostuff.h"
-+#include "vstring.h"
-+#include "myflock.h"
-+#include "stringops.h"
-+#include "dict.h"
-+#include "dict_sdbm.h"
-+#include "sdbm.h"
-+
-+/* Application-specific. */
-+
-+typedef struct {
-+    DICT    dict;			/* generic members */
-+    SDBM   *dbm;			/* open database */
-+    char   *path;			/* pathname */
-+} DICT_SDBM;
-+
-+/* dict_sdbm_lookup - find database entry */
-+
-+static const char *dict_sdbm_lookup(DICT *dict, const char *name)
++static int postmap_upgrade(const char *map_type, const char *map_name)
 +{
-+    DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
-+    datum   dbm_key;
-+    datum   dbm_value;
-+    static VSTRING *buf;
-+    const char *result = 0;
++    DICT   *dict;
 +
-+    dict_errno = 0;
++    dict = dict_open3(map_type, map_name, O_RDWR,
++			DICT_FLAG_LOCK|DICT_FLAG_UPGRADE);
++    dict_close(dict);
++    return (dict != 0);
++}
 +
-+    /*
-+     * Acquire an exclusive lock.
-+     */
-+    if ((dict->flags & DICT_FLAG_LOCK)
-+	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_SHARED) < 0)
-+	msg_fatal("%s: lock dictionary: %m", dict_sdbm->path);
-+
-+    /*
-+     * See if this DBM file was written with one null byte appended to key
-+     * and value.
-+     */
-+    if (dict->flags & DICT_FLAG_TRY1NULL) {
-+	dbm_key.dptr = (void *) name;
-+	dbm_key.dsize = strlen(name) + 1;
-+	dbm_value = sdbm_fetch(dict_sdbm->dbm, dbm_key);
-+	if (dbm_value.dptr != 0) {
-+	    dict->flags &= ~DICT_FLAG_TRY0NULL;
-+	    result = dbm_value.dptr;
+ /* usage - explain */
+ 
+ static NORETURN usage(char *myname)
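Review bot: dict_open3() reports an open failure as a fatal error (the DIAGNOSTICS section of dict_open.c in this same patch says so), so `dict` can never be 0 at `return (dict != 0)`, and if it could be, `dict_close(dict)` on the preceding line would dereference the null pointer first; either drop the return value or test before closing. Minor: `DICT_FLAG_LOCK|DICT_FLAG_UPGRADE` lacks the spaces around `|` that the flag expressions in main() use.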
+@@ -549,6 +563,7 @@
+     int     postmap_flags = POSTMAP_FLAG_AS_OWNER | POSTMAP_FLAG_SAVE_PERM;
+     int     open_flags = O_RDWR | O_CREAT | O_TRUNC;
+     int     dict_flags = DICT_FLAG_DUP_WARN | DICT_FLAG_FOLD_FIX;
++    int     upgrade = 0;
+     char   *query = 0;
+     char   *delkey = 0;
+     int     sequence = 0;
+@@ -588,7 +603,7 @@
+     /*
+      * Parse JCL.
+      */
+-    while ((ch = GETOPT(argc, argv, "Nc:d:finopq:rsvw")) > 0) {
++    while ((ch = GETOPT(argc, argv, "Nc:d:finopq:rsuvw")) > 0) {
+ 	switch (ch) {
+ 	default:
+ 	    usage(argv[0]);
+@@ -602,8 +617,8 @@
+ 		msg_fatal("out of memory");
+ 	    break;
+ 	case 'd':
+-	    if (sequence || query || delkey)
+-		msg_fatal("specify only one of -s -q or -d");
++	    if (sequence || query || delkey || upgrade)
++		msg_fatal("specify only one of -s -q -u or -d");
+ 	    delkey = optarg;
+ 	    break;
+ 	case 'f':
+@@ -623,8 +638,8 @@
+ 	    postmap_flags &= ~POSTMAP_FLAG_SAVE_PERM;
+ 	    break;
+ 	case 'q':
+-	    if (sequence || query || delkey)
+-		msg_fatal("specify only one of -s -q or -d");
++	    if (sequence || query || delkey || upgrade)
++		msg_fatal("specify only one of -s -q -u or -d");
+ 	    query = optarg;
+ 	    break;
+ 	case 'r':
+@@ -632,10 +647,15 @@
+ 	    dict_flags |= DICT_FLAG_DUP_REPLACE;
+ 	    break;
+ 	case 's':
+-	    if (query || delkey)
+-		msg_fatal("specify only one of -s or -q or -d");
++	    if (query || delkey || upgrade)
++		msg_fatal("specify only one of -s or -q -u or -d");
+ 	    sequence = 1;
+ 	    break;
++	case 'u':
++	    if (sequence || query || delkey || upgrade)
++		msg_fatal("specify only one of -s -q -u or -d");
++	    upgrade=1;
++	    break;
+ 	case 'v':
+ 	    msg_verbose++;
+ 	    break;
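Review bot: The 's' case now says "specify only one of -s or -q -u or -d" while the 'd', 'q' and 'u' cases say "specify only one of -s -q -u or -d"; use one wording (ideally a single shared string) so the messages stay in sync. `upgrade=1;` also lacks the spaces around `=` used on the surrounding lines.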
+@@ -701,6 +721,21 @@
+ 	    exit(0);
+ 	}
+ 	exit(1);
++    } else if (upgrade) {			/* Upgrade the map(s) */
++	int success = 1;
++	if (optind + 1 > argc)
++	    usage(argv[0]);
++	while (optind < argc) {
++	    if ((path_name = split_at(argv[optind], ':')) != 0) {
++		success &= postmap_upgrade(argv[optind], path_name);
++	    } else {
++		success &= postmap_upgrade(var_db_type, path_name);
++	    }
++	    if (!success)
++		exit(1);
++	    optind++;
 +	}
-+    }
++	exit(0);
+     } else {					/* create/update map(s) */
+ 	if (optind + 1 > argc)
+ 	    usage(argv[0]);
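Review bot: In the new upgrade branch the else case passes `path_name` to postmap_upgrade(), but that branch is only reached when split_at() returned 0, so `postmap -u /path/to/map` calls postmap_upgrade(var_db_type, NULL); it should pass `argv[optind]`. The `success` accumulator is redundant as well, since the loop exits on the first failure.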
+diff -urNad postfix~/src/tls/Makefile.in postfix/src/tls/Makefile.in
+--- postfix~/src/tls/Makefile.in	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/tls/Makefile.in	2006-10-15 20:55:26.000000000 -0600
+@@ -22,7 +22,7 @@
+ INC_DIR	= ../../include
+ MAKES	=
+ 
+-.c.o:;	$(CC) $(CFLAGS) -c $*.c
++.c.o:;	$(CC) -fPIC $(CFLAGS) -c $*.c
+ 
+ all: $(LIB)
+ 
+@@ -38,12 +38,10 @@
+ root_tests:
+ 
+ $(LIB):	$(OBJS)
+-	$(AR) $(ARFL) $(LIB) $?
+-	$(RANLIB) $(LIB)
++	gcc -shared -Wl,-soname,libpostfix-tls.so.1 -o $(LIB) $(OBJS) $(LIBS) $(SYSLIBS)
+ 
+ $(LIB_DIR)/$(LIB): $(LIB)
+ 	cp $(LIB) $(LIB_DIR)
+-	$(RANLIB) $(LIB_DIR)/$(LIB)
+ 
+ update: $(LIB_DIR)/$(LIB) $(HDRS)
+ 	-for i in $(HDRS); \
+diff -urNad postfix~/src/util/Makefile.in postfix/src/util/Makefile.in
+--- postfix~/src/util/Makefile.in	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/util/Makefile.in	2006-10-15 20:55:26.000000000 -0600
+@@ -1,4 +1,4 @@
+-SHELL	= /bin/sh
++cdb	= /bin/sh
+ SRCS	= alldig.c allprint.c argv.c argv_split.c attr_clnt.c attr_print0.c \
+ 	attr_print64.c attr_print_plain.c attr_scan0.c attr_scan64.c \
+ 	attr_scan_plain.c auto_clnt.c base64_code.c basename.c binhash.c \
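Review bot: `SHELL = /bin/sh` has been turned into `cdb = /bin/sh`, which looks like a stray search-and-replace: it defines a meaningless `cdb` variable and drops the SHELL assignment that make uses for recipe lines. Restore `SHELL = /bin/sh`.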
+@@ -30,21 +30,21 @@
+ 	username.c valid_hostname.c vbuf.c vbuf_print.c vstream.c \
+ 	vstream_popen.c vstring.c vstring_vstream.c watchdog.c writable.c \
+ 	write_buf.c write_wait.c sane_basename.c format_tv.c allspace.c \
+-	allascii.c load_file.c
++	allascii.c load_file.c load_lib.c sdbm.c
+ OBJS	= alldig.o allprint.o argv.o argv_split.o attr_clnt.o attr_print0.o \
+ 	attr_print64.o attr_print_plain.o attr_scan0.o attr_scan64.o \
+ 	attr_scan_plain.o auto_clnt.o base64_code.o basename.o binhash.o \
+ 	chroot_uid.o cidr_match.o clean_env.o close_on_exec.o concatenate.o \
+-	ctable.o dict.o dict_alloc.o dict_cdb.o dict_cidr.o dict_db.o \
++	ctable.o dict.o dict_alloc.o dict_cidr.o dict_db.o \
+ 	dict_dbm.o dict_debug.o dict_env.o dict_ht.o dict_ni.o dict_nis.o \
+-	dict_nisplus.o dict_open.o dict_pcre.o dict_regexp.o dict_sdbm.o \
+-	dict_static.o dict_tcp.o dict_unix.o dir_forest.o doze.o dummy_read.o \
++	dict_nisplus.o dict_open.o dict_regexp.o dict_sdbm.o \
++	dict_static.o dict_unix.o dir_forest.o doze.o dummy_read.o \
+ 	dummy_write.o duplex_pipe.o environ.o events.o exec_command.o \
+ 	fifo_listen.o fifo_trigger.o file_limit.o find_inet.o fsspace.o \
+ 	fullname.o get_domainname.o get_hostname.o hex_code.o hex_quote.o \
+ 	host_port.o htable.o inet_addr_host.o inet_addr_list.o \
+ 	inet_addr_local.o inet_connect.o inet_listen.o inet_proto.o \
+-	inet_trigger.o line_wrap.o lowercase.o lstat_as.o mac_expand.o \
++	inet_trigger.o line_wrap.o lowercase.o lstat_as.o mac_expand.o load_lib.o sdbm.o \
+ 	mac_parse.o make_dirs.o mask_addr.o match_list.o match_ops.o msg.o \
+ 	msg_output.o msg_syslog.o msg_vstream.o mvect.o myaddrinfo.o myflock.o \
+ 	mymalloc.o myrand.o mystrtok.o name_code.o name_mask.o netstring.o \
+@@ -76,7 +76,7 @@
+ 	msg_output.h msg_syslog.h msg_vstream.h mvect.h myaddrinfo.h myflock.h \
+ 	mymalloc.h myrand.h name_code.h name_mask.h netstring.h nvtable.h \
+ 	open_as.h open_lock.h percentm.h posix_signals.h readlline.h ring.h \
+-	safe.h safe_open.h sane_accept.h sane_connect.h sane_fsops.h \
++	safe.h safe_open.h sane_accept.h sane_connect.h sane_fsops.h sdbm.h load_lib.h \
+ 	sane_socketpair.h sane_time.h scan_dir.h set_eugid.h set_ugid.h \
+ 	sigdelay.h sock_addr.h spawn_command.h split_at.h stat_as.h \
+ 	stringops.h sys_defs.h timed_connect.h timed_wait.h trigger.h \
+@@ -88,6 +88,8 @@
+ CFLAGS	= $(DEBUG) $(OPT) $(DEFS)
+ FILES	= Makefile $(SRCS) $(HDRS)
+ INCL	=
++PCRESO  = dict_pcre.so
++TCPSO   = dict_tcp.so
+ LIB	= libutil.a
+ TESTPROG= dict_open dup2_pass_on_exec events exec_command fifo_open \
+ 	fifo_rdonly_bug fifo_rdwr_bug fifo_trigger fsspace fullname \
+@@ -102,10 +104,11 @@
+ 
+ LIB_DIR	= ../../lib
+ INC_DIR	= ../../include
++LIBS    = $(LIB_DIR)/$(LIB) $(LIB_DIR)/$(PCRESO) $(LIB_DIR)/$(TCPSO)
+ 
+-.c.o:;	$(CC) $(CFLAGS) -c $*.c
++.c.o:;	$(CC) -fPIC $(CFLAGS) -c $*.c
+ 
+-all: $(LIB)
++all: $(LIB) $(PCRESO) $(TCPSO)
+ 
+ $(OBJS): ../../conf/makedefs.out
+ 
+@@ -114,15 +117,25 @@
+ 
+ test:	$(TESTPROG)
+ 
++$(PCRESO): dict_pcre.o
++	gcc -shared -Wl,-soname,dict_pcre.so -o $@ $? -lpcre -L. -lutil
 +
-+    /*
-+     * See if this DBM file was written with no null byte appended to key and
-+     * value.
-+     */
-+    if (result == 0 && (dict->flags & DICT_FLAG_TRY0NULL)) {
-+	dbm_key.dptr = (void *) name;
-+	dbm_key.dsize = strlen(name);
-+	dbm_value = sdbm_fetch(dict_sdbm->dbm, dbm_key);
-+	if (dbm_value.dptr != 0) {
-+	    if (buf == 0)
-+		buf = vstring_alloc(10);
-+	    vstring_strncpy(buf, dbm_value.dptr, dbm_value.dsize);
-+	    dict->flags &= ~DICT_FLAG_TRY1NULL;
-+	    result = vstring_str(buf);
-+	}
-+    }
++$(TCPSO): dict_tcp.o
++	gcc -shared -Wl,-soname,dict_tcp.so -o $@ $? -L. -lutil
 +
-+    /*
-+     * Release the exclusive lock.
-+     */
-+    if ((dict->flags & DICT_FLAG_LOCK)
-+	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
-+	msg_fatal("%s: unlock dictionary: %m", dict_sdbm->path);
+ $(LIB):	$(OBJS)
+-	$(AR) $(ARFL) $(LIB) $?
+-	$(RANLIB) $(LIB)
++	gcc -shared -Wl,-soname,libpostfix-util.so.1 -o $(LIB) $(OBJS) -ldl $(SYSLIBS)
+ 
+ $(LIB_DIR)/$(LIB): $(LIB)
+ 	cp $(LIB) $(LIB_DIR)
+-	$(RANLIB) $(LIB_DIR)/$(LIB)
+ 
+-update: $(LIB_DIR)/$(LIB) $(HDRS)
++$(LIB_DIR)/$(PCRESO): $(PCRESO)
++	cp $(PCRESO) $(LIB_DIR)
 +
-+    return (result);
-+}
++$(LIB_DIR)/$(TCPSO): $(TCPSO)
++	cp $(TCPSO) $(LIB_DIR)
 +
-+/* dict_sdbm_update - add or update database entry */
++update: $(LIBS) $(HDRS)
+ 	-for i in $(HDRS); \
+ 	do \
+ 	  cmp -s $$i $(INC_DIR)/$$i 2>/dev/null || cp $$i $(INC_DIR); \
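Review bot: `LIBS` is redefined here as a list of install paths used as prerequisites of `update`, but in the global and master Makefile hunks `$(LIBS)` is passed to the linker as libraries to link against; reusing the name for a different purpose invites confusion, so call it INSTALL_LIBS or similar. The $(PCRESO) and $(TCPSO) rules link `$?` rather than `$^`; with a single prerequisite it works, but the $(CDBSO) rule in src/global shows how that breaks with two, so use `$^` throughout, and `$(CC)` instead of a hard-coded gcc for the shared-object links.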
+@@ -144,7 +157,8 @@
+ 	lint $(SRCS)
+ 
+ clean:
+-	rm -f *.o $(LIB) *core $(TESTPROG) junk $(MAKES) *.tmp
++	rm -f *.o $(LIB) $(PCRESO) $(TCPSO) *core $(TESTPROG) \
++		junk $(MAKES) *.tmp
+ 	rm -rf printfck
+ 
+ tidy:	clean
+diff -urNad postfix~/src/util/dict.h postfix/src/util/dict.h
+--- postfix~/src/util/dict.h	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/util/dict.h	2006-10-15 20:55:26.000000000 -0600
+@@ -65,6 +65,7 @@
+ #define DICT_FLAG_NO_UNAUTH	(1<<13)	/* disallow unauthenticated data */
+ #define DICT_FLAG_FOLD_FIX	(1<<14)	/* case-fold key with fixed-case map */
+ #define DICT_FLAG_FOLD_MUL	(1<<15)	/* case-fold key with multi-case map */
++#define DICT_FLAG_UPGRADE	(1<<30) /* Upgrade the db */
+ #define DICT_FLAG_FOLD_ANY	(DICT_FLAG_FOLD_FIX | DICT_FLAG_FOLD_MUL)
+ 
+  /* IMPORTANT: Update the dict_mask[] table when the above changes */
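Review bot: The comment immediately below the new DICT_FLAG_UPGRADE line says dict_mask[] must be updated when these flags change, and nothing in this patch touches dict_mask[]; either update that table or add a comment explaining why a flag consumed only by dict_db.c is exempt. A one-line note on why the bit jumps to 1<<30 (leaving room for upstream flags, presumably) would also help the next merge.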
+@@ -109,6 +110,11 @@
+ extern DICT *dict_open(const char *, int, int);
+ extern DICT *dict_open3(const char *, const char *, int, int);
+ extern void dict_open_register(const char *, DICT *(*) (const char *, int, int));
++#ifndef NO_DYNAMIC_MAPS
++extern void dict_open_dlinfo(const char *path);
++typedef void* (*dict_mkmap_func_t)(const char *);
++dict_mkmap_func_t dict_mkmap_func(const char *dict_type);
++#endif
+ 
+ #define dict_get(dp, key)	(dp)->lookup((dp), (key))
+ #define dict_put(dp, key, val)	(dp)->update((dp), (key), (val))
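Review bot: `dict_mkmap_func_t dict_mkmap_func(const char *dict_type);` is the only prototype in this block without `extern`; add it for consistency with the declarations above, and name the parameter of dict_open_dlinfo() in the same style as its neighbours (they are unnamed).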
+diff -urNad postfix~/src/util/dict_db.c postfix/src/util/dict_db.c
+--- postfix~/src/util/dict_db.c	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/util/dict_db.c	2006-10-15 20:55:26.000000000 -0600
+@@ -658,6 +658,12 @@
+ 	msg_fatal("set DB cache size %d: %m", dict_db_cache_size);
+     if (type == DB_HASH && db->set_h_nelem(db, DICT_DB_NELM) != 0)
+ 	msg_fatal("set DB hash element count %d: %m", DICT_DB_NELM);
++    if (dict_flags & DICT_FLAG_UPGRADE) {
++	if (msg_verbose)
++	    msg_info("upgrading database %s",db_path);
++	if ((errno = db->upgrade(db,db_path,0)) != 0)
++	    msg_fatal("upgrade of database %s: %m",db_path);
++    }
+ #if (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0)
+     if ((errno = db->open(db, 0, db_path, 0, type, db_flags, 0644)) != 0)
+ 	msg_fatal("open database %s: %m", db_path);
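Review bot: db->upgrade() rewrites the file in place and, per Berkeley DB's documentation, must not run while any other process has the database open; the postmap.c caller asks for DICT_FLAG_LOCK, but nothing here takes an exclusive lock before the upgrade, so either lock exclusively here or document that the map must be idle during `postmap -u`. Also, DB->upgrade returns DB-specific negative codes as well as errno values, so `%m` after `errno = db->upgrade(...)` can print a misleading message; the open call below uses the same idiom, so at least be consistent, but db_strerror() would be accurate for both.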
+diff -urNad postfix~/src/util/dict_dbm.c postfix/src/util/dict_dbm.c
+--- postfix~/src/util/dict_dbm.c	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/util/dict_dbm.c	2006-10-15 20:55:26.000000000 -0600
+@@ -401,6 +401,10 @@
+     char   *dbm_path;
+     int     lock_fd;
+ 
++#ifdef HAVE_GDBM
++    msg_fatal("%s: gdbm maps use locking that is incompatible with postfix.  Use a hash map instead.",
++		 path);
++#endif
+     /*
+      * Note: DICT_FLAG_LOCK is used only by programs that do fine-grained (in
+      * the time domain) locking while accessing individual database records.
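Review bot: The new check tests HAVE_GDBM, but the gdbm detection that used to live in makedefs (removed from this patch above) defined HAS_GDBM, and the other feature macros in this diff follow the HAS_ naming (HAS_LDAP, HAS_CDB, HAS_SDBM); if nothing defines HAVE_GDBM the msg_fatal() is dead code and gdbm-backed dbm maps open silently with the locking problem the message warns about. Confirm which macro the Debian build actually defines.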
+diff -urNad postfix~/src/util/dict_open.c postfix/src/util/dict_open.c
+--- postfix~/src/util/dict_open.c	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/util/dict_open.c	2006-10-15 20:55:26.000000000 -0600
+@@ -44,6 +44,8 @@
+ /*	DICT	*(*open) (const char *, int, int);
+ /*
+ /*	ARGV	*dict_mapnames()
++/*
++/*	void (*)() dict_mkmap_func(const char *dict_type)
+ /* DESCRIPTION
+ /*	This module implements a low-level interface to multiple
+ /*	physical dictionary types.
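Review bot: the SYNOPSIS line documents `dict_mkmap_func()` as returning `void (*)()`, while dict.h declares it as `dict_mkmap_func_t` (a `void *(*)(const char *)`); document the typedef'd type here so the manual page matches the header.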
+@@ -156,6 +158,9 @@
+ /*
+ /*	dict_mapnames() returns a sorted list with the names of all available
+ /*	dictionary types.
++/*
++/*	dict_mkmap_func() returns a pointer to the mkmap setup function
++/*	for the given map type, as given in /etc/dynamicmaps.cf
+ /* DIAGNOSTICS
+ /*	Fatal error: open error, unsupported dictionary type, attempt to
+ /*	update non-writable dictionary.
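Review bot: the description hard-codes `/etc/dynamicmaps.cf`, but `dict_open_dlinfo()` takes the path as an argument and the callers (the mail_conf.c and postconf.c hunks elsewhere in this patch) build it from `var_config_dir`; describe it as the dynamicmaps.cf file in the configuration directory, not as an absolute path.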
+@@ -180,6 +185,9 @@
+ #include <strings.h>
+ #endif
+ 
++#include <sys/stat.h>
++#include <unistd.h>
 +
-+static void dict_sdbm_update(DICT *dict, const char *name, const char *value)
-+{
-+    DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
-+    datum   dbm_key;
-+    datum   dbm_value;
-+    int     status;
+ /* Utility library. */
+ 
+ #include <argv.h>
+@@ -204,6 +212,27 @@
+ #include <split_at.h>
+ #include <htable.h>
+ 
++#ifndef NO_DYNAMIC_MAPS
++#include <load_lib.h>
++#include <vstring.h>
++#include <vstream.h>
++#include <vstring_vstream.h>
++#include <mvect.h>
 +
-+    dbm_key.dptr = (void *) name;
-+    dbm_value.dptr = (void *) value;
-+    dbm_key.dsize = strlen(name);
-+    dbm_value.dsize = strlen(value);
++ /*
++  * Interface for dynamic map loading.
++  */
++typedef struct {
++    const char  *pattern;
++    const char  *soname;
++    const char  *openfunc;
++    const char  *mkmapfunc;
++} DLINFO;
 +
-+    /*
-+     * If undecided about appending a null byte to key and value, choose a
-+     * default depending on the platform.
-+     */
-+    if ((dict->flags & DICT_FLAG_TRY1NULL)
-+	&& (dict->flags & DICT_FLAG_TRY0NULL)) {
-+#ifdef DBM_NO_TRAILING_NULL
-+	dict->flags &= ~DICT_FLAG_TRY1NULL;
++static DLINFO *dict_dlinfo;
++static DLINFO *dict_open_dlfind(const char *type);
++#endif
++
+  /*
+   * lookup table for available map types.
+   */
+@@ -213,14 +242,18 @@
+ } DICT_OPEN_INFO;
+ 
+ static DICT_OPEN_INFO dict_open_info[] = {
++#ifndef MAX_DYNAMIC_MAPS
+ #ifdef HAS_CDB
+     DICT_TYPE_CDB, dict_cdb_open,
+ #endif
++#endif /* MAX_DYNAMIC_MAPS */
+     DICT_TYPE_ENVIRON, dict_env_open,
+     DICT_TYPE_UNIX, dict_unix_open,
++#ifndef MAX_DYNAMIC_MAPS
+ #ifdef SNAPSHOT
+     DICT_TYPE_TCP, dict_tcp_open,
+ #endif
++#endif
+ #ifdef HAS_SDBM
+     DICT_TYPE_SDBM, dict_sdbm_open,
+ #endif
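Review bot: `MAX_DYNAMIC_MAPS` and `NO_DYNAMIC_MAPS` are two independently defined macros that have to stay consistent: with both defined, cdb, tcp and pcre are removed from the static table here while the dynamic loader in `dict_open()` is compiled out, leaving those types unreachable with no build-time diagnostic. Add `#if defined(MAX_DYNAMIC_MAPS) && defined(NO_DYNAMIC_MAPS)` / `#error` near the top of the file, plus a comment stating what each macro means.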
+@@ -240,9 +273,11 @@
+ #ifdef HAS_NETINFO
+     DICT_TYPE_NETINFO, dict_ni_open,
+ #endif
++#ifndef MAX_DYNAMIC_MAPS
+ #ifdef HAS_PCRE
+     DICT_TYPE_PCRE, dict_pcre_open,
+ #endif
++#endif /* MAX_DYNAMIC_MAPS */
+ #ifdef HAS_POSIX_REGEXP
+     DICT_TYPE_REGEXP, dict_regexp_open,
+ #endif
+@@ -300,8 +335,31 @@
+ 		  dict_type, dict_name);
+     if (dict_open_hash == 0)
+ 	dict_open_init();
+-    if ((dp = (DICT_OPEN_INFO *) htable_find(dict_open_hash, dict_type)) == 0)
+-	msg_fatal("unsupported dictionary type: %s", dict_type);
++    if ((dp = (DICT_OPEN_INFO *) htable_find(dict_open_hash, dict_type)) == 0) {
++#ifdef NO_DYNAMIC_MAPS
++	msg_fatal("%s: unsupported dictionary type: %s", myname, dict_type);
 +#else
-+	dict->flags &= ~DICT_FLAG_TRY0NULL;
++	struct stat st;
++	LIB_FN fn[2];
++	DICT *(*open) (const char *, int, int);
++	DLINFO *dl=dict_open_dlfind(dict_type);
++	if (!dl)
++	    msg_fatal("%s: unsupported dictionary type: %s:  Is the postfix-%s package installed?", myname, dict_type, dict_type);
++	if (stat(dl->soname,&st) < 0) {
++	    msg_fatal("%s: unsupported dictionary type: %s (%s not found.  Is the postfix-%s package installed?)",
++		myname, dict_type, dl->soname, dict_type);
++	}
++	fn[0].name = dl->openfunc;
++	fn[0].ptr  = (void**)&open;
++	fn[1].name = NULL;
++	load_library_symbols(dl->soname, fn, NULL);
++	dict_open_register(dict_type, open);
++	dp = (DICT_OPEN_INFO *) htable_find(dict_open_hash, dict_type);
 +#endif
 +    }
-+
-+    /*
-+     * Optionally append a null byte to key and value.
-+     */
-+    if (dict->flags & DICT_FLAG_TRY1NULL) {
-+	dbm_key.dsize++;
-+	dbm_value.dsize++;
++    if (msg_verbose>1) {
++	msg_info("%s: calling %s open routine",myname,dict_type);
 +    }
-+
-+    /*
-+     * Acquire an exclusive lock.
-+     */
-+    if ((dict->flags & DICT_FLAG_LOCK)
-+	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) < 0)
-+	msg_fatal("%s: lock dictionary: %m", dict_sdbm->path);
-+
-+    /*
-+     * Do the update.
-+     */
-+    if ((status = sdbm_store(dict_sdbm->dbm, dbm_key, dbm_value,
-+     (dict->flags & DICT_FLAG_DUP_REPLACE) ? DBM_REPLACE : DBM_INSERT)) < 0)
-+	msg_fatal("error writing SDBM database %s: %m", dict_sdbm->path);
-+    if (status) {
-+	if (dict->flags & DICT_FLAG_DUP_IGNORE)
-+	     /* void */ ;
-+	else if (dict->flags & DICT_FLAG_DUP_WARN)
-+	    msg_warn("%s: duplicate entry: \"%s\"", dict_sdbm->path, name);
-+	else
-+	    msg_fatal("%s: duplicate entry: \"%s\"", dict_sdbm->path, name);
+     if ((dict = dp->open(dict_name, open_flags, dict_flags)) == 0)
+ 	msg_fatal("opening %s:%s %m", dict_type, dict_name);
+     if (msg_verbose)
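Review bot: the fallback path in `dict_open()` loads whatever shared object dynamicmaps.cf names into the calling process, and every Postfix program that opens a table goes through this code, so the `stat()` result should do more than confirm existence: reject sonames that are not root-owned or are group/world writable (`st.st_uid`, `st.st_mode`), otherwise the check is only a friendlier duplicate of the error `dlopen()` already reports. Two smaller points: the local `DICT *(*open)(...)` shadows `open(2)` and is easy to misread; and `dict_open_register(dict_type, open)` registers the type under the requested name rather than `dl->pattern`, which is fine while `STREQ` is an exact match but breaks the moment patterns stop being literal strings (the parser still warns about `*`).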
+@@ -309,6 +367,36 @@
+     return (dict);
+ }
+ 
++dict_mkmap_func_t dict_mkmap_func(const char *dict_type)
++{
++    char   *myname="dict_mkmap_func";
++    struct stat st;
++    LIB_FN fn[2];
++    dict_mkmap_func_t mkmap;
++    DLINFO *dl;
++#ifndef NO_DYNAMIC_MAPS
++    if (!dict_dlinfo)
++	msg_fatal("dlinfo==NULL");
++    dl=dict_open_dlfind(dict_type);
++    if (!dl)
++	msg_fatal("%s: unsupported dictionary type: %s:  Is the postfix-%s package installed?", myname, dict_type, dict_type);
++    if (stat(dl->soname,&st) < 0) {
++	msg_fatal("%s: unsupported dictionary type: %s (%s not found.  Is the postfix-%s package installed?)",
++	    myname, dict_type, dl->soname, dict_type);
 +    }
++    if (!dl->mkmapfunc)
++	msg_fatal("%s: unsupported dictionary type: %s does not allow map creation.", myname, dict_type);
 +
-+    /*
-+     * Release the exclusive lock.
-+     */
-+    if ((dict->flags & DICT_FLAG_LOCK)
-+	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
-+	msg_fatal("%s: unlock dictionary: %m", dict_sdbm->path);
++    fn[0].name = dl->mkmapfunc;
++    fn[0].ptr  = (void**)&mkmap;
++    fn[1].name = NULL;
++    load_library_symbols(dl->soname, fn, NULL);
++    return mkmap;
++#else
++    return (void(*)())NULL;
++#endif
 +}
 +
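Review bot: in `dict_mkmap_func()`, `myname`, `st`, `fn` and `dl` are declared outside the `#ifndef NO_DYNAMIC_MAPS` block, so a NO_DYNAMIC_MAPS build gets unused-variable warnings, and the `#else` branch returns `(void(*)())NULL`, which does not match the declared `dict_mkmap_func_t` return type; move the declarations inside the `#ifndef` and `return (dict_mkmap_func_t) 0;`. The `msg_fatal("dlinfo==NULL")` text is what an administrator sees when a tool calls this before `dict_open_dlinfo()`; a message naming dynamicmaps.cf would be more useful.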
+ /* dict_open_register - register dictionary type */
+ 
+ void    dict_open_register(const char *type,
+@@ -342,6 +430,9 @@
+     HTABLE_INFO **ht;
+     DICT_OPEN_INFO *dp;
+     ARGV   *mapnames;
++#ifndef NO_DYNAMIC_MAPS
++    DLINFO *dlp;
++#endif
+ 
+     if (dict_open_hash == 0)
+ 	dict_open_init();
+@@ -350,6 +441,13 @@
+ 	dp = (DICT_OPEN_INFO *) ht[0]->value;
+ 	argv_add(mapnames, dp->type, ARGV_END);
+     }
++#ifndef NO_DYNAMIC_MAPS
++    if (!dict_dlinfo)
++	msg_fatal("dlinfo==NULL");
++    for (dlp=dict_dlinfo; dlp->pattern; dlp++) {
++	argv_add(mapnames, dlp->pattern, ARGV_END);
++    }
++#endif
+     qsort((void *) mapnames->argv, mapnames->argc, sizeof(mapnames->argv[0]),
+ 	  dict_sort_alpha_cpp);
+     myfree((char *) ht_info);
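Review bot: the dynamic entries are appended without de-duplication, so a type that is both listed in dynamicmaps.cf and compiled in (or listed twice in the file) shows up twice in `postconf -m` output; skip patterns already present in `dict_open_hash` via `htable_find()` before `argv_add()`. The same remark about the `msg_fatal("dlinfo==NULL")` wording as for `dict_mkmap_func()` applies here.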
+@@ -357,6 +455,87 @@
+     return mapnames;
+ }
+ 
++#ifndef NO_DYNAMIC_MAPS
++#define	STREQ(x,y) (x == y || (x[0] == y[0] && strcmp(x,y) == 0))
 +
-+/* dict_sdbm_delete - delete one entry from the dictionary */
-+
-+static int dict_sdbm_delete(DICT *dict, const char *name)
++void dict_open_dlinfo(const char *path)
 +{
-+    DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
-+    datum   dbm_key;
-+    int     status = 1;
-+    int     flags = 0;
++    char    *myname="dict_open_dlinfo";
++    VSTREAM *conf_fp=vstream_fopen(path,O_RDONLY,0);
++    VSTRING *buf = vstring_alloc(100);
++    char    *cp;
++    ARGV    *argv;
++    MVECT    vector;
++    int      nelm=0;
++    int      linenum=0;
 +
-+    /*
-+     * Acquire an exclusive lock.
-+     */
-+    if ((dict->flags & DICT_FLAG_LOCK)
-+	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) < 0)
-+	msg_fatal("%s: lock dictionary: %m", dict_sdbm->path);
++    dict_dlinfo=(DLINFO*)mvect_alloc(&vector,sizeof(DLINFO),3,NULL,NULL);
 +
-+    /*
-+     * See if this DBM file was written with one null byte appended to key
-+     * and value.
-+     */
-+    if (dict->flags & DICT_FLAG_TRY1NULL) {
-+	dbm_key.dptr = (void *) name;
-+	dbm_key.dsize = strlen(name) + 1;
-+	sdbm_clearerr(dict_sdbm->dbm);
-+	if ((status = sdbm_delete(dict_sdbm->dbm, dbm_key)) < 0) {
-+	    if (sdbm_error(dict_sdbm->dbm) != 0)	/* fatal error */
-+		msg_fatal("error deleting from %s: %m", dict_sdbm->path);
-+	    status = 1;				/* not found */
-+	} else {
-+	    dict->flags &= ~DICT_FLAG_TRY0NULL;	/* found */
++    if (!conf_fp) {
++	msg_warn("%s: cannot open %s.  No dynamic maps will be allowed.",
++		myname, path);
++    } else {
++	while (vstring_get_nonl(buf,conf_fp) != VSTREAM_EOF) {
++	    cp = vstring_str(buf);
++	    linenum++;
++	    if (*cp == '#' || *cp == '\0')
++		continue;
++	    argv = argv_split(cp, " \t");
++	    if (argv->argc != 3 && argv->argc != 4) {
++		msg_fatal("%s: Expected \"pattern .so-name open-function [mkmap-function]\" at line %d",
++			  myname, linenum);
++	    }
++	    if (STREQ(argv->argv[0],"*")) {
++		msg_warn("%s: wildcard dynamic map entry no longer supported.",
++			  myname);
++		continue;
++	    }
++	    if (argv->argv[1][0] != '/') {
++		msg_fatal("%s: .so name must begin with a \"/\" at line %d",
++			  myname, linenum);
++	    }
++	    if (nelm >= vector.nelm) {
++		dict_dlinfo=(DLINFO*)mvect_realloc(&vector,vector.nelm+3);
++	    }
++	    dict_dlinfo[nelm].pattern  = mystrdup(argv->argv[0]);
++	    dict_dlinfo[nelm].soname   = mystrdup(argv->argv[1]);
++	    dict_dlinfo[nelm].openfunc = mystrdup(argv->argv[2]);
++	    if (argv->argc==4)
++		dict_dlinfo[nelm].mkmapfunc = mystrdup(argv->argv[3]);
++	    else
++		dict_dlinfo[nelm].mkmapfunc = NULL;
++	    nelm++;
++	    argv_free(argv);
 +	}
 +    }
-+
-+    /*
-+     * See if this DBM file was written with no null byte appended to key and
-+     * value.
-+     */
-+    if (status > 0 && (dict->flags & DICT_FLAG_TRY0NULL)) {
-+	dbm_key.dptr = (void *) name;
-+	dbm_key.dsize = strlen(name);
-+	sdbm_clearerr(dict_sdbm->dbm);
-+	if ((status = sdbm_delete(dict_sdbm->dbm, dbm_key)) < 0) {
-+	    if (sdbm_error(dict_sdbm->dbm) != 0)	/* fatal error */
-+		msg_fatal("error deleting from %s: %m", dict_sdbm->path);
-+	    status = 1;				/* not found */
-+	} else {
-+	    dict->flags &= ~DICT_FLAG_TRY1NULL;	/* found */
-+	}
++    if (nelm >= vector.nelm) {
++	dict_dlinfo=(DLINFO*)mvect_realloc(&vector,vector.nelm+1);
 +    }
-+
-+    /*
-+     * Release the exclusive lock.
-+     */
-+    if ((dict->flags & DICT_FLAG_LOCK)
-+	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
-+	msg_fatal("%s: unlock dictionary: %m", dict_sdbm->path);
-+
-+    return (status);
++    dict_dlinfo[nelm].pattern  = NULL;
++    dict_dlinfo[nelm].soname   = NULL;
++    dict_dlinfo[nelm].openfunc = NULL;
++    dict_dlinfo[nelm].mkmapfunc = NULL;
++    if (conf_fp)
++	vstream_fclose(conf_fp);
++    vstring_free(buf);
 +}
 +
-+/* traverse the dictionary */
-+
-+static int dict_sdbm_sequence(DICT *dict, const int function,
-+			             const char **key, const char **value)
++static DLINFO *dict_open_dlfind(const char *type)
 +{
-+    char   *myname = "dict_sdbm_sequence";
-+    DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
-+    datum   dbm_key;
-+    datum   dbm_value;
-+    int     status = 0;
-+    static VSTRING *key_buf;
-+    static VSTRING *value_buf;
++    DLINFO *dp;
 +
-+    /*
-+     * Acquire an exclusive lock.
-+     */
-+    if ((dict->flags & DICT_FLAG_LOCK)
-+	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) < 0)
-+	msg_fatal("%s: lock dictionary: %m", dict_sdbm->path);
++    if (!dict_dlinfo)
++	return NULL;
 +
-+    /*
-+     * Determine and execute the seek function. It returns the key.
-+     */
-+    switch (function) {
-+    case DICT_SEQ_FUN_FIRST:
-+	dbm_key = sdbm_firstkey(dict_sdbm->dbm);
-+	break;
-+    case DICT_SEQ_FUN_NEXT:
-+	dbm_key = sdbm_nextkey(dict_sdbm->dbm);
-+	break;
-+    default:
-+	msg_panic("%s: invalid function: %d", myname, function);
++    for (dp=dict_dlinfo; dp->pattern; dp++) {
++	if (STREQ(dp->pattern,type))
++	    return dp;
 +    }
++    return NULL;
++}
 +
-+    /*
-+     * Release the exclusive lock.
-+     */
-+    if ((dict->flags & DICT_FLAG_LOCK)
-+	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
-+	msg_fatal("%s: unlock dictionary: %m", dict_sdbm->path);
++#endif /* !NO_DYNAMIC_MAPS */
 +
-+    if (dbm_key.dptr != 0 && dbm_key.dsize > 0) {
+ #ifdef TEST
+ 
+  /*
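Review bot: in `dict_open_dlinfo()` the wildcard `continue` after the `STREQ(argv->argv[0],"*")` check skips `argv_free(argv)` and leaks the split line, and a line containing only whitespace passes the `*cp == '#' || *cp == '\0'` test, gives `argc == 0` from `argv_split()`, and dies with the misleading 'Expected "pattern .so-name ..."' error, so blank lines should be skipped before splitting. The `STREQ` macro evaluates both arguments more than once and reads `x[0]`/`y[0]` with no NULL guard (only `x == y` covers the both-NULL case); a plain `strcmp()` is safer and this comparison is not hot. Requiring the soname to begin with `/` is the right call, since it stops `dlopen()` from searching `LD_LIBRARY_PATH` or the default library path for a name taken from a configuration file.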
+diff -urNad postfix~/src/util/load_lib.c postfix/src/util/load_lib.c
+--- postfix~/src/util/load_lib.c	1969-12-31 17:00:00.000000000 -0700
++++ postfix/src/util/load_lib.c	2006-10-15 20:55:26.000000000 -0600
+@@ -0,0 +1,135 @@
++/*++
++/* NAME
++/*	load_lib 3
++/* SUMMARY
++/*	library loading wrappers
++/* SYNOPSIS
++/*	#include <load_lib.h>
++/*
++/*	extern int  load_library_symbols(const char *, LIB_FN *, LIB_FN *);
++/*	const char *libname;
++/*      LIB_FN     *libfuncs;
++/*      LIB_FN     *libdata;
++/*
++/* DESCRIPTION
++/*	This module loads functions from libraries, returnine pointers
++/*	to the named functions.
++/*
++/*	load_library_symbols() loads all of the desired functions, and
++/*	returns zero for success, or exits via msg_fatal().
++/*
++/* SEE ALSO
++/*	msg(3) diagnostics interface
++/* DIAGNOSTICS
++/*	Problems are reported via the msg(3) diagnostics routines:
++/*	library not found, symbols not found, other fatal errors.
++/* LICENSE
++/* .ad
++/* .fi
++/*	The Secure Mailer license must be distributed with this software.
++/* AUTHOR(S)
++/*	LaMont Jones
++/*	Hewlett-Packard Company
++/*	3404 Harmony Road
++/*	Fort Collins, CO 80528, USA
++/*
++/*	Wietse Venema
++/*	IBM T.J. Watson Research
++/*	P.O. Box 704
++/*	Yorktown Heights, NY 10598, USA
++/*--*/
 +
-+	/*
-+	 * See if this DB file was written with one null byte appended to key
-+	 * an d value or not. If necessary, copy the key.
-+	 */
-+	if (((char *) dbm_key.dptr)[dbm_key.dsize - 1] == 0) {
-+	    *key = dbm_key.dptr;
-+	} else {
-+	    if (key_buf == 0)
-+		key_buf = vstring_alloc(10);
-+	    vstring_strncpy(key_buf, dbm_key.dptr, dbm_key.dsize);
-+	    *key = vstring_str(key_buf);
-+	}
++/* System libraries. */
 +
-+	/*
-+	 * Fetch the corresponding value.
-+	 */
-+	dbm_value = sdbm_fetch(dict_sdbm->dbm, dbm_key);
++#include "sys_defs.h"
++#include <stdlib.h>
++#include <stddef.h>
++#include <string.h>
++#if defined(HAS_DLOPEN)
++#include <dlfcn.h>
++#elif defined(HAS_SHL_LOAD)
++#include <dl.h>
++#endif
 +
-+	if (dbm_value.dptr != 0 && dbm_value.dsize > 0) {
++/* Application-specific. */
 +
-+	    /*
-+	     * See if this DB file was written with one null byte appended to
-+	     * key and value or not. If necessary, copy the key.
-+	     */
-+	    if (((char *) dbm_value.dptr)[dbm_value.dsize - 1] == 0) {
-+		*value = dbm_value.dptr;
-+	    } else {
-+		if (value_buf == 0)
-+		    value_buf = vstring_alloc(10);
-+		vstring_strncpy(value_buf, dbm_value.dptr, dbm_value.dsize);
-+		*value = vstring_str(value_buf);
-+	    }
-+	} else {
++#include "msg.h"
++#include "load_lib.h"
 +
-+	    /*
-+	     * Determine if we have hit the last record or an error
-+	     * condition.
-+	     */
-+	    if (sdbm_error(dict_sdbm->dbm))
-+		msg_fatal("error seeking %s: %m", dict_sdbm->path);
-+	    return (1);				/* no error: eof/not found
-+						 * (should not happen!) */
-+	}
-+    } else {
-+
-+	/*
-+	 * Determine if we have hit the last record or an error condition.
-+	 */
-+	if (sdbm_error(dict_sdbm->dbm))
-+	    msg_fatal("error seeking %s: %m", dict_sdbm->path);
-+	return (1);				/* no error: eof/not found */
-+    }
-+    return (0);
-+}
-+
-+/* dict_sdbm_close - disassociate from data base */
-+
-+static void dict_sdbm_close(DICT *dict)
++extern int  load_library_symbols(const char * libname, LIB_FN * libfuncs, LIB_FN * libdata)
 +{
-+    DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
++    char   *myname = "load_library_symbols";
++    LIB_FN *fn;
 +
-+    sdbm_close(dict_sdbm->dbm);
-+    myfree(dict_sdbm->path);
-+    myfree((char *) dict_sdbm);
-+}
++#if defined(HAS_DLOPEN)
++    void   *handle;
++    char   *emsg;
 +
-+/* dict_sdbm_open - open SDBM data base */
++    handle=dlopen(libname,RTLD_NOW);
++    emsg=dlerror();
++    if (emsg) {
++	msg_fatal("%s: dlopen failure loading %s: %s", myname, libname, emsg);
++    }
 +
-+DICT   *dict_sdbm_open(const char *path, int open_flags, int dict_flags)
-+{
-+    DICT_SDBM *dict_sdbm;
-+    struct stat st;
-+    SDBM   *dbm;
-+    char   *dbm_path;
-+    int     lock_fd;
++    if (libfuncs) {
++	for (fn=libfuncs; fn->name; fn++) {
++	    *(fn->ptr) = dlsym(handle,fn->name);
++	    emsg=dlerror();
++	    if (emsg) {
++		msg_fatal("%s: dlsym failure looking up %s in %s: %s", myname,
++			  fn->name, libname, emsg);
++	    }
++	    if (msg_verbose>1) {
++		msg_info("loaded %s = %lx",fn->name, *((long*)(fn->ptr)));
++	    }
++	}
++    }
 +
-+    if (dict_flags & DICT_FLAG_LOCK) {
-+	dbm_path = concatenate(path, ".pag", (char *) 0);
-+	if ((lock_fd = open(dbm_path, open_flags, 0644)) < 0)
-+	    msg_fatal("open database %s: %m", dbm_path);
-+	if (myflock(lock_fd, INTERNAL_LOCK, MYFLOCK_OP_SHARED) < 0)
-+	    msg_fatal("shared-lock database %s for open: %m", dbm_path);
++    if (libdata) {
++	for (fn=libdata; fn->name; fn++) {
++	    *(fn->ptr) = dlsym(handle,fn->name);
++	    emsg=dlerror();
++	    if (emsg) {
++		msg_fatal("%s: dlsym failure looking up %s in %s: %s", myname,
++			  fn->name, libname, emsg);
++	    }
++	    if (msg_verbose>1) {
++		msg_info("loaded %s = %lx",fn->name, *((long*)(fn->ptr)));
++	    }
++	}
 +    }
++#elif defined(HAS_SHL_LOAD)
++    shl_t   handle;
 +
-+    /*
-+     * XXX SunOS 5.x has no const in dbm_open() prototype.
-+     */
-+    if ((dbm = sdbm_open((char *) path, open_flags, 0644)) == 0)
-+	msg_fatal("open database %s.{dir,pag}: %m", path);
++    handle = shl_load(libname,BIND_IMMEDIATE,0);
 +
-+    if (dict_flags & DICT_FLAG_LOCK) {
-+	if (myflock(lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
-+	    msg_fatal("unlock database %s for open: %m", dbm_path);
-+	if (close(lock_fd) < 0)
-+	    msg_fatal("close database %s: %m", dbm_path);
-+	myfree(dbm_path);
++    if (libfuncs) {
++	for (fn=libfuncs; fn->name; fn++) {
++	    if (shl_findsym(&handle,fn->name,TYPE_PROCEDURE,fn->ptr) != 0) {
++		msg_fatal("%s: shl_findsym failure looking up %s in %s: %m",
++			  myname, fn->name, libname);
++	    }
++	    if (msg_verbose>1) {
++		msg_info("loaded %s = %x",fn->name, *((long*)(fn->ptr)));
++	    }
++	}
 +    }
-+    dict_sdbm = (DICT_SDBM *) mymalloc(sizeof(*dict_sdbm));
-+    dict_sdbm->dict.lookup = dict_sdbm_lookup;
-+    dict_sdbm->dict.update = dict_sdbm_update;
-+    dict_sdbm->dict.delete = dict_sdbm_delete;
-+    dict_sdbm->dict.sequence = dict_sdbm_sequence;
-+    dict_sdbm->dict.close = dict_sdbm_close;
-+    dict_sdbm->dict.lock_fd = sdbm_dirfno(dbm);
-+    dict_sdbm->dict.stat_fd = sdbm_pagfno(dbm);
-+    if (fstat(dict_sdbm->dict.stat_fd, &st) < 0)
-+	msg_fatal("dict_sdbm_open: fstat: %m");
-+    dict_sdbm->dict.mtime = st.st_mtime;
-+    close_on_exec(sdbm_pagfno(dbm), CLOSE_ON_EXEC);
-+    close_on_exec(sdbm_dirfno(dbm), CLOSE_ON_EXEC);
-+    dict_sdbm->dict.flags = dict_flags | DICT_FLAG_FIXED;
-+    if ((dict_flags & (DICT_FLAG_TRY0NULL | DICT_FLAG_TRY1NULL)) == 0)
-+	dict_sdbm->dict.flags |= (DICT_FLAG_TRY0NULL | DICT_FLAG_TRY1NULL);
-+    dict_sdbm->dbm = dbm;
-+    dict_sdbm->path = mystrdup(path);
 +
-+    return (&dict_sdbm->dict);
-+}
++    if (libdata) {
++	for (fn=libdata; fn->name; fn++) {
++	    if (shl_findsym(&handle,fn->name,TYPE_DATA,fn->ptr) != 0) {
++		msg_fatal("%s: shl_findsym failure looking up %s in %s: %m",
++			  myname, fn->name, libname);
++	    }
++	    if (msg_verbose>1) {
++		msg_info("loaded %s = %x",fn->name, *((long*)(fn->ptr)));
++	    }
++	}
++    }
 +
-+#include "mkmap.h"
-+
-+typedef struct MKMAP_DBM {
-+    MKMAP   mkmap;			/* parent class */
-+    char   *lock_file;			/* path name */
-+    int     lock_fd;			/* -1 or open locked file */
-+} MKMAP_DBM;
-+
-+/* mkmap_dbm_after_close - clean up after closing database */
-+
-+static void mkmap_sdbm_after_close(MKMAP *mp)
-+{
-+    MKMAP_DBM *mkmap = (MKMAP_DBM *) mp;
-+
-+    if (mkmap->lock_fd >= 0 && close(mkmap->lock_fd) < 0)
-+	msg_warn("close %s: %m", mkmap->lock_file);
-+    myfree(mkmap->lock_file);
++#else
++    msg_fatal("%s: need dlopen or shl_load support for dynamic libraries",
++		myname);
++#endif
++    return 0;
 +}
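Review bot: `load_library_symbols()` tests `dlerror()` instead of the `dlopen()` return value; the portable failure indicator is `handle == NULL`, and a stale message left by an earlier dl call elsewhere in the process would be reported as a failure here. Use `if ((handle = dlopen(libname, RTLD_NOW)) == 0) msg_fatal(..., dlerror());`, call `dlerror()` once beforehand to clear stale state, and keep the `dlerror()` check after each `dlsym()` since NULL can be a valid symbol value. The `libfuncs` and `libdata` loops are identical in both branches and could be one helper; the shl_load branch logs with `%x` where the dlopen branch uses `%lx` for the same `long`; and the doc comment has a typo, 'returnine' for 'returning'.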
+diff -urNad postfix~/src/util/load_lib.h postfix/src/util/load_lib.h
+--- postfix~/src/util/load_lib.h	1969-12-31 17:00:00.000000000 -0700
++++ postfix/src/util/load_lib.h	2006-10-15 20:55:26.000000000 -0600
+@@ -0,0 +1,41 @@
++#ifndef _LOAD_LIB_H_INCLUDED_
++#define _LOAD_LIB_H_INCLUDED_
 +
-+/* mkmap_sdbm_open - create or open database */
-+
-+MKMAP  *mkmap_sdbm_open(const char *path)
-+{
-+    MKMAP_DBM *mkmap = (MKMAP_DBM *) mymalloc(sizeof(*mkmap));
-+    char   *pag_file;
-+    int     pag_fd;
-+
-+    /*
-+     * Fill in the generic members.
-+     */
-+    mkmap->lock_file = concatenate(path, ".dir", (char *) 0);
-+    mkmap->mkmap.open = dict_sdbm_open;
-+    mkmap->mkmap.after_open = 0;
-+    mkmap->mkmap.after_close = mkmap_sdbm_after_close;
-+
-+    /*
-+     * Unfortunately, not all systems support locking on open(), so we open
-+     * the .dir and .pag files before truncating them. Keep one file open for
-+     * locking.
-+     */
-+    if ((mkmap->lock_fd = open(mkmap->lock_file, O_CREAT | O_RDWR, 0644)) < 0)
-+	msg_fatal("open %s: %m", mkmap->lock_file);
-+
-+    pag_file = concatenate(path, ".pag", (char *) 0);
-+    if ((pag_fd = open(pag_file, O_CREAT | O_RDWR, 0644)) < 0)
-+	msg_fatal("open %s: %m", pag_file);
-+    if (close(pag_fd))
-+	msg_warn("close %s: %m", pag_file);
-+    myfree(pag_file);
-+
-+    /*
-+     * Get an exclusive lock - we're going to change the database so we can't
-+     * have any spectators.
-+     */
-+    if (myflock(mkmap->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) < 0)
-+	msg_fatal("lock %s: %m", mkmap->lock_file);
-+
-+    return (&mkmap->mkmap);
-+}
-+
-diff -urNad postfix-release/src/global/dict_sdbm.h /tmp/dpep.TxugCA/postfix-release/src/global/dict_sdbm.h
---- postfix-release/src/global/dict_sdbm.h	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/global/dict_sdbm.h	2004-12-27 22:29:11.317099212 -0700
-@@ -0,0 +1,36 @@
-+#ifndef _DICT_SDBM_H_INCLUDED_
-+#define _DICT_SDBM_H_INCLUDED_
-+
 +/*++
 +/* NAME
-+/*	dict_dbm 3h
++/*	load_lib 3h
 +/* SUMMARY
-+/*	dictionary manager interface to DBM files
++/*	library loading wrappers
 +/* SYNOPSIS
-+/*	#include <dict_dbm.h>
++/*	#include "load_lib.h"
 +/* DESCRIPTION
 +/* .nf
 +
 + /*
-+  * Utility library.
-+  */
-+#include <dict.h>
-+
-+ /*
 +  * External interface.
 +  */
-+#define DICT_TYPE_SDBM	"sdbm"
-+extern DICT *dict_sdbm_open(const char *, int, int);
++/* NULL name terminates list */
++typedef struct LIB_FN {
++    const char *name;
++    void       **ptr;
++} LIB_FN;
 +
++extern int  load_library_symbols(const char *, LIB_FN *, LIB_FN *);
++
 +/* LICENSE
 +/* .ad
 +/* .fi
 +/*	The Secure Mailer license must be distributed with this software.
 +/* AUTHOR(S)
++/*	LaMont Jones
++/*	Hewlett-Packard Company
++/*	3404 Harmony Road
++/*	Fort Collins, CO 80528, USA
++/*
 +/*	Wietse Venema
 +/*	IBM T.J. Watson Research
 +/*	P.O. Box 704
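Review bot: `LIB_FN.ptr` is a `void **`, and the dict_open.c callers pass `(void**)&open` and `(void**)&mkmap`, the address of a function pointer; `dlsym()` forces this on POSIX, but the cast is undefined under strict C and breaks where code and data pointers differ in size, so either add a function-pointer member (or union) to `LIB_FN` or document the assumption beside the struct. The SYNOPSIS also shows `#include "load_lib.h"` while dict_open.c uses `<load_lib.h>`.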
@@ -734,126 +1069,9 @@
 +/*--*/
 +
 +#endif
-diff -urNad postfix-release/src/global/mail_conf.c /tmp/dpep.TxugCA/postfix-release/src/global/mail_conf.c
---- postfix-release/src/global/mail_conf.c	2004-12-27 22:28:28.642272500 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/global/mail_conf.c	2004-12-27 22:29:11.318098997 -0700
-@@ -175,6 +175,13 @@
-     path = concatenate(var_config_dir, "/", "main.cf", (char *) 0);
-     dict_load_file(CONFIG_DICT, path);
-     myfree(path);
-+
-+#ifndef NO_DYNAMIC_MAPS
-+    path = concatenate(var_config_dir, "/", "dynamicmaps.cf", (char *) 0);
-+    dict_open_dlinfo(path);
-+    myfree(path);
-+#endif
-+
- }
- 
- /* mail_conf_eval - expand macros in string */
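Review bot: nothing in the new dpatch shown here replaces the `dict_open_dlinfo()` call that this removal takes out of mail_conf.c, while the new `dict_mkmap_func()` and `dict_mapnames()` in dict_open.c die with `dlinfo==NULL` if that call never happens; confirm the call moved to another patch rather than disappearing, otherwise every dynamic-map open fails.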
-diff -urNad postfix-release/src/global/mail_dict.c /tmp/dpep.TxugCA/postfix-release/src/global/mail_dict.c
---- postfix-release/src/global/mail_dict.c	2004-12-27 22:28:28.642272500 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/global/mail_dict.c	2004-12-27 22:29:11.318098997 -0700
-@@ -45,6 +45,7 @@
- 
- static DICT_OPEN_INFO dict_open_info[] = {
-     DICT_TYPE_PROXY, dict_proxy_open,
-+#ifndef MAX_DYNAMIC_MAPS
- #ifdef HAS_LDAP
-     DICT_TYPE_LDAP, dict_ldap_open,
- #endif
-@@ -54,6 +55,7 @@
- #ifdef HAS_PGSQL
-     DICT_TYPE_PGSQL, dict_pgsql_open,
- #endif
-+#endif /* MAX_DYNAMIC_MAPS */
-     0,
- };
- 
-diff -urNad postfix-release/src/global/mail_params.c /tmp/dpep.TxugCA/postfix-release/src/global/mail_params.c
---- postfix-release/src/global/mail_params.c	2004-12-27 22:28:28.643272285 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/global/mail_params.c	2004-12-27 22:29:11.318098997 -0700
-@@ -149,6 +149,8 @@
- #include <valid_hostname.h>
- #include <stringops.h>
- #include <safe.h>
-+#include <safe_open.h>
-+#include <mymalloc.h>
- #ifdef HAS_DB
- #include <dict_db.h>
- #endif
-@@ -422,6 +424,38 @@
- 		  (long) var_sgid_gid);
- }
- 
-+static char *read_file(const char *name)
-+{
-+    char *ret;
-+    VSTRING *why=vstring_alloc(1);
-+    VSTRING *new_name=vstring_alloc(1);
-+    VSTREAM *vp=safe_open(name, O_RDONLY, 0, NULL, -1, -1, why);
-+
-+    /*
-+     * Ugly macros to make complex expressions less unreadable.
-+     */
-+#define SKIP(start, var, cond) \
-+	for (var = start; *var && (cond); var++);
-+
-+#define TRIM(s) { \
-+	char *p; \
-+	for (p = (s) + strlen(s); p > (s) && ISSPACE(p[-1]); p--); \
-+	*p = 0; \
-+    }
-+
-+    if (!vp) {
-+	msg_fatal("%s: unable to open: %s",name,vstring_str(why));
-+    }
-+    vstring_get_nonl(new_name,vp);
-+    vstream_fclose(vp);
-+    SKIP(vstring_str(new_name),ret,ISSPACE(*ret));
-+    ret=mystrdup(ret);
-+    TRIM(ret);
-+    vstring_free(why);
-+    vstring_free(new_name);
-+    return ret;
-+}
-+
- /* mail_params_init - configure built-in parameters */
- 
- void    mail_params_init()
-@@ -563,6 +597,9 @@
-      * Variables that are needed by almost every program.
-      */
-     get_mail_conf_str_table(other_str_defaults);
-+    if (*var_myorigin=='/') {
-+	var_myorigin=read_file(var_myorigin);
-+    }
-     get_mail_conf_int_table(other_int_defaults);
-     get_mail_conf_bool_table(bool_defaults);
-     get_mail_conf_time_table(time_defaults);
-diff -urNad postfix-release/src/global/mkmap_open.c /tmp/dpep.TxugCA/postfix-release/src/global/mkmap_open.c
---- postfix-release/src/global/mkmap_open.c	2004-12-27 22:28:28.643272285 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/global/mkmap_open.c	2004-12-27 22:29:11.318098997 -0700
-@@ -144,7 +144,16 @@
-      */
-     for (mp = mkmap_types; /* void */ ; mp++) {
- 	if (mp->type == 0)
-+#ifndef NO_DYNAMIC_MAPS
-+	{
-+	    static MKMAP_OPEN_INFO oi;
-+	    oi.before_open=dict_mkmap_func(type);
-+	    oi.type=type;
-+	    mp=&oi;
-+	}
-+#else
- 	    msg_fatal("unsupported map type: %s", type);
-+#endif
- 	if (strcmp(type, mp->type) == 0)
- 	    break;
-     }
-diff -urNad postfix-release/src/global/sdbm.c /tmp/dpep.TxugCA/postfix-release/src/global/sdbm.c
---- postfix-release/src/global/sdbm.c	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/global/sdbm.c	2004-12-27 22:29:11.320098567 -0700
+diff -urNad postfix~/src/util/sdbm.c postfix/src/util/sdbm.c
+--- postfix~/src/util/sdbm.c	1969-12-31 17:00:00.000000000 -0700
++++ postfix/src/util/sdbm.c	2006-10-15 20:55:26.000000000 -0600
 @@ -0,0 +1,972 @@
 +/*++
 +/* NAME
@@ -1827,9 +2045,9 @@
 +    return db;
 +}
 +
-diff -urNad postfix-release/src/global/sdbm.h /tmp/dpep.TxugCA/postfix-release/src/global/sdbm.h
---- postfix-release/src/global/sdbm.h	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/global/sdbm.h	2004-12-27 22:29:11.320098567 -0700
+diff -urNad postfix~/src/util/sdbm.h postfix/src/util/sdbm.h
+--- postfix~/src/util/sdbm.h	1969-12-31 17:00:00.000000000 -0700
++++ postfix/src/util/sdbm.h	2006-10-15 20:55:26.000000000 -0600
 @@ -0,0 +1,97 @@
 +/*++
 +/* NAME
@@ -1928,789 +2146,18 @@
 +#define BADMESS                 /* generate a message for worst case:
 +                                   cannot make room after SPLTMAX splits */
 +#endif /* UTIL_SDBM_H */
-diff -urNad postfix-release/src/master/Makefile.in /tmp/dpep.TxugCA/postfix-release/src/master/Makefile.in
---- postfix-release/src/master/Makefile.in	2004-12-27 22:28:28.645271855 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/master/Makefile.in	2004-12-27 22:29:11.320098567 -0700
-@@ -20,7 +20,7 @@
- INC_DIR	= ../../include
- BIN_DIR	= ../../libexec
- 
--.c.o:;	$(CC) $(CFLAGS) -c $*.c
-+.c.o:;	$(CC) `for i in $(LIB_OBJ); do [ $$i = $@ ] && echo -fPIC; done` $(CFLAGS) -c $*.c
- 
- all:	$(PROG) $(LIB)
- 
-@@ -35,12 +35,10 @@
- tests:	test
- 
- $(LIB):	$(LIB_OBJ)
--	$(AR) $(ARFL) $(LIB) $?
--	$(RANLIB) $(LIB)
-+	gcc -shared -Wl,-soname,libpostfix-master.so.1 -o $(LIB) $(LIB_OBJ) $(LIBS) $(SYSLIBS)
- 
- $(LIB_DIR)/$(LIB): $(LIB)
- 	cp $(LIB) $(LIB_DIR)/$(LIB)
--	$(RANLIB) $(LIB_DIR)/$(LIB)
- 
- $(BIN_DIR)/$(PROG): $(PROG)
- 	 cp $(PROG) $(BIN_DIR)
-diff -urNad postfix-release/src/postconf/postconf.c /tmp/dpep.TxugCA/postfix-release/src/postconf/postconf.c
---- postfix-release/src/postconf/postconf.c	2004-12-27 22:28:28.646271640 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/postconf/postconf.c	2004-12-27 22:29:11.321098352 -0700
-@@ -822,6 +822,16 @@
- {
-     ARGV   *maps_argv;
-     int     i;
-+#ifndef NO_DYNAMIC_MAPS
-+    char   *path;
-+    char   *config_dir;
-+
-+    var_config_dir = mystrdup((config_dir = safe_getenv(CONF_ENV_PATH)) != 0 ?
-+			      config_dir : DEF_CONFIG_DIR);	/* XXX */
-+    path = concatenate(var_config_dir, "/", "dynamicmaps.cf", (char *) 0);
-+    dict_open_dlinfo(path);
-+    myfree(path);
-+#endif
- 
-     maps_argv = dict_mapnames();
-     for (i = 0; i < maps_argv->argc; i++)
-diff -urNad postfix-release/src/postmap/postmap.c /tmp/dpep.TxugCA/postfix-release/src/postmap/postmap.c
---- postfix-release/src/postmap/postmap.c	2004-12-27 22:28:28.647271425 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/postmap/postmap.c	2004-12-27 22:29:11.321098352 -0700
-@@ -5,7 +5,7 @@
- /*	Postfix lookup table management
- /* SYNOPSIS
- /* .fi
--/*	\fBpostmap\fR [\fB-Nfinoprvw\fR] [\fB-c \fIconfig_dir\fR]
-+/*	\fBpostmap\fR [\fB-Nfinopruvw\fR] [\fB-c \fIconfig_dir\fR]
- /*	[\fB-d \fIkey\fR] [\fB-q \fIkey\fR]
- /*		[\fIfile_type\fR:]\fIfile_name\fR ...
- /* DESCRIPTION
-@@ -92,6 +92,8 @@
- /* .IP \fB-r\fR
- /*	When updating a table, do not warn about duplicate entries; silently
- /*	replace them.
-+/* .IP \fB-u\fR
-+/*	Upgrade the database to the current version.
- /* .IP \fB-v\fR
- /*	Enable verbose logging for debugging purposes. Multiple \fB-v\fR
- /*	options make the software increasingly verbose.
-@@ -102,7 +104,7 @@
- /*	Arguments:
- /* .IP \fIfile_type\fR
- /*	The database type. To find out what types are supported, use
--/*	the "\fBpostconf -m" command.
-+/*	the "\fBpostconf -m\fR" command.
- /*
- /*	The \fBpostmap\fR command can query any supported file type,
- /*	but it can create only the following file types:
-@@ -484,6 +486,18 @@
-     return (status == 0);
- }
- 
-+/* postmap_upgrade - upgrade a map */
-+
-+static int postmap_upgrade(const char *map_type, const char *map_name)
-+{
-+    DICT   *dict;
-+
-+    dict = dict_open3(map_type, map_name, O_RDWR,
-+			DICT_FLAG_LOCK|DICT_FLAG_UPGRADE);
-+    dict_close(dict);
-+    return (dict != 0);
-+}
-+
- /* usage - explain */
- 
- static NORETURN usage(char *myname)
-@@ -504,6 +518,7 @@
-     int     dict_flags = DICT_FLAG_DUP_WARN | DICT_FLAG_FOLD_KEY;
-     char   *query = 0;
-     char   *delkey = 0;
-+    int     upgrade=0;
-     int     found;
- 
-     /*
-@@ -540,7 +555,7 @@
-     /*
-      * Parse JCL.
-      */
--    while ((ch = GETOPT(argc, argv, "Nc:d:finopq:rvw")) > 0) {
-+    while ((ch = GETOPT(argc, argv, "Nc:d:finopq:ruvw")) > 0) {
- 	switch (ch) {
- 	default:
- 	    usage(argv[0]);
-@@ -554,8 +569,8 @@
- 		msg_fatal("out of memory");
- 	    break;
- 	case 'd':
--	    if (query || delkey)
--		msg_fatal("specify only one of -q or -d");
-+	    if (query || delkey || upgrade)
-+		msg_fatal("specify only one of -q or -d or -u");
- 	    delkey = optarg;
- 	    break;
- 	case 'f':
-@@ -575,14 +590,19 @@
- 	    postmap_flags &= ~POSTMAP_FLAG_SAVE_PERM;
- 	    break;
- 	case 'q':
--	    if (query || delkey)
--		msg_fatal("specify only one of -q or -d");
-+	    if (query || delkey || upgrade)
-+		msg_fatal("specify only one of -q or -d or -u");
- 	    query = optarg;
- 	    break;
- 	case 'r':
- 	    dict_flags &= ~(DICT_FLAG_DUP_WARN | DICT_FLAG_DUP_IGNORE);
- 	    dict_flags |= DICT_FLAG_DUP_REPLACE;
- 	    break;
-+	case 'u':
-+	    if (query || delkey || upgrade)
-+		msg_fatal("specify only one of -q or -d or -u");
-+	    upgrade=1;
-+	    break;
- 	case 'v':
- 	    msg_verbose++;
- 	    break;
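Review bot: the identical `if (query || delkey || upgrade) msg_fatal("specify only one of -q or -d or -u");` test is now duplicated in the 'd', 'q' and 'u' arms; a single mutual-exclusion check after the getopt loop would keep the three from drifting apart the next time an option is added. Minor style: `upgrade=1;` here and `int upgrade=0;` in the previous hunk lack the spaces around `=` that the surrounding declarations use.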
-@@ -633,6 +653,21 @@
- 	    optind++;
- 	}
- 	exit(1);
-+    } else if (upgrade) {			/* Upgrade the map(s) */
-+	int success = 1;
-+	if (optind + 1 > argc)
-+	    usage(argv[0]);
-+	while (optind < argc) {
-+	    if ((path_name = split_at(argv[optind], ':')) != 0) {
-+		success &= postmap_upgrade(argv[optind], path_name);
-+	    } else {
-+		success &= postmap_upgrade(var_db_type, path_name);
-+	    }
-+	    if (!success)
-+		exit(1);
-+	    optind++;
-+	}
-+	exit(0);
-     } else {					/* create/update map(s) */
- 	if (optind + 1 > argc)
- 	    usage(argv[0]);
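Review bot: logic error in the `else` branch of the upgrade loop: it is reached exactly when `split_at()` returned 0, so `path_name` is NULL there, and `postmap_upgrade(var_db_type, path_name)` is handed a null map name. The argument without a `type:` prefix is `argv[optind]`, which is what that call should receive. Separately, `if (!success) exit(1);` inside the loop means the first failing map aborts before the remaining ones are tried, which makes the `success &=` accumulation redundant; either accumulate and exit after the loop, or drop `success` and exit directly on a failed call.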
-diff -urNad postfix-release/src/util/Makefile.in /tmp/dpep.TxugCA/postfix-release/src/util/Makefile.in
---- postfix-release/src/util/Makefile.in	2004-12-27 22:28:28.648271210 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/util/Makefile.in	2004-12-27 22:29:11.322098138 -0700
-@@ -4,6 +4,7 @@
- 	chroot_uid.c clean_env.c close_on_exec.c concatenate.c ctable.c \
- 	dict.c dict_alloc.c dict_db.c dict_dbm.c dict_debug.c dict_env.c \
- 	dict_cidr.c dict_ht.c dict_ni.c dict_nis.c \
-+	load_lib.c \
- 	dict_nisplus.c dict_open.c dict_pcre.c dict_regexp.c \
- 	dict_static.c dict_tcp.c dict_unix.c dir_forest.c doze.c \
- 	duplex_pipe.c environ.c events.c exec_command.c fifo_listen.c \
-@@ -34,8 +35,8 @@
- 	chroot_uid.o clean_env.o close_on_exec.o concatenate.o ctable.o \
- 	dict.o dict_alloc.o dict_db.o dict_dbm.o dict_debug.o dict_env.o \
- 	dict_cidr.o dict_ht.o dict_ni.o dict_nis.o \
--	dict_nisplus.o dict_open.o dict_pcre.o dict_regexp.o \
--	dict_static.o dict_tcp.o dict_unix.o dir_forest.o doze.o \
-+	dict_nisplus.o dict_open.o dict_regexp.o \
-+	dict_static.o dict_unix.o dir_forest.o doze.o \
- 	duplex_pipe.o environ.o events.o exec_command.o fifo_listen.o \
- 	fifo_trigger.o file_limit.o find_inet.o fsspace.o fullname.o \
- 	get_domainname.o get_hostname.o hex_quote.o host_port.o htable.o \
-@@ -58,10 +59,11 @@
- 	vstream_popen.o vstring.o vstring_vstream.o watchdog.o writable.o \
- 	write_buf.o write_wait.o auto_clnt.o attr_clnt.o attr_scan_plain.o \
- 	attr_print_plain.o sane_connect.o $(STRCASE) neuter.o name_code.o \
--	uppercase.o
-+	uppercase.o load_lib.o
- HDRS	= argv.h attr.h base64_code.h binhash.h chroot_uid.h clean_env.h \
- 	connect.h ctable.h dict.h dict_db.h dict_dbm.h dict_env.h \
- 	dict_cidr.h dict_ht.h dict_ni.h dict_nis.h \
-+	load_lib.h \
- 	dict_nisplus.h dict_pcre.h dict_regexp.h \
- 	dict_static.h dict_tcp.h dict_unix.h dir_forest.h events.h \
- 	exec_command.h find_inet.h fsspace.h fullname.h get_domainname.h \
-@@ -72,7 +74,7 @@
- 	msg_syslog.h msg_vstream.h mvect.h myflock.h mymalloc.h myrand.h \
- 	name_mask.h netstring.h nvtable.h open_as.h open_lock.h \
- 	percentm.h posix_signals.h readlline.h ring.h safe.h safe_open.h \
--	sane_accept.h sane_fsops.h sane_socketpair.h sane_time.h \
-+	sane_accept.h sane_fsops.h sane_socketpair.h sane_time.h load_lib.h \
- 	scan_dir.h set_eugid.h set_ugid.h sigdelay.h spawn_command.h \
- 	split_at.h stat_as.h stringops.h sys_defs.h timed_connect.h \
- 	timed_wait.h trigger.h username.h valid_hostname.h vbuf.h \
-@@ -84,6 +86,8 @@
- CFLAGS	= $(DEBUG) $(OPT) $(DEFS)
- FILES	= Makefile $(SRCS) $(HDRS)
- INCL	=
-+PCRESO  = dict_pcre.so
-+TCPSO   = dict_tcp.so
- LIB	= libutil.a
- TESTPROG= dict_open dup2_pass_on_exec events exec_command fifo_open \
- 	fifo_rdonly_bug fifo_rdwr_bug fifo_trigger fsspace fullname \
-@@ -96,8 +100,9 @@
- 
- LIB_DIR	= ../../lib
- INC_DIR	= ../../include
-+LIBS    = $(LIB_DIR)/$(LIB) $(LIB_DIR)/$(PCRESO) $(LIB_DIR)/$(TCPSO)
- 
--.c.o:;	$(CC) $(CFLAGS) -c $*.c
-+.c.o:;	$(CC) -fPIC $(CFLAGS) -c $*.c
- 
- all: $(LIB)
- 
-@@ -106,15 +111,25 @@
- 
- test:	$(TESTPROG)
- 
-+$(PCRESO): dict_pcre.o
-+	gcc -shared -Wl,-soname,dict_pcre.so -o $@ $? -lpcre -L. -lutil
-+
-+$(TCPSO): dict_tcp.o
-+	gcc -shared -Wl,-soname,dict_tcp.so -o $@ $? -L. -lutil
-+
- $(LIB):	$(OBJS)
--	$(AR) $(ARFL) $(LIB) $?
--	$(RANLIB) $(LIB)
-+	gcc -shared -Wl,-soname,libpostfix-util.so.1 -o $(LIB) $(OBJS) -ldl $(SYSLIBS)
- 
- $(LIB_DIR)/$(LIB): $(LIB)
- 	cp $(LIB) $(LIB_DIR)
--	$(RANLIB) $(LIB_DIR)/$(LIB)
- 
--update: $(LIB_DIR)/$(LIB) $(HDRS)
-+$(LIB_DIR)/$(PCRESO): $(PCRESO)
-+	cp $(PCRESO) $(LIB_DIR)
-+
-+$(LIB_DIR)/$(TCPSO): $(TCPSO)
-+	cp $(TCPSO) $(LIB_DIR)
-+
-+update: $(LIBS) $(HDRS)
- 	-for i in $(HDRS); \
- 	do \
- 	  cmp -s $$i $(INC_DIR)/$$i 2>/dev/null || cp $$i $(INC_DIR); \
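Review bot: the new link rules hardcode `gcc` where the `.c.o` rule above still uses `$(CC)`, and `LIB` keeps the name libutil.a while the `$(LIB)` rule now produces a shared object with soname libpostfix-util.so.1, so a file called libutil.a that is really an ELF shared library is copied into $(LIB_DIR). The `$(PCRESO)`/`$(TCPSO)` rules then link with `-L. -lutil`, a name that also belongs to the system libutil, so which library is picked depends on linker search order. Naming the output libpostfix-util.so.1 and linking the plugins with `-lpostfix-util` removes both the misleading name and the ambiguity; `$(RANLIB)` is correctly dropped, but the `$(AR)` variables are now unused.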
-@@ -136,7 +151,8 @@
- 	lint $(SRCS)
- 
- clean:
--	rm -f *.o $(LIB) *core $(TESTPROG) junk $(MAKES) *.tmp
-+	rm -f *.o $(LIB) $(PCRESO) $(TCPSO) *core $(TESTPROG) \
-+		junk $(MAKES) *.tmp
- 	rm -rf printfck
- 
- tidy:	clean
-diff -urNad postfix-release/src/util/dict.h /tmp/dpep.TxugCA/postfix-release/src/util/dict.h
---- postfix-release/src/util/dict.h	2004-12-27 22:28:28.649270995 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/util/dict.h	2004-12-27 22:29:11.323097923 -0700
-@@ -61,6 +61,7 @@
- #define DICT_FLAG_NO_REGSUB	(1<<11)	/* disallow regexp substitution */
- #define DICT_FLAG_NO_PROXY	(1<<12)	/* disallow proxy mapping */
- #define DICT_FLAG_NO_UNAUTH	(1<<13)	/* disallow unauthenticated data */
-+#define DICT_FLAG_UPGRADE	(1<<30) /* Upgrade the db */
- 
- #define DICT_FLAG_PARANOID \
- 	(DICT_FLAG_NO_REGSUB | DICT_FLAG_NO_PROXY | DICT_FLAG_NO_UNAUTH)
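Review bot: DICT_FLAG_UPGRADE jumps from bit 13 to bit 30 with no comment explaining the gap; a note that the high bit is chosen to stay clear of future upstream DICT_FLAG_* additions would help whoever next touches this table. Style: the separator before the comment is a space where the neighbouring lines use a tab.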
-@@ -102,6 +103,11 @@
- extern DICT *dict_open(const char *, int, int);
- extern DICT *dict_open3(const char *, const char *, int, int);
- extern void dict_open_register(const char *, DICT *(*) (const char *, int, int));
-+#ifndef NO_DYNAMIC_MAPS
-+extern void dict_open_dlinfo(const char *path);
-+typedef void* (*dict_mkmap_func_t)(const char *);
-+dict_mkmap_func_t dict_mkmap_func(const char *dict_type);
-+#endif
- 
- #define dict_get(dp, key)	(dp)->lookup((dp), (key))
- #define dict_put(dp, key, val)	(dp)->update((dp), (key), (val))
-diff -urNad postfix-release/src/util/dict_db.c /tmp/dpep.TxugCA/postfix-release/src/util/dict_db.c
---- postfix-release/src/util/dict_db.c	2004-12-27 22:28:28.649270995 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/util/dict_db.c	2004-12-27 22:29:11.323097923 -0700
-@@ -548,6 +548,12 @@
- 	msg_fatal("set DB cache size %d: %m", dict_db_cache_size);
-     if (type == DB_HASH && db->set_h_nelem(db, DICT_DB_NELM) != 0)
- 	msg_fatal("set DB hash element count %d: %m", DICT_DB_NELM);
-+    if (dict_flags & DICT_FLAG_UPGRADE) {
-+	if (msg_verbose)
-+	    msg_info("upgrading database %s",db_path);
-+	if ((errno = db->upgrade(db,db_path,0)) != 0)
-+	    msg_fatal("upgrade of database %s: %m",db_path);
-+    }
- #if (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0)
-     if ((errno = db->open(db, 0, db_path, 0, type, db_flags, 0644)) != 0)
- 	msg_fatal("open database %s: %m", db_path);
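Review bot: `db->upgrade()` rewrites the database file in place, and this hunk runs it from inside dict_db_open() whenever DICT_FLAG_UPGRADE is set, before `db->open()`. Two things to confirm: that the lock dict_db_open() takes for an ordinary open is exclusive at this point, because a concurrent reader of the old-format file would otherwise see a half-converted file; and that a path which does not exist yet is handled, since the upgrade will fail with msg_fatal() before the open that would have created it. Berkeley DB's documentation also recommends a backup before DB->upgrade because an interrupted upgrade is not recoverable; that caveat belongs in the postmap -u description rather than only in this code path.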
-diff -urNad postfix-release/src/util/dict_dbm.c /tmp/dpep.TxugCA/postfix-release/src/util/dict_dbm.c
---- postfix-release/src/util/dict_dbm.c	2004-12-27 22:28:28.650270780 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/util/dict_dbm.c	2004-12-27 22:29:11.323097923 -0700
-@@ -371,6 +371,10 @@
-     char   *dbm_path;
-     int     lock_fd;
- 
-+#ifdef HAVE_GDBM
-+    msg_error("%s: gdbm maps use locking that is incompatible with postfix.  Use a hash map instead.",
-+		 path);
-+#endif
-     /*
-      * Note: DICT_FLAG_LOCK is used only by programs that do fine-grained (in
-      * the time domain) locking while accessing individual database records.
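Review bot: the new block is guarded by `HAVE_GDBM`, while every platform macro in the sys_defs.h hunks of this patch uses the `HAS_` prefix (HAS_DBM, HAS_DB, HAS_SDBM, HAS_DLOPEN), so unless the build defines HAVE_GDBM explicitly this warning is dead code. If it is reached, msg_error() logs on every open and the map is then used anyway; if gdbm locking really is incompatible with Postfix, msg_fatal() (or refusing to register the type) is the consistent behaviour, and if it is merely risky a one-time msg_warn() is enough. The message text should also say that the incompatibility is in locking, not in the data format, so that admins know a hash: rebuild is the fix.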
-diff -urNad postfix-release/src/util/dict_open.c /tmp/dpep.TxugCA/postfix-release/src/util/dict_open.c
---- postfix-release/src/util/dict_open.c	2004-12-27 22:28:28.650270780 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/util/dict_open.c	2004-12-27 22:29:35.775841614 -0700
-@@ -42,6 +42,10 @@
- /*	dict_open_register(type, open)
- /*	char	*type;
- /*	DICT	*(*open) (const char *, int, int);
-+/*
-+/*	ARGV   *dict_mapnames()
-+/*
-+/*	void (*)() dict_mkmap_func(const char *dict_type)
- /* DESCRIPTION
- /*	This module implements a low-level interface to multiple
- /*	physical dictionary types.
-@@ -135,6 +139,13 @@
- /*	associated data structures.
- /*
- /*	dict_open_register() adds support for a new dictionary type.
-+/*
-+/*	dict_mapnames() returns an ARGV list containing all of the known
-+/*	map types, including dynamic maps.
-+/*
-+/*	dict_mkmap_func() returns a pointer to the mkmap setup function
-+/*	for the given map type, as given in /etc/dynamicmaps.cf
-+/*
- /* DIAGNOSTICS
- /*	Fatal error: open error, unsupported dictionary type, attempt to
- /*	update non-writable dictionary.
-@@ -158,6 +169,9 @@
- #include <strings.h>
- #endif
- 
-+#include <sys/stat.h>
-+#include <unistd.h>
-+
- /* Utility library. */
- 
- #include <argv.h>
-@@ -180,6 +194,27 @@
- #include <split_at.h>
- #include <htable.h>
- 
-+#ifndef NO_DYNAMIC_MAPS
-+#include <load_lib.h>
-+#include <vstring.h>
-+#include <vstream.h>
-+#include <vstring_vstream.h>
-+#include <mvect.h>
-+
-+ /*
-+  * Interface for dynamic map loading.
-+  */
-+typedef struct {
-+    const char  *pattern;
-+    const char  *soname;
-+    const char  *openfunc;
-+    const char  *mkmapfunc;
-+} DLINFO;
-+
-+static DLINFO *dict_dlinfo;
-+static DLINFO *dict_open_dlfind(const char *type);
-+#endif
-+
-  /*
-   * lookup table for available map types.
-   */
-@@ -191,9 +226,11 @@
- static DICT_OPEN_INFO dict_open_info[] = {
-     DICT_TYPE_ENVIRON, dict_env_open,
-     DICT_TYPE_UNIX, dict_unix_open,
-+#ifndef MAX_DYNAMIC_MAPS
- #ifdef SNAPSHOT
-     DICT_TYPE_TCP, dict_tcp_open,
- #endif
-+#endif
- #ifdef HAS_DBM
-     DICT_TYPE_DBM, dict_dbm_open,
- #endif
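Review bot: the guard macro `MAX_DYNAMIC_MAPS` (here and in the next hunk, including its closing `#endif /* MAX_DYNAMIC_MAPS */` comment) appears nowhere else in the lines shown; every other conditional in this patch uses `NO_DYNAMIC_MAPS`. As written the `#ifndef` is always true, so dict_tcp_open and dict_pcre_open stay in the static table even though the Makefile.in hunk above removed dict_tcp.o and dict_pcre.o from OBJS, leaving libutil with unresolved references to both. The intended condition looks like `#ifdef NO_DYNAMIC_MAPS` (keep the static entries only when dynamic loading is compiled out).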
-@@ -210,9 +247,11 @@
- #ifdef HAS_NETINFO
-     DICT_TYPE_NETINFO, dict_ni_open,
- #endif
-+#ifndef MAX_DYNAMIC_MAPS
- #ifdef HAS_PCRE
-     DICT_TYPE_PCRE, dict_pcre_open,
- #endif
-+#endif /* MAX_DYNAMIC_MAPS */
- #ifdef HAS_POSIX_REGEXP
-     DICT_TYPE_REGEXP, dict_regexp_open,
- #endif
-@@ -267,8 +306,31 @@
- 
-     if (dict_open_hash == 0)
- 	dict_open_init();
--    if ((dp = (DICT_OPEN_INFO *) htable_find(dict_open_hash, dict_type)) == 0)
--	msg_fatal("unsupported dictionary type: %s", dict_type);
-+    if ((dp = (DICT_OPEN_INFO *) htable_find(dict_open_hash, dict_type)) == 0) {
-+#ifdef NO_DYNAMIC_MAPS
-+	msg_fatal("%s: unsupported dictionary type: %s", myname, dict_type);
-+#else
-+	struct stat st;
-+	LIB_FN fn[2];
-+	DICT *(*open) (const char *, int, int);
-+	DLINFO *dl=dict_open_dlfind(dict_type);
-+	if (!dl)
-+	    msg_fatal("%s: unsupported dictionary type: %s:  Is the postfix-%s package installed?", myname, dict_type, dict_type);
-+	if (stat(dl->soname,&st) < 0) {
-+	    msg_fatal("%s: unsupported dictionary type: %s (%s not found.  Is the postfix-%s package installed?)",
-+		myname, dict_type, dl->soname, dict_type);
-+	}
-+	fn[0].name = dl->openfunc;
-+	fn[0].ptr  = (void**)&open;
-+	fn[1].name = NULL;
-+	load_library_symbols(dl->soname, fn, NULL);
-+	dict_open_register(dict_type, open);
-+	dp = (DICT_OPEN_INFO *) htable_find(dict_open_hash, dict_type);
-+#endif
-+    }
-+    if (msg_verbose>1) {
-+	msg_info("%s: calling %s open routine",myname,dict_type);
-+    }
-     if ((dict = dp->open(dict_name, open_flags, dict_flags)) == 0)
- 	msg_fatal("opening %s:%s %m", dict_type, dict_name);
-     if (msg_verbose)
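Review bot: the dynamic-load path checks only that `dl->soname` exists (`stat() < 0`) and then dlopen()s it into the calling process, so file ownership and permissions of the listed .so files and of dynamicmaps.cf are the only thing standing between a writable path and foreign code in every program that opens a map; nothing in this hunk or in dict_open_dlinfo() below verifies either. A check that the object is owned by root and not group/world writable, or at least a comment stating that the packaging guarantees this, would make the trust boundary explicit. The `stat()` result is otherwise unused, so it is a redundant existence test that dlopen()'s own error in load_lib.c already covers with a better message. Minor: `fn[0].ptr = (void**)&open` stores a function pointer through a `void **`, the usual dlsym idiom but not strictly portable C.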
-@@ -276,6 +338,36 @@
-     return (dict);
- }
- 
-+dict_mkmap_func_t dict_mkmap_func(const char *dict_type)
-+{
-+    char   *myname="dict_mkmap_func";
-+    struct stat st;
-+    LIB_FN fn[2];
-+    dict_mkmap_func_t mkmap;
-+    DLINFO *dl;
-+#ifndef NO_DYNAMIC_MAPS
-+    if (!dict_dlinfo)
-+	msg_fatal("dlinfo==NULL");
-+    dl=dict_open_dlfind(dict_type);
-+    if (!dl)
-+	msg_fatal("%s: unsupported dictionary type: %s:  Is the postfix-%s package installed?", myname, dict_type, dict_type);
-+    if (stat(dl->soname,&st) < 0) {
-+	msg_fatal("%s: unsupported dictionary type: %s (%s not found.  Is the postfix-%s package installed?)",
-+	    myname, dict_type, dl->soname, dict_type);
-+    }
-+    if (!dl->mkmapfunc)
-+	msg_fatal("%s: unsupported dictionary type: %s does not allow map creation.", myname, dict_type);
-+
-+    fn[0].name = dl->mkmapfunc;
-+    fn[0].ptr  = (void**)&mkmap;
-+    fn[1].name = NULL;
-+    load_library_symbols(dl->soname, fn, NULL);
-+    return mkmap;
-+#else
-+    return (void(*)())NULL;
-+#endif
-+}
-+
- /* dict_open_register - register dictionary type */
- 
- void    dict_open_register(const char *type,
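Review bot: dict_mkmap_func() will not compile when NO_DYNAMIC_MAPS is defined: its return type `dict_mkmap_func_t` is only typedef'd inside `#ifndef NO_DYNAMIC_MAPS` in the dict.h hunk, yet the definition and its `#else` branch are unconditional here. The `#else` branch also returns `(void(*)())NULL`, which is not the declared return type (`void *(*)(const char *)`), and leaves `st`, `fn`, `dl` and `myname` unused. Wrapping the whole function in `#ifndef NO_DYNAMIC_MAPS`, as dict_open_dlinfo() below is, is simpler than an in-function `#else`. The dict.h declaration also lacks the `extern` that the neighbouring prototypes use, and the soname/.so existence logic is a copy of the one in dict_open3() that could be shared.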
-@@ -302,6 +394,9 @@
-     HTABLE_INFO **ht;
-     DICT_OPEN_INFO *dp;
-     ARGV   *mapnames;
-+#ifndef NO_DYNAMIC_MAPS
-+    DLINFO *dlp;
-+#endif
- 
-     if (dict_open_hash == 0)
- 	dict_open_init();
-@@ -310,11 +405,99 @@
- 	dp = (DICT_OPEN_INFO *) ht[0]->value;
- 	argv_add(mapnames, dp->type, ARGV_END);
-     }
-+#ifndef NO_DYNAMIC_MAPS
-+    if (!dict_dlinfo)
-+	msg_fatal("dlinfo==NULL");
-+    for (dlp=dict_dlinfo; dlp->pattern; dlp++) {
-+	argv_add(mapnames, dlp->pattern, ARGV_END);
-+    }
-+#endif
-     myfree((char *) ht_info);
-     argv_terminate(mapnames);
-     return mapnames;
- }
- 
-+#ifndef NO_DYNAMIC_MAPS
-+#define	STREQ(x,y) (x == y || (x[0] == y[0] && strcmp(x,y) == 0))
-+
-+void dict_open_dlinfo(const char *path)
-+{
-+    char    *myname="dict_open_dlinfo";
-+    VSTREAM *conf_fp=vstream_fopen(path,O_RDONLY,0);
-+    VSTRING *buf = vstring_alloc(100);
-+    char    *cp;
-+    ARGV    *argv;
-+    MVECT    vector;
-+    int      nelm=0;
-+    int      linenum=0;
-+
-+    dict_dlinfo=(DLINFO*)mvect_alloc(&vector,sizeof(DLINFO),3,NULL,NULL);
-+
-+    if (!conf_fp) {
-+	msg_warn("%s: cannot open %s.  No dynamic maps will be allowed.",
-+		myname, path);
-+    } else {
-+	while (vstring_get_nonl(buf,conf_fp) != VSTREAM_EOF) {
-+	    cp = vstring_str(buf);
-+	    linenum++;
-+	    if (*cp == '#' || *cp == '\0')
-+		continue;
-+	    argv = argv_split(cp, " \t");
-+	    if (argv->argc != 3 && argv->argc != 4) {
-+		msg_fatal("%s: Expected \"pattern .so-name open-function [mkmap-function]\" at line %d",
-+			  myname, linenum);
-+	    }
-+	    if (STREQ(argv->argv[0],"*")) {
-+		msg_warn("%s: wildcard dynamic map entry no longer supported.",
-+			  myname);
-+		continue;
-+	    }
-+	    if (argv->argv[1][0] != '/') {
-+		msg_fatal("%s: .so name must begin with a \"/\" at line %d",
-+			  myname, linenum);
-+	    }
-+	    if (nelm >= vector.nelm) {
-+		dict_dlinfo=(DLINFO*)mvect_realloc(&vector,vector.nelm+3);
-+	    }
-+	    dict_dlinfo[nelm].pattern  = mystrdup(argv->argv[0]);
-+	    dict_dlinfo[nelm].soname   = mystrdup(argv->argv[1]);
-+	    dict_dlinfo[nelm].openfunc = mystrdup(argv->argv[2]);
-+	    if (argv->argc==4)
-+		dict_dlinfo[nelm].mkmapfunc = mystrdup(argv->argv[3]);
-+	    else
-+		dict_dlinfo[nelm].mkmapfunc = NULL;
-+	    nelm++;
-+	    argv_free(argv);
-+	}
-+    }
-+    if (nelm >= vector.nelm) {
-+	dict_dlinfo=(DLINFO*)mvect_realloc(&vector,vector.nelm+1);
-+    }
-+    dict_dlinfo[nelm].pattern  = NULL;
-+    dict_dlinfo[nelm].soname   = NULL;
-+    dict_dlinfo[nelm].openfunc = NULL;
-+    dict_dlinfo[nelm].mkmapfunc = NULL;
-+    if (conf_fp)
-+	vstream_fclose(conf_fp);
-+    vstring_free(buf);
-+}
-+
-+static DLINFO *dict_open_dlfind(const char *type)
-+{
-+    DLINFO *dp;
-+
-+    if (!dict_dlinfo)
-+	return NULL;
-+
-+    for (dp=dict_dlinfo; dp->pattern; dp++) {
-+	if (STREQ(dp->pattern,type))
-+	    return dp;
-+    }
-+    return NULL;
-+}
-+
-+#endif /* !NO_DYNAMIC_MAPS */
-+
- #ifdef TEST
- 
-  /*
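Review bot: memory leak in dict_open_dlinfo(): the `continue` after the "wildcard dynamic map entry no longer supported" warning skips the `argv_free(argv)` at the bottom of the loop. On validation, the only check on the .so field is a leading "/", so relative paths are rejected but nothing about the target file is examined (see the stat() remark on the dict_open3() hunk above). The sentinel handling is correct (`mvect_realloc(&vector, vector.nelm+1)` is reached only when `nelm >= vector.nelm`), but the grow-by-3 step inside the loop and the grow-by-1 step after it could be one helper. Style: `STREQ()` evaluates `x` three times, which is harmless for the identifiers passed here but deserves a comment.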
-diff -urNad postfix-release/src/util/load_lib.c /tmp/dpep.TxugCA/postfix-release/src/util/load_lib.c
---- postfix-release/src/util/load_lib.c	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/util/load_lib.c	2004-12-27 22:29:11.324097708 -0700
-@@ -0,0 +1,135 @@
-+/*++
-+/* NAME
-+/*	load_lib 3
-+/* SUMMARY
-+/*	library loading wrappers
-+/* SYNOPSIS
-+/*	#include <load_lib.h>
-+/*
-+/*	extern int  load_library_symbols(const char *, LIB_FN *, LIB_FN *);
-+/*	const char *libname;
-+/*      LIB_FN     *libfuncs;
-+/*      LIB_FN     *libdata;
-+/*
-+/* DESCRIPTION
-+/*	This module loads functions from libraries, returnine pointers
-+/*	to the named functions.
-+/*
-+/*	load_library_symbols() loads all of the desired functions, and
-+/*	returns zero for success, or exits via msg_fatal().
-+/*
-+/* SEE ALSO
-+/*	msg(3) diagnostics interface
-+/* DIAGNOSTICS
-+/*	Problems are reported via the msg(3) diagnostics routines:
-+/*	library not found, symbols not found, other fatal errors.
-+/* LICENSE
-+/* .ad
-+/* .fi
-+/*	The Secure Mailer license must be distributed with this software.
-+/* AUTHOR(S)
-+/*	LaMont Jones
-+/*	Hewlett-Packard Company
-+/*	3404 Harmony Road
-+/*	Fort Collins, CO 80528, USA
-+/*
-+/*	Wietse Venema
-+/*	IBM T.J. Watson Research
-+/*	P.O. Box 704
-+/*	Yorktown Heights, NY 10598, USA
-+/*--*/
-+
-+/* System libraries. */
-+
-+#include "sys_defs.h"
-+#include <stdlib.h>
-+#include <stddef.h>
-+#include <string.h>
-+#if defined(HAS_DLOPEN)
-+#include <dlfcn.h>
-+#elif defined(HAS_SHL_LOAD)
-+#include <dl.h>
-+#endif
-+
-+/* Application-specific. */
-+
-+#include "msg.h"
-+#include "load_lib.h"
-+
-+extern int  load_library_symbols(const char * libname, LIB_FN * libfuncs, LIB_FN * libdata)
-+{
-+    char   *myname = "load_library_symbols";
-+    LIB_FN *fn;
-+
-+#if defined(HAS_DLOPEN)
-+    void   *handle;
-+    char   *emsg;
-+
-+    handle=dlopen(libname,RTLD_NOW);
-+    emsg=dlerror();
-+    if (emsg) {
-+	msg_fatal("%s: dlopen failure loading %s: %s", myname, libname, emsg);
-+    }
-+
-+    if (libfuncs) {
-+	for (fn=libfuncs; fn->name; fn++) {
-+	    *(fn->ptr) = dlsym(handle,fn->name);
-+	    emsg=dlerror();
-+	    if (emsg) {
-+		msg_fatal("%s: dlsym failure looking up %s in %s: %s", myname,
-+			  fn->name, libname, emsg);
-+	    }
-+	    if (msg_verbose>1) {
-+		msg_info("loaded %s = %lx",fn->name, *((long*)(fn->ptr)));
-+	    }
-+	}
-+    }
-+
-+    if (libdata) {
-+	for (fn=libdata; fn->name; fn++) {
-+	    *(fn->ptr) = dlsym(handle,fn->name);
-+	    emsg=dlerror();
-+	    if (emsg) {
-+		msg_fatal("%s: dlsym failure looking up %s in %s: %s", myname,
-+			  fn->name, libname, emsg);
-+	    }
-+	    if (msg_verbose>1) {
-+		msg_info("loaded %s = %lx",fn->name, *((long*)(fn->ptr)));
-+	    }
-+	}
-+    }
-+#elif defined(HAS_SHL_LOAD)
-+    shl_t   handle;
-+
-+    handle = shl_load(libname,BIND_IMMEDIATE,0);
-+
-+    if (libfuncs) {
-+	for (fn=libfuncs; fn->name; fn++) {
-+	    if (shl_findsym(&handle,fn->name,TYPE_PROCEDURE,fn->ptr) != 0) {
-+		msg_fatal("%s: shl_findsym failure looking up %s in %s: %m",
-+			  myname, fn->name, libname);
-+	    }
-+	    if (msg_verbose>1) {
-+		msg_info("loaded %s = %x",fn->name, *((long*)(fn->ptr)));
-+	    }
-+	}
-+    }
-+
-+    if (libdata) {
-+	for (fn=libdata; fn->name; fn++) {
-+	    if (shl_findsym(&handle,fn->name,TYPE_DATA,fn->ptr) != 0) {
-+		msg_fatal("%s: shl_findsym failure looking up %s in %s: %m",
-+			  myname, fn->name, libname);
-+	    }
-+	    if (msg_verbose>1) {
-+		msg_info("loaded %s = %x",fn->name, *((long*)(fn->ptr)));
-+	    }
-+	}
-+    }
-+
-+#else
-+    msg_fatal("%s: need dlopen or shl_load support for dynamic libraries",
-+		myname);
-+#endif
-+    return 0;
-+}
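Review bot: in the HAS_DLOPEN branch the dlopen() result is judged only by `dlerror()`, never by `handle == NULL`; the subsequent dlsym() calls then use whatever `handle` holds. Test the handle and keep the dlerror() text for the message. The verbose trace `*((long*)(fn->ptr))` reinterprets a `void **` as `long *`, which assumes sizeof(long) == sizeof(void *), and the HAS_SHL_LOAD copies print that long with `%x`, a format mismatch; `%p` on `*(fn->ptr)` is what is meant. In the HAS_SHL_LOAD branch the `shl_load()` return value is not checked before shl_findsym(). Smaller points: `extern` on the function definition is unnecessary, the DESCRIPTION has a typo ("returnine"), and the SYNOPSIS lines mix spaces and tabs. Since this module dlopen()s paths taken from a configuration file, the man-page text should state what the caller is expected to have verified about that file (absolute path, ownership, permissions) before calling in.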
-diff -urNad postfix-release/src/util/load_lib.h /tmp/dpep.TxugCA/postfix-release/src/util/load_lib.h
---- postfix-release/src/util/load_lib.h	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/util/load_lib.h	2004-12-27 22:29:11.324097708 -0700
-@@ -0,0 +1,41 @@
-+#ifndef _LOAD_LIB_H_INCLUDED_
-+#define _LOAD_LIB_H_INCLUDED_
-+
-+/*++
-+/* NAME
-+/*	load_lib 3h
-+/* SUMMARY
-+/*	library loading wrappers
-+/* SYNOPSIS
-+/*	#include "load_lib.h"
-+/* DESCRIPTION
-+/* .nf
-+
-+ /*
-+  * External interface.
-+  */
-+/* NULL name terminates list */
-+typedef struct LIB_FN {
-+    const char *name;
-+    void       **ptr;
-+} LIB_FN;
-+
-+extern int  load_library_symbols(const char *, LIB_FN *, LIB_FN *);
-+
-+/* LICENSE
-+/* .ad
-+/* .fi
-+/*	The Secure Mailer license must be distributed with this software.
-+/* AUTHOR(S)
-+/*	LaMont Jones
-+/*	Hewlett-Packard Company
-+/*	3404 Harmony Road
-+/*	Fort Collins, CO 80528, USA
-+/*
-+/*	Wietse Venema
-+/*	IBM T.J. Watson Research
-+/*	P.O. Box 704
-+/*	Yorktown Heights, NY 10598, USA
-+/*--*/
-+
-+#endif
-diff -urNad postfix-release/src/util/sys_defs.h /tmp/dpep.TxugCA/postfix-release/src/util/sys_defs.h
---- postfix-release/src/util/sys_defs.h	2004-12-27 22:28:28.652270351 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/util/sys_defs.h	2004-12-27 22:29:11.325097493 -0700
-@@ -550,11 +550,25 @@
+diff -urNad postfix~/src/util/sys_defs.h postfix/src/util/sys_defs.h
+--- postfix~/src/util/sys_defs.h	2006-08-29 08:17:05.000000000 -0600
++++ postfix/src/util/sys_defs.h	2006-10-15 20:55:26.000000000 -0600
+@@ -655,6 +655,7 @@
+ #define INTERNAL_LOCK	MYFLOCK_STYLE_FLOCK
+ #define DEF_MAILBOX_LOCK "fcntl, dotlock"	/* RedHat >= 4.x */
+ #define HAS_FSYNC
++#define HAS_SDBM
+ #define HAS_DB
+ #define DEF_DB_TYPE	"hash"
+ #define ALIAS_DB_MAP	"hash:/etc/aliases"
+@@ -667,11 +668,25 @@
  #define UNIX_DOMAIN_CONNECT_BLOCKS_FOR_ACCEPT
  #define PREPEND_PLUS_TO_OPTSTRING
  #define HAS_POSIX_REGEXP
@@ -2736,7 +2183,7 @@
  #if __GLIBC__ >= 2 && __GLIBC_MINOR__ >= 1
  #define SOCKADDR_SIZE	socklen_t
  #define SOCKOPT_SIZE	socklen_t
-@@ -620,6 +634,7 @@
+@@ -757,6 +772,7 @@
  #define USE_STATFS
  #define STATFS_IN_SYS_VFS_H
  #define HAS_POSIX_REGEXP
@@ -2744,7 +2191,7 @@
  #define NATIVE_SENDMAIL_PATH "/usr/sbin/sendmail"
  #define NATIVE_MAILQ_PATH "/usr/bin/mailq"
  #define NATIVE_NEWALIAS_PATH "/usr/bin/newaliases"
-@@ -655,6 +670,7 @@
+@@ -794,6 +810,7 @@
  #define USE_STATFS
  #define STATFS_IN_SYS_VFS_H
  #define HAS_POSIX_REGEXP
@@ -2752,7 +2199,7 @@
  #define NATIVE_SENDMAIL_PATH "/usr/sbin/sendmail"
  #define NATIVE_MAILQ_PATH "/usr/bin/mailq"
  #define NATIVE_NEWALIAS_PATH "/usr/bin/newaliases"
-@@ -692,6 +708,7 @@
+@@ -833,6 +850,7 @@
  #define USE_STATFS
  #define STATFS_IN_SYS_VFS_H
  #define HAS_POSIX_REGEXP

Added: postfix/trunk/debian/patches/30hurd.dpatch
===================================================================
--- postfix/trunk/debian/patches/30hurd.dpatch	                        (rev 0)
+++ postfix/trunk/debian/patches/30hurd.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -0,0 +1,115 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 30hurd.dpatch by Marc Dequènes (Duck) <Duck at DuckCorp.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: patches to build on Hurd (buildsys configuration)
+
+ at DPATCH@
+diff -Nur postfix-2.2.9_old/makedefs postfix-2.2.9/makedefs
+--- postfix-2.2.9_old/makedefs	2006-01-03 22:50:25.000000000 +0100
++++ postfix-2.2.9/makedefs	2006-03-11 13:12:49.000000000 +0100
+@@ -259,6 +259,38 @@
+ 		2.[0-3].*) CCARGS="$CCARGS -DNO_IPV6";;
+ 		esac
+ 		;;
++     GNU*)
++     		SYSTYPE=GNU
++		# Postfix no longer needs DB 1.85 compatibility
++		if [ -f /usr/include/db.h ]
++		then
++		    : we are all set
++		elif [ -f /usr/include/db/db.h ]
++		then
++		    CCARGS="$CCARGS -I/usr/include/db"
++		else
++		    # No, we're not going to try db1 db2 db3 etc.
++		    # On a properly installed system, Postfix builds
++		    # by including <db.h> and by linking with -ldb
++		    echo "No <db.h> include file found." 1>&2
++		    echo "Install the appropriate db*-devel package first." 1>&2
++		    echo "See the RELEASE_NOTES file for more information." 1>&2
++		    exit 1
++		fi
++		SYSLIBS="-ldb"
++		for name in nsl resolv
++		do
++		    for lib in /usr/lib64 /lib64 /usr/lib /lib
++		    do
++			test -e $lib/lib$name.a -o -e $lib/lib$name.so && {
++			    SYSLIBS="$SYSLIBS -l$name"
++			    break
++			}
++		    done
++		done
++		# currently no IPv6 support on Hurd
++		CCARGS="$CCARGS -DNO_IPV6"
++		;;
+      IRIX*.5.*)	SYSTYPE=IRIX5
+ 		# Use the native compiler by default
+ 		: ${CC=cc} ${DEBUG="-g3"}
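Review bot: the GNU* case is a copy of the Linux case, so the library search loop looks in /usr/lib64 and /lib64, which are not Hurd paths (harmless but noise), and `SYSTYPE=GNU` is indented with a mix of spaces and tabs unlike the neighbouring cases. Because the case always appends `-DNO_IPV6`, the `#ifndef NO_IPV6` block added to sys_defs.h in the next hunk can never be enabled for this SYSTYPE; either drop that block or make the flag conditional here so the two files agree.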
+diff -Nur postfix-2.2.9_old/src/util/sys_defs.h postfix-2.2.9/src/util/sys_defs.h
+--- postfix-2.2.9_old/src/util/sys_defs.h	2006-01-03 22:52:17.000000000 +0100
++++ postfix-2.2.9/src/util/sys_defs.h	2006-03-11 14:29:44.000000000 +0100
+@@ -687,6 +687,62 @@
+ #endif
+ 
+  /*
++  * GNU.
++  */
++#ifdef GNU
++#define SUPPORTED
++#include <sys/types.h>
++#include <features.h>
++#define USE_PATHS_H
++#define HAS_FCNTL_LOCK
++#define INTERNAL_LOCK	MYFLOCK_STYLE_FCNTL
++#define DEF_MAILBOX_LOCK "fcntl, dotlock"	/* RedHat >= 4.x */
++#define HAS_FSYNC
++#define HAS_SDBM
++#define HAS_DB
++#define DEF_DB_TYPE	"hash"
++#define ALIAS_DB_MAP	"hash:/etc/aliases"
++#define HAS_NIS
++#define GETTIMEOFDAY(t)	gettimeofday(t,(struct timezone *) 0)
++#define ROOT_PATH	"/bin:/usr/bin:/sbin:/usr/sbin"
++#define FIONREAD_IN_TERMIOS_H
++#define USE_STATFS
++#define STATFS_IN_SYS_VFS_H
++#define UNIX_DOMAIN_CONNECT_BLOCKS_FOR_ACCEPT
++#define PREPEND_PLUS_TO_OPTSTRING
++#define HAS_POSIX_REGEXP
++#define HAS_DLOPEN
++#define NATIVE_SENDMAIL_PATH "/usr/sbin/sendmail"
++#define NATIVE_MAILQ_PATH "/usr/bin/mailq"
++#define NATIVE_NEWALIAS_PATH "/usr/bin/newaliases"
++#define NATIVE_COMMAND_DIR "/usr/sbin"
++#ifdef DEBIAN
++#define NATIVE_DAEMON_DIR	"/usr/lib/postfix"
++#ifndef DEF_MANPAGE_DIR
++#define DEF_MANPAGE_DIR		"/usr/share/man"
++#endif
++#ifndef DEF_SAMPLE_DIR
++#define DEF_SAMPLE_DIR		"/usr/share/doc/postfix/examples"
++#endif
++#ifndef DEF_README_DIR
++#define DEF_README_DIR		"/usr/share/doc/postfix"
++#endif
++#else
++#define NATIVE_DAEMON_DIR "/usr/libexec/postfix"
++#endif
++#define SOCKADDR_SIZE	socklen_t
++#define SOCKOPT_SIZE	socklen_t
++#ifndef NO_IPV6
++# define HAS_IPV6
++# define HAS_PROCNET_IFINET6
++# define _PATH_PROCNET_IFINET6 "/proc/net/if_inet6"
++#endif
++#define CANT_USE_SEND_RECV_MSG
++#define DEF_SMTP_CACHE_DEMAND	0
++#define HAS_DEV_URANDOM			/* introduced in 1.1 */
++#endif
++
++ /*
+   * HPUX11 was copied from HPUX10, but can perhaps be trimmed down a bit.
+   */
+ #ifdef HPUX11
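Review bot: several defines in the new GNU block were carried over from the Linux block with Linux-specific comments and values: `/* RedHat >= 4.x */` on DEF_MAILBOX_LOCK, `/* introduced in 1.1 */` on HAS_DEV_URANDOM (a Linux kernel version), and the `HAS_PROCNET_IFINET6` / `"/proc/net/if_inet6"` pair under `#ifndef NO_IPV6`, which describes Linux procfs and is unreachable anyway because the makedefs hunk always passes -DNO_IPV6 for GNU*. Dropping the dead IPv6 block and rewriting the comments to say what was actually verified on Hurd would keep the block honest; HAS_DEV_URANDOM in particular matters for the TLS random-number seeding, so it should be stated as a Hurd fact rather than inherited.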

Modified: postfix/trunk/debian/patches/40-kolab-ldap-leafonly.dpatch
===================================================================
--- postfix/trunk/debian/patches/40-kolab-ldap-leafonly.dpatch	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/patches/40-kolab-ldap-leafonly.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -11,35 +11,35 @@
 +++ ./src/global/dict_ldap.c    2005-07-19 02:46:30.000000000 +0200
 @@ -60,6 +60,10 @@
  /* .IP special_result_attribute
- /*     The attribute(s) of directory entries that can contain DNs or URLs.
- /*     If found, a recursive subsequent search is done using their values.
+ /*	The attribute(s) of directory entries that can contain DNs or URLs.
+ /*	If found, a recursive subsequent search is done using their values.
 +/* .IP exclude_internal
 +/*      Used in conjunction with \fIspecial_result_attribute\fR. If set to
 +/*      yes, only matching objects without \fIspecial_result_attribute\fR
 +/*      attributes are included in the result. The default is no.
  /* .IP scope
- /*     LDAP search scope: sub, base, or one.
+ /*	LDAP search scope: sub, base, or one.
  /* .IP bind
-@@ -226,6 +230,7 @@ typedef struct {
+@@ -229,6 +233,7 @@
      char   *search_base;
      ARGV   *result_attributes;
-     int     num_attributes;            /* rest of list is DN's. */
+     int     num_attributes;		/* rest of list is DN's. */
 +    int     exclude_internal;
      int     bind;
      char   *bind_dn;
      char   *bind_pw;
-@@ -717,6 +722,7 @@ static void dict_ldap_get_values(DICT_LD
-     char   *myname = "dict_ldap_get_values";
-     struct timeval tv;
+@@ -767,6 +772,7 @@
+     int     valcount;
      LDAPURLDesc *url;
+     const char *myname = "dict_ldap_get_values";
 +    int     is_leaf;
-
-     tv.tv_sec = dict_ldap->timeout;
-     tv.tv_usec = 0;
-@@ -744,6 +750,27 @@ static void dict_ldap_get_values(DICT_LD
-                     dict_ldap->size_limit);
-            dict_errno = DICT_ERR_RETRY;
-        }
+ 
+     if (++recursion == 1)
+ 	expansion = 0;
+@@ -791,6 +797,28 @@
+ 		     dict_ldap->size_limit);
+ 	    dict_errno = DICT_ERR_RETRY;
+ 	}
 +
 +       /*
 +        * The number of ordinary attributes is "num_attributes". We run through
@@ -61,28 +61,29 @@
 +               }
 +           }
 +       }
-        for (attr = ldap_first_attribute(dict_ldap->ld, entry, &ber);
-             attr != NULL;
-             ldap_memfree(attr), attr = ldap_next_attribute(dict_ldap->ld,
-@@ -791,6 +818,7 @@ static void dict_ldap_get_values(DICT_LD
-             */
-            if (i < dict_ldap->num_attributes) {
-                /* Ordinary result attribute */
-+               if(is_leaf) {
-                for (i = 0; vals[i] != NULL; i++) {
-                    if (db_common_expand(dict_ldap->ctx,
-                                         dict_ldap->result_format, vals[i],
-@@ -809,6 +837,7 @@ static void dict_ldap_get_values(DICT_LD
-                    msg_info("%s[%d]: search returned %ld value(s) for"
-                             " requested result attribute %s",
-                             myname, recursion, i, attr);
-+               }
-            } else if (recursion < dict_ldap->recursion_limit
-                       && dict_ldap->result_attributes->argv[i]) {
-                /* Special result attribute */
-@@ -1351,6 +1380,11 @@ DICT   *dict_ldap_open(const char *ldaps
++
+ 	for (attr = ldap_first_attribute(dict_ldap->ld, entry, &ber);
+ 	     attr != NULL;
+ 	     ldap_memfree(attr), attr = ldap_next_attribute(dict_ldap->ld,
+@@ -840,6 +868,7 @@
+ 	     */
+ 	    if (i < dict_ldap->num_attributes) {
+ 		/* Ordinary result attribute */
++		if(is_leaf) {
+ 		for (i = 0; i < valcount; i++) {
+ 		    if (db_common_expand(dict_ldap->ctx,
+ 					 dict_ldap->result_format,
+@@ -859,6 +888,7 @@
+ 		    msg_info("%s[%d]: search returned %ld value(s) for"
+ 			     " requested result attribute %s",
+ 			     myname, recursion, i, attr);
++		}
+ 	    } else if (recursion < dict_ldap->recursion_limit
+ 		       && dict_ldap->result_attributes->argv[i]) {
+ 		/* Special result attribute */
+@@ -1395,6 +1425,11 @@
      myfree(attr);
-
+ 
      /*
 +     * get configured value of "exclude_internal", default to no
 +     */
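Review bot: the refreshed dpatch mostly updates offsets (`@@ -226` to `@@ -229`, `@@ -717` to `@@ -767`, and so on) and converts the context lines from spaces to tabs to match upstream; the functional change, `if(is_leaf) {` around the ordinary-attribute loop with its closing `}` after the msg_info, is unchanged. Two readability points carried over from the old version: the body inside `if(is_leaf)` is not re-indented, so the brace structure is hard to follow at the `} else if (recursion < ...)` line, and `if(` lacks the space the surrounding code uses. The new headers also drop the function-name context (`static void dict_ldap_get_values(DICT_LD`) the old ones carried, which is fine but makes this diff-of-diff harder to map back to dict_ldap.c.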

Deleted: postfix/trunk/debian/patches/50tls.dpatch
===================================================================
--- postfix/trunk/debian/patches/50tls.dpatch	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/patches/50tls.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -1,30277 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 50tls.dpatch by LaMont Jones <lamont at debian.org>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: No description.
-
- at DPATCH@
-diff -urNad postfix-release/conf/postfix-files /tmp/dpep.cXJuVH/postfix-release/conf/postfix-files
---- postfix-release/conf/postfix-files	2005-02-03 10:22:12.216284906 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/conf/postfix-files	2005-02-03 10:22:12.846144411 -0700
-@@ -81,6 +81,7 @@
- $daemon_directory/smtp:f:root:-:755
- $daemon_directory/smtpd:f:root:-:755
- $daemon_directory/spawn:f:root:-:755
-+$daemon_directory/tlsmgr:f:root:-:755
- $daemon_directory/trivial-rewrite:f:root:-:755
- $daemon_directory/verify:f:root:-:755
- $daemon_directory/virtual:f:root:-:755
-@@ -173,6 +174,7 @@
- $manpage_directory/man8/smtp.8:f:root:-:644
- $manpage_directory/man8/smtpd.8:f:root:-:644
- $manpage_directory/man8/spawn.8:f:root:-:644
-+$manpage_directory/man8/tlsmgr.8:f:root:-:644
- $manpage_directory/man8/trace.8:f:root:-:644
- $manpage_directory/man8/trivial-rewrite.8:f:root:-:644
- $manpage_directory/man8/verify.8:f:root:-:644
-@@ -184,6 +186,7 @@
- $sample_directory/sample-debug.cf:f:root:-:644:o
- $sample_directory/sample-filter.cf:f:root:-:644:o:o
- $sample_directory/sample-flush.cf:f:root:-:644:o
-+$sample_directory/sample-ipv6.cf:f:root:-:644:o
- $sample_directory/sample-ldap.cf:f:root:-:644:o
- $sample_directory/sample-lmtp.cf:f:root:-:644:o
- $sample_directory/sample-local.cf:f:root:-:644:o
-@@ -204,6 +207,7 @@
- $sample_directory/sample-scheduler.cf:f:root:-:644:o
- $sample_directory/sample-smtp.cf:f:root:-:644:o
- $sample_directory/sample-smtpd.cf:f:root:-:644:o
-+$sample_directory/sample-tls.cf:f:root:-:644:o
- $sample_directory/sample-transport.cf:f:root:-:644:o
- $sample_directory/sample-verify.cf:f:root:-:644:o
- $sample_directory/sample-virtual.cf:f:root:-:644:o
-@@ -222,6 +226,7 @@
- $readme_directory/FILTER_README:f:root:-:644
- $readme_directory/HOSTING_README:f:root:-:644:o
- $readme_directory/INSTALL:f:root:-:644
-+$readme_directory/IPV6_README:f:root:-:644
- $readme_directory/LDAP_README:f:root:-:644
- $readme_directory/LINUX_README:f:root:-:644
- $readme_directory/LMTP_README:f:root:-:644
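Review bot: the removed dpatch's own header reads `## DP: No description.` and nothing in this hunk records why 50tls.dpatch is dropped; since the removal also takes the `$daemon_directory/tlsmgr:f:root:-:755`, `$manpage_directory/man8/tlsmgr.8` and `$readme_directory/IPV6_README` entries out of postfix-files, the commit message should state where TLS and IPv6 support now come from so packagers can confirm those files are still installed by whatever replaces this patch.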
-diff -urNad postfix-release/IPv6-ChangeLog /tmp/dpep.cXJuVH/postfix-release/IPv6-ChangeLog
---- postfix-release/IPv6-ChangeLog	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/IPv6-ChangeLog	2005-02-03 10:22:12.847144188 -0700
-@@ -0,0 +1,470 @@
-+ChangeLog for Dean Strik's IPv6 patch for Postfix. The patch is based on
-+PLD's patch, which in turn seems to be based on KAME's. For more information:
-+
-+	http://www.ipnet6.org/postfix/
-+
-+---------------------------------------------------------------------
-+
-+Version 1.24	Postfix release 2.1.1
-+		Postfix release 2.0.20
-+		Postfix snapshot 2.0.19-20040312
-+		Postfix snapshot 2.2-20040504
-+
-+	Bugfix: Prefixlen non-noll host portion validation (in CIDR maps
-+	for example) yielded incorrect results sometimes because signed
-+	arithmetic was used instad of unsigned.
-+	File: util/match_ops.c
-+
-+	Patch correction: The TLS+IPv6 patch for Postfix 2.1.0 missed
-+	the master.cf update (used for new installattions). Added it
-+	back.
-+
-+Version 1.23	Postfix release 2.1.0
-+		Postfix release 2.0.20
-+		Postfix snapshot 2.0.19-20040312
-+
-+	Patch fixes: Several code fixes to make the patch compile
-+	and work correctly when compiled without IPv6 support.
-+
-+	Bugfix (Solaris only?): address family length was not updated
-+	which could cause client hostname validation errors.
-+	File: smtpd/smtpd_peer.c
-+
-+	Portability: added support for Darwin 7.3+. This may need
-+	some further testing.
-+
-+	Cleanup: Restructure and redocument interface address
-+	retrieval functions. (This reduced the number of preprocessor
-+	statements from 99 to 93 ;)
-+	File: util/inet_addr_local.c
-+
-+	Cleanup: make several explicit casts to have compilers shut
-+	their pie holes about uninteresting things.
-+
-+Version 1.22	Postfix release 2.0.19
-+		Postfix snapshot 2.0.19-20040312
-+
-+	Feature: Support "inet_interfaces = IPv4:all" and
-+	"inet_interfaces = IPv6:all", to restrict postfix to use
-+	either IPv4-only or IPv6-only. A more complete implementation
-+	will be part of a future patch. (Slightly modified) patch by
-+	Michal Ludvig, SuSE.
-+	Files: util/interfaces_to_af.[ch], util/inet_addr_local.c,
-+	global/own_inet_addr.c, global/wildcard_inet_addr.[ch],
-+	master/master_ent.ch
-+
-+	Bugfix: In Postfix snapshots, a #define was misplaced with
-+	the effect that IPv6 subnets were not included in auto-
-+	generated $mynetworks (i.e., mynetworks not defined in main.cf,
-+	when also mynetworks_style=subnet) on Linux 2.x systems.
-+	File: utils/sys_defs.h
-+
-+Version 1.21a	Postfix snapshots 2.0.18-2004{0122,0205,0209}
-+				  2.0.19-20040312
-+
-+	TLS/snapshot version: Update TLS patch to 0.8.18-20040122.
-+	Performed as a total repatch. 0.8.18 is cleaner with tls_*
-+	variables if TLS is not actually compiled in.
-+
-+Version 1.21	Postfix releases 2.0.18 - 2.0.19
-+		Postfix snapshot 2.0.16-20031231
-+
-+	Bugfix: The SMTP client could fail to setup a connection,
-+	erroring with a bogus "getaddrinfo(...): hostname nor servname
-+	provided" warning, because the wrong address was selected.
-+	File: smtp/smtp_connect.c
-+
-+	Safety: in dynamically growing data structures, update the
-+	length info after (instead of before) updating the data size.
-+	File: util/inet_addr_list.c
-+
-+Version 1.20	Postfix release 2.0.16
-+		Postfix snapshot 2.0.16-20031207
-+
-+	Bugfix: The SMTP client would abort when binding to specific
-+	IPv6 addresses.
-+	File: smtp/smtp_connect.c
-+
-+	Synchronisation/bugfix: LMTP source address binding is identical
-+	to the SMTP source binding setup, avoiding the need for
-+	lmtp_bind_address(6) if inet_interfaces is set to a single
-+	host for an address family.
-+	File: lmtp/lmtp_connect.c
-+
-+Version 1.19	Postfix release 2.0.16
-+		Postfix snapshot 2.0.16-20031207
-+
-+	Bugfix: Synchronisation of TLS patches in snapshots of 1.18[ab]
-+	was not complete, causing a crash of smtpd if used with the new
-+	proxy agent.
-+	File: smtpd/smtpd.c
-+
-+	Bugfix: SMTP source address binding based on a single hostname
-+	in inet_interfaces did not work since the code counted IPv4 and
-+	IPv6 addresses instead of only the used address family. Fixed,
-+	thereby no longer requiring exact specification of
-+	smtp_bind_address(6) in this case.
-+	File: smtp/smtp_connect.c
-+
-+	Bugfix: The QMQP sink server did not compile correctly. This
-+	program, part of smtpstone tools, is not compiled or installed
-+	by default.
-+	File: smtpstone/qmqp-sink.c
-+
-+	Bugfix: NI_WITHSCOPEID was not correctly defined everywhere,
-+	which could result in EAI_BADFLAGS. Changed location of
-+	definition to correct it.
-+	Files: util/sys_defs.h, util/inet_addr_list.h
-+
-+Version 1.18b	Postfix snapshot 2.0.16-20030921
-+
-+	IPv6 support: Added IPv6-enabled code to the new snapshot
-+	check_*_{ns,mx}_access restrictions.
-+	File: smtpd/smtpd_check.c
-+
-+Version 1.18a	Postfix release 2.0.16
-+
-+	Update (TLS patches): Updated Lutz Jaenicke's TLS patch to
-+	version 0.8.16. See pfixtls/ChangeLog for details.
-+	Diff contributed by Tuomo Soini.
-+
-+	The TLS+IPv6 patch now contains the original TLS patch
-+	documentation from Lutz Jaenicke.
-+
-+Version 1.18	Postfix releases 2.0.14 - 2.0.15
-+		Postfix snapshot 2.0.14-20030812
-+
-+	Bugfix: Perform actual hostname verification in the SMTP
-+	and QMTP servers. This was never supported in the IPv6
-+	patch. Reported by Wolfgang S. Rupprecht.
-+	Files: smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c
-+
-+	IPv6 address ranges using address/prefixlength (e.g. in
-+	mynetworks and access maps) should be written as
-+	[ipv6:addr:ess]/plen (e.g. [fec0:10:20::]/48). The old
-+	supported syntax, [ipv6:addr:ess/plen] is deprecated and
-+	support will be removed in a later version.
-+	Thanks to Dr. Peter Bieringer and Pekka Savola for discussion.
-+	Files: util/match_ops.c, global/mynetworks.c
-+
-+	Explicitly prefer IPv6 over IPv4 addresses when delivering
-+	to a host when MX lookups are disabled when SMTP address
-+	randomization is on (default).
-+	File: smtp/smtp_addr.c
-+
-+	Compliance: write IPv6 address literals in mail headers 
-+	as [IPv6:addr] instead of [addr] as per RFC 2821:4.1.3
-+	tagging requirement, for example [IPv6:fec0:10:20::1].
-+	Pointed out by Dr. Peter Bieringer.
-+	Files: smtpd/smtpd{,_peer,_state}.c, smtpd/smtpd.h
-+
-+Version 1.17	Postfix release 2.0.13, 2.0.14
-+		Postfix snapshot 2.0.13-20030706, 2.0.14-20030812
-+
-+	Bugfix: Two memory allocation/deallocation bugs were
-+	introduced in patch 1.16. The impact of these bugs could
-+	be 'arbitrary' memory corruption.
-+	File: util/match_ops.c
-+
-+Version 1.16	Postfix release 2.0.13
-+		Postfix snapshot 2.0.13-20030706
-+
-+	Cleanup: rewrote match_ops.c. This rewrite is partly based on
-+	patch by Takahiro Igarashi. The rewrite enables some better
-+	handling of scoped addresses, and drops all GPL code from the
-+	patch, easying license considerations. Also, allowed for
-+	use of this code by the CIDR maps.
-+	Files: util/match_ops.[ch]
-+
-+	Bugfix: correctly relay for scoped unicast addresses when
-+	applicable. Until now, while Postfix was able to recognize
-+	scoped addresses, it was not able to see e.g. fe80::10%fxp0
-+	as local in mynetworks validation.  KAME-only code.
-+	(I've never heard of people using scoped addresses (think
-+	link-local addresses) for mail relaying though...)
-+	Files: util/inet_addr_list.[ch]
-+
-+	Feature (snapshot only): rewrote CIDR maps code to support
-+	IPv6 addresses, using new match_ops code. Allow the use
-+	of [::/0] since it allows one to easily disable further
-+	checks for IPv6 addresses.
-+	File: util/dict_cidr.c
-+
-+	Consistency: require IPv6 addresses in inet_interfaces to
-+	be enclosed in square brackets.
-+	File: util/inet_addr_host.c
-+
-+	Bugfix: (Linux2-only) A #define was misspelled. This could
-+	lead to Postfix being unable to read the system's local IPv6
-+	addresses (e.g. when using inet_interfaces).
-+	Spotted by Jochen Friedrich.
-+	File: util/sys_defs.h
-+
-+	Cleanup: require non-null host portion in CIDR /
-+	prefixlength notations for IPv6 (was IPv4-only).
-+
-+Version 1.15a	Postfix release 2.0.13
-+
-+	Update (TLS patches): Updated Lutz Jaenicke's TLS patch
-+	to version 0.8.15. This version introduces new options
-+	for managing SASL mechanisms. More information at:
-+	http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/
-+	Diff contributed by Tuomo Soini.
-+
-+Version 1.15	Postfix release 2.0.12, 2.0.13
-+		Postfix snapshot 2.0.12-20030621
-+
-+	Bugfix (TLS-snapshots only): a change in Postfix snapshot
-+	2.0.11-20030609 broke initialisation of TLS in smtpd,
-+	causing TLS to both be unadvertised and unaccepted.
-+	This was fixed again by reordering initialisation.
-+	File: smtpd/smtpd.c
-+
-+	Update (TLS patches): Updated Lutz Jaenicke's TLS patch
-+	to version 0.8.14. This version introduces a few fixes and
-+	uses USE_SSL instead of HAS_SSL. More information at:
-+	http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/
-+	Diff contributed by Tuomo Soini.
-+
-+	Bugfix (Postfix releases only - this was already added to
-+	the snapshots in patch 1.14). KAME derived systems only.
-+	Correctly decode scoped addresses, including network
-+	interface specifiers.
-+	File: util/inet_addr_local.c
-+
-+Version 1.14	Postfix releases 2.0.9, 2.0.10, 2.0.11, 2.0.12
-+		Postfix snapshots 2.0.9-20030424, 2.0.10-20030521,
-+				  2.0.11-20030609, 2.0.12-20030611
-+
-+	Patch change: made the patch available as an IPv6-only
-+	patch (i.e., without the TLS code). This on popular
-+	request by users and packagers.
-+	A TLS+IPv6 version is still available of course.
-+
-+	Bugfix: correctly decode scoped addresses from now on
-+	(KAME derived systems only). I think the original code
-+	was written by Itojun, so I'm rather puzzled that it
-+	didn't work...
-+	File: util/inet_addr_local.c
-+
-+	Bugfix/portability: Recent KAME snapshots return both
-+	TCP and SCTP address information on getaddrinfo() if
-+	no protocol was specified. This causes the socket counts
-+	to be wrong, confusing child processes.
-+	Merged patch by JINMEI Tatuya of KAME to fix this.
-+	Files: master/master.h, master/master_{ent,conf}.[ch],
-+		util/inet_listen.c
-+
-+	Documentation: added an IPV6_README file to the patch.
-+	This file contains the primary documentation. Also,
-+	added a sample-ipv6.cf to describe the (currently few)
-+	IPv6 related main.cf parameters.
-+
-+	Bugfix: the netmask structures for the *unsupported*
-+	platforms (boldly assume /64) were added to the wrong
-+	list (addresses instead of masks). This bug did not affect
-+	any supported platform though.
-+	File: util/inet_addr_local.c
-+
-+	Portability: added support for HP/Compaq Tru64Unix V5.1
-+	and later. (compiled with CompaqCC only).
-+	Thanks to Sten Spans for providing root access to an
-+	IPv6-connected Tru64 testing machine.
-+
-+Version 1.13	Postfix releases 2.0.4 - 2.0.9
-+		Postfix snapshots 2.0.3-20030126 - 2.0.7-20030319
-+
-+	Bugfix: Due to a missing storage pointer, DNS lookup
-+	results in the permit_mx_backups code were not processed,
-+	and smtpd would likely crash.
-+	Thanks to Wouter de Jong for reporting the crashes.
-+	File: smtpd/smtpd_check.c
-+
-+	Incompatible change: The addresses given to the parameters
-+	smtp_bind_address6 and lmtp_bind_address6 now need to be
-+	enclosed in square brackets for consistency.
-+	Files: [ls]mtp/[ls]mtp_connect.c
-+
-+Version 1.12	Postfix releases 2.0.2, 2.0.3
-+		Postfix snapshots 2.0.2-20030115, 2.0.3-20030126
-+
-+	Bugfix/workaround (Solaris): A simplified comparison
-+	function for Solaris' qsort() function, would result
-+	in corruption of network addresses in the SMTP client.
-+	Fixed. Reported with possible fix by Edvard Tuinder.
-+	File: smtp/smtp_addr.c
-+
-+Version 1.11	Postfix releases 2.0.0.x, 2.0.1, 2.0.2
-+		Postfix snapshots 2.0.0-20030105, 2.0.1-20030112
-+			2.0.2-20030115
-+
-+	Bugfix (Solaris): Properly initialize lifconf structure
-+	when requesting host interface addresses. If you get
-+	warnings about SIOCGLIFCONF with earlier versions,
-+	please upgrade.
-+	File: util/inet_addr_local.c
-+
-+	Patch fix: fixed compilation errors in case the patch is
-+	applied but built without IPv6 support (i.e., on unsupported
-+	platforms).
-+
-+Version 1.10	Postfix snapshots 1.1.12-200212{19,21}
-+		Postfix releases 2.0.0, 2.0.0.{1,2}
-+		Postfix snapshots 2.0.0-20021223 - 2.0.0-20030101
-+
-+	'Bugfix': don't show spurious warnings on Linux systems
-+	about missing /proc/net/if_inet6 unless verbose mode
-+	is enabled.
-+	File: util/inet_addr_local.c
-+
-+	Bugfix: If unable to create a socket for a specific adress
-+	in the SMTP client (e.g., when trying to create an IPv6
-+	connection while the local host has no configured IPv6
-+	addresses), then stop the attempt.
-+	File: smtp/smtp_connect.c
-+
-+	Small bugfix: never query DNS for <localpart@[domain.tld]>.
-+	This syntax now correctly generates an error immediately.
-+	File: global/resolve_local.c
-+
-+	Updated TLS patch to 0.8.12-1.1.12-20021219-0.9.6h, fixing
-+	a bug with "sendmail -bs".
-+
-+Version 1.9	Postfix version 1.1.11-20021115
-+		Postfix version 1.1.12-2002{1124,1209-1213}
-+
-+	Bugfix: with getifaddrs() code (*BSD, linux-USAGI), IPv4
-+	netmasks were set to /32 effectively. Work around broken
-+	netmask data structures (*BSD only perhaps).
-+
-+	Bugfix: same data corruption in another place created
-+	entirely wrong IPv4 netmasks. Work around broken
-+	SIOCGIFNETMASK structure.
-+
-+	New code was added for correct IPv6 netmasks. The original
-+	code did not contain IPv6 netmask support at all!
-+	For Solaris, use SIOCGLIF*; Linux: /proc/net/if_inet6.
-+	Getifaddrs() support is used otherwise. This should cover
-+	all supported systems. Other systems also work, prefix
-+	length is always set to /64 then.
-+
-+	Since there are no classes (context: Class A, class B etc
-+	networks) with IPv6, default to IPv6 subnet style if the
-+	mynetworks style is 'class'. I recommend against this style
-+	anyway.
-+
-+	Added support to display IPv6 nets mynetworks output.
-+
-+Version 1.8	Postfix version 1.1.11-200211{01,15}
-+
-+	An earlier author of the patch made a typo in the GAI_STRERROR()
-+	macro, resulting in bogus error messages when checking for
-+	PTR records. Fixed.
-+
-+	IPv4-mapped addresses in the smtpd are converted to true IPv4
-+	addresses just after the connection has been made. This means
-+	that all IPv4-mapped addresses are now logged as true IPv4
-+	addresses. Hence beside RBL checks, also access maps now treat
-+	IPv4-mapped addresses as native IPv4. Note that ::ffff:...
-+	entries in your access tables will no longer work.
-+
-+	You can now specify IPv6 'parent' networks in your access maps,
-+	e.g. to reject all mail from 3ffe:200:... nodes, add the line
-+		3ffe:200	REJECT
-+	Use of trailing colons is discouraged because postmap will
-+	warn about it possibly being an alias...
-+	NOTE: I'll soon obsolete this again in favor of the more
-+	common address/len notation. This was just so trivial to add
-+	that it didn't hurt and I needed it :)
-+
-+	For easy reference, the version of the TLS/IPv6 patch can be
-+	dynamically queried using the  tls_ipv6_version  variable.
-+	This gives the short version (like, "1.8").
-+
-+	The service bind address for 'inet' sockets in master.cf (e.g.,
-+	smtpd), must be enclosed in square brackets '[..]' for IPv6
-+	addresses. The old style (without brackets) still works but is
-+	unsupported and may be removed in the future. Example
-+	    [::1]:smtp inet n - n - - smtpd
-+
-+Version 1.7	Postfix version 1.1.11-20021029 - 1.1.11-20021101
-+
-+	Postfix' SMTP client performs randomization of MX addresses
-+	when sending mail. This however could result in A records
-+	being used before AAAA records. This has been corrected.
-+
-+	Note that from Postfix version 1.1.11-20021029 on, there is
-+	a  proxy_interfaces  parameter. This has of course not been
-+	ported to IPv6 addresses...
-+
-+Version 1.6	Postfix version 1.1.11-20020928
-+
-+	Added IPv6 support for backup_mx_networks feature; also the
-+	behaviour when DNS lookups fail when checking whether the
-+	local host is an MX for a domain conforms to the IPv4 case:
-+	defer rather than allow.
-+
-+Version 1.5	Postfix version 1.1.11-20020917
-+
-+	I introduced two bugs when I rewrote my older LMTP IPv6 patch.
-+	These bugs effectively rendered LMTP useless. Now fixed.
-+	Bugs spotted by Kaj Niemi.
-+
-+	Now supports Solaris 8 and 9. Due to lack of testing equipment,
-+	this has been only tested in production on Solaris 9, both
-+	with gcc and the Sun Workshop Compiler.
-+
-+Version 1.4	Postfix version 1.1.11-20020822 - 1.1.11-20020917
-+
-+	OpenBSD (>=200003) and FreeBSD release 4 and up now use
-+        getifaddrs(). This makes for cleaner code. The old code
-+	seems to be bug-ridden anyway.
-+
-+	Got rid of some compiler warnings. Should be cleaner on
-+	Alpha as well now. Thanks to Sten Spans for providing me
-+	access to an Alpha running FreeBSD4.
-+
-+	Fixed an old bug in smtpd memory alloation if you compiled
-+	without IPv6 support (the wrong buffer size was used. This
-+	was harmless for IPv6-enabled compiles since the sizes were
-+	equal then).
-+
-+	Added ChangeLog to the patch (as IPv6-ChangeLog) (this
-+	was absent in 1.3 contrary to docs).
-+
-+Version 1.3	Postfix version 1.1.11-20020613 - 1.1.11-20020718
-+
-+	FYI: In postfix version 1.1.11-20020718, DNS lookups for
-+	AAAA can be done natively. The code matches the code in
-+	the patch (though the #ifdef changed from INET6 to T_AAAA).
-+	This change causes the patch for 1.1.11-20020718 to be a
-+	bit smaller.
-+
-+Version 1.2	Postfix version 1.1.11-20020613
-+
-+	Added IPv6 support for the LMTP client.
-+
-+	Added lmtp_bind_address and lmtp_bind_address6 parameters,
-+	similar to those for smtp.
-+
-+	Added IPv6 support for the QMQP server.
-+
-+Version 1.1	Postfix version 1.1.11-20020602 - 1.1.11-20020613
-+
-+	Added parameter smtp_bind_address6. By using this parameter,
-+	it is possible to bind to an IPv6 address, independently of
-+	IPv4 address binding.
-+
-+	Lutz fixed a bug in his TLS patch regarding SASL. Incorporated.
-+
-+Version 1.0.x	Postfix version 1.1.8-20020505 - 1.1.11-20020602
-+
-+	Patch derived from PLD's IPv6 patch for Postfix, revision 1.10
-+	which applied to early Postfix snapshots 1.1.x. Updated this
-+	patch to apply to 1.1.8-20020505.
-+
-+	Added compile-time checks for SS_LEN. Some Linux installations,
-+	and maybe other systems, do define SA_LEN, but not SS_LEN.
-+
-+	Several updates of postfix snapshots.
-+
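Review bot: this removed IPv6-ChangeLog is the only text in the hunk recording two changes that affect access policy: since patch 1.8 the smtpd rewrites IPv4-mapped addresses to native IPv4, so `::ffff:...` entries in access tables no longer match, and since 1.18 IPv6 ranges in mynetworks and access maps must be written `[ipv6:addr:ess]/plen`, with the older `[ipv6:addr:ess/plen]` form deprecated. Dropping the file is fine if the replacement documentation carries both points; otherwise administrators with existing mynetworks or access maps get no upgrade note and may silently lose a REJECT entry.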
-diff -urNad postfix-release/makedefs /tmp/dpep.cXJuVH/postfix-release/makedefs
---- postfix-release/makedefs	2005-02-03 10:22:12.217284683 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/makedefs	2005-02-03 10:22:12.847144188 -0700
-@@ -327,6 +327,33 @@
- 		;;
- esac
- 
-+# Check for IPv6 support
-+
-+if [ -z "$NO_IPV6" ] ; then
-+if [ -f /usr/include/netinet6/in6.h ] ; then
-+	grep __KAME__ /usr/include/netinet6/in6.h 2>&1 >/dev/null
-+	if [ $?  = 1 ]; then
-+		INET6=
-+	else
-+		if [ -f /usr/local/v6/lib/libinet6.a ]; then
-+			INET6=kame
-+		else
-+			INET6=kame-merged
-+		fi
-+	fi
-+fi
-+if [ -z "$INET6" -a -f /usr/include/netinet/ip6.h ]; then
-+	case "$SYSTYPE" in
-+	SUNOS5)	INET6=solaris ;;
-+	OSF1)	INET6=osf1 ;;
-+	*)	;;
-+	esac
-+fi
-+if [ -z "$INET6" -a -f /usr/include/netinet/ip6.h -a -f /usr/include/linux/icmpv6.h ]; then
-+	INET6=linux
-+fi
-+fi # [-z NO_IPV6]
-+
- # Defaults that can be overruled (make makefiles CC=cc OPT=-O6 DEBUG=)
- # Disable optimizations by default when compiling for Purify. Disable
- # optimizations by default with gcc 2.8, until the compiler is known to
-@@ -346,6 +373,31 @@
- 	-Wparentheses -Wstrict-prototypes -Wswitch -Wuninitialized \
- 	-Wunused'}
- 
-+case "$INET6" in
-+kame)
-+	CCARGS="$CCARGS -DINET6 -DINET6_KAME"
-+	CCARGS="$CCARGS -D__ss_family=ss_family -D__ss_len=ss_len"
-+	if test -f /usr/local/v6/lib/libinet6.a; then
-+		SYSLIBS="$SYSLIBS -L/usr/local/v6/lib -linet6"
-+	fi
-+	;;
-+kame-merged)
-+	CCARGS="$CCARGS -DINET6 -DINET6_KAME"
-+	CCARGS="$CCARGS -D__ss_family=ss_family -D__ss_len=ss_len"
-+	;;
-+solaris|osf1)
-+	CCARGS="$CCARGS -DINET6 -D__ss_family=ss_family -D__ss_len=ss_len"
-+	;;
-+linux)
-+	CCARGS="$CCARGS -DINET6 -D__ss_family=ss_family"
-+	if test -f /usr/include/libinet6/netinet/ip6.h -a \
-+		-f /usr/lib/libinet6.a; then 
-+		CCARGS="$CCARGS -I/usr/include/libinet6 -DUSAGI_LIBINET6"
-+		SYSLIBS="$SYSLIBS -linet6"
-+	fi
-+	;;
-+esac
-+
- export SYSTYPE AR ARFL RANLIB SYSLIBS CC OPT DEBUG AWK OPTS
- 
- sed 's/  / /g' <<EOF
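Review bot: in the removed makedefs block, `grep __KAME__ /usr/include/netinet6/in6.h 2>&1 >/dev/null` applies the redirections left to right, so grep's stderr goes to the original stdout rather than /dev/null, and the following `if [ $?  = 1 ]` only recognises "no match"; a grep error exit (2, for example an unreadable header) falls through to the kame branches and sets INET6 on a system where nothing was found. If this detection logic is carried over anywhere, write it as `grep ... >/dev/null 2>&1` and branch on `$? -eq 0` for the positive case.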
-diff -urNad postfix-release/man/man8/tlsmgr.8 /tmp/dpep.cXJuVH/postfix-release/man/man8/tlsmgr.8
---- postfix-release/man/man8/tlsmgr.8	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/man/man8/tlsmgr.8	2005-02-03 10:22:12.848143965 -0700
-@@ -0,0 +1,130 @@
-+.TH TLSMGR 8 
-+.ad
-+.fi
-+.SH NAME
-+tlsmgr
-+\-
-+Postfix TLS session cache and PRNG handling manager
-+.SH SYNOPSIS
-+.na
-+.nf
-+\fBtlsmgr\fR [generic Postfix daemon options]
-+.SH DESCRIPTION
-+.ad
-+.fi
-+The tlsmgr process does housekeeping on the session cache database
-+files. It runs through the databases and removes expired entries
-+and entries written by older (incompatible) versions.
-+
-+The tlsmgr is responsible for the PRNG handling. The used internal
-+OpenSSL PRNG has a pool size of 8192 bits (= 1024 bytes). The pool
-+is initially seeded at startup from an external source (EGD or
-+/dev/urandom) and additional seed is obtained later during program
-+run at a configurable period. The exact time of seed query is
-+using random information and is equally distributed in the range of
-+[0-\fBtls_random_reseed_period\fR] with a \fBtls_random_reseed_period\fR
-+having a default of 1 hour.
-+
-+Tlsmgr can be run chrooted and with dropped privileges, as it will
-+connect to the entropy source at startup.
-+
-+The PRNG is additionally seeded internally by the data found in the
-+session cache and timevalues.
-+
-+Tlsmgr reads the old value of the exchange file at startup to keep
-+entropy already collected during previous runs.
-+
-+From the PRNG random pool a cryptographically strong 1024 byte random
-+sequence is written into the PRNG exchange file. The file is updated
-+periodically with the time changing randomly from
-+[0-\fBtls_random_prng_update_period\fR].
-+.SH STANDARDS
-+.na
-+.nf
-+.SH SECURITY
-+.na
-+.nf
-+.ad
-+.fi
-+Tlsmgr is not security-sensitive. It only deals with external data
-+to be fed into the PRNG, the contents is never trusted. The session
-+cache housekeeping will only remove entries if expired and will never
-+touch the contents of the cached data.
-+.SH DIAGNOSTICS
-+.ad
-+.fi
-+Problems and transactions are logged to the syslog daemon.
-+.SH BUGS
-+.ad
-+.fi
-+There is no automatic means to limit the number of entries in the
-+session caches and/or the size of the session cache files.
-+.SH CONFIGURATION PARAMETERS
-+.na
-+.nf
-+.ad
-+.fi
-+The following \fBmain.cf\fR parameters are especially relevant to
-+this program. See the Postfix \fBmain.cf\fR file for syntax details
-+and for default values. Use the \fBpostfix reload\fR command after
-+a configuration change.
-+.SH Session Cache
-+.ad
-+.fi
-+.IP \fBsmtpd_tls_session_cache_database\fR
-+Name of the SDBM file (type sdbm:) containing the SMTP server session
-+cache. If the file does not exist, it is created.
-+.IP \fBsmtpd_tls_session_cache_timeout\fR
-+Expiry time of SMTP server session cache entries in seconds. Entries
-+older than this are removed from the session cache. A cleanup-run is
-+performed periodically every \fBsmtpd_tls_session_cache_timeout\fR
-+seconds. Default is 3600 (= 1 hour).
-+.IP \fBsmtp_tls_session_cache_database\fR
-+Name of the SDBM file (type sdbm:) containing the SMTP client session
-+cache. If the file does not exist, it is created.
-+.IP \fBsmtp_tls_session_cache_timeout\fR
-+Expiry time of SMTP client session cache entries in seconds. Entries
-+older than this are removed from the session cache. A cleanup-run is
-+performed periodically every \fBsmtp_tls_session_cache_timeout\fR
-+seconds. Default is 3600 (= 1 hour).
-+.SH Pseudo Random Number Generator
-+.ad
-+.fi
-+.IP \fBtls_random_source\fR
-+Name of the EGD socket or device or regular file to obtain entropy
-+from. The type of entropy source must be specified by preceding the
-+name with the appropriate type: egd:/path/to/egd_socket,
-+dev:/path/to/devicefile, or /path/to/regular/file.
-+tlsmgr opens \fBtls_random_source\fR and tries to read
-+\fBtls_random_bytes\fR from it.
-+.IP \fBtls_random_bytes\fR
-+Number of bytes to be read from \fBtls_random_source\fR.
-+Default value is 32 bytes. If using EGD, a maximum of 255 bytes is read.
-+.IP \fBtls_random_exchange_name\fR
-+Name of the file written by tlsmgr and read by smtp and smtpd at
-+startup. The length is 1024 bytes. Default value is
-+/etc/postfix/prng_exch.
-+.IP \fBtls_random_reseed_period\fR
-+Time in seconds until the next reseed from external sources is due.
-+This is the maximum value. The actual point in time is calculated
-+with a random factor equally distributed between 0 and this maximum
-+value. Default is 3600 (= 60 minutes).
-+.IP \fBtls_random_prng_update_period\fR
-+Time in seconds until the PRNG exchange file is updated with new
-+pseude random values. This is the maximum value. The actual point
-+in time is calculated with a random factor equally distributed
-+between 0 and this maximum value. Default is 60 (= 1 minute).
-+.SH SEE ALSO
-+.na
-+.nf
-+smtp(8) SMTP client
-+smtpd(8) SMTP server
-+.SH LICENSE
-+.na
-+.nf
-+.ad
-+.fi
-+The Secure Mailer license must be distributed with this software.
-+.SH AUTHOR(S)
-+.na
-+.nf
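Review bot: the removed tlsmgr.8 SECURITY section says `Tlsmgr is not security-sensitive`, while its DESCRIPTION and CONFIGURATION PARAMETERS sections say the daemon seeds the OpenSSL PRNG from `tls_random_source`, reads the exchange file back at startup to keep previously collected entropy, and writes the 1024-byte exchange file (`tls_random_exchange_name`, default /etc/postfix/prng_exch) that smtp and smtpd read at startup; those two statements sit uneasily together, because a writable exchange file or a predictable `tls_random_source` feeds every TLS session's randomness. If equivalent documentation replaces this page, keep the entropy-source and exchange-file guidance and drop the `not security-sensitive` wording, or qualify it with the file-permission expectation.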
-diff -urNad postfix-release/proto/Makefile.in /tmp/dpep.cXJuVH/postfix-release/proto/Makefile.in
---- postfix-release/proto/Makefile.in	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/proto/Makefile.in	2005-02-03 10:22:12.848143965 -0700
-@@ -29,6 +29,7 @@
- 	../html/SMTPD_POLICY_README.html \
- 	../html/SMTPD_PROXY_README.html \
- 	../html/STANDARD_CONFIGURATION_README.html \
-+	../html/TLS_README.html \
- 	../html/TUNING_README.html \
- 	../html/UUCP_README.html ../html/ULTRIX_README.html \
- 	../html/VERP_README.html ../html/VIRTUAL_README.html \
-@@ -59,6 +60,7 @@
- 	../README_FILES/SMTPD_ACCESS_README \
- 	../README_FILES/SMTPD_POLICY_README ../README_FILES/SMTPD_PROXY_README \
- 	../README_FILES/STANDARD_CONFIGURATION_README \
-+	../README_FILES/TLS_README \
- 	../README_FILES/TUNING_README \
- 	../README_FILES/UUCP_README ../README_FILES/ULTRIX_README \
- 	../README_FILES/VERP_README ../README_FILES/VIRTUAL_README \
-@@ -233,6 +235,9 @@
- ../html/STANDARD_CONFIGURATION_README.html: STANDARD_CONFIGURATION_README.html
- 	$(POSTLINK) $? >$@
- 
-+../html/TLS_README.html: TLS_README.html
-+	$(POSTLINK) $? >$@
-+
- ../html/TUNING_README.html: TUNING_README.html
- 	$(POSTLINK) $? >$@
- 
-@@ -356,6 +361,9 @@
- ../README_FILES/STANDARD_CONFIGURATION_README: STANDARD_CONFIGURATION_README.html
- 	$(HT2READ) $? >$@
- 
-+../README_FILES/TLS_README: TLS_README.html
-+	$(HT2READ) $? >$@
-+
- ../README_FILES/TUNING_README: TUNING_README.html
- 	$(HT2READ) $? >$@
- 
-diff -urNad postfix-release/proto/postconf.proto /tmp/dpep.cXJuVH/postfix-release/proto/postconf.proto
---- postfix-release/proto/postconf.proto	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/proto/postconf.proto	2005-02-03 10:22:12.985113413 -0700
-@@ -3814,6 +3814,20 @@
- <dd>Permit the request when the client IP address matches any
- network listed in  $mynetworks. </dd>
- 
-+<dt><b><a name="permit_tls_all_clientcerts">permit_tls_all_clientcerts</a></b></dt>
-+
-+<dd> Permit the request when the remote SMTP client certificate is
-+verified successfully.  This option must be used only if a special
-+CA issues the certificates and only this CA is listed as trusted
-+CA, otherwise all clients with a recognized certificate would be
-+allowed to relay.  </dd>
-+
-+<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
-+
-+<dd>Permit the request when the remote SMTP client certificate is
-+verified successfully, and the certificate fingerprint is listed
-+in $relay_clientcerts. </dd>
-+
- <dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
- 
- <dd>Reject the request when the reversed client network address is
-@@ -6787,3 +6801,618 @@
- remote domains.  Available before Postfix version 2.0. With Postfix 2.1
- and later, this is replaced by separate controls: virtual_alias_domains
- and virtual_alias_maps. </p>
-+
-+%PARAM smtpd_tls_cert_file
-+
-+<p> File with the Postfix SMTP server RSA certificate in PEM format.
-+This file may also contain the server private key. </p>
-+
-+<p> Both RSA and DSA certificates are supported.  When both types
-+are present, the cipher used determines which certificate will be
-+presented to the client.  For Netscape and OpenSSL clients without
-+special cipher choices the RSA certificate is preferred. </p>
-+
-+<p> In order to verify a certificate, the CA certificate (in case
-+of a certificate chain, all CA certificates) must be available.
-+You should add these certificates to the server certificate, the
-+server certificate first, then the issuing CA(s).  </p>
-+
-+<p> Example: the certificate for "server.dom.ain" was issued by
-+"intermediate CA" which itself has a certificate of "root CA".
-+Create the server.pem file with "cat server_cert.pem intermediate_CA.pem
-+root_CA.pem &gt; server.pem". </p>
-+
-+<p> If you want to accept certificates issued by these CAs yourself,
-+you can also add the CA certificates to the smtpd_tls_CAfile, in
-+which case it is not necessary to have them in the smtpd_tls_dcert_file
-+or smtpd_tls_cert_file. </p>
-+
-+<p> A certificate supplied here must be usable as SSL server
-+certificate and hence pass the "openssl verify -purpose sslserver
-+..." test. </p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+smtpd_tls_cert_file = /etc/postfix/server.pem
-+</pre>
-+
-+%PARAM smtpd_tls_key_file $smtpd_tls_cert_file
-+
-+<p> File with the Postfix SMTP server RSA private key in PEM format.
-+This file may be combined with the server certificate file specified
-+with $smtpd_tls_cert_file. </p>
-+
-+<p> The private key must not be encrypted. In other words, the key
-+must be accessible without password. </p>
-+
-+%PARAM smtpd_tls_dcert_file
-+
-+<p> File with the Postfix SMTP server DSA certificate in PEM format.
-+This file may also contain the server private key. <p>
-+
-+<p> See the discussion under smtpd_tls_cert_file for more details.
-+</p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
-+</pre>
-+
-+%PARAM smtpd_tls_dkey_file $smtpd_tls_dcert_file
-+
-+<p> File with the Postfix SMTP server DSA private key in PEM format.
-+This file may be combined with the server certificate file specified
-+with $smtpd_tls_dcert_file. </p>
-+
-+<p> The private key must not be encrypted. In other words, the key
-+must be accessible without password. </p>
-+
-+%PARAM smtpd_tls_CAfile
-+
-+<p> The file with the certificate of the certification authority
-+(CA) that issued the Postfix SMTP server certificate.  This is
-+needed only when the CA certificate is not already present in the
-+server certificate file.  This file may also contain the CA
-+certificates of other trusted CAs.  You must use this file for the
-+list of trusted CAs if you want to use chroot-mode. </p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+smtpd_tls_CAfile = /etc/postfix/CAcert.pem
-+</pre>
-+
-+%PARAM smtpd_tls_CApath
-+
-+<p> Directory with PEM format certificate authority certificates
-+that the Postfix SMTP server offers to remote SMTP clients for the
-+purpose of client certificate verification.  Do not forget to create
-+the necessary "hash" links with, for example, "$OPENSSL_HOME/bin/c_rehash
-+/etc/postfix/certs".  </p>
-+
-+<p> To use this option in chroot mode, this directory (or a copy)
-+must be inside the chroot jail. Please note that in this case the
-+CA certificates are not offered to the client, so that e.g.  Netscape
-+clients might not offer certificates issued by them.  Use of this
-+feature is therefore not recommended. </p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+smtpd_tls_CApath = /etc/postfix/certs
-+</pre>
-+
-+%PARAM smtpd_tls_loglevel 0
-+
-+<p> Enable additional Postfix SMTP server logging of TLS activity.
-+Each logging level also includes the information that is logged at
-+a lower logging level.  </p>
-+
-+<dl compact>
-+
-+<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
-+
-+<dt> </dt> <dd> 1 Log TLS handshake and certificate information. </dd>
-+
-+<dt> </dt> <dd> 2 Log levels during TLS negotiation. </dd>
-+
-+<dt> </dt> <dd> 3 Log hexadecimal and ASCII dump of TLS negotiation
-+process.  </dd>
-+
-+<dt> </dt> <dd> 4 Also log hexadecimal and ASCII dump of complete
-+transmission after STARTTLS. </dd>
-+
-+</dl>
-+
-+<p> Use "smtpd_tls_loglevel = 3" only in case of problems. Use of
-+loglevel 4 is strongly discouraged. </p>
-+
-+%PARAM smtpd_tls_received_header no
-+
-+<p> Request that the Postfix SMTP server produces Received:  message
-+headers that include information about the protocol and cipher used,
-+as well as the client CommonName and client certificate issuer
-+CommonName.  This is disabled by default, as the information may
-+be modified in transit through other mail servers.  Only information
-+that was recorded by the final destination can be trusted. </p>
-+
-+%PARAM smtpd_use_tls no
-+
-+<p> Enable TLS support in the Postfix SMTP server. </p>
-+
-+<p> Note: when invoked via "sendmail -bs", Postfix will never offer
-+STARTTLS due to insufficient privileges to access the server private
-+key. This is intended behavior. </p>
-+
-+%PARAM smtpd_enforce_tls no
-+
-+<p> Require that remote SMTP clients use TLS encryption.  According
-+to RFC 2487 this MUST NOT be applied in case of a publicly-referenced
-+SMTP server.  This option is off by default and should only rarely
-+be used. </p>
-+
-+<p> This option implies "smtpd_use_tls = yes". </p>
-+
-+<p> Note: when invoked via "sendmail -bs", Postfix will never offer
-+STARTTLS due to insufficient privileges to access the server private  
-+key. This is intended behavior. </p>
-+
-+%PARAM smtpd_tls_wrappermode no
-+
-+<p> Run the Postfix SMTP server in the non-standard "wrapper" mode,
-+instead of using the STARTTLS command. </p>
-+
-+<p> If you want to support this service, enable a special port in
-+master.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP
-+server's command line. Port 465 (smtps) was once chosen for this
-+purpose. </p>
-+
-+%PARAM smtpd_tls_ask_ccert no
-+
-+<p> Ask a remote SMTP client for a client certificate. This
-+information is needed for certificate based mail relaying with,
-+for example, the permit_tls_clientcerts feature. </p>
-+
-+<p> Some clients such as Netscape will either complain if no
-+certificate is available (for the list of CAs in /etc/postfix/certs)
-+or will offer multiple client certificates to choose from. This
-+may be annoying, so this option is "off" by default. </p>
-+
-+%PARAM smtpd_tls_req_ccert no
-+
-+<p> When TLS encryption is enforced, require a remote SMTP client
-+certificate in order to allow TLS connections to proceed.  This
-+option implies "smtpd_tls_ask_ccert = yes". </p>
-+
-+<p> When TLS encryption is optional, remote SMTP clients can bypass
-+the restriction by simply not using STARTTLS at all. For this reason
-+a TLS connection will be handled as if only "smtpd_tls_ask_ccert
-+= yes" is specified.  </p>
-+
-+%PARAM smtpd_tls_ccert_verifydepth 5
-+
-+<p> The verification depth for remote SMTP client certificates. A
-+depth of 1 is sufficient if the issuing CA is listed in a local CA
-+file.  The default value should also suffice for longer chains (the
-+root CA issues special CA which then issues the actual certificate...).
-+</p>
-+
-+%PARAM smtpd_tls_auth_only no
-+
-+<p> When TLS encryption is optional in the Postfix SMTP server, do
-+not announce or accept SASL authentication over un-encrypted
-+connections. </p>
-+
-+%PARAM smtpd_tls_session_cache_database
-+
-+<p> Name of the SDBM file (type sdbm:) containing the optional
-+Postfix SMTP server TLS session cache. SDBM is required in order
-+to support concurrent updates.  The file is created if it does not
-+exist.  </p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
-+</pre>
-+
-+%PARAM smtpd_tls_session_cache_timeout 3600s
-+
-+<p> The expiration time of Postfix SMTP server TLS session cache
-+information.  A cache cleanup is performed periodically every
-+$smtpd_tls_session_cache_timeout seconds.  </p>
-+
-+%PARAM relay_clientcerts
-+
-+<p> The list of remote SMTP client certificates for which the
-+Postfix SMTP server will allow access with the permit_tls_clientcerts
-+feature.  This feature does not use certificate names, because
-+Postfix list manipulation routines treat whitespace and some other
-+characters as special.  Instead we use certificate fingerprints as
-+they are difficult to fake but easy to use for lookup. </p>
-+
-+<p> Postfix lookup tables are in the form of (key, value) pairs.
-+Since we only need the key, the value can be chosen freely, e.g.
-+the name of the user or host:
-+D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home </p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+relay_clientcerts = hash:/etc/postfix/relay_clientcerts
-+</pre>
-+
-+%PARAM smtpd_tls_cipherlist
-+
-+<p> Controls the Postfix SMTP server TLS cipher selection scheme.
-+For details, see the OpenSSL documentation. Note: do not use ""
-+quotes around the parameter value. </p>
-+
-+%PARAM smtpd_tls_dh1024_param_file
-+
-+<p> File with DH parameters that the Postfix SMTP server should
-+use with EDH ciphers. </p>
-+
-+<p> Instead of using the exact same parameter sets as distributed
-+with other TLS packages, it is more secure to generate your own
-+set of parameters with something like the following command:  </p>
-+
-+<pre>
-+openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024
-+</pre>
-+
-+<p> Your actual source for entropy may differ. Some systems have
-+/dev/random; on other system you may consider using the "Entropy
-+Gathering Daemon EGD", available at http://www.lothar.com/tech/crypto/.
-+</p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
-+</pre>
-+
-+%PARAM smtpd_tls_dh512_param_file
-+
-+<p> File with DH parameters that the Postfix SMTP server should
-+use with EDH ciphers. </p>
-+
-+<p> See also the discussion under the smtpd_tls_dh1024_param_file
-+configuration parameter.  </p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
-+</pre>
-+
-+%PARAM smtpd_starttls_timeout 300s
-+
-+<p> The time limit for Postfix SMTP server write and read operations
-+during TLS startup and shutdown handshake procedures. </p>
-+
-+%PARAM smtp_tls_cert_file
-+
-+<p> File with the Postfix SMTP client RSA certificate in PEM format.
-+This file may also contain the client private key, and these may
-+be the same as the server certificate and key file. </p>
-+
-+<p> In order to verify certificates, the CA certificate (in case
-+of a certificate chain, all CA certificates) must be available.
-+You should add these certificates to the server certificate, the
-+server certificate first, then the issuing CA(s). </p>
-+
-+<p> Example: the certificate for "client.dom.ain" was issued by
-+"intermediate CA" which itself has a certificate of "root CA".
-+Create the client.pem file with "cat client_cert.pem intermediate_CA.pem
-+root_CA.pem &gt; client.pem". </p>
-+
-+<p> If you want to accept remote SMTP server certificates issued
-+by these CAs yourself, you can also add the CA certificates to the
-+smtp_tls_CAfile, in which case it is not necessary to have them in
-+the smtp_tls_cert_file or smtp_tls_dcert_file. </p>
-+
-+<p> A certificate supplied here must be usable as SSL client certificate and
-+hence pass the "openssl verify -purpose sslclient ..." test. </p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+smtp_tls_cert_file = /etc/postfix/client.pem
-+</pre>
-+
-+%PARAM smtp_tls_key_file $smtp_tls_cert_file
-+
-+<p> File with the Postfix SMTP client RSA private key in PEM format.
-+This file may be combined with the client certificate file specified
-+with $smtp_tls_cert_file. </p>
-+
-+<p> The private key must not be encrypted. In other words, the key
-+must be accessible without password. </p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+smtp_tls_key_file = $smtp_tls_cert_file
-+</pre>
-+
-+%PARAM smtp_tls_CAfile
-+
-+<p> The file with the certificate of the certification authority
-+(CA) that issued the Postfix SMTP client certificate.  This is
-+needed only when the CA certificate is not already present in the
-+client certificate file.  </p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+smtp_tls_CAfile = /etc/postfix/CAcert.pem
-+</pre>
-+
-+%PARAM smtp_tls_CApath
-+
-+<p> Directory with PEM format certificate authority certificates
-+that the Postfix SMTP client uses to verify a remote SMTP server
-+certificate.  Don't forget to create the necessary "hash" links
-+with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
-+</p>
-+
-+<p> To use this option in chroot mode, this directory (or a copy) 
-+must be inside the chroot jail. </p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+smtp_tls_CApath = /etc/postfix/certs
-+</pre>
-+
-+%PARAM smtp_tls_loglevel 0
-+
-+<p> Enable additional Postfix SMTP client logging of TLS activity.
-+Each logging level also includes the information that is logged at
-+a lower logging level.  </p>
-+
-+<dl compact>
-+
-+<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
-+
-+<dt> </dt> <dd> 1 Log TLS handshake and certificate information. </dd>
-+
-+<dt> </dt> <dd> 2 Log levels during TLS negotiation. </dd>
-+
-+<dt> </dt> <dd> 3 Log hexadecimal and ASCII dump of TLS negotiation
-+process.  </dd>
-+
-+<dt> </dt> <dd> 4 Log hexadecimal and ASCII dump of complete
-+transmission after STARTTLS. </dd>
-+
-+</dl>
-+
-+<p> Use "smtp_tls_loglevel = 3" only in case of problems. Use of
-+loglevel 4 is strongly discouraged. </p>
-+
-+%PARAM smtp_tls_session_cache_database
-+
-+<p> Name of the SDBM file (type sdbm:) containing the optional
-+Postfix SMTP client TLS session cache. SDBM is required in order
-+to support concurrent updates. The file is created if it does not
-+exist.  </p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache
-+</pre>
-+
-+%PARAM smtp_tls_session_cache_timeout 3600s
-+
-+<p> The expiration time of Postfix SMTP client TLS session cache
-+information.  A cache cleanup is performed periodically every
-+$smtp_tls_session_cache_timeout seconds.  </p>
-+
-+%PARAM smtp_use_tls no
-+
-+<p> Always use TLS when a remote SMTP server announces STARTTLS
-+support.  Beware: some remote SMTP servers offer STARTTLS even if
-+it is not configured.  If the TLS handshake fails, and no other
-+server is available, delivery is deferred and mail stays in the
-+queue.  If this is a concern for you, use the smtp_tls_per_site
-+feature instead.  </p>
-+
-+%PARAM smtp_enforce_tls no
-+
-+<p> Require that remote SMTP servers use TLS encryption.  This also
-+requires that the remote SMTP server hostname matches the information
-+in the remote server certificate, and that the remote SMTP server
-+certificate was issued by a CA that is trusted by the Postfix SMTP
-+client. If the certificate doesn't verify or the hostname doesn't
-+match, delivery is deferred and mail stays in the queue.  </p>
-+
-+<p> The hostname used in the check is performed against all names
-+provided as dNSNames in the SubjectAlternativeName.  If no dNSNames
-+are specified, the CommonName is checked.  The behavior may be
-+changed with the smtp_tls_enforce_peername option.  </p>
-+
-+<p> This option is useful only if you are definitely sure that you
-+will only connect to servers that support RFC 2487 _and_ that
-+provide valid server certificates.  It is relatively safe to use
-+for local clients that only send email to one mailhub with the
-+necessary STARTTLS support.  </p>
-+
-+%PARAM smtp_tls_enforce_peername yes
-+
-+<p> When TLS encryption is enforced, require that the remote SMTP
-+server hostname matches the information in the remote SMTP server
-+certificate.  As of RFC 2487 the requirements for hostname checking
-+for MTA clients are not set. </p>
-+
-+<p> This option can be set to "no" to disable strict peer name
-+checking. This setting has no effect on sessions that are controlled
-+via the smtp_tls_per_site table.  </p>
-+
-+<p> Disabling the hostname verification can make sense in closed
-+environment where special CAs are created.  If not used carefully,
-+this option opens the danger of a "man-in-the-middle" attack (the
-+CommonName of this attacker will be logged). </p>
-+
-+%PARAM smtp_tls_per_site
-+
-+<p> Optional lookup tables with the Postfix SMTP client TLS usage
-+policy by next-hop domain name and by remote SMTP server hostname.
-+</p>
-+
-+<p> Table format:  domain names or server hostnames are specified
-+on the left-hand side; no wildcards are allowed.  On the right hand
-+side specify one of the following keywords:  </p>
-+
-+<dl>
-+
-+<dt> NONE </dt> <dd>Don't use TLS at all. </dd>
-+
-+<dt> MAY </dt> <dd>Try to use STARTTLS if offered,
-+otherwise use the un-encrypted connection. </dd>
-+
-+<dt> MUST </dt> <dd>Require usage of STARTTLS, require that the
-+remote SMTP server hostname matches the information in the remote
-+SMTP server certificate, and require that the remote SMTP server
-+certificate was issued by a trusted CA. </dd>
-+
-+<dt> MUST_NOPEERMATCH </dt> <dd>Require usage of STARTTLS, but do
-+not require that the remote SMTP server hostname matches the
-+information in the remote SMTP server certificate, or that the
-+server certificate was issued by a trusted CA. </dd>
-+
-+</dl>
-+
-+<p> Special hint for enforcement mode:  since no secure DNS lookup
-+mechanism is available, the recommended setup is:  specify local
-+transport(5) table entries for sensitive domains with explicit
-+smtp:[mailhost] destinations (since you can assure security of this
-+table unlike DNS), then specify MUST for these mail hosts in the
-+smtp_tls_per_site table. </p>
-+
-+%PARAM smtp_tls_scert_verifydepth 5
-+
-+<p> The verification depth for remote SMTP server certificates. A
-+depth of 1 is sufficient, if the certificate is directly issued by
-+a CA listed in the CA files.  The default value (5) should suffice
-+for longer chains (the root CA issues special CA which then issues
-+the actual certificate...). </p>
-+
-+%PARAM smtp_tls_note_starttls_offer no
-+
-+<p> Log the hostname of a remote SMTP server that offers STARTTLS,
-+when TLS is not already enabled for that server. </p>
-+
-+<p> The logfile record looks like:  </p>
-+
-+<pre>
-+postfix/smtp[pid]:  Host offered STARTTLS: [name.of.host]
-+</pre>
-+
-+%PARAM smtp_tls_cipherlist
-+
-+<p> Controls the Postfix SMTP client TLS cipher selection scheme.
-+For details, see the OpenSSL documentation. Note: do not use ""
-+quotes around the parameter value. </p>
-+
-+%PARAM smtp_starttls_timeout 300s
-+
-+<p> Time limit for Postfix SMTP client write and read operations
-+during TLS startup and shutdown handshake procedures. </p>
-+
-+%PARAM smtp_tls_dkey_file $smtp_tls_dcert_file
-+
-+<p> File with the Postfix SMTP client DSA private key in PEM format.
-+The private key must not be encrypted. In other words, the key must
-+be accessible without password. </p>
-+
-+<p> This file may be combined with the server certificate file
-+specified with $smtp_tls_cert_file. </p>
-+
-+%PARAM smtp_tls_dcert_file
-+
-+<p> File with the Postfix SMTP client DSA certificate in PEM format.
-+This file may also contain the server private key. </p>
-+
-+<p> See the discussion under smtp_tls_cert_file for more details.
-+</p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
-+</pre>
-+
-+%PARAM tls_random_exchange_name ${config_directory}/prng_exch
-+
-+<p> Name of the pseudo random number generator (PRNG) seed file
-+that is maintained by tlsmgr(8), and that is read by the smtp(8)
-+and smtpd(8) processes upon startup. The file length is fixed at
-+1024 bytes, and is created by tlsmgr(8) when it does not exist.
-+</p>
-+
-+<p> Since this file is changed by Postfix, it should probably be
-+kept in the /var file system, instead of under $config_directory.
-+The location should not be inside the chroot jail. </p>
-+
-+%PARAM tls_random_source
-+
-+<p> The external entropy source for the in-memory tlsmgr(8) pseudo
-+random number generator (PRNG) pool. Be sure to specify a non-blocking
-+source.  If this source is not a regular file, the entropy source
-+type must be prepended:  egd:/path/to/egd_socket for a source with
-+EGD compatible socket interface, or dev:/path/to/device for a
-+device file.  </p>
-+
-+%PARAM tls_random_bytes 32
-+
-+<p> The number of bytes that tlsmgr(8) reads from $tls_random_source
-+when (re)seeding the in-memory pseudo random number generator (PRNG)
-+pool. The default of 32 bytes (256 bits) is good enough for 128bit
-+symmetric keys.  If using EGD, a maximum of 255 bytes is read. </p>
-+
-+%PARAM tls_random_reseed_period 3600s
-+
-+<p> The maximal time between attempts by tlsmgr(8) to re-seed the
-+in-memory pseudo random number generator (PRNG) pool from external
-+sources.  The actual time between re-seeding attempts is calculated
-+using the PRNG, and is between 0 and the time specified.  </p>
-+
-+%PARAM tls_random_prng_update_period 60s
-+
-+<p> The maximal time between attempts by tlsmgr(8) to rewrite the
-+pseudo random number generator (PRNG) seed file specified with
-+$tls_random_exchange_name. This file is read by smtpd(8) and smtpd(8)
-+processes in order to seed their PRNGs.  The actual time between
-+rewriting attempts is calculated using the PRNG, and is between 0
-+and the time specified.  </p>
-+
-+%PARAM tls_daemon_random_source
-+
-+<p> Optional external source of entropy that can be read by smtpd(8)
-+and smtpd(8) processes in order to initialize their PRNGs. Be sure
-+to specify a non-blocking source.  The entropy source type must be
-+prepended to the source name:  egd:/path/to/egd_socket for a source
-+with EGD compatible socket interface, or dev:/path/to/device for
-+a device file.  </p>
-+
-+<p> Examples: </p>
-+
-+<pre>
-+tls_daemon_random_source = dev:/dev/urandom
-+tls_daemon_random_source = egd:/var/run/egd-pool
-+</pre>
-+
-+%PARAM tls_daemon_random_bytes 32
-+
-+<p> The amount of data that smtpd(8) and smtpd(8) processes read
-+from the entropy source specified with $tls_daemon_random_source.
-+The default of 32 bytes (equivalent to 256 bits) is sufficient to
-+generate a 128bit (or 168bit) session key. </p>
-+
-+<p> Usage of this option may drain EGD (consider the case of 50
-+smtp(8) processes starting up with a full queue and "postfix start",
-+which will request 1600 bytes of entropy). This is however not
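Review bot: The smtp_tls_dkey_file entry points at the wrong files: it says the DSA key "may be combined with the server certificate file specified with $smtp_tls_cert_file", but this is the SMTP client parameter and its declared default is $smtp_tls_dcert_file, so the sentence should read "client certificate file specified with $smtp_tls_dcert_file" (the smtpd_tls_dkey_file text earlier in this hunk has the correct form). The same copy error is in smtp_tls_dcert_file, where "This file may also contain the server private key" should say client private key. Three of the tlsmgr(8) entries (tls_random_prng_update_period, tls_daemon_random_source, tls_daemon_random_bytes) say "smtpd(8) and smtpd(8) processes"; the first should be smtp(8), as the tls_random_exchange_name entry already has it. Finally, the smtpd_tls_dcert_file description ends its first paragraph with "<p>" instead of "</p>", which leaves an unclosed paragraph in the generated postconf(5) HTML.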
-diff -urNad postfix-release/proto/TLS_README.html /tmp/dpep.cXJuVH/postfix-release/proto/TLS_README.html
---- postfix-release/proto/TLS_README.html	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/proto/TLS_README.html	2005-02-03 10:22:12.994111406 -0700
-@@ -0,0 +1,1093 @@
-+<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
-+        "http://www.w3.org/TR/html4/loose.dtd">
-+
-+<html>
-+
-+<head>
-+
-+<title>Postfix TLS Support </title>
-+
-+<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
-+
-+</head>
-+
-+<body>
-+
-+<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix TLS Support
-+</h1>
-+
-+<hr>
-+
-+<h2> Purpose of this document </h2> 
-+
-+<p> This document describes how to configure the Transport Layer
-+Security (TLS) support in the Postfix SMTP client and Postfix SMTP server,
-+and how to configure the TLS manager daemon that maintains the
-+Pseudo Random Number Generator (PRNG) pool and the TLS session
-+cache information. </p>
-+
-+<p> Topics covered in this document: </p>
-+
-+<ul>
-+
-+<li><a href="#server_tls">SMTP Server specific settings</a>
-+
-+<li> <a href="#client_tls">SMTP Client specific settings</a>
-+
-+<li><a href="#tlsmgr_controls"> TLS manager specific settings </a>
-+
-+<li><a href="#problems"> Reporting problems </a>
-+
-+<li><a href="#credits"> Credits </a>
-+
-+</ul>
-+
-+<h2><a name="server_tls">SMTP Server specific settings</a></h2>
-+
-+<p> Topics covered in this section: </p>
-+
-+<ul>
-+
-+<li><a href="#server_cert_key">Server-side certificate and private
-+key configuration </a>
-+
-+<li><a href="#server_logging"> Server-side TLS activity logging
-+</a>
-+
-+<li><a href="#server_enable">Enabling TLS in the Postfix SMTP server </a>
-+
-+<li><a href="#server_vrfy_client">Client certificate verification</a>
-+
-+<li><a href="#server_tls_auth">Supporting AUTH over TLS only</a>
-+
-+<li><a href="#server_tls_cache">Server-side TLS session cache</a>
-+
-+<li><a href="#server_access">Server access control</a>
-+
-+<li><a href="#server_cipher">Server-side cipher controls</a>
-+
-+<li><a href="#server_misc"> Miscellaneous server controls</a>
-+
-+</ul>
-+
-+<h3><a name="server_cert_key">Server-side certificate and private
-+key configuration </a> </h3>
-+
-+<p> In order to use TLS, the Postfix SMTP server needs a certificate
-+and a private key. Both must be in "pem" format. The private key
-+must not be encrypted, meaning:  the key must be accessible without
-+password.  Both certificate and private key may be in the same
-+file.  </p>
-+
-+<p> Both RSA and DSA certificates are supported. Typically you will
-+only have RSA certificates issued by a commercial CA. In addition,
-+the tools supplied with OpenSSL will by default issue RSA certificates.
-+You can have both at the same time, in which case the cipher used
-+determines which certificate is presented. For Netscape and OpenSSL
-+clients without special cipher choices, the RSA certificate is
-+preferred. </p>
-+
-+<p> In order for remote SMTP clients to check the Postfix SMTP
-+server certificates, the CA certificate (in case of a certificate
-+chain, all CA certificates) must be available.  You should add
-+these certificates to the server certificate, the server certificate
-+first, then the issuing CA(s).  </p>
-+
-+<p> Example: the certificate for "server.dom.ain" was issued by
-+"intermediate CA" which itself has a certificate issued by "root
-+CA".  Create the server.pem file with: </p>
-+
-+<blockquote>
-+<pre>
-+cat server_cert.pem intermediate_CA.pem root_CA.pem &gt; server.pem
-+</pre>
-+</blockquote>
-+
-+<p> If you want the Postfix SMTP server to accept remote SMTP client
-+certificates issued by these CAs, you can also add the CA certificates
-+to the smtpd_tls_CAfile, in which case it is not necessary to have
-+them in the smtpd_tls_cert_file or smtpd_tls_dcert_file. </p>
-+
-+<p> A Postfix SMTP server certificate supplied here must be usable
-+as SSL server certificate and hence pass the "openssl verify -purpose
-+sslserver
-+..." test. </p>
-+
-+<p> RSA key and certificate examples: </p>
-+
-+<blockquote>
-+<pre>
-+smtpd_tls_cert_file = /etc/postfix/server.pem
-+smtpd_tls_key_file = $smtpd_tls_cert_file
-+</pre>
-+</blockquote>
-+
-+<p> Their DSA counterparts: </p>
-+
-+<blockquote>
-+<pre>
-+smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
-+smtpd_tls_dkey_file = $smtpd_tls_dcert_file
-+</pre>  
-+</blockquote>
-+
-+<p> The Postfix SMTP server certificate was issued by a certification
-+authority (CA), the CA-cert of which must be provided with the CA
-+file if it is not already provided in the certificate file.  The
-+CA file may also contain the CA certificates of other trusted CAs.
-+You must use this file for the list of trusted CAs if you want to
-+use chroot-mode. No default is supplied for this value as of now.
-+</p>
-+
-+<p> Example: </p>
-+<blockquote>
-+<pre>
-+smtpd_tls_CAfile = /etc/postfix/CAcert.pem
-+</pre>
-+</blockquote>
-+
-+<p> To verify a remote SMTP client certificate, the Postfix SMTP
-+server needs to know the certificates of the issuing certification
-+authorities. These certificates in "pem" format are collected in
-+a directory. The same CA certificates are offered to clients for
-+client verification.  Don't forget to create the necessary "hash"
-+links with $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs. A typical
-+place for the CA certificates may also be $OPENSSL_HOME/certs, so
-+there is no default and you explicitly have to set the value here!
-+</p>
-+
-+<p> To use this option in chroot mode, this directory itself or a
-+copy of it must be inside the chroot jail. Please note also, that
-+the CAs in this directory are not listed to the client, so that
-+e.g. Netscape might not offer certificates issued by them.  For
-+this reason, the use of this feature is discouraged. </p>
-+
-+<p> Example: </p>
-+
-+<blockquote>
-+<pre>
-+smtpd_tls_CApath = /etc/postfix/certs
-+</pre>
-+</blockquote>
-+
-+<h3><a name="server_logging"> Server-side TLS activity logging </a> </h3>
-+
-+<p> To get additional information about Postfix SMTP server TLS
-+activity you can increase the loglevel from 0..4. Each logging
-+level also includes the information that is logged at a lower
-+logging level. </p>
-+
-+<blockquote>
-+
-+<table>
-+
-+<tr> <td> 0 </td> <td> Disable logging of TLS activity.</td> </tr>
-+
-+<tr> <td> 1 </td> <td> Log TLS handshake and certificate information.
-+</td> </tr>
-+
-+<tr> <td> 2 </td> <td> Log levels during TLS negotiation.  </td>
-+</tr>
-+
-+<tr> <td> 3 </td> <td> Log hexadecimal and ASCII dump of TLS
-+negotiation process </td> </tr>
-+
-+<tr> <td> 4 </td> <td> Log hexadecimal and ASCII dump of complete
-+transmission after STARTTLS </td> </tr>
-+
-+</table>
-+
-+</blockquote>
-+
-+<p> Use loglevel 3 only in case of problems. Use of loglevel 4 is
-+strongly discouraged. </p>
-+
-+<p> Example: </p>
-+
-+<blockquote>
-+<pre>
-+smtpd_tls_loglevel = 0
-+</pre>
-+</blockquote>
-+
-+<p> To include information about the protocol and cipher used as
-+well as the client and issuer CommonName into the "Received:"
-+message header, set the smtpd_tls_received_header variable to true.
-+The default is no, as the information is not necessarily authentic.
-+Only information recorded at the final destination is reliable,
-+since the headers may be changed by intermediate servers. </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_tls_received_header = yes
-+</pre>
-+</blockquote>
-+
-+<h3><a name="server_enable">Enabling TLS in the Postfix SMTP server </a> </h3>
-+
-+<p> By default, TLS is disabled in the Postfix SMTP server, so no
-+difference to plain Postfix is visible.  Explicitly switch it on
-+using "smtpd_use_tls = yes". </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_use_tls = yes
-+</pre>
-+</blockquote>
-+
-+<p> Note: when an unprivileged user invokes "sendmail -bs", STARTTLS
-+is never offered due to insufficient privileges to access the server
-+private key. This is intended behavior. </p>
-+
-+<p> You can ENFORCE the use of TLS, so that the Postfix SMTP server
-+accepts no commands (except QUIT of course) without TLS encryption,
-+by setting "smtpd_enforce_tls = yes". According to RFC 2487 this
-+MUST NOT be applied in case of a publicly-referenced Postfix SMTP
-+server.  So this option is off by default and should only seldom
-+be used.  Using this option implies "smtpd_use_tls = yes". </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_enforce_tls = yes
-+</pre>
-+</blockquote>
-+
-+<p> Besides RFC 2487 some clients, namely Outlook [Express] prefer
-+to run the non-standard "wrapper" mode, not the STARTTLS enhancement
-+to SMTP.  This is true for OE (Win32 &lt; 5.0 and Win32 &gt;=5.0 when
-+run on a port&lt;&gt;25 and OE (5.01 Mac on all ports). </p>
-+
-+<p> It is strictly discouraged to use this mode from main.cf. If
-+you want to support this service, enable a special port in master.cf
-+and specify "-o smtpd_tls_wrappermode = yes" as an smtpd(8) command
-+line option.  Port 465 (smtps) was once chosen for this feature.
-+</p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_tls_wrappermode = no
-+</pre>
-+</blockquote>
-+
-+<h3><a name="server_vrfy_client">Client certificate verification</a> </h3>
-+
-+<p> To receive a remote SMTP client certificate, the Postfix SMTP
-+server must explicitly ask for one by sending the $smtpd_tls_CAfile
-+certificates to the client. Unfortunately, Netscape clients will
-+either complain if no matching client certificate is available or
-+will offer the user client a list of certificates to choose from.
-+This might be annoying, so this option is "off" by default.  You
-+will however need the certificate if you want to use certificate
-+based relaying with, for example, the permit_tls_client_certs
-+feature.  </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_tls_ask_ccert = no
-+</pre>
-+</blockquote>
-+
-+<p> You may also decide to REQUIRE a remote SMTP client certificate
-+before allowing TLS connections.  This feature is included for
-+completeness, and implies "smtpd_tls_ask_ccert = yes".  </p>
-+
-+<p> Please be aware, that this will inhibit TLS connections without
-+a proper client certificate and that it makes sense only when
-+non-TLS submission is disabled (smtpd_enforce_tls = yes). Otherwise,
-+clients could bypass the restriction by simply not using STARTTLS
-+at all. </p>
-+
-+<p> When TLS is not enforced, the connection will be handled as
-+if only "smtpd_tls_ask_ccert = yes" is specified, and a warning is
-+logged. </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_tls_req_ccert = no
-+</pre>
-+</blockquote>
-+
-+<p> A client certificate verification depth of 1 is sufficient if
-+the certificate is directly issued by a CA listed in the CA file.
-+The default value (5) should also suffice for longer chains (root
-+CA issues special CA which then issues the actual certificate...)
-+</p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_tls_ccert_verifydepth = 5
-+</pre>
-+</blockquote>
-+
-+<h3><a name="server_tls_auth">Supporting AUTH over TLS only</a></h3>
-+
-+<p> Sending AUTH data over an un-encrypted channel poses a security
-+risk. When TLS layer encryption is required (smtpd_enforce_tls =
-+yes), the Postfix SMTP server will announce and accept AUTH only
-+after the TLS layer has been activated with STARTTLS. When TLS
-+layer encryption is optional (smtpd_enforce_tls = no), it may
-+however still be useful to only offer AUTH when TLS is active. To
-+maintain compatibility with non-TLS clients, the default is to
-+accept AUTH without encryption. In order to change this behavior,
-+set "smtpd_tls_auth_only = yes". </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_tls_auth_only = no
-+</pre>
-+</blockquote>
-+
-+<h3><a name="server_tls_cache">Server-side TLS session cache</a> </h3>
-+
-+<p> The Postfix SMTP server and the remote SMTP client negotiate a
-+session, which takes some computer time and network bandwidth. By
-+default, this session information is cached only in the smtpd(8)
-+process actually using this session and is lost when the process
-+terminates.  To share the session information between multiple
-+smtpd(8) processes, a persistent session cache can be used based
-+on the SDBM databases (routines included in Postfix/TLS). Since
-+concurrent writing must be supported, only SDBM can be used. </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
-+</pre>
-+</blockquote>
-+
-+<p> Cached Postfix SMTP server session information expires after
-+a certain amount of time.  Postfix/TLS does not use the OpenSSL
-+default of 300s, but a longer time of 3600sec (=1 hour). RFC 2246
-+recommends a maximum of 24 hours.  </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_tls_session_cache_timeout = 3600s
-+</pre>
-+</blockquote>
-+
-+<h3><a name="server_access">Server access control</a> </h3>
-+
-+<p> Postfix TLS support introduces two additional features for
-+Postfix SMTP server access control:  </p>
-+
-+<blockquote>
-+
-+<dl>
-+
-+<dt> permit_tls_clientcerts </dt> <dd> <p> Allow the remote SMTP
-+client SMTP request if the client certificate passes verification,
-+and if its fingerprint is listed in the list of client certificates
-+(see relay_clientcerts discussion below). </p> </dd>
-+
-+<dt> permit_tls_all_clientcerts </dt> <dd> <p> Allow the remote
-+client SMTP request if the client certificate passes verification.
-+</p> </dd>
-+
-+</dl>
-+
-+</blockquote>
-+
-+<p> The permit_tls_all_clientcerts feature must be used with caution,
-+because it can result in too many access permissions.  Use this
-+feature only if a special CA issues the client certificates, and
-+only if this CA is listed as trusted CA. If other CAs are trusted,
-+any owner of a valid client certificate would be authorized.
-+The permit_tls_all_clientcerts feature can be practical for a
-+specially created email relay server.  </p>
-+
-+<p> It is however recommended to stay with the permit_tls_clientcerts
-+feature and list all certificates via $relay_clientcerts, as
-+permit_tls_all_clientcerts does not permit any control when a
-+certificate must no longer be used (e.g. an employee leaving). </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_recipient_restrictions = 
-+    ... 
-+    permit_tls_clientcerts 
-+    reject_unauth_destination
-+    ...
-+</pre>
-+</blockquote>
-+
-+<p> The Postfix list manipulation routines give special treatment
-+to whitespace and some other characters, making the use of certificate
-+names unpractical.  Instead we use the certificate fingerprints as
-+they are difficult to fake but easy to use for lookup.  Postfix
-+lookup tables are in the form of (key, value) pairs.  Since we only
-+need the key, the value can be chosen freely, e.g.  the name of
-+the user or host:</p>
-+
-+<blockquote>
-+<pre>
-+D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home
-+</pre>
-+</blockquote>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+relay_clientcerts = hash:/etc/postfix/relay_clientcerts
-+</pre>
-+</blockquote>
-+
-+<h3><a name="server_cipher">Server-side cipher controls</a> </h3>
-+
-+<p> To influence the Postfix SMTP server cipher selection scheme,
-+you can give cipherlist string.  A detailed description would go
-+to far here, please refer to the openssl documentation.  If you
-+don't know what to do with it, simply don't touch it and leave the
-+(openssl-)compiled in default! </p>
-+
-+<p> DO NOT USE " to enclose the string, specify just the string!!! </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_tls_cipherlist = DEFAULT
-+</pre>
-+</blockquote>
-+
-+<p> If you want to take advantage of ciphers with EDH, DH parameters
-+are needed.  Instead of using the built-in DH parameters for both
-+1024bit and 512bit, it is better to generate "own" parameters,
-+since otherwise it would "pay" for a possible attacker to start a
-+brute force attack against parameters that are used by everybody.
-+For this reason, the parameters chosen are already different from
-+those distributed with other TLS packages. </p>
-+
-+<p> To generate your own set of DH parameters, use: </p>
-+
-+<blockquote>
-+<pre>
-+openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024
-+openssl gendh -out /etc/postfix/dh_512.pem -2 -rand /var/run/egd-pool 512
-+</pre>
-+</blockquote>
-+
-+<p> Your source for "entropy" might vary; some systems have
-+/dev/random; on other systems you might consider the "Entropy
-+Gathering Daemon EGD", available at http://www.lothar.com/tech/crypto/.
-+</p>
-+
-+<p> Examples: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
-+smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
-+</pre>
-+</blockquote>
-+
-+<h3><a name="server_misc"> Miscellaneous server controls</a> </h3>
-+
-+<p> The smtpd_starttls_timeout parameter limits the time of Postfix
-+SMTP server write and read operations during TLS startup and shutdown
-+handshake procedures.  </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_starttls_timeout = 300s
-+</pre>
-+</blockquote>
-+
-+<h2> <a name="client_tls">SMTP Client specific settings</a> </h2>
-+
-+<p> Topics covered in this section: </p>
-+
-+<ul>
-+
-+<li><a href="#client_cert_key">Client-side certificate and private
-+key configuration </a>
-+
-+<li><a href="#client_logging"> Client-side TLS activity logging
-+</a>
-+
-+<li><a href="#client_tls_cache">Client-side TLS session cache</a>
-+
-+<li><a href="#client_tls"> Enabling TLS in the Postfix SMTP client </a>
-+
-+<li><a href="#client_vrfy_server">Server certificate verification</a>
-+
-+<li> <a href="#client_cipher">Client-side cipher controls </a>
-+
-+<li> <a href="#client_misc"> Miscellaneous client controls </a>
-+
-+</ul>
-+
-+<h3><a name="client_cert_key">Client-side certificate and private
-+key configuration </a> </h3>
-+
-+During TLS startup negotiation the Postfix SMTP client may present
-+a certificate to the remote SMTP server.  The Netscape client is
-+rather clever here and lets the user select between only those
-+certificates that match CA certificates offered by the remote SMTP
-+server. As the Postfix SMTP client uses the "SSL_connect()" function
-+from the OpenSSL package, this is not possible and we have to choose
-+just one certificate.  So for now the default is to use _no_
-+certificate and key unless one is explicitly specified here. </p>
-+
-+<p> Both RSA and DSA certificates are supported.  You can have both
-+at the same time, in which case the cipher used determines which
-+certificate is presented.  </p>
-+
-+<p> It is possible for the Postfix SMTP client to use the same
-+key/certificate pair as the Postfix SMTP server.  If a certificate
-+is to be presented, it must be in "pem" format. The private key
-+must not be encrypted, meaning: it must be accessible without
-+password. Both parts (certificate and private key) may be in the
-+same file. </p>
-+
-+<p> In order for remote SMTP servers to verify the Postfix SMTP
-+client certificates, the CA certificate (in case of a certificate
-+chain, all CA certificates) must be available.  You should add
-+these certificates to the client certificate, the client certificate
-+first, then the issuing CA(s). </p>
-+
-+<p> Example: the certificate for "client.dom.ain" was issued by
-+"intermediate CA" which itself has a certificate of "root CA".
-+Create the client.pem file with: </p>
-+
-+<blockquote>
-+<pre>
-+cat client_cert.pem intermediate_CA.pem root_CA.pem &gt; client.pem
-+</pre>
-+</blockquote>
-+
-+<p> If you want the Postfix SMTP client to accept certificates
-+issued by these CAs, you can also add the CA certificates to the
-+smtp_tls_CAfile, in which case it is not necessary to have them in
-+the smtp_tls_cert_file or smtp_tls_dcert_file.  </p>
-+
-+<p> A Postfix SMTP client certificate supplied here must be usable
-+as SSL client certificate and hence pass the "openssl verify -purpose
-+sslclient
-+..." test. </p>
-+
-+<p> RSA key and certificate examples: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_tls_cert_file = /etc/postfix/client.pem
-+smtp_tls_key_file = $smtp_tls_cert_file
-+</pre>
-+</blockquote>
-+
-+<p> Their DSA counterparts: </p>
-+
-+<blockquote>
-+<pre>
-+smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
-+smtp_tls_dkey_file = $smtpd_tls_cert_file
-+</pre>  
-+</blockquote>
-+
-+<p> The Postfix SMTP client certificate was issued by a certification
-+authority (CA), the CA-cert of which must be provided with the CA
-+file if it is not already provided in the certificate file.  The
-+CA file may also contain the CA certificates of other trusted CAs.
-+You must use this file for the list of trusted CAs if you want to
-+use chroot-mode. No default is supplied for this value as of now.
-+</p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_tls_CAfile = /etc/postfix/CAcert.pem
-+</pre>
-+</blockquote>
-+
-+<p> To verify a remote SMTP server certificate, the Postfix SMTP
-+client needs to know the certificates of the issuing certification
-+authorities. These certificates in "pem" format are collected in
-+a directory. Don't forget to create the necessary "hash" links with
-+$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs. A typical place for
-+the CA certificates may also be $OPENSSL_HOME/certs, so there is
-+no default and you explicitly have to set the value here! </p>
-+
-+<p> To use this option in chroot mode, this directory itself or a
-+copy of it must be inside the chroot jail. </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_tls_CApath = /etc/postfix/certs
-+</pre>
-+</blockquote>
-+
-+<h3><a name="client_logging"> Client-side TLS activity logging </a> </h3>
-+
-+<p> To get additional information about Postfix SMTP client TLS
-+activity you can increase the loglevel from 0..4. Each logging
-+level also includes the information that is logged at a lower
-+logging level. </p>
-+
-+<blockquote>
-+
-+<table>
-+
-+<tr> <td> 0 </td> <td> Disable logging of TLS activity.</td> </tr>
-+
-+<tr> <td> 1 </td> <td> Log TLS handshake and certificate information.
-+</td> </tr>
-+
-+<tr> <td> 2 </td> <td> Log levels during TLS negotiation.  </td>
-+</tr>
-+
-+<tr> <td> 3 </td> <td> Log hexadecimal and ASCII dump of TLS
-+negotiation process </td> </tr>
-+
-+<tr> <td> 4 </td> <td> Log hexadecimal and ASCII dump of complete
-+transmission after STARTTLS </td> </tr>
-+
-+</table>
-+
-+</blockquote>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_tls_loglevel = 0
-+</pre>
-+</blockquote>
-+
-+<h3><a name="client_tls_cache">Client-side TLS session cache</a> </h3>
-+
-+<p> The remote SMTP server and the Postfix SMTP client negotiate a
-+session, which takes some computer time and network bandwidth.  By
-+default, this session information is cached only in the smtp(8)
-+process actually using this session and is lost when the process
-+terminates.  To share the session information between multiple
-+smtp(8) processes, a persistent session cache can be used based on
-+the SDBM databases (routines included in Postfix/TLS). Since
-+concurrent writing must be supported, only SDBM can be used. </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache
-+</pre>
-+</blockquote>
-+
-+<p> Cached Postfix SMTP client session information expires after
-+a certain amount of time.  Postfix/TLS does not use the OpenSSL
-+default of 300s, but a longer time of 3600s (=1 hour). RFC 2246
-+recommends a maximum of 24 hours.  </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_tls_session_cache_timeout = 3600s
-+</pre>
-+</blockquote>
-+
-+<h3><a name="client_tls"> Enabling TLS in the Postfix SMTP client </a>
-+</h3>
-+
-+<p> By default, TLS is disabled in the Postfix SMTP client, so no
-+difference to plain Postfix is visible.  If you enable TLS, the
-+Postfix SMTP client will send STARTTLS when TLS support is announced
-+by the remote SMTP server. </p>
-+
-+<p> WARNING: MS Exchange servers will announce STARTTLS support
-+even when the service is not configured, so that the TLS handshake
-+will fail.  It may be wise to not use this option on your central
-+mail hub, as you don't know in advance whether you are going to
-+connect to such a host. Instead, use the smtp_tls_per_site
-+recipient/site specific options that are described below. </p>
-+
-+<p> When the TLS handshake fails and no other server is available,
-+the Postfix SMTP client defers the delivery attempt, and the mail
-+stays in the queue.  </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_use_tls = yes
-+</pre>
-+</blockquote>
-+
-+<p> You can ENFORCE the use of TLS, so that the Postfix SMTP client
-+will not deliver mail over un-encrypted connections.  In this mode,
-+the remote SMTP server hostname must match the information in the
-+remote server certificate, and the server certificate must be issued
-+by a CA that is trusted by the Postfix SMTP client.  If the remote
-+server certificate doesn't verify or the remote SMTP server hostname
-+doesn't match, and no other server is available, the delivery
-+attempt is deferred and the mail stays in the queue.  </p>
-+
-+<p> The remote SMTP server hostname used in the check is beyond
-+question, as it must be the principal hostname (no CNAME allowed
-+here). Checks are performed against all names provided as dNSNames
-+in the SubjectAlternativeName. If no dNSNames are specified, the
-+CommonName is checked.  The behavior may be changed with the
-+smtp_tls_enforce_peername option which is discussed below. </p>
-+
-+<p> This option is useful only if you know that you will only
-+connect to servers that support RFC 2487 _and_ that present server
-+certificates that meet the above requirements.  An example would
-+be a client only sends email to one specific mailhub that offers
-+the necessary STARTTLS support.  </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_enforce_tls = no
-+</pre>
-+</blockquote>
-+
-+<p> As of RFC 2487 the requirements for hostname checking for MTA
-+clients are not set. When TLS is required (smtp_enforce_tls = yes),
-+the option smtp_tls_enforce_peername can be set to "no" to disable
-+strict remote SMTP server hostname checking. In this case, the mail
-+delivery will proceed regardless of the CommonName etc. listed in
-+the certificate. </p>
-+
-+<p> Note: the smtp_tls_enforce_peername setting has no effect on
-+sessions that are controlled via the smtp_tls_per_site table.  </p>
-+
-+<p>  Disabling the remote SMTP server hostname verification can
-+make sense in closed environment where special CAs are created.
-+If not used carefully, this option opens the danger of a
-+"man-in-the-middle" attack (the CommonName of this possible attacker
-+is logged). </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_tls_enforce_peername = yes
-+</pre>
-+</blockquote>
-+
-+<p> Generally, trying TLS can be a bad idea, as some servers offer
-+STARTTLS but the negotiation will fail leading to unexplainable
-+failures. Instead, it may be a good idea to choose the TLS usage
-+policy based on the recipient or the mailhub to which you are
-+connecting. </p>
-+
-+<p> Deciding the TLS usage policy per recipient may be difficult,
-+since a single email delivery attempt can involve several recipients.
-+Instead, use of TLS is controlled by the Postfix next-hop destination
-+domain name and by the remote SMTP server hostname.  If either of these
-+matches an entry in the smtp_tls_per_site table, appropriate action
-+is taken.  </p>
-+
-+<p> The remote SMTP server hostname is simply the DNS name of the
-+server that the Postfix SMTP client connects to.  The next-hop
-+destination is Postfix specific.  By default, this is the domain
-+name in the recipient address, but this information can be overruled
-+by the transport(5) table or by the relayhost parameter setting.
-+In these cases the relayhost etc. must be listed in the smtp_tls_per_site
-+table, instead of the recipient domain name. </p>
-+
-+<p> Format of the table: domain or host names are specified on the
-+left-hand side; no wildcards are allowed.  On the right hand side
-+specify one of the following keywords:  </p>
-+
-+<blockquote>
-+
-+<dl>
-+
-+<dt> NONE </dt> <dd> Don't use TLS at all. </dd>
-+
-+<dt> MAY </dt> <dd> Try to use STARTTLS if offered,
-+otherwise use the un-encrypted connection. </dd>
-+
-+<dt> MUST </dt> <dd> Require usage of STARTTLS, require that the
-+remote SMTP server hostname matches the information in the remote
-+SMTP server certificate, and require that the remote SMTP server
-+certificate was issued by a trusted CA. </dd>
-+
-+<dt> MUST_NOPEERMATCH </dt> <dd> Require usage of STARTTLS, but do
-+not require that the remote SMTP server hostname matches the
-+information in the remote SMTP server certificate, or that the
-+server certificate was issued by a trusted CA. </dd>
-+
-+</dl>
-+
-+</blockquote>
-+
-+<p> The actual TLS usage policy depends not only on whether the
-+next-hop destination or remote SMTP server hostname are found in
-+the smtp_tls_per_site table, but also on the smtp_enforce_tls
-+setting:  </p>
-+
-+<ul>
-+
-+<li> <p> If no match was found, the policy is applied as specified
-+with smtp_enforce_tls. </p>
-+
-+<li> <p> If a match was found, and the smtp_enforce_tls policy is
-+"enforce", NONE explicitly switches it off; otherwise the "enforce"
-+mode is used even for entries that specify MAY. </p>
-+
-+</ul>
-+
-+<p> Special hint for TLS enforcement mode:  since no secure DNS
-+lookup mechanism is available, mail can be delivered to the wrong
-+remote SMTP server. This is not prevented by specifying MUST for
-+the next-hop domain name.  The recommended setup is:  specify local
-+transport(5) table entries for sensitive domains with explicit
-+smtp:[mailhost] destinations (since you can assure security of this
-+table unlike DNS), then specify MUST for these mail hosts in the
-+smtp_tls_per_site table. </p>
-+
-+<!-- XXX What it we were to require that each MX host lists the
-+domain it is responsible for in its server certificate, and that
-+Postfix/TLS includes the next-hop domain name in the peer name
-+verification process? -->
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_tls_per_site = hash:/etc/postfix/tls_per_site
-+</pre>
-+</blockquote>
-+
-+<p> As we decide on a "per site" basis whether or not to use TLS,
-+it would be good to have a list of sites that offered "STARTTLS".
-+We can collect it ourselves with this option. </p>
-+
-+<p> If the smtp_tls_note_starttls_offer feature is enabled and a
-+server offers STARTTLS while TLS is not already enabled for that
-+server, the Postfix SMTP client logs a line as follows: </p>
-+
-+<blockquote>
-+<pre>
-+postfix/smtp[pid]: Host offered STARTTLS: [hostname.example.com]
-+</pre>
-+</blockquote>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_tls_note_starttls_offer = yes
-+</pre>
-+</blockquote>
-+
-+<h3><a name="client_vrfy_server">Server certificate verification</a> </h3>
-+
-+<p> When verifying a remote SMTP server certificate, a verification
-+depth of 1 is sufficient if the certificate is directly issued by
-+a CA specified with smtp_tls_CAfile or smtp_tls_CApath.  The default
-+value of 5 should also suffice for longer chains (root CA issues
-+special CA which then issues the actual certificate...) </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_tls_scert_verifydepth = 5
-+</pre>
-+</blockquote>
-+
-+<h3> <a name="client_cipher">Client-side cipher controls </a> </h3>
-+
-+<p> To influence the Postfix SMTP client cipher selection scheme,
-+you can give cipherlist string.  A detailed description would go
-+to far here, please refer to the openssl documentation.  If you
-+don't know what to do with it, simply don't touch it and leave the
-+(openssl-)compiled in default! </p>
-+
-+<p> DO NOT USE " to enclose the string, specify just the string!!! </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_tls_cipherlist = DEFAULT
-+</pre>
-+</blockquote>
-+
-+<h3> <a name="client_misc"> Miscellaneous client controls </a> </h3>
-+
-+<p> The smtp_starttls_timeout parameter limits the time of Postfix
-+SMTP client write and read operations during TLS startup and shutdown
-+handshake procedures.  In case of problems the Postfix SMTP client
-+tries the next network address on the mail exchanger list, and
-+defers delivery if no alternative server is available. </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_starttls_timeout = 300s
-+</pre>
-+</blockquote>
-+
-+<h2><a name="tlsmgr_controls"> TLS manager specific settings </a> </h2>
-+
-+<p> The security of cryptographic software such as TLS depends
-+critically on the ability to generate unpredictable numbers for
-+keys and other information. To this end, the tlsmgr(8) process
-+maintains a Pseudo Random Number Generator (PRNG) pool.  This is
-+a fixed-size 1024-byte exchange file that is read by the smtp(8)
-+and smtpd(8) processes when they initialize.  These processes also
-+add some more entropy to the file by stirring in their own time
-+and process id information.  </p>
-+
-+<p> The tlsmgr(8) process creates the file if it does not already
-+exist, and rewrites the file at random time intervals with information
-+from its in-memory PRNG pool.  The default location is under the
-+Postfix configuration directory, which is not the proper place for
-+information that is modified by Postfix.  Instead, the file location
-+should probably be on the /var partition (but _not_ inside the
-+chroot jail).  </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+tls_random_exchange_name = /etc/postfix/prng_exch
-+</pre>
-+</blockquote>
-+
-+<p> In order to feed its in-memory PRNG pool, the tlsmgr(8) reads
-+entropy from an external source, both at startup and during run-time.
-+Specify a good entropy source, like EGD or /dev/urandom; be sure
-+to only use non-blocking sources.  If the entropy source is not a
-+regular file, you must prepend the source type to the source name:
-+"dev:" for a device special file, or "egd:" for a source with EGD
-+compatible socket interface.  </p>
-+
-+<p> Examples (specify only one in main.cf): </p>
-+ 
-+<blockquote>
-+<pre>
-+tls_random_source = dev:/dev/urandom
-+tls_random_source = egd:/var/run/egd-pool
-+</pre>
-+</blockquote>
-+
-+<p> By default, tlsmgr(8) reads 32 bytes from the external entropy
-+source at each seeding event.  This amount (256bits) is more than
-+sufficient for generating a 128bit symmetric key.  With EGD and
-+device entropy sources, the tlsmgr(8) limits the amount of data
-+read at each step to 255 bytes. If you specify a regular file as
-+entropy source, a larger amount of data can be read.  </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+tls_random_bytes = 32
-+</pre>
-+</blockquote>
-+
-+<p> In order to update its in-memory PRNG pool, the tlsmgr(8)
-+queries the external entropy source again after a random amount of
-+time. The time is calculated using the PRNG, and is between 0 and
-+the maximal time specified with tls_random_reseed_period.  The
-+default maximal time interval is 1 hour. </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+tls_random_reseed_period = 3600s
-+</pre>
-+</blockquote>
-+
-+<p> The tlsmgr(8) re-generates the 1024 byte seed exchange file
-+after a random amount of time.  The time is calculated using the
-+PRNG, and is between 0 and the maximal time specified with
-+tls_random_update_period.  The default maximal time interval is 60
-+seconds. </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+tls_random_prng_update_period = 60s
-+</pre>
-+</blockquote>
-+
-+<p> If you have an entropy source available that is not easily
-+drained (like /dev/urandom), the smtp(8) and smtpd(8) daemons can
-+load additional entropy on startup.  By default, an amount of 32
-+bytes is read, the equivalent to 256 bits. This is more than
-+sufficient to generate a 128bit (or 168bit) session key. However,
-+when Postfix needs to generate more than one key it can drain the
-+EGD. Consider the case of 50 smtp(8) processes starting up with a
-+full queue; this will request 1600bytes of entropy. This is however
-+not fatal, as long as "entropy" data can still be read from the
-+seed file that is maintained by tlsmgr(8). </p>
-+
-+<p> Examples: </p>
-+ 
-+<blockquote>
-+<pre>
-+tls_daemon_random_source = dev:/dev/urandom
-+tls_daemon_random_source = egd:/var/run/egd-pool
-+tls_daemon_random_bytes = 32
-+</pre>
-+</blockquote>
-+
-+<h2> <a name="problems"> Reporting problems </a> </h2>
-+
-+<p> When reporting a problem, please be thorough in the report.
-+Patches, when possible, are greatly appreciated too. </p>
-+
-+<p> Please differentiate when possible between: </p>
-+
-+<ul>
-+
-+<li> Problems in the IPv6 code: <postfix-ipv6 at stack.nl>
-+
-+<li> Problems in the TLS code: <postfix_tls at aet.tu-cottbus.de>
-+
-+<li> Problems in vanilla Postfix: <postfix-users at postfix.org>
-+
-+</ul>
-+
-+<h2><a name="credits">Credits </a> </h2>
-+
-+<ul>
-+
-+<li> TLS support for Postfix was originally developed by  Lutz
-+J&auml;nicke at Cottbus Technical University.
-+
-+<li> This part of the documentation was compiled by Wietse Venema
-+</p>
-+
-+</ul>
-+
-+</body>
-+
-+</html>
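Review bot: the DSA client example in the removed TLS_README.html sets `smtp_tls_dkey_file = $smtpd_tls_cert_file`, which points the client's DSA key at the server-side certificate parameter; the RSA example two lines above uses `$smtp_tls_cert_file`, so the DSA counterpart should read `$smtp_tls_dcert_file`. Two further inconsistencies in the same file are worth carrying over as fixes to whatever documentation replaces this dpatch: the tlsmgr(8) paragraph names `tls_random_update_period` in prose but `tls_random_prng_update_period` in its example block, and the "Client-side certificate and private key configuration" section opens "During TLS startup negotiation" with no `<p>` tag while the Credits list closes with a stray `</p>`. On the security side, the DH guidance that has the operator generate 512-bit parameters (`openssl gendh ... 512`) and the passage describing `smtp_tls_enforce_peername = no` both document weakenings of the TLS protection; the text already notes the man-in-the-middle exposure for the latter, and a successor README should label the 512-bit parameter set the same way rather than present it as a hardening step.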
-diff -urNad postfix-release/README_FILES/IPV6_README /tmp/dpep.cXJuVH/postfix-release/README_FILES/IPV6_README
---- postfix-release/README_FILES/IPV6_README	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/README_FILES/IPV6_README	2005-02-03 10:22:13.048099363 -0700
-@@ -0,0 +1,158 @@
-+Postfix IPv6 / IPv6+TLS patch
-+Maintained by Dean C. Strik <dean at ipnet6.org>
-+
-+These patches add IPv6 support to Postfix. A combo TLS+IPv6 patch is
-+available as a replacement for Lutz Jaenicke's TLS patch.
-+
-+More information about these IPv6 patches can be found on Dean Strik's
-+postfix website at
-+	http://www.ipnet6.org/postfix/
-+
-+CONTENTS
-+---------
-+ - Supported platforms
-+ - Downloads
-+ - Installation
-+ - Configuration
-+ - Mailing list
-+ - Known issues
-+ - Reporting bugs
-+
-+SUPPORTED PLATFORMS
-+--------------------
-+
-+Currently, the following platforms are supported:
-+	- FreeBSD 4.x/5.x
-+	- OpenBSD 2.x/3.x
-+	- NetBSD 1.5+
-+	- Solaris 8/9
-+	- Linux 2.x
-+	- Darwin 7.3+
-+	- Tru64Unix V5.1+
-+Postfix may work on other versions of these operating systems or
-+other operating systems entirely. If you find a problem on one
-+of the above platforms, please contact me at <dean at ipnet6.org>.
-+
-+DOWNLOADS
-+----------
-+
-+The official download site is
-+
-+	http://www.ipnet6.org/postfix/
-+
-+Patches are offered as HTTP and FTP downloads here. To directly
-+access the files on the FTP server, use the following address:
-+
-+	ftp://ftp.stack.nl/pub/postfix/tls+ipv6/
-+
-+The patches are in gzipped context diff format.
-+
-+INSTALLATION
-+-------------
-+
-+The patch is distributed as a gzipped context diff. This used to
-+be unified diff (more readable), but it was changed because to
-+avoid unidiff limitations.
-+
-+We assume postfix is already extracted, to the directory
-+	postfix-2.1.1
-+
-+1. Decompress the patch:
-+	e.g.	$ gunzip tls+ipv6-1.24-pf-2.1.1.patch.gz
-+2. Change directory to the postfix source directory
-+	e.g.	$ cd postfix-2.1.1
-+3. Apply the patch
-+	e.g.	$ patch -s -p 1 < ../tls+ipv6-1.24-pf-2.1.1.patch
-+4. Build postfix. The IPv6 patch does not require additional environment
-+   variables or arguments to 'make'.
-+
-+CONFIGURATION
-+--------------
-+
-+In theory, no post-installation configuration of postfix is
-+required, although you may want to extend the value of the
-+'mynetworks' parameter to include the IPv6 networks the system is
-+in.
-+
-+Also you can restrict Postfix to use IPv6-only or IPv4-only by
-+changing the 'inet_interfaces' parameter.
-+
-+The main.cf parameters regarding IPv6 are documented in the file
-+'sample-ipv6.cf' in the samples/ directory.
-+
-+MAILING LISTS
-+--------------
-+
-+I've created two mailing lists about using IPv6 with Postfix.
-+There's a general list (postfix-ipv6) that can be used for discussion.
-+Also, there's an announcement-only list (postfix-ipv6-announce)
-+for people who only want to get the announcements.
-+All announcements are cross-posted to postfix-ipv6 though.
-+
-+List name:	postfix-ipv6
-+List type:	Discussion / general (incl. announcements)
-+List info:	http://lists.stack.nl/mailman/listinfo/postfix-ipv6
-+List archive:	http://lists.stack.nl/pipermail/postfix-ipv6
-+List admin:	Dean Strik <dean at ipnet6.org>
-+
-+List name:	postfix-ipv6-announce
-+List type:	Announcements only, moderated
-+List info:	http://lists.stack.nl/mailman/listinfo/postfix-ipv6-announce
-+List archive:	http://lists.stack.nl/pipermail/postfix-ipv6-announce
-+List admin:	Dean Strik <dean at ipnet6.org>
-+
-+KNOWN ISSUES
-+-------------
-+
-+The patch comes with an IPv6-ChangeLog file. Please always validate
-+whether you have the latest version. You can always download the
-+latest ChangeLog at
-+
-+	ftp://ftp.stack.nl/pub/postfix/tls+ipv6/ChangeLog
-+
-+The following 'issues' and todo items are known (none critical):
-+
-+ - It is not currently supported to use Postfix network daemons
-+   (such as smtp and smtpd) chrooted on Linux systems without
-+   mounting the proc filesystem under /var/spool/postfix/proc
-+   This is because the proc filesystem is required on Linux to
-+   obtain the system's IPv6 address information.
-+
-+ - The 'smtp_host_lookup' parameter is not effective with IPv6.
-+   This is because a different lookup mechanism is used that
-+   cannot easily disable the 'local' (i.e., non-DNS) lookups.
-+   Whether local files or the DNS are used first, is determined
-+   by your operating system, e.g. in /etc/nsswitch.conf or
-+   /etc/host.conf.
-+
-+ - The order of IPv6/IPv4 outgoing connection attempts is not
-+   yet configurable. This will be configurable in a later,
-+   soon to be released version. Currently, IPv6 is tried before
-+   IPv4.
-+
-+ - No IPv6 open relay checks. Since there is no IPv6 RBL service
-+   around at the moment (I'm considering setting one up but it's
-+   not a very hot issue), no lookups for IPv6 clients are ever done.
-+   Let's not have a lot of worthless DNS traffic. Of course, when
-+   this gets implemented, IPv6 client lookups will only be made
-+   to DNSBLs that support these.
-+
-+ - Tru64Unix: Using 'mynetworks_style = subnet' (which I do not
-+   recommend in any case...) causes Postfix to assume a /64 for
-+   all IPv6-connected IPv6 subnets. I have yet to find a good way
-+   for obtaining the prefixlength. Suggestions are welcome!
-+
-+REPORTING BUGS
-+---------------
-+
-+Of course there may be bugs in the patch. Please report bugs in the
-+patch to <dean at ipnet6.org>. Please be thorough in the report.
-+Patches, when possible, are greatly appreciated too!
-+
-+Please differentiate when possible between
-+ - Problems in vanilla Postfix:	<mailto:postfix-users at postfix.org>
-+ - Problems in Lutz' TLS patch:	<mailto:postfix_tls at aet.tu-cottbus.de>
-+ - Problems in the IPv6 code:	<mailto:postfix-ipv6 at stack.nl>
-+
-+-- 
-+Dean Strik <dean at ipnet6.org>
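Review bot: the "No IPv6 open relay checks" item should state the operational consequence plainly: with this code, DNSBL lookups are never performed for IPv6 clients, so any relay or spam control that depends on DNSBL results silently does not apply to connections arriving over IPv6, and an operator has to compensate with other restrictions for those clients. Framing it only as avoiding "worthless DNS traffic" understates that. The first item has a similar gap: mounting the proc filesystem under /var/spool/postfix/proc so that chrooted smtp/smtpd can read IPv6 address information exposes kernel and process information inside the jail, which is a trade-off the README should name rather than present as a plain requirement.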
-diff -urNad postfix-release/README_FILES/SASL_README /tmp/dpep.cXJuVH/postfix-release/README_FILES/SASL_README
---- postfix-release/README_FILES/SASL_README	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/README_FILES/SASL_README	2005-02-03 10:22:13.048099363 -0700
-@@ -12,6 +12,9 @@
- 
- HHooww PPoossttffiixx uusseess SSAASSLL aauutthheennttiiccaattiioonn iinnffoorrmmaattiioonn
- 
-+Note: To use SASL support on Debian GNU/Linux, you must install the
-+postfix-tls package.
-+
- Postfix SASL support (RFC 2554) can be used to authenticate remote SMTP clients
- to the Postfix SMTP server, and to authenticate the Postfix SMTP client to a
- remote SMTP server.
-@@ -123,21 +126,21 @@
-         smtpd_recipient_restrictions =
-             permit_mynetworks permit_sasl_authenticated ...
- 
--In /usr/local/lib/sasl/smtpd.conf (SASL version 1.5.5) or /usr/local/lib/sasl2/
--smtpd.conf (SASL version 2.1.1) you need to specify how the server should
--validate client passwords.
--
--In order to authenticate against the UNIX password database, try:
--
--(SASL version 1.5.5)
-+In /etc/postfix/sasl/smtpd.conf you need to specify how the server
-+should validate client passwords. 
- 
--    /usr/local/lib/sasl/smtpd.conf:
--        pwcheck_method: pwcheck
-+IMPORTANT: If you configure SASL to use PAM (pluggable authentication
-+modules) authentication, the Postfix SMTP server will abort because
-+the SASL password file does not exist (default:  /etc/sasldb in
-+version 1.5.5, or /etc/sasldb2 in version 2.1.1). To fix, disable
-+CRAM-MD5 authentication by specifying 'mech_list: PLAIN LOGIN ANONYMOUS'
-+in /etc/postfix/sasl/smtpd.conf, or by deleting /usr/lib/sasl/libcrammd5.so
-+(for version 1.5.5).
- 
--(SASL version 2.1.1)
-+In order to authenticate against the UNIX password database, try:
- 
--    /usr/local/lib/sasl2/smtpd.conf:
--        pwcheck_method: pwcheck
-+    /etc/postfix/sasl/smtpd.conf:
-+	pwcheck_method: pwcheck
- 
- The name of the file in /usr/local/lib/sasl (SASL version 1.5.5) or /usr/local/
- lib/sasl2 (SASL version 2.1.1) used by the SASL library for configuration can
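Review bot: the PAM workaround text added here, 'mech_list: PLAIN LOGIN ANONYMOUS', should not list ANONYMOUS on a server whose restrictions grant relay to SASL-authenticated clients (permit_sasl_authenticated, visible in the context at the top of this hunk); suggest 'mech_list: PLAIN LOGIN'. PLAIN and LOGIN also transmit the password in the clear, so the workaround should point to accepting AUTH only after STARTTLS (smtpd_tls_auth_only, documented in this patch's TLS_README) rather than leaving cleartext AUTH as the implied default. Separately, the example path is changed to /etc/postfix/sasl/smtpd.conf, but the trailing context ("The name of the file in /usr/local/lib/sasl ... or /usr/local/lib/sasl2 ...") still documents the upstream locations, so the paragraph now contradicts the example it follows; update it to the Debian path. Minor: the replacement line `	pwcheck_method: pwcheck` is indented with a tab while the surrounding examples use spaces.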
-@@ -151,16 +154,9 @@
- IMPORTANT: postfix processes need to have group read+execute permission for the
- /var/pwcheck directory, otherwise authentication attempts will fail.
- 
--Alternately, in SASL 1.5.26 and later (including 2.1.1), try:
--
--(SASL version 1.5.26)
--
--    /usr/local/lib/sasl/smtpd.conf:
--        pwcheck_method: saslauthd
--
--(SASL version 2.1.1)
-+Alternately, in SASL 2.1.1 and later, try:
- 
--    /usr/local/lib/sasl2/smtpd.conf:
-+    /etc/postfix/sasl/smtpd.conf:
-         pwcheck_method: saslauthd
- 
- The saslauthd daemon is also contained in the cyrus-sasl source tarball. It is
-@@ -169,15 +165,8 @@
- 
- In order to authenticate against SASL's own password database:
- 
--(SASL version 1.5.5)
--
--    /usr/local/lib/sasl/smtpd.conf:
--        pwcheck_method:  sasldb
--
--(SASL version 2.1.1)
--
--    /usr/local/lib/sasl2/smtpd.conf:
--        pwcheck_method:  auxprop
-+    /etc/postfix/sasl/smtpd.conf:
-+	pwcheck_method:  sasldb
- 
- This will use the SASL password file (default: /etc/sasldb in version 1.5.5, or
- /etc/sasldb2 in version 2.1.1), which is maintained with the saslpasswd or
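Review bot: the replacement `pwcheck_method:  sasldb` is the SASL 1.x keyword, yet this hunk deletes the SASL 2 alternative (`pwcheck_method:  auxprop`) even though the previous hunk narrows the document to "SASL 2.1.1 and later", and the retained context still refers to /etc/sasldb2 "in version 2.1.1". With libsasl2 the sasldb backend is selected with `pwcheck_method: auxprop` and `auxprop_plugin: sasldb`; keep that form, or keep both variants with their version labels as the original did. The tab indentation on the replacement line differs from the space-indented examples elsewhere in the file.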
-diff -urNad postfix-release/README_FILES/TLS_README /tmp/dpep.cXJuVH/postfix-release/README_FILES/TLS_README
---- postfix-release/README_FILES/TLS_README	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/README_FILES/TLS_README	2005-02-03 10:22:13.049099140 -0700
-@@ -0,0 +1,731 @@
-+PPoossttffiixx TTLLSS SSuuppppoorrtt
-+
-+-------------------------------------------------------------------------------
-+
-+PPuurrppoossee ooff tthhiiss ddooccuummeenntt
-+
-+This document describes how to configure the Transport Layer Security (TLS)
-+support in the Postfix SMTP client and Postfix SMTP server, and how to
-+configure the TLS manager daemon that maintains the Pseudo Random Number
-+Generator (PRNG) pool and the TLS session cache information.
-+
-+Topics covered in this document:
-+
-+  * SMTP Server specific settings
-+  * SMTP Client specific settings
-+  * TLS manager specific settings
-+  * Reporting problems
-+  * Credits
-+
-+SSMMTTPP SSeerrvveerr ssppeecciiffiicc sseettttiinnggss
-+
-+Topics covered in this section:
-+
-+  * Server-side certificate and private key configuration
-+  * Server-side TLS activity logging
-+  * Enabling TLS in the Postfix SMTP server
-+  * Client certificate verification
-+  * Supporting AUTH over TLS only
-+  * Server-side TLS session cache
-+  * Server access control
-+  * Server-side cipher controls
-+  * Miscellaneous server controls
-+
-+SSeerrvveerr--ssiiddee cceerrttiiffiiccaattee aanndd pprriivvaattee kkeeyy ccoonnffiigguurraattiioonn
-+
-+In order to use TLS, the Postfix SMTP server needs a certificate and a private
-+key. Both must be in "pem" format. The private key must not be encrypted,
-+meaning: the key must be accessible without password. Both certificate and
-+private key may be in the same file.
-+
-+Both RSA and DSA certificates are supported. Typically you will only have RSA
-+certificates issued by a commercial CA. In addition, the tools supplied with
-+OpenSSL will by default issue RSA certificates. You can have both at the same
-+time, in which case the cipher used determines which certificate is presented.
-+For Netscape and OpenSSL clients without special cipher choices, the RSA
-+certificate is preferred.
-+
-+In order for remote SMTP clients to check the Postfix SMTP server certificates,
-+the CA certificate (in case of a certificate chain, all CA certificates) must
-+be available. You should add these certificates to the server certificate, the
-+server certificate first, then the issuing CA(s).
-+
-+Example: the certificate for "server.dom.ain" was issued by "intermediate CA"
-+which itself has a certificate issued by "root CA". Create the server.pem file
-+with:
-+
-+    cat server_cert.pem intermediate_CA.pem root_CA.pem > server.pem
-+
-+If you want the Postfix SMTP server to accept remote SMTP client certificates
-+issued by these CAs, you can also add the CA certificates to the
-+smtpd_tls_CAfile, in which case it is not necessary to have them in the
-+smtpd_tls_cert_file or smtpd_tls_dcert_file.
-+
-+A Postfix SMTP server certificate supplied here must be usable as SSL server
-+certificate and hence pass the "openssl verify -purpose sslserver ..." test.
-+
-+RSA key and certificate examples:
-+
-+    smtpd_tls_cert_file = /etc/postfix/server.pem
-+    smtpd_tls_key_file = $smtpd_tls_cert_file
-+
-+Their DSA counterparts:
-+
-+    smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
-+    smtpd_tls_dkey_file = $smtpd_tls_dcert_file
-+
-+The Postfix SMTP server certificate was issued by a certification authority
-+(CA), the CA-cert of which must be provided with the CA file if it is not
-+already provided in the certificate file. The CA file may also contain the CA
-+certificates of other trusted CAs. You must use this file for the list of
-+trusted CAs if you want to use chroot-mode. No default is supplied for this
-+value as of now.
-+
-+Example:
-+
-+    smtpd_tls_CAfile = /etc/postfix/CAcert.pem
-+
-+To verify a remote SMTP client certificate, the Postfix SMTP server needs to
-+know the certificates of the issuing certification authorities. These
-+certificates in "pem" format are collected in a directory. The same CA
-+certificates are offered to clients for client verification. Don't forget to
-+create the necessary "hash" links with $OPENSSL_HOME/bin/c_rehash /etc/postfix/
-+certs. A typical place for the CA certificates may also be $OPENSSL_HOME/certs,
-+so there is no default and you explicitly have to set the value here!
-+
-+To use this option in chroot mode, this directory itself or a copy of it must
-+be inside the chroot jail. Please note also, that the CAs in this directory are
-+not listed to the client, so that e.g. Netscape might not offer certificates
-+issued by them. For this reason, the use of this feature is discouraged.
-+
-+Example:
-+
-+    smtpd_tls_CApath = /etc/postfix/certs
-+
-+SSeerrvveerr--ssiiddee TTLLSS aaccttiivviittyy llooggggiinngg
-+
-+To get additional information about Postfix SMTP server TLS activity you can
-+increase the loglevel from 0..4. Each logging level also includes the
-+information that is logged at a lower logging level.
-+
-+    0 Disable logging of TLS activity.
-+
-+    1 Log TLS handshake and certificate information.
-+
-+    2 Log levels during TLS negotiation.
-+
-+    3 Log hexadecimal and ASCII dump of TLS negotiation process
-+
-+    4 Log hexadecimal and ASCII dump of complete transmission after STARTTLS
-+
-+Use loglevel 3 only in case of problems. Use of loglevel 4 is strongly
-+discouraged.
-+
-+Example:
-+
-+    smtpd_tls_loglevel = 0
-+
-+To include information about the protocol and cipher used as well as the client
-+and issuer CommonName into the "Received:" message header, set the
-+smtpd_tls_received_header variable to true. The default is no, as the
-+information is not necessarily authentic. Only information recorded at the
-+final destination is reliable, since the headers may be changed by intermediate
-+servers.
-+
-+Example:
-+
-+    smtpd_tls_received_header = yes
-+
-+EEnnaabblliinngg TTLLSS iinn tthhee PPoossttffiixx SSMMTTPP sseerrvveerr
-+
-+By default, TLS is disabled in the Postfix SMTP server, so no difference to
-+plain Postfix is visible. Explicitly switch it on using "smtpd_use_tls = yes".
-+
-+Example:
-+
-+    smtpd_use_tls = yes
-+
-+Note: when an unprivileged user invokes "sendmail -bs", STARTTLS is never
-+offered due to insufficient privileges to access the server private key. This
-+is intended behavior.
-+
-+You can ENFORCE the use of TLS, so that the Postfix SMTP server accepts no
-+commands (except QUIT of course) without TLS encryption, by setting
-+"smtpd_enforce_tls = yes". According to RFC 2487 this MUST NOT be applied in
-+case of a publicly-referenced Postfix SMTP server. So this option is off by
-+default and should only seldom be used. Using this option implies
-+"smtpd_use_tls = yes".
-+
-+Example:
-+
-+    smtpd_enforce_tls = yes
-+
-+Besides RFC 2487 some clients, namely Outlook [Express] prefer to run the non-
-+standard "wrapper" mode, not the STARTTLS enhancement to SMTP. This is true for
-+OE (Win32 < 5.0 and Win32 >=5.0 when run on a port<>25 and OE (5.01 Mac on all
-+ports).
-+
-+It is strictly discouraged to use this mode from main.cf. If you want to
-+support this service, enable a special port in master.cf and specify "-
-+o smtpd_tls_wrappermode = yes" as an smtpd(8) command line option. Port 465
-+(smtps) was once chosen for this feature.
-+
-+Example:
-+
-+    smtpd_tls_wrappermode = no
-+
-+CClliieenntt cceerrttiiffiiccaattee vveerriiffiiccaattiioonn
-+
-+To receive a remote SMTP client certificate, the Postfix SMTP server must
-+explicitly ask for one by sending the $smtpd_tls_CAfile certificates to the
-+client. Unfortunately, Netscape clients will either complain if no matching
-+client certificate is available or will offer the user client a list of
-+certificates to choose from. This might be annoying, so this option is "off" by
-+default. You will however need the certificate if you want to use certificate
-+based relaying with, for example, the permit_tls_client_certs feature.
-+
-+Example:
-+
-+    smtpd_tls_ask_ccert = no
-+
-+You may also decide to REQUIRE a remote SMTP client certificate before allowing
-+TLS connections. This feature is included for completeness, and implies
-+"smtpd_tls_ask_ccert = yes".
-+
-+Please be aware, that this will inhibit TLS connections without a proper client
-+certificate and that it makes sense only when non-TLS submission is disabled
-+(smtpd_enforce_tls = yes). Otherwise, clients could bypass the restriction by
-+simply not using STARTTLS at all.
-+
-+When TLS is not enforced, the connection will be handled as if only
-+"smtpd_tls_ask_ccert = yes" is specified, and a warning is logged.
-+
-+Example:
-+
-+    smtpd_tls_req_ccert = no
-+
-+A client certificate verification depth of 1 is sufficient if the certificate
-+is directly issued by a CA listed in the CA file. The default value (5) should
-+also suffice for longer chains (root CA issues special CA which then issues the
-+actual certificate...)
-+
-+Example:
-+
-+    smtpd_tls_ccert_verifydepth = 5
-+
-+SSuuppppoorrttiinngg AAUUTTHH oovveerr TTLLSS oonnllyy
-+
-+Sending AUTH data over an un-encrypted channel poses a security risk. When TLS
-+layer encryption is required (smtpd_enforce_tls = yes), the Postfix SMTP server
-+will announce and accept AUTH only after the TLS layer has been activated with
-+STARTTLS. When TLS layer encryption is optional (smtpd_enforce_tls = no), it
-+may however still be useful to only offer AUTH when TLS is active. To maintain
-+compatibility with non-TLS clients, the default is to accept AUTH without
-+encryption. In order to change this behavior, set "smtpd_tls_auth_only = yes".
-+
-+Example:
-+
-+    smtpd_tls_auth_only = no
-+
-+SSeerrvveerr--ssiiddee TTLLSS sseessssiioonn ccaacchhee
-+
-+The Postfix SMTP server and the remote SMTP client negotiate a session, which
-+takes some computer time and network bandwidth. By default, this session
-+information is cached only in the smtpd(8) process actually using this session
-+and is lost when the process terminates. To share the session information
-+between multiple smtpd(8) processes, a persistent session cache can be used
-+based on the SDBM databases (routines included in Postfix/TLS). Since
-+concurrent writing must be supported, only SDBM can be used.
-+
-+Example:
-+
-+    smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
-+
-+Cached Postfix SMTP server session information expires after a certain amount
-+of time. Postfix/TLS does not use the OpenSSL default of 300s, but a longer
-+time of 3600sec (=1 hour). RFC 2246 recommends a maximum of 24 hours.
-+
-+Example:
-+
-+    smtpd_tls_session_cache_timeout = 3600s
-+
-+SSeerrvveerr aacccceessss ccoonnttrrooll
-+
-+Postfix TLS support introduces two additional features for Postfix SMTP server
-+access control:
-+
-+    permit_tls_clientcerts
-+        Allow the remote SMTP client SMTP request if the client certificate
-+        passes verification, and if its fingerprint is listed in the list of
-+        client certificates (see relay_clientcerts discussion below).
-+
-+    permit_tls_all_clientcerts
-+        Allow the remote client SMTP request if the client certificate passes
-+        verification.
-+
-+The permit_tls_all_clientcerts feature must be used with caution, because it
-+can result in too many access permissions. Use this feature only if a special
-+CA issues the client certificates, and only if this CA is listed as trusted CA.
-+If other CAs are trusted, any owner of a valid client certificate would be
-+authorized. The permit_tls_all_clientcerts feature can be practical for a
-+specially created email relay server.
-+
-+It is however recommended to stay with the permit_tls_clientcerts feature and
-+list all certificates via $relay_clientcerts, as permit_tls_all_clientcerts
-+does not permit any control when a certificate must no longer be used (e.g. an
-+employee leaving).
-+
-+Example:
-+
-+    smtpd_recipient_restrictions =
-+        ...
-+        permit_tls_clientcerts
-+        reject_unauth_destination
-+        ...
-+
-+The Postfix list manipulation routines give special treatment to whitespace and
-+some other characters, making the use of certificate names unpractical. Instead
-+we use the certificate fingerprints as they are difficult to fake but easy to
-+use for lookup. Postfix lookup tables are in the form of (key, value) pairs.
-+Since we only need the key, the value can be chosen freely, e.g. the name of
-+the user or host:
-+
-+    D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home
-+
-+Example:
-+
-+    relay_clientcerts = hash:/etc/postfix/relay_clientcerts
-+
-+SSeerrvveerr--ssiiddee cciipphheerr ccoonnttrroollss
-+
-+To influence the Postfix SMTP server cipher selection scheme, you can give
-+cipherlist string. A detailed description would go to far here, please refer to
-+the openssl documentation. If you don't know what to do with it, simply don't
-+touch it and leave the (openssl-)compiled in default!
-+
-+DO NOT USE " to enclose the string, specify just the string!!!
-+
-+Example:
-+
-+    smtpd_tls_cipherlist = DEFAULT
-+
-+If you want to take advantage of ciphers with EDH, DH parameters are needed.
-+Instead of using the built-in DH parameters for both 1024bit and 512bit, it is
-+better to generate "own" parameters, since otherwise it would "pay" for a
-+possible attacker to start a brute force attack against parameters that are
-+used by everybody. For this reason, the parameters chosen are already different
-+from those distributed with other TLS packages.
-+
-+To generate your own set of DH parameters, use:
-+
-+    openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024
-+    openssl gendh -out /etc/postfix/dh_512.pem -2 -rand /var/run/egd-pool 512
-+
-+Your source for "entropy" might vary; some systems have /dev/random; on other
-+systems you might consider the "Entropy Gathering Daemon EGD", available at
-+http://www.lothar.com/tech/crypto/.
-+
-+Examples:
-+
-+    smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
-+    smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
-+
-+MMiisscceellllaanneeoouuss sseerrvveerr ccoonnttrroollss
-+
-+The smtpd_starttls_timeout parameter limits the time of Postfix SMTP server
-+write and read operations during TLS startup and shutdown handshake procedures.
-+
-+Example:
-+
-+    smtpd_starttls_timeout = 300s
-+
-+SSMMTTPP CClliieenntt ssppeecciiffiicc sseettttiinnggss
-+
-+Topics covered in this section:
-+
-+  * Client-side certificate and private key configuration
-+  * Client-side TLS activity logging
-+  * Client-side TLS session cache
-+  * Enabling TLS in the Postfix SMTP client
-+  * Server certificate verification
-+  * Client-side cipher controls
-+  * Miscellaneous client controls
-+
-+CClliieenntt--ssiiddee cceerrttiiffiiccaattee aanndd pprriivvaattee kkeeyy ccoonnffiigguurraattiioonn
-+
-+During TLS startup negotiation the Postfix SMTP client may present a
-+certificate to the remote SMTP server. The Netscape client is rather clever
-+here and lets the user select between only those certificates that match CA
-+certificates offered by the remote SMTP server. As the Postfix SMTP client uses
-+the "SSL_connect()" function from the OpenSSL package, this is not possible and
-+we have to choose just one certificate. So for now the default is to use _no_
-+certificate and key unless one is explicitly specified here.
-+
-+Both RSA and DSA certificates are supported. You can have both at the same
-+time, in which case the cipher used determines which certificate is presented.
-+
-+It is possible for the Postfix SMTP client to use the same key/certificate pair
-+as the Postfix SMTP server. If a certificate is to be presented, it must be in
-+"pem" format. The private key must not be encrypted, meaning: it must be
-+accessible without password. Both parts (certificate and private key) may be in
-+the same file.
-+
-+In order for remote SMTP servers to verify the Postfix SMTP client
-+certificates, the CA certificate (in case of a certificate chain, all CA
-+certificates) must be available. You should add these certificates to the
-+client certificate, the client certificate first, then the issuing CA(s).
-+
-+Example: the certificate for "client.dom.ain" was issued by "intermediate CA"
-+which itself has a certificate of "root CA". Create the client.pem file with:
-+
-+    cat client_cert.pem intermediate_CA.pem root_CA.pem > client.pem
-+
-+If you want the Postfix SMTP client to accept certificates issued by these CAs,
-+you can also add the CA certificates to the smtp_tls_CAfile, in which case it
-+is not necessary to have them in the smtp_tls_cert_file or smtp_tls_dcert_file.
-+
-+A Postfix SMTP client certificate supplied here must be usable as SSL client
-+certificate and hence pass the "openssl verify -purpose sslclient ..." test.
-+
-+RSA key and certificate examples:
-+
-+    smtp_tls_cert_file = /etc/postfix/client.pem
-+    smtp_tls_key_file = $smtp_tls_cert_file
-+
-+Their DSA counterparts:
-+
-+    smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
-+    smtp_tls_dkey_file = $smtpd_tls_cert_file
-+
-+The Postfix SMTP client certificate was issued by a certification authority
-+(CA), the CA-cert of which must be provided with the CA file if it is not
-+already provided in the certificate file. The CA file may also contain the CA
-+certificates of other trusted CAs. You must use this file for the list of
-+trusted CAs if you want to use chroot-mode. No default is supplied for this
-+value as of now.
-+
-+Example:
-+
-+    smtp_tls_CAfile = /etc/postfix/CAcert.pem
-+
-+To verify a remote SMTP server certificate, the Postfix SMTP client needs to
-+know the certificates of the issuing certification authorities. These
-+certificates in "pem" format are collected in a directory. Don't forget to
-+create the necessary "hash" links with $OPENSSL_HOME/bin/c_rehash /etc/postfix/
-+certs. A typical place for the CA certificates may also be $OPENSSL_HOME/certs,
-+so there is no default and you explicitly have to set the value here!
-+
-+To use this option in chroot mode, this directory itself or a copy of it must
-+be inside the chroot jail.
-+
-+Example:
-+
-+    smtp_tls_CApath = /etc/postfix/certs
-+
-+CClliieenntt--ssiiddee TTLLSS aaccttiivviittyy llooggggiinngg
-+
-+To get additional information about Postfix SMTP client TLS activity you can
-+increase the loglevel from 0..4. Each logging level also includes the
-+information that is logged at a lower logging level.
-+
-+    0 Disable logging of TLS activity.
-+
-+    1 Log TLS handshake and certificate information.
-+
-+    2 Log levels during TLS negotiation.
-+
-+    3 Log hexadecimal and ASCII dump of TLS negotiation process
-+
-+    4 Log hexadecimal and ASCII dump of complete transmission after STARTTLS
-+
-+Example:
-+
-+    smtp_tls_loglevel = 0
-+
-+CClliieenntt--ssiiddee TTLLSS sseessssiioonn ccaacchhee
-+
-+The remote SMTP server and the Postfix SMTP client negotiate a session, which
-+takes some computer time and network bandwidth. By default, this session
-+information is cached only in the smtp(8) process actually using this session
-+and is lost when the process terminates. To share the session information
-+between multiple smtp(8) processes, a persistent session cache can be used
-+based on the SDBM databases (routines included in Postfix/TLS). Since
-+concurrent writing must be supported, only SDBM can be used.
-+
-+Example:
-+
-+    smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache
-+
-+Cached Postfix SMTP client session information expires after a certain amount
-+of time. Postfix/TLS does not use the OpenSSL default of 300s, but a longer
-+time of 3600s (=1 hour). RFC 2246 recommends a maximum of 24 hours.
-+
-+Example:
-+
-+    smtp_tls_session_cache_timeout = 3600s
-+
-+EEnnaabblliinngg TTLLSS iinn tthhee PPoossttffiixx SSMMTTPP cclliieenntt
-+
-+By default, TLS is disabled in the Postfix SMTP client, so no difference to
-+plain Postfix is visible. If you enable TLS, the Postfix SMTP client will send
-+STARTTLS when TLS support is announced by the remote SMTP server.
-+
-+WARNING: MS Exchange servers will announce STARTTLS support even when the
-+service is not configured, so that the TLS handshake will fail. It may be wise
-+to not use this option on your central mail hub, as you don't know in advance
-+whether you are going to connect to such a host. Instead, use the
-+smtp_tls_per_site recipient/site specific options that are described below.
-+
-+When the TLS handshake fails and no other server is available, the Postfix SMTP
-+client defers the delivery attempt, and the mail stays in the queue.
-+
-+Example:
-+
-+    smtp_use_tls = yes
-+
-+You can ENFORCE the use of TLS, so that the Postfix SMTP client will not
-+deliver mail over un-encrypted connections. In this mode, the remote SMTP
-+server hostname must match the information in the remote server certificate,
-+and the server certificate must be issued by a CA that is trusted by the
-+Postfix SMTP client. If the remote server certificate doesn't verify or the
-+remote SMTP server hostname doesn't match, and no other server is available,
-+the delivery attempt is deferred and the mail stays in the queue.
-+
-+The remote SMTP server hostname used in the check is beyond question, as it
-+must be the principal hostname (no CNAME allowed here). Checks are performed
-+against all names provided as dNSNames in the SubjectAlternativeName. If no
-+dNSNames are specified, the CommonName is checked. The behavior may be changed
-+with the smtp_tls_enforce_peername option which is discussed below.
-+
-+This option is useful only if you know that you will only connect to servers
-+that support RFC 2487 _and_ that present server certificates that meet the
-+above requirements. An example would be a client only sends email to one
-+specific mailhub that offers the necessary STARTTLS support.
-+
-+Example:
-+
-+    smtp_enforce_tls = no
-+
-+As of RFC 2487 the requirements for hostname checking for MTA clients are not
-+set. When TLS is required (smtp_enforce_tls = yes), the option
-+smtp_tls_enforce_peername can be set to "no" to disable strict remote SMTP
-+server hostname checking. In this case, the mail delivery will proceed
-+regardless of the CommonName etc. listed in the certificate.
-+
-+Note: the smtp_tls_enforce_peername setting has no effect on sessions that are
-+controlled via the smtp_tls_per_site table.
-+
-+Disabling the remote SMTP server hostname verification can make sense in closed
-+environment where special CAs are created. If not used carefully, this option
-+opens the danger of a "man-in-the-middle" attack (the CommonName of this
-+possible attacker is logged).
-+
-+Example:
-+
-+    smtp_tls_enforce_peername = yes
-+
-+Generally, trying TLS can be a bad idea, as some servers offer STARTTLS but the
-+negotiation will fail leading to unexplainable failures. Instead, it may be a
-+good idea to choose the TLS usage policy based on the recipient or the mailhub
-+to which you are connecting.
-+
-+Deciding the TLS usage policy per recipient may be difficult, since a single
-+email delivery attempt can involve several recipients. Instead, use of TLS is
-+controlled by the Postfix next-hop destination domain name and by the remote
-+SMTP server hostname. If either of these matches an entry in the
-+smtp_tls_per_site table, appropriate action is taken.
-+
-+The remote SMTP server hostname is simply the DNS name of the server that the
-+Postfix SMTP client connects to. The next-hop destination is Postfix specific.
-+By default, this is the domain name in the recipient address, but this
-+information can be overruled by the transport(5) table or by the relayhost
-+parameter setting. In these cases the relayhost etc. must be listed in the
-+smtp_tls_per_site table, instead of the recipient domain name.
-+
-+Format of the table: domain or host names are specified on the left-hand side;
-+no wildcards are allowed. On the right hand side specify one of the following
-+keywords:
-+
-+    NONE
-+        Don't use TLS at all.
-+    MAY
-+        Try to use STARTTLS if offered, otherwise use the un-encrypted
-+        connection.
-+    MUST
-+        Require usage of STARTTLS, require that the remote SMTP server hostname
-+        matches the information in the remote SMTP server certificate, and
-+        require that the remote SMTP server certificate was issued by a trusted
-+        CA.
-+    MUST_NOPEERMATCH
-+        Require usage of STARTTLS, but do not require that the remote SMTP
-+        server hostname matches the information in the remote SMTP server
-+        certificate, or that the server certificate was issued by a trusted CA.
-+
-+The actual TLS usage policy depends not only on whether the next-hop
-+destination or remote SMTP server hostname are found in the smtp_tls_per_site
-+table, but also on the smtp_enforce_tls setting:
-+
-+  * If no match was found, the policy is applied as specified with
-+    smtp_enforce_tls.
-+
-+  * If a match was found, and the smtp_enforce_tls policy is "enforce", NONE
-+    explicitly switches it off; otherwise the "enforce" mode is used even for
-+    entries that specify MAY.
-+
-+Special hint for TLS enforcement mode: since no secure DNS lookup mechanism is
-+available, mail can be delivered to the wrong remote SMTP server. This is not
-+prevented by specifying MUST for the next-hop domain name. The recommended
-+setup is: specify local transport(5) table entries for sensitive domains with
-+explicit smtp:[mailhost] destinations (since you can assure security of this
-+table unlike DNS), then specify MUST for these mail hosts in the
-+smtp_tls_per_site table.
-+
-+Example:
-+
-+    smtp_tls_per_site = hash:/etc/postfix/tls_per_site
-+
-+As we decide on a "per site" basis whether or not to use TLS, it would be good
-+to have a list of sites that offered "STARTTLS". We can collect it ourselves
-+with this option.
-+
-+If the smtp_tls_note_starttls_offer feature is enabled and a server offers
-+STARTTLS while TLS is not already enabled for that server, the Postfix SMTP
-+client logs a line as follows:
-+
-+    postfix/smtp[pid]: Host offered STARTTLS: [hostname.example.com]
-+
-+Example:
-+
-+    smtp_tls_note_starttls_offer = yes
-+
-+SSeerrvveerr cceerrttiiffiiccaattee vveerriiffiiccaattiioonn
-+
-+When verifying a remote SMTP server certificate, a verification depth of 1 is
-+sufficient if the certificate is directly issued by a CA specified with
-+smtp_tls_CAfile or smtp_tls_CApath. The default value of 5 should also suffice
-+for longer chains (root CA issues special CA which then issues the actual
-+certificate...)
-+
-+Example:
-+
-+    smtp_tls_scert_verifydepth = 5
-+
-+CClliieenntt--ssiiddee cciipphheerr ccoonnttrroollss
-+
-+To influence the Postfix SMTP client cipher selection scheme, you can give
-+cipherlist string. A detailed description would go to far here, please refer to
-+the openssl documentation. If you don't know what to do with it, simply don't
-+touch it and leave the (openssl-)compiled in default!
-+
-+DO NOT USE " to enclose the string, specify just the string!!!
-+
-+Example:
-+
-+    smtp_tls_cipherlist = DEFAULT
-+
-+MMiisscceellllaanneeoouuss cclliieenntt ccoonnttrroollss
-+
-+The smtp_starttls_timeout parameter limits the time of Postfix SMTP client
-+write and read operations during TLS startup and shutdown handshake procedures.
-+In case of problems the Postfix SMTP client tries the next network address on
-+the mail exchanger list, and defers delivery if no alternative server is
-+available.
-+
-+Example:
-+
-+    smtp_starttls_timeout = 300s
-+
-+TTLLSS mmaannaaggeerr ssppeecciiffiicc sseettttiinnggss
-+
-+The security of cryptographic software such as TLS depends critically on the
-+ability to generate unpredictable numbers for keys and other information. To
-+this end, the tlsmgr(8) process maintains a Pseudo Random Number Generator
-+(PRNG) pool. This is a fixed-size 1024-byte exchange file that is read by the
-+smtp(8) and smtpd(8) processes when they initialize. These processes also add
-+some more entropy to the file by stirring in their own time and process id
-+information.
-+
-+The tlsmgr(8) process creates the file if it does not already exist, and
-+rewrites the file at random time intervals with information from its in-memory
-+PRNG pool. The default location is under the Postfix configuration directory,
-+which is not the proper place for information that is modified by Postfix.
-+Instead, the file location should probably be on the /var partition (but _not_
-+inside the chroot jail).
-+
-+Example:
-+
-+    tls_random_exchange_name = /etc/postfix/prng_exch
-+
-+In order to feed its in-memory PRNG pool, the tlsmgr(8) reads entropy from an
-+external source, both at startup and during run-time. Specify a good entropy
-+source, like EGD or /dev/urandom; be sure to only use non-blocking sources. If
-+the entropy source is not a regular file, you must prepend the source type to
-+the source name: "dev:" for a device special file, or "egd:" for a source with
-+EGD compatible socket interface.
-+
-+Examples (specify only one in main.cf):
-+
-+    tls_random_source = dev:/dev/urandom
-+    tls_random_source = egd:/var/run/egd-pool
-+
-+By default, tlsmgr(8) reads 32 bytes from the external entropy source at each
-+seeding event. This amount (256bits) is more than sufficient for generating a
-+128bit symmetric key. With EGD and device entropy sources, the tlsmgr(8) limits
-+the amount of data read at each step to 255 bytes. If you specify a regular
-+file as entropy source, a larger amount of data can be read.
-+
-+Example:
-+
-+    tls_random_bytes = 32
-+
-+In order to update its in-memory PRNG pool, the tlsmgr(8) queries the external
-+entropy source again after a random amount of time. The time is calculated
-+using the PRNG, and is between 0 and the maximal time specified with
-+tls_random_reseed_period. The default maximal time interval is 1 hour.
-+
-+Example:
-+
-+    tls_random_reseed_period = 3600s
-+
-+The tlsmgr(8) re-generates the 1024 byte seed exchange file after a random
-+amount of time. The time is calculated using the PRNG, and is between 0 and the
-+maximal time specified with tls_random_update_period. The default maximal time
-+interval is 60 seconds.
-+
-+Example:
-+
-+    tls_random_prng_update_period = 60s
-+
-+If you have an entropy source available that is not easily drained (like /dev/
-+urandom), the smtp(8) and smtpd(8) daemons can load additional entropy on
-+startup. By default, an amount of 32 bytes is read, the equivalent to 256 bits.
-+This is more than sufficient to generate a 128bit (or 168bit) session key.
-+However, when Postfix needs to generate more than one key it can drain the EGD.
-+Consider the case of 50 smtp(8) processes starting up with a full queue; this
-+will request 1600bytes of entropy. This is however not fatal, as long as
-+"entropy" data can still be read from the seed file that is maintained by
-+tlsmgr(8).
-+
-+Examples:
-+
-+    tls_daemon_random_source = dev:/dev/urandom
-+    tls_daemon_random_source = egd:/var/run/egd-pool
-+    tls_daemon_random_bytes = 32
-+
-+RReeppoorrttiinngg pprroobblleemmss
-+
-+When reporting a problem, please be thorough in the report. Patches, when
-+possible, are greatly appreciated too.
-+
-+Please differentiate when possible between:
-+
-+  * Problems in the IPv6 code: stack.nl>
-+  * Problems in the TLS code: aet.tu-cottbus.de>
-+  * Problems in vanilla Postfix: postfix.org>
-+
-+CCrreeddiittss
-+
-+  * TLS support for Postfix was originally developed by Lutz Jänicke at Cottbus
-+    Technical University.
-+  * This part of the documentation was compiled by Wietse Venema
-+
-diff -urNad postfix-release/src/global/inet_interfaces_to_af.c /tmp/dpep.cXJuVH/postfix-release/src/global/inet_interfaces_to_af.c
---- postfix-release/src/global/inet_interfaces_to_af.c	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/global/inet_interfaces_to_af.c	2005-02-03 10:22:13.050098917 -0700
-@@ -0,0 +1,27 @@
-+#include <sys_defs.h>
-+#include <stdlib.h>
-+#include <sys/socket.h>
-+#include <mail_params.h>
-+#include <inet_interfaces_to_af.h>
-+
-+int     inet_interfaces_to_af (char *inet_interfaces)
-+{
-+    int     af = -1;
-+
-+    if (inet_interfaces == NULL || *inet_interfaces == '\0')
-+	return (af);
-+    if (strcasecmp(inet_interfaces, INET_INTERFACES_ALL) == 0 ||
-+	strcasecmp(inet_interfaces, INET_INTERFACES_LOCAL) == 0)
-+	af = AF_UNSPEC;
-+    else if (strcasecmp(inet_interfaces, "IPv6:" DEF_INET_INTERFACES) == 0)
-+#ifdef INET6
-+	af = AF_INET6;
-+#else
-+	msg_fatal("unable to bind to IPv6 only (%s=%s): IPv6 not compiled in",
-+		  VAR_INET_INTERFACES, inet_interfaces);
-+#endif
-+    else if (strcasecmp(inet_interfaces, "IPv4:" DEF_INET_INTERFACES) == 0)
-+	af = AF_INET;
-+
-+    return (af);
-+}
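Review bot: inet_interfaces_to_af() calls strcasecmp() and msg_fatal() but the file only includes sys_defs.h, stdlib.h, sys/socket.h, mail_params.h and inet_interfaces_to_af.h; add `#include <msg.h>` and the `#include <string.h>` / `STRCASECMP_IN_STRINGS_H` guarded `<strings.h>` pair that own_inet_addr.c already uses, otherwise the build relies on implicit declarations. Also note the function returns -1 for an empty or NULL setting and silently for any unrecognised string (for example a hostname list), so callers must treat -1 as "not a keyword", not as an error; a short comment above the function stating that contract would help.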
-diff -urNad postfix-release/src/global/inet_interfaces_to_af.h /tmp/dpep.cXJuVH/postfix-release/src/global/inet_interfaces_to_af.h
---- postfix-release/src/global/inet_interfaces_to_af.h	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/global/inet_interfaces_to_af.h	2005-02-03 10:22:13.050098917 -0700
-@@ -0,0 +1,6 @@
-+#ifndef _INET_INTERFACES_TO_AF_H_INCLUDED_
-+#define _INET_INTERFACES_TO_AF_H_INCLUDED_
-+
-+extern int inet_interfaces_to_af (char *);
-+
-+#endif
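Review bot: the parameter should be declared `const char *`, since inet_interfaces_to_af() only compares the string and never writes to it; keeping it `char *` forces callers with const configuration strings to cast.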
-diff -urNad postfix-release/src/global/mail_params.c /tmp/dpep.cXJuVH/postfix-release/src/global/mail_params.c
---- postfix-release/src/global/mail_params.c	2005-02-03 10:22:12.220284014 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/global/mail_params.c	2005-02-03 10:22:13.050098917 -0700
-@@ -46,6 +46,7 @@
- /*	int	var_message_limit;
- /*	char	*var_mail_release;
- /*	char	*var_mail_version;
-+/*	char	*var_tlsipv6_version;
- /*	int	var_ipc_idle_limit;
- /*	int	var_ipc_ttl_limit;
- /*	char	*var_db_type;
-@@ -163,6 +164,7 @@
- #include "mail_proto.h"
- #include "verp_sender.h"
- #include "mail_params.h"
-+#include "pfixtls.h"
- 
-  /*
-   * Special configuration variables.
-@@ -207,6 +209,9 @@
- int     var_message_limit;
- char   *var_mail_release;
- char   *var_mail_version;
-+#ifdef INET6
-+char   *var_tlsipv6_version;
-+#endif
- int     var_ipc_idle_limit;
- int     var_ipc_ttl_limit;
- char   *var_db_type;
-@@ -233,6 +238,31 @@
- int     var_in_flow_delay;
- char   *var_par_dom_match;
- char   *var_config_dirs;
-+char   *var_tls_rand_exch_name;
-+char   *var_smtpd_tls_cert_file;
-+char   *var_smtpd_tls_key_file;
-+char   *var_smtpd_tls_dcert_file;
-+char   *var_smtpd_tls_dkey_file;
-+char   *var_smtpd_tls_CAfile;
-+char   *var_smtpd_tls_CApath;
-+char   *var_smtpd_tls_cipherlist;
-+char   *var_smtpd_tls_dh512_param_file;
-+char   *var_smtpd_tls_dh1024_param_file;
-+int     var_smtpd_tls_loglevel;
-+char   *var_smtpd_tls_scache_db;
-+int     var_smtpd_tls_scache_timeout;
-+char   *var_smtp_tls_cert_file;
-+char   *var_smtp_tls_key_file;
-+char   *var_smtp_tls_dcert_file;
-+char   *var_smtp_tls_dkey_file;
-+char   *var_smtp_tls_CAfile;
-+char   *var_smtp_tls_CApath;
-+char   *var_smtp_tls_cipherlist;
-+int     var_smtp_tls_loglevel;
-+char   *var_smtp_tls_scache_db;
-+int     var_smtp_tls_scache_timeout;
-+char   *var_tls_daemon_rand_source;
-+int     var_tls_daemon_rand_bytes;
- 
- char   *var_import_environ;
- char   *var_export_environ;
-@@ -488,6 +518,9 @@
- 	VAR_ALIAS_DB_MAP, DEF_ALIAS_DB_MAP, &var_alias_db_map, 0, 0,
- 	VAR_MAIL_RELEASE, DEF_MAIL_RELEASE, &var_mail_release, 1, 0,
- 	VAR_MAIL_VERSION, DEF_MAIL_VERSION, &var_mail_version, 1, 0,
-+#ifdef INET6
-+	VAR_TLSIPV6_VERSION, DEF_TLSIPV6_VERSION, &var_tlsipv6_version, 1, 0,
-+#endif
- 	VAR_DB_TYPE, DEF_DB_TYPE, &var_db_type, 1, 0,
- 	VAR_HASH_QUEUE_NAMES, DEF_HASH_QUEUE_NAMES, &var_hash_queue_names, 1, 0,
- 	VAR_RCPT_DELIM, DEF_RCPT_DELIM, &var_rcpt_delim, 0, 1,
-@@ -512,6 +545,26 @@
- 	VAR_FLUSH_SERVICE, DEF_FLUSH_SERVICE, &var_flush_service, 1, 0,
- 	VAR_VERIFY_SERVICE, DEF_VERIFY_SERVICE, &var_verify_service, 1, 0,
- 	VAR_TRACE_SERVICE, DEF_TRACE_SERVICE, &var_trace_service, 1, 0,
-+	VAR_TLS_RAND_EXCH_NAME, DEF_TLS_RAND_EXCH_NAME, &var_tls_rand_exch_name, 0, 0,
-+	VAR_SMTPD_TLS_CERT_FILE, DEF_SMTPD_TLS_CERT_FILE, &var_smtpd_tls_cert_file, 0, 0,
-+	VAR_SMTPD_TLS_KEY_FILE, DEF_SMTPD_TLS_KEY_FILE, &var_smtpd_tls_key_file, 0, 0,
-+	VAR_SMTPD_TLS_DCERT_FILE, DEF_SMTPD_TLS_DCERT_FILE, &var_smtpd_tls_dcert_file, 0, 0,
-+	VAR_SMTPD_TLS_DKEY_FILE, DEF_SMTPD_TLS_DKEY_FILE, &var_smtpd_tls_dkey_file, 0, 0,
-+	VAR_SMTPD_TLS_CA_FILE, DEF_SMTPD_TLS_CA_FILE, &var_smtpd_tls_CAfile, 0, 0,
-+	VAR_SMTPD_TLS_CA_PATH, DEF_SMTPD_TLS_CA_PATH, &var_smtpd_tls_CApath, 0, 0,
-+	VAR_SMTPD_TLS_CLIST, DEF_SMTPD_TLS_CLIST, &var_smtpd_tls_cipherlist, 0, 0,
-+	VAR_SMTPD_TLS_512_FILE, DEF_SMTPD_TLS_512_FILE, &var_smtpd_tls_dh512_param_file, 0, 0,
-+	VAR_SMTPD_TLS_1024_FILE, DEF_SMTPD_TLS_1024_FILE, &var_smtpd_tls_dh1024_param_file, 0, 0,
-+	VAR_SMTPD_TLS_SCACHE_DB, DEF_SMTPD_TLS_SCACHE_DB, &var_smtpd_tls_scache_db, 0, 0,
-+	VAR_SMTP_TLS_CERT_FILE, DEF_SMTP_TLS_CERT_FILE, &var_smtp_tls_cert_file, 0, 0,
-+	VAR_SMTP_TLS_KEY_FILE, DEF_SMTP_TLS_KEY_FILE, &var_smtp_tls_key_file, 0, 0,
-+	VAR_SMTP_TLS_DCERT_FILE, DEF_SMTP_TLS_DCERT_FILE, &var_smtp_tls_dcert_file, 0, 0,
-+	VAR_SMTP_TLS_DKEY_FILE, DEF_SMTP_TLS_DKEY_FILE, &var_smtp_tls_dkey_file, 0, 0,
-+	VAR_SMTP_TLS_CA_FILE, DEF_SMTP_TLS_CA_FILE, &var_smtp_tls_CAfile, 0, 0,
-+	VAR_SMTP_TLS_CA_PATH, DEF_SMTP_TLS_CA_PATH, &var_smtp_tls_CApath, 0, 0,
-+	VAR_SMTP_TLS_CLIST, DEF_SMTP_TLS_CLIST, &var_smtp_tls_cipherlist, 0, 0,
-+	VAR_SMTP_TLS_SCACHE_DB, DEF_SMTP_TLS_SCACHE_DB, &var_smtp_tls_scache_db, 0, 0,
-+	VAR_TLS_DAEMON_RAND_SOURCE, DEF_TLS_DAEMON_RAND_SOURCE, &var_tls_daemon_rand_source, 0, 0,
- 	0,
-     };
-     static CONFIG_STR_FN_TABLE function_str_defaults_2[] = {
-@@ -534,6 +587,9 @@
- 	VAR_TOKEN_LIMIT, DEF_TOKEN_LIMIT, &var_token_limit, 1, 0,
- 	VAR_MIME_MAXDEPTH, DEF_MIME_MAXDEPTH, &var_mime_maxdepth, 1, 0,
- 	VAR_MIME_BOUND_LEN, DEF_MIME_BOUND_LEN, &var_mime_bound_len, 1, 0,
-+	VAR_SMTPD_TLS_LOGLEVEL, DEF_SMTPD_TLS_LOGLEVEL, &var_smtpd_tls_loglevel, 0, 0,
-+	VAR_SMTP_TLS_LOGLEVEL, DEF_SMTP_TLS_LOGLEVEL, &var_smtp_tls_loglevel, 0, 0,
-+	VAR_TLS_DAEMON_RAND_BYTES, DEF_TLS_DAEMON_RAND_BYTES, &var_tls_daemon_rand_bytes, 0, 0,
- 	0,
-     };
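Review bot: the three new int entries are registered with min/max `0, 0`, so `smtpd_tls_loglevel`, `smtp_tls_loglevel` and `tls_daemon_random_bytes` accept zero or negative values without a configuration-time complaint; the neighbouring entries (`VAR_TOKEN_LIMIT ... 1, 0`) show the convention for a lower bound. For `tls_daemon_random_bytes` in particular, the documentation in this same patch says the daemons read 32 bytes by default and at most 255 bytes from EGD or device sources, so a minimum of 1 (and arguably a maximum of 255) here would turn a mis-set value into a startup error instead of a silent no-seed condition.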
-     static CONFIG_TIME_TABLE time_defaults[] = {
-@@ -546,6 +602,8 @@
- 	VAR_FORK_DELAY, DEF_FORK_DELAY, &var_fork_delay, 1, 0,
- 	VAR_FLOCK_DELAY, DEF_FLOCK_DELAY, &var_flock_delay, 1, 0,
- 	VAR_FLOCK_STALE, DEF_FLOCK_STALE, &var_flock_stale, 1, 0,
-+	VAR_SMTPD_TLS_SCACHTIME, DEF_SMTPD_TLS_SCACHTIME, &var_smtpd_tls_scache_timeout, 0, 0,
-+	VAR_SMTP_TLS_SCACHTIME, DEF_SMTP_TLS_SCACHTIME, &var_smtp_tls_scache_timeout, 0, 0,
- 	VAR_DAEMON_TIMEOUT, DEF_DAEMON_TIMEOUT, &var_daemon_timeout, 1, 0,
- 	VAR_IN_FLOW_DELAY, DEF_IN_FLOW_DELAY, &var_in_flow_delay, 0, 10,
- 	0,
-diff -urNad postfix-release/src/global/mail_params.h /tmp/dpep.cXJuVH/postfix-release/src/global/mail_params.h
---- postfix-release/src/global/mail_params.h	2005-02-03 10:22:12.200288474 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/global/mail_params.h	2005-02-03 10:22:13.052098471 -0700
-@@ -129,7 +129,9 @@
-   * Virtual host support. Default is to listen on all machine interfaces.
-   */
- #define VAR_INET_INTERFACES	"inet_interfaces"	/* listen addresses */
--#define DEF_INET_INTERFACES	"all"
-+#define INET_INTERFACES_ALL	"all"
-+#define INET_INTERFACES_LOCAL	"loopback-only"
-+#define DEF_INET_INTERFACES	INET_INTERFACES_ALL
- extern char *var_inet_interfaces;
- 
- #define VAR_PROXY_INTERFACES	"proxy_interfaces"	/* proxies, NATs */
-@@ -519,6 +521,34 @@
- #define DEF_DUP_FILTER_LIMIT	1000
- extern int var_dup_filter_limit;
- 
-+#define VAR_TLS_RAND_EXCH_NAME	"tls_random_exchange_name"
-+#define DEF_TLS_RAND_EXCH_NAME	"${queue_directory}/prng_exch"
-+extern char *var_tls_rand_exch_name;
-+
-+#define VAR_TLS_RAND_SOURCE	"tls_random_source"
-+#define DEF_TLS_RAND_SOURCE	""
-+extern char *var_tls_rand_source;
-+
-+#define VAR_TLS_RAND_BYTES	"tls_random_bytes"
-+#define DEF_TLS_RAND_BYTES	32
-+extern int var_tls_rand_bytes;
-+
-+#define VAR_TLS_DAEMON_RAND_SOURCE	"tls_daemon_random_source"
-+#define DEF_TLS_DAEMON_RAND_SOURCE	""
-+extern char *var_tls_daemon_rand_source;
-+
-+#define VAR_TLS_DAEMON_RAND_BYTES	"tls_daemon_random_bytes"
-+#define DEF_TLS_DAEMON_RAND_BYTES	32
-+extern int var_tls_daemon_rand_bytes;
-+
-+#define VAR_TLS_RESEED_PERIOD	"tls_random_reseed_period"
-+#define DEF_TLS_RESEED_PERIOD	"3600s"
-+extern int var_tls_reseed_period;
-+
-+#define VAR_TLS_PRNG_UPD_PERIOD	"tls_random_prng_update_period"
-+#define DEF_TLS_PRNG_UPD_PERIOD "60s"
-+extern int var_tls_prng_upd_period;
-+
-  /*
-   * Queue manager: relocated databases.
-   */
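Review bot: `DEF_TLS_RAND_EXCH_NAME` is `"${queue_directory}/prng_exch"`, but the documentation added earlier in this patch says the default location is under the Postfix configuration directory and that the file must not live inside the chroot jail; since `queue_directory` is the chroot root for chrooted services, either the default or the documentation is wrong, and the two need to agree before this ships. Separately, the header declares `var_tls_rand_source`, `var_tls_rand_bytes`, `var_tls_reseed_period` and `var_tls_prng_upd_period` extern, while the mail_params.c hunks in this patch define none of them; if they are meant to be defined only in tlsmgr, a comment saying so would stop the next reader from adding them to the global table.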
-@@ -768,6 +798,10 @@
- #define DEF_SMTP_XFWD_TMOUT	"300s"
- extern int var_smtp_xfwd_tmout;
- 
-+#define VAR_SMTP_STARTTLS_TMOUT	"smtp_starttls_timeout"
-+#define DEF_SMTP_STARTTLS_TMOUT	"300s"
-+extern int var_smtp_starttls_tmout;
-+
- #define VAR_SMTP_MAIL_TMOUT	"smtp_mail_timeout"
- #define DEF_SMTP_MAIL_TMOUT	"300s"
- extern int var_smtp_mail_tmout;
-@@ -828,6 +862,10 @@
- #define DEF_SMTP_BIND_ADDR	""
- extern char *var_smtp_bind_addr;
- 
-+#define VAR_SMTP_BIND_ADDR6	"smtp_bind_address6"
-+#define DEF_SMTP_BIND_ADDR6	""
-+extern char *var_smtp_bind_addr6;
-+
- #define VAR_SMTP_HELO_NAME	"smtp_helo_name"
- #define DEF_SMTP_HELO_NAME	"$myhostname"
- extern char *var_smtp_helo_name;
-@@ -869,6 +907,10 @@
- #define DEF_SMTPD_TMOUT		"300s"
- extern int var_smtpd_tmout;
- 
-+#define VAR_SMTPD_STARTTLS_TMOUT "smtpd_starttls_timeout"
-+#define DEF_SMTPD_STARTTLS_TMOUT "300s"
-+extern int var_smtpd_starttls_tmout;
-+
- #define VAR_SMTPD_RCPT_LIMIT	"smtpd_recipient_limit"
- #define DEF_SMTPD_RCPT_LIMIT	1000
- extern int var_smtpd_rcpt_limit;
-@@ -901,6 +943,150 @@
- #define DEF_SMTPD_NOOP_CMDS	""
- extern char *var_smtpd_noop_cmds;
- 
-+#define VAR_SMTPD_TLS_WRAPPER	"smtpd_tls_wrappermode"
-+#define DEF_SMTPD_TLS_WRAPPER	0
-+extern bool var_smtpd_tls_wrappermode;
-+
-+#define VAR_SMTPD_USE_TLS	"smtpd_use_tls"
-+#define DEF_SMTPD_USE_TLS	0
-+extern bool var_smtpd_use_tls;
-+
-+#define VAR_SMTPD_ENFORCE_TLS	"smtpd_enforce_tls"
-+#define DEF_SMTPD_ENFORCE_TLS	0
-+extern bool var_smtpd_enforce_tls;
-+
-+#define VAR_SMTPD_TLS_AUTH_ONLY	"smtpd_tls_auth_only"
-+#define DEF_SMTPD_TLS_AUTH_ONLY 0
-+extern bool var_smtpd_tls_auth_only;
-+
-+#define VAR_SMTPD_TLS_ACERT	"smtpd_tls_ask_ccert"
-+#define DEF_SMTPD_TLS_ACERT	0
-+extern bool var_smtpd_tls_ask_ccert;
-+
-+#define VAR_SMTPD_TLS_RCERT	"smtpd_tls_req_ccert"
-+#define DEF_SMTPD_TLS_RCERT	0
-+extern bool var_smtpd_tls_req_ccert;
-+
-+#define VAR_SMTPD_TLS_CCERT_VD	"smtpd_tls_ccert_verifydepth"
-+#define DEF_SMTPD_TLS_CCERT_VD	5
-+extern int var_smtpd_tls_ccert_vd;
-+
-+#define VAR_SMTPD_TLS_CERT_FILE	"smtpd_tls_cert_file"
-+#define DEF_SMTPD_TLS_CERT_FILE	""
-+extern char *var_smtpd_tls_cert_file;
-+
-+#define VAR_SMTPD_TLS_KEY_FILE	"smtpd_tls_key_file"
-+#define DEF_SMTPD_TLS_KEY_FILE	"$smtpd_tls_cert_file"
-+extern char *var_smtpd_tls_key_file;
-+
-+#define VAR_SMTPD_TLS_DCERT_FILE "smtpd_tls_dcert_file"
-+#define DEF_SMTPD_TLS_DCERT_FILE ""
-+extern char *var_smtpd_tls_dcert_file;
-+
-+#define VAR_SMTPD_TLS_DKEY_FILE	"smtpd_tls_dkey_file"
-+#define DEF_SMTPD_TLS_DKEY_FILE	"$smtpd_tls_dcert_file"
-+extern char *var_smtpd_tls_dkey_file;
-+
-+#define VAR_SMTPD_TLS_CA_FILE	"smtpd_tls_CAfile"
-+#define DEF_SMTPD_TLS_CA_FILE	""
-+extern char *var_smtpd_tls_CAfile;
-+
-+#define VAR_SMTPD_TLS_CA_PATH	"smtpd_tls_CApath"
-+#define DEF_SMTPD_TLS_CA_PATH	""
-+extern char *var_smtpd_tls_CApath;
-+
-+#define VAR_SMTPD_TLS_CLIST	"smtpd_tls_cipherlist"
-+#define DEF_SMTPD_TLS_CLIST	""
-+extern char *var_smtpd_tls_cipherlist;
-+
-+#define VAR_SMTPD_TLS_512_FILE	"smtpd_tls_dh512_param_file"
-+#define DEF_SMTPD_TLS_512_FILE	""
-+extern char *var_smtpd_tls_dh512_param_file;
-+
-+#define VAR_SMTPD_TLS_1024_FILE	"smtpd_tls_dh1024_param_file"
-+#define DEF_SMTPD_TLS_1024_FILE	""
-+extern char *var_smtpd_tls_dh1024_param_file;
-+
-+#define VAR_SMTPD_TLS_LOGLEVEL	"smtpd_tls_loglevel"
-+#define DEF_SMTPD_TLS_LOGLEVEL	0
-+extern int var_smtpd_tls_loglevel;
-+
-+#define VAR_SMTPD_TLS_RECHEAD	"smtpd_tls_received_header"
-+#define DEF_SMTPD_TLS_RECHEAD	0
-+extern bool var_smtpd_tls_received_header;
-+
-+#define VAR_SMTPD_TLS_SCACHE_DB	"smtpd_tls_session_cache_database"
-+#define DEF_SMTPD_TLS_SCACHE_DB	""
-+extern char *var_smtpd_tls_scache_db;
-+
-+#define VAR_SMTPD_TLS_SCACHTIME	"smtpd_tls_session_cache_timeout"
-+#define DEF_SMTPD_TLS_SCACHTIME	"3600s"
-+extern int var_smtpd_tls_scache_timeout;
-+
-+#define VAR_SMTP_TLS_PER_SITE	"smtp_tls_per_site"
-+#define DEF_SMTP_TLS_PER_SITE	""
-+extern char *var_smtp_tls_per_site;
-+
-+#define VAR_SMTP_USE_TLS	"smtp_use_tls"
-+#define DEF_SMTP_USE_TLS	0
-+extern bool var_smtp_use_tls;
-+
-+#define VAR_SMTP_ENFORCE_TLS	"smtp_enforce_tls"
-+#define DEF_SMTP_ENFORCE_TLS	0
-+extern bool var_smtp_enforce_tls;
-+
-+#define VAR_SMTP_TLS_ENFORCE_PN	"smtp_tls_enforce_peername"
-+#define DEF_SMTP_TLS_ENFORCE_PN	1
-+extern bool var_smtp_tls_enforce_peername;
-+
-+#define VAR_SMTP_TLS_SCERT_VD	"smtp_tls_scert_verifydepth"
-+#define DEF_SMTP_TLS_SCERT_VD	5
-+extern int var_smtp_tls_scert_vd;
-+
-+#define VAR_SMTP_TLS_CERT_FILE	"smtp_tls_cert_file"
-+#define DEF_SMTP_TLS_CERT_FILE	""
-+extern char *var_smtp_tls_cert_file;
-+
-+#define VAR_SMTP_TLS_KEY_FILE	"smtp_tls_key_file"
-+#define DEF_SMTP_TLS_KEY_FILE	"$smtp_tls_cert_file"
-+extern char *var_smtp_tls_key_file;
-+
-+#define VAR_SMTP_TLS_DCERT_FILE "smtp_tls_dcert_file"
-+#define DEF_SMTP_TLS_DCERT_FILE ""
-+extern char *var_smtp_tls_dcert_file;
-+
-+#define VAR_SMTP_TLS_DKEY_FILE	"smtp_tls_dkey_file"
-+#define DEF_SMTP_TLS_DKEY_FILE	"$smtp_tls_dcert_file"
-+extern char *var_smtp_tls_dkey_file;
-+
-+#define VAR_SMTP_TLS_CA_FILE	"smtp_tls_CAfile"
-+#define DEF_SMTP_TLS_CA_FILE	""
-+extern char *var_smtp_tls_CAfile;
-+
-+#define VAR_SMTP_TLS_CA_PATH	"smtp_tls_CApath"
-+#define DEF_SMTP_TLS_CA_PATH	""
-+extern char *var_smtp_tls_CApath;
-+
-+#define VAR_SMTP_TLS_CLIST	"smtp_tls_cipherlist"
-+#define DEF_SMTP_TLS_CLIST	""
-+extern char *var_smtp_tls_cipherlist;
-+
-+#define VAR_SMTP_TLS_LOGLEVEL	"smtp_tls_loglevel"
-+#define DEF_SMTP_TLS_LOGLEVEL	0
-+extern int var_smtp_tls_loglevel;
-+
-+#define VAR_SMTP_TLS_NOTEOFFER	"smtp_tls_note_starttls_offer"
-+#define DEF_SMTP_TLS_NOTEOFFER	0
-+extern bool var_smtp_tls_note_starttls_offer;
-+
-+#define VAR_SMTP_TLS_SCACHE_DB	"smtp_tls_session_cache_database"
-+#define DEF_SMTP_TLS_SCACHE_DB	""
-+extern char *var_smtp_tls_scache_db;
-+
-+#define VAR_SMTP_TLS_SCACHTIME	"smtp_tls_session_cache_timeout"
-+#define DEF_SMTP_TLS_SCACHTIME	"3600s"
-+extern int var_smtp_tls_scache_timeout;
-+
-  /*
-   * SASL authentication support, SMTP server side.
-   */
-@@ -916,6 +1102,10 @@
- #define DEF_SMTPD_SASL_APPNAME	"smtpd"
- extern char *var_smtpd_sasl_appname;
- 
-+#define VAR_SMTPD_SASL_TLS_OPTS	"smtpd_sasl_tls_security_options"
-+#define DEF_SMTPD_SASL_TLS_OPTS	"$smtpd_sasl_security_options"
-+extern char *var_smtpd_sasl_opts;
-+
- #define VAR_SMTPD_SASL_REALM	"smtpd_sasl_local_domain"
- #define DEF_SMTPD_SASL_REALM	""
- extern char *var_smtpd_sasl_realm;
-@@ -945,6 +1135,14 @@
- #define DEF_SMTP_SASL_OPTS	"noplaintext, noanonymous"
- extern char *var_smtp_sasl_opts;
- 
-+#define VAR_SMTP_SASL_TLS_OPTS	"smtp_sasl_tls_security_options"
-+#define DEF_SMTP_SASL_TLS_OPTS	"$var_smtp_sasl_opts"
-+extern char *var_smtp_sasl_tls_opts;
-+
-+#define VAR_SMTP_SASL_TLSV_OPTS	"smtp_sasl_tls_verified_security_options"
-+#define DEF_SMTP_SASL_TLSV_OPTS	"$var_smtp_sasl_tls_opts"
-+extern char *var_smtp_sasl_tls_verified_opts;
-+
-  /*
-   * LMTP server. The soft error limit determines how many errors an LMTP
-   * client may make before we start to slow down; the hard error limit
-@@ -1075,6 +1273,14 @@
- #define DEF_LMTP_QUIT_TMOUT	"300s"
- extern int var_lmtp_quit_tmout;
- 
-+#define VAR_LMTP_BIND_ADDR	"lmtp_bind_address"
-+#define DEF_LMTP_BIND_ADDR	""
-+extern char *var_lmtp_bind_addr;
-+
-+#define VAR_LMTP_BIND_ADDR6	"lmtp_bind_address6"
-+#define DEF_LMTP_BIND_ADDR6	""
-+extern char *var_lmtp_bind_addr6;
-+
- #define VAR_LMTP_SEND_XFORWARD	"lmtp_send_xforward_command"
- #define DEF_LMTP_SEND_XFORWARD	0
- extern bool var_lmtp_send_xforward;
-@@ -1234,6 +1440,10 @@
- #define DEF_RELAY_RCPT_CODE	550
- extern int var_relay_rcpt_code;
- 
-+#define VAR_RELAY_CCERTS	"relay_clientcerts"
-+#define DEF_RELAY_CCERTS	""
-+extern char *var_relay_ccerts;
-+
- #define VAR_CLIENT_CHECKS	"smtpd_client_restrictions"
- #define DEF_CLIENT_CHECKS	""
- extern char *var_client_checks;
-@@ -1352,6 +1562,8 @@
- #define PERMIT_AUTH_DEST	"permit_auth_destination"
- #define REJECT_UNAUTH_DEST	"reject_unauth_destination"
- #define CHECK_RELAY_DOMAINS	"check_relay_domains"
-+#define PERMIT_TLS_CLIENTCERTS	"permit_tls_clientcerts"
-+#define PERMIT_TLS_ALL_CLIENTCERTS	"permit_tls_all_clientcerts"
- #define VAR_RELAY_CODE		"relay_domains_reject_code"
- #define DEF_RELAY_CODE		554
- extern int var_relay_code;
-diff -urNad postfix-release/src/global/mail_proto.h /tmp/dpep.cXJuVH/postfix-release/src/global/mail_proto.h
---- postfix-release/src/global/mail_proto.h	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/global/mail_proto.h	2005-02-03 10:22:13.052098471 -0700
-@@ -42,6 +42,7 @@
- #define MAIL_SERVICE_LOCAL	"local"
- #define MAIL_SERVICE_PICKUP	"pickup"
- #define MAIL_SERVICE_QUEUE	"qmgr"
-+#define MAIL_SERVICE_TLSMGR	"tlsmgr"
- #define MAIL_SERVICE_RESOLVE	"resolve"
- #define MAIL_SERVICE_REWRITE	"rewrite"
- #define MAIL_SERVICE_VIRTUAL	"virtual"
-diff -urNad postfix-release/src/global/mail_version.h /tmp/dpep.cXJuVH/postfix-release/src/global/mail_version.h
---- postfix-release/src/global/mail_version.h	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/global/mail_version.h	2005-02-03 10:22:13.052098471 -0700
-@@ -31,6 +31,14 @@
- #endif
- extern char *var_mail_version;
- 
-+#define VAR_TLSIPV6_VERSION	"tls_ipv6_version"
-+#ifdef INET6
-+#define DEF_TLSIPV6_VERSION	"1.24"
-+#else
-+#define DEF_TLSIPV6_VERSION	""
-+#endif
-+extern char *var_tlsipv6_version;
-+
-  /*
-   * Release date.
-   */
-diff -urNad postfix-release/src/global/Makefile.in /tmp/dpep.cXJuVH/postfix-release/src/global/Makefile.in
---- postfix-release/src/global/Makefile.in	2005-02-03 10:22:12.218284460 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/global/Makefile.in	2005-02-03 10:22:13.053098248 -0700
-@@ -23,7 +23,8 @@
- 	sent.c smtp_stream.c split_addr.c string_list.c strip_addr.c \
- 	sys_exits.c timed_ipc.c tok822_find.c tok822_node.c tok822_parse.c \
- 	tok822_resolve.c tok822_rewrite.c tok822_tree.c trace.c verify.c \
--	verify_clnt.c verp_sender.c virtual8_maps.c xtext.c
-+	verify_clnt.c verp_sender.c virtual8_maps.c xtext.c pfixtls.c \
-+	wildcard_inet_addr.c inet_interfaces_to_af.c
- OBJS	= abounce.o been_here.o bounce.o bounce_log.o \
- 	canon_addr.o cfg_parser.o cleanup_strerror.o cleanup_strflags.o \
- 	clnt_stream.o debug_peer.o debug_process.o defer.o \
-@@ -47,7 +48,8 @@
- 	sent.o smtp_stream.o split_addr.o string_list.o strip_addr.o \
- 	sys_exits.o timed_ipc.o tok822_find.o tok822_node.o tok822_parse.o \
- 	tok822_resolve.o tok822_rewrite.o tok822_tree.o trace.o verify.o \
--	verify_clnt.o verp_sender.o virtual8_maps.o xtext.o
-+	verify_clnt.o verp_sender.o virtual8_maps.o xtext.o \
-+	wildcard_inet_addr.o inet_interfaces_to_af.o
- HDRS	= abounce.h been_here.h bounce.h bounce_log.h \
- 	canon_addr.h cfg_parser.h cleanup_user.h clnt_stream.h config.h \
- 	debug_peer.h debug_process.h defer.h deliver_completed.h \
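Review bot: `pfixtls.c` was added to SRCS in the previous hunk and `pfixtls.h` to HDRS below, but this OBJS hunk only adds `wildcard_inet_addr.o` and `inet_interfaces_to_af.o`; without `pfixtls.o` in OBJS the TLS code is never linked into libglobal and every reference from smtp, smtpd and tlsmgr will fail at link time (or, if pfixtls.o is built elsewhere, the SRCS entry is misleading and should be dropped).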
-@@ -69,7 +71,7 @@
- 	resolve_local.h rewrite_clnt.h sent.h smtp_stream.h split_addr.h \
- 	string_list.h strip_addr.h sys_exits.h timed_ipc.h tok822.h \
- 	trace.h verify.h verify_clnt.h verp_sender.h virtual8_maps.h \
--	xtext.h
-+	xtext.h pfixtls.h wildcard_inet_addr.h inet_interfaces_to_af.h
- TESTSRC	= rec2stream.c stream2rec.c recdump.c
- DEFS	= -I. -I$(INC_DIR) -D$(SYSTYPE)
- CFLAGS	= $(DEBUG) $(OPT) $(DEFS)
-@@ -898,6 +900,7 @@
- mail_params.o: ../../include/attr.h
- mail_params.o: verp_sender.h
- mail_params.o: mail_params.h
-+mail_params.o: pfixtls.h
- mail_pathname.o: mail_pathname.c
- mail_pathname.o: ../../include/sys_defs.h
- mail_pathname.o: ../../include/stringops.h
-diff -urNad postfix-release/src/global/mynetworks.c /tmp/dpep.cXJuVH/postfix-release/src/global/mynetworks.c
---- postfix-release/src/global/mynetworks.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/global/mynetworks.c	2005-02-03 10:22:13.054098025 -0700
-@@ -28,6 +28,13 @@
- /*	IBM T.J. Watson Research
- /*	P.O. Box 704
- /*	Yorktown Heights, NY 10598, USA
-+/*
-+/*	Dean C. Strik
-+/*	Department ICT Services
-+/*	Eindhoven University of Technology
-+/*	P.O. Box 513
-+/*	5600 MB  Eindhoven, Netherlands
-+/*	E-mail: <dean at ipnet6.org>
- /*--*/
- 
- /* System library. */
-@@ -42,7 +49,8 @@
- #define IN_CLASSD_NSHIFT 	28
- #endif
- 
--#define BITS_PER_ADDR		32
-+#define BITS_PER_ADDR_V4	32
-+#define BITS_PER_ADDR_V6	128
- 
- /* Utility library. */
- 
-@@ -50,6 +58,12 @@
- #include <vstring.h>
- #include <inet_addr_list.h>
- #include <name_mask.h>
-+#ifdef INET6
-+#include <string.h>
-+#include <sys/socket.h>
-+#include <netinet/in.h>
-+#include <netdb.h>
-+#endif
- 
- /* Global library. */
- 
-@@ -75,18 +89,25 @@
- const char *mynetworks(void)
- {
-     static VSTRING *result;
-+    int bits_per_addr;
-+#ifdef INET6
-+    char hbuf[NI_MAXHOST];
-+#endif
- 
-     if (result == 0) {
- 	char   *myname = "mynetworks";
- 	INET_ADDR_LIST *my_addr_list;
- 	INET_ADDR_LIST *my_mask_list;
--	unsigned long addr;
--	unsigned long mask;
-+	unsigned long addr = 0;
-+	unsigned long mask = 0;
- 	struct in_addr net;
--	int     shift;
-+	int     shift = 0;
- 	int     junk;
- 	int     i;
- 	int     mask_style;
-+#ifdef INET6
-+	struct sockaddr *sa;
-+#endif
- 
- 	mask_style = name_mask("mynetworks mask style", mask_styles,
- 			       var_mynetworks_style);
-@@ -107,8 +128,23 @@
- 	my_mask_list = own_inet_mask_list();
- 
- 	for (i = 0; i < my_addr_list->used; i++) {
-+#ifdef INET6
-+	    sa = (struct sockaddr *)&my_addr_list->addrs[i];
-+	    if (sa->sa_family != AF_INET && sa->sa_family != AF_INET6) {
-+		msg_warn("%s: unknown family in address list", myname);
-+		 continue;
-+	    }
-+	    if (sa->sa_family == AF_INET) {
-+		bits_per_addr = BITS_PER_ADDR_V4;
-+		addr = ntohl(((struct sockaddr_in *)sa)->sin_addr.s_addr);
-+		mask = ntohl(((struct sockaddr_in *)
-+			      &my_mask_list->addrs[i])->sin_addr.s_addr);
-+	    } else
-+		bits_per_addr = BITS_PER_ADDR_V6;
-+#else
- 	    addr = ntohl(my_addr_list->addrs[i].s_addr);
- 	    mask = ntohl(my_mask_list->addrs[i].s_addr);
-+#endif
- 
- 	    switch (mask_style) {
- 
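Review bot: the `continue;` after `msg_warn()` is indented with an extra space relative to the surrounding tab-indented block, and the `else` branch for AF_INET6 leaves `addr` and `mask` holding whatever the previous AF_INET iteration stored; that is harmless today only because the AF_INET6 path `continue`s before `addr & mask` is used later in the loop, so a comment saying the IPv4 scalars are intentionally unused for IPv6 would prevent a future refactor from reading stale values.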
-@@ -117,6 +153,9 @@
- 		 * ISP who gave you a small portion of their network.
- 		 */
- 	    case MASK_STYLE_CLASS:
-+#ifdef INET6
-+		if (sa->sa_family == AF_INET) {
-+#endif
- 		if (IN_CLASSA(addr)) {
- 		    mask = IN_CLASSA_NET;
- 		    shift = IN_CLASSA_NSHIFT;
-@@ -130,24 +169,73 @@
- 		    mask = IN_CLASSD_NET;
- 		    shift = IN_CLASSD_NSHIFT;
- 		} else {
-+#ifdef INET6
-+		    if (getnameinfo(sa, SA_LEN(sa), hbuf, sizeof(hbuf),
-+				    NULL, 0, NI_NUMERICHOST))
-+			strncpy(hbuf, "???", sizeof(hbuf));
-+		    msg_fatal("%s: bad address class: %s", myname, hbuf);
-+#else
- 		    msg_fatal("%s: bad address class: %s",
- 			      myname, inet_ntoa(my_addr_list->addrs[i]));
-+#endif
- 		}
- 		break;
-+#ifdef INET6
-+		} /* if AF_INET */
-+		/*
-+		 * There are no classes for IPv6, we default to subnets instead.
-+		 */
-+		/* FALLTHROUGH */
-+#endif
- 
- 		/*
- 		 * Subnet mask. This is safe, but breaks backwards
- 		 * compatibility when used as default setting.
- 		 */
- 	    case MASK_STYLE_SUBNET:
--		for (junk = mask, shift = BITS_PER_ADDR; junk != 0; shift--, (junk <<= 1))
--		     /* void */ ;
-+#ifdef INET6
-+		if (sa->sa_family == AF_INET6) {
-+		    unsigned char *ac, *end;
-+		    ac = (unsigned char *)&(((struct sockaddr_in6 *)&my_mask_list->addrs[i])->sin6_addr);
-+		    end = ac + bits_per_addr / 8;
-+		    shift = bits_per_addr;
-+		    while (ac < end) {
-+			switch (*(ac++)) {
-+			    case 0xff: shift -= 8; break;
-+			    case 0xfe: shift -= 7; break;
-+			    case 0xfc: shift -= 6; break;
-+			    case 0xf8: shift -= 5; break;
-+			    case 0xf0: shift -= 4; break;
-+			    case 0xe0: shift -= 3; break;
-+			    case 0xc0: shift -= 2; break;
-+			    case 0x80: shift -= 1; break;
-+			    case 0x00: break;
-+			    default: msg_fatal("%s: inconsistent prefixlen",
-+				myname);
-+			}
-+		    }
-+		    break;
-+		}
-+#endif
-+		/* AF_INET */
-+		junk = mask;
-+		shift = bits_per_addr;
-+		while (junk != 0) {
-+		    shift--;
-+		    junk <<= 1;
-+		}
- 		break;
- 
- 		/*
- 		 * Host only. Do not relay authorize other hosts.
- 		 */
- 	    case MASK_STYLE_HOST:
-+#ifdef INET6
-+		if (sa->sa_family == AF_INET6) {
-+		    shift = 0;
-+		    break;
-+		}
-+#endif
- 		mask = ~0;
- 		shift = 0;
- 		break;
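Review bot: the IPv6 prefix-length loop validates each mask byte in isolation but not that the set bits are contiguous, so a mask such as `00ff...` (a zero byte followed by `0xff`) is accepted and counted as if it were a valid prefix instead of hitting the `inconsistent prefixlen` fatal; tracking whether a non-0xff byte has been seen and rejecting any later non-zero byte closes that gap. In the IPv4 path, `junk` is an `int` receiving an `unsigned long` mask and is then shifted left until zero, which is the pre-existing behaviour but now sits next to the `bits_per_addr` generalisation; declaring `junk` unsigned (and `shift = BITS_PER_ADDR_V4` explicitly) would make the loop's termination obvious on 64-bit targets.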
-@@ -156,9 +244,20 @@
- 		msg_panic("unknown mynetworks mask style: %s",
- 			  var_mynetworks_style);
- 	    }
-+#ifdef INET6
-+	    if (sa->sa_family == AF_INET6) {
-+		if (getnameinfo(sa, SA_LEN(sa), hbuf, sizeof(hbuf), NULL, 0,
-+				NI_NUMERICHOST))
-+		    msg_fatal("%s: bad address to getnameinfo()", myname);
-+		vstring_sprintf_append(result, "[%s]/%d ",
-+				       hbuf, bits_per_addr - shift);
-+		continue;
-+	    }
-+#endif
-+	    /* AF_INET */
- 	    net.s_addr = htonl(addr & mask);
- 	    vstring_sprintf_append(result, "%s/%d ",
--				   inet_ntoa(net), BITS_PER_ADDR - shift);
-+				   inet_ntoa(net), bits_per_addr - shift);
- 	}
- 	if (msg_verbose)
- 	    msg_info("%s: %s", myname, vstring_str(result));
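Review bot: for AF_INET6 the entry written to mynetworks is `[hbuf]/prefix`, where hbuf is the unmasked interface address from getnameinfo(), whereas the IPv4 path below writes the network address (`addr & mask`); unless the matching code masks on lookup, the IPv6 entries should be zeroed beyond the prefix before formatting so the list contains networks, not hosts. A second caveat: with NI_NUMERICHOST, link-local addresses come back with a scope suffix (`fe80::...%eth0`) on many platforms, which would then appear verbatim in the mynetworks string.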
-diff -urNad postfix-release/src/global/own_inet_addr.c /tmp/dpep.cXJuVH/postfix-release/src/global/own_inet_addr.c
---- postfix-release/src/global/own_inet_addr.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/global/own_inet_addr.c	2005-02-03 10:23:37.570246060 -0700
-@@ -50,6 +50,8 @@
- #include <netinet/in.h>
- #include <arpa/inet.h>
- #include <string.h>
-+#include <sys/socket.h>
-+#include <netdb.h>
- 
- #ifdef STRCASECMP_IN_STRINGS_H
- #include <strings.h>
-@@ -63,11 +65,13 @@
- #include <inet_addr_local.h>
- #include <inet_addr_host.h>
- #include <stringops.h>
-+#include <sock_addr.h>
- 
- /* Global library. */
- 
- #include <mail_params.h>
- #include <own_inet_addr.h>
-+#include <inet_interfaces_to_af.h>
- 
- /* Application-specific. */
- 
-@@ -88,6 +92,10 @@
-     char   *bufp;
-     int     nvirtual;
-     int     nlocal;
-+    int     done = 0;
-+    int     af;
-+    struct sockaddr_storage *sa;
-+    struct sockaddr_storage *ma;
- 
-     inet_addr_list_init(addr_list);
-     inet_addr_list_init(mask_list);
-@@ -96,27 +104,52 @@
-      * If we are listening on all interfaces (default), ask the system what
-      * the interfaces are.
-      */
--    if (strcasecmp(var_inet_interfaces, DEF_INET_INTERFACES) == 0) {
--	if (inet_addr_local(addr_list, mask_list) == 0)
--	    msg_fatal("could not find any active network interfaces");
--#if 0
--	if (addr_list->used == 1)
--	    msg_warn("found only one active network interface: %s",
--		     inet_ntoa(addr_list->addrs[0]));
--#endif
-+    af = inet_interfaces_to_af(var_inet_interfaces);
-+    if (strcmp(var_inet_interfaces, INET_INTERFACES_ALL) == 0) {
-+	if (af > -1) {
-+	    if (inet_addr_local(addr_list, mask_list, af) == 0)
-+		msg_fatal("could not find any active network interfaces");
-+	}
-     }
- 
-     /*
-+     * Select all loopback interfaces from the system's available interface
-+     * list.
-+     */
-+    else if (strcmp(var_inet_interfaces, INET_INTERFACES_LOCAL) == 0) {
-+        int found=0;
-+        inet_addr_list_init(&local_addrs);
-+        inet_addr_list_init(&local_masks);
-+        if (inet_addr_local(&local_addrs, &local_masks, af) == 0)
-+            msg_fatal("could not find any active network interfaces");
-+        for (sa = local_addrs.addrs, ma = local_masks.addrs;
-+             sa < local_addrs.addrs + local_addrs.used; sa++, ma++) {
-+            if (sock_addr_in_loopback(SOCK_ADDR_PTR(sa))) {
-+                inet_addr_list_append(addr_list, SOCK_ADDR_PTR(sa));
-+                inet_addr_list_append(mask_list, SOCK_ADDR_PTR(ma));
-+		found=1;
-+		if (msg_verbose)
-+		    msg_info("found one");	/* XXX */
-+            }
-+        }
-+        inet_addr_list_free(&local_addrs);
-+        inet_addr_list_free(&local_masks);
-+	if (!found)
-+	    msg_fatal("could not find any loopback addresses");
-+    }
-+    
-+    /*
-      * If we are supposed to be listening only on specific interface
-      * addresses (virtual hosting), look up the addresses of those
-      * interfaces.
-      */
-     else {
- 	bufp = hosts = mystrdup(var_inet_interfaces);
--	while ((host = mystrtok(&bufp, sep)) != 0)
-+	while ((host = mystrtok(&bufp, sep)) != 0) {
- 	    if (inet_addr_host(addr_list, host) == 0)
- 		msg_fatal("config variable %s: host not found: %s",
- 			  VAR_INET_INTERFACES, host);
-+	}
- 	myfree(hosts);
- 
- 	/*
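Review bot: in the `INET_INTERFACES_ALL` branch the new `if (af > -1)` guard means that when `inet_interfaces_to_af()` returns -1 the function returns with `addr_list` and `mask_list` empty and without any diagnostic, where the old code always either filled the lists or called `msg_fatal()`; an empty list also makes `own_inet_addr()` re-run this initialisation on every call, since it tests `addr_list.used == 0`. Treat a negative `af` as fatal or document what it means. The `INET_INTERFACES_LOCAL` branch passes the same unchecked `af` to `inet_addr_local()`, and `msg_info("found one"); /* XXX */` is a debugging leftover that should either log the matched address or be removed; the block also mixes space and tab indentation. Finally, the test moved from `strcasecmp(..., DEF_INET_INTERFACES)` to `strcmp(..., INET_INTERFACES_ALL)`, so a mixed-case setting such as `ALL` no longer matches this branch unless `inet_interfaces_to_af()` handles it, which deserves a changelog line.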
-@@ -129,19 +162,44 @@
- 
- 	inet_addr_list_init(&local_addrs);
- 	inet_addr_list_init(&local_masks);
--	if (inet_addr_local(&local_addrs, &local_masks) == 0)
-+	if (inet_addr_local(&local_addrs, &local_masks, AF_UNSPEC) == 0)
- 	    msg_fatal("could not find any active network interfaces");
- 	for (nvirtual = 0; nvirtual < addr_list->used; nvirtual++) {
- 	    for (nlocal = 0; /* see below */ ; nlocal++) {
--		if (nlocal >= local_addrs.used)
-+		if (nlocal >= local_addrs.used) {
-+#ifdef INET6
-+		    char hbuf[NI_MAXHOST];
-+		    if (getnameinfo((struct sockaddr *)&addr_list->addrs[nvirtual],
-+		        SS_LEN(addr_list->addrs[nvirtual]), hbuf,
-+		        sizeof(hbuf), NULL, 0, NI_NUMERICHOST) != 0)
-+			strncpy(hbuf, "???", sizeof(hbuf));
-+		    msg_fatal("parameter %s: no local interface found for %s",
-+			      VAR_INET_INTERFACES, hbuf);
-+#else
- 		    msg_fatal("parameter %s: no local interface found for %s",
- 			      VAR_INET_INTERFACES,
- 			      inet_ntoa(addr_list->addrs[nvirtual]));
-+#endif
-+		}
-+#ifdef INET6
-+		if (addr_list->addrs[nvirtual].ss_family == 
-+		    local_addrs.addrs[nlocal].ss_family &&
-+		    SS_LEN(addr_list->addrs[nvirtual]) == 
-+		    SS_LEN(local_addrs.addrs[nlocal]) &&
-+		    memcmp(&addr_list->addrs[nvirtual],
-+			   &local_addrs.addrs[nlocal],
-+			   SS_LEN(local_addrs.addrs[nlocal])) == 0) {
-+		    inet_addr_list_append(mask_list, (struct sockaddr *)
-+			&local_masks.addrs[nlocal]);
-+		    break;
-+		}
-+#else
- 		if (addr_list->addrs[nvirtual].s_addr
- 		    == local_addrs.addrs[nlocal].s_addr) {
- 		    inet_addr_list_append(mask_list, &local_masks.addrs[nlocal]);
- 		    break;
- 		}
-+#endif
- 	    }
- 	}
- 	inet_addr_list_free(&local_addrs);
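Review bot: the `#ifdef INET6` match at the end of this hunk compares the whole `sockaddr_storage` with `memcmp()` over `SS_LEN()`, so it also compares the port, the `sin_zero` padding of a `sockaddr_in` and, for IPv6, `sin6_flowinfo` and `sin6_scope_id`. Unless `inet_addr_host()` and `inet_addr_local()` are guaranteed to zero every such byte identically, a configured address can fail to match its own interface and the loop ends in `msg_fatal("parameter %s: no local interface found for %s", ...)`. Compare only the address members (plus scope id for IPv6), as the `SA6_ARE_ADDR_EQUAL` macro added later in this file does; the `#else` path comparing `s_addr` alone is the behaviour to preserve. Also strip the trailing whitespace after `==` on the two `ss_family` and `SS_LEN` comparison lines.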
-@@ -151,6 +209,49 @@
- 
- /* own_inet_addr - is this my own internet address */
- 
-+#ifdef INET6
-+
-+#ifdef INET6_KAME
-+#define SA6_ARE_ADDR_EQUAL(a, b) ( \
-+	((a)->sin6_scope_id == 0 || (b)->sin6_scope_id == 0 || \
-+	(a)->sin6_scope_id == (b)->sin6_scope_id) && \
-+	(memcmp(&(a)->sin6_addr, &(b)->sin6_addr, \
-+	sizeof(struct in6_addr)) == 0))
-+#else
-+#define SA6_ARE_ADDR_EQUAL(a, b) \
-+	(memcmp(&(a)->sin6_addr, &(b)->sin6_addr, \
-+	sizeof(struct in6_addr)) == 0)
-+#endif
-+
-+int     own_inet_addr(struct sockaddr *addr)
-+{
-+    int     i;
-+
-+    if (addr_list.used == 0)
-+	own_inet_addr_init(&addr_list, &mask_list);
-+
-+    for (i = 0; i < addr_list.used; i++) {
-+	if (((struct sockaddr *)&addr_list.addrs[i])->sa_family !=
-+		addr->sa_family)
-+	    continue;
-+	switch (addr->sa_family) {
-+	case AF_INET:
-+	    if (((struct sockaddr_in *)addr)->sin_addr.s_addr ==
-+		((struct sockaddr_in *)&addr_list.addrs[i])->sin_addr.s_addr)
-+		return (1);
-+	    break;
-+	case AF_INET6:
-+	    if (SA6_ARE_ADDR_EQUAL((struct sockaddr_in6 *)addr,
-+		    (struct sockaddr_in6 *)&addr_list.addrs[i]))
-+		return (1);
-+	    break;
-+	default:
-+	    continue;
-+	}
-+    }
-+    return (0);
-+}
-+#else
- int     own_inet_addr(struct in_addr * addr)
- {
-     int     i;
-@@ -163,6 +264,7 @@
- 	    return (1);
-     return (0);
- }
-+#endif
- 
- /* own_inet_addr_list - return list of addresses */
- 
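Review bot: under `INET6_KAME`, `SA6_ARE_ADDR_EQUAL` treats a zero `sin6_scope_id` on either side as a wildcard, so a link-local entry stored without a scope matches the same address on any interface; because `own_inet_addr()` decides whether an address belongs to this host, that widening should either be stated as intended in a comment or replaced by a strict scope-id comparison. Minor: `default: continue;` in the `switch` is equivalent to `break` here since it is the last statement of the loop body, and `break` reads as the normal switch idiom. The non-INET6 `own_inet_addr(struct in_addr *)` is untouched apart from the closing `#endif`, which is fine.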
-@@ -224,8 +326,15 @@
- 	proxy_inet_addr_init(&proxy_list);
- 
-     for (i = 0; i < proxy_list.used; i++)
-+#ifdef INET6
-+	if (proxy_list.addrs[i].ss_family == AF_INET && addr->s_addr ==
-+		((struct sockaddr_in *)&(proxy_list.addrs[i]))->
-+		sin_addr.s_addr)
-+	    return (1);
-+#else
- 	if (addr->s_addr == proxy_list.addrs[i].s_addr)
- 	    return (1);
-+#endif
-     return (0);
- }
- 
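Review bot: the INET6 branch of `proxy_inet_addr()` only matches entries whose `ss_family` is `AF_INET`, and the function still takes a `struct in_addr *` (the header hunk keeps `proxy_inet_addr(struct in_addr *)`), so an IPv6 address listed among the proxy interfaces is silently never recognised as a proxy address. Either extend it to `struct sockaddr *` as was done for `own_inet_addr()`, or document that proxy interfaces are IPv4-only in INET6 builds. Splitting an unbraced `for` body across `#ifdef`/`#else` is also fragile; brace the loop body in both branches.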
-diff -urNad postfix-release/src/global/own_inet_addr.h /tmp/dpep.cXJuVH/postfix-release/src/global/own_inet_addr.h
---- postfix-release/src/global/own_inet_addr.h	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/global/own_inet_addr.h	2005-02-03 10:22:13.054098025 -0700
-@@ -15,11 +15,18 @@
-   * System library.
-   */
- #include <netinet/in.h>
-+#ifdef INET6
-+#include <sys/socket.h>
-+#endif
- 
-  /*
-   * External interface.
-   */
-+#ifdef INET6
-+extern int own_inet_addr(struct sockaddr *);
-+#else
- extern int own_inet_addr(struct in_addr *);
-+#endif
- extern struct INET_ADDR_LIST *own_inet_addr_list(void);
- extern struct INET_ADDR_LIST *own_inet_mask_list(void);
- extern int proxy_inet_addr(struct in_addr *);
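Review bot: in INET6 builds `own_inet_addr()` now takes a `struct sockaddr *` while `proxy_inet_addr()` keeps `struct in_addr *`, so every caller of `own_inet_addr()` must be updated for that build and the asymmetry between the two lookups deserves a comment in this header. The `#ifdef INET6` guard around `#include <sys/socket.h>` is harmless, but including it unconditionally would keep the header self-contained regardless of build flags.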
-diff -urNad postfix-release/src/global/pfixtls.c /tmp/dpep.cXJuVH/postfix-release/src/global/pfixtls.c
---- postfix-release/src/global/pfixtls.c	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/global/pfixtls.c	2005-02-03 10:22:13.059096910 -0700
-@@ -0,0 +1,2824 @@
-+#ifdef USE_TLS
-+/*++
-+/* NAME
-+/*	pfixtls
-+/* SUMMARY
-+/*	interface to openssl routines
-+/* SYNOPSIS
-+/*	#include <pfixtls.h>
-+/*
-+/*	const long scache_db_version;
-+/*	const long openssl_version;
-+/*
-+/*	int pfixtls_serverengine;
-+/*
-+/*	int pfixtls_clientengine;
-+/*
-+/*	int pfixtls_timed_read(fd, buf, len, timeout, unused_context)
-+/*	int fd;
-+/*	void *buf;
-+/*	unsigned len;
-+/*	int timeout;
-+/*	void *context;
-+/*
-+/*	int pfixtls_timed_write(fd, buf, len, timeout, unused_context);
-+/*	int fd;
-+/*	void *buf;
-+/*	unsigned len;
-+/*	int timeout;
-+/*	void *context;
-+/*
-+/*	int pfixtls_init_serverengine(verifydepth, askcert);
-+/*	int verifydepth;
-+/*	int askcert;
-+/*
-+/*	int pfixtls_start_servertls(stream, timeout, peername, peeraddr,
-+/*				    tls_info, requirecert);
-+/*	VSTREAM *stream;
-+/*	int timeout;
-+/*	const char *peername;
-+/*	const char *peeraddr;
-+/*	tls_info_t *tls_info;
-+/*	int requirecert;
-+/*
-+/*	int pfixtls_stop_servertls(stream, failure, tls_info);
-+/*	VSTREAM *stream;
-+/*	int failure;
-+/*	tls_info_t *tls_info;
-+/*	
-+/*	int pfixtls_init_clientengine(verifydepth);
-+/*	int verifydepth;
-+/*
-+/*	int pfixtls_start_clienttls(stream, timeout, peername, peeraddr,
-+/*				    tls_info);
-+/*	VSTREAM *stream;
-+/*	int timeout;
-+/*	const char *peername;
-+/*	const char *peeraddr;
-+/*	tls_info_t *tls_info;
-+/*
-+/*	int pfixtls_stop_clienttls(stream, failure, tls_info);
-+/*	VSTREAM *stream;
-+/*	int failure;
-+/*	tls_info_t *tls_info;
-+/*
-+/* DESCRIPTION
-+/*	This module is the interface between Postfix and the OpenSSL library.
-+/*
-+/*	pfixtls_timed_read() reads the requested number of bytes calling
-+/*	SSL_read(). pfixtls_time_read() will only be called indirect
-+/*	as a VSTREAM_FN function.
-+/*	pfixtls_timed_write() is the corresponding write function.
-+/*
-+/*	pfixtls_init_serverengine() is called once when smtpd is started
-+/*	in order to initialize as much of the TLS stuff as possible.
-+/*	The certificate handling is also decided during the setup phase,
-+/*	so that a peer specific handling is not possible.
-+/*
-+/*	pfixtls_init_clientengine() is the corresponding function called
-+/*	in smtp. Here we take the peer's (server's) certificate in any
-+/*	case.
-+/*
-+/*	pfixtls_start_servertls() activates the TLS feature for the VSTREAM
-+/*	passed as argument. We expect that all buffers are flushed and the
-+/*	TLS handshake can begin	immediately. Information about the peer
-+/*	is stored into the tls_info structure passed as argument.
-+/*
-+/*	pfixtls_stop_servertls() sends the "close notify" alert via
-+/*	SSL_shutdown() to the peer and resets all connection specific
-+/*	TLS data. As RFC2487 does not specify a seperate shutdown, it
-+/*	is supposed that the underlying TCP connection is shut down
-+/*	immediately afterwards, so we don't care about additional data
-+/*	coming through the channel.
-+/*	If the failure flag is set, the session is cleared from the cache.
-+/*
-+/*	pfixtls_start_clienttls() and pfixtls_stop_clienttls() are the
-+/*	corresponding functions for smtp.
-+/*
-+/*	Once the TLS connection is initiated, information about the TLS
-+/*	state is available via the tls_info structure:
-+/*	protocol holds the protocol name (SSLv2, SSLv3, TLSv1),
-+/*	tls_info->cipher_name the cipher name (e.g. RC4/MD5),
-+/*	tls_info->cipher_usebits the number of bits actually used (e.g. 40),
-+/*	tls_info->cipher_algbits the number of bits the algorithm is based on
-+/*	(e.g. 128).
-+/*	The last two values may be different when talking to a crippled
-+/*	- ahem - export controled peer (e.g. 40/128).
-+/*
-+/*	The status of the peer certificate verification is available in
-+/*	pfixtls_peer_verified. It is set to 1, when the certificate could
-+/*	be verified.
-+/*	If the peer offered a certifcate, part of the certificate data are
-+/*	available as:
-+/*	tls_info->peer_subject X509v3-oneline with the DN of the peer
-+/*	tls_info->peer_CN extracted CommonName of the peer
-+/*	tls_info->peer_issuer  X509v3-oneline with the DN of the issuer
-+/*	tls_info->peer_CN extracted CommonName of the issuer
-+/*	tls_info->PEER_FINGERPRINT fingerprint of the certificate
-+/*
-+/* DESCRIPTION (SESSION CACHING)
-+/*	In order to achieve high performance when using a lot of connections
-+/*	with TLS, session caching is implemented. It reduces both the CPU load
-+/*	(less cryptograpic operations) and the network load (the amount of
-+/*	certificate data exchanged is reduced).
-+/*	Since postfix uses a setup of independent processes for receiving
-+/*	and sending email, the processes must exchange the session information.
-+/*	Several connections at the same time between the identical peers can
-+/*	occur, so uniqueness and race conditions have to be taken into
-+/*	account.
-+/*	I have checked both Apache-SSL (Ben Laurie), using a seperate "gcache"
-+/*	process and Apache mod_ssl (Ralf S. Engelshall), using shared memory
-+/*	between several identical processes spawned from one parent.
-+/*
-+/*	Postfix/TLS uses a database approach based on the internal "dict"
-+/*	interface. Since the session cache information is approximately
-+/*	1300 bytes binary data, it will not fit into the dbm/ndbm model.
-+/*	It also needs write access to the database, ruling out most other
-+/*	interface, leaving Berkeley DB, which however cannot handle concurrent
-+/*	access by several processes. Hence a modified SDBM (public domain DBM)
-+/*	with enhanced buffer size is used and concurrent write capability
-+/*	is used. SDBM is part of Postfix/TLS.
-+/*
-+/*	Realization:
-+/*	Both (client and server) session cache are realized by individual
-+/*	cache databases. A common database would not make sense, since the
-+/*	key criteria are different (session ID for server, peername for
-+/*	client).
-+/*
-+/*	Server side:
-+/*	Session created by OpenSSL have a 32 byte session id, yielding a
-+/*	64 char file name. I consider these sessions to be unique. If they
-+/*	are not, the last session will win, overwriting the older one in
-+/*	the database. Remember: everything that is lost is a temporary
-+/*	information and not more than a renegotiation will happen.
-+/*	Originating from the same client host, several sessions can come
-+/*	in (e.g. from several users sending mail with Netscape at the same
-+/*	time), so the session id is the correct identifier; the hostname
-+/*	is of no importance, here.
-+/*
-+/*	Client side:
-+/*	We cannot recall sessions based on their session id, because we would
-+/*	have to check every session on disk for a matching server name, so
-+/*	the lookup has to be done based on the FQDN of the peer (receiving
-+/*	host).
-+/*	With regard to uniqueness, we might experience several open connections
-+/*	to the same server at the same time. This is even very likely to
-+/*	happen, since we might have several mails for the same destination
-+/*	in the queue, when a queue run is started. So several smtp's might
-+/*	negotiate sessions at the same time. We can however only save one
-+/*	session for one host.
-+/*	Like on the server side, the "last write" wins. The reason is
-+/*	quite simple. If we don't want to overwrite old sessions, an old
-+/*	session file will just stay in place until it is expired. In the
-+/*	meantime we would lose "fresh" session however. So we will keep the
-+/*	fresh one instead to avoid unnecessary renegotiations.
-+/*
-+/*	Session lifetime:
-+/*	RFC2246 recommends a session lifetime of less than 24 hours. The
-+/*	default is 300 seconds (5 minutes) for OpenSSL and is also used
-+/*	this way in e.g. mod_ssl. The typical usage for emails might be
-+/*	humans typing in emails and sending them, which might take just
-+/*	a while, so I think 3600 seconds (1 hour) is a good compromise.
-+/*	If the environment is save (the cached session contains secret
-+/*	key data), one might even consider using a longer timeout. Anyway,
-+/*	since everlasting sessions must be avoided, the session timeout
-+/*	is done based on the creation date of the session and so each
-+/*	session will timeout eventually.
-+/*
-+/*	Connection failures:
-+/*	RFC2246 requires us to remove sessions if something went wrong.
-+/*	Since the in-memory session cache of other smtp[d] processes cannot
-+/*	be controlled by simple means, we completely rely on the disc
-+/*	based session caching and remove all sessions from memory after
-+/*	connection closure.
-+/*
-+/*	Cache cleanup:
-+/*	Since old entries have to be removed from the session cache, a
-+/*	cleanup process is needed that runs through the collected session
-+/*	files on regular basis. The task is performed by tlsmgr based on
-+/*	the timestamp created by pfixtls and included in the saved session,
-+/*	so that tlsmgr has not to care about the SSL_SESSION internal data.
-+/*
-+/* BUGS
-+/*	The memory allocation policy of the OpenSSL library is not well
-+/*	documented, especially when loading sessions from disc. Hence there
-+/*	might be memory leaks.
-+/*
-+/* LICENSE
-+/* AUTHOR(S)
-+/*	Lutz Jaenicke
-+/*	BTU Cottbus
-+/*	Allgemeine Elektrotechnik
-+/*	Universitaetsplatz 3-4
-+/*	D-03044 Cottbus, Germany
-+/*--*/
-+
-+/* System library. */
-+
-+#include <sys_defs.h>
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <sys/time.h>			/* gettimeofday, not in POSIX */
-+#include <unistd.h>
-+#include <stdio.h>
-+#include <string.h>
-+#include <errno.h>
-+#include <ctype.h>
-+
-+/* Utility library. */
-+
-+#include <iostuff.h>
-+#include <mymalloc.h>
-+#include <vstring.h>
-+#include <vstream.h>
-+#include <dict.h>
-+#include <myflock.h>
-+#include <stringops.h>
-+#include <msg.h>
-+#include <connect.h>
-+
-+/* Application-specific. */
-+
-+#include "mail_params.h"
-+#include "pfixtls.h"
-+
-+#define STR	vstring_str
-+
-+const tls_info_t tls_info_zero = {
-+    0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, 0
-+};
-+
-+#ifdef USE_SSL
-+
-+/* OpenSSL library. */
-+
-+#include <openssl/lhash.h>
-+#include <openssl/bn.h>
-+#include <openssl/err.h>
-+#include <openssl/pem.h>
-+#include <openssl/x509.h>
-+#include <openssl/x509v3.h>
-+#include <openssl/rand.h>
-+#include <openssl/ssl.h>
-+
-+/* We must keep some of the info available */
-+static const char hexcodes[] = "0123456789ABCDEF";
-+
-+/*
-+ * When saving sessions, we want to make sure, that the lenght of the key
-+ * is somehow limited. When saving client sessions, the hostname is used
-+ * as key. According to HP-UX 10.20, MAXHOSTNAMELEN=64. Maybe new standards
-+ * will increase this value, but as this will break compatiblity with existing
-+ * implementations, we won't see this for long. We therefore choose a limit
-+ * of 64 bytes.
-+ * The length of the (TLS) session id can be up to 32 bytes according to
-+ * RFC2246, so it fits well into the 64bytes limit.
-+ */
-+#define ID_MAXLENGTH	64		/* Max ID length in bytes */
-+
-+/*
-+ * The session_id_context is set, such that the client knows which services
-+ * on a host share the same session information (on the postfix host may
-+ * as well run a TLS-enabled webserver.
-+ */
-+static char server_session_id_context[] = "Postfix/TLS"; /* anything will do */
-+static int TLScontext_index = -1;
-+static int TLSpeername_index = -1;
-+static int do_dump = 0;
-+static DH *dh_512 = NULL, *dh_1024 = NULL;
-+static SSL_CTX *ctx = NULL;
-+
-+static int rand_exch_fd = -1;
-+
-+static DICT *scache_db = NULL;
-+const long scache_db_version = 0x00000003L;
-+const long openssl_version = OPENSSL_VERSION_NUMBER;
-+
-+
-+int     pfixtls_serverengine = 0;
-+static int pfixtls_serveractive = 0;	/* available or not */
-+
-+int     pfixtls_clientengine = 0;
-+static int pfixtls_clientactive = 0;	/* available or not */
-+
-+/*
-+ * Define a maxlength for certificate onelines. The length is checked by
-+ * all routines when copying.
-+ */
-+#define CCERT_BUFSIZ 256
-+
-+typedef struct {
-+  SSL *con;
-+  BIO *internal_bio;			/* postfix/TLS side of pair */
-+  BIO *network_bio;			/* netsork side of pair */
-+  char peer_subject[CCERT_BUFSIZ];
-+  char peer_issuer[CCERT_BUFSIZ];
-+  char peer_CN[CCERT_BUFSIZ];
-+  char issuer_CN[CCERT_BUFSIZ];
-+  unsigned char md[EVP_MAX_MD_SIZE];
-+  char fingerprint[EVP_MAX_MD_SIZE * 3];
-+  char peername_save[129];
-+  int enforce_verify_errors;
-+  int enforce_CN;
-+  int hostname_matched;
-+} TLScontext_t;
-+
-+typedef struct {
-+    int pid;
-+    struct timeval tv;
-+} randseed_t;
-+
-+static randseed_t randseed;
-+
-+/*
-+ * Finally some "backup" DH-Parameters to be loaded, if no parameters are
-+ * explicitely loaded from file.
-+ */
-+static unsigned char dh512_p[] = {
-+    0x88, 0x3F, 0x00, 0xAF, 0xFC, 0x0C, 0x8A, 0xB8, 0x35, 0xCD, 0xE5, 0xC2,
-+    0x0F, 0x55, 0xDF, 0x06, 0x3F, 0x16, 0x07, 0xBF, 0xCE, 0x13, 0x35, 0xE4,
-+    0x1C, 0x1E, 0x03, 0xF3, 0xAB, 0x17, 0xF6, 0x63, 0x50, 0x63, 0x67, 0x3E,
-+    0x10, 0xD7, 0x3E, 0xB4, 0xEB, 0x46, 0x8C, 0x40, 0x50, 0xE6, 0x91, 0xA5,
-+    0x6E, 0x01, 0x45, 0xDE, 0xC9, 0xB1, 0x1F, 0x64, 0x54, 0xFA, 0xD9, 0xAB,
-+    0x4F, 0x70, 0xBA, 0x5B,
-+};
-+
-+static unsigned char dh512_g[] = {
-+    0x02,
-+};
-+
-+static unsigned char dh1024_p[] = {
-+    0xB0, 0xFE, 0xB4, 0xCF, 0xD4, 0x55, 0x07, 0xE7, 0xCC, 0x88, 0x59, 0x0D,
-+    0x17, 0x26, 0xC5, 0x0C, 0xA5, 0x4A, 0x92, 0x23, 0x81, 0x78, 0xDA, 0x88,
-+    0xAA, 0x4C, 0x13, 0x06, 0xBF, 0x5D, 0x2F, 0x9E, 0xBC, 0x96, 0xB8, 0x51,
-+    0x00, 0x9D, 0x0C, 0x0D, 0x75, 0xAD, 0xFD, 0x3B, 0xB1, 0x7E, 0x71, 0x4F,
-+    0x3F, 0x91, 0x54, 0x14, 0x44, 0xB8, 0x30, 0x25, 0x1C, 0xEB, 0xDF, 0x72,
-+    0x9C, 0x4C, 0xF1, 0x89, 0x0D, 0x68, 0x3F, 0x94, 0x8E, 0xA4, 0xFB, 0x76,
-+    0x89, 0x18, 0xB2, 0x91, 0x16, 0x90, 0x01, 0x99, 0x66, 0x8C, 0x53, 0x81,
-+    0x4E, 0x27, 0x3D, 0x99, 0xE7, 0x5A, 0x7A, 0xAF, 0xD5, 0xEC, 0xE2, 0x7E,
-+    0xFA, 0xED, 0x01, 0x18, 0xC2, 0x78, 0x25, 0x59, 0x06, 0x5C, 0x39, 0xF6,
-+    0xCD, 0x49, 0x54, 0xAF, 0xC1, 0xB1, 0xEA, 0x4A, 0xF9, 0x53, 0xD0, 0xDF,
-+    0x6D, 0xAF, 0xD4, 0x93, 0xE7, 0xBA, 0xAE, 0x9B,
-+};
-+
-+static unsigned char dh1024_g[] = {
-+    0x02,
-+};
-+
-+/*
-+ * DESCRIPTION: Keeping control of the network interface using BIO-pairs.
-+ *
-+ * When the TLS layer is active, all input/output must be filtered through
-+ * it. On the other hand to handle timeout conditions, full control over
-+ * the network socket must be kept. This rules out the "normal way" of
-+ * connecting the TLS layer directly to the socket.
-+ * The TLS layer is realized with a BIO-pair:
-+ *
-+ *     postfix  |   TLS-engine
-+ *       |      |
-+ *       +--------> SSL_operations()
-+ *              |     /\    ||
-+ *              |     ||    \/
-+ *              |   BIO-pair (internal_bio)
-+ *       +--------< BIO-pair (network_bio)
-+ *       |      |
-+ *     socket   |
-+ *
-+ * The normal postfix operations connect to the SSL operations to send
-+ * and retrieve (cleartext) data. Inside the TLS-engine the data are converted
-+ * to/from TLS protocol. The TLS functionality itself is only connected to
-+ * the internal_bio and hence only has status information about this internal
-+ * interface.
-+ * Thus, if the SSL_operations() return successfully (SSL_ERROR_NONE) or want
-+ * to read (SSL_ERROR_WANT_READ) there may as well be data inside the buffering
-+ * BIO-pair. So whenever an SSL_operation() returns without a fatal error,
-+ * the BIO-pair internal buffer must be flushed to the network.
-+ * NOTE: This is especially true in the SSL_ERROR_WANT_READ case: the TLS-layer
-+ * might want to read handshake data, that will never come since its own
-+ * written data will only reach the peer after flushing the buffer!
-+ *
-+ * The BIO-pair buffer size has been set to 8192 bytes, this is an arbitrary
-+ * value that can hold more data than the typical PMTU, so that it does
-+ * not force the generation of packets smaller than necessary.
-+ * It is also larger than the default VSTREAM_BUFSIZE (4096, see vstream.h),
-+ * so that large write operations could be handled within one call.
-+ * The internal buffer in the network/network_bio handling layer has been
-+ * set to the same value, since this seems to be reasonable. The code is
-+ * however able to handle arbitrary values smaller or larger than the
-+ * buffer size in the BIO-pair.
-+ */
-+
-+const size_t BIO_bufsiz = 8192;
-+
-+/*
-+ * The interface layer between network and BIO-pair. The BIO-pair buffers
-+ * the data to/from the TLS layer. Hence, at any time, there may be data
-+ * in the buffer that must be written to the network. This writing has
-+ * highest priority because the handshake might fail otherwise.
-+ * Only then a read_request can be satisfied.
-+ */
-+static int network_biopair_interop(int fd, int timeout, BIO *network_bio)
-+{
-+    int want_write;
-+    int num_write;
-+    int write_pos;
-+    int from_bio;
-+    int want_read;
-+    int num_read;
-+    int to_bio;
-+#define NETLAYER_BUFFERSIZE 8192
-+    char buffer[8192];
-+
-+    while ((want_write = BIO_ctrl_pending(network_bio)) > 0) {
-+	if (want_write > NETLAYER_BUFFERSIZE)
-+	    want_write = NETLAYER_BUFFERSIZE;
-+	from_bio = BIO_read(network_bio, buffer, want_write);
-+
-+	/*
-+	 * Write the complete contents of the buffer. Since TLS performs
-+	 * underlying handshaking, we cannot afford to leave the buffer
-+	 * unflushed, as we could run into a deadlock trap (the peer
-+	 * waiting for a final byte and we already waiting for his reply
-+	 * in read position).
-+	 */
-+        write_pos = 0;
-+	do {
-+	    if (timeout > 0 && write_wait(fd, timeout) < 0)
-+		return (-1);
-+	    num_write = write(fd, buffer + write_pos, from_bio - write_pos);
-+	    if (num_write <= 0) {
-+		if ((num_write < 0) && (timeout > 0) && (errno == EAGAIN)) {
-+		    msg_warn("write() returns EAGAIN on a writable file descriptor!");
-+		    msg_warn("pausing to avoid going into a tight select/write loop!");
-+		    sleep(1);
-+		} else {
-+		    msg_warn("Write failed in network_biopair_interop with errno=%d: num_write=%d, provided=%d", errno, num_write, from_bio - write_pos);
-+		    return (-1);	/* something happened to the socket */
-+		}
-+	    } else
-+	    	write_pos += num_write;
-+	} while (write_pos < from_bio);
-+   }
-+
-+   while ((want_read = BIO_ctrl_get_read_request(network_bio)) > 0) {
-+	if (want_read > NETLAYER_BUFFERSIZE)
-+	    want_read = NETLAYER_BUFFERSIZE;
-+	if (timeout > 0 && read_wait(fd, timeout) < 0)
-+	    return (-1);
-+	num_read = read(fd, buffer, want_read);
-+	if (num_read <= 0) {
-+	    if ((num_write < 0) && (timeout > 0) && (errno == EAGAIN)) {
-+		msg_warn("read() returns EAGAIN on a readable file descriptor!");
-+		msg_warn("pausing to avoid going into a tight select/write loop!");
-+		sleep(1);
-+	    } else {
-+		msg_warn("Read failed in network_biopair_interop with errno=%d: num_read=%d, want_read=%d", errno, num_read, want_read);
-+		return (-1);	/* something happened to the socket */
-+	    }
-+	} else {
-+	    to_bio = BIO_write(network_bio, buffer, num_read);
-+	    if (to_bio != num_read)
-+		msg_fatal("to_bio != num_read");
-+	}
-+    }
-+
-+    return (0);
-+}
-+
-+static void pfixtls_print_errors(void);
-+
-+ /*
-+  * Function to perform the handshake for SSL_accept(), SSL_connect(),
-+  * and SSL_shutdown() and perform the SSL_read(), SSL_write() operations.
-+  * Call the underlying network_biopair_interop-layer to make sure the
-+  * write buffer is flushed after every operation (that did not fail with
-+  * a fatal error).
-+  */
-+static int do_tls_operation(int fd, int timeout, TLScontext_t *TLScontext,
-+			int (*hsfunc)(SSL *),
-+			int (*rfunc)(SSL *, void *, int),
-+			int (*wfunc)(SSL *, const void *, int),
-+			char *buf, int num)
-+{
-+    int status;
-+    int err;
-+    int retval = 0;
-+    int biop_retval;
-+    int done = 0;
-+
-+    while (!done) {
-+	if (hsfunc)
-+	    status = hsfunc(TLScontext->con);
-+	else if (rfunc)
-+	    status = rfunc(TLScontext->con, buf, num);
-+	else
-+	    status = wfunc(TLScontext->con, (const char *)buf, num);
-+	err = SSL_get_error(TLScontext->con, status);
-+
-+#if (OPENSSL_VERSION_NUMBER <= 0x0090581fL)
-+	/*
-+	 * There is a bug up to and including OpenSSL-0.9.5a: if an error
-+	 * occurs while checking the peers certificate due to some certificate
-+	 * error (e.g. as happend with a RSA-padding error), the error is put
-+	 * onto the error stack. If verification is not enforced, this error
-+	 * should be ignored, but the error-queue is not cleared, so we
-+	 * can find this error here. The bug has been fixed on May 28, 2000.
-+	 *
-+	 * This bug so far has only manifested as
-+	 * 4800:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
-+	 * 4800:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:396:
-+	 * 4800:error:0D079006:asn1 encoding routines:ASN1_verify:bad get asn1 object call:a_verify.c:109:
-+	 * so that we specifically test for this error. We print the errors
-+	 * to the logfile and automatically clear the error queue. Then we
-+	 * retry to get another error code. We cannot do better, since we
-+	 * can only retrieve the last entry of the error-queue without
-+	 * actually cleaning it on the way.
-+	 *
-+	 * This workaround is secure, as verify_result is set to "failed"
-+	 * anyway.
-+	 */
-+	if (err == SSL_ERROR_SSL) {
-+	    if (ERR_peek_error() == 0x0407006AL) {
-+		pfixtls_print_errors();	/* Keep information for the logfile */
-+		msg_info("OpenSSL <= 0.9.5a workaround called: certificate errors ignored");
-+		err = SSL_get_error(TLScontext->con, status);
-+	    }
-+	}
-+#endif
-+
-+	switch (err) {
-+	case SSL_ERROR_NONE:		/* success */
-+	    retval = status;
-+	    done = 1;			/* no break, flush buffer before */
-+					/* leaving */
-+	case SSL_ERROR_WANT_WRITE:
-+	case SSL_ERROR_WANT_READ:
-+	    biop_retval = network_biopair_interop(fd, timeout,
-+		TLScontext->network_bio);
-+	    if (biop_retval < 0)
-+		return (-1);		/* fatal network error */
-+	    break;
-+	case SSL_ERROR_ZERO_RETURN:	/* connection was closed cleanly */
-+	case SSL_ERROR_SYSCALL:		
-+	case SSL_ERROR_SSL:
-+	default:
-+	    retval = status;
-+	    done = 1;
-+	    ;
-+	}
-+    };
-+    return retval;
-+}
-+
-+int pfixtls_timed_read(int fd, void *buf, unsigned buf_len, int timeout, 
-+		       void *context)
-+{
-+    int     i;
-+    int     ret;
-+    char    mybuf[40];
-+    char   *mybuf2;
-+    TLScontext_t *TLScontext;
-+
-+    TLScontext = (TLScontext_t *)context;
-+    if (!TLScontext)
-+      msg_fatal("Called tls_timed_read() without TLS-context");
-+ 
-+    ret = do_tls_operation(fd, timeout, TLScontext, NULL, SSL_read, NULL,
-+			  (char *)buf, buf_len);
-+    if ((pfixtls_serveractive && var_smtpd_tls_loglevel >= 4) ||
-+        (pfixtls_clientactive && var_smtp_tls_loglevel >= 4)) {
-+	mybuf2 = (char *) buf;
-+	if (ret > 0) {
-+	    i = 0;
-+	    while ((i < 39) && (i < ret) && (mybuf2[i] != 0)) {
-+		mybuf[i] = mybuf2[i];
-+		i++;
-+	    }
-+	    mybuf[i] = '\0';
-+	    msg_info("Read %d chars: %s", ret, mybuf);
-+	}
-+    }
-+    return (ret);
-+}
-+
-+int pfixtls_timed_write(int fd, void *buf, unsigned len, int timeout,
-+			void *context)
-+{
-+    int     i;
-+    char    mybuf[40];
-+    char   *mybuf2;
-+    TLScontext_t *TLScontext;
-+
-+    TLScontext = (TLScontext_t *)context;
-+    if (!TLScontext)
-+      msg_fatal("Called tls_timed_write() without TLS-context");
-+
-+    if ((pfixtls_serveractive && var_smtpd_tls_loglevel >= 4) ||
-+	(pfixtls_clientactive && var_smtp_tls_loglevel >= 4)) {
-+	mybuf2 = (char *) buf;
-+	if (len > 0) {
-+	    i = 0;
-+	    while ((i < 39) && (i < len) && (mybuf2[i] != 0)) {
-+		mybuf[i] = mybuf2[i];
-+		i++;
-+	    }
-+	    mybuf[i] = '\0';
-+	    msg_info("Write %d chars: %s", len, mybuf);
-+	}
-+    }
-+    return (do_tls_operation(fd, timeout, TLScontext, NULL, NULL, SSL_write,
-+			     buf, len));
-+}
-+
-+/* Add some more entropy to the pool by adding the actual time */
-+
-+static void pfixtls_stir_seed(void)
-+{
-+    GETTIMEOFDAY(&randseed.tv);
-+    RAND_seed(&randseed, sizeof(randseed_t));
-+}
-+
-+/*
-+ * Skeleton taken from OpenSSL crypto/err/err_prn.c.
-+ * Query the error stack and print the error string into the logging facility.
-+ * Clear the error stack on the way.
-+ */
-+
-+static void pfixtls_print_errors(void)
-+{
-+    unsigned long l;
-+    char    buf[256];
-+    const char   *file;
-+    const char   *data;
-+    int     line;
-+    int     flags;
-+    unsigned long es;
-+
-+    es = CRYPTO_thread_id();
-+    while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) {
-+	if (flags & ERR_TXT_STRING)
-+	    msg_info("%lu:%s:%s:%d:%s:", es, ERR_error_string(l, buf),
-+		     file, line, data);
-+	else
-+	    msg_info("%lu:%s:%s:%d:", es, ERR_error_string(l, buf),
-+		     file, line);
-+    }
-+}
-+
-+ /*
-+  * Set up the cert things on the server side. We do need both the
-+  * private key (in key_file) and the cert (in cert_file).
-+  * Both files may be identical.
-+  *
-+  * This function is taken from OpenSSL apps/s_cb.c
-+  */
-+
-+static int set_cert_stuff(SSL_CTX * ctx, char *cert_file, char *key_file)
-+{
-+    if (cert_file != NULL) {
-+	if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0) {
-+	    msg_info("unable to get certificate from '%s'", cert_file);
-+	    pfixtls_print_errors();
-+	    return (0);
-+	}
-+	if (key_file == NULL)
-+	    key_file = cert_file;
-+	if (SSL_CTX_use_PrivateKey_file(ctx, key_file,
-+					SSL_FILETYPE_PEM) <= 0) {
-+	    msg_info("unable to get private key from '%s'", key_file);
-+	    pfixtls_print_errors();
-+	    return (0);
-+	}
-+	/* Now we know that a key and cert have been set against
-+         * the SSL context */
-+	if (!SSL_CTX_check_private_key(ctx)) {
-+	    msg_info("Private key does not match the certificate public key");
-+	    return (0);
-+	}
-+    }
-+    return (1);
-+}
-+
-+/* taken from OpenSSL apps/s_cb.c */
-+
-+static RSA *tmp_rsa_cb(SSL * s, int export, int keylength)
-+{
-+    static RSA *rsa_tmp = NULL;
-+
-+    if (rsa_tmp == NULL) {
-+	rsa_tmp = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
-+    }
-+    return (rsa_tmp);
-+}
-+
-+
-+static DH *get_dh512(void)
-+{
-+    DH *dh;
-+
-+    if (dh_512 == NULL) {
-+	/* No parameter file loaded, use the compiled in parameters */
-+	if ((dh = DH_new()) == NULL) return(NULL);
-+	dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
-+	dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
-+	if ((dh->p == NULL) || (dh->g == NULL))
-+	    return(NULL);
-+	else
-+	    dh_512 = dh;
-+    }
-+    return (dh_512);
-+}
-+
-+static DH *get_dh1024(void)
-+{
-+    DH *dh;
-+
-+    if (dh_1024 == NULL) {
-+	/* No parameter file loaded, use the compiled in parameters */
-+	if ((dh = DH_new()) == NULL) return(NULL);
-+	dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
-+	dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
-+	if ((dh->p == NULL) || (dh->g == NULL))
-+	    return(NULL);
-+	else
-+	    dh_1024 = dh;
-+    }
-+    return (dh_1024);
-+}
-+
-+/* partly inspired by mod_ssl */
-+
-+static DH *tmp_dh_cb(SSL *s, int export, int keylength)
-+{
-+    DH *dh_tmp = NULL;
-+   
-+    if (export) {
-+	if (keylength == 512)
-+	    dh_tmp = get_dh512();	/* export cipher */
-+	else if (keylength == 1024)
-+	    dh_tmp = get_dh1024();	/* normal */
-+	else
-+	    dh_tmp = get_dh1024();	/* not on-the-fly (too expensive) */
-+					/* so use the 1024bit instead */
-+    }
-+    else {
-+	dh_tmp = get_dh1024();		/* sign-only certificate */
-+    }
-+    return (dh_tmp);
-+}
-+
-+
-+/*
-+ * match_hostname: match name provided in "buf" against the expected
-+ * hostname. Comparison is case-insensitive, wildcard certificates are
-+ * supported.
-+ * "buf" may be come from some OpenSSL data structures, so we copy before
-+ * modifying.
-+ */
-+static int match_hostname(const char *buf, TLScontext_t *TLScontext)
-+{
-+    char   *hostname_lowercase;
-+    char   *peername_left;
-+    int hostname_matched = 0;
-+    int buf_len;
-+
-+    buf_len = strlen(buf);
-+    if (!(hostname_lowercase = (char *)mymalloc(buf_len + 1)))
-+	return 0;
-+    memcpy(hostname_lowercase, buf, buf_len + 1);
-+
-+    hostname_lowercase = lowercase(hostname_lowercase);
-+    if (!strcmp(TLScontext->peername_save, hostname_lowercase)) {
-+        hostname_matched = 1;
-+    } else { 
-+        if ((buf_len > 2) &&
-+            (hostname_lowercase[0] == '*') && (hostname_lowercase[1] == '.')) {
-+            /*
-+             * Allow wildcard certificate matching. The proposed rules in  
-+             * RFCs (2818: HTTP/TLS, 2830: LDAP/TLS) are different, RFC2874
-+             * does not specify a rule, so here the strict rule is applied.
-+             * An asterisk '*' is allowed as the leftmost component and may
-+             * replace the left most part of the hostname. Matching is done
-+             * by removing '*.' from the wildcard name and the Name. from
-+             * the peername and compare what is left.
-+             */
-+            peername_left = strchr(TLScontext->peername_save, '.');
-+            if (peername_left) {
-+                if (!strcmp(peername_left + 1, hostname_lowercase + 2))
-+                    hostname_matched = 1;
-+            }
-+        }
-+    }
-+    myfree(hostname_lowercase);
-+    return hostname_matched;
-+}
-+                                       
-+/*
-+ * Skeleton taken from OpenSSL apps/s_cb.c
-+ *
-+ * The verify_callback is called several times (directly or indirectly) from
-+ * crypto/x509/x509_vfy.c. It is called as a last check for several issues,
-+ * so this verify_callback() has the famous "last word". If it does return "0",
-+ * the handshake is immediately shut down and the connection fails.
-+ *
-+ * Postfix/TLS has two modes, the "use" mode and the "enforce" mode:
-+ *
-+ * In the "use" mode we never want the connection to fail just because there is
-+ * something wrong with the certificate (as we would have sent happily without
-+ * TLS).  Therefore the return value is always "1".
-+ *
-+ * In the "enforce" mode we can shut down the connection as soon as possible.
-+ * In server mode TLS itself may be enforced (e.g. to protect passwords),
-+ * but certificates are optional. In this case the handshake must not fail
-+ * if we are unhappy with the certificate and return "1" in any case.
-+ * Only if a certificate is required the certificate must pass the verification
-+ * and failure to do so will result in immediate termination (return 0).
-+ * In the client mode the decision is made with respect to the peername
-+ * enforcement. If we strictly enforce the matching of the expected peername
-+ * the verification must fail immediatly on verification errors. We can also
-+ * immediatly check the expected peername, as it is the CommonName at level 0.
-+ * In all other cases, the problem is logged, so the SSL_get_verify_result()
-+ * will inform about the verification failure, but the handshake (and SMTP
-+ * connection will continue).
-+ *
-+ * The only error condition not handled inside the OpenSSL-Library is the
-+ * case of a too-long certificate chain, so we check inside verify_callback().
-+ * We only take care of this problem, if "ok = 1", because otherwise the
-+ * verification already failed because of another problem and we don't want
-+ * to overwrite the other error message. And if the verification failed,
-+ * there is no such thing as "more failed", "most failed"... :-)
-+ */
-+
-+static int verify_callback(int ok, X509_STORE_CTX * ctx)
-+{
-+    char    buf[256];
-+    char   *peername_left;
-+    X509   *err_cert;
-+    int     err;
-+    int     depth;
-+    int     verify_depth;
-+    SSL    *con;
-+    TLScontext_t *TLScontext;
-+
-+    err_cert = X509_STORE_CTX_get_current_cert(ctx);
-+    err = X509_STORE_CTX_get_error(ctx);
-+    depth = X509_STORE_CTX_get_error_depth(ctx);
-+
-+    con = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
-+    TLScontext = SSL_get_ex_data(con, TLScontext_index);
-+
-+    X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
-+    if (((pfixtls_serverengine) && (var_smtpd_tls_loglevel >= 2)) ||
-+	((pfixtls_clientengine) && (var_smtp_tls_loglevel >= 2)))
-+	msg_info("Peer cert verify depth=%d %s", depth, buf);
-+
-+    verify_depth = SSL_get_verify_depth(con);
-+    if (ok && (verify_depth >= 0) && (depth > verify_depth)) {
-+	ok = 0;
-+	err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
-+	X509_STORE_CTX_set_error(ctx, err);
-+    }
-+    if (!ok) {
-+	msg_info("verify error:num=%d:%s", err,
-+		 X509_verify_cert_error_string(err));
-+    }
-+
-+    if (ok && (depth == 0) && pfixtls_clientengine) {
-+	int i, r;
-+        int hostname_matched;
-+	int dNSName_found;
-+	STACK_OF(GENERAL_NAME) *gens;
-+
-+	/*
-+	 * Check out the name certified against the hostname expected.
-+	 * In case it does not match, print an information about the result.
-+	 * If a matching is enforced, bump out with a verification error
-+	 * immediately.
-+	 * Standards are not always clear with respect to the handling of
-+	 * dNSNames. RFC3207 does not specify the handling. We therefore follow
-+	 * the strict rules in RFC2818 (HTTP over TLS), Section 3.1:
-+	 * The Subject Alternative Name/dNSName has precedence over CommonName
-+	 * (CN). If dNSName entries are provided, CN is not checked anymore.
-+	 */
-+	hostname_matched = dNSName_found = 0;
-+
-+        gens = X509_get_ext_d2i(err_cert, NID_subject_alt_name, 0, 0);
-+        if (gens) {
-+            for (i = 0, r = sk_GENERAL_NAME_num(gens); i < r; ++i) {
-+                const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
-+                if (gn->type == GEN_DNS) {
-+		    dNSName_found++;
-+                    if ((hostname_matched =
-+			match_hostname((char *)gn->d.ia5->data, TLScontext)))
-+			break;
-+                }
-+            }
-+	    sk_GENERAL_NAME_free(gens);
-+        }
-+	if (dNSName_found) {
-+	    if (!hostname_matched)
-+		msg_info("Peer verification: %d dNSNames in certificate found, but no one does match %s", dNSName_found, TLScontext->peername_save);
-+	} else {
-+	    buf[0] = '\0';
-+	    if (!X509_NAME_get_text_by_NID(X509_get_subject_name(err_cert),
-+                          NID_commonName, buf, 256)) {
-+	        msg_info("Could not parse server's subject CN");
-+	        pfixtls_print_errors();
-+	    }
-+	    else {
-+	        hostname_matched = match_hostname(buf, TLScontext);
-+	        if (!hostname_matched)
-+		    msg_info("Peer verification: CommonName in certificate does not match: %s != %s", buf, TLScontext->peername_save);
-+	    }
-+	}
-+
-+	if (!hostname_matched) {
-+	    if (TLScontext->enforce_verify_errors && TLScontext->enforce_CN) {
-+		err = X509_V_ERR_CERT_REJECTED;
-+		X509_STORE_CTX_set_error(ctx, err);
-+		msg_info("Verify failure: Hostname mismatch");
-+		ok = 0;
-+	    }
-+	}
-+	else
-+	    TLScontext->hostname_matched = 1;
-+    }
-+
-+    switch (ctx->error) {
-+    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
-+	X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
-+	msg_info("issuer= %s", buf);
-+	break;
-+    case X509_V_ERR_CERT_NOT_YET_VALID:
-+    case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
-+	msg_info("cert not yet valid");
-+	break;
-+    case X509_V_ERR_CERT_HAS_EXPIRED:
-+    case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
-+	msg_info("cert has expired");
-+	break;
-+    }
-+    if (((pfixtls_serverengine) && (var_smtpd_tls_loglevel >= 2)) ||
-+	((pfixtls_clientengine) && (var_smtp_tls_loglevel >= 2)))
-+	msg_info("verify return:%d", ok);
-+
-+    if (TLScontext->enforce_verify_errors)
-+	return (ok); 
-+    else
-+	return (1);
-+}
-+
-+/* taken from OpenSSL apps/s_cb.c */
-+
-+static void apps_ssl_info_callback(const SSL * s, int where, int ret)
-+{
-+    char   *str;
-+    int     w;
-+
-+    w = where & ~SSL_ST_MASK;
-+
-+    if (w & SSL_ST_CONNECT)
-+	str = "SSL_connect";
-+    else if (w & SSL_ST_ACCEPT)
-+	str = "SSL_accept";
-+    else
-+	str = "undefined";
-+
-+    if (where & SSL_CB_LOOP) {
-+	    msg_info("%s:%s", str, SSL_state_string_long(s));
-+    } else if (where & SSL_CB_ALERT) {
-+	str = (where & SSL_CB_READ) ? "read" : "write";
-+	if ((ret & 0xff) != SSL3_AD_CLOSE_NOTIFY)
-+	msg_info("SSL3 alert %s:%s:%s", str,
-+		 SSL_alert_type_string_long(ret),
-+		 SSL_alert_desc_string_long(ret));
-+    } else if (where & SSL_CB_EXIT) {
-+	if (ret == 0)
-+	    msg_info("%s:failed in %s",
-+		     str, SSL_state_string_long(s));
-+	else if (ret < 0) {
-+	    msg_info("%s:error in %s",
-+		     str, SSL_state_string_long(s));
-+	}
-+    }
-+}
-+
-+/*
-+ * taken from OpenSSL crypto/bio/b_dump.c, modified to save a lot of strcpy
-+ * and strcat by Matti Aarnio.
-+ */
-+
-+#define TRUNCATE
-+#define DUMP_WIDTH	16
-+
-+static int pfixtls_dump(const char *s, int len)
-+{
-+    int     ret = 0;
-+    char    buf[160 + 1];
-+    char    *ss;
-+    int     i;
-+    int     j;
-+    int     rows;
-+    int     trunc;
-+    unsigned char ch;
-+
-+    trunc = 0;
-+
-+#ifdef TRUNCATE
-+    for (; (len > 0) && ((s[len - 1] == ' ') || (s[len - 1] == '\0')); len--)
-+	trunc++;
-+#endif
-+
-+    rows = (len / DUMP_WIDTH);
-+    if ((rows * DUMP_WIDTH) < len)
-+	rows++;
-+
-+    for (i = 0; i < rows; i++) {
-+	buf[0] = '\0';				/* start with empty string */
-+	ss = buf;
-+
-+	sprintf(ss, "%04x ", i * DUMP_WIDTH);
-+	ss += strlen(ss);
-+	for (j = 0; j < DUMP_WIDTH; j++) {
-+	    if (((i * DUMP_WIDTH) + j) >= len) {
-+		strcpy(ss, "   ");
-+	    } else {
-+		ch = ((unsigned char) *((char *) (s) + i * DUMP_WIDTH + j))
-+		    & 0xff;
-+		sprintf(ss, "%02x%c", ch, j == 7 ? '|' : ' ');
-+		ss += 3;
-+	    }
-+	}
-+	ss += strlen(ss);
-+	*ss++ = ' ';
-+	for (j = 0; j < DUMP_WIDTH; j++) {
-+	    if (((i * DUMP_WIDTH) + j) >= len)
-+		break;
-+	    ch = ((unsigned char) *((char *) (s) + i * DUMP_WIDTH + j)) & 0xff;
-+	    *ss++ = (((ch >= ' ') && (ch <= '~')) ? ch : '.');
-+	    if (j == 7) *ss++ = ' ';
-+	}
-+	*ss = 0;
-+	/* 
-+	 * if this is the last call then update the ddt_dump thing so that
-+         * we will move the selection point in the debug window
-+         */
-+	msg_info("%s", buf);
-+	ret += strlen(buf);
-+    }
-+#ifdef TRUNCATE
-+    if (trunc > 0) {
-+	sprintf(buf, "%04x - <SPACES/NULS>\n", len + trunc);
-+	msg_info("%s", buf);
-+	ret += strlen(buf);
-+    }
-+#endif
-+    return (ret);
-+}
-+
-+
-+
-+/* taken from OpenSSL apps/s_cb.c */
-+
-+static long bio_dump_cb(BIO * bio, int cmd, const char *argp, int argi,
-+			long argl, long ret)
-+{
-+    if (!do_dump)
-+	return (ret);
-+
-+    if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) {
-+	msg_info("read from %08lX [%08lX] (%d bytes => %ld (0x%lX))",
-+		 (unsigned long)bio, (unsigned long)argp, argi,
-+		 ret, (unsigned long)ret);
-+	pfixtls_dump(argp, (int) ret);
-+	return (ret);
-+    } else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) {
-+	msg_info("write to %08lX [%08lX] (%d bytes => %ld (0x%lX))",
-+		 (unsigned long)bio, (unsigned long)argp, argi,
-+	 	 ret, (unsigned long)ret);
-+	pfixtls_dump(argp, (int) ret);
-+    }
-+    return (ret);
-+}
-+
-+
-+ /*
-+  * Callback to retrieve a session from the external session cache.
-+  */
-+static SSL_SESSION *get_session_cb(SSL *ssl, unsigned char *SessionID,
-+				  int length, int *copy)
-+{
-+    SSL_SESSION *session;
-+    char idstring[2 * ID_MAXLENGTH + 1];
-+    int n;
-+    int uselength;
-+    int hex_length;
-+    const char *session_hex;
-+    pfixtls_scache_info_t scache_info;
-+    unsigned char nibble, *data, *sess_data;
-+
-+    if (length > ID_MAXLENGTH)
-+	uselength = ID_MAXLENGTH;	/* Limit length of ID */
-+    else
-+	uselength = length;
-+
-+    for(n=0 ; n < uselength ; n++)
-+	sprintf(idstring + 2 * n, "%02x", SessionID[n]);
-+    if (var_smtpd_tls_loglevel >= 3)
-+	msg_info("Trying to reload Session from disc: %s", idstring);
-+
-+    session = NULL;
-+
-+    session_hex = dict_get(scache_db, idstring);
-+    if (session_hex) {
-+	hex_length = strlen(session_hex);
-+	data = (unsigned char *)mymalloc(hex_length / 2);
-+	if (!data) {
-+	    msg_info("could not allocate memory for session reload");
-+	    return(NULL);
-+	}
-+
-+	memset(data, 0, hex_length / 2);
-+	for (n = 0; n < hex_length; n++) {
-+	    if ((session_hex[n] >= '0') && (session_hex[n] <= '9'))
-+		nibble = session_hex[n] - '0';
-+	    else
-+		nibble = session_hex[n] - 'A' + 10;
-+	    if (n % 2)
-+		data[n / 2] |= nibble;
-+	    else
-+		data[n / 2] |= (nibble << 4);
-+	}
-+
-+	/*
-+	 * First check the version numbers, since wrong session data might
-+	 * hit us hard (SEGFAULT). We also have to check for expiry.
-+	 */
-+	memcpy(&scache_info, data, sizeof(pfixtls_scache_info_t));
-+	if ((scache_info.scache_db_version != scache_db_version) ||
-+	    (scache_info.openssl_version != openssl_version) ||
-+	    (scache_info.timestamp + var_smtpd_tls_scache_timeout < time(NULL)))
-+	    dict_del(scache_db, idstring);
-+	else {
-+	    sess_data = data + sizeof(pfixtls_scache_info_t);
-+	    session = d2i_SSL_SESSION(NULL, &sess_data,
-+			      hex_length / 2 - sizeof(pfixtls_scache_info_t));
-+	    if (!session)
-+		pfixtls_print_errors();
-+	}
-+	myfree((char *)data);
-+    }
-+
-+    if (session && (var_smtpd_tls_loglevel >= 3))
-+	msg_info("Successfully reloaded session from disc");
-+
-+    return (session);
-+}
-+
-+
-+static SSL_SESSION *load_clnt_session(const char *hostname,
-+				      int enforce_peername)
-+{
-+    SSL_SESSION *session = NULL;
-+    char idstring[ID_MAXLENGTH + 1];
-+    int n;
-+    int uselength;
-+    int length;
-+    int hex_length;
-+    const char *session_hex;
-+    pfixtls_scache_info_t scache_info;
-+    unsigned char nibble, *data, *sess_data;
-+
-+    length = strlen(hostname); 
-+    if (length > ID_MAXLENGTH)
-+	uselength = ID_MAXLENGTH;	/* Limit length of ID */
-+    else
-+	uselength = length;
-+
-+    for(n=0 ; n < uselength ; n++)
-+	idstring[n] = tolower(hostname[n]);
-+    idstring[uselength] = '\0';
-+    if (var_smtp_tls_loglevel >= 3)
-+	msg_info("Trying to reload Session from disc: %s", idstring);
-+
-+    session_hex = dict_get(scache_db, idstring);
-+    if (session_hex) {
-+	hex_length = strlen(session_hex);
-+	data = (unsigned char *)mymalloc(hex_length / 2);
-+	if (!data) {
-+	    msg_info("could not allocate memory for session reload");
-+	    return(NULL);
-+	}
-+
-+	memset(data, 0, hex_length / 2);
-+	for (n = 0; n < hex_length; n++) {
-+	    if ((session_hex[n] >= '0') && (session_hex[n] <= '9'))
-+		nibble = session_hex[n] - '0';
-+	    else
-+		nibble = session_hex[n] - 'A' + 10;
-+	    if (n % 2)
-+		data[n / 2] |= nibble;
-+	    else
-+		data[n / 2] |= (nibble << 4);
-+	}
-+
-+	/*
-+	 * First check the version numbers, since wrong session data might
-+	 * hit us hard (SEGFAULT). We also have to check for expiry.
-+	 * When we enforce_peername, we may find an old session, that was
-+	 * saved when enforcement was not set. In this case the session will
-+	 * be removed and a fresh session will be negotiated.
-+	 */
-+	memcpy(&scache_info, data, sizeof(pfixtls_scache_info_t));
-+	if ((scache_info.scache_db_version != scache_db_version) ||
-+	    (scache_info.openssl_version != openssl_version) ||
-+	    (scache_info.timestamp + var_smtpd_tls_scache_timeout < time(NULL)))
-+	    dict_del(scache_db, idstring);
-+	else if (enforce_peername && (!scache_info.enforce_peername))
-+	    dict_del(scache_db, idstring);
-+	else {
-+	    sess_data = data + sizeof(pfixtls_scache_info_t);
-+	    session = d2i_SSL_SESSION(NULL, &sess_data,
-+				      hex_length / 2 - sizeof(time_t));
-+	    strncpy(SSL_SESSION_get_ex_data(session, TLSpeername_index),
-+		    idstring, ID_MAXLENGTH + 1);
-+	    if (!session)
-+		pfixtls_print_errors();
-+	}
-+	myfree((char *)data);
-+    }
-+
-+    if (session && (var_smtp_tls_loglevel >= 3))
-+        msg_info("Successfully reloaded session from disc");
-+
-+    return (session);
-+}
-+
-+
-+static void create_client_lookup_id(char *idstring, char *hostname)
-+{
-+    int n, len, uselength;
-+
-+    len = strlen(hostname);
-+    if (len > ID_MAXLENGTH)
-+	uselength = ID_MAXLENGTH;	/* Limit length of ID */
-+    else
-+	uselength = len;
-+
-+    for (n = 0 ; n < uselength ; n++)
-+	idstring[n] = tolower(hostname[n]);
-+    idstring[uselength] = '\0';
-+}
-+
-+
-+static void create_server_lookup_id(char *idstring, SSL_SESSION *session)
-+{
-+    int n, uselength;
-+
-+    if (session->session_id_length > ID_MAXLENGTH)
-+	uselength = ID_MAXLENGTH;	/* Limit length of ID */
-+    else
-+	uselength = session->session_id_length;
-+
-+    for(n = 0; n < uselength ; n++)
-+	sprintf(idstring + 2 * n, "%02x", session->session_id[n]);
-+}
-+
-+
-+static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *session)
-+{
-+    char idstring[2 * ID_MAXLENGTH + 1];
-+    char *hostname;
-+
-+    if (pfixtls_clientengine) {
-+        hostname = SSL_SESSION_get_ex_data(session, TLSpeername_index);
-+	create_client_lookup_id(idstring, hostname);
-+	if (var_smtp_tls_loglevel >= 3)
-+	    msg_info("Trying to remove session from disc: %s", idstring);
-+    }
-+    else {
-+	create_server_lookup_id(idstring, session);
-+	if (var_smtpd_tls_loglevel >= 3)
-+	    msg_info("Trying to remove session from disc: %s", idstring);
-+    }
-+
-+    if (scache_db)
-+	dict_del(scache_db, idstring);
-+}
-+
-+
-+/*
-+ * We need space to save the peername into the SSL_SESSION, as we must
-+ * look up the external database for client sessions by peername, not
-+ * by session id. We therefore allocate place for the peername string,
-+ * when a new SSL_SESSION is generated. It is filled later.
-+ */
-+static int new_peername_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
-+			     int idx, long argl, void *argp)
-+{
-+    char *peername;
-+
-+    peername = (char *)mymalloc(ID_MAXLENGTH + 1);
-+    if (!peername)
-+	return 0;
-+    peername[0] = '\0'; 	/* initialize */
-+    return CRYPTO_set_ex_data(ad, idx, peername);
-+}
-+
-+/*
-+ * When the SSL_SESSION is removed again, we must free the memory to avoid
-+ * leaks.
-+ */
-+static void free_peername_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
-+			       int idx, long argl, void *argp)
-+{
-+    myfree(CRYPTO_get_ex_data(ad, idx));
-+}
-+
-+/*
-+ * Duplicate application data, when a SSL_SESSION is duplicated
-+ */
-+static int dup_peername_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from,
-+			     void *from_d, int idx, long argl, void *argp)
-+{
-+    char *peername_old, *peername_new;
-+
-+    peername_old = CRYPTO_get_ex_data(from, idx);
-+    peername_new = CRYPTO_get_ex_data(to, idx);
-+    if (!peername_old || !peername_new)
-+	return 0;
-+    memcpy(peername_new, peername_old, ID_MAXLENGTH + 1);
-+    return 1;
-+}
-+
-+
-+ /*
-+  * Save a new session to the external cache
-+  */
-+static int new_session_cb(SSL *ssl, SSL_SESSION *session)
-+{
-+    char idstring[2 * ID_MAXLENGTH + 1];
-+    int n;
-+    int dsize;
-+    int len;
-+    unsigned char *data, *sess_data;
-+    pfixtls_scache_info_t scache_info;
-+    char *hexdata, *hostname;
-+    TLScontext_t *TLScontext;
-+
-+    if (pfixtls_clientengine) {
-+        TLScontext = SSL_get_ex_data(ssl, TLScontext_index);
-+	hostname = TLScontext->peername_save;
-+	create_client_lookup_id(idstring, hostname);
-+	strncpy(SSL_SESSION_get_ex_data(session, TLSpeername_index),
-+		hostname, ID_MAXLENGTH + 1);
-+	/*
-+	 * Remember, whether peername matching was enforced when the session
-+	 * was created. If later enforce mode is enabled, we do not want to
-+	 * reuse a session that was not sufficiently checked.
-+	 */
-+	scache_info.enforce_peername =
-+		(TLScontext->enforce_verify_errors && TLScontext->enforce_CN);
-+
-+	if (var_smtp_tls_loglevel >= 3)
-+	    msg_info("Trying to save session for hostID to disc: %s", idstring);
-+
-+#if (OPENSSL_VERSION_NUMBER < 0x00906011L) || (OPENSSL_VERSION_NUMBER == 0x00907000L)
-+	    /*
-+	     * Ugly Hack: OpenSSL before 0.9.6a does not store the verify
-+	     * result in sessions for the client side.
-+	     * We modify the session directly which is version specific,
-+	     * but this bug is version specific, too.
-+	     *
-+	     * READ: 0-09-06-01-1 = 0-9-6-a-beta1: all versions before
-+	     * beta1 have this bug, it has been fixed during development
-+	     * of 0.9.6a. The development version of 0.9.7 can have this
-+	     * bug, too. It has been fixed on 2000/11/29.
-+	     */
-+	    session->verify_result = SSL_get_verify_result(TLScontext->con);
-+#endif
-+
-+    }
-+    else {
-+	create_server_lookup_id(idstring, session);
-+	if (var_smtpd_tls_loglevel >= 3)
-+	    msg_info("Trying to save Session to disc: %s", idstring);
-+    }
-+
-+
-+    /*
-+     * Get the session and convert it into some "database" useable form.
-+     * First, get the length of the session to allocate the memory.
-+     */
-+    dsize = i2d_SSL_SESSION(session, NULL);
-+    if (dsize < 0) {
-+	msg_info("Could not access session");
-+	return 0;
-+    }
-+    data = (unsigned char *)mymalloc(dsize + sizeof(pfixtls_scache_info_t));
-+    if (!data) {
-+	msg_info("could not allocate memory for SSL session");
-+	return 0;
-+    }
-+
-+    /*
-+     * OpenSSL is not robust against wrong session data (might SEGFAULT),
-+     * so we secure it against version ids (session cache structure as well
-+     * as OpenSSL version).
-+     */
-+    scache_info.scache_db_version = scache_db_version;
-+    scache_info.openssl_version = openssl_version;
-+
-+    /*
-+     * Put a timestamp, so that expiration can be checked without
-+     * analyzing the session data itself. (We would need OpenSSL funtions,
-+     * since the SSL_SESSION is a private structure.)
-+     */
-+    scache_info.timestamp = time(NULL);
-+
-+    memcpy(data, &scache_info, sizeof(pfixtls_scache_info_t));
-+    sess_data = data + sizeof(pfixtls_scache_info_t);
-+
-+    /*
-+     * Now, obtain the session. Unfortunately, it is binary and dict_update
-+     * cannot handle binary data (it could contain '\0' in it) directly.
-+     * To save memory we could use base64 encoding. To make handling easier,
-+     * we simply use hex format.
-+     */
-+    len = i2d_SSL_SESSION(session, &sess_data);
-+    len += sizeof(pfixtls_scache_info_t);
-+
-+    hexdata = (char *)mymalloc(2 * len + 1);
-+
-+    if (!hexdata) {
-+	msg_info("could not allocate memory for SSL session (HEX)");
-+	myfree((char *)data);
-+	return 0;
-+    }
-+    for (n = 0; n < len; n++) {
-+	hexdata[n * 2] = hexcodes[(data[n] & 0xf0) >> 4];
-+	hexdata[(n * 2) + 1] = hexcodes[(data[n] & 0x0f)];
-+    }
-+    hexdata[len * 2] = '\0';
-+
-+    /*
-+     * The session id is a hex string, all uppercase. We are using SDBM as
-+     * compiled into Postfix with 8kB maximum entry size, so we set a limit
-+     * when caching. If the session is not cached, we have to renegotiate,
-+     * not more, not less. For a real session, this limit should never be
-+     * met
-+     */
-+    if (strlen(idstring) + strlen(hexdata) < 8000)
-+      dict_put(scache_db, idstring, hexdata);
-+
-+    myfree(hexdata);
-+    myfree((char *)data);
-+    return (1);
-+}
-+
-+
-+ /*
-+  * pfixtls_exchange_seed: read bytes from the seed exchange-file (expect
-+  * 1024 bytes)and immediately write back random bytes. Do so with EXCLUSIVE
-+  * lock, so * that each process will find a completely different (and
-+  * reseeded) file.
-+  */
-+static void pfixtls_exchange_seed(void)
-+{
-+    unsigned char buffer[1024];
-+
-+    if (rand_exch_fd == -1)
-+	return;
-+
-+    if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) != 0)
-+        msg_info("Could not lock random exchange file: %s",
-+                  strerror(errno));
-+
-+    lseek(rand_exch_fd, 0, SEEK_SET);
-+    if (read(rand_exch_fd, buffer, 1024) < 0)
-+        msg_fatal("reading exchange file failed");
-+    RAND_seed(buffer, 1024);
-+
-+    RAND_bytes(buffer, 1024);
-+    lseek(rand_exch_fd, 0, SEEK_SET);
-+    if (write(rand_exch_fd, buffer, 1024) != 1024)
-+        msg_fatal("Writing exchange file failed");
-+
-+    if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) != 0)
-+        msg_fatal("Could not unlock random exchange file: %s",
-+                  strerror(errno));
-+}
-+
-+ /*
-+  * This is the setup routine for the SSL server. As smtpd might be called
-+  * more than once, we only want to do the initialization one time.
-+  *
-+  * The skeleton of this function is taken from OpenSSL apps/s_server.c.
-+  */
-+
-+int     pfixtls_init_serverengine(int verifydepth, int askcert)
-+{
-+    int     off = 0;
-+    int     verify_flags = SSL_VERIFY_NONE;
-+    int     rand_bytes;
-+    int     rand_source_dev_fd;
-+    int     rand_source_socket_fd;
-+    unsigned char buffer[255];
-+    char   *CApath;
-+    char   *CAfile;
-+    char   *s_cert_file;
-+    char   *s_key_file;
-+    char   *s_dcert_file;
-+    char   *s_dkey_file;
-+    FILE   *paramfile;
-+
-+    if (pfixtls_serverengine)
-+	return (0);				/* already running */
-+
-+    if (var_smtpd_tls_loglevel >= 2)
-+	msg_info("starting TLS engine");
-+
-+    /*
-+     * Initialize the OpenSSL library by the book!
-+     * To start with, we must initialize the algorithms.
-+     * We want cleartext error messages instead of just error codes, so we
-+     * load the error_strings.
-+     */
-+    SSL_load_error_strings();
-+    OpenSSL_add_ssl_algorithms();
-+
-+ /*
-+  * Side effect, call a non-existing function to disable TLS usage with an
-+  * outdated OpenSSL version. There is a security reason (verify_result
-+  * is not stored with the session data).
-+  */
-+#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
-+    needs_openssl_095_or_later();
-+#endif
-+
-+    /*
-+     * Initialize the PRNG Pseudo Random Number Generator with some seed.
-+     */
-+    randseed.pid = getpid();
-+    GETTIMEOFDAY(&randseed.tv);
-+    RAND_seed(&randseed, sizeof(randseed_t));
-+
-+    /*
-+     * Access the external sources for random seed. We will only query them
-+     * once, this should be sufficient and we will stir our entropy by using
-+     * the prng-exchange file anyway.
-+     * For reliability, we don't consider failure to access the additional
-+     * source fatal, as we can run happily without it (considering that we
-+     * still have the exchange-file). We also don't care how much entropy
-+     * we get back, as we must run anyway. We simply stir in the buffer
-+     * regardless how many bytes are actually in it.
-+     */
-+    if (*var_tls_daemon_rand_source) {
-+	if (!strncmp(var_tls_daemon_rand_source, "dev:", 4)) {
-+	    /*
-+	     * Source is a random device
-+	     */
-+	    rand_source_dev_fd = open(var_tls_daemon_rand_source + 4, 0, 0);
-+	    if (rand_source_dev_fd == -1) 
-+		msg_info("Could not open entropy device %s",
-+			  var_tls_daemon_rand_source);
-+	    else {
-+		if (var_tls_daemon_rand_bytes > 255)
-+		    var_tls_daemon_rand_bytes = 255;
-+	        read(rand_source_dev_fd, buffer, var_tls_daemon_rand_bytes);
-+		RAND_seed(buffer, var_tls_daemon_rand_bytes);
-+		close(rand_source_dev_fd);
-+	    }
-+	} else if (!strncmp(var_tls_daemon_rand_source, "egd:", 4)) {
-+	    /*
-+	     * Source is a EGD compatible socket
-+	     */
-+	    rand_source_socket_fd = unix_connect(var_tls_daemon_rand_source +4,
-+						 BLOCKING, 10);
-+	    if (rand_source_socket_fd == -1)
-+		msg_info("Could not connect to %s", var_tls_daemon_rand_source);
-+	    else {
-+		if (var_tls_daemon_rand_bytes > 255)
-+		    var_tls_daemon_rand_bytes = 255;
-+		buffer[0] = 1;
-+		buffer[1] = var_tls_daemon_rand_bytes;
-+		if (write(rand_source_socket_fd, buffer, 2) != 2)
-+		    msg_info("Could not talk to %s",
-+			     var_tls_daemon_rand_source);
-+		else if (read(rand_source_socket_fd, buffer, 1) != 1)
-+		    msg_info("Could not read info from %s",
-+			     var_tls_daemon_rand_source);
-+		else {
-+		    rand_bytes = buffer[0];
-+		    read(rand_source_socket_fd, buffer, rand_bytes);
-+		    RAND_seed(buffer, rand_bytes);
-+		}
-+		close(rand_source_socket_fd);
-+	    }
-+	} else {
-+	    RAND_load_file(var_tls_daemon_rand_source,
-+			   var_tls_daemon_rand_bytes);
-+	}
-+    }
-+
-+    if (*var_tls_rand_exch_name) {
-+	rand_exch_fd = open(var_tls_rand_exch_name, O_RDWR | O_CREAT, 0600);
-+	if (rand_exch_fd != -1)
-+	    pfixtls_exchange_seed();
-+    }
-+
-+    randseed.pid = getpid();
-+    GETTIMEOFDAY(&randseed.tv);
-+    RAND_seed(&randseed, sizeof(randseed_t));
-+
-+    /*
-+     * The SSL/TLS speficications require the client to send a message in
-+     * the oldest specification it understands with the highest level it
-+     * understands in the message.
-+     * Netscape communicator can still communicate with SSLv2 servers, so it
-+     * sends out a SSLv2 client hello. To deal with it, our server must be
-+     * SSLv2 aware (even if we don't like SSLv2), so we need to have the
-+     * SSLv23 server here. If we want to limit the protocol level, we can
-+     * add an option to not use SSLv2/v3/TLSv1 later.
-+     */
-+    ctx = SSL_CTX_new(SSLv23_server_method());
-+    if (ctx == NULL) {
-+	pfixtls_print_errors();
-+	return (-1);
-+    };
-+
-+    /*
-+     * Here we might set SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1.
-+     * Of course, the last one would not make sense, since RFC2487 is only
-+     * defined for TLS, but we also want to accept Netscape communicator
-+     * requests, and it only supports SSLv3.
-+     */
-+    off |= SSL_OP_ALL;		/* Work around all known bugs */
-+    SSL_CTX_set_options(ctx, off);
-+
-+    /*
-+     * Set the info_callback, that will print out messages during
-+     * communication on demand.
-+     */
-+    if (var_smtpd_tls_loglevel >= 2)
-+	SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
-+
-+    /*
-+     * Set the list of ciphers, if explicitely given; otherwise the
-+     * (reasonable) default list is kept.
-+     */
-+    if (strlen(var_smtpd_tls_cipherlist) != 0)
-+	if (SSL_CTX_set_cipher_list(ctx, var_smtpd_tls_cipherlist) == 0) {
-+	    pfixtls_print_errors();
-+	    return (-1);
-+	}
-+
-+    /*
-+     * Now we must add the necessary certificate stuff: A server key, a
-+     * server certificate, and the CA certificates for both the server
-+     * cert and the verification of client certificates.
-+     * As provided by OpenSSL we support two types of CA certificate handling:
-+     * One possibility is to add all CA certificates to one large CAfile,
-+     * the other possibility is a directory pointed to by CApath, containing
-+     * seperate files for each CA pointed on by softlinks named by the hash
-+     * values of the certificate.
-+     * The first alternative has the advantage, that the file is opened and
-+     * read at startup time, so that you don't have the hassle to maintain
-+     * another copy of the CApath directory for chroot-jail. On the other
-+     * hand, the file is not really readable.
-+     */
-+    if (strlen(var_smtpd_tls_CAfile) == 0)
-+	CAfile = NULL;
-+    else
-+	CAfile = var_smtpd_tls_CAfile;
-+    if (strlen(var_smtpd_tls_CApath) == 0)
-+	CApath = NULL;
-+    else
-+	CApath = var_smtpd_tls_CApath;
-+
-+    if (CAfile || CApath) {
-+	if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
-+	    msg_info("TLS engine: cannot load CA data");
-+	    pfixtls_print_errors();
-+	    return (-1);
-+	}
-+	if (!SSL_CTX_set_default_verify_paths(ctx)) {
-+	    msg_info("TLS engine: cannot set verify paths");
-+	    pfixtls_print_errors();
-+	    return (-1);
-+	}
-+    }
-+
-+    /*
-+     * Now we load the certificate and key from the files and check,
-+     * whether the cert matches the key (internally done by set_cert_stuff().
-+     * We cannot run without (we do not support ADH anonymous Diffie-Hellman
-+     * ciphers as of now).
-+     * We can use RSA certificates ("cert") and DSA certificates ("dcert"),
-+     * both can be made available at the same time. The CA certificates for
-+     * both are handled in the same setup already finished.
-+     * Which one is used depends on the cipher negotiated (that is: the first
-+     * cipher listed by the client which does match the server). A client with
-+     * RSA only (e.g. Netscape) will use the RSA certificate only.
-+     * A client with openssl-library will use RSA first if not especially
-+     * changed in the cipher setup.
-+     */
-+    if (strlen(var_smtpd_tls_cert_file) == 0)
-+	s_cert_file = NULL;
-+    else
-+	s_cert_file = var_smtpd_tls_cert_file;
-+    if (strlen(var_smtpd_tls_key_file) == 0)
-+	s_key_file = NULL;
-+    else
-+	s_key_file = var_smtpd_tls_key_file;
-+
-+    if (strlen(var_smtpd_tls_dcert_file) == 0)
-+	s_dcert_file = NULL;
-+    else
-+	s_dcert_file = var_smtpd_tls_dcert_file;
-+    if (strlen(var_smtpd_tls_dkey_file) == 0)
-+	s_dkey_file = NULL;
-+    else
-+	s_dkey_file = var_smtpd_tls_dkey_file;
-+
-+    if (s_cert_file) {
-+	if (!set_cert_stuff(ctx, s_cert_file, s_key_file)) {
-+	    msg_info("TLS engine: cannot load RSA cert/key data");
-+	    pfixtls_print_errors();
-+	    return (-1);
-+	}
-+    }
-+    if (s_dcert_file) {
-+	if (!set_cert_stuff(ctx, s_dcert_file, s_dkey_file)) {
-+	    msg_info("TLS engine: cannot load DSA cert/key data");
-+	    pfixtls_print_errors();
-+	    return (-1);
-+	}
-+    }
-+    if (!s_cert_file && !s_dcert_file) {
-+	msg_info("TLS engine: do need at least RSA _or_ DSA cert/key data");
-+	return (-1);
-+    }
-+
-+    /*
-+     * Sometimes a temporary RSA key might be needed by the OpenSSL
-+     * library. The OpenSSL doc indicates, that this might happen when
-+     * export ciphers are in use. We have to provide one, so well, we
-+     * just do it.
-+     */
-+    SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_cb);
-+
-+    /*
-+     * We might also need dh parameters, which can either be loaded from
-+     * file (preferred) or we simply take the compiled in values.
-+     * First, set the callback that will select the values when requested,
-+     * then load the (possibly) available DH parameters from files.
-+     * We are generous with the error handling, since we do have default
-+     * values compiled in, so we will not abort but just log the error message.
-+     */
-+    SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_cb);
-+    if (strlen(var_smtpd_tls_dh1024_param_file) != 0) {
-+	if ((paramfile = fopen(var_smtpd_tls_dh1024_param_file, "r")) != NULL) {
-+	    dh_1024 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
-+	    if (dh_1024 == NULL) {
-+		msg_info("TLS engine: cannot load 1024bit DH parameters");
-+		pfixtls_print_errors();
-+	    }
-+	}
-+	else {
-+	    msg_info("TLS engine: cannot load 1024bit DH parameters: %s: %s",
-+		     var_smtpd_tls_dh1024_param_file, strerror(errno));
-+	}
-+    }
-+    if (strlen(var_smtpd_tls_dh512_param_file) != 0) {
-+	if ((paramfile = fopen(var_smtpd_tls_dh512_param_file, "r")) != NULL) {
-+	    dh_512 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
-+	    if (dh_512 == NULL) {
-+		msg_info("TLS engine: cannot load 512bit DH parameters");
-+		pfixtls_print_errors();
-+	    }
-+	}
-+	else {
-+	    msg_info("TLS engine: cannot load 512bit DH parameters: %s: %s",
-+		     var_smtpd_tls_dh512_param_file, strerror(errno));
-+	}
-+    }
-+
-+    /*
-+     * If we want to check client certificates, we have to indicate it
-+     * in advance. By now we only allow to decide on a global basis.
-+     * If we want to allow certificate based relaying, we must ask the
-+     * client to provide one with SSL_VERIFY_PEER. The client now can
-+     * decide, whether it provides one or not. We can enforce a failure
-+     * of the negotiation with SSL_VERIFY_FAIL_IF_NO_PEER_CERT, if we
-+     * do not allow a connection without one.
-+     * In the "server hello" following the initialization by the "client hello"
-+     * the server must provide a list of CAs it is willing to accept.
-+     * Some clever clients will then select one from the list of available
-+     * certificates matching these CAs. Netscape Communicator will present
-+     * the list of certificates for selecting the one to be sent, or it will
-+     * issue a warning, if there is no certificate matching the available
-+     * CAs.
-+     *
-+     * With regard to the purpose of the certificate for relaying, we might
-+     * like a later negotiation, maybe relaying would already be allowed
-+     * for other reasons, but this would involve severe changes in the
-+     * internal postfix logic, so we have to live with it the way it is.
-+     */
-+    if (askcert)
-+	verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
-+    SSL_CTX_set_verify(ctx, verify_flags, verify_callback);
-+    SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
-+
-+    /*
-+     * Initialize the session cache. We only want external caching to
-+     * synchronize between server sessions, so we set it to a minimum value
-+     * of 1. If the external cache is disabled, we won't cache at all.
-+     * The recall of old sessions "get" and save to disk of just created
-+     * sessions "new" is handled by the appropriate callback functions.
-+     *
-+     * We must not forget to set a session id context to identify to which
-+     * kind of server process the session was related. In our case, the
-+     * context is just the name of the patchkit: "Postfix/TLS".
-+     */
-+    SSL_CTX_sess_set_cache_size(ctx, 1);
-+    SSL_CTX_set_timeout(ctx, var_smtpd_tls_scache_timeout);
-+    SSL_CTX_set_session_id_context(ctx, (void*)&server_session_id_context,
-+                sizeof(server_session_id_context));
-+
-+    /*
-+     * The session cache is realized by an external database file, that
-+     * must be opened before going to chroot jail. Since the session cache
-+     * data can become quite large, "[n]dbm" cannot be used as it has a
-+     * size limit that is by far to small.
-+     */
-+    if (*var_smtpd_tls_scache_db) {
-+	/*
-+	 * Insert a test against other dbms here, otherwise while writing
-+	 * a session (content to large), we will receive a fatal error!
-+	 */
-+	if (strncmp(var_smtpd_tls_scache_db, "sdbm:", 5))
-+	    msg_warn("Only sdbm: type allowed for %s",
-+		     var_smtpd_tls_scache_db);
-+	else
-+	    scache_db = dict_open(var_smtpd_tls_scache_db, O_RDWR,
-+	      DICT_FLAG_DUP_REPLACE | DICT_FLAG_LOCK | DICT_FLAG_SYNC_UPDATE);
-+	if (scache_db) {
-+	    SSL_CTX_set_session_cache_mode(ctx,
-+			SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_AUTO_CLEAR);
-+	    SSL_CTX_sess_set_get_cb(ctx, get_session_cb);
-+	    SSL_CTX_sess_set_new_cb(ctx, new_session_cb);
-+	    SSL_CTX_sess_set_remove_cb(ctx, remove_session_cb);
-+	}
-+	else
-+	    msg_warn("Could not open session cache %s",
-+		     var_smtpd_tls_scache_db);
-+    }
-+
-+    /*
-+     * Finally create the global index to access TLScontext information
-+     * inside verify_callback.
-+     */
-+    TLScontext_index = SSL_get_ex_new_index(0, "TLScontext ex_data index",
-+					    NULL, NULL, NULL);
-+
-+    pfixtls_serverengine = 1;
-+    return (0);
-+}
-+
-+ /*
-+  * This is the actual startup routine for the connection. We expect
-+  * that the buffers are flushed and the "220 Ready to start TLS" was
-+  * send to the client, so that we can immediately can start the TLS
-+  * handshake process.
-+  */
-+int     pfixtls_start_servertls(VSTREAM *stream, int timeout,
-+				const char *peername, const char *peeraddr,
-+				tls_info_t *tls_info, int requirecert)
-+{
-+    int     sts;
-+    int     j;
-+    int verify_flags;
-+    unsigned int n;
-+    TLScontext_t *TLScontext;
-+    SSL_SESSION *session;
-+    SSL_CIPHER *cipher;
-+    X509   *peer;
-+
-+    if (!pfixtls_serverengine) {		/* should never happen */
-+	msg_info("tls_engine not running");
-+	return (-1);
-+    }
-+    if (var_smtpd_tls_loglevel >= 1)
-+	msg_info("setting up TLS connection from %s[%s]", peername, peeraddr);
-+
-+    /*
-+     * Allocate a new TLScontext for the new connection and get an SSL
-+     * structure. Add the location of TLScontext to the SSL to later
-+     * retrieve the information inside the verify_callback().
-+     */
-+    TLScontext = (TLScontext_t *)mymalloc(sizeof(TLScontext_t));
-+    if (!TLScontext) {
-+	msg_fatal("Could not allocate 'TLScontext' with mymalloc");
-+    }
-+    if ((TLScontext->con = (SSL *) SSL_new(ctx)) == NULL) {
-+	msg_info("Could not allocate 'TLScontext->con' with SSL_new()");
-+	pfixtls_print_errors();
-+	myfree((char *)TLScontext);
-+	return (-1);
-+    }
-+    if (!SSL_set_ex_data(TLScontext->con, TLScontext_index, TLScontext)) {
-+	msg_info("Could not set application data for 'TLScontext->con'");
-+	pfixtls_print_errors();
-+	SSL_free(TLScontext->con);
-+	myfree((char *)TLScontext);
-+	return (-1);
-+    }
-+
-+    /*
-+     * Set the verification parameters to be checked in verify_callback().
-+     */
-+    if (requirecert) {
-+	verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
-+	verify_flags |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
-+	TLScontext->enforce_verify_errors = 1;
-+        SSL_set_verify(TLScontext->con, verify_flags, verify_callback);
-+    }
-+    else {
-+	TLScontext->enforce_verify_errors = 0;
-+    }
-+    TLScontext->enforce_CN = 0;
-+
-+    /*
-+     * The TLS connection is realized by a BIO_pair, so obtain the pair.
-+     */
-+    if (!BIO_new_bio_pair(&TLScontext->internal_bio, BIO_bufsiz,
-+			  &TLScontext->network_bio, BIO_bufsiz)) {
-+	msg_info("Could not obtain BIO_pair");
-+	pfixtls_print_errors();
-+	SSL_free(TLScontext->con);
-+	myfree((char *)TLScontext);
-+	return (-1);
-+    }
-+
-+    /*
-+     * Before really starting anything, try to seed the PRNG a little bit
-+     * more.
-+     */
-+    pfixtls_stir_seed();
-+    pfixtls_exchange_seed();
-+
-+    /*
-+     * Initialize the SSL connection to accept state. This should not be
-+     * necessary anymore since 0.9.3, but the call is still in the library
-+     * and maintaining compatibility never hurts.
-+     */
-+    SSL_set_accept_state(TLScontext->con);
-+
-+    /*
-+     * Connect the SSL-connection with the postfix side of the BIO-pair for
-+     * reading and writing.
-+     */
-+     SSL_set_bio(TLScontext->con, TLScontext->internal_bio,
-+		 TLScontext->internal_bio);
-+
-+    /*
-+     * If the debug level selected is high enough, all of the data is
-+     * dumped: 3 will dump the SSL negotiation, 4 will dump everything.
-+     *
-+     * We do have an SSL_set_fd() and now suddenly a BIO_ routine is called?
-+     * Well there is a BIO below the SSL routines that is automatically
-+     * created for us, so we can use it for debugging purposes.
-+     */
-+    if (var_smtpd_tls_loglevel >= 3)
-+	BIO_set_callback(SSL_get_rbio(TLScontext->con), bio_dump_cb);
-+
-+
-+    /* Dump the negotiation for loglevels 3 and 4 */
-+    if (var_smtpd_tls_loglevel >= 3)
-+	do_dump = 1;
-+
-+    /*
-+     * Now we expect the negotiation to begin. This whole process is like a
-+     * black box for us. We totally have to rely on the routines build into
-+     * the OpenSSL library. The only thing we can do we already have done
-+     * by choosing our own callbacks for session caching and certificate
-+     * verification.
-+     *
-+     * Error handling:
-+     * If the SSL handhake fails, we print out an error message and remove
-+     * everything that might be there. A session has to be removed anyway,
-+     * because RFC2246 requires it.
-+     */
-+    sts = do_tls_operation(vstream_fileno(stream), timeout, TLScontext,
-+			   SSL_accept, NULL, NULL, NULL, 0);
-+    if (sts <= 0) {
-+	msg_info("SSL_accept error from %s[%s]: %d", peername, peeraddr, sts);
-+	pfixtls_print_errors();
-+	SSL_free(TLScontext->con);
-+	myfree((char *)TLScontext);
-+	return (-1);
-+    }
-+
-+    /* Only loglevel==4 dumps everything */
-+    if (var_smtpd_tls_loglevel < 4)
-+	do_dump = 0;
-+
-+    /*
-+     * Lets see, whether a peer certificate is available and what is
-+     * the actual information. We want to save it for later use.
-+     */
-+    peer = SSL_get_peer_certificate(TLScontext->con);
-+    if (peer != NULL) {
-+	if (SSL_get_verify_result(TLScontext->con) == X509_V_OK)
-+	    tls_info->peer_verified = 1;
-+
-+	X509_NAME_oneline(X509_get_subject_name(peer),
-+			  TLScontext->peer_subject, CCERT_BUFSIZ);
-+	if (var_smtpd_tls_loglevel >= 2)
-+	    msg_info("subject=%s", TLScontext->peer_subject);
-+	tls_info->peer_subject = TLScontext->peer_subject;
-+	X509_NAME_oneline(X509_get_issuer_name(peer),
-+			  TLScontext->peer_issuer, CCERT_BUFSIZ);
-+	if (var_smtpd_tls_loglevel >= 2)
-+	    msg_info("issuer=%s", TLScontext->peer_issuer);
-+	tls_info->peer_issuer = TLScontext->peer_issuer;
-+	if (X509_digest(peer, EVP_md5(), TLScontext->md, &n)) {
-+	    for (j = 0; j < (int) n; j++) {
-+		TLScontext->fingerprint[j * 3] =
-+			hexcodes[(TLScontext->md[j] & 0xf0) >> 4];
-+		TLScontext->fingerprint[(j * 3) + 1] =
-+			hexcodes[(TLScontext->md[j] & 0x0f)];
-+		if (j + 1 != (int) n)
-+		    TLScontext->fingerprint[(j * 3) + 2] = ':';
-+		else
-+		    TLScontext->fingerprint[(j * 3) + 2] = '\0';
-+	    }
-+	    if (var_smtpd_tls_loglevel >= 1)
-+		msg_info("fingerprint=%s", TLScontext->fingerprint);
-+	    tls_info->peer_fingerprint = TLScontext->fingerprint;
-+	}
-+
-+	TLScontext->peer_CN[0] = '\0';
-+	if (!X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
-+			NID_commonName, TLScontext->peer_CN, CCERT_BUFSIZ)) {
-+	    msg_info("Could not parse client's subject CN");
-+	    pfixtls_print_errors();
-+	}
-+	tls_info->peer_CN = TLScontext->peer_CN;
-+
-+	TLScontext->issuer_CN[0] = '\0';
-+	if (!X509_NAME_get_text_by_NID(X509_get_issuer_name(peer),
-+			NID_commonName, TLScontext->issuer_CN, CCERT_BUFSIZ)) {
-+	    msg_info("Could not parse client's issuer CN");
-+	    pfixtls_print_errors();
-+	}
-+	if (!TLScontext->issuer_CN[0]) {
-+	    /* No issuer CN field, use Organization instead */
-+	    if (!X509_NAME_get_text_by_NID(X509_get_issuer_name(peer),
-+		NID_organizationName, TLScontext->issuer_CN, CCERT_BUFSIZ)) {
-+		msg_info("Could not parse client's issuer Organization");
-+		pfixtls_print_errors();
-+	    }
-+	}
-+	tls_info->issuer_CN = TLScontext->issuer_CN;
-+
-+	if (var_smtpd_tls_loglevel >= 1) {
-+	    if (tls_info->peer_verified)
-+		msg_info("Verified: subject_CN=%s, issuer=%s",
-+			 TLScontext->peer_CN, TLScontext->issuer_CN);
-+	    else
-+		msg_info("Unverified: subject_CN=%s, issuer=%s",
-+			 TLScontext->peer_CN, TLScontext->issuer_CN);
-+	}
-+
-+	X509_free(peer);
-+    }
-+
-+    /*
-+     * At this point we should have a certificate when required.
-+     * We may however have a cached session, so the callback would never
-+     * be called. We therefore double-check to make sure and remove the
-+     * session, if applicable.
-+     */
-+    if (requirecert) {
-+	if (!tls_info->peer_verified || !tls_info->peer_CN) {
-+	    msg_info("Re-used session without peer certificate removed");
-+	    session = SSL_get_session(TLScontext->con);
-+	    SSL_CTX_remove_session(ctx, session);
-+	    return (-1);
-+	}
-+    }
-+
-+    /*
-+     * Finally, collect information about protocol and cipher for logging
-+     */
-+    tls_info->protocol = SSL_get_version(TLScontext->con);
-+    cipher = SSL_get_current_cipher(TLScontext->con);
-+    tls_info->cipher_name = SSL_CIPHER_get_name(cipher);
-+    tls_info->cipher_usebits = SSL_CIPHER_get_bits(cipher,
-+						 &(tls_info->cipher_algbits));
-+
-+    pfixtls_serveractive = 1;
-+
-+    /*
-+     * The TLS engine is active, switch to the pfixtls_timed_read/write()
-+     * functions and store the context.
-+     */
-+    vstream_control(stream,
-+		    VSTREAM_CTL_READ_FN, pfixtls_timed_read,
-+		    VSTREAM_CTL_WRITE_FN, pfixtls_timed_write,
-+		    VSTREAM_CTL_CONTEXT, (void *)TLScontext,
-+		    VSTREAM_CTL_END);
-+
-+    if (var_smtpd_tls_loglevel >= 1)
-+   	 msg_info("TLS connection established from %s[%s]: %s with cipher %s (%d/%d bits)",
-+		  peername, peeraddr,
-+		  tls_info->protocol, tls_info->cipher_name,
-+		  tls_info->cipher_usebits, tls_info->cipher_algbits);
-+    pfixtls_stir_seed();
-+
-+    return (0);
-+}
-+
-+ /*
-+  * Shut down the TLS connection, that does mean: remove all the information
-+  * and reset the flags! This is needed if the actual running smtpd is to
-+  * be restarted. We do not give back any value, as there is nothing to
-+  * be reported.
-+  * Since our session cache is external, we will remove the session from
-+  * memory in any case. The SSL_CTX_flush_sessions might be redundant here,
-+  * I however want to make sure nothing is left.
-+  * RFC2246 requires us to remove sessions if something went wrong, as
-+  * indicated by the "failure" value, so we remove it from the external
-+  * cache, too. 
-+  */
-+int     pfixtls_stop_servertls(VSTREAM *stream, int timeout, int failure,
-+			       tls_info_t *tls_info)
-+{
-+    TLScontext_t *TLScontext;
-+    int retval;
-+
-+    if (pfixtls_serveractive) {
-+	TLScontext = (TLScontext_t *)vstream_context(stream);
-+	/*
-+	 * Perform SSL_shutdown() twice, as the first attempt may return
-+	 * to early: it will only send out the shutdown alert but it will
-+	 * not wait for the peer's shutdown alert. Therefore, when we are
-+	 * the first party to send the alert, we must call SSL_shutdown()
-+	 * again.
-+	 * On failure we don't want to resume the session, so we will not
-+	 * perform SSL_shutdown() and the session will be removed as being
-+	 * bad.
-+	 */
-+	if (!failure) {
-+            retval = do_tls_operation(vstream_fileno(stream), timeout,
-+				TLScontext, SSL_shutdown, NULL, NULL, NULL, 0);
-+	    if (retval == 0)
-+		do_tls_operation(vstream_fileno(stream), timeout, TLScontext,
-+				SSL_shutdown, NULL, NULL, NULL, 0);
-+	}
-+	/*
-+	 * Free the SSL structure and the BIOs. Warning: the internal_bio is
-+	 * connected to the SSL structure and is automatically freed with
-+	 * it. Do not free it again (core dump)!!
-+	 * Only free the network_bio.
-+	 */
-+	SSL_free(TLScontext->con);
-+	BIO_free(TLScontext->network_bio);
-+	myfree((char *)TLScontext);
-+        vstream_control(stream,
-+		    VSTREAM_CTL_READ_FN, (VSTREAM_FN) NULL,
-+		    VSTREAM_CTL_WRITE_FN, (VSTREAM_FN) NULL,
-+		    VSTREAM_CTL_CONTEXT, (void *) NULL,
-+		    VSTREAM_CTL_END);
-+	SSL_CTX_flush_sessions(ctx, time(NULL));
-+
-+	pfixtls_stir_seed();
-+	pfixtls_exchange_seed();
-+
-+	*tls_info = tls_info_zero;
-+	pfixtls_serveractive = 0;
-+
-+    }
-+
-+    return (0);
-+}
-+
-+
-+ /*
-+  * This is the setup routine for the SSL client. As smtpd might be called
-+  * more than once, we only want to do the initialization one time.
-+  *
-+  * The skeleton of this function is taken from OpenSSL apps/s_client.c.
-+  */
-+
-+int     pfixtls_init_clientengine(int verifydepth)
-+{
-+    int     off = 0;
-+    int     verify_flags = SSL_VERIFY_NONE;
-+    int     rand_bytes;
-+    int     rand_source_dev_fd;
-+    int     rand_source_socket_fd;
-+    unsigned char buffer[255];
-+    char   *CApath;
-+    char   *CAfile;
-+    char   *c_cert_file;
-+    char   *c_key_file;
-+
-+
-+    if (pfixtls_clientengine)
-+	return (0);				/* already running */
-+
-+    if (var_smtp_tls_loglevel >= 2)
-+	msg_info("starting TLS engine");
-+
-+    /*
-+     * Initialize the OpenSSL library by the book!
-+     * To start with, we must initialize the algorithms.
-+     * We want cleartext error messages instead of just error codes, so we
-+     * load the error_strings.
-+     */ 
-+    SSL_load_error_strings();
-+    OpenSSL_add_ssl_algorithms();
-+
-+ /*
-+  * Side effect, call a non-existing function to disable TLS usage with an
-+  * outdated OpenSSL version. There is a security reason (verify_result
-+  * is not stored with the session data).
-+  */
-+#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
-+    needs_openssl_095_or_later();
-+#endif
-+
-+    /*
-+     * Initialize the PRNG Pseudo Random Number Generator with some seed.
-+     */
-+    randseed.pid = getpid();
-+    GETTIMEOFDAY(&randseed.tv);
-+    RAND_seed(&randseed, sizeof(randseed_t));
-+
-+    /*
-+     * Access the external sources for random seed. We will only query them
-+     * once, this should be sufficient and we will stir our entropy by using
-+     * the prng-exchange file anyway.
-+     * For reliability, we don't consider failure to access the additional
-+     * source fatal, as we can run happily without it (considering that we
-+     * still have the exchange-file). We also don't care how much entropy
-+     * we get back, as we must run anyway. We simply stir in the buffer
-+     * regardless how many bytes are actually in it.
-+     */
-+    if (*var_tls_daemon_rand_source) {
-+	if (!strncmp(var_tls_daemon_rand_source, "dev:", 4)) {
-+	    /*
-+	     * Source is a random device
-+	     */
-+	    rand_source_dev_fd = open(var_tls_daemon_rand_source + 4, 0, 0);
-+	    if (rand_source_dev_fd == -1) 
-+		msg_info("Could not open entropy device %s",
-+			  var_tls_daemon_rand_source);
-+	    else {
-+		if (var_tls_daemon_rand_bytes > 255)
-+		    var_tls_daemon_rand_bytes = 255;
-+	        read(rand_source_dev_fd, buffer, var_tls_daemon_rand_bytes);
-+		RAND_seed(buffer, var_tls_daemon_rand_bytes);
-+		close(rand_source_dev_fd);
-+	    }
-+	} else if (!strncmp(var_tls_daemon_rand_source, "egd:", 4)) {
-+	    /*
-+	     * Source is a EGD compatible socket
-+	     */
-+	    rand_source_socket_fd = unix_connect(var_tls_daemon_rand_source +4,
-+						 BLOCKING, 10);
-+	    if (rand_source_socket_fd == -1)
-+		msg_info("Could not connect to %s", var_tls_daemon_rand_source);
-+	    else {
-+		if (var_tls_daemon_rand_bytes > 255)
-+		    var_tls_daemon_rand_bytes = 255;
-+		buffer[0] = 1;
-+		buffer[1] = var_tls_daemon_rand_bytes;
-+		if (write(rand_source_socket_fd, buffer, 2) != 2)
-+		    msg_info("Could not talk to %s",
-+			     var_tls_daemon_rand_source);
-+		else if (read(rand_source_socket_fd, buffer, 1) != 1)
-+		    msg_info("Could not read info from %s",
-+			     var_tls_daemon_rand_source);
-+		else {
-+		    rand_bytes = buffer[0];
-+		    read(rand_source_socket_fd, buffer, rand_bytes);
-+		    RAND_seed(buffer, rand_bytes);
-+		}
-+		close(rand_source_socket_fd);
-+	    }
-+	} else {
-+	    RAND_load_file(var_tls_daemon_rand_source,
-+			   var_tls_daemon_rand_bytes);
-+	}
-+    }
-+
-+    if (*var_tls_rand_exch_name) {
-+	rand_exch_fd = open(var_tls_rand_exch_name, O_RDWR | O_CREAT, 0600);
-+	if (rand_exch_fd != -1)
-+	    pfixtls_exchange_seed();
-+    }
-+
-+    randseed.pid = getpid();
-+    GETTIMEOFDAY(&randseed.tv);
-+    RAND_seed(&randseed, sizeof(randseed_t));
-+
-+    /*
-+     * The SSL/TLS speficications require the client to send a message in
-+     * the oldest specification it understands with the highest level it
-+     * understands in the message.
-+     * RFC2487 is only specified for TLSv1, but we want to be as compatible
-+     * as possible, so we will start off with a SSLv2 greeting allowing
-+     * the best we can offer: TLSv1.
-+     * We can restrict this with the options setting later, anyhow.
-+     */
-+    ctx = SSL_CTX_new(SSLv23_client_method());
-+    if (ctx == NULL) {
-+	pfixtls_print_errors();
-+	return (-1);
-+    };
-+
-+    /*
-+     * Here we might set SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1.
-+     * Of course, the last one would not make sense, since RFC2487 is only
-+     * defined for TLS, but we don't know what is out there. So leave things
-+     * completely open, as of today.
-+     */
-+    off |= SSL_OP_ALL;		/* Work around all known bugs */
-+    SSL_CTX_set_options(ctx, off);
-+
-+    /*
-+     * Set the info_callback, that will print out messages during
-+     * communication on demand.
-+     */
-+    if (var_smtp_tls_loglevel >= 2)
-+	SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
-+
-+    /*
-+     * Set the list of ciphers, if explicitely given; otherwise the
-+     * (reasonable) default list is kept.
-+     */
-+    if (strlen(var_smtp_tls_cipherlist) != 0)
-+	if (SSL_CTX_set_cipher_list(ctx, var_smtp_tls_cipherlist) == 0) {
-+	    pfixtls_print_errors();
-+	    return (-1);
-+	}
-+
-+    /*
-+     * Now we must add the necessary certificate stuff: A client key, a
-+     * client certificate, and the CA certificates for both the client
-+     * cert and the verification of server certificates.
-+     * In fact, we do not need a client certificate,  so the certificates
-+     * are only loaded (and checked), if supplied. A clever client would
-+     * handle multiple client certificates and decide based on the list
-+     * of acceptable CAs, sent by the server, which certificate to submit.
-+     * OpenSSL does however not do this and also has no callback hoods to
-+     * easily realize it.
-+     *
-+     * As provided by OpenSSL we support two types of CA certificate handling:
-+     * One possibility is to add all CA certificates to one large CAfile,
-+     * the other possibility is a directory pointed to by CApath, containing
-+     * seperate files for each CA pointed on by softlinks named by the hash
-+     * values of the certificate.
-+     * The first alternative has the advantage, that the file is opened and
-+     * read at startup time, so that you don't have the hassle to maintain
-+     * another copy of the CApath directory for chroot-jail. On the other
-+     * hand, the file is not really readable.
-+     */ 
-+    if (strlen(var_smtp_tls_CAfile) == 0)
-+	CAfile = NULL;
-+    else
-+	CAfile = var_smtp_tls_CAfile;
-+    if (strlen(var_smtp_tls_CApath) == 0)
-+	CApath = NULL;
-+    else
-+	CApath = var_smtp_tls_CApath;
-+    if (CAfile || CApath) {
-+	if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
-+	    msg_info("TLS engine: cannot load CA data");
-+	    pfixtls_print_errors();
-+	    return (-1);
-+	}
-+	if (!SSL_CTX_set_default_verify_paths(ctx)) {
-+	    msg_info("TLS engine: cannot set verify paths");
-+	    pfixtls_print_errors();
-+	    return (-1);
-+	}
-+    }
-+
-+    if (strlen(var_smtp_tls_cert_file) == 0)
-+	c_cert_file = NULL;
-+    else
-+	c_cert_file = var_smtp_tls_cert_file;
-+    if (strlen(var_smtp_tls_key_file) == 0)
-+	c_key_file = NULL;
-+    else
-+	c_key_file = var_smtp_tls_key_file;
-+    if (c_cert_file || c_key_file)
-+	if (!set_cert_stuff(ctx, c_cert_file, c_key_file)) {
-+	    msg_info("TLS engine: cannot load cert/key data");
-+	    pfixtls_print_errors();
-+	    return (-1);
-+	}
-+
-+    /*
-+     * Sometimes a temporary RSA key might be needed by the OpenSSL
-+     * library. The OpenSSL doc indicates, that this might happen when
-+     * export ciphers are in use. We have to provide one, so well, we
-+     * just do it.
-+     */
-+    SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_cb);
-+
-+    /*
-+     * Finally, the setup for the server certificate checking, done
-+     * "by the book".
-+     */
-+    SSL_CTX_set_verify(ctx, verify_flags, verify_callback);
-+
-+    /*
-+     * Initialize the session cache. We only want external caching to
-+     * synchronize between server sessions, so we set it to a minimum value
-+     * of 1. If the external cache is disabled, we won't cache at all.
-+     *
-+     * In case of the client, there is no callback used in OpenSSL, so
-+     * we must call the session cache functions manually during the process.
-+     */
-+    SSL_CTX_sess_set_cache_size(ctx, 1);
-+    SSL_CTX_set_timeout(ctx, var_smtp_tls_scache_timeout);
-+
-+    /*
-+     * The session cache is realized by an external database file, that
-+     * must be opened before going to chroot jail. Since the session cache
-+     * data can become quite large, "[n]dbm" cannot be used as it has a
-+     * size limit that is by far to small.
-+     */
-+    if (*var_smtp_tls_scache_db) {
-+	/*
-+	 * Insert a test against other dbms here, otherwise while writing
-+	 * a session (content to large), we will receive a fatal error!
-+	 */
-+	if (strncmp(var_smtp_tls_scache_db, "sdbm:", 5))
-+	    msg_warn("Only sdbm: type allowed for %s",
-+		     var_smtp_tls_scache_db);
-+	else
-+	    scache_db = dict_open(var_smtp_tls_scache_db, O_RDWR,
-+	      DICT_FLAG_DUP_REPLACE | DICT_FLAG_LOCK | DICT_FLAG_SYNC_UPDATE);
-+	if (!scache_db)
-+	    msg_warn("Could not open session cache %s",
-+		     var_smtp_tls_scache_db);
-+	/*
-+	 * It is practical to have OpenSSL automatically save newly created
-+	 * sessions for us by callback. Therefore we have to enable the
-+	 * internal session cache for the client side. Disable automatic
-+	 * clearing, as smtp has limited lifetime anyway and we can call
-+	 * the cleanup routine at will.
-+	 */
-+	SSL_CTX_set_session_cache_mode(ctx,
-+			SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_NO_AUTO_CLEAR);
-+	SSL_CTX_sess_set_new_cb(ctx, new_session_cb);
-+    }
-+   
-+    /*
-+     * Finally create the global index to access TLScontext information
-+     * inside verify_callback.
-+     */
-+    TLScontext_index = SSL_get_ex_new_index(0, "TLScontext ex_data index",
-+					    NULL, NULL, NULL);
-+    TLSpeername_index = SSL_SESSION_get_ex_new_index(0,
-+					    "TLSpeername ex_data index",
-+					    new_peername_func,
-+					    dup_peername_func,
-+					    free_peername_func);
-+
-+    pfixtls_clientengine = 1;
-+    return (0);
-+}
-+
-+ /*
-+  * This is the actual startup routine for the connection. We expect
-+  * that the buffers are flushed and the "220 Ready to start TLS" was
-+  * received by us, so that we can immediately can start the TLS
-+  * handshake process.
-+  */
-+int     pfixtls_start_clienttls(VSTREAM *stream, int timeout,
-+			        int enforce_peername,
-+				const char *peername,
-+				tls_info_t *tls_info)
-+{
-+    int     sts;
-+    SSL_SESSION *session, *old_session;
-+    SSL_CIPHER *cipher;
-+    X509   *peer;
-+    int     verify_flags;
-+    TLScontext_t *TLScontext;
-+
-+    if (!pfixtls_clientengine) {		/* should never happen */
-+	msg_info("tls_engine not running");
-+	return (-1);
-+    }
-+    if (var_smtpd_tls_loglevel >= 1)
-+	msg_info("setting up TLS connection to %s", peername);
-+
-+    /*
-+     * Allocate a new TLScontext for the new connection and get an SSL
-+     * structure. Add the location of TLScontext to the SSL to later
-+     * retrieve the information inside the verify_callback().
-+     */
-+    TLScontext = (TLScontext_t *)mymalloc(sizeof(TLScontext_t));
-+    if (!TLScontext) {
-+	msg_fatal("Could not allocate 'TLScontext' with mymalloc");
-+    }
-+    if ((TLScontext->con = (SSL *) SSL_new(ctx)) == NULL) {
-+	msg_info("Could not allocate 'TLScontext->con' with SSL_new()");
-+	pfixtls_print_errors();
-+	myfree((char *)TLScontext);
-+	return (-1);
-+    }
-+    if (!SSL_set_ex_data(TLScontext->con, TLScontext_index, TLScontext)) {
-+	msg_info("Could not set application data for 'TLScontext->con'");
-+	pfixtls_print_errors();
-+	SSL_free(TLScontext->con);
-+	myfree((char *)TLScontext);
-+	return (-1);
-+    }
-+
-+    /*
-+     * Set the verification parameters to be checked in verify_callback().
-+     */
-+    if (enforce_peername) {
-+	verify_flags = SSL_VERIFY_PEER;
-+	TLScontext->enforce_verify_errors = 1;
-+	TLScontext->enforce_CN = 1;
-+        SSL_set_verify(TLScontext->con, verify_flags, verify_callback);
-+    }
-+    else {
-+	TLScontext->enforce_verify_errors = 0;
-+	TLScontext->enforce_CN = 0;
-+    }
-+    TLScontext->hostname_matched = 0;
-+
-+    /*
-+     * The TLS connection is realized by a BIO_pair, so obtain the pair.
-+     */
-+    if (!BIO_new_bio_pair(&TLScontext->internal_bio, BIO_bufsiz,
-+			  &TLScontext->network_bio, BIO_bufsiz)) {
-+	msg_info("Could not obtain BIO_pair");
-+	pfixtls_print_errors();
-+	SSL_free(TLScontext->con);
-+	myfree((char *)TLScontext);
-+	return (-1);
-+    }
-+
-+    old_session = NULL;
-+
-+    /*
-+     * Find out the hashed HostID for the client cache and try to
-+     * load the session from the cache.
-+     */
-+    strncpy(TLScontext->peername_save, peername, ID_MAXLENGTH + 1);
-+    TLScontext->peername_save[ID_MAXLENGTH] = '\0';  /* just in case */
-+    (void)lowercase(TLScontext->peername_save);
-+    if (scache_db) {
-+	old_session = load_clnt_session(peername, enforce_peername);
-+	if (old_session) {
-+	   SSL_set_session(TLScontext->con, old_session);
-+#if (OPENSSL_VERSION_NUMBER < 0x00906011L) || (OPENSSL_VERSION_NUMBER == 0x00907000L)
-+	    /*
-+	     * Ugly Hack: OpenSSL before 0.9.6a does not store the verify
-+	     * result in sessions for the client side.
-+	     * We modify the session directly which is version specific,
-+	     * but this bug is version specific, too.
-+	     *
-+	     * READ: 0-09-06-01-1 = 0-9-6-a-beta1: all versions before
-+	     * beta1 have this bug, it has been fixed during development
-+	     * of 0.9.6a. The development version of 0.9.7 can have this
-+	     * bug, too. It has been fixed on 2000/11/29.
-+	     */
-+	    SSL_set_verify_result(TLScontext->con, old_session->verify_result);
-+#endif
-+	   
-+	}
-+    }
-+
-+    /*
-+     * Before really starting anything, try to seed the PRNG a little bit
-+     * more.
-+     */
-+    pfixtls_stir_seed();
-+    pfixtls_exchange_seed();
-+
-+    /*
-+     * Initialize the SSL connection to connect state. This should not be
-+     * necessary anymore since 0.9.3, but the call is still in the library
-+     * and maintaining compatibility never hurts.
-+     */
-+    SSL_set_connect_state(TLScontext->con);
-+
-+    /*
-+     * Connect the SSL-connection with the postfix side of the BIO-pair for
-+     * reading and writing.
-+     */
-+    SSL_set_bio(TLScontext->con, TLScontext->internal_bio,
-+		TLScontext->internal_bio);
-+
-+    /*
-+     * If the debug level selected is high enough, all of the data is
-+     * dumped: 3 will dump the SSL negotiation, 4 will dump everything.
-+     *
-+     * We do have an SSL_set_fd() and now suddenly a BIO_ routine is called?
-+     * Well there is a BIO below the SSL routines that is automatically
-+     * created for us, so we can use it for debugging purposes.
-+     */
-+    if (var_smtp_tls_loglevel >= 3)
-+	BIO_set_callback(SSL_get_rbio(TLScontext->con), bio_dump_cb);
-+
-+
-+    /* Dump the negotiation for loglevels 3 and 4 */
-+    if (var_smtp_tls_loglevel >= 3)
-+	do_dump = 1;
-+
-+    /*
-+     * Now we expect the negotiation to begin. This whole process is like a
-+     * black box for us. We totally have to rely on the routines build into
-+     * the OpenSSL library. The only thing we can do we already have done
-+     * by choosing our own callback certificate verification.
-+     *
-+     * Error handling:
-+     * If the SSL handhake fails, we print out an error message and remove
-+     * everything that might be there. A session has to be removed anyway,
-+     * because RFC2246 requires it. 
-+     */
-+    sts = do_tls_operation(vstream_fileno(stream), timeout, TLScontext,
-+			   SSL_connect, NULL, NULL, NULL, 0);
-+    if (sts <= 0) {
-+	msg_info("SSL_connect error to %s: %d", peername, sts);
-+	pfixtls_print_errors();
-+	session = SSL_get_session(TLScontext->con);
-+	if (session) {
-+	    SSL_CTX_remove_session(ctx, session);
-+	    if (var_smtp_tls_loglevel >= 2)
-+		msg_info("SSL session removed");
-+	}
-+	if ((old_session) && (!SSL_session_reused(TLScontext->con)))
-+	    SSL_SESSION_free(old_session);	/* Must also be removed */
-+	SSL_free(TLScontext->con);
-+	myfree((char *)TLScontext);
-+	return (-1);
-+    }
-+
-+    if (!SSL_session_reused(TLScontext->con)) {
-+	SSL_SESSION_free(old_session);	/* Remove unused session */
-+    }
-+    else if (var_smtp_tls_loglevel >= 3)
-+	msg_info("Reusing old session");
-+
-+    /* Only loglevel==4 dumps everything */
-+    if (var_smtp_tls_loglevel < 4)
-+	do_dump = 0;
-+
-+    /*
-+     * Lets see, whether a peer certificate is available and what is
-+     * the actual information. We want to save it for later use.
-+     */
-+    peer = SSL_get_peer_certificate(TLScontext->con);
-+    if (peer != NULL) {
-+	if (SSL_get_verify_result(TLScontext->con) == X509_V_OK)
-+	    tls_info->peer_verified = 1;
-+
-+	tls_info->hostname_matched = TLScontext->hostname_matched;
-+	TLScontext->peer_CN[0] = '\0';
-+	if (!X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
-+			NID_commonName, TLScontext->peer_CN, CCERT_BUFSIZ)) {
-+	    msg_info("Could not parse server's subject CN");
-+	    pfixtls_print_errors();
-+	}
-+	tls_info->peer_CN = TLScontext->peer_CN;
-+
-+	TLScontext->issuer_CN[0] = '\0';
-+	if (!X509_NAME_get_text_by_NID(X509_get_issuer_name(peer),
-+			NID_commonName, TLScontext->issuer_CN, CCERT_BUFSIZ)) {
-+	    msg_info("Could not parse server's issuer CN");
-+	    pfixtls_print_errors();
-+	}
-+	if (!TLScontext->issuer_CN[0]) {
-+	    /* No issuer CN field, use Organization instead */
-+	    if (!X509_NAME_get_text_by_NID(X509_get_issuer_name(peer),
-+		NID_organizationName, TLScontext->issuer_CN, CCERT_BUFSIZ)) {
-+		msg_info("Could not parse server's issuer Organization");
-+		pfixtls_print_errors();
-+	    }
-+	}
-+	tls_info->issuer_CN = TLScontext->issuer_CN;
-+
-+	if (var_smtp_tls_loglevel >= 1) {
-+	    if (tls_info->peer_verified)
-+		msg_info("Verified: subject_CN=%s, issuer=%s",
-+			 TLScontext->peer_CN, TLScontext->issuer_CN);
-+	    else
-+		msg_info("Unverified: subject_CN=%s, issuer=%s",
-+			 TLScontext->peer_CN, TLScontext->issuer_CN);
-+	}
-+	X509_free(peer);
-+    }
-+
-+    /*
-+     * Finally, collect information about protocol and cipher for logging
-+     */ 
-+    tls_info->protocol = SSL_get_version(TLScontext->con);
-+    cipher = SSL_get_current_cipher(TLScontext->con);
-+    tls_info->cipher_name = SSL_CIPHER_get_name(cipher);
-+    tls_info->cipher_usebits = SSL_CIPHER_get_bits(cipher,
-+						 &(tls_info->cipher_algbits));
-+
-+    pfixtls_clientactive = 1;
-+
-+    /*
-+     * The TLS engine is active, switch to the pfixtls_timed_read/write()
-+     * functions.
-+     */
-+    vstream_control(stream,
-+		    VSTREAM_CTL_READ_FN, pfixtls_timed_read,
-+		    VSTREAM_CTL_WRITE_FN, pfixtls_timed_write,
-+		    VSTREAM_CTL_CONTEXT, (void *)TLScontext,
-+		    VSTREAM_CTL_END);
-+
-+    if (var_smtp_tls_loglevel >= 1)
-+	msg_info("TLS connection established to %s: %s with cipher %s (%d/%d bits)",
-+		 peername, tls_info->protocol, tls_info->cipher_name,
-+		 tls_info->cipher_usebits, tls_info->cipher_algbits);
-+
-+    pfixtls_stir_seed();
-+
-+    return (0);
-+}
-+
-+ /*
-+  * Shut down the TLS connection, that does mean: remove all the information
-+  * and reset the flags! This is needed if the actual running smtp is to
-+  * be restarted. We do not give back any value, as there is nothing to
-+  * be reported.
-+  * Since our session cache is external, we will remove the session from
-+  * memory in any case. The SSL_CTX_flush_sessions might be redundant here,
-+  * I however want to make sure nothing is left.
-+  * RFC2246 requires us to remove sessions if something went wrong, as
-+  * indicated by the "failure" value,so we remove it from the external
-+  * cache, too.
-+  */
-+int     pfixtls_stop_clienttls(VSTREAM *stream, int timeout, int failure,
-+			       tls_info_t *tls_info)
-+{
-+    TLScontext_t *TLScontext;
-+    int retval;
-+
-+    if (pfixtls_clientactive) {
-+	TLScontext = (TLScontext_t *)vstream_context(stream);
-+	/*
-+	 * Perform SSL_shutdown() twice, as the first attempt may return
-+	 * to early: it will only send out the shutdown alert but it will
-+	 * not wait for the peer's shutdown alert. Therefore, when we are
-+	 * the first party to send the alert, we must call SSL_shutdown()
-+	 * again.
-+	 * On failure we don't want to resume the session, so we will not
-+	 * perform SSL_shutdown() and the session will be removed as being
-+	 * bad.
-+	 */
-+	if (!failure) {
-+	    retval = do_tls_operation(vstream_fileno(stream), timeout,
-+				TLScontext, SSL_shutdown, NULL, NULL, NULL, 0);
-+	    if (retval == 0)
-+		do_tls_operation(vstream_fileno(stream), timeout, TLScontext,
-+				SSL_shutdown, NULL, NULL, NULL, 0);
-+	}
-+	/*
-+	 * Free the SSL structure and the BIOs. Warning: the internal_bio is
-+	 * connected to the SSL structure and is automatically freed with
-+	 * it. Do not free it again (core dump)!!
-+	 * Only free the network_bio.
-+	 */
-+	SSL_free(TLScontext->con);
-+	BIO_free(TLScontext->network_bio);
-+	myfree((char *)TLScontext);
-+	vstream_control(stream,
-+		    VSTREAM_CTL_READ_FN, (VSTREAM_FN) NULL,
-+		    VSTREAM_CTL_WRITE_FN, (VSTREAM_FN) NULL,
-+		    VSTREAM_CTL_CONTEXT, (void *) NULL,
-+		    VSTREAM_CTL_END);
-+	SSL_CTX_flush_sessions(ctx, time(NULL));
-+
-+	pfixtls_stir_seed();
-+	pfixtls_exchange_seed();
-+
-+	*tls_info = tls_info_zero;
-+	pfixtls_clientactive = 0;
-+
-+    }
-+
-+    return (0);
-+}
-+
-+
-+#endif /* USE_SSL */
-+#endif
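Review bot: the log-level check in front of the "setting up TLS connection to %s" message in pfixtls_start_clienttls tests `var_smtpd_tls_loglevel`, the server-side parameter, while every other check in this client routine tests `var_smtp_tls_loglevel`; change it to `if (var_smtp_tls_loglevel >= 1)` so that the client log level controls client logging. Also worth confirming the session reference counting: SSL_set_session() takes its own reference on old_session, yet the reference returned by load_clnt_session() is released only when the session was not reused (`SSL_SESSION_free(old_session);	/* Remove unused session */`), so the reused case appears to leak one SSL_SESSION reference per connection.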
-diff -urNad postfix-release/src/global/pfixtls.h /tmp/dpep.cXJuVH/postfix-release/src/global/pfixtls.h
---- postfix-release/src/global/pfixtls.h	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/global/pfixtls.h	2005-02-03 10:22:13.060096687 -0700
-@@ -0,0 +1,81 @@
-+/*++
-+/* NAME
-+/*      pfixtls 3h
-+/* SUMMARY
-+/*      TLS routines
-+/* SYNOPSIS
-+/*      include "pfixtls.h"
-+/* DESCRIPTION
-+/* .nf
-+/*--*/
-+
-+#ifndef PFIXTLS_H_INCLUDED
-+#define PFIXTLS_H_INCLUDED
-+
-+#if defined(HAS_SSL) && !defined(USE_SSL)
-+#define USE_SSL
-+#endif
-+
-+typedef struct {
-+    int     peer_verified;
-+    int     hostname_matched;
-+    char   *peer_subject;
-+    char   *peer_issuer;
-+    char   *peer_fingerprint;
-+    char   *peer_CN;
-+    char   *issuer_CN;
-+    const char *protocol;
-+    const char *cipher_name;
-+    int     cipher_usebits;
-+    int     cipher_algbits;
-+} tls_info_t;
-+
-+extern const tls_info_t tls_info_zero;
-+
-+#ifdef USE_SSL
-+
-+typedef struct {
-+    long scache_db_version;
-+    long openssl_version;
-+    time_t timestamp;		/* We could add other info here... */
-+    int enforce_peername;
-+} pfixtls_scache_info_t;
-+
-+extern const long scache_db_version;
-+extern const long openssl_version;
-+
-+int     pfixtls_timed_read(int fd, void *buf, unsigned len, int timout,
-+			   void *unused_timeout);
-+int     pfixtls_timed_write(int fd, void *buf, unsigned len, int timeout,
-+			    void *unused_timeout);
-+
-+extern int pfixtls_serverengine;
-+int     pfixtls_init_serverengine(int verifydepth, int askcert);
-+int     pfixtls_start_servertls(VSTREAM *stream, int timeout,
-+				const char *peername, const char *peeraddr,
-+				tls_info_t *tls_info, int require_cert);
-+int     pfixtls_stop_servertls(VSTREAM *stream, int timeout, int failure,
-+			       tls_info_t *tls_info);
-+
-+extern int pfixtls_clientengine;
-+int     pfixtls_init_clientengine(int verifydepth);
-+int     pfixtls_start_clienttls(VSTREAM *stream, int timeout,
-+				int enforce_peername,
-+				const char *peername,
-+				tls_info_t *tls_info);
-+int     pfixtls_stop_clienttls(VSTREAM *stream, int timeout, int failure,
-+			       tls_info_t *tls_info);
-+
-+#endif /* PFIXTLS_H_INCLUDED */
-+#endif
-+
-+/* LICENSE
-+/* .ad
-+/* .fi
-+/* AUTHOR(S)
-+/*	Lutz Jaenicke
-+/*	BTU Cottbus
-+/*	Allgemeine Elektrotechnik
-+/*	Universitaetsplatz 3-4
-+/*	D-03044 Cottbus, Germany
-+/*--*/
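Review bot: the `#endif` comments in pfixtls.h label the wrong directives: `#endif /* PFIXTLS_H_INCLUDED */` actually closes `#ifdef USE_SSL`, and the unlabeled `#endif` after it closes the include guard; move the guard comment to the last `#endif` and label the first one `/* USE_SSL */`. Two smaller points: `int timout` in the pfixtls_timed_read prototype is a typo for `timeout`, and the header uses `VSTREAM` and `time_t` without including vstream.h or time.h itself, so it only compiles when the including file happens to have pulled them in first.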
-diff -urNad postfix-release/src/global/resolve_local.c /tmp/dpep.cXJuVH/postfix-release/src/global/resolve_local.c
---- postfix-release/src/global/resolve_local.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/global/resolve_local.c	2005-02-03 10:22:13.060096687 -0700
-@@ -43,6 +43,7 @@
- #include <netinet/in.h>
- #include <arpa/inet.h>
- #include <string.h>
-+#include <netdb.h>
- 
- #ifndef INADDR_NONE
- #define INADDR_NONE 0xffffffff
-@@ -80,7 +81,12 @@
- {
-     char   *saved_addr = mystrdup(addr);
-     char   *dest;
-+#ifdef INET6
-+    struct addrinfo hints, *res, *res0;
-+    int error;
-+#else
-     struct in_addr ipaddr;
-+#endif
-     int     len;
- 
- #define RETURN(x) { myfree(saved_addr); return(x); }
-@@ -118,9 +124,28 @@
-     if (*dest == '[' && dest[len - 1] == ']') {
- 	dest++;
- 	dest[len -= 2] = 0;
-+#ifdef INET6
-+ 	memset(&hints, 0, sizeof(hints));
-+ 	hints.ai_family = PF_UNSPEC;
-+ 	hints.ai_socktype = SOCK_DGRAM;
-+	hints.ai_flags = AI_NUMERICHOST;
-+ 	error = getaddrinfo(dest, NULL, &hints, &res0);
-+ 	if (!error) {
-+ 	    for (res = res0; res; res = res->ai_next) {
-+ 		if (own_inet_addr(res->ai_addr) ||
-+			(res->ai_family == AF_INET &&
-+			proxy_inet_addr((struct in_addr *)&res->ai_addr))) {
-+ 		    freeaddrinfo(res0);
-+ 		    RETURN(1);
-+ 		}
-+ 	    }
-+ 	    freeaddrinfo(res0);
-+ 	}
-+#else
- 	if ((ipaddr.s_addr = inet_addr(dest)) != INADDR_NONE
- 	    && (own_inet_addr(&ipaddr) || proxy_inet_addr(&ipaddr)))
- 	    RETURN(1);
-+#endif
-     }
- 
-     /*
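Review bot: the proxy_inet_addr() call in the INET6 branch passes the wrong pointer: `proxy_inet_addr((struct in_addr *)&res->ai_addr)` takes the address of the `struct sockaddr *` member itself, so the function compares the bytes of a pointer rather than the IPv4 address. It should be `proxy_inet_addr(&((struct sockaddr_in *)res->ai_addr)->sin_addr)`; as written, bracketed addresses listed in proxy_interfaces are not recognised as local, which changes how mail addressed to them is routed. The added lines also mix a leading space with tab indentation, unlike the surrounding code.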
-diff -urNad postfix-release/src/global/wildcard_inet_addr.c /tmp/dpep.cXJuVH/postfix-release/src/global/wildcard_inet_addr.c
---- postfix-release/src/global/wildcard_inet_addr.c	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/global/wildcard_inet_addr.c	2005-02-03 10:22:13.060096687 -0700
-@@ -0,0 +1,81 @@
-+/* System library. */
-+
-+#include <sys_defs.h>
-+#include <netinet/in.h>
-+#include <arpa/inet.h>
-+#include <string.h>
-+#ifdef INET6
-+#include <sys/socket.h>
-+#endif
-+#include <netdb.h>
-+
-+#ifdef STRCASECMP_IN_STRINGS_H
-+#include <strings.h>
-+#endif
-+
-+/* Utility library. */
-+
-+#include <msg.h>
-+#include <mymalloc.h>
-+#include <inet_addr_list.h>
-+#include <inet_addr_local.h>
-+#include <inet_addr_host.h>
-+#include <stringops.h>
-+
-+/* Global library. */
-+
-+#include <mail_params.h>
-+#include <wildcard_inet_addr.h>
-+
-+/* Application-specific. */
-+static INET_ADDR_LIST addr_list;
-+
-+/* wildcard_inet_addr_init - initialize my own address list */
-+
-+static void wildcard_inet_addr_init(INET_ADDR_LIST *addr_list, int addr_family)
-+{
-+#ifdef INET6
-+    struct addrinfo hints, *res, *res0;
-+    char hbuf[NI_MAXHOST];
-+    int error;
-+    const int niflags = NI_NUMERICHOST | NI_WITHSCOPEID;
-+
-+    inet_addr_list_init(addr_list);
-+
-+    memset(&hints, 0, sizeof(hints));
-+    hints.ai_family = PF_UNSPEC;
-+    hints.ai_socktype = SOCK_STREAM;
-+    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
-+    error = getaddrinfo(NULL, "0", &hints, &res0);
-+    if (error)
-+	msg_fatal("could not get list of wildcard addresses");
-+    for (res = res0; res; res = res->ai_next) {
-+	if (addr_family > 0 && res->ai_family != addr_family)
-+	    continue;
-+	if (addr_family <= 0 && res->ai_family != AF_INET 
-+	    && res->ai_family != AF_INET6)
-+	    continue;
-+	if (getnameinfo(res->ai_addr, res->ai_addrlen, hbuf, sizeof(hbuf),
-+	    NULL, 0, niflags) != 0)
-+	    continue;
-+	if (inet_addr_host(addr_list, hbuf) == 0)
-+	    continue; /* msg_fatal("config variable %s: host not found: %s",
-+		      VAR_INET_INTERFACES, hbuf); */
-+    }
-+    freeaddrinfo(res0);
-+#else
-+    if (inet_addr_host(addr_list, "0.0.0.0") == 0)
-+	msg_fatal("config variable %s: host not found: %s",
-+		  VAR_INET_INTERFACES, "0.0.0.0");
-+#endif
-+}
-+
-+/* wildcard_inet_addr_list - return list of addresses */
-+
-+INET_ADDR_LIST *wildcard_inet_addr_list(int addr_family)
-+{
-+    if (addr_list.used == 0)
-+	wildcard_inet_addr_init(&addr_list, addr_family);
-+
-+    return (&addr_list);
-+}
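Review bot: a failure of inet_addr_host() inside the INET6 loop is skipped silently because the error is commented out (`continue; /* msg_fatal("config variable %s: host not found: %s",`), so wildcard_inet_addr_init() can return an empty list and master ends up with no listening sockets and no diagnostic; either restore the fatal error or at least log a warning. Two further points: `NI_WITHSCOPEID` is not a POSIX flag and needs a fallback definition on systems that lack it, and wildcard_inet_addr_list() caches on `addr_list.used == 0`, so a later call with a different addr_family quietly returns the list built for the first one.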
-diff -urNad postfix-release/src/global/wildcard_inet_addr.h /tmp/dpep.cXJuVH/postfix-release/src/global/wildcard_inet_addr.h
---- postfix-release/src/global/wildcard_inet_addr.h	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/global/wildcard_inet_addr.h	2005-02-03 10:22:13.061096464 -0700
-@@ -0,0 +1,36 @@
-+#ifndef _WILDCARD_INET_ADDR_H_INCLUDED_
-+#define _WILDCARD_INET_ADDR_H_INCLUDED_
-+
-+/*++
-+/* NAME
-+/*	wildcard_inet_addr_list 3h
-+/* SUMMARY
-+/*	grab the list of wildcard IP addresses.
-+/* SYNOPSIS
-+/*	#include <own_inet_addr.h>
-+/* DESCRIPTION
-+/* .nf
-+/*--*/
-+
-+ /*
-+  * System library.
-+  */
-+#include <netinet/in.h>
-+#ifdef INET6
-+#include <sys/socket.h>
-+#endif
-+
-+ /*
-+  * External interface.
-+  */
-+extern struct INET_ADDR_LIST *wildcard_inet_addr_list(int);
-+
-+/* LICENSE
-+/* .ad
-+/* .fi
-+/*	foo
-+/* AUTHOR(S)
-+/*	Jun-ichiro itojun Hagino
-+/*--*/
-+
-+#endif
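Review bot: the header's documentation block does not match the file: NAME gives `wildcard_inet_addr_list 3h` while the file is wildcard_inet_addr.h, SYNOPSIS says `#include <own_inet_addr.h>` instead of `#include <wildcard_inet_addr.h>`, and the LICENSE section still carries the placeholder `foo`. Since the prototype refers to `struct INET_ADDR_LIST`, the header should also include inet_addr_list.h (or forward-declare the struct) instead of relying on the including file to do so.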
-diff -urNad postfix-release/src/lmtp/lmtp_addr.c /tmp/dpep.cXJuVH/postfix-release/src/lmtp/lmtp_addr.c
---- postfix-release/src/lmtp/lmtp_addr.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/lmtp/lmtp_addr.c	2005-02-03 10:22:13.061096464 -0700
-@@ -166,7 +166,11 @@
-     /*
-      * Append the addresses for this host to the address list.
-      */
-+#ifdef INET6
-+    switch (dns_lookup_types(host, RES_DEFNAMES, &addr, (VSTRING *) 0, why, T_AAAA, T_A, NULL)) {
-+#else
-     switch (dns_lookup(host, T_A, RES_DEFNAMES, &addr, (VSTRING *) 0, why)) {
-+#endif
-     case DNS_OK:
- 	for (rr = addr; rr; rr = rr->next)
- 	    rr->pref = pref;
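Review bot: the new dns_lookup_types() call ends its variadic type list with `NULL` although the preceding arguments (`T_AAAA, T_A`) are ints; where NULL is defined as a pointer constant the terminator is read back with the wrong type, which is undefined behaviour, so close the list with `0`. The line also runs well past the 80-column width kept elsewhere in this file.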
-diff -urNad postfix-release/src/lmtp/lmtp.c /tmp/dpep.cXJuVH/postfix-release/src/lmtp/lmtp.c
---- postfix-release/src/lmtp/lmtp.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/lmtp/lmtp.c	2005-02-03 10:22:13.061096464 -0700
-@@ -163,6 +163,12 @@
- /* .IP "\fBlmtp_quit_timeout (300s)\fR"
- /*	The LMTP client time limit for sending the QUIT command, and for
- /*	receiving the server response.
-+/* .IP "\fBlmtp_bind_address ()\fR"
-+/*	Numerical source network address (IPv4) to bind to when making
-+/*	a connection.
-+/* .IP "\fBlmtp_bind_address6 ()\fR"
-+/*	Numerical source network address (IPv6) to bind to when making
-+/*	a connection.
- /* MISCELLANEOUS CONTROLS
- /* .ad
- /* .fi
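Review bot: the `lmtp_bind_address6` description should state that the value has to be written in square brackets, because lmtp_connect_addr() only uses the address when it is bracketed and otherwise warns `skip incorrectly bracketed IPv6 address` and falls back to the virtual-host bind; without that sentence an administrator who sets a plain IPv6 address gets a warning and a different source address than requested.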
-@@ -293,6 +299,8 @@
- char   *var_lmtp_sasl_passwd;
- bool    var_lmtp_sasl_enable;
- bool    var_lmtp_send_xforward;
-+char   *var_lmtp_bind_addr;
-+char   *var_lmtp_bind_addr6;
- 
-  /*
-   * Global variables.
-@@ -554,6 +562,8 @@
- 	VAR_ERROR_RCPT, DEF_ERROR_RCPT, &var_error_rcpt, 1, 0,
- 	VAR_LMTP_SASL_PASSWD, DEF_LMTP_SASL_PASSWD, &var_lmtp_sasl_passwd, 0, 0,
- 	VAR_LMTP_SASL_OPTS, DEF_LMTP_SASL_OPTS, &var_lmtp_sasl_opts, 0, 0,
-+	VAR_LMTP_BIND_ADDR, DEF_LMTP_BIND_ADDR, &var_lmtp_bind_addr, 0, 0,
-+	VAR_LMTP_BIND_ADDR6, DEF_LMTP_BIND_ADDR6, &var_lmtp_bind_addr6, 0, 0,
- 	0,
-     };
-     static CONFIG_INT_TABLE int_table[] = {
-diff -urNad postfix-release/src/lmtp/lmtp_connect.c /tmp/dpep.cXJuVH/postfix-release/src/lmtp/lmtp_connect.c
---- postfix-release/src/lmtp/lmtp_connect.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/lmtp/lmtp_connect.c	2005-02-03 10:22:13.062096241 -0700
-@@ -94,16 +94,23 @@
- #include <stringops.h>
- #include <host_port.h>
- #include <sane_connect.h>
-+#include <inet_addr_list.h>
- 
- /* Global library. */
- 
- #include <mail_params.h>
- #include <mail_proto.h>
-+#include <own_inet_addr.h>
- 
- /* DNS library. */
- 
- #include <dns.h>
- 
-+#ifdef INET6
-+#define GAI_STRERROR(error) \
-+	((error == EAI_SYSTEM) ? strerror(errno) : gai_strerror(error))
-+#endif
-+	
- /* Application-specific. */
- 
- #include "lmtp.h"
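Review bot: the new `GAI_STRERROR` macro expands to `strerror(errno)`, so this file needs errno.h and string.h included before the macro is used; neither appears in the visible include list. The line after the `#endif` contains only a tab and should be removed.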
-@@ -162,19 +169,221 @@
- 			      addr, addr, destination, why));
- }
- 
-+/* lmtp_force_bind: bind() address */
-+
-+static void lmtp_force_bind(const char *bind_addr,
-+			    const char *bind_var,
-+			    int sock,
-+			    int af)
-+{
-+    /*
-+     * If the bind() call fails, this is considered a non-fatal error.
-+     * All address conversion errors are fatal.
-+     */
-+    char   *myname = "lmtp_force_bind";
-+#ifdef INET6
-+    char    hbuf[NI_MAXHOST];
-+    int     aierr;
-+    struct addrinfo hints, *res;
-+
-+    memset(&hints, 0, sizeof(hints));
-+    hints.ai_family = af;
-+    hints.ai_socktype = SOCK_STREAM;
-+    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
-+    snprintf(hbuf, sizeof(hbuf), "%s", bind_addr);
-+    aierr = getaddrinfo(hbuf, NULL, &hints, &res);
-+    if (aierr == EAI_NONAME)
-+	msg_fatal("%s: bad %s parameter: \"%s\"",
-+		  myname, bind_var, bind_addr);
-+    if (aierr != 0) {
-+	if (msg_verbose)
-+	    msg_warn("%s: getaddrinfo(%s): %s",
-+		     myname, hbuf, GAI_STRERROR(aierr));
-+	return;
-+    }
-+    aierr = getnameinfo(res->ai_addr, res->ai_addrlen, hbuf, sizeof(hbuf),
-+			NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID);
-+    if (aierr != 0) {
-+	msg_warn("%s: getnameinfo(): %s",
-+		 myname, GAI_STRERROR(aierr));
-+	freeaddrinfo(res);
-+	return;
-+    }
-+    if (bind(sock, res->ai_addr, res->ai_addrlen) < 0)
-+	msg_warn("%s: bind %s: %m", myname, hbuf);
-+    else if (msg_verbose)
-+	msg_info("%s: bind %s", myname, hbuf);
-+    freeaddrinfo(res);
-+#else /* INET6 */
-+    struct sockaddr_in sin;
-+
-+    memset(&sin, 0, sizeof(sin));
-+    sin.sin_family = AF_INET;
-+#ifdef HAS_SA_LEN
-+    sin.sin_len = sizeof(sin);
-+#endif
-+    sin.sin_addr.s_addr = inet_addr(bind_addr);
-+    if (sin.sin_addr.s_addr == INADDR_NONE) {
-+	msg_fatal("%s: bad %s parameter: \"%s\"",
-+		  myname, bind_var, bind_addr);
-+	return;
-+    }
-+    if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
-+	msg_warn("%s: bind %s: %m", myname, inet_ntoa(sin.sin_addr));
-+    else if (msg_verbose)
-+	msg_info("%s: bind %s", myname, inet_ntoa(sin.sin_addr));
-+#endif /* INET6 */
-+}
-+
-+/* lmtp_virtual_bind - bind() when acting as virtual host */
-+
-+static void lmtp_virtual_bind(int sock, int af)
-+{
-+    char    *myname = "lmtp_virtual_bind";
-+    INET_ADDR_LIST *addr_list;
-+    int     count;
-+
-+#ifdef INET6
-+    int     i;
-+    char    hbuf[NI_MAXHOST];
-+    int     aierr;
-+    struct sockaddr *sa;
-+    struct addrinfo hints, *loopback = NULL, *res = NULL;
-+
-+    /*
-+     * Check whether we are acting as a virtual host
-+     */
-+    count = 0;
-+    addr_list = own_inet_addr_list();
-+    for (i = 0; count < 2 && i < addr_list->used; i++)
-+	if (((struct sockaddr *)&addr_list->addrs[i])->sa_family == af)
-+	    count++;
-+    if (count != 1)
-+	return;
-+
-+    /*
-+     * Bind the source address.
-+     */
-+    memset(&hints, 0, sizeof(hints));
-+    hints.ai_family = af;
-+    hints.ai_socktype = SOCK_STREAM;
-+    aierr = getaddrinfo(NULL, "0", &hints, &loopback);
-+    if (aierr != 0) {
-+	loopback = NULL;
-+	msg_warn("%s: getaddrinfo(\"0\"): %s",
-+		 myname, GAI_STRERROR(aierr));
-+    }
-+
-+    sa = (struct sockaddr *)&addr_list->addrs[i - 1];
-+    aierr = getnameinfo(sa, SA_LEN(sa), hbuf, sizeof(hbuf),
-+			NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID);
-+    if (aierr != 0)
-+	msg_fatal("%s: getnameinfo() (AF=%d): %s",
-+		  myname, af, GAI_STRERROR(aierr));
-+
-+    memset(&hints, 0, sizeof(hints));
-+    hints.ai_family = af;
-+    hints.ai_socktype = SOCK_STREAM;
-+    hints.ai_flags = AI_NUMERICHOST | AI_PASSIVE;
-+    aierr = getaddrinfo(hbuf, NULL, &hints, &res);
-+    if (aierr != 0)
-+	msg_fatal("%s: getaddrinfo(\"%s\"): %s",
-+		  myname, hbuf, GAI_STRERROR(aierr));
-+
-+    if (res->ai_addrlen != loopback->ai_addrlen
-+	|| memcmp(res->ai_addr, loopback->ai_addr, res->ai_addrlen) != 0) {
-+	if (bind(sock, res->ai_addr, res->ai_addrlen) < 0)
-+	    msg_warn("%s: bind %s: %m", myname, hbuf);
-+	else if (msg_verbose)
-+	    msg_info("%s: bind %s", myname, hbuf);
-+    } else if (msg_verbose) {
-+	msg_info("%s: not calling bind(): unusable source "
-+		 "address from \"%s\"", myname, hbuf);
-+    }
-+    if (res)
-+	freeaddrinfo(res);
-+    if (loopback)
-+	freeaddrinfo(loopback);
-+
-+#else /* INET6 */
-+
-+    struct sockaddr_in sin;
-+    unsigned long inaddr;	/*XXX BAD!*/
-+
-+    /*
-+     * Check whether we are acting as a virtual host
-+     */
-+    addr_list = own_inet_addr_list();
-+    count = addr_list->used;
-+    if (count != 1)
-+	return;
-+
-+    /*
-+     * Bind the source address.
-+     */
-+    memset(&sin, 0, sizeof(sin));
-+    sin.sin_family = AF_INET;
-+#ifdef HAS_SA_LEN
-+    sin.sin_len = sizeof(sin);
-+#endif
-+    memcpy((char *) &sin.sin_addr, addr_list->addrs, sizeof(sin.sin_addr));
-+    inaddr = (unsigned long)ntohl(sin.sin_addr.s_addr);
-+    if (!IN_CLASSA(inaddr)
-+	|| !(((inaddr & IN_CLASSA_NET) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)) {
-+	if (bind(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0)
-+	    msg_warn("%s: bind %s: %m", myname, inet_ntoa(sin.sin_addr));
-+	else if (msg_verbose)
-+	    msg_info("%s: bind %s", myname, inet_ntoa(sin.sin_addr));
-+    }
-+#endif /* INET6 */
-+}
-+
- /* lmtp_connect_addr - connect to explicit address */
- 
- static LMTP_SESSION *lmtp_connect_addr(DNS_RR *addr, unsigned port,
- 			              const char *destination, VSTRING *why)
- {
-     char   *myname = "lmtp_connect_addr";
--    struct sockaddr_in sin;
--    int     sock;
-+#ifdef INET6
-+    struct sockaddr_storage ss;
-+#else
-+    struct sockaddr ss;
-+#endif
-+    struct sockaddr *sa;
-+    struct sockaddr_in *sin;
-+#ifdef INET6
-+    struct sockaddr_in6 *sin6;
-+#endif
-+    SOCKADDR_SIZE salen;
-+#ifdef INET6
-+    char hbuf[NI_MAXHOST];
-+#else
-+    char hbuf[sizeof("255.255.255.255") + 1];
-+#endif
-+    int     sock = -1;
-+    INET_ADDR_LIST *addr_list;
-+    char    *bind_addr;
-+    char    *bind_var;
-+#ifdef INET6
-+    char    *addr6_ptr = NULL;
-+#endif
-+
-+    sa = (struct sockaddr *)&ss;
-+    sin = (struct sockaddr_in *)&ss;
-+#ifdef INET6
-+    sin6 = (struct sockaddr_in6 *)&ss;
-+#endif
- 
-     /*
-      * Sanity checks.
-      */
--    if (addr->data_len > sizeof(sin.sin_addr)) {
-+#ifdef INET6
-+    if (((addr->type==T_A) && (addr->data_len > sizeof(sin->sin_addr))) ||
-+	((addr->type==T_AAAA) && (addr->data_len > sizeof(sin6->sin6_addr))))
-+#else
-+    if (addr->data_len > sizeof(sin->sin_addr))
-+#endif
-+    {
- 	msg_warn("%s: skip address with length %d", myname, addr->data_len);
- 	lmtp_errno = LMTP_RETRY;
- 	return (0);
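Review bot: lmtp_virtual_bind() dereferences a null pointer on the INET6 path when `getaddrinfo(NULL, "0", &hints, &loopback)` fails: the failure branch sets `loopback = NULL` and only warns, but `res->ai_addrlen != loopback->ai_addrlen` a few lines further down uses it unconditionally; return after the warning, or skip the comparison, when loopback is NULL. In lmtp_force_bind(), a getaddrinfo() error other than EAI_NONAME is reported only under msg_verbose and the function returns without binding, so an administrator-configured source address can be ignored without any log entry; that warning should be unconditional. The `return;` after msg_fatal() in the non-INET6 branch is unreachable.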
-@@ -183,25 +392,93 @@
-     /*
-      * Initialize.
-      */
--    memset((char *) &sin, 0, sizeof(sin));
--    sin.sin_family = AF_INET;
-+    switch (addr->type) {
-+#ifdef INET6
-+    case T_AAAA:
-+	bind_addr = "";
-+	bind_var = VAR_LMTP_BIND_ADDR6;
-+	if (*var_lmtp_bind_addr6) {
-+	    addr6_ptr = mystrdup(var_lmtp_bind_addr6);
-+	    if (*addr6_ptr == '[' && addr6_ptr[strlen(addr6_ptr) - 1] == ']') {
-+		addr6_ptr[strlen(addr6_ptr) - 1] = 0;
-+		bind_addr = addr6_ptr + 1;
-+	    } else {
-+		msg_warn("%s: skip incorrectly bracketed IPv6 address in %s",
-+		    myname, VAR_LMTP_BIND_ADDR6);
-+	    }
-+	}
-+	memset(sin6, 0, sizeof(*sin6));
-+	sin6->sin6_family = AF_INET6;
-+	salen = sizeof(*sin6);
-+	break;
-+#endif
-+    default: /* T_A: */
-+	bind_addr = var_lmtp_bind_addr;
-+	bind_var = VAR_SMTP_BIND_ADDR;
-+	memset(sin, 0, sizeof(*sin));
-+	sin->sin_family = AF_INET;
-+	salen = sizeof(*sin);
-+	break;
-+    };
-+#ifdef HAS_SALEN
-+    sa->sa_len = salen;
-+#endif
- 
--    if ((sock = socket(sin.sin_family, SOCK_STREAM, 0)) < 0)
-+    if ((sock = socket(sa->sa_family, SOCK_STREAM, 0)) < 0)
- 	msg_fatal("%s: socket: %m", myname);
- 
-     /*
-+     * Allow the sysadmin to specify the source address
-+     */
-+
-+    if (bind_addr && *bind_addr) {
-+	lmtp_force_bind(bind_addr, bind_var, sock, sa->sa_family);
-+#ifdef INET6
-+	if (addr6_ptr)
-+	    myfree(addr6_ptr);
-+#endif
-+    } else {
-+	/*
-+	 * When running as a virtual host, bind to the virtual interface so that
-+	 * the mail appears to come from the "right" machine address.
-+	 */
-+	lmtp_virtual_bind(sock, sa->sa_family);
-+    }
-+
-+    /*
-      * Connect to the LMTP server.
-      */
--    sin.sin_port = port;
--    memcpy((char *) &sin.sin_addr, addr->data, sizeof(sin.sin_addr));
-+    switch (addr->type) {
-+#ifdef INET6
-+    case T_AAAA:
-+	/* XXX scope-unfriendly */
-+	memset(sin6, 0, sizeof(*sin6));
-+	sin6->sin6_port = port;
-+	sin6->sin6_family = AF_INET6;
-+	salen = sizeof(*sin6);
-+	memcpy(&sin6->sin6_addr, addr->data, sizeof(sin6->sin6_addr));
-+	inet_ntop(AF_INET6, &sin6->sin6_addr, hbuf, sizeof(hbuf));
-+	break;
-+#endif
-+    default: /* T_A: */
-+	memset(sin, 0, sizeof(*sin));
-+	sin->sin_port = port;
-+	sin->sin_family = AF_INET;
-+	salen = sizeof(*sin);
-+	memcpy(&sin->sin_addr, addr->data, sizeof(sin->sin_addr));
-+	inet_ntop(AF_INET, &sin->sin_addr, hbuf, sizeof(hbuf));
-+	break;
-+    }
-+#ifdef HAS_SA_LEN
-+    sa->sa_len = salen;
-+#endif
- 
-     if (msg_verbose)
- 	msg_info("%s: trying: %s[%s] port %d...",
--		 myname, addr->name, inet_ntoa(sin.sin_addr), ntohs(port));
-+		 myname, addr->name, hbuf, ntohs(port));
- 
--    return (lmtp_connect_sock(sock, (struct sockaddr *) & sin, sizeof(sin),
--			      addr->name, inet_ntoa(sin.sin_addr),
--			      destination, why));
-+    return (lmtp_connect_sock(sock, (struct sockaddr *)sa, salen,
-+			      addr->name, hbuf, destination, why));
- }
- 
- /* lmtp_connect_sock - connect a socket over some transport */
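Review bot: the T_A branch sets `bind_var = VAR_SMTP_BIND_ADDR;` although this is the LMTP client and the parameter registered in lmtp.c is VAR_LMTP_BIND_ADDR, so an invalid lmtp_bind_address value produces a fatal error that names the wrong parameter; use VAR_LMTP_BIND_ADDR, as the T_AAAA branch does for the IPv6 variant. The two `sa_len` assignments test different macros, `#ifdef HAS_SALEN` in the first switch and `#ifdef HAS_SA_LEN` in the second; only the latter matches the spelling used in lmtp_force_bind(), so the first block is dead. Finally, `addr6_ptr` is freed only inside `if (bind_addr && *bind_addr)`, so when the bracket check fails and bind_addr stays `""`, the mystrdup() result leaks on every connection.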
-diff -urNad postfix-release/src/lmtp/lmtp_sasl_glue.c /tmp/dpep.cXJuVH/postfix-release/src/lmtp/lmtp_sasl_glue.c
---- postfix-release/src/lmtp/lmtp_sasl_glue.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/lmtp/lmtp_sasl_glue.c	2005-02-03 10:22:13.062096241 -0700
-@@ -197,6 +197,16 @@
-     return (SASL_OK);
- }
- 
-+static int lmtp_sasl_getpath(void * context, char ** path)
-+{
-+#if SASL_VERSION_MAJOR >= 2
-+    *path = strdup("/etc/postfix/sasl:/usr/lib/sasl2");
-+#else
-+    *path = strdup("/etc/postfix/sasl:/usr/lib/sasl");
-+#endif
-+    return SASL_OK;
-+}
-+
- /* lmtp_sasl_get_user - username lookup call-back routine */
- 
- static int lmtp_sasl_get_user(void *context, int unused_id, const char **result,
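Review bot: lmtp_sasl_getpath() hard-codes the plugin search path (`/etc/postfix/sasl:/usr/lib/sasl2`) in the source instead of taking it from a main.cf parameter, and its `context` argument is unused. Because the SASL library dlopen()s whatever mechanism modules it finds in these directories, the change should be documented together with the requirement that /etc/postfix/sasl is owned by root and not writable by the unprivileged Postfix user; otherwise the first entry in the path becomes a location from which code is loaded into the LMTP client.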
-@@ -298,6 +308,7 @@
-      */
-     static sasl_callback_t callbacks[] = {
- 	{SASL_CB_LOG, &lmtp_sasl_log, 0},
-+	{SASL_CB_GETPATH,&lmtp_sasl_getpath, 0},
- 	{SASL_CB_LIST_END, 0, 0}
-     };
- 
-diff -urNad postfix-release/src/master/master_ent.c /tmp/dpep.cXJuVH/postfix-release/src/master/master_ent.c
---- postfix-release/src/master/master_ent.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/master/master_ent.c	2005-02-03 10:22:13.063096018 -0700
-@@ -86,6 +86,10 @@
- #include <inet_addr_list.h>
- #include <inet_util.h>
- #include <inet_addr_host.h>
-+#include <inet_interfaces_to_af.h>
-+#ifdef INET6
-+#include <wildcard_inet_addr.h>
-+#endif
- 
- /* Global library. */
- 
-@@ -235,6 +239,7 @@
-     char   *bufp;
-     char   *atmp;
-     static char *saved_interfaces = 0;
-+    int     af;
- 
-     if (master_fp == 0)
- 	msg_panic("get_master_ent: config file not open");
-@@ -308,11 +313,12 @@
- 			  VSTREAM_PATH(master_fp), master_line, host);
- 	    inet_addr_list_uniq(MASTER_INET_ADDRLIST(serv));
- 	    serv->listen_fd_count = MASTER_INET_ADDRLIST(serv)->used;
--	} else if (strcasecmp(saved_interfaces, DEF_INET_INTERFACES) == 0) {
--	    MASTER_INET_ADDRLIST(serv) = 0;	/* wild-card */
--	    serv->listen_fd_count = 1;
- 	} else {
--	    MASTER_INET_ADDRLIST(serv) = own_inet_addr_list();	/* virtual */
-+	    af = inet_interfaces_to_af(var_inet_interfaces);
-+	    MASTER_INET_ADDRLIST(serv) =
-+		strcasecmp(saved_interfaces, INET_INTERFACES_ALL) ?
-+		own_inet_addr_list() :		/* virtual */
-+		wildcard_inet_addr_list(af);	/* wild-card */
- 	    inet_addr_list_uniq(MASTER_INET_ADDRLIST(serv));
- 	    serv->listen_fd_count = MASTER_INET_ADDRLIST(serv)->used;
- 	}
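Review bot: the new else branch calls wildcard_inet_addr_list(af) unconditionally, but the include hunk above only pulls in wildcard_inet_addr.h under #ifdef INET6, so a non-INET6 build compiles this call against an implicit declaration (or fails outright). Either include the header unconditionally or keep the old DEF_INET_INTERFACES wild-card branch for the non-INET6 case. Dropping the "MASTER_INET_ADDRLIST(serv) = 0; serv->listen_fd_count = 1;" path is also a behavioural change (one socket per address family instead of a single wild-card socket) that deserves a sentence in the patch description.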
-diff -urNad postfix-release/src/master/master_listen.c /tmp/dpep.cXJuVH/postfix-release/src/master/master_listen.c
---- postfix-release/src/master/master_listen.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/master/master_listen.c	2005-02-03 10:22:13.063096018 -0700
-@@ -64,13 +64,22 @@
- 
- #include "master.h"
- 
-+#ifdef INET6
-+#include <netdb.h>
-+#include <stdio.h>
-+#endif 
-+
- /* master_listen_init - enable connection requests */
- 
- void    master_listen_init(MASTER_SERV *serv)
- {
-     char   *myname = "master_listen_init";
-     char   *end_point;
--    int     n;
-+    int     n,m,tmpfd;
-+#ifdef INET6
-+    char hbuf[NI_MAXHOST];
-+    SOCKADDR_SIZE salen;
-+#endif
- 
-     /*
-      * Find out what transport we should use, then create one or more
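Review bot: style: the new "#endif " after the netdb.h/stdio.h includes carries trailing whitespace, and "int n,m,tmpfd;" should be spaced like the surrounding declarations; a short comment on m and tmpfd would help, since their purpose only becomes clear in the next hunk.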
-@@ -111,18 +120,31 @@
- 	    serv->listen_fd[0] =
- 		inet_listen(MASTER_INET_PORT(serv),
- 			    serv->max_proc > var_proc_limit ?
--			    serv->max_proc : var_proc_limit, NON_BLOCKING);
-+			    serv->max_proc : var_proc_limit, NON_BLOCKING, 1);
- 	    close_on_exec(serv->listen_fd[0], CLOSE_ON_EXEC);
- 	} else {				/* virtual or host:port */
--	    for (n = 0; n < serv->listen_fd_count; n++) {
-+	    for (m = n = 0; n < serv->listen_fd_count; n++) {
-+#ifdef INET6
-+		if (getnameinfo((struct sockaddr *)&MASTER_INET_ADDRLIST(serv)->addrs[n],
-+			SA_LEN((struct sockaddr *)&MASTER_INET_ADDRLIST(serv)->addrs[n]), 
-+			hbuf, sizeof(hbuf), NULL, 0, NI_NUMERICHOST)) {
-+		    strncpy(hbuf, "?????", sizeof(hbuf));
-+		}
-+		end_point = concatenate(hbuf, ":", MASTER_INET_PORT(serv), (char *) 0);
-+#else
- 		end_point = concatenate(inet_ntoa(MASTER_INET_ADDRLIST(serv)->addrs[n]),
- 				   ":", MASTER_INET_PORT(serv), (char *) 0);
--		serv->listen_fd[n]
-+#endif
-+		tmpfd
- 		    = inet_listen(end_point, serv->max_proc > var_proc_limit ?
--			     serv->max_proc : var_proc_limit, NON_BLOCKING);
--		close_on_exec(serv->listen_fd[n], CLOSE_ON_EXEC);
-+			     serv->max_proc : var_proc_limit, NON_BLOCKING, 0);
-+		if (tmpfd >= 0) {
-+		    serv->listen_fd[m] = tmpfd;
-+		    close_on_exec(serv->listen_fd[m++], CLOSE_ON_EXEC);
-+		}
- 		myfree(end_point);
- 	    }
-+	    serv->listen_fd_count=m;
- 	}
- 	break;
-     default:
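Review bot: the "if (tmpfd >= 0)" test in the virtual/host:port loop silently discards every address whose inet_listen() failed: no msg_warn() is emitted and listen_fd_count is quietly reduced to m, so a service can end up with zero listeners and master never says why. Log the failing end_point, and treat m == 0 as fatal instead of starting a service that listens on nothing. The extra trailing argument now passed to inet_listen() (1 in the plain-port case, 0 here) is not explained anywhere in this patch and should be documented.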
-diff -urNad postfix-release/src/qmqpd/qmqpd_peer.c /tmp/dpep.cXJuVH/postfix-release/src/qmqpd/qmqpd_peer.c
---- postfix-release/src/qmqpd/qmqpd_peer.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/qmqpd/qmqpd_peer.c	2005-02-03 10:22:13.064095795 -0700
-@@ -70,16 +70,23 @@
-     )
- #endif
- 
-+#ifdef INET6
-+#define GAI_STRERROR(error) \
-+	((error = EAI_SYSTEM) ? gai_strerror(error) : strerror(errno))
-+#endif
-+
- /* Utility library. */
- 
- #include <msg.h>
- #include <mymalloc.h>
- #include <valid_hostname.h>
- #include <stringops.h>
-+#ifdef INET6
-+#include <inet_addr_list.h>	/* for NI_WITHSCOPEID */
-+#endif
- 
- /* Global library. */
- 
--
- /* Application-specific. */
- 
- #include "qmqpd.h"
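Review bot: the GAI_STRERROR macro added in this hunk is wrong in two ways: "(error = EAI_SYSTEM)" assigns instead of compares, so every expansion overwrites the error code and the condition is always true, and the two arms are inverted relative to the same macro defined later in this patch in smtp_connect.c ("(error == EAI_SYSTEM) ? strerror(errno) : gai_strerror(error)"). As written, all qmqpd warnings print gai_strerror(EAI_SYSTEM) instead of the real cause. Copy the smtp_connect.c version, or better, define it once in a shared header.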
-@@ -88,16 +95,24 @@
- 
- void    qmqpd_peer_init(QMQPD_STATE *state)
- {
--    struct sockaddr_in sin;
--    SOCKADDR_SIZE len = sizeof(sin);
-+    char  *myname = "qmqpd_peer_init";
-+#ifdef INET6
-+    struct sockaddr_storage ss;
-+#else
-+    struct sockaddr ss;
-+    struct in_addr *in;
-     struct hostent *hp;
--    int     i;
-+#endif
-+    struct sockaddr *sa;
-+    SOCKADDR_SIZE len;
-+
-+    sa = (struct sockaddr *)&ss;
-+    len = sizeof(ss);
- 
-     /*
-      * Look up the peer address information.
-      */
--    if (getpeername(vstream_fileno(state->client),
--		    (struct sockaddr *) & sin, &len) >= 0) {
-+    if (getpeername(vstream_fileno(state->client), sa, &len) >= 0) {
- 	errno = 0;
-     }
- 
-@@ -112,16 +127,71 @@
-     /*
-      * Look up and "verify" the client hostname.
-      */
--    else if (errno == 0 && sin.sin_family == AF_INET) {
--	state->addr = mystrdup(inet_ntoa(sin.sin_addr));
--	hp = gethostbyaddr((char *) &(sin.sin_addr),
--			   sizeof(sin.sin_addr), AF_INET);
--	if (hp == 0) {
-+    else if (errno == 0 && (sa->sa_family == AF_INET
-+#ifdef INET6
-+			    || sa->sa_family == AF_INET6
-+#endif
-+             )) {
-+#ifdef INET6
-+	char hbuf[NI_MAXHOST];
-+	char abuf[NI_MAXHOST];
-+	char rabuf[NI_MAXHOST];
-+	struct addrinfo hints, *res0 = NULL, *res;
-+	char *colonp;
-+#else
-+	char abuf[sizeof("255.255.255.255") + 1];
-+	char *hbuf;
-+#endif
-+	int error = -1;
-+
-+#ifdef INET6
-+	error = getnameinfo(sa, len, abuf, sizeof(abuf), NULL, 0,
-+			    NI_NUMERICHOST | NI_WITHSCOPEID);
-+	if (error)
-+	    msg_fatal("%s: numeric getnameinfo lookup for peer: error %s",
-+		      myname, GAI_STRERROR(error));
-+	/*
-+	 * Convert IPv4-mapped IPv6 address to 'true' IPv4 address
-+	 * early on. We have no need for the mapped form in logging
-+	 * or access checks.
-+	 */
-+	if (sa->sa_family == AF_INET6
-+	    && IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)sa)->sin6_addr)
-+	    && (colonp = strrchr(abuf, ':')) != NULL) {
-+	    if (msg_verbose > 1)
-+		msg_info("%s: rewriting V4-mapped address \"%s\" to \"%s\"",
-+			 myname, abuf, colonp + 1);
-+	    state->addr = mystrdup(colonp + 1);
-+	} else {
-+	    state->addr = mystrdup(abuf);
-+	}
-+
-+	error = getnameinfo(sa, len, hbuf, sizeof(hbuf), NULL, 0, NI_NAMEREQD);
-+#else
-+	in = &((struct sockaddr_in *)sa)->sin_addr;
-+	inet_ntop(AF_INET, in, abuf, sizeof(abuf));
-+	state->addr = mystrdup(abuf);
-+	hbuf = NULL;
-+	hp = gethostbyaddr((char *)in, sizeof(*in), AF_INET);
-+	if (hp) {
-+	    error = 0;
-+	    hbuf = mystrdup(hp->h_name);
- 	    state->name = mystrdup(CLIENT_ATTR_UNKNOWN);
--	} else if (!valid_hostname(hp->h_name, DONT_GRIPE)) {
-+	} else {
-+	    error = 1;
-+	}
-+#endif
-+	if (error) {
-+	    state->name = mystrdup(CLIENT_ATTR_UNKNOWN);
-+#ifdef INET6
-+	    if (error != EAI_NONAME)
-+		msg_warn("%s: getnameinfo(%s,,,,,,NI_NAMEREQD) error %s",
-+			 myname, abuf, GAI_STRERROR(error));
-+#endif
-+	} else if (!valid_hostname(hbuf, DONT_GRIPE)) {
- 	    state->name = mystrdup(CLIENT_ATTR_UNKNOWN);
- 	} else {
--	    state->name = mystrdup(hp->h_name);	/* hp->name is clobbered!! */
-+	    state->name = mystrdup(hbuf);
- 
- 	    /*
- 	     * Reject the hostname if it does not list the peer address.
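Review bot: in the non-INET6 branch the old "state->name = mystrdup(CLIENT_ATTR_UNKNOWN);" context line now sits inside "if (hp) {", i.e. on the success path; a few lines later it is overwritten by "state->name = mystrdup(hbuf);" without being freed, and hbuf itself (a mystrdup() of hp->h_name) is never freed either. Drop the leftover assignment from the success branch and release hbuf once the verification block is done.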
-@@ -131,16 +201,52 @@
- 	state->name = mystrdup(CLIENT_ATTR_UNKNOWN); \
-     }
- 
-+#ifdef INET6
-+	    memset(&hints, 0, sizeof(hints));
-+	    hints.ai_family = AF_UNSPEC;
-+	    hints.ai_socktype = SOCK_STREAM;
-+	    error = getaddrinfo(state->name, NULL, &hints, &res0);
-+	    if (error) {
-+		msg_warn("%s: hostname %s verification failed: %s",
-+		         state->addr, state->name, GAI_STRERROR(error));
-+		REJECT_PEER_NAME(state);
-+	    } else {
-+		for (res = res0; res; res = res->ai_next) {
-+		    if (res->ai_family != sa->sa_family)
-+			continue;
-+		    error = getnameinfo(res->ai_addr, res->ai_addrlen,
-+			    rabuf, sizeof(rabuf), NULL, 0,
-+			    NI_NUMERICHOST | NI_WITHSCOPEID);
-+		    if (error) {
-+			msg_warn("%s: %s: hostname %s verification failed: %s",
-+				 myname, state->addr, state->name,
-+				 GAI_STRERROR(error));
-+			REJECT_PEER_NAME(state);
-+			break;
-+		    }
-+		    if (strcmp(state->addr, rabuf) == 0)
-+			break;	    /* keep peer name */
-+		}
-+		if (res == NULL) {
-+		    msg_warn("%s: %s: address not listed for hostname %s",
-+			     myname, state->addr, state->name);
-+		    REJECT_PEER_NAME(state);
-+		}
-+	    }
-+	    if (res0)
-+		freeaddrinfo(res0);
-+#else
- 	    hp = gethostbyname(state->name);	/* clobbers hp->name!! */
- 	    if (hp == 0) {
- 		msg_warn("%s: hostname %s verification failed: %s",
- 			 state->addr, state->name, HSTRERROR(h_errno));
- 		REJECT_PEER_NAME(state);
--	    } else if (hp->h_length != sizeof(sin.sin_addr)) {
-+	    } else if (hp->h_length != sizeof(*in)) {
- 		msg_warn("%s: hostname %s verification failed: bad address size %d",
- 			 state->addr, state->name, hp->h_length);
- 		REJECT_PEER_NAME(state);
- 	    } else {
-+		int i;
- 		for (i = 0; /* void */ ; i++) {
- 		    if (hp->h_addr_list[i] == 0) {
- 			msg_warn("%s: address not listed for hostname %s",
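Review bot: the IPv4-mapped rewrite in the previous hunk and the family filter here do not agree. For a client that arrives as ::ffff:a.b.c.d, state->addr becomes "a.b.c.d" while sa->sa_family is still AF_INET6, so "if (res->ai_family != sa->sa_family) continue;" skips every A record for the hostname, and the remaining AAAA records can never compare equal to an IPv4 string. Every IPv4 client on a dual-stack listener is therefore logged as "address not listed" and downgraded to unknown, which defeats hostname-based access checks. Compare against the mapped form as well, or switch the expected family to AF_INET when the address was rewritten.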
-@@ -148,12 +254,12 @@
- 			REJECT_PEER_NAME(state);
- 			break;
- 		    }
--		    if (memcmp(hp->h_addr_list[i],
--			       (char *) &sin.sin_addr,
--			       sizeof(sin.sin_addr)) == 0)
-+		    if (memcmp(hp->h_addr_list[i], (char *)in,
-+			       sizeof(*in)) == 0)
- 			break;			/* keep peer name */
- 		}
- 	    }
-+#endif
- 	}
-     }
- 
-diff -urNad postfix-release/src/smtp/Makefile.in /tmp/dpep.cXJuVH/postfix-release/src/smtp/Makefile.in
---- postfix-release/src/smtp/Makefile.in	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/Makefile.in	2005-02-03 10:22:13.064095795 -0700
-@@ -77,6 +77,7 @@
- smtp.o: ../../include/debug_peer.h
- smtp.o: ../../include/flush_clnt.h
- smtp.o: ../../include/mail_server.h
-+smtp.o: ../../include/pfixtls.h
- smtp.o: smtp.h
- smtp.o: smtp_sasl.h
- smtp_addr.o: smtp_addr.c
-@@ -96,6 +97,7 @@
- smtp_addr.o: ../../include/argv.h
- smtp_addr.o: ../../include/deliver_request.h
- smtp_addr.o: ../../include/recipient_list.h
-+smtp_addr.o: ../../include/pfixtls.h
- smtp_addr.o: smtp_addr.h
- smtp_chat.o: smtp_chat.c
- smtp_chat.o: ../../include/sys_defs.h
-@@ -116,6 +118,7 @@
- smtp_chat.o: ../../include/cleanup_user.h
- smtp_chat.o: ../../include/mail_error.h
- smtp_chat.o: ../../include/name_mask.h
-+smtp_chat.o: ../../include/pfixtls.h
- smtp_chat.o: smtp.h
- smtp_connect.o: smtp_connect.c
- smtp_connect.o: ../../include/sys_defs.h
-@@ -142,8 +145,12 @@
- smtp_connect.o: ../../include/mail_error.h
- smtp_connect.o: ../../include/name_mask.h
- smtp_connect.o: ../../include/dns.h
-+smtp_connect.o: ../../include/pfixtls.h
-+smtp_connect.o: ../../include/get_port.h
- smtp_connect.o: smtp.h
- smtp_connect.o: ../../include/argv.h
-+smtp_connect.o: ../../include/deliver_request.h
-+smtp_connect.o: ../../include/recipient_list.h
- smtp_connect.o: smtp_addr.h
- smtp_proto.o: smtp_proto.c
- smtp_proto.o: ../../include/sys_defs.h
-@@ -168,12 +175,14 @@
- smtp_proto.o: ../../include/rec_type.h
- smtp_proto.o: ../../include/off_cvt.h
- smtp_proto.o: ../../include/mark_corrupt.h
-+smtp_proto.o: ../../include/pfixtls.h
- smtp_proto.o: ../../include/quote_821_local.h
- smtp_proto.o: ../../include/quote_flags.h
- smtp_proto.o: ../../include/mail_proto.h
- smtp_proto.o: ../../include/attr.h
- smtp_proto.o: ../../include/mime_state.h
- smtp_proto.o: ../../include/header_opts.h
-+smtp_proto.o: ../../include/pfixtls.h
- smtp_proto.o: smtp.h
- smtp_proto.o: ../../include/argv.h
- smtp_proto.o: smtp_sasl.h
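Review bot: "smtp_proto.o: ../../include/pfixtls.h" is added twice in this hunk (once after mark_corrupt.h and again after header_opts.h); one of the two should go.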
-@@ -231,9 +240,12 @@
- smtp_session.o: ../../include/stringops.h
- smtp_session.o: ../../include/vstring.h
- smtp_session.o: smtp.h
-+smtp_session.o: ../../include/mail_params.h
-+smtp_session.o: ../../include/pfixtls.h
- smtp_session.o: ../../include/argv.h
- smtp_session.o: ../../include/deliver_request.h
- smtp_session.o: ../../include/recipient_list.h
-+smtp_session.o: ../../include/maps.h
- smtp_state.o: smtp_state.c
- smtp_state.o: ../../include/sys_defs.h
- smtp_state.o: ../../include/mymalloc.h
-@@ -247,6 +259,7 @@
- smtp_state.o: ../../include/argv.h
- smtp_state.o: ../../include/deliver_request.h
- smtp_state.o: ../../include/recipient_list.h
-+smtp_state.o: ../../include/pfixtls.h
- smtp_state.o: smtp_sasl.h
- smtp_trouble.o: smtp_trouble.c
- smtp_trouble.o: ../../include/sys_defs.h
-@@ -266,6 +279,7 @@
- smtp_trouble.o: ../../include/name_mask.h
- smtp_trouble.o: smtp.h
- smtp_trouble.o: ../../include/argv.h
-+smtp_trouble.o: ../../include/pfixtls.h
- smtp_unalias.o: smtp_unalias.c
- smtp_unalias.o: ../../include/sys_defs.h
- smtp_unalias.o: ../../include/htable.h
-@@ -278,3 +292,4 @@
- smtp_unalias.o: ../../include/argv.h
- smtp_unalias.o: ../../include/deliver_request.h
- smtp_unalias.o: ../../include/recipient_list.h
-+smtp_unalias.o: ../../include/pfixtls.h
-diff -urNad postfix-release/src/smtp/smtp_addr.c /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_addr.c
---- postfix-release/src/smtp/smtp_addr.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_addr.c	2005-02-03 10:22:13.065095572 -0700
-@@ -46,11 +46,11 @@
- /*
- /*	All routines either return a DNS_RR pointer, or return a null
- /*	pointer and set the \fIsmtp_errno\fR global variable accordingly:
--/* .IP SMTP_RETRY
-+/* .IP SMTP_ERR_RETRY
- /*	The request failed due to a soft error, and should be retried later.
--/* .IP SMTP_FAIL
-+/* .IP SMTP_ERR_FAIL
- /*	The request attempt failed due to a hard error.
--/* .IP SMTP_LOOP
-+/* .IP SMTP_ERR_LOOP
- /*	The local machine is the best mail exchanger.
- /* .PP
- /*	In addition, a textual description of the problem is made available
-@@ -132,18 +132,74 @@
- static void smtp_print_addr(char *what, DNS_RR *addr_list)
- {
-     DNS_RR *addr;
--    struct in_addr in_addr;
-+#ifdef INET6
-+    struct sockaddr_storage ss;
-+#else
-+    struct sockaddr ss;
-+#endif
-+    struct sockaddr_in *sin;
-+#ifdef INET6
-+    struct sockaddr_in6 *sin6;
-+    char   hbuf[NI_MAXHOST];
-+#else
-+    char   hbuf[sizeof("255.255.255.255") + 1];
-+#endif
- 
-     msg_info("begin %s address list", what);
-     for (addr = addr_list; addr; addr = addr->next) {
--	if (addr->data_len > sizeof(addr)) {
--	    msg_warn("skipping address length %d", addr->data_len);
--	} else {
--	    memcpy((char *) &in_addr, addr->data, sizeof(in_addr));
--	    msg_info("pref %4d host %s/%s",
--		     addr->pref, addr->name,
--		     inet_ntoa(in_addr));
-+	if (
-+#ifdef INET6
-+		addr->class && addr->class != C_IN
-+#else
-+		addr->class != C_IN
-+#endif
-+		) {
-+	    msg_warn("skipping unsupported address (class=%u)", addr->class);
-+	    continue;
- 	}
-+	switch (addr->type) {
-+	case T_A:
-+	    if (addr->data_len != sizeof(sin->sin_addr)) {
-+		msg_warn("skipping invalid address (AAAA, len=%u)",
-+		    addr->data_len);
-+		continue;
-+	    }
-+	    sin = (struct sockaddr_in *)&ss;
-+	    memset(sin, 0, sizeof(*sin));
-+	    sin->sin_family = AF_INET;
-+#ifdef HAS_SA_LEN
-+	    sin->sin_len = sizeof(*sin);
-+#endif
-+	    memcpy(&sin->sin_addr, addr->data, sizeof(sin->sin_addr));
-+	    break;
-+#ifdef INET6
-+	case T_AAAA:
-+	    if (addr->data_len != sizeof(sin6->sin6_addr)) {
-+		msg_warn("skipping invalid address (AAAA, len=%u)",
-+		    addr->data_len);
-+		continue;
-+	    }
-+	    sin6 = (struct sockaddr_in6 *)&ss;
-+	    memset(sin6, 0, sizeof(*sin6));
-+	    sin6->sin6_family = AF_INET6;
-+#ifdef HAS_SA_LEN
-+	    sin6->sin6_len = sizeof(*sin6);
-+#endif
-+	    memcpy(&sin6->sin6_addr, addr->data, sizeof(sin6->sin6_addr));
-+	    break;
-+#endif
-+	default:
-+	    msg_warn("skipping unsupported address (type=%u)", addr->type);
-+	    continue;
-+	}
-+
-+#ifdef INET6
-+	(void)getnameinfo((struct sockaddr *)&ss, SS_LEN(ss),
-+	    hbuf, sizeof(hbuf), NULL, 0, NI_NUMERICHOST);
-+#else
-+	(void)inet_ntop(AF_INET, &sin->sin_addr, hbuf, sizeof(hbuf));
-+#endif
-+	msg_info("pref %4d host %s/%s", addr->pref, addr->name, hbuf);
-     }
-     msg_info("end %s address list", what);
- }
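Review bot: the T_A case in smtp_print_addr() reports "skipping invalid address (AAAA, len=%u)"; the text was copied from the T_AAAA case and should say "A". Otherwise this is a clear improvement over the old "addr->data_len > sizeof(addr)" check, which compared the record length against the size of a pointer.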
-@@ -153,15 +209,23 @@
- static DNS_RR *smtp_addr_one(DNS_RR *addr_list, char *host, unsigned pref, VSTRING *why)
- {
-     char   *myname = "smtp_addr_one";
-+#ifndef INET6
-     struct in_addr inaddr;
--    DNS_FIXED fixed;
-     DNS_RR *addr = 0;
-     DNS_RR *rr;
-     struct hostent *hp;
-+#else
-+    struct addrinfo hints, *res0, *res;
-+    int error = -1;
-+    char *addr;
-+    size_t addrlen;
-+#endif
-+    DNS_FIXED fixed;
- 
-     if (msg_verbose)
- 	msg_info("%s: host %s", myname, host);
- 
-+#ifndef INET6
-     /*
-      * Interpret a numerical name as an address.
-      */
-@@ -228,6 +292,49 @@
-     /*
-      * No further alternatives for host lookup.
-      */
-+#else
-+    memset(&hints, 0, sizeof(hints));
-+    hints.ai_family = PF_UNSPEC;
-+    hints.ai_socktype = SOCK_STREAM;
-+    error = getaddrinfo(host, NULL, &hints, &res0);
-+    if (error) {
-+	switch (error) {
-+	case EAI_AGAIN:
-+	    smtp_errno = SMTP_ERR_RETRY;
-+	    break;
-+	default:
-+	    vstring_sprintf(why, "[%s]: %s", host,gai_strerror(error));
-+	    if (smtp_errno != SMTP_ERR_RETRY)
-+		smtp_errno = SMTP_ERR_FAIL;
-+	    break;
-+	}
-+	return (addr_list);
-+    }
-+    for (res = res0; res; res = res->ai_next) {
-+	memset((char *) &fixed, 0, sizeof(fixed));
-+	switch (res->ai_family) {
-+	case AF_INET6:
-+	    /* XXX not scope friendly */
-+	    fixed.type = T_AAAA;
-+	    addr = (char *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
-+	    addrlen = sizeof(struct in6_addr);
-+	    break;
-+	case AF_INET:
-+	    fixed.type = T_A;
-+	    addr = (char *)&((struct sockaddr_in *)res->ai_addr)->sin_addr;
-+	    addrlen = sizeof(struct in_addr);
-+	    break;
-+	default:
-+	    msg_warn("%s: unknown address family %d for %s",
-+	        myname, res->ai_family, host);
-+	    continue;
-+	}
-+	addr_list = dns_rr_append(addr_list,
-+	    dns_rr_create(host, &fixed, pref, addr, addrlen));
-+    }
-+    if (res0)
-+	freeaddrinfo(res0);
-+#endif
-     return (addr_list);
- }
- 
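Review bot: in the INET6 getaddrinfo() path the "case EAI_AGAIN" branch sets smtp_errno but never writes to "why", so a deferred delivery is reported with an empty reason; add the same vstring_sprintf() there. Also, the memset() leaves fixed.class at 0 for every record created in this loop, which is exactly why smtp_print_addr() above needs the "addr->class && addr->class != C_IN" special case; setting fixed.class = C_IN here removes the need for that kludge.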
-@@ -265,6 +372,9 @@
-     INET_ADDR_LIST *proxy;
-     DNS_RR *addr;
-     int     i;
-+#ifdef INET6
-+    struct sockaddr *sa;
-+#endif
- 
- #define INADDRP(x) ((struct in_addr *) (x))
- 
-@@ -272,27 +382,75 @@
-     proxy = proxy_inet_addr_list();
- 
-     for (addr = addr_list; addr; addr = addr->next) {
--
- 	/*
- 	 * Find out if this mail system is listening on this address.
- 	 */
--	for (i = 0; i < self->used; i++)
-+	for (i = 0; i < self->used; i++) {
-+#ifdef INET6
-+	    sa = (struct sockaddr *)&self->addrs[i];
-+	    switch(addr->type) {
-+	    case T_AAAA:
-+		/* XXX scope */
-+		if (sa->sa_family != AF_INET6)
-+		    break;
-+		if (memcmp(&((struct sockaddr_in6 *)sa)->sin6_addr,
-+			addr->data, sizeof(struct in6_addr)) == 0) {
-+		    return(addr);
-+		}
-+		break;
-+	    case T_A:
-+		if (sa->sa_family != AF_INET)
-+		    break;
-+		if (memcmp(&((struct sockaddr_in *)sa)->sin_addr,
-+			addr->data, sizeof(struct in_addr)) == 0) {
-+		    return(addr);
-+		}
-+		break;
-+	    }
-+#else
- 	    if (INADDRP(addr->data)->s_addr == self->addrs[i].s_addr) {
- 		if (msg_verbose)
- 		    msg_info("%s: found self at pref %d", myname, addr->pref);
- 		return (addr);
- 	    }
-+#endif
-+	}
-+    }
- 
-+    for (addr = addr_list; addr; addr = addr->next) {
- 	/*
- 	 * Find out if this mail system has a proxy listening on this
- 	 * address.
- 	 */
- 	for (i = 0; i < proxy->used; i++)
-+#ifdef INET6
-+	    sa = (struct sockaddr *)&proxy->addrs[i];
-+	    switch(addr->type) {
-+	    case T_AAAA:
-+		/* XXX scope */
-+		if (sa->sa_family != AF_INET6)
-+		    break;
-+		if (memcmp(&((struct sockaddr_in6 *)sa)->sin6_addr,
-+			addr->data, sizeof(struct in6_addr)) == 0) {
-+		    return(addr);
-+		}
-+		break;
-+	    case T_A:
-+		if (sa->sa_family != AF_INET)
-+		    break;
-+		if (memcmp(&((struct sockaddr_in *)sa)->sin_addr,
-+			addr->data, sizeof(struct in_addr)) == 0) {
-+		    return(addr);
-+		}
-+		break;
-+	    }
-+#else
- 	    if (INADDRP(addr->data)->s_addr == proxy->addrs[i].s_addr) {
- 		if (msg_verbose)
- 		    msg_info("%s: found proxy at pref %d", myname, addr->pref);
- 		return (addr);
- 	    }
-+#endif
-     }
- 
-     /*
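Review bot: the proxy loop "for (i = 0; i < proxy->used; i++)" did not get the braces that were added to the self loop above, yet its INET6 body is now two statements. Only "sa = (struct sockaddr *)&proxy->addrs[i];" is iterated; the switch/memcmp runs once after the loop, against the last proxy address, or, when proxy->used is 0, against whatever sa last pointed to in the self loop. Add the braces as in the first loop, and consider keeping the "found self"/"found proxy" verbose messages that the INET6 branches drop.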
-@@ -333,6 +491,29 @@
-     return (a->pref - b->pref);
- }
- 
-+#ifdef INET6
-+static int smtp_compare_pref_aaaa_first(DNS_RR *a, DNS_RR *b)
-+{
-+    if (a->pref != b->pref)
-+	return (a->pref - b->pref);
-+    if (a->type == T_AAAA)
-+	return -1;
-+    else if (b->type == T_AAAA)
-+	return 1;
-+    return 0;
-+}
-+
-+static int smtp_compare_host_aaaa_first(DNS_RR *a, DNS_RR *b)
-+{
-+    if (a->type == b->type)
-+	return 0;
-+    if (a->type == T_AAAA)
-+	return -1;
-+    return 1;
-+}
-+
-+#endif
-+
- /* smtp_domain_addr - mail exchanger address lookup */
- 
- DNS_RR *smtp_domain_addr(char *name, int misc_flags, VSTRING *why)
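Review bot: smtp_compare_pref_aaaa_first() is not a consistent ordering: when both records are AAAA with equal preference it returns -1 whichever way the arguments are passed, so a < b and b < a both hold and the sort result depends on the implementation. Return 0 when a->type == b->type, as smtp_compare_host_aaaa_first() just below already does.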
-@@ -440,7 +621,11 @@
- 	}
- 	if (addr_list && addr_list->next && var_smtp_rand_addr) {
- 	    addr_list = dns_rr_shuffle(addr_list);
-+#ifdef INET6
-+	    addr_list = dns_rr_sort(addr_list, smtp_compare_pref_aaaa_first);
-+#else
- 	    addr_list = dns_rr_sort(addr_list, smtp_compare_pref);
-+#endif
- 	}
- 	break;
-     case DNS_NOTFOUND:
-@@ -478,6 +663,10 @@
-     }
-     if (addr_list && addr_list->next && var_smtp_rand_addr)
- 	addr_list = dns_rr_shuffle(addr_list);
-+#ifdef INET6
-+    if (addr_list && addr_list->next)
-+	addr_list = dns_rr_sort(addr_list, smtp_compare_host_aaaa_first);
-+#endif
-     if (msg_verbose)
- 	smtp_print_addr(host, addr_list);
-     return (addr_list);
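Review bot: the dns_rr_sort(addr_list, smtp_compare_host_aaaa_first) call runs whenever the list has more than one entry, independent of var_smtp_rand_addr, so IPv6 is always tried before IPv4 with no parameter to turn that off. Document this in the patch description or tie it to a main.cf setting so sites with broken IPv6 transit can opt out.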
-diff -urNad postfix-release/src/smtp/smtp.c /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp.c
---- postfix-release/src/smtp/smtp.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp.c	2005-02-03 10:22:13.065095572 -0700
-@@ -225,6 +225,9 @@
- /* .IP "\fBsmtp_bind_address (empty)\fR"
- /*	An optional numerical network address that the SMTP client should
- /*	bind to when making a connection.
-+/* .IP "\fBsmtp_bind_address6 (empty)\fR"
-+/*	An optional numerical IPv6 network address that the SMTP client should
-+/*	bind to when making a connection.
- /* .IP "\fBsmtp_helo_name ($myhostname)\fR"
- /*	The hostname to send in the SMTP EHLO or HELO command.
- /* .IP "\fBsmtp_host_lookup (dns)\fR"
-@@ -284,6 +287,9 @@
- #include <mail_conf.h>
- #include <debug_peer.h>
- #include <flush_clnt.h>
-+#ifdef USE_TLS
-+#include <pfixtls.h>
-+#endif
- 
- /* Single server skeleton. */
- 
-@@ -322,6 +328,7 @@
- char   *var_smtp_sasl_passwd;
- bool    var_smtp_sasl_enable;
- char   *var_smtp_bind_addr;
-+char   *var_smtp_bind_addr6;
- bool    var_smtp_rand_addr;
- int     var_smtp_pix_thresh;
- int     var_smtp_pix_delay;
-@@ -333,6 +340,19 @@
- bool    var_smtp_send_xforward;
- int     var_smtp_mxaddr_limit;
- int     var_smtp_mxsess_limit;
-+#ifdef USE_TLS
-+bool    var_smtp_use_tls;
-+bool    var_smtp_enforce_tls;
-+char   *var_smtp_tls_per_site;
-+#ifdef USE_SSL
-+int     var_smtp_starttls_tmout;
-+char   *var_smtp_sasl_tls_opts;
-+char   *var_smtp_sasl_tls_verified_opts;
-+bool    var_smtp_tls_enforce_peername;
-+int     var_smtp_tls_scert_vd;
-+bool    var_smtp_tls_note_starttls_offer;
-+#endif
-+#endif
- 
-  /*
-   * Global variables. smtp_errno is set by the address lookup routines and by
-@@ -453,6 +473,18 @@
- 	msg_warn("%s is true, but SASL support is not compiled in",
- 		 VAR_SMTP_SASL_ENABLE);
- #endif
-+#ifdef USE_TLS
-+    /*
-+     * Initialize the TLS data before entering the chroot jail
-+     */
-+    if (var_smtp_use_tls || var_smtp_enforce_tls || var_smtp_tls_per_site[0])
-+#ifdef USE_SSL
-+	pfixtls_init_clientengine(var_smtp_tls_scert_vd);
-+#else
-+	msg_warn("TLS has been selected, but TLS support is not compiled in");
-+#endif
-+    smtp_tls_list_init();
-+#endif
- 
-     /*
-      * Flush client.
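Review bot: the TLS initialisation wraps a braceless "if (var_smtp_use_tls || var_smtp_enforce_tls || var_smtp_tls_per_site[0])" around two preprocessor arms, which reads as though smtp_tls_list_init() were part of the condition; add braces. More importantly, when USE_SSL is not compiled in but var_smtp_enforce_tls is set, the code only warns and the client carries on delivering in the clear, so a mandatory-TLS configuration degrades to plaintext with a single start-up warning; that combination should be msg_fatal().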
-@@ -493,9 +525,19 @@
- 	VAR_ERROR_RCPT, DEF_ERROR_RCPT, &var_error_rcpt, 1, 0,
- 	VAR_SMTP_SASL_PASSWD, DEF_SMTP_SASL_PASSWD, &var_smtp_sasl_passwd, 0, 0,
- 	VAR_SMTP_SASL_OPTS, DEF_SMTP_SASL_OPTS, &var_smtp_sasl_opts, 0, 0,
-+#ifdef USE_TLS
-+#ifdef USE_SSL
-+	VAR_SMTP_SASL_TLS_OPTS, DEF_SMTP_SASL_TLS_OPTS, &var_smtp_sasl_tls_opts, 0, 0,
-+	VAR_SMTP_SASL_TLSV_OPTS, DEF_SMTP_SASL_TLSV_OPTS, &var_smtp_sasl_tls_verified_opts, 0, 0,
-+#endif
-+#endif
- 	VAR_SMTP_BIND_ADDR, DEF_SMTP_BIND_ADDR, &var_smtp_bind_addr, 0, 0,
-+	VAR_SMTP_BIND_ADDR6, DEF_SMTP_BIND_ADDR6, &var_smtp_bind_addr6, 0, 0,
- 	VAR_SMTP_HELO_NAME, DEF_SMTP_HELO_NAME, &var_smtp_helo_name, 1, 0,
- 	VAR_SMTP_HOST_LOOKUP, DEF_SMTP_HOST_LOOKUP, &var_smtp_host_lookup, 1, 0,
-+#ifdef USE_TLS
-+	VAR_SMTP_TLS_PER_SITE, DEF_SMTP_TLS_PER_SITE, &var_smtp_tls_per_site, 0, 0,
-+#endif
- 	0,
-     };
-     static CONFIG_TIME_TABLE time_table[] = {
-@@ -511,12 +553,22 @@
- 	VAR_SMTP_QUIT_TMOUT, DEF_SMTP_QUIT_TMOUT, &var_smtp_quit_tmout, 1, 0,
- 	VAR_SMTP_PIX_THRESH, DEF_SMTP_PIX_THRESH, &var_smtp_pix_thresh, 0, 0,
- 	VAR_SMTP_PIX_DELAY, DEF_SMTP_PIX_DELAY, &var_smtp_pix_delay, 1, 0,
-+#ifdef USE_TLS
-+#ifdef USE_SSL
-+	VAR_SMTP_STARTTLS_TMOUT, DEF_SMTP_STARTTLS_TMOUT, &var_smtp_starttls_tmout, 1, 0,
-+#endif
-+#endif
- 	0,
-     };
-     static CONFIG_INT_TABLE int_table[] = {
- 	VAR_SMTP_LINE_LIMIT, DEF_SMTP_LINE_LIMIT, &var_smtp_line_limit, 0, 0,
- 	VAR_SMTP_MXADDR_LIMIT, DEF_SMTP_MXADDR_LIMIT, &var_smtp_mxaddr_limit, 0, 0,
- 	VAR_SMTP_MXSESS_LIMIT, DEF_SMTP_MXSESS_LIMIT, &var_smtp_mxsess_limit, 0, 0,
-+#ifdef USE_TLS
-+#ifdef USE_SSL
-+	VAR_SMTP_TLS_SCERT_VD, DEF_SMTP_TLS_SCERT_VD, &var_smtp_tls_scert_vd, 0, 0,
-+#endif
-+#endif
- 	0,
-     };
-     static CONFIG_BOOL_TABLE bool_table[] = {
-@@ -530,6 +582,14 @@
- 	VAR_SMTP_QUOTE_821_ENV, DEF_SMTP_QUOTE_821_ENV, &var_smtp_quote_821_env,
- 	VAR_SMTP_DEFER_MXADDR, DEF_SMTP_DEFER_MXADDR, &var_smtp_defer_mxaddr,
- 	VAR_SMTP_SEND_XFORWARD, DEF_SMTP_SEND_XFORWARD, &var_smtp_send_xforward,
-+#ifdef USE_TLS
-+	VAR_SMTP_USE_TLS, DEF_SMTP_USE_TLS, &var_smtp_use_tls,
-+	VAR_SMTP_ENFORCE_TLS, DEF_SMTP_ENFORCE_TLS, &var_smtp_enforce_tls,
-+#ifdef USE_SSL
-+	VAR_SMTP_TLS_ENFORCE_PN, DEF_SMTP_TLS_ENFORCE_PN, &var_smtp_tls_enforce_peername,
-+	VAR_SMTP_TLS_NOTEOFFER, DEF_SMTP_TLS_NOTEOFFER, &var_smtp_tls_note_starttls_offer,
-+#endif
-+#endif
- 	0,
-     };
- 
-diff -urNad postfix-release/src/smtp/smtp_connect.c /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_connect.c
---- postfix-release/src/smtp/smtp_connect.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_connect.c	2005-02-03 10:22:13.066095349 -0700
-@@ -46,6 +46,7 @@
- /* System library. */
- 
- #include <sys_defs.h>
-+#include <stdlib.h>
- #include <sys/socket.h>
- #include <netinet/in.h>
- #include <arpa/inet.h>
-@@ -86,37 +87,246 @@
- #include <debug_peer.h>
- #include <deliver_pass.h>
- #include <mail_error.h>
-+#ifdef USE_TLS
-+#include <pfixtls.h>
-+#endif
- 
- /* DNS library. */
- 
- #include <dns.h>
- 
-+#ifdef INET6
-+#define GAI_STRERROR(error) \
-+	((error == EAI_SYSTEM) ? strerror(errno) : gai_strerror(error))
-+#endif
-+
- /* Application-specific. */
- 
- #include "smtp.h"
- #include "smtp_addr.h"
- 
-+/* smtp_force_bind: bind() address */
-+
-+static void smtp_force_bind(const char *bind_addr,
-+			    const char *bind_var,
-+			    int sock,
-+			    int af)
-+{
-+    /*
-+     * If the bind() call fails, this is considered a non-fatal error.
-+     * All address conversion errors are fatal.
-+     */
-+    char   *myname = "smtp_force_bind";
-+#ifdef INET6
-+    char    hbuf[NI_MAXHOST];
-+    int     aierr;
-+    struct addrinfo hints, *res;
-+
-+    memset(&hints, 0, sizeof(hints));
-+    hints.ai_family = af;
-+    hints.ai_socktype = SOCK_STREAM;
-+    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
-+    snprintf(hbuf, sizeof(hbuf), "%s", bind_addr);
-+    aierr = getaddrinfo(hbuf, NULL, &hints, &res);
-+    if (aierr == EAI_NONAME)
-+	msg_fatal("%s: bad %s parameter: \"%s\"",
-+		  myname, bind_var, bind_addr);
-+    if (aierr != 0) {
-+	if (msg_verbose)
-+	    msg_warn("%s: getaddrinfo(%s): %s",
-+		     myname, hbuf, GAI_STRERROR(aierr));
-+	return;
-+    }
-+    aierr = getnameinfo(res->ai_addr, res->ai_addrlen, hbuf, sizeof(hbuf),
-+			NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID);
-+    if (aierr != 0) {
-+	msg_warn("%s: getnameinfo(): %s",
-+		 myname, GAI_STRERROR(aierr));
-+	freeaddrinfo(res);
-+	return;
-+    }
-+    if (bind(sock, res->ai_addr, res->ai_addrlen) < 0)
-+	msg_warn("%s: bind %s: %m", myname, hbuf);
-+    else if (msg_verbose)
-+	msg_info("%s: bind %s", myname, hbuf);
-+    freeaddrinfo(res);
-+#else /* INET6 */
-+    struct sockaddr_in sin;
-+
-+    memset(&sin, 0, sizeof(sin));
-+    sin.sin_family = AF_INET;
-+#ifdef HAS_SA_LEN
-+    sin.sin_len = sizeof(sin);
-+#endif
-+    sin.sin_addr.s_addr = inet_addr(bind_addr);
-+    if (sin.sin_addr.s_addr == INADDR_NONE) {
-+	msg_fatal("%s: bad %s parameter: \"%s\"",
-+		  myname, bind_var, bind_addr);
-+	return;
-+    }
-+    if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
-+	msg_warn("%s: bind %s: %m", myname, inet_ntoa(sin.sin_addr));
-+    else if (msg_verbose)
-+	msg_info("%s: bind %s", myname, inet_ntoa(sin.sin_addr));
-+#endif /* INET6 */
-+}
-+
-+/* smtp_virtual_bind - bind() when acting as virtual host */
-+
-+static void smtp_virtual_bind(int sock, int af)
-+{
-+    char    *myname = "smtp_virtual_bind";
-+    INET_ADDR_LIST *addr_list;
-+    int     count;
-+
-+#ifdef INET6
-+    int     i, pos;
-+    char    hbuf[NI_MAXHOST];
-+    int     aierr;
-+    struct sockaddr *sa;
-+    struct addrinfo hints, *loopback = NULL, *res = NULL;
-+
-+    /*
-+     * Check whether we are acting as a virtual host
-+     */
-+    count = 0;
-+    pos = 0;
-+    addr_list = own_inet_addr_list();
-+    for (i = 0; count < 2 && i < addr_list->used; i++)
-+	if (((struct sockaddr *)&addr_list->addrs[i])->sa_family == af)
-+	    count++, pos = i;
-+    if (count != 1)
-+	return;
-+
-+    /*
-+     * Bind the source address.
-+     */
-+    memset(&hints, 0, sizeof(hints));
-+    hints.ai_family = af;
-+    hints.ai_socktype = SOCK_STREAM;
-+    aierr = getaddrinfo(NULL, "0", &hints, &loopback);
-+    if (aierr != 0) {
-+	loopback = NULL;
-+	msg_warn("%s: getaddrinfo(\"0\"): %s",
-+		 myname, GAI_STRERROR(aierr));
-+    }
-+
-+    sa = (struct sockaddr *)&addr_list->addrs[pos];
-+    aierr = getnameinfo(sa, SA_LEN(sa), hbuf, sizeof(hbuf),
-+			NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID);
-+    if (aierr != 0)
-+	msg_fatal("%s: getnameinfo() (AF=%d): %s",
-+		  myname, af, GAI_STRERROR(aierr));
-+
-+    memset(&hints, 0, sizeof(hints));
-+    hints.ai_family = af;
-+    hints.ai_socktype = SOCK_STREAM;
-+    hints.ai_flags = AI_NUMERICHOST | AI_PASSIVE;
-+    aierr = getaddrinfo(hbuf, NULL, &hints, &res);
-+    if (aierr != 0)
-+	msg_fatal("%s: getaddrinfo(\"%s\"): %s",
-+		  myname, hbuf, GAI_STRERROR(aierr));
-+
-+    if (res->ai_addrlen != loopback->ai_addrlen
-+	|| memcmp(res->ai_addr, loopback->ai_addr, res->ai_addrlen) != 0) {
-+	if (bind(sock, res->ai_addr, res->ai_addrlen) < 0)
-+	    msg_warn("%s: bind %s: %m", myname, hbuf);
-+	else if (msg_verbose)
-+	    msg_info("%s: bind %s", myname, hbuf);
-+    } else if (msg_verbose) {
-+	msg_info("%s: not calling bind(): unusable source "
-+		 "address from \"%s\"", myname, hbuf);
-+    }
-+    if (res)
-+	freeaddrinfo(res);
-+    if (loopback)
-+	freeaddrinfo(loopback);
-+
-+#else /* INET6 */
-+
-+    struct sockaddr_in sin;
-+    unsigned long inaddr;	/*XXX BAD!*/
-+
-+    /*
-+     * Check whether we are acting as a virtual host
-+     */
-+    addr_list = own_inet_addr_list();
-+    count = addr_list->used;
-+    if (count != 1)
-+	return;
-+
-+    /*
-+     * Bind the source address.
-+     */
-+    memset(&sin, 0, sizeof(sin));
-+    sin.sin_family = AF_INET;
-+#ifdef HAS_SA_LEN
-+    sin.sin_len = sizeof(sin);
-+#endif
-+    memcpy((char *) &sin.sin_addr, addr_list->addrs, sizeof(sin.sin_addr));
-+    inaddr = (unsigned long)ntohl(sin.sin_addr.s_addr);
-+    if (!IN_CLASSA(inaddr)
-+	|| !(((inaddr & IN_CLASSA_NET) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)) {
-+	if (bind(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0)
-+	    msg_warn("%s: bind %s: %m", myname, inet_ntoa(sin.sin_addr));
-+	else if (msg_verbose)
-+	    msg_info("%s: bind %s", myname, inet_ntoa(sin.sin_addr));
-+    }
-+#endif /* INET6 */
-+}
-+
- /* smtp_connect_addr - connect to explicit address */
- 
--static SMTP_SESSION *smtp_connect_addr(DNS_RR *addr, unsigned port,
-+static SMTP_SESSION *smtp_connect_addr(char *dest, DNS_RR *addr, unsigned port,
- 				               VSTRING *why)
- {
-     char   *myname = "smtp_connect_addr";
--    struct sockaddr_in sin;
--    int     sock;
-+#ifdef INET6
-+    struct sockaddr_storage ss;
-+#else
-+    struct sockaddr ss;
-+#endif
-+    struct sockaddr *sa;
-+    struct sockaddr_in *sin;
-+#ifdef INET6
-+    struct sockaddr_in6 *sin6;
-+#endif
-+    SOCKADDR_SIZE salen;
-+#ifdef INET6
-+    char hbuf[NI_MAXHOST];
-+#else
-+    char hbuf[sizeof("255.255.255.255") + 1];
-+#endif
-+    int     sock = -1;
-     INET_ADDR_LIST *addr_list;
-     int     conn_stat;
-     int     saved_errno;
-     VSTREAM *stream;
-     int     ch;
--    unsigned long inaddr;
-+    char    *bind_addr;
-+    char    *bind_var;
-+#ifdef INET6
-+    char    *addr6_ptr = NULL;
-+#endif
-+
-+    sa = (struct sockaddr *)&ss;
-+    sin = (struct sockaddr_in *)&ss;
-+#ifdef INET6
-+    sin6 = (struct sockaddr_in6 *)&ss;
-+#endif
- 
-     smtp_errno = SMTP_ERR_NONE;			/* Paranoia */
- 
-     /*
-      * Sanity checks.
-      */
--    if (addr->data_len > sizeof(sin.sin_addr)) {
-+#ifdef INET6
-+    if (((addr->type==T_A) && (addr->data_len > sizeof(sin->sin_addr))) ||
-+	((addr->type==T_AAAA) && (addr->data_len > sizeof(sin6->sin6_addr))))
-+#else
-+    if (addr->data_len > sizeof(sin->sin_addr))
-+#endif
-+    {
- 	msg_warn("%s: skip address with length %d", myname, addr->data_len);
- 	smtp_errno = SMTP_ERR_RETRY;
- 	return (0);
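Review bot: `loopback` can be NULL at the comparison `res->ai_addrlen != loopback->ai_addrlen`: the `getaddrinfo(NULL, "0", ...)` failure branch above only warns and sets `loopback = NULL`, and nothing between the two guards against that, so a failed lookup turns into a NULL dereference in `smtp_virtual_bind()`. Either return after the warning (no source address is bound, which is the conservative outcome) or test `loopback != NULL` before comparing. In the non-INET6 branch the `/*XXX BAD!*/` next to `unsigned long inaddr` should say what is considered bad (the `ntohl()` result is 32 bits; the `unsigned long` cast is harmless but wider than needed) or the comment should be resolved rather than shipped.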
-@@ -125,65 +335,111 @@
-     /*
-      * Initialize.
-      */
--    memset((char *) &sin, 0, sizeof(sin));
--    sin.sin_family = AF_INET;
--
--    if ((sock = socket(sin.sin_family, SOCK_STREAM, 0)) < 0)
--	msg_fatal("%s: socket: %m", myname);
--
-+    switch (addr->type) {
-+#ifdef INET6
-+    case T_AAAA:
-+	bind_addr = "";
-+	bind_var = VAR_SMTP_BIND_ADDR6;
-+	if (*var_smtp_bind_addr6) {
-+	    addr6_ptr = mystrdup(var_smtp_bind_addr6);
-+	    if (*addr6_ptr == '[' && addr6_ptr[strlen(addr6_ptr) - 1] == ']') {
-+		addr6_ptr[strlen(addr6_ptr) - 1] = 0;
-+		bind_addr = addr6_ptr + 1;
-+	    } else {
-+		msg_warn("%s: skip incorrectly bracketed IPv6 address in %s",
-+		    myname, VAR_SMTP_BIND_ADDR6);
-+	    }
-+	}
-+	memset(sin6, 0, sizeof(*sin6));
-+	sin6->sin6_family = AF_INET6;
-+	salen = sizeof(*sin6);
-+	break;
-+#endif
-+    default: /* T_A: */
-+	bind_addr = var_smtp_bind_addr;
-+	bind_var = VAR_SMTP_BIND_ADDR;
-+	memset(sin, 0, sizeof(*sin));
-+	sin->sin_family = AF_INET;
-+	salen = sizeof(*sin);
-+	break;
-+    }
-+#ifdef HAS_SA_LEN
-+    sa->sa_len = salen;
-+#endif
-+    if ((sock = socket(sa->sa_family, SOCK_STREAM, 0)) < 0) {
-+#ifdef INET6
-+	if (addr6_ptr)
-+		myfree(addr6_ptr);
-+	vstring_sprintf(why, "socket to %s[%s]: %m",
-+                        addr->name, hbuf);
-+	if (errno != EAFNOSUPPORT)
-+#endif
-+	    msg_warn("%s: socket: %m", myname);
-+	smtp_errno = SMTP_ERR_RETRY;
-+	return (0);
-+    }
-+		    
-     /*
-      * Allow the sysadmin to specify the source address, for example, as "-o
-      * smtp_bind_address=x.x.x.x" in the master.cf file.
-      */
--    if (*var_smtp_bind_addr) {
--	sin.sin_addr.s_addr = inet_addr(var_smtp_bind_addr);
--	if (sin.sin_addr.s_addr == INADDR_NONE)
--	    msg_fatal("%s: bad %s parameter: %s",
--		      myname, VAR_SMTP_BIND_ADDR, var_smtp_bind_addr);
--	if (bind(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0)
--	    msg_warn("%s: bind %s: %m", myname, inet_ntoa(sin.sin_addr));
--	if (msg_verbose)
--	    msg_info("%s: bind %s", myname, inet_ntoa(sin.sin_addr));
--    }
--
--    /*
--     * When running as a virtual host, bind to the virtual interface so that
--     * the mail appears to come from the "right" machine address.
--     */
--    else if ((addr_list = own_inet_addr_list())->used == 1) {
--	memcpy((char *) &sin.sin_addr, addr_list->addrs, sizeof(sin.sin_addr));
--	inaddr = ntohl(sin.sin_addr.s_addr);
--	if (!IN_CLASSA(inaddr)
--	    || !(((inaddr & IN_CLASSA_NET) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)) {
--	    if (bind(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0)
--		msg_warn("%s: bind %s: %m", myname, inet_ntoa(sin.sin_addr));
--	    if (msg_verbose)
--		msg_info("%s: bind %s", myname, inet_ntoa(sin.sin_addr));
--	}
-+    if (bind_addr && *bind_addr) {
-+	smtp_force_bind(bind_addr, bind_var, sock, sa->sa_family);
-+#ifdef INET6
-+	if (addr6_ptr)
-+		myfree(addr6_ptr);
-+#endif
-+    } else {
-+	/*
-+	 * When running as a virtual host, bind to the virtual interface so that
-+	 * the mail appears to come from the "right" machine address.
-+	 */
-+	smtp_virtual_bind(sock, sa->sa_family);
-     }
- 
-     /*
-      * Connect to the SMTP server.
-      */
--    sin.sin_port = port;
--    memcpy((char *) &sin.sin_addr, addr->data, sizeof(sin.sin_addr));
-+    switch (addr->type) {
-+#ifdef INET6
-+    case T_AAAA:
-+	/* XXX scope unfriendly */
-+	memset(sin6, 0, sizeof(*sin6));
-+	sin6->sin6_port = port;
-+	sin6->sin6_family = AF_INET6;
-+	salen = sizeof(*sin6);
-+	memcpy(&sin6->sin6_addr, addr->data, sizeof(sin6->sin6_addr));
-+	inet_ntop(AF_INET6, &sin6->sin6_addr, hbuf, sizeof(hbuf));
-+	break;
-+#endif
-+    default: /* T_A */
-+	memset(sin, 0, sizeof(*sin));
-+	sin->sin_port = port;
-+	sin->sin_family = AF_INET;
-+	salen = sizeof(*sin);
-+	memcpy(&sin->sin_addr, addr->data, sizeof(sin->sin_addr));
-+	inet_ntop(AF_INET, &sin->sin_addr, hbuf, sizeof(hbuf));
-+	break;
-+    }
-+#ifdef HAS_SA_LEN
-+    sa->sa_len = salen;
-+#endif
- 
-     if (msg_verbose)
- 	msg_info("%s: trying: %s[%s] port %d...",
--		 myname, addr->name, inet_ntoa(sin.sin_addr), ntohs(port));
-+		 myname, addr->name, hbuf, ntohs(port));
-     if (var_smtp_conn_tmout > 0) {
- 	non_blocking(sock, NON_BLOCKING);
--	conn_stat = timed_connect(sock, (struct sockaddr *) & sin,
--				  sizeof(sin), var_smtp_conn_tmout);
-+	conn_stat = timed_connect(sock, sa, salen, var_smtp_conn_tmout);
- 	saved_errno = errno;
- 	non_blocking(sock, BLOCKING);
- 	errno = saved_errno;
-     } else {
--	conn_stat = sane_connect(sock, (struct sockaddr *) & sin, sizeof(sin));
-+	conn_stat = sane_connect(sock, sa, salen);
-     }
-     if (conn_stat < 0) {
- 	vstring_sprintf(why, "connect to %s[%s]: %m",
--			addr->name, inet_ntoa(sin.sin_addr));
-+			addr->name, hbuf);
- 	smtp_errno = SMTP_ERR_RETRY;
- 	close(sock);
- 	return (0);
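Review bot: `hbuf` is read before it is written: the socket-failure path does `vstring_sprintf(why, "socket to %s[%s]: %m", addr->name, hbuf)` while `hbuf` is only filled by `inet_ntop()` in the "Connect to the SMTP server" switch further down, so the error text reported to the queue manager contains uninitialised stack bytes. Move the address-formatting switch ahead of the `socket()` call (it does not depend on the socket), or format from `addr->data` at that point. There is also a leak of `addr6_ptr`: when `var_smtp_bind_addr6` is set but not bracketed, the warning branch leaves `bind_addr` as `""`, control takes the `smtp_virtual_bind()` else-branch, and only the bind branch and the socket-failure path call `myfree(addr6_ptr)`; free it unconditionally after the bind decision instead.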
-@@ -193,8 +449,8 @@
-      * Skip this host if it takes no action within some time limit.
-      */
-     if (read_wait(sock, var_smtp_helo_tmout) < 0) {
--	vstring_sprintf(why, "connect to %s[%s]: read timeout",
--			addr->name, inet_ntoa(sin.sin_addr));
-+	vstring_sprintf(why, "connect to %s [%s]: read timeout",
-+			addr->name, hbuf);
- 	smtp_errno = SMTP_ERR_RETRY;
- 	close(sock);
- 	return (0);
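Review bot: the rewritten message `"connect to %s [%s]: read timeout"` puts a space between the host name and the bracketed address, whereas the other messages in this function (`"connect to %s[%s]: %m"` above and the greeting message in the next hunk) keep the `%s[%s]` form. Drop the space so log consumers see a single format for the host[address] pair.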
-@@ -206,13 +462,17 @@
-     stream = vstream_fdopen(sock, O_RDWR);
-     if ((ch = VSTREAM_GETC(stream)) == VSTREAM_EOF) {
- 	vstring_sprintf(why, "connect to %s[%s]: server dropped connection without sending the initial SMTP greeting",
--			addr->name, inet_ntoa(sin.sin_addr));
-+			addr->name, hbuf);
- 	smtp_errno = SMTP_ERR_RETRY;
- 	vstream_fclose(stream);
- 	return (0);
-     }
-     vstream_ungetc(stream, ch);
--    return (smtp_session_alloc(stream, addr->name, inet_ntoa(sin.sin_addr)));
-+#ifndef USE_TLS
-+    return (smtp_session_alloc(stream, addr->name, hbuf));
-+#else
-+    return (smtp_session_alloc(dest, stream, addr->name, hbuf));
-+#endif
- }
- 
- /* smtp_parse_destination - parse destination */
-@@ -247,6 +507,7 @@
- 	    msg_fatal("unknown service: %s/%s", service, protocol);
- 	*portp = sp->s_port;
-     }
-+
-     return (buf);
- }
- 
-@@ -348,7 +609,7 @@
- 	    next = addr->next;
- 	    if (++addr_count == var_smtp_mxaddr_limit)
- 		next = 0;
--	    if ((state->session = smtp_connect_addr(addr, port, why)) != 0) {
-+	    if ((state->session = smtp_connect_addr(host, addr, port, why)) != 0) {
- 		state->features = 0;		/* XXX should be SESSION info */
- 		if (++sess_count == var_smtp_mxsess_limit)
- 		    next = 0;
-diff -urNad postfix-release/src/smtp/smtp.h /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp.h
---- postfix-release/src/smtp/smtp.h	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp.h	2005-02-03 10:22:13.066095349 -0700
-@@ -27,6 +27,9 @@
-   * Global library.
-   */
- #include <deliver_request.h>
-+#ifdef USE_TLS
-+#include <pfixtls.h>
-+#endif
- 
-  /*
-   * State information associated with each SMTP delivery. We're bundling the
-@@ -113,9 +116,20 @@
-     char   *addr;			/* mail exchanger */
-     char   *namaddr;			/* mail exchanger */
-     int     best;			/* most preferred host */
-+#ifdef USE_TLS
-+    int     tls_use_tls;		/* can do TLS */
-+    int     tls_enforce_tls;		/* must do TLS */
-+    int     tls_enforce_peername;	/* cert must match */
-+    tls_info_t tls_info;		/* TLS connection state */
-+#endif
- } SMTP_SESSION;
- 
-+#ifndef USE_TLS
- extern SMTP_SESSION *smtp_session_alloc(VSTREAM *, char *, char *);
-+#else
-+extern void smtp_tls_list_init(void);
-+extern SMTP_SESSION *smtp_session_alloc(char *, VSTREAM *, char *, char *);
-+#endif
- extern void smtp_session_free(SMTP_SESSION *);
- 
-  /*
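Review bot: declaring `smtp_session_alloc()` with two different arities under `#ifndef USE_TLS` / `#else` is fragile: the definition in smtp_session.c and every caller must mirror exactly the same `#ifdef`, and a mismatch surfaces only as a link-time or, worse, a silent argument-shift problem. Since `smtp_connect_addr()` now takes `dest` unconditionally, keep one prototype, `smtp_session_alloc(char *dest, VSTREAM *, char *, char *)`, for both builds and let the non-TLS build simply not use `dest`.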
-diff -urNad postfix-release/src/smtp/smtp_proto.c /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_proto.c
---- postfix-release/src/smtp/smtp_proto.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_proto.c	2005-02-03 10:22:13.067095126 -0700
-@@ -102,6 +102,9 @@
- #include <quote_821_local.h>
- #include <mail_proto.h>
- #include <mime_state.h>
-+#ifdef USE_TLS
-+#include <pfixtls.h>
-+#endif
- 
- /* Application-specific. */
- 
-@@ -184,6 +187,10 @@
- 	XFORWARD_HELO, SMTP_FEATURE_XFORWARD_HELO,
- 	0, 0,
-     };
-+#ifdef USE_TLS
-+    int     oldfeatures;
-+    int     rval;
-+#endif
- 
-     /*
-      * Prepare for disaster.
-@@ -257,6 +264,10 @@
- 	return (0);
-     }
- 
-+#ifdef USE_TLS
-+    if (var_smtp_always_ehlo)
-+	state->features |= SMTP_FEATURE_ESMTP;
-+#endif
-     /*
-      * Pick up some useful features offered by the SMTP server. XXX Until we
-      * have a portable routine to convert from string to off_t with proper
-@@ -268,6 +279,9 @@
-      * MicroSoft implemented AUTH based on an old draft.
-      */
-     lines = resp->str;
-+#ifdef USE_TLS
-+    oldfeatures = state->features;		/* remember */
-+#endif
-     while ((words = mystrtok(&lines, "\n")) != 0) {
- 	if (mystrtok(&words, "- ") && (word = mystrtok(&words, " \t=")) != 0) {
- 	    if (strcasecmp(word, "8BITMIME") == 0)
-@@ -288,6 +302,10 @@
- 			state->size_limit = off_cvt_string(word);
- 		}
- 	    }
-+#ifdef USE_TLS
-+	    else if (strcasecmp(word, "STARTTLS") == 0)
-+		state->features |= SMTP_FEATURE_STARTTLS;
-+#endif
- #ifdef USE_SASL_AUTH
- 	    else if (var_smtp_sasl_enable && strcasecmp(word, "AUTH") == 0)
- 		smtp_sasl_helo_auth(state, words);
-@@ -307,6 +325,130 @@
- 	msg_info("server features: 0x%x size %.0f",
- 		 state->features, (double) state->size_limit);
- 
-+#ifdef USE_TLS
-+#ifdef USE_SSL
-+    if ((state->features & SMTP_FEATURE_STARTTLS) &&
-+	(var_smtp_tls_note_starttls_offer) &&
-+	(!(session->tls_enforce_tls || session->tls_use_tls)))
-+ 	msg_info("Host offered STARTTLS: [%s]", session->host);
-+    if ((session->tls_enforce_tls) &&
-+	!(state->features & SMTP_FEATURE_STARTTLS))
-+    {
-+	/*
-+	 * We are enforced to use TLS but it is not offered, so we will give
-+	 * up on this host. We won't even try STARTTLS, because we could
-+	 * receive a "500 command unrecognized" which would bounce the
-+	 * message. We instead want to delay until STARTTLS becomes
-+	 * available.
-+	 */
-+	return (smtp_site_fail(state, 450, "Could not start TLS: not offered"));
-+    }
-+    if ((session->tls_enforce_tls) && !pfixtls_clientengine) {
-+	/*
-+	 * We would like to start client TLS, but our own TLS-engine is
-+	 * not running.
-+	 */
-+	return (smtp_site_fail(state, 450,
-+		 "Could not start TLS: our TLS-engine not running"));
-+    }
-+    if ((state->features & SMTP_FEATURE_STARTTLS) &&
-+	((session->tls_use_tls && pfixtls_clientengine) ||
-+	 (session->tls_enforce_tls))) {
-+	/*
-+         * Try to use the TLS feature
-+         */
-+	smtp_chat_cmd(state, "STARTTLS");
-+	if ((resp = smtp_chat_resp(state))->code / 100 != 2) {
-+	    state->features &= ~SMTP_FEATURE_STARTTLS;
-+	    /*
-+	     * At this point a political decision is necessary. If we
-+	     * enforce usage of tls, we have to close the connection
-+	     * now.
-+	     */
-+	    if (session->tls_enforce_tls)
-+		return (smtp_site_fail(state, resp->code,
-+					 "host %s refused to start TLS: %s",
-+					   session->host,
-+					   translit(resp->str, "\n", " ")));
-+	} else {
-+	    if (rval = pfixtls_start_clienttls(session->stream,
-+					       var_smtp_starttls_tmout,
-+					       session->tls_enforce_peername,
-+					       session->host,
-+					       &(session->tls_info)))
-+		return (smtp_site_fail(state, 450,
-+				 "Could not start TLS: client failure"));
-+
-+
-+	    /*
-+	     * Now the connection is established and maybe we do have a
-+	     * validated cert with a CommonName in it.
-+	     * In enforce_peername state, the handshake would already have
-+	     * been terminated so the check here is for logging only!
-+	     */
-+	    if (session->tls_info.peer_CN != NULL) {
-+		if (!session->tls_info.peer_verified) {
-+		    msg_info("Peer certificate could not be verified");
-+		    if (session->tls_enforce_tls) {
-+			pfixtls_stop_clienttls(session->stream,
-+					       var_smtp_starttls_tmout, 1,
-+					       &(session->tls_info));
-+			return(smtp_site_fail(state, 450, "TLS-failure: Could not verify certificate"));
-+		    }
-+		}
-+	    } else if (session->tls_enforce_tls) {
-+		pfixtls_stop_clienttls(session->stream,
-+				       var_smtp_starttls_tmout, 1,
-+				       &(session->tls_info));
-+		return (smtp_site_fail(state, 450, "TLS-failure: Cannot verify hostname"));
-+	    }
-+
-+	    /*
-+	     * At this point we have to re-negotiate the "EHLO" to reget
-+	     * the feature-list
-+	     */
-+	    state->features = oldfeatures;
-+#ifdef USE_SASL_AUTH
-+	    if (state->sasl_mechanism_list) {
-+		myfree(state->sasl_mechanism_list);
-+		state->sasl_mechanism_list = 0;
-+	    }
-+#endif
-+	    if (state->features & SMTP_FEATURE_ESMTP) {
-+		smtp_chat_cmd(state, "EHLO %s", var_myhostname);
-+		if ((resp = smtp_chat_resp(state))->code / 100 != 2)
-+		    state->features &= ~SMTP_FEATURE_ESMTP;
-+	    }
-+	    lines = resp->str;
-+	    (void) mystrtok(&lines, "\n");
-+	    while ((words = mystrtok(&lines, "\n")) != 0) {
-+		if (mystrtok(&words, "- ") &&
-+		    (word = mystrtok(&words, " \t=")) != 0) {
-+		    if (strcasecmp(word, "8BITMIME") == 0)
-+			state->features |= SMTP_FEATURE_8BITMIME;
-+		    else if (strcasecmp(word, "PIPELINING") == 0)
-+			state->features |= SMTP_FEATURE_PIPELINING;
-+		    else if (strcasecmp(word, "SIZE") == 0)
-+			state->features |= SMTP_FEATURE_SIZE;
-+		    else if (strcasecmp(word, "STARTTLS") == 0)
-+			state->features |= SMTP_FEATURE_STARTTLS;
-+#ifdef USE_SASL_AUTH
-+		    else if (var_smtp_sasl_enable &&
-+			     strcasecmp(word, "AUTH") == 0)
-+			smtp_sasl_helo_auth(state, words);
-+#endif
-+		}
-+	    }
-+	    /*
-+	     * Actually, at this point STARTTLS should not be offered
-+	     * anymore, so we could check for a protocol violation, but
-+	     * what should we do then?
-+	     */
-+
-+	}
-+    }
-+#endif
-+#endif
- #ifdef USE_SASL_AUTH
-     if (var_smtp_sasl_enable && (state->features & SMTP_FEATURE_AUTH))
- 	return (smtp_sasl_helo_login(state));
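Review bot: after a successful STARTTLS, `resp` can be stale when the feature list is re-read at `lines = resp->str`: if `SMTP_FEATURE_ESMTP` is not set no EHLO is sent and the `220` STARTTLS reply is parsed as a capability list, and if the EHLO is rejected (`code / 100 != 2`) the rejection text is parsed instead, with no fallback to HELO. Guard the parsing loop with the EHLO-succeeded condition and add the HELO fallback that the pre-TLS path has. The second feature loop also drifts from the first: `SIZE` only sets the flag and never updates `state->size_limit`, so after `state->features = oldfeatures` a pre-TLS limit survives (or none is recorded); factoring EHLO-reply parsing into one helper called from both places prevents this. Discarding the features learned over the plaintext exchange and re-issuing EHLO inside the TLS channel is the right behaviour, because a capability list seen before the handshake is not authenticated, so keep that part as is. Minor: `if (rval = pfixtls_start_clienttls(...))` assigns inside a condition and `rval` is never read; test the call directly and drop the variable.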
-diff -urNad postfix-release/src/smtp/smtp_sasl_glue.c /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_sasl_glue.c
---- postfix-release/src/smtp/smtp_sasl_glue.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_sasl_glue.c	2005-02-03 10:22:13.068094903 -0700
-@@ -197,6 +197,16 @@
-     return (SASL_OK);
- }
- 
-+static int smtp_sasl_getpath(void * context, char ** path)
-+{
-+#if SASL_VERSION_MAJOR >= 2
-+    *path = strdup("/etc/postfix/sasl:/usr/lib/sasl2");
-+#else
-+    *path = strdup("/etc/postfix/sasl:/usr/lib/sasl");
-+#endif
-+    return SASL_OK;
-+}
-+
- /* smtp_sasl_get_user - username lookup call-back routine */
- 
- static int smtp_sasl_get_user(void *context, int unused_id, const char **result,
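Review bot: the plugin search path returned by `smtp_sasl_getpath()` is hard-coded (`/etc/postfix/sasl:/usr/lib/sasl2`, or `/usr/lib/sasl` for SASL v1) instead of coming from a main.cf parameter, so it cannot be changed without a rebuild. Because libsasl loads shared objects from these directories, the packaging should create `/etc/postfix/sasl` root-owned and not group- or world-writable, and the first directory being under `/etc` deserves a comment saying why. Also document whether libsasl takes ownership of the `strdup()`ed string: if it does not, this allocation leaks on every call; if it does, note that `strdup()` rather than `mystrdup()` is deliberate so the library can release it with `free()`.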
-@@ -298,6 +308,7 @@
-      */
-     static sasl_callback_t callbacks[] = {
- 	{SASL_CB_LOG, &smtp_sasl_log, 0},
-+	{SASL_CB_GETPATH,&smtp_sasl_getpath, 0},
- 	{SASL_CB_LIST_END, 0, 0}
-     };
- 
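Review bot: `{SASL_CB_GETPATH,&smtp_sasl_getpath, 0}` is missing the space after the first comma that the adjacent `{SASL_CB_LOG, &smtp_sasl_log, 0}` entry has; match the existing formatting of the table.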
-diff -urNad postfix-release/src/smtp/smtp_session.c /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_session.c
---- postfix-release/src/smtp/smtp_session.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_session.c	2005-02-03 10:22:13.068094903 -0700
-@@ -42,15 +42,50 @@
- #include <vstream.h>
- #include <stringops.h>
- 
-+#ifdef USE_TLS
-+#include <mail_params.h>
-+#include <maps.h>
-+#include <pfixtls.h>
-+#endif
-+
- /* Application-specific. */
- 
- #include "smtp.h"
- 
-+#ifdef USE_TLS
-+/* static lists */
-+static MAPS *tls_per_site;
-+
-+/* smtp_tls_list_init - initialize lists */
-+
-+void smtp_tls_list_init(void)
-+{
-+    tls_per_site = maps_create(VAR_SMTP_TLS_PER_SITE, var_smtp_tls_per_site,
-+			       DICT_FLAG_LOCK);
-+}
-+
-+#endif
- /* smtp_session_alloc - allocate and initialize SMTP_SESSION structure */
- 
-+#ifndef USE_TLS
- SMTP_SESSION *smtp_session_alloc(VSTREAM *stream, char *host, char *addr)
-+#else
-+SMTP_SESSION *smtp_session_alloc(char *dest, VSTREAM *stream, char *host, char *addr)
-+#endif
- {
-     SMTP_SESSION *session;
-+#ifdef USE_TLS
-+    const char *lookup;
-+    char *lookup_key;
-+    int host_dont_use = 0;
-+    int host_use = 0;
-+    int host_enforce = 0;
-+    int host_enforce_peername = 0;
-+    int recipient_dont_use = 0;
-+    int recipient_use = 0;
-+    int recipient_enforce = 0;
-+    int recipient_enforce_peername = 0;
-+#endif
- 
-     session = (SMTP_SESSION *) mymalloc(sizeof(*session));
-     session->stream = stream;
-@@ -58,6 +93,63 @@
-     session->addr = mystrdup(addr);
-     session->namaddr = concatenate(host, "[", addr, "]", (char *) 0);
-     session->best = 1;
-+#ifdef USE_TLS
-+    session->tls_use_tls = session->tls_enforce_tls = 0;
-+    session->tls_enforce_peername = 0;
-+#ifdef USE_SSL
-+    lookup_key = lowercase(mystrdup(host));
-+    if (lookup = maps_find(tls_per_site, lookup_key, 0)) {
-+	if (!strcasecmp(lookup, "NONE"))
-+	    host_dont_use = 1;
-+	else if (!strcasecmp(lookup, "MAY"))
-+	    host_use = 1;
-+	else if (!strcasecmp(lookup, "MUST"))
-+	    host_enforce = host_enforce_peername = 1;
-+	else if (!strcasecmp(lookup, "MUST_NOPEERMATCH"))
-+	    host_enforce = 1;
-+	else
-+	    msg_warn("Unknown TLS state for receiving host %s: '%s', using default policy", session->host, lookup);
-+    }
-+    myfree(lookup_key);
-+    lookup_key = lowercase(mystrdup(dest));
-+    if (lookup = maps_find(tls_per_site, dest, 0)) {
-+	if (!strcasecmp(lookup, "NONE"))
-+	    recipient_dont_use = 1;
-+	else if (!strcasecmp(lookup, "MAY"))
-+	    recipient_use = 1;
-+	else if (!strcasecmp(lookup, "MUST"))
-+	    recipient_enforce = recipient_enforce_peername = 1;
-+	else if (!strcasecmp(lookup, "MUST_NOPEERMATCH"))
-+	    recipient_enforce = 1;
-+	else
-+	    msg_warn("Unknown TLS state for recipient domain %s: '%s', using default policy", dest, lookup);
-+    }
-+    myfree(lookup_key);
-+
-+    if ((var_smtp_enforce_tls && !host_dont_use && !recipient_dont_use) || host_enforce ||
-+	 recipient_enforce)
-+	session->tls_enforce_tls = session->tls_use_tls = 1;
-+
-+    /*
-+     * Set up peername checking. We want to make sure that a MUST* entry in
-+     * the tls_per_site table always has precedence. MUST always must lead to
-+     * a peername check, MUST_NOPEERMATCH must always disable it. Only when
-+     * no explicit setting has been found, the default will be used.
-+     * There is the case left, that both "host" and "recipient" settings
-+     * conflict. In this case, the "host" setting wins.
-+     */
-+    if (host_enforce && host_enforce_peername)
-+	session->tls_enforce_peername = 1;
-+    else if (recipient_enforce && recipient_enforce_peername)
-+	session->tls_enforce_peername = 1;
-+    else if (var_smtp_enforce_tls && var_smtp_tls_enforce_peername)
-+	session->tls_enforce_peername = 1;
-+
-+    else if ((var_smtp_use_tls && !host_dont_use && !recipient_dont_use) || host_use || recipient_use)
-+      session->tls_use_tls = 1;
-+#endif
-+    session->tls_info = tls_info_zero;
-+#endif
-     return (session);
- }
- 
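Review bot: the recipient-domain lookup passes the wrong key: `lookup_key = lowercase(mystrdup(dest))` is computed, but the call is `maps_find(tls_per_site, dest, 0)` with the original `dest`, so per-site TLS policy is case-sensitive for recipient domains while the host lookup just above is not; pass `lookup_key` as the host branch does. Second, the `else if ((var_smtp_use_tls && ...) || host_use || recipient_use)` that sets `tls_use_tls` is chained onto the peername `if/else` ladder above it (the blank line suggests a separate statement was intended): when the global `var_smtp_enforce_tls` and `var_smtp_tls_enforce_peername` are both set but a `NONE` entry for one side disables enforcement, the `var_smtp_enforce_tls && var_smtp_tls_enforce_peername` branch matches, the `MAY` entry for the other side is never evaluated, and `tls_use_tls` stays 0 although `tls_enforce_peername` is 1. Make the `tls_use_tls` decision its own `if`, and consider clearing `tls_enforce_peername` when `tls_enforce_tls` is not set so the session flags cannot disagree. Minor: both `if (lookup = maps_find(...))` assign inside a condition; `(lookup = ...) != 0` makes the intent explicit.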
-@@ -65,6 +157,13 @@
- 
- void    smtp_session_free(SMTP_SESSION *session)
- {
-+#ifdef USE_TLS
-+#ifdef USE_SSL
-+    vstream_fflush(session->stream);
-+    pfixtls_stop_clienttls(session->stream, var_smtp_starttls_tmout, 0,
-+			   &(session->tls_info));
-+#endif
-+#endif
-     vstream_fclose(session->stream);
-     myfree(session->host);
-     myfree(session->addr);
-diff -urNad postfix-release/src/smtp/smtp_unalias.c /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_unalias.c
---- postfix-release/src/smtp/smtp_unalias.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/smtp/smtp_unalias.c	2005-02-03 10:22:13.068094903 -0700
-@@ -86,7 +86,11 @@
-     if ((result = htable_find(cache, name)) == 0) {
- 	fqdn = vstring_alloc(10);
- 	if (dns_lookup_types(name, smtp_unalias_flags, (DNS_RR **) 0,
--			     fqdn, (VSTRING *) 0, T_MX, T_A, 0) != DNS_OK)
-+			     fqdn, (VSTRING *) 0, T_MX, T_A,
-+#ifdef INET6
-+			     T_AAAA,
-+#endif
-+			     0) != DNS_OK)
- 	    vstring_strcpy(fqdn, name);
- 	htable_enter(cache, name, result = vstring_export(fqdn));
-     }
-diff -urNad postfix-release/src/smtpd/Makefile.in /tmp/dpep.cXJuVH/postfix-release/src/smtpd/Makefile.in
---- postfix-release/src/smtpd/Makefile.in	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/smtpd/Makefile.in	2005-02-03 10:22:13.069094680 -0700
-@@ -150,6 +150,7 @@
- smtpd.o: ../../include/namadr_list.h
- smtpd.o: ../../include/input_transp.h
- smtpd.o: ../../include/mail_server.h
-+smtpd.o: ../../include/pfixtls.h
- smtpd.o: smtpd_token.h
- smtpd.o: smtpd.h
- smtpd.o: smtpd_check.h
-@@ -179,6 +180,7 @@
- smtpd_chat.o: ../../include/cleanup_user.h
- smtpd_chat.o: ../../include/mail_error.h
- smtpd_chat.o: ../../include/name_mask.h
-+smtpd_chat.o: ../../include/pfixtls.h
- smtpd_chat.o: smtpd.h
- smtpd_chat.o: ../../include/mail_stream.h
- smtpd_chat.o: smtpd_chat.h
-@@ -233,6 +235,7 @@
- smtpd_check.o: ../../include/is_header.h
- smtpd_check.o: smtpd.h
- smtpd_check.o: ../../include/mail_stream.h
-+smtpd_check.o: ../../include/pfixtls.h
- smtpd_check.o: smtpd_sasl_glue.h
- smtpd_check.o: smtpd_check.h
- smtpd_peer.o: smtpd_peer.c
-@@ -247,6 +250,7 @@
- smtpd_peer.o: ../../include/vstream.h
- smtpd_peer.o: ../../include/iostuff.h
- smtpd_peer.o: ../../include/attr.h
-+smtpd_peer.o: ../../include/pfixtls.h
- smtpd_peer.o: smtpd.h
- smtpd_peer.o: ../../include/argv.h
- smtpd_peer.o: ../../include/mail_stream.h
-@@ -329,6 +333,7 @@
- smtpd_state.o: ../../include/vstring.h
- smtpd_state.o: ../../include/argv.h
- smtpd_state.o: ../../include/mail_stream.h
-+smtpd_state.o: ../../include/pfixtls.h
- smtpd_state.o: smtpd_chat.h
- smtpd_state.o: smtpd_sasl_glue.h
- smtpd_token.o: smtpd_token.c
-@@ -338,6 +343,7 @@
- smtpd_token.o: smtpd_token.h
- smtpd_token.o: ../../include/vstring.h
- smtpd_token.o: ../../include/vbuf.h
-+smtpd_token.o: ../../include/pfixtls.h
- smtpd_xforward.o: smtpd_xforward.c
- smtpd_xforward.o: ../../include/sys_defs.h
- smtpd_xforward.o: ../../include/mymalloc.h
-diff -urNad postfix-release/src/smtpd/smtpd.c /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd.c
---- postfix-release/src/smtpd/smtpd.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd.c	2005-02-03 10:22:13.072094011 -0700
-@@ -652,6 +652,9 @@
- #include <anvil_clnt.h>
- #endif
- #include <flush_clnt.h>
-+#ifdef USE_TLS
-+#include <pfixtls.h>
-+#endif
- 
- /* Single-threaded server skeleton. */
- 
-@@ -677,6 +680,9 @@
-   */
- int     var_smtpd_rcpt_limit;
- int     var_smtpd_tmout;
-+#ifdef USE_TLS
-+char   *var_relay_ccerts;
-+#endif
- int     var_smtpd_soft_erlim;
- int     var_smtpd_hard_erlim;
- int     var_queue_minfree;		/* XXX use off_t */
-@@ -759,7 +765,21 @@
- int     var_smtpd_crate_limit;
- int     var_smtpd_cconn_limit;
- char   *var_smtpd_hoggers;
-+#endif
- 
-+#ifdef USE_TLS
-+bool    var_smtpd_use_tls;
-+bool    var_smtpd_enforce_tls;
-+bool    var_smtpd_tls_wrappermode;
-+#ifdef USE_SSL
-+int     var_smtpd_starttls_tmout;
-+bool    var_smtpd_tls_auth_only;
-+bool    var_smtpd_tls_ask_ccert;
-+bool    var_smtpd_tls_req_ccert;
-+int     var_smtpd_tls_ccert_vd;
-+bool    var_smtpd_tls_received_header;
-+char   *var_smtpd_sasl_tls_opts;
-+#endif
- #endif
- 
-  /*
-@@ -943,11 +963,27 @@
-     if (var_disable_vrfy_cmd == 0)
- 	smtpd_chat_reply(state, "250-VRFY");
-     smtpd_chat_reply(state, "250-ETRN");
-+#ifdef USE_TLS
-+#ifdef USE_SSL
-+    if ((state->tls_use_tls || state->tls_enforce_tls) && (!state->tls_active))
-+	smtpd_chat_reply(state, "250-STARTTLS");
-+#endif
-+#endif
- #ifdef USE_SASL_AUTH
-     if (var_smtpd_sasl_enable && !sasl_client_exception(state)) {
-+#ifdef USE_TLS
-+#ifdef USE_SSL
-+	if (!state->tls_auth_only || state->tls_active) {
-+#endif
-+#endif
- 	smtpd_chat_reply(state, "250-AUTH %s", state->sasl_mechanism_list);
- 	if (var_broken_auth_clients)
- 	    smtpd_chat_reply(state, "250-AUTH=%s", state->sasl_mechanism_list);
-+#ifdef USE_TLS
-+#ifdef USE_SSL
-+	}
-+#endif
-+#endif
-     }
- #endif
-     if (namadr_list_match(verp_clients, state->name, state->addr))
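Review bot: the paired `#ifdef USE_TLS` / `#ifdef USE_SSL` blocks that open `if (!state->tls_auth_only || state->tls_active) {` and close it with a bare `}` several lines later make the brace pairing depend on two preprocessor conditions staying identical, which is easy to break in a later edit. Compute a single flag before the `#ifdef USE_SASL_AUTH` block (for example `int offer_auth = 1;` cleared under `USE_TLS`/`USE_SSL` when `tls_auth_only && !tls_active`) and test it in plain C. The behaviour itself is right: with `tls_auth_only` set, `AUTH` is not advertised until the session is encrypted, and `STARTTLS` is not re-advertised once `tls_active`.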
-@@ -1505,12 +1541,81 @@
-     state->rcpt_overshoot = 0;
- }
- 
-+#ifdef USE_TLS
-+/* CN_sanitize - make sure, the CN-string is well behaved */
-+
-+static void CN_sanitize(char *CNstring)
-+{
-+    int i;
-+    int len;
-+    int parencount;
-+
-+    /*
-+     * The information included in the CN (CommonName) of the peer and its
-+     * issuer can be included into the Received: header line. The characters
-+     * allowed as well as comment nesting are limited by RFC822.
-+     */
-+
-+    len = strlen(CNstring);
-+    /*
-+     * The Received: header can only contain characters. Make sure that only
-+     * acceptable characters are printed. Maybe we could allow more, but
-+     * not everything makes sense inside a CommonName.
-+     */
-+    for (i = 0; i < len; i++) 
-+	if (!((CNstring[i] >= 'A') && (CNstring[i] <='Z')) &&
-+	    !((CNstring[i] >= 'a') && (CNstring[i] <='z')) &&
-+	    !((CNstring[i] >= '0') && (CNstring[i] <='9')) &&
-+	    (CNstring[i] != '(') && (CNstring[i] != ')') &&
-+	    (CNstring[i] != '[') && (CNstring[i] != ']') &&
-+	    (CNstring[i] != '{') && (CNstring[i] != '}') &&
-+	    (CNstring[i] != '<') && (CNstring[i] != '>') &&
-+	    (CNstring[i] != '?') && (CNstring[i] != '!') &&
-+	    (CNstring[i] != ';') && (CNstring[i] != ':') &&
-+	    (CNstring[i] != '"') && (CNstring[i] != '\'') &&
-+	    (CNstring[i] != '/') && (CNstring[i] != '|') &&
-+	    (CNstring[i] != '+') && (CNstring[i] != '&') &&
-+	    (CNstring[i] != '~') && (CNstring[i] != '@') &&
-+	    (CNstring[i] != '#') && (CNstring[i] != '$') &&
-+	    (CNstring[i] != '%') && (CNstring[i] != '&') &&
-+	    (CNstring[i] != '^') && (CNstring[i] != '*') &&
-+	    (CNstring[i] != '_') && (CNstring[i] != '-') &&
-+	    (CNstring[i] != '.') && (CNstring[i] != ' '))
-+	    CNstring[i] = '?';
-+
-+    /*
-+     * This information will go into the Received: header inside a comment.
-+     * Since comments can be nested, parentheses '(' and ')' must match.
-+     */
-+    parencount = 0;
-+    for (i = 0; i < len; i++) {
-+	if (CNstring[i] == '(')
-+	    parencount++;
-+	else if (CNstring[i] == ')')
-+	    parencount--;
-+    }
-+    /*
-+     * The necessary condition is violated. Do YOU know, where to correct?
-+     * I don't know, so I will practically remove all parentheses.
-+     */
-+    if (parencount != 0) {
-+	for (i = 0; i < len; i++)
-+	    if ((CNstring[i] == '(') || (CNstring[i] == ')'))
-+		CNstring[i] = '/';
-+    }
-+}
-+
-+#endif
- /* data_cmd - process DATA command */
- 
- static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
- {
-     char   *err;
-     char   *start;
-+#ifdef USE_TLS
-+    char   *peer_CN;
-+    char   *issuer_CN;
-+#endif
-     int     len;
-     int     curr_rec_type;
-     int     prev_rec_type;
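Review bot: the parenthesis check in `CN_sanitize()` only verifies that `parencount` ends at zero, so a CommonName such as `)x(` passes, and its leading `)` closes the enclosing Received: comment early, which is precisely the structural damage the function exists to prevent. Track whether `parencount` ever goes negative and treat that like a mismatch (replace the parentheses), or simplest, replace every `(` and `)` unconditionally since nested comments in a CN add nothing. The allowed-character list tests `'&'` twice (once next to `'+'`, once next to `'%'`), and the header comment should say why `'"'` and `'\''` are permitted inside a comment whose contents are printed between quotes. Every other byte, including any non-ASCII octet, becomes `'?'`, so a UTF-8 CommonName is rendered as a run of question marks; that is acceptable for a header comment but deserves a sentence in the comment.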
-@@ -1601,9 +1706,42 @@
-      */
-     if (!state->proxy || state->xforward.flags == 0) {
- 	out_fprintf(out_stream, REC_TYPE_NORM,
--		    "Received: from %s (%s [%s])",
-+		    "Received: from %s (%s [%s%s])",
- 		    state->helo_name ? state->helo_name : state->name,
--		    state->name, state->addr);
-+		    state->name, state->addr_tag, state->addr);
-+#ifdef USE_TLS
-+#ifdef USE_SSL
-+	if (var_smtpd_tls_received_header && state->tls_active) {
-+	    out_fprintf(out_stream, REC_TYPE_NORM,
-+			"\t(using %s with cipher %s (%d/%d bits))",
-+			state->tls_info.protocol, state->tls_info.cipher_name,
-+			state->tls_info.cipher_usebits,
-+			state->tls_info.cipher_algbits);
-+	    if (state->tls_info.peer_CN) {
-+		peer_CN = mystrdup(state->tls_info.peer_CN);
-+		CN_sanitize(peer_CN);
-+		issuer_CN = mystrdup(state->tls_info.issuer_CN);
-+		CN_sanitize(issuer_CN);
-+		if (state->tls_info.peer_verified)
-+		    out_fprintf(out_stream, REC_TYPE_NORM,
-+			"\t(Client CN \"%s\", Issuer \"%s\" (verified OK))",
-+			peer_CN, issuer_CN);
-+		else
-+		    out_fprintf(out_stream, REC_TYPE_NORM,
-+			"\t(Client CN \"%s\", Issuer \"%s\" (not verified))",
-+			peer_CN, issuer_CN);
-+		myfree(issuer_CN);
-+		myfree(peer_CN);
-+	    }
-+	    else if (var_smtpd_tls_ask_ccert)
-+		out_fprintf(out_stream, REC_TYPE_NORM,
-+			    "\t(Client did not present a certificate)");
-+	    else
-+		out_fprintf(out_stream, REC_TYPE_NORM,
-+			    "\t(No client certificate requested)");
-+	}
-+#endif
-+#endif
- 	if (state->rcpt_count == 1 && state->recipient) {
- 	    out_fprintf(out_stream, REC_TYPE_NORM,
- 			state->cleanup ? "\tby %s (%s) with %s id %s" :
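Review bot: `mystrdup(state->tls_info.issuer_CN)` is guarded only by the `state->tls_info.peer_CN` test; if the TLS layer can leave `issuer_CN` NULL while `peer_CN` is set, `mystrdup()` receives a NULL pointer. Test `issuer_CN` separately and print a placeholder when it is absent. Also `state->addr_tag` appears in the new `"Received: from %s (%s [%s%s])"` format but is not introduced by any hunk of this file; confirm it is added to `SMTPD_STATE` and initialised on every connection path, including the proxy case, since an uninitialised pointer here would be written into the header of every accepted message.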
-@@ -2310,6 +2448,92 @@
-     }
- }
- 
-+#ifdef USE_TLS
-+static int starttls_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
-+{
-+    char   *err;
-+
-+#ifdef USE_SSL
-+    if (argc != 1) {
-+	state->error_mask |= MAIL_ERROR_PROTOCOL;
-+	smtpd_chat_reply(state, "501 Syntax: STARTTLS");
-+	return (-1);
-+    }
-+    if (state->tls_active != 0) {
-+	state->error_mask |= MAIL_ERROR_PROTOCOL;
-+	smtpd_chat_reply(state, "554 Error: TLS already active");
-+	return (-1);
-+    }
-+    if (state->tls_use_tls == 0) {
-+	state->error_mask |= MAIL_ERROR_PROTOCOL;
-+	smtpd_chat_reply(state, "502 Error: command not implemented");
-+	return (-1);
-+    }
-+    if (!pfixtls_serverengine) {
-+	smtpd_chat_reply(state, "454 TLS not available due to temporary reason");
-+	return (0);
-+    }
-+    smtpd_chat_reply(state, "220 Ready to start TLS");
-+    vstream_fflush(state->client);
-+    /*
-+     * When deciding about continuing the handshake, we will stop when a
-+     * client certificate was _required_ and none was presented or the
-+     * verification failed. This however does only make sense when TLS is
-+     * enforced. Otherwise we would happily perform perform the SMTP
-+     * transaction without any STARTTLS at all! So only have the handshake
-+     * fail when TLS is also enforced.
-+     */
-+    if (pfixtls_start_servertls(state->client, var_smtpd_starttls_tmout,
-+				state->name, state->addr, &(state->tls_info),
-+			(var_smtpd_tls_req_ccert && state->tls_enforce_tls))) {
-+	/*
-+         * Typically the connection is hanging at this point, so
-+         * we should try to shut it down by force! Unfortunately this
-+         * problem is not addressed in postfix!
-+         */
-+	return (-1);
-+    }
-+    state->tls_active = 1;
-+    helo_reset(state);
-+#ifdef USE_SASL_AUTH
-+    if (var_smtpd_sasl_enable) {
-+	/*
-+	 * When TLS is enabled, another set of AUTH methods may be offered,
-+	 * for example plain text methods that would not be offered without
-+	 * encryption protection. Reconnect with a different set of options.
-+	 */
-+	smtpd_sasl_disconnect(state);
-+	smtpd_sasl_connect(state, VAR_SMTPD_SASL_TLS_OPTS,
-+			   var_smtpd_sasl_tls_opts);
-+	smtpd_sasl_auth_reset(state);
-+    }
-+#endif
-+    mail_reset(state);
-+    rcpt_reset(state);
-+    return (0);
-+#else
-+    state->error_mask |= MAIL_ERROR_PROTOCOL;
-+    smtpd_chat_reply(state, "502 Error: command not implemented");
-+    return (-1);
-+#endif
-+}
-+
-+static void tls_reset(SMTPD_STATE *state)
-+{
-+    int failure = 0;
-+
-+    if (state->reason && state->where && strcmp(state->where, SMTPD_AFTER_DOT))
-+	failure = 1;
-+#ifdef USE_SSL
-+    vstream_fflush(state->client);
-+    if (state->tls_active)
-+	pfixtls_stop_servertls(state->client, var_smtpd_starttls_tmout,
-+			       failure, &(state->tls_info));
-+#endif
-+    state->tls_active = 0;
-+}
-+
-+#endif
-  /*
-   * The table of all SMTP commands that we know. Set the junk limit flag on
-   * any command that can be repeated an arbitrary number of times without
-@@ -2328,6 +2552,12 @@
-     "HELO", helo_cmd, SMTPD_CMD_FLAG_LIMIT,
-     "EHLO", ehlo_cmd, SMTPD_CMD_FLAG_LIMIT,
- 
-+#ifdef USE_TLS
-+#ifdef USE_SSL
-+    "STARTTLS", starttls_cmd, 0,
-+#endif
-+#endif
-+
- #ifdef USE_SASL_AUTH
-     "AUTH", smtpd_sasl_auth_cmd, 0,
- #endif
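Review bot: STARTTLS is registered with flags 0, so it is not subject to the junk command limit, and the "454 TLS not available due to temporary reason" path in starttls_cmd returns 0, so it does not increment error_count either. While pfixtls_serverengine is unset a client can therefore repeat STARTTLS indefinitely without tripping any of the existing limits; either give the entry SMTPD_CMD_FLAG_LIMIT or count the 454 reply as an error.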
-@@ -2488,9 +2718,36 @@
- 		state->error_count++;
- 		continue;
- 	    }
-+#ifdef USE_TLS
-+	    if (state->tls_enforce_tls &&
-+		!state->tls_active &&
-+		cmdp->action != starttls_cmd &&
-+		cmdp->action != noop_cmd &&
-+		cmdp->action != ehlo_cmd &&
-+		cmdp->action != quit_cmd) {
-+		smtpd_chat_reply(state,
-+				 "530 Must issue a STARTTLS command first");
-+		state->error_count++;
-+		continue;
-+	    }
-+#endif
- 	    state->where = cmdp->name;
-+#ifndef USE_TLS
- 	    if (cmdp->action(state, argc, argv) != 0)
-+#else
-+	    if (cmdp->action(state, argc, argv) != 0) {
-+#endif
- 		state->error_count++;
-+#ifdef USE_TLS
-+		/*
-+		 * Die after TLS negotiation failure, as there is no
-+		 * stable way to recover from a possible mixture of
-+		 * TLS and SMTP protocol from the client.
-+		 */
-+		if (cmdp->action == starttls_cmd)
-+		    break;
-+	    }
-+#endif
- 	    if ((cmdp->flags & SMTPD_CMD_FLAG_LIMIT)
- 		&& state->junk_cmds++ > var_smtpd_junk_cmd_limit)
- 		state->error_count++;
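Review bot: the brace that opens at "if (cmdp->action(state, argc, argv) != 0) {" exists only under "#else" of "#ifndef USE_TLS" and closes inside a later "#ifdef USE_TLS" block, so the block structure depends on the preprocessor; use braces unconditionally and put only the starttls_cmd check under USE_TLS. The set of commands allowed before STARTTLS in enforce mode (EHLO, NOOP, STARTTLS, QUIT, everything else 530) is exactly what RFC 3207 section 4 requires; a comment citing it would stop a later change from "helpfully" adding HELO or RSET.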
-@@ -2530,6 +2787,9 @@
-      * Cleanup whatever information the client gave us during the SMTP
-      * dialog.
-      */
-+#ifdef USE_TLS
-+    tls_reset(state);
-+#endif
-     helo_reset(state);
- #ifdef USE_SASL_AUTH
-     if (var_smtpd_sasl_enable)
-@@ -2562,6 +2822,60 @@
-      * machines.
-      */
-     smtpd_state_init(&state, stream);
-+#ifdef USE_TLS
-+
-+#ifdef USE_SSL
-+    if (SMTPD_STAND_ALONE((&state))) {
-+	state.tls_use_tls = 0;
-+	state.tls_enforce_tls = 0;
-+	state.tls_auth_only = 0;
-+    }
-+    else {
-+	state.tls_use_tls = var_smtpd_use_tls | var_smtpd_enforce_tls;
-+	state.tls_enforce_tls = var_smtpd_enforce_tls;
-+	if (var_smtpd_tls_wrappermode) {
-+	    /*
-+	     * TLS has been set to wrapper mode, meaning that we run on a
-+	     * seperate port and we must switch to TLS layer before actually
-+	     * performing the SMTP protocol. This implies enforce-mode.
-+	     */
-+	    state.tls_use_tls = state.tls_enforce_tls = 1;
-+	    if (pfixtls_start_servertls(state.client, var_smtpd_starttls_tmout,
-+					state.name, state.addr, &state.tls_info,
-+					var_smtpd_tls_req_ccert)) {
-+	    /*
-+	     * Typically the connection is hanging at this point, so
-+	     * we should try to shut it down by force! Unfortunately this
-+	     * problem is not addressed in postfix!
-+	     */
-+		return;
-+	    }
-+	    state.tls_active = 1;
-+#ifdef USE_SASL_AUTH
-+	    if (var_smtpd_sasl_enable) {
-+		/*
-+		 * When TLS is enabled, another set of AUTH methods may be
-+		 * offered, for example plain text methods that would not be
-+		 * offered without encryption protection. Reconnect with a
-+		 * different set of options.
-+		 */
-+		smtpd_sasl_disconnect(&state);
-+		smtpd_sasl_connect(&state, VAR_SMTPD_SASL_TLS_OPTS,
-+				   var_smtpd_sasl_tls_opts);
-+		smtpd_sasl_auth_reset(&state);
-+    	    }
-+#endif
-+	}
-+	if (var_smtpd_tls_auth_only || state.tls_enforce_tls)
-+	    state.tls_auth_only = 1;
-+    }
-+#else
-+    state.tls_use_tls = 0;
-+    state.tls_enforce_tls = 0;
-+    state.tls_auth_only = 0;
-+#endif
-+
-+#endif
-     msg_info("connect from %s[%s]", state.name, state.addr);
- 
-     /*
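Review bot: the bare "return;" after a failed wrapper-mode handshake happens before the "connect from %s[%s]" msg_info, so a client that connects to the TLS-wrapped port and fails the handshake leaves no connection record in the log at all, and whatever state teardown follows the command loop in this function is skipped; log the failure with state.name/state.addr and go through the normal cleanup path instead. The SASL disconnect/reconnect block is a verbatim copy of the one in starttls_cmd and should be a small helper. Minor: "seperate" in the comment, and "var_smtpd_use_tls | var_smtpd_enforce_tls" uses a bitwise or on two booleans where "||" reads as intended.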
-@@ -2611,7 +2925,9 @@
- 
- static void pre_jail_init(char *unused_name, char **unused_argv)
- {
-+#ifndef USE_TLS
- 
-+#endif
-     /*
-      * Initialize blacklist/etc. patterns before entering the chroot jail, in
-      * case they specify a filename pattern.
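Review bot: the "#ifndef USE_TLS" / "#endif" pair here encloses nothing and should be removed; the same empty "#ifdef USE_TLS" / "#endif" leftovers appear at the end of post_jail_init and after the closing brace of main further down in this file.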
-@@ -2639,6 +2955,23 @@
- 	msg_warn("%s is true, but SASL support is not compiled in",
- 		 VAR_SMTPD_SASL_ENABLE);
- #endif
-+#ifdef USE_TLS
-+    /*
-+     * Keys can only be loaded when running with superuser permissions.
-+     * When called from "sendmail -bs" this is not the case, but STARTTLS
-+     * is not used in this scenario anyhow.
-+     */
-+    if (geteuid() == 0) {
-+      if (var_smtpd_use_tls || var_smtpd_enforce_tls
-+	  || var_smtpd_tls_wrappermode)
-+#ifdef USE_SSL
-+	pfixtls_init_serverengine(var_smtpd_tls_ccert_vd,
-+				  var_smtpd_tls_ask_ccert);
-+#else
-+	msg_warn("TLS has been selected but TLS support is not compiled in");
-+#endif
-+    }
-+#endif
- 
-     /*
-      * flush client.
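Review bot: when geteuid() is not 0 and TLS is configured, this block silently skips pfixtls_init_serverengine; with smtpd_enforce_tls that leaves every subsequent session unable to proceed (530 for all commands, 454 for STARTTLS because pfixtls_serverengine stays unset) with nothing in the log explaining why. The comment says this only happens for "sendmail -bs", so at least emit a msg_warn when the condition is hit outside that case, or state in the comment why a warning is deliberately omitted. Also the inner "if" is indented with two spaces rather than the tab used elsewhere.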
-@@ -2677,6 +3010,9 @@
-     if (var_smtpd_crate_limit || var_smtpd_cconn_limit)
- 	anvil_clnt = anvil_clnt_create();
- #endif
-+#ifdef USE_TLS
-+
-+#endif
- }
- 
- /* main - the main program */
-@@ -2713,6 +3049,11 @@
- 	VAR_SMTPD_CRATE_LIMIT, DEF_SMTPD_CRATE_LIMIT, &var_smtpd_crate_limit, 0, 0,
- 	VAR_SMTPD_CCONN_LIMIT, DEF_SMTPD_CCONN_LIMIT, &var_smtpd_cconn_limit, 0, 0,
- #endif
-+#ifdef USE_TLS
-+#ifdef USE_SSL
-+	VAR_SMTPD_TLS_CCERT_VD, DEF_SMTPD_TLS_CCERT_VD, &var_smtpd_tls_ccert_vd, 0, 0,
-+#endif
-+#endif
- 	0,
-     };
-     static CONFIG_TIME_TABLE time_table[] = {
-@@ -2723,6 +3064,11 @@
- 	VAR_SMTPD_POLICY_TMOUT, DEF_SMTPD_POLICY_TMOUT, &var_smtpd_policy_tmout, 1, 0,
- 	VAR_SMTPD_POLICY_IDLE, DEF_SMTPD_POLICY_IDLE, &var_smtpd_policy_idle, 1, 0,
- 	VAR_SMTPD_POLICY_TTL, DEF_SMTPD_POLICY_TTL, &var_smtpd_policy_ttl, 1, 0,
-+#ifdef USE_TLS
-+#ifdef USE_SSL
-+	VAR_SMTPD_STARTTLS_TMOUT, DEF_SMTPD_STARTTLS_TMOUT, &var_smtpd_starttls_tmout, 1, 0,
-+#endif
-+#endif
- 	0,
-     };
-     static CONFIG_BOOL_TABLE bool_table[] = {
-@@ -2736,6 +3082,17 @@
- 	VAR_SHOW_UNK_RCPT_TABLE, DEF_SHOW_UNK_RCPT_TABLE, &var_show_unk_rcpt_table,
- 	VAR_SMTPD_REJ_UNL_FROM, DEF_SMTPD_REJ_UNL_FROM, &var_smtpd_rej_unl_from,
- 	VAR_SMTPD_REJ_UNL_RCPT, DEF_SMTPD_REJ_UNL_RCPT, &var_smtpd_rej_unl_rcpt,
-+#ifdef USE_TLS
-+	VAR_SMTPD_USE_TLS, DEF_SMTPD_USE_TLS, &var_smtpd_use_tls,
-+	VAR_SMTPD_ENFORCE_TLS, DEF_SMTPD_ENFORCE_TLS, &var_smtpd_enforce_tls,
-+	VAR_SMTPD_TLS_WRAPPER, DEF_SMTPD_TLS_WRAPPER, &var_smtpd_tls_wrappermode,
-+#ifdef USE_SSL
-+	VAR_SMTPD_TLS_AUTH_ONLY, DEF_SMTPD_TLS_AUTH_ONLY, &var_smtpd_tls_auth_only,
-+	VAR_SMTPD_TLS_ACERT, DEF_SMTPD_TLS_ACERT, &var_smtpd_tls_ask_ccert,
-+	VAR_SMTPD_TLS_RCERT, DEF_SMTPD_TLS_RCERT, &var_smtpd_tls_req_ccert,
-+	VAR_SMTPD_TLS_RECHEAD, DEF_SMTPD_TLS_RECHEAD, &var_smtpd_tls_received_header,
-+#endif
-+#endif
- 	0,
-     };
-     static CONFIG_STR_TABLE str_table[] = {
-@@ -2777,6 +3134,12 @@
- #ifdef SNAPSHOT
- 	VAR_SMTPD_HOGGERS, DEF_SMTPD_HOGGERS, &var_smtpd_hoggers, 0, 0,
- #endif
-+#ifdef USE_TLS
-+#ifdef USE_SSL
-+	VAR_RELAY_CCERTS, DEF_RELAY_CCERTS, &var_relay_ccerts, 0, 0,
-+	VAR_SMTPD_SASL_TLS_OPTS, DEF_SMTPD_SASL_TLS_OPTS, &var_smtpd_sasl_tls_opts, 0, 0,
-+#endif
-+#endif
- 	0,
-     };
-     static CONFIG_RAW_TABLE raw_table[] = {
-@@ -2799,3 +3162,6 @@
- 		       MAIL_SERVER_POST_INIT, post_jail_init,
- 		       0);
- }
-+#ifdef USE_TLS
-+
-+#endif
-diff -urNad postfix-release/src/smtpd/smtpd_check.c /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_check.c
---- postfix-release/src/smtpd/smtpd_check.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_check.c	2005-02-03 10:22:13.074093565 -0700
-@@ -151,6 +151,7 @@
- #include <setjmp.h>
- #include <stdlib.h>
- #include <unistd.h>
-+#include <errno.h>
- 
- #ifdef STRCASECMP_IN_STRINGS_H
- #include <strings.h>
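Review bot: nothing in the visible changes to smtpd_check.c references errno directly; the only user is the GAI_STRERROR macro, which this patch defines in smtpd_peer.c rather than in a shared header. If smtpd_check.c is meant to use that macro (it does in check_server_access below), move the definition to smtpd.h so both files share one copy; otherwise this include is unneeded.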
-@@ -185,6 +186,9 @@
- #include <string_list.h>
- #include <namadr_list.h>
- #include <domain_list.h>
-+#ifdef USE_TLS
-+#include <string_list.h>
-+#endif
- #include <mail_params.h>
- #include <canon_addr.h>
- #include <resolve_clnt.h>
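Review bot: the "#include <string_list.h>" added under "#ifdef USE_TLS" duplicates the unconditional "#include <string_list.h>" three lines above it; drop the conditional one.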
-@@ -269,6 +273,11 @@
- static DOMAIN_LIST *relay_domains;
- static NAMADR_LIST *mynetworks;
- static NAMADR_LIST *perm_mx_networks;
-+#ifdef USE_TLS
-+#ifdef USE_SSL
-+static MAPS *relay_ccerts;
-+#endif
-+#endif
- 
-  /*
-   * How to do parent domain wildcard matching, if any.
-@@ -352,6 +361,8 @@
-     defer_if(&(state)->defer_if_reject, (class), (fmt), (a1), (a2))
- #define DEFER_IF_REJECT3(state, class, fmt, a1, a2, a3) \
-     defer_if(&(state)->defer_if_reject, (class), (fmt), (a1), (a2), (a3))
-+#define DEFER_IF_REJECT4(state, class, fmt, a1, a2, a3, a4) \
-+    defer_if(&(state)->defer_if_reject, (class), (fmt), (a1), (a2), (a3), (a4))
- #define DEFER_IF_PERMIT2(state, class, fmt, a1, a2) do { \
-     if ((state)->warn_if_reject == 0) \
- 	defer_if(&(state)->defer_if_permit, (class), (fmt), (a1), (a2)); \
-@@ -563,6 +574,12 @@
-     perm_mx_networks =
- 	namadr_list_init(match_parent_style(VAR_PERM_MX_NETWORKS),
- 			 var_perm_mx_networks);
-+#ifdef USE_TLS
-+#ifdef USE_SSL
-+    relay_ccerts = maps_create(VAR_RELAY_CCERTS, var_relay_ccerts,
-+			       DICT_FLAG_LOCK);
-+#endif
-+#endif
- 
-     /*
-      * Pre-parse and pre-open the recipient maps.
-@@ -1056,6 +1073,38 @@
- 
- static int permit_auth_destination(SMTPD_STATE *state, char *recipient);
- 
-+#ifdef USE_TLS
-+/* permit_tls_clientcerts - OK/DUNNO for message relaying */
-+
-+#ifdef USE_SSL
-+static int permit_tls_clientcerts(SMTPD_STATE *state, int permit_all_certs)
-+{
-+    char   *low_name;
-+    const char *found;
-+
-+    if (state->tls_info.peer_verified && permit_all_certs) {
-+	if (msg_verbose)
-+	    msg_info("Relaying allowed for all verified client certificates");
-+	return(SMTPD_CHECK_OK);
-+    }
-+
-+    if (state->tls_info.peer_verified && state->tls_info.peer_fingerprint) {
-+	low_name = lowercase(mystrdup(state->tls_info.peer_fingerprint));
-+	found = maps_find(relay_ccerts, low_name, DICT_FLAG_FIXED);
-+	myfree(low_name);
-+	if (found) {
-+	    if (msg_verbose)
-+		msg_info("Relaying allowed for certified client: %s", found);
-+	    return (SMTPD_CHECK_OK);
-+	} else if (msg_verbose)
-+	    msg_info("relay_clientcerts: No match for fingerprint '%s'",
-+		     state->tls_info.peer_fingerprint);
-+    }
-+    return (SMTPD_CHECK_DUNNO);
-+}
-+#endif
-+
-+#endif
- /* check_relay_domains - OK/FAIL for message relaying */
- 
- static int check_relay_domains(SMTPD_STATE *state, char *recipient,
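Review bot: the fingerprint lookup only runs when state->tls_info.peer_verified is set, so a client certificate listed by fingerprint in relay_clientcerts but not signed by a CA in the server's trust store will never match; if that is intended, say so in the documentation for VAR_RELAY_CCERTS, because fingerprint lists are commonly used precisely for self-signed client certificates. permit_tls_all_clientcerts grants relaying to any certificate that chains to any trusted CA, so the docs also need a clear warning against combining it with a public CA bundle. Style: "return(SMTPD_CHECK_OK)" and "return (SMTPD_CHECK_OK)" are both used within a few lines.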
-@@ -1196,8 +1245,16 @@
- static int all_auth_mx_addr(SMTPD_STATE *state, char *host,
- 		            const char *reply_name, const char *reply_class)
- {
-+    size_t len;
-     char   *myname = "all_auth_mx_addr";
--    struct in_addr addr;
-+    char   *addr;
-+    struct in_addr addr4;
-+#ifdef INET6
-+    struct in6_addr addr6;
-+    char   hbuf[NI_MAXHOST];
-+#else
-+    char   *hbuf;
-+#endif
-     DNS_RR *rr;
-     DNS_RR *addr_list;
-     int     dns_status;
-@@ -1214,7 +1271,9 @@
-     /*
-      * Verify that all host addresses are within permit_mx_backup_networks.
-      */
--    dns_status = dns_lookup(host, T_A, 0, &addr_list, (VSTRING *) 0, (VSTRING *) 0);
-+    dns_status = dns_lookup_types(host, 0, (DNS_RR **) &addr_list,
-+				  (VSTRING *) 0,
-+				  (VSTRING *) 0, RR_ADDR_TYPES, 0);
-     if (dns_status != DNS_OK) {
- 	DEFER_IF_REJECT3(state, MAIL_ERROR_POLICY,
- 	"450 <%s>: %s rejected: Unable to look up host %s as mail exchanger",
-@@ -1222,16 +1281,28 @@
- 	return (NOPE);
-     }
-     for (rr = addr_list; rr != 0; rr = rr->next) {
--	if (rr->data_len > sizeof(addr)) {
-+#ifdef INET6
-+	if (rr->type == T_AAAA)
-+	    len = sizeof(addr6), addr = (char *) &addr6;
-+	else /* T_A */
-+#endif
-+	    len = sizeof(addr4), addr = (char *) &addr4;
-+	if (rr->data_len > len) {
- 	    msg_warn("%s: skipping address length %d for host %s",
- 		     state->queue_id, rr->data_len, host);
- 	    continue;
- 	}
--	memcpy((char *) &addr, rr->data, sizeof(addr));
-+	memcpy(addr, rr->data, len);
-+#ifdef INET6
-+	inet_ntop(rr->type == T_AAAA ? AF_INET6 : AF_INET,
-+		addr, hbuf, sizeof(hbuf));
-+#else
-+	hbuf = inet_ntoa(*(struct in_addr *)addr);
-+#endif
- 	if (msg_verbose)
--	    msg_info("%s: checking: %s", myname, inet_ntoa(addr));
-+	    msg_info("%s: checking: %s", myname, hbuf);
- 
--	if (!namadr_list_match(perm_mx_networks, host, inet_ntoa(addr))) {
-+	if (!namadr_list_match(perm_mx_networks, host, hbuf)) {
- 
- 	    /*
- 	     * Reject: at least one IP address is not listed in
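Review bot: "if (rr->data_len > len)" rejects over-long records but accepts short ones, and the following "memcpy(addr, rr->data, len)" then reads past the end of rr->data; the comparison should be "!=" (the original code had the same shape, but this hunk rewrites both lines). The comma-operator assignments "len = sizeof(addr6), addr = (char *) &addr6;" in an if/else that straddles "#ifdef INET6" are easy to break; use braces. The inet_ntop return value is unchecked, so hbuf could be logged uninitialised on failure.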
-@@ -1239,7 +1310,7 @@
- 	     */
- 	    if (msg_verbose)
- 		msg_info("%s: address %s for %s does not match %s",
--		       myname, inet_ntoa(addr), host, VAR_PERM_MX_NETWORKS);
-+		       myname, hbuf, host, VAR_PERM_MX_NETWORKS);
- 	    dns_rr_free(addr_list);
- 	    return (NOPE);
- 	}
-@@ -1253,6 +1324,50 @@
- static int has_my_addr(SMTPD_STATE *state, const char *host,
- 		            const char *reply_name, const char *reply_class)
- {
-+#ifdef INET6
-+    char   *myname = "has_my_addr";
-+    struct addrinfo hints, *res, *res0;
-+    int error;
-+    char hbuf[NI_MAXHOST];
-+
-+    if (msg_verbose)
-+	msg_info("%s: host %s", myname, host);
-+
-+    /*
-+     * If we can't lookup the host, defer rather than reject
-+     */
-+#define YUP	1
-+#define NOPE	0
-+
-+    memset(&hints, 0, sizeof(hints));
-+    hints.ai_family = PF_UNSPEC;
-+    hints.ai_socktype = SOCK_DGRAM;
-+    error = getaddrinfo(host, NULL, &hints, &res0);
-+    if (error) {
-+	DEFER_IF_REJECT4(state, MAIL_ERROR_POLICY,
-+	  "450 <%s>: %s rejected: Mail exchanger lookup error for %s: %s",
-+			 reply_name, reply_class, host, gai_strerror(error));
-+	return (NOPE);
-+    }
-+    for (res = res0; res; res = res->ai_next) {
-+	if (msg_verbose) {
-+	    if (getnameinfo(res->ai_addr, res->ai_addrlen, hbuf, sizeof(hbuf),
-+		    NULL, 0, NI_NUMERICHOST)) {
-+		strncpy(hbuf, "???", sizeof(hbuf));
-+	    }
-+	    msg_info("%s: addr %s", myname, hbuf);
-+	}
-+	if (own_inet_addr(res->ai_addr)) {
-+	    freeaddrinfo(res0);
-+	    return (YUP);
-+	}
-+    }
-+    freeaddrinfo(res0);
-+    if (msg_verbose)
-+	msg_info("%s: host %s: no match", myname, host);
-+
-+    return (NOPE);
-+#else
-     char   *myname = "has_my_addr";
-     struct in_addr addr;
-     char  **cpp;
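Review bot: the "#define YUP 1" / "#define NOPE 0" inside the INET6 branch duplicate definitions that must already be in scope, since all_auth_mx_addr above this function already returns NOPE; drop them from the copied block. Using SOCK_DGRAM in the hints to de-duplicate results is fine but deserves a one-line comment, as it looks like a mistake in a function that never opens a socket.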
-@@ -1291,6 +1406,7 @@
- 	msg_info("%s: host %s: no match", myname, host);
- 
-     return (NOPE);
-+#endif
- }
- 
- /* i_am_mx - is this machine listed as MX relay */
-@@ -2029,6 +2145,10 @@
-     char   *addr;
-     const char *value;
-     DICT   *dict;
-+    int     delim;
-+#ifdef INET6
-+    struct in6_addr a6;
-+#endif
- 
-     if (msg_verbose)
- 	msg_info("%s: %s", myname, address);
-@@ -2039,6 +2159,12 @@
- #define CHK_ADDR_RETURN(x,y) { *found = y; return(x); }
- 
-     addr = STR(vstring_strcpy(error_text, address));
-+#ifdef INET6
-+    if (inet_pton(AF_INET6, addr, &a6) == 1)
-+	delim = ':';
-+    else
-+#endif
-+	delim = '.';
- 
-     if ((dict = dict_handle(table)) == 0)
- 	msg_panic("%s: dictionary not found: %s", myname, table);
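Review bot: choosing ':' as the delimiter makes the partial-match walk operate on the client address text as received, and IPv6 text is not canonical: "::1" and "0:0:0:0:0:0:0:1", or "2001:DB8::" and "2001:db8::", produce different prefixes, so an access table entry matches only when the operator happens to write the same representation. The code already has the parsed address in a6 from inet_pton; re-render it with inet_ntop before the loop and document that table keys must be in that lowercase, zero-compressed form.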
-@@ -2052,7 +2178,7 @@
- 		msg_fatal("%s: table lookup problem", table);
- 	}
- 	flags = PARTIAL;
--    } while (split_at_right(addr, '.'));
-+    } while (split_at_right(addr, delim));
- 
-     CHK_ADDR_RETURN(SMTPD_CHECK_DUNNO, MISSED);
- }
-@@ -2110,11 +2236,17 @@
-     DNS_RR *server_list;
-     DNS_RR *server;
-     int     found = 0;
-+#ifdef INET6
-+    int     error;
-+    char   *addr;
-+    struct addrinfo hints, *res, *res0;
-+#else
-     struct in_addr addr;
-     struct hostent *hp;
-+    char  **cpp;
-+#endif
-     char   *addr_string;
-     int     status;
--    char  **cpp;
-     static DNS_FIXED fixed;
- 
-     /*
-@@ -2175,6 +2307,50 @@
-     /*
-      * Check the hostnames first, then the addresses.
-      */
-+#ifdef INET6
-+    memset(&hints, 0, sizeof(hints));
-+    hints.ai_family = PF_UNSPEC;
-+    hints.ai_socktype = SOCK_DGRAM;
-+    hints.ai_flags = AI_CANONNAME;
-+    for (server = server_list; server != 0; server = server->next) {
-+	error = getaddrinfo((char *)server->data, NULL, &hints, &res0);
-+	if (error) {
-+	    msg_warn("Unable to look up %s host %s for %s %s: %s",
-+		dns_strtype(type), (char *) server->data,
-+		reply_class, reply_name, GAI_STRERROR(error));
-+	    continue;
-+	}
-+	if (msg_verbose)
-+	    msg_info("%s: %s hostname check: %s",
-+		     myname, dns_strtype(type), (char *) server->data);
-+	if ((status = check_domain_access(state, table, (char *) server->data,
-+					  FULL, &found, reply_name, reply_class,
-+					  def_acl)) != 0 || found)
-+	    CHECK_SERVER_RETURN(status);
-+	for (res = res0; res; res = res->ai_next) {
-+	    switch (res->ai_family) {
-+	    case AF_INET6:
-+		addr = (char *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
-+		break;
-+	    case AF_INET:
-+		addr = (char *)&((struct sockaddr_in *)res->ai_addr)->sin_addr;
-+		break;
-+	    default:
-+		msg_warn("%s: unknown address family %d for %s",
-+			 myname, res->ai_family, (char *) server->data);
-+		continue;
-+	    }
-+	    addr_string = mymalloc(NI_MAXHOST);
-+	    inet_ntop(res->ai_family, addr, addr_string, NI_MAXHOST);
-+	    status = check_addr_access(state, table, addr_string, FULL,
-+				       &found, reply_name, reply_class,
-+				       def_acl);
-+	    myfree(addr_string);
-+	    if (status != 0 || found)
-+		CHECK_SERVER_RETURN(status);
-+	}
-+    }
-+#else
-     for (server = server_list; server != 0; server = server->next) {
- 	if (msg_verbose)
- 	    msg_info("%s: %s hostname check: %s",
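Review bot: the addrinfo list obtained from getaddrinfo into res0 is never passed to freeaddrinfo anywhere in the INET6 loop, and CHECK_SERVER_RETURN returns out of the loop mid-list, so every MX/NS host checked leaks a list; add freeaddrinfo(res0) at the end of each iteration and before each CHECK_SERVER_RETURN. GAI_STRERROR is used here but, as far as this patch shows, only defined in smtpd_peer.c, while has_my_addr above uses plain gai_strerror, which hides the errno detail for EAI_SYSTEM; pick one and share it from a header. mymalloc(NI_MAXHOST) per address can be a stack buffer.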
-@@ -2210,6 +2386,7 @@
- 		CHECK_SERVER_RETURN(status);
- 	}
-     }
-+#endif
-     CHECK_SERVER_RETURN(SMTPD_CHECK_DUNNO);
- }
- 
-@@ -2475,6 +2652,7 @@
-      * Do the query. If the DNS lookup produces no definitive reply, give the
-      * requestor the benefit of the doubt. We can't block all email simply
-      * because an RBL server is unavailable.
-+     * Don't do this for AAAA records. Yet.
-      */
-     why = vstring_alloc(10);
-     dns_status = dns_lookup(query, T_A, 0, &addr_list, (VSTRING *) 0, why);
-@@ -2644,12 +2822,15 @@
-     int     i;
-     SMTPD_RBL_STATE *rbl;
-     const char *reply_addr;
-+#ifdef INET6
-+    struct in_addr a;
-+#endif
- 
-     if (msg_verbose)
- 	msg_info("%s: %s %s", myname, reply_class, addr);
- 
-     /*
--     * IPv4 only for now
-+     * IPv4 / IPv6-mapped IPv4 (if supported) only for now
-      */
- #ifdef INET6
-     if (inet_pton(AF_INET, addr, &a) != 1)
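Review bot: per the updated comment and the inet_pton(AF_INET, ...) test, reject_rbl_client and the other RBL restrictions do nothing for native IPv6 clients; that is an operational fact administrators need to see in the parameter documentation, not only in a code comment.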
-@@ -3238,6 +3419,14 @@
- #else
- 		msg_warn("restriction `%s' ignored: no SASL support", name);
- #endif
-+#ifdef USE_TLS
-+#ifdef USE_SSL
-+	} else if (strcasecmp(name, PERMIT_TLS_ALL_CLIENTCERTS) == 0) {
-+	  status = permit_tls_clientcerts(state, 1);
-+	} else if (strcasecmp(name, PERMIT_TLS_CLIENTCERTS) == 0) {
-+	  status = permit_tls_clientcerts(state, 0);
-+#endif
-+#endif
- 	} else if (strcasecmp(name, REJECT_UNKNOWN_RCPTDOM) == 0) {
- 	    if (state->recipient)
- 		status = reject_unknown_address(state, state->recipient,
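Review bot: the two "status = permit_tls_clientcerts(...)" lines are indented with spaces instead of the tab used by every neighbouring branch in this restriction dispatcher.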
-@@ -3948,6 +4137,9 @@
- char   *var_etrn_checks = "";
- char   *var_data_checks = "";
- char   *var_relay_domains = "";
-+#ifdef USE_TLS
-+char   *var_relay_ccerts = "";
-+#endif
- char   *var_mynetworks = "";
- char   *var_notify_classes = "";
- 
-diff -urNad postfix-release/src/smtpd/smtpd.h /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd.h
---- postfix-release/src/smtpd/smtpd.h	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd.h	2005-02-03 10:22:13.075093342 -0700
-@@ -32,6 +32,9 @@
-   * Global library.
-   */
- #include <mail_stream.h>
-+#ifdef USE_TLS
-+#include <pfixtls.h>
-+#endif
- 
-  /*
-   * Variables that keep track of conversation state. There is only one SMTP
-@@ -62,6 +65,7 @@
-     time_t  time;			/* start of MAIL FROM transaction */
-     char   *name;			/* client hostname */
-     char   *addr;			/* client host address string */
-+    char   *addr_tag;			/* address family prefix */
-     char   *namaddr;			/* combined name and address */
-     int     peer_code;			/* 2=ok, 4=soft, 5=hard */
-     int     error_count;		/* reset after DOT */
-@@ -136,6 +140,13 @@
-      * XFORWARD server state.
-      */
-     SMTPD_XFORWARD_ATTR xforward;	/* up-stream logging info */
-+#ifdef USE_TLS
-+    int     tls_active;
-+    int     tls_use_tls;
-+    int     tls_enforce_tls;
-+    int     tls_auth_only;
-+    tls_info_t tls_info;
-+#endif
- } SMTPD_STATE;
- 
- #define SMTPD_STATE_XFORWARD_INIT  (1<<0)	/* xforward preset done */
-diff -urNad postfix-release/src/smtpd/smtpd_peer.c /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_peer.c
---- postfix-release/src/smtpd/smtpd_peer.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_peer.c	2005-02-03 10:22:13.076093119 -0700
-@@ -63,6 +63,20 @@
- #include <netdb.h>
- #include <string.h>
- 
-+/* Utility library. */
-+
-+#include <msg.h>
-+#include <mymalloc.h>
-+#include <valid_hostname.h>
-+#include <stringops.h>
-+#ifdef INET6
-+#include <inet_addr_list.h>	/* for NI_WITHSCOPEID */
-+#endif
-+
-+/* Global library. */
-+
-+#include <mail_proto.h>
-+
-  /*
-   * Older systems don't have h_errno. Even modern systems don't have
-   * hstrerror().
-@@ -84,17 +98,11 @@
-     )
- #endif
- 
--/* Utility library. */
--
--#include <msg.h>
--#include <mymalloc.h>
--#include <valid_hostname.h>
--#include <stringops.h>
--
--/* Global library. */
--
--#include <mail_proto.h>
--
-+#ifdef INET6
-+#define GAI_STRERROR(error) \
-+	((error == EAI_SYSTEM) ? strerror(errno) : gai_strerror(error))
-+#endif
-+	
- /* Application-specific. */
- 
- #include "smtpd.h"
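Review bot: GAI_STRERROR evaluates its argument twice and does not parenthesise it; write "((error) == EAI_SYSTEM) ? strerror(errno) : gai_strerror(error)" and, since smtpd_check.c uses the same macro, define it once in smtpd.h. Make sure <errno.h> is included wherever it is expanded. The line after the "#endif" contains only a tab.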
-@@ -103,21 +111,24 @@
- 
- void    smtpd_peer_init(SMTPD_STATE *state)
- {
--    struct sockaddr_in sin;
--    SOCKADDR_SIZE len = sizeof(sin);
-+    char  *myname = "smtpd_peer_init";
-+#ifdef INET6
-+    struct sockaddr_storage ss;
-+#else
-+    struct sockaddr ss;
-+    struct in_addr *in;
-     struct hostent *hp;
--    int     i;
-+#endif
-+    struct sockaddr *sa;
-+    SOCKADDR_SIZE len;
- 
--    /*
--     * Avoid suprious complaints from Purify on Solaris.
--     */
--    memset((char *) &sin, 0, len);
-+    sa = (struct sockaddr *)&ss;
-+    len = sizeof(ss);
- 
-     /*
-      * Look up the peer address information.
-      */
--    if (getpeername(vstream_fileno(state->client),
--		    (struct sockaddr *) & sin, &len) >= 0) {
-+    if (getpeername(vstream_fileno(state->client), sa, &len) >= 0) {
- 	errno = 0;
-     }
- 
-@@ -133,24 +144,111 @@
-     /*
-      * Look up and "verify" the client hostname.
-      */
--    else if (errno == 0 && sin.sin_family == AF_INET) {
--	state->addr = mystrdup(inet_ntoa(sin.sin_addr));
--	hp = gethostbyaddr((char *) &(sin.sin_addr),
--			   sizeof(sin.sin_addr), AF_INET);
--	if (hp == 0) {
-+    else if (errno == 0 && (sa->sa_family == AF_INET
-+#ifdef INET6
-+			    || sa->sa_family == AF_INET6
-+#endif
-+	     )) {
-+#ifdef INET6
-+	char hbuf[NI_MAXHOST];
-+	char abuf[NI_MAXHOST];
-+	char rabuf[NI_MAXHOST];
-+	struct addrinfo hints, *res0 = NULL, *res;
-+	char *colonp;
-+#else
-+	char abuf[sizeof("255.255.255.255") + 1];
-+	char *hbuf;
-+#endif
-+	int error = -1;
-+
-+#ifdef INET6
-+	error = getnameinfo(sa, len, abuf, sizeof(abuf), NULL, 0,
-+			    NI_NUMERICHOST | NI_WITHSCOPEID);
-+	if (error)
-+	    msg_fatal("%s: numeric getnameinfo lookup for peer: error %s",
-+		      myname, GAI_STRERROR(error));
-+
-+	/*
-+	 * Convert an IPv4-mapped IPv6-address to 'true' IPv4 address
-+	 * early on. We have no need for the mapped form in logging,
-+	 * hostname verification and access checks.
-+	 */
-+	if (sa->sa_family == AF_INET6
-+	    && IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)sa)->sin6_addr)
-+	    && (colonp = strrchr(abuf, ':')) != NULL) {
-+	    struct addrinfo hints, *res0;
-+	    if (msg_verbose > 1)
-+		msg_info("%s: rewriting V4-mapped address \"%s\" to \"%s\"",
-+			 myname, abuf, colonp + 1);
-+	    state->addr = mystrdup(colonp + 1);
-+	    /*
-+	     * We create new socket information so getnameinfo() will be
-+	     * performed on the rewritten IPv4 address.
-+	     */
-+	    memset(&hints, 0, sizeof(hints));
-+	    hints.ai_family = AF_INET;
-+	    hints.ai_socktype = SOCK_STREAM;
-+	    hints.ai_flags = AI_NUMERICHOST;
-+	    error = getaddrinfo(state->addr, NULL, &hints, &res0);
-+	    if (error)
-+		msg_panic("%s: getaddrinfo(\"%s\", NULL, "
-+			  "{AF_INET,SOCK_STREAM,AI_NUMERICHOST}, "
-+			  "&res0): %s", myname, state->addr,
-+			  GAI_STRERROR(error));
-+	    len = res0->ai_addrlen;
-+	    memcpy((char *)sa, res0->ai_addr, len);
-+	} else {
-+	    state->addr = mystrdup(abuf);
-+	}
-+
-+	/*
-+	 * RFC 2821 section 4.1.3: IPv6 address literals in SMTP
-+	 * mail headers are prepended with tag 'IPv6' and a colon.
-+	 */
-+	if (sa->sa_family == AF_INET6)
-+	    state->addr_tag = "IPv6:";
-+
-+	error = getnameinfo(sa, len, hbuf, sizeof(hbuf), NULL, 0, NI_NAMEREQD);
-+#else
-+	in = &((struct sockaddr_in *)sa)->sin_addr;
-+	inet_ntop(AF_INET, in, abuf, sizeof(abuf));
-+	state->addr = mystrdup(abuf);
-+	hbuf = NULL;
-+	hp = gethostbyaddr((char *)in, sizeof(*in), AF_INET);
-+	if (hp) {
-+	    error = 0;
-+		hbuf = mystrdup(hp->h_name);
-+	} else
-+	    error = 1;
-+#endif
-+	if (error) {
- 	    state->name = mystrdup(CLIENT_NAME_UNKNOWN);
-+#ifdef INET6
-+	    if (error != EAI_NONAME)
-+		msg_warn("%s: getnameinfo(%s,,,,,,NI_NAMEREQD) error %s",
-+			 myname, abuf, GAI_STRERROR(error));
-+	    /*
-+	     * XXX: There are other error codes from GAI that should
-+	     * result in only a temporary error code from this daemon.
-+	     * This also applies to get{addr,name}info() results
-+	     * below.
-+	     */
-+	    state->peer_code = (error == EAI_AGAIN ?
-+				SMTPD_PEER_CODE_TEMP : SMTPD_PEER_CODE_PERM);
-+#else
- 	    state->peer_code = (h_errno == TRY_AGAIN ?
- 				SMTPD_PEER_CODE_TEMP : SMTPD_PEER_CODE_PERM);
--	} else if (valid_hostaddr(hp->h_name, DONT_GRIPE)) {
-+#endif
-+	} else if (valid_hostaddr(hbuf, DONT_GRIPE)) {
- 	    msg_warn("numeric result %s in address->name lookup for %s",
--		     hp->h_name, state->addr);
-+		     hbuf, state->addr);
- 	    state->name = mystrdup(CLIENT_NAME_UNKNOWN);
- 	    state->peer_code = SMTPD_PEER_CODE_PERM;
--	} else if (!valid_hostname(hp->h_name, DONT_GRIPE)) {
-+	} else if (!valid_hostname(hbuf, DONT_GRIPE)) {
- 	    state->name = mystrdup(CLIENT_NAME_UNKNOWN);
- 	    state->peer_code = SMTPD_PEER_CODE_PERM;
- 	} else {
--	    state->name = mystrdup(hp->h_name);	/* hp->name is clobbered!! */
-+	    state->name = mystrdup(hbuf);
- 	    state->peer_code = SMTPD_PEER_CODE_OK;
- 
- 	    /*
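Review bot: inside the IPv4-mapped branch, "struct addrinfo hints, *res0;" shadows the hints and res0 declared at the top of the block, and the list that getaddrinfo writes into this inner res0 is never freed (the later "if (res0) freeaddrinfo(res0);" refers to the outer variable); after copying res0->ai_addr into sa, call freeaddrinfo on the inner list, or reuse the outer variables. Minor: "hbuf = mystrdup(hp->h_name);" in the non-INET6 branch is indented one level too deep.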
-@@ -162,17 +260,55 @@
- 	state->peer_code = code; \
-     }
- 
--	    hp = gethostbyname(state->name);	/* clobbers hp->name!! */
-+#ifdef INET6
-+	    memset(&hints, 0, sizeof(hints));
-+	    hints.ai_family = AF_UNSPEC;
-+	    hints.ai_socktype = SOCK_STREAM;
-+	    error = getaddrinfo(state->name, NULL, &hints, &res0);
-+	    if (error) {
-+		msg_warn("%s: %s: hostname %s verification failed: %s",
-+			 myname, state->addr, state->name,
-+			 GAI_STRERROR(error));
-+		REJECT_PEER_NAME(state, (error == EAI_AGAIN ?
-+				SMTPD_PEER_CODE_TEMP : SMTPD_PEER_CODE_PERM));
-+	    } else {
-+		for (res = res0; res; res = res->ai_next) {
-+		    if (res->ai_family != sa->sa_family)
-+			continue;
-+		    error = getnameinfo(res->ai_addr, res->ai_addrlen,
-+					rabuf, sizeof(rabuf), NULL, 0,
-+					NI_NUMERICHOST | NI_WITHSCOPEID);
-+		    if (error) {
-+			msg_warn("%s: %s: hostname %s verification failed: %s",
-+				 myname, state->addr, state->name,
-+				 GAI_STRERROR(error));
-+			REJECT_PEER_NAME(state, SMTPD_PEER_CODE_TEMP);
-+			break;
-+		    }
-+		    if (strcmp(state->addr, rabuf) == 0)
-+			break;	    /* keep peer name */
-+		}
-+		if (res == NULL) {
-+		    msg_warn("%s: %s: address not listed for hostname %s",
-+			     myname, state->addr, state->name);
-+		    REJECT_PEER_NAME(state, SMTPD_PEER_CODE_PERM);
-+		}
-+	    }
-+	    if (res0)
-+		freeaddrinfo(res0);
-+#else
-+	    hp = gethostbyname(state->name);
- 	    if (hp == 0) {
- 		msg_warn("%s: hostname %s verification failed: %s",
- 			 state->addr, state->name, HSTRERROR(h_errno));
- 		REJECT_PEER_NAME(state, (h_errno == TRY_AGAIN ?
--			      SMTPD_PEER_CODE_TEMP : SMTPD_PEER_CODE_PERM));
--	    } else if (hp->h_length != sizeof(sin.sin_addr)) {
-+			    SMTPD_PEER_CODE_TEMP : SMTPD_PEER_CODE_PERM));
-+	    } else if (hp->h_length != sizeof(*in)) {
- 		msg_warn("%s: hostname %s verification failed: bad address size %d",
- 			 state->addr, state->name, hp->h_length);
- 		REJECT_PEER_NAME(state, SMTPD_PEER_CODE_PERM);
- 	    } else {
-+		int i;
- 		for (i = 0; /* void */ ; i++) {
- 		    if (hp->h_addr_list[i] == 0) {
- 			msg_warn("%s: address not listed for hostname %s",
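Review bot: setting hints.ai_family = AF_UNSPEC and then skipping every result whose family differs from sa->sa_family asks the resolver for both A and AAAA on every connection when only one family can ever match; set hints.ai_family = sa->sa_family. The forward confirmation itself (reject the name unless one of its addresses equals state->addr) is the right check, and a comment naming it as such would help the next reader.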
-@@ -180,12 +316,11 @@
- 			REJECT_PEER_NAME(state, SMTPD_PEER_CODE_PERM);
- 			break;
- 		    }
--		    if (memcmp(hp->h_addr_list[i],
--			       (char *) &sin.sin_addr,
--			       sizeof(sin.sin_addr)) == 0)
-+		    if (memcmp(hp->h_addr_list[i], (char *)in, sizeof(*in)) == 0)
- 			break;			/* keep peer name */
- 		}
- 	    }
-+#endif
- 	}
-     }
- 
-diff -urNad postfix-release/src/smtpd/smtpd_sasl_glue.c /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_sasl_glue.c
---- postfix-release/src/smtpd/smtpd_sasl_glue.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_sasl_glue.c	2005-02-03 10:22:13.076093119 -0700
-@@ -181,6 +181,16 @@
-     return SASL_OK;
- }
- 
-+static int smtpd_sasl_getpath(void * context, char ** path)
-+{
-+#if SASL_VERSION_MAJOR >= 2
-+    *path = strdup("/etc/postfix/sasl:/usr/lib/sasl2");
-+#else
-+    *path = strdup("/etc/postfix/sasl:/usr/lib/sasl");
-+#endif
-+    return SASL_OK;
-+}
-+
-  /*
-   * SASL callback interface structure. These call-backs have no per-session
-   * context.
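Review bot: the plugin search path "/etc/postfix/sasl:/usr/lib/sasl2" (or ".../sasl" for SASL 1) is hard-coded into the daemon; make it a build-time define or a main.cf parameter so packagers and operators can relocate it. Also state in a comment whether the path is resolved before or after smtpd enters its chroot jail, since that decides where the plugins must live, and confirm against the libsasl version in use who frees the strdup'd string, as this callback allocates on every call.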
-@@ -189,6 +199,7 @@
- 
- static sasl_callback_t callbacks[] = {
-     {SASL_CB_LOG, &smtpd_sasl_log, NO_CALLBACK_CONTEXT},
-+    {SASL_CB_GETPATH,&smtpd_sasl_getpath, NO_CALLBACK_CONTEXT},
-     {SASL_CB_LIST_END, 0, 0}
- };
- 
-diff -urNad postfix-release/src/smtpd/smtpd_sasl_proto.c /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_sasl_proto.c
---- postfix-release/src/smtpd/smtpd_sasl_proto.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_sasl_proto.c	2005-02-03 10:22:13.076093119 -0700
-@@ -129,6 +129,15 @@
- 	smtpd_chat_reply(state, "503 Error: authentication not enabled");
- 	return (-1);
-     }
-+#ifdef USE_TLS
-+#ifdef USE_SSL
-+    if (state->tls_auth_only && !state->tls_active) {
-+	state->error_mask |= MAIL_ERROR_PROTOCOL;
-+	smtpd_chat_reply(state, "538 Encryption required for requested authentication mechanism");
-+	return (-1);
-+    }
-+#endif
-+#endif
-     if (state->sasl_username) {
- 	state->error_mask |= MAIL_ERROR_PROTOCOL;
- 	smtpd_chat_reply(state, "503 Error: already authenticated");
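Review bot: the new check `if (state->tls_auth_only && !state->tls_active)` is wrapped in both `#ifdef USE_TLS` and `#ifdef USE_SSL`, while the tls_auth_only and tls_active fields are initialised under `#ifdef USE_TLS` alone in smtpd_state.c; a build with USE_TLS but without USE_SSL would therefore compile the fields yet silently drop this enforcement, which is exactly the kind of build-configuration gap that lets AUTH credentials go out in the clear. Use a single guard that matches the state definition. The rest is right: 538 with the "Encryption required for requested authentication mechanism" text is the standard reply for this condition, and testing it before the "already authenticated" branch means an unencrypted AUTH is refused before any credential is looked at.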
-diff -urNad postfix-release/src/smtpd/smtpd_state.c /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_state.c
---- postfix-release/src/smtpd/smtpd_state.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/smtpd/smtpd_state.c	2005-02-03 10:22:13.076093119 -0700
-@@ -77,6 +77,7 @@
-     state->notify_mask = name_mask(VAR_NOTIFY_CLASSES, mail_error_masks,
- 				   var_notify_classes);
-     state->helo_name = 0;
-+    state->addr_tag = "";
-     state->queue_id = 0;
-     state->cleanup = 0;
-     state->dest = 0;
-@@ -111,6 +112,13 @@
-     state->saved_flags = 0;
-     state->instance = vstring_alloc(10);
-     state->seqno = 0;
-+#ifdef USE_TLS
-+    state->tls_active = 0;
-+    state->tls_use_tls = 0;
-+    state->tls_enforce_tls = 0;
-+    state->tls_info = tls_info_zero;
-+    state->tls_auth_only = 0;
-+#endif
- 
- #ifdef USE_SASL_AUTH
-     if (SMTPD_STAND_ALONE(state))
-diff -urNad postfix-release/src/smtpstone/Makefile.in /tmp/dpep.cXJuVH/postfix-release/src/smtpstone/Makefile.in
---- postfix-release/src/smtpstone/Makefile.in	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/smtpstone/Makefile.in	2005-02-03 10:22:13.077092896 -0700
-@@ -33,7 +33,7 @@
- 
- tests:	test
- 
--update: ../../bin/smtp-source ../../bin/smtp-sink ../../bin/qmqp-source
-+update: ../../bin/smtp-source ../../bin/smtp-sink ../../bin/qmqp-source ../../bin/qmqp-sink
- 
- ../../bin/smtp-source: smtp-source
- 	cp $? $@
-diff -urNad postfix-release/src/smtpstone/qmqp-sink.c /tmp/dpep.cXJuVH/postfix-release/src/smtpstone/qmqp-sink.c
---- postfix-release/src/smtpstone/qmqp-sink.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/smtpstone/qmqp-sink.c	2005-02-03 10:22:13.077092896 -0700
-@@ -275,7 +275,7 @@
-     } else {
- 	if (strncmp(argv[optind], "inet:", 5) == 0)
- 	    argv[optind] += 5;
--	sock = inet_listen(argv[optind], backlog, BLOCKING);
-+	sock = inet_listen(argv[optind], backlog, BLOCKING, 1);
-     }
- 
-     /*
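Review bot: the extra argument in `sock = inet_listen(argv[optind], backlog, BLOCKING, 1);` is a bare magic number; inet_listen's new signature is not part of this hunk, so a reader cannot tell what the `1` selects. Give it a named constant, as BLOCKING already has, so the intent survives future signature changes.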
-diff -urNad postfix-release/src/smtpstone/smtp-sink.c /tmp/dpep.cXJuVH/postfix-release/src/smtpstone/smtp-sink.c
---- postfix-release/src/smtpstone/smtp-sink.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/smtpstone/smtp-sink.c	2005-02-03 10:22:13.077092896 -0700
-@@ -692,7 +692,7 @@
-     } else {
- 	if (strncmp(argv[optind], "inet:", 5) == 0)
- 	    argv[optind] += 5;
--	sock = inet_listen(argv[optind], backlog, BLOCKING);
-+	sock = inet_listen(argv[optind], backlog, BLOCKING, 1);
-     }
- 
-     /*
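Review bot: same point as for qmqp-sink.c: the trailing `1` in `sock = inet_listen(argv[optind], backlog, BLOCKING, 1);` should be a named constant rather than a literal.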
-diff -urNad postfix-release/src/tlsmgr/Makefile.in /tmp/dpep.cXJuVH/postfix-release/src/tlsmgr/Makefile.in
---- postfix-release/src/tlsmgr/Makefile.in	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/tlsmgr/Makefile.in	2005-02-03 10:22:13.077092896 -0700
-@@ -0,0 +1,94 @@
-+SHELL	= /bin/sh
-+SRCS	= ../global/pfixtls.c tlsmgr.c
-+OBJS	= tlsmgr.o
-+HDRS	=
-+TESTSRC	=
-+WARN	= -W -Wformat -Wimplicit -Wmissing-prototypes \
-+	-Wparentheses -Wstrict-prototypes -Wswitch -Wuninitialized \
-+	-Wunused
-+DEFS	= -I. -I$(INC_DIR) -D$(SYSTYPE)
-+CFLAGS	= $(DEBUG) $(OPT) $(DEFS)
-+TESTPROG= 
-+PROG	= tlsmgr
-+INC_DIR	= ../../include
-+LIBS	= ../../lib/libmaster.a ../../lib/libglobal.a ../../lib/libutil.a ../../lib/pfixtls.o
-+TLSO    = pfixtls.o
-+
-+$(TLSO):;	$(CC) $(CFLAGS) -c ../global/pfixtls.c
-+
-+.c.o:;	$(CC) $(CFLAGS) -c $*.c
-+
-+$(PROG):	$(OBJS) $(LIBS)
-+	$(CC) $(CFLAGS) -o $@ $(OBJS) $(LIBS) $(SYSLIBS)
-+
-+Makefile: Makefile.in
-+	(set -e; echo "# DO NOT EDIT"; $(OPTS) $(SHELL) ../../makedefs; cat $?) >$@
-+
-+test:	$(TESTPROG)
-+
-+update: ../../lib/$(TLSO) ../../libexec/$(PROG)
-+
-+../../lib/$(TLSO): $(TLSO)
-+	cp $(TLSO) ../../lib
-+
-+../../libexec/$(PROG): $(PROG)
-+	cp $(PROG) ../../libexec
-+
-+printfck: $(OBJS) $(PROG)
-+	rm -rf printfck
-+	mkdir printfck
-+	cp *.h printfck
-+	sed '1,/^# do not edit/!d' Makefile >printfck/Makefile
-+	set -e; for i in *.c; do printfck -f .printfck $$i >printfck/$$i; done
-+	cd printfck; make "INC_DIR=../../../../include" `cd ../..; ls *.o`
-+
-+lint:
-+	lint $(DEFS) $(SRCS) $(LINTFIX)
-+
-+clean:
-+	rm -f *.o *core $(PROG) $(TESTPROG) junk pfixtls.c
-+	rm -rf printfck
-+
-+tidy:	clean
-+
-+depend: $(MAKES)
-+	(sed '1,/^# do not edit/!d' Makefile.in; \
-+	set -e; for i in [a-z][a-z0-9]*.c; do \
-+	    $(CC) -E $(DEFS) $(INCL) $$i | sed -n -e '/^# *1 *"\([^"]*\)".*/{' \
-+	    -e 's//'`echo $$i|sed 's/c$$/o/'`': \1/' -e 'p' -e '}'; \
-+	done) | grep -v '[.][o][:][ ][/]' >$$$$ && mv $$$$ Makefile.in
-+	@make -f Makefile.in Makefile
-+
-+# do not edit below this line - it is generated by 'make depend'
-+tlsmgr.o: tlsmgr.c
-+tlsmgr.o: ../../include/sys_defs.h
-+tlsmgr.o: ../../include/msg.h
-+tlsmgr.o: ../../include/events.h
-+tlsmgr.o: ../../include/vstream.h
-+tlsmgr.o: ../../include/vbuf.h
-+tlsmgr.o: ../../include/dict.h
-+tlsmgr.o: ../../include/argv.h
-+tlsmgr.o: ../../include/vstring.h
-+tlsmgr.o: ../../include/stringops.h
-+tlsmgr.o: ../../include/mymalloc.h
-+tlsmgr.o: ../../include/connect.h
-+tlsmgr.o: ../../include/myflock.h
-+tlsmgr.o: ../../include/mail_conf.h
-+tlsmgr.o: ../../include/mail_params.h
-+tlsmgr.o: ../../include/iostuff.h
-+tlsmgr.o: ../../include/master_proto.h
-+tlsmgr.o: ../../include/mail_server.h
-+tlsmgr.o: ../../include/pfixtls.h
-+pfixtls.o: ../global/pfixtls.c
-+pfixtls.o: ../../include/sys_defs.h
-+pfixtls.o: ../../include/iostuff.h
-+pfixtls.o: ../../include/mymalloc.h
-+pfixtls.o: ../../include/vstring.h
-+pfixtls.o: ../../include/vstream.h
-+pfixtls.o: ../../include/dict.h
-+pfixtls.o: ../../include/myflock.h
-+pfixtls.o: ../../include/stringops.h
-+pfixtls.o: ../../include/msg.h
-+pfixtls.o: ../../include/connect.h
-+pfixtls.o: ../../include/mail_params.h
-+pfixtls.o: ../../include/pfixtls.h
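Review bot: the `depend` target only scans `[a-z][a-z0-9]*.c` in the current directory, so the hand-written `pfixtls.o: ../global/pfixtls.c` dependency block below the "do not edit" marker will be thrown away the first time anyone runs `make depend`; either add ../global/pfixtls.c to that loop or generate the pfixtls.o rules separately. Smaller point: `clean` removes a `pfixtls.c` that never exists in this directory, since `$(TLSO)` compiles ../global/pfixtls.c in place, so that name can be dropped from the rm list.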
-diff -urNad postfix-release/src/tlsmgr/tlsmgr.c /tmp/dpep.cXJuVH/postfix-release/src/tlsmgr/tlsmgr.c
---- postfix-release/src/tlsmgr/tlsmgr.c	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/tlsmgr/tlsmgr.c	2005-02-03 10:22:13.078092673 -0700
-@@ -0,0 +1,600 @@
-+#ifdef USE_TLS
-+/*++
-+/* NAME
-+/*	tlsmgr 8
-+/* SUMMARY
-+/*	Postfix TLS session cache and PRNG handling manager
-+/* SYNOPSIS
-+/*	\fBtlsmgr\fR [generic Postfix daemon options]
-+/* DESCRIPTION
-+/*	The tlsmgr process does housekeeping on the session cache database
-+/*	files. It runs through the databases and removes expired entries
-+/*	and entries written by older (incompatible) versions.
-+/*
-+/*	The tlsmgr is responsible for the PRNG handling. The used internal
-+/*	OpenSSL PRNG has a pool size of 8192 bits (= 1024 bytes). The pool
-+/*	is initially seeded at startup from an external source (EGD or
-+/*	/dev/urandom) and additional seed is obtained later during program
-+/*	run at a configurable period. The exact time of seed query is
-+/*	using random information and is equally distributed in the range of
-+/*	[0-\fBtls_random_reseed_period\fR] with a \fBtls_random_reseed_period\fR
-+/*	having a default of 1 hour.
-+/*
-+/*	Tlsmgr can be run chrooted and with dropped privileges, as it will
-+/*	connect to the entropy source at startup.
-+/*
-+/*	The PRNG is additionally seeded internally by the data found in the
-+/*	session cache and timevalues.
-+/*
-+/*	Tlsmgr reads the old value of the exchange file at startup to keep
-+/*	entropy already collected during previous runs.
-+/*
-+/*	From the PRNG random pool a cryptographically strong 1024 byte random
-+/*	sequence is written into the PRNG exchange file. The file is updated
-+/*	periodically with the time changing randomly from
-+/*	[0-\fBtls_random_prng_update_period\fR].
-+/* STANDARDS
-+/* SECURITY
-+/* .ad
-+/* .fi
-+/*	Tlsmgr is not security-sensitive. It only deals with external data
-+/*	to be fed into the PRNG, the contents is never trusted. The session
-+/*	cache housekeeping will only remove entries if expired and will never
-+/*	touch the contents of the cached data.
-+/* DIAGNOSTICS
-+/*	Problems and transactions are logged to the syslog daemon.
-+/* BUGS
-+/*	There is no automatic means to limit the number of entries in the
-+/*	session caches and/or the size of the session cache files.
-+/* CONFIGURATION PARAMETERS
-+/* .ad
-+/* .fi
-+/*	The following \fBmain.cf\fR parameters are especially relevant to
-+/*	this program. See the Postfix \fBmain.cf\fR file for syntax details
-+/*	and for default values. Use the \fBpostfix reload\fR command after
-+/*	a configuration change.
-+/* .SH Session Cache
-+/* .ad
-+/* .fi
-+/* .IP \fBsmtpd_tls_session_cache_database\fR
-+/*	Name of the SDBM file (type sdbm:) containing the SMTP server session
-+/*	cache. If the file does not exist, it is created.
-+/* .IP \fBsmtpd_tls_session_cache_timeout\fR
-+/*	Expiry time of SMTP server session cache entries in seconds. Entries
-+/*	older than this are removed from the session cache. A cleanup-run is
-+/*	performed periodically every \fBsmtpd_tls_session_cache_timeout\fR
-+/*	seconds. Default is 3600 (= 1 hour).
-+/* .IP \fBsmtp_tls_session_cache_database\fR
-+/*	Name of the SDBM file (type sdbm:) containing the SMTP client session
-+/*	cache. If the file does not exist, it is created.
-+/* .IP \fBsmtp_tls_session_cache_timeout\fR
-+/*	Expiry time of SMTP client session cache entries in seconds. Entries
-+/*	older than this are removed from the session cache. A cleanup-run is
-+/*	performed periodically every \fBsmtp_tls_session_cache_timeout\fR
-+/*	seconds. Default is 3600 (= 1 hour).
-+/* .SH Pseudo Random Number Generator
-+/* .ad
-+/* .fi
-+/* .IP \fBtls_random_source\fR
-+/*	Name of the EGD socket or device or regular file to obtain entropy
-+/*	from. The type of entropy source must be specified by preceding the
-+/*      name with the appropriate type: egd:/path/to/egd_socket,
-+/*      dev:/path/to/devicefile, or /path/to/regular/file.
-+/*	tlsmgr opens \fBtls_random_source\fR and tries to read
-+/*	\fBtls_random_bytes\fR from it.
-+/* .IP \fBtls_random_bytes\fR
-+/*	Number of bytes to be read from \fBtls_random_source\fR.
-+/*	Default value is 32 bytes. If using EGD, a maximum of 255 bytes is read.
-+/* .IP \fBtls_random_exchange_name\fR
-+/*	Name of the file written by tlsmgr and read by smtp and smtpd at
-+/*	startup. The length is 1024 bytes. Default value is
-+/*	/etc/postfix/prng_exch.
-+/* .IP \fBtls_random_reseed_period\fR
-+/*	Time in seconds until the next reseed from external sources is due.
-+/*	This is the maximum value. The actual point in time is calculated
-+/*	with a random factor equally distributed between 0 and this maximum
-+/*	value. Default is 3600 (= 60 minutes).
-+/* .IP \fBtls_random_prng_update_period\fR
-+/*	Time in seconds until the PRNG exchange file is updated with new
-+/*	pseude random values. This is the maximum value. The actual point
-+/*	in time is calculated with a random factor equally distributed
-+/*	between 0 and this maximum value. Default is 60 (= 1 minute).
-+/* SEE ALSO
-+/*	smtp(8) SMTP client
-+/*	smtpd(8) SMTP server
-+/* LICENSE
-+/* .ad
-+/* .fi
-+/*	The Secure Mailer license must be distributed with this software.
-+/* AUTHOR(S)
-+/*--*/
-+
-+/* System library. */
-+
-+#include <sys_defs.h>
-+#include <stdlib.h>
-+#include <unistd.h>
-+#include <ctype.h>
-+#include <errno.h>
-+#include <string.h>
-+#include <sys/time.h>			/* gettimeofday, not POSIX */
-+
-+/* OpenSSL library. */
-+#ifdef USE_SSL
-+#include <openssl/rand.h>		/* For the PRNG */
-+#endif
-+
-+/* Utility library. */
-+
-+#include <msg.h>
-+#include <events.h>
-+#include <dict.h>
-+#include <stringops.h>
-+#include <mymalloc.h>
-+#include <connect.h>
-+#include <myflock.h>
-+
-+/* Global library. */
-+
-+#include <mail_conf.h>
-+#include <mail_params.h>
-+#include <pfixtls.h>
-+
-+/* Master process interface */
-+
-+#include <master_proto.h>
-+#include <mail_server.h>
-+
-+/* Application-specific. */
-+
-+#ifdef USE_SSL
-+ /*
-+  * Tunables.
-+  */
-+char   *var_tls_rand_source;
-+int	var_tls_rand_bytes;
-+int	var_tls_reseed_period;
-+int	var_tls_prng_upd_period;
-+
-+static int rand_exch_fd;
-+static int rand_source_dev_fd = -1;
-+static int rand_source_socket_fd = -1;
-+static int srvr_scache_db_active;
-+static int clnt_scache_db_active;
-+static DICT *srvr_scache_db = NULL;
-+static DICT *clnt_scache_db = NULL;
-+
-+static void tlsmgr_prng_upd_event(int unused_event, char *dummy)
-+{
-+    struct timeval tv;
-+    unsigned char buffer[1024];
-+    int next_period;
-+
-+    /*
-+     * It is time to update the PRNG exchange file. Since other processes might
-+     * have added entropy, we do this in a read_stir-back_write cycle.
-+     */
-+    GETTIMEOFDAY(&tv);
-+    RAND_seed(&tv, sizeof(struct timeval));
-+
-+    if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) != 0)
-+	msg_fatal("Could not lock random exchange file: %s",
-+		  strerror(errno));
-+
-+    lseek(rand_exch_fd, 0, SEEK_SET);
-+    if (read(rand_exch_fd, buffer, 1024) < 0)
-+	msg_fatal("reading exchange file failed");
-+    RAND_seed(buffer, 1024);
-+
-+    RAND_bytes(buffer, 1024);
-+    lseek(rand_exch_fd, 0, SEEK_SET);
-+    if (write(rand_exch_fd, buffer, 1024) != 1024)
-+	msg_fatal("Writing exchange file failed");
-+
-+    if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) != 0)
-+	msg_fatal("Could not unlock random exchange file: %s",
-+		  strerror(errno));
-+
-+    /*
-+     * Make prediction difficult for outsiders and calculate the time for the
-+     * next execution randomly.
-+     */
-+    next_period = (var_tls_prng_upd_period * buffer[0]) / 255;
-+    event_request_timer(tlsmgr_prng_upd_event, dummy, next_period);
-+}
-+
-+
-+static void tlsmgr_reseed_event(int unused_event, char *dummy)
-+{
-+    int egd_success;
-+    int next_period;
-+    int rand_bytes;
-+    char buffer[255];
-+    struct timeval tv;
-+    unsigned char randbyte;
-+
-+    /*
-+     * It is time to reseed the PRNG.
-+     */
-+
-+    GETTIMEOFDAY(&tv);
-+    RAND_seed(&tv, sizeof(struct timeval));
-+    if (rand_source_dev_fd != -1) {
-+	rand_bytes = read(rand_source_dev_fd, buffer, var_tls_rand_bytes);
-+	if (rand_bytes > 0)
-+	    RAND_seed(buffer, rand_bytes);
-+	else if (rand_bytes < 0) {
-+	    msg_fatal("Read from entropy device %s failed",
-+		      var_tls_rand_source);
-+	}
-+    } else if (rand_source_socket_fd != -1) {
-+	egd_success = 0;
-+	buffer[0] = 1;
-+	buffer[1] = var_tls_rand_bytes;
-+	if (write(rand_source_socket_fd, buffer, 2) != 2)
-+	    msg_info("Could not talk to %s", var_tls_rand_source);
-+	else if (read(rand_source_socket_fd, buffer, 1) != 1)
-+	    msg_info("Could not read info from %s", var_tls_rand_source);
-+	else {
-+	    rand_bytes = buffer[0];
-+	    if (read(rand_source_socket_fd, buffer, rand_bytes) != rand_bytes)
-+		msg_info("Could not read data from %s", var_tls_rand_source);
-+	    else {
-+		egd_success = 1;
-+		RAND_seed(buffer, rand_bytes);
-+	    }
-+	}
-+	if (!egd_success) {
-+	    msg_info("Lost connection to EGD-device, exiting to reconnect.");
-+	    exit(0);
-+	}
-+    } else if (*var_tls_rand_source) {
-+	rand_bytes = RAND_load_file(var_tls_rand_source, var_tls_rand_bytes);
-+    }
-+
-+    /*
-+     * Make prediction difficult for outsiders and calculate the time for the
-+     * next execution randomly.
-+     */
-+    RAND_bytes(&randbyte, 1);
-+    next_period = (var_tls_reseed_period * randbyte) / 255;
-+    event_request_timer(tlsmgr_reseed_event, dummy, next_period);
-+}
-+
-+
-+static int tlsmgr_do_scache_check(DICT *scache_db, int scache_timeout,
-+				  int start)
-+{
-+    int func;
-+    int len;
-+    int n;
-+    int delete = 0;
-+    int result;
-+    struct timeval tv;
-+    const char *member;
-+    const char *value;
-+    char *member_copy;
-+    unsigned char nibble, *data;
-+    pfixtls_scache_info_t scache_info;
-+
-+    GETTIMEOFDAY(&tv);
-+    RAND_seed(&tv, sizeof(struct timeval));
-+
-+    /*
-+     * Run through the given dictionary and check the stored sessions.
-+     * If "start" is set to 1, a new run is initiated, otherwise the next
-+     * item is accessed. The state is internally kept in the DICT.
-+     */
-+    if (start)
-+	func = DICT_SEQ_FUN_FIRST;
-+    else
-+	func = DICT_SEQ_FUN_NEXT;
-+    result = dict_seq(scache_db, func, &member, &value);
-+
-+    if (result > 0)
-+	return 0;	/* End of list reached */
-+    else if (result < 0)
-+	msg_fatal("Database fault, should already be caught.");
-+    else {
-+	member_copy = mystrdup(member);
-+	len = strlen(value);
-+	RAND_seed(value, len);		/* Use it to increase entropy */
-+	if (len < 2 * sizeof(pfixtls_scache_info_t))
-+	    delete = 1;		/* Messed up, delete */
-+	else if (len > 2 * sizeof(pfixtls_scache_info_t))
-+	    len = 2 * sizeof(pfixtls_scache_info_t);
-+	if (!delete) {
-+	    data = (unsigned char *)(&scache_info);
-+	    memset(data, 0, len / 2);
-+	    for (n = 0; n < len; n++) {
-+            if ((value[n] >= '0') && (value[n] <= '9'))
-+                nibble = value[n] - '0';
-+            else
-+                nibble = value[n] - 'A' + 10;
-+            if (n % 2)
-+                data[n / 2] |= nibble;
-+            else
-+                data[n / 2] |= (nibble << 4);
-+        }
-+
-+        if ((scache_info.scache_db_version != scache_db_version) ||
-+            (scache_info.openssl_version != openssl_version) ||
-+            (scache_info.timestamp + scache_timeout < time(NULL)))
-+	    delete = 1;
-+	}
-+	if (delete)
-+	    result = dict_del(scache_db, member_copy);
-+	myfree(member_copy);
-+    }
-+
-+    if (delete && result)
-+	msg_info("Could not delete %s", member);
-+    return 1;
-+
-+}
-+
-+static void tlsmgr_clnt_cache_run_event(int unused_event, char *dummy)
-+{
-+
-+    /*
-+     * This routine runs when it is time for another tls session cache scan.
-+     * Make sure this routine gets called again in the future.
-+     */
-+    clnt_scache_db_active = tlsmgr_do_scache_check(clnt_scache_db, 
-+				var_smtp_tls_scache_timeout, 1);
-+    event_request_timer(tlsmgr_clnt_cache_run_event, dummy,
-+		 var_smtp_tls_scache_timeout);
-+}
-+
-+
-+static void tlsmgr_srvr_cache_run_event(int unused_event, char *dummy)
-+{
-+
-+    /*
-+     * This routine runs when it is time for another tls session cache scan.
-+     * Make sure this routine gets called again in the future.
-+     */
-+    srvr_scache_db_active = tlsmgr_do_scache_check(srvr_scache_db,
-+				var_smtpd_tls_scache_timeout, 1);
-+    event_request_timer(tlsmgr_srvr_cache_run_event, dummy,
-+		 var_smtpd_tls_scache_timeout);
-+}
-+
-+
-+static DICT *tlsmgr_cache_open(const char *dbname)
-+{
-+    DICT *retval;
-+    char *dbpagname;
-+    char *dbdirname;
-+
-+    /*
-+     * First, try to find out the real name of the database file, so that
-+     * it can be removed.
-+     */
-+    if (!strncmp(dbname, "sdbm:", 5)) {
-+	dbpagname = concatenate(dbname + 5, ".pag", NULL);
-+	REMOVE(dbpagname);
-+	myfree(dbpagname);
-+	dbdirname = concatenate(dbname + 5, ".dir", NULL);
-+	REMOVE(dbdirname);
-+	myfree(dbdirname);
-+    }
-+    else {
-+	msg_warn("Only type sdbm: supported: %s", dbname);
-+	return NULL;
-+    }
-+
-+    /*
-+     * Now open the dictionary. Do it with O_EXCL, so that we only open a
-+     * fresh file. If we cannot open it with a fresh file, then we won't
-+     * touch it.
-+     */
-+    retval = dict_open(dbname, O_RDWR | O_CREAT | O_EXCL,
-+	      DICT_FLAG_DUP_REPLACE | DICT_FLAG_LOCK | DICT_FLAG_SYNC_UPDATE);
-+    if (!retval)
-+	msg_warn("Could not create dictionary %s", dbname);
-+    return retval;
-+}
-+
-+/* tlsmgr_trigger_event - respond to external trigger(s) */
-+
-+static void tlsmgr_trigger_event(char *buf, int len,
-+			               char *unused_service, char **argv)
-+{
-+    /*
-+     * Sanity check. This service takes no command-line arguments.
-+     */
-+    if (argv[0])
-+	msg_fatal("unexpected command-line argument: %s", argv[0]);
-+
-+}
-+
-+/* tlsmgr_loop - queue manager main loop */
-+
-+static int tlsmgr_loop(char *unused_name, char **unused_argv)
-+{
-+    /*
-+     * This routine runs as part of the event handling loop, after the event
-+     * manager has delivered a timer or I/O event (including the completion
-+     * of a connection to a delivery process), or after it has waited for a
-+     * specified amount of time. The result value of qmgr_loop() specifies
-+     * how long the event manager should wait for the next event.
-+     */
-+#define DONT_WAIT	0
-+#define WAIT_FOR_EVENT	(-1)
-+
-+    if (clnt_scache_db_active)
-+	clnt_scache_db_active = tlsmgr_do_scache_check(clnt_scache_db,
-+					var_smtp_tls_scache_timeout, 0);
-+    if (srvr_scache_db_active)
-+	srvr_scache_db_active = tlsmgr_do_scache_check(srvr_scache_db,
-+					var_smtpd_tls_scache_timeout, 0);
-+    if (clnt_scache_db_active || srvr_scache_db_active)
-+	return (DONT_WAIT);
-+    return (WAIT_FOR_EVENT);
-+}
-+
-+/* pre_accept - see if tables have changed */
-+
-+static void pre_accept(char *unused_name, char **unused_argv)
-+{
-+    if (dict_changed()) {
-+	msg_info("table has changed -- exiting");
-+	exit(0);
-+    }
-+}
-+
-+/* tlsmgr_pre_init - pre-jail initialization */
-+
-+static void tlsmgr_pre_init(char *unused_name, char **unused_argv)
-+{
-+    int rand_bytes;
-+    unsigned char buffer[255];
-+
-+    /*
-+     * Access the external sources for random seed. We may not be able to
-+     * access them again if we are sent to chroot jail, so we must leave
-+     * dev: and egd: type sources open.
-+     */
-+    if (*var_tls_rand_source) {
-+        if (!strncmp(var_tls_rand_source, "dev:", 4)) {
-+	    /*
-+	     * Source is a random device
-+	     */
-+	    rand_source_dev_fd = open(var_tls_rand_source + 4, 0, 0);
-+	    if (rand_source_dev_fd == -1) 
-+		msg_fatal("Could not open entropy device %s",
-+			  var_tls_rand_source);
-+	    if (var_tls_rand_bytes > 255)
-+		var_tls_rand_bytes = 255;
-+	    rand_bytes = read(rand_source_dev_fd, buffer, var_tls_rand_bytes);
-+	    RAND_seed(buffer, rand_bytes);
-+	} else if (!strncmp(var_tls_rand_source, "egd:", 4)) {
-+	    /*
-+	     * Source is a EGD compatible socket
-+	     */
-+	    rand_source_socket_fd = unix_connect(var_tls_rand_source +4,
-+						 BLOCKING, 10);
-+	    if (rand_source_socket_fd == -1)
-+		msg_fatal("Could not connect to %s", var_tls_rand_source);
-+	    if (var_tls_rand_bytes > 255)
-+		var_tls_rand_bytes = 255;
-+	    buffer[0] = 1;
-+	    buffer[1] = var_tls_rand_bytes;
-+	    if (write(rand_source_socket_fd, buffer, 2) != 2)
-+		msg_fatal("Could not talk to %s", var_tls_rand_source);
-+	    if (read(rand_source_socket_fd, buffer, 1) != 1)
-+		msg_fatal("Could not read info from %s", var_tls_rand_source);
-+	    rand_bytes = buffer[0];
-+	    if (read(rand_source_socket_fd, buffer, rand_bytes) != rand_bytes)
-+		msg_fatal("Could not read data from %s", var_tls_rand_source);
-+	    RAND_seed(buffer, rand_bytes);
-+	} else {
-+	    rand_bytes = RAND_load_file(var_tls_rand_source,
-+					var_tls_rand_bytes);
-+	}
-+    }
-+
-+    /*
-+     * Now open the PRNG exchange file
-+     */
-+    if (*var_tls_rand_exch_name) {
-+	rand_exch_fd = open(var_tls_rand_exch_name, O_RDWR | O_CREAT, 0600);
-+    }
-+
-+    /*
-+     * Finally, open the session cache files. Remove old files, if still there.
-+     * If we could not remove the old files, something is pretty wrong and we
-+     * won't touch it!!
-+     */
-+    if (*var_smtp_tls_scache_db)
-+	clnt_scache_db = tlsmgr_cache_open(var_smtp_tls_scache_db);
-+    if (*var_smtpd_tls_scache_db)
-+	srvr_scache_db = tlsmgr_cache_open(var_smtpd_tls_scache_db);
-+}
-+
-+/* qmgr_post_init - post-jail initialization */
-+
-+static void tlsmgr_post_init(char *unused_name, char **unused_argv)
-+{
-+    unsigned char buffer[1024];
-+
-+    /*
-+     * This routine runs after the skeleton code has entered the chroot jail.
-+     * Prevent automatic process suicide after a limited number of client
-+     * requests or after a limited amount of idle time.
-+     */
-+    var_use_limit = 0;
-+    var_idle_limit = 0;
-+
-+    /*
-+     * Complete thie initialization by reading the additional seed from the
-+     * PRNG exchange file. Don't care how many bytes were actually read, just
-+     * seed buffer into the PRNG, regardless of its contents.
-+     */
-+    if (rand_exch_fd >= 0) {
-+	if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_SHARED) == -1)
-+	    msg_fatal("Could not lock random exchange file: %s",
-+		      strerror(errno));
-+	read(rand_exch_fd, buffer, 1024);
-+	if (myflock(rand_exch_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) == -1)
-+	    msg_fatal("Could not unlock random exchange file: %s",
-+		      strerror(errno));
-+	RAND_seed(buffer, 1024);
-+	tlsmgr_prng_upd_event(0, (char *) 0);
-+	tlsmgr_reseed_event(0, (char *) 0);
-+    }
-+
-+    clnt_scache_db_active = 0;
-+    srvr_scache_db_active = 0;
-+    if (clnt_scache_db)
-+	tlsmgr_clnt_cache_run_event(0, (char *) 0);
-+    if (srvr_scache_db)
-+	tlsmgr_srvr_cache_run_event(0, (char *) 0);
-+}
-+
-+
-+/* main - the main program */
-+
-+int     main(int argc, char **argv)
-+{
-+    static CONFIG_STR_TABLE str_table[] = {
-+	VAR_TLS_RAND_SOURCE, DEF_TLS_RAND_SOURCE, &var_tls_rand_source, 0, 0,
-+	0,
-+    };
-+    static CONFIG_TIME_TABLE time_table[] = {
-+	VAR_TLS_RESEED_PERIOD, DEF_TLS_RESEED_PERIOD, &var_tls_reseed_period, 0, 0,
-+	VAR_TLS_PRNG_UPD_PERIOD, DEF_TLS_PRNG_UPD_PERIOD, &var_tls_prng_upd_period, 0, 0,
-+	0,
-+    };
-+    static CONFIG_INT_TABLE int_table[] = {
-+	VAR_TLS_RAND_BYTES, DEF_TLS_RAND_BYTES, &var_tls_rand_bytes, 0, 0,
-+	0,
-+    };
-+
-+    /*
-+     * Use the trigger service skeleton, because no-one else should be
-+     * monitoring our service port while this process runs, and because we do
-+     * not talk back to the client.
-+     */
-+    trigger_server_main(argc, argv, tlsmgr_trigger_event,
-+			MAIL_SERVER_TIME_TABLE, time_table,
-+			MAIL_SERVER_INT_TABLE, int_table,
-+			MAIL_SERVER_STR_TABLE, str_table,
-+			MAIL_SERVER_PRE_INIT, tlsmgr_pre_init,
-+			MAIL_SERVER_POST_INIT, tlsmgr_post_init,
-+			MAIL_SERVER_LOOP, tlsmgr_loop,
-+			MAIL_SERVER_PRE_ACCEPT, pre_accept,
-+			0);
-+    trigger_server_main(argc, argv, tlsmgr_trigger_event,
-+			MAIL_SERVER_PRE_INIT, tlsmgr_pre_init,
-+			0);
-+}
-+
-+#else
-+int     main(int argc, char **argv)
-+{
-+    msg_fatal("Do not run tlsmgr with TLS support compiled in\n");
-+}
-+#endif
-+#endif
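Review bot: rand_exch_fd is a static int, so it starts at 0, and tlsmgr_pre_init only assigns it inside `if (*var_tls_rand_exch_name)` without checking the open() result; with an empty exchange name tlsmgr_post_init's `if (rand_exch_fd >= 0)` then locks, reads and overwrites whatever file descriptor 0 happens to be, and a failed open() (-1) is skipped with no log line at all. Initialise it to -1 and msg_fatal, or at least msg_warn, when open() fails. Further points in the same file: in tlsmgr_reseed_event `buffer` is a plain `char` array, so the EGD byte count taken by `rand_bytes = buffer[0]` goes negative for counts above 127 and the following read() gets a negative length (tlsmgr_pre_init correctly uses `unsigned char buffer[255]` for the very same exchange); the RAND_bytes() return values in tlsmgr_prng_upd_event and tlsmgr_reseed_event are ignored, so a PRNG that reports itself unseeded is still used to write the 1024-byte exchange file that every smtp and smtpd process seeds from, and the RAND_load_file() results assigned to rand_bytes are never looked at either; main() calls trigger_server_main() a second time after the first call, which is unreachable and should go; and the `#else` branch's message "Do not run tlsmgr with TLS support compiled in" is inverted, because that branch is compiled precisely when USE_SSL is not defined. Finally, since the exchange file is seed material for the TLS PRNG of all mail processes, the SECURITY section's "Tlsmgr is not security-sensitive" undersells it: the 0600 mode passed to open() is the right choice, and the comment should say that the file must stay unreadable to other users for that reason.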
-diff -urNad postfix-release/src/util/dict_cidr.c /tmp/dpep.cXJuVH/postfix-release/src/util/dict_cidr.c
---- postfix-release/src/util/dict_cidr.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/util/dict_cidr.c	2005-02-03 10:22:13.079092450 -0700
-@@ -27,6 +27,13 @@
- /*	IBM T.J. Watson Research
- /*	P.O. Box 704
- /*	Yorktown Heights, NY 10598, USA
-+/*
-+/*	Dean C. Strik
-+/*	Department ICT Services
-+/*	Eindhoven University of Technology
-+/*	P.O. Box 513
-+/*	5600 MB  Eindhoven, Netherlands
-+/*	E-mail: <dean at ipnet6.org>
- /*--*/
- 
- /* System library. */
-@@ -39,6 +46,11 @@
- #include <netinet/in.h>
- #include <arpa/inet.h>
- 
-+#include <errno.h>
-+#include <sys/types.h>
-+#include <sys/socket.h>
-+#include <netdb.h>
-+
- #ifndef INADDR_NONE
- #define INADDR_NONE 0xffffffff
- #endif
-@@ -53,17 +65,15 @@
- #include <readlline.h>
- #include <dict.h>
- #include <dict_cidr.h>
--#include <split_at.h>
-+#include <match_ops.h>
- 
- /* Application-specific. */
- 
-  /*
-   * Each rule in a CIDR table is parsed and stored in a linked list.
--  * Obviously all this is IPV4 specific and needs to be redone for IPV6.
-   */
- typedef struct DICT_CIDR_ENTRY {
--    unsigned long net_bits;		/* network portion of address */
--    unsigned long mask_bits;		/* network mask */
-+    ADDR_PATTERN *pattern;		/* address pattern structure */
-     char   *value;			/* lookup result */
-     struct DICT_CIDR_ENTRY *next;	/* next entry */
- } DICT_CIDR_ENTRY;
-@@ -73,27 +83,72 @@
-     DICT_CIDR_ENTRY *head;		/* first entry */
- } DICT_CIDR;
- 
--#define BITS_PER_ADDR   32
-+#define BITS_PER_ADDR_V4   32
-+#define BITS_PER_ADDR_V6   128
- 
- /* dict_cidr_lookup - CIDR table lookup */
- 
- static const char *dict_cidr_lookup(DICT *dict, const char *key)
- {
-+    char   *myname = "dict_cidr_lookup";
-+
-     DICT_CIDR *dict_cidr = (DICT_CIDR *) dict;
-     DICT_CIDR_ENTRY *entry;
--    unsigned long addr;
-+#ifdef INET6
-+    struct addrinfo hints, *res0;
-+    int     aierr;
-+#else
-+    struct sockaddr_in sin;
-+#endif
- 
-     if (msg_verbose)
--	msg_info("dict_cidr_lookup: %s: %s", dict_cidr->dict.name, key);
-+	msg_info("%s: %s: %s", myname, dict_cidr->dict.name, key);
- 
--    if ((addr = inet_addr(key)) == INADDR_NONE)
-+#ifdef INET6
-+    memset(&hints, 0, sizeof(hints));
-+    hints.ai_family = PF_UNSPEC;
-+    hints.ai_socktype = SOCK_STREAM;
-+    hints.ai_flags = AI_NUMERICHOST;
-+    /*
-+     * Since access maps call the CIDR map first with the
-+     * hostname and only then with the addresses, we just
-+     * return 0 when an entry isn't numeric, as expressed
-+     * by the EAI_NONAME error.
-+     */
-+    aierr = getaddrinfo(key, NULL, &hints, &res0);
-+    if (aierr == EAI_NONAME) {
-+	if (msg_verbose)
-+	    msg_info("%s: non-address key \"%s\"",
-+		     myname, key);
- 	return (0);
--
-+    }
-+    if (aierr != 0)
-+	msg_fatal("%s: getaddrinfo(%s): %s",
-+		  myname, key, GAI_STRERROR(aierr));
-     for (entry = dict_cidr->head; entry; entry = entry->next)
--	if ((addr & entry->mask_bits) == entry->net_bits)
-+	if (match_sockaddr(res0->ai_addr,
-+			   entry->pattern->addr,
-+			   entry->pattern->masklen)) {
-+	    freeaddrinfo(res0);
- 	    return (entry->value);
-+	}
-+    freeaddrinfo(res0);
-+    return (0);
-+
-+#else /* INET6 */
- 
-+    memset(&sin, 0, sizeof(sin));
-+    sin.sin_family = AF_INET;
-+    sin.sin_addr.s_addr = inet_addr(key);
-+    if (sin.sin_addr.s_addr == INADDR_NONE)
-+	return (0);
-+    for (entry = dict_cidr->head; entry; entry = entry->next)
-+	if (match_sockaddr((struct sockaddr *)&sin, entry->pattern->addr,
-+			   entry->pattern->masklen))
-+	    return (entry->value);
-     return (0);
-+
-+#endif
- }
- 
- /* dict_cidr_close - close the CIDR table */
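Review bot: in the INET6 branch only EAI_NONAME is tolerated; every other getaddrinfo() failure goes to `msg_fatal("%s: getaddrinfo(%s): %s", myname, key, GAI_STRERROR(aierr))`, which turns an odd-looking lookup key (the key comes from whichever process is querying the table, including smtpd access checks on client-supplied data) into the death of that process. A failed parse of the key should be a msg_warn plus `return (0)`, matching how the non-INET6 branch treats INADDR_NONE. Minor: `char *myname` should be `const char *myname`, as it only ever points at a string literal.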
-@@ -106,6 +161,7 @@
- 
-     for (entry = dict_cidr->head; entry; entry = next) {
- 	next = entry->next;
-+	addr_pattern_free(entry->pattern);
- 	myfree(entry->value);
- 	myfree((char *) entry);
-     }
-@@ -120,11 +176,9 @@
-     DICT_CIDR_ENTRY *rule;
-     char   *key;
-     char   *value;
--    char   *mask;
--    int     mask_shift;
--    unsigned long net_bits;
--    unsigned long mask_bits;
--    struct in_addr net_addr;
-+    ADDR_PATTERN *pattern;
-+    VSTRING *lookup_err;
-+    int    lookup_res;
- 
-     /*
-      * Split the rule into key and value. We already eliminated leading
-@@ -152,53 +206,35 @@
-     }
- 
-     /*
--     * Parse the key into network and mask, and destroy the key. Treat a bare
--     * network address as /32.
--     * 
--     * We need explicit code for /0. The result of << is undefined when the
--     * shift is greater or equal to the number of bits in the shifted
--     * operand.
-+     * We rewrite the key to standard notation, and check the validity of
-+     * the pattern.
-+     * We cannot use MATCH_FLAG_STRICT_ADDR since access checks try not only
-+     * the numerical address but the resolved hostname as well.
-      */
--    if ((mask = split_at(key, '/')) != 0) {
--	if (!alldig(mask) || (mask_shift = atoi(mask)) > BITS_PER_ADDR
--	    || (net_bits = inet_addr(key)) == INADDR_NONE) {
--	    msg_warn("cidr map %s, line %d: bad net/mask pattern: \"%s/%s\": "
--		     "skipping this rule", mapname, lineno, key, mask);
--	    return (0);
--	}
--	mask_bits = mask_shift > 0 ?
--	    htonl((0xffffffff) << (BITS_PER_ADDR - mask_shift)) : 0;
--	if (net_bits & ~mask_bits) {
--	    net_addr.s_addr = (net_bits & mask_bits);
--	    msg_warn("cidr map %s, line %d: net/mask pattern \"%s/%s\" with "
--		     "non-null host portion: skipping this rule",
--		     mapname, lineno, key, mask);
--	    msg_warn("specify \"%s/%d\" if this is really what you want",
--		     inet_ntoa(net_addr), mask_shift);
--	    return (0);
--	}
--    } else {
--	if ((net_bits = inet_addr(key)) == INADDR_NONE) {
--	    msg_warn("cidr map %s, line %d: bad address pattern: \"%s\": "
--		     "skipping this rule", mapname, lineno, key);
--	    return (0);
--	}
--	mask_shift = 32;
--	mask_bits = htonl(0xffffffff);
-+    lookup_err = vstring_alloc(100);
-+    lookup_res = std_addr_pattern(MATCH_FLAG_NOLOOKUP |
-+				  MATCH_FLAG_NONNULL_HOST,
-+				  key, &pattern, lookup_err);
-+    if (pattern == NULL) {
-+	if (lookup_res == 0 && VSTRING_LEN(lookup_err) != 0)
-+	    msg_warn("cidr map %s, line %d: %s: skipping this rule",
-+		     mapname, lineno, vstring_str(lookup_err));
-+	vstring_free(lookup_err);
-+	return (0);
-     }
-+    vstring_free(lookup_err);
- 
-     /*
-      * Bundle up the result.
-      */
-     rule = (DICT_CIDR_ENTRY *) mymalloc(sizeof(DICT_CIDR_ENTRY));
--    rule->net_bits = net_bits;
--    rule->mask_bits = mask_bits;
-+    rule->pattern = pattern;
-     rule->value = mystrdup(value);
-     rule->next = 0;
- 
-     if (msg_verbose)
--	msg_info("dict_cidr_open: %s: %lu/%d %s",
--		 mapname, rule->net_bits, mask_shift, rule->value);
-+	msg_info("dict_cidr_open: %s: %s/%d %s",
-+		 mapname, pattern->pattern, pattern->masklen, rule->value);
- 
-     return (rule);
- }
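Review bot: a rule whose pattern fails to parse can be dropped silently: the warning guarded by `if (lookup_res == 0 && VSTRING_LEN(lookup_err) != 0)` is skipped whenever std_addr_pattern() returns non-zero or leaves lookup_err empty, yet the function still returns 0 and the rule vanishes from the map. For an access table a vanished reject rule fails open, so warn (or msg_fatal, as for any other unusable map line) on every `pattern == NULL` outcome and say which of the two conditions applied. Also initialise `pattern` to 0 before the call unless std_addr_pattern() is documented to set `*pattern` on every error path; otherwise `if (pattern == NULL)` reads an indeterminate pointer from the uninitialised local declared at the top of the function.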
-diff -urNad postfix-release/src/util/get_port.c /tmp/dpep.cXJuVH/postfix-release/src/util/get_port.c
---- postfix-release/src/util/get_port.c	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/util/get_port.c	2005-02-03 10:22:13.079092450 -0700
-@@ -0,0 +1,65 @@
-+/*++
-+/* NAME
-+/*	get_port 3
-+/* SUMMARY
-+/*	trivial host and port extracter
-+/* SYNOPSIS
-+/*	#include <get_port.h>
-+/*
-+/*	char	*get_port(data)
-+/*	char	*data;
-+/*
-+/* DESCRIPTION
-+/* 	get_port() extract host name or ip address from
-+/* 	strings such as [3ffe:902:12::10]:25, [::1]
-+/* 	or 192.168.0.1:25, and null-terminates the
-+/* 	\fIdata\fR at the first occurrence of port separator.
-+/* DIAGNOSTICS
-+/* 	If port not found return null pointer.
-+/* LICENSE
-+/* .ad
-+/* .fi
-+/*	BSD Style (or BSD like) license.
-+/* AUTHOR(S)
-+/*	Arkadiusz Mi¶kiewicz <misiek at pld.org.pl>
-+/*	Wroclaw, POLAND
-+/*--*/
-+
-+/* System libraries */
-+
-+#include <sys_defs.h>
-+#include <string.h>
-+
-+/* Utility library. */
-+
-+#include "get_port.h"
-+
-+/* get_port - extract port number from string */
-+
-+char *get_port(char *data)
-+{
-+	const char *escl=strchr(data,'[');
-+	const char *sepl=strchr(data,':');
-+	char *escr=strrchr(data,']');
-+	char *sepr=strrchr(data,':');
-+
-+	/* extract from "[address]:port" or "[address]"*/
-+	if (escl && escr)
-+	{
-+		memmove(data, data + 1, strlen(data) - strlen(escr));
-+		data[strlen(data) - strlen(escr) - 1] = 0;
-+		*escr++ = 0;
-+		if (*escr == ':')
-+			escr++;
-+		return (*escr ? escr : NULL);
-+	}
-+	/* extract from "address:port" or "address" */
-+	if ((sepl == sepr) && sepr && sepl)
-+	{
-+		*sepr++ = 0;
-+		return sepr;
-+	}
-+
-+	/* return empty string */
-+	return NULL;
-+}
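Review bot: get_port() writes before the buffer when `]` precedes `[`: for the input `]x[` both escl and escr are found, `strlen(data) - strlen(escr)` is 0, and the next statement stores `data[-1] = 0`. The bracket branch should require `escl == data` and `escr > escl`, and should also check that what follows `]` is empty or `:` (at present `[::1]x` returns "x" as the port). Input here comes from configuration rather than the network, so this is a robustness rather than an exposure issue, but it still needs the check. A documentation point: the header comment says the function "null-terminates the data at the first occurrence of port separator", while the bracket branch additionally shifts the address one byte left in place, so a caller that keeps a pointer into `data` across the call gets a stale view; state that the buffer is rewritten.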
-diff -urNad postfix-release/src/util/get_port.h /tmp/dpep.cXJuVH/postfix-release/src/util/get_port.h
---- postfix-release/src/util/get_port.h	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/util/get_port.h	2005-02-03 10:22:13.079092450 -0700
-@@ -0,0 +1,28 @@
-+#ifndef _GET_PORT_H_INCLUDED_
-+#define _GET_PORT_H_INCLUDED_
-+
-+/*++
-+/* NAME
-+/*	get_port 3h
-+/* SUMMARY
-+/*	trivial host and port extracter
-+/* SYNOPSIS
-+/*	#include <get_port.h>
-+/* DESCRIPTION
-+/* .nf
-+
-+ /* External interface. */
-+
-+extern char *get_port(char *);
-+
-+
-+/* LICENSE
-+/* .ad
-+/* .fi
-+/*	BSD Style (or BSD like) license.
-+/* AUTHOR(S)
-+/*	Arkadiusz Mi¶kiewicz <misiek at pld.org.pl>
-+/*	Wroclaw, POLAND
-+/*--*/
-+
-+#endif
-diff -urNad postfix-release/src/util/inet_addr_host.c /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_host.c
---- postfix-release/src/util/inet_addr_host.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_host.c	2005-02-03 10:22:13.080092227 -0700
-@@ -38,7 +38,10 @@
- #include <sys_defs.h>
- #include <netinet/in.h>
- #include <arpa/inet.h>
-+#include <sys/socket.h>
- #include <netdb.h>
-+#include <stdlib.h>
-+#include <string.h>
- 
- #ifndef INADDR_NONE
- #define INADDR_NONE 0xffffffff
-@@ -46,17 +49,68 @@
- 
- /* Utility library. */
- 
-+#include <mymalloc.h>
- #include <inet_addr_list.h>
- #include <inet_addr_host.h>
-+#ifdef TEST
-+#include <msg.h>
-+#endif
- 
- /* inet_addr_host - look up address list for host */
- 
- int     inet_addr_host(INET_ADDR_LIST *addr_list, const char *hostname)
- {
-+#ifdef INET6
-+    int s;
-+    struct addrinfo hints, *res0, *res;
-+    int error;
-+    char *hbuf, *hname;
-+#else
-     struct hostent *hp;
-     struct in_addr addr;
-+#endif
-     int     initial_count = addr_list->used;
- 
-+#ifdef INET6
-+
-+    /*
-+     * The use of square brackets around an IPv6 addresses is
-+     * required, even though we don't enforce it as it'd make
-+     * the code unnecessarily complicated.
-+     */
-+    hbuf = mystrdup(hostname);
-+    if (*hbuf == '[' && hbuf[strlen(hbuf) - 1] == ']') {
-+	hbuf[strlen(hbuf) - 1] = '\0';
-+	hname = hbuf + 1;
-+    } else {
-+	hname = hbuf;
-+    }
-+
-+    memset(&hints, 0, sizeof(hints));
-+    hints.ai_family = PF_UNSPEC;
-+    hints.ai_socktype = SOCK_DGRAM;
-+    error = getaddrinfo(hname, NULL, &hints, &res0);
-+
-+    if (error == 0) {
-+	for (res = res0; res; res = res->ai_next) {
-+	    if (res->ai_family != AF_INET && res->ai_family != AF_INET6)
-+		continue;
-+	    /*
-+	     * filter out address families that are not supported
-+	     * XXX is this socket necessary? --dean
-+	     */
-+	    s = socket(res->ai_family, SOCK_DGRAM, 0);
-+	    if (s < 0)
-+		continue;
-+	    if (close(s))
-+		msg_warn("inet_addr_host: close(): %m");
-+
-+	    inet_addr_list_append(addr_list, res->ai_addr);
-+	}
-+	freeaddrinfo(res0);
-+    }
-+    myfree(hbuf);
-+#else
-     if ((addr.s_addr = inet_addr(hostname)) != INADDR_NONE) {
- 	inet_addr_list_append(addr_list, &addr);
-     } else {
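Review bot: `msg_warn("inet_addr_host: close(): %m")` is compiled in the regular build, but `<msg.h>` is only included under `#ifdef TEST` a few lines above, so the non-test object relies on an implicit declaration of msg_warn(); include `<msg.h>` unconditionally, and `<unistd.h>` for close(). The per-result `socket()` probe answers the author's own "XXX is this socket necessary?": its only purpose is to drop address families the running kernel does not support, which is what `AI_ADDRCONFIG` in `hints.ai_flags` requests on platforms that have it, so use that where available and keep the probe only as a fallback; as written, a host with many A/AAAA records pays one socket()/close() pair per address on every call. The bracket stripping accepts `[` ... `]` around any name, not only IPv6 literals, as the comment concedes; if that is intended, say so in the DESCRIPTION.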
-@@ -65,9 +119,12 @@
- 		inet_addr_list_append(addr_list,
- 				    (struct in_addr *) * hp->h_addr_list++);
-     }
-+#endif
-+
-     return (addr_list->used - initial_count);
- }
- 
-+
- #ifdef TEST
- 
- #include <msg.h>
-@@ -78,6 +135,8 @@
- {
-     INET_ADDR_LIST addr_list;
-     int     i;
-+    struct sockaddr *sa;
-+    char hbuf[NI_MAXHOST];
- 
-     msg_vstream_init(argv[0], VSTREAM_ERR);
- 
-@@ -89,8 +148,12 @@
- 	if (inet_addr_host(&addr_list, *argv) == 0)
- 	    msg_fatal("not found: %s", *argv);
- 
--	for (i = 0; i < addr_list.used; i++)
--	    vstream_printf("%s\n", inet_ntoa(addr_list.addrs[i]));
-+	for (i = 0; i < addr_list.used; i++) {
-+	    sa = (struct sockaddr *)&addr_list.addrs[i];
-+	    getnameinfo(sa, SA_LEN(sa), hbuf, sizeof(hbuf), NULL, 0,
-+		    NI_NUMERICHOST);
-+	    vstream_printf("%s\n", hbuf);
-+	}
- 	vstream_fflush(VSTREAM_OUT);
-     }
-     inet_addr_list_free(&addr_list);
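Review bot: the return value of getnameinfo() in the test loop is discarded, so on failure `hbuf` is printed uninitialised; check it the way inet_addr_list_append() does and print a placeholder, which also makes the test useful for spotting entries with a bad family or length.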
-diff -urNad postfix-release/src/util/inet_addr_list.c /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_list.c
---- postfix-release/src/util/inet_addr_list.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_list.c	2005-02-03 10:22:13.080092227 -0700
-@@ -51,6 +51,13 @@
- #include <arpa/inet.h>
- #include <stdlib.h>
- 
-+#include <netdb.h>
-+
-+#ifdef INET6
-+#include <string.h>
-+#include <sys/socket.h>
-+#endif
-+
- /* Utility library. */
- 
- #include <msg.h>
-@@ -64,14 +71,43 @@
-     int     init_size;
- 
-     list->used = 0;
--    list->size = 0;
-     init_size = 2;
--    list->addrs = (struct in_addr *) mymalloc(sizeof(*list->addrs) * init_size);
-+#ifdef INET6
-+    list->addrs = (struct sockaddr_storage *)
-+#else
-+    list->addrs = (struct in_addr *)
-+#endif
-+	mymalloc(sizeof(*list->addrs) * init_size);
-     list->size = init_size;
- }
- 
- /* inet_addr_list_append - append address to internet address list */
- 
-+#ifdef INET6
-+void    inet_addr_list_append(INET_ADDR_LIST *list, 
-+                              struct sockaddr * addr)
-+{
-+    char   *myname = "inet_addr_list_append";
-+    char    hbuf[NI_MAXHOST];
-+    int     new_size;
-+
-+    if (msg_verbose > 1) {
-+	if (getnameinfo(addr, SA_LEN(addr), hbuf, sizeof(hbuf), NULL, 0,
-+	    NI_NUMERICHOST)) {
-+	    strncpy(hbuf, "??????", sizeof(hbuf));
-+	}
-+	msg_info("%s: %s", myname, hbuf);
-+    }
-+
-+    if (list->used >= list->size) {
-+	new_size = list->size * 2;
-+	list->addrs = (struct sockaddr_storage *)
-+	    myrealloc((char *)list->addrs, sizeof(*list->addrs) * new_size);
-+	list->size = new_size;
-+    }
-+    memcpy(&list->addrs[list->used++], addr, SA_LEN(addr));
-+}
-+#else
- void    inet_addr_list_append(INET_ADDR_LIST *list, struct in_addr * addr)
- {
-     char   *myname = "inet_addr_list_append";
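Review bot: `memcpy(&list->addrs[list->used++], addr, SA_LEN(addr))` copies only `SA_LEN(addr)` bytes into a `struct sockaddr_storage` slot that mymalloc()/myrealloc() do not zero, so the tail of every entry is indeterminate; anything that later compares or hashes entries byte-wise (memcmp, or a future inet_addr_list_comp() that does not round-trip through getnameinfo()) would see garbage. memset() the slot before the memcpy(), or build the entry in a zeroed local and copy `sizeof(*list->addrs)`. `SA_LEN()` also maps every family other than AF_INET6 to `sizeof(struct sockaddr_in)`, so a caller that passes an AF_UNIX or AF_LINK sockaddr is silently truncated rather than rejected; a `msg_panic()` for families other than AF_INET/AF_INET6 at the top of this function would turn that into a diagnosable bug.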
-@@ -83,20 +119,39 @@
-     if (list->used >= list->size) {
- 	new_size = list->size * 2;
- 	list->addrs = (struct in_addr *)
--	    myrealloc((char *) list->addrs, sizeof(*list->addrs) * new_size);
-+	    myrealloc((char *)list->addrs, sizeof(*list->addrs) * new_size);
- 	list->size = new_size;
-     }
-     list->addrs[list->used++] = *addr;
- }
-+#endif
- 
- /* inet_addr_list_comp - compare addresses */
- 
- static int inet_addr_list_comp(const void *a, const void *b)
- {
-+#ifdef INET6
-+    char   ha[NI_MAXHOST], hb[NI_MAXHOST];
-+    int    nierr;
-+    int    niflags = NI_NUMERICHOST | NI_WITHSCOPEID;
-+    struct sockaddr *sa, *sb;
-+
-+    sa = (struct sockaddr *)a, sb = (struct sockaddr *)b;
-+    if (sa->sa_family != sb->sa_family)
-+	return (sa->sa_family - sb->sa_family);
-+    nierr = getnameinfo(sa, SA_LEN(sa), ha, sizeof(ha), NULL, 0, niflags);
-+    if (nierr)
-+	msg_fatal("inet_addr_list_comp: getnameinfo(ha) error %d", nierr);
-+    nierr = getnameinfo(sb, SA_LEN(sb), hb, sizeof(hb), NULL, 0, niflags);
-+    if (nierr)
-+	msg_fatal("inet_addr_list_comp: getnameinfo(hb) error %d", nierr);
-+    return strcmp(ha, hb);
-+#else
-     const struct in_addr *a_addr = (const struct in_addr *) a;
-     const struct in_addr *b_addr = (const struct in_addr *) b;
- 
-     return (a_addr->s_addr - b_addr->s_addr);
-+#endif
- }
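Review bot: inet_addr_list_comp() is the qsort() comparator used by inet_addr_list_uniq(), and calling msg_fatal() from it means one entry that getnameinfo() cannot render terminates the process while it is sorting its own interface list. The list only ever holds AF_INET/AF_INET6 entries appended by this module, so a failure here indicates a corrupt entry and a msg_panic() naming the family and length would be clearer; better still, compare the raw address bytes for the two supported families and drop the string round-trip, which also makes the order numeric instead of lexical. Note that with `NI_WITHSCOPEID` forced to 0 on non-KAME systems (inet_addr_list.h), whether two link-local addresses that differ only in `sin6_scope_id` render identically depends on the platform's getnameinfo(); where they do, uniq() removes one of them.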
- 
- /* inet_addr_list_uniq - weed out duplicates */
-@@ -141,7 +196,9 @@
-   */
- #include <inet_addr_host.h>
- 
--static void inet_addr_list_print(INET_ADDR_LIST *list)
-+#ifndef DEBUG6
-+static
-+#endif void inet_addr_list_print(INET_ADDR_LIST *list)
- {
-     int     n;
- 
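Review bot: as shown, `#endif void inet_addr_list_print(INET_ADDR_LIST *list)` places the function header on the `#endif` line; the preprocessor treats everything after `#endif` as extra tokens (a warning, or an error under -pedantic) and the declaration is lost, leaving a bare `{` at file scope so the TEST build does not compile. If this is a line-wrap artifact of the mail, ignore; otherwise put `void inet_addr_list_print(INET_ADDR_LIST *list)` on its own line after the `#endif`.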
-diff -urNad postfix-release/src/util/inet_addr_list.h /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_list.h
---- postfix-release/src/util/inet_addr_list.h	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_list.h	2005-02-03 10:22:13.080092227 -0700
-@@ -16,19 +16,55 @@
-   */
- #include <netinet/in.h>
- 
-+#ifndef SA_LEN
-+# ifndef HAS_SA_LEN
-+#  define SA_LEN(x)	(((x)->sa_family == AF_INET6) ? sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in))
-+#  define SS_LEN(x)	(((x).ss_family == AF_INET6) ? sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in))
-+# else
-+#  define SA_LEN(x)       ((x)->sa_len)
-+#  define SS_LEN(x)       ((x).ss_len)
-+# endif
-+#else
-+# ifndef SS_LEN
-+#  define SS_LEN(x)	(((x).ss_family == AF_INET6) ? sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in))
-+# endif
-+#endif
-+
-  /*
-   * External interface.
-   */
- typedef struct INET_ADDR_LIST {
-     int     used;			/* nr of elements in use */
-     int     size;			/* actual list size */
-+#ifdef INET6
-+    struct sockaddr_storage *addrs;   /* payload */
-+#else
-     struct in_addr *addrs;		/* payload */
-+#endif
- } INET_ADDR_LIST;
- 
- extern void inet_addr_list_init(INET_ADDR_LIST *);
- extern void inet_addr_list_free(INET_ADDR_LIST *);
- extern void inet_addr_list_uniq(INET_ADDR_LIST *);
-+#ifdef INET6
-+struct sockaddr;
-+extern void inet_addr_list_append(INET_ADDR_LIST *, struct sockaddr *);
-+#else
- extern void inet_addr_list_append(INET_ADDR_LIST *, struct in_addr *);
-+#endif
-+
-+/*
-+ * NI_WITHSCOPEID is defined on most systems, but usually not implemented.
-+ * Only on KAME? Use without implementation will result in EAI_BADFLAGS.
-+ */
-+#ifdef INET6
-+# ifndef INET6_KAME
-+#  ifdef NI_WITHSCOPEID
-+#   undef NI_WITHSCOPEID
-+#  endif
-+#  define NI_WITHSCOPEID 0
-+# endif
-+#endif
- 
- /* LICENSE
- /* .ad
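Review bot: the fallback `SA_LEN()`/`SS_LEN()` macros and the `NI_WITHSCOPEID` override are socket-API portability shims with no relation to INET_ADDR_LIST, yet every file that needs them (inet_addr_host.c and the connect/listen code that follows) must include this header to get them; move them to sys_defs.h beside the other portability definitions. The `#undef NI_WITHSCOPEID` / `#define NI_WITHSCOPEID 0` pair redefines a system macro, and since this header includes only <netinet/in.h>, a unit that includes <netdb.h> after it gets the system definition back with a different value and a "redefined" diagnostic; one central definition after <netdb.h> avoids that. Also worth a comment in the typedef: the type of `INET_ADDR_LIST.addrs` and the signature of inet_addr_list_append() change with INET6, so every object file must be built with the same setting.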
-diff -urNad postfix-release/src/util/inet_addr_local.c /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_local.c
---- postfix-release/src/util/inet_addr_local.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_local.c	2005-02-03 10:22:13.081092004 -0700
-@@ -6,9 +6,10 @@
- /* SYNOPSIS
- /*	#include <inet_addr_local.h>
- /*
--/*	int	inet_addr_local(addr_list, mask_list)
-+/*	int	inet_addr_local(addr_list, mask_list, addr_family)
- /*	INET_ADDR_LIST *addr_list;
- /*	INET_ADDR_LIST *mask_list;
-+/*	int addr_family;
- /* DESCRIPTION
- /*	inet_addr_local() determines all active IP interface addresses
- /*	of the local system. Any address found is appended to the
-@@ -17,6 +18,9 @@
- /*
- /*	The mask_list is either a null pointer, or it is a list that
- /*	receives the netmasks of the interface addresses that were found.
-+/*	
-+/*	The addr_family is ether AF_UNSPEC, AF_INET or AF_INET6
-+/*
- /* DIAGNOSTICS
- /*	Fatal errors: out of memory.
- /* SEE ALSO
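Review bot: typo in the added DESCRIPTION text: "The addr_family is ether AF_UNSPEC, AF_INET or AF_INET6" should read "either". The same paragraph should also say what happens when AF_INET6 is requested in a build without INET6 (the function adds nothing and returns 0), since that is a new outcome the `addr_family` argument introduces and callers need to distinguish it from "no interfaces found".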
-@@ -30,6 +34,13 @@
- /*	IBM T.J. Watson Research
- /*	P.O. Box 704
- /*	Yorktown Heights, NY 10598, USA
-+/*
-+/*	Dean C. Strik
-+/*	Department ICT
-+/*	Eindhoven University of Technology
-+/*	P.O. Box 513
-+/*	5600 MB  Eindhoven, Netherlands
-+/*	E-mail: <dean at ipnet6.org>
- /*--*/
- 
- /* System library. */
-@@ -47,6 +58,13 @@
- #endif
- #include <errno.h>
- #include <string.h>
-+#ifdef INET6
-+#include <netdb.h>
-+#include <stdio.h>
-+#endif
-+#ifdef HAVE_GETIFADDRS
-+#include <ifaddrs.h>
-+#endif
- 
- /* Utility library. */
- 
-@@ -57,39 +75,300 @@
- #include <inet_addr_local.h>
- 
-  /*
-+  * IF IPV6 SUPPORT IS ENABLED:
-+  *
-+  * In the non-getifaddrs() version, we determine the interface addresses
-+  * using the SIOCG(L)IFCONF. However, it is operating system dependent
-+  * whether this also results in IPv6 addresses configuration. Another
-+  * issue is that there is no good method to determine the netmask /
-+  * prefixlen for IPv6 addresses.
-+  * We will therefore use OS dependent methods. An overview:
-+  *  - Use SIOCGLIFCONF when available -> this supports both IPv4/IPv6
-+  *    addresses. Also, with SIOCGLIFNETMASK we can obtain the netmask /
-+  *    prefixlen for either address family.
-+  *  - On Linux, read IPv6 addresses / prefixlengths from a file in the
-+  *    /proc filesystem. Linux does not return IPv6 addresses in
-+  *    SIOCGIFCONF.
-+  *  - On other systems without getifaddrs(), we expect SIOCGIFCONF
-+  *    to return IPv6 addresses. Since SIOCGIFNETMASK does not work for
-+  *    IPv6 addresses, we will always set the prefixlen to 64 (subnet)
-+  *    However, it is suggested you set the mynetworks variable(s)
-+  *    manually then.
-+  *    XXX: We duplicate some code. In this case, I think this is better
-+  *    than really drowning in the #ifdefs...
-+  * -- Dean Strik (dcs)
-+  */
-+
-+ /*
-   * Support for variable-length addresses.
-   */
-+#ifdef HAS_SIOCGLIF
-+#else /* HAS_SIOCGLIF */
-+#endif /* HAS_SIOCGLIF */
-+
-+/* decode_scope - separate scope ID from IPv6 address */
-+
-+#ifdef INET6
-+static struct sockaddr *decode_scope(struct sockaddr *sa,
-+				     struct sockaddr_in6 *sin6)
-+{
-+#ifdef INET6_KAME
-+    memcpy(sin6, sa, sa->sa_len);	/* size sin6 >> size sa */
-+    /* decode scoped address notation */
-+    if ((IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr) ||
-+	    IN6_IS_ADDR_SITELOCAL(&sin6->sin6_addr)) &&
-+	    sin6->sin6_scope_id == 0) {
-+	sin6->sin6_scope_id = ntohs(*(u_int16_t *)&sin6->sin6_addr.s6_addr[2]);
-+	sin6->sin6_addr.s6_addr[2] = sin6->sin6_addr.s6_addr[3] = 0;
-+    }
-+    return (struct sockaddr *)sin6;
-+#else
-+    return (sa);
-+#endif
-+}
-+#endif
-+
-+/* ial_socket - make socket for ioctl() operations */
-+
-+static int ial_socket(int af)
-+{
-+    char  *myname = "inet_addr_local[socket]";
-+    int    sock;
-+
-+    /*
-+     * The host may not be actually configured with IPv6. When
-+     * IPv6 support is not actually in the kernel, don't consider
-+     * failure to create an IPv6 socket as fatal. This could be
-+     * tuned better though. For other families, the error is fatal.
-+     */
-+    if ((sock = socket(af, SOCK_DGRAM, 0)) < 0) {
-+#ifdef INET6
-+	if (af == AF_INET6) {
-+	    if (msg_verbose)
-+		msg_warn("%s: socket: %m", myname);
-+	    return (-1);
-+	}
-+#endif
-+	msg_fatal("%s: socket: %m", myname);
-+    }
-+    return (sock);
-+}
-+
-+
-+#ifdef HAVE_GETIFADDRS
-+
-+/*
-+ * The getifaddrs(3) function, introduced by BSD/OS, provides a
-+ * platform-independent way of requesting interface addresses,
-+ * including IPv6 addresses. The implementation however is not
-+ * present in all major operating systems.
-+ */
-+
-+/* ial_getifaddrs - determine IP addresses using getifaddrs(3) */
-+
-+static int ial_getifaddrs(INET_ADDR_LIST *addr_list,
-+			  INET_ADDR_LIST *mask_list,
-+			  int af)
-+{
-+    char *myname = "inet_addr_local[getifaddrs]";
-+    struct ifaddrs *ifap, *ifa;
-+    struct sockaddr *sa, *sam;
-+#ifdef INET6
-+    struct sockaddr_in6 addr6;
-+#else
-+    void *addr,*addrm;
-+#endif
-+
-+    if (getifaddrs(&ifap) < 0)
-+	msg_fatal("%s: getifaddrs: %m", myname);
-+
-+    /*
-+     * Get the address of each IP network interface. According to BIND we
-+     * must include interfaces that are down because the machine may still
-+     * receive packets for that address (yes, via some other interface).
-+     * Having no way to verify this claim on every machine, I will give them
-+     * the benefit of the doubt.
-+     */
-+
-+    for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
-+	if (!(ifa->ifa_flags & IFF_RUNNING) || ifa->ifa_addr == NULL) 
-+	    continue;
-+	sa = ifa->ifa_addr;
-+	sam = ifa->ifa_netmask;
-+	if (af != AF_UNSPEC && sa->sa_family != af)
-+	    continue;
-+	switch (sa->sa_family) {
-+	case AF_INET:
-+#ifndef INET6
-+	    addr = (void *)&((struct sockaddr_in *)sa)->sin_addr;
-+	    addrm = (void *)&((struct sockaddr_in *)ifa->ifa_netmask)->sin_addr;
-+#endif
-+	    break;
-+#ifdef INET6
-+	case AF_INET6:
-+	    sa = decode_scope(sa, &addr6);
-+	    break;
-+#endif
-+	default:
-+	    continue;
-+	}
-+
-+#ifdef INET6
-+	inet_addr_list_append(addr_list, sa);
-+	if (mask_list != NULL) {
-+	    /*
-+	     * Unfortunately, sa_len/sa_family may be broken in
-+	     * the netmask sockaddr structure. We must fix this
-+	     * manually to have correct addresses.   --dcs
-+	     */
-+#ifdef HAS_SA_LEN
-+	    sam->sa_len = sa->sa_family == AF_INET6 ?
-+			  sizeof(struct sockaddr_in6) :
-+			  sizeof(struct sockaddr_in);
-+#endif
-+	    sam->sa_family = sa->sa_family;
-+	    inet_addr_list_append(mask_list, sam);
-+	}
-+#else
-+	inet_addr_list_append(addr_list, (struct in_addr *)addr);
-+	if (mask_list != NULL)
-+	    inet_addr_list_append(mask_list, (struct in_addr *)addrm);
-+#endif
-+    }
-+
-+    freeifaddrs(ifap);
-+    return (0);
-+}
-+#endif /* HAVE_GETIFADDRS */
-+
-+
-+#ifdef HAS_SIOCGLIF
-+
-+/*
-+ * The SIOCLIF* ioctls are the successors of SIOCGIF* on the Solaris
-+ * and HP/UX operating systems. The data is stored in sockaddr_storage
-+ * structure. Both IPv4 and IPv6 addresses are returned though these
-+ * calls.
-+ */
-+#define NEXT_INTERFACE(lifr) (lifr + 1)
-+#define LIFREQ_SIZE(lifr) sizeof(lifr[0])
-+#define ial_generic ial_siocglif
-+
-+/* ial_siocglif - determine IP addresses using ioctl(SIOCGLIF*) */
-+
-+static int ial_siocglif(INET_ADDR_LIST *addr_list,
-+			INET_ADDR_LIST *mask_list,
-+			int af)
-+{
-+    char *myname = "inet_addr_local[siocglif]";
-+    struct lifconf lifc;
-+    struct lifreq *lifr;
-+    struct lifreq *lifr_mask;
-+    struct lifreq *the_end;
-+    struct sockaddr *sa;
-+    struct sockaddr_in6 addr6;
-+    int   sock;
-+    VSTRING *buf;
-+
-+    if (af != AF_INET && af != AF_INET6)
-+	msg_fatal("%s: address family was %d, must be AF_INET (%d) or "
-+		  "AF_INET6 (%d)", myname, af, AF_INET, AF_INET6);
-+    sock = ial_socket(af);
-+    if (sock < 0)
-+	return (0);
-+    buf = vstring_alloc(1024);
-+    for (;;) {
-+	memset(&lifc, 0, sizeof(lifc));
-+	lifc.lifc_family = AF_UNSPEC;
-+	lifc.lifc_len = vstring_avail(buf);
-+	lifc.lifc_buf = vstring_str(buf);
-+	if (ioctl(sock, SIOCGLIFCONF, (char *) &lifc) < 0) {
-+	    if (errno != EINVAL)
-+		msg_fatal("%s: ioctl SIOCGLIFCONF: %m", myname);
-+	} else if (lifc.lifc_len < vstring_avail(buf) / 2)
-+	    break;
-+	VSTRING_SPACE(buf, vstring_avail(buf) * 2);
-+    }
-+
-+    the_end = (struct lifreq *) (lifc.lifc_buf + lifc.lifc_len);
-+    for (lifr = lifc.lifc_req; lifr < the_end;) {
-+	if (((struct sockaddr *)&lifr->lifr_addr)->sa_family != af) {
-+	    lifr = NEXT_INTERFACE(lifr);
-+	    continue;
-+	}
-+	if (af == AF_INET) {
-+	    if (((struct sockaddr_in *)&lifr->lifr_addr)->sin_addr.s_addr
-+		    == INADDR_ANY) {
-+		lifr = NEXT_INTERFACE(lifr);
-+		continue;
-+	    }
-+	    sa = (struct sockaddr *)&lifr->lifr_addr;
-+	} else if (af == AF_INET6) {
-+	    sa = decode_scope((struct sockaddr *)&lifr->lifr_addr, &addr6);
-+	    if (IN6_IS_ADDR_UNSPECIFIED(&addr6.sin6_addr)) {
-+		lifr = NEXT_INTERFACE(lifr);
-+		continue;
-+	    }
-+	}
-+	inet_addr_list_append(addr_list, sa);
-+	if (mask_list) {
-+	    lifr_mask = (struct lifreq *) mymalloc(sizeof(struct lifreq));
-+	    memcpy((char *)lifr_mask, (char *)lifr, sizeof(struct lifreq));
-+	    if (ioctl(sock, SIOCGLIFNETMASK, lifr_mask) < 0)
-+		msg_fatal("%s: ioctl(SIOCGLIFNETMASK): %m", myname);
-+	    /* XXX: Check whether sa_len/family are honoured --dcs */
-+	    inet_addr_list_append(mask_list,
-+				 (struct sockaddr *)&lifr_mask->lifr_addr);
-+	    myfree((char *)lifr_mask);
-+	}
-+	lifr = NEXT_INTERFACE(lifr);
-+    }
-+    vstring_free(buf);
-+    (void) close(sock);
-+    return (0);
-+}
-+
-+#else /* HAVE_SIOCGLIF */
-+
-+/*
-+ * The classic SIOCGIF* ioctls. Modern BSD operating systems will
-+ * also return IPv6 addresses through these structure. Note however
-+ * that recent versions of these operating systems have getifaddrs.
-+ */
-+#define ial_generic ial_siocgif
- #ifdef _SIZEOF_ADDR_IFREQ
- #define NEXT_INTERFACE(ifr) ((struct ifreq *) \
- 	((char *) ifr + _SIZEOF_ADDR_IFREQ(*ifr)))
- #define IFREQ_SIZE(ifr)	_SIZEOF_ADDR_IFREQ(*ifr)
--#else
-+#else /* _SIZEOF_ADDR_IFREQ */
- #ifdef HAS_SA_LEN
- #define NEXT_INTERFACE(ifr) ((struct ifreq *) \
- 	((char *) ifr + sizeof(ifr->ifr_name) + ifr->ifr_addr.sa_len))
- #define IFREQ_SIZE(ifr)	(sizeof(ifr->ifr_name) + ifr->ifr_addr.sa_len)
--#else
-+#else /* HAS_SA_LEN */
- #define NEXT_INTERFACE(ifr) (ifr + 1)
- #define IFREQ_SIZE(ifr)	sizeof(ifr[0])
--#endif
--#endif
-+#endif /* HAS_SA_LEN */
-+#endif /* _SIZEOF_ADDR_IFREQ */
- 
--/* inet_addr_local - find all IP addresses for this host */
-+/* ial_siocgif - determine IP addresses using ioctl(SIOCGIF*) */
- 
--int     inet_addr_local(INET_ADDR_LIST *addr_list, INET_ADDR_LIST *mask_list)
-+static int ial_siocgif(INET_ADDR_LIST *addr_list,
-+			INET_ADDR_LIST *mask_list,
-+			int af)
- {
--    char   *myname = "inet_addr_local";
-+    char *myname = "inet_addr_local[siocgif]";
-+    struct in_addr addr;
-     struct ifconf ifc;
-     struct ifreq *ifr;
--    struct ifreq *the_end;
--    int     sock;
--    VSTRING *buf = vstring_alloc(1024);
--    int     initial_count = addr_list->used;
--    struct in_addr addr;
-     struct ifreq *ifr_mask;
--
--    if ((sock = socket(PF_INET, SOCK_DGRAM, 0)) < 0)
--	msg_fatal("%s: socket: %m", myname);
-+    struct ifreq *the_end;
-+#ifdef INET6
-+    struct sockaddr *sa;
-+    struct sockaddr_in6 addr6;
-+#endif
-+    int   sock;
-+    VSTRING *buf;
- 
-     /*
-      * Get the network interface list. XXX The socket API appears to have no
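Review bot: ial_getifaddrs() dereferences `ifa->ifa_netmask` without a NULL check: the loop only tests `ifa->ifa_addr == NULL`, but getifaddrs() may return entries with a NULL netmask (point-to-point and some virtual interfaces), and with `mask_list != NULL` the INET6 branch then executes `sam->sa_family = sa->sa_family;` on that pointer. Skip the entry, or at least skip the mask, when `sam == NULL`, and keep addr_list and mask_list the same length, since the TEST code indexes both with one counter. In the same loop, `if (!(ifa->ifa_flags & IFF_RUNNING) ...) continue;` contradicts the comment immediately below it, which says (following BIND) that interfaces that are down must be included; the SIOCGIFCONF code this replaces did not filter on flags, so either drop the test or rewrite the comment. Smaller points: the empty `#ifdef HAS_SIOCGLIF` / `#else` / `#endif` block under "Support for variable-length addresses" is dead and should be removed, and the `#else /* HAVE_SIOCGLIF */` comment does not match the `#ifdef HAS_SIOCGLIF` it closes.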
-@@ -106,6 +385,11 @@
-      * that the program can run out of memory due to a non-memory problem,
-      * making it more difficult than necessary to diagnose the real problem.
-      */
-+
-+    sock = ial_socket(af);
-+    if (sock < 0)
-+	return (0);
-+    buf = vstring_alloc(1024);
-     for (;;) {
- 	ifc.ifc_len = vstring_avail(buf);
- 	ifc.ifc_buf = vstring_str(buf);
-@@ -117,39 +401,199 @@
- 	VSTRING_SPACE(buf, vstring_avail(buf) * 2);
-     }
- 
--    /*
--     * Get the address of each IP network interface. According to BIND we
--     * must include interfaces that are down because the machine may still
--     * receive packets for that address (yes, via some other interface).
--     * Having no way to verify this claim on every machine, I will give them
--     * the benefit of the doubt.
--     */
-     the_end = (struct ifreq *) (ifc.ifc_buf + ifc.ifc_len);
-     for (ifr = ifc.ifc_req; ifr < the_end;) {
--	if (ifr->ifr_addr.sa_family == AF_INET) {	/* IP interface */
--	    addr = ((struct sockaddr_in *) & ifr->ifr_addr)->sin_addr;
--	    if (addr.s_addr != INADDR_ANY) {	/* has IP address */
-+        if (ifr->ifr_addr.sa_family != af) {
-+	    ifr = NEXT_INTERFACE(ifr);
-+	    continue;
-+        }
-+	if (af == AF_INET) {
-+	    addr = ((struct sockaddr_in *) &ifr->ifr_addr)->sin_addr;
-+	    if (addr.s_addr != INADDR_ANY) {
-+#ifdef INET6
-+		inet_addr_list_append(addr_list, &ifr->ifr_addr);
-+#else
- 		inet_addr_list_append(addr_list, &addr);
-+#endif
- 		if (mask_list) {
- 		    ifr_mask = (struct ifreq *) mymalloc(IFREQ_SIZE(ifr));
- 		    memcpy((char *) ifr_mask, (char *) ifr, IFREQ_SIZE(ifr));
- 		    if (ioctl(sock, SIOCGIFNETMASK, ifr_mask) < 0)
- 			msg_fatal("%s: ioctl SIOCGIFNETMASK: %m", myname);
--		    addr = ((struct sockaddr_in *) & ifr_mask->ifr_addr)->sin_addr;
-+#ifdef INET6
-+		    /*
-+		     * Note that this SIOCGIFNETMASK has truly screwed up
-+		     * the contents of sa_len/sa_family. We must fix this
-+		     * manually to have correct addresses.   --dcs
-+		     */
-+#ifdef HAS_SA_LEN
-+		    ifr_mask->ifr_addr.sa_len = sizeof(struct sockaddr_in);
-+#endif
-+		    ifr_mask->ifr_addr.sa_family = af;
-+		    inet_addr_list_append(mask_list, &ifr_mask->ifr_addr);
-+#else
-+		    addr = ((struct sockaddr_in *) &ifr_mask->ifr_addr)->sin_addr;
- 		    inet_addr_list_append(mask_list, &addr);
-+#endif
- 		    myfree((char *) ifr_mask);
- 		}
- 	    }
- 	}
-+#ifdef INET6
-+	else if (af == AF_INET6) {
-+	    sa = decode_scope(&ifr->ifr_addr, &addr6);
-+	    if (!(IN6_IS_ADDR_UNSPECIFIED(&addr6.sin6_addr))) {
-+	        inet_addr_list_append(addr_list, sa);
-+		if (mask_list) {
-+		    /* We can't know, and assume /64 for everything */
-+		    struct sockaddr_in6 mask6;
-+		    struct in6_addr *maddr6;
-+		    memcpy((char *)&mask6, (char *)&addr6,
-+			   sizeof(struct sockaddr_in6));
-+		    maddr6 = &mask6.sin6_addr;
-+		    maddr6->s6_addr[0]  = maddr6->s6_addr[1]  =
-+		    maddr6->s6_addr[2]  = maddr6->s6_addr[3]  =
-+		    maddr6->s6_addr[4]  = maddr6->s6_addr[5]  =
-+		    maddr6->s6_addr[6]  = maddr6->s6_addr[7]  = 0xff;
-+		    maddr6->s6_addr[8]  = maddr6->s6_addr[9]  =
-+		    maddr6->s6_addr[10] = maddr6->s6_addr[11] =
-+		    maddr6->s6_addr[12] = maddr6->s6_addr[13] =
-+		    maddr6->s6_addr[14] = maddr6->s6_addr[15] = 0x0;
-+		    inet_addr_list_append(mask_list,
-+					  (struct sockaddr *)&mask6);
-+		}
-+	    }
-+	}
-+#endif /* INET6 */
- 	ifr = NEXT_INTERFACE(ifr);
-     }
-     vstring_free(buf);
-     (void) close(sock);
-+    return (0);
-+}
-+#endif /* HAVE_SIOCGLIF */
-+
-+
-+#ifdef HAS_PROCNET_IFINET6
-+
-+/*
-+ * Linux does not provide proper calls to retrieve IPv6 interface
-+ * addresses. Instead, the addresses can be read from a file in the
-+ * /proc tree. The most important issue with this approach however
-+ * is that the /proc tree may not always be available, for example
-+ * in a chrooted environment or in "hardened" (sic) installations.
-+ */
-+
-+/* ial_procnet_ifinet6 - determine IPv6 addresses using /proc/net/if_inet6 */
-+
-+static int ial_procnet_ifinet6(INET_ADDR_LIST *addr_list,
-+			       INET_ADDR_LIST *mask_list)
-+{
-+    char *myname = "inet_addr_local[procnet_ifinet6]";
-+    FILE *f;
-+    char addr6p[8][5], addr6res[40], devname[20];
-+    int plen, scope, dad_status, if_idx, gaierror;
-+    struct addrinfo hints, *res, *res0;
-+
-+    if ((f = fopen(_PATH_PROCNET_IFINET6, "r")) != NULL) {
-+	while (fscanf(f, "%4s%4s%4s%4s%4s%4s%4s%4s %02x %02x %02x %02x %20s\n",
-+		addr6p[0], addr6p[1], addr6p[2], addr6p[3], addr6p[4],
-+		addr6p[5], addr6p[6], addr6p[7],
-+		&if_idx, &plen, &scope, &dad_status, devname) != EOF) {
-+	    sprintf(addr6res, "%s:%s:%s:%s:%s:%s:%s:%s",
-+		addr6p[0], addr6p[1], addr6p[2], addr6p[3],
-+		addr6p[4], addr6p[5], addr6p[6], addr6p[7]);
-+	    addr6res[sizeof(addr6res) - 1] = 0;
-+	    memset(&hints, 0, sizeof(hints));
-+	    hints.ai_flags = AI_NUMERICHOST;
-+	    hints.ai_family = AF_INET6;
-+	    hints.ai_socktype = SOCK_DGRAM;
-+	    gaierror = getaddrinfo(addr6res, NULL, &hints, &res0);
-+	    if (!gaierror) {
-+		for (res = res0; res; res = res->ai_next) {
-+		    struct sockaddr_in6 mask;
-+		    int i, rest;
-+		    inet_addr_list_append(addr_list, res->ai_addr);
-+		    memcpy((char *)&mask, res->ai_addr, res->ai_addrlen);
-+		    /* s6_addr32 is available on linux */
-+		    mask.sin6_addr.s6_addr32[0] =
-+		    mask.sin6_addr.s6_addr32[1] =
-+		    mask.sin6_addr.s6_addr32[2] =
-+		    mask.sin6_addr.s6_addr32[3] = ~0;
-+		    for (i = 3, rest = 128 - plen; i > -1; i--)
-+			if (rest > 31) {
-+			    mask.sin6_addr.s6_addr32[i] = htonl(0);
-+			    rest -= 32;
-+			} else {
-+			    mask.sin6_addr.s6_addr32[i] =
-+				htonl(~((1 << rest) - 1));
-+			    break;
-+			}
-+		    inet_addr_list_append(mask_list, (struct sockaddr *)&mask);
-+		}
-+		freeaddrinfo(res0);
-+	    }
-+	}
-+    } else if (msg_verbose) {
-+	msg_warn("%s: Couldn't open " _PATH_PROCNET_IFINET6
-+		 " for reading: %m", myname);
-+    }
-+    return (0);
-+}
-+#endif /* HAS_PROCNET_IFINET6 */
-+
-+
-+/* inet_addr_local - find all IP addresses for this host */
-+
-+int     inet_addr_local(INET_ADDR_LIST *addr_list, INET_ADDR_LIST *mask_list,
-+			int addr_family)
-+{
-+    char   *myname = "inet_addr_local";
-+    int     initial_count = addr_list->used;
-+    int     count;
-+
-+    /*
-+     * IP Version 4
-+     */
-+    if (addr_family == AF_INET || addr_family == AF_UNSPEC) {
-+	count = addr_list->used;
-+#if defined(HAVE_GETIFADDRS)
-+	ial_getifaddrs(addr_list, mask_list, AF_INET);
-+#else
-+	ial_generic(addr_list, mask_list, AF_INET);
-+#endif
-+	if (msg_verbose)
-+	    msg_info("%s: configured %d IPv4 addresses",
-+		     myname, addr_list->used - count);
-+    }
-+
-+    /*
-+     * IP Version 6
-+     */
-+    if (addr_family == AF_INET6 || addr_family == AF_UNSPEC) {
-+	count = addr_list->used;
-+#ifdef INET6
-+#if defined(HAS_PROCNET_IFINET6)
-+	ial_procnet_ifinet6(addr_list, mask_list);
-+#elif defined(HAVE_GETIFADDRS)
-+	ial_getifaddrs(addr_list, mask_list, AF_INET6);
-+#else
-+	ial_generic(addr_list, mask_list, AF_INET6);
-+#endif
-+	if (msg_verbose)
-+	    msg_info("%s: configured %d IPv6 addresses", myname,
-+		     addr_list->used - count);
-+#endif
-+    }
-+
-     return (addr_list->used - initial_count);
- }
- 
-+
- #ifdef TEST
-+/* XXX: Requires INET6 for now */
- 
-+#include <string.h>
- #include <vstream.h>
- #include <msg_vstream.h>
- 
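Review bot: `htonl(~((1 << rest) - 1))` in the prefix-to-mask loop shifts a signed int by up to 31 (that branch is reached with rest in 0..31), and `1 << 31` is not representable in a 32-bit int, so it is undefined behaviour in C; use an unsigned constant, `htonl(~((1U << rest) - 1))`, so the rest == 31 case is well defined. The same loop writes `mask.sin6_addr.s6_addr32[i]`, which is a glibc/BSD extension rather than a POSIX member of `struct in6_addr`; that is acceptable inside a `HAS_PROCNET_IFINET6` (Linux-only) routine, but a comment saying so would save the next porter a surprise. On the `else if (msg_verbose)` branch, a failure to open /proc/net/if_inet6 is only reported with verbose logging on, so a host whose kernel has IPv6 disabled silently ends up with zero IPv6 addresses; issuing the `msg_warn` unconditionally, or at least when the caller asked for AF_INET6 explicitly, would make that visible in the log.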
-@@ -158,12 +602,14 @@
-     INET_ADDR_LIST addr_list;
-     INET_ADDR_LIST mask_list;
-     int     i;
-+    char abuf[NI_MAXHOST], mbuf[NI_MAXHOST];
-+    struct sockaddr *sa;
- 
-     msg_vstream_init(argv[0], VSTREAM_ERR);
- 
-     inet_addr_list_init(&addr_list);
-     inet_addr_list_init(&mask_list);
--    inet_addr_local(&addr_list, &mask_list);
-+    inet_addr_local(&addr_list, &mask_list, AF_UNSPEC);
- 
-     if (addr_list.used == 0)
- 	msg_fatal("cannot find any active network interfaces");
-@@ -172,8 +618,17 @@
- 	msg_warn("found only one active network interface");
- 
-     for (i = 0; i < addr_list.used; i++) {
--	vstream_printf("%s/", inet_ntoa(addr_list.addrs[i]));
--	vstream_printf("%s\n", inet_ntoa(mask_list.addrs[i]));
-+	sa = (struct sockaddr *)&addr_list.addrs[i];
-+	if (getnameinfo(sa, SA_LEN(sa), abuf, sizeof(abuf), NULL, 0,
-+		NI_NUMERICHOST)) {
-+	    strncpy(abuf, "???", sizeof(abuf));
-+	}
-+	sa = (struct sockaddr *)&mask_list.addrs[i];
-+	if (getnameinfo(sa, SA_LEN(sa), mbuf, sizeof(mbuf), NULL, 0,
-+		NI_NUMERICHOST)) {
-+	    strncpy(mbuf, "???", sizeof(mbuf));
-+	}
-+	vstream_printf("%s/%s\n", abuf, mbuf);
-     }
-     vstream_fflush(VSTREAM_OUT);
-     inet_addr_list_free(&addr_list);
-diff -urNad postfix-release/src/util/inet_addr_local.h /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_local.h
---- postfix-release/src/util/inet_addr_local.h	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/util/inet_addr_local.h	2005-02-03 10:22:13.081092004 -0700
-@@ -19,7 +19,7 @@
-  /*
-   * External interface.
-   */
--extern int inet_addr_local(INET_ADDR_LIST *, INET_ADDR_LIST *);
-+extern int inet_addr_local(INET_ADDR_LIST *, INET_ADDR_LIST *, int);
- 
- /* LICENSE
- /* .ad
-diff -urNad postfix-release/src/util/inet_connect.c /tmp/dpep.cXJuVH/postfix-release/src/util/inet_connect.c
---- postfix-release/src/util/inet_connect.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/util/inet_connect.c	2005-02-03 10:22:13.082091781 -0700
-@@ -55,6 +55,9 @@
- #include <string.h>
- #include <unistd.h>
- #include <errno.h>
-+#ifdef INET6
-+#include <netdb.h>
-+#endif
- 
- /* Utility library. */
- 
-@@ -74,7 +77,12 @@
-     char   *buf;
-     char   *host;
-     char   *port;
-+#ifdef INET6
-+    struct addrinfo hints, *res, *res0;
-+    int    error;
-+#else
-     struct sockaddr_in sin;
-+#endif
-     int     sock;
- 
-     /*
-@@ -82,14 +90,58 @@
-      * the local host.
-      */
-     buf = inet_parse(addr, &host, &port);
-+#ifdef INET6
-+    if (*host == 0)
-+	host = NULL;
-+    memset(&hints, 0, sizeof(hints));
-+    hints.ai_family = PF_UNSPEC;
-+    hints.ai_socktype = SOCK_STREAM;
-+    hints.ai_flags = AI_NUMERICHOST;	/* find_inet_addr is numeric only */
-+    if (getaddrinfo(host, port, &hints, &res0))
-+	msg_fatal("host not found: %s", host);
-+#else
-     if (*host == 0)
- 	host = "localhost";
-     memset((char *) &sin, 0, sizeof(sin));
-     sin.sin_family = AF_INET;
-     sin.sin_addr.s_addr = find_inet_addr(host);
-     sin.sin_port = find_inet_port(port, "tcp");
-+#endif
-     myfree(buf);
- 
-+#ifdef INET6
-+    sock = -1;
-+    for (res = res0; res; res = res->ai_next) {
-+	if ((res->ai_family != AF_INET) && (res->ai_family != AF_INET6))
-+	    continue;
-+
-+	sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
-+	if (sock < 0)
-+	    continue;
-+	if (timeout > 0) {
-+	    non_blocking(sock, NON_BLOCKING);
-+	    if (timed_connect(sock, res->ai_addr, res->ai_addrlen, timeout) < 0) {
-+		close(sock);
-+		sock = -1;
-+		continue;
-+	    }
-+	    if (block_mode != NON_BLOCKING)
-+		non_blocking(sock, block_mode);
-+	    break;
-+	} else {
-+	    non_blocking(sock, block_mode);
-+	    if (connect(sock, res->ai_addr, res->ai_addrlen) < 0
-+		&& errno != EINPROGRESS) {
-+		close(sock);
-+		sock = -1;
-+		continue;
-+	    }
-+	    break;
-+	}
-+    }
-+    freeaddrinfo(res0);
-+    return sock;
-+#else
-     /*
-      * Create a client socket.
-      */
-@@ -122,4 +174,5 @@
- 	}
- 	return (sock);
-     }
-+#endif
- }
-diff -urNad postfix-release/src/util/inet_listen.c /tmp/dpep.cXJuVH/postfix-release/src/util/inet_listen.c
---- postfix-release/src/util/inet_listen.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/util/inet_listen.c	2005-02-03 10:22:13.082091781 -0700
-@@ -6,7 +6,7 @@
- /* SYNOPSIS
- /*	#include <listen.h>
- /*
--/*	int	inet_listen(addr, backlog, block_mode)
-+/*	int	inet_listen(addr, backlog, block_mode, addinuse_fatal)
- /*	const char *addr;
- /*	int	backlog;
- /*	int	block_mode;
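Review bot: the SYNOPSIS comment names the new parameter `addinuse_fatal` while the function definition later in this patch is `inet_listen(const char *addr, int backlog, int block_mode, int addrinuse_fatal)`; fix the spelling, add the matching `/*	int	addrinuse_fatal;` declaration line after `/*	int	block_mode;` as the other three parameters have, and add a sentence to DESCRIPTION stating that with addrinuse_fatal == 0 the function returns -1 on EADDRINUSE instead of calling msg_fatal().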
-@@ -51,11 +51,17 @@
- #include <sys_defs.h>
- #include <sys/socket.h>
- #include <netinet/in.h>
-+#ifdef INET6
-+#if (! __GLIBC__ >= 2 && __GLIBC_MINOR__ >=1 )
-+#include <netinet6/in6.h>
-+#endif
-+#endif
- #include <arpa/inet.h>
- #include <netdb.h>
- #ifndef MAXHOSTNAMELEN
- #include <sys/param.h>
- #endif
-+#include <errno.h>
- #include <string.h>
- #include <unistd.h>
- 
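Review bot: `#if (! __GLIBC__ >= 2 && __GLIBC_MINOR__ >=1 )` does not test what it appears to: `!` binds tighter than `>=`, so it evaluates `(!__GLIBC__) >= 2`, which is 0 or 1 compared against 2 and therefore always false, and `<netinet6/in6.h>` is never included on any platform (on non-glibc systems `__GLIBC__` is undefined and reads as 0, giving the same result). If the intent is "include it only where glibc 2.1 or later is absent", write `#if !(defined(__GLIBC__) && (__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 1)))`; since `<netinet/in.h>` already provides the IPv6 types on the systems this patch targets, dropping the block altogether is the simpler fix.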
-@@ -77,35 +83,116 @@
- 
- /* inet_listen - create inet-domain listener */
- 
--int     inet_listen(const char *addr, int backlog, int block_mode)
-+int     inet_listen(const char *addr, int backlog, int block_mode, int addrinuse_fatal)
- {
-+#ifdef INET6
-+    struct addrinfo *res, *res0, hints;
-+    int error;
-+#else
-+    struct ai {
-+	int ai_family;
-+	int ai_socktype;
-+	int ai_protocol;
-+	struct sockaddr *ai_addr;
-+	SOCKADDR_SIZE ai_addrlen;
-+	struct ai *ai_next;
-+    } *res, *res0, resbody;
-     struct sockaddr_in sin;
-+#endif
-     int     sock;
-     int     t = 1;
-+    int     addrinuse = 0;
-     char   *buf;
-     char   *host;
-     char   *port;
-+#ifdef INET6
-+    char hbuf[NI_MAXHOST], pbuf[NI_MAXSERV];
-+#else
-+    char hbuf[sizeof("255.255.255.255") + 1];
-+    char pbuf[sizeof("255.255.255.255") + 1];
-+#endif
-+    char *cause = "unknown";
- 
-     /*
-      * Translate address information to internal form.
-      */
-     buf = inet_parse(addr, &host, &port);
--    memset((char *) &sin, 0, sizeof(sin));
-+#ifdef INET6
-+    memset(&hints, 0, sizeof(hints));
-+    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
-+    hints.ai_family = AF_UNSPEC;
-+    hints.ai_socktype = SOCK_STREAM;
-+    error = getaddrinfo(*host ? host : NULL, *port ? port : "0", &hints, &res0);
-+    if (error) {
-+	msg_fatal("getaddrinfo: %s", gai_strerror(error));
-+    }
-+    myfree(buf);
-+#else
-+    memset(&sin, 0, sizeof(sin));
-     sin.sin_family = AF_INET;
-+#ifdef HAS_SA_LEN
-+    sin.sin_len = sizeof(sin);
-+#endif
-     sin.sin_port = find_inet_port(port, "tcp");
-     sin.sin_addr.s_addr = (*host ? find_inet_addr(host) : INADDR_ANY);
--    myfree(buf);
- 
--    /*
--     * Create a listener socket.
--     */
--    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
--	msg_fatal("socket: %m");
--    if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (char *) &t, sizeof(t)) < 0)
--	msg_fatal("setsockopt: %m");
--    if (bind(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0)
--	msg_fatal("bind %s port %d: %m", sin.sin_addr.s_addr == INADDR_ANY ?
--	       "INADDR_ANY" : inet_ntoa(sin.sin_addr), ntohs(sin.sin_port));
-+    memset(&resbody, 0, sizeof(resbody)); 
-+    resbody.ai_socktype = SOCK_STREAM;
-+    resbody.ai_family = AF_INET;
-+    resbody.ai_addr = (struct sockaddr *)&sin;
-+    resbody.ai_addrlen = sizeof(sin);
-+
-+    res0 = &resbody;
-+#endif
-+
-+    sock = -1;
-+    for (res = res0; res; res = res->ai_next) {
-+	if ((res->ai_family != AF_INET) && (res->ai_family != AF_INET6))
-+	    continue;
-+
-+	/*
-+	 * Create a listener socket.
-+	 */
-+	if ((sock = socket(res->ai_family, res->ai_socktype, 0)) < 0) {
-+	    cause = "socket";
-+	    continue;
-+	}
-+#ifdef IPV6_V6ONLY
-+	if (res->ai_family == AF_INET6 && setsockopt(sock,
-+	    IPPROTO_IPV6, IPV6_V6ONLY, (char *)&t, sizeof(t)) < 0) {
-+#ifdef DEBUG6
-+	    cause = "setsockopt(IPV6_V6ONLY)";
-+	    close(sock);
-+	    sock = -1;
-+	    continue;
-+#endif
-+	    ;
-+	}
-+#endif
-+	if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (char *) &t, sizeof(t)) < 0) {
-+	    cause = "setsockopt(SO_REUSEADDR)";
-+	    close(sock);
-+	    sock = -1;
-+	    continue;
-+	}
-+
-+	if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) {
-+	    cause = "bind";
-+	    if (errno == EADDRINUSE)
-+		addrinuse = 1;
-+	    close(sock);
-+	    sock = -1;
-+	    continue;
-+	}
-+	break;
-+    }
-+    if (sock < 0 && (addrinuse_fatal || !addrinuse))
-+	msg_fatal("%s: %m", cause);
-+#ifdef INET6
-+    freeaddrinfo(res0);
-+#endif
-+    if (sock < 0)
-+	return -1;
-     non_blocking(sock, block_mode);
-     if (listen(sock, backlog) < 0)
- 	msg_fatal("listen: %m");
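Review bot: the rewritten bind loop `break`s after the first address that binds, so with `hints.ai_family = AF_UNSPEC` and a host-less `addr` getaddrinfo() returns both the IPv6 and the IPv4 wildcard but only one of them is bound; combined with `IPV6_V6ONLY` being set to 1 on AF_INET6 sockets, a listener meant for all interfaces becomes IPv6-only or IPv4-only depending on which entry comes first, and the caller cannot tell. Either return one socket per address family (which changes the signature) or document that callers must pass an explicit address per family. Two smaller points: `msg_fatal("%s: %m", cause)` is reached after `close(sock)` and, on later iterations, after further `socket()` calls, so errno no longer describes the failure recorded in `cause`; save errno next to `cause`. And `myfree(buf)` was removed from the non-INET6 path (old line `-    myfree(buf);`) and re-added only inside `#ifdef INET6`, so the `#else` branch now leaks `buf`; `hbuf`/`pbuf` are declared in both branches but not referenced anywhere in this hunk.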
-diff -urNad postfix-release/src/util/inet_util.c /tmp/dpep.cXJuVH/postfix-release/src/util/inet_util.c
---- postfix-release/src/util/inet_util.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/util/inet_util.c	2005-02-03 10:22:13.082091781 -0700
-@@ -37,6 +37,7 @@
- /* System libraries. */
- 
- #include <sys_defs.h>
-+#include <string.h>
- 
- /* Utility library. */
- 
-@@ -48,14 +49,26 @@
- 
- char   *inet_parse(const char *addr, char **hostp, char **portp)
- {
--    char   *buf;
--
--    buf = mystrdup(addr);
--    if ((*portp = split_at_right(buf, ':')) != 0) {
-+    char   *buf, *brk;
-+#ifdef INET6
-+    if (*addr == '[') {
-+	buf = mystrdup(addr + 1);
-+	brk = strchr(buf, ']');
-+	if (brk == NULL) 
-+	    brk = buf;
-+    } else
-+#endif
-+	brk = buf = mystrdup(addr);
-+    if ((*portp = split_at_right(brk, ':')) != 0) {
- 	*hostp = buf;
-+#ifdef INET6
-+	if (brk > buf)
-+		*brk = '\0';
-+#endif
-     } else {
- 	*portp = buf;
- 	*hostp = "";
-     }
-     return (buf);
- }
-+
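Review bot: in `inet_parse()` an unterminated bracket is silently tolerated: when `strchr(buf, ']')` returns NULL the code falls back to `brk = buf` and parses `[::1:25` as host `::1`, port `25`, and a bracketed literal with no port, `[::1]`, leaves the `]` in the string returned through `*portp` because `split_at_right()` finds no `:` after it. Treat a missing `]` as a parse error (the callers already `msg_fatal()` on bad addresses) and strip the bracket in the no-port case before `*portp = buf`. The trailing blank line added at end of file is whitespace-only noise.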
-diff -urNad postfix-release/src/util/listen.h /tmp/dpep.cXJuVH/postfix-release/src/util/listen.h
---- postfix-release/src/util/listen.h	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/util/listen.h	2005-02-03 10:22:13.083091558 -0700
-@@ -20,7 +20,7 @@
-   * Listener external interface.
-   */
- extern int unix_listen(const char *, int, int);
--extern int inet_listen(const char *, int, int);
-+extern int inet_listen(const char *, int, int, int);
- extern int fifo_listen(const char *, int, int);
- extern int stream_listen(const char *, int, int);
- 
-diff -urNad postfix-release/src/util/Makefile.in /tmp/dpep.cXJuVH/postfix-release/src/util/Makefile.in
---- postfix-release/src/util/Makefile.in	2005-02-03 10:22:12.225282899 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/util/Makefile.in	2005-02-03 10:22:13.083091558 -0700
-@@ -29,7 +29,8 @@
- 	vstream_popen.c vstring.c vstring_vstream.c watchdog.c writable.c \
- 	write_buf.c write_wait.c auto_clnt.c attr_clnt.c attr_scan_plain.c \
- 	attr_print_plain.c sane_connect.c neuter.c name_code.c \
--	uppercase.c
-+	uppercase.c \
-+	get_port.c sock_addr.c
- OBJS	= alldig.o argv.o argv_split.o attr_print0.o attr_print64.o \
- 	attr_scan0.o attr_scan64.o base64_code.o basename.o binhash.o \
- 	chroot_uid.o clean_env.o close_on_exec.o concatenate.o ctable.o \
-@@ -59,7 +60,7 @@
- 	vstream_popen.o vstring.o vstring_vstream.o watchdog.o writable.o \
- 	write_buf.o write_wait.o auto_clnt.o attr_clnt.o attr_scan_plain.o \
- 	attr_print_plain.o sane_connect.o $(STRCASE) neuter.o name_code.o \
--	uppercase.o load_lib.o
-+	uppercase.o load_lib.o get_port.o sock_addr.o
- HDRS	= argv.h attr.h base64_code.h binhash.h chroot_uid.h clean_env.h \
- 	connect.h ctable.h dict.h dict_db.h dict_dbm.h dict_env.h \
- 	dict_cidr.h dict_ht.h dict_ni.h dict_nis.h \
-@@ -79,7 +80,8 @@
- 	split_at.h stat_as.h stringops.h sys_defs.h timed_connect.h \
- 	timed_wait.h trigger.h username.h valid_hostname.h vbuf.h \
- 	vbuf_print.h vstream.h vstring.h vstring_vstream.h watchdog.h \
--	auto_clnt.h attr_clnt.h sane_connect.h name_code.h
-+	auto_clnt.h attr_clnt.h sane_connect.h name_code.h \
-+	get_port.h sock_addr.h
- TESTSRC	= fifo_open.c fifo_rdwr_bug.c fifo_rdonly_bug.c select_bug.c \
- 	stream_test.c dup2_pass_on_exec.c
- DEFS	= -I. -D$(SYSTYPE)
-@@ -854,6 +856,7 @@
- get_domainname.o: mymalloc.h
- get_domainname.o: get_hostname.h
- get_domainname.o: get_domainname.h
-+get_port.o: sys_defs.h
- get_hostname.o: get_hostname.c
- get_hostname.o: sys_defs.h
- get_hostname.o: mymalloc.h
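Review bot: the added `get_port.o: sys_defs.h` dependency is incomplete compared with the surrounding entries, each of which starts with the object's own source (`get_hostname.o: get_hostname.c`) followed by one line per included header; add `get_port.o: get_port.c` and `get_port.o: get_port.h` (get_port.h is in HDRS in this patch) alongside it, and place the block after the `get_hostname.o` entries so the list stays alphabetical.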
-@@ -975,6 +978,7 @@
- match_list.o: stringops.h
- match_list.o: argv.h
- match_list.o: dict.h
-+match_list.o: inet_util.h
- match_list.o: match_ops.h
- match_list.o: match_list.h
- match_ops.o: match_ops.c
-@@ -1192,6 +1196,8 @@
- skipblanks.o: stringops.h
- skipblanks.o: vstring.h
- skipblanks.o: vbuf.h
-+sock_addr.o: msg.h
-+sock_addr.o: sock_addr.h
- spawn_command.o: spawn_command.c
- spawn_command.o: sys_defs.h
- spawn_command.o: msg.h
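Review bot: the `sock_addr.o` dependencies list only `msg.h` and `sock_addr.h`; the neighbouring entries show the convention (the `.c` itself first, then `sys_defs.h` and each header), so `sock_addr.o: sock_addr.c` and `sock_addr.o: sys_defs.h` are missing, and the sock_addr.c prologue added later in this patch includes more than these two headers. If this section is produced by the Makefile's depend target, regenerating it would be safer than patching individual lines.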
-diff -urNad postfix-release/src/util/match_list.c /tmp/dpep.cXJuVH/postfix-release/src/util/match_list.c
---- postfix-release/src/util/match_list.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/util/match_list.c	2005-02-03 10:22:13.084091335 -0700
-@@ -125,7 +125,7 @@
- 		    list = match_list_parse(list, vstring_str(buf));
- 	    if (vstream_fclose(fp))
- 		msg_fatal("%s: read file %s: %m", myname, pattern);
--	} else if (strchr(pattern, ':') != 0) {	/* type:table */
-+	} else if ((strchr(pattern, ']') == 0) && (strchr(pattern, ':') != 0)) {	/* type:table */
- 	    if (buf == 0)
- 		buf = vstring_alloc(10);
- #define OPEN_FLAGS	O_RDONLY
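Review bot: the new test `(strchr(pattern, ']') == 0) && (strchr(pattern, ':') != 0)` keeps a bracketed IPv6 literal such as `[::1]/128` out of the type:table branch, but an unbracketed literal like `fe80::1` still satisfies the `:` test and is opened as a lookup table of type `fe80`, which fails with a confusing dictionary error; since std_addr_pattern() in this patch requires brackets for IPv6, document that requirement next to this condition, and consider testing for a leading `[` rather than for any `]` in the string.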
-diff -urNad postfix-release/src/util/match_ops.c /tmp/dpep.cXJuVH/postfix-release/src/util/match_ops.c
---- postfix-release/src/util/match_ops.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/util/match_ops.c	2005-02-03 10:22:13.085091112 -0700
-@@ -54,6 +54,15 @@
- /*	IBM T.J. Watson Research
- /*	P.O. Box 704
- /*	Yorktown Heights, NY 10598, USA
-+/*
-+/*	Takahiro Igarashi
-+/*
-+/*	Dean C. Strik
-+/*	Department ICT Services
-+/*	Eindhoven University of Technology
-+/*	P.O. Box 513
-+/*	5600 MB  Eindhoven, Netherlands
-+/*	E-mail: <dean at ipnet6.org>
- /*--*/
- 
- /* System library. */
-@@ -63,6 +72,11 @@
- #include <arpa/inet.h>
- #include <string.h>
- #include <stdlib.h>
-+#include <errno.h>
-+
-+#ifdef INT_MAX_IN_LIMITS_H
-+#include <limits.h>
-+#endif
- 
- #ifdef STRCASECMP_IN_STRINGS_H
- #include <strings.h>
-@@ -75,12 +89,42 @@
- /* Utility library. */
- 
- #include <msg.h>
-+#include <msg_output.h>
- #include <mymalloc.h>
- #include <split_at.h>
- #include <dict.h>
- #include <match_ops.h>
- #include <stringops.h>
- 
-+#define BITS_PER_ADDR_V4	32
-+#define BITS_PER_ADDR_V6	128
-+
-+#ifdef INET6
-+
-+/*
-+ * IPv6-enabled code was written by Takahiro Igarashi and Dean Strik.
-+ */
-+
-+#endif /* INET6 */
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <unistd.h>
-+#include <syslog.h>
-+#include <fcntl.h>
-+#include <sys/socket.h>
-+#include <netinet/in.h>
-+#include <string.h>
-+#include <netdb.h>
-+#include <arpa/inet.h>
-+#include <resolv.h>
-+
-+/* prototypes */
-+static PRINTFLIKE(2,3) void warning_msg(VSTRING *, const char *, ...);
-+#ifdef INET6
-+static int mask_comp(void *, void *, int);
-+#endif /* INET6 */
-+
- /* match_string - match a string literal */
- 
- int     match_string(int unused_flags, const char *string, const char *pattern)
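Review bot: the second include block duplicates headers already included above in this file (`<string.h>`, `<stdlib.h>` and `<arpa/inet.h>` are visible in the context) and adds `<syslog.h>`, `<fcntl.h>`, `<resolv.h>`, `<stdio.h>` and `<unistd.h>` that nothing in the patch uses; trim it to `<sys/socket.h>`, `<netinet/in.h>` and `<netdb.h>`, which the new getaddrinfo()/sockaddr code needs. The `#ifdef INET6 ... #endif` at the top of the block wraps only a comment and can go. Also, the `mask_comp` prototype is guarded by `#ifdef INET6` while its definition later in the patch is unconditional, so non-INET6 builds get a "defined but not used" warning; guard the definition the same way.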
-@@ -177,6 +221,7 @@
-     return (0);
- }
- 
-+#ifndef INET6
- /* match_parse_mask - parse net/mask pattern */
- 
- static int match_parse_mask(const char *pattern, unsigned long *net_bits,
-@@ -185,11 +230,9 @@
-     char   *saved_pattern;
-     char   *mask;
- 
--#define BITS_PER_ADDR	32
--
-     saved_pattern = mystrdup(pattern);
-     if ((mask = split_at(saved_pattern, '/')) != 0) {
--	if (!alldig(mask) || (*mask_shift = atoi(mask)) > BITS_PER_ADDR
-+	if (!alldig(mask) || (*mask_shift = atoi(mask)) > BITS_PER_ADDR_V4
- 	    || (*net_bits = inet_addr(saved_pattern)) == INADDR_NONE) {
- 	    msg_fatal("bad net/mask pattern: %s", pattern);
- 	}
-@@ -198,11 +241,357 @@
-     return (mask != 0);
- }
- 
-+#endif
-+
-+static void PRINTFLIKE(2,3) warning_msg(VSTRING *vp, const char *fmt,...)
-+{
-+    va_list ap;
-+    if (vp) {
-+	va_start(ap, fmt);
-+	vstring_vsprintf(vp, fmt, ap);
-+	va_end(ap);
-+    } else {
-+	va_start(ap, fmt);
-+	msg_vprintf(MSG_WARN, fmt, ap);
-+	va_end(ap);
-+    }
-+}
-+
-+/* v6addr_literal - copy IPv6 literal address from bracketed version */
-+/*                  Supports both plain addresses and addr/plen's    */
-+
-+static char *v6addr_literal(const char *pattern)
-+{
-+    size_t patlen;
-+    char *mypattern, *ptr;
-+
-+    if (pattern == NULL)
-+	msg_panic("v6_addr_literal: called with NULL pattern pointer");
-+    if (msg_verbose > 1)
-+	msg_info("v6addr_literal: input pattern %s", pattern);
-+
-+    patlen = strlen(pattern);
-+
-+    /*
-+     * Note that we allow two different presentation/configuration
-+     * formats for literal IPv6 (address/prefixlen) combinations.
-+     * These are [v6addr]/plen and [v6addr/plen]. The second should
-+     * be avoided and will be deprecated in later Postfix/v6 versions.
-+     */
-+    if (*pattern == '[') {
-+	mypattern = mystrdup(pattern + 1);
-+	if (pattern[patlen - 1] == ']') {
-+	    /*
-+	     * Format: "[v6addr]" or "[v6addr/plen]".
-+	     */
-+	    mypattern[patlen - 2] = '\0';
-+	} else if ((ptr = strchr(mypattern + 1, '/')) != NULL
-+		   && *--ptr == ']') {
-+	    /*
-+	     * Format: "[v6addr]/plen".
-+	     */
-+	    while (*ptr)
-+		ptr++[0] = ptr[1];
-+	}
-+    } else {
-+	mypattern = mystrdup(pattern);
-+    }
-+
-+    if (msg_verbose > 1)
-+	msg_info("v6addr_literal: debracketed to %s", mypattern);
-+
-+    return (mypattern);
-+}
-+
-+/* std_addr_pattern - standardize address pattern */
-+
-+int std_addr_pattern(int flags, const char *pattern,
-+		     ADDR_PATTERN **result, VSTRING *warnings)
-+{
-+    char   *myname = "std_addr_pattern";
-+    ADDR_PATTERN *res;
-+    int     mask;
-+#ifdef INET6
-+    int     pf;
-+    char   *mypattern, *plenp;
-+    int     bits_per_addr, aierr;
-+    struct addrinfo hints, *res0;
-+    struct sockaddr_storage *ss_pattern;
-+
-+    pf = PF_UNSPEC;
-+    *result = NULL;
-+
-+    if (pattern == NULL)
-+	msg_panic("%s: pattern may not be NULL!", myname);
-+
-+    /*
-+     * IPv6 addresses passed as pattern to match_hostaddr should start
-+     * with a bracket '[' and have a ']' closing. This is as specific
-+     * as it can get.
-+     */
-+    mypattern = v6addr_literal(pattern);
-+    if (*pattern == '[') {
-+	pf = PF_INET6;
-+    } else if (!(flags & (MATCH_FLAG_STRICT_ADDR|MATCH_FLAG_NOLOOKUP))) {
-+	/*
-+	 * Return if we find what appears to be a maptype:file entry.
-+	 * It's up to the caller of this function to handle this.
-+	 */
-+	if (strchr(pattern, ':') != NULL) {
-+	    myfree(mypattern);
-+	    return (1);
-+	}
-+    }
-+    plenp = split_at(mypattern, '/');
-+
-+    memset(&hints, 0, sizeof(hints));
-+    hints.ai_family = pf;
-+    hints.ai_socktype = SOCK_STREAM;
-+    hints.ai_flags = AI_NUMERICHOST;
-+    aierr = getaddrinfo(mypattern, NULL, &hints, &res0);
-+    /*
-+     * EAI_NONAME happens when the pattern was not supplied in a
-+     * valid printable form. This is a non-fatal error in strict
-+     * address pattern maps like the CIDR dictionary.
-+     */
-+    if (aierr == EAI_NONAME) {
-+	if (msg_verbose || (flags & MATCH_FLAG_STRICT_ADDR))
-+	    warning_msg(warnings,
-+			"%s: invalid address pattern \"%s\"",
-+			myname, mypattern);
-+	myfree(mypattern);
-+	return (0);
-+    }
-+    if (aierr != 0 && aierr != EAI_NONAME)
-+	msg_fatal("%s: getaddrinfo(%s): %s", myname, mypattern,
-+		  GAI_STRERROR(aierr));
-+    pf = res0->ai_family;
-+    switch (pf) {
-+    case AF_INET:
-+	bits_per_addr = BITS_PER_ADDR_V4;
-+	break;
-+    case AF_INET6:
-+	bits_per_addr = BITS_PER_ADDR_V6;
-+	break;
-+    default:
-+	warning_msg(warnings,
-+		    "%s: unsupported address family %d in lookup result "
-+		    "of \"%s\"", myname, pf, pattern);
-+	freeaddrinfo(res0);
-+	myfree(mypattern);
-+	return (0);
-+    }
-+    ss_pattern = (struct sockaddr_storage *)
-+		 mymalloc(sizeof(struct sockaddr_storage));
-+    memcpy(ss_pattern, (const void *)res0->ai_addr, res0->ai_addrlen);
-+    freeaddrinfo(res0);
-+
-+    if (plenp != NULL) {
-+	/*
-+	 * Split the pattern into an address and a prefix length
-+	 * We explicitly allow "/0"
-+	 */
-+	if (strcmp(plenp, "0")) {
-+	    mask = atoi(plenp);
-+	    if (mask <= 0 || mask > bits_per_addr) {
-+		warning_msg(warnings, "%s: bad net/mask pattern: %s",
-+			    myname, pattern);
-+		myfree(mypattern);
-+		myfree((char *)ss_pattern);
-+		return (0);
-+	    }
-+	} else {
-+	    mask = 0;
-+	}
-+    } else {
-+	/*
-+	 * A single address is considered a prefix with maximum prefix length.
-+	 */
-+	switch (pf) {
-+	    case AF_INET:
-+		mask = BITS_PER_ADDR_V4;
-+		break;
-+	    case AF_INET6:
-+		mask = BITS_PER_ADDR_V6;
-+		break;
-+	    default:
-+		msg_panic("%s: address family %d should not occur here",
-+			  myname, pf);
-+	}
-+    }
-+
-+    if (flags & MATCH_FLAG_NONNULL_HOST) {
-+	/*
-+	 * We require that the host portion of (address/plen) pairs be zero
-+	 * to reduce the impact of configuration errors.
-+	 */
-+	int non_null = 0;
-+
-+	if (mask != 0 && mask != bits_per_addr) {
-+	    int bytesl, bits;
-+	    char *addr = NULL;
-+	    unsigned char ac;
-+
-+	    switch (ss_pattern->ss_family) {
-+	    case AF_INET6:
-+		addr = (char *)(&((struct sockaddr_in6 *)ss_pattern)->sin6_addr);
-+		bits_per_addr = BITS_PER_ADDR_V6;
-+		break;
-+	    case AF_INET:
-+		addr = (char *)(&((struct sockaddr_in *)ss_pattern)->sin_addr);
-+		bits_per_addr = BITS_PER_ADDR_V4;
-+		break;
-+	    default:
-+		msg_panic("%s: address family %d should not occur here",
-+			  myname, pf);
-+	    }
-+	    bytesl = mask / 8;
-+	    bits = (bits_per_addr - mask) % 8;
-+	    if (bytesl == bits_per_addr / 8)
-+		non_null = 1;
-+	    else
-+		ac = addr[bytesl];
-+	    if (bits == 0)
-+		bits = 8;
-+	    if (!non_null && ac != (ac & 0xff << bits))
-+		non_null = 1;
-+	    while (!non_null && ++bytesl < bits_per_addr / 8)
-+		non_null = addr[bytesl] != 0;
-+	}
-+	if (non_null) {
-+	    warning_msg(warnings,
-+			"%s: net/mask pattern \"%s/%s\" "
-+			"with non-null host pattern",
-+			myname, mypattern, plenp);
-+	    myfree(mypattern);
-+	    return (0);
-+	}
-+    }
-+
-+#else /* INET6 */
-+
-+    char *mypattern, *plenp;
-+    int bits;
-+    unsigned long addr, addr0;
-+    struct sockaddr_in *ss_pattern;
-+
-+    *result = NULL;
-+
-+    if (!(flags & MATCH_FLAG_STRICT_ADDR) && strchr(pattern, ':') != 0)
-+	return (1);
-+
-+    mypattern = mystrdup(pattern);
-+    plenp = split_at(mypattern, '/');
-+    if (plenp == NULL) {
-+	bits = BITS_PER_ADDR_V4;
-+    } else {
-+	bits = atoi(plenp);
-+	if (bits <= 0 || bits > BITS_PER_ADDR_V4)
-+	warning_msg(warnings,
-+		    "%s: bad net/mask pattern: %s",
-+		    myname, pattern);
-+	myfree(mypattern);
-+	myfree((char *)ss_pattern);
-+	return (0);
-+    }
-+
-+    addr = inet_addr(mypattern);
-+    addr0 = htonl(0xffffffff << (BITS_PER_ADDR_V4 - bits));
-+    if ((flags & MATCH_FLAG_NONNULL_HOST) && (addr & ~addr0)) {
-+	warning_msg(warnings,
-+		    "%s: net/mask pattern \"%s/%s\" with "
-+		    "non-null host portion",
-+		    myname, mypattern, plenp);
-+	myfree(mypattern);
-+	return (0);
-+    }
-+
-+    /*
-+     * We make a sockaddr_in, but we don't use any of the fields
-+     * except the sin_addr member. Sockaddrs are used to create
-+     * an API that's closer to AF-independence.
-+     */
-+    ss_pattern = (struct sockaddr_in *)mymalloc(sizeof(struct sockaddr_in));
-+    memset(ss_pattern, 0, sizeof(*ss_pattern));
-+    ss_pattern->sin_family = AF_INET;
-+    ss_pattern->sin_addr.s_addr = addr;
-+
-+#endif	/* INET6 */
-+
-+    res = addr_pattern_init();
-+    res->addr = (struct sockaddr *)ss_pattern;
-+    res->masklen = mask;
-+    res->opattern = mystrdup(pattern);
-+    res->pattern = mypattern;
-+    *result = res;
-+
-+    return (1);
-+}
-+
- /* match_hostaddr - match host by address */
- 
-+/* XXX: the IPv4-only version does not yet use std_addr_pattern --dean */
-+
- int     match_hostaddr(int unused_flags, const char *addr, const char *pattern)
- {
-     char   *myname = "match_hostaddr";
-+#ifdef INET6
-+    size_t  patlen;
-+    char   *plenp;
-+    int     aierr, res, ret, mask;
-+    struct addrinfo hints, *res0;
-+    struct sockaddr_storage ss_addr, ss_mask;
-+    ADDR_PATTERN *mask_info;
-+
-+    ret = 0;
-+    if (msg_verbose)
-+	msg_info("%s: %s ~? %s", myname, addr, pattern);
-+
-+    memset(&hints, 0, sizeof(hints));
-+    hints.ai_family = PF_UNSPEC;
-+    hints.ai_socktype = SOCK_STREAM;
-+    hints.ai_flags = AI_NUMERICHOST;
-+    aierr = getaddrinfo(addr, NULL, &hints, &res0);
-+    /*
-+     * The access maps checks run both hostname and address through this.
-+     * E.g. the CIDR map checks both the hostname and address. Checking the
-+     * hostname in a CIDR map will yield no result but may not give an
-+     * EAI_NONAME error since it is correct that the hostname cannot be
-+     * interpreted numerically.
-+     */
-+    if (aierr != 0 && aierr != EAI_NONAME)
-+	msg_fatal("%s: getaddrinfo(%s): %s", myname, addr, GAI_STRERROR(aierr));
-+    memcpy(&ss_addr, (const void *)res0->ai_addr, res0->ai_addrlen);
-+    freeaddrinfo(res0);
-+
-+    res = std_addr_pattern(MATCH_FLAG_NONE, pattern, &mask_info, NULL);
-+    if (mask_info == NULL) {
-+	/*
-+	 * Try dictionary lookup. This can be case insensitive.
-+	 */
-+	if (res && strchr(pattern, ':') != 0) {
-+	    if (dict_lookup(pattern, addr) != NULL)
-+		return 1;
-+	}
-+	return 0;
-+    }
-+    
-+    /*
-+     * Try an exact match with the host address (IPv4 only)
-+     */
-+    if (mask_info->addr->sa_family == AF_INET &&
-+			    strcasecmp(pattern, addr) == 0) {
-+	addr_pattern_free(mask_info);
-+	return 1;
-+    }
-+
-+    res = match_sockaddr((struct sockaddr *)&ss_addr,
-+			 mask_info->addr, mask_info->masklen);
-+    addr_pattern_free(mask_info);
-+    return (res != 0);
-+    
-+
-+#else
-     unsigned int mask_shift;
-     unsigned long mask_bits;
-     unsigned long net_bits;
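Review bot: the non-INET6 branch of std_addr_pattern() is broken: after `if (bits <= 0 || bits > BITS_PER_ADDR_V4)` only the `warning_msg()` call is conditional, so `myfree(mypattern); myfree((char *)ss_pattern); return (0);` run for every pattern that carries a `/plen`, and `ss_pattern` is still uninitialised at that point (it is allocated further down), so this frees a garbage pointer; add braces and drop that free. In the same branch `mask` is never assigned, yet the shared tail stores `res->masklen = mask`, and `addr = inet_addr(mypattern)` is not checked for INADDR_NONE. In the INET6 branch `mask = atoi(plenp)` silently accepts `24abc` where the old match_parse_mask() used `alldig()`; keep that check. The non-null-host rejection path frees `mypattern` but leaks the malloc'd `ss_pattern`. In match_hostaddr(), the comment explains that `aierr == EAI_NONAME` is expected when a hostname is passed, but the code then executes `memcpy(&ss_addr, (const void *)res0->ai_addr, res0->ai_addrlen)` with `res0` unset, so every hostname check through an access map dereferences an uninitialised pointer; on EAI_NONAME skip straight to the dictionary lookup and return 0 otherwise. `patlen`, `plenp`, `mask` and `ss_mask` in that function are unused. Finally, v6addr_literal() evaluates `strchr(mypattern + 1, '/')` for the one-character pattern `[`, reading one byte past the duplicated empty string.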
-@@ -219,7 +608,8 @@
-      * Try dictionary lookup. This can be case insensitive. XXX Probably
-      * should also try again after stripping least significant octets.
-      */
--    if (strchr(pattern, ':') != 0) {
-+    if (strchr(pattern, ':') != 0)
-+    {
- 	if (dict_lookup(pattern, addr) != 0)
- 	    return (1);
- 	if (dict_errno != 0)
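Review bot: moving the opening brace of `if (strchr(pattern, ':') != 0)` onto its own line is a whitespace-only change that departs from the brace style used everywhere else in this file and in the rest of this patch, and it makes the non-INET6 diff noisier than it needs to be; drop it.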
-@@ -238,14 +628,15 @@
-      * In a net/mask pattern, the mask is specified as the number of bits of
-      * the network part.
-      */
-+	    
-     if (match_parse_mask(pattern, &net_bits, &mask_shift)) {
- 	addr_bits = inet_addr(addr);
- 	if (addr_bits == INADDR_NONE)
- 	    msg_fatal("%s: bad address argument: %s", myname, addr);
- 	mask_bits = mask_shift > 0 ?
--	    htonl((0xffffffff) << (BITS_PER_ADDR - mask_shift)) : 0;
-+		htonl((0xffffffff) << (BITS_PER_ADDR_V4 - mask_shift)) : 0;
- 	if ((addr_bits & mask_bits) == net_bits)
--	    return (1);
-+	    return 1;
- 	if (net_bits & ~mask_bits) {
- 	    net_addr.s_addr = (net_bits & mask_bits);
- 	    msg_fatal("net/mask pattern %s has a non-null host portion; "
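Review bot: the `+	    ` line added after the comment is trailing whitespace on an otherwise blank line, and `return (1)` to `return 1` plus the re-indented `htonl(...)` line are style churn unrelated to the IPv6 work; the only substantive edit in this hunk is `BITS_PER_ADDR` to `BITS_PER_ADDR_V4`, so reduce the hunk to that.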
-@@ -254,4 +645,120 @@
- 	}
-     }
-     return (0);
-+#endif
- }
-+
-+int
-+match_sockaddr(const struct sockaddr *addr, const struct sockaddr *mask,
-+	       int masklen)
-+{
-+    /*
-+     * I generally hate to do so, but this function just asks for
-+     * #ifdef INET6... address comparison in the IPv4 only case is
-+     * utterly trivial, completely unlike the mixed AF case.
-+     */
-+#ifdef INET6
-+    if (addr->sa_family == AF_INET) {
-+	if (mask->sa_family == AF_INET6) {
-+	    if (IN6_IS_ADDR_V4MAPPED(
-+			&((struct sockaddr_in6 *)mask)->sin6_addr)) {
-+	        /* IPv4 address but IPv4-mapped-IPv6 netmask... */
-+		if (masklen < 0 || masklen > BITS_PER_ADDR_V4)
-+		    return 0;
-+	        return mask_comp(&((struct sockaddr_in *)addr)->sin_addr.s_addr,
-+		    &((struct sockaddr_in6 *)mask)->sin6_addr.s6_addr[12],
-+		    masklen);
-+	    }
-+	    /* IPv4 address yet IPv6 mask. No match */
-+	    return 0;
-+        }
-+	/* IPv4 address, IPv4 netmask */
-+	if (masklen < 0 || masklen > BITS_PER_ADDR_V4)
-+	    return 0;
-+	return mask_comp(&((struct sockaddr_in *)addr)->sin_addr.s_addr,
-+			 &((struct sockaddr_in *)mask)->sin_addr.s_addr,
-+			 masklen);
-+    } else if (addr->sa_family == AF_INET6) {
-+	/* IPv6 address, IPv6 netmask */
-+	struct sockaddr_in6 *addr6, *mask6;
-+	addr6 = (struct sockaddr_in6 *)addr;
-+	mask6 = (struct sockaddr_in6 *)mask;
-+
-+	if (IN6_IS_ADDR_V4MAPPED(&addr6->sin6_addr)) {
-+	    /* V4-mapped IPv6 address */
-+	    struct sockaddr_in addr4;
-+	    memset(&addr4, 0, sizeof(addr4));
-+#ifdef HAS_SA_LEN
-+	    addr4.sin_len = sizeof(addr4);
-+#endif
-+	    addr4.sin_family = AF_INET;
-+	    memcpy(&addr4.sin_addr.s_addr, &addr6->sin6_addr.s6_addr[12], 4);
-+	    if (masklen > BITS_PER_ADDR_V4 && masklen <= BITS_PER_ADDR_V6)
-+		masklen -= BITS_PER_ADDR_V6 - BITS_PER_ADDR_V4;
-+	    return match_sockaddr((struct sockaddr *)&addr4, mask, masklen);
-+	}
-+	/* True IPv6, finally... */
-+        if (masklen < 0 || masklen > BITS_PER_ADDR_V6)
-+	    return 0;
-+	if (mask->sa_family != AF_INET6 ||
-+		IN6_IS_ADDR_V4MAPPED(&mask6->sin6_addr))
-+	    return 0;
-+#ifdef INET6_KAME
-+	if (IN6_IS_ADDR_SITELOCAL(&addr6->sin6_addr))
-+	    if (!IN6_IS_ADDR_SITELOCAL(&mask6->sin6_addr) ||
-+		    addr6->sin6_scope_id != mask6->sin6_scope_id)
-+		return 0;
-+	if (IN6_IS_ADDR_LINKLOCAL(&addr6->sin6_addr))
-+	    if (!IN6_IS_ADDR_LINKLOCAL(&mask6->sin6_addr) ||
-+		    addr6->sin6_scope_id != mask6->sin6_scope_id)
-+		return 0;
-+#endif
-+	return mask_comp(&addr6->sin6_addr.s6_addr,
-+			 &mask6->sin6_addr.s6_addr,
-+			 masklen);
-+    }
-+    /* Unsupported address family */
-+    return 0;
-+#else /* INET6 */
-+    /*
-+     * Trivial for IPv4...
-+     */
-+    return (addr->sa_family == mask->sa_family &&
-+	    ((struct sockaddr_in *)addr)->sin_addr.s_addr ==
-+	    ((struct sockaddr_in *)mask)->sin_addr.s_addr);
-+#endif /* INET6 */
-+}
-+
-+static int
-+mask_comp(void *addr, void *mask, int masklen)
-+{
-+    int bytes, bit;
-+
-+    bytes = masklen / 8;
-+    bit = 8 - masklen % 8;
-+    if (memcmp(addr, mask, bytes) != 0)
-+	return 0;
-+    if (bit != 8) {
-+	char *a = addr, *b = mask;
-+	if ((a[bytes] & (0xff << bit)) != (b[bytes] & (0xff << bit)))
-+	    return 0;
-+    }
-+    return 1;
-+}
-+
-+ADDR_PATTERN *
-+addr_pattern_init() {
-+    ADDR_PATTERN *p;
-+    p = (ADDR_PATTERN *)mymalloc(sizeof(ADDR_PATTERN));
-+    memset(p, 0, sizeof(ADDR_PATTERN));
-+    return p;
-+}
-+
-+void
-+addr_pattern_free(ADDR_PATTERN *p) {
-+    if (p->addr) myfree((char *)p->addr);
-+    if (p->pattern) myfree(p->pattern);
-+    if (p->opattern) myfree(p->opattern);
-+    myfree((char *)p);
-+}
-+
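Review bot: the `#else /* INET6 */` body of match_sockaddr() ignores `masklen` and compares the two `sin_addr` values for equality, so a `/24` pattern matches only its own network address in a non-INET6 build; the prototype in match_ops.h is unconditional, so any caller gets exact-match semantics there. Reuse mask_comp() instead: `return (addr->sa_family == AF_INET && mask->sa_family == AF_INET && masklen >= 0 && masklen <= BITS_PER_ADDR_V4 && mask_comp(&((struct sockaddr_in *)addr)->sin_addr.s_addr, &((struct sockaddr_in *)mask)->sin_addr.s_addr, masklen));` (and then the definition must not be INET6-only). In mask_comp() the partial-byte compare goes through `char *a, *b`; make them `unsigned char *` so the `& (0xff << bit)` test does not depend on sign extension where char is signed (it is correct today only because the mask fits in the low byte). `addr_pattern_init()` should be declared `(void)` to match its prototype, and neither it, addr_pattern_free() nor match_sockaddr() carries the `/* name - purpose */` comment the rest of the file uses.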
-diff -urNad postfix-release/src/util/match_ops.h /tmp/dpep.cXJuVH/postfix-release/src/util/match_ops.h
---- postfix-release/src/util/match_ops.h	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/util/match_ops.h	2005-02-03 10:22:13.085091112 -0700
-@@ -11,15 +11,40 @@
- /* DESCRIPTION
- /* .nf
- 
-+ /*
-+  * Utility library.
-+  */
-+#include <vstring.h>
-+
-  /* External interface. */
- 
- #define MATCH_FLAG_NONE		0
- #define MATCH_FLAG_PARENT	(1<<0)
--#define MATCH_FLAG_ALL		(MATCH_FLAG_PARENT)
-+#define MATCH_FLAG_STRICT_ADDR	(1<<1)
-+#define MATCH_FLAG_NOLOOKUP	(1<<2)
-+#define MATCH_FLAG_NONNULL_HOST	(1<<3)
-+#define MATCH_FLAG_ALL		(MATCH_FLAG_PARENT | MATCH_FLAG_NOLOOKUP | MATCH_FLAG_NONNULL_HOST)
-+
-+#define GAI_STRERROR(error) \
-+	((error == EAI_SYSTEM) ? strerror(errno) : gai_strerror(error))
-+
-+ /* Data structures. */
-+
-+typedef struct ADDR_PATTERN {
-+    struct sockaddr *addr;		/* pointer to sockaddr(_storage) address */
-+    size_t masklen;			/* prefix length */
-+    char  *pattern;			/* modified pattern */
-+    char  *opattern;			/* original string pattern */
-+} ADDR_PATTERN;
- 
- extern int match_string(int, const char *, const char *);
- extern int match_hostname(int, const char *, const char *);
- extern int match_hostaddr(int, const char *, const char *);
-+extern int std_addr_pattern(int, const char *, ADDR_PATTERN **, VSTRING *);
-+extern int match_sockaddr(const struct sockaddr *, const struct sockaddr *, int);
-+
-+extern ADDR_PATTERN * addr_pattern_init(void);
-+extern void addr_pattern_free(ADDR_PATTERN *);
- 
- /* LICENSE
- /* .ad
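Review bot: the GAI_STRERROR macro added in this hunk expands to errno, strerror(), gai_strerror() and EAI_SYSTEM, but the header only pulls in <vstring.h>, so a translation unit that uses the macro without having included <errno.h>, <string.h> and <netdb.h> first fails to compile; either include them here or say so in a comment beside the macro, and parenthesize the argument as `((error) == EAI_SYSTEM)`. Also worth confirming that leaving MATCH_FLAG_STRICT_ADDR out of the new MATCH_FLAG_ALL value is intended, since the other two new flags are included in it.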
-@@ -30,6 +55,13 @@
- /*	IBM T.J. Watson Research
- /*	P.O. Box 704
- /*	Yorktown Heights, NY 10598, USA
-+/*
-+/*	Dean C. Strik
-+/*	Department ICT Services
-+/*	Eindhoven University of Technology
-+/*	P.O. Box 513
-+/*	5600 MB  Eindhoven, Netherlands
-+/*	E-mail: <dean at ipnet6.org>
- /*--*/
- 
- #endif
-diff -urNad postfix-release/src/util/sock_addr.c /tmp/dpep.cXJuVH/postfix-release/src/util/sock_addr.c
---- postfix-release/src/util/sock_addr.c	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/util/sock_addr.c	2005-02-03 10:22:13.085091112 -0700
-@@ -0,0 +1,169 @@
-+/*++
-+/* NAME
-+/*	sock_addr 3
-+/* SUMMARY
-+/*	sockaddr utilities
-+/* SYNOPSIS
-+/*	#include <sock_addr.h>
-+/*
-+/*	int	sock_addr_cmp_addr(sa, sb)
-+/*	const struct sockaddr *sa;
-+/*	const struct sockaddr *sb;
-+/*
-+/*	int	sock_addr_cmp_port(sa, sb)
-+/*	const struct sockaddr *sa;
-+/*	const struct sockaddr *sb;
-+/*
-+/*	int	SOCK_ADDR_EQ_ADDR(sa, sb)
-+/*	const struct sockaddr *sa;
-+/*	const struct sockaddr *sb;
-+/*
-+/*	int	SOCK_ADDR_EQ_PORT(sa, sb)
-+/*	const struct sockaddr *sa;
-+/*	const struct sockaddr *sb;
-+/*
-+/*	int	sock_addr_in_loopback(sa)
-+/*	const struct sockaddr *sa;
-+/* AUXILIARY MACROS
-+/*	struct sockaddr *SOCK_ADDR_PTR(ptr)
-+/*	unsigned char SOCK_ADDR_FAMILY(ptr)
-+/*	unsigned char SOCK_ADDR_LEN(ptr)
-+/*
-+/*	struct sockaddr_in *SOCK_ADDR_IN_PTR(ptr)
-+/*	unsigned char SOCK_ADDR_IN_FAMILY(ptr)
-+/*	unsigned short SOCK_ADDR_IN_PORT(ptr)
-+/*	struct in_addr SOCK_ADDR_IN_ADDR(ptr)
-+/*	struct in_addr IN_ADDR(ptr)
-+/*
-+/*	struct sockaddr_in6 *SOCK_ADDR_IN6_PTR(ptr)
-+/*	unsigned char SOCK_ADDR_IN6_FAMILY(ptr)
-+/*	unsigned short SOCK_ADDR_IN6_PORT(ptr)
-+/*	struct in6_addr SOCK_ADDR_IN6_ADDR(ptr)
-+/*	struct in6_addr IN6_ADDR(ptr)
-+/* DESCRIPTION
-+/*	These utilities take protocol-independent address structures
-+/*	and perform protocol-dependent operations on structure members.
-+/*	Some of the macros described here are called unsafe,
-+/*	because they evaluate one or more arguments multiple times.
-+/*
-+/*	sock_addr_cmp_addr() or sock_addr_cmp_port() compare the
-+/*	address family and network address or port fields for
-+/*	equality, and return indication of the difference between
-+/*	their arguments:  < 0 if the first argument is "smaller",
-+/*	0 for equality, and > 0 if the first argument is "larger".
-+/*
-+/*	The unsafe macros SOCK_ADDR_EQ_ADDR() or SOCK_ADDR_EQ_PORT()
-+/*	compare compare the address family and network address or
-+/*	port fields for equality, and return non-zero when their
-+/*	arguments differ.
-+/*
-+/*	sock_addr_in_loopback() determines if the argument specifies
-+/*	a loopback address.
-+/*
-+/*	The SOCK_ADDR_PTR() macro casts a generic pointer to (struct
-+/*	sockaddr *).  The name is upper case for consistency not
-+/*	safety.  SOCK_ADDR_FAMILY() and SOCK_ADDR_LEN() return the
-+/*	address family and length of the real structure that hides
-+/*	inside a generic sockaddr structure. On systems where struct
-+/*	sockaddr has no sa_len member, SOCK_ADDR_LEN() cannot be
-+/*	used as lvalue.
-+/*
-+/*	The macros SOCK_ADDR_IN{,6}_{PTR,FAMILY,PORT,ADDR}() cast
-+/*	a generic pointer to a specific socket address structure
-+/*	pointer, or access a specific socket address structure
-+/*	member. These can be used as lvalues.
-+/*
-+/*	The unsafe INADDR() and IN6_ADDR() macros dereference a
-+/*	generic pointer to a specific address structure.
-+/* DIAGNOSTICS
-+/*	Panic: unsupported address family.
-+/* LICENSE
-+/* .ad
-+/* .fi
-+/*	The Secure Mailer license must be distributed with this software.
-+/* AUTHOR(S)
-+/*	Wietse Venema
-+/*	IBM T.J. Watson Research
-+/*	P.O. Box 704
-+/*	Yorktown Heights, NY 10598, USA
-+/*--*/
-+
-+/* System library. */
-+
-+#include <sys_defs.h>
-+#include <sys/socket.h>
-+#include <netinet/in.h>
-+#include <string.h>
-+
-+/* Utility library. */
-+
-+#include <msg.h>
-+#include <sock_addr.h>
-+
-+/* sock_addr_cmp_addr - compare addresses for equality */
-+
-+int     sock_addr_cmp_addr(const struct sockaddr * sa,
-+			           const struct sockaddr * sb)
-+{
-+    if (sa->sa_family != sb->sa_family)
-+	return (sa->sa_family - sb->sa_family);
-+
-+    /*
-+     * With IPv6 address structures, assume a non-hostile implementation that
-+     * stores the address as a contiguous sequence of bits. Any holes in the
-+     * sequence would invalidate the use of memcmp().
-+     */
-+    if (sa->sa_family == AF_INET) {
-+	return (SOCK_ADDR_IN_ADDR(sa).s_addr - SOCK_ADDR_IN_ADDR(sb).s_addr);
-+#ifdef INET6
-+    } else if (sa->sa_family == AF_INET6) {
-+	return (memcmp((char *) &(SOCK_ADDR_IN6_ADDR(sa)),
-+		       (char *) &(SOCK_ADDR_IN6_ADDR(sb)),
-+		       sizeof(SOCK_ADDR_IN6_ADDR(sa))));
-+#endif
-+    } else {
-+	msg_panic("sock_addr_cmp_addr: unsupported address family %d",
-+		  sa->sa_family);
-+    }
-+}
-+
-+/* sock_addr_cmp_port - compare ports for equality */
-+
-+int     sock_addr_cmp_port(const struct sockaddr * sa,
-+			           const struct sockaddr * sb)
-+{
-+    if (sa->sa_family != sb->sa_family)
-+	return (sa->sa_family - sb->sa_family);
-+
-+    if (sa->sa_family == AF_INET) {
-+	return (SOCK_ADDR_IN_PORT(sa) - SOCK_ADDR_IN_PORT(sb));
-+#ifdef INET6
-+    } else if (sa->sa_family == AF_INET6) {
-+	return (SOCK_ADDR_IN6_PORT(sa) - SOCK_ADDR_IN6_PORT(sb));
-+#endif
-+    } else {
-+	msg_panic("sock_addr_cmp_port: unsupported address family %d",
-+		  sa->sa_family);
-+    }
-+}
-+
-+/* sock_addr_in_loopback - determine if address is loopback */
-+
-+int sock_addr_in_loopback(const struct sockaddr * sa)
-+{
-+    unsigned long inaddr;
-+
-+    if (sa->sa_family == AF_INET) {
-+	inaddr = ntohl(SOCK_ADDR_IN_ADDR(sa).s_addr);
-+	return (IN_CLASSA(inaddr)
-+		&& ((inaddr & IN_CLASSA_NET) >> IN_CLASSA_NSHIFT)
-+		== IN_LOOPBACKNET);
-+#ifdef INET6
-+    } else if (sa->sa_family == AF_INET6) {
-+	return (IN6_IS_ADDR_LOOPBACK(&SOCK_ADDR_IN6_ADDR(sa)));
-+#endif
-+    } else {
-+	msg_panic("sock_addr_in_loopback: unsupported address family %d",
-+		  sa->sa_family);
-+    }
-+}
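Review bot: sock_addr_cmp_addr() does not deliver the `< 0` / `> 0` ordering the DESCRIPTION promises: `SOCK_ADDR_IN_ADDR(sa).s_addr - SOCK_ADDR_IN_ADDR(sb).s_addr` subtracts two unsigned 32-bit values in network byte order, and the wrapped difference converted to int can have either sign, so only the zero/non-zero (equality) outcome is reliable. If callers need ordering, compare with explicit `<` / `>` and return -1/0/1; otherwise narrow the DESCRIPTION to equality. The unsupported-family branches of all three functions end with msg_panic() and no return statement, which compilers that do not know msg_panic() is noreturn report as falling off the end of a non-void function. In the DESCRIPTION text, "compare compare" is doubled, the macros are described as returning non-zero when the arguments differ whereas SOCK_ADDR_EQ_ADDR()/SOCK_ADDR_EQ_PORT() evaluate to non-zero when they are equal, and "INADDR()" should read IN_ADDR() to match the header.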
-diff -urNad postfix-release/src/util/sock_addr.h /tmp/dpep.cXJuVH/postfix-release/src/util/sock_addr.h
---- postfix-release/src/util/sock_addr.h	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/util/sock_addr.h	2005-02-03 10:22:13.085091112 -0700
-@@ -0,0 +1,95 @@
-+#ifndef _SOCK_ADDR_EQ_H_INCLUDED_
-+#define _SOCK_ADDR_EQ_H_INCLUDED_
-+
-+/*++
-+/* NAME
-+/*	sock_addr 3h
-+/* SUMMARY
-+/*	socket address utilities
-+/* SYNOPSIS
-+/*	#include <sock_addr.h>
-+/* DESCRIPTION
-+/* .nf
-+
-+ /*
-+  * System library.
-+  */
-+#include <sys/socket.h>
-+#include <netinet/in.h>
-+#include <string.h>
-+
-+ /*
-+  * External interface.
-+  */
-+#define SOCK_ADDR_PTR(ptr)	((struct sockaddr *)(ptr))
-+#define SOCK_ADDR_FAMILY(ptr)	SOCK_ADDR_PTR(ptr)->sa_family
-+#ifdef HAS_SA_LEN
-+#define SOCK_ADDR_LEN(ptr)	SOCK_ADDR_PTR(ptr)->sa_len
-+#endif
-+
-+#define SOCK_ADDR_IN_PTR(sa)	((struct sockaddr_in *)(sa))
-+#define SOCK_ADDR_IN_FAMILY(sa)	SOCK_ADDR_IN_PTR(sa)->sin_family
-+#define SOCK_ADDR_IN_PORT(sa)	SOCK_ADDR_IN_PTR(sa)->sin_port
-+#define SOCK_ADDR_IN_ADDR(sa)	SOCK_ADDR_IN_PTR(sa)->sin_addr
-+#define IN_ADDR(ia)		(*((struct in_addr *) (ia)))
-+
-+extern int sock_addr_cmp_addr(const struct sockaddr *, const struct sockaddr *);
-+extern int sock_addr_cmp_port(const struct sockaddr *, const struct sockaddr *);
-+extern int sock_addr_in_loopback(const struct sockaddr *);
-+
-+#ifdef INET6
-+
-+#ifndef HAS_SA_LEN
-+#define SOCK_ADDR_LEN(sa) \
-+    (SOCK_ADDR_PTR(sa)->sa_family == AF_INET6 ? \
-+     sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in))
-+#endif
-+
-+#define SOCK_ADDR_IN6_PTR(sa)	((struct sockaddr_in6 *)(sa))
-+#define SOCK_ADDR_IN6_FAMILY(sa) SOCK_ADDR_IN6_PTR(sa)->sin6_family
-+#define SOCK_ADDR_IN6_PORT(sa)	SOCK_ADDR_IN6_PTR(sa)->sin6_port
-+#define SOCK_ADDR_IN6_ADDR(sa)	SOCK_ADDR_IN6_PTR(sa)->sin6_addr
-+#define IN6_ADDR(ia)		(*((struct in6_addr *) (ia)))
-+
-+#define SOCK_ADDR_EQ_ADDR(sa, sb) \
-+    ((SOCK_ADDR_FAMILY(sa) == AF_INET && SOCK_ADDR_FAMILY(sb) == AF_INET \
-+      && SOCK_ADDR_IN_ADDR(sa).s_addr == SOCK_ADDR_IN_ADDR(sb).s_addr) \
-+     || (SOCK_ADDR_FAMILY(sa) == AF_INET6 && SOCK_ADDR_FAMILY(sb) == AF_INET6 \
-+         && memcmp((char *) &(SOCK_ADDR_IN6_ADDR(sa)), \
-+                   (char *) &(SOCK_ADDR_IN6_ADDR(sb)), \
-+                   sizeof(SOCK_ADDR_IN6_ADDR(sa))) == 0))
-+
-+#define SOCK_ADDR_EQ_PORT(sa, sb) \
-+    ((SOCK_ADDR_FAMILY(sa) == AF_INET && SOCK_ADDR_FAMILY(sb) == AF_INET \
-+      && SOCK_ADDR_IN_PORT(sa) == SOCK_ADDR_IN_PORT(sb)) \
-+     || (SOCK_ADDR_FAMILY(sa) == AF_INET6 && SOCK_ADDR_FAMILY(sb) == AF_INET6 \
-+         && SOCK_ADDR_IN6_PORT(sa) == SOCK_ADDR_IN6_PORT(sb)))
-+
-+#else
-+
-+#ifndef HAS_SA_LEN
-+#define SOCK_ADDR_LEN(sa)	sizeof(struct sockaddr_in)
-+#endif
-+
-+#define SOCK_ADDR_EQ_ADDR(sa, sb) \
-+    (SOCK_ADDR_FAMILY(sa) == AF_INET && SOCK_ADDR_FAMILY(sb) == AF_INET \
-+     && SOCK_ADDR_IN_ADDR(sa).s_addr == SOCK_ADDR_IN_ADDR(sb).s_addr)
-+
-+#define SOCK_ADDR_EQ_PORT(sa, sb) \
-+    (SOCK_ADDR_FAMILY(sa) == AF_INET && SOCK_ADDR_FAMILY(sb) == AF_INET \
-+     && SOCK_ADDR_IN_PORT(sa) == SOCK_ADDR_IN_PORT(sb))
-+
-+#endif
-+
-+/* LICENSE
-+/* .ad
-+/* .fi
-+/*	The Secure Mailer license must be distributed with this software.
-+/* AUTHOR(S)
-+/*	Wietse Venema
-+/*	IBM T.J. Watson Research
-+/*	P.O. Box 704
-+/*	Yorktown Heights, NY 10598, USA
-+/*--*/
-+
-+#endif
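Review bot: the include guard `_SOCK_ADDR_EQ_H_INCLUDED_` does not match the file name sock_addr.h; rename it to _SOCK_ADDR_H_INCLUDED_ in line with the other util headers. The header also depends on HAS_SA_LEN and INET6 being defined before it is included (they come from sys_defs.h), so the non-HAS_SA_LEN SOCK_ADDR_LEN() fallback is only correct when sys_defs.h is included first; a comment at the top would make that explicit. Note that SOCK_ADDR_EQ_ADDR() and SOCK_ADDR_EQ_PORT() quietly evaluate to false for an address family they do not handle, whereas the sock_addr_cmp_*() functions panic; one sentence in the DESCRIPTION pointing out that difference would help callers choose.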
-diff -urNad postfix-release/src/util/sys_defs.h /tmp/dpep.cXJuVH/postfix-release/src/util/sys_defs.h
---- postfix-release/src/util/sys_defs.h	2005-02-03 10:22:12.228282230 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/util/sys_defs.h	2005-02-03 10:22:13.086090889 -0700
-@@ -108,6 +108,14 @@
- #define SOCKOPT_SIZE	socklen_t
- #endif
- 
-+#if !defined(NOGETIFADDRS) && ( \
-+    (defined(__NetBSD_Version__) && __NetBSD_Version__ >= 105000000) \
-+    || (defined(__FreeBSD__) && __FreeBSD__ >= 4) \
-+    || (defined(OpenBSD) && OpenBSD >= 200003) \
-+    || defined(USAGI_LIBINET6))
-+#define HAVE_GETIFADDRS
-+#endif
-+
-  /*
-   * UNIX on MAC.
-   */
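Review bot: the new feature macro is spelled HAVE_GETIFADDRS while the rest of this file, and the other macros this patch adds (HAS_SA_LEN, HAS_SIOCGLIF, HAS_PROCNET_IFINET6), use the HAS_ prefix; rename it to HAS_GETIFADDRS for consistency. The version test only enables it for NetBSD, FreeBSD, OpenBSD and USAGI; other platforms that provide getifaddrs() are not detected, so if that is deliberate a comment saying how they opt in would help.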
-@@ -293,6 +301,7 @@
- #define FIONREAD_IN_SYS_FILIO_H
- #define USE_STATVFS
- #define STATVFS_IN_SYS_STATVFS_H
-+#define INT_MAX_IN_LIMITS_H
- #define STREAM_CONNECTIONS		/* avoid UNIX-domain sockets */
- #define LOCAL_LISTEN	stream_listen
- #define LOCAL_ACCEPT	stream_accept
-@@ -300,6 +309,9 @@
- #define LOCAL_TRIGGER	stream_trigger
- #define HAS_VOLATILE_LOCKS
- #define BROKEN_READ_SELECT_ON_TCP_SOCKET
-+#ifdef INET6
-+#define HAS_SIOCGLIF
-+#endif
- 
- /*
-  * Allow build environment to override paths.
-@@ -573,6 +585,10 @@
- #define SOCKADDR_SIZE	socklen_t
- #define SOCKOPT_SIZE	socklen_t
- #endif
-+#ifdef INET6
-+#define HAS_PROCNET_IFINET6
-+#define _PATH_PROCNET_IFINET6 "/proc/net/if_inet6"
-+#endif
- #endif
- 
- #ifdef LINUX1
-@@ -601,6 +617,10 @@
- #define NATIVE_NEWALIAS_PATH "/usr/bin/newaliases"
- #define NATIVE_COMMAND_DIR "/usr/sbin"
- #define NATIVE_DAEMON_DIR "/usr/libexec/postfix"
-+#ifdef INET6
-+#define HAS_PROCNET_IFINET6
-+#define _PATH_PROCNET_IFINET6 "/proc/net/if_inet6"
-+#endif
- #endif
- 
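Review bot: the INET6 block defining HAS_PROCNET_IFINET6 and _PATH_PROCNET_IFINET6 is repeated verbatim in the section preceding `#ifdef LINUX1` and in this LINUX1 hunk; hoist it into a single block guarded on both Linux variants so the two copies cannot drift apart. `_PATH_PROCNET_IFINET6` also begins with an underscore and an upper-case letter, a namespace reserved for the implementation, even though it follows the _PATH_ convention of <paths.h>; a short comment acknowledging that choice would pre-empt the question.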
-  /*
-diff -urNad postfix-release/src/util/valid_hostname.c /tmp/dpep.cXJuVH/postfix-release/src/util/valid_hostname.c
---- postfix-release/src/util/valid_hostname.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/util/valid_hostname.c	2005-02-03 10:22:13.086090889 -0700
-@@ -53,6 +53,13 @@
- #include <string.h>
- #include <ctype.h>
- 
-+#ifdef INET6
-+#include <netinet/in.h>
-+#include <sys/socket.h>
-+#include <arpa/inet.h>
-+#include <netdb.h>
-+#endif
-+
- /* Utility library. */
- 
- #include "msg.h"
-@@ -109,7 +116,23 @@
- 		    msg_warn("%s: misplaced hyphen: %.100s", myname, name);
- 		return (0);
- 	    }
--	} else {
-+	}
-+#ifdef INET6
-+	else if (ch == ':') {
-+	    struct addrinfo hints, *res;
-+
-+	    memset(&hints, 0, sizeof(hints));
-+	    hints.ai_family = AF_INET6;
-+	    hints.ai_socktype = SOCK_STREAM;	/*dummy*/
-+	    hints.ai_flags = AI_NUMERICHOST;
-+	    if (getaddrinfo(name, "0", &hints, &res) == 0) {
-+		freeaddrinfo(res);
-+		return 1;
-+	    } else
-+		return 0;
-+	}
-+#endif
-+	else {
- 	    if (gripe)
- 		msg_warn("%s: invalid character %d(decimal): %.100s",
- 			 myname, ch, name);
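Review bot: the new `else if (ch == ':')` branch returns 0 without calling msg_warn() when getaddrinfo() rejects the string, unlike the neighbouring branches that report the reason when `gripe` is set, so a caller asking for diagnostics gets silence for a malformed IPv6 literal; add a gripe message for symmetry. The branch also runs getaddrinfo() on the whole name from inside the per-character loop, after earlier characters have already been validated as hostname characters; moving the numeric-address check before the loop would keep valid_hostname() from applying two different validations to one string. Finally, accepting a bare IPv6 literal from valid_hostname() widens what callers that only expect hostnames will accept; that change in contract belongs in the function's description.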
-@@ -131,6 +154,12 @@
-     return (1);
- }
- 
-+#ifdef INET6_KAME
-+#define INET6_ADDR_PRES_CHARS ":./0123456789abcdefABCDEF%"
-+#else
-+#define INET6_ADDR_PRES_CHARS ":./0123456789abcdefABCDEF"
-+#endif
-+
- /* valid_hostaddr - test dotted quad string for correctness */
- 
- int     valid_hostaddr(const char *addr, int gripe)
-@@ -141,6 +170,9 @@
-     int     byte_count = 0;
-     int     byte_val = 0;
-     int     ch;
-+#ifdef INET6
-+    struct addrinfo hints, *res;
-+#endif
- 
- #define BYTES_NEEDED	4
- 
-@@ -153,11 +185,22 @@
- 	return (0);
-     }
- 
-+#ifdef INET6
-+    memset(&hints, 0, sizeof(hints));
-+    hints.ai_family = AF_INET6;
-+    hints.ai_socktype = SOCK_STREAM;	/*dummy*/
-+    hints.ai_flags = AI_NUMERICHOST;
-+    if (getaddrinfo(addr, "0", &hints, &res) == 0) {
-+	freeaddrinfo(res);
-+	return 1;
-+    }
-+#endif
-+
-     /*
-      * Preliminary IPV6 support.
-      */
-     if (strchr(addr, ':')) {
--	if (*(cp = addr + strspn(addr, ":./0123456789abcdefABCDEF")) != 0) {
-+	if (*(cp = addr + strspn(addr, INET6_ADDR_PRES_CHARS)) != 0) {
- 	    if (gripe)
- 		msg_warn("%s: invalid character %d(decimal): %.100s",
- 			 myname, *cp, addr);
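Review bot: the early `getaddrinfo(addr, "0", &hints, &res) == 0` return accepts whatever the resolver library treats as a numeric IPv6 address, including scoped forms with a `%ifname` suffix on platforms that support them, regardless of INET6_KAME; the INET6_ADDR_PRES_CHARS check further down is therefore only reached for strings getaddrinfo() has already rejected, and the KAME/non-KAME distinction only changes the diagnostic. Either drop the character-class path when INET6 is defined or state the accepted syntax in the function comment. The `/*dummy*/` annotation on `hints.ai_socktype = SOCK_STREAM` should say why a socket type is set at all (it constrains what getaddrinfo() returns), since the result is discarded.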
-diff -urNad postfix-release/tls/ACKNOWLEDGEMENTS /tmp/dpep.cXJuVH/postfix-release/tls/ACKNOWLEDGEMENTS
---- postfix-release/tls/ACKNOWLEDGEMENTS	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/tls/ACKNOWLEDGEMENTS	2005-02-03 10:22:13.087090666 -0700
-@@ -0,0 +1,56 @@
-+- Walcir Fontanini <walcir at densis.fee.unicamp.br>
-+  * tested on Solaris 2.5 and and reported missing "snprintf()"
-+    -> was fixed in pfixtls-0.1.2
-+  * contributed the script to add fingerprints
-+	contributed/fp.csh
-+
-+- Matti Aarnio <matti.aarnio at sonera.fi> (www.zmailer.org)
-+  * updated pfixtls_dump to need fewer strcat and strcpy calls.
-+
-+- Cerebus <cerebus at sackheads.org>
-+  * Missing variable initialization in client mode enable STARTTLS
-+    negotiation even when not wanted.
-+    -> fixed in pfixtls-0.2.8 
-+
-+- Bodo Moeller <bode at openssl.org>
-+  * The SSL connection was not shut down at the end of the session, because
-+    SSL_CTX_set_quiet_shutdown() was set. This however did not mean "do a
-+    quiet shutdown" but "do not shutdown SSL".
-+    -> fixed in pfixtls-0.3.3
-+
-+- Jeff Johnson <jeff at websitefactory.net>
-+  * noted that the patch code will not compile with SSL disabled anymore,
-+    because a ´#ifdef HAS_SSL #endif´ encapsulation was missing in
-+    smtp/smtp_connect.c. This must have been in since the very beginning
-+    of client mode support (0.2.x).
-+    -> fixed in 0.3.6
-+
-+- Craig Sanders <craig at taz.net.au>
-+  * noted that the Received: header does not contain sufficient information
-+    whether a client certificate was not requested or not presented.
-+    He also reminded me that the session cache must be cleared when
-+    experimenting with the setup and certificates, what is not explained
-+    in the documenation.
-+    -> fixed in 0.4.4
-+
-+- Claus Assmann <ca+tls at esmtp.org>
-+  * pointed out that the Received: header logging about the TLS state violated
-+    RFC822. The TLS information must be in comment form "(info)".
-+    -> fixed in 0.6.3
-+
-+- Wietse Venema <wietse at porcupine.org>
-+  * uncounted important suggestions to start the integration into the Postfix
-+    mainstream code.
-+  * code adjustments in the dict_*() database code to allow easier inclusion
-+    and use for session caching, and this is only the beginning :-)
-+    -> started reprogramming Postfix/TLS to fit both Wietse's and my
-+       requirements as of 0.6.0
-+
-+- Damien Miller <djm at mindrot.org>
-+  * Found mismatch between documentation and code with regard to logging.
-+    -> fixed in 0.6.6
-+
-+- Deti Fliegl <fliegl at cs.tum.edu>
-+  * Provided an initial patch to support SubjectAlternativeName/dNSName
-+    checks.
-+    -> added in 0.8.14
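Review bot: two typos in the added text: "tested on Solaris 2.5 and and reported" doubles "and", and "not explained in the documenation" should read "documentation".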
-diff -urNad postfix-release/tls/CHANGES /tmp/dpep.cXJuVH/postfix-release/tls/CHANGES
---- postfix-release/tls/CHANGES	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/tls/CHANGES	2005-02-03 10:22:13.091089774 -0700
-@@ -0,0 +1,2401 @@
-+2004/04/27	= Re-release 0.8.18 ==
-+
-+2004/04/27
-+  - Postfix 2.1.0 has been released. Some minor patch conflicts with respect
-+    to the actual code and build environment.
-+  - Due to the restructuring of the documentation the old sample-*.cf
-+    files are no longer available.
-+    Took documentation already adopted by Wietse for the 2.1-RC2-IPV6+TLS
-+    snapshot.
-+
-+2004/02/09	== Re-release 0.8.18 ==
-+
-+2004/02/09
-+  - Postfix 2.0.18-20040205 is available, patchkit applies without
-+    problems.
-+
-+2004/02/02	== Release 0.8.18 ==
-+
-+2004/02/02
-+  - Incorporated Luca Berra's information into the patchkit and ran tests
-+    with my own versions.
-+
-+2004/02/01
-+  - Reports about server side SMTP failure with Carsten's patch can be
-+    found on postfix-users.
-+    'Luca Berra' <bluca at comedia.it> informs, that he discoverd another
-+    failure of the GNU patch program with a misplaced patch hunk in
-+    smtpd.c
-+
-+2004/01/30
-+  - Edited in additional #ifdef USE_SSL conditionals. If the TLS patch
-+    is applied but not activated (USE_SSL is not defined), a warning is
-+    printed as soon as TLS shall be used.
-+
-+2004/01/23
-+  - Postfix 2.0.18-20040122 is now available. Several patch conflicts occur.
-+    Even more: one hunk of the patch (which is provided in unified diff)
-+    fails in smtp.c and causes a segmentation violation.
-+    Carsten Hoeger <choeger at suse.de> provides an adapted patch kit.
-+
-+2004/01/02	== Released 0.8.17 ==
-+
-+2004/01/02
-+  - Postfix-2.0.16-20031231 is released. No patch conflicts.
-+  - Changed autoresponder for TLS tests to "The Postfix Book" echo
-+    responder (provided by Patrick Koetter and Ralf Hildebrandt).
-+
-+2003/12/30
-+  - Postfix-2.0.16-20031226 is released. No patch conflicts.
-+
-+2003/12/26
-+  - Postfix-2.0.16-20031224 is released. Resolved patch conflicts.
-+
-+2003/12/16
-+  - Postfix-2.0.16-20031215 is released. Resolved patch conflicts.
-+  - src/global/pfixtls.c: changed occurance of "ssize_t" to "size_t"
-+    as some quite old operating systems do no have ssize_t
-+    (Reported by Klaus Jaehne <kj at uue.org> for SunOS 4.1.4).
-+  - src/global/pfixtls.c: both the client and the server engine did
-+    print out messages even when tls_loglevel was set to 0 (reported
-+    by Florian Effenberger <florian at effenberger.org>): evaluate loglevel
-+    before printing any message.
-+
-+2003/11/17	== Re-released 0.8.16 ==
-+
-+2003/11/17
-+  - Postfix 2.0.16-20031113 is released. Some minor patch conflicts.
-+
-+2003/10/27	== Re-released 0.8.16 ==
-+
-+2003/10/24
-+  - Postfix 2.0.16-20031022 is released. Some minor patch conflicts.
-+
-+2003/09/23	== Re-released 0.8.16 ==
-+
-+2003/09/23
-+  - Postfix 2.0.16 and 2.0.16-20030921 are now available.
-+    Resolved some minor patch conflicts.
-+
-+2003/09/10	== Released 0.8.16 ==
-+
-+2003/09/09
-+  - Postfix 2.0.15 has been released including another workaround for
-+    select() on Solaris problems. It contains additional code to catch
-+    EAGAIN on read() in the timed_read() routine (and the respective
-+    precautions in timed_write()
-+  - Note: this fix is not yet part of Postfix 2.0.14-20030812.
-+  - Added corresponding code to pfixtls_timed_read()/_write().
-+  - Changed SSL wrappermode behaviour: use smtpd_sasl_tls_security_options
-+    instead of smtpd_sasl_security_options as is to be expected because TLS
-+    is active. (Bug reported by Bob Snyder <rsnyder at toontown.erial.nj.us>.)
-+
-+2003/08/29      == Re-released 0.8.15 ==
-+
-+2003/08/29
-+  - Adapted patchkit to Postfix 2.0.14. No patch conflicts.
-+
-+2003/07/17	== Re-released 0.8.15a (-20030715 only) ==
-+
-+2003/07/16
-+  - Experimental version Postfix 2.0.14-20030715 is released, including
-+    the SASL changes. Resolved some minor patch conflicts.
-+
-+2003/07/11	== Released 0.8.15a (-20030706 only) ==
-+
-+2003/07/11
-+  - Received error report about about TLS failing with the new smtpd_proxy
-+    feature including instructions on how to reproduce.
-+    (Did receive an earlier report on 2003/07/09, that however indicated other
-+    setup problems, so that the actual problem was not visible.)
-+  - Analysis: when introducing the new smtpd_proxy feature, different mechnisms
-+    where introduced to either write to the cleanup daemon (as before) or to
-+    the smtpd_proxy connection. Functions and streams are now expressed in
-+    out_fprintf() function pointers etc. being assigned accordingly.
-+    When updating to 0.8.15/2.0.13-20030706 this change was missed and the
-+    routine adding the TLS information to the Received: headers did use the
-+    older rec_fprintf() functions etc. This did work fine for the traditional
-+    connection to the cleanup service, but naturally failed for smtpd_proxy
-+    (with a segmentation violation).
-+    Solution: access out_stream via the according pointers.
-+  - The 2.0.13 stable version is not affected.
-+
-+2003/07/08	== Released 0.8.15 ==
-+
-+2003/07/07
-+  - Postfix 2.0.13 and 2.0.13-20030706 are released.
-+    Patchkit for 2.0.13 applies cleanly.
-+    Patchkit for 2.0.13-20030607 requires several adaptations (patch conflicts,
-+    no functional changes).
-+  - Slightly modified SASL interface code (smpt[d]_sasl_glue layer) to
-+    allow setting the security policy during session setup instead of
-+    process start. This allows to actually choose SASL mechanisms available
-+    depending on the availability of TLS encryption and authentication.
-+    New parameters: smtpd_sasl_tls_security_options,
-+    smtp_sasl_tls_security_options, smtp_sasl_tls_verified_security_options
-+  - Submitted change to SASL interface to Wietse, who accepted the change
-+    as part of the Snapshot line.
-+
-+2003/06/19	== Released 0.8.14 ==
-+
-+2003/06/19
-+  - Add support for SubjectAlternativeName "dNSName" entries in certificate
-+    checking (applies for client mode only).
-+    If the client connects to the server, it does check the list of dNSName
-+    entries against the expected hostname (therefore allowing the server to
-+    have multiple identities). As described in RFC2818 (HTTP over TLS),
-+    CommonName (CN) entries are only checked, if no dNSName entries are found
-+    at all.
-+    Initial patch proposed by Deti Fliegl <fliegl at cs.tum.edu>, reworked to
-+    follow the RFC2818 rules and some cleanup.
-+
-+2003/06/18
-+  - Checked out similar settings, found another missing entry:
-+    var_smtp_scert_vd was missing src/smtp/smtp.c.
-+  - Renamed HAS_SSL to USE_SSL for compilation (have to use -DUSE_SSL
-+    in the future). Currently pfixtls.h will take care of setting
-+    USE_SSL, when HAS_SSL has been defined.
-+
-+2003/06/17
-+  - Received bug reports about Postfix/TLS failing (connection closing)
-+    after having finished the "STARTTLS"/"220 Ready to start TLS"
-+    dialogue. (Actually the first report came in via private mail on
-+    2003/06/12, but the information was too diffuse to track down).
-+    Tracking down became possible after it became clear, that only Solaris
-+    systems are affected.
-+    Analysis:
-+    * As of 2003/06/09 postfix uses non-blocking socket I/O for the SMTP
-+      connection on Solaris platforms. This requires using "select()" style
-+      waiting before read() or write() access (which are not prepared EAGAIN
-+      or EWOULDBLOCK in the Postfix case and therefore indicate error).
-+    * As the var_smtpd_starttls_tmout variable is not correctly initialized
-+      (value is 0), the select() style function is not called, therefore
-+      read() fails with EAGAIN and the connection is closed due to a
-+      presumed error condition.
-+    * The initialization of the variable should be done in the time_table[]
-+      list during main().
-+      The entry however was lost during the patch adaptation from 0.7.13e
-+      to 0.7.14-snap20020107 on 2002/01/07.
-+    Impact:
-+    * On Solaris systems, STARTTLS fails during handshake (server only).
-+    * On other systems, the TLS negotiation phase is not protected by the
-+      smtpd_starttls_tmout (default 300s) value and may hang until the
-+      watchdog kills smtpd, if the client does not continue the handshake.
-+    Restored var_smtpd_starttls_tmout variable initialization.
-+
-+2003/06/12	== Re-released 0.8.13 ==
-+
-+2003/06/11
-+  - Adapted to snapshot 2.0.12-20030611. No patch conflicts.
-+
-+2003/06/11
-+  - Adapted to snapshot 2.0.11-20030609. One minor patch conflict.
-+
-+2003/05/23	== Re-released 0.8.13 ==
-+
-+2003/05/23
-+  - First release against snapshot 2.0.10-20030523.
-+
-+2003/04/26	== Re-released 0.8.13 ==
-+
-+2003/04/26
-+  - Updated patchkit to apply to Postfix 2.0.9.
-+  - Updated patchkit-name to reflect the release of OpenSSL 0.9.7b.
-+
-+2003/03/06	== Re-released 0.8.13 ==
-+
-+2003/03/06
-+  - Postfix 2.0.6 has been released. No patch conflicts.
-+
-+2003/03/02	== Re-released 0.8.13 ==
-+
-+2003/03/02
-+  - Postfix 2.0.4 has been released. "patch" should work with some warnings
-+    about moved line numbers.
-+  - OpenSSL 0.9.7a has been released. No visible changes with respect to
-+    Postfix/TLS.
-+
-+2003/01/26	== Re-released 0.8.13 ==
-+
-+2003/01/26
-+  - Postfix 2.0.3 has been released. One minor patch-conflict.
-+
-+2003/01/13	== Released 0.8.13 ==
-+
-+2003/01/13
-+  - Postfix 2.0.1 has been released. Some minor patch conflicts resolved.
-+  - Added HOWTO documents contributed by Justin Davies <justin at palmcoder.net>
-+    to the contribution area.
-+  - Added RFC3207 (SMTP Service Extension for Secure SMTP over Transport Layer
-+    Security) to the documentation. RFC3207 is the successor of RFC2487.
-+  - Updated TODO list to reflect release ideas up to the release of
-+    Postfix/TLS 0.9.0. (Or will it finally be 1.0.0? :-)
-+
-+2002/12/30
-+  - OpenSSL 0.9.7 has been released. Postfix/TLS works best with the new
-+    0.9.7 release.
-+
-+2002/12/24	== Re-released 0.8.12 ==
-+
-+2002/12/24
-+  - Postfix 2.0.0.1 has been released. Resolved one minor patch conflict.
-+
-+2002/12/20	== Re-released 0.8.12 ==
-+
-+2002/12/20
-+  - Postfix snapshot 1.1.12-20021214 has been released. Resolved minor
-+    patch conflicts.
-+
-+2002/12/15	== Re-released 0.8.12 ==
-+
-+2002/12/15
-+  - Postfix snapshot 1.1.12-20021214 has been released. Two minor patch
-+    conflicts.
-+
-+2002/12/06	== Released 0.8.12 ==
-+
-+2002/12/06
-+  - OpenSSL 0.9.6h has been released. Update documentation and filenames
-+    to reflect this new release.
-+  - Minor bug fix: when calling "sendmail -bs", smtpd is not run with
-+    superuser permissions, therefore the loading of the private key fails.
-+    STARTTLS is not used anyway, so the key is not needed anyway, but the
-+    failure to load creates a misleading warning.
-+    Do not initialize TLS engine at all when not started with superuser
-+    permissions.
-+
-+2002/12/03
-+  - Postfix snapshot 1.1.12-20021203 has been released. Resolved one patch
-+    conflict.
-+
-+2002/11/01	== Re-released 0.8.11a ==
-+
-+2002/11/01
-+  - Postfix snapshot 1.1.11-20021031 has been released. No patch conflicts.
-+
-+2002/10/30	== Re-released 0.8.11a ==
-+
-+2002/10/30
-+  - Postfix snapshot 1.1.11-20021029 has been released. No patch conflicts.
-+
-+2002/09/30      == Re-released 0.8.11a ==
-+
-+2002/09/30
-+  - Postfix snapshot 1.1.11-20020928 has been released. No patch conflices.
-+
-+2002/09/24
-+  - Postfix snapshot 1.1.11-20020923 has been released. Adapt patchkit.
-+
-+2002/09/19	== Re-released 0.8.11a ==
-+
-+2002/09/18
-+  - Postfix snapshot 1.1.11-20020917 has been released. Adapt patchkit.
-+
-+2002/08/23	== Re-released 0.8.11a ==
-+
-+2002/08/23
-+  - Postfix snapshot 1.1.11-20020822 has been released. Adapt patchkit.
-+
-+2002/08/20
-+  - Postfix snapshot 1.1.11-20020819 has been released with several
-+    enhancements and changes. Adapt patchkit (minor issues).
-+
-+2002/08/12
-+  - OpenSSL has experienced several (security critical) updates.
-+
-+2002/07/26	== Re-released 0.8.11a ==
-+
-+2002/07/26
-+  - On popular demand, a new diff for the snapshot version of Postfix
-+    is created: postfix-1.1.11-20020719.
-+
-+2002/06/18	== Re-released 0.8.11a ==
-+
-+2002/06/18
-+  - On popular demand, a new diff for the snapshot versions of Postfix
-+    is created: postfix-1.1.11-20020613.
-+
-+2002/06/03	== Released 0.8.11a ==
-+
-+2002/06/03
-+  - When compiling with SSL but without SASL, compilation fails due to
-+    the modification of state->sasl_mechanism_list that is not part of the
-+    "state" structure when SASL is not compiled in.
-+    This bug was introduced in version 0.8.11.
-+    Bug reported and patch supplied by Bernd Matthes
-+    <bernd.matthes at gemplus.com>.
-+
-+2002/05/29	== Released 0.8.11 ==
-+
-+2002/05/29
-+  - Postfix 1.1.11 is released.
-+
-+2002/05/25
-+  - Fix processing of options after STARTTLS handshaking: AUTH= was not
-+    handled, as the "=" was not recognized as for the extension list for
-+    the case without TLS. (The TLS case was a copy of an older version
-+    of the code not yet containing the "=" and the change in the main
-+    code slipped through without noting the difference, hence the option
-+    as not added to the TLS part.
-+    Found by "Christoph Vogel" <Christoph.Vogel at Corbach.de>.
-+
-+2002/05/24
-+  - Bug reported by "Christoph Vogel" <Christoph.Vogel at Corbach.de>:
-+    Client side AUTH does not work, if STARTTLS is used: if a server
-+    announces AUTH and STARTTLS, AUTH is being used if TLS is disabled.
-+    Once TLS is enabled, AUTH is still offered by the server, but the
-+    client does not use it any longer.
-+    Reason: when AUTH is offered, not only the SMTP_REATURE_AUTH flag
-+    is set in state->features, but also the available mechanisms are
-+    remembered in state->sasl_mechanism_list. As AUTH may be offered
-+    twice by some hosts (in the correct "AUTH mech" form and the older
-+    and deprecated "AUTH=mech" form), a check against processing the
-+    line twice is included in smtp_sasl_helo_auth(). This check now
-+    prevented the correct processing in the second evaluation of the
-+    ESMTP extensions offered after the STARTTLS activation.
-+    Solution: reset state->sasl_mechanism_list before processing the
-+    extension list just like state->features.
-+
-+2002/05/15	== Released 0.8.10 ==
-+
-+2002/05/15
-+  - Postfix 1.1.10 has been released. No changes.
-+
-+2002/05/14	== Released 0.8.9 ==
-+
-+2002/05/14
-+  - Postfix 1.1.9 has been released. Patchkit requires a small adjustment
-+    (supplied by Tuomo Soini <tis at foobar.fi>).
-+
-+2002/05/10	== Released 0.8.8 ==
-+
-+2002/05/10
-+  - OpenSSL 0.9.6d has been released. Release the unchanged patchkit
-+    with a new version number and under a new filename to indicate
-+    that it should be built against 0.9.6d (it has the session caching
-+    failure of 0.9.6c fixed). Update documentation accordingly.
-+
-+2002/05/05
-+  - Postfix 1.1.8 has been released, the patchkit applies cleanly.
-+
-+2002/04/03	== Re-released 0.8.7 ==
-+
-+2002/04/03
-+  - Postfix 1.1.7 has been released, the patchkit applies cleanly.
-+    Re-released the patchkit.
-+
-+2002/03/29	== Released 0.8.7 ==
-+
-+2002/03/29
-+  - Postfix/TLS did not honor the per-recipient-switching-off in SMTP
-+    client mode via tls_per_site (per-host-switching off was honored).
-+    Patch by Will Day <wd at hpgx.net>.
-+
-+2002/03/27	== Released 0.8.6 ==
-+
-+2002/03/27
-+  - Postfix 1.1.6 has been released. Adapted patchkit to resolve minor
-+    patch conflict. (Template provided by Simon Matter
-+    <simon.matter at ch.sauter-bc.com>)
-+
-+2002/03/13	== Released 0.8.5 ==
-+
-+2002/03/13
-+  - Postfix 1.1.5 has been released. The patchkit would apply cleanly, but
-+    obviously the "lock_fd" change that applies to dict_dbm.c (Wietse)
-+    also has to be applied to dict_sdbm.c. Tuomo Soini <tis at foobar.fi>
-+    kindly provided this change.
-+
-+2002/02/25	== Released 0.8.4 ==
-+
-+2002/02/25
-+  - Postfix 1.1.4 became visible. One patch conflict in a Makefile
-+    (Carsten Hoeger <choeger at suse.de>).
-+
-+2002/02/21
-+  - Dates in this CHANGES document were showing 2001 even though 2002 already
-+    began :-). Fixed. (Marvin Solomon <solomon at conceptshopping.com>)
-+
-+2002/02/07
-+  - Bug in the documentation (setup.html): the main.cf variables for the
-+    SMTP server process have to be named smtpd_* instead of smtp_*.
-+    Found by Andreas Piesk <a.piesk at gmx.net>.
-+
-+2002/02/03	== Released 0.8.3 ==
-+
-+2002/02/03
-+  - Patch from Andreas Piesk <a.piesk at gmx.net>: remove some compiler warnings
-+    by using explicit type casts in hexdump print statements.
-+  - Re-released otherwise unchanged patchkit against Postfix-1.1.3.
-+
-+2002/01/30	== Released 0.8.2 ==
-+
-+2002/01/30
-+  - Re-released unchanged patchkit against Postfix-1.1.2.
-+
-+2002/01/24	== Released 0.8.1 ==
-+
-+2002/01/24
-+  - Postfix-1.1.1 has been released. The patchkit needed some small adjustment.
-+  - Both Tuomo Soini <tis at foobar.fi> and Carsten Hoeger <choeger at suse.de>
-+    helped out with this small adjustment. As a side effect of Carsten's
-+    complete pfixtls.diff, which I compared after applying Tuomo's adjustment,
-+    I found that pfixtls.c contained several wrong "'" characters: on the
-+    german keyboard there is an accent looking like the apostroph but producing
-+    a different binary code. Obviously on Carsten's machine the code was
-+    changed which became obvious during the comparison.
-+    (Conclusion: I wrote the comments affected on my SuSE-Linux PC at home with
-+    german keyboard. In my university-office I do have HP-UX workstations
-+    with US keyboards.)
-+
-+2002/01/22	== Released 0.8.0 ==
-+
-+2002/01/22
-+  - Received a comment from Wietse on the mailing list, that it is better
-+    to resolve the "standalone" issue by using the already available
-+    SMTPD_STAND_ALONE() macro in smtpd. Undid 0.7.16 change and made
-+    new change in smtpd.c.
-+  - Updated links in the References section of the documentation.
-+
-+2002/01/21	== Released 0.7.16 ==
-+
-+2002/01/21
-+  - When calling "sendmail -bs" and STARTTLS is enabled, smtpd tries to
-+    read the private key and fails due to insufficient permissions (smtpd
-+    is run with the privileges of the user). This case is caught since
-+    version 0.6.18 of the Postfix/TLS patchkit: STARTTLS is still being
-+    offered but a "465 temporary failure" message is issued. Some mailers
-+    (read this: PINE) will then refuse to continue. (And an irritating
-+    error message indicating the failure to read the key will be logged.)
-+    Experienced by "Lucky Green" <shamrock at cypherpunks.to> .
-+  - Solution: Disable STARTTLS when running "sendmail -bs" by adding
-+    "-o smtpd_use_tls=no -o smtpd_enforce_tls=no" to smtpd's arguments
-+    upon startup. Using STARTTLS does not make sense in simulated
-+    SMTP mode.
-+
-+2002/01/18	== Released 0.7.15 ==
-+
-+2002/01/18
-+  - Postfix 1.1.0 has been released. The patchkit for the former snapshot
-+    version applied cleanly and now becomes the patchkit for the stable
-+    version.
-+
-+2002/01/16	== Released 0.7.14a ==
-+
-+2002/01/16
-+  - Snapshot-20020115 is released. Adapted patchkit.
-+  - Add Postfix/TLS entries into the new conf/postfix-files
-+    (Tuomo Soini <tis at s.foobar.fi>, Carsten Hoeger <choeger at suse.de>).
-+
-+2002/01/14
-+   - OpenSSL: a user reported that session caching stopped working for him
-+     with OpenSSL 0.9.6c. I found that this is also true for my own
-+     Postfix/TLS installation.
-+     Solution: server side session caching is broken in OpenSSL 0.9.6c when
-+     using non-blocking semantics (Postfix/TLS is affected as it uses
-+     BIO-pairs); sessions are simply not added to the cache. This bug
-+     is not security relevant. A fix has been applied to the OpenSSL source
-+     tree for the next release.
-+
-+2002/01/08	== Released 0.7.14 ==
-+
-+2002/01/07
-+  - New snapshots released as release candidates. Adapted the patchkit
-+    to snapshot-20020107. Moved our production servers from 20010228-pl08
-+    to snapshot-20020107 with the adapted patchkit.
-+  - Fix documentation: tlsmgr can be run chrooted since a long time.
-+
-+2001/12/21
-+  - OpenSSL 0.9.6c is released. Postfix/TLS is fully compatible.
-+
-+2001/12/19	== Released 0.7.13e ==
-+
-+2001/12/19
-+  - Adapted patchkit to snapshot-20011217.
-+
-+2001/12/12	== Released 0.7.13d ==
-+
-+2001/12/12
-+  - Adapted patchkit to snapshot-20011210. Adaption provided by
-+    Tuomo Soini <tis at foobar.fi>.
-+
-+2001/11/28	== Released 0.7.13c ==
-+
-+2001/11/28
-+  - Adapted patchkit to snapshot-20011127.
-+
-+2001/11/26	== Released 0.7.13b ==
-+
-+2001/11/26
-+  - Adapted patchkit to snapshot-20011125.
-+
-+2001/11/22	== Released 0.7.13a ==
-+
-+2001/11/22
-+  - Adapted patchkit to snapshot-20011121.
-+
-+2001/11/15	== Released 0.7.13 ==
-+
-+2001/11/15
-+  - Adapted patchkit to postfix-20010228-pl08 and snapshot-20011115.
-+
-+2001/11/06	== Re-released 0.7.12 ==
-+
-+2001/11/06
-+  - Snapshot-20011105 released. No patch conflicts, but in order to have
-+    the pfixtls-* filename and home page entry reflect the new version,
-+    I'll re-release 0.7.12.
-+
-+2001/11/05	== Released 0.7.12 ==
-+
-+2001/11/05
-+  - Release of Postfix-20010228-pl06 and snapshot-20011104. The snapshot
-+    version had some minor patch conflicts to be resolved.
-+
-+2001/10/14	== Released 0.7.11 ==
-+
-+2001/10/14
-+  - Bug fix (client mode): when the peername is checked against the CommonName
-+    in the certificate, the comparison does not correclty ignore the case
-+    (the peername as returned by DNS query or set in the transport map
-+    is not transformed to lower case). This bug was introduced in 0.7.5.
-+
-+2001/10/09	== Released 0.7.10 ==
-+
-+2001/10/09
-+  - Snapshot-20011008 is released. Some minor adaptions are required to
-+    sort out patch conflicts.
-+
-+2001/09/28
-+  - Received patch from Uwe Ohse <use at ohse.de>: There is a bug in sdbm's
-+    handling of the .dir file, that also applies to Postfix/TLS.
-+    The problem only appears for large databases.
-+  - The example entries in conf/master.cf for the submission and smtps services
-+    use "chroot=y" flags, while the Postfix default is "chroot=n". This could
-+    lead to hardly explainable problems when users did not note this fact
-+    during setup.
-+    Fixed example entries to also use "chroot=n" default.
-+
-+2001/09/18
-+  - Wietse releases Postfix-20010228-pl05. The patch applies cleanly with
-+    "patch -p1 ...", so it is not necessary to release a new patchkit.
-+
-+2001/09/04	== Released 0.7.9 ==
-+
-+2001/09/04
-+  - Due to unititialized variable in smtpd_state.c, AUTH may not be offered
-+    without TLS even though smtpd_tls_auth_only was not enabled.
-+    (Patch from Nick Simicich <njs at scifi.squawk.com>.)
-+
-+2001/08/29
-+  - In the snapshot-20010808 version of 0.7.9, the "tlsmgr" line in the sample
-+    conf/master.cf is missing (reported by Will Day <wd at hpgx.net>). Fixed.
-+
-+2001/08/27	== Released 0.7.8 ==
-+
-+2001/08/27
-+  - Received bugreport about issuer_CN imprints consisting of long strings
-+    of nonsense. This only appeard with certificates issued from a certain
-+    CA (RSA Data Security Inc., Secure Server Certification Authority).
-+    (Will Day <wd at hpgx.net>)
-+  - The problem: the issuer data of this certificate is:
-+        Issuer
-+          C=US
-+          O=RSA Data Security, Inc.
-+          OU=Secure Server Certification Authority
-+    It does not contain a CN (CommonName) field. OpenSSL's
-+    X509_NAME_get_text_by_NID() function does not catch this condition
-+    (no error flag set), but it also does not set the name in the memory
-+    location specified.
-+  - Solution:
-+    1. Preset the memory for the string to '\0', so that a string of length
-+       0 is obtained on the failure described above.
-+    2. When no CN data is available, use the O (Organization) field
-+       instead. The data are used for logging only (it is the issuer, not
-+       the subject name), so this change does not affect functionality.
-+
-+2001/08/22	== Released 0.7.7 ==
-+
-+2001/08/22
-+  - Found one more bug: erronously called SSL_get_ex_new_index() instead
-+    of SSL_SESSION_get_ex_new_index() (note the _SESSION missing). This
-+    could be responsible for the failure at the locations found during
-+    debugging. Works fine on HP-UX (did also before), must cross check
-+    at home...
-+
-+2001/08/21
-+  - Received report, that smtp (client) fails with signal 11 (platform:
-+    linux redhat). Cannot reproduce any problem on HP-UX (did run 1
-+    week in production before release). But malloc() and stack strategies
-+    are different between platforms.
-+  - Can reproduce the failure on my Linux PC at home :-(.
-+  - Found one bug in new_session_cb(): on successfull external caching,
-+    success is reported by a return value of 1. This however must be another
-+    bug, as it has nothing to do with the locations of the failure, when
-+    analyzing the core dumps/running under debugger.
-+    Still getting SIGSEGV...
-+
-+2001/08/20	== Released 0.7.6 ==
-+
-+2001/08/20
-+  - Following "popular demand" implemented new feature and configuration option
-+    "smtpd_tls_auth_only": Only allow authentication using the AUTH protocol,
-+    when the TLS encryption layer is active. Default is "no" in order to
-+    keep compatiblity to postfix without TLS patch.
-+    This option does not distinguish between different AUTH mechanisms.
-+
-+2001/08/16	== Released 0.7.5 ==
-+
-+2001/08/15
-+  - The new session cache handling is working now at my site for quite some
-+    time.
-+  - Client side: modified peername matching code, such that wildcard
-+    certificates can be used. Matching is done as in HTTP/TLS: only the
-+    leftmost part of the hostname may be replaced by a '*'.
-+
-+2001/08/09
-+  - Further debugged the CRYPTO_set_ex_data() functionality.
-+  - Unified "external cache write" and "external cache remove" callbacks
-+    for client and server side. The "external cache read" functions are not
-+    that easy to combine, as the lookup keys are quite different and do not
-+    match the fixed interface to the callback function.
-+  - Change shutdown behaviour according to SSL_shutdown(). When SSL_shutdown()
-+    returns, the shutdown handshake may not be complete, if we were the first
-+    party to send the shutdown alert. We must call SSL_shutdown() again,
-+    to wait for the peer's alert.
-+
-+2001/08/08
-+  - Postfix snapshot 20010808 is being released.
-+
-+2001/08/08
-+  - Rewrite server side to remove externally cached sessions via callback.
-+  - Rewrite client side to remove externally cached sessions via callback.
-+    This turns out to be more difficult as expected, as the client side
-+    session cache is sorted by hostnames, but the callbacks are called
-+    with the SSL_SESSION objects. The information must be stored into the
-+    SSL_SESSION objects by using the CRYPTO_set_ex_data() functionality,
-+    the documentation of which, ahem, ...
-+  - Reloading sessions stays separate, as the functionality is different.
-+
-+2001/08/07
-+  - Started reworking the session cache code.
-+    * On the server side the retrieval from the external cache and the writing
-+      to the cache are handled by callback functions. The removal is handled
-+      directly.
-+    * On the client side, all session cache operations are performed explicitly.
-+    * The explicit handling is on the client side is bad, as it requires a
-+      quite complicated logic to detect session reuse and the appropriate
-+      handling.
-+    * The explicit handling of session removal on both sides is bad, as
-+      the OpenSSL library will remove sessions (on session failure) according
-+      to the TLS specifications automatically, so we want to take advantage
-+      of this feature and have the externally cached sessions removed as
-+      required via callback.
-+  - First step: on the client side, also use the new_session_cb(), so that
-+    new sessions are automatically saved to the external cache on creation.
-+
-+2001/08/01
-+  - Postfix-20010228-pl04 is being released.
-+
-+2001/07/11	== Released 0.7.4 ==
-+
-+2001/07/10
-+  - Postfix snapshot 20010709 was released. Resolved some minor patch
-+    conflicts.
-+
-+2001/07/10
-+  - OpenSSL 0.9.6b has been released including a security fix for the
-+    libraries internal pseudo random number generator.
-+    * Note: to exploit the weakness, an attacker must be able to retrieve
-+      single random bytes. As in Postfix/TLS random bytes are only used
-+      indirectly during the SSL handshake, an attacker could never access
-+      the PRNG in the way required to exploit the weakness.
-+    * Postfix/TLS is therefore not vulnerable (as are most (all?) applications
-+      utilizing the SSL layer).
-+    * The OpenSSL team however recommends to upgrade or install the bugfix
-+      included in the announcement in any case.
-+    * Details can be found at http://www.openssl.org/
-+
-+2001/05/31	== Released 0.7.3a ==
-+
-+2001/05/30
-+  - Report from <Andre.Konopka at Presse-Data.de>: TLS logging does not work.
-+    Reason: parameters are not evaluated in mail_params.c, as the corresponding
-+    lines for other_int_defaults[] were missing from the patch. This
-+    only affected the 0.7.3-snapshot version, the version for "stable"
-+    is correct.
-+    I will release 0.7.3a with this fix only for the snapshot version to keep
-+    version numbering consistent with the "stable" version.
-+
-+2001/05/28	== Released 0.7.3 ==
-+
-+2001/05/28
-+  - Upgraded to snapshot-20010425: resolved some minor patch conflicts.
-+    No functional changes.
-+
-+2001/05/16
-+  - Received french documentation (doc_french/) contributed by
-+    Etienne Roulland <Etienne.Roulland at univ-poitiers.fr>.
-+
-+2001/05/03	== Released 0.7.2 ==
-+
-+2001/05/03
-+  - Postfix-Snapshot 20010502 is released. Bernhard Rosenkraenzer
-+    <bero at redhat.de> supplies an adapted patch for Postfix/TLS, as the
-+    normal patch has several rejections because of code changes;
-+    functionality has not changed.
-+
-+2001/05/01
-+  - Patchlevel 02 of Postfix 20010228 is being released. The Postfix/TLS
-+    patchkit applies cleanly when using the "-p1" switch to patch.
-+
-+2001/04/09	== Released 0.7.1 ==
-+
-+2001/04/06
-+  - OpenSSL 0.9.6a is released. It contains several bugfixes and will become
-+    the recommended version to be used with Postfix/TLS.
-+    I will run some more test and then re-release Postfix/TLS (without
-+    additional changes to the source) as 0.7.1 to make people aware of the
-+    new versions of Postfix and OpenSSL.
-+
-+2001/04/05
-+  - Hint from Bodo Moeller <moeller at cdc.informatik.tu-darmstadt.de>:
-+    the "Known Bugs" section in doc/test.html actually contains bugs
-+    of clients and/or interoperatbility problems. Better name it
-+    "Known interoperability problems" and rename the entries
-+    "Postfix/TLS server" and "Postfix/TLS client" to improve clarity.
-+
-+2001/03/29
-+  - Patchlevel 01 of Postfix 20010228 is being released. The Postfix/TLS
-+    patchkit applies cleanly when using the "-p1" switch to patch.
-+    OpenSSL 0.9.6a will be out within the next handful of days, so I will
-+    delay the release of a new patchlevel until then.
-+
-+2001/03/01	== Released 0.7.0 ==
-+  - IMPORTANT: If you are upgrading from a much older version, you will find
-+    that some configuration options have changed over time (fingerprints are
-+    now handled with ':'. check_relay_ccerts is now permit_tls_clientcerts.
-+    Session caching has been reworked.)
-+    It is recommended to re-read the sample-tls.cf file or the html version
-+    in the documentation.
-+
-+2001/03/01
-+  - Wietse has announced the _release_ version (non-beta) or postfix:
-+    20010228!
-+  - Applied the Patchkit to the _release_ version (not the snapshot version).
-+    Resolved one minor patch conflict.
-+  - So, it's time to call this Postfix/TLS 0.7.0.
-+
-+2001/02/26	== Released 0.6.38 ==
-+
-+2001/02/26
-+  - Snapshot-20010225 has been released. Resolved one minor patch conflict.
-+
-+2001/02/23	== Released 0.6.37 ==
-+
-+2001/02/23
-+  - Snapshot-20010222 has been announced as RELEASE CANDIDAT. Resolved one
-+    minor patch conflict.
-+  - Removed "check_relay_ccerts" restriction which has been replaced
-+    by "permit_tls_clientcerts" in 0.6.24. (Was left in until now for
-+    transition.)
-+  - Do not try to save session data > 8kB, since this cannot be handled
-+    by SDBM. (This is more or less academical, since I have never met a
-+    session even half that large.)
-+
-+2001/02/19	== Released 0.6.36 ==
-+
-+2001/02/05
-+  - Snapshot-20010204 has been released. Resolved one minor patch conflict.
-+
-+2001/02/03	== Released 0.6.35 ==
-+
-+2001/02/03
-+  - Snapshot-20010202 has been released. Resolved one minor patch conflict.
-+
-+2001/01/29	== Released 0.6.34 ==
-+
-+2001/01/29
-+  - Snapshot-20010128 has been released. Resolved some minor patch conflicts.
-+
-+2001/01/11	== Released 0.6.33 ==
-+
-+2001/01/10
-+  - Discussion in Thread "When to get peer certificate?" continues and it
-+    comes out, that cross references between datastructures are well maintained
-+    inside OpenSSL. A fact not well known due to lack of documentation
-+    (seems I am facing some more work on the OpenSSL manpages :-).
-+  - Moved around data needed for the certificate verification: a lot of
-+    "static" entries globally needed inside pfixtls.c could now be moved
-+    into the connection specific TLScontext.
-+
-+2001/01/07	== Released 0.6.32 ==
-+
-+2001/01/07
-+  - Since now the checks at handshake stage (in pfixtls.c) are more strict,
-+    some of the checks in smptd.c and smtp_proto.c could be removed.
-+    At a later point I can probably move even more checks into pfixtls.c...
-+
-+2001/01/05
-+  - Had a discussion with Ari Pirinen <aripirin at europe.com> on openssl-users
-+    (Thread: When to get peer certificate?) about the earliest possible
-+    place to check the CommonName of the peer against the expected name.
-+    (This is what smtp does when enforcing the peername of the server it
-+    is connecting to.)
-+    The final result was, that the check can already been done inside the
-+    verifiy_callback() routine even before the handshake is completed.
-+    The positive side effect is, that since the session is never completly
-+    established, it is also not cached on either client or server.
-+  - Since this is a good idea, I have extended the verify_callback in
-+    src/global/pfixtls.c to check the CommonName of the peer (if applicable)
-+    and have the handshake shut down immediatly on failure. I have also
-+    changed the behaviour so that whenever a positive certificate verification
-+    is required, the handshake is shut down immediatly.
-+    (The versions up to now did delay these checks until the session was
-+    established and then shut down the connection. I had established this
-+    practice while working on BIO-pairs and running into a bug in
-+    OpenSSL 0.9.5 (fixed now) and with the verify depth.)
-+
-+2000/12/23	== Released 0.6.31 ==
-+
-+2000/12/23
-+  - Bug: When only enabling smtpd_tls_wrappermode and not additionally setting
-+    smtpd_use_tls or smtpd_enforce_tls, the TLS engine was not fired up on
-+    startup of smtpd
-+    Fixed: also start TLS engine when only smtpd_tls_wrappermode is enabled.
-+    (Experienced by "Fiamingo, Frank" <FiamingF at strsoh.org>)
-+
-+2000/12/18	== Released 0.6.30 ==
-+
-+2000/12/18
-+  - New snapshot 20001217 has been released. Due to the change of "timeout"
-+    parameters now being its own class and table, the old patchkit does not
-+    apply cleanly!
-+  - Checked out Postfix/TLS parameters being timeout values and put them into
-+    the new style time parameter table. This allows to specify time values
-+    like 3600s or 1h. Updated sample configuration to reflect this new style.
-+  - "Fiamingo, Frank" <FiamingF at strsoh.org> pointed out to me, that there are
-+    three parameters in src/global/mail_params.h (namely DEF_TLS_RAND_EXCH_NAME,
-+    DEF_SMTPD_TLS_CERT_FILE, DEF_SMTPD_TLS_CA_FILE) that are hardcoded as
-+    "/etc/postfix/something".
-+    This does not match the usual style of postfix, where no paths are
-+    hardcoded this way. I have removed the defaults for CERT_FILE and CA_FILE.
-+    The RAND_EXCH is needed for good PRNG seeding on systems without
-+    /dev/urandom, I however don't know yet, how to rearrange this requirement.
-+    I could use the Postfix internal mechanisms to enforce a parameter, but
-+    this would annoy people having compiled in TLS but not activated. 
-+
-+2000/12/13	== Released 0.6.29 ==
-+
-+2000/12/13
-+  - Snapshot-20001212 has been released.
-+  - Undid bugfixes for 20001210 which now are included in the new snapshot.
-+
-+2000/12/12	== Released 0.6.28 ==
-+
-+2000/12/12
-+  - Added bugfix provided by Wietse on postfix-users at postfix.org for
-+    "postconf -m" behaviour.
-+
-+2000/12/11
-+  - New snapshot-20001210 released. Some patch conflicts occur. Additionally
-+    * adjusted calls to myflock() to changed interface,
-+    * fixed bug in smtpd_sasl_glue(), where a change to the name_mask()
-+      call was not applied in the original snapshot.
-+
-+2000/12/05	== Released 0.6.27 ==
-+
-+2000/12/04
-+  - Print informational message "SSL session removed" only when
-+    var_smtp[d]_loglevel >= 2. (Proposed by Craig Sanders <cas at taz.net.au>.)
-+  - Extend logging of "setting up TLS connection from/to" and corresponding
-+    success/failure messages so that they include the hostname/ip address.
-+    This way it is much easier to automatically analyze errors by simply
-+    grepping for e.g. "SSL_accept error" and immediately get the peer
-+    causing the problem without further logfile processing.
-+    (Proposed by Craig Sanders <cas at taz.net.au>.)
-+  - When experiencing a TLS failure due to TLS-enforced failure in client mode
-+    (no certificate or hostname/certificate mismatch etc), immediately shut
-+    down the TLS mode with "failure" indication, so that the SSL session is
-+    removed immediately. This way a new session is always enforced in the
-+    case the peer has fixed the problem; no need to wait for the timeout.
-+
-+2000/11/29	== Released 0.6.26 ==
-+
-+2000/11/29
-+  - Found security relevant bug in the OpenSSL library: the verify_result
-+    stating whether or not the certificate verification succeeded is not
-+    stored in the session data to be cached and reused.
-+  - This bug was found during the development of Postfix/TLS around one
-+    year ago, the bug in the library was however only fixed for the server
-+    side. At that time I also tested the server side behaviour but ommitted
-+    to check the client side, too.
-+  - Versions before Postfix/TLS 0.4.4 experienced this problem for both
-+    server and client side. Before 0.6.0 a workaround was active for both
-+    sides, which has been removed at 0.6.0 in the believe that the bug
-+    was gone (I only tested the server side, which was fixed).
-+  - Fixed that bug in OpenSSL also for the client side (I can do this myelf
-+    now that I have been invited to join the OpenSSL developers team :-).
-+    The fix is availabe as of today and will be part of the 0.9.7 release
-+    of OpenSSL (or 0.9.6a, if this release will be published).
-+  - Included a workaround inside Postfix/TLS for OpenSSL library versions
-+    before 0.9.6a or 0.9.7, respectively.
-+
-+********************** Begin Description
-+
-+  - By not caching the verify_result for the client side, the following
-+    behaviour could appear:
-+  * The problem can only appear when smtp_tls_session_cache_database
-+    is activated.
-+  * smtp_use_tls = yes
-+   X On the first connection, the certificate fails verification, failure
-+     is logged:
-+      smtp[*]: Unverified: subject_CN=serv01.aet.tu-cottbus.de, issuer_CN=BTU-CA
-+     For any following connections until the session times out (default 1 hour),
-+     the peer certificate seems to pass verification:
-+      smtp[*]: Verified: subject_CN=serv01.aet.tu-cottbus.de, issuer_CN=BTU-CA
-+   X Security Impact:
-+     Unverified certificates are logged as if verification had succeeded.
-+  * smtp_enforce_tls = yes
-+   X After the verification failure, the session is never correctly established
-+     and hence not reused.
-+   X Security impact:
-+     None, as the session is never reused.
-+  * smtp_enforce_tls = yes after smtp_tls_enforce_tls = yes for a server.
-+   X If the session has been recorded with use_tls and then for this server
-+     enforce_tls is set, the wrong verify_result could be used within the
-+     session cache timeout (default = 1 hour).
-+   X Security impact:
-+     If TLS shall be enforced for a recipient, there is a window of approx.
-+     one hour from setting the "enforce_tls" switch until a verification
-+     failure is noted. For this to happen, a TLS session to that server must
-+     have been used with use_tls set and the not-verifiable certificate must
-+     have been recorded in that session.
-+  - Evaluation:
-+    Even though this _is_ a security problem, I consider risk to be *low*,
-+    given the conditions under which the problem might occur.
-+
-+********************** End Description
-+
-+2000/11/27	== Released 0.6.25 ==
-+
-+2000/11/26
-+  - Added "permit_tls_all_clientcerts" for smtpd_recipient_restrictions.
-+    When this option is enabled, any valid client certificate allows relaying.
-+    This can be practical, if e.g. a company has a special CA to create
-+    these certificates and only this CA is "trusted". It however does not
-+    allow finer control, so if e.g. an employee leaves, he could still
-+    relay. Postfix/TLS does not (yet) allow CRL (certificate revocation lists).
-+    (Added on popular demand.)
-+  - Make the client behaviour more configurabe: when enforcing TLS connections,
-+    the peer's name is checked against the CommonName in its certificate.
-+    New configuration variable "smtp_tls_enforce_peername" (default=yes)
-+    can now be used to accept peername!=CommonName. The server's certificate
-+    must still pass the verifcation process against a trusted CA!
-+    In tls_per_site, the according key is MUST_NOPEERMATCH.
-+    (Added on demand.)
-+
-+2000/11/24
-+  - If the server requires a client certificate and no certificate is presented
-+    or the certificate fails verification, the connection is shut down but
-+    no information is logged.
-+    -> add according msg_info() in smtpd/smtpd.c:startls_cmd().
-+  - If TLS is not enforced, it does not make sense for a server to require a
-+    client certificate. If no STARTTLS is issued, the SMTP would continue
-+    anyway, so why shut down when TLS is activated without verifyable client
-+    certificate?
-+    -> ignore smtpd_tls_req_ccert=yes, if TLS is not enforced and only treat
-+       like smtpd_tls_ask_ccert = yes with an according information logged.
-+
-+2000/11/22	== Released 0.6.24 ==
-+
-+2000/11/22
-+  - Installed on my own servers and changed configuration to use the new
-+    "permit_tls_clientcerts" option name. Patchkit will be released after
-+    some hours of successfull operation.
-+
-+2000/11/21
-+  - New snapshot-20001121 is being released. The patch applies without any
-+    conflict when applied with "patch -p1", so no need to rush out an updated
-+    patchkit.
-+  - Rename the smtpd_recipient_restrictions option from "check_relay_ccerts"
-+    to "permit_tls_clientcerts" to better match the naming scheme.
-+    Leave in the old option for now to not break existing configurations.
-+    The final incompatible removing is scheduled of release 0.7.0 of the
-+    patchkit which will be matching the next "stable" release of postfix.
-+  - There is no manual page for tlsmgr.8 (pointed out by Terje Elde
-+    <terje at thinksec.com>).
-+    Fix the comments at the beginning of tlsmgr.c and create tlsmgr.8.
-+  - In the session cache code an additional 20 bytes were allocated when
-+    converting SSL_SESSION data to binary using i2d_SSL_SESSION().
-+    In adding these 20 bytes to the size listed by i2d_SSL_SESSION() I followed
-+    the example in the OpenSSL source (PEM_ASN1_write()). These 20 bytes are
-+    only added since when writing the PEM, a 20 byte checksum is added, so
-+    we don't need it in our case -> removed.
-+    (Researched after Carlos Vicente <cvicente at mat.upc.es> asked what these
-+    20 bytes are good for :-)
-+
-+2000/10/30	== Re-Released 0.6.23 ==
-+
-+2000/10/30
-+  - Postfix snapshot-20001030 with an important bug fix is made available.
-+    The patchkit applies without any problem (patch -p1).
-+    Hence, I re-release the 0.66.23 release for the new snapshot.
-+
-+2000/10/30	== Released 0.6.23 ==
-+
-+2000/10/30
-+  - New Postfix snapshot 20001029 available with some important bug fix.
-+    Adjusted patchkit (only minor conflicts).
-+
-+2000/10/27
-+  - The CN_sanitize function (src/smtpd/smtpd.c) that shall make sure that
-+    no illegal sign is included into the Received: header does not work
-+    on systems were "char" is unsigned by default.
-+    (Linux on s390, found by Carsten Hoeger <choeger at suse.de>)
-+    -> Worked out a more precise (even though not looking elegant) solution
-+    that checks out all acceptable characters.
-+  - Sent new smptd.c to Carsten Hoeger for testing, will wait with new
-+    Postfix/TLS release.
-+
-+2000/10/06	== Released 0.6.22 ==
-+
-+2000/10/06
-+  - snapshot-20001005 has been released, featuring fast ETRN. Only some minor
-+    patch conflicts needed to be resolved.
-+
-+2000/09/28	== Released 0.6.21 ==
-+
-+2000/09/28
-+  - snapshot-20000924 seems to be somewhat longer lasting. I have been asked
-+    for a new Postfix/TLS release against snapshot-20000924, hence I will
-+    create one.
-+  - Running OpenSSL 0.9.6 for a week now to my full satisfaction. I will bump
-+    bump up the Postfix/TLS version counting to include "0.9.6", even though
-+    it will still run fine with 0.9.5a.
-+
-+2000/09/25/
-+  - snapshot-20000924 is available; only small adjustments.
-+  - Wietse seems to release new snaphots on a daily basis, it doesn't make
-+    sense to follow with a new Postfix/TLS release every day.
-+
-+2000/09/23	== Released 0.6.20 ==
-+
-+2000/09/23
-+  - Recompile OpenSSL-0.9.6-beta3 with the change and reinstall old pfixtls.c:
-+    works again. Hence, all versions of Postfix/TLS working against 0.9.5a
-+    will also work again 0.9.6-final, which shall be released on 2000/09/24!
-+  - Wietse releases snapshot-20000923, patchkit adapted.
-+  - Went through the "install.html" document to add a remark about
-+    OpenSSL-0.9.6. This document is of historic quality but did not fit
-+    actual versions of Postfix/TLS, we are far beyond OpenSSL 0.9.2: Updated.
-+
-+2000/09/22
-+  - Wietse releases snapshot-20000922. The source directory hierarchie has
-+    changed, so the patch needs to be adjusted at several places.
-+  - Run tests against OpenSSL 0.9.6-beta3: problems occur!
-+    * Certificates are no longer verified, since an informationa flag about the
-+      CA certificate search process is written into the error storage and
-+      thus misinterpreted as verification failure.
-+    * Changed Postfix/TLS source to maintain its own error storage based on
-+      the verify_callback, send out according warning to Postfix/TLS mailing
-+      list.
-+    * Unfortunately, this will break all older versions of Postfix/TLS.
-+      Sent out analysis to OpenSSL-bugs at openssl.org.
-+    * Additional change is made to OpenSSL: the new behaviour is only activated
-+      when a special flag is set, so compatibility is restored!
-+
-+2000/09/21
-+  - Wietse releases snapshot-20000921. Some minor patch conflicts resolved.
-+
-+2000/09/14	== Released 0.6.19 ==
-+
-+2000/09/14
-+  - Received a bug report: Postfix/TLS will accept a mail even though
-+    smtpd_req_ccert=yes (require use of client certificate) and no
-+    client certificate is presented.
-+    Reason: when no client certificate is presented SSL_get_verify_result()
-+    will return X509_V_OK, since this is the default value.
-+    Solution: only set "peer_verified" internal information, if the
-+    verify_result is X509_V_OK _and_ a peer certificate is available.
-+    Remark: This default value does not make too much sense. I will file
-+    a bug report/patch before the next release of OpenSSL...
-+
-+2000/09/03	== Released 0.6.18 ==
-+
-+2000/09/03
-+  - When calling "sendmail -bs", smtpd is started without root privileges,
-+    hence it cannot open the private key file and the session cache database.
-+    Since the database routines do not offer a graceful return (only fatal
-+    and abort), this leads to a failure when TLS and session caching is
-+    activated.
-+    This affects PINE users (noted by Craig Sanders <cas at taz.net.au>).
-+    Solution: Try to read the private key first; if that fails, we can
-+    gracefully recover and won't touch the session cache database at all.
-+  - When STARTTLS is configured for smtpd but does not work (e.g. because of
-+    unaccessible keys), smtpd answers with "465 TLS not available due to
-+    temporary reasons". After that the connection was closed, this is however
-+    not necessary, as the client may decide to continue without TLS activated.
-+  - Craig Sanders <cas at taz.net.au> contributes a script to automatically
-+    generate the keys and certificates for Postfix/TLS usage. Added
-+    "make-postfix-cert.sh" to the contributed/ directory.
-+
-+2000/09/02	== Released 0.6.17 ==
-+
-+2000/09/02
-+  - Craig Sanders <cas at taz.net.au> reports that he has connection problems
-+    with a site; the message in the log is:
-+    SSL_connect error 0
-+    8847:error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message:s3_pkt.c:956:SSL alert number 10:
-+    * This is the error caused by the faulty TLS implementation with
-+      CommunigatePro. The bug is fixed in later versions of CommunigatePro,
-+      The site shall be contacted, they should update.
-+  - More important, he reports a segmentation fault immediately after this
-+    problem.
-+  - Bug: when not using session caching and an error occurs during the TLS
-+    handshake, pfixtls_start_clienttls() tried to remove the erronous
-+    session from a non-existant session cache.
-+    Fix: check the existence of the session cache before trying to access it.
-+    Comment: at all other places in the code this condition was already
-+             caught.
-+  - Remark: actually session caching was configured, but the configuration
-+    variable was mistyped because...
-+       it was wrong in conf/sample-tls.cf and doc/conf.html.
-+    The correct values are "smtp[d]_tls_session_cache_database" instead of
-+    "smtp[d]_tls_use_session_cache_database".
-+    Unfortunately this is not flagged by Postfix...
-+
-+2000/08/25	== Released 0.6.16 ==
-+
-+2000/08/25
-+  - Make sure, that the smtp[d] processes will try to access the "daemon"
-+    entropy sources, but will only print an info when not available. Using
-+    the PRNG-exchange file, they can happily run without.
-+  - Moved HAS_SSL checks, such that the package compiles also when configured
-+    without -DHAS_SSL.
-+
-+2000/08/24
-+  - Changed the handling of the PRNG-exchange file. Until now it was written
-+    by tlsmgr and read by the smtp[d] daemons. This had the disadvantage, that
-+    until tlsmgr rewrote new bytes to the file, all starting daemons read the
-+    same seed (to which some more bits, but not too much were added).
-+  - Now the file is handled in read->stir into pool->write back mode, so that
-+    every daemon will add its own entropy bits.
-+  - The smtp[d] processes will do so when starting, when opening a TLS
-+    connection and when closing.
-+  - The tlsmgr will also read back the file and add it to its pool, so that
-+    no entropy is lost.
-+  - This change significantly increases the "self seeding" capability of
-+    the TLS service.
-+
-+2000/08/09
-+  - Cleaned up the new PRNG-seeding.
-+  - When tlsmgr looses connection to an EGD-source (because it was restarted),
-+    tlsmgr performes an exit(0), so that a newly started tlsmgr can reconnect.
-+    [chroot/dropped privileges].
-+
-+2000/08/04
-+  - Introduced new entropy sources for single daemons:
-+    * tls_daemon_random_source
-+    Using this source (same style as for tlsmgr), each starting daemon can
-+    obtain additional entropy (32 bytes by default). The PRNG-exchange file
-+    is still read.
-+  - I am not sure about the policy for this feature. If such a source is
-+    given, should a failure be considered fatal?
-+
-+2000/07/23
-+  - Started reworking the PRNG seeding:
-+    * tlsmgr now recognizes tls_random_source as
-+      dev:/dev/urandom		/* Direct read from device file */
-+      egd:/path/to/socket       /* Connection via EGD-socket */
-+      /path/of/plain-file
-+    * If a dev: or egd: is given, tlsmgr will connect and keep the connection
-+      open, so that it now can run in chroot-mode with dropped privileges.
-+  - Since EGD can be drained, but the connection is permanently open, only
-+    suck a small number of bytes (default 32) at a time, but do it more
-+    often.
-+
-+2000/08/09	== Released 0.6.15 ==
-+
-+2000/08/09
-+  - Traced through OpenSSL to learn more about the verify_callback-feature.
-+    The callback is called several times. When it returns "1", the handshake
-+    will continue, when it calls "0", the handshake will immediately fail
-+    (and Postfix/TLS will also close the TCP connection).
-+  - Following the sample in the OpenSSL-apps, the verification chain depth
-+    was the only property triggering this effect, so this stood hidden until
-+    now. Obviously, users having longer chains did set the verifcation
-+    depth accordingly or they gave up, since this was never reported...
-+  - Changed the behaviour of verify_callback() to never return "0", such that
-+    we can deal with the verification result later in a more consistent manner.
-+    If we only enable and not enforce, we simply want to ignore problems with
-+    the certificate.
-+  - verify_callback() did not print out all information, since the wrong
-+    state variables (pfixtls_*active instead of pfixtls_*engine) were
-+    checked. The *active state variables are only set later.
-+    As the verify process now became rather narrative, the normal logging
-+    is only done in loglevel 2!
-+  - Arrrghhh. The conf/sample-tls.cf _and_ the html-docu (which is actually
-+    copied from conf/sample-tls.cf) has wrong names for the verification-
-+    depth parameters. *_vd instead of *_verifydepth and ccert<->scert.
-+    [Wondering, why this never popped up before...]
-+  - Changed the default-verifydepth to "5" which should suffice for most
-+    cases. Maybe the limit could also be completely removed, but we should
-+    at least receive a warning hint when something goes wild.
-+    Since OpenSSL>=0.9.5 is required for Postfix/TLS anyway, certificate chain
-+    verification can now be used, so the caution applied before is no longer
-+    necessary.
-+
-+2000/08/08
-+  - Tracked down the double-free() call in smtp with Efence. SSL_free()
-+    does call SSL_SESSION_free() on the negotiated session. Hence, I must
-+    not call SSL_SESSION_free() on the session in question, it will be
-+    removed anyway.
-+  - Also tracked down the certificate chain feature. Reason is the
-+    verify_callback() in global/pfixtls.c. It flags a chain depth that
-+    is too long as fatal, hence the connection is immediately closed.
-+
-+2000/08/04
-+  - Received information from Alain Thivillon <Alain.Thivillon at hsc.fr>:
-+    FreeBSD-CURRENT offers malloc() with additional checks enabled.
-+    After successfully delivering, smtp dumps core with free() called
-+    twice in TLS mode.
-+  - I noted, that there is a communication problem with his site an my new
-+    certificate issued by the universities computer center (which has a chain
-+    depth of 2). Step back to the old self certificate for the time being.
-+
-+2000/07/27	== Released 0.6.14 ==
-+
-+2000/07/27
-+  - Introduced new configuration parameter "smtpd_tls_wrappermode" that
-+    enables the (deprecated) old style SSL-wrapping around SMTP. It could
-+    be run on a different port (once smtps=465) was recommended for this
-+    services.
-+    This method is used by old versions of Outlook (Express), the Mac versions
-+    and even actual versions, when not run on port 25.
-+    [Actually it was only a handful of lines, so it doesn't hurt too much,
-+    even though it does not follow any RFC.]
-+  - I recommend using this option only from master.cf. Example lines added
-+    to conf/master.cf and description added to Postfix/TLS-doc/conf.html.
-+  - When having SASL enabled and TLS-enforce mode in "smtpd", only offer
-+    AUTH, when TLS has been activated. Otherwise the client might simply
-+    send the unencrypted credentials before it receives
-+      530 Must issue a STARTTLS command first
-+    and an eavesdropper already has what he was looking for.
-+
-+2000/07/19	== Released 0.6.13 ==
-+
-+2000/07/19
-+  - Changed the library-initializaton call to new naming scheme
-+    (SSLeay_add_ssl_algorithms() to OpenSSL_add_ssl_algorithms() :-).
-+  - Updated documentation to reflect the use of chain certificates with
-+    CAfile and smtp[d]_tls_cert_file (see 2000/07/06).
-+  - Documentation: the interoperability problem with CommunigatePro has been
-+    solved: CommunigatePro violated the TLS-RFC and has been fixed.
-+  - Typo: It is "to stir" not "to stirl" :-)
-+
-+2000/07/06
-+  - Received certificate for our site from our computer center. It's a chain
-+    certificate. Now load the cert with SSL_CTX_use_certificate_chain_file(),
-+    in order to better load the chain CA certificates.
-+
-+2000/07/04
-+  - Reported Wietse about a possible problem in the SASL code, a relay check
-+    may also be performed if sasl was not enabled and might lead to unwanted
-+    relay.
-+    As the fix is in my own codebase, I will leave it Postfix/TLS until a
-+    new snapshot (or final release) is available.
-+
-+2000/06/02	== Released 0.6.12 ==
-+
-+2000/06/02
-+  - Adapted to Snapshot-20000531 (minor patch conflict).
-+  - Cleaned up some old header file dependencies in global/pfixtls.c and
-+    global/Makefile.in that are no longer needed due to the interface changes
-+    (timed_read()/write()) in 0.6.7.
-+
-+2000/05/29	== Released 0.6.11 ==
-+
-+2000/05/29
-+  - Following Bodo Moeller's analysis, the error is due to a mismatch between
-+    the CA certificate accessible in the smtp[d]_tls_CAfile and the one used
-+    in the actual certificate (smtp[d]_tls_cert_file).
-+    Daniel Miller fixed his setup and the problem is gone.
-+  - Introduced a workaround into Postfix/TLS: if the padding error is found,
-+    it is removed from the error-queue by Postfix/TLS, in order to protect
-+    more sites from experiencing this problem.
-+  - Added a warning to conf/sample-tls.cf
-+  - Updated to the latest snapshot-20000528.
-+
-+2000/05/27
-+  - After some fiddling around working through the binary certificate data to
-+    see where it is modified at 0.6.10, I actually note, that both 0.6.9 and
-+    0.6.10 choke on the data. Now going back up through the functions very
-+    fast reveals the problem:
-+    * The certificate supplied triggers the "RSA-padding" error in any case.
-+      Since the certificate authencity is not enforced on OpenSSL-library level
-+      but inside postfix later, the error is not enforced.
-+      The error messages generated stay however in the error queue.
-+      - For blocking sockets, the SSL_accept()/connect() calls return
-+	"success", so the error-queue is never checked.
-+      - With BIO-pairs, the error queue is checked to find out, whether the
-+	function has just to be called again to continue the handshake, so
-+	the error messages are found and the connection is shut down due to
-+	the error condition.
-+  - Submitted bug report to Bodo Moeller. Bug fix is checked into the OpenSSL
-+    CVS archive: if the error is ignored during the handshake, clear the
-+    error-queue.
-+    * The next release of OpenSSL will behave consistently.
-+  - This leaves open the question, why the RSA-padding error is issued in the
-+    first place. Sent a query to the OpenSSL-* mailing lists.
-+
-+2000/05/26
-+  - A second site experiencing this problem pops up.
-+    -> Issued a warning to the postfix_tls mailing list.
-+
-+2000/05/24
-+  - Contacted Damien Miller <djm at mindrot.org>. He did not change his TLS setup
-+    in the last time. He is running Postfix/TLS-0.6.6.
-+  - Contacted Bodo Moeller <moeller at cdc.informatik.tu-darmstadt.de>, the author
-+    of the BIO-pair part of OpenSSL for some debugging hints. Received several
-+    worthful remarks on what to look for.
-+  - Checked byte-for-byte the data fed into the OpenSSL-library. It does not
-+    differ between 0.6.9 and 0.6.10, so my handling seems to be actually
-+    correct.
-+
-+2000/05/23
-+  - A communication error occurs when talking to mail.mindrot.org:
-+    SSL_accept error -1
-+    10264:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
-+    10264:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:396:
-+    10264:error:0D079006:asn1 encoding routines:ASN1_verify:bad get asn1 object call:a_verify.c:109:
-+  - The error occurs both in client and server mode. 0.6.9 does not show
-+    this problem.
-+  - Tried to connect with several other sites, all connections are fine,
-+    this includes sendmail and qmail peers; hence decided to not recall 0.6.10.
-+
-+2000/05/23	== Released 0.6.10 ==
-+
-+2000/05/23
-+  - Sent a note to openssl-dev at openssl.org about the behaviour of SSL_free()
-+    and BIO_free(), hoping for some clarification whether my way of doing
-+    it is the recommended way.
-+  - Run the software in production mode on my own servers...
-+  - Finished writing the in-source documentation.
-+  - Updated sample-tls.cf and sample-smtp[d].cf to reflect the new timeout
-+    parameters.
-+
-+2000/05/21
-+  - Removed error messages produced by the now non-blocking behaviour of the
-+    TLS layer [apps_ssl_info_callback()].
-+
-+2000/05/20
-+  - Took results home and tried to run it on my Linux-box: SEGV after
-+    successfully handling the SMTP session!!
-+    * It seems that the SSL_free() and BIO_free() functions interact.
-+      SSL_free() releases the underlying BIO and it will bomb out when
-+      it is then explicitely BIO_free()'ed again and vice versa.
-+    * It did not bomb out on HP-UX, but such things happen. I however want to
-+      know, why the example program does not fail...
-+    * With respect to the bevaviour as is, SSL_free(TLScontext->con);
-+      BIO_free(TLScontext->network_bio) and not touching
-+      TLScontext->internal_bio works.
-+  - Introduced special timeout values for the TLS negotiation stage, as the
-+    timeout values may change with protocol state (suggested by Wietse).
-+  - Started writing a full description of the BIO-pair concept and its
-+    special treatment into the pfixtls.c sourcecode.
-+
-+2000/05/19
-+  - Systematicly implemented a generalized layer handling:
-+    * do_tls_operation() is the generic handler for all SSL_*() input/output
-+      functions. It deals with the non-blocking behaviour of this functions,
-+      requiring appropriate retrys.
-+    * network_biopair_interop() handles the interaction between the socket/fd
-+      and the buffering BIO-pair.
-+
-+2000/05/18
-+  - Based on the example in openssl-0.9.5a/ssl/ssltest.c realized the first
-+    usage of BIO-pairs. (Can do server handshaking.)
-+  - Learned, that the BIO-pair has its own buffering that needs its own
-+    flushing. It is not enough to relay on the SSL_ERROR_WANT_READ/WRITE
-+    state information.
-+
-+2000/05/17	== Released 0.6.9 ==
-+  - Important: the seperator in the relay-fingerprints is now ':'!!!
-+    Don't forget to change your relay_clientcerts databases.
-+
-+2000/05/16
-+  - Changed pfixtls.c to only use the interface described in util/vstream.c
-+    for handling the VSTREAM.
-+    * Added vstream_context() macro to the VSTREAM-interface.
-+  - Introduce TLScontext to identify the connection instead of the file
-+    descriptor. Move all static data (SSL structure and information gathered
-+    about the connection) into the context.
-+    The TLScontext is allocated on TLS-start for a connection and saved with
-+    the VSTREAM, so several streams can be used at the same time.
-+  - Removed "pfixtls_setfd()" as it is no longer needed.
-+  - Changed the relay_clientcerts list from string_list_* to maps_* interface
-+    to allow usage of ":" in the list.
-+    THIS IS AN INCOMPATIBLE CHANGE!!!!
-+  - Updated documentation accordingly.
-+
-+2000/05/12	== Re-released 0.6.8 ==
-+
-+2000/05/12
-+  - Wietse announces snapshot-20000511 with an important bugfix.
-+  - Since upgrading from 20000507 to 20000511 is highly recommended,
-+    Postfix/TLS 0.6.8 is re-released for this snapshot (the patch applied
-+    cleanly, just the name of the toplevel directory has changed).
-+
-+2000/05/11	== Released 0.6.8 ==
-+
-+2000/05/11
-+  - Unlike expected I found some time to install the latest cyrus-sasl-1.5.21
-+    and test some parts the integration. It does, well, work as advertised
-+    (and the advertisement in SASL_README is not too optimistic).
-+  - When checking all of the rejected patch-snippets for 0.6.6->0.6.7
-+    I missed the parameter "smtpd_enforce_tls" (noted since I wanted to
-+    enforce TLS encryption while playing around with plaintext passwords)
-+    in the static CONFIG_BOOL_TABLE bool_table[] = {..} in smtpd/smtpd.c
-+    -> I will immediately release a corrected version 0.6.8.
-+
-+2000/05/11	== Released 0.6.7 ==
-+
-+2000/05/11
-+  - The latest sendmail.8.11.0.Beta1 includes STARTTLS support; it is available
-+    in source code and also uses OpenSSL.
-+
-+2000/05/10
-+  - After having it running at home (Linux) I also install it at work for
-+    the field test.
-+  - No time to install the SASL kit, so this part stays untested as of now.
-+
-+2000/05/09
-+  - Downloaded snaphot and apply the patchkit.
-+  - Straightened out the rejected parts of the patch.
-+  - Due to the new layering with timed_read() and timed_write() functions
-+    the integration of the TLS layer needed special adjustment.
-+    * When TLS is active, the timed_read() and timed_write() functions are
-+      replaced by the corresponding pfixtls_timed_read() and
-+      pfixtls_timed_write() functions. When the TLS functionality is stopped,
-+      the old functions are restored.
-+    * The names of the pfixtls_timed_*() functions are looking into the future,
-+      because they are working as before, the timeout functionality is not
-+      in, yet.
-+
-+2000/05/08
-+  - Wietse announces snapshot-20000507 with a lot of changes. Especially
-+    important: the I/O handling of the smtp-stream has been changed to
-+    a more layered technique that allows easier integration of the TLS layer.
-+
-+2000/04/27	== Released 0.6.6 ==
-+
-+2000/04/27
-+  - Fixed inconsistency between documentation and actual behaviour: peer
-+    certificate information was not logged at level 1 (found by
-+    Damien Miller <djm at mindrot.org>).
-+    * While at it: the logged information did not say whether the certificate
-+      data logged passed verification or not: fixed. (The information logged
-+      in the Received: header already contained that information.)
-+  - Backported dict_dbm.c from snapshot-20000309 with the updated
-+    dict_delete() behaviour (key not found is not considered fatal).
-+    Maintained dict_sdbm.c accordingly.
-+
-+2000/04/18	== Released 0.6.5 ==
-+  - Important:
-+    * New session cache mechanism SDBM. Please adapt your main.cf and delete
-+      any old ".db" session cache files manually.
-+
-+2000/04/18
-+  - I am using the SDBM session cache for a week right now and did not have
-+    any trouble, so I think its worth pushing it out.
-+  - I am not completely happy with the dict_del() behaviour of considering
-+    a not-found key fatal. It might happen when the smtp[d] processes would
-+    be allowed to delete themselves. They are not as of now, so I accept it
-+    for now but will reconsider it.
-+  - Updated documentation accordingly.
-+
-+2000/04/17
-+  - Received corrections for the HTML-docs from Ralf Hildebrandt
-+    <R.Hildebrandt at tu-bs.de>.
-+
-+2000/04/11
-+  - Transfered SDBM from home (Linux-testbed :-) to work [found and fixed some
-+    small items when compiling on HP-UX]. Started running it under
-+    "real life" conditions.
-+
-+2000/04/07
-+  - Implemented "SDBM" Simple Database Management routines as also utilized in
-+    ModSSL. Of course, it requires reopening of the databases, so the
-+    routines are changed, that the _file_descriptors_ are left open, but
-+    the _in_memory_ database stuff (especially the cached data) is closed
-+    and reopened on access. This is what is really needed. The pagesize
-+    is increased from standard DBM compatibility to hold the session
-+    information.
-+    Additionally, this software is in the public domain, so no additional
-+    license problems arise.
-+  - The access goes through the dict_* interface, hence the locking is
-+    performed by myflock().
-+
-+2000/04/01	== Released 0.6.4 ==
-+
-+2000/04/01
-+  - Updated to the new patchlevel of Postfix (19991231-pl06), some parts of
-+    the patch were rejected due to changes in smtpd.
-+  - Changed patch name with respect of today's release of OpenSSL-0.9.5a.
-+    The code remained unchanged.
-+    
-+2000/03/25-31
-+  - The cached informations are not deleted by "tlsmgr" even though stored
-+    and retrieved by the smtp[d] processess. Strange.
-+  - Spend some large amount of time digging through the Berkeley DB
-+    documentation and code.
-+    * It claims that Berkeley DB is multi-process capable. Caveat: it takes
-+      the very complicated "transaction model", that I did not use until now.
-+      Hence the session cache does not work as is.
-+    * Even with transaction model, Berkeley DB requires re-opening of the
-+      databases to get rid of cached information. F*ck.
-+  - Finally, I give up on Berkeley DB for session caching. It will never
-+    work for us. Even if it would, it requires a large amount of helper files
-+    and it seems, that the transaction environment is somewhat fragile when it
-+    comes to some problem. I won't rely on it.
-+
-+2000/03/28	== Released 0.6.3 ==
-+
-+2000/03/28
-+  - As has been pointed out to me, the TLS information in the Received:
-+    header is not conform to RFC822.
-+  - The TLS protocol and peer CN information is now included in '()', so
-+    that it is a comment.
-+
-+2000/03/21	== Released 0.6.2 ==
-+
-+2000/03/21
-+  - I have been running DB based session caching with the changes for some
-+    more time now without problems. Am I really confident? No, not really.
-+    I remember the trouble I had with Berkeley DB and sendmail on HP-UX.
-+    I don't think I really trust it.
-+  - Realized single "smtp_tls_per_site" lookup. I cannot use the more or
-+    less comfortable "domain_list" lookups as before, since these do not
-+    return the value, just found or not :-(.
-+    Hence the lookup is realized with maps and exact lookup. I never tried
-+    regexp. But if I understand the docs correctly, it should be possible to
-+    use it here to realize wildcard lookups, if it would not have been
-+    disabled :-(.
-+  - Summary:
-+    * Session Cache will be cleaned at "postfix reload" or "postfix start"
-+    * New table "smtp_tls_per_site"
-+    * Gone: "smtp_tls_[use/enforce]_[recipients/sites]"
-+
-+
-+2000/03/16
-+  - Changed pfixtls.c, so that it will only open Session Cache databases,
-+    that are already available. tlsmgr is responsible for creation.
-+  - Change tlsmgr.c, such that session cache databases will be removed before
-+    opening, so that fresh databases are used whenever postfix is restarted.
-+    This means, that session information is not kept over a postfix stop/start
-+    or reload sequence, but it also means, that issuing a postfix reload will
-+    clean the session cache.
-+    I don't use simple dict_open with O_TRUNC, because this would not help
-+    against database files, that are locked by hanging smtp[d] processes.
-+    If you think it will also solve the "hang" problem described for
-+    2000/03/15: in a certain sense it can, since tlsmgr will be killed by
-+    the watchdog and new, fresh cache files are installed, but that is not
-+    more than an ugly hack. It must be solved in a clean manner.
-+
-+2000/03/15
-+  - Experienced some strange problem with Berkeley DB based session cache.
-+    The DB routines hang while trying to delete an entry. I did save the
-+    corresponding "hash:" file and could reproduce it (and walk through
-+    the endless loop with a debugger), but I didn't find the reason why.
-+    Since during "db->del" the database is exclusively locked all other
-+    processes hang however, so this is really bad!!!!!!!!
-+
-+2000/03/12	== Released 0.6.1 ==
-+
-+2000/03/12
-+  - Created tls_info_t structure to hold all information about the active
-+    TLS connection. Remove all global variables except those for the
-+    running client/server engines (those might be replaced with global
-+    variables in smtpd/smtp, though).
-+  - Added field "dNSName" to the structure (still unused). This will be
-+    used with X503v3 extensions.
-+  - Cleaned up TODO, since some items are now done...
-+
-+2000/03/11
-+  - Added missing #include <sys/time.h> to tlsmgr.c. (Worked without on HP-UX,
-+    showed up on Linux.)
-+  - Bug: removal of server side sessions from the cache in case of trouble
-+    failed, because uppercase hex was used instead of lowercase for the key.
-+    This does not affect removal of expired sessions by tlsmgr.
-+  - Stepped up to postfix-19991231-pl05.
-+
-+2000/03/09	== Released 0.6.0 ==
-+  - Important:
-+    * This release features an additional daemon, the "tlsmgr", please update
-+      your master.cf accordingly.
-+    * This release does not use the /var/spool/postfix/TLS* directories
-+      anymore. Remove them and re-install the original postfix-script.
-+    * Check the new/changed configuration parameters tls_random* and
-+      smtp[d]_tls_session_cache*.
-+    * This release will only work with OpenSSL >= 0.9.5!!!!!
-+
-+2000/03/09
-+  - Testcompilation of Postfix/TLS without -DSSL and the OpenSSL includes and
-+    libraries passed.
-+  - Worked through tlsmgr.c to remove unneeded header files.
-+  - Wrote documentation for tlsmgr.c.
-+  - Updated documentation on top of pfixtls.c.
-+  - Put (char *) casts into the myfree() calls, where necessary, to make the
-+    HP compiler happy.
-+  - Updated html PRNG documentation in Postfix/TLS.
-+
-+2000/03/08
-+  - Finished first version of "tlsmgr". Does run through session cache
-+    databases and detects and deletes (*) old sessions.
-+  * Had to realize SYNC_UPDATES for the dict_db_delete() function and patch
-+    the flag handling within the function. Changes sent to Wietse.
-+  - Restored qmgr to its original state.
-+  - Extended pfixtls.c to need an additional "needs_095_or_later()" function
-+    when compiled with an older version of postfix.
-+  - The session cache is now enabled, when a database filename is given.
-+    smtp[d]_tls_use_session_cache configuration parameters removed,
-+    updated documenation accordingly.
-+  - Moved the PRNG handling to tlsmgr, applying the new model. tlsmgr will
-+    query external sources at startup and will then feed a PRNG exchange
-+    file with random data in intervals of configurable (but random driven)
-+    length.
-+    If running outside chroot, tlsmgr can query the entropy source (e.g.
-+    EGD or /dev/urandom) again and so increase entropy with time. If the
-+    entropy sources don't limit access, the tlsmgr can run with "postfix"
-+    privileges. Mine does.
-+    -> master.cf became a new entry.
-+  - tlsmgr is realized as a trigger server and has the "fifo" entry. Actually,
-+    it does not take any input. One could utilize it to feed back some entropy
-+    from running smtp[d] processes, but I think this would overload the
-+    issue.
-+  - I will release a 0.6.0 pre-version as is. tlsmgr still lacks the detailed
-+    information in the header and the interface description in pfixtls.c
-+    probably is also not longer up do date.
-+
-+2000/03/07
-+  - Since defective session data can cause SEGFAULTs, it is now armored
-+    by a leading structure that does contain a session cache version and
-+    the postfix library version before the timestamp. If a session does
-+    not match exactly the version numbers, it is immediately discarded
-+    and deleted to avoid harm.
-+  - Removed the seperate storage of the peer's certificate verify_result,
-+    so starting from this moment, Postfix/TLS will only work safely with
-+    OpenSSL >= 0.9.5!!!
-+  - Ported server side session cache routines to the client side; works.
-+  - Analyzed structure of "qmgr" to understand consequences for the planned
-+    "tlsmgr" daemon. Transferred the sceleton.
-+  - Received word from sendmail, a (at least preliminary) TLS enabled test
-+    address is "bounce at esmtp.org".
-+
-+2000/03/06
-+  - Wietse supplied a change to the dict/dict_db mechanism to allow for
-+    synchronous updates.
-+    Session cache updates for the server side seem to work now, removal of
-+    old sessions (when called from the client) integrated.
-+
-+2000/03/05
-+  - Got the database style session cache to run for the server side (at least
-+    partial). The removal of old sessions is not yet realized.
-+    [There are several man pages for OpenSSL as of 0.9.5, but the i2d etc
-+    interfaces are not belong them, so I had to study the source code instead.]
-+  * What is not working by now is the synchronization of the memory database
-+    to disk. It only is synchronized automatically upon close. It would be
-+    necessary to sync after each update or delete, but this is not implemented
-+    in Wietse's dict library. I will post an according proposal.
-+
-+2000/03/04
-+  - Wietse posts a patch to select "EHLO" negotiation even if ESMTP is
-+    not recognized from the 220 greeting. Activating this flag will however
-+    break compatibility with mailers, that simply close the connection
-+    upon EHLO. I don't know how the large the number of these broken mailers
-+    is, but activating "smtp_always_send_ehlo" is a tradeoff.
-+  - Integrated Wietse's patch into Postfix/TLS.
-+
-+2000/03/03
-+  - Received update from Matti Aarnio (Zmailer) is now for some time able
-+    to do server _and_ client side TLS. Updated documenation accordingly.
-+    When testing, Postfix client to Zmailer server failed, because
-+    Zmailer announces with "ESMTP+IDENT" and Postfix does not recognize
-+    the ESMTP token (must be seperate), so only HELO is used and STARTTLS
-+    is not offered by the Zmailer server. Informed Matti accordingly,
-+    will wait until the problem is resolved before actually publishing
-+    the update.
-+  - Enhanced the documentation by listing automatic reply services at which
-+    interoperability can be tested.
-+
-+2000/03/02
-+  - Went through the Postfix source to check out the database routines.
-+    It should be possible to move session caching from directory/file-
-+    based to database. Since DBM only allows blocks (key+contents) of
-+    1024 bytes and a session is larger, only Berkeley DB can be used.
-+    Put some first bits into Postfix/TLS.
-+
-+2000/02/29	== Released 0.5.5 ==
-+
-+2000/02/29
-+  - OpenSSL 0.9.5 has been released. Since I want to promote 0.9.5, as it
-+    contains several bugfixes and enhancements, I release a new version
-+    of Postfix/TLS. My personal highlights:
-+    * The bug with Win32 Netscape not commencing after certificate storage
-+      unlocking should be fixed. (I will leave the not in however, as long
-+      as I have not positively checked it myself. Reproducibility...)
-+    * The bug, that the certificate verifiation result is not stored in the
-+      session cache (discovered for Postfix/TLS 0.4.4) is fixed. I will leave
-+      the Postfix/TLS workaround in as long as it will run with older versions
-+      of OpenSSL.
-+    * The OpenSSL commandline tools like "openssl gendh" now support EGD, so
-+      that the examples for generating the DH parameters now will really work
-+      with high quality random data :-)
-+    * The support of 56bit ciphers has lost its importance since 128bit
-+      versions of Netscape etc are now easily available...
-+  - This version does not feature source code changes but updated documenation
-+    when compared with 0.5.4:
-+    * List examples on how to generate good entropy for the PRNG seed in
-+      /etc/postfix/random_file.
-+  - Update the TODO document with respect to the discussion about session
-+    caching and other security items. This document is a very short summary,
-+    for the full discussion check the mail archive at
-+      http://www.aet.tu-cottbus.de/mailman/listinfo/postfix_tls/
-+
-+2000/02/26-28
-+  - Wietse considers including Postfix/TLS into the main release. A discussion
-+    about security relevant features, especially the session cache inside
-+    the chroot jail takes place.
-+    The discussion will definetely lead to some changes; I have however not
-+    decided on the first step, yet :-)
-+
-+2000/02/21	== RELEASED 0.5.4 ==
-+  - Important: Another directoy is created in /var/spool/postfix, so don't
-+    forget to install the new versions of conf/postfix-script-*sgid.
-+
-+2000/02/21
-+  - Finished the seed-exchange architecture by saving the random seed at exit
-+    of smtp and smtpd.
-+  - Wrote documentation for the PRNG handling to the documentation.
-+  - Tested on HP-UX (with a current OpenSSL-pre-0.9.5 snapshot and 0.9.4)
-+    and on SuSE-Linux (with 0.9.4).
-+  * THIS VERSION WILL STILL RUN WITH OPENSSL-0.9.4, but it will also run
-+    with OpenSSL-0.9.5. Older versions of Postfix/TLS will not, because the
-+    PRNG is not seeded!
-+
-+2000/02/19
-+  - Start to implement my own model of collecting entropy. All smtp and smtpd
-+    processes will record some items (mainly the time of actions) to add
-+    some entropy into the PRNG. The state is saved and used to re-seed by the
-+    smtp and smtpd processes, so that entropy adds up into the pool.
-+    The seeding by external file is additionally kept in order to be able
-+    to inject additional entropy.
-+
-+2000/02/18
-+  - Included routines to add random seed from a configurable file
-+    "rand_file_name". I don't want to retrieve the entropy from a real
-+    random system source, because the amount of entropy that can be collected
-+    is limited. We might hence stall. Let's think about this problem.
-+  - The SSL_CTX_load_verify_locations() has been fixed in the latest
-+    OpenSSL snapshot.
-+
-+2000/02/17
-+  - Tracked down the SSL_CTX_load_verify_locations() problem in the OpenSSL
-+    library. If more than one CA-certificate is loaded, a bogus return value 0
-+    is created, because the count of certs is checked to be "1" instead of
-+    allowing ">=1". Reported to openssl-dev.
-+
-+2000/02/16
-+  - Downloaded the latest openssl-SNAPSHOT-20000215 and installed it on
-+    my development machine, then recompiled Postfix/TLS and try to run it.
-+    * Failure: SSL_CTX_load_verify_locations() fails on reading the CAfile with
-+      return value 0, but no actual error is displayed.
-+      If the return value is not checked, the CA-certificates work, so that
-+      they are loaded and the error indicator seems to be bogus.
-+      Reported to openssl-dev mailing list.
-+    * Failure: OpenSSL has become picky about correct seeding of the PRNG
-+      Pseudo Random Number Generator. Installed some "testseed" that is
-+      actually not random, but then Postfix/TLS starts to work again. We
-+      will need some good random seed setup, probably reading from either
-+      /dev/random (if available) or from EGD.
-+      Found out during the experiments, that EGD is not that simple to use
-+      as described in some of my Postfix/TLS docs. Must be upgraded.
-+      Asked in the openssl-dev mailing list about the recommended amount
-+      of random data needed for seeding the PRNG. Ulf Moeller recommends
-+      a minimum of 128bit.
-+
-+2000/02/14	== Released 0.5.3 ==
-+
-+2000/02/14
-+  - OpenSSL 0.9.5 is to be released within the next hours/days. Since I intend
-+    to use some of its new features soon, I will re-release 0.5.2 as the last
-+    version that will run with 0.9.4 but for the latest postfix patchlevel.
-+  - No functional changes.
-+  - Updated patch for postfix-19991231-pl04.
-+
-+2000/01/28	== Released 0.5.2 ==
-+
-+2000/01/28
-+  - Stepped up the next postfix patchlevel postfix-19991231-pl03.
-+    No functional changes.
-+
-+2000/01/03	== Released 0.5.1 ==
-+
-+2000/01/03
-+  - Bug fixed: Don't specify a default value for "smtpd_tls_dcert_file",
-+    assuming that typically a DSA certificate is not used.
-+    Otherwise smtpd will try to read it on startup and the TLS engine won't
-+    start since it is not found.
-+    I didn't note this bug before today, because I could not install this
-+    release in a larger scale on my own servers due to a network failure
-+    of our campus backbone lastring from Dec 31 until today.
-+  - Stepped up to the just released postfix-19991231-pl01.
-+
-+2000/01/01	== Released 0.5.0 ==
-+
-+2000/01/01
-+  - Upgraded to the new postfix release 19991231.
-+
-+1999/12/30
-+  - Enabled support for DSA certificate and key for the server side. One
-+    can have both at the same time, the selected cipher decides which one
-+    is used. OpenSSL clients (like Postfix/TLS) will prefer the RSA cipher
-+    suites, if not especially changed in the cipher selection list.
-+    Netscape will only use the RSA cert.
-+  - The client side can only have one certificate. There is a way out by using
-+    a callback function, that will receive the list of acceptable CAs and
-+    then do some clever selection: SSL_CTX_set_client_cert_cb().
-+    I will however have to figure out, how it has to be prepared, it seems,
-+    that there is no example available.
-+  - I have been able to successfully generate a DSA CA and certificates for
-+    some Postfix hosts and to do authentication and relaying as expected.
-+    So now I have to document how it is done in a practical manner...
-+  - Moved up prerelease 0.5.0pre02 to the download site.
-+
-+1999/12/28
-+  - Moved up to SNAPSHOT-19991227.
-+  - Don't forget to check the return value when calling
-+    SSL_CTX_set_cipherlist().
-+  - Add code to load DH-parameters from disk.
-+  - Add configuration information for the new functionality: DH paramter
-+    support, possibility to influence the cipherlist.
-+  - Moved up prerelease 0.5.0pre01 to the download site.
-+
-+1999/12/25
-+  - Found some minutes to relax from the christmas business.
-+  - Applied the 0.4.7 patch to SNAPSHOT-19991223 and included the new changes
-+    of 1999/12/19.
-+    Once the new stable release of postfix is out, this minimum state will be
-+    the new Postfix/TLS patch: the new functionality will not influence
-+    stability, so it can stay in even if still unfinished.
-+
-+1999/12/23
-+  - Wietse announces SNAPSHOT-19991223: if no severe bugs are found, it will
-+    be promoted as next stable release soon. Good to have kept everything
-+    from yesterday.
-+
-+1999/12/22
-+  - Got a query from a Postfix/TLS user: the patch does not apply cleanly to
-+    SNAPSHOT-19991216 and he somehow messed up to integrate the rejected
-+    parts (it later turned out he just forgot on reject).
-+    Applied the patch myself and generated a diff, sent it to the user
-+    and of course kept a copy for myself, since I will have to apply it
-+    myself eventually once the next "stable" release of postfix is out.
-+
-+1999/12/19
-+  - Began modifications for 0.5.x:
-+    * Added configuration variables for specifying the cipherlist to be used
-+      smtpd_tls_cipherlist and smtp_tls_cipherlist. For the format, there
-+      is some (however sparse) documentation in the openssl package.
-+    * Call SSL_CTX_set_cipherlist() with these data.
-+    * Added default temporary DH parameters to pfixtls.c (only server side is
-+      necessary) and configuration variables to specify user generated
-+      parameters; they are however not used, yet.
-+      The default parameters were generated using the presumably good
-+      /dev/random source.
-+
-+1999/12/13	== Released 0.4.7 ==
-+
-+1999/12/13
-+  - Addendum to the last change: do also remove sessions, that could _not_
-+    be reused.
-+  - Updated configuration information:
-+    * As of OpenSSL 0.9.4, certificate chain verification is not sufficient,
-+      since the certificate purpose is not checked, so I recommend to add
-+      all intermediate CAs the the list of CAs and stay with a verification
-+      depth of 1.
-+      Work is in progress for 0.9.5.
-+  - Stepped up to the just released new patchlevel postfix-19990906-pl09.
-+
-+1999/12/10	== Released 0.4.6 ==
-+
-+1999/12/10
-+  - Realized changes implied below: Removed SSL_CTX_add_session() in the
-+    client startup; remove session on stop with SSL_SESSION_free().
-+  - In the morning there is a mail on the list, that Postfix might be
-+    crashed with a single "\" on the "CC:" line. Hence, we should expect
-+    a new patchlevel soon. Release the actual change anyway.
-+
-+1999/12/09
-+  - Read in the "openssl-users" mailing list, that SSL_CTX_add_session()
-+    is only intended for servers. On the client side, SSL_set_session()
-+    is sufficient.
-+    Additionally, the session should be explicitely freed, since
-+    SSL_set_session() will increment the usage count for the session.
-+    Explained by Bodo Moeller.
-+
-+1999/12/xx
-+  - Had a discussion (by email) with Bodo Moeller about DH/DSS. It seems
-+    I understand better now (after the discussion) how it works :-).
-+    Implementing it should not be too difficult but might take some more
-+    hours. Mentally scheduled it for Version "0.5.0" whenever this might
-+    be (rough guess: christmas vacation).
-+    Decided to hence not discuss this topic in the docs, since it might
-+    change in the near future anyway.
-+
-+1999/11/23
-+  - Discussion with rch at writeme.com (Richard) about implementing DH ciphers
-+    and DSA keys and certificates on the Postfix/TLS list: It does not work
-+    as of now.
-+
-+1999/11/15	== Released 0.4.5 ==
-+
-+1999/11/15
-+  - Applied patch to postfix-19990906-pl07 without problems. Well, let's
-+    release new version of Postfix/TLS, so that we look up to date.
-+  - Add the "DO NOT EDIT THIS FILE" to conf/sample-tls.cf.
-+
-+1999/11/08
-+  - Applied patch to the fresh release of postfix-19990906-pl06 without
-+    problems. Nothing else, so no new release of Postfix/TLS.
-+
-+1999/11/07	== Released 0.4.4 ==
-+
-+1999/11/07
-+  - Played around some more with the X509_verify_cert() function: when saving
-+    a session, neither the verify_result is saved nor the certificate chain
-+    necessary to re-verify. So there were two possibilities left: do a full
-+    renegotiation negating the benefit of session caching or
-+  - save the verify_result into to the session cache file and set the value
-+    when rereading from disk. This way the positive result of session caching
-+    is kept.
-+  - Make sure, the verify_result value is propagated as pfixtls_peer_verified
-+    and used where needed.
-+  - After experiencing some failures at TLS connection setup, the SSL_sessions
-+    are now freed again when closing. It seems, something is left over in the
-+    session structures, even though SSL_clear() is called.
-+
-+1999/11/06
-+  - When not asking for a client certificate, the "Received:" header will show
-+    the protocol and cipher, but silently omit the client CN (because they
-+    where not supplied). Noted by Craig Sanders <craig at taz.net.au>.
-+    The same holds, if a certificate is asked for, but none supplied.
-+    Now, in any case an appropriate information is added in the "Received:"
-+    header.
-+  - Added a hint to remove sessions from the cache during testing, since
-+    old information may still be in the cache. Also proposed by Craig
-+    Sanders <craig at taz.net.au>.
-+  - While at it: client CN and issuer CN are printed, but the verification
-+    state is not, so that the trust value of this data is not known.
-+    * Added (verify OK/not verified) to the Received: header.
-+    * Obtained information using the SSL_get_verify_result(SSL *con) call.
-+    * Learned, that the state is not saved in the session information, so
-+      that a recalled old session will always return "OK" even if the
-+      certificate failed the verification! Call it a bug in OpenSSL.
-+      Still investigating on a good way to work around this problem.
-+  - Fixed a bug in the syslog entries: The client CN is logged, but the
-+    issuer CN is not, because of a missing "%s" in the format string.
-+
-+1999/11/03	== Released 0.4.3 ==
-+
-+1999/11/03
-+  - Added some hints about security to the html documentation.
-+  - Tested the changes made two weeks ago at home in the large university
-+    setup. I was to a conference in between and didn't want to release
-+    the new version without having done some more tests.
-+
-+1999/10/17
-+  - Added another half a ton of comments (this time for the client side),
-+    yielding one ton alltogether...
-+
-+1999/10/16
-+  - Rearranged some of the TLS-engine initialization to improve readability.
-+  - Do not "free" the SSL connection, when it is not really necessary. Do only
-+    reset information about the TLS connection, when there was one. This is
-+    the better way instead of the quick fix applied for 0.4.2.
-+  - Added half a ton of comments to the TLS code (server side) to document
-+    what is done when and why, since there is no real documentation about
-+    the OpenSSL library.
-+
-+1999/10/11	== Released 0.4.2 ==
-+
-+1999/10/11
-+  - Fixed a severe bug introduced in 0.4.0: smtpd and smtp tried to flush
-+    old session from the session cache even when TLS was not enabled. Since
-+    no SSL-context was allocated, smtp would segfault on connection close.
-+
-+1999/10/10	== Released 0.4.1 ==
-+
-+1999/10/10
-+  - Added a long description of the session cache handling to the top of
-+    global/pfixtls.c.
-+  - There is a race condition when cleaning up the session cache in qmgr, that
-+    might lead to lost sessions in client mode. The worst consequence is an
-+    additional session negotiation, so we can live with it as of now.
-+    Bug described in qmgr/qmgr_tls.c.
-+  - Implemented immediate removal of session cache files with expired sessions
-+    when these are called. No need to first load and then discard them.
-+  - Implemented the requirement from RFC2246 to remove sessions, when
-+    connection failures occure (well actually, when TLS layer failures
-+    occur, but I cannot seperate this from another) for the server side.
-+    the client side is under work.
-+
-+1999/10/09
-+  - Set an absolut maximum length of 32 for the IDs used for session caching.
-+    This matches the default in OpenSSL, but I don´t want to see surprises
-+    when somebody sometimes will run into a longer session id.
-+
-+1999/10/05	== Released 0.4.0 ==
-+  - The new disk based session cache is a major step, so the minor release
-+    number is pushed to 0.4.
-+  - By now I think all necessary bells and whistles are in the code. What
-+    is left is a big code cleanup and some more testing before calling this
-+    patchkit "1.0.0".
-+  - Initiated Mailing List at
-+	http://www.aet.tu-cottbus.de/mailman/listinfo/postfix_tls
-+
-+1999/10/05
-+  - Some code cleanup.
-+  - Added new options to the documentation and the hint to update
-+    "postfix-script", because otherwise qmgr might fail!
-+
-+1999/10/03
-+  - Realized disc based session caching also for the Postfix/TLS client.
-+    Must go to real world testing now between hosts.
-+    And, of course, tune up the documentation, because users will have to
-+    install a new postfix-script, too.
-+
-+1999/10/02
-+  - The old sessions must be removed once they have timed out, so a process
-+    is needed that will scan through the list of old sessions and remove
-+    once they have expired.
-+    Lucky me: this is what qmgr usually does with deferred messages, so
-+    qmgr is extended only a little bit and will now also clean up the
-+    old sessions from the cache directory.
-+    And hey: it is good to see how easily this thing can be extended and
-+    functions can easily be reused. Postfix is an excellent peace of
-+    software engineering and there is no line of C++ or other "object
-+    oriented modern junk" in it. It should be recommended as an example
-+    to computer sience students.
-+
-+1999/09/28
-+  - I cannot use the mod_ssl way for session caching and I don´t want to
-+    spend an extra "gcache" daemon as ApacheSSL does. So I follow Wietse´s
-+    idea realized for his mail queues and create hash level based subdirectory
-+    structures. The good thing: I can cannibalize the mail_queue code.
-+    The bad thing: there is a path length of 100 chars fix coded in Wietse´s
-+    routines. It does hold for 32byte session ideas.
-+    Status: can save sessions to disk and recall them (server side).
-+
-+1999/09/26
-+  - Created new call backs for external session caching for the server side.
-+    In a first step, they can print out the session ids for the newly created
-+    session and when recalling a session.
-+    As the OpenSSL documentation on this is pretty sparse, Ben Laurie´s
-+    ApacheSSL code is very helpful, Ralph Engelschall´s Mod_SSL code for
-+    session caching is far more complicated.
-+
-+1999/09/23	== Released 0.3.10 ==
-+
-+1999/09/23
-+  - Debugging for 0.3.8/0.3.9 would have been so much easier, if the error
-+    messages put onto the error message stack from the OpenSSL library would
-+    have been printed out. The error was clearly stated from the library, I
-+    just didn't print it. Added pfixtls_print_errors() calls where missing
-+    after calls to the OpenSSL library.
-+    Sometimes I feel so old...
-+  - Used opportunity to upgrade to the latest postfix patchlevel 05:
-+    postfix-19990906-pl05.
-+
-+1999/09/19	== Released 0.3.9 ==
-+
-+1999/09/19
-+  - Added a "smtp_no_tls_sites" table to allow people to enable TLS negotiation
-+    globally and only omit it on a per site basis.
-+
-+1999/09/18
-+  - Finally found the bug described for 0.3.8: In the server setup, the
-+    SSL_CTX_set_session_id_context() call was missing. To find this, I
-+    had to trace through the OpenSSL library and when I finally found it
-+    in ssl/ssl_sess.c, there was an appropriate comment about this. I however
-+    have to find out why I didn´t receive the appropriate error message...
-+  - This bug was hidden during the first developing stages, as the shutdown
-+    sequence was not working correct, so the session was not cached.
-+
-+1999/09/17	== Released 0.3.8 ==
-+
-+1999/09/17
-+  - Something is strange with the session caching in smtpd server mode
-+    with Netscape 4.61 client. The first connection is fine, the next
-+    one hangs after the server fails with errors while reading the
-+    SSLv3 client hello C. (Found by Michael Stroeder <x_mst at propack-data.de>)
-+    Reproducable with OpenSSL 0.9.3a, 0.9.4 and SNAPSHOT 19990915, so
-+    the problem seems to be persistent. I will try to figure out the
-+    problem myself before reporting it to the developers. If I don't find
-+    it, maybe they do :-)
-+    Workaround: the cached session is removed after connection is closed.
-+    This will impose some time penalty on the negotiation. As the caching
-+    is local in the smtp processes and they time out anyway, the penalty
-+    should not be significant.
-+    The problem does not occure with Postfix/TLS clients.
-+
-+1999/09/13	== Released 0.3.7 ==
-+
-+1999/09/13
-+  - Ran tests, seems no further conflicts between Wietse's changes and my
-+    extensions.
-+
-+1999/09/09
-+  - Applied the patchkit 0.3.6 to postfix-19990906-pl02 and worked out
-+    the rejected part of the patch. From this point of view the patch
-+    is included. Now everything has to be retested.
-+
-+1999/09/09	== Released 0.3.6 ==
-+
-+1999/09/09
-+  - Added a missing ´#ifdef HAS_SSL #endif´ in smtp_connect.c.
-+    Noted by Jeff Johnson <jeff at websitefactory.net>.
-+  - HINT:
-+    On 1999/09/06 a new "stable" version of postfix was released.
-+    Future Postfix/TLS enhancements will be against this new version 19990906.
-+
-+1999/08/25	== Released 0.3.5 ==
-+
-+1999/08/25
-+  - Added Wietse's patch for postfix-19990601 to prevent crashing smtpd when
-+    VRFY is called without setting the sender with "MAIL FROM:" first.
-+
-+1999/08/13
-+  - Small changes to global/pfixtls.[ch]: Since we also support client STARTLS,
-+    we check the peers certificate, which may also be a "server" certificate
-+    (not just client). Hence I renamed "*ccert*" to "*peer*".
-+  - global/pfixtls.c: add some "const" to "char *" for OpenSSL library calls,
-+    to make gcc happy.
-+  - Extended comments in pfixtls.[ch] to better match Wietse's style.
-+
-+1999/08/12	== Released 0.3.4 ==
-+
-+1999/08/12
-+  - Enabled workarounds for known bugs in SSL-engines.
-+  - Tested with OpenSSL 0.9.4.
-+  - Windows95/NT: Problem with Netscape hanging on first connection when
-+    the client certificate database has to be unlocked cannot be reproduced
-+    anymore.
-+    I am happy, but I am also not sure what caused the problem to go away
-+    and I cannot figure out the security settings manually from the files...
-+
-+1999/08/11
-+  - Corrected loglevel handling: At some points smtpd_tls_loglevel was used
-+    instead of smtp_tls_loglevel (only noted at loglevels >= 2).
-+
-+1999/08/09	== Released 0.3.3 ==
-+
-+1999/08/09
-+  - Removed SSL_CTX_set_quiet_shutdown() as it does prevent the shutdown
-+    from actually being performed. In order to remove the annoying
-+    "SSL3 alert write:warning:close notify" it is now explicitly handled
-+    in apps_ssl_info_callback().
-+    Bug found by Bodo Moeller <bodo at openssl.org>.
-+
-+1999/08/06	== Released 0.3.2 ==
-+
-+1999/08/06
-+  - Add option "smtp_tls_note_starttls_offer" to collect information about
-+    hosts, that offered the STARTTLS feature without using it.
-+  - Shut up smtpd. Only print information about relaying based on certs
-+    when msg_verbose is true.
-+
-+1999/07/20
-+  - Added missing "const" in pfixtls.h (found by Juergen Scheiderer
-+    <jnschei at suse.de>). HP-UX ANSI-C didn't complain.
-+
-+1999/07/08	== Released 0.3.1 ==
-+
-+1999/07/08
-+  - New config variable "smtpd_tls_received_header". When "true", the protocol
-+    and cipher data as well as subject and issuer CN of the client certificate
-+    are included into the "Received:" header.
-+
-+1999/07/07
-+  - "starting TLS engine" message will only be printed when loglevel >=2
-+    to reduce unnecessary noise in the log files.
-+  - Added code to fetch the protocol (e.g. TLSv1) and the cipher used (by name
-+    and bits). Information is printed to the logfile.
-+
-+1999/07/01	== Released 0.3.0 ==
-+
-+1999/07/01
-+  - (Client mode) Bug fix: Don't try to use STARTTLS if it is not offered. The
-+    server we are connected to might not understand it and respond with a
-+    "500 command not understood", causing the email to bounce back, even
-+    when the lack of STARTTLS is just a temporary problem.
-+  - Updated documentation for the new per recipient/site TLS decisions.
-+
-+1999/06/30
-+  - Client mode: Added variables and routines to decide "per recipient" or
-+    "per host/site" whether to use/enforce TLS or not.
-+
-+1999/06/18	== Released 0.2.8 ==
-+
-+1999/06/18
-+  - In client mode the "use_tls" and "enforce_tls" internal variables were
-+    not initialized correctly, such that the client could try to use the
-+    STARTTLS negotiation even if not wanted. This error was introduced
-+    in 0.2.7.
-+    Noted by "Cerebus" <cerebus at sackheads.org>.
-+
-+1999/06/08	== Released 0.2.7 ==
-+
-+1999/06/08
-+  - Studied discussions in the IETF-apps-TLS mailing list: MS Exchange
-+    seems to offer STARTTLS even if not configured. Added this info to the
-+    documentation.
-+  - Updated Documentation regarding the changes made.
-+
-+1999/06/03
-+  - The subject-CommonName (CN) of the server certificate is extracted when
-+    connecting to a TLS server.
-+  - In "smtp_*_tls" mode, this subject-CommonName is matched against the
-+    hostname of the server. In "enforce" mode, the connection is droppend
-+    when the certified server name and the real hostname differ.
-+  - Added missing dependencies in smtp/Makefile.in (missing pfixtls.h since
-+    0.2.0).
-+
-+1999/06/02	== Released 0.2.6 ==
-+
-+1999/06/02
-+  - Adapted patchkit to postfix-19990601.
-+
-+1999/06/01	== Released 0.2.5 ==
-+
-+1999/06/01
-+  - Updated OpenSSL API to 0.9.3a -> position of include files has changed
-+    from <xxx.h> to <openssl/xxx.h>. No functional changes.
-+  - pkcs12 utility is now part of OpenSSL -> changed documentation
-+    accordingly.
-+
-+1999/05/20	== Released 0.2.4 ==
-+
-+1999/05/20
-+  - Updated postfix base 19990317 from pl04 to pl05.
-+
-+1999/05/14	== Released 0.2.3 ==
-+
-+1999/05/14
-+  - Fixed a bug in pfixtls_stop_*(): there was a ";" to much directly
-+    after "if (con);". This check is only done as a safety measure:
-+    When SSL is not started you should not stop it. This case could however
-+    only happen when the code in smtp[d] would be wrong, so it should never
-+    be necessary. (Bug found by Uwe Ohse <uwe at ohse.de>)
-+
-+1999/05/11	== Released 0.2.2 ==
-+
-+1999/05/11
-+  - Matti Aarnio: Reworked pfixtls_dump() to use fewer strcpy and strcat calls.
-+  - Added information about Matti Aarnio (author/maintainer of ZMailer)
-+    working on RFC2487 for ZMailer.
-+
-+1999/05/04	== Released 0.2.1 ==
-+
-+1999/05/04
-+  - Stuffed up the documenation to reflect the actual status. No change
-+    in functionality.
-+
-+1999/04/30	== Released 0.2.0 ==
-+
-+1999/04/30
-+  - Adjusted the changes in smtp*.c to Wietse's indentation style.
-+  - Sorry, the documentation about the client side has by now to be
-+    taken from sample-tls.conf. The documenation has to be rearranged
-+    in a larger scale.
-+
-+1999/04/29
-+  - Finished client support for STARTTLS in smtp; some testing done.
-+  - Fixed a race condition in smtpd: When in PIPELINE mode, the connection
-+    was switched back from SSL to normal mode before the buffers were
-+    flashed.
-+  - Adjusted the code in pfixtls.[ch] and additions in smtpd*.c to
-+    Wietse's indentation style.
-+
-+1999/04/28
-+  - Incorporated skeleton of STARTTLS support into smtp.
-+  - Introduced variables to control client STARTTLS to configuration.
-+
-+1999/04/15	== Released 0.1.5 ==
-+
-+1999/04/15
-+  - Adjusted pfixtls.diff to postfix-19990317-pl04.
-+
-+1999/04/14
-+  - Ported from OpenSSL the BIO_callback functions to dump out the negotiation
-+    and transmission for debugging purposes. The functions are triggered
-+    by the the new loglevels 3 and 4.
-+  - Call SSL_free() to get rid of the SSL connection structure not used
-+    anymore.
-+
-+1999/04/13	== Released 0.1.4 ==
-+
-+1999/04/13
-+  - Based on a hint in the openssl-users list added an SSL_set_accept_state()
-+    before the actual SSL_accept(). I don't really understand why, but the
-+    documentation of SSL is a bit short anyway.
-+
-+1999/04/11
-+  - Some more comments on certificates in the documentation.
-+
-+1999/04/10
-+  - Moved initialization of the pfixtls_server_engine to the pre_jail_init()
-+    section of smtpd, so that it is called with root privileges to read the
-+    key and cert information. The secret key of the server can now be protected
-+    by "chown root secretkey.pem; chmod 400 secretkey.pem".
-+    Additionally, this makes it possible to run smtpd in chroot jail, even
-+    though I didn't test that, yet. All information is read at smtpd startup
-+    time except the CAcerts in tls_CApath, which are checked at runtime.
-+    I have to look into that.
-+  - Updated documentation accordingly.
-+  - Rewrote the documentation with regard to the certificate setup and
-+    explaining the different types of certificates.
-+
-+1999/04/09
-+  - Introduced pfixtls_print_errors() which imitates BIO_print_errors()
-+    (the typical way to print error information in OpenSSL) but writes
-+    to syslog instead of a file handle.
-+    Hence we can get more informative error information.
-+
-+1999/04/08	== Released 0.1.3 ==
-+
-+1999/04/08
-+  - Stuffed up the documentation by reworking the references.
-+  - Added contributed script for automatic addition of fingerprints.
-+  - Added ACKNOWLEDGEMENTS file
-+
-+1999/04/06	== Released 0.1.2 ==
-+
-+1999/04/06
-+  - Portability: removed call of "snprintf()", as it is not available on
-+    some (older) UNIX versions (in this case Solaris 2.5).
-+  - Removed calls to "select()" when in TLS mode: Even though no new bytes
-+    arrive, there might be bytes left in the SSL buffer -> possible hang.
-+
-+1999/03/30	== Released 0.1.1 ==
-+
-+1999/03/30
-+  - Added disclaimer about export restrictions.
-+  - Fixed a bug in util/match_ops.c:
-+    When using dictionary lookup the compare was case sensitive by accident.
-+    Effect: Fingerprint matching did not work with databases, only for plain
-+    file.
-+    Bug report submitted to postfix author.
-+
-+1999/03/29	== Released first version 0.1.0 ==
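Review bot: dropping the whole Postfix/TLS CHANGES history together with the patch is fine, but the "2000/02/21 == RELEASED 0.5.4 ==" entry records that this patch's postfix-script created an additional directory under /var/spool/postfix for the disk-based session cache ("Another directoy is created in /var/spool/postfix, so don't forget to install the new versions of conf/postfix-script-*sgid"). Removing the patch does not remove state it created on already-installed systems, so please confirm that the packaging replacing this patch either cleans that directory up on upgrade or no longer depends on it.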
-diff -urNad postfix-release/tls/contributed/00README /tmp/dpep.cXJuVH/postfix-release/tls/contributed/00README
---- postfix-release/tls/contributed/00README	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/tls/contributed/00README	2005-02-03 10:22:13.091089774 -0700
-@@ -0,0 +1,22 @@
-+All entries in this directory have been contributed from other sources:
-+
-+- Frederic J. Hirsch <f.hirsch at opengroup.org>
-+  * loadcacert.pl:
-+	I "took" this one from his excellent introduction
-+	"Introducing SSL and Certificates using SSLeay"
-+	http://www.camb.opengroup.org/RI/www/prism/wwwj/index.html
-+
-+- Walcir Fontanini <walcir at densis.fee.unicamp.br>
-+  * fp.csh:
-+	add fingerprints to the list of client certs;
-+	be carefull to a adjust filenames and maptype as necessary
-+
-+- Craig Sanders <cas at taz.net.au>
-+  * make-postfix-cert.sh:
-+	automatically create certificates for postfix usage.
-+
-+- Justin Davies <justin at palmcoder.net>
-+  * SSL_CA-HOWTO.pdf/sgml
-+	SSL CA howto
-+  * Postfix_SSL-HOWTO.pdf/sgml
-+	Postfix/TLS howto
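Review bot: the filename given for Frederic Hirsch's contribution, loadcacert.pl, does not match the file this patch actually adds, tls/contributed/loadCAcert.pl (different case), so on a case-sensitive filesystem the README points at a file that does not exist; use the real name. In the fp.csh entry, "be carefull to a adjust filenames and maptype as necessary" should read "be careful to adjust the filenames and the map type as necessary".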
-diff -urNad postfix-release/tls/contributed/fp.csh /tmp/dpep.cXJuVH/postfix-release/tls/contributed/fp.csh
---- postfix-release/tls/contributed/fp.csh	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/tls/contributed/fp.csh	2005-02-03 10:22:13.091089774 -0700
-@@ -0,0 +1,20 @@
-+#!/bin/csh -f
-+
-+##      fp.csh <username>
-+#               Generate a fingerprint from a X509 certificate
-+#               and updates /etc/postfix/relay_clientcerts
-+#               It presumes a user certificate in /etc/postfix/certs/
-+#               with name <username>-cert.pem
-+#       author: walcir fontanini (walcir at densis.fee.unicamp.br) Apr-08-1999
-+
-+set USER=$1
-+set FP=`/usr/local/ssl/bin/openssl x509 -fingerprint -in /etc/postfix/certs/$USER-cert.pem | grep Fingerprint | awk -F= '{print $2}' | tr ":" "_"`
-+
-+cat >> /etc/postfix/relay_clientcerts <<EOT
-+$FP $USER
-+EOT
-+
-+postmap dbm:/etc/postfix/relay_clientcerts
-+
-+exit
-+#
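Review bot: fp.csh appends to /etc/postfix/relay_clientcerts without checking that an argument was given or that /etc/postfix/certs/$USER-cert.pem exists, so a mistyped username produces an empty $FP, writes a line consisting of a space and the username into the map, and then rebuilds the map with postmap; add an argument count check and a test for the certificate file before the here-document, and abort if either fails. Two further points: the digest is not pinned ('openssl x509 -fingerprint' uses the build's default, so pass '-md5' or '-sha1' explicitly so the stored value matches what the relay_clientcerts lookup is built from), and the map type 'dbm:' is hard-coded while the README only says to adjust it; it must agree with the relay_clientcerts setting in main.cf or the lookup silently misses.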
-diff -urNad postfix-release/tls/contributed/loadCAcert.pl /tmp/dpep.cXJuVH/postfix-release/tls/contributed/loadCAcert.pl
---- postfix-release/tls/contributed/loadCAcert.pl	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/tls/contributed/loadCAcert.pl	2005-02-03 10:22:13.091089774 -0700
-@@ -0,0 +1,23 @@
-+#!/usr/local/bin/perl -T
-+
-+require 5.003;
-+use strict;
-+use CGI;
-+
-+my $cert_dir = "/usr/local/ssl/certs";
-+my $cert_file = "CAcert.pem";
-+
-+my $query = new CGI;
-+
-+my $kind = $query->param('FORMAT');
-+if($kind eq 'DER') { $cert_file = "CAcert.der"; }
-+
-+my $cert_path = "$cert_dir/$cert_file";
-+
-+open(CERT, "<$cert_path");
-+my $data = join '', <CERT>;
-+close(CERT);
-+print "Content-Type: application/x-x509-ca-cert\n";
-+print "Content-Length: ", length($data), "\n\n$data";
-+
-+1;
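Review bot: the open() at 'open(CERT, "<$cert_path");' is unchecked, so a missing or unreadable CA file makes the CGI return a 200 response with Content-Length: 0 instead of an error; write 'open(CERT, "<$cert_path") or die "cannot open $cert_path: $!";' (with -T in effect, dying is the correct failure mode). The DER branch should also call binmode(CERT) before the slurp, since CRLF translation on platforms that do it would corrupt the binary certificate and make length($data) wrong. The FORMAT parameter is only compared against the literal 'DER' and never interpolated into the path, so no untrusted value reaches the filesystem, which is fine as written.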
-diff -urNad postfix-release/tls/contributed/make-postfix-cert.sh /tmp/dpep.cXJuVH/postfix-release/tls/contributed/make-postfix-cert.sh
---- postfix-release/tls/contributed/make-postfix-cert.sh	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/tls/contributed/make-postfix-cert.sh	2005-02-03 10:22:13.092089551 -0700
-@@ -0,0 +1,78 @@
-+#! /bin/sh
-+
-+# make-postfix-cert.sh
-+# by Craig Sanders <cas at taz.net.au>    2000-09-02
-+# this script is hereby placed in the public domain.
-+
-+# this script assumes that you already have a CA set up, as the openssl
-+# default "demoCA" under the current directory.  if you haven't done it
-+# already, run "/usr/lib/ssl/misc/CA.pl -newca" (or where the path to
-+# openssl's CA.pl script is on your system).
-+#
-+# then run this script like so: 
-+#
-+#    ./make-postfix-cert.sh hostname.your.domain.com
-+#
-+# it will create the certificate and key files for that host and put
-+# them into a subdirectory.
-+
-+site="$1"
-+
-+# edit these values to suit your site.
-+
-+COUNTRY="??"                  # ISO country code
-+PROVINCE="YOUR STATE OR PROVINCE"
-+LOCALITY="YOUR CITY"
-+ORGANISATION="YOUR ORG NAME"
-+ORG_UNIT=""
-+COMMON_NAME=$site
-+EMAIL="someone at your.domain.com"
-+
-+OPTIONAL_COMPANY_NAME=""
-+
-+# leave challenge password blank
-+CHALLENGE_PASSWORD=""
-+
-+# generate a certificate valid for 10 years
-+# (probably not a good idea if you care about authentication, but should
-+# be fine if you only care about encryption of the smtp session)
-+DAYS="-days 1825"
-+
-+# alternatively, make one valid for one year
-+#DAYS="-days 365"
-+
-+# create the certificate request
-+cat <<__EOF__ | openssl req -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
-+$COUNTRY
-+$PROVINCE
-+$LOCALITY
-+$ORGANISATION
-+$ORG_UNIT
-+$COMMON_NAME
-+$EMAIL
-+$CHALLENGE_PASSWORD
-+$OPTIONAL_COMPANY_NAME
-+__EOF__
-+
-+# sign it
-+openssl ca -policy policy_anything -out newcert.pem -infiles newreq.pem
-+
-+# move it
-+mkdir -p $site
-+mv newreq.pem $site/key.pem
-+chmod 400 $site/key.pem
-+mv newcert.pem $site/cert.pem
-+cd $site
-+
-+# create server.pem for smtpd
-+cat cert.pem ../demoCA/cacert.pem key.pem >server.pem
-+chmod 400 server.pem
-+
-+# create fingerprint file
-+openssl x509 -fingerprint -in cert.pem -noout > fingerprint
-+
-+# create pkcs12 certificate for netscape (probably not needed)
-+#openssl pkcs12 -export -in cert.pem -inkey key.pem \
-+#  -certfile ../demoCA/cacert.pem -name "$site" -out cert.p12
-+
-+cd ..
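Review bot: the validity handling is wrong in two ways: the comment says "valid for 10 years" but DAYS is '-days 1825' (five years), and '$DAYS' is passed to 'openssl req -new', where -days only applies to self-signed (-x509) output, so it has no effect at all; the signed certificate's lifetime comes from default_days in the openssl.cnf used by 'openssl ca'. Either pass '-days' to the 'openssl ca' invocation or drop the variable. Also: '-keyout newreq.pem -out newreq.pem' writes the private key and the CSR into one file, which is then moved to key.pem, so key.pem carries the request as well; use separate files. There is no 'set -e' and no check of the 'openssl ca' exit status, so a refused signing still produces server.pem (built without cert.pem) as a 0400 file that smtpd cannot load; and '$site' is unquoted in 'mkdir -p $site' and the mv and cd lines, so an empty argument yields a request with an empty CN, turns 'mv newreq.pem $site/key.pem' into 'mv newreq.pem /key.pem', and runs a bare 'cd' into $HOME before server.pem is written.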
-diff -urNad postfix-release/tls/contributed/Postfix_SSL-HOWTO.pdf /tmp/dpep.cXJuVH/postfix-release/tls/contributed/Postfix_SSL-HOWTO.pdf
---- postfix-release/tls/contributed/Postfix_SSL-HOWTO.pdf	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/tls/contributed/Postfix_SSL-HOWTO.pdf	2005-02-03 10:22:13.092089551 -0700
-@@ -0,0 +1,310 @@
-+%PDF-1.3
-+%âãÏÓ
-+1 0 obj<</Producer(htmldoc 1.8.21 Copyright 1997-2002 Easy Software Products, All Rights Reserved.)/CreationDate(D:20021210121659+0000)/Title(Postfix SSL HOWTO)/Creator(SGML-Tools 1.0.9)>>endobj
-+2 0 obj<</Type/Encoding/Differences[ 32/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quotesingle/parenleft/parenright/asterisk/plus/comma/minus/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/asciicircum/underscore/grave/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde 128/Euro 130/quotesinglbase/florin/quotedblbase/ellipsis/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE 145/quoteleft/quoteright/quotedblleft/quotedblright/bullet/endash/emdash/tilde/trademark/scaron/guilsinglright/oe 159/Ydieresis/space/exclamdown/cent/sterling/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]>>endobj
-+3 0 obj<</Type/Font/Subtype/Type1/BaseFont/Courier/Encoding 2 0 R>>endobj
-+4 0 obj<</Type/Font/Subtype/Type1/BaseFont/Times-Roman/Encoding 2 0 R>>endobj
-+5 0 obj<</Type/Font/Subtype/Type1/BaseFont/Times-Bold/Encoding 2 0 R>>endobj
-+6 0 obj<</Type/Font/Subtype/Type1/BaseFont/Times-Italic/Encoding 2 0 R>>endobj
-+7 0 obj<</Type/Font/Subtype/Type1/BaseFont/Helvetica/Encoding 2 0 R>>endobj
-+8 0 obj<</Type/Font/Subtype/Type1/BaseFont/Helvetica-Bold/Encoding 2 0 R>>endobj
-+9 0 obj<</Type/Font/Subtype/Type1/BaseFont/Symbol>>endobj
-+10 0 obj<</S/URI/URI(mailto:justin at palmcoder.net)>>endobj
-+11 0 obj<</Subtype/Link/Rect[72.0 680.2 174.1 698.0]/Border[0 0 0]/A 10 0 R>>endobj
-+12 0 obj<</Subtype/Link/Rect[85.2 551.5 182.0 569.4]/Border[0 0 0]/Dest[96 0 R/XYZ 0 268 0]>>endobj
-+13 0 obj<</Subtype/Link/Rect[85.2 519.3 265.7 537.2]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
-+14 0 obj<</Subtype/Link/Rect[108.0 492.0 237.2 505.0]/Border[0 0 0]/Dest[98 0 R/XYZ 0 600 0]>>endobj
-+15 0 obj<</Subtype/Link/Rect[108.0 478.8 179.8 491.8]/Border[0 0 0]/Dest[98 0 R/XYZ 0 368 0]>>endobj
-+16 0 obj<</Subtype/Link/Rect[85.2 447.5 257.8 465.4]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
-+17 0 obj<</Subtype/Link/Rect[108.0 420.2 221.7 433.2]/Border[0 0 0]/Dest[100 0 R/XYZ 0 501 0]>>endobj
-+18 0 obj<</Subtype/Link/Rect[108.0 407.0 239.4 420.0]/Border[0 0 0]/Dest[100 0 R/XYZ 0 300 0]>>endobj
-+19 0 obj<</Subtype/Link/Rect[85.2 375.7 474.3 393.6]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
-+20 0 obj<</Subtype/Link/Rect[108.0 348.4 240.0 361.4]/Border[0 0 0]/Dest[102 0 R/XYZ 0 594 0]>>endobj
-+21 0 obj<</Subtype/Link/Rect[85.2 317.1 185.5 335.0]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
-+22 0 obj<</Subtype/Link/Rect[85.2 284.9 131.0 302.7]/Border[0 0 0]/Dest[102 0 R/XYZ 0 125 0]>>endobj
-+23 0 obj<</Subtype/Link/Rect[72.0 255.5 93.4 268.5]/Border[0 0 0]/Dest[96 0 R/XYZ 0 268 0]>>endobj
-+24 0 obj<</Subtype/Link/Rect[176.5 255.5 200.6 268.5]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
-+25 0 obj<</Subtype/Link/Rect[241.9 255.5 283.8 268.5]/Border[0 0 0]/Dest[96 0 R/XYZ 0 569 0]>>endobj
-+26 0 obj<</Subtype/Link/Rect[72.0 74.1 93.4 87.1]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
-+27 0 obj<</Subtype/Link/Rect[134.6 74.1 176.5 87.1]/Border[0 0 0]/Dest[96 0 R/XYZ 0 569 0]>>endobj
-+28 0 obj<</Subtype/Link/Rect[176.5 74.1 200.6 87.1]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
-+29 0 obj<</Subtype/Link/Rect[200.6 74.1 241.9 87.1]/Border[0 0 0]/Dest[96 0 R/XYZ 0 268 0]>>endobj
-+30 0 obj<</Subtype/Link/Rect[241.9 74.1 283.8 87.1]/Border[0 0 0]/Dest[96 0 R/XYZ 0 537 0]>>endobj
-+31 0 obj[11 0 R
-+12 0 R
-+13 0 R
-+14 0 R
-+15 0 R
-+16 0 R
-+17 0 R
-+18 0 R
-+19 0 R
-+20 0 R
-+21 0 R
-+22 0 R
-+23 0 R
-+24 0 R
-+25 0 R
-+26 0 R
-+27 0 R
-+28 0 R
-+29 0 R
-+30 0 R]endobj
-+32 0 obj<</Subtype/Link/Rect[72.0 721.0 93.4 734.0]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
-+33 0 obj<</Subtype/Link/Rect[93.4 721.0 134.6 734.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 268 0]>>endobj
-+34 0 obj<</Subtype/Link/Rect[134.6 721.0 176.5 734.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 537 0]>>endobj
-+35 0 obj<</Subtype/Link/Rect[176.5 721.0 200.6 734.0]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
-+36 0 obj<</Subtype/Link/Rect[200.6 721.0 241.9 734.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
-+37 0 obj<</Subtype/Link/Rect[241.9 721.0 283.8 734.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 465 0]>>endobj
-+38 0 obj<</Subtype/Link/Rect[72.0 61.6 93.4 74.6]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
-+39 0 obj<</Subtype/Link/Rect[93.4 61.6 134.6 74.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
-+40 0 obj<</Subtype/Link/Rect[134.6 61.6 176.5 74.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 465 0]>>endobj
-+41 0 obj<</Subtype/Link/Rect[176.5 61.6 200.6 74.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
-+42 0 obj<</Subtype/Link/Rect[200.6 61.6 241.9 74.6]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
-+43 0 obj<</Subtype/Link/Rect[241.9 61.6 283.8 74.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 393 0]>>endobj
-+44 0 obj[32 0 R
-+33 0 R
-+34 0 R
-+35 0 R
-+36 0 R
-+37 0 R
-+38 0 R
-+39 0 R
-+40 0 R
-+41 0 R
-+42 0 R
-+43 0 R]endobj
-+45 0 obj<</Subtype/Link/Rect[72.0 267.6 93.4 280.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
-+46 0 obj<</Subtype/Link/Rect[93.4 267.6 134.6 280.6]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
-+47 0 obj<</Subtype/Link/Rect[134.6 267.6 176.5 280.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 393 0]>>endobj
-+48 0 obj<</Subtype/Link/Rect[176.5 267.6 200.6 280.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 125 0]>>endobj
-+49 0 obj<</Subtype/Link/Rect[200.6 267.6 241.9 280.6]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
-+50 0 obj<</Subtype/Link/Rect[241.9 267.6 283.8 280.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 334 0]>>endobj
-+51 0 obj<</Subtype/Link/Rect[72.0 112.6 93.4 125.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 125 0]>>endobj
-+52 0 obj<</Subtype/Link/Rect[93.4 112.6 134.6 125.6]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
-+53 0 obj<</Subtype/Link/Rect[134.6 112.6 176.5 125.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 334 0]>>endobj
-+54 0 obj<</Subtype/Link/Rect[200.6 112.6 241.9 125.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
-+55 0 obj<</Subtype/Link/Rect[241.9 112.6 283.8 125.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 302 0]>>endobj
-+56 0 obj[45 0 R
-+46 0 R
-+47 0 R
-+48 0 R
-+49 0 R
-+50 0 R
-+51 0 R
-+52 0 R
-+53 0 R
-+54 0 R
-+55 0 R]endobj
-+57 0 obj<</S/URI/URI(http://www.postfix.org)>>endobj
-+58 0 obj<</Subtype/Link/Rect[108.0 688.8 168.8 701.8]/Border[0 0 0]/A 57 0 R>>endobj
-+59 0 obj<</S/URI/URI(http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls)>>endobj
-+60 0 obj<</Subtype/Link/Rect[108.0 675.6 191.4 688.6]/Border[0 0 0]/A 59 0 R>>endobj
-+61 0 obj<</S/URI/URI(http://www.palmcoder.net)>>endobj
-+62 0 obj<</Subtype/Link/Rect[108.0 662.4 269.3 675.4]/Border[0 0 0]/A 61 0 R>>endobj
-+63 0 obj<</Subtype/Link/Rect[93.4 634.0 134.6 647.0]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
-+64 0 obj<</Subtype/Link/Rect[134.6 634.0 176.5 647.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 302 0]>>endobj
-+65 0 obj[58 0 R
-+60 0 R
-+62 0 R
-+63 0 R
-+64 0 R]endobj
-+66 0 obj<</Dests 67 0 R>>endobj
-+67 0 obj<</Kids[68 0 R]>>endobj
-+68 0 obj<</Limits[(postfix_ssl-howto-1.html)(toc6)]/Names[(postfix_ssl-howto-1.html)69 0 R(postfix_ssl-howto-2.html)70 0 R(postfix_ssl-howto-3.html)71 0 R(postfix_ssl-howto-4.html)72 0 R(postfix_ssl-howto-5.html)73 0 R(postfix_ssl-howto-6.html)74 0 R(postfix_ssl-howto.html)75 0 R(s1)76 0 R(s2)77 0 R(s3)78 0 R(s4)79 0 R(s5)80 0 R(s6)81 0 R(ss2.1)82 0 R(ss2.2)83 0 R(ss3.1)84 0 R(ss3.2)85 0 R(ss4.1)86 0 R(toc1)87 0 R(toc2)88 0 R(toc3)89 0 R(toc4)90 0 R(toc5)91 0 R(toc6)92 0 R]>>endobj
-+69 0 obj<</D[96 0 R/XYZ 0 268 0]>>endobj
-+70 0 obj<</D[96 0 R/XYZ 0 87 0]>>endobj
-+71 0 obj<</D[98 0 R/XYZ 0 61 0]>>endobj
-+72 0 obj<</D[100 0 R/XYZ 0 74 0]>>endobj
-+73 0 obj<</D[102 0 R/XYZ 0 280 0]>>endobj
-+74 0 obj<</D[102 0 R/XYZ 0 125 0]>>endobj
-+75 0 obj<</D[96 0 R/XYZ 0 734 0]>>endobj
-+76 0 obj<</D[96 0 R/XYZ 0 240 0]>>endobj
-+77 0 obj<</D[98 0 R/XYZ 0 733 0]>>endobj
-+78 0 obj<</D[100 0 R/XYZ 0 705 0]>>endobj
-+79 0 obj<</D[102 0 R/XYZ 0 718 0]>>endobj
-+80 0 obj<</D[102 0 R/XYZ 0 252 0]>>endobj
-+81 0 obj<</D[104 0 R/XYZ 0 733 0]>>endobj
-+82 0 obj<</D[98 0 R/XYZ 0 600 0]>>endobj
-+83 0 obj<</D[98 0 R/XYZ 0 368 0]>>endobj
-+84 0 obj<</D[100 0 R/XYZ 0 501 0]>>endobj
-+85 0 obj<</D[100 0 R/XYZ 0 300 0]>>endobj
-+86 0 obj<</D[102 0 R/XYZ 0 594 0]>>endobj
-+87 0 obj<</D[96 0 R/XYZ 0 569 0]>>endobj
-+88 0 obj<</D[96 0 R/XYZ 0 537 0]>>endobj
-+89 0 obj<</D[96 0 R/XYZ 0 465 0]>>endobj
-+90 0 obj<</D[96 0 R/XYZ 0 393 0]>>endobj
-+91 0 obj<</D[96 0 R/XYZ 0 334 0]>>endobj
-+92 0 obj<</D[96 0 R/XYZ 0 302 0]>>endobj
-+93 0 obj<</Type/Pages/Count 6/Kids[94 0 R
-+96 0 R
-+98 0 R
-+100 0 R
-+102 0 R
-+104 0 R
-+]>>endobj
-+94 0 obj<</Type/Page/Parent 93 0 R/Contents 95 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F8 7 0 R/F9 8 0 R>>/XObject<<>>>>>>endobj
-+95 0 obj<</Filter/FlateDecode/Length 90        >>stream
-+x
-ÂÁ
-+@@àû<Åä²fhV{Uä ÐNy R”$Ÿ¾ï"ÿeŽÂc>¨2Êš 	°¢â¼(
-+U'AaØ13lN†ó~ÖíEŒÚ~²>µj£‘>!šëendstream
-+endobj
-+96 0 obj<</Type/Page/Parent 93 0 R/Contents 97 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F4 4 0 R/F6 6 0 R/F8 7 0 R/F9 8 0 R/Fc 9 0 R>>/XObject<<>>>>/Annots 31 0 R>>endobj
-+97 0 obj<</Filter/FlateDecode/Length 1533      >>stream
-+x¥VM“Û6½ï¯À­›¯¢/ëãÐCÛ4i:i“vÉ%Ú¦b6úp%Ù›ý÷} %‘v·{é¬×cè ð >êBüE”Ç”d´kn ēåëÏ7ü„²tÄÔPšÙdÔtã™
-EaD(~aï´Èñã¿×TIÀõ:AÀ+ âgë(ÖØ*Š8€µx/Ó"
-€y¤ðfƒ1Ïl¨Œ/0Ïä×Aî9ú6Д·ta}h™\ø&/^si ¦ŠÉbœÉ•¤\«¬”J<hÆÔ:Ô†MěÊáÂNX±Oé‚y&‚†9ç³€–¼(f-[b8ò&̲µ`žÉA…¼ôm –<‡z6P¤‡„TªLðP¦ŠÙ²ÆRåŒEa†&;з6æ’<Ô³9¥s¨Ý4çAœ¨MÄp›NXF˜!ú6ÂF9N‡z6Ð,¿ôå¡N at FÎsq1bõÎÄÜ®q|æ™\§‹ÂŽ¾
-4g«o-SæhÙÔ·Š“uPz¨o-²‹¤|»¡$,/|}Cüb-û˜Äta_Çþ„W³`ž‰b0ƒHw}hÆrã¡ÌZ\°.5T0f
-ÞÒ3ሀk„	GŒO	ÇuÉŽb°#kDœ”ˆy%_Ä¡œ±˜(Cúr¬Ýâä¡o4£qá88TÂBY·þ­£ùÓÏ%?ôOæ˜så,²˜ç–-&R¦b†<sÎOJò’îì'¹:Ì™¼g¾`’x‰¸ÊûÇÍÍË×%æ’6.Ÿ,/‚²Œi³—{'¤ÍîöC7Œ•ùF÷÷ïè—÷Ÿ6ï_lþ²N,#âv—ÄA‘²Ûí¯§a4-½Rg£»2EK§uq$œö·ç(WôJït³Õ=ÅaÛÕ™·º@ã°vs0á£Z2íØwûÓn4]KcGãAÓiÐÔU´ywÿ’s|0ãAžÏ‰ÿ¶ù! ƒi¿ðÚ!̱ïÎf¯g÷Þ:)Î ¤;™8ìÛhÕ¼‹nwýãq”å25íº¶Õ’ÄÊǏµB‚úÛHê„ÌÚÑìgêm¿¢Çî$9¨zè®6ô¼4).¬§­ôžP­BÖæ¬FM_õ#ïªêº{ ɧ׵zDå
-u½Á‹A*4F½õè›öFëâPZ4S¦@¶u¯û³îmÔ¹x9¹säýS×VæË©—bé¨zÕ Ï~êÿnêèîA~dzŸã,§Ë¨.Ô#)Úh%iš]ú| Wô	&ú.xIåÉ•íjƒ]æpYYâUÆyð¬ù^ϧ3³uYkÙÝj¦j
-+Yá‡îÑÛ9›çã>Sfн%ðé(éb€Ð>™7LÞ¦W§ô’ƒØ˜"`ò]«ÿg[Ö½6­LÅÇ#GÃés™ôδ_¯Ä’Jfeäw>lz}6Ýià9Ñԁž~lÓuòfhÈŽ—¯çò–‹r-g¤Ý‹&Î6ªkE‰xP¨&»ã©V=é;9¥¶8Zhm÷ü§r¤-f¢2ȼê»Æ:wÕDÈ,G³ÃwX¥Õxêõ°¢íii¤ºI«ÁØv›v¡Ì=+D;â? O·þ9ëË@MJ•©ñ£êzÖ5×ÝÕÕþs¡âÆ5Vª1µQ“<ÌÂ}ËúôýYÕ'm	ŸY¼½o·ÅÈB³'=fÕyP"n³ä*Ok—ñ½Jl§ûÑT¬µzÀH¡Ž¦C¦EI"¾*ðá}˜õ
-+ä|Õ4€KÑå^«ý…HòÑaG¾mPñ`F-‹‰˜Û2Ó±y©¿,åX­žeÚvyÿØ‚À½ý@j¿G7¹Ÿoû9<¨¾7]?|~aÇC1†ù¸ª|¯wf˜ê{8h¤(‡ÝîÆ	[½r`*+cŽ1\¦bO[ðî<0ͽþbL*0Üèj¾®R8¨×­ÚÖZ2å[m¾/qwrÀƒÂeYcÄÇ­-SZL/±c5F5RmƱִ5#ßï8éýõ
-=èÝ©7ããÜ¿œæ§Ïÿ³²P¸÷¼žGqÆ÷ÔÜ[îëòî“aP©½É"¦ãçÍÍ7ÿ .Ý>endstream
-+endobj
-+98 0 obj<</Type/Page/Parent 93 0 R/Contents 99 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F0 3 0 R/F4 4 0 R/F5 5 0 R/F6 6 0 R/F8 7 0 R/F9 8 0 R>>/XObject<<>>>>>>endobj
-+99 0 obj<</Filter/FlateDecode/Length 1220      >>stream
-+x•VÛnÛF}×WÒ°V$uu€u¹à[-E‹´Æš\Z“»ìîÒ®úÐoïÌ’ŒHYISr®gfÎÌŸƒü„°ˆ`2‡¤,€IÈ–0].ðo„_# ¼ã‹Sgø*ÎPg¾ŒX8‡8T	ˆ“aÄàV[—É¿€[à_n`#̳0oãO¨>…0¬•GÑ‚Mæh)¶ZÁ¦Ú¬ Ñ…°ðPÉÜÁ‹t[°UYjã Ó6›Ë1Z=«ç9¸-w -(!R‘Ò¿D«L>V†;‰u†"¬œ¦8…‘o4¡_È(©)‘Že£J&u¨,Õ#ìtå= Hµ÷bw¢k;ÆÉL&ô“O…ã2§Iø]+gtZyd#`ðkÇK¢Ë]×ú“ØWi÷Q×!š 4ÇÂ%㲩@*
-&¤ÍŽÁÚøGœ°(;!Ë%Š@RžÉ–«Ç:³R˜BZK˜ bÙ²4ò™Å°ÞÕ¥
-à” Í¨‹FÑ”Íæ8ÙêFkÇè§)£tڐ°#H®Ð)L±êRy	/ÒmºŸl¹˜öœ÷Ê]rÃÌØ:ª£
-·J%åÛ‡k\p©X’5QEs6%giy¦©S¨r©°=À–¤i±T'U!”cŒ}‘ïà}›}Ÿ>ä|Ü‚âf}\láÊôÞåö!»Ï°£àû^™ÇE`õÐÜkQ“|Q­Å—¼Ÿóu~FöêqWYAb|;ÑÀ?kæÝ×
-!
-&¾nûðÚ¤jÄÚj
-i¨@¹Æqz=Ɲîk°nuF{ïä3ÿÏKg¾¾ÅKØ7º8ïÅYå¶ÚH·ƒŽGø8l(
-;
-GUf5tDìÇ·ÿWS’àˆ–‰3q9R㈇VÆ«ÜõiÈ–"ñ¤–çè_xŸ9¾eUÏÁ8Û[]å)9ë–¡!oôÙDÛÝ!#Ü4‘´ˆØCXG#†²ýÑÞ~_ܨ¤O¼=ð (s¦\\ÖqÜíŠ!M¶"yªéŽpØ"W?¡j$:Ò¯Ú§Šbü§îÝ??$J8@îÈ™E´Y¢YõѬEÁ“[lv”V°	®S"EôçIŒ–n¬ö1¶²	/ñ²Áj!s`ŠüÞ8ˆü‹¢àP­ï`µ¹Šo[z±­>\Þ qÈ>üÞûhŒ"zõþv}»º\_¯¯ê{%ÝÍú·f!µ=XÅw×GÄâ³»¸©;uÇ
-Åaù~_­¯V}•ÍQqDáNð;UC]øWtÀD1’LÓÅØ+%.:|N	Ž/ZNÂÂ÷µå7µÜžµxV—ÇVTn$°CCÝ°÷×Ь|T8f´Wh–ˆúš¨¤gÒÎ<½È7Z×t(•ª/AsãgŒÆ¥Ý_þ„±Pj©Ü	ª~ñżaç!ŒŸ¹çú‘–`~˜)HIá)Èé«v ŒÑ¸¯H¼ÍÅ/Ü(P "ïQ[•çž"xŽgÛ	àe‡b¤‹/‰—𝯠Ž}oBœfnµjXdÙžFl:‡ù®™¤vºê>ÜüßP„£Fn´NëÓ¡†c—êt‰7ÆrŠG.]¤¿Š?þfÉi«endstream
-+endobj
-+100 0 obj<</Type/Page/Parent 93 0 R/Contents 101 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F0 3 0 R/F4 4 0 R/F5 5 0 R/F6 6 0 R/F8 7 0 R/F9 8 0 R>>/XObject<<>>>>/Annots 44 0 R>>endobj
-+101 0 obj<</Filter/FlateDecode/Length 1602      >>stream
-+x•W]oÛ6}ϯ¸ÈËR VümGoi»vÚ5k<
-+ŒDÙ\$Ò¥8ޯ߹$%3ž—bh›T"ï×¹çRhˆ?#ZŒi2§¬:&C¼é|ýÈoh¾œãgEãQ2
-%ÝŸEÍÇÉ<Z‹+
-§É,ZŒŸ±:^¾0Ÿ±:¿N®cÛè™3%ËhÕe»˜'cš.ÈyŒµ¤Â•1~?ž#~¨Îý¿/.¬¸bú•ÃSWY¿äV¾ŽÃš+³[sU֏]MýÚÛÕÙÕ‡)F´*ЬùrA«ÜõhH«ìâgùÜÐ]-Ÿ”i-½3º‘º±túõ›ÕŸpvM£Psî“I2žÂãÅ$¡;c›B=“°$hõéž²RÁ›·:¤0/’Éò‹Î"šDÖxKoE—JØFÖø¥J²²~’uB«²„¿»Doîï?]q¬™™JZ´K”åžZ+‹¶L’„£i <\š·D¥¨×’r·úÎõ>Ž`ñ°‡?ö‘Saj’"ÛP.·¢n*”Ð'¥•^S³‘V†Ä,µ[âBdˆ96\¥ÈÚ¶Tv{Z«§`ÜCf÷¨³Bj¹,D[6´–A-K$ãêoLB¿›ÖÅ@`Í©e’sèÜō€lÙ Q™h$‰5Êfï0øzhQ0ç%Bß(“u£
-+gÔÁØ•ô«Ûm°®_qûÏ«» ¡1fgi°heÀ~g-úèJtÕrTx²&XÐ5¼àŽi‰l•(™ÚÅðœƒìs§š
-×Fä´u­LmÏ/™r}ÔÁ7 ˆ¦Û»£È"Ïkió´ihk¬U%Ü·èqhÌáf#<¶·wÔ٘­‡†T “Ò’²ÐkPVºôUùf‚vÇUç(
-+‘µ£jº½¿;Ý’SÍCåeéÑïÀq§^¢Ÿ4×Qn™›©= LèFçG° uæ£nU.I…
-+®b?§ôž0U«™O
-+Ì¢Ñæ¡–:«÷Û&S4okoàA<
-+oÑxs`KÓ¨—¦+[¡ÖmÍD`¯ß•¦×éBTªT¢æl+7’èܝèFîÒyëçÝ´vC`r°z”Æ<¶[ë!é"SÔäTU.‘²²ÝA8ëN/äD²õÈ°îLýYdš×r-êÜ
-eÏn { øQÀUÉz°>¡w}¢Ñ‡©sÌ	…X‹Ò}­æ-#f¥$Uàµw{?Š&#Š¸
-+è{Τ Ü^º-H5xévØã’Âv„=h¦ÛΦH`€}؍	>Ê 0­ÎB©!$ì µ­(ÙäêÃ,¦tþÕ©3ô…!Ç$ÈüÜoꎻ¡dŽ›¢6UDÆR¯0
-'ÉÓJYÊú@ó>›+ÙdW%>ƒ¯xxÂÎ>%Ô¬ TAš
-+ï3õN‡tÍGWÁ׺Á·¯9ß.â|žD	á{YìÀmÇeo2áí\à¹ÛwNrOâÁ<qâ×}ã戏‚àµc¶–ÒÓv#°7ÌÒV@òÐXœÉnªðßÌh¨¦Z††Á1ߝOØÁ—æ“–þ8e–r;ùxÕ‚Ê<
-+Ê¼–+Û`@ZœàÎÚì4.%'[38‚ë;ú4¦8¼Xç‚<E¦/!æ«L}ZZ{;_UdÕv8Ã/©n=™òαX’…Î_o»ÙJmmIϳá5
-â LfrÕœlq‹y™ñ¿Hv¸i[›¼
-˜Ïïg'D‚Y“@º·^ýâÈh÷‘iëÃýÿ9ˆèòí"ýw#–'0¹‘VÿА|F�ñ7/»1m™CßAM‹Û¦'q©~e_Gñz–¾¦gér‘¾_¤“iúî&}7MÇ‹ôí0ý0I—Òù<]Þ¤‹Eº|OKXð5ÉLÒ>¾êíp²˜¢•-/_Œ‰ñn0^Ï•U„5ü?%…[n_ω§?”ø:	¸ =™©q£Úí'žûé%"n´£J4ø^Ü›MmÚµŸFu×!|&¹‹þé/˜W?l–AJG×ãdÊ_£ø^õ7:ácƒ~úòÛêsnö
-ÈÝë_@Óå0Y.§øã­lÿãêì—³ •»bendstream
-+endobj
-+102 0 obj<</Type/Page/Parent 93 0 R/Contents 103 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F0 3 0 R/F4 4 0 R/F5 5 0 R/F6 6 0 R/F8 7 0 R/F9 8 0 R>>/XObject<<>>>>/Annots 56 0 R>>endobj
-+103 0 obj<</Filter/FlateDecode/Length 1758      >>stream
-+x¥WÛŽÛF}Ÿ¯(ø%2 áè6i?8;	¬³±#ØY=dSêÉVØMµ_¿§ªy­ÉÛ¢š]uêrN•þ¼šÓæt· eLIq5‹f¯7ÑŠVë;|^ào¥)“ƒÅí<Z\8€hÖüóëáÕå"Š© Å¦òÓÇ«ÁcA1¿ÒŸ
-šÏVÑíàpøŒÓÅúìêð§ñ&ÚïžÑ<ZN9âÅbï.D¼‰/Lww}tò¹®9‘`º“þ©¬;
-+Л[y&À›³€»;“BÝ}úûíÕÍû
-Íoq´ÍPÜ8Ž£MLÛTŠ4£m2YEôQ{oÊÕò{MNWG]‘·(v®Nô¨œNÉ–”á%]*Sz÷zûl¯h>–¯wÑ2†›tòi¯ËpïOéë|f¾PU—ö+[ïö¤àÅ“Íðm®ñµ¥T{]¦Ôd2‘äF—ž
-+•ìå[G*Ïí3 tÈ
-+er2£ëùŁóÖAHDŸ4•:Üó:Ï;D~¯<¥!;r˜ÌàES
-+	ÿsÀ‘èÊ;d פÀÊÈH‹h‹¨,,Gϸ’¦tàýgŸ»3³xCJo›”NÈþ~® êÀ™À'ç+“xcËQúñ®W^œ/S;qg`Ê(ÉÂ×mÅ&Ñøv¯ ªÒLÕßØà!U‰*éQs¶¤’ƒ®Ð£²q¾Ì°Ú{hªÞ‡I°4Bà«Úy˜>…þ¸ûð:¢÷¶â^)¸J¦D”y®ДBu€ãÑ6Ü@u)‰—3>ÊÅ }ʱe	M’<h-S¦æhÒZå”ØÒW6'ËD‘î‘tž“íz	…\qS®¢9H&¬
-+ýû™ÙÕ•Är{*¡(-liŸ™6LS öÙç¤
-s®j±ô\ ¤K8à¼A[&4†à 4ø¨gÙRÿ$ÿw¦h•”Ž¸5XG˜Ò°w 	|èœ5a &·7GŸF èZHƒ‹èw[C}òS™¤(ÓÏ”CD=lHãÿk{¡p@2 aԁ„Mº#z—¢¾Õì KD"„1mf[	ƒ×4OÈCfYÌøIbøG@?£
-ËXÆøz©ßqÿ°ˆh<éÓgqð†n´OnA[oþ«Ëgm
-+¡ÉƒK\ƒotA—¯Ý¿½äéþ-›‹píë[ £¤7tÒ#…º–€âh¶\2¶·ŽN¨*Ë€Óº%3Èt"g
-+“+¡4²ß”ƒ	׉<¨ÊSVÙ‚KD™J¸V(Ô¬Ò«9ÊùŠóöj
-+Þøl3%ä$}Zò¨ò]Th Ñ_`
-+­&®UÁ’Â5‚*¼&hTÛES‰k¯Ž¸ùlG^ƒ–6-±ËÄ9¡™S©:x[C03V=p•ÇˆÈ!œ³­›÷ýt{Ô?tºNH
-€³*~ë(˜üõõ€ÀŒ€sì¾R¥;X¤½P"@*®Ug·&4Ô—ÉÑO\eT€dô²¶öˆYFÏX.P¦ååBƤ-õx.}`æ‡Úf’ǯÈÁÎ6´•™ÄŸq=`Ù׏ÓfžŸdR|ãPl“t•³Û§¡Èp£á¹S tæ€Õ ~=L
-+UžM¼Òj§JãD…ց‡×ÓvT§´{cIExò–Gr‰v(Ä ©Gô‡$ð¬ˆU¦_¯Ý[“Û‡×ãNL„·Óˆ¬$®c‚MoÊ»Ê3OŠdoí¥¡:HÀ‹MXèdÏqƒŸíÙ5t»¢ñÈ3ñ¯µ¯sYù·ìUÔF‰ê§ÿœGÄfÝŠÍ?õO¿Túhlí裃ÑÑ寃¥áÎ|½„hHInÁuƒ D~’¼°o-«@G€ÌA8@*T	ºô%º¼Éh兏uŽ-´[tHïì<{A*´¨ÈÏâ£ÁLä·s»“AwîlP¸›£ªnðÖ
-ß=ÏÞ$L\··už¶|H-à ìð=õÑöÝïu‚
-aà=к§$÷•Ý
- 4ë¾ñ¡uu’`îguâ;”Š‰Ç>EG¶.Ü	«bñBœêÃ%tøh!Ä6ŸÒ霮ò`ð¾
-Jh½_A¥B^…ƒ1^g,ïxNÚ•`QØj¥Α‡ñÁDyÿšö
-ä)V±'üœ@ðö‰0óØjKe—í [º¯åG‹³høÍÅD€"žT#ǨöEXÁ\‚ü$¹Æ4æîÂND¡žd(²?Ú¾sô‡}Lž´rFWž­ƒž]¦Û_²pÝü„™oÑ*¦x9‹V‰mõP4úñçíŽáºyïún¶aý¿lWëY´^¯ð‹™í°ñwÛ«]ý±–Iÿendstream
-+endobj
-+104 0 obj<</Type/Page/Parent 93 0 R/Contents 105 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F4 4 0 R/F8 7 0 R/F9 8 0 R/Fc 9 0 R>>/XObject<<>>>>/Annots 65 0 R>>endobj
-+105 0 obj<</Filter/FlateDecode/Length 362       >>stream
-+x¥QËNÃ0¼û+öXqmÇñã
-+z¨h!–¸pkSQ hêç3NLëŠe<³»³ãO&Ià‘d•†V-\àäôyºg¥á‚LUrG-ËUT³¶ä
-$£0rcÜ ÎùÈ
- rlIJÏuFŽ…Êâ÷øD0<Ö¬ŽMO\aFF×'.ƒ¨-¯22Ç`½åeÆ"2Òb
-í,þÞ}C¦$LUÞ>MÉç/DG¡1oTFò:°é'YÁ~Ø ã—†ÂzH^PXM§ùv÷~¸
-+ok„¥¸£;•…ëɲ;ô›í‘f]ÛŒºUÒ–»xµ½(cé²Ë@²ÄUž»Lüþg§èƒº
-õ¯
-%oc×ÅsXÔqX(ǥǮÃãCsìi¹o¾·Ýׁnº]ßìú”K;K¯¸6".ò©ë9Í¢‡h¡HºÂ
-+[çAk'¸sz®ŠêÛÀÙþ¶ªendstream
-+endobj
-+106 0 obj<</Type/Catalog/Pages 93 0 R/PageLayout/SinglePage/OpenAction[96 0 R/XYZ null null 0]/PageMode/UseOutlines/PageLabels<</Nums[0<</P(title)>>1<</S/D/St 1/P()>>]>>>>endobj
-+xref
-+0 107 
-+0000000000 65535 f 
-+0000000015 00000 n 
-+0000000210 00000 n 
-+0000001776 00000 n 
-+0000001850 00000 n 
-+0000001928 00000 n 
-+0000002005 00000 n 
-+0000002084 00000 n 
-+0000002160 00000 n 
-+0000002241 00000 n 
-+0000002299 00000 n 
-+0000002357 00000 n 
-+0000002441 00000 n 
-+0000002541 00000 n 
-+0000002640 00000 n 
-+0000002741 00000 n 
-+0000002842 00000 n 
-+0000002941 00000 n 
-+0000003043 00000 n 
-+0000003145 00000 n 
-+0000003245 00000 n 
-+0000003347 00000 n 
-+0000003448 00000 n 
-+0000003549 00000 n 
-+0000003648 00000 n 
-+0000003748 00000 n 
-+0000003849 00000 n 
-+0000003945 00000 n 
-+0000004044 00000 n 
-+0000004142 00000 n 
-+0000004241 00000 n 
-+0000004340 00000 n 
-+0000004496 00000 n 
-+0000004594 00000 n 
-+0000004694 00000 n 
-+0000004795 00000 n 
-+0000004896 00000 n 
-+0000004996 00000 n 
-+0000005097 00000 n 
-+0000005194 00000 n 
-+0000005291 00000 n 
-+0000005390 00000 n 
-+0000005490 00000 n 
-+0000005588 00000 n 
-+0000005687 00000 n 
-+0000005787 00000 n 
-+0000005887 00000 n 
-+0000005986 00000 n 
-+0000006087 00000 n 
-+0000006189 00000 n 
-+0000006290 00000 n 
-+0000006391 00000 n 
-+0000006491 00000 n 
-+0000006591 00000 n 
-+0000006692 00000 n 
-+0000006794 00000 n 
-+0000006895 00000 n 
-+0000006988 00000 n 
-+0000007041 00000 n 
-+0000007126 00000 n 
-+0000007211 00000 n 
-+0000007296 00000 n 
-+0000007351 00000 n 
-+0000007436 00000 n 
-+0000007537 00000 n 
-+0000007638 00000 n 
-+0000007689 00000 n 
-+0000007721 00000 n 
-+0000007753 00000 n 
-+0000008240 00000 n 
-+0000008281 00000 n 
-+0000008321 00000 n 
-+0000008361 00000 n 
-+0000008402 00000 n 
-+0000008444 00000 n 
-+0000008486 00000 n 
-+0000008527 00000 n 
-+0000008568 00000 n 
-+0000008609 00000 n 
-+0000008651 00000 n 
-+0000008693 00000 n 
-+0000008735 00000 n 
-+0000008777 00000 n 
-+0000008818 00000 n 
-+0000008859 00000 n 
-+0000008901 00000 n 
-+0000008943 00000 n 
-+0000008985 00000 n 
-+0000009026 00000 n 
-+0000009067 00000 n 
-+0000009108 00000 n 
-+0000009149 00000 n 
-+0000009190 00000 n 
-+0000009231 00000 n 
-+0000009321 00000 n 
-+0000009474 00000 n 
-+0000009637 00000 n 
-+0000009831 00000 n 
-+0000011437 00000 n 
-+0000011626 00000 n 
-+0000012919 00000 n 
-+0000013124 00000 n 
-+0000014800 00000 n 
-+0000015005 00000 n 
-+0000016837 00000 n 
-+0000017024 00000 n 
-+0000017460 00000 n 
-+trailer
-+<</Size 107/Root 106 0 R/Info 1 0 R/ID[<c567b3b845f93fff5790763fa9931d35><c567b3b845f93fff5790763fa9931d35>]>>
-+startxref
-+17638
-+%%EOF
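Review bot: this hunk carries a binary PDF (FlateDecode streams of raw bytes, as the unreadable runs between 'stream' and 'endstream' show) as 310 lines of a text patch; patch and dpatch are line-oriented and will not preserve bytes such as CR inside the streams, so the file is unlikely to be reconstructed byte-for-byte and the xref offsets and 'startxref 17638' will no longer match the content. Ship generated documents outside the patch, or regenerate them from the SGML source at build time, rather than embedding them in a dpatch. The next file in this patch, tls/contributed/Postfix_SSL-HOWTO.sgml, also begins with '%PDF-1.3' and the same htmldoc Producer object with a different CreationDate, so it is a second copy of the PDF rather than the SGML source the 00README describes; the actual .sgml should be included in its place.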
-diff -urNad postfix-release/tls/contributed/Postfix_SSL-HOWTO.sgml /tmp/dpep.cXJuVH/postfix-release/tls/contributed/Postfix_SSL-HOWTO.sgml
---- postfix-release/tls/contributed/Postfix_SSL-HOWTO.sgml	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/tls/contributed/Postfix_SSL-HOWTO.sgml	2005-02-03 10:22:13.093089328 -0700
-@@ -0,0 +1,349 @@
-+%PDF-1.3
-+%âãÏÓ
-+1 0 obj<</Producer(htmldoc 1.8.21 Copyright 1997-2002 Easy Software Products, All Rights Reserved.)/CreationDate(D:20021211094503+0000)/Title(Postfix SSL HOWTO)/Creator(SGML-Tools 1.0.9)>>endobj
-+2 0 obj<</Type/Encoding/Differences[ 32/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quotesingle/parenleft/parenright/asterisk/plus/comma/minus/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/asciicircum/underscore/grave/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde 128/Euro 130/quotesinglbase/florin/quotedblbase/ellipsis/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE 145/quoteleft/quoteright/quotedblleft/quotedblright/bullet/endash/emdash/tilde/trademark/scaron/guilsinglright/oe 159/Ydieresis/space/exclamdown/cent/sterling/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]>>endobj
-+3 0 obj<</Type/Font/Subtype/Type1/BaseFont/Courier/Encoding 2 0 R>>endobj
-+4 0 obj<</Type/Font/Subtype/Type1/BaseFont/Times-Roman/Encoding 2 0 R>>endobj
-+5 0 obj<</Type/Font/Subtype/Type1/BaseFont/Times-Bold/Encoding 2 0 R>>endobj
-+6 0 obj<</Type/Font/Subtype/Type1/BaseFont/Times-Italic/Encoding 2 0 R>>endobj
-+7 0 obj<</Type/Font/Subtype/Type1/BaseFont/Helvetica/Encoding 2 0 R>>endobj
-+8 0 obj<</Type/Font/Subtype/Type1/BaseFont/Helvetica-Bold/Encoding 2 0 R>>endobj
-+9 0 obj<</Type/Font/Subtype/Type1/BaseFont/Symbol>>endobj
-+10 0 obj<</S/URI/URI(mailto:justin at palmcoder.net)>>endobj
-+11 0 obj<</Subtype/Link/Rect[72.0 680.2 174.1 698.0]/Border[0 0 0]/A 10 0 R>>endobj
-+12 0 obj<</Subtype/Link/Rect[85.2 551.5 182.0 569.4]/Border[0 0 0]/Dest[96 0 R/XYZ 0 268 0]>>endobj
-+13 0 obj<</Subtype/Link/Rect[85.2 519.3 265.7 537.2]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
-+14 0 obj<</Subtype/Link/Rect[108.0 492.0 237.2 505.0]/Border[0 0 0]/Dest[98 0 R/XYZ 0 600 0]>>endobj
-+15 0 obj<</Subtype/Link/Rect[108.0 478.8 179.8 491.8]/Border[0 0 0]/Dest[98 0 R/XYZ 0 368 0]>>endobj
-+16 0 obj<</Subtype/Link/Rect[85.2 447.5 257.8 465.4]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
-+17 0 obj<</Subtype/Link/Rect[108.0 420.2 221.7 433.2]/Border[0 0 0]/Dest[100 0 R/XYZ 0 501 0]>>endobj
-+18 0 obj<</Subtype/Link/Rect[108.0 407.0 239.4 420.0]/Border[0 0 0]/Dest[100 0 R/XYZ 0 300 0]>>endobj
-+19 0 obj<</Subtype/Link/Rect[85.2 375.7 474.3 393.6]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
-+20 0 obj<</Subtype/Link/Rect[108.0 348.4 240.0 361.4]/Border[0 0 0]/Dest[102 0 R/XYZ 0 594 0]>>endobj
-+21 0 obj<</Subtype/Link/Rect[85.2 317.1 185.5 335.0]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
-+22 0 obj<</Subtype/Link/Rect[85.2 284.9 131.0 302.7]/Border[0 0 0]/Dest[102 0 R/XYZ 0 125 0]>>endobj
-+23 0 obj<</Subtype/Link/Rect[72.0 255.5 93.4 268.5]/Border[0 0 0]/Dest[96 0 R/XYZ 0 268 0]>>endobj
-+24 0 obj<</Subtype/Link/Rect[176.5 255.5 200.6 268.5]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
-+25 0 obj<</Subtype/Link/Rect[241.9 255.5 283.8 268.5]/Border[0 0 0]/Dest[96 0 R/XYZ 0 569 0]>>endobj
-+26 0 obj<</Subtype/Link/Rect[72.0 74.1 93.4 87.1]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
-+27 0 obj<</Subtype/Link/Rect[134.6 74.1 176.5 87.1]/Border[0 0 0]/Dest[96 0 R/XYZ 0 569 0]>>endobj
-+28 0 obj<</Subtype/Link/Rect[176.5 74.1 200.6 87.1]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
-+29 0 obj<</Subtype/Link/Rect[200.6 74.1 241.9 87.1]/Border[0 0 0]/Dest[96 0 R/XYZ 0 268 0]>>endobj
-+30 0 obj<</Subtype/Link/Rect[241.9 74.1 283.8 87.1]/Border[0 0 0]/Dest[96 0 R/XYZ 0 537 0]>>endobj
-+31 0 obj[11 0 R
-+12 0 R
-+13 0 R
-+14 0 R
-+15 0 R
-+16 0 R
-+17 0 R
-+18 0 R
-+19 0 R
-+20 0 R
-+21 0 R
-+22 0 R
-+23 0 R
-+24 0 R
-+25 0 R
-+26 0 R
-+27 0 R
-+28 0 R
-+29 0 R
-+30 0 R]endobj
-+32 0 obj<</Subtype/Link/Rect[72.0 721.0 93.4 734.0]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
-+33 0 obj<</Subtype/Link/Rect[93.4 721.0 134.6 734.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 268 0]>>endobj
-+34 0 obj<</Subtype/Link/Rect[134.6 721.0 176.5 734.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 537 0]>>endobj
-+35 0 obj<</Subtype/Link/Rect[176.5 721.0 200.6 734.0]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
-+36 0 obj<</Subtype/Link/Rect[200.6 721.0 241.9 734.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
-+37 0 obj<</Subtype/Link/Rect[241.9 721.0 283.8 734.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 465 0]>>endobj
-+38 0 obj<</Subtype/Link/Rect[72.0 61.6 93.4 74.6]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
-+39 0 obj<</Subtype/Link/Rect[93.4 61.6 134.6 74.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 87 0]>>endobj
-+40 0 obj<</Subtype/Link/Rect[134.6 61.6 176.5 74.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 465 0]>>endobj
-+41 0 obj<</Subtype/Link/Rect[176.5 61.6 200.6 74.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
-+42 0 obj<</Subtype/Link/Rect[200.6 61.6 241.9 74.6]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
-+43 0 obj<</Subtype/Link/Rect[241.9 61.6 283.8 74.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 393 0]>>endobj
-+44 0 obj[32 0 R
-+33 0 R
-+34 0 R
-+35 0 R
-+36 0 R
-+37 0 R
-+38 0 R
-+39 0 R
-+40 0 R
-+41 0 R
-+42 0 R
-+43 0 R]endobj
-+45 0 obj<</Subtype/Link/Rect[72.0 267.6 93.4 280.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
-+46 0 obj<</Subtype/Link/Rect[93.4 267.6 134.6 280.6]/Border[0 0 0]/Dest[98 0 R/XYZ 0 61 0]>>endobj
-+47 0 obj<</Subtype/Link/Rect[134.6 267.6 176.5 280.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 393 0]>>endobj
-+48 0 obj<</Subtype/Link/Rect[176.5 267.6 200.6 280.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 125 0]>>endobj
-+49 0 obj<</Subtype/Link/Rect[200.6 267.6 241.9 280.6]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
-+50 0 obj<</Subtype/Link/Rect[241.9 267.6 283.8 280.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 334 0]>>endobj
-+51 0 obj<</Subtype/Link/Rect[72.0 112.6 93.4 125.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 125 0]>>endobj
-+52 0 obj<</Subtype/Link/Rect[93.4 112.6 134.6 125.6]/Border[0 0 0]/Dest[100 0 R/XYZ 0 74 0]>>endobj
-+53 0 obj<</Subtype/Link/Rect[134.6 112.6 176.5 125.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 334 0]>>endobj
-+54 0 obj<</Subtype/Link/Rect[200.6 112.6 241.9 125.6]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
-+55 0 obj<</Subtype/Link/Rect[241.9 112.6 283.8 125.6]/Border[0 0 0]/Dest[96 0 R/XYZ 0 302 0]>>endobj
-+56 0 obj[45 0 R
-+46 0 R
-+47 0 R
-+48 0 R
-+49 0 R
-+50 0 R
-+51 0 R
-+52 0 R
-+53 0 R
-+54 0 R
-+55 0 R]endobj
-+57 0 obj<</S/URI/URI(http://www.postfix.org)>>endobj
-+58 0 obj<</Subtype/Link/Rect[108.0 688.8 168.8 701.8]/Border[0 0 0]/A 57 0 R>>endobj
-+59 0 obj<</S/URI/URI(http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls)>>endobj
-+60 0 obj<</Subtype/Link/Rect[108.0 675.6 191.4 688.6]/Border[0 0 0]/A 59 0 R>>endobj
-+61 0 obj<</S/URI/URI(http://www.palmcoder.net)>>endobj
-+62 0 obj<</Subtype/Link/Rect[108.0 662.4 269.3 675.4]/Border[0 0 0]/A 61 0 R>>endobj
-+63 0 obj<</Subtype/Link/Rect[93.4 634.0 134.6 647.0]/Border[0 0 0]/Dest[102 0 R/XYZ 0 280 0]>>endobj
-+64 0 obj<</Subtype/Link/Rect[134.6 634.0 176.5 647.0]/Border[0 0 0]/Dest[96 0 R/XYZ 0 302 0]>>endobj
-+65 0 obj[58 0 R
-+60 0 R
-+62 0 R
-+63 0 R
-+64 0 R]endobj
-+66 0 obj<</Dests 67 0 R>>endobj
-+67 0 obj<</Kids[68 0 R]>>endobj
-+68 0 obj<</Limits[(postfix_ssl-howto-1.html)(toc6)]/Names[(postfix_ssl-howto-1.html)69 0 R(postfix_ssl-howto-2.html)70 0 R(postfix_ssl-howto-3.html)71 0 R(postfix_ssl-howto-4.html)72 0 R(postfix_ssl-howto-5.html)73 0 R(postfix_ssl-howto-6.html)74 0 R(postfix_ssl-howto.html)75 0 R(s1)76 0 R(s2)77 0 R(s3)78 0 R(s4)79 0 R(s5)80 0 R(s6)81 0 R(ss2.1)82 0 R(ss2.2)83 0 R(ss3.1)84 0 R(ss3.2)85 0 R(ss4.1)86 0 R(toc1)87 0 R(toc2)88 0 R(toc3)89 0 R(toc4)90 0 R(toc5)91 0 R(toc6)92 0 R]>>endobj
-+69 0 obj<</D[96 0 R/XYZ 0 268 0]>>endobj
-+70 0 obj<</D[96 0 R/XYZ 0 87 0]>>endobj
-+71 0 obj<</D[98 0 R/XYZ 0 61 0]>>endobj
-+72 0 obj<</D[100 0 R/XYZ 0 74 0]>>endobj
-+73 0 obj<</D[102 0 R/XYZ 0 280 0]>>endobj
-+74 0 obj<</D[102 0 R/XYZ 0 125 0]>>endobj
-+75 0 obj<</D[96 0 R/XYZ 0 734 0]>>endobj
-+76 0 obj<</D[96 0 R/XYZ 0 240 0]>>endobj
-+77 0 obj<</D[98 0 R/XYZ 0 733 0]>>endobj
-+78 0 obj<</D[100 0 R/XYZ 0 705 0]>>endobj
-+79 0 obj<</D[102 0 R/XYZ 0 718 0]>>endobj
-+80 0 obj<</D[102 0 R/XYZ 0 252 0]>>endobj
-+81 0 obj<</D[104 0 R/XYZ 0 733 0]>>endobj
-+82 0 obj<</D[98 0 R/XYZ 0 600 0]>>endobj
-+83 0 obj<</D[98 0 R/XYZ 0 368 0]>>endobj
-+84 0 obj<</D[100 0 R/XYZ 0 501 0]>>endobj
-+85 0 obj<</D[100 0 R/XYZ 0 300 0]>>endobj
-+86 0 obj<</D[102 0 R/XYZ 0 594 0]>>endobj
-+87 0 obj<</D[96 0 R/XYZ 0 569 0]>>endobj
-+88 0 obj<</D[96 0 R/XYZ 0 537 0]>>endobj
-+89 0 obj<</D[96 0 R/XYZ 0 465 0]>>endobj
-+90 0 obj<</D[96 0 R/XYZ 0 393 0]>>endobj
-+91 0 obj<</D[96 0 R/XYZ 0 334 0]>>endobj
-+92 0 obj<</D[96 0 R/XYZ 0 302 0]>>endobj
-+93 0 obj<</Type/Pages/Count 6/Kids[94 0 R
-+96 0 R
-+98 0 R
-+100 0 R
-+102 0 R
-+104 0 R
-+]>>endobj
-+94 0 obj<</Type/Page/Parent 93 0 R/Contents 95 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F8 7 0 R/F9 8 0 R>>/XObject<<>>>>>>endobj
-+95 0 obj<</Filter/FlateDecode/Length 90        >>stream
-+x
-+ÂÁ
-+@@àû<Åä²fhV{Uä ÐNy R”$Ÿ¾ï"ÿeŽÂc>¨2Êš 	°¢â¼(
-+U'AaØ13lN†ó~ÖíEŒÚ~²>µj£‘>!šëendstream
-+endobj
-+96 0 obj<</Type/Page/Parent 93 0 R/Contents 97 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F4 4 0 R/F6 6 0 R/F8 7 0 R/F9 8 0 R/Fc 9 0 R>>/XObject<<>>>>/Annots 31 0 R>>endobj
-+97 0 obj<</Filter/FlateDecode/Length 1533      >>stream
-+x¥VM“Û6½ï¯À­›¯¢/ëãÐCÛ4i:i“vÉ%Ú¦b6úp%Ù›ý÷} %‘v·{é¬×cè ð >êBüE”Ç”d´kn ēåëÏ7ü„²tÄÔPšÙdÔtã™
-+EaD(~aï´Èñã¿×TIÀõ:AÀ+ âgë(ÖØ*Š8€µx/Ó"
-+€y¤ðfƒ1Ïl¨Œ/0Ïä×Aî9ú6Д·ta}h™\ø&/^si ¦ŠÉbœÉ•¤\«¬”J<hÆÔ:Ô†MěÊáÂNX±Oé‚y&‚†9ç³€–¼(f-[b8ò&̲µ`žÉA…¼ôm –<‡z6P¤‡„TªLðP¦ŠÙ²ÆRåŒEa†&;з6æ’<Ô³9¥s¨Ý4çAœ¨MÄp›NXF˜!ú6ÂF9N‡z6Ð,¿ôå¡N at FÎsq1bõÎÄÜ®q|æ™\§‹ÂŽ¾
-+4g«o-SæhÙÔ·Š“uPz¨o-²‹¤|»¡$,/|}Cüb-û˜Äta_Çþ„W³`ž‰b0ƒHw}hÆrã¡ÌZ\°.5T0f
-+ÞÒ3ሀk„	GŒO	ÇuÉŽb°#kDœ”ˆy%_Ä¡œ±˜(Cúr¬Ýâä¡o4£qá88TÂBY·þ­£ùÓÏ%?ôOæ˜så,²˜ç–-&R¦b†<sÎOJò’îì'¹:Ì™¼g¾`’x‰¸ÊûÇÍÍË×%æ’6.Ÿ,/‚²Œi³—{'¤ÍîöC7Œ•ùF÷÷ïè—÷Ÿ6ï_lþ²N,#âv—ÄA‘²Ûí¯§a4-½Rg£»2EK§uq$œö·ç(WôJït³Õ=ÅaÛÕ™·º@ã°vs0á£Z2íØwûÓn4]KcGãAÓiÐÔU´ywÿ’s|0ãAžÏ‰ÿ¶ù! ƒi¿ðÚ!̱ïÎf¯g÷Þ:)Î ¤;™8ìÛhÕ¼‹nwýãq”å25íº¶Õ’ÄÊǏµB‚úÛHê„ÌÚÑìgêm¿¢Çî$9¨zè®6ô¼4).¬§­ôžP­BÖæ¬FM_õ#ïªêº{ ɧ׵zDå
-+u½Á‹A*4F½õè›öFëâPZ4S¦@¶u¯û³îmÔ¹x9¹säýS×VæË©—bé¨zÕ Ï~êÿnêèîA~dzŸã,§Ë¨.Ô#)Úh%iš]ú| Wô	&ú.xIåÉ•íjƒ]æpYYâUÆyð¬ù^ϧ3³uYkÙÝj¦j
-+Yá‡îÑÛ9›çã>Sfн%ðé(éb€Ð>™7LÞ¦W§ô’ƒØ˜"`ò]«ÿg[Ö½6­LÅÇ#GÃés™ôδ_¯Ä’Jfeäw>lz}6Ýià9Ñԁž~lÓuòfhÈŽ—¯çò–‹r-g¤Ý‹&Î6ªkE‰xP¨&»ã©V=é;9¥¶8Zhm÷ü§r¤-f¢2ȼê»Æ:wÕDÈ,G³ÃwX¥Õxêõ°¢íii¤ºI«ÁØv›v¡Ì=+D;â? O·þ9ëË@MJ•©ñ£êzÖ5×ÝÕÕþs¡âÆ5Vª1µQ“<ÌÂ}ËúôýYÕ'm	ŸY¼½o·ÅÈB³'=fÕyP"n³ä*Ok—ñ½Jl§ûÑT¬µzÀH¡Ž¦C¦EI"¾*ðá}˜õ
-+ä|Õ4€KÑå^«ý…HòÑaG¾mPñ`F-‹‰˜Û2Ó±y©¿,åX­žeÚvyÿØ‚À½ý@j¿G7¹Ÿoû9<¨¾7]?|~aÇC1†ù¸ª|¯wf˜ê{8h¤(‡ÝîÆ	[½r`*+cŽ1\¦bO[ðî<0ͽþbL*0Üèj¾®R8¨×­ÚÖZ2å[m¾/qwrÀƒÂeYcÄÇ­-SZL/±c5F5RmƱִ5#ßï8éýõ
-+=èÝ©7ããÜ¿œæ§Ïÿ³²P¸÷¼žGqÆ÷ÔÜ[îëòî“aP©½É"¦ãçÍÍ7ÿ .Ý>endstream
-+endobj
-+98 0 obj<</Type/Page/Parent 93 0 R/Contents 99 0 R/MediaBox[0 0 595 792]/Resources<</ProcSet[/PDF/Text]/Font<</F0 3 0 R/F4 4 0 R/F5 5 0 R/F6 6 0 R/F8 7 0 R/F9 8 0 R>>/XObject<<>>>>>>endobj
-+99 0 obj<</Filter/FlateDecode/Length 1220      >>stream
-+x•VÛnÛF}×WÒ°V$uu€u¹à[-E‹´Æš\Z“»ìîÒ®úÐoïÌ’ŒHYISr®gfÎÌŸƒü„°ˆ`2‡¤,€IÈ–0].ðo„_# ¼ã‹Sgø*ÎPg¾ŒX8‡8T	ˆ“aÄàV[—É¿€[à_n`#̳0oãO¨>…0¬•GÑ‚Mæh)¶ZÁ¦Ú¬ Ñ…°ðPÉÜÁ‹t[°UYjã Ó6›Ë1Z=«ç9¸-w -(!R‘Ò¿D«L>V†;‰u†"¬œ¦8…‘o4¡_È(©)‘Že£J&u¨,Õ#ìtå= Hµ÷bw¢k;ÆÉL&ô“O…ã2§Iø]+gtZyd#`ðkÇK¢Ë]×ú“ØWi÷Q×!š 4ÇÂ%㲩@*
-+&¤ÍŽÁÚøGœ°(;!Ë%Š@RžÉ–«Ç:³R˜BZK˜ bÙ²4ò™Å°ÞÕ¥
-+à” Í¨‹FÑ”Íæ8ÙêFkÇè§)£tڐ°#H®Ð)L±êRy	/ÒmºŸl¹˜öœ÷Ê]rÃÌØ:ª£
-+·J%åÛ‡k\p©X’5QEs6%giy¦©S¨r©°=À–¤i±T'U!”cŒ}‘ïà}›}Ÿ>ä|Ü‚âf}\láÊôÞåö!»Ï°£àû^™ÇE`õÐÜkQ“|Q­Å—¼Ÿóu~FöêqWYAb|;ÑÀ?kæÝ×
-+!
-+&¾nûðÚ¤jÄÚj
-+i¨@¹Æqz=Ɲîk°nuF{ïä3ÿÏKg¾¾ÅKØ7º8ïÅYå¶ÚH·ƒŽGø8l(
-+;
-+GUf5tDìÇ·ÿWS’àˆ–‰3q9R㈇VÆ«ÜõiÈ–"ñ¤–çè_xŸ9¾eUÏÁ8Û[]å)9ë–¡!oôÙDÛÝ!#Ü4‘´ˆØCXG#†²ýÑÞ~_ܨ¤O¼=ð (s¦\\ÖqÜíŠ!M¶"yªéŽpØ"W?¡j$:Ò¯Ú§Šbü§îÝ??$J8@îÈ™E´Y¢YõѬEÁ“[lv”V°	®S"EôçIŒ–n¬ö1¶²	/ñ²Áj!s`ŠüÞ8ˆü‹¢àP­ï`µ¹Šo[z±­>\Þ qÈ>üÞûhŒ"zõþv}»º\_¯¯ê{%ÝÍú·f!µ=XÅw×GÄâ³»¸©;uÇ
-+Åaù~_­¯V}•ÍQqDáNð;UC]øWtÀD1’LÓÅØ+%.:|N	Ž/ZNÂÂ÷µå7µÜžµxV—ÇVTn$°CCÝ°÷×Ь|T8f´Wh–ˆú