[pkg-kolab] r837 - in postfix/trunk/debian: . patches po

noel at alioth.debian.org noel at alioth.debian.org
Fri May 2 10:36:07 UTC 2008


Author: noel
Date: 2008-05-02 10:36:05 +0000 (Fri, 02 May 2008)
New Revision: 837

Added:
   postfix/trunk/debian/compat
   postfix/trunk/debian/main.cf.in
   postfix/trunk/debian/patches/10man-names.dpatch
   postfix/trunk/debian/patches/10myorigin.dpatch
   postfix/trunk/debian/patches/10postfix-script.dpatch
   postfix/trunk/debian/patches/10tls.dpatch
   postfix/trunk/debian/patches/10tlsmgr.dpatch
   postfix/trunk/debian/patches/10warnings.dpatch
   postfix/trunk/debian/patches/30hurd.dpatch
   postfix/trunk/debian/po/ca.po
   postfix/trunk/debian/po/gl.po
   postfix/trunk/debian/po/pt.po
   postfix/trunk/debian/po/sv.po
   postfix/trunk/debian/po/vi.po
   postfix/trunk/debian/postfix-cdb.README.Debian
   postfix/trunk/debian/postfix-cdb.copyright
   postfix/trunk/debian/postfix-cdb.dirs
   postfix/trunk/debian/postfix-cdb.files
   postfix/trunk/debian/postfix-cdb.postinst
   postfix/trunk/debian/postfix-cdb.prerm
   postfix/trunk/debian/postfix.config
   postfix/trunk/debian/postfix.copyright
   postfix/trunk/debian/postfix.postinst
   postfix/trunk/debian/postfix.postrm
   postfix/trunk/debian/postfix.preinst
   postfix/trunk/debian/postfix.prerm
   postfix/trunk/debian/postfix.shlibs
   postfix/trunk/debian/postfix_groups.pl
Removed:
   postfix/trunk/debian/conffiles
   postfix/trunk/debian/config
   postfix/trunk/debian/copyright
   postfix/trunk/debian/patches/10hostname.dpatch
   postfix/trunk/debian/patches/50tls.dpatch
   postfix/trunk/debian/patches/60hpux.dpatch
   postfix/trunk/debian/patches/master.cf.local
   postfix/trunk/debian/postfix-tls.copyright
   postfix/trunk/debian/postfix-tls.dirs
   postfix/trunk/debian/postfix-tls.postinst
   postfix/trunk/debian/postfix-tls.postrm
   postfix/trunk/debian/postfix-tls.preinst
   postfix/trunk/debian/postfix-tls.prerm
   postfix/trunk/debian/postinst
   postfix/trunk/debian/postrm
   postfix/trunk/debian/preinst
   postfix/trunk/debian/prerm
   postfix/trunk/debian/shlibs
   postfix/trunk/debian/tls-patch
Modified:
   postfix/trunk/debian/README.Debian
   postfix/trunk/debian/arch-version
   postfix/trunk/debian/changelog
   postfix/trunk/debian/control
   postfix/trunk/debian/dirs
   postfix/trunk/debian/functions
   postfix/trunk/debian/init.d
   postfix/trunk/debian/ip-down.d
   postfix/trunk/debian/ip-up.d
   postfix/trunk/debian/lintian-override
   postfix/trunk/debian/patches/00list
   postfix/trunk/debian/patches/10cyrus.dpatch
   postfix/trunk/debian/patches/10greylist.dpatch
   postfix/trunk/debian/patches/10main.cf.dpatch
   postfix/trunk/debian/patches/10man.dpatch
   postfix/trunk/debian/patches/10master.cf.dpatch
   postfix/trunk/debian/patches/10rmail.dpatch
   postfix/trunk/debian/patches/10smtplinelength.dpatch
   postfix/trunk/debian/patches/20maps.dpatch
   postfix/trunk/debian/patches/40-kolab-ldap-leafonly.dpatch
   postfix/trunk/debian/po/cs.po
   postfix/trunk/debian/po/de.po
   postfix/trunk/debian/po/es.po
   postfix/trunk/debian/po/fr.po
   postfix/trunk/debian/po/it.po
   postfix/trunk/debian/po/ja.po
   postfix/trunk/debian/po/nl.po
   postfix/trunk/debian/po/pt_BR.po
   postfix/trunk/debian/po/ru.po
   postfix/trunk/debian/po/templates.pot
   postfix/trunk/debian/postfix-doc.dirs
   postfix/trunk/debian/postfix-ldap.README.Debian
   postfix/trunk/debian/rules
   postfix/trunk/debian/templates
Log:
etch version of postfix with two additional postfix patches: 30-kolab.dpatch and 40-kolab-ldap-leafonly.dpatch

Modified: postfix/trunk/debian/README.Debian
===================================================================
--- postfix/trunk/debian/README.Debian	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/README.Debian	2008-05-02 10:36:05 UTC (rev 837)
@@ -2,12 +2,20 @@
 and the source from upstream:
 
 1.  The Debian install is chrooted by default.
-2.  IPV6 support is present and enabled.
-3.  TLS/SASL support is found in the postfix-tls package.
-4.  Dynamically loadable map support.
-5.  For policy reasons:
-  a. SASL configuration is found in /etc/postfix/sasl
+2.  Dynamically loadable map support.
+3.  For policy reasons:
+  a. SASL configuration goes in /etc/postfix/sasl
   b. myhostname=/path/to/file is supported (and used) in main.cf
+4.  smtp_line_length_limit defaults to 0, instead of 990, in absolute
+    violation of the RFC.  Note that mailers in the path will still
+    potentially split the line, though.  This will be removed at some
+    point in the future.
+5.  IPV6 support is enabled: postfix listens on ipv6/ipv4 by default,
+    (see: inet_protocols)
+6.  TLS/SASL support is enabled.
+7.  rmail comes from sendmail, not from postfix.
+8.  The upstream main.cf is delivered as /usr/share/postfix/main.cf.dist,
+    rather than cluttering /etc/postfix/main.cf with comments.
 
 Known caveats:
 1.  The dynamically loadable modules are not found in the chroot.
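Review bot: New item 4 documents smtp_line_length_limit defaulting to 0 "in absolute violation of the RFC" but gives the admin no way back to compliant behaviour. Add a line saying that setting smtp_line_length_limit = 990 in main.cf restores the value this text names as the normal default. "This will be removed at some point in the future" would be more useful with a version or bug reference. Item 6, "TLS/SASL support is enabled", replaces the old pointer to the postfix-tls package; it should say whether this means compiled in or switched on in the shipped main.cf, because the two give a fresh install different exposure.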

Modified: postfix/trunk/debian/arch-version
===================================================================
--- postfix/trunk/debian/arch-version	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/arch-version	2008-05-02 10:36:05 UTC (rev 837)
@@ -1 +1 @@
-lamont at debian.org--2004/postfix--debian--2.1--patch-6
+lamont at debian.org--2005/postfix--merged--2.3--patch-81

Modified: postfix/trunk/debian/changelog
===================================================================
--- postfix/trunk/debian/changelog	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/changelog	2008-05-02 10:36:05 UTC (rev 837)
@@ -1,17 +1,576 @@
-postfix (2.1.5-10kolab2) unstable; urgency=low
+postfix (2.3.8-3~kolab.credativ1) etch-backport; urgency=low
 
-  * Build for Kolab sarge
-  * Add patch (40-kolab-ldap-leafonly.dpatch)
+  * etch backport with kolab Patch:
+    - 30-kolab.dpatch
+    - 40-kolab-ldap-leafonly.dpatch
 
- -- Noèl Köthe <noel.koethe at credativ.de>  Tue, 27 Jun 2006 13:24:31 +0200
+ -- Noèl Köthe <noel.koethe at credativ.de>  Fri, 02 May 2008 11:30:48 +0200
 
-postfix (2.1.5-10kolab1) unstable; urgency=low
+postfix (2.3.8-2) unstable; urgency=low
 
-  * Build for Kolab
-  * Add patch (30-kolab.dpatch)
+  * Updated Czech debconf template.  Closes: #414392
 
- -- Steffen Joeris <steffen.joeris at skolelinux.de>  Wed, 11 Jan 2006 15:55:55 +0000
+ -- LaMont Jones <lamont at debian.org>  Mon, 12 Mar 2007 22:42:23 -0600
 
+postfix (2.3.8-1) unstable; urgency=low
+
+  * New upstream version:
+    - Workaround: GNU POP3D creates a new mailbox and deletes the
+      old one. Postfix now backs off and retries delivery later,
+      instead of appending mail to a deleted file.  File:
+      global/mbox_open.c.
+    - Workaround: Disable SSL/TLS ciphers when the underlying
+      symmetric algorithm is not available in the OpenSSL crypto
+      library at the required bit strength. Problem observed with
+      SunOS 5.10's bundled OpenSSL 0.9.7 and AES 256. Also possible
+      with OpenSSL 0.9.8 and CAMELLIA 256. Root cause fixed in
+      upcoming OpenSSL 0.9.7m, 0.9.8e and 0.9.9 releases. Victor
+      Duchovni, Morgan Stanley. Files: src/smtp/smtp_proto.c,
+      src/smtpd/smtpd.c, src/tls/tls.h, src/tls/tls_client.c,
+      src/tls/tls_misc.c and src/tls/tls_server.c.
+  * Correct check for new (empty) answer to root alias debconf question.
+    Introduced in 2.3.6-2.  Closes: #413610, #413086
+
+ -- LaMont Jones <lamont at debian.org>  Mon,  5 Mar 2007 21:43:22 -0700
+
+postfix (2.3.7-4) unstable; urgency=low
+
+  * New russian, portugese, spanish, galician debconf templates.
+    Closes: #411941, #412205, #412413, #412494
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 26 Feb 2007 14:04:32 -0700
+
+postfix (2.3.7-3) unstable; urgency=low
+
+  * Really fix update-inetd's verboseness, by running it after dh_stop.
+    Closes: #410871
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 14 Feb 2007 21:41:37 -0700
+
+postfix (2.3.7-2) unstable; urgency=low
+
+  * Don't let update-inetd spew garbage to debconf.  Closes: #410871
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 13 Feb 2007 21:47:27 -0700
+
+postfix (2.3.7-1) unstable; urgency=low
+
+  * New upstream version
+    - Bugfix (introduced Postfix 2.3): when creating an alias map
+      on a NIS-enabled system, don't case-fold the YP_MASTER_NAME
+      and YP_LAST_MODIFIED lookup keys. This requires that an
+      application can turn off case folding on the fly. This is
+      a point fix. A complete fix requires updates to other map
+      types and to the proxymap protocol, which is too much change
+      for a stable release.
+    - Bugfix (introduced 20011008): after return from a nested
+      access restriction, possible longjump into exited stack
+      frame upon configuration error or table lookup error.
+    - Workaround: don't insert empty-line header/body separator
+      into malformed MIME attachments, to avoid breaking digital
+      signatures. This change introduces ambiguity. Postfix still
+      treats the remainder of the attachment as body content;
+      header_checks rules will not detect forbidden MIME types
+      inside a message/rfc822 attachment.  With the empty-line
+      header/body separator no longer inserted by Postfix, other
+      software may process the malformed attachment differently,
+      and thus may become exposed to forbidden MIME types.  This
+      is back-ported from Postfix 2.4.
+    - Bugfix: match lists didn't implement ![ipv6address].
+  * New fr.po
+  * Updated postfix_groups.pl.  Closes: #409009, #409010
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 31 Jan 2007 12:45:49 -0700
+
+postfix (2.3.6-2) unstable; urgency=low
+
+  * Fix preinst checking mydomain.  Closes: #407790, #408089
+  * Deal with debconf silliness.  Closes: #387646
+  * Don't directly call initscript in prerm.
+  * Updated Dutch, Czech, Galician templates. Closes: #407433, #407832, #407959
+  * Change the "I'm stupid enough to not want a root alias" answer from the
+    localization-problematic 'NONE' to the empty string, and mark it
+    non-translatable.  Closes: #389675
+    - changes to ca.po, de.po, gl.po, ja.po, nl.po for same
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 23 Jan 2007 07:46:45 -0700
+
+postfix (2.3.6-1) unstable; urgency=low
+
+  * New upstream version
+  * French debconf template.  Closes: #404132
+  * Galician debconf template.  Closes: #404573
+  * fix typos in debconf messages.  Closes: #399916
+  * Catalan debconf template.  Closes: #405320
+
+ -- LaMont Jones <lamont at debian.org>  Fri,  5 Jan 2007 19:31:31 -0700
+
+postfix (2.3.5-3) unstable; urgency=low
+
+  * Fix typo.  Closes: #403121
+  * German translation update.  Closes: #403310
+
+ -- LaMont Jones <lamont at debian.org>  Sat, 16 Dec 2006 06:30:17 -0700
+
+postfix (2.3.5-2) unstable; urgency=low
+
+  * Don't call update-inetd in postinst if it's not there.  Fixes Ubuntu
+    bug #73511.  Not yet reported in Debian.
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 13 Dec 2006 09:04:10 -0700
+
+postfix (2.3.5-1) unstable; urgency=low
+
+  * New upstream version
+  * mydomain needs some cleanup if we're upgrading from < 2.3.5-1 on a machine
+    where hostname(2) is a short name.  Bug introduced in 2.3.3-2.  Closes: #402788
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 12 Dec 2006 15:33:53 -0700
+
+postfix (2.3.4-3) unstable; urgency=high
+
+  * Fix broken tls patch.  Closes: #397771, #398534
+
+ -- LaMont Jones <lamont at debian.org>  Wed,  6 Dec 2006 14:09:25 -0700
+
+postfix (2.3.4-2) unstable; urgency=low
+
+  * Fix sasl patch.. Thanks again to Fabian Fagerholm. Closes: #398245
+  * New ja.po.  Closes: #398599
+  * New de.po.  Closes: #399918
+  * New fr.po.  Closes: #399998
+
+ -- LaMont Jones <lamont at debian.org>  Thu, 23 Nov 2006 22:53:16 -0700
+
+postfix (2.3.4-1) unstable; urgency=low
+
+  * SASL split conf and plugin directories.  Thanks to Fabian Fagerholm for
+    the patch.  Closes: #397771
+  * New upstream version.
+
+ -- LaMont Jones <lamont at debian.org>  Thu,  9 Nov 2006 10:36:45 -0700
+
+postfix (2.3.3-4) unstable; urgency=low
+
+  * Empty /etc/mailname was incorrectly handled.  Closes: #387641
+  * updated spanish,french translations.  Closes: #393770, #391884
+  * also copy /etc/nss_mdns.config into the chroot.  Closes: #393716
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 18 Oct 2006 10:46:48 -0600
+
+postfix (2.3.3-3) unstable; urgency=low
+
+  * Fix rfc1035_violation template entry.  Closes: #393087
+  * Add catalan transations. (debian/po/ca.po)  Closes: #393090
+  * Need to have libcdb1, not just tinycdb without the .so
+  * Fix postfix-cdb so that it actually works.
+
+ -- LaMont Jones <lamont at debian.org>  Sun, 15 Oct 2006 21:11:54 -0600
+
+postfix (2.3.3-2) unstable; urgency=low
+
+  * Add postfix-cdb package, which supports tinycdb maps.
+    Closes: #183163
+  * Detect and die nicely on emty myorigin file.  Closes: #322602
+  * Drop 10hostname.dpatch, which was only needed for installing
+    postfix inside of debian-installer.  Closes: #333646
+  * cleanup confusing debconf question.  Closes: #387646
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 19 Sep 2006 09:04:02 -0600
+
+postfix (2.3.3-1) unstable; urgency=low
+
+  * New upstream version with various bug fixes.
+  * use invoke-rc.d in preinst.  Closes: #381167
+  * Suggest: resolvconf
+  * Fix section 8postfix man page headers to say '8postfix', to fix lintian
+    errors.
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 29 Aug 2006 08:49:35 -0600
+
+postfix (2.3.2-1) unstable; urgency=low
+
+  * New upstream version: more milter fixes.
+  * Update japanese translations.  Closes: #379951
+  * Move prng_exch back to $queue_directory from /etc (where it
+    lived for all of 2.2...)  Closes: #380285
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 31 Jul 2006 23:50:43 -0600
+
+postfix (2.3.1-1) unstable; urgency=low
+
+  * New upstream.
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 24 Jul 2006 23:42:21 -0600
+
+postfix (2.3.0-2) unstable; urgency=low
+
+  * init script needs to deal with queue_directory being non-standard.
+    Closes: #379357
+  * Fix .so-using man pages.  Closes: #358935
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 24 Jul 2006 10:42:18 -0600
+
+postfix (2.3.0-1) unstable; urgency=low
+
+  * New upstream release.  Closes: #378074, #378109
+    Thanks to Pascal A Dupuis for the patch migration work.
+
+ -- LaMont Jones <lamont at debian.org>  Thu, 13 Jul 2006 08:28:02 -0600
+
+postfix (2.3-20060611-1) experimental; urgency=low
+
+  * New upstream release
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 14 Jun 2006 15:15:50 -0600
+
+postfix (2.2.10-2) unstable-UNRELEASED; urgency=low
+
+  * Drop conffiles listed under /etc, since debhelper does that for us now.
+    Closes: #356768
+  * Add portugese translations.  Close: #363134
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 19 Apr 2006 11:37:05 -0600
+
+postfix (2.3-20060405-1) experimental; urgency=low
+
+  * New upstream version
+
+ -- LaMont Jones <lamont at debian.org>  Fri,  7 Apr 2006 08:38:45 -0600
+
+postfix (2.2.10-1) unstable; urgency=low
+
+  * New upstream version
+  * Add Galician debconf translations.  Closes: #361255
+
+ -- LaMont Jones <lamont at debian.org>  Fri,  7 Apr 2006 08:20:32 -0600
+
+postfix (2.2.9-4) unstable; urgency=low
+
+  * When lo is configured, don't bother having i[pf]-up.d/postfix
+    restart postfix.  Thanks to Scott James Remnant.
+
+ -- LaMont Jones <lamont at debian.org>  Wed,  5 Apr 2006 23:28:58 -0600
+
+postfix (2.3-20060403-1) experimental; urgency=low
+
+  * New upstream version
+
+ -- LaMont Jones <lamont at debian.org>  Wed,  5 Apr 2006 22:42:03 -0600
+
+postfix (2.2.9-3) unstable; urgency=low
+
+  * Don't override the admin's changes to inet_protocols.  Closes: #359272
+  * Update description of satellite system, including in several
+    translations.  Closes: #359271
+  * Add buildsystem support for Hurd.  Closes: #356392
+  * New Czech translations.  Closes: #356559
+  * Include fixes for pcre maps and sendmail -t/MIME issues.
+    - Workaround: null-terminate the input after stripping CR,
+      and before passing the input to the MIME processor. Leandro
+      Santi. The fix, a rewrite of the MIME processor input
+      handling, is too much change for a stable release. File:
+      sendmail/sendmail.c.
+    - Workaround: the PCRE library reports an inappropriate error
+      code (invalid substring) when $number refers to a valid ()
+      expression that matches the null string. This caused fatal
+      run-time errors.  File: dict_pcre.c.
+
+ -- LaMont Jones <lamont at debian.org>  Wed,  5 Apr 2006 22:22:16 -0600
+
+postfix (2.3-20060315-1) experimental; urgency=low
+
+  * New upstream
+
+ -- LaMont Jones <lamont at debian.org>  Sat, 18 Mar 2006 22:55:36 -0700
+
+postfix (2.2.9-1) unstable; urgency=low
+
+  * New upstream, fixes various TLS/SASL bugs.
+
+ -- LaMont Jones <lamont at debian.org>  Fri, 24 Feb 2006 10:10:26 -0700
+
+postfix (2.2.8-10) unstable; urgency=low
+
+  * Don't call permit_sasl_auth in smtpd checks if sasl is not enabled.
+    Thanks to Sven Mueller <debian at incase.de> and Victor Duchovni.
+    Closes: #351675
+  * if ssl-cert created a cert, then configure smtpd to use it (only
+    on fresh installation)
+  * make sure usr/lib/zoneinfo exists in the chroot before using it.
+    Closes: #163861
+  * init.d start must return 0 when already running.  Closes: #351466
+  * Make mydomain selection in postinst conform to resolver library method.
+    Closes: #351937
+
+ -- LaMont Jones <lamont at debian.org>  Thu, 23 Feb 2006 11:08:23 -0700
+
+postfix (2.3-20060207-1) experimental; urgency=low
+
+  * New upstream
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 13 Feb 2006 08:59:02 -0700
+
+postfix (2.3-20060126-1) experimental; urgency=low
+
+  * Merge in 2.2.8-9 fix
+
+ -- LaMont Jones <lamont at debian.org>  Sat, 28 Jan 2006 08:36:19 -0700
+
+postfix (2.2.8-9) unstable; urgency=low
+
+  * ifup/down need to deal with /var not being writable (by exiting).
+    Closes: launchpad.net/29925
+
+ -- LaMont Jones <lamont at debian.org>  Sat, 28 Jan 2006 08:33:43 -0700
+
+postfix (2.3-20060126-0) experimental; urgency=low
+
+  * New upstream version
+  * add the now-necessary -DUSE_CYRUS_SASL.  Closes: #350151
+  * deliver lmtp symlink.  Closes: #350158
+
+ -- LaMont Jones <lamont at debian.org>  Fri, 27 Jan 2006 12:06:49 -0700
+
+postfix (2.2.8-8) unstable; urgency=low
+
+  * init.d stop needs to be more thurough in killing master.  Closes: #349950
+  * ifup should be quiet when /usr is not mounted.  Closes launchpad.net/29788
+
+ -- LaMont Jones <lamont at debian.org>  Fri, 27 Jan 2006 12:09:43 -0700
+
+postfix (2.3-20060123-0) experimental; urgency=low
+
+  * New upstream version
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 23 Jan 2006 16:40:28 -0700
+
+postfix (2.2.8-7) unstable; urgency=low
+
+  * Drop /dev/{u,}random creation, add a note to
+    /usr/share/doc/postfix-ldap/README.Debian.  Closes: #349244
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 23 Jan 2006 16:50:56 -0700
+
+postfix (2.2.8-6) unstable; urgency=low
+
+  * postfix startup issues.  Closes: #348645
+  * copy /dev/random and /dev/urandom into the chroot for ldaps.
+    Closes: #348835.
+
+ -- LaMont Jones <lamont at debian.org>  Thu, 19 Jan 2006 10:40:40 -0700
+
+postfix (2.2.8-5) unstable; urgency=low
+
+  * maildrop lives in /usr/bin, not /usr/local/bin.  Ubuntu Bug#25069
+  * bump standards version.  Closes: #318913
+
+ -- LaMont Jones <lamont at debian.org>  Mon, 16 Jan 2006 14:33:48 -0700
+
+postfix (2.3-20060112-0) experimental; urgency=low
+
+  * New upstream
+
+ -- LaMont Jones <lamont at debian.org>  Thu, 12 Jan 2006 16:19:40 -0700
+
+postfix (2.3-20060103-0.1) experimental; urgency=low
+
+  * resync with 2.2
+
+ -- LaMont Jones <lamont at debian.org>  Mon,  9 Jan 2006 18:12:21 -0700
+
+postfix (2.2.8-4) unstable; urgency=low
+
+  * Fix init.d cleanup patch
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 11 Jan 2006 14:59:00 -0700
+
+postfix (2.2.8-3) unstable; urgency=low
+
+  * Make init.d script closer to upstream.
+  * French and swedish debconf translations.  Closes: #347609, #347619
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 11 Jan 2006 13:26:03 -0700
+
+postfix (2.3-20060103-0) experimental; urgency=low
+
+  * New upstream.
+
+ -- LaMont Jones <lamont at debian.org>  Mon,  9 Jan 2006 18:12:21 -0700
+
+postfix (2.2.8-2) unstable; urgency=low
+
+  * Fix shlib symlink error.
+
+ -- LaMont Jones <lamont at debian.org>  Thu,  5 Jan 2006 17:42:59 -0700
+
+postfix (2.2.8-1) unstable; urgency=low
+
+  * New upstream version
+    - an EHLO I/O error after STARTTLS was reported as STARTTLS error
+    - the *SQL, proxy and LDAP maps were not defined in user-land
+      commands such as postqueue
+    - regex maps didn't correctly convert $$ -> $ in some cases
+    - Anvil server terminated after max_idle seconds
+    - 2.2.6 server garbage response code caused delivery problems,
+      turned off.
+
+ -- LaMont Jones <lamont at debian.org>  Thu,  5 Jan 2006 00:07:53 -0700
+
+postfix (2.2.7-2) unstable; urgency=low
+
+  * Make mailman service run privileged.  sigh.  Closes: #315939
+  * Add comment about myorigin=/etc/mailname being the default to main.cf
+  * Document /usr/share/postfix/main.cf.dist in README.Debian.
+  * Really listen on ipv6 ports in the default install.  Closes: #345961
+    - config selects the default answer to the low priority question based
+      on whether or not ipv6/ipv4 are installed at that time.
+  * allow libmysqlclient14-dev to satisfy build-deps as well as 15.
+  * Suggest: sasl2-bin, libsasl2-modules.  Closes: #345664, #265375
+  * Run newaliases instead of postalias with hardcoded parameters, so that we
+    use $alias_database like we should.
+
+ -- LaMont Jones <lamont at debian.org>  Wed,  4 Jan 2006 11:26:11 -0700
+
+postfix (2.2.7-1) unstable; urgency=low
+
+  * New upstream:
+    - LMTP client would reuse a session after a negative reply to the
+      RSET command.
+    - the best_mx_transport, mailbox_transport and fallback_transport
+      features did not write a per-recipient defer logfile record when
+      the target delivery agent was broken.
+  * use libmysqlclient15-dev
+
+ -- LaMont Jones <lamont at debian.org>  Fri, 23 Dec 2005 20:24:16 -0700
+
+postfix (2.2.6-1) unstable; urgency=low
+
+  * New upstream.
+    - the *SQL clients did not uniformly choose the database host from
+      the available pool
+    - raise the "policy violation" flag when a client request exceeds
+      a concurrency or rate limit.
+    - don't do smtpd_end_of_data_restrictions after the transaction
+      failed due to, e.g., a write error.
+    - two messages could get the same message ID due to a race
+      condition. This time window was increased when queue file creation
+      was postponed from MAIL FROM until the first accepted RCPT TO.  The
+      window is closed again.
+    - the queue manager did not write a per-recipient defer logfile record
+      when the delivery agent crashed after the initial handshake with the
+      queue manager, and before reporting the delivery status to the queue
+      manager.
+    - moved code around from one place to another to make REDIRECT, FILTER,
+      HOLD and DISCARD access(5) table actions work in
+      smtpd_end_of_data_restrictions.  PREPEND will not be fixed; it must
+      be specified before the message content is received.
+  * Updated Italian translations.  Closes: #336925
+  * Swedish translations.  Closes: #339746
+  * Switch to libdb4.3.  Closes: #336488
+  * Add Replaces: mail-transport-agent.  Closes: #325624
+  * Merge changes from ubuntu.
+
+ -- LaMont Jones <lamont at debian.org>  Wed,  7 Dec 2005 15:39:11 -0700
+
+postfix (2.2.4-1) unstable; urgency=low
+
+  * New upstream bug-fix version
+  * postgresql fix from Martin Pitt (via Ubuntu):
+    - transition to new PostgreSQL architecture.
+    - debian/control: Changed build dependency postgresql-dev to libpq-dev.
+    - debian/rules: Use pg_config to determine include directory.
+  * New translations:
+    * Italian from Cristian Rigamonti <cri at linux.it>.  Closes: #311411
+    * Russian from Yuriy Talakan' <yt at amur.elektra.ru>.  Closes: #310055
+  * Fix typo in if-down.d.  Closes: #313355
+  * Vietnamese translations from Clytie Siddall.  Closes: #317118
+
+ -- LaMont Jones <lamont at debian.org>  Wed,  6 Jul 2005 09:57:05 -0600
+
+postfix (2.2.3-3) unstable; urgency=low
+
+  * Shorter, more friendly patch to have mantools/postlink work.  Thanks
+    to Brendan O'Dea.
+  * Fix pgsql map initialization in the case of missing 'hosts' declaration.
+    Closes: #307967
+  * Remove extraneous -d option from bsmtp invocation.  Closes: #309114
+
+ -- LaMont Jones <lamont at debian.org>  Wed, 18 May 2005 22:12:14 -0600
+
+postfix (2.2.3-2) unstable; urgency=low
+
+  * The 'hell with sdbm' release.
+    * provide sdbm.[ch], and define HAS_SDBM, so things still work.
+
+ -- LaMont Jones <lamont at debian.org>  Wed,  4 May 2005 14:23:03 -0600
+
+postfix (2.2.3-1) unstable; urgency=low
+
+  * New upstream version
+  * really fix sdbm entry in dynamicmaps.cf.  Closes: #305586
+  * provide/conflict: postfix-tls for easier upgrade.
+
+ -- LaMont Jones <lamont at debian.org>  Mon,  2 May 2005 20:45:57 -0600
+
+postfix (2.2.2-3) unstable; urgency=low
+
+  * Updated czech translations.  Closes: #307168
+  * Updated french translations.  Closes: #306083
+  * Updated japanese translations.  Closes: #306942
+  * Add RUNNING check to ip-down.d.  Might fix: #306851
+  * Fix libdb symlink for building.  Closes: #305447
+  * Missing sdbm entry in dynamicmaps.cf.  Closes: #305586
+  * add mailman entry.  Closes: #297869
+
+ -- LaMont Jones <lamont at debian.org>  Mon,  2 May 2005 10:13:22 -0600
+
+postfix (2.2.2-2) unstable; urgency=low
+
+  * Closes: #304559
+    - fix shlib symlinks.
+    - use upstream's default for inet_protocols.  Also Closes: #304753
+  * Only start in postinst if the user has a main.cf.  Closes: #304871
+  * Include 10tls in 00list.. :-(  Closes: #304920
+  * At the end of postinst, warn if root has no alias.  Closes: #293889
+  * Fix tlsmgr entry in master.cf if needed.
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 19 Apr 2005 10:00:57 -0600
+
+postfix (2.2.2-1) unstable; urgency=low
+
+  * New upstream version
+  * Restore use of /etc/postfix/sasl2 for sasl config stuff.
+    (/usr/lib/sasl2 is not a configuration directory, after all...)
+    Reported by Iacopo Spalletti, Bernhard Schmidt <berni at birkenwald.de>
+    Closes: #301423
+  * Don't deliver /usr/share/doc/postfix-tls.  Reported by Iacopo Spalletti
+  * cleanup README.Debian
+  * Fix shlib deliveries.  Closes: #294207, #285111, #295789
+
+ -- LaMont Jones <lamont at debian.org>  Tue, 12 Apr 2005 08:49:08 -0600
+
+postfix (2.2.1-0) experimental; urgency=low
+
+  * New upstream version
+
+ -- LaMont Jones <lamont at ubuntu.com>  Thu, 17 Mar 2005 19:23:07 -0700
+
+postfix (2.2-20050211-2) UNRELEASED; urgency=low
+
+  * re-sync changes from 2.1 tree
+
+ -- LaMont Jones <lamont at debian.org>  Mon,  7 Mar 2005 12:33:34 -0700
+
+postfix (2.1.5-10) UNRELEASED; urgency=low
+
+  * Create a root alias on initial install (unless ~root/.forward
+    exists), even if /etc/aliases exists from some previous MTA.
+    Closes: #293889
+  * Get rid of failure messages during _shutdown_, too.
+
+ -- LaMont Jones <lamont at debian.org>  Mon,  7 Mar 2005 12:33:34 -0700
+
 postfix (2.1.5-9) unstable; urgency=low
 
   * more cleanup in if-up.d script.  Closes: #297127
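Review bot: The top of this hunk deletes the 2.1.5-10kolab2 and 2.1.5-10kolab1 entries instead of placing the new 2.3.8-3~kolab.credativ1 entry above them, so the changelog no longer records when 30-kolab.dpatch and 40-kolab-ldap-leafonly.dpatch were introduced or by whom. Either keep the two old entries or have the new entry state that both patches are carried forward from those versions. The new entry should also say whether the patches were refreshed against 2.3.8: the file list for this revision shows 40-kolab-ldap-leafonly.dpatch and patches/00list as modified, but 30-kolab.dpatch is not listed as touched at all, so please confirm it still applies unchanged and is named in 00list.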
@@ -32,6 +591,56 @@
 
  -- LaMont Jones <lamont at debian.org>  Tue, 22 Feb 2005 20:10:19 -0700
 
+postfix (2.2-20050211-1) experimental; urgency=low
+
+  * New upstream version
+
+ -- LaMont Jones <lamont at debian.org>  Sat, 12 Feb 2005 00:20:00 -0700
+
+postfix (2.2-20050209-1) experimental; urgency=low
+
+  * New upstream version.
+  * Merge postfix-tls package into postfix package.
+
+ -- LaMont Jones <lamont at debian.org>  Wed,  9 Feb 2005 16:57:00 -0700
+
+postfix (2.2-20050206-1) experimental; urgency=low
+
+  * New upstream version
+    * output address rewriting
+    * mx_session_limit fixes
+
+ -- LaMont Jones <lamont at debian.org>  Mon,  7 Feb 2005 12:46:02 -0700
+
+postfix (2.2-20050205-1) experimental; urgency=low
+
+  * New upstream version
+    -  Feature: REPLACE command in header/body_checks (implemented
+       as a combination of PREPEND and IGNORE) by Bastiaan Bakker.
+    -  Cleanup: linted the manual pages for consistency in the
+       way manuals are referenced, and in the presentation of
+       command examples.
+
+ -- LaMont Jones <lamont at debian.org>  Sun,  6 Feb 2005 16:13:53 -0700
+
+postfix (2.2-20050203-1) experimental; urgency=low
+
+  * New upstream version, includes TLS and IPv6 support.
+    - Postfix version 2.2 IP version 6 support is based on the Postfix/IPv6
+      patch by Dean Strik, but differs in a few minor ways.
+      - Network protocol support including DNS lookup is selected with
+      the inet_protocols parameter instead of the inet_interfaces parameter.
+      This is needed so that Postfix will not attempt to deliver mail
+      via IPv6 when the system has no IPv6 connectivity.
+      - The lmtp_bind_address6 feature was omitted. The Postfix LMTP
+      client will be absorbed into the SMTP client, so there is no reason
+      to keep adding features to the LMTP client.
+      - The cidr-based address matching code was rewritten.  The new
+      behavior is believed to be closer to expectation. The results may
+      be incompatible with that of the Postfix/IPv6 patch.
+
+ -- LaMont Jones <lamont at debian.org>  Sat,  5 Feb 2005 11:51:06 -0700
+
 postfix (2.1.5-6) unstable; urgency=low
 
   * inet_interfaces=loopback-only from 2.2 snapshot.  Closes: #293250, #292086

Added: postfix/trunk/debian/compat
===================================================================
--- postfix/trunk/debian/compat	                        (rev 0)
+++ postfix/trunk/debian/compat	2008-05-02 10:36:05 UTC (rev 837)
@@ -0,0 +1 @@
+4

Deleted: postfix/trunk/debian/conffiles
===================================================================
--- postfix/trunk/debian/conffiles	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/conffiles	2008-05-02 10:36:05 UTC (rev 837)
@@ -1,9 +0,0 @@
-/etc/init.d/postfix
-/etc/ppp/ip-up.d/postfix
-/etc/ppp/ip-down.d/postfix
-/etc/network/if-up.d/postfix
-/etc/network/if-down.d/postfix
-/etc/postfix/postfix-script
-/etc/postfix/post-install
-/etc/postfix/postfix-files
-/etc/resolvconf/update-libc.d/postfix
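Review bot: Removing debian/conffiles is consistent with the 2.2.10-2 changelog entry ("Drop conffiles listed under /etc, since debhelper does that for us now"), but nothing in this revision shows that the built package still marks all nine paths as conffiles. Please check the generated DEBIAN/conffiles of the resulting .deb against this deleted list, in particular /etc/postfix/postfix-script, /etc/postfix/post-install and /etc/postfix/postfix-files. Any of these that is now created by a maintainer script instead of being shipped in the package would lose conffile handling, and local edits to the init and if-up/if-down hooks would be overwritten on upgrade without a prompt.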

Deleted: postfix/trunk/debian/config
===================================================================
--- postfix/trunk/debian/config	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/config	2008-05-02 10:36:05 UTC (rev 837)
@@ -1,355 +0,0 @@
-#!/usr/bin/perl -w
-# -*-CPerl-*-
-# Script to configure Postfix.
-# Based on code by Colin Walters <walters at cis.ohio-state.edu>,
-# and John Goerzen <jgoerzen at progenylinux.com>.
-
-use Debconf::Client::ConfModule qw(:all);
-use Fcntl;
-
-my $version = version(2.0);
-capb("backup");
-title("Postfix Configuration");
-
-# begin configuration script
-  
-my $topstate;
-my $back;
-my $noninteractive;
-
-# Regexps for checking domain names, blatantly stolen from exim config
-my $rfc1035_label_re= '[0-9A-Za-z]([-0-9A-Za-z]*[0-9A-Za-z])?';
-my $rfc1035_domain_re= "$rfc1035_label_re(\\.$rfc1035_label_re)*";
-my $network_re= '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}';
-
-$topstate = "start";
-
-while ($topstate ne "done") {
- TOPSTATE: {
-    if ($topstate eq "start") {
-      if (fget("postfix/main_mailer_type", "isdefault") eq "true") {
-	if (-f "/etc/postfix/main.cf") {
-	    set("postfix/main_mailer_type", "No configuration");
-	}
-      }
-      $noninteractive = (((input("high", "postfix/main_mailer_type"))[0]) == 30);
-      if ($noninteractive) {
-	my $mailertype = get("postfix/main_mailer_type");
-	if ($mailertype eq "No configuration") {
-	  # We can't display a note here, because it could send mail,
-	  # which isn't configured...
-	  #$noninteractive = ((input("critical", "postfix/not_configured"))[0] == 30);
-	  #go();
-	  $topstate="ending-setup";
-	} else {
-	  $topstate="root";
-	}
-      } else {
-	go();
-	$back = (((go())[0]) == 30);
-	$mailertype = get("postfix/main_mailer_type");
-	if ($mailertype eq "No configuration") {
-	  $topstate="ending-setup";
-	} else {
-	  fset("postfix/main_mailer_type", "changed", "true");
-	  if ($back) {
-	    fset("postfix/main_mailer_type", "isdefault", "true");
-	    fset("postfix/db2_db3_upgrade", "isdefault", "true");
-	  } else {
-	    fset("postfix/main_mailer_type", "changed", "true");
-	    $topstate = "root";
-	    if (!(($mailertype eq "Internet with smarthost") ||
-		  ($mailertype eq "Satellite system") ||
-		  ($mailertype eq "HP"))) {
-	      set("postfix/relayhost", "");
-	      fset("postfix/relayhost", "changed", "true");
-	    }
-	  }
-	}
-      }
-    }
-
-    if ($topstate eq "root") {
-      if (fget("postfix/root_address", "isdefault") eq "true") {
-        open(F,"getent passwd 1000|");
-        @l=<F>;
-        close(F);
-        if ($#l > 0) {
-          $l[0] =~ s/:.*$//;
-          set("postfix/root_address",$l[0]);
-          fset("postfix/root_address", "changed", "true");
-        }
-      }
-      $noninteractive = (((input("medium", "postfix/root_address"))[0]) == 30);
-      if (!$noninteractive) {
-	go();
-	fset("postfix/root_address", "changed", "true");
-      }
-      $topstate="mailname";
-    }
-
-    if ($topstate eq "mailname") {
-      my $mailertype = get("postfix/main_mailer_type");
-      if (fget("postfix/mailname", "isdefault") eq "true") {
-	my $mailname;
-	if (-f "/etc/mailname") {
-	  $mailname =`cat /etc/mailname`;
-	  chomp $mailname;
-	} else {
-	  $mailname = `hostname --fqdn 2>/dev/null` || "localdomain";
-	  chomp $mailname;
-	} 
-	set("postfix/mailname", $mailname);
-      }
-      $noninteractive = (((input("high", "postfix/mailname"))[0]) == 30);
-      if ($noninteractive) {
-	$topstate = "relayhost";
-      } else {
-	$back = (((go())[0]) == 30);
-	if ($back) {
-	  fset("postfix/main_mailer_type", "isdefault", "true");
-	  fset("postfix/mailname", "isdefault", "true");
-	  $topstate = "type";
-	} else {
-	  # error checking
-	  my $mailname = get("postfix/mailname");
-	  fset("postfix/mailname", "changed", "true");
-	  if (not ($mailname =~ /$rfc1035_domain_re/)) {
-	    set("postfix/rfc1035_violation", "false");
-	    fset("postfix/rfc1035_violation", "isdefault", "true");
-	    subst("postfix/rfc1035_violation", "enteredstring", $mailname);
-	    $noninteractive = (((input("high", "postfix/rfc1035_violation"))[0]) == 30);
-	    $back = (((go())[0]) == 30);
-	    if ($back) {
-	      fset("postfix/mailname", "isdefault", "true");
-	      # and back around to ask mailname again.
-	    } 
-	    if (get("postfix/rfc1035_violation") eq "true") {
-	      # they wanted to continue despite the error
-	      $topstate = "relayhost";
-	    } else {
-	      fset("postfix/mailname", "isdefault", "true");
-	      # and back around to ask mailname again.
-	    }
-	  } else {
-	    # their mailname passed error checking, go on
-	    $topstate = "relayhost";
-	  }
-	}
-      }
-    }
-
-    if ($topstate eq "relayhost") {
-      my $mailertype = get("postfix/main_mailer_type");
-      if (($mailertype eq "Internet with smarthost") || ($mailertype eq "Satellite system")) {
-	if (fget("postfix/relayhost", "isdefault") eq "true") {
-	  my $hostname = `hostname --domain` || "localdomain";
-	  chomp $hostname;
-	  my $relayname = "smtp." . $hostname;
-	  set("postfix/relayhost", $relayname);
-	}
-	$noninteractive = (((input("high", "postfix/relayhost"))[0]) == 30);
-      } else {
-	# skip relayhost if we're an "Internet site" or a "Local only"
-	$topstate = "destinations";
-	$noninteractive=1;
-      }
-      if ($noninteractive) {
-	$topstate = "destinations";
-      } else {
-	$back = (((go())[0]) == 30);
-	if ($back) {
-	  fset("postfix/mailname", "isdefault", "true");
-	  fset("postfix/relayhost", "isdefault", "true");
-	  $topstate = "mailname"; # we skip back to the last question of
-	  # equal or higher priority
-	} else {
-	  fset("postfix/relayhost", "changed", "true");
-	  $topstate = "destinations";
-	}
-      }
-    }
-    
-    if ($topstate eq "destinations") {
-      my $mailertype = get("postfix/main_mailer_type");
-      my $hostname = `hostname --fqdn` || "localhost";
-      chomp $hostname;
-      my $domain = `hostname --domain` || "localdomain";
-      chomp $domain;
-      my $mailname = get("postfix/mailname") || "localhost";
-      my $destinations;
-      my $priority="medium";
-      if (fget("postfix/destinations", "set") eq "true") {
-	if ((-x "/usr/sbin/postconf") && (-f "/etc/postfix/main.cf")) {
-	  if (open(POSTCONF, "postconf -h mydestination |")) {
-	    $destinations=<POSTCONF>;
-	    close(POSTCONF);
-	    chomp $destinations;
-	    set("postfix/destinations", $destinations);
-	  }
-	}
-      } else {
-	if ($mailertype eq "Internet Site") {
-	  if ($mailname eq $hostname) {
-	    $destinations = join ", ",($mailname, "localhost." . $domain, ", localhost");
-	  } else {
-	    $destinations = join ", ",($mailname, $hostname, "localhost." . $domain . ", localhost");
-	  }
-	} else {
-	  # don't accept mail for $mailname by default if we have a relayhost or local only mail,
-	  # unless the mailname bears no resemblance to $myorigin.
-	  $destinations = join ", ",($hostname, "localhost." . $domain . ", localhost" );
-	  unless ( $hostname =~ m/(^|[\.])$mailname$/  ) {
-	    $destinations = $mailname . ", " . $destinations;
-	  }
-	}
-	set("postfix/destinations", $destinations);
-	fset("postfix/destinations","set","true");
-      }
-      if ($mailertype eq "Local only") {
-	$priority="low";
-      }
-      $noninteractive = (((input($priority, "postfix/destinations"))[0]) == 30);
-      if ($noninteractive) {
-	$topstate = "chattr";
-      } else {
-	$back = (((go())[0]) == 30);
-	if ($back) {
-	  fset("postfix/relayhost", "isdefault", "true");
-	  fset("postfix/destinations", "isdefault", "true");
-	  $topstate = "relayhost";
-	} else {
-	  fset("postfix/destinations", "changed", "true");
-	  $topstate = "chattr";
-	}
-      }
-    }
-
-    if ($topstate eq "chattr") {
-      $noninteractive = (((input("medium", "postfix/chattr"))[0]) == 30);
-      if ($noninteractive) {
-	$topstate = "mynetworks";
-      } else {
-	$back = (((go())[0]) == 30);
-	if ($back) {
-	  fset("postfix/destinations", "isdefault", "true");
-	  fset("postfix/chattr", "isdefault", "true");
-	  $topstate = "destinations";
-	} else {
-	  fset("postfix/chattr", "changed", "true");
-	  $topstate = "mynetworks";
-	}
-      }
-    }
-
-    if ($topstate eq "mynetworks") {
-      if ((-x "/usr/sbin/postconf") && (-f "/etc/postfix/main.cf")) {
-	my $mynetworks;
-	if (open(POSTCONF, "postconf -h mynetworks |")) {
-	  $mynetworks=<POSTCONF>;
-	  close(POSTCONF);
-	  chomp $mynetworks;
-	  set("postfix/mynetworks", $mynetworks);
-	}
-      }
-      $noninteractive = (((input("low", "postfix/mynetworks"))[0]) == 30);
-      if ($noninteractive) {
-	$topstate = "procmail";
-      } else {
-	$back = (((go())[0]) == 30);
-	if ($back) {
-	  fset("postfix/chattr", "isdefault", "true");
-	  fset("postfix/mynetworks", "isdefault", "true");
-	  $topstate = "chattr";
-	} else {
-	  fset("postfix/mynetworks", "changed", "true");
-	  $topstate = "procmail";
-	}
-      }
-    }
-
-    if ($topstate eq "procmail") {
-      if (fget("postfix/procmail", "isdefault") eq "true") {
-	my $pmdefault="false";
-	if (-x "/usr/bin/procmail") {
-	  $pmdefault="true";
-	}
-	set("postfix/procmail", $pmdefault);
-      }
-      if (-x "/usr/bin/procmail") {
-	$noninteractive = (((input("low", "postfix/procmail"))[0]) == 30);
-      } else {
-	$noninteractive = 1;
-      }
-      if ($noninteractive) {
-	$topstate = "mailbox_limit";
-      } else {
-	$back = (((go())[0]) == 30);
-	if ($back) {
-	  fset("postfix/mynetworks", "isdefault", "true");
-	  fset("postfix/procmail", "isdefault", "true");
-	  $topstate = "mynetworks";
-	} else {
-	  fset("postfix/procmail", "changed", "true");
-	  $topstate = "mailbox_limit";
-	}
-      }
-    }
-
-    if ($topstate eq "mailbox_limit") {
-      $noninteractive = (((input("low", "postfix/mailbox_limit"))[0]) == 30);
-      if ($noninteractive) {
-	$topstate = "recipient_delim";
-      } else {
-	$back = (((go())[0]) == 30);
-	if ($back) {
-	  fset("postfix/procmail", "isdefault", "true");
-	  fset("postfix/mailbox_limit", "isdefault", "true");
-	  $topstate = "procmail";
-	} else {
-	  fset("postfix/mailbox_limit", "changed", "true");
-	  $topstate = "recipient_delim";
-	}
-      }
-    }
-
-    if ($topstate eq "recipient_delim") {
-      $noninteractive = (((input("low", "postfix/recipient_delim"))[0]) == 30);
-      if ($noninteractive) {
-	$topstate = "ending-setup";
-      } else {
-	$back = (((go())[0]) == 30);
-	if ($back) {
-	  fset("postfix/mailbox_limit", "isdefault", "true");
-	  fset("postfix/recipient_delim", "isdefault", "true");
-	  $topstate = "mailbox_limit";
-	} else {
-	  my $delim = get("postfix/recipient_delim");
-	  if (length($delim) > 1) {
-	    fset("postfix/bad_recipient_delimiter","isdefault","true");
-	    subst("postfix/bad_recipient_delimiter", "enteredstring", $delim);
-	    $noninteractive = (((input("low", "postfix/bad_recipient_delimiter"))[0]) == 30);
-	    fset("postfix/recipient_delim","isdefault","true");
-	    # and do it again...
-	  } else {
-	    fset("postfix/recipient_delim", "changed", "true");
-	    $topstate = "ending-setup";
-	  }
-	}
-      }
-    }
-
-    if ($topstate eq "ending-setup") {
-      if ($ARGV[1] eq "reconfigure") {
-	# touch /var/lib/postfix/reload
-	sysopen RESTARTFILE, "/var/spool/postfix/reload", O_CREAT;
-	close RESTARTFILE;
-      } else {
-	# touch /var/lib/postfix/restart
-	sysopen RESTARTFILE, "/var/spool/postfix/restart", O_CREAT;
-	close RESTARTFILE;
-      }
-      $topstate = "done";
-    }
-  }				# end TOPSTATE
-}				# end while ($topstate ne q(done))
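Review bot: the mailname check at "if (not ($mailname =~ /$rfc1035_domain_re/))" is unanchored, so it accepts any string that contains a single letter or digit, and the rfc1035_violation prompt only fires for input with no alphanumeric character at all. If this script lives on under another name, anchor the pattern, for example /^$rfc1035_domain_re$/, before the value is stored as postfix/mailname. In the root_address block, "if ($#l > 0)" also looks wrong: $#l is the last index, so a single line of getent output gives 0 and the UID 1000 default is never set; "@l > 0" would express the intent.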

Modified: postfix/trunk/debian/control
===================================================================
--- postfix/trunk/debian/control	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/control	2008-05-02 10:36:05 UTC (rev 837)
@@ -2,22 +2,19 @@
 Section: mail
 Priority: extra
 Maintainer: LaMont Jones <lamont at debian.org>
-Standards-Version: 3.5.2.0
-Build-Depends: debhelper (>= 4.1.16), libdb4.2-dev, libgdbm-dev, libldap2-dev (>=2.1), libpcre3-dev, libmysqlclient10-dev, patch, libssl-dev (>=0.9.7-1), libsasl2-dev, postgresql-dev, po-debconf (>= 0.5.0), groff-base, dpatch
+Standards-Version: 3.7.2.0
+Build-Depends: debhelper (>= 4.1.16), po-debconf (>= 0.5.0), groff-base, patch, dpatch, lsb-release, libdb4.3-dev, libgdbm-dev, libldap2-dev (>=2.1), libpcre3-dev, libmysqlclient15-dev|libmysqlclient14-dev, libssl-dev (>=0.9.7-1), libsasl2-dev, libpq-dev, libcdb-dev
 
 Package: postfix
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, adduser (>=3.48), dpkg (>= 1.8.3)
-Recommends: mail-reader, resolvconf
-Replaces: postfix-doc (<<1.1.7-0), postfix-tls
-Suggests: procmail, postfix-mysql, postfix-pgsql, postfix-ldap, postfix-pcre
-Conflicts: mail-transport-agent, smail, libnss-db (<< 2.2-3), postfix-tls (<< 2.0-0)
-Provides: mail-transport-agent
+Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, adduser (>=3.48), dpkg (>= 1.8.3), lsb-base (>=3.0-6), ssl-cert
+Recommends: mail-reader
+Replaces: postfix-doc (<<1.1.7-0), postfix-tls, mail-transport-agent
+Suggests: procmail, postfix-mysql, postfix-pgsql, postfix-ldap, postfix-pcre, sasl2-bin, libsasl2-modules, resolvconf, postfix-cdb
+Conflicts: mail-transport-agent, smail, libnss-db (<< 2.2-3), postfix-tls
+Provides: mail-transport-agent, postfix-tls
 Description: A high-performance mail transport agent
  ${Description}
- .
- This package does not have SASL or TLS support.  For SASL and TLS support,
- install postfix-tls.
 
 Package: postfix-ldap
 Architecture: any
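Review bot: the added "Provides: mail-transport-agent, postfix-tls" is an unversioned Provides, and an unversioned Provides only satisfies unversioned dependencies, so anything that depends on postfix-tls with a version constraint stops being installable once the real package is dropped. Confirm that no reverse dependency is versioned, or keep a transitional postfix-tls package for one release. Separately, the alternative "libmysqlclient15-dev|libmysqlclient14-dev" in Build-Depends lets the MySQL client library that gets linked depend on what the build host happens to have installed; a single named package keeps builds reproducible.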
@@ -28,6 +25,15 @@
  This provides support for LDAP maps in Postfix.  If you plan to use LDAP maps
  with Postfix, you need this.
 
+Package: postfix-cdb
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, postfix (= ${Source-Version})
+Description: CDB map support for Postfix
+ ${Description}
+ .
+ This provides support for CDB (constant database) maps in Postfix.  If you
+ plan to use CDB maps with Postfix, you need this.
+
 Package: postfix-pcre
 Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends}, postfix (= ${Source-Version})
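Review bot: the new postfix-cdb stanza copies "postfix (= ${Source-Version})" from the neighbouring stanzas, and ${Source-Version} is a deprecated substitution variable whose name does not say whether the source or the binary version is meant. Since Standards-Version is being raised in the same commit, use ${binary:Version} here and convert the existing stanzas to match.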
@@ -75,14 +81,3 @@
  ${Description}
  .
  This package provides documentation for Postfix.
-
-Package: postfix-tls
-Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, postfix (= ${Source-Version})
-Conflicts: postfix-snap-tls
-Recommends: mail-reader
-Description: TLS and SASL support for Postfix
- ${Description}
- .
- This package adds support for TLS (see RFC 2487) and SASL (see RFC 2554) to
- Postfix.

Deleted: postfix/trunk/debian/copyright
===================================================================
--- postfix/trunk/debian/copyright	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/copyright	2008-05-02 10:36:05 UTC (rev 837)
@@ -1,326 +0,0 @@
-This is the Debian GNU/Linux prepackaged version of Postfix, a mail transport
-agent.
-
-Postfix was created by Wietse Venema <wietse at porcupine.org>; the Debian
-package has been assembled by LaMont Jones <lamont at debian.org> from sources
-available from http://www.postfix.org.
-
-
-    Copyright (c) 1999, International Business Machines Corporation 
-    and others. All Rights Reserved.  
-
-The following copyright and license applies to this software:
-
-    IBM PUBLIC LICENSE VERSION 1.0 - SECURE MAILER
-
-    THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS IBM PUBLIC
-    LICENSE ("AGREEMENT").  ANY USE, REPRODUCTION OR DISTRIBUTION OF THE
-    PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
-
-    1.  DEFINITIONS
-
-    "Contribution" means:  
-	a) in the case of International Business Machines Corporation ("IBM"), 
-	   the Original Program, and 
-	b) in the case of each Contributor, 
-	   i)  changes to the Program, and
-	   ii) additions to the Program;
-	       where such changes and/or additions to the Program originate
-	       from and are distributed by that particular Contributor.  
-	       A Contribution 'originates' from a Contributor if it was added 
-	       to the Program by such Contributor itself or anyone acting on 
-	       such Contributor's behalf.  
-	Contributions do not include additions to the Program which:
-	   (i)  are separate modules of software distributed in conjunction 
-		with the Program under their own license agreement, and 
-	   (ii) are not derivative works of the Program.
-
-    "Contributor" means IBM and any other entity that distributes the Program.
-
-    "Licensed Patents " mean patent claims licensable by a Contributor which
-    are necessarily infringed by the use or sale of its Contribution alone
-    or when combined with the Program.
-
-    "Original Program" means the original version of the software accompanying
-    this Agreement as released by IBM, including source code, object code
-    and documentation, if any.
-
-    "Program" means the Original Program and Contributions.
-
-    "Recipient" means anyone who receives the Program under this Agreement, 
-    including all Contributors.
-
-    2.  GRANT OF RIGHTS
-
-	a) Subject to the terms of this Agreement, each Contributor hereby
-	grants Recipient a non-exclusive, worldwide, royalty-free copyright
-	license to reproduce, prepare derivative works of, publicly display,
-	publicly perform, distribute and sublicense the Contribution of such
-	Contributor, if any, and such derivative works, in source code and
-	object code form.
-
-	b) Subject to the terms of this Agreement, each Contributor hereby
-	grants Recipient a non-exclusive, worldwide, royalty-free patent
-	license under Licensed Patents to make, use, sell, offer to sell,
-	import and otherwise transfer the Contribution of such Contributor,
-	if any, in source code and object code form.  This patent license
-	shall apply to the combination of the Contribution and the Program
-	if, at the time the Contribution is added by the Contributor, such
-	addition of the Contribution causes such combination to be covered
-	by the Licensed Patents.  The patent license shall not apply to any
-	other combinations which include the Contribution.  No hardware per
-	se is licensed hereunder.
-
-	c) Recipient understands that although each Contributor grants the
-	licenses to its Contributions set forth herein, no assurances are
-	provided by any Contributor that the Program does not infringe the
-	patent or other intellectual property rights of any other entity.
-	Each Contributor disclaims any liability to Recipient for claims
-	brought by any other entity based on infringement of intellectual
-	property rights or otherwise.  As a condition to exercising the rights
-	and licenses granted hereunder, each Recipient hereby assumes sole
-	responsibility to secure any other intellectual property rights
-	needed, if any.  For example, if a third party patent license
-	is required to allow Recipient to distribute the Program, it is
-	Recipient's responsibility to acquire that license before distributing
-	the Program.
-
-	d) Each Contributor represents that to its knowledge it has sufficient
-	copyright rights in its Contribution, if any, to grant the copyright
-	license set forth in this Agreement.
-
-    3.  REQUIREMENTS
-
-    A Contributor may choose to distribute the Program in object code form 
-    under its own license agreement, provided that:
-	a) it complies with the terms and conditions of this Agreement; and
-	b) its license agreement:
-	   i)   effectively disclaims on behalf of all Contributors all
-		warranties and conditions, express and implied, including
-		warranties or conditions of title and non-infringement, and
-		implied warranties or conditions of merchantability and fitness
-		for a particular purpose;
-	   ii)  effectively excludes on behalf of all Contributors all 
-		liability for damages, including direct, indirect, special, 
-		incidental and consequential damages, such as lost profits; 
-	   iii) states that any provisions which differ from this Agreement 
-		are offered by that Contributor alone and not by any other 
-		party; and
-	   iv)  states that source code for the Program is available from 
-		such Contributor, and informs licensees how to obtain it in a 
-		reasonable manner on or through a medium customarily used for 
-		software exchange. 
-
-    When the Program is made available in source code form:
-	a) it must be made available under this Agreement; and 
-	b) a copy of this Agreement must be included with each copy of the 
-	   Program.  
-
-    Each Contributor must include the following in a conspicuous location 
-    in the Program: 
-
-	Copyright (c) 1997,1998,1999, International Business Machines
-	Corporation and others. All Rights Reserved.
-
-    In addition, each Contributor must identify itself as the originator of
-    its Contribution, if any, in a manner that reasonably allows subsequent
-    Recipients to identify the originator of the Contribution. 
-
-    4.  COMMERCIAL DISTRIBUTION
-
-    Commercial distributors of software may accept certain responsibilities
-    with respect to end users, business partners and the like.  While this
-    license is intended to facilitate the commercial use of the Program, the
-    Contributor who includes the Program in a commercial product offering
-    should do so in a manner which does not create potential liability for
-    other Contributors.   Therefore, if a Contributor includes the Program in
-    a commercial product offering, such Contributor ("Commercial Contributor")
-    hereby agrees to defend and indemnify every other Contributor
-    ("Indemnified Contributor") against any losses, damages and costs
-    (collectively "Losses") arising from claims, lawsuits and other legal
-    actions brought by a third party against the Indemnified Contributor to
-    the extent caused by the acts or omissions of such Commercial Contributor
-    in connection with its distribution of the Program in a commercial
-    product offering.  The obligations in this section do not apply to any
-    claims or Losses relating to any actual or alleged intellectual property
-    infringement.  In order to qualify, an Indemnified Contributor must:
-	a) promptly notify the Commercial Contributor in writing of such claim,
-    and 
-	b) allow the Commercial Contributor to control, and cooperate with
-	   the Commercial Contributor in, the defense and any related 
-	   settlement negotiations.  The Indemnified Contributor may 
-	   participate in any such claim at its own expense.
-
-    For example, a Contributor might include the Program in a commercial
-    product offering, Product X.  That Contributor is then a Commercial
-    Contributor.  If that Commercial Contributor then makes performance
-    claims, or offers warranties related to Product X, those performance
-    claims and warranties are such Commercial Contributor's responsibility
-    alone.  Under this section, the Commercial Contributor would have to
-    defend claims against the other Contributors related to those performance
-    claims and warranties, and if a court requires any other Contributor to
-    pay any damages as a result, the Commercial Contributor must pay those
-    damages.
-
-    5.  NO WARRANTY
-
-    EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED
-    ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER
-    EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
-    CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A
-    PARTICULAR PURPOSE. Each Recipient is solely responsible for determining
-    the appropriateness of using and distributing the Program and assumes
-    all risks associated with its exercise of rights under this Agreement,
-    including but not limited to the risks and costs of program errors,
-    compliance with applicable laws, damage to or loss of data, programs or
-    equipment, and unavailability or interruption of operations. 
-
-    6.  DISCLAIMER OF LIABILITY
-
-    EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR
-    ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT,
-    INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING
-    WITHOUT LIMITATION LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
-    LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
-    NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION
-    OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF
-    ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
-
-    7.  GENERAL
-
-    If any provision of this Agreement is invalid or unenforceable under
-    applicable law, it shall not affect the validity or enforceability of
-    the remainder of the terms of this Agreement, and without further action
-    by the parties hereto, such provision shall be reformed to the minimum
-    extent necessary to make such provision valid and enforceable.
-
-    If Recipient institutes patent litigation against a Contributor with
-    respect to a patent applicable to software (including a cross-claim or
-    counterclaim in a lawsuit), then any patent licenses granted by that
-    Contributor to such Recipient under this Agreement shall terminate
-    as of the date such litigation is filed.  In addition, If Recipient
-    institutes patent litigation against any entity (including a cross-claim
-    or counterclaim in a lawsuit) alleging that the Program itself (excluding
-    combinations of the Program with other software or hardware) infringes
-    such Recipient's patent(s), then such Recipient's rights granted under
-    Section 2(b) shall terminate as of the date such litigation is filed.
-
-    All Recipient's rights under this Agreement shall terminate if it fails
-    to comply with any of the material terms or conditions of this Agreement
-    and does not cure such failure in a reasonable period of time after
-    becoming aware of such noncompliance.  If all Recipient's rights under
-    this Agreement terminate, Recipient agrees to cease use and distribution
-    of the Program as soon as reasonably practicable.  However, Recipient's
-    obligations under this Agreement and any licenses granted by Recipient
-    relating to the Program shall continue and survive. 
-
-    IBM may publish new versions (including revisions) of this Agreement
-    from time to time.  Each new version of the Agreement will be given a
-    distinguishing version number.  The Program (including Contributions)
-    may always be distributed subject to the version of the Agreement under
-    which it was received. In addition, after a new version of the Agreement
-    is published, Contributor may elect to distribute the Program (including
-    its Contributions) under the new version. No one other than IBM has the
-    right to modify this Agreement.  Except as expressly stated in Sections
-    2(a) and 2(b) above, Recipient receives no rights or licenses to the
-    intellectual property of any Contributor under this Agreement, whether
-    expressly, by implication, estoppel or otherwise.  All rights in the
-    Program not expressly granted under this Agreement are reserved.
-
-    This Agreement is governed by the laws of the State of New York and the
-    intellectual property laws of the United States of America. No party to
-    this Agreement will bring a legal action under this Agreement more than
-    one year after the cause of action arose.  Each party waives its rights
-    to a jury trial in any resulting litigation. 
-
-The following license applies to rmail, distributed with Postfix:
-
-			     SENDMAIL LICENSE
-
-    The following license terms and conditions apply, unless a different
-    license is obtained from Sendmail, Inc., 6425 Christie Ave, Fourth Floor,
-    Emeryville, CA 94608, or by electronic mail at license at sendmail.com.
-
-    License Terms:
-
-    Use, Modification and Redistribution (including distribution of any
-    modified or derived work) in source and binary forms is permitted only if
-    each of the following conditions is met:
-
-    1. Redistributions qualify as "freeware" or "Open Source Software" under
-       one of the following terms:
-
-       (a) Redistributions are made at no charge beyond the reasonable cost of
-	   materials and delivery.
-
-       (b) Redistributions are accompanied by a copy of the Source Code or by an
-	   irrevocable offer to provide a copy of the Source Code for up to three
-	   years at the cost of materials and delivery.  Such redistributions
-	   must allow further use, modification, and redistribution of the Source
-	   Code under substantially the same terms as this license.  For the
-	   purposes of redistribution "Source Code" means the complete compilable
-	   and linkable source code of sendmail including all modifications.
-
-    2. Redistributions of source code must retain the copyright notices as they
-       appear in each source code file, these license terms, and the
-       disclaimer/limitation of liability set forth as paragraph 6 below.
-
-    3. Redistributions in binary form must reproduce the Copyright Notice,
-       these license terms, and the disclaimer/limitation of liability set
-       forth as paragraph 6 below, in the documentation and/or other materials
-       provided with the distribution.  For the purposes of binary distribution
-       the "Copyright Notice" refers to the following language:
-       "Copyright (c) 1998-2000 Sendmail, Inc.  All rights reserved."
-
-    4. Neither the name of Sendmail, Inc. nor the University of California nor
-       the names of their contributors may be used to endorse or promote
-       products derived from this software without specific prior written
-       permission.  The name "sendmail" is a trademark of Sendmail, Inc.
-
-    5. All redistributions must comply with the conditions imposed by the
-       University of California on certain embedded code, whose copyright
-       notice and conditions for redistribution are as follows:
-
-       (a) Copyright (c) 1988, 1993 The Regents of the University of
-	   California.  All rights reserved.
-
-       (b) Redistribution and use in source and binary forms, with or without
-	   modification, are permitted provided that the following conditions
-	   are met:
-
-	  (i)   Redistributions of source code must retain the above copyright
-		notice, this list of conditions and the following disclaimer.
-
-	  (ii)  Redistributions in binary form must reproduce the above
-		copyright notice, this list of conditions and the following
-		disclaimer in the documentation and/or other materials provided
-		with the distribution.
-
-	  (iii) Neither the name of the University nor the names of its
-		contributors may be used to endorse or promote products derived
-		from this software without specific prior written permission.
-
-    6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY
-       SENDMAIL, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
-       WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-       MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN
-       NO EVENT SHALL SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF
-       CALIFORNIA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
-       INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-       NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
-       USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
-       ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-       (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-       THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
-
-    $Revision: 1.1.4.3 $, Last updated $Date: 2003/07/23 16:13:15 $
-
-The TLS patch was written by Lutz Jänicke <Lutz.Jaenicke at aet.TU-Cottbus.DE>.
-Downlaoded from ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls, it has the
-following license:
-
-    This software is free. You can do with it whatever you want. I would
-    however kindly ask you to acknowledge the use of this package, if you
-    are going use it in your software, which you might be going to
-    distribute. I would also like to receive a note if you are a satisfied
-    user :-)

Modified: postfix/trunk/debian/dirs
===================================================================
--- postfix/trunk/debian/dirs	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/dirs	2008-05-02 10:36:05 UTC (rev 837)
@@ -4,6 +4,7 @@
 etc/ppp/ip-down.d
 etc/network/if-up.d
 etc/network/if-down.d
+etc/postfix/sasl
 usr/bin
 usr/sbin
 usr/lib/postfix

Modified: postfix/trunk/debian/functions
===================================================================
--- postfix/trunk/debian/functions	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/functions	2008-05-02 10:36:05 UTC (rev 837)
@@ -1,3 +1,4 @@
+DISTRO=$(lsb_release -is 2>/dev/null || echo Debian)
 addmap()
 {   
     name=$1
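Review bot: the added DISTRO line runs lsb_release, but the control change in this commit puts lsb-release only in Build-Depends, while the postfix binary package gains lsb-base, which does not ship that command. If this file is sourced by maintainer scripts at install time, a system without lsb-release silently takes the "|| echo Debian" fallback, so any branch keyed on DISTRO follows the Debian path on a derivative as well. Either add lsb-release to the package Depends or state in a comment that Debian is the intended default, and note where DISTRO is consumed, since nothing in the lines shown reads it.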

Modified: postfix/trunk/debian/init.d
===================================================================
--- postfix/trunk/debian/init.d	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/init.d	2008-05-02 10:36:05 UTC (rev 837)
@@ -18,64 +18,93 @@
 
 test -x $DAEMON && test -f /etc/postfix/main.cf || exit 0
 
+. /lib/lsb/init-functions
+DISTRO=$(lsb_release -is 2>/dev/null || echo Debian)
+
+running() {
+    queue=$(postconf -h queue_directory 2>/dev/null || echo /var/spool/postfix)
+    if [ -f ${queue}/pid/master.pid ]; then
+	pid=$(sed 's/ //g' ${queue}/pid/master.pid)
+	exe=$(ls -l /proc/$pid/exe 2>/dev/null | sed 's/.* //; s/.*\///')
+	if [ "X$exe" = "Xmaster" ]; then
+	    echo y
+	fi
+    fi
+}
 case "$1" in
     start)
-	echo -n "Starting mail transport agent: Postfix"
+	log_daemon_msg "Starting Postfix Mail Transport Agent" postfix
+	RUNNING=$(running)
+	if [ -n "$RUNNING" ]; then
+	    log_end_msg 0
+	else
+	    # see if anything is running chrooted.
+	    NEED_CHROOT=$(awk '/^[0-9a-z]/ && ($5 ~ "[-yY]") { print "y"; exit}' /etc/postfix/master.cf)
 
-	# see if anything is running chrooted.
-	NEED_CHROOT=$(awk '/^[0-9a-z]/ && ($5 ~ "[-yY]") { print "y"; exit}' /etc/postfix/master.cf)
+	    if [ -n "$NEED_CHROOT" ] && [ -n "$SYNC_CHROOT" ]; then
+		# Make sure that the chroot environment is set up correctly.
+		oldumask=$(umask)
+		umask 022
+		cd $(postconf -h queue_directory)
 
-	if [ -n "$NEED_CHROOT" ] && [ -n "$SYNC_CHROOT" ]; then
-	    # Make sure that the chroot environment is set up correctly.
-	    oldumask=$(umask)
-	    umask 022
-	    cd $(postconf -h queue_directory)
+		# if we're using unix:passwd.byname, then we need to add etc/passwd.
+		local_maps=$(postconf -h local_recipient_maps)
+		if [ "X$local_maps" != "X${local_maps#*unix:passwd.byname}" ]; then
+		    if [ "X$local_maps" = "X${local_maps#*proxy:unix:passwd.byname}" ]; then
+			sed 's/^\([^:]*\):[^:]*/\1:x/' /etc/passwd > etc/passwd
+			chmod a+r etc/passwd
+		    fi
+		fi
 
-	    # if we're using unix:passwd.byname, then we need to add etc/passwd.
-	    local_maps=$(postconf -h local_recipient_maps)
-	    if [ "X$local_maps" != "X${local_maps#*unix:passwd.byname}" ]; then
-		if [ "X$local_maps" = "X${local_maps#*proxy:unix:passwd.byname}" ]; then
-		    sed 's/^\([^:]*\):[^:]*/\1:x/' /etc/passwd > etc/passwd
-		    chmod a+r etc/passwd
-		fi
+		FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
+		    etc/nsswitch.conf etc/nss_mdns.config"
+		for file in $FILES; do 
+		    [ -d ${file%/*} ] || mkdir -p ${file%/*}
+		    if [ -f /${file} ]; then rm -f ${file} && cp /${file} ${file}; fi
+		    if [ -f  ${file} ]; then chmod a+rX ${file}; fi
+		done
+		rm -f usr/lib/zoneinfo/localtime
+		mkdir -p usr/lib/zoneinfo
+		ln -sf /etc/localtime usr/lib/zoneinfo/localtime
+		rm -f lib/libnss_*so*
+		tar cf - /lib/libnss_*so* 2>/dev/null |tar xf -
+		umask $oldumask
 	    fi
 
-	    FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
-		etc/nsswitch.conf"
-	    for file in $FILES; do 
-		[ -d ${file%/*} ] || mkdir -p ${file%/*}
-		if [ -f /${file} ]; then rm -f ${file} && cp /${file} ${file}; fi
-		if [ -f  ${file} ]; then chmod a+rX ${file}; fi
-	    done
-	    rm -f usr/lib/zoneinfo/localtime
-	    ln -sf /etc/localtime usr/lib/zoneinfo/localtime
-	    rm -f lib/libnss_*so*
-	    tar cf - /lib/libnss_*so* 2>/dev/null |tar xf -
-	    umask $oldumask
+	    if start-stop-daemon --start --exec ${DAEMON} -- quiet-quick-start; then
+		log_end_msg 0
+	    else
+		log_end_msg 1
+	    fi
 	fi
-
-	start-stop-daemon --start --exec ${DAEMON} -- start 2>&1 |
-		(grep -v 'starting the Postfix' 1>&2 || /bin/true)
-	echo "."
     ;;
 
     stop)
-	echo -n "Stopping mail transport agent: Postfix"
-	${DAEMON} stop 2>&1 |
-		(grep -v 'stopping the Postfix' 1>&2 || /bin/true)
-	echo "."
+	RUNNING=$(running)
+	log_daemon_msg "Stopping Postfix Mail Transport Agent" postfix
+	if [ -n "$RUNNING" ]; then
+	    if ${DAEMON} quiet-stop; then
+		log_end_msg 0
+	    else
+		log_end_msg 1
+	    fi
+	else
+	    log_end_msg 0
+	fi
     ;;
 
     restart)
-        $0 stop || true
+        $0 stop
         $0 start
     ;;
     
     force-reload|reload)
-	echo -n "Reloading Postfix configuration..."
-	${DAEMON} reload 2>&1 |
-		(grep -v 'refreshing the Postfix' 1>&2 || /bin/true)
-	echo "done."
+	log_action_begin_msg "Reloading Postfix configuration"
+	if ${DAEMON} quiet-reload; then
+	    log_action_end_msg 0
+	else
+	    log_action_end_msg 1
+	fi
     ;;
 
     flush|check|abort)
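Review bot: In the chroot-sync block under start), `cd $(postconf -h queue_directory)` is unquoted and its result is never checked. If postconf prints nothing, `cd` with no argument changes to $HOME and succeeds, so the following `sed ... > etc/passwd`, `rm -f lib/libnss_*so*` and `tar xf -` all act relative to the wrong directory with the init script's privileges. Resolve the directory once into a variable, refuse to continue when it is empty, and fail closed, for example `cd "$dir" || { log_end_msg 1; exit 1; }`. Quoting `${file}` and `${file%/*}` in the copy loop would be worth doing in the same pass.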
@@ -83,7 +112,7 @@
     ;;
 
     *)
-	echo "Usage: /etc/init.d/postfix {start|stop|restart|reload|flush|check|abort|force-reload}"
+	log_action_msg "Usage: /etc/init.d/postfix {start|stop|restart|reload|flush|check|abort|force-reload}"
 	exit 1
     ;;
 esac

Modified: postfix/trunk/debian/ip-down.d
===================================================================
--- postfix/trunk/debian/ip-down.d	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/ip-down.d	2008-05-02 10:36:05 UTC (rev 837)
@@ -1,12 +1,34 @@
 #!/bin/sh -e
 
-# Called when ppp disconnects
+# Called when an interface disconnects
 # Written by LaMont Jones <lamont at debian.org>
 
 # start or reload Postfix as needed
+
+# If /usr isn't mounted yet, silently bail.
+if [ ! -d /usr/lib/postfix ]; then
+	exit 0
+fi
+
+RUNNING=""
+# If master is running, force a queue run to unload any mail that is
+# hanging around.  Yes, sendmail is a symlink...
+if [ -f /var/spool/postfix/pid/master.pid ]; then
+	pid=$(sed 's/ //g' /var/spool/postfix/pid/master.pid)
+	exe=$(ls -l /proc/$pid/exe 2>/dev/null | sed 's/.* //;s/.*\///')
+	if [ "X$exe" = "Xmaster" ]; then
+		RUNNING="y"
+	fi
+fi
+
 if [ ! -x /sbin/resolvconf ]; then
-	cp /etc/resolv.conf $(postconf -h queue_directory)/etc/resolv.conf
-	/etc/init.d/postfix reload >/dev/null 2>&1
+	f=/etc/resolv.conf
+	if ! cp $f $(postconf -h queue_directory)$f 2>/dev/null; then
+		exit 0
+	fi
+	if [ -n "$RUNNING" ]; then
+		/etc/init.d/postfix reload >/dev/null 2>&1
+	fi
 fi
 
 exit 0
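Review bot: The new RUNNING check reads the hard-coded `/var/spool/postfix/pid/master.pid`, while the `cp` a few lines below targets `$(postconf -h queue_directory)`. With a non-default queue_directory the resolv.conf copy lands in the right place but RUNNING stays empty, so the reload is silently skipped. running() in init.d already looks up queue_directory with a fallback to /var/spool/postfix; use the same lookup here. The comment "force a queue run to unload any mail that is hanging around" was carried over from ip-up.d and does not describe anything this script does.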

Modified: postfix/trunk/debian/ip-up.d
===================================================================
--- postfix/trunk/debian/ip-up.d	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/ip-up.d	2008-05-02 10:36:05 UTC (rev 837)
@@ -2,20 +2,42 @@
 # Called when a new interface comes up
 # Written by LaMont Jones <lamont at debian.org>
 
-# start or reload Postfix as needed
-if [ ! -x /sbin/resolvconf ]; then
-	cp /etc/resolv.conf $(postconf -h queue_directory)/etc/resolv.conf
-	/etc/init.d/postfix reload >/dev/null 2>&1
+# don't bother to restart postfix when lo is configured.
+if [ "$IFACE" = "lo" ]; then
+	exit 0
 fi
 
+# If /usr isn't mounted yet, silently bail.
+if [ ! -d /usr/lib/postfix ]; then
+	exit 0
+fi
+
+RUNNING=""
 # If master is running, force a queue run to unload any mail that is
 # hanging around.  Yes, sendmail is a symlink...
 if [ -f /var/spool/postfix/pid/master.pid ]; then
 	pid=$(sed 's/ //g' /var/spool/postfix/pid/master.pid)
-	exe=$(ls -l /proc/$pid/exe 2>/dev/null | sed 's/.* //')
-	if [ "X$exe" = "X/usr/lib/postfix/master" ]; then
-		if [ -x /usr/sbin/sendmail ]; then
-			/usr/sbin/sendmail -q
-		fi
+	exe=$(ls -l /proc/$pid/exe 2>/dev/null | sed 's/.* //;s/.*\///')
+	if [ "X$exe" = "Xmaster" ]; then
+		RUNNING="y"
 	fi
 fi
+
+# start or reload Postfix as needed
+if [ ! -x /sbin/resolvconf ]; then
+	f=/etc/resolv.conf
+	if ! cp $f $(postconf -h queue_directory)$f 2>/dev/null; then
+		exit 0
+	fi
+	if [ -n "$RUNNING" ]; then
+		/etc/init.d/postfix reload >/dev/null 2>&1
+	fi
+fi
+
+# If master is running, force a queue run to unload any mail that is
+# hanging around.  Yes, sendmail is a symlink...
+if [ -n "$RUNNING" ]; then
+	if [ -x /usr/sbin/sendmail ]; then
+		/usr/sbin/sendmail -q >/dev/null 2>&1
+	fi
+fi
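Review bot: The exe comparison is relaxed from the full path `X/usr/lib/postfix/master` to the basename `Xmaster`, so a stale pid file whose pid has been reused by any binary named master now counts as a running Postfix and leads to the reload and `sendmail -q`. Parsing `ls -l` also fails when the binary has been replaced on disk: Linux reports the link target as ".../master (deleted)", the first sed expression keeps only "(deleted)", and RUNNING stays empty after an upgrade. Consider `readlink /proc/$pid/exe` compared against `$(postconf -h daemon_directory)/master`, with the " (deleted)" suffix handled explicitly. The "If master is running, force a queue run" comment now appears twice; the copy above the detection block should be reworded to say it only detects the master process.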

Modified: postfix/trunk/debian/lintian-override
===================================================================
--- postfix/trunk/debian/lintian-override	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/lintian-override	2008-05-02 10:36:05 UTC (rev 837)
@@ -1,3 +1,4 @@
 # Lintian doesn't know how to parse the damn files.
 postfix: postinst-unsafe-ldconfig
 postfix: postrm-unsafe-ldconfig
+postfix: package-name-doesnt-match-sonames
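Review bot: The new `postfix: package-name-doesnt-match-sonames` override is added under the existing comment "Lintian doesn't know how to parse the damn files", which does not explain this tag. Add a one-line comment stating why the soname mismatch is intentional, so the override can be re-evaluated when the shared libraries or package layout change.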

Added: postfix/trunk/debian/main.cf.in
===================================================================
--- postfix/trunk/debian/main.cf.in	                        (rev 0)
+++ postfix/trunk/debian/main.cf.in	2008-05-02 10:36:05 UTC (rev 837)
@@ -0,0 +1,16 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (@@DISTRO@@)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
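Review bot: `smtpd_banner = $myhostname ESMTP $mail_name (@@DISTRO@@)` depends on a substitution step that this template never mentions; if main.cf.in is installed unprocessed, the server greets clients with the literal token. Add a header comment naming the script that fills in @@DISTRO@@. If the value is the DISTRO variable that debian/functions and init.d set from `lsb_release -is` in this revision, whatever performs the substitution should restrict it to a safe character set before writing it into main.cf, because that output is taken as-is.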

Modified: postfix/trunk/debian/patches/00list
===================================================================
--- postfix/trunk/debian/patches/00list	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/patches/00list	2008-05-02 10:36:05 UTC (rev 837)
@@ -1,13 +1,17 @@
 10cyrus
 10greylist
-10hostname
 10main.cf
 10man
+10man-names
 10master.cf
+10myorigin
+10postfix-script
 10rmail
 10smtplinelength
+10tls
+10tlsmgr
+10warnings
 20maps
-50tls
-60hpux
+30hurd
 30-kolab
-40-kolab-ldap-leafonly.dpatch
+40-kolab-ldap-leafonly

Modified: postfix/trunk/debian/patches/10cyrus.dpatch
===================================================================
--- postfix/trunk/debian/patches/10cyrus.dpatch	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/patches/10cyrus.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -5,9 +5,9 @@
 ## DP: No description.
 
 @DPATCH@
-diff -urNad postfix-2.1.5/README_FILES/CYRUS_README /tmp/dpep.PCT31n/postfix-2.1.5/README_FILES/CYRUS_README
---- postfix-2.1.5/README_FILES/CYRUS_README	2004-04-11 15:05:32.000000000 -0600
-+++ /tmp/dpep.PCT31n/postfix-2.1.5/README_FILES/CYRUS_README	2004-12-27 22:18:15.721024714 -0700
+diff -urNad work/README_FILES/CYRUS_README /tmp/dpep.QH9rwq/work/README_FILES/CYRUS_README
+--- work/README_FILES/CYRUS_README	2005-02-05 11:40:32.000000000 -0700
++++ /tmp/dpep.QH9rwq/work/README_FILES/CYRUS_README	2005-02-05 11:59:04.618649066 -0700
 @@ -3,3 +3,4 @@
  -------------------------------------------------------------------------------
  This document will be made available via http://www.postfix.org/.

Modified: postfix/trunk/debian/patches/10greylist.dpatch
===================================================================
--- postfix/trunk/debian/patches/10greylist.dpatch	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/patches/10greylist.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -5,9 +5,9 @@
 ## DP: No description.
 
 @DPATCH@
-diff -urNad postfix-2.1.5/examples/smtpd-policy/greylist.pl /tmp/dpep.TDysRy/postfix-2.1.5/examples/smtpd-policy/greylist.pl
---- postfix-2.1.5/examples/smtpd-policy/greylist.pl	2004-02-10 18:37:27.000000000 -0700
-+++ /tmp/dpep.TDysRy/postfix-2.1.5/examples/smtpd-policy/greylist.pl	2004-12-27 22:18:25.645891286 -0700
+diff -urNad work/examples/smtpd-policy/greylist.pl /tmp/dpep.77gsTr/work/examples/smtpd-policy/greylist.pl
+--- work/examples/smtpd-policy/greylist.pl	2005-02-05 11:40:32.000000000 -0700
++++ /tmp/dpep.77gsTr/work/examples/smtpd-policy/greylist.pl	2005-02-05 11:59:23.325491096 -0700
 @@ -73,7 +73,7 @@
  # In case of database corruption, this script saves the database as
  # $database_name.time(), so that the mail system does not get stuck.

Deleted: postfix/trunk/debian/patches/10hostname.dpatch
===================================================================
--- postfix/trunk/debian/patches/10hostname.dpatch	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/patches/10hostname.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -1,40 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 10hostname.dpatch by LaMont Jones <lamont at debian.org>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: No description.
-
- at DPATCH@
-diff -urNad postfix-2.1.5/src/util/get_hostname.c /tmp/dpep.AXM3Gz/postfix-2.1.5/src/util/get_hostname.c
---- postfix-2.1.5/src/util/get_hostname.c	2001-01-28 07:00:12.000000000 -0700
-+++ /tmp/dpep.AXM3Gz/postfix-2.1.5/src/util/get_hostname.c	2004-12-27 22:18:38.981024795 -0700
-@@ -33,6 +33,7 @@
- #include <sys/param.h>
- #include <string.h>
- #include <unistd.h>
-+#include <netdb.h>
- 
- #if (MAXHOSTNAMELEN < 256)
- #undef MAXHOSTNAMELEN
-@@ -55,6 +56,7 @@
- const char *get_hostname(void)
- {
-     char    namebuf[MAXHOSTNAMELEN + 1];
-+    struct hostent *hp;
- 
-     /*
-      * The gethostname() call is not (or not yet) in ANSI or POSIX, but it is
-@@ -66,9 +68,11 @@
- 	if (gethostname(namebuf, sizeof(namebuf)) < 0)
- 	    msg_fatal("gethostname: %m");
- 	namebuf[MAXHOSTNAMELEN] = 0;
--	if (valid_hostname(namebuf, DO_GRIPE) == 0)
-+	if (!(hp = gethostbyname(namebuf)))
-+	    msg_fatal("gethostbyname: %m");
-+	if (valid_hostname(hp->h_name, DO_GRIPE) == 0)
- 	    msg_fatal("unable to use my own hostname");
--	my_host_name = mystrdup(namebuf);
-+	my_host_name = mystrdup(hp->h_name);
-     }
-     return (my_host_name);
- }
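Review bot: Dropping this patch returns get_hostname() to `my_host_name = mystrdup(namebuf)`, the raw gethostname() value, instead of the canonical `hp->h_name` from gethostbyname(). On a host whose kernel hostname is unqualified, that changes the name Postfix derives for itself, and nothing in this revision's visible changes says whether that is intended. Record the reason for the removal in the changelog or in the description of whichever patch replaces it.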

Modified: postfix/trunk/debian/patches/10main.cf.dpatch
===================================================================
--- postfix/trunk/debian/patches/10main.cf.dpatch	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/patches/10main.cf.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -5,9 +5,9 @@
 ## DP: No description.
 
 @DPATCH@
-diff -urNad postfix-2.1.5/conf/main.cf /tmp/dpep.wXGn65/postfix-2.1.5/conf/main.cf
---- postfix-2.1.5/conf/main.cf	2004-12-27 22:02:52.879396736 -0700
-+++ /tmp/dpep.wXGn65/postfix-2.1.5/conf/main.cf	2004-12-27 22:18:47.208256287 -0700
+diff -urNad work/conf/main.cf /tmp/dpep.OjJjJG/work/conf/main.cf
+--- work/conf/main.cf	2005-02-05 11:40:32.000000000 -0700
++++ /tmp/dpep.OjJjJG/work/conf/main.cf	2005-02-05 12:00:42.124976820 -0700
 @@ -27,7 +27,7 @@
  # See the files in examples/chroot-setup for setting up Postfix chroot
  # environments on different UNIX systems.
@@ -70,7 +70,7 @@
  #
  #smtpd_banner = $myhostname ESMTP $mail_name
  #smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
-+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
++smtpd_banner = $myhostname ESMTP $mail_name (@@DISTRO@@)
 +
  
  # PARALLEL DELIVERY TO THE SAME DESTINATION
@@ -84,18 +84,3 @@
  
  # The debug_peer_list parameter specifies an optional list of domain
  # or network patterns, /file/name patterns or type:name tables. When
-diff -urNad postfix-2.1.5/conf/main.cf.debian /tmp/dpep.wXGn65/postfix-2.1.5/conf/main.cf.debian
---- postfix-2.1.5/conf/main.cf.debian	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.wXGn65/postfix-2.1.5/conf/main.cf.debian	2004-12-27 22:18:47.208256287 -0700
-@@ -0,0 +1,11 @@
-+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
-+
-+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
-+biff = no
-+
-+# appending .domain is the MUA's job.
-+append_dot_mydomain = no
-+
-+# Uncomment the next line to generate "delayed mail" warnings
-+#delay_warning_time = 4h
-+

Added: postfix/trunk/debian/patches/10man-names.dpatch
===================================================================
--- postfix/trunk/debian/patches/10man-names.dpatch	                        (rev 0)
+++ postfix/trunk/debian/patches/10man-names.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -0,0 +1,25 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10man-names.dpatch by  <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Moving man pages to 8postfix requires a few fixes
+
+ at DPATCH@
+diff -urNad postfix~/man/man8/defer.8 postfix/man/man8/defer.8
+--- postfix~/man/man8/defer.8	2006-07-24 10:24:44.000000000 -0600
++++ postfix/man/man8/defer.8	2006-07-24 10:41:29.000000000 -0600
+@@ -1 +1 @@
+-.so man8/bounce.8
++.so man8/bounce.8postfix
+diff -urNad postfix~/man/man8/lmtp.8 postfix/man/man8/lmtp.8
+--- postfix~/man/man8/lmtp.8	2006-07-24 10:24:44.000000000 -0600
++++ postfix/man/man8/lmtp.8	2006-07-24 10:41:29.000000000 -0600
+@@ -1 +1 @@
+-.so man8/smtp.8
++.so man8/smtp.8postfix
+diff -urNad postfix~/man/man8/trace.8 postfix/man/man8/trace.8
+--- postfix~/man/man8/trace.8	2006-07-24 10:24:44.000000000 -0600
++++ postfix/man/man8/trace.8	2006-07-24 10:41:29.000000000 -0600
+@@ -1 +1 @@
+-.so man8/bounce.8
++.so man8/bounce.8postfix

Modified: postfix/trunk/debian/patches/10man.dpatch
===================================================================
--- postfix/trunk/debian/patches/10man.dpatch	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/patches/10man.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -5,943 +5,22 @@
 ## DP: No description.
 
 @DPATCH@
-diff -urNad postfix-release/man/Makefile.in /tmp/dpep.ZyQ85Z/postfix-release/man/Makefile.in
---- postfix-release/man/Makefile.in	2004-12-27 22:31:17.051071712 -0700
-+++ /tmp/dpep.ZyQ85Z/postfix-release/man/Makefile.in	2004-12-27 22:39:32.648539161 -0700
-@@ -3,6 +3,8 @@
- # For now, just hard-coded rules for daemons, commands, config files.
+diff -urNad debian-2.2/mantools/postlink /tmp/dpep.F70AKp/debian-2.2/mantools/postlink
+--- debian-2.2/mantools/postlink	2005-05-04 14:42:14.000000000 -0600
++++ /tmp/dpep.F70AKp/debian-2.2/mantools/postlink	2005-05-05 10:18:23.000000000 -0600
+@@ -12,6 +12,7 @@
  
- DAEMONS	= man8/bounce.8 man8/defer.8 man8/cleanup.8 man8/error.8 man8/local.8 \
-+	man8/qmqp-sink.8 man8/qmqp-source.8 \
-+	man8/smtp-sink.8 man8/smtp-source.8 \
- 	man8/lmtp.8 man8/master.8 man8/pickup.8 man8/pipe.8 man8/qmgr.8 \
- 	man8/showq.8 man8/smtp.8 man8/smtpd.8 man8/trivial-rewrite.8 \
- 	man8/oqmgr.8 man8/spawn.8 man8/flush.8 man8/virtual.8 man8/qmqpd.8 \
-@@ -103,6 +105,12 @@
- 	    (cmp -s junk $? || mv junk $?)
- 	../mantools/srctoman $? >$@
+     # Glue together words that were broken across line breaks.
  
-+man8/qmqp-sink.8: ../src/smtpstone/qmqp-sink.c
-+	../mantools/srctoman $? >$@
-+
-+man8/qmqp-source.8: ../src/smtpstone/qmqp-source.c
-+	../mantools/srctoman $? >$@
-+
- man8/qmqpd.8: ../src/qmqpd/qmqpd.c
- 	../mantools/fixman ../proto/postconf.proto $? >junk && \
- 	    (cmp -s junk $? || mv junk $?)
-@@ -123,6 +131,12 @@
- 	    (cmp -s junk $? || mv junk $?)
- 	../mantools/srctoman $? >$@
- 
-+man8/smtp-sink.8: ../src/smtpstone/smtp-sink.c
-+	../mantools/srctoman $? >$@
-+
-+man8/smtp-source.8: ../src/smtpstone/smtp-source.c
-+	../mantools/srctoman $? >$@
-+
- man8/smtpd.8: ../src/smtpd/smtpd.c
- 	../mantools/fixman ../proto/postconf.proto $? >junk && \
- 	    (cmp -s junk $? || mv junk $?)
-diff -urNad postfix-release/mantools/postlink /tmp/dpep.ZyQ85Z/postfix-release/mantools/postlink
---- postfix-release/mantools/postlink	2004-12-27 22:31:17.054071067 -0700
-+++ /tmp/dpep.ZyQ85Z/postfix-release/mantools/postlink	2004-12-27 22:39:32.651538517 -0700
-@@ -47,360 +47,360 @@
- 		p
- 		d
- 		}
--	s;[[:<:]]autho[-</bB>]*\n*[ <bB>]*rized_verp_clients[[:>:]];<a href="postconf.5.html#authorized_verp_clients">&</a>;g
--	s;[[:<:]]debugger_command[[:>:]];<a href="postconf.5.html#debugger_command">&</a>;g
--	s;[[:<:]]2bounce_notice_recipi[-</bB>]*\n*[ <bB>]*ent[[:>:]];<a href="postconf.5.html#2bounce_notice_recipient">&</a>;g
--	s;[[:<:]]access_map_reject_code[[:>:]];<a href="postconf.5.html#access_map_reject_code">&</a>;g
--	s;[[:<:]]address_verify_default_transport[[:>:]];<a href="postconf.5.html#address_verify_default_transport">&</a>;g
--	s;[[:<:]]address_verify_local_transport[[:>:]];<a href="postconf.5.html#address_verify_local_transport">&</a>;g
--	s;[[:<:]]address_verify_map[[:>:]];<a href="postconf.5.html#address_verify_map">&</a>;g
--	s;[[:<:]]address_verify_negative_cache[[:>:]];<a href="postconf.5.html#address_verify_negative_cache">&</a>;g
--	s;[[:<:]]address_verify_negative_expire_time[[:>:]];<a href="postconf.5.html#address_verify_negative_expire_time">&</a>;g
--	s;[[:<:]]address_verify_negative_refresh_time[[:>:]];<a href="postconf.5.html#address_verify_negative_refresh_time">&</a>;g
--	s;[[:<:]]address_verify_poll_count[[:>:]];<a href="postconf.5.html#address_verify_poll_count">&</a>;g
--	s;[[:<:]]address_verify_poll_delay[[:>:]];<a href="postconf.5.html#address_verify_poll_delay">&</a>;g
--	s;[[:<:]]address_verify_positive_expire_time[[:>:]];<a href="postconf.5.html#address_verify_positive_expire_time">&</a>;g
--	s;[[:<:]]address_verify_positive_refresh_time[[:>:]];<a href="postconf.5.html#address_verify_positive_refresh_time">&</a>;g
--	s;[[:<:]]address_verify_relay_transport[[:>:]];<a href="postconf.5.html#address_verify_relay_transport">&</a>;g
--	s;[[:<:]]address_verify_relayhost[[:>:]];<a href="postconf.5.html#address_verify_relayhost">&</a>;g
--	s;[[:<:]]address_verify_sender[[:>:]];<a href="postconf.5.html#address_verify_sender">&</a>;g
--	s;[[:<:]]address_verify_service_name[[:>:]];<a href="postconf.5.html#address_verify_service_name">&</a>;g
--	s;[[:<:]]address_verify_transport_maps[[:>:]];<a href="postconf.5.html#address_verify_transport_maps">&</a>;g
--	s;[[:<:]]address_verify_virtual_transport[[:>:]];<a href="postconf.5.html#address_verify_virtual_transport">&</a>;g
--	s;[[:<:]]alias_database[[:>:]];<a href="postconf.5.html#alias_database">&</a>;g
--	s;[[:<:]]alias_maps[[:>:]];<a href="postconf.5.html#alias_maps">&</a>;g
--	s;[[:<:]]allow_mail_to_commands[[:>:]];<a href="postconf.5.html#allow_mail_to_commands">&</a>;g
--	s;[[:<:]]allow_mail_to_files[[:>:]];<a href="postconf.5.html#allow_mail_to_files">&</a>;g
--	s;[[:<:]]allow_min_user[[:>:]];<a href="postconf.5.html#allow_min_user">&</a>;g
--	s;[[:<:]]allow_percent_hack[[:>:]];<a href="postconf.5.html#allow_percent_hack">&</a>;g
--	s;[[:<:]]allow_untrusted_routing[[:>:]];<a href="postconf.5.html#allow_untrusted_routing">&</a>;g
--	s;[[:<:]]alternate_config_directories[[:>:]];<a href="postconf.5.html#alternate_config_directories">&</a>;g
--	s;[[:<:]]always_bcc[[:>:]];<a href="postconf.5.html#always_bcc">&</a>;g
--	s;[[:<:]]anvil_rate_time_unit[[:>:]];<a href="postconf.5.html#anvil_rate_time_unit">&</a>;g
--	s;[[:<:]]append_at_myorigin[[:>:]];<a href="postconf.5.html#append_at_myorigin">&</a>;g
--	s;[[:<:]]append_dot_mydomain[[:>:]];<a href="postconf.5.html#append_dot_mydomain">&</a>;g
--	s;[[:<:]]application_event_drain_time[[:>:]];<a href="postconf.5.html#application_event_drain_time">&</a>;g
--	s;[[:<:]]backwards_bounce_logfile_compatibility[[:>:]];<a href="postconf.5.html#backwards_bounce_logfile_compatibility">&</a>;g
--	s;[[:<:]]berkeley_db_create_buffer_size[[:>:]];<a href="postconf.5.html#berkeley_db_create_buffer_size">&</a>;g
--	s;[[:<:]]berkeley_db_read_buffer_size[[:>:]];<a href="postconf.5.html#berkeley_db_read_buffer_size">&</a>;g
--	s;[[:<:]]best_mx_transport[[:>:]];<a href="postconf.5.html#best_mx_transport">&</a>;g
--	s;[[:<:]]biff[[:>:]];<a href="postconf.5.html#biff">&</a>;g
--	s;[[:<:]]body_checks[[:>:]];<a href="postconf.5.html#body_checks">&</a>;g
--	s;[[:<:]]body_checks_size_limit[[:>:]];<a href="postconf.5.html#body_checks_size_limit">&</a>;g
--	s;[[:<:]]bounce_notice_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#bounce_notice_recipient">&</a>;g
--	s;[[:<:]]bounce_queue_lifetime[[:>:]];<a href="postconf.5.html#bounce_queue_lifetime">&</a>;g
--	s;[[:<:]]bounce_service_name[[:>:]];<a href="postconf.5.html#bounce_service_name">&</a>;g
--	s;[[:<:]]bounce_size_limit[[:>:]];<a href="postconf.5.html#bounce_size_limit">&</a>;g
--	s;[[:<:]]broken_sasl_auth_clients[[:>:]];<a href="postconf.5.html#broken_sasl_auth_clients">&</a>;g
--	s;[[:<:]]canonical_maps[[:>:]];<a href="postconf.5.html#canonical_maps">&</a>;g
--	s;[[:<:]]cleanup_service_name[[:>:]];<a href="postconf.5.html#cleanup_service_name">&</a>;g
--	s;[[:<:]]anvil_status_update_time[[:>:]];<a href="postconf.5.html#anvil_status_update_time">&</a>;g
--	s;[[:<:]]command_directory[[:>:]];<a href="postconf.5.html#command_directory">&</a>;g
--	s;[[:<:]]command_expan[-</bB>]*\n* *[<bB>]*sion_filter[[:>:]];<a href="postconf.5.html#command_expansion_filter">&</a>;g
--	s;[[:<:]]command_time_limit[[:>:]];<a href="postconf.5.html#command_time_limit">&</a>;g
--	s;[[:<:]]config_direc[-</bB>]*\n*[ <bB>]*tory[[:>:]];<a href="postconf.5.html#config_directory">&</a>;g
--	s;[[:<:]]con[-</bB>]*\n*[ <bB>]*tent_filter[[:>:]];<a href="postconf.5.html#content_filter">&</a>;g
--	s;[[:<:]]daemon_directory[[:>:]];<a href="postconf.5.html#daemon_directory">&</a>;g
--	s;[[:<:]]daemon_timeout[[:>:]];<a href="postconf.5.html#daemon_timeout">&</a>;g
--	s;[[:<:]]debug_peer_level[[:>:]];<a href="postconf.5.html#debug_peer_level">&</a>;g
--	s;[[:<:]]debug_peer_list[[:>:]];<a href="postconf.5.html#debug_peer_list">&</a>;g
--	s;[[:<:]]default_database_type[[:>:]];<a href="postconf.5.html#default_database_type">&</a>;g
--	s;[[:<:]]default_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_cost[[:>:]];<a href="postconf.5.html#default_delivery_slot_cost">&</a>;g
--	s;[[:<:]]default_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_discount[[:>:]];<a href="postconf.5.html#default_delivery_slot_discount">&</a>;g
--	s;[[:<:]]default_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_loan[[:>:]];<a href="postconf.5.html#default_delivery_slot_loan">&</a>;g
--	s;[[:<:]]default_destina[-</Bb>]*\n* *[<Bb>]*tion_concurrency_limit[[:>:]];<a href="postconf.5.html#default_destination_concurrency_limit">&</a>;g
--	s;[[:<:]]default_destina[-</Bb>]*\n* *[<Bb>]*tion_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#default_destination_recipient_limit">&</a>;g
--	s;[[:<:]]default_extra_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#default_extra_recipient_limit">&</a>;g
--	s;[[:<:]]default_minimum_deliv[-</Bb>]*\n* *[<Bb>]*ery_slots[[:>:]];<a href="postconf.5.html#default_minimum_delivery_slots">&</a>;g
--	s;[[:<:]]default_privs[[:>:]];<a href="postconf.5.html#default_privs">&</a>;g
--	s;[[:<:]]default_process_limit[[:>:]];<a href="postconf.5.html#default_process_limit">&</a>;g
--	s;[[:<:]]default_rbl_reply[[:>:]];<a href="postconf.5.html#default_rbl_reply">&</a>;g
--	s;[[:<:]]default_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#default_recipient_limit">&</a>;g
--	s;[[:<:]]default_transport[[:>:]];<a href="postconf.5.html#default_transport">&</a>;g
--	s;[[:<:]]default_verp_delimiters[[:>:]];<a href="postconf.5.html#default_verp_delimiters">&</a>;g
--	s;[[:<:]]defer_code[[:>:]];<a href="postconf.5.html#defer_code">&</a>;g
--	s;[[:<:]]defer_service_name[[:>:]];<a href="postconf.5.html#defer_service_name">&</a>;g
--	s;[[:<:]]defer_transports[[:>:]];<a href="postconf.5.html#defer_transports">&</a>;g
--	s;[[:<:]]delay_notice_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#delay_notice_recipient">&</a>;g
--	s;[[:<:]]delay_warning_time[[:>:]];<a href="postconf.5.html#delay_warning_time">&</a>;g
--	s;[[:<:]]deliver_lock_attempts[[:>:]];<a href="postconf.5.html#deliver_lock_attempts">&</a>;g
--	s;[[:<:]]deliver_lock_delay[[:>:]];<a href="postconf.5.html#deliver_lock_delay">&</a>;g
--	s;[[:<:]]disable_dns_lookups[[:>:]];<a href="postconf.5.html#disable_dns_lookups">&</a>;g
--	s;[[:<:]]disable_mime_input_processing[[:>:]];<a href="postconf.5.html#disable_mime_input_processing">&</a>;g
--	s;[[:<:]]disable_mime_output_conversion[[:>:]];<a href="postconf.5.html#disable_mime_output_conversion">&</a>;g
--	s;[[:<:]]disable_verp_bounces[[:>:]];<a href="postconf.5.html#disable_verp_bounces">&</a>;g
--	s;[[:<:]]disable_vrfy_command[[:>:]];<a href="postconf.5.html#disable_vrfy_command">&</a>;g
--	s;[[:<:]]dont_remove[[:>:]];<a href="postconf.5.html#dont_remove">&</a>;g
--	s;[[:<:]]double_bounce_sender[[:>:]];<a href="postconf.5.html#double_bounce_sender">&</a>;g
--	s;[[:<:]]dupli[-</bB>]*\n* *[<bB>]*cate_filter_limit[[:>:]];<a href="postconf.5.html#duplicate_filter_limit">&</a>;g
--	s;[[:<:]]empty_address_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#empty_address_recipient">&</a>;g
--	s;[[:<:]]enable_original_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#enable_original_recipient">&</a>;g
--	s;[[:<:]]error_notice_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#error_notice_recipient">&</a>;g
--	s;[[:<:]]error_service_name[[:>:]];<a href="postconf.5.html#error_service_name">&</a>;g
--	s;[[:<:]]expand_owner_alias[[:>:]];<a href="postconf.5.html#expand_owner_alias">&</a>;g
--	s;[[:<:]]export_environment[[:>:]];<a href="postconf.5.html#export_environment">&</a>;g
--	s;[[:<:]]fallback_relay[[:>:]];<a href="postconf.5.html#fallback_relay">&</a>;g
--	s;[[:<:]]fallback_transport[[:>:]];<a href="postconf.5.html#fallback_transport">&</a>;g
--	s;[[:<:]]fast_flush_domains[[:>:]];<a href="postconf.5.html#fast_flush_domains">&</a>;g
--	s;[[:<:]]fast_flush_purge_time[[:>:]];<a href="postconf.5.html#fast_flush_purge_time">&</a>;g
--	s;[[:<:]]fast_flush_refresh_time[[:>:]];<a href="postconf.5.html#fast_flush_refresh_time">&</a>;g
--	s;[[:<:]]fault_injection_code[[:>:]];<a href="postconf.5.html#fault_injection_code">&</a>;g
--	s;[[:<:]]flush_service_name[[:>:]];<a href="postconf.5.html#flush_service_name">&</a>;g
--	s;[[:<:]]fork_attempts[[:>:]];<a href="postconf.5.html#fork_attempts">&</a>;g
--	s;[[:<:]]fork_delay[[:>:]];<a href="postconf.5.html#fork_delay">&</a>;g
--	s;[[:<:]]forward_expan[-</bB>]*\n* *[<bB>]*sion_filter[[:>:]];<a href="postconf.5.html#forward_expansion_filter">&</a>;g
--	s;[[:<:]]for[-</bB>]*\n* *[<bB>]*ward_path[[:>:]];<a href="postconf.5.html#forward_path">&</a>;g
--	s;[[:<:]]hash_queue_depth[[:>:]];<a href="postconf.5.html#hash_queue_depth">&</a>;g
--	s;[[:<:]]hash_queue_names[[:>:]];<a href="postconf.5.html#hash_queue_names">&</a>;g
--	s;[[:<:]]header_address_token_limit[[:>:]];<a href="postconf.5.html#header_address_token_limit">&</a>;g
--	s;[[:<:]]header_checks[[:>:]];<a href="postconf.5.html#header_checks">&</a>;g
--	s;[[:<:]]header_size_limit[[:>:]];<a href="postconf.5.html#header_size_limit">&</a>;g
--	s;[[:<:]]helpful_warnings[[:>:]];<a href="postconf.5.html#helpful_warnings">&</a>;g
--	s;[[:<:]]home_mailbox[[:>:]];<a href="postconf.5.html#home_mailbox">&</a>;g
--	s;[[:<:]]hopcount_limit[[:>:]];<a href="postconf.5.html#hopcount_limit">&</a>;g
--	s;[[:<:]]html_direc[-</bB>]*\n*[ <bB>]*tory[[:>:]];<a href="postconf.5.html#html_directory">&</a>;g
--	s;[[:<:]]ignore_mx_lookup_error[[:>:]];<a href="postconf.5.html#ignore_mx_lookup_error">&</a>;g
--	s;[[:<:]]import_environment[[:>:]];<a href="postconf.5.html#import_environment">&</a>;g
--	s;[[:<:]]in_flow_delay[[:>:]];<a href="postconf.5.html#in_flow_delay">&</a>;g
--	s;[[:<:]]inet_interfaces[[:>:]];<a href="postconf.5.html#inet_interfaces">&</a>;g
--	s;[[:<:]]initial_destination_concurrency[[:>:]];<a href="postconf.5.html#initial_destination_concurrency">&</a>;g
--	s;[[:<:]]invalid_hostname_reject_code[[:>:]];<a href="postconf.5.html#invalid_hostname_reject_code">&</a>;g
--	s;[[:<:]]ipc_idle[[:>:]];<a href="postconf.5.html#ipc_idle">&</a>;g
--	s;[[:<:]]ipc_timeout[[:>:]];<a href="postconf.5.html#ipc_timeout">&</a>;g
--	s;[[:<:]]ipc_ttl[[:>:]];<a href="postconf.5.html#ipc_ttl">&</a>;g
--	s;[[:<:]]line_length_limit[[:>:]];<a href="postconf.5.html#line_length_limit">&</a>;g
--	s;[[:<:]]lmtp_cache_connection[[:>:]];<a href="postconf.5.html#lmtp_cache_connection">&</a>;g
--	s;[[:<:]]lmtp_connect_timeout[[:>:]];<a href="postconf.5.html#lmtp_connect_timeout">&</a>;g
--	s;[[:<:]]lmtp_data_done_timeout[[:>:]];<a href="postconf.5.html#lmtp_data_done_timeout">&</a>;g
--	s;[[:<:]]lmtp_data_init_timeout[[:>:]];<a href="postconf.5.html#lmtp_data_init_timeout">&</a>;g
--	s;[[:<:]]lmtp_data_xfer_timeout[[:>:]];<a href="postconf.5.html#lmtp_data_xfer_timeout">&</a>;g
--	s;[[:<:]]lmtp_lhlo_timeout[[:>:]];<a href="postconf.5.html#lmtp_lhlo_timeout">&</a>;g
--	s;[[:<:]]lmtp_mail_timeout[[:>:]];<a href="postconf.5.html#lmtp_mail_timeout">&</a>;g
--	s;[[:<:]]lmtp_quit_timeout[[:>:]];<a href="postconf.5.html#lmtp_quit_timeout">&</a>;g
--	s;[[:<:]]lmtp_rcpt_timeout[[:>:]];<a href="postconf.5.html#lmtp_rcpt_timeout">&</a>;g
--	s;[[:<:]]lmtp_rset_timeout[[:>:]];<a href="postconf.5.html#lmtp_rset_timeout">&</a>;g
--	s;[[:<:]]lmtp_sasl_auth_enable[[:>:]];<a href="postconf.5.html#lmtp_sasl_auth_enable">&</a>;g
--	s;[[:<:]]lmtp_sasl_password_maps[[:>:]];<a href="postconf.5.html#lmtp_sasl_password_maps">&</a>;g
--	s;[[:<:]]lmtp_sasl_security_options[[:>:]];<a href="postconf.5.html#lmtp_sasl_security_options">&</a>;g
--	s;[[:<:]]lmtp_send_xforward_command[[:>:]];<a href="postconf.5.html#lmtp_send_xforward_command">&</a>;g
--	s;[[:<:]]lmtp_skip_quit_response[[:>:]];<a href="postconf.5.html#lmtp_skip_quit_response">&</a>;g
--	s;[[:<:]]lmtp_tcp_port[[:>:]];<a href="postconf.5.html#lmtp_tcp_port">&</a>;g
--	s;[[:<:]]lmtp_xforward_timeout[[:>:]];<a href="postconf.5.html#lmtp_xforward_timeout">&</a>;g
--	s;[[:<:]]local_command_shell[[:>:]];<a href="postconf.5.html#local_command_shell">&</a>;g
--	s;[[:<:]]local_destination_concurrency_limit[[:>:]];<a href="postconf.5.html#local_destination_concurrency_limit">&</a>;g
--	s;[[:<:]]local_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#local_destination_recipient_limit">&</a>;g
--	s;[[:<:]]local_recip[-</bB>]*\n* *[<bB>]*ient_maps[[:>:]];<a href="postconf.5.html#local_recipient_maps">&</a>;g
--	s;[[:<:]]local_transport[[:>:]];<a href="postconf.5.html#local_transport">&</a>;g
--	s;[[:<:]]luser_relay[[:>:]];<a href="postconf.5.html#luser_relay">&</a>;g
--	s;[[:<:]]mail_name[[:>:]];<a href="postconf.5.html#mail_name">&</a>;g
--	s;[[:<:]]mail_owner[[:>:]];<a href="postconf.5.html#mail_owner">&</a>;g
--	s;[[:<:]]mail_release_date[[:>:]];<a href="postconf.5.html#mail_release_date">&</a>;g
--	s;[[:<:]]mail_spool_direc[-</bB>]*\n* *[<bB>]*tory[[:>:]];<a href="postconf.5.html#mail_spool_directory">&</a>;g
--	s;[[:<:]]mail_version[[:>:]];<a href="postconf.5.html#mail_version">&</a>;g
--	s;[[:<:]]mail[-</bB>]*\n* *[<bB>]*box_command[[:>:]];<a href="postconf.5.html#mailbox_command">&</a>;g
--	s;[[:<:]]mail[-</bB>]*\n* *[<bB>]*box_command_maps[[:>:]];<a href="postconf.5.html#mailbox_command_maps">&</a>;g
--	s;[[:<:]]mail[-</bB>]*\n* *[<bB>]*box_deliv[-</Bb>]*\n* *[<Bb>]*ery_lock[[:>:]];<a href="postconf.5.html#mailbox_delivery_lock">&</a>;g
--	s;[[:<:]]mail[-</bB>]*\n* *[<bB>]*box_size_limit[[:>:]];<a href="postconf.5.html#mailbox_size_limit">&</a>;g
--	s;[[:<:]]mail[-</bB>]*\n* *[<bB>]*box_transport[[:>:]];<a href="postconf.5.html#mailbox_transport">&</a>;g
--	s;[[:<:]]mailq_path[[:>:]];<a href="postconf.5.html#mailq_path">&</a>;g
--	s;[[:<:]]manpage_directory[[:>:]];<a href="postconf.5.html#manpage_directory">&</a>;g
--	s;[[:<:]]maps_rbl_domains[[:>:]];<a href="postconf.5.html#maps_rbl_domains">&</a>;g
--	s;[[:<:]]maps_rbl_reject_code[[:>:]];<a href="postconf.5.html#maps_rbl_reject_code">&</a>;g
--	s;[[:<:]]masquerade_classes[[:>:]];<a href="postconf.5.html#masquerade_classes">&</a>;g
--	s;[[:<:]]masquerade_domains[[:>:]];<a href="postconf.5.html#masquerade_domains">&</a>;g
--	s;[[:<:]]masquerade_exceptions[[:>:]];<a href="postconf.5.html#masquerade_exceptions">&</a>;g
--	s;[[:<:]]max_idle[[:>:]];<a href="postconf.5.html#max_idle">&</a>;g
--	s;[[:<:]]max_use[[:>:]];<a href="postconf.5.html#max_use">&</a>;g
--	s;[[:<:]]maxi[-</bB>]*\n*[ <bB>]*mal_backoff_time[[:>:]];<a href="postconf.5.html#maximal_backoff_time">&</a>;g
--	s;[[:<:]]maxi[-</bB>]*\n*[ <bB>]*mal_queue_lifetime[[:>:]];<a href="postconf.5.html#maximal_queue_lifetime">&</a>;g
--	s;[[:<:]]message_size_limit[[:>:]];<a href="postconf.5.html#message_size_limit">&</a>;g
--	s;[[:<:]]mime_boundary_length_limit[[:>:]];<a href="postconf.5.html#mime_boundary_length_limit">&</a>;g
--	s;[[:<:]]mime_header_checks[[:>:]];<a href="postconf.5.html#mime_header_checks">&</a>;g
--	s;[[:<:]]mime_nesting_limit[[:>:]];<a href="postconf.5.html#mime_nesting_limit">&</a>;g
--	s;[[:<:]]minimal_backoff_time[[:>:]];<a href="postconf.5.html#minimal_backoff_time">&</a>;g
--	s;[[:<:]]multi_recip[-</bB>]*\n* *[<bB>]*ient_bounce_reject_code[[:>:]];<a href="postconf.5.html#multi_recipient_bounce_reject_code">&</a>;g
--	s;[[:<:]]mydes[-</bB>]*\n*[ <bB>]*tina[-</bB>]*\n*[ <bB>]*tion[[:>:]];<a href="postconf.5.html#mydestination">&</a>;g
--	s;[[:<:]]mydomain[[:>:]];<a href="postconf.5.html#mydomain">&</a>;g
--	s;[[:<:]]myhostname[[:>:]];<a href="postconf.5.html#myhostname">&</a>;g
--	s;[[:<:]]mynetworks[[:>:]];<a href="postconf.5.html#mynetworks">&</a>;g
--	s;[[:<:]]mynetworks_style[[:>:]];<a href="postconf.5.html#mynetworks_style">&</a>;g
--	s;[[:<:]]myorigin[[:>:]];<a href="postconf.5.html#myorigin">&</a>;g
--	s;[[:<:]]nested_header_checks[[:>:]];<a href="postconf.5.html#nested_header_checks">&</a>;g
--	s;[[:<:]]newaliases_path[[:>:]];<a href="postconf.5.html#newaliases_path">&</a>;g
--	s;[[:<:]]non_fqdn_reject_code[[:>:]];<a href="postconf.5.html#non_fqdn_reject_code">&</a>;g
--	s;[[:<:]]notify_classes[[:>:]];<a href="postconf.5.html#notify_classes">&</a>;g
--	s;[[:<:]]owner_request_special[[:>:]];<a href="postconf.5.html#owner_request_special">&</a>;g
--	s;[[:<:]]parent_domain_matches_subdomains[[:>:]];<a href="postconf.5.html#parent_domain_matches_subdomains">&</a>;g
--	s;[[:<:]]permit_mx_backup_networks[[:>:]];<a href="postconf.5.html#permit_mx_backup_networks">&</a>;g
--	s;[[:<:]]pickup_service_name[[:>:]];<a href="postconf.5.html#pickup_service_name">&</a>;g
--	s;[[:<:]]prepend_delivered_header[[:>:]];<a href="postconf.5.html#prepend_delivered_header">&</a>;g
--	s;[[:<:]]process_id[[:>:]];<a href="postconf.5.html#process_id">&</a>;g
--	s;[[:<:]]process_id_directory[[:>:]];<a href="postconf.5.html#process_id_directory">&</a>;g
--	s;[[:<:]]process_name[[:>:]];<a href="postconf.5.html#process_name">&</a>;g
--	s;[[:<:]]propagate_unmatched_extensions[[:>:]];<a href="postconf.5.html#propagate_unmatched_extensions">&</a>;g
--	s;[[:<:]]proxy_interfaces[[:>:]];<a href="postconf.5.html#proxy_interfaces">&</a>;g
--	s;[[:<:]]proxy_read_maps[[:>:]];<a href="postconf.5.html#proxy_read_maps">&</a>;g
--	s;[[:<:]]qmgr_clog_warn_time[[:>:]];<a href="postconf.5.html#qmgr_clog_warn_time">&</a>;g
--	s;[[:<:]]qmgr_fudge_factor[[:>:]];<a href="postconf.5.html#qmgr_fudge_factor">&</a>;g
--	s;[[:<:]]qmgr_message_active_limit[[:>:]];<a href="postconf.5.html#qmgr_message_active_limit">&</a>;g
--	s;[[:<:]]qmgr_message_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#qmgr_message_recipient_limit">&</a>;g
--	s;[[:<:]]qmgr_message_recip[-</bB>]*\n* *[<bB>]*ient_minimum[[:>:]];<a href="postconf.5.html#qmgr_message_recipient_minimum">&</a>;g
--	s;[[:<:]]qmqpd_authorized_clients[[:>:]];<a href="postconf.5.html#qmqpd_authorized_clients">&</a>;g
--	s;[[:<:]]qmqpd_error_delay[[:>:]];<a href="postconf.5.html#qmqpd_error_delay">&</a>;g
--	s;[[:<:]]qmqpd_timeout[[:>:]];<a href="postconf.5.html#qmqpd_timeout">&</a>;g
--	s;[[:<:]]queue_directory[[:>:]];<a href="postconf.5.html#queue_directory">&</a>;g
--	s;[[:<:]]queue_file_attribute_count_limit[[:>:]];<a href="postconf.5.html#queue_file_attribute_count_limit">&</a>;g
--	s;[[:<:]]queue_minfree[[:>:]];<a href="postconf.5.html#queue_minfree">&</a>;g
--	s;[[:<:]]queue_run_delay[[:>:]];<a href="postconf.5.html#queue_run_delay">&</a>;g
--	s;[[:<:]]queue_service_name[[:>:]];<a href="postconf.5.html#queue_service_name">&</a>;g
--	s;[[:<:]]rbl_reply_maps[[:>:]];<a href="postconf.5.html#rbl_reply_maps">&</a>;g
--	s;[[:<:]]readme_directory[[:>:]];<a href="postconf.5.html#readme_directory">&</a>;g
--	s;[[:<:]]receive_override_options[[:>:]];<a href="postconf.5.html#receive_override_options">&</a>;g
--	s;[[:<:]]no_unknown_recip[-</bB>]*\n* *[<bB>]*ient_checks[[:>:]];<a href="postconf.5.html#no_unknown_recipient_checks">&</a>;g
--	s;[[:<:]]no_address_mappings[[:>:]];<a href="postconf.5.html#no_address_mappings">&</a>;g
--	s;[[:<:]]no_header_body_checks[[:>:]];<a href="postconf.5.html#no_header_body_checks">&</a>;g
--	s;[[:<:]]recip[-</bB>]*\n* *[<bB>]*ient_bcc_maps[[:>:]];<a href="postconf.5.html#recipient_bcc_maps">&</a>;g
--	s;[[:<:]]recip[-</bB>]*\n* *[<bB>]*ient_canonical_maps[[:>:]];<a href="postconf.5.html#recipient_canonical_maps">&</a>;g
--	s;[[:<:]]recip[-</bB>]*\n* *[<bB>]*ient_delim[-</bB>]*\n* *[<bB>]*iter[[:>:]];<a href="postconf.5.html#recipient_delimiter">&<\/a>;g
--	s;[[:<:]]reject_code[[:>:]];<a href="postconf.5.html#reject_code">&</a>;g
--	s;[[:<:]]relay_domains[[:>:]];<a href="postconf.5.html#relay_domains">&</a>;g
--	s;[[:<:]]relay_domains_reject_code[[:>:]];<a href="postconf.5.html#relay_domains_reject_code">&</a>;g
--	s;[[:<:]]relay_recipi[-</bB>]*\n*[ <bB>]*ent_maps[[:>:]];<a href="postconf.5.html#relay_recipient_maps">&</a>;g
--	s;[[:<:]]relay_transport[[:>:]];<a href="postconf.5.html#relay_transport">&</a>;g
--	s;[[:<:]]relayhost[[:>:]];<a href="postconf.5.html#relayhost">&</a>;g
--	s;[[:<:]]relocated_maps[[:>:]];<a href="postconf.5.html#relocated_maps">&</a>;g
--	s;[[:<:]]require_home_directory[[:>:]];<a href="postconf.5.html#require_home_directory">&</a>;g
--	s;[[:<:]]resolve_dequoted_address[[:>:]];<a href="postconf.5.html#resolve_dequoted_address">&</a>;g
--	s;[[:<:]]rewrite_service_name[[:>:]];<a href="postconf.5.html#rewrite_service_name">&</a>;g
--	s;[[:<:]]sample_directory[[:>:]];<a href="postconf.5.html#sample_directory">&</a>;g
--	s;[[:<:]]sender_based_routing[[:>:]];<a href="postconf.5.html#sender_based_routing">&</a>;g
--	s;[[:<:]]sender_bcc_maps[[:>:]];<a href="postconf.5.html#sender_bcc_maps">&</a>;g
--	s;[[:<:]]sender_canonical_maps[[:>:]];<a href="postconf.5.html#sender_canonical_maps">&</a>;g
--	s;[[:<:]]sendmail_path[[:>:]];<a href="postconf.5.html#sendmail_path">&</a>;g
--	s;[[:<:]]service_throttle_time[[:>:]];<a href="postconf.5.html#service_throttle_time">&</a>;g
--	s;[[:<:]]setgid_group[[:>:]];<a href="postconf.5.html#setgid_group">&</a>;g
--	s;[[:<:]]show_user_unknown_table_name[[:>:]];<a href="postconf.5.html#show_user_unknown_table_name">&</a>;g
--	s;[[:<:]]showq_service_name[[:>:]];<a href="postconf.5.html#showq_service_name">&</a>;g
--	s;[[:<:]]smtp_always_send_ehlo[[:>:]];<a href="postconf.5.html#smtp_always_send_ehlo">&</a>;g
--	s;[[:<:]]smtp_bind_address[[:>:]];<a href="postconf.5.html#smtp_bind_address">&</a>;g
--	s;[[:<:]]smtp_connect_timeout[[:>:]];<a href="postconf.5.html#smtp_connect_timeout">&</a>;g
--	s;[[:<:]]smtp_data_done_timeout[[:>:]];<a href="postconf.5.html#smtp_data_done_timeout">&</a>;g
--	s;[[:<:]]smtp_data_init_timeout[[:>:]];<a href="postconf.5.html#smtp_data_init_timeout">&</a>;g
--	s;[[:<:]]smtp_data_xfer_timeout[[:>:]];<a href="postconf.5.html#smtp_data_xfer_timeout">&</a>;g
--	s;[[:<:]]smtp_defer_if_no_mx_address_found[[:>:]];<a href="postconf.5.html#smtp_defer_if_no_mx_address_found">&</a>;g
--	s;[[:<:]]lmtp_destination_concurrency_limit[[:>:]];<a href="postconf.5.html#lmtp_destination_concurrency_limit">&</a>;g
--	s;[[:<:]]lmtp_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#lmtp_destination_recipient_limit">&</a>;g
--	s;[[:<:]]relay_destination_concurrency_limit[[:>:]];<a href="postconf.5.html#relay_destination_concurrency_limit">&</a>;g
--	s;[[:<:]]relay_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#relay_destination_recipient_limit">&</a>;g
--	s;[[:<:]]resolve_null_domain[[:>:]];<a href="postconf.5.html#resolve_null_domain">&</a>;g
--	s;[[:<:]]smtp_destination_concurrency_limit[[:>:]];<a href="postconf.5.html#smtp_destination_concurrency_limit">&</a>;g
--	s;[[:<:]]smtp_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#smtp_destination_recipient_limit">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_destination_concurrency_limit[[:>:]];<a href="postconf.5.html#virtual_destination_concurrency_limit">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#virtual_destination_recipient_limit">&</a>;g
--	s;[[:<:]]smtp_helo_name[[:>:]];<a href="postconf.5.html#smtp_helo_name">&</a>;g
--	s;[[:<:]]smtp_helo_timeout[[:>:]];<a href="postconf.5.html#smtp_helo_timeout">&</a>;g
--	s;[[:<:]]smtp_host_lookup[[:>:]];<a href="postconf.5.html#smtp_host_lookup">&</a>;g
--	s;[[:<:]]smtp_line_length_limit[[:>:]];<a href="postconf.5.html#smtp_line_length_limit">&</a>;g
--	s;[[:<:]]smtp_mail_timeout[[:>:]];<a href="postconf.5.html#smtp_mail_timeout">&</a>;g
--	s;[[:<:]]smtp_mx_address_limit[[:>:]];<a href="postconf.5.html#smtp_mx_address_limit">&</a>;g
--	s;[[:<:]]smtp_mx_session_limit[[:>:]];<a href="postconf.5.html#smtp_mx_session_limit">&</a>;g
--	s;[[:<:]]smtp_never_send_ehlo[[:>:]];<a href="postconf.5.html#smtp_never_send_ehlo">&</a>;g
--	s;[[:<:]]smtp_pix_workaround_delay_time[[:>:]];<a href="postconf.5.html#smtp_pix_workaround_delay_time">&</a>;g
--	s;[[:<:]]smtp_pix_workaround_threshold_time[[:>:]];<a href="postconf.5.html#smtp_pix_workaround_threshold_time">&</a>;g
--	s;[[:<:]]smtp_quit_timeout[[:>:]];<a href="postconf.5.html#smtp_quit_timeout">&</a>;g
--	s;[[:<:]]smtp_quote_rfc821_envelope[[:>:]];<a href="postconf.5.html#smtp_quote_rfc821_envelope">&</a>;g
--	s;[[:<:]]smtp_randomize_addresses[[:>:]];<a href="postconf.5.html#smtp_randomize_addresses">&</a>;g
--	s;[[:<:]]smtp_rcpt_timeout[[:>:]];<a href="postconf.5.html#smtp_rcpt_timeout">&</a>;g
--	s;[[:<:]]smtp_rset_timeout[[:>:]];<a href="postconf.5.html#smtp_rset_timeout">&</a>;g
--	s;[[:<:]]smtp_sasl_auth_enable[[:>:]];<a href="postconf.5.html#smtp_sasl_auth_enable">&</a>;g
--	s;[[:<:]]smtp_sasl_password_maps[[:>:]];<a href="postconf.5.html#smtp_sasl_password_maps">&</a>;g
--	s;[[:<:]]smtp_sasl_security_options[[:>:]];<a href="postconf.5.html#smtp_sasl_security_options">&</a>;g
--	s;[[:<:]]smtp_send_xforward_command[[:>:]];<a href="postconf.5.html#smtp_send_xforward_command">&</a>;g
--	s;[[:<:]]smtp_skip_4xx_greeting[[:>:]];<a href="postconf.5.html#smtp_skip_4xx_greeting">&</a>;g
--	s;[[:<:]]smtp_skip_5xx_greeting[[:>:]];<a href="postconf.5.html#smtp_skip_5xx_greeting">&</a>;g
--	s;[[:<:]]smtp_skip_quit_response[[:>:]];<a href="postconf.5.html#smtp_skip_quit_response">&</a>;g
--	s;[[:<:]]smtp_xforward_timeout[[:>:]];<a href="postconf.5.html#smtp_xforward_timeout">&</a>;g
--	s;[[:<:]]smtpd_autho[-</bB>]*\n*[ <bB>]*rized_verp_clients[[:>:]];<a href="postconf.5.html#smtpd_authorized_verp_clients">&</a>;g
--	s;[[:<:]]smtpd_autho[-</bB>]*\n*[ <bB>]*rized_xclient_hosts[[:>:]];<a href="postconf.5.html#smtpd_authorized_xclient_hosts">&</a>;g
--	s;[[:<:]]smtpd_autho[-</bB>]*\n*[ <bB>]*rized_xforward_hosts[[:>:]];<a href="postconf.5.html#smtpd_authorized_xforward_hosts">&</a>;g
--	s;[[:<:]]smtpd_banner[[:>:]];<a href="postconf.5.html#smtpd_banner">&</a>;g
--	s;[[:<:]]smtpd_client_connection_count_limit[[:>:]];<a href="postconf.5.html#smtpd_client_connection_count_limit">&</a>;g
--	s;[[:<:]]smtpd_client_connection_limit_exceptions[[:>:]];<a href="postconf.5.html#smtpd_client_connection_limit_exceptions">&</a>;g
--	s;[[:<:]]smtpd_client_connection_rate_limit[[:>:]];<a href="postconf.5.html#smtpd_client_connection_rate_limit">&</a>;g
--	s;[[:<:]]smtpd_client_restrictions[[:>:]];<a href="postconf.5.html#smtpd_client_restrictions">&</a>;g
--	s;[[:<:]]smtpd_data_restrictions[[:>:]];<a href="postconf.5.html#smtpd_data_restrictions">&</a>;g
--	s;[[:<:]]smtpd_delay_reject[[:>:]];<a href="postconf.5.html#smtpd_delay_reject">&</a>;g
--	s;[[:<:]]smtpd_error_sleep_time[[:>:]];<a href="postconf.5.html#smtpd_error_sleep_time">&</a>;g
--	s;[[:<:]]smtpd_etrn_restrictions[[:>:]];<a href="postconf.5.html#smtpd_etrn_restrictions">&</a>;g
--	s;[[:<:]]smtpd_expansion_filter[[:>:]];<a href="postconf.5.html#smtpd_expansion_filter">&</a>;g
--	s;[[:<:]]smtpd_hard_error_limit[[:>:]];<a href="postconf.5.html#smtpd_hard_error_limit">&</a>;g
--	s;[[:<:]]smtpd_helo_required[[:>:]];<a href="postconf.5.html#smtpd_helo_required">&</a>;g
--	s;[[:<:]]smtpd_helo_restrictions[[:>:]];<a href="postconf.5.html#smtpd_helo_restrictions">&</a>;g
--	s;[[:<:]]smtpd_history_flush_threshold[[:>:]];<a href="postconf.5.html#smtpd_history_flush_threshold">&</a>;g
--	s;[[:<:]]smtpd_junk_command_limit[[:>:]];<a href="postconf.5.html#smtpd_junk_command_limit">&</a>;g
--	s;[[:<:]]smtpd_noop_commands[[:>:]];<a href="postconf.5.html#smtpd_noop_commands">&</a>;g
--	s;[[:<:]]smtpd_null_access_lookup_key[[:>:]];<a href="postconf.5.html#smtpd_null_access_lookup_key">&</a>;g
--	s;[[:<:]]smtpd_recipient_overshoot_limit[[:>:]];<a href="postconf.5.html#smtpd_recipient_overshoot_limit">&</a>;g
--	s;[[:<:]]smtpd_policy_service_max_idle[[:>:]];<a href="postconf.5.html#smtpd_policy_service_max_idle">&</a>;g
--	s;[[:<:]]smtpd_policy_service_max_ttl[[:>:]];<a href="postconf.5.html#smtpd_policy_service_max_ttl">&</a>;g
--	s;[[:<:]]smtpd_policy_service_timeout[[:>:]];<a href="postconf.5.html#smtpd_policy_service_timeout">&</a>;g
--	s;[[:<:]]smtpd_proxy_ehlo[[:>:]];<a href="postconf.5.html#smtpd_proxy_ehlo">&</a>;g
--	s;[[:<:]]smtpd_proxy_filter[[:>:]];<a href="postconf.5.html#smtpd_proxy_filter">&</a>;g
--	s;[[:<:]]smtpd_proxy_timeout[[:>:]];<a href="postconf.5.html#smtpd_proxy_timeout">&</a>;g
--	s;[[:<:]]smtpd_recip[-</bB>]*\n* *[<bB>]*ient_limit[[:>:]];<a href="postconf.5.html#smtpd_recipient_limit">&</a>;g
--	s;[[:<:]]smtpd_recip[-</bB>]*\n* *[<bB>]*ient_restrictions[[:>:]];<a href="postconf.5.html#smtpd_recipient_restrictions">&</a>;g
--	s;[[:<:]]smtpd_reject_unlisted_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#smtpd_reject_unlisted_recipient">&</a>;g
--	s;[[:<:]]smtpd_reject_unlisted_sender[[:>:]];<a href="postconf.5.html#smtpd_reject_unlisted_sender">&</a>;g
--	s;[[:<:]]smtpd_restriction_classes[[:>:]];<a href="postconf.5.html#smtpd_restriction_classes">&</a>;g
--	s;[[:<:]]smtpd_sasl_application_name[[:>:]];<a href="postconf.5.html#smtpd_sasl_application_name">&</a>;g
--	s;[[:<:]]smtpd_sasl_auth_enable[[:>:]];<a href="postconf.5.html#smtpd_sasl_auth_enable">&</a>;g
--	s;[[:<:]]smtpd_sasl_exceptions_networks[[:>:]];<a href="postconf.5.html#smtpd_sasl_exceptions_networks">&</a>;g
--	s;[[:<:]]smtpd_sasl_local_domain[[:>:]];<a href="postconf.5.html#smtpd_sasl_local_domain">&</a>;g
--	s;[[:<:]]smtpd_sasl_security_options[[:>:]];<a href="postconf.5.html#smtpd_sasl_security_options">&</a>;g
--	s;[[:<:]]smtpd_sender_login_maps[[:>:]];<a href="postconf.5.html#smtpd_sender_login_maps">&</a>;g
--	s;[[:<:]]smtpd_sender_restrictions[[:>:]];<a href="postconf.5.html#smtpd_sender_restrictions">&</a>;g
--	s;[[:<:]]smtpd_soft_error_limit[[:>:]];<a href="postconf.5.html#smtpd_soft_error_limit">&</a>;g
--	s;[[:<:]]smtpd_timeout[[:>:]];<a href="postconf.5.html#smtpd_timeout">&</a>;g
--	s;[[:<:]]soft_bounce[[:>:]];<a href="postconf.5.html#soft_bounce">&</a>;g
--	s;[[:<:]]stale_lock_time[[:>:]];<a href="postconf.5.html#stale_lock_time">&</a>;g
--	s;[[:<:]]strict_7bit_headers[[:>:]];<a href="postconf.5.html#strict_7bit_headers">&</a>;g
--	s;[[:<:]]strict_8bitmime[[:>:]];<a href="postconf.5.html#strict_8bitmime">&</a>;g
--	s;[[:<:]]strict_8bitmime_body[[:>:]];<a href="postconf.5.html#strict_8bitmime_body">&</a>;g
--	s;[[:<:]]strict_mime_encoding_domain[[:>:]];<a href="postconf.5.html#strict_mime_encoding_domain">&</a>;g
--	s;[[:<:]]strict_rfc821_envelopes[[:>:]];<a href="postconf.5.html#strict_rfc821_envelopes">&</a>;g
--	s;[[:<:]]sun_mailtool_compatibility[[:>:]];<a href="postconf.5.html#sun_mailtool_compatibility">&</a>;g
--	s;[[:<:]]swap_bangpath[[:>:]];<a href="postconf.5.html#swap_bangpath">&</a>;g
--	s;[[:<:]]syslog_facility[[:>:]];<a href="postconf.5.html#syslog_facility">&</a>;g
--	s;[[:<:]]syslog_name[[:>:]];<a href="postconf.5.html#syslog_name">&</a>;g
--	s;[[:<:]]trace_service_name[[:>:]];<a href="postconf.5.html#trace_service_name">&</a>;g
--	s;[[:<:]]transport_maps[[:>:]];<a href="postconf.5.html#transport_maps">&</a>;g
--	s;[[:<:]]transport_retry_time[[:>:]];<a href="postconf.5.html#transport_retry_time">&</a>;g
--	s;[[:<:]]trigger_timeout[[:>:]];<a href="postconf.5.html#trigger_timeout">&</a>;g
--	s;[[:<:]]undisclosed_recip[-</bB>]*\n* *[<bB>]*ients_header[[:>:]];<a href="postconf.5.html#undisclosed_recipients_header">&</a>;g
--	s;[[:<:]]unknown_address_reject_code[[:>:]];<a href="postconf.5.html#unknown_address_reject_code">&</a>;g
--	s;[[:<:]]unknown_client_reject_code[[:>:]];<a href="postconf.5.html#unknown_client_reject_code">&</a>;g
--	s;[[:<:]]unknown_hostname_reject_code[[:>:]];<a href="postconf.5.html#unknown_hostname_reject_code">&</a>;g
--	s;[[:<:]]unknown_local_recip[-</bB>]*\n* *[<bB>]*ient_reject_code[[:>:]];<a href="postconf.5.html#unknown_local_recipient_reject_code">&</a>;g
--	s;[[:<:]]unknown_relay_recipi[-</bB>]*\n*[ <bB>]*ent_reject_code[[:>:]];<a href="postconf.5.html#unknown_relay_recipient_reject_code">&</a>;g
--	s;[[:<:]]unknown_virtual_alias_reject_code[[:>:]];<a href="postconf.5.html#unknown_virtual_alias_reject_code">&</a>;g
--	s;[[:<:]]unknown_virtual_mail[-</bB>]*\n* *[<bB>]*box_reject_code[[:>:]];<a href="postconf.5.html#unknown_virtual_mailbox_reject_code">&</a>;g
--	s;[[:<:]]unverified_recip[-</bB>]*\n* *[<bB>]*ient_reject_code[[:>:]];<a href="postconf.5.html#unverified_recipient_reject_code">&</a>;g
--	s;[[:<:]]unverified_sender_reject_code[[:>:]];<a href="postconf.5.html#unverified_sender_reject_code">&</a>;g
--	s;[[:<:]]verp_delimiter_filter[[:>:]];<a href="postconf.5.html#verp_delimiter_filter">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_alias_domains[[:>:]];<a href="postconf.5.html#virtual_alias_domains">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_alias_expansion_limit[[:>:]];<a href="postconf.5.html#virtual_alias_expansion_limit">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_alias_maps[[:>:]];<a href="postconf.5.html#virtual_alias_maps">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_maps[[:>:]];<a href="postconf.5.html#virtual_maps">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_alias_recursion_limit[[:>:]];<a href="postconf.5.html#virtual_alias_recursion_limit">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_gid_maps[[:>:]];<a href="postconf.5.html#virtual_gid_maps">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_base[[:>:]];<a href="postconf.5.html#virtual_mailbox_base">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_domains[[:>:]];<a href="postconf.5.html#virtual_mailbox_domains">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_limit[[:>:]];<a href="postconf.5.html#virtual_mailbox_limit">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_lock[[:>:]];<a href="postconf.5.html#virtual_mailbox_lock">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_maps[[:>:]];<a href="postconf.5.html#virtual_mailbox_maps">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_minimum_uid[[:>:]];<a href="postconf.5.html#virtual_minimum_uid">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_transport[[:>:]];<a href="postconf.5.html#virtual_transport">&</a>;g
--	s;[[:<:]]vir[-</bB>]*\n*[ <bB>]*tual_uid_maps[[:>:]];<a href="postconf.5.html#virtual_uid_maps">&</a>;g
-+	s;[\[{(<]autho[-</bB>]*\n*[ <bB>]*rized_verp_clients[\]})>];<a href="postconf.5.html#authorized_verp_clients">&</a>;g
-+	s;[\[{(<]debugger_command[\]})>];<a href="postconf.5.html#debugger_command">&</a>;g
-+	s;[\[{(<]2bounce_notice_recipi[-</bB>]*\n*[ <bB>]*ent[\]})>];<a href="postconf.5.html#2bounce_notice_recipient">&</a>;g
-+	s;[\[{(<]access_map_reject_code[\]})>];<a href="postconf.5.html#access_map_reject_code">&</a>;g
-+	s;[\[{(<]address_verify_default_transport[\]})>];<a href="postconf.5.html#address_verify_default_transport">&</a>;g
-+	s;[\[{(<]address_verify_local_transport[\]})>];<a href="postconf.5.html#address_verify_local_transport">&</a>;g
-+	s;[\[{(<]address_verify_map[\]})>];<a href="postconf.5.html#address_verify_map">&</a>;g
-+	s;[\[{(<]address_verify_negative_cache[\]})>];<a href="postconf.5.html#address_verify_negative_cache">&</a>;g
-+	s;[\[{(<]address_verify_negative_expire_time[\]})>];<a href="postconf.5.html#address_verify_negative_expire_time">&</a>;g
-+	s;[\[{(<]address_verify_negative_refresh_time[\]})>];<a href="postconf.5.html#address_verify_negative_refresh_time">&</a>;g
-+	s;[\[{(<]address_verify_poll_count[\]})>];<a href="postconf.5.html#address_verify_poll_count">&</a>;g
-+	s;[\[{(<]address_verify_poll_delay[\]})>];<a href="postconf.5.html#address_verify_poll_delay">&</a>;g
-+	s;[\[{(<]address_verify_positive_expire_time[\]})>];<a href="postconf.5.html#address_verify_positive_expire_time">&</a>;g
-+	s;[\[{(<]address_verify_positive_refresh_time[\]})>];<a href="postconf.5.html#address_verify_positive_refresh_time">&</a>;g
-+	s;[\[{(<]address_verify_relay_transport[\]})>];<a href="postconf.5.html#address_verify_relay_transport">&</a>;g
-+	s;[\[{(<]address_verify_relayhost[\]})>];<a href="postconf.5.html#address_verify_relayhost">&</a>;g
-+	s;[\[{(<]address_verify_sender[\]})>];<a href="postconf.5.html#address_verify_sender">&</a>;g
-+	s;[\[{(<]address_verify_service_name[\]})>];<a href="postconf.5.html#address_verify_service_name">&</a>;g
-+	s;[\[{(<]address_verify_transport_maps[\]})>];<a href="postconf.5.html#address_verify_transport_maps">&</a>;g
-+	s;[\[{(<]address_verify_virtual_transport[\]})>];<a href="postconf.5.html#address_verify_virtual_transport">&</a>;g
-+	s;[\[{(<]alias_database[\]})>];<a href="postconf.5.html#alias_database">&</a>;g
-+	s;[\[{(<]alias_maps[\]})>];<a href="postconf.5.html#alias_maps">&</a>;g
-+	s;[\[{(<]allow_mail_to_commands[\]})>];<a href="postconf.5.html#allow_mail_to_commands">&</a>;g
-+	s;[\[{(<]allow_mail_to_files[\]})>];<a href="postconf.5.html#allow_mail_to_files">&</a>;g
-+	s;[\[{(<]allow_min_user[\]})>];<a href="postconf.5.html#allow_min_user">&</a>;g
-+	s;[\[{(<]allow_percent_hack[\]})>];<a href="postconf.5.html#allow_percent_hack">&</a>;g
-+	s;[\[{(<]allow_untrusted_routing[\]})>];<a href="postconf.5.html#allow_untrusted_routing">&</a>;g
-+	s;[\[{(<]alternate_config_directories[\]})>];<a href="postconf.5.html#alternate_config_directories">&</a>;g
-+	s;[\[{(<]always_bcc[\]})>];<a href="postconf.5.html#always_bcc">&</a>;g
-+	s;[\[{(<]anvil_rate_time_unit[\]})>];<a href="postconf.5.html#anvil_rate_time_unit">&</a>;g
-+	s;[\[{(<]append_at_myorigin[\]})>];<a href="postconf.5.html#append_at_myorigin">&</a>;g
-+	s;[\[{(<]append_dot_mydomain[\]})>];<a href="postconf.5.html#append_dot_mydomain">&</a>;g
-+	s;[\[{(<]application_event_drain_time[\]})>];<a href="postconf.5.html#application_event_drain_time">&</a>;g
-+	s;[\[{(<]backwards_bounce_logfile_compatibility[\]})>];<a href="postconf.5.html#backwards_bounce_logfile_compatibility">&</a>;g
-+	s;[\[{(<]berkeley_db_create_buffer_size[\]})>];<a href="postconf.5.html#berkeley_db_create_buffer_size">&</a>;g
-+	s;[\[{(<]berkeley_db_read_buffer_size[\]})>];<a href="postconf.5.html#berkeley_db_read_buffer_size">&</a>;g
-+	s;[\[{(<]best_mx_transport[\]})>];<a href="postconf.5.html#best_mx_transport">&</a>;g
-+	s;[\[{(<]biff[\]})>];<a href="postconf.5.html#biff">&</a>;g
-+	s;[\[{(<]body_checks[\]})>];<a href="postconf.5.html#body_checks">&</a>;g
-+	s;[\[{(<]body_checks_size_limit[\]})>];<a href="postconf.5.html#body_checks_size_limit">&</a>;g
-+	s;[\[{(<]bounce_notice_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#bounce_notice_recipient">&</a>;g
-+	s;[\[{(<]bounce_queue_lifetime[\]})>];<a href="postconf.5.html#bounce_queue_lifetime">&</a>;g
-+	s;[\[{(<]bounce_service_name[\]})>];<a href="postconf.5.html#bounce_service_name">&</a>;g
-+	s;[\[{(<]bounce_size_limit[\]})>];<a href="postconf.5.html#bounce_size_limit">&</a>;g
-+	s;[\[{(<]broken_sasl_auth_clients[\]})>];<a href="postconf.5.html#broken_sasl_auth_clients">&</a>;g
-+	s;[\[{(<]canonical_maps[\]})>];<a href="postconf.5.html#canonical_maps">&</a>;g
-+	s;[\[{(<]cleanup_service_name[\]})>];<a href="postconf.5.html#cleanup_service_name">&</a>;g
-+	s;[\[{(<]anvil_status_update_time[\]})>];<a href="postconf.5.html#anvil_status_update_time">&</a>;g
-+	s;[\[{(<]command_directory[\]})>];<a href="postconf.5.html#command_directory">&</a>;g
-+	s;[\[{(<]command_expan[-</bB>]*\n* *[<bB>]*sion_filter[\]})>];<a href="postconf.5.html#command_expansion_filter">&</a>;g
-+	s;[\[{(<]command_time_limit[\]})>];<a href="postconf.5.html#command_time_limit">&</a>;g
-+	s;[\[{(<]config_direc[-</bB>]*\n*[ <bB>]*tory[\]})>];<a href="postconf.5.html#config_directory">&</a>;g
-+	s;[\[{(<]con[-</bB>]*\n*[ <bB>]*tent_filter[\]})>];<a href="postconf.5.html#content_filter">&</a>;g
-+	s;[\[{(<]daemon_directory[\]})>];<a href="postconf.5.html#daemon_directory">&</a>;g
-+	s;[\[{(<]daemon_timeout[\]})>];<a href="postconf.5.html#daemon_timeout">&</a>;g
-+	s;[\[{(<]debug_peer_level[\]})>];<a href="postconf.5.html#debug_peer_level">&</a>;g
-+	s;[\[{(<]debug_peer_list[\]})>];<a href="postconf.5.html#debug_peer_list">&</a>;g
-+	s;[\[{(<]default_database_type[\]})>];<a href="postconf.5.html#default_database_type">&</a>;g
-+	s;[\[{(<]default_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_cost[\]})>];<a href="postconf.5.html#default_delivery_slot_cost">&</a>;g
-+	s;[\[{(<]default_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_discount[\]})>];<a href="postconf.5.html#default_delivery_slot_discount">&</a>;g
-+	s;[\[{(<]default_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_loan[\]})>];<a href="postconf.5.html#default_delivery_slot_loan">&</a>;g
-+	s;[\[{(<]default_destina[-</Bb>]*\n* *[<Bb>]*tion_concurrency_limit[\]})>];<a href="postconf.5.html#default_destination_concurrency_limit">&</a>;g
-+	s;[\[{(<]default_destina[-</Bb>]*\n* *[<Bb>]*tion_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#default_destination_recipient_limit">&</a>;g
-+	s;[\[{(<]default_extra_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#default_extra_recipient_limit">&</a>;g
-+	s;[\[{(<]default_minimum_deliv[-</Bb>]*\n* *[<Bb>]*ery_slots[\]})>];<a href="postconf.5.html#default_minimum_delivery_slots">&</a>;g
-+	s;[\[{(<]default_privs[\]})>];<a href="postconf.5.html#default_privs">&</a>;g
-+	s;[\[{(<]default_process_limit[\]})>];<a href="postconf.5.html#default_process_limit">&</a>;g
-+	s;[\[{(<]default_rbl_reply[\]})>];<a href="postconf.5.html#default_rbl_reply">&</a>;g
-+	s;[\[{(<]default_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#default_recipient_limit">&</a>;g
-+	s;[\[{(<]default_transport[\]})>];<a href="postconf.5.html#default_transport">&</a>;g
-+	s;[\[{(<]default_verp_delimiters[\]})>];<a href="postconf.5.html#default_verp_delimiters">&</a>;g
-+	s;[\[{(<]defer_code[\]})>];<a href="postconf.5.html#defer_code">&</a>;g
-+	s;[\[{(<]defer_service_name[\]})>];<a href="postconf.5.html#defer_service_name">&</a>;g
-+	s;[\[{(<]defer_transports[\]})>];<a href="postconf.5.html#defer_transports">&</a>;g
-+	s;[\[{(<]delay_notice_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#delay_notice_recipient">&</a>;g
-+	s;[\[{(<]delay_warning_time[\]})>];<a href="postconf.5.html#delay_warning_time">&</a>;g
-+	s;[\[{(<]deliver_lock_attempts[\]})>];<a href="postconf.5.html#deliver_lock_attempts">&</a>;g
-+	s;[\[{(<]deliver_lock_delay[\]})>];<a href="postconf.5.html#deliver_lock_delay">&</a>;g
-+	s;[\[{(<]disable_dns_lookups[\]})>];<a href="postconf.5.html#disable_dns_lookups">&</a>;g
-+	s;[\[{(<]disable_mime_input_processing[\]})>];<a href="postconf.5.html#disable_mime_input_processing">&</a>;g
-+	s;[\[{(<]disable_mime_output_conversion[\]})>];<a href="postconf.5.html#disable_mime_output_conversion">&</a>;g
-+	s;[\[{(<]disable_verp_bounces[\]})>];<a href="postconf.5.html#disable_verp_bounces">&</a>;g
-+	s;[\[{(<]disable_vrfy_command[\]})>];<a href="postconf.5.html#disable_vrfy_command">&</a>;g
-+	s;[\[{(<]dont_remove[\]})>];<a href="postconf.5.html#dont_remove">&</a>;g
-+	s;[\[{(<]double_bounce_sender[\]})>];<a href="postconf.5.html#double_bounce_sender">&</a>;g
-+	s;[\[{(<]dupli[-</bB>]*\n* *[<bB>]*cate_filter_limit[\]})>];<a href="postconf.5.html#duplicate_filter_limit">&</a>;g
-+	s;[\[{(<]empty_address_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#empty_address_recipient">&</a>;g
-+	s;[\[{(<]enable_original_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#enable_original_recipient">&</a>;g
-+	s;[\[{(<]error_notice_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#error_notice_recipient">&</a>;g
-+	s;[\[{(<]error_service_name[\]})>];<a href="postconf.5.html#error_service_name">&</a>;g
-+	s;[\[{(<]expand_owner_alias[\]})>];<a href="postconf.5.html#expand_owner_alias">&</a>;g
-+	s;[\[{(<]export_environment[\]})>];<a href="postconf.5.html#export_environment">&</a>;g
-+	s;[\[{(<]fallback_relay[\]})>];<a href="postconf.5.html#fallback_relay">&</a>;g
-+	s;[\[{(<]fallback_transport[\]})>];<a href="postconf.5.html#fallback_transport">&</a>;g
-+	s;[\[{(<]fast_flush_domains[\]})>];<a href="postconf.5.html#fast_flush_domains">&</a>;g
-+	s;[\[{(<]fast_flush_purge_time[\]})>];<a href="postconf.5.html#fast_flush_purge_time">&</a>;g
-+	s;[\[{(<]fast_flush_refresh_time[\]})>];<a href="postconf.5.html#fast_flush_refresh_time">&</a>;g
-+	s;[\[{(<]fault_injection_code[\]})>];<a href="postconf.5.html#fault_injection_code">&</a>;g
-+	s;[\[{(<]flush_service_name[\]})>];<a href="postconf.5.html#flush_service_name">&</a>;g
-+	s;[\[{(<]fork_attempts[\]})>];<a href="postconf.5.html#fork_attempts">&</a>;g
-+	s;[\[{(<]fork_delay[\]})>];<a href="postconf.5.html#fork_delay">&</a>;g
-+	s;[\[{(<]forward_expan[-</bB>]*\n* *[<bB>]*sion_filter[\]})>];<a href="postconf.5.html#forward_expansion_filter">&</a>;g
-+	s;[\[{(<]for[-</bB>]*\n* *[<bB>]*ward_path[\]})>];<a href="postconf.5.html#forward_path">&</a>;g
-+	s;[\[{(<]hash_queue_depth[\]})>];<a href="postconf.5.html#hash_queue_depth">&</a>;g
-+	s;[\[{(<]hash_queue_names[\]})>];<a href="postconf.5.html#hash_queue_names">&</a>;g
-+	s;[\[{(<]header_address_token_limit[\]})>];<a href="postconf.5.html#header_address_token_limit">&</a>;g
-+	s;[\[{(<]header_checks[\]})>];<a href="postconf.5.html#header_checks">&</a>;g
-+	s;[\[{(<]header_size_limit[\]})>];<a href="postconf.5.html#header_size_limit">&</a>;g
-+	s;[\[{(<]helpful_warnings[\]})>];<a href="postconf.5.html#helpful_warnings">&</a>;g
-+	s;[\[{(<]home_mailbox[\]})>];<a href="postconf.5.html#home_mailbox">&</a>;g
-+	s;[\[{(<]hopcount_limit[\]})>];<a href="postconf.5.html#hopcount_limit">&</a>;g
-+	s;[\[{(<]html_direc[-</bB>]*\n*[ <bB>]*tory[\]})>];<a href="postconf.5.html#html_directory">&</a>;g
-+	s;[\[{(<]ignore_mx_lookup_error[\]})>];<a href="postconf.5.html#ignore_mx_lookup_error">&</a>;g
-+	s;[\[{(<]import_environment[\]})>];<a href="postconf.5.html#import_environment">&</a>;g
-+	s;[\[{(<]in_flow_delay[\]})>];<a href="postconf.5.html#in_flow_delay">&</a>;g
-+	s;[\[{(<]inet_interfaces[\]})>];<a href="postconf.5.html#inet_interfaces">&</a>;g
-+	s;[\[{(<]initial_destination_concurrency[\]})>];<a href="postconf.5.html#initial_destination_concurrency">&</a>;g
-+	s;[\[{(<]invalid_hostname_reject_code[\]})>];<a href="postconf.5.html#invalid_hostname_reject_code">&</a>;g
-+	s;[\[{(<]ipc_idle[\]})>];<a href="postconf.5.html#ipc_idle">&</a>;g
-+	s;[\[{(<]ipc_timeout[\]})>];<a href="postconf.5.html#ipc_timeout">&</a>;g
-+	s;[\[{(<]ipc_ttl[\]})>];<a href="postconf.5.html#ipc_ttl">&</a>;g
-+	s;[\[{(<]line_length_limit[\]})>];<a href="postconf.5.html#line_length_limit">&</a>;g
-+	s;[\[{(<]lmtp_cache_connection[\]})>];<a href="postconf.5.html#lmtp_cache_connection">&</a>;g
-+	s;[\[{(<]lmtp_connect_timeout[\]})>];<a href="postconf.5.html#lmtp_connect_timeout">&</a>;g
-+	s;[\[{(<]lmtp_data_done_timeout[\]})>];<a href="postconf.5.html#lmtp_data_done_timeout">&</a>;g
-+	s;[\[{(<]lmtp_data_init_timeout[\]})>];<a href="postconf.5.html#lmtp_data_init_timeout">&</a>;g
-+	s;[\[{(<]lmtp_data_xfer_timeout[\]})>];<a href="postconf.5.html#lmtp_data_xfer_timeout">&</a>;g
-+	s;[\[{(<]lmtp_lhlo_timeout[\]})>];<a href="postconf.5.html#lmtp_lhlo_timeout">&</a>;g
-+	s;[\[{(<]lmtp_mail_timeout[\]})>];<a href="postconf.5.html#lmtp_mail_timeout">&</a>;g
-+	s;[\[{(<]lmtp_quit_timeout[\]})>];<a href="postconf.5.html#lmtp_quit_timeout">&</a>;g
-+	s;[\[{(<]lmtp_rcpt_timeout[\]})>];<a href="postconf.5.html#lmtp_rcpt_timeout">&</a>;g
-+	s;[\[{(<]lmtp_rset_timeout[\]})>];<a href="postconf.5.html#lmtp_rset_timeout">&</a>;g
-+	s;[\[{(<]lmtp_sasl_auth_enable[\]})>];<a href="postconf.5.html#lmtp_sasl_auth_enable">&</a>;g
-+	s;[\[{(<]lmtp_sasl_password_maps[\]})>];<a href="postconf.5.html#lmtp_sasl_password_maps">&</a>;g
-+	s;[\[{(<]lmtp_sasl_security_options[\]})>];<a href="postconf.5.html#lmtp_sasl_security_options">&</a>;g
-+	s;[\[{(<]lmtp_send_xforward_command[\]})>];<a href="postconf.5.html#lmtp_send_xforward_command">&</a>;g
-+	s;[\[{(<]lmtp_skip_quit_response[\]})>];<a href="postconf.5.html#lmtp_skip_quit_response">&</a>;g
-+	s;[\[{(<]lmtp_tcp_port[\]})>];<a href="postconf.5.html#lmtp_tcp_port">&</a>;g
-+	s;[\[{(<]lmtp_xforward_timeout[\]})>];<a href="postconf.5.html#lmtp_xforward_timeout">&</a>;g
-+	s;[\[{(<]local_command_shell[\]})>];<a href="postconf.5.html#local_command_shell">&</a>;g
-+	s;[\[{(<]local_destination_concurrency_limit[\]})>];<a href="postconf.5.html#local_destination_concurrency_limit">&</a>;g
-+	s;[\[{(<]local_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#local_destination_recipient_limit">&</a>;g
-+	s;[\[{(<]local_recip[-</bB>]*\n* *[<bB>]*ient_maps[\]})>];<a href="postconf.5.html#local_recipient_maps">&</a>;g
-+	s;[\[{(<]local_transport[\]})>];<a href="postconf.5.html#local_transport">&</a>;g
-+	s;[\[{(<]luser_relay[\]})>];<a href="postconf.5.html#luser_relay">&</a>;g
-+	s;[\[{(<]mail_name[\]})>];<a href="postconf.5.html#mail_name">&</a>;g
-+	s;[\[{(<]mail_owner[\]})>];<a href="postconf.5.html#mail_owner">&</a>;g
-+	s;[\[{(<]mail_release_date[\]})>];<a href="postconf.5.html#mail_release_date">&</a>;g
-+	s;[\[{(<]mail_spool_direc[-</bB>]*\n* *[<bB>]*tory[\]})>];<a href="postconf.5.html#mail_spool_directory">&</a>;g
-+	s;[\[{(<]mail_version[\]})>];<a href="postconf.5.html#mail_version">&</a>;g
-+	s;[\[{(<]mail[-</bB>]*\n* *[<bB>]*box_command[\]})>];<a href="postconf.5.html#mailbox_command">&</a>;g
-+	s;[\[{(<]mail[-</bB>]*\n* *[<bB>]*box_command_maps[\]})>];<a href="postconf.5.html#mailbox_command_maps">&</a>;g
-+	s;[\[{(<]mail[-</bB>]*\n* *[<bB>]*box_deliv[-</Bb>]*\n* *[<Bb>]*ery_lock[\]})>];<a href="postconf.5.html#mailbox_delivery_lock">&</a>;g
-+	s;[\[{(<]mail[-</bB>]*\n* *[<bB>]*box_size_limit[\]})>];<a href="postconf.5.html#mailbox_size_limit">&</a>;g
-+	s;[\[{(<]mail[-</bB>]*\n* *[<bB>]*box_transport[\]})>];<a href="postconf.5.html#mailbox_transport">&</a>;g
-+	s;[\[{(<]mailq_path[\]})>];<a href="postconf.5.html#mailq_path">&</a>;g
-+	s;[\[{(<]manpage_directory[\]})>];<a href="postconf.5.html#manpage_directory">&</a>;g
-+	s;[\[{(<]maps_rbl_domains[\]})>];<a href="postconf.5.html#maps_rbl_domains">&</a>;g
-+	s;[\[{(<]maps_rbl_reject_code[\]})>];<a href="postconf.5.html#maps_rbl_reject_code">&</a>;g
-+	s;[\[{(<]masquerade_classes[\]})>];<a href="postconf.5.html#masquerade_classes">&</a>;g
-+	s;[\[{(<]masquerade_domains[\]})>];<a href="postconf.5.html#masquerade_domains">&</a>;g
-+	s;[\[{(<]masquerade_exceptions[\]})>];<a href="postconf.5.html#masquerade_exceptions">&</a>;g
-+	s;[\[{(<]max_idle[\]})>];<a href="postconf.5.html#max_idle">&</a>;g
-+	s;[\[{(<]max_use[\]})>];<a href="postconf.5.html#max_use">&</a>;g
-+	s;[\[{(<]maxi[-</bB>]*\n*[ <bB>]*mal_backoff_time[\]})>];<a href="postconf.5.html#maximal_backoff_time">&</a>;g
-+	s;[\[{(<]maxi[-</bB>]*\n*[ <bB>]*mal_queue_lifetime[\]})>];<a href="postconf.5.html#maximal_queue_lifetime">&</a>;g
-+	s;[\[{(<]message_size_limit[\]})>];<a href="postconf.5.html#message_size_limit">&</a>;g
-+	s;[\[{(<]mime_boundary_length_limit[\]})>];<a href="postconf.5.html#mime_boundary_length_limit">&</a>;g
-+	s;[\[{(<]mime_header_checks[\]})>];<a href="postconf.5.html#mime_header_checks">&</a>;g
-+	s;[\[{(<]mime_nesting_limit[\]})>];<a href="postconf.5.html#mime_nesting_limit">&</a>;g
-+	s;[\[{(<]minimal_backoff_time[\]})>];<a href="postconf.5.html#minimal_backoff_time">&</a>;g
-+	s;[\[{(<]multi_recip[-</bB>]*\n* *[<bB>]*ient_bounce_reject_code[\]})>];<a href="postconf.5.html#multi_recipient_bounce_reject_code">&</a>;g
-+	s;[\[{(<]mydes[-</bB>]*\n*[ <bB>]*tina[-</bB>]*\n*[ <bB>]*tion[\]})>];<a href="postconf.5.html#mydestination">&</a>;g
-+	s;[\[{(<]mydomain[\]})>];<a href="postconf.5.html#mydomain">&</a>;g
-+	s;[\[{(<]myhostname[\]})>];<a href="postconf.5.html#myhostname">&</a>;g
-+	s;[\[{(<]mynetworks[\]})>];<a href="postconf.5.html#mynetworks">&</a>;g
-+	s;[\[{(<]mynetworks_style[\]})>];<a href="postconf.5.html#mynetworks_style">&</a>;g
-+	s;[\[{(<]myorigin[\]})>];<a href="postconf.5.html#myorigin">&</a>;g
-+	s;[\[{(<]nested_header_checks[\]})>];<a href="postconf.5.html#nested_header_checks">&</a>;g
-+	s;[\[{(<]newaliases_path[\]})>];<a href="postconf.5.html#newaliases_path">&</a>;g
-+	s;[\[{(<]non_fqdn_reject_code[\]})>];<a href="postconf.5.html#non_fqdn_reject_code">&</a>;g
-+	s;[\[{(<]notify_classes[\]})>];<a href="postconf.5.html#notify_classes">&</a>;g
-+	s;[\[{(<]owner_request_special[\]})>];<a href="postconf.5.html#owner_request_special">&</a>;g
-+	s;[\[{(<]parent_domain_matches_subdomains[\]})>];<a href="postconf.5.html#parent_domain_matches_subdomains">&</a>;g
-+	s;[\[{(<]permit_mx_backup_networks[\]})>];<a href="postconf.5.html#permit_mx_backup_networks">&</a>;g
-+	s;[\[{(<]pickup_service_name[\]})>];<a href="postconf.5.html#pickup_service_name">&</a>;g
-+	s;[\[{(<]prepend_delivered_header[\]})>];<a href="postconf.5.html#prepend_delivered_header">&</a>;g
-+	s;[\[{(<]process_id[\]})>];<a href="postconf.5.html#process_id">&</a>;g
-+	s;[\[{(<]process_id_directory[\]})>];<a href="postconf.5.html#process_id_directory">&</a>;g
-+	s;[\[{(<]process_name[\]})>];<a href="postconf.5.html#process_name">&</a>;g
-+	s;[\[{(<]propagate_unmatched_extensions[\]})>];<a href="postconf.5.html#propagate_unmatched_extensions">&</a>;g
-+	s;[\[{(<]proxy_interfaces[\]})>];<a href="postconf.5.html#proxy_interfaces">&</a>;g
-+	s;[\[{(<]proxy_read_maps[\]})>];<a href="postconf.5.html#proxy_read_maps">&</a>;g
-+	s;[\[{(<]qmgr_clog_warn_time[\]})>];<a href="postconf.5.html#qmgr_clog_warn_time">&</a>;g
-+	s;[\[{(<]qmgr_fudge_factor[\]})>];<a href="postconf.5.html#qmgr_fudge_factor">&</a>;g
-+	s;[\[{(<]qmgr_message_active_limit[\]})>];<a href="postconf.5.html#qmgr_message_active_limit">&</a>;g
-+	s;[\[{(<]qmgr_message_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#qmgr_message_recipient_limit">&</a>;g
-+	s;[\[{(<]qmgr_message_recip[-</bB>]*\n* *[<bB>]*ient_minimum[\]})>];<a href="postconf.5.html#qmgr_message_recipient_minimum">&</a>;g
-+	s;[\[{(<]qmqpd_authorized_clients[\]})>];<a href="postconf.5.html#qmqpd_authorized_clients">&</a>;g
-+	s;[\[{(<]qmqpd_error_delay[\]})>];<a href="postconf.5.html#qmqpd_error_delay">&</a>;g
-+	s;[\[{(<]qmqpd_timeout[\]})>];<a href="postconf.5.html#qmqpd_timeout">&</a>;g
-+	s;[\[{(<]queue_directory[\]})>];<a href="postconf.5.html#queue_directory">&</a>;g
-+	s;[\[{(<]queue_file_attribute_count_limit[\]})>];<a href="postconf.5.html#queue_file_attribute_count_limit">&</a>;g
-+	s;[\[{(<]queue_minfree[\]})>];<a href="postconf.5.html#queue_minfree">&</a>;g
-+	s;[\[{(<]queue_run_delay[\]})>];<a href="postconf.5.html#queue_run_delay">&</a>;g
-+	s;[\[{(<]queue_service_name[\]})>];<a href="postconf.5.html#queue_service_name">&</a>;g
-+	s;[\[{(<]rbl_reply_maps[\]})>];<a href="postconf.5.html#rbl_reply_maps">&</a>;g
-+	s;[\[{(<]readme_directory[\]})>];<a href="postconf.5.html#readme_directory">&</a>;g
-+	s;[\[{(<]receive_override_options[\]})>];<a href="postconf.5.html#receive_override_options">&</a>;g
-+	s;[\[{(<]no_unknown_recip[-</bB>]*\n* *[<bB>]*ient_checks[\]})>];<a href="postconf.5.html#no_unknown_recipient_checks">&</a>;g
-+	s;[\[{(<]no_address_mappings[\]})>];<a href="postconf.5.html#no_address_mappings">&</a>;g
-+	s;[\[{(<]no_header_body_checks[\]})>];<a href="postconf.5.html#no_header_body_checks">&</a>;g
-+	s;[\[{(<]recip[-</bB>]*\n* *[<bB>]*ient_bcc_maps[\]})>];<a href="postconf.5.html#recipient_bcc_maps">&</a>;g
-+	s;[\[{(<]recip[-</bB>]*\n* *[<bB>]*ient_canonical_maps[\]})>];<a href="postconf.5.html#recipient_canonical_maps">&</a>;g
-+	s;[\[{(<]recip[-</bB>]*\n* *[<bB>]*ient_delim[-</bB>]*\n* *[<bB>]*iter[\]})>];<a href="postconf.5.html#recipient_delimiter">&<\/a>;g
-+	s;[\[{(<]reject_code[\]})>];<a href="postconf.5.html#reject_code">&</a>;g
-+	s;[\[{(<]relay_domains[\]})>];<a href="postconf.5.html#relay_domains">&</a>;g
-+	s;[\[{(<]relay_domains_reject_code[\]})>];<a href="postconf.5.html#relay_domains_reject_code">&</a>;g
-+	s;[\[{(<]relay_recipi[-</bB>]*\n*[ <bB>]*ent_maps[\]})>];<a href="postconf.5.html#relay_recipient_maps">&</a>;g
-+	s;[\[{(<]relay_transport[\]})>];<a href="postconf.5.html#relay_transport">&</a>;g
-+	s;[\[{(<]relayhost[\]})>];<a href="postconf.5.html#relayhost">&</a>;g
-+	s;[\[{(<]relocated_maps[\]})>];<a href="postconf.5.html#relocated_maps">&</a>;g
-+	s;[\[{(<]require_home_directory[\]})>];<a href="postconf.5.html#require_home_directory">&</a>;g
-+	s;[\[{(<]resolve_dequoted_address[\]})>];<a href="postconf.5.html#resolve_dequoted_address">&</a>;g
-+	s;[\[{(<]rewrite_service_name[\]})>];<a href="postconf.5.html#rewrite_service_name">&</a>;g
-+	s;[\[{(<]sample_directory[\]})>];<a href="postconf.5.html#sample_directory">&</a>;g
-+	s;[\[{(<]sender_based_routing[\]})>];<a href="postconf.5.html#sender_based_routing">&</a>;g
-+	s;[\[{(<]sender_bcc_maps[\]})>];<a href="postconf.5.html#sender_bcc_maps">&</a>;g
-+	s;[\[{(<]sender_canonical_maps[\]})>];<a href="postconf.5.html#sender_canonical_maps">&</a>;g
-+	s;[\[{(<]sendmail_path[\]})>];<a href="postconf.5.html#sendmail_path">&</a>;g
-+	s;[\[{(<]service_throttle_time[\]})>];<a href="postconf.5.html#service_throttle_time">&</a>;g
-+	s;[\[{(<]setgid_group[\]})>];<a href="postconf.5.html#setgid_group">&</a>;g
-+	s;[\[{(<]show_user_unknown_table_name[\]})>];<a href="postconf.5.html#show_user_unknown_table_name">&</a>;g
-+	s;[\[{(<]showq_service_name[\]})>];<a href="postconf.5.html#showq_service_name">&</a>;g
-+	s;[\[{(<]smtp_always_send_ehlo[\]})>];<a href="postconf.5.html#smtp_always_send_ehlo">&</a>;g
-+	s;[\[{(<]smtp_bind_address[\]})>];<a href="postconf.5.html#smtp_bind_address">&</a>;g
-+	s;[\[{(<]smtp_connect_timeout[\]})>];<a href="postconf.5.html#smtp_connect_timeout">&</a>;g
-+	s;[\[{(<]smtp_data_done_timeout[\]})>];<a href="postconf.5.html#smtp_data_done_timeout">&</a>;g
-+	s;[\[{(<]smtp_data_init_timeout[\]})>];<a href="postconf.5.html#smtp_data_init_timeout">&</a>;g
-+	s;[\[{(<]smtp_data_xfer_timeout[\]})>];<a href="postconf.5.html#smtp_data_xfer_timeout">&</a>;g
-+	s;[\[{(<]smtp_defer_if_no_mx_address_found[\]})>];<a href="postconf.5.html#smtp_defer_if_no_mx_address_found">&</a>;g
-+	s;[\[{(<]lmtp_destination_concurrency_limit[\]})>];<a href="postconf.5.html#lmtp_destination_concurrency_limit">&</a>;g
-+	s;[\[{(<]lmtp_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#lmtp_destination_recipient_limit">&</a>;g
-+	s;[\[{(<]relay_destination_concurrency_limit[\]})>];<a href="postconf.5.html#relay_destination_concurrency_limit">&</a>;g
-+	s;[\[{(<]relay_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#relay_destination_recipient_limit">&</a>;g
-+	s;[\[{(<]resolve_null_domain[\]})>];<a href="postconf.5.html#resolve_null_domain">&</a>;g
-+	s;[\[{(<]smtp_destination_concurrency_limit[\]})>];<a href="postconf.5.html#smtp_destination_concurrency_limit">&</a>;g
-+	s;[\[{(<]smtp_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#smtp_destination_recipient_limit">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_destination_concurrency_limit[\]})>];<a href="postconf.5.html#virtual_destination_concurrency_limit">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_destination_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#virtual_destination_recipient_limit">&</a>;g
-+	s;[\[{(<]smtp_helo_name[\]})>];<a href="postconf.5.html#smtp_helo_name">&</a>;g
-+	s;[\[{(<]smtp_helo_timeout[\]})>];<a href="postconf.5.html#smtp_helo_timeout">&</a>;g
-+	s;[\[{(<]smtp_host_lookup[\]})>];<a href="postconf.5.html#smtp_host_lookup">&</a>;g
-+	s;[\[{(<]smtp_line_length_limit[\]})>];<a href="postconf.5.html#smtp_line_length_limit">&</a>;g
-+	s;[\[{(<]smtp_mail_timeout[\]})>];<a href="postconf.5.html#smtp_mail_timeout">&</a>;g
-+	s;[\[{(<]smtp_mx_address_limit[\]})>];<a href="postconf.5.html#smtp_mx_address_limit">&</a>;g
-+	s;[\[{(<]smtp_mx_session_limit[\]})>];<a href="postconf.5.html#smtp_mx_session_limit">&</a>;g
-+	s;[\[{(<]smtp_never_send_ehlo[\]})>];<a href="postconf.5.html#smtp_never_send_ehlo">&</a>;g
-+	s;[\[{(<]smtp_pix_workaround_delay_time[\]})>];<a href="postconf.5.html#smtp_pix_workaround_delay_time">&</a>;g
-+	s;[\[{(<]smtp_pix_workaround_threshold_time[\]})>];<a href="postconf.5.html#smtp_pix_workaround_threshold_time">&</a>;g
-+	s;[\[{(<]smtp_quit_timeout[\]})>];<a href="postconf.5.html#smtp_quit_timeout">&</a>;g
-+	s;[\[{(<]smtp_quote_rfc821_envelope[\]})>];<a href="postconf.5.html#smtp_quote_rfc821_envelope">&</a>;g
-+	s;[\[{(<]smtp_randomize_addresses[\]})>];<a href="postconf.5.html#smtp_randomize_addresses">&</a>;g
-+	s;[\[{(<]smtp_rcpt_timeout[\]})>];<a href="postconf.5.html#smtp_rcpt_timeout">&</a>;g
-+	s;[\[{(<]smtp_rset_timeout[\]})>];<a href="postconf.5.html#smtp_rset_timeout">&</a>;g
-+	s;[\[{(<]smtp_sasl_auth_enable[\]})>];<a href="postconf.5.html#smtp_sasl_auth_enable">&</a>;g
-+	s;[\[{(<]smtp_sasl_password_maps[\]})>];<a href="postconf.5.html#smtp_sasl_password_maps">&</a>;g
-+	s;[\[{(<]smtp_sasl_security_options[\]})>];<a href="postconf.5.html#smtp_sasl_security_options">&</a>;g
-+	s;[\[{(<]smtp_send_xforward_command[\]})>];<a href="postconf.5.html#smtp_send_xforward_command">&</a>;g
-+	s;[\[{(<]smtp_skip_4xx_greeting[\]})>];<a href="postconf.5.html#smtp_skip_4xx_greeting">&</a>;g
-+	s;[\[{(<]smtp_skip_5xx_greeting[\]})>];<a href="postconf.5.html#smtp_skip_5xx_greeting">&</a>;g
-+	s;[\[{(<]smtp_skip_quit_response[\]})>];<a href="postconf.5.html#smtp_skip_quit_response">&</a>;g
-+	s;[\[{(<]smtp_xforward_timeout[\]})>];<a href="postconf.5.html#smtp_xforward_timeout">&</a>;g
-+	s;[\[{(<]smtpd_autho[-</bB>]*\n*[ <bB>]*rized_verp_clients[\]})>];<a href="postconf.5.html#smtpd_authorized_verp_clients">&</a>;g
-+	s;[\[{(<]smtpd_autho[-</bB>]*\n*[ <bB>]*rized_xclient_hosts[\]})>];<a href="postconf.5.html#smtpd_authorized_xclient_hosts">&</a>;g
-+	s;[\[{(<]smtpd_autho[-</bB>]*\n*[ <bB>]*rized_xforward_hosts[\]})>];<a href="postconf.5.html#smtpd_authorized_xforward_hosts">&</a>;g
-+	s;[\[{(<]smtpd_banner[\]})>];<a href="postconf.5.html#smtpd_banner">&</a>;g
-+	s;[\[{(<]smtpd_client_connection_count_limit[\]})>];<a href="postconf.5.html#smtpd_client_connection_count_limit">&</a>;g
-+	s;[\[{(<]smtpd_client_connection_limit_exceptions[\]})>];<a href="postconf.5.html#smtpd_client_connection_limit_exceptions">&</a>;g
-+	s;[\[{(<]smtpd_client_connection_rate_limit[\]})>];<a href="postconf.5.html#smtpd_client_connection_rate_limit">&</a>;g
-+	s;[\[{(<]smtpd_client_restrictions[\]})>];<a href="postconf.5.html#smtpd_client_restrictions">&</a>;g
-+	s;[\[{(<]smtpd_data_restrictions[\]})>];<a href="postconf.5.html#smtpd_data_restrictions">&</a>;g
-+	s;[\[{(<]smtpd_delay_reject[\]})>];<a href="postconf.5.html#smtpd_delay_reject">&</a>;g
-+	s;[\[{(<]smtpd_error_sleep_time[\]})>];<a href="postconf.5.html#smtpd_error_sleep_time">&</a>;g
-+	s;[\[{(<]smtpd_etrn_restrictions[\]})>];<a href="postconf.5.html#smtpd_etrn_restrictions">&</a>;g
-+	s;[\[{(<]smtpd_expansion_filter[\]})>];<a href="postconf.5.html#smtpd_expansion_filter">&</a>;g
-+	s;[\[{(<]smtpd_hard_error_limit[\]})>];<a href="postconf.5.html#smtpd_hard_error_limit">&</a>;g
-+	s;[\[{(<]smtpd_helo_required[\]})>];<a href="postconf.5.html#smtpd_helo_required">&</a>;g
-+	s;[\[{(<]smtpd_helo_restrictions[\]})>];<a href="postconf.5.html#smtpd_helo_restrictions">&</a>;g
-+	s;[\[{(<]smtpd_history_flush_threshold[\]})>];<a href="postconf.5.html#smtpd_history_flush_threshold">&</a>;g
-+	s;[\[{(<]smtpd_junk_command_limit[\]})>];<a href="postconf.5.html#smtpd_junk_command_limit">&</a>;g
-+	s;[\[{(<]smtpd_noop_commands[\]})>];<a href="postconf.5.html#smtpd_noop_commands">&</a>;g
-+	s;[\[{(<]smtpd_null_access_lookup_key[\]})>];<a href="postconf.5.html#smtpd_null_access_lookup_key">&</a>;g
-+	s;[\[{(<]smtpd_recipient_overshoot_limit[\]})>];<a href="postconf.5.html#smtpd_recipient_overshoot_limit">&</a>;g
-+	s;[\[{(<]smtpd_policy_service_max_idle[\]})>];<a href="postconf.5.html#smtpd_policy_service_max_idle">&</a>;g
-+	s;[\[{(<]smtpd_policy_service_max_ttl[\]})>];<a href="postconf.5.html#smtpd_policy_service_max_ttl">&</a>;g
-+	s;[\[{(<]smtpd_policy_service_timeout[\]})>];<a href="postconf.5.html#smtpd_policy_service_timeout">&</a>;g
-+	s;[\[{(<]smtpd_proxy_ehlo[\]})>];<a href="postconf.5.html#smtpd_proxy_ehlo">&</a>;g
-+	s;[\[{(<]smtpd_proxy_filter[\]})>];<a href="postconf.5.html#smtpd_proxy_filter">&</a>;g
-+	s;[\[{(<]smtpd_proxy_timeout[\]})>];<a href="postconf.5.html#smtpd_proxy_timeout">&</a>;g
-+	s;[\[{(<]smtpd_recip[-</bB>]*\n* *[<bB>]*ient_limit[\]})>];<a href="postconf.5.html#smtpd_recipient_limit">&</a>;g
-+	s;[\[{(<]smtpd_recip[-</bB>]*\n* *[<bB>]*ient_restrictions[\]})>];<a href="postconf.5.html#smtpd_recipient_restrictions">&</a>;g
-+	s;[\[{(<]smtpd_reject_unlisted_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#smtpd_reject_unlisted_recipient">&</a>;g
-+	s;[\[{(<]smtpd_reject_unlisted_sender[\]})>];<a href="postconf.5.html#smtpd_reject_unlisted_sender">&</a>;g
-+	s;[\[{(<]smtpd_restriction_classes[\]})>];<a href="postconf.5.html#smtpd_restriction_classes">&</a>;g
-+	s;[\[{(<]smtpd_sasl_application_name[\]})>];<a href="postconf.5.html#smtpd_sasl_application_name">&</a>;g
-+	s;[\[{(<]smtpd_sasl_auth_enable[\]})>];<a href="postconf.5.html#smtpd_sasl_auth_enable">&</a>;g
-+	s;[\[{(<]smtpd_sasl_exceptions_networks[\]})>];<a href="postconf.5.html#smtpd_sasl_exceptions_networks">&</a>;g
-+	s;[\[{(<]smtpd_sasl_local_domain[\]})>];<a href="postconf.5.html#smtpd_sasl_local_domain">&</a>;g
-+	s;[\[{(<]smtpd_sasl_security_options[\]})>];<a href="postconf.5.html#smtpd_sasl_security_options">&</a>;g
-+	s;[\[{(<]smtpd_sender_login_maps[\]})>];<a href="postconf.5.html#smtpd_sender_login_maps">&</a>;g
-+	s;[\[{(<]smtpd_sender_restrictions[\]})>];<a href="postconf.5.html#smtpd_sender_restrictions">&</a>;g
-+	s;[\[{(<]smtpd_soft_error_limit[\]})>];<a href="postconf.5.html#smtpd_soft_error_limit">&</a>;g
-+	s;[\[{(<]smtpd_timeout[\]})>];<a href="postconf.5.html#smtpd_timeout">&</a>;g
-+	s;[\[{(<]soft_bounce[\]})>];<a href="postconf.5.html#soft_bounce">&</a>;g
-+	s;[\[{(<]stale_lock_time[\]})>];<a href="postconf.5.html#stale_lock_time">&</a>;g
-+	s;[\[{(<]strict_7bit_headers[\]})>];<a href="postconf.5.html#strict_7bit_headers">&</a>;g
-+	s;[\[{(<]strict_8bitmime[\]})>];<a href="postconf.5.html#strict_8bitmime">&</a>;g
-+	s;[\[{(<]strict_8bitmime_body[\]})>];<a href="postconf.5.html#strict_8bitmime_body">&</a>;g
-+	s;[\[{(<]strict_mime_encoding_domain[\]})>];<a href="postconf.5.html#strict_mime_encoding_domain">&</a>;g
-+	s;[\[{(<]strict_rfc821_envelopes[\]})>];<a href="postconf.5.html#strict_rfc821_envelopes">&</a>;g
-+	s;[\[{(<]sun_mailtool_compatibility[\]})>];<a href="postconf.5.html#sun_mailtool_compatibility">&</a>;g
-+	s;[\[{(<]swap_bangpath[\]})>];<a href="postconf.5.html#swap_bangpath">&</a>;g
-+	s;[\[{(<]syslog_facility[\]})>];<a href="postconf.5.html#syslog_facility">&</a>;g
-+	s;[\[{(<]syslog_name[\]})>];<a href="postconf.5.html#syslog_name">&</a>;g
-+	s;[\[{(<]trace_service_name[\]})>];<a href="postconf.5.html#trace_service_name">&</a>;g
-+	s;[\[{(<]transport_maps[\]})>];<a href="postconf.5.html#transport_maps">&</a>;g
-+	s;[\[{(<]transport_retry_time[\]})>];<a href="postconf.5.html#transport_retry_time">&</a>;g
-+	s;[\[{(<]trigger_timeout[\]})>];<a href="postconf.5.html#trigger_timeout">&</a>;g
-+	s;[\[{(<]undisclosed_recip[-</bB>]*\n* *[<bB>]*ients_header[\]})>];<a href="postconf.5.html#undisclosed_recipients_header">&</a>;g
-+	s;[\[{(<]unknown_address_reject_code[\]})>];<a href="postconf.5.html#unknown_address_reject_code">&</a>;g
-+	s;[\[{(<]unknown_client_reject_code[\]})>];<a href="postconf.5.html#unknown_client_reject_code">&</a>;g
-+	s;[\[{(<]unknown_hostname_reject_code[\]})>];<a href="postconf.5.html#unknown_hostname_reject_code">&</a>;g
-+	s;[\[{(<]unknown_local_recip[-</bB>]*\n* *[<bB>]*ient_reject_code[\]})>];<a href="postconf.5.html#unknown_local_recipient_reject_code">&</a>;g
-+	s;[\[{(<]unknown_relay_recipi[-</bB>]*\n*[ <bB>]*ent_reject_code[\]})>];<a href="postconf.5.html#unknown_relay_recipient_reject_code">&</a>;g
-+	s;[\[{(<]unknown_virtual_alias_reject_code[\]})>];<a href="postconf.5.html#unknown_virtual_alias_reject_code">&</a>;g
-+	s;[\[{(<]unknown_virtual_mail[-</bB>]*\n* *[<bB>]*box_reject_code[\]})>];<a href="postconf.5.html#unknown_virtual_mailbox_reject_code">&</a>;g
-+	s;[\[{(<]unverified_recip[-</bB>]*\n* *[<bB>]*ient_reject_code[\]})>];<a href="postconf.5.html#unverified_recipient_reject_code">&</a>;g
-+	s;[\[{(<]unverified_sender_reject_code[\]})>];<a href="postconf.5.html#unverified_sender_reject_code">&</a>;g
-+	s;[\[{(<]verp_delimiter_filter[\]})>];<a href="postconf.5.html#verp_delimiter_filter">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_alias_domains[\]})>];<a href="postconf.5.html#virtual_alias_domains">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_alias_expansion_limit[\]})>];<a href="postconf.5.html#virtual_alias_expansion_limit">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_alias_maps[\]})>];<a href="postconf.5.html#virtual_alias_maps">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_maps[\]})>];<a href="postconf.5.html#virtual_maps">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_alias_recursion_limit[\]})>];<a href="postconf.5.html#virtual_alias_recursion_limit">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_gid_maps[\]})>];<a href="postconf.5.html#virtual_gid_maps">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_base[\]})>];<a href="postconf.5.html#virtual_mailbox_base">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_domains[\]})>];<a href="postconf.5.html#virtual_mailbox_domains">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_limit[\]})>];<a href="postconf.5.html#virtual_mailbox_limit">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_lock[\]})>];<a href="postconf.5.html#virtual_mailbox_lock">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_mail[-</bB>]*\n* *[<bB>]*box_maps[\]})>];<a href="postconf.5.html#virtual_mailbox_maps">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_minimum_uid[\]})>];<a href="postconf.5.html#virtual_minimum_uid">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_transport[\]})>];<a href="postconf.5.html#virtual_transport">&</a>;g
-+	s;[\[{(<]vir[-</bB>]*\n*[ <bB>]*tual_uid_maps[\]})>];<a href="postconf.5.html#virtual_uid_maps">&</a>;g
- 
- 	# Undo hyperlinks of manual pages with the same name as parameters.
- 
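Review bot: the closing class '[\]})>]' on every added rule in this hunk does not match one closing delimiter under POSIX bracket-expression rules. A backslash is an ordinary character inside brackets, so the expression ends at the first ']' and the remaining '})>]' becomes a literal suffix the text must contain. If a set of closing characters is intended, put ']' first, as in '[]})>]'. The opening class '[\[{(<]' likewise admits a literal backslash. Separately, the recipient_delimiter rule ends its replacement with '&<\/a>' while its neighbours use '&</a>'; with ';' as the delimiter the escape is unnecessary.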
-@@ -424,7 +424,7 @@
- 	s/[<bB>]*pickup[</bB>]*(8)/<a href="pickup.8.html">&<\/a>/g
- 	s/[<bB>]*pipe[</bB>]*(8)/<a href="pipe.8.html">&<\/a>/g
- 	s/[<bB>]*oqmgr[</bB>]*(8)/<a href="qmgr.8.html">&<\/a>/g
--	s/[<bB>]*[[:<:]]qmgr[</bB>]*(8)/<a href="qmgr.8.html">&<\/a>/g
-+	s/[<bB>]*[\[{(<]qmgr[</bB>]*(8)/<a href="qmgr.8.html">&<\/a>/g
- 	s/[<bB>]*qmqpd[</bB>]*(8)/<a href="qmqpd.8.html">&<\/a>/g
- 	s/[<bB>]*showq[</bB>]*(8)/<a href="showq.8.html">&<\/a>/g
- 	s/[<bB>]*smtp[</bB>]*(8)/<a href="smtp.8.html">&<\/a>/g
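Review bot: on the qmgr(8) rule, '[[:<:]]' is a zero-width start-of-word anchor, but its replacement '[\[{(<]' consumes one character, so the two patterns are not equivalent. A plain qmgr(8) preceded by whitespace no longer matches, and '<b>qmgr</b>(8)' does not match either, because '>' is not in the set and '[<bB>]*' cannot hand back a character that is. Where a match does occur, the delimiter becomes part of '&' and lands inside the link text. To keep oqmgr(8) from being linked a second time without the BSD anchor, capture the preceding non-word character in a group and re-emit it outside the anchor.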
-@@ -475,9 +475,9 @@
- 
- 	# Hyperlink README document names
- 
--	s/[[:<:]][A-Z_]*_README[[:>:]]/<a href="&.html">&<\/a>/g
--	s/[[:<:]]INSTALL[[:>:]]/<a href="&.html">&<\/a>/g
--	s/[[:<:]]OVERVIEW[[:>:]]/<a href="&.html">&<\/a>/g
-+	s/[\[{(<][A-Z_]*_README[\]})>]/<a href="&.html">&<\/a>/g
-+	s/[\[{(<]INSTALL[\]})>]/<a href="&.html">&<\/a>/g
-+	s/[\[{(<]OVERVIEW[\]})>]/<a href="&.html">&<\/a>/g
- 	s/"type:table"/"<a href="DATABASE_README.html">type:table<\/a>"/g
- 
- 	# Split manual page hyperlinks across newlines
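Review bot: in the README, INSTALL and OVERVIEW rules, '&' is reused inside the href, and because the replacement classes consume the surrounding delimiters, '&' now carries them too, so the generated target is no longer the bare document name followed by '.html'. These rules also stop linking names that are not wrapped in one of the listed delimiters. Capture the name in '\(...\)' and build both the href and the link text from '\1', leaving the delimiters outside the anchor.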
-@@ -486,61 +486,61 @@
- 
- 	# Access restrictions - generic
- 
--	s;[[:<:]]check_policy_service[[:>:]];<a href="postconf.5.html#check_policy_service">&</a>;g
--	s;[[:<:]]defer_if_permit[[:>:]];<a href="postconf.5.html#defer_if_permit">&</a>;g
--	s;[[:<:]]defer_if_reject[[:>:]];<a href="postconf.5.html#defer_if_reject">&</a>;g
--	s;[[:<:]]reject_multi_recip[-</bB>]*\n* *[<bB>]*ient_bounce[[:>:]];<a href="postconf.5.html#reject_multi_recipient_bounce">&</a>;g
--	s;[[:<:]]reject_unauth_pipelining[[:>:]];<a href="postconf.5.html#reject_unauth_pipelining">&</a>;g
--	s;[[:<:]]warn_if_reject[[:>:]];<a href="postconf.5.html#warn_if_reject">&</a>;g
-+	s;[\[{(<]check_policy_service[\]})>];<a href="postconf.5.html#check_policy_service">&</a>;g
-+	s;[\[{(<]defer_if_permit[\]})>];<a href="postconf.5.html#defer_if_permit">&</a>;g
-+	s;[\[{(<]defer_if_reject[\]})>];<a href="postconf.5.html#defer_if_reject">&</a>;g
-+	s;[\[{(<]reject_multi_recip[-</bB>]*\n* *[<bB>]*ient_bounce[\]})>];<a href="postconf.5.html#reject_multi_recipient_bounce">&</a>;g
-+	s;[\[{(<]reject_unauth_pipelining[\]})>];<a href="postconf.5.html#reject_unauth_pipelining">&</a>;g
-+	s;[\[{(<]warn_if_reject[\]})>];<a href="postconf.5.html#warn_if_reject">&</a>;g
- 
- 	# Access restrictions - client
- 
--	s;[[:<:]]check_client_access[[:>:]];<a href="postconf.5.html#check_client_access">&</a>;g
--	s;[[:<:]]permit_mynetworks[[:>:]];<a href="postconf.5.html#permit_mynetworks">&</a>;g
--	s;[[:<:]]reject_unknown_client[[:>:]];<a href="postconf.5.html#reject_unknown_client">&</a>;g
--	s;[[:<:]]reject_rbl_client[[:>:]];<a href="postconf.5.html#reject_rbl_client">&</a>;g
--	s;[[:<:]]reject_rhsbl_client[[:>:]];<a href="postconf.5.html#reject_rhsbl_client">&</a>;g
-+	s;[\[{(<]check_client_access[\]})>];<a href="postconf.5.html#check_client_access">&</a>;g
-+	s;[\[{(<]permit_mynetworks[\]})>];<a href="postconf.5.html#permit_mynetworks">&</a>;g
-+	s;[\[{(<]reject_unknown_client[\]})>];<a href="postconf.5.html#reject_unknown_client">&</a>;g
-+	s;[\[{(<]reject_rbl_client[\]})>];<a href="postconf.5.html#reject_rbl_client">&</a>;g
-+	s;[\[{(<]reject_rhsbl_client[\]})>];<a href="postconf.5.html#reject_rhsbl_client">&</a>;g
- 
- 	# Access restrictions - helo
- 
--	s;[[:<:]]check_helo_access[[:>:]];<a href="postconf.5.html#check_helo_access">&</a>;g
--	s;[[:<:]]reject_invalid_hostname[[:>:]];<a href="postconf.5.html#reject_invalid_hostname">&</a>;g
--	s;[[:<:]]reject_non_fqdn_hostname[[:>:]];<a href="postconf.5.html#reject_non_fqdn_hostname">&</a>;g
--	s;[[:<:]]reject_unknown_hostname[[:>:]];<a href="postconf.5.html#reject_unknown_hostname">&</a>;g
-+	s;[\[{(<]check_helo_access[\]})>];<a href="postconf.5.html#check_helo_access">&</a>;g
-+	s;[\[{(<]reject_invalid_hostname[\]})>];<a href="postconf.5.html#reject_invalid_hostname">&</a>;g
-+	s;[\[{(<]reject_non_fqdn_hostname[\]})>];<a href="postconf.5.html#reject_non_fqdn_hostname">&</a>;g
-+	s;[\[{(<]reject_unknown_hostname[\]})>];<a href="postconf.5.html#reject_unknown_hostname">&</a>;g
- 
- 	# Access restrictions - sender
- 
--	s;[[:<:]]check_sender_access[[:>:]];<a href="postconf.5.html#check_sender_access">&</a>;g
--	s;[[:<:]]\(reject_authenti\)\([-</bB>]*\n*[ <bB>]*\)\(cated_sender_login_mismatch\)[[:>:]];<a href="postconf.5.html#reject_authenticated_sender_login_mismatch">\1<\/a>\2<a href="postconf.5.html#reject_authenticated_sender_login_mismatch">\3</a>;g
--	s;[[:<:]]reject_non_fqdn_sender[[:>:]];<a href="postconf.5.html#reject_non_fqdn_sender">&</a>;g
--	s;[[:<:]]reject_rhsbl_sender[[:>:]];<a href="postconf.5.html#reject_rhsbl_sender">&</a>;g
--	s;[[:<:]]reject_sender_login_mis[-</bB>]*\n*[ <bB>]*match[[:>:]];<a href="postconf.5.html#reject_sender_login_mismatch">&</a>;g
--	s;[[:<:]]reject_unauthenticated_sender_login_mismatch[[:>:]];<a href="postconf.5.html#reject_unauthenticated_sender_login_mismatch">&</a>;g
--	s;[[:<:]]reject_unknown_sender_domain[[:>:]];<a href="postconf.5.html#reject_unknown_sender_domain">&</a>;g
--	s;[[:<:]]reject_unlisted_sender[[:>:]];<a href="postconf.5.html#reject_unlisted_sender">&</a>;g
--	s;[[:<:]]reject_unveri[-</bB>]*\n*[ <bB>]*fied_sender[[:>:]];<a href="postconf.5.html#reject_unverified_sender">&</a>;g
-+	s;[\[{(<]check_sender_access[\]})>];<a href="postconf.5.html#check_sender_access">&</a>;g
-+	s;[\[{(<]\(reject_authenti\)\([-</bB>]*\n*[ <bB>]*\)\(cated_sender_login_mismatch\)[\]})>];<a href="postconf.5.html#reject_authenticated_sender_login_mismatch">\1<\/a>\2<a href="postconf.5.html#reject_authenticated_sender_login_mismatch">\3</a>;g
-+	s;[\[{(<]reject_non_fqdn_sender[\]})>];<a href="postconf.5.html#reject_non_fqdn_sender">&</a>;g
-+	s;[\[{(<]reject_rhsbl_sender[\]})>];<a href="postconf.5.html#reject_rhsbl_sender">&</a>;g
-+	s;[\[{(<]reject_sender_login_mis[-</bB>]*\n*[ <bB>]*match[\]})>];<a href="postconf.5.html#reject_sender_login_mismatch">&</a>;g
-+	s;[\[{(<]reject_unauthenticated_sender_login_mismatch[\]})>];<a href="postconf.5.html#reject_unauthenticated_sender_login_mismatch">&</a>;g
-+	s;[\[{(<]reject_unknown_sender_domain[\]})>];<a href="postconf.5.html#reject_unknown_sender_domain">&</a>;g
-+	s;[\[{(<]reject_unlisted_sender[\]})>];<a href="postconf.5.html#reject_unlisted_sender">&</a>;g
-+	s;[\[{(<]reject_unveri[-</bB>]*\n*[ <bB>]*fied_sender[\]})>];<a href="postconf.5.html#reject_unverified_sender">&</a>;g
- 
- 	# Access restrictions - recip[-</bB>]*\n* *[<bB>]*ient
- 
--	s;[[:<:]]check_recip[-</bB>]*\n* *[<bB>]*ient_access[[:>:]];<a href="postconf.5.html#check_recipient_access">&</a>;g
--	s;[[:<:]]check_recip[-</bB>]*\n* *[<bB>]*ient_mx_access[[:>:]];<a href="postconf.5.html#check_recipient_mx_access">&</a>;g
--	s;[[:<:]]check_recip[-</bB>]*\n* *[<bB>]*ient_ns_access[[:>:]];<a href="postconf.5.html#check_recipient_ns_access">&</a>;g
--	s;[[:<:]]permit_auth_destination[[:>:]];<a href="postconf.5.html#permit_auth_destination">&</a>;g
--	s;[[:<:]]permit_mx_backup[[:>:]];<a href="postconf.5.html#permit_mx_backup">&</a>;g
--	s;[[:<:]]reject_non_fqdn_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#reject_non_fqdn_recipient">&</a>;g
--	s;[[:<:]]reject_rhsbl_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#reject_rhsbl_recipient">&</a>;g
--	s;[[:<:]]reject_unauth_destination[[:>:]];<a href="postconf.5.html#reject_unauth_destination">&</a>;g
--	s;[[:<:]]reject_unknown_recipi[-</bB>]*\n*[ <bB>]*ent_domain[[:>:]];<a href="postconf.5.html#reject_unknown_recipient_domain">&</a>;g
--	s;[[:<:]]reject_unlisted_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#reject_unlisted_recipient">&</a>;g
--	s;[[:<:]]reject_unveri[-</bB>]*\n*[ <bB>]*fied_recip[-</bB>]*\n* *[<bB>]*ient[[:>:]];<a href="postconf.5.html#reject_unverified_recipient">&</a>;g
-+	s;[\[{(<]check_recip[-</bB>]*\n* *[<bB>]*ient_access[\]})>];<a href="postconf.5.html#check_recipient_access">&</a>;g
-+	s;[\[{(<]check_recip[-</bB>]*\n* *[<bB>]*ient_mx_access[\]})>];<a href="postconf.5.html#check_recipient_mx_access">&</a>;g
-+	s;[\[{(<]check_recip[-</bB>]*\n* *[<bB>]*ient_ns_access[\]})>];<a href="postconf.5.html#check_recipient_ns_access">&</a>;g
-+	s;[\[{(<]permit_auth_destination[\]})>];<a href="postconf.5.html#permit_auth_destination">&</a>;g
-+	s;[\[{(<]permit_mx_backup[\]})>];<a href="postconf.5.html#permit_mx_backup">&</a>;g
-+	s;[\[{(<]reject_non_fqdn_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#reject_non_fqdn_recipient">&</a>;g
-+	s;[\[{(<]reject_rhsbl_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#reject_rhsbl_recipient">&</a>;g
-+	s;[\[{(<]reject_unauth_destination[\]})>];<a href="postconf.5.html#reject_unauth_destination">&</a>;g
-+	s;[\[{(<]reject_unknown_recipi[-</bB>]*\n*[ <bB>]*ent_domain[\]})>];<a href="postconf.5.html#reject_unknown_recipient_domain">&</a>;g
-+	s;[\[{(<]reject_unlisted_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#reject_unlisted_recipient">&</a>;g
-+	s;[\[{(<]reject_unveri[-</bB>]*\n*[ <bB>]*fied_recip[-</bB>]*\n* *[<bB>]*ient[\]})>];<a href="postconf.5.html#reject_unverified_recipient">&</a>;g
- 
- 	# Access restrictions - etrn
- 
--	s;[[:<:]]check_etrn_access[[:>:]];<a href="postconf.5.html#check_etrn_access">&</a>;g
-+	s;[\[{(<]check_etrn_access[\]})>];<a href="postconf.5.html#check_etrn_access">&</a>;g
- 
- 	# Split parameter or restriction hyperlinks across line breaks
- 
--	s/\(<a href="[^"]*">\)\([-a-z0-9_]*\)[[:>:]]\([-</bB>]*\n *[<bB>]*\)[[:<:]]\([-a-z0-9_]*\)\(<\/a>\)/\1\2\5\3\1\4\5/
-+	s/\(<a href="[^"]*">\)\([-a-z0-9_]*\)[\]})>]\([-</bB>]*\n *[<bB>]*\)[\[{(<]\([-a-z0-9_]*\)\(<\/a>\)/\1\2\5\3\1\4\5/
- 
- 	# Glue manual/parameter/restriction hyperlinks without line breaks.
- 
-@@ -551,7 +551,7 @@
- 
- 	s/\(http:\/\/[^ ,"()]*[^ ,"():;!?.]\)/<a href="\1">\1<\/a>/
- 	s/\(ftp:\/\/[^ ,"()]*[^ ,"():;!?.]\)/<a href="\1">\1<\/a>/
--	s/[[:<:]]RFC *\([1-9][0-9]*\)/<a href="http:\/\/www.faqs.org\/rfcs\/rfc\1.html">&<\/a>/
-+	s/[\[{(<]RFC *\([1-9][0-9]*\)/<a href="http:\/\/www.faqs.org\/rfcs\/rfc\1.html">&<\/a>/
- 
- 	# Hyperlink phrases not in headers.
- 
-@@ -572,32 +572,32 @@
- 	s/relay domains*/<a href="ADDRESS_CLASS_README.html#relay_domain_class">&<\/a>/
- 	s/default domains*/<a href="ADDRESS_CLASS_README.html#default_domain_class">&<\/a>/
- 	s/mydestination domains*/<a href="ADDRESS_CLASS_README.html#local_domain_class">&<\/a>/
--	s/[[:<:]]"*maildrop"* *queues*[[:>:]]/<a href="QSHAPE_README.html#maildrop_queue">&<\/a>/
--	s/[[:<:]]\("*maildrop"*\),/<a href="QSHAPE_README.html#maildrop_queue">\1<\/a>,/
--	s/[[:<:]]\("*incoming"*\) and[[:>:]]/<a href="QSHAPE_README.html#incoming_queue">\1<\/a> and/
--	s/[[:<:]]\("*incoming"*\) or[[:>:]]/<a href="QSHAPE_README.html#incoming_queue">\1<\/a> or/
--	s/[[:<:]]"*incoming"* *queues*[[:>:]]/<a href="QSHAPE_README.html#incoming_queue">&<\/a>/
--	s/<b> *incoming *<\/b> *queues*[[:>:]]/<a href="QSHAPE_README.html#incoming_queue">&<\/a>/
--	s/[[:<:]]"*active"* *queues*[[:>:]]/<a href="QSHAPE_README.html#active_queue">&<\/a>/
--	s/[[:<:]]"*deferred"* *queues*[[:>:]]/<a href="QSHAPE_README.html#deferred_queue">&<\/a>/
--	s/[[:<:]]"*hold"* *queues*[[:>:]]/<a href="QSHAPE_README.html#hold_queue">&<\/a>/
--	s/[[:<:]]\("*hold"*\),/<a href="QSHAPE_README.html#hold_queue">\1<\/a>,/
-+	s/[\[{(<]"*maildrop"* *queues*[\]})>]/<a href="QSHAPE_README.html#maildrop_queue">&<\/a>/
-+	s/[\[{(<]\("*maildrop"*\),/<a href="QSHAPE_README.html#maildrop_queue">\1<\/a>,/
-+	s/[\[{(<]\("*incoming"*\) and[\]})>]/<a href="QSHAPE_README.html#incoming_queue">\1<\/a> and/
-+	s/[\[{(<]\("*incoming"*\) or[\]})>]/<a href="QSHAPE_README.html#incoming_queue">\1<\/a> or/
-+	s/[\[{(<]"*incoming"* *queues*[\]})>]/<a href="QSHAPE_README.html#incoming_queue">&<\/a>/
-+	s/<b> *incoming *<\/b> *queues*[\]})>]/<a href="QSHAPE_README.html#incoming_queue">&<\/a>/
-+	s/[\[{(<]"*active"* *queues*[\]})>]/<a href="QSHAPE_README.html#active_queue">&<\/a>/
-+	s/[\[{(<]"*deferred"* *queues*[\]})>]/<a href="QSHAPE_README.html#deferred_queue">&<\/a>/
-+	s/[\[{(<]"*hold"* *queues*[\]})>]/<a href="QSHAPE_README.html#hold_queue">&<\/a>/
-+	s/[\[{(<]\("*hold"*\),/<a href="QSHAPE_README.html#hold_queue">\1<\/a>,/
- 
- 	# Hyperlink map types.
- 
--	s/[[:<:]]\(cidr\):/<a href="cidr_table.5.html">\1<\/a>:/g
--	s/[[:<:]]\(pcre\):/<a href="pcre_table.5.html">\1<\/a>:/g
--	s/[[:<:]]\(proxy\):/<a href="proxymap.8.html">\1<\/a>:/g
--	s/[[:<:]]\(pgsql\):/<a href="pgsql_table.5.html">\1<\/a>:/g
--	s/[[:<:]]\(mysql\):/<a href="mysql_table.5.html">\1<\/a>:/g
--	s/[[:<:]]\(ldap\):/<a href="ldap_table.5.html">\1<\/a>:/g
--	s/[[:<:]]\(regexp\):/<a href="regexp_table.5.html">\1<\/a>:/g
--	#s/[[:<:]]\(tcp\):/<a href="tcp_table.5.html">\1<\/a>:/g
-+	s/[\[{(<]\(cidr\):/<a href="cidr_table.5.html">\1<\/a>:/g
-+	s/[\[{(<]\(pcre\):/<a href="pcre_table.5.html">\1<\/a>:/g
-+	s/[\[{(<]\(proxy\):/<a href="proxymap.8.html">\1<\/a>:/g
-+	s/[\[{(<]\(pgsql\):/<a href="pgsql_table.5.html">\1<\/a>:/g
-+	s/[\[{(<]\(mysql\):/<a href="mysql_table.5.html">\1<\/a>:/g
-+	s/[\[{(<]\(ldap\):/<a href="ldap_table.5.html">\1<\/a>:/g
-+	s/[\[{(<]\(regexp\):/<a href="regexp_table.5.html">\1<\/a>:/g
-+	#s/[\[{(<]\(tcp\):/<a href="tcp_table.5.html">\1<\/a>:/g
- 
- 	# Do nice links for smtp:host:port etc.
- 
--	s/[[:<:]]\(error\):/<a href="error.8.html">\1<\/a>:/g
--	s/[[:<:]]\(smtp\):/<a href="smtp.8.html">\1<\/a>:/g
--	s/[[:<:]]\(lmtp\):/<a href="lmtp.8.html">\1<\/a>:/g
-+	s/[\[{(<]\(error\):/<a href="error.8.html">\1<\/a>:/g
-+	s/[\[{(<]\(smtp\):/<a href="smtp.8.html">\1<\/a>:/g
-+	s/[\[{(<]\(lmtp\):/<a href="lmtp.8.html">\1<\/a>:/g
- 
- ' "$@"
++  {
+   Again:
+     if (/-[<\/bB>]*$/) {
+ 	$_ .= "\n";
+@@ -20,6 +21,7 @@
+ 	chop if $len1 < length;
+ 	goto Again;
+     }
++  }
+     if (/<[Aa] *[HhNn][RrAa][EeMm][FfEe] *=/) {
+ 	print;
+ 	$printit = 0;

Modified: postfix/trunk/debian/patches/10master.cf.dpatch
===================================================================
--- postfix/trunk/debian/patches/10master.cf.dpatch	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/patches/10master.cf.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -5,34 +5,42 @@
 ## DP: No description.
 
 @DPATCH@
-diff -urNad postfix-2.1.5/conf/master.cf /tmp/dpep.YcxBnZ/postfix-2.1.5/conf/master.cf
---- postfix-2.1.5/conf/master.cf	2004-12-27 22:02:52.864399960 -0700
-+++ /tmp/dpep.YcxBnZ/postfix-2.1.5/conf/master.cf	2004-12-27 22:19:03.606731307 -0700
-@@ -77,26 +77,26 @@
+diff -urNad --exclude=CVS --exclude=.svn ./conf/master.cf /tmp/dpep-work.FpuCe6/postfix--wietse--2.2--patch-8/conf/master.cf
+--- ./conf/master.cf	2005-11-09 13:42:38.000000000 -0700
++++ /tmp/dpep-work.FpuCe6/postfix--wietse--2.2--patch-8/conf/master.cf	2006-01-09 17:56:07.000000000 -0700
+@@ -6,41 +6,41 @@
  # service type  private unpriv  chroot  wakeup  maxproc command + args
  #               (yes)   (yes)   (yes)   (never) (100)
  # ==========================================================================
 -smtp      inet  n       -       n       -       -       smtpd
--#submission inet n      -       n       -       -       smtpd
+-#submission inet n       -       n       -       -       smtpd
 +smtp      inet  n       -       -       -       -       smtpd
-+#submission inet n      -       -       -       -       smtpd
- #	-o smtpd_etrn_restrictions=reject
++#submission inet n       -       -       -       -       smtpd
+ #  -o smtpd_enforce_tls=yes
+ #  -o smtpd_sasl_auth_enable=yes
+ #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+-#smtps     inet  n       -       n       -       -       smtpd
++#smtps     inet  n       -       -       -       -       smtpd
+ #  -o smtpd_tls_wrappermode=yes
+ #  -o smtpd_sasl_auth_enable=yes
+ #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -#628      inet  n       -       n       -       -       qmqpd
 -pickup    fifo  n       -       n       60      1       pickup
 -cleanup   unix  n       -       n       -       0       cleanup
--qmgr      fifo  n       -       n       300     1       qmgr
++#628      inet  n       -       -       -       -       qmqpd
++pickup    fifo  n       -       -       60      1       pickup
++cleanup   unix  n       -       -       -       0       cleanup
+ qmgr      fifo  n       -       n       300     1       qmgr
 -#qmgr     fifo  n       -       n       300     1       oqmgr
+-tlsmgr    unix  -       -       n       1000?   1       tlsmgr
 -rewrite   unix  -       -       n       -       -       trivial-rewrite
 -bounce    unix  -       -       n       -       0       bounce
 -defer     unix  -       -       n       -       0       bounce
 -trace     unix  -       -       n       -       0       bounce
 -verify    unix  -       -       n       -       1       verify
 -flush     unix  n       -       n       1000?   0       flush
-+#628      inet  n       -       -       -       -       qmqpd
-+pickup    fifo  n       -       -       60      1       pickup
-+cleanup   unix  n       -       -       -       0       cleanup
-+qmgr      fifo  n       -       -       300     1       qmgr
 +#qmgr     fifo  n       -       -       300     1       oqmgr
++tlsmgr    unix  -       -       -       1000?   1       tlsmgr
 +rewrite   unix  -       -       -       -       -       trivial-rewrite
 +bounce    unix  -       -       -       -       0       bounce
 +defer     unix  -       -       -       -       0       bounce
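Review bot: The dpatch header at the top of this hunk still reads "## DP: No description." even though the patch rewrites the chroot column for nearly every service. qmgr is now an unchanged context line with chroot "n", where rev 836 switched it to "-", so it stays unchrooted while pickup, cleanup, tlsmgr and the bounce family become chrooted. Please put a one-line DP description in the header saying that the patch enables chroot by default and which services are deliberately left out, so the qmgr exception does not read as an oversight.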
@@ -41,21 +49,34 @@
 +flush     unix  n       -       -       1000?   0       flush
  proxymap  unix  -       -       n       -       -       proxymap
 -smtp      unix  -       -       n       -       -       smtp
++smtp      unix  -       -       -       -       -       smtp
+ # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
 -relay     unix  -       -       n       -       -       smtp
-+smtp      unix  -       -       -       -       -       smtp
 +relay     unix  -       -       -       -       -       smtp
+ 	-o fallback_relay=
  #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
 -showq     unix  n       -       n       -       -       showq
 -error     unix  -       -       n       -       -       error
+-discard   unix  -       -       n       -       -       discard
 +showq     unix  n       -       -       -       -       showq
 +error     unix  -       -       -       -       -       error
++discard   unix  -       -       -       -       -       discard
  local     unix  -       n       n       -       -       local
  virtual   unix  -       n       n       -       -       virtual
- lmtp      unix  -       -       n       -       -       lmtp
-@@ -109,18 +109,16 @@
+-lmtp      unix  -       -       n       -       -       lmtp
+-anvil     unix  -       -       n       -       1       anvil
+-scache	  unix	-	-	n	-	1	scache
++lmtp      unix  -       -       -       -       -       lmtp
++anvil     unix  -       -       -       -       1       anvil
++scache	  unix	-	-	-	-	1	scache
  #
+ # ====================================================================
+ # Interfaces to non-Postfix software. Be sure to examine the manual
+@@ -55,16 +55,7 @@
+ # Also specify in main.cf: maildrop_destination_recipient_limit=1
+ #
  maildrop  unix  -       n       n       -       -       pipe
-   flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
+-  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
 -#
 -# The Cyrus deliver program has changed incompatibly, multiple times.
 -#
@@ -65,17 +86,19 @@
 -# Also specify in main.cf: cyrus_destination_recipient_limit=1
 -cyrus     unix  -       n       n       -       -       pipe
 -  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
- uucp      unix  -       n       n       -       -       pipe
-   flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
++  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+ #
+ # See the Postfix UUCP_README file for configuration details.
+ #
+@@ -76,4 +67,10 @@
  ifmail    unix  -       n       n       -       -       pipe
    flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
  bsmtp     unix  -       n       n       -       -       pipe
 -  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
-+  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$nexthop -f$sender $recipient
++  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
 +scalemail-backend unix	-	n	n	-	2	pipe
 +  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
++mailman   unix  -       n       n       -       -       pipe
++  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
++  ${nexthop} ${user}
 +
-+# only used by postfix-tls
-+#tlsmgr	  fifo	-	-	n	300	1	tlsmgr
-+#smtps	  inet	n	-	n	-	-	smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
-+#587	  inet	n	-	n	-	-	smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
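Review bot: The new mailman transport at the end of this hunk passes ${user} in argv but, unlike the maildrop entry earlier in this file, carries no "Also specify in main.cf: ..._destination_recipient_limit=1" comment. If postfix-to-mailman.py expects a single recipient per invocation, add the matching comment line above the entry so the main.cf requirement is not lost.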

Added: postfix/trunk/debian/patches/10myorigin.dpatch
===================================================================
--- postfix/trunk/debian/patches/10myorigin.dpatch	                        (rev 0)
+++ postfix/trunk/debian/patches/10myorigin.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -0,0 +1,73 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10myorigin.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Allow myorigin to be /path/to/file
+
+ at DPATCH@
+diff -urNad postfix~/src/global/mail_params.c postfix/src/global/mail_params.c
+--- postfix~/src/global/mail_params.c	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/global/mail_params.c	2006-10-18 10:39:22.000000000 -0600
+@@ -157,6 +157,8 @@
+ #include <valid_hostname.h>
+ #include <stringops.h>
+ #include <safe.h>
++#include <safe_open.h>
++#include <mymalloc.h>
+ #ifdef HAS_DB
+ #include <dict_db.h>
+ #endif
+@@ -433,6 +435,40 @@
+ 		  (long) var_sgid_gid);
+ }
+ 
++static char *read_file(const char *name)
++{
++    char *ret;
++    VSTRING *why=vstring_alloc(1);
++    VSTRING *new_name=vstring_alloc(1);
++    VSTREAM *vp=safe_open(name, O_RDONLY, 0, NULL, -1, -1, why);
++
++    /*
++     * Ugly macros to make complex expressions less unreadable.
++     */
++#define SKIP(start, var, cond) \
++	for (var = start; *var && (cond); var++);
++
++#define TRIM(s) { \
++	char *p; \
++	for (p = (s) + strlen(s); p > (s) && ISSPACE(p[-1]); p--); \
++	*p = 0; \
++    }
++
++    if (!vp) {
++	msg_fatal("%s: unable to open: %s",name,vstring_str(why));
++    }
++    vstring_get_nonl(new_name,vp);
++    vstream_fclose(vp);
++    SKIP(vstring_str(new_name),ret,ISSPACE(*ret));
++    ret=mystrdup(ret);
++    if (*ret) {	/* empty strings are shared */
++	TRIM(ret);
++    }
++    vstring_free(why);
++    vstring_free(new_name);
++    return ret;
++}
++
+ /* mail_params_init - configure built-in parameters */
+ 
+ void    mail_params_init()
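Review bot: read_file() ignores the return value of vstring_get_nonl() and keeps only the first line of the file, so a file that starts with a blank line is later rejected as "empty" and any further lines are silently dropped. Either document the one-line format in the DP description or skip leading blank lines before giving up. The SKIP and TRIM macros are defined inside the function body and never #undef'd, so they stay visible to the rest of mail_params.c; two short loops, or an #undef after use, would avoid that.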
+@@ -584,6 +620,12 @@
+      * Variables that are needed by almost every program.
+      */
+     get_mail_conf_str_table(other_str_defaults);
++    if (*var_myorigin=='/') {
++	char *origin=read_file(var_myorigin);
++	if (!origin || !*origin)
++	    msg_fatal("myorigin file %s is empty",var_myorigin);
++	var_myorigin=origin;
++    }
+     get_mail_conf_int_table(other_int_defaults);
+     get_mail_conf_bool_table(bool_defaults);
+     get_mail_conf_time_table(time_defaults);
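Review bot: The string returned by read_file() is checked only for being non-empty before it replaces var_myorigin, so interior whitespace or any other first-line content ends up as the origin domain. Since <valid_hostname.h> is already included in this file, consider rejecting values that fail valid_hostname() with msg_fatal, the same way the empty case is handled.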

Added: postfix/trunk/debian/patches/10postfix-script.dpatch
===================================================================
--- postfix/trunk/debian/patches/10postfix-script.dpatch	                        (rev 0)
+++ postfix/trunk/debian/patches/10postfix-script.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -0,0 +1,88 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## postfix-script2.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad --exclude=CVS --exclude=.svn ./conf/postfix-script /tmp/dpep-work.gXE1m7/postfix/conf/postfix-script
+--- ./conf/postfix-script	2005-04-14 10:14:16.000000000 -0600
++++ /tmp/dpep-work.gXE1m7/postfix/conf/postfix-script	2006-01-18 23:21:34.000000000 -0700
+@@ -42,6 +42,13 @@
+ FATAL="$LOGGER -p fatal"
+ PANIC="$LOGGER -p panic"
+ 
++if [ "X${1#quiet-}" != "X${1}" ]; then
++    INFO=:
++    x=${1#quiet-}
++    shift
++    set -- $x "$@"
++fi
++
+ umask 022
+ SHELL=/bin/sh
+ 
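Review bot: In the quiet- prefix handling, the line set -- $x "$@" leaves $x unquoted, so the rewritten command word is subject to word splitting and pathname expansion. Quote it as set -- "$x" "$@". The quiet- prefix itself (which sets INFO=:) is not mentioned in the script's comments or in the DP description, which still says "No description."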
+@@ -84,6 +91,20 @@
+ 	echo "Stop postfix"
+ 	;;
+ 
++quick-start)
++
++	$daemon_directory/master -t 2>/dev/null || {
++		$FATAL the Postfix mail system is already running
++		exit 1
++	}
++	$config_directory/postfix-script quick-check || {
++		$FATAL Postfix integrity check failed!
++		exit 1
++	}
++	$INFO starting the Postfix mail system
++	$daemon_directory/master &
++	;;
++
+ start)
+ 
+ 	$daemon_directory/master -t 2>/dev/null || {
+@@ -125,7 +146,7 @@
+ 
+ 	$daemon_directory/master -t 2>/dev/null && {
+ 		$FATAL the Postfix mail system is not running
+-		exit 1
++		exit 0
+ 	}
+ 	$INFO stopping the Postfix mail system
+ 	kill `sed 1q pid/master.pid`
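Review bot: With the exit status changed to 0, the stop case still reports "the Postfix mail system is not running" through $FATAL, so callers see success while the log records a fatal error. If stopping an already stopped system is meant to be harmless, log it with $WARN or $INFO instead; the same applies to the abort case in the next hunk.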
+@@ -135,7 +156,7 @@
+ 
+ 	$daemon_directory/master -t 2>/dev/null && {
+ 		$FATAL the Postfix mail system is not running
+-		exit 1
++		exit 0
+ 	}
+ 	$INFO aborting the Postfix mail system
+ 	kill `sed 1q pid/master.pid`
+@@ -169,9 +190,7 @@
+ 	exit 0
+ 	;;
+ 
+-check-fatal)
+-	# This command is NOT part of the public interface.
+-
++quick-check)
+ 	$SHELL $config_directory/post-install create-missing || {
+ 		$WARN unable to create missing queue directories
+ 		exit 1
+@@ -183,6 +202,13 @@
+ 		$FATAL no $config_directory/master.cf file found
+ 		exit 1
+ 	}
++	exit 0
++	;;
++
++check-fatal)
++	# This command is NOT part of the public interface.
++
++	$config_directory/postfix-script quick-check
+ 
+ 	# See if all queue files are in the right place. This is slow.
+ 	# We must scan all queues for mis-named queue files before the
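Review bot: check-fatal now runs "$config_directory/postfix-script quick-check" as a child process and ignores its exit status, so the "exit 1" paths that used to abort check-fatal (missing queue directories, missing master.cf) no longer stop it. Append "|| exit 1", as quick-start does for the same call. The call also runs the script directly, while the post-install call a few lines up goes through $SHELL; using $SHELL here keeps it working if postfix-script is not executable.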

Modified: postfix/trunk/debian/patches/10rmail.dpatch
===================================================================
--- postfix/trunk/debian/patches/10rmail.dpatch	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/patches/10rmail.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -5,25 +5,20 @@
 ## DP: No description.
 
 @DPATCH@
-diff -urNad postfix-2.1.5/Makefile.in /tmp/dpep.5gIPzk/postfix-2.1.5/Makefile.in
---- postfix-2.1.5/Makefile.in	2004-12-27 22:02:52.848403399 -0700
-+++ /tmp/dpep.5gIPzk/postfix-2.1.5/Makefile.in	2004-12-27 22:19:13.392627752 -0700
-@@ -1,10 +1,11 @@
- SHELL	= /bin/sh
- WARN    = -Wmissing-prototypes -Wformat
--OPTS	= 'CC=$(CC)'
-+OPTS	= "CC=$(CC)"
- DIRS	= src/util src/global src/dns src/master src/postfix src/smtpstone \
- 	src/sendmail src/error src/pickup src/cleanup src/smtpd src/local \
- 	src/lmtp src/trivial-rewrite src/qmgr src/oqmgr src/smtp src/bounce \
+diff -urNad debian-2.2/Makefile.in /tmp/dpep.a1Cna5/debian-2.2/Makefile.in
+--- debian-2.2/Makefile.in	2005-04-14 10:14:15.671108333 -0600
++++ /tmp/dpep.a1Cna5/debian-2.2/Makefile.in	2005-04-14 10:44:57.466696469 -0600
+@@ -7,6 +7,7 @@
  	src/pipe src/showq src/postalias src/postcat src/postconf src/postdrop \
-+	rmail \
  	src/postkick src/postlock src/postlog src/postmap src/postqueue \
  	src/postsuper src/qmqpd src/spawn src/flush src/verify \
- 	src/virtual src/proxymap
-diff -urNad postfix-2.1.5/rmail/LICENSE /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/LICENSE
---- postfix-2.1.5/rmail/LICENSE	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/LICENSE	2004-12-27 22:19:13.392627752 -0700
++	rmail \
+ 	src/virtual src/proxymap src/anvil src/scache src/discard src/tlsmgr
+ MANDIRS	= proto man html
+ 
+diff -urNad debian-2.2/rmail/LICENSE /tmp/dpep.a1Cna5/debian-2.2/rmail/LICENSE
+--- debian-2.2/rmail/LICENSE	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.a1Cna5/debian-2.2/rmail/LICENSE	2005-04-14 10:44:57.466696469 -0600
 @@ -0,0 +1,79 @@
 +			     SENDMAIL LICENSE
 +
@@ -104,9 +99,9 @@
 +   THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
 +
 +$Revision: 1.1.2.1 $, Last updated $Date: 2004/12/28 05:34:15 $
-diff -urNad postfix-2.1.5/rmail/Makefile.in /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/Makefile.in
---- postfix-2.1.5/rmail/Makefile.in	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/Makefile.in	2004-12-27 22:19:13.392627752 -0700
+diff -urNad debian-2.2/rmail/Makefile.in /tmp/dpep.a1Cna5/debian-2.2/rmail/Makefile.in
+--- debian-2.2/rmail/Makefile.in	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.a1Cna5/debian-2.2/rmail/Makefile.in	2005-04-14 10:44:57.467695793 -0600
 @@ -0,0 +1,56 @@
 +SHELL	= /bin/sh
 +SRCS	= rmail.c
@@ -164,9 +159,9 @@
 +
 +# do not edit below this line - it is generated by 'make depend'
 +rmail.o: rmail.c
-diff -urNad postfix-2.1.5/rmail/rmail.8 /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/rmail.8
---- postfix-2.1.5/rmail/rmail.8	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/rmail.8	2004-12-27 22:19:13.393627537 -0700
+diff -urNad debian-2.2/rmail/rmail.8 /tmp/dpep.a1Cna5/debian-2.2/rmail/rmail.8
+--- debian-2.2/rmail/rmail.8	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.a1Cna5/debian-2.2/rmail/rmail.8	2005-04-14 10:44:57.467695793 -0600
 @@ -0,0 +1,49 @@
 +.\" Copyright (c) 1998, 1999 Sendmail, Inc. and its suppliers.
 +.\"	 All rights reserved.
@@ -217,9 +212,9 @@
 +.B Rmail
 +should not reside in 
 +/bin.
-diff -urNad postfix-2.1.5/rmail/rmail.c /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/rmail.c
---- postfix-2.1.5/rmail/rmail.c	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.5gIPzk/postfix-2.1.5/rmail/rmail.c	2004-12-27 22:19:13.393627537 -0700
+diff -urNad debian-2.2/rmail/rmail.c /tmp/dpep.a1Cna5/debian-2.2/rmail/rmail.c
+--- debian-2.2/rmail/rmail.c	1969-12-31 17:00:00.000000000 -0700
++++ /tmp/dpep.a1Cna5/debian-2.2/rmail/rmail.c	2005-04-14 10:44:57.468695117 -0600
 @@ -0,0 +1,475 @@
 +/*
 + * Copyright (c) 1998-2000 Sendmail, Inc. and its suppliers.

Modified: postfix/trunk/debian/patches/10smtplinelength.dpatch
===================================================================
--- postfix/trunk/debian/patches/10smtplinelength.dpatch	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/patches/10smtplinelength.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -5,15 +5,18 @@
 ## DP: No description.
 
 @DPATCH@
-diff -urNad postfix-2.1.5/src/global/mail_params.h /tmp/dpep.k6WNIS/postfix-2.1.5/src/global/mail_params.h
---- postfix-2.1.5/src/global/mail_params.h	2004-12-27 22:21:10.756399492 -0700
-+++ /tmp/dpep.k6WNIS/postfix-2.1.5/src/global/mail_params.h	2004-12-27 22:21:15.100465701 -0700
-@@ -837,7 +837,7 @@
+diff -urNad --exclude=CVS --exclude=.svn ./src/global/mail_params.h /tmp/dpep-work.r5zWix/postfix--wietse--2.2--patch-8/src/global/mail_params.h
+--- ./src/global/mail_params.h	2006-01-03 11:56:40.000000000 -0700
++++ /tmp/dpep-work.r5zWix/postfix--wietse--2.2--patch-8/src/global/mail_params.h	2006-01-09 17:58:24.000000000 -0700
+@@ -997,9 +997,9 @@
  extern bool var_smtp_rand_addr;
  
  #define VAR_SMTP_LINE_LIMIT	"smtp_line_length_limit"
 -#define DEF_SMTP_LINE_LIMIT	990
 +#define DEF_SMTP_LINE_LIMIT	0
+ #define VAR_LMTP_LINE_LIMIT	"lmtp_line_length_limit"
+-#define DEF_LMTP_LINE_LIMIT	990
++#define DEF_LMTP_LINE_LIMIT	0
  extern int var_smtp_line_limit;
  
  #define VAR_SMTP_PIX_THRESH	"smtp_pix_workaround_threshold_time"
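Review bot: Both defaults drop from 990 to 0 here while the dpatch header above still says "## DP: No description.", so nothing records why the Debian default differs from upstream or what a value of 0 means for outgoing lines. Put the rationale in the DP line and make sure the packaged documentation for smtp_line_length_limit and lmtp_line_length_limit shows the patched default.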

Added: postfix/trunk/debian/patches/10tls.dpatch
===================================================================
--- postfix/trunk/debian/patches/10tls.dpatch	                        (rev 0)
+++ postfix/trunk/debian/patches/10tls.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -0,0 +1,118 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10tls.dpatch by LaMont Jones <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Debian tweaks to the default tls config
+
+ at DPATCH@
+diff -urNad postfix~/conf/main.cf.tls postfix/conf/main.cf.tls
+--- postfix~/conf/main.cf.tls	1969-12-31 17:00:00.000000000 -0700
++++ postfix/conf/main.cf.tls	2006-12-06 13:16:29.000000000 -0700
+@@ -0,0 +1,11 @@
++
++# TLS parameters
++smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
++smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
++smtpd_use_tls=yes
++smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
++smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
++
++# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
++# information on enabling SSL in the smtp client.
++
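Review bot: The new main.cf.tls turns on smtpd_use_tls=yes with the ssl-cert snakeoil certificate and key as the server credentials, and the only comment in the file is about the smtp client. Add a comment above smtpd_tls_cert_file and smtpd_tls_key_file saying these are placeholders to be replaced with the site's own certificate, and point to TLS_README for the server side as well.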
+diff -urNad postfix~/src/global/mail_params.h postfix/src/global/mail_params.h
+--- postfix~/src/global/mail_params.h	2006-12-06 13:16:28.000000000 -0700
++++ postfix/src/global/mail_params.h	2006-12-06 13:16:29.000000000 -0700
+@@ -591,7 +591,7 @@
+ extern int var_dup_filter_limit;
+ 
+ #define VAR_TLS_RAND_EXCH_NAME	"tls_random_exchange_name"
+-#define DEF_TLS_RAND_EXCH_NAME	"${config_directory}/prng_exch"
++#define DEF_TLS_RAND_EXCH_NAME	"${queue_directory}/prng_exch"
+ extern char *var_tls_rand_exch_name;
+ 
+ #define VAR_TLS_RAND_SOURCE	"tls_random_source"
+diff -urNad postfix~/src/xsasl/xsasl_cyrus_client.c postfix/src/xsasl/xsasl_cyrus_client.c
+--- postfix~/src/xsasl/xsasl_cyrus_client.c	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/xsasl/xsasl_cyrus_client.c	2006-12-06 13:25:12.000000000 -0700
+@@ -222,6 +222,10 @@
+      */
+     static sasl_callback_t callbacks[] = {
+ 	{SASL_CB_LOG, &xsasl_cyrus_log, 0},
++	{SASL_CB_GETPATH,&xsasl_getpath, 0},
++#ifdef SASL_CB_GETCONFPATH
++	{SASL_CB_GETCONFPATH,&xsasl_getconfpath, 0},
++#endif
+ 	{SASL_CB_LIST_END, 0, 0}
+     };
+ 
+diff -urNad postfix~/src/xsasl/xsasl_cyrus_common.h postfix/src/xsasl/xsasl_cyrus_common.h
+--- postfix~/src/xsasl/xsasl_cyrus_common.h	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/xsasl/xsasl_cyrus_common.h	2006-12-06 13:25:29.000000000 -0700
+@@ -16,12 +16,18 @@
+   */
+ #if defined(USE_SASL_AUTH) && defined(USE_CYRUS_SASL)
+ 
++#include <sasl.h>
++
+ #define NO_SASL_LANGLIST	((const char *) 0)
+ #define NO_SASL_OUTLANG		((const char **) 0)
+ #define xsasl_cyrus_strerror(status) \
+ 	sasl_errstring((status), NO_SASL_LANGLIST, NO_SASL_OUTLANG)
+ extern int xsasl_cyrus_log(void *, int, const char *);
+ extern int xsasl_cyrus_security_parse_opts(const char *);
++extern int xsasl_getpath(void * context, char ** path);
++#ifdef SASL_CB_GETCONFPATH
++extern int xsasl_getconfpath(void * context, char ** path);
++#endif
+ 
+ #endif
+ 
+diff -urNad postfix~/src/xsasl/xsasl_cyrus_log.c postfix/src/xsasl/xsasl_cyrus_log.c
+--- postfix~/src/xsasl/xsasl_cyrus_log.c	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/xsasl/xsasl_cyrus_log.c	2006-12-06 13:25:50.000000000 -0700
+@@ -28,6 +28,7 @@
+ /* System library. */
+ 
+ #include <sys_defs.h>
++#include <string.h>
+ 
+ /* Utility library. */
+ 
+@@ -101,4 +102,22 @@
+     return (SASL_OK);
+ }
+ 
++int xsasl_getpath(void * context, char ** path)
++{
++#if SASL_VERSION_MAJOR >= 2
++    *path = strdup("/etc/postfix/sasl:/usr/lib/sasl2");
++#else
++    *path = strdup("/etc/postfix/sasl:/usr/lib/sasl");
++#endif
++    return SASL_OK;
++}
++
++#ifdef SASL_CB_GETCONFPATH
++int xsasl_getconfpath(void * context, char ** path)
++{
++    *path = strdup("/etc/postfix/sasl:/usr/lib/sasl2");
++    return SASL_OK;
++}
++#endif
++
+ #endif
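Review bot: xsasl_getpath() and xsasl_getconfpath() return SASL_OK without checking the strdup() result, so an allocation failure hands the SASL library a NULL path together with a success code. Return SASL_NOMEM when strdup() fails. The search paths are also hard-coded, and xsasl_getconfpath() returns the same "/etc/postfix/sasl:/usr/lib/sasl2" string as the plugin path; a comment saying that this is intended would help.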
+diff -urNad postfix~/src/xsasl/xsasl_cyrus_server.c postfix/src/xsasl/xsasl_cyrus_server.c
+--- postfix~/src/xsasl/xsasl_cyrus_server.c	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/xsasl/xsasl_cyrus_server.c	2006-12-06 13:25:58.000000000 -0700
+@@ -174,6 +174,10 @@
+ 
+ static sasl_callback_t callbacks[] = {
+     {SASL_CB_LOG, &xsasl_cyrus_log, NO_CALLBACK_CONTEXT},
++    {SASL_CB_GETPATH,&xsasl_getpath, 0},
++#ifdef SASL_CB_GETCONFPATH
++    {SASL_CB_GETCONFPATH,&xsasl_getconfpath, 0},
++#endif
+     {SASL_CB_LIST_END, 0, 0}
+ };
+ 

Added: postfix/trunk/debian/patches/10tlsmgr.dpatch
===================================================================
--- postfix/trunk/debian/patches/10tlsmgr.dpatch	                        (rev 0)
+++ postfix/trunk/debian/patches/10tlsmgr.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -0,0 +1,18 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10tlsmgr.dpatch by "Pascal A. Dupuis" <Pascal.Dupuis at worldonline.be>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix FTBFS in tlsmgr
+
+ at DPATCH@
+diff -urNad postfix-2.3~/src/tlsmgr/tlsmgr.c postfix-2.3/src/tlsmgr/tlsmgr.c
+--- postfix-2.3~/src/tlsmgr/tlsmgr.c	2006-07-13 08:22:56.000000000 -0600
++++ postfix-2.3/src/tlsmgr/tlsmgr.c	2006-07-13 08:43:06.000000000 -0600
+@@ -213,6 +213,7 @@
+   * Tunables.
+   */
+ char   *var_tls_rand_source;
++int 	var_tls_daemon_rand_bytes;
+ int     var_tls_rand_bytes;
+ int     var_tls_reseed_period;
+ int     var_tls_prng_exch_period;
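Review bot: var_tls_daemon_rand_bytes is only defined here; this one-hunk patch adds no parameter-table entry or default for it, so as far as the patch shows it stays at zero. If the definition exists purely to satisfy the linker (the DP line says FTBFS), add a comment saying which object references it; if tlsmgr is meant to read a configured value, the table entry is missing. The declaration also uses a space followed by a tab after "int" where the neighbouring lines use spaces.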

Added: postfix/trunk/debian/patches/10warnings.dpatch
===================================================================
--- postfix/trunk/debian/patches/10warnings.dpatch	                        (rev 0)
+++ postfix/trunk/debian/patches/10warnings.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -0,0 +1,28 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10warnings.dpatch by  <lamont at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad --exclude=CVS --exclude=.svn ./src/global/dict_ldap.c /tmp/dpep-work.1J5k3l/postfix/src/global/dict_ldap.c
+--- ./src/global/dict_ldap.c	2005-04-14 10:14:18.000000000 -0600
++++ /tmp/dpep-work.1J5k3l/postfix/src/global/dict_ldap.c	2006-02-13 10:38:22.000000000 -0700
+@@ -273,7 +273,7 @@
+      * character requires quoting per the RFC.
+      */
+     while (*sub)
+-    	if ((len = strcspn(sub, " \t\"#+,;<>\\")) > 0) {
++    	if ((len = strcspn((char*)sub, " \t\"#+,;<>\\")) > 0) {
+ 	    vstring_strncat(result, sub, len);
+ 	    sub += len;
+ 	} else
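Review bot: the (char*) cast on sub in the strcspn() call discards any const qualifier and hides the type mismatch instead of fixing it. strcspn() takes const char *, so if a cast is needed at all it should be (const char *), and sub is still passed uncast to vstring_strncat() on the following line, so the warning source is only partly addressed. The same applies to the second hunk at line 295, and the "DP: No description." header should name the warning being silenced.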
+@@ -295,7 +295,7 @@
+      * parameter and then this more comprehensive mechanism.
+      */
+     while (*sub)
+-    	if ((len = strcspn(sub, "*()\\")) > 0) {
++    	if ((len = strcspn((char*)sub, "*()\\")) > 0) {
+ 	    vstring_strncat(result, sub, len);
+ 	    sub += len;
+ 	} else

Modified: postfix/trunk/debian/patches/20maps.dpatch
===================================================================
--- postfix/trunk/debian/patches/20maps.dpatch	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/patches/20maps.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -2,69 +2,49 @@
 ## 20maps.dpatch by LaMont Jones <lamont at debian.org>
 ##
 ## All lines beginning with `## DP:' are a description of the patch.
-## DP: No description.
+## DP: patches to build dynamic maps and shared libs
 
 @DPATCH@
-diff -urNad postfix-release/conf/postfix-files /tmp/dpep.TxugCA/postfix-release/conf/postfix-files
---- postfix-release/conf/postfix-files	2004-12-27 22:28:28.638273359 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/conf/postfix-files	2004-12-27 22:29:11.315099642 -0700
-@@ -62,6 +62,9 @@
- $queue_directory/saved:d:$mail_owner:-:700:ucr
+diff -urNad postfix~/conf/postfix-files postfix/conf/postfix-files
+--- postfix~/conf/postfix-files	2006-07-24 23:42:11.000000000 -0600
++++ postfix/conf/postfix-files	2006-10-15 20:55:26.000000000 -0600
+@@ -63,6 +63,12 @@
  $queue_directory/trace:d:$mail_owner:-:700:ucr
+ $daemon_directory/anvil:f:root:-:755
  $daemon_directory/bounce:f:root:-:755
++$daemon_directory/dict_cdb.so:f:root:-:755
 +$daemon_directory/dict_ldap.so:f:root:-:755
 +$daemon_directory/dict_pcre.so:f:root:-:755
 +$daemon_directory/dict_mysql.so:f:root:-:755
++$daemon_directory/dict_tcp.so:f:root:-:755
++$daemon_directory/dict_sdbm.so:f:root:-:755
  $daemon_directory/cleanup:f:root:-:755
+ $daemon_directory/discard:f:root:-:755
  $daemon_directory/error:f:root:-:755
- $daemon_directory/flush:f:root:-:755
-@@ -81,6 +84,10 @@
+@@ -85,6 +91,11 @@
  $daemon_directory/trivial-rewrite:f:root:-:755
  $daemon_directory/verify:f:root:-:755
  $daemon_directory/virtual:f:root:-:755
 +/usr/lib/libpostfix-dns.so.1:f:root:-:755
 +/usr/lib/libpostfix-global.so.1:f:root:-:755
++/usr/lib/libpostfix-tls.so.1:f:root:-:755
 +/usr/lib/libpostfix-master.so.1:f:root:-:755
 +/usr/lib/libpostfix-util.so.1:f:root:-:755
  $daemon_directory/nqmgr:h:$daemon_directory/qmgr
+ $daemon_directory/lmtp:h:$daemon_directory/smtp
  $command_directory/postalias:f:root:-:755
- $command_directory/postcat:f:root:-:755
-@@ -100,6 +107,7 @@
- $config_directory/access:f:root:-:644:p
+@@ -107,6 +118,7 @@
  $config_directory/aliases:f:root:-:644:p
+ $config_directory/bounce.cf.default:f:root:-:644
  $config_directory/canonical:f:root:-:644:p
 +$config_directory/dynamicmaps.cf:f:root:-:644:p
  $config_directory/cidr_table:f:root:-:644:o
- $config_directory/header_checks:f:root:-:644:p
- $config_directory/install.cf:f:root:-:644:o
-diff -urNad postfix-release/makedefs /tmp/dpep.TxugCA/postfix-release/makedefs
---- postfix-release/makedefs	2004-12-27 22:28:28.639273144 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/makedefs	2004-12-27 22:29:11.315099642 -0700
-@@ -208,6 +208,20 @@
- 		#     CCARGS="$CCARGS -DHAS_DBM -DPATH_NDBM_H='<gdbm/ndbm.h>'"
- 		#     GDBM_LIBS=gdbm
- 		# fi
-+
-+		# XXX: post-sarge
-+		# But, we'll keep shipping it (with error generation) until
-+		# sarge releases.
-+		if [ -f /usr/include/gdbm-ndbm.h ]
-+		then
-+		    CCARGS="$CCARGS -DHAS_DBM -DHAS_GDBM -DPATH_NDBM_H='<gdbm-ndbm.h>'"
-+		    GDBM_LIBS=gdbm_compat
-+		elif [ -f /usr/include/gdbm/ndbm.h ]
-+		then
-+		    CCARGS="$CCARGS -DHAS_DBM -DHAS_GDBM -DPATH_NDBM_H='<gdbm/ndbm.h>'"
-+		    GDBM_LIBS=gdbm
-+		fi
-+
- 		SYSLIBS="-ldb"
- 		for name in nsl resolv $GDBM_LIBS
- 		do
-diff -urNad postfix-release/src/dns/Makefile.in /tmp/dpep.TxugCA/postfix-release/src/dns/Makefile.in
---- postfix-release/src/dns/Makefile.in	2004-12-27 22:28:28.639273144 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/dns/Makefile.in	2004-12-27 22:29:11.315099642 -0700
-@@ -12,7 +12,7 @@
+ $config_directory/generic:f:root:-:644:p
+ $config_directory/generics:f:root:-:644:o
+diff -urNad postfix~/src/dns/Makefile.in postfix/src/dns/Makefile.in
+--- postfix~/src/dns/Makefile.in	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/dns/Makefile.in	2006-10-15 20:55:26.000000000 -0600
+@@ -14,7 +14,7 @@
  LIB_DIR	= ../../lib
  INC_DIR	= ../../include
  
@@ -73,8 +53,8 @@
  
  all: $(LIB)
  
-@@ -24,12 +24,10 @@
- tests:	test
+@@ -31,12 +31,10 @@
+ root_tests:
  
  $(LIB):	$(OBJS)
 -	$(AR) $(ARFL) $(LIB) $?
@@ -87,52 +67,45 @@
  
  update: $(LIB_DIR)/$(LIB) $(HDRS)
  	-for i in $(HDRS); \
-diff -urNad postfix-release/src/global/Makefile.in /tmp/dpep.TxugCA/postfix-release/src/global/Makefile.in
---- postfix-release/src/global/Makefile.in	2004-12-27 22:28:28.640272930 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/global/Makefile.in	2004-12-27 22:29:11.316099427 -0700
-@@ -3,6 +3,7 @@
- 	canon_addr.c cfg_parser.c cleanup_strerror.c cleanup_strflags.c \
- 	clnt_stream.c debug_peer.c debug_process.c defer.c \
- 	deliver_completed.c deliver_flock.c deliver_pass.c deliver_request.c \
-+	dict_sdbm.c sdbm.c \
- 	dict_ldap.c dict_mysql.c dict_pgsql.c dict_proxy.c domain_list.c \
- 	dot_lockfile.c dot_lockfile_as.c ext_prop.c file_id.c flush_clnt.c \
- 	header_opts.c header_token.c hold_message.c input_transp.c \
-@@ -27,7 +28,7 @@
+diff -urNad postfix~/src/global/Makefile.in postfix/src/global/Makefile.in
+--- postfix~/src/global/Makefile.in	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/global/Makefile.in	2006-10-15 20:55:26.000000000 -0600
+@@ -32,7 +32,7 @@
  	canon_addr.o cfg_parser.o cleanup_strerror.o cleanup_strflags.o \
- 	clnt_stream.o debug_peer.o debug_process.o defer.o \
- 	deliver_completed.o deliver_flock.o deliver_pass.o deliver_request.o \
--	dict_ldap.o dict_mysql.o dict_pgsql.o dict_proxy.o domain_list.o \
-+	dict_proxy.o domain_list.o \
- 	dot_lockfile.o dot_lockfile_as.o ext_prop.o file_id.o flush_clnt.o \
- 	header_opts.o header_token.o hold_message.o input_transp.o \
- 	is_header.o log_adhoc.o mail_addr.o mail_addr_crunch.o \
-@@ -51,6 +52,7 @@
- 	canon_addr.h cfg_parser.h cleanup_user.h clnt_stream.h config.h \
- 	debug_peer.h debug_process.h defer.h deliver_completed.h \
- 	deliver_flock.h deliver_pass.h deliver_request.h dict_ldap.h \
-+	dict_sdbm.h sdbm.h \
- 	dict_mysql.h dict_pgsql.h dict_proxy.h domain_list.h dot_lockfile.h \
- 	dot_lockfile_as.h ext_prop.h file_id.h flush_clnt.h header_opts.h \
- 	header_token.h hold_message.h input_transp.h is_header.h \
-@@ -84,10 +86,14 @@
+ 	clnt_stream.o conv_time.o db_common.o debug_peer.o debug_process.o \
+ 	defer.o deliver_completed.o deliver_flock.o deliver_pass.o \
+-	deliver_request.o dict_ldap.o dict_mysql.o dict_pgsql.o \
++	deliver_request.o \
+ 	dict_proxy.o domain_list.o dot_lockfile.o dot_lockfile_as.o \
+ 	dsb_scan.o dsn.o dsn_buf.o dsn_mask.o dsn_print.o dsn_util.o \
+ 	ehlo_mask.o ext_prop.o file_id.o flush_clnt.o header_opts.o \
+@@ -45,7 +45,7 @@
+ 	mail_params.o mail_pathname.o mail_queue.o mail_run.o \
+ 	mail_scan_dir.o mail_stream.o mail_task.o mail_trigger.o maps.o \
+ 	mark_corrupt.o match_parent_style.o mbox_conf.o mbox_open.o \
+-	mime_state.o mkmap_cdb.o mkmap_db.o mkmap_dbm.o mkmap_open.o \
++	mime_state.o mkmap_db.o mkmap_dbm.o mkmap_open.o \
+ 	mkmap_sdbm.o msg_stats_print.o msg_stats_scan.o mynetworks.o \
+ 	mypwd.o namadr_list.o off_cvt.o opened.o own_inet_addr.o \
+ 	pipe_command.o post_mail.o quote_821_local.o quote_822_local.o \
+@@ -97,10 +97,14 @@
  LIB_DIR	= ../../lib
  INC_DIR	= ../../include
  MAKES	=
-+SDBMSO  = dict_sdbm.so
 +LDAPSO  = dict_ldap.so
 +MYSQLSO = dict_mysql.so
 +PGSQLSO = dict_pgsql.so
++CDBSO   = dict_cdb.so
  
 -.c.o:;	$(CC) $(CFLAGS) -c $*.c
 +.c.o:;	$(CC) -fPIC $(CFLAGS) -c $*.c
  
 -all: $(LIB)
-+all: $(LIB) $(SDBMSO) $(LDAPSO) $(MYSQLSO) $(PGSQLSO) 
++all: $(LIB) $(CDBSO) $(LDAPSO) $(MYSQLSO) $(PGSQLSO) 
  
- Makefile: Makefile.in
- 	(set -e; echo "# DO NOT EDIT"; $(OPTS) $(SHELL) ../../makedefs && cat $?) >$@
-@@ -95,14 +101,36 @@
+ $(OBJS): ../../conf/makedefs.out
+ 
+@@ -110,14 +114,39 @@
  test:	$(TESTPROG)
  
  $(LIB):	$(OBJS)
@@ -140,9 +113,12 @@
 -	$(RANLIB) $(LIB)
 +	gcc -shared -Wl,-soname,libpostfix-global.so.1 -o $(LIB) $(OBJS) $(LIBS) $(SYSLIBS)
 +
-+$(SDBMSO): dict_sdbm.o sdbm.o
-+	gcc -shared -Wl,-soname,dict_sdbm.so -o $@ dict_sdbm.o sdbm.o -L. -lutil -lglobal
++$(CDBSO): dict_cdb.o mkmap_cdb.o
++	gcc -shared -Wl,-soname,dict_cdb.so -o $@ $? -lcdb -L. -lutil
 +
++dict_cdb.o: ../util/dict_cdb.c
++	$(CC) -fPIC $(CFLAGS) -c $?
++
 +$(LDAPSO): dict_ldap.o
 +	gcc -shared -Wl,-soname,dict_ldap.so -o $@ $? -lldap -llber -L../../lib -lutil -L. -lglobal
 +
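Review bot: the $(CDBSO) rule links with $? although it has two prerequisites (dict_cdb.o and mkmap_cdb.o). $? expands only to the prerequisites newer than the target, so an incremental rebuild after touching one source links dict_cdb.so from a single object. List the objects explicitly or use the full prerequisite list. The link commands in this hunk also hard-code gcc rather than $(CC), which the compile rules use.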
@@ -157,8 +133,8 @@
 -	$(RANLIB) $(LIB_DIR)/$(LIB)
  
 -update: $(LIB_DIR)/$(LIB) $(HDRS)
-+$(LIB_DIR)/$(SDBMSO): $(SDBMSO)
-+	cp $(SDBMSO) $(LIB_DIR)
++$(LIB_DIR)/$(CDBSO): $(CDBSO)
++	cp $(CDBSO) $(LIB_DIR)
 +
 +$(LIB_DIR)/$(LDAPSO): $(LDAPSO)
 +	cp $(LDAPSO) $(LIB_DIR)
@@ -169,564 +145,923 @@
 +$(LIB_DIR)/$(PGSQLSO): $(PGSQLSO)
 +	cp $(PGSQLSO) $(LIB_DIR)
 +
-+update: $(LIB_DIR)/$(LIB) $(LIB_DIR)/${LDAPSO} $(LIB_DIR)/${MYSQLSO} $(LIB_DIR)/${PGSQLSO} $(LIB_DIR)/$(SDBMSO) $(HDRS)
++update: $(LIB_DIR)/$(LIB) $(LIB_DIR)/${CDBSO} $(LIB_DIR)/${LDAPSO} $(LIB_DIR)/${MYSQLSO} $(LIB_DIR)/${PGSQLSO} $(HDRS)
  	-for i in $(HDRS); \
  	do \
  	  cmp -s $$i $(INC_DIR)/$$i 2>/dev/null || cp $$i $(INC_DIR); \
-@@ -354,7 +382,7 @@
+@@ -403,7 +432,7 @@
  	lint $(DEFS) $(SRCS) $(LINTFIX)
  
  clean:
 -	rm -f *.o $(LIB) *core $(TESTPROG) junk
-+	rm -f *.o $(LIB) $(SDBMSO) $(LDAPSO) $(MYSQLSO) $(PGSQLSO) *core $(TESTPROG) junk
++	rm -f *.o $(LIB) $(CDBSO) $(LDAPSO) $(MYSQLSO) $(PGSQLSO) *core $(TESTPROG) junk
  	rm -rf printfck
  
  tidy:	clean
-@@ -569,6 +597,10 @@
- dict_proxy.o: mail_params.h
- dict_proxy.o: clnt_stream.h
- dict_proxy.o: dict_proxy.h
-+dict_sdbm.o: ../../include/sys_defs.h
-+dict_sdbm.o: sdbm.h
-+dict_sdbm.o: dict_sdbm.c
-+dict_sdbm.o: dict_sdbm.h
- domain_list.o: domain_list.c
- domain_list.o: ../../include/sys_defs.h
- domain_list.o: ../../include/match_list.h
-@@ -643,6 +675,10 @@
- hold_message.o: ../../include/vstream.h
- hold_message.o: mail_params.h
- hold_message.o: hold_message.h
-+inet_interfaces_to_af.o: inet_interfaces_to_af.c
-+inet_interfaces_to_af.o: ../../include/sys_defs.h
-+inet_interfaces_to_af.o: mail_params.h
-+inet_interfaces_to_af.o: inet_interfaces_to_af.h
- input_transp.o: input_transp.c
- input_transp.o: ../../include/sys_defs.h
- input_transp.o: ../../include/name_mask.h
-@@ -1088,6 +1124,7 @@
- own_inet_addr.o: ../../include/vbuf.h
- own_inet_addr.o: mail_params.h
- own_inet_addr.o: own_inet_addr.h
-+own_inet_addr.o: inet_interfaces_to_af.h
- pipe_command.o: pipe_command.c
- pipe_command.o: ../../include/sys_defs.h
- pipe_command.o: ../../include/msg.h
-@@ -1220,6 +1257,8 @@
- rewrite_clnt.o: mail_params.h
- rewrite_clnt.o: clnt_stream.h
- rewrite_clnt.o: rewrite_clnt.h
-+sdbm.o: sdbm.c
-+sdbm.o: sdbm.h
- sent.o: sent.c
- sent.o: ../../include/sys_defs.h
- sent.o: ../../include/msg.h
-diff -urNad postfix-release/src/global/dict_sdbm.c /tmp/dpep.TxugCA/postfix-release/src/global/dict_sdbm.c
---- postfix-release/src/global/dict_sdbm.c	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/global/dict_sdbm.c	2004-12-27 22:29:11.317099212 -0700
-@@ -0,0 +1,469 @@
-+/*++
-+/* NAME
-+/*	dict_sdbm 3
-+/* SUMMARY
-+/*	dictionary manager interface to SDBM files
-+/* SYNOPSIS
-+/*	#include <dict_sdbm.h>
-+/*
-+/*	DICT	*dict_sdbm_open(path, open_flags, dict_flags)
-+/*	const char *name;
-+/*	const char *path;
-+/*	int	open_flags;
-+/*	int	dict_flags;
-+/* DESCRIPTION
-+/*	dict_sdbm_open() opens the named SDBM database and makes it available
-+/*	via the generic interface described in dict_open(3).
-+/* DIAGNOSTICS
-+/*	Fatal errors: cannot open file, file write error, out of memory.
-+/* SEE ALSO
-+/*	dict(3) generic dictionary manager
-+/*	sdbm(3) data base subroutines
-+/* LICENSE
-+/* .ad
-+/* .fi
-+/*	The Secure Mailer license must be distributed with this software.
-+/* AUTHOR(S)
-+/*	Wietse Venema
-+/*	IBM T.J. Watson Research
-+/*	P.O. Box 704
-+/*	Yorktown Heights, NY 10598, USA
-+/*--*/
+diff -urNad postfix~/src/global/mail_conf.c postfix/src/global/mail_conf.c
+--- postfix~/src/global/mail_conf.c	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/global/mail_conf.c	2006-10-15 20:55:26.000000000 -0600
+@@ -175,6 +175,13 @@
+     path = concatenate(var_config_dir, "/", "main.cf", (char *) 0);
+     dict_load_file(CONFIG_DICT, path);
+     myfree(path);
 +
-+#include "sys_defs.h"
++#ifndef NO_DYNAMIC_MAPS
++    path = concatenate(var_config_dir, "/", "dynamicmaps.cf", (char *) 0);
++    dict_open_dlinfo(path);
++    myfree(path);
++#endif
 +
-+/* System library. */
+ }
+ 
+ /* mail_conf_eval - expand macros in string */
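Review bot: dynamicmaps.cf is now read right after main.cf in every program that loads the configuration, and per the DLINFO struct added to dict_open.c each entry names a shared object and the entry points to call in it, which makes this file as sensitive as main.cf. Nothing in this hunk says what happens when the file is missing or unreadable, and no ownership or permission expectation is documented beyond the 644 root entry in postfix-files. Add a comment stating the required ownership and that dict_open_dlinfo() must fail closed on a bad file.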
+diff -urNad postfix~/src/global/mail_dict.c postfix/src/global/mail_dict.c
+--- postfix~/src/global/mail_dict.c	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/global/mail_dict.c	2006-10-15 20:55:26.000000000 -0600
+@@ -45,6 +45,7 @@
+ 
+ static DICT_OPEN_INFO dict_open_info[] = {
+     DICT_TYPE_PROXY, dict_proxy_open,
++#ifndef MAX_DYNAMIC_MAPS
+ #ifdef HAS_LDAP
+     DICT_TYPE_LDAP, dict_ldap_open,
+ #endif
+@@ -54,6 +55,7 @@
+ #ifdef HAS_PGSQL
+     DICT_TYPE_PGSQL, dict_pgsql_open,
+ #endif
++#endif /* MAX_DYNAMIC_MAPS */
+     0,
+ };
+ 
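Review bot: this guard tests MAX_DYNAMIC_MAPS, while the loader code added in mail_conf.c, postconf.c and dict.h is guarded by NO_DYNAMIC_MAPS, and the patch documents neither macro. Describe what each one means and which combinations are supported: a build with both defined would compile out the LDAP and PostgreSQL entries shown here with no loader to replace them.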
+diff -urNad postfix~/src/global/mail_params.c postfix/src/global/mail_params.c
+--- postfix~/src/global/mail_params.c	2006-10-15 20:55:25.000000000 -0600
++++ postfix/src/global/mail_params.c	2006-10-15 20:55:26.000000000 -0600
+@@ -77,6 +77,7 @@
+ /*	char	*var_export_environ;
+ /*	char	*var_debug_peer_list;
+ /*	int	var_debug_peer_level;
++/*	int	var_command_maxtime;
+ /*	int	var_in_flow_delay;
+ /*	int	var_fault_inj_code;
+ /*	char   *var_bounce_service;
+@@ -249,6 +250,7 @@
+ char   *var_export_environ;
+ char   *var_debug_peer_list;
+ int     var_debug_peer_level;
++int	var_command_maxtime;
+ int     var_fault_inj_code;
+ char   *var_bounce_service;
+ char   *var_cleanup_service;
+@@ -260,6 +262,7 @@
+ char   *var_error_service;
+ char   *var_flush_service;
+ char   *var_verify_service;
++char   *var_scache_service;
+ char   *var_trace_service;
+ int     var_db_create_buf;
+ int     var_db_read_buf;
+diff -urNad postfix~/src/global/mkmap_open.c postfix/src/global/mkmap_open.c
+--- postfix~/src/global/mkmap_open.c	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/global/mkmap_open.c	2006-10-15 20:57:13.000000000 -0600
+@@ -78,14 +78,16 @@
+   * types that exist as files. Network-based maps are not of interest.
+   */
+ typedef struct {
+-    char   *type;
++    const char   *type;
+     MKMAP  *(*before_open) (const char *);
+ } MKMAP_OPEN_INFO;
+ 
+ MKMAP_OPEN_INFO mkmap_types[] = {
++#ifndef MAX_DYNAMIC_MAPS
+ #ifdef HAS_CDB
+     DICT_TYPE_CDB, mkmap_cdb_open,
+ #endif
++#endif
+ #ifdef HAS_SDBM
+     DICT_TYPE_SDBM, mkmap_sdbm_open,
+ #endif
+@@ -152,7 +154,16 @@
+      */
+     for (mp = mkmap_types; /* void */ ; mp++) {
+ 	if (mp->type == 0)
++#ifndef NO_DYNAMIC_MAPS
++	{
++	    static MKMAP_OPEN_INFO oi;
++	    oi.before_open=(MKMAP*(*)(const char*))dict_mkmap_func(type);
++	    oi.type=type;
++	    mp=&oi;
++	}
++#else
+ 	    msg_fatal("unsupported map type: %s", type);
++#endif
+ 	if (strcmp(type, mp->type) == 0)
+ 	    break;
+     }
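Review bot: in the mp->type == 0 branch the return value of dict_mkmap_func(type) is stored in oi.before_open without a null check, and because oi.type is set to type the strcmp() below always matches, so the loop exits with whatever pointer came back. Unless dict_mkmap_func() itself calls msg_fatal() for an unknown type, the "unsupported map type" diagnostic is lost in dynamic builds and a null before_open is left for the caller. Check the result here and keep the msg_fatal() for the null case. The function-local static oi also makes this routine non-reentrant, which deserves a comment.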
+diff -urNad postfix~/src/master/Makefile.in postfix/src/master/Makefile.in
+--- postfix~/src/master/Makefile.in	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/master/Makefile.in	2006-10-15 20:55:26.000000000 -0600
+@@ -20,7 +20,7 @@
+ INC_DIR	= ../../include
+ BIN_DIR	= ../../libexec
+ 
+-.c.o:;	$(CC) $(CFLAGS) -c $*.c
++.c.o:;	$(CC) `for i in $(LIB_OBJ); do [ $$i = $@ ] && echo -fPIC; done` $(CFLAGS) -c $*.c
+ 
+ all:	$(PROG) $(LIB)
+ 
+@@ -39,12 +39,10 @@
+ root_tests:
+ 
+ $(LIB):	$(LIB_OBJ)
+-	$(AR) $(ARFL) $(LIB) $?
+-	$(RANLIB) $(LIB)
++	gcc -shared -Wl,-soname,libpostfix-master.so.1 -o $(LIB) $(LIB_OBJ) $(LIBS) $(SYSLIBS)
+ 
+ $(LIB_DIR)/$(LIB): $(LIB)
+ 	cp $(LIB) $(LIB_DIR)/$(LIB)
+-	$(RANLIB) $(LIB_DIR)/$(LIB)
+ 
+ $(BIN_DIR)/$(PROG): $(PROG)
+ 	 cp $(PROG) $(BIN_DIR)
+diff -urNad postfix~/src/postconf/postconf.c postfix/src/postconf/postconf.c
+--- postfix~/src/postconf/postconf.c	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/postconf/postconf.c	2006-10-15 20:55:26.000000000 -0600
+@@ -898,6 +898,16 @@
+ {
+     ARGV   *maps_argv;
+     int     i;
++#ifndef NO_DYNAMIC_MAPS
++    char   *path;
++    char   *config_dir;
 +
-+#include <sys/stat.h>
-+#include <string.h>
-+#include <unistd.h>
++    var_config_dir = mystrdup((config_dir = safe_getenv(CONF_ENV_PATH)) != 0 ?
++			      config_dir : DEF_CONFIG_DIR);	/* XXX */
++    path = concatenate(var_config_dir, "/", "dynamicmaps.cf", (char *) 0);
++    dict_open_dlinfo(path);
++    myfree(path);
++#endif
+ 
+     maps_argv = dict_mapnames();
+     for (i = 0; i < maps_argv->argc; i++)
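Review bot: this block takes the configuration directory from CONF_ENV_PATH (falling back to DEF_CONFIG_DIR) and passes that directory's dynamicmaps.cf to dict_open_dlinfo(), duplicating the mail_conf.c logic under an /* XXX */ marker. Since the file decides which shared objects get loaded, route this through the common configuration-loading code so the directory receives the same validation as main.cf's location. As written, var_config_dir is also overwritten with a fresh mystrdup() copy without regard to any earlier value.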
+diff -urNad postfix~/src/postmap/postmap.c postfix/src/postmap/postmap.c
+--- postfix~/src/postmap/postmap.c	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/postmap/postmap.c	2006-10-15 20:55:26.000000000 -0600
+@@ -5,7 +5,7 @@
+ /*	Postfix lookup table management
+ /* SYNOPSIS
+ /* .fi
+-/*	\fBpostmap\fR [\fB-Nfinoprsvw\fR] [\fB-c \fIconfig_dir\fR]
++/*	\fBpostmap\fR [\fB-Nfinoprsuvw\fR] [\fB-c \fIconfig_dir\fR]
+ /*	[\fB-d \fIkey\fR] [\fB-q \fIkey\fR]
+ /*		[\fIfile_type\fR:]\fIfile_name\fR ...
+ /* DESCRIPTION
+@@ -109,6 +109,8 @@
+ /*	as the original input order.
+ /*	This feature is available in Postfix version 2.2 and later,
+ /*	and is not available for all database types.
++/* .IP \fB-u\fR
++/*	Upgrade the database to the current version.
+ /* .IP \fB-v\fR
+ /*	Enable verbose logging for debugging purposes. Multiple \fB-v\fR
+ /*	options make the software increasingly verbose.
+@@ -531,6 +533,18 @@
+     dict_close(dict);
+ }
+ 
++/* postmap_upgrade - upgrade a map */
 +
-+/* Utility library. */
-+
-+#include "msg.h"
-+#include "mymalloc.h"
-+#include "htable.h"
-+#include "iostuff.h"
-+#include "vstring.h"
-+#include "myflock.h"
-+#include "stringops.h"
-+#include "dict.h"
-+#include "dict_sdbm.h"
-+#include "sdbm.h"
-+
-+/* Application-specific. */
-+
-+typedef struct {
-+    DICT    dict;			/* generic members */
-+    SDBM   *dbm;			/* open database */
-+    char   *path;			/* pathname */
-+} DICT_SDBM;
-+
-+/* dict_sdbm_lookup - find database entry */
-+
-+static const char *dict_sdbm_lookup(DICT *dict, const char *name)
++static int postmap_upgrade(const char *map_type, const char *map_name)
 +{
-+    DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
-+    datum   dbm_key;
-+    datum   dbm_value;
-+    static VSTRING *buf;
-+    const char *result = 0;
++    DICT   *dict;
 +
-+    dict_errno = 0;
++    dict = dict_open3(map_type, map_name, O_RDWR,
++			DICT_FLAG_LOCK|DICT_FLAG_UPGRADE);
++    dict_close(dict);
++    return (dict != 0);
++}
 +
-+    /*
-+     * Acquire an exclusive lock.
-+     */
-+    if ((dict->flags & DICT_FLAG_LOCK)
-+	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_SHARED) < 0)
-+	msg_fatal("%s: lock dictionary: %m", dict_sdbm->path);
-+
-+    /*
-+     * See if this DBM file was written with one null byte appended to key
-+     * and value.
-+     */
-+    if (dict->flags & DICT_FLAG_TRY1NULL) {
-+	dbm_key.dptr = (void *) name;
-+	dbm_key.dsize = strlen(name) + 1;
-+	dbm_value = sdbm_fetch(dict_sdbm->dbm, dbm_key);
-+	if (dbm_value.dptr != 0) {
-+	    dict->flags &= ~DICT_FLAG_TRY0NULL;
-+	    result = dbm_value.dptr;
+ /* usage - explain */
+ 
+ static NORETURN usage(char *myname)
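Review bot: postmap_upgrade() calls dict_close(dict) before testing dict, so the "return (dict != 0)" check arrives too late to protect the close and reports on a pointer that has already been released. Test the pointer first and close only when it is non-null, or drop the test and return a constant if dict_open3() cannot return null.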
+@@ -549,6 +563,7 @@
+     int     postmap_flags = POSTMAP_FLAG_AS_OWNER | POSTMAP_FLAG_SAVE_PERM;
+     int     open_flags = O_RDWR | O_CREAT | O_TRUNC;
+     int     dict_flags = DICT_FLAG_DUP_WARN | DICT_FLAG_FOLD_FIX;
++    int     upgrade = 0;
+     char   *query = 0;
+     char   *delkey = 0;
+     int     sequence = 0;
+@@ -588,7 +603,7 @@
+     /*
+      * Parse JCL.
+      */
+-    while ((ch = GETOPT(argc, argv, "Nc:d:finopq:rsvw")) > 0) {
++    while ((ch = GETOPT(argc, argv, "Nc:d:finopq:rsuvw")) > 0) {
+ 	switch (ch) {
+ 	default:
+ 	    usage(argv[0]);
+@@ -602,8 +617,8 @@
+ 		msg_fatal("out of memory");
+ 	    break;
+ 	case 'd':
+-	    if (sequence || query || delkey)
+-		msg_fatal("specify only one of -s -q or -d");
++	    if (sequence || query || delkey || upgrade)
++		msg_fatal("specify only one of -s -q -u or -d");
+ 	    delkey = optarg;
+ 	    break;
+ 	case 'f':
+@@ -623,8 +638,8 @@
+ 	    postmap_flags &= ~POSTMAP_FLAG_SAVE_PERM;
+ 	    break;
+ 	case 'q':
+-	    if (sequence || query || delkey)
+-		msg_fatal("specify only one of -s -q or -d");
++	    if (sequence || query || delkey || upgrade)
++		msg_fatal("specify only one of -s -q -u or -d");
+ 	    query = optarg;
+ 	    break;
+ 	case 'r':
+@@ -632,10 +647,15 @@
+ 	    dict_flags |= DICT_FLAG_DUP_REPLACE;
+ 	    break;
+ 	case 's':
+-	    if (query || delkey)
+-		msg_fatal("specify only one of -s or -q or -d");
++	    if (query || delkey || upgrade)
++		msg_fatal("specify only one of -s or -q -u or -d");
+ 	    sequence = 1;
+ 	    break;
++	case 'u':
++	    if (sequence || query || delkey || upgrade)
++		msg_fatal("specify only one of -s -q -u or -d");
++	    upgrade=1;
++	    break;
+ 	case 'v':
+ 	    msg_verbose++;
+ 	    break;
+@@ -701,6 +721,21 @@
+ 	    exit(0);
+ 	}
+ 	exit(1);
++    } else if (upgrade) {			/* Upgrade the map(s) */
++	int success = 1;
++	if (optind + 1 > argc)
++	    usage(argv[0]);
++	while (optind < argc) {
++	    if ((path_name = split_at(argv[optind], ':')) != 0) {
++		success &= postmap_upgrade(argv[optind], path_name);
++	    } else {
++		success &= postmap_upgrade(var_db_type, path_name);
++	    }
++	    if (!success)
++		exit(1);
++	    optind++;
 +	}
-+    }
++	exit(0);
+     } else {					/* create/update map(s) */
+ 	if (optind + 1 > argc)
+ 	    usage(argv[0]);
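Review bot: in the else branch of the upgrade loop path_name is null, because split_at() found no ':' in the argument, yet it is passed as the map name in postmap_upgrade(var_db_type, path_name). Pass argv[optind] there. The "success &=" accumulation is also redundant given the exit(1) immediately after each call.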
+diff -urNad postfix~/src/tls/Makefile.in postfix/src/tls/Makefile.in
+--- postfix~/src/tls/Makefile.in	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/tls/Makefile.in	2006-10-15 20:55:26.000000000 -0600
+@@ -22,7 +22,7 @@
+ INC_DIR	= ../../include
+ MAKES	=
+ 
+-.c.o:;	$(CC) $(CFLAGS) -c $*.c
++.c.o:;	$(CC) -fPIC $(CFLAGS) -c $*.c
+ 
+ all: $(LIB)
+ 
+@@ -38,12 +38,10 @@
+ root_tests:
+ 
+ $(LIB):	$(OBJS)
+-	$(AR) $(ARFL) $(LIB) $?
+-	$(RANLIB) $(LIB)
++	gcc -shared -Wl,-soname,libpostfix-tls.so.1 -o $(LIB) $(OBJS) $(LIBS) $(SYSLIBS)
+ 
+ $(LIB_DIR)/$(LIB): $(LIB)
+ 	cp $(LIB) $(LIB_DIR)
+-	$(RANLIB) $(LIB_DIR)/$(LIB)
+ 
+ update: $(LIB_DIR)/$(LIB) $(HDRS)
+ 	-for i in $(HDRS); \
+diff -urNad postfix~/src/util/Makefile.in postfix/src/util/Makefile.in
+--- postfix~/src/util/Makefile.in	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/util/Makefile.in	2006-10-15 20:55:26.000000000 -0600
+@@ -1,4 +1,4 @@
+-SHELL	= /bin/sh
++cdb	= /bin/sh
+ SRCS	= alldig.c allprint.c argv.c argv_split.c attr_clnt.c attr_print0.c \
+ 	attr_print64.c attr_print_plain.c attr_scan0.c attr_scan64.c \
+ 	attr_scan_plain.c auto_clnt.c base64_code.c basename.c binhash.c \
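Review bot: the first line of this hunk replaces "SHELL = /bin/sh" with "cdb = /bin/sh", which looks like a stray search-and-replace. It removes the SHELL definition from this Makefile and introduces a cdb variable that nothing visible in the patch uses. Restore the original line.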
+@@ -30,21 +30,21 @@
+ 	username.c valid_hostname.c vbuf.c vbuf_print.c vstream.c \
+ 	vstream_popen.c vstring.c vstring_vstream.c watchdog.c writable.c \
+ 	write_buf.c write_wait.c sane_basename.c format_tv.c allspace.c \
+-	allascii.c load_file.c
++	allascii.c load_file.c load_lib.c sdbm.c
+ OBJS	= alldig.o allprint.o argv.o argv_split.o attr_clnt.o attr_print0.o \
+ 	attr_print64.o attr_print_plain.o attr_scan0.o attr_scan64.o \
+ 	attr_scan_plain.o auto_clnt.o base64_code.o basename.o binhash.o \
+ 	chroot_uid.o cidr_match.o clean_env.o close_on_exec.o concatenate.o \
+-	ctable.o dict.o dict_alloc.o dict_cdb.o dict_cidr.o dict_db.o \
++	ctable.o dict.o dict_alloc.o dict_cidr.o dict_db.o \
+ 	dict_dbm.o dict_debug.o dict_env.o dict_ht.o dict_ni.o dict_nis.o \
+-	dict_nisplus.o dict_open.o dict_pcre.o dict_regexp.o dict_sdbm.o \
+-	dict_static.o dict_tcp.o dict_unix.o dir_forest.o doze.o dummy_read.o \
++	dict_nisplus.o dict_open.o dict_regexp.o dict_sdbm.o \
++	dict_static.o dict_unix.o dir_forest.o doze.o dummy_read.o \
+ 	dummy_write.o duplex_pipe.o environ.o events.o exec_command.o \
+ 	fifo_listen.o fifo_trigger.o file_limit.o find_inet.o fsspace.o \
+ 	fullname.o get_domainname.o get_hostname.o hex_code.o hex_quote.o \
+ 	host_port.o htable.o inet_addr_host.o inet_addr_list.o \
+ 	inet_addr_local.o inet_connect.o inet_listen.o inet_proto.o \
+-	inet_trigger.o line_wrap.o lowercase.o lstat_as.o mac_expand.o \
++	inet_trigger.o line_wrap.o lowercase.o lstat_as.o mac_expand.o load_lib.o sdbm.o \
+ 	mac_parse.o make_dirs.o mask_addr.o match_list.o match_ops.o msg.o \
+ 	msg_output.o msg_syslog.o msg_vstream.o mvect.o myaddrinfo.o myflock.o \
+ 	mymalloc.o myrand.o mystrtok.o name_code.o name_mask.o netstring.o \
+@@ -76,7 +76,7 @@
+ 	msg_output.h msg_syslog.h msg_vstream.h mvect.h myaddrinfo.h myflock.h \
+ 	mymalloc.h myrand.h name_code.h name_mask.h netstring.h nvtable.h \
+ 	open_as.h open_lock.h percentm.h posix_signals.h readlline.h ring.h \
+-	safe.h safe_open.h sane_accept.h sane_connect.h sane_fsops.h \
++	safe.h safe_open.h sane_accept.h sane_connect.h sane_fsops.h sdbm.h load_lib.h \
+ 	sane_socketpair.h sane_time.h scan_dir.h set_eugid.h set_ugid.h \
+ 	sigdelay.h sock_addr.h spawn_command.h split_at.h stat_as.h \
+ 	stringops.h sys_defs.h timed_connect.h timed_wait.h trigger.h \
+@@ -88,6 +88,8 @@
+ CFLAGS	= $(DEBUG) $(OPT) $(DEFS)
+ FILES	= Makefile $(SRCS) $(HDRS)
+ INCL	=
++PCRESO  = dict_pcre.so
++TCPSO   = dict_tcp.so
+ LIB	= libutil.a
+ TESTPROG= dict_open dup2_pass_on_exec events exec_command fifo_open \
+ 	fifo_rdonly_bug fifo_rdwr_bug fifo_trigger fsspace fullname \
+@@ -102,10 +104,11 @@
+ 
+ LIB_DIR	= ../../lib
+ INC_DIR	= ../../include
++LIBS    = $(LIB_DIR)/$(LIB) $(LIB_DIR)/$(PCRESO) $(LIB_DIR)/$(TCPSO)
+ 
+-.c.o:;	$(CC) $(CFLAGS) -c $*.c
++.c.o:;	$(CC) -fPIC $(CFLAGS) -c $*.c
+ 
+-all: $(LIB)
++all: $(LIB) $(PCRESO) $(TCPSO)
+ 
+ $(OBJS): ../../conf/makedefs.out
+ 
+@@ -114,15 +117,25 @@
+ 
+ test:	$(TESTPROG)
+ 
++$(PCRESO): dict_pcre.o
++	gcc -shared -Wl,-soname,dict_pcre.so -o $@ $? -lpcre -L. -lutil
 +
-+    /*
-+     * See if this DBM file was written with no null byte appended to key and
-+     * value.
-+     */
-+    if (result == 0 && (dict->flags & DICT_FLAG_TRY0NULL)) {
-+	dbm_key.dptr = (void *) name;
-+	dbm_key.dsize = strlen(name);
-+	dbm_value = sdbm_fetch(dict_sdbm->dbm, dbm_key);
-+	if (dbm_value.dptr != 0) {
-+	    if (buf == 0)
-+		buf = vstring_alloc(10);
-+	    vstring_strncpy(buf, dbm_value.dptr, dbm_value.dsize);
-+	    dict->flags &= ~DICT_FLAG_TRY1NULL;
-+	    result = vstring_str(buf);
-+	}
-+    }
++$(TCPSO): dict_tcp.o
++	gcc -shared -Wl,-soname,dict_tcp.so -o $@ $? -L. -lutil
 +
-+    /*
-+     * Release the exclusive lock.
-+     */
-+    if ((dict->flags & DICT_FLAG_LOCK)
-+	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
-+	msg_fatal("%s: unlock dictionary: %m", dict_sdbm->path);
+ $(LIB):	$(OBJS)
+-	$(AR) $(ARFL) $(LIB) $?
+-	$(RANLIB) $(LIB)
++	gcc -shared -Wl,-soname,libpostfix-util.so.1 -o $(LIB) $(OBJS) -ldl $(SYSLIBS)
+ 
+ $(LIB_DIR)/$(LIB): $(LIB)
+ 	cp $(LIB) $(LIB_DIR)
+-	$(RANLIB) $(LIB_DIR)/$(LIB)
+ 
+-update: $(LIB_DIR)/$(LIB) $(HDRS)
++$(LIB_DIR)/$(PCRESO): $(PCRESO)
++	cp $(PCRESO) $(LIB_DIR)
 +
-+    return (result);
-+}
++$(LIB_DIR)/$(TCPSO): $(TCPSO)
++	cp $(TCPSO) $(LIB_DIR)
 +
-+/* dict_sdbm_update - add or update database entry */
++update: $(LIBS) $(HDRS)
+ 	-for i in $(HDRS); \
+ 	do \
+ 	  cmp -s $$i $(INC_DIR)/$$i 2>/dev/null || cp $$i $(INC_DIR); \
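Review bot: LIB is still libutil.a (context line in the previous hunk), but the $(LIB) rule now writes a shared object with soname libpostfix-util.so.1 into that file, while postfix-files installs /usr/lib/libpostfix-util.so.1 and the PCRE and TCP rules link with -L. -lutil. The file name, the soname and the installed name disagree within the patch; rename LIB here or add a comment pointing to where the rename and symlink are done. As in src/global, the link commands hard-code gcc instead of $(CC).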
+@@ -144,7 +157,8 @@
+ 	lint $(SRCS)
+ 
+ clean:
+-	rm -f *.o $(LIB) *core $(TESTPROG) junk $(MAKES) *.tmp
++	rm -f *.o $(LIB) $(PCRESO) $(TCPSO) *core $(TESTPROG) \
++		junk $(MAKES) *.tmp
+ 	rm -rf printfck
+ 
+ tidy:	clean
+diff -urNad postfix~/src/util/dict.h postfix/src/util/dict.h
+--- postfix~/src/util/dict.h	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/util/dict.h	2006-10-15 20:55:26.000000000 -0600
+@@ -65,6 +65,7 @@
+ #define DICT_FLAG_NO_UNAUTH	(1<<13)	/* disallow unauthenticated data */
+ #define DICT_FLAG_FOLD_FIX	(1<<14)	/* case-fold key with fixed-case map */
+ #define DICT_FLAG_FOLD_MUL	(1<<15)	/* case-fold key with multi-case map */
++#define DICT_FLAG_UPGRADE	(1<<30) /* Upgrade the db */
+ #define DICT_FLAG_FOLD_ANY	(DICT_FLAG_FOLD_FIX | DICT_FLAG_FOLD_MUL)
+ 
+  /* IMPORTANT: Update the dict_mask[] table when the above changes */
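Review bot: DICT_FLAG_UPGRADE is added at bit 30, but the comment directly below it says the dict_mask[] table must be updated whenever these flags change, and no visible hunk touches that table. Add the dict_mask[] entry, and state in the flag's comment why bit 30 was chosen instead of continuing after bit 15.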
+@@ -109,6 +110,11 @@
+ extern DICT *dict_open(const char *, int, int);
+ extern DICT *dict_open3(const char *, const char *, int, int);
+ extern void dict_open_register(const char *, DICT *(*) (const char *, int, int));
++#ifndef NO_DYNAMIC_MAPS
++extern void dict_open_dlinfo(const char *path);
++typedef void* (*dict_mkmap_func_t)(const char *);
++dict_mkmap_func_t dict_mkmap_func(const char *dict_type);
++#endif
+ 
+ #define dict_get(dp, key)	(dp)->lookup((dp), (key))
+ #define dict_put(dp, key, val)	(dp)->update((dp), (key), (val))
+diff -urNad postfix~/src/util/dict_db.c postfix/src/util/dict_db.c
+--- postfix~/src/util/dict_db.c	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/util/dict_db.c	2006-10-15 20:55:26.000000000 -0600
+@@ -658,6 +658,12 @@
+ 	msg_fatal("set DB cache size %d: %m", dict_db_cache_size);
+     if (type == DB_HASH && db->set_h_nelem(db, DICT_DB_NELM) != 0)
+ 	msg_fatal("set DB hash element count %d: %m", DICT_DB_NELM);
++    if (dict_flags & DICT_FLAG_UPGRADE) {
++	if (msg_verbose)
++	    msg_info("upgrading database %s",db_path);
++	if ((errno = db->upgrade(db,db_path,0)) != 0)
++	    msg_fatal("upgrade of database %s: %m",db_path);
++    }
+ #if (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0)
+     if ((errno = db->open(db, 0, db_path, 0, type, db_flags, 0644)) != 0)
+ 	msg_fatal("open database %s: %m", db_path);
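Review bot: with DICT_FLAG_UPGRADE set, db->upgrade() runs on db_path before db->open(), and Berkeley DB performs the upgrade in place on the file. The -u text added to the postmap manual page should tell the operator to back up the map first and to run the upgrade while the map is not in use. Also confirm that the lock requested through DICT_FLAG_LOCK in postmap_upgrade() is already held at this point, since the upgrade precedes the open in the lines shown.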
+diff -urNad postfix~/src/util/dict_dbm.c postfix/src/util/dict_dbm.c
+--- postfix~/src/util/dict_dbm.c	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/util/dict_dbm.c	2006-10-15 20:55:26.000000000 -0600
+@@ -401,6 +401,10 @@
+     char   *dbm_path;
+     int     lock_fd;
+ 
++#ifdef HAVE_GDBM
++    msg_fatal("%s: gdbm maps use locking that is incompatible with postfix.  Use a hash map instead.",
++		 path);
++#endif
+     /*
+      * Note: DICT_FLAG_LOCK is used only by programs that do fine-grained (in
+      * the time domain) locking while accessing individual database records.
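Review bot: the guard tests HAVE_GDBM, whereas every other feature macro in this patch uses the HAS_ prefix (HAS_CDB, HAS_SDBM, HAS_LDAP) and the makedefs fragment dropped from 20maps.dpatch in this revision defined -DHAS_GDBM. If nothing in the build defines HAVE_GDBM, the msg_fatal() is never compiled in and gdbm maps are opened with the incompatible locking the message warns about. Use the macro the build actually sets.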
+diff -urNad postfix~/src/util/dict_open.c postfix/src/util/dict_open.c
+--- postfix~/src/util/dict_open.c	2006-07-24 10:24:45.000000000 -0600
++++ postfix/src/util/dict_open.c	2006-10-15 20:55:26.000000000 -0600
+@@ -44,6 +44,8 @@
+ /*	DICT	*(*open) (const char *, int, int);
+ /*
+ /*	ARGV	*dict_mapnames()
++/*
++/*	void (*)() dict_mkmap_func(const char *dict_type)
+ /* DESCRIPTION
+ /*	This module implements a low-level interface to multiple
+ /*	physical dictionary types.
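Review bot: the SYNOPSIS line added here, `void (*)() dict_mkmap_func(const char *dict_type)`, does not match the prototype added earlier in this patch, which returns dict_mkmap_func_t, a `void* (*)(const char *)`. Suggest writing the synopsis as `dict_mkmap_func_t dict_mkmap_func(const char *dict_type)` so the manual text and the declaration agree.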
+@@ -156,6 +158,9 @@
+ /*
+ /*	dict_mapnames() returns a sorted list with the names of all available
+ /*	dictionary types.
++/*
++/*	dict_mkmap_func() returns a pointer to the mkmap setup function
++/*	for the given map type, as given in /etc/dynamicmaps.cf
+ /* DIAGNOSTICS
+ /*	Fatal error: open error, unsupported dictionary type, attempt to
+ /*	update non-writable dictionary.
+@@ -180,6 +185,9 @@
+ #include <strings.h>
+ #endif
+ 
++#include <sys/stat.h>
++#include <unistd.h>
 +
-+static void dict_sdbm_update(DICT *dict, const char *name, const char *value)
-+{
-+    DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
-+    datum   dbm_key;
-+    datum   dbm_value;
-+    int     status;
+ /* Utility library. */
+ 
+ #include <argv.h>
+@@ -204,6 +212,27 @@
+ #include <split_at.h>
+ #include <htable.h>
+ 
++#ifndef NO_DYNAMIC_MAPS
++#include <load_lib.h>
++#include <vstring.h>
++#include <vstream.h>
++#include <vstring_vstream.h>
++#include <mvect.h>
 +
-+    dbm_key.dptr = (void *) name;
-+    dbm_value.dptr = (void *) value;
-+    dbm_key.dsize = strlen(name);
-+    dbm_value.dsize = strlen(value);
++ /*
++  * Interface for dynamic map loading.
++  */
++typedef struct {
++    const char  *pattern;
++    const char  *soname;
++    const char  *openfunc;
++    const char  *mkmapfunc;
++} DLINFO;
 +
-+    /*
-+     * If undecided about appending a null byte to key and value, choose a
-+     * default depending on the platform.
-+     */
-+    if ((dict->flags & DICT_FLAG_TRY1NULL)
-+	&& (dict->flags & DICT_FLAG_TRY0NULL)) {
-+#ifdef DBM_NO_TRAILING_NULL
-+	dict->flags &= ~DICT_FLAG_TRY1NULL;
++static DLINFO *dict_dlinfo;
++static DLINFO *dict_open_dlfind(const char *type);
++#endif
++
+  /*
+   * lookup table for available map types.
+   */
+@@ -213,14 +242,18 @@
+ } DICT_OPEN_INFO;
+ 
+ static DICT_OPEN_INFO dict_open_info[] = {
++#ifndef MAX_DYNAMIC_MAPS
+ #ifdef HAS_CDB
+     DICT_TYPE_CDB, dict_cdb_open,
+ #endif
++#endif /* MAX_DYNAMIC_MAPS */
+     DICT_TYPE_ENVIRON, dict_env_open,
+     DICT_TYPE_UNIX, dict_unix_open,
++#ifndef MAX_DYNAMIC_MAPS
+ #ifdef SNAPSHOT
+     DICT_TYPE_TCP, dict_tcp_open,
+ #endif
++#endif
+ #ifdef HAS_SDBM
+     DICT_TYPE_SDBM, dict_sdbm_open,
+ #endif
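Review bot: the `#ifndef MAX_DYNAMIC_MAPS` guards compile the cdb and tcp entries out of dict_open_info[], but nothing prevents a build that defines both MAX_DYNAMIC_MAPS and NO_DYNAMIC_MAPS, which would leave those types with neither a static entry nor a loader and fail only at run time with "unsupported dictionary type". Suggest an #error for that combination. Style: the second added #endif (after DICT_TYPE_TCP) lacks the `/* MAX_DYNAMIC_MAPS */` comment that the first one carries.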
+@@ -240,9 +273,11 @@
+ #ifdef HAS_NETINFO
+     DICT_TYPE_NETINFO, dict_ni_open,
+ #endif
++#ifndef MAX_DYNAMIC_MAPS
+ #ifdef HAS_PCRE
+     DICT_TYPE_PCRE, dict_pcre_open,
+ #endif
++#endif /* MAX_DYNAMIC_MAPS */
+ #ifdef HAS_POSIX_REGEXP
+     DICT_TYPE_REGEXP, dict_regexp_open,
+ #endif
+@@ -300,8 +335,31 @@
+ 		  dict_type, dict_name);
+     if (dict_open_hash == 0)
+ 	dict_open_init();
+-    if ((dp = (DICT_OPEN_INFO *) htable_find(dict_open_hash, dict_type)) == 0)
+-	msg_fatal("unsupported dictionary type: %s", dict_type);
++    if ((dp = (DICT_OPEN_INFO *) htable_find(dict_open_hash, dict_type)) == 0) {
++#ifdef NO_DYNAMIC_MAPS
++	msg_fatal("%s: unsupported dictionary type: %s", myname, dict_type);
 +#else
-+	dict->flags &= ~DICT_FLAG_TRY0NULL;
++	struct stat st;
++	LIB_FN fn[2];
++	DICT *(*open) (const char *, int, int);
++	DLINFO *dl=dict_open_dlfind(dict_type);
++	if (!dl)
++	    msg_fatal("%s: unsupported dictionary type: %s:  Is the postfix-%s package installed?", myname, dict_type, dict_type);
++	if (stat(dl->soname,&st) < 0) {
++	    msg_fatal("%s: unsupported dictionary type: %s (%s not found.  Is the postfix-%s package installed?)",
++		myname, dict_type, dl->soname, dict_type);
++	}
++	fn[0].name = dl->openfunc;
++	fn[0].ptr  = (void**)&open;
++	fn[1].name = NULL;
++	load_library_symbols(dl->soname, fn, NULL);
++	dict_open_register(dict_type, open);
++	dp = (DICT_OPEN_INFO *) htable_find(dict_open_hash, dict_type);
 +#endif
 +    }
-+
-+    /*
-+     * Optionally append a null byte to key and value.
-+     */
-+    if (dict->flags & DICT_FLAG_TRY1NULL) {
-+	dbm_key.dsize++;
-+	dbm_value.dsize++;
++    if (msg_verbose>1) {
++	msg_info("%s: calling %s open routine",myname,dict_type);
 +    }
-+
-+    /*
-+     * Acquire an exclusive lock.
-+     */
-+    if ((dict->flags & DICT_FLAG_LOCK)
-+	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) < 0)
-+	msg_fatal("%s: lock dictionary: %m", dict_sdbm->path);
-+
-+    /*
-+     * Do the update.
-+     */
-+    if ((status = sdbm_store(dict_sdbm->dbm, dbm_key, dbm_value,
-+     (dict->flags & DICT_FLAG_DUP_REPLACE) ? DBM_REPLACE : DBM_INSERT)) < 0)
-+	msg_fatal("error writing SDBM database %s: %m", dict_sdbm->path);
-+    if (status) {
-+	if (dict->flags & DICT_FLAG_DUP_IGNORE)
-+	     /* void */ ;
-+	else if (dict->flags & DICT_FLAG_DUP_WARN)
-+	    msg_warn("%s: duplicate entry: \"%s\"", dict_sdbm->path, name);
-+	else
-+	    msg_fatal("%s: duplicate entry: \"%s\"", dict_sdbm->path, name);
+     if ((dict = dp->open(dict_name, open_flags, dict_flags)) == 0)
+ 	msg_fatal("opening %s:%s %m", dict_type, dict_name);
+     if (msg_verbose)
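Review bot: in the dynamic-load branch, stat(dl->soname,&st) only tests that the path exists; st is never examined, so the shared object named in dynamicmaps.cf reaches load_library_symbols() with no check of its owner or mode. Suggest rejecting the library unless it is owned by root and not writable by group or other before loading it. Also, the local function pointer named `open` shadows open(2) inside this function; a name such as open_fn would be clearer.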
+@@ -309,6 +367,36 @@
+     return (dict);
+ }
+ 
++dict_mkmap_func_t dict_mkmap_func(const char *dict_type)
++{
++    char   *myname="dict_mkmap_func";
++    struct stat st;
++    LIB_FN fn[2];
++    dict_mkmap_func_t mkmap;
++    DLINFO *dl;
++#ifndef NO_DYNAMIC_MAPS
++    if (!dict_dlinfo)
++	msg_fatal("dlinfo==NULL");
++    dl=dict_open_dlfind(dict_type);
++    if (!dl)
++	msg_fatal("%s: unsupported dictionary type: %s:  Is the postfix-%s package installed?", myname, dict_type, dict_type);
++    if (stat(dl->soname,&st) < 0) {
++	msg_fatal("%s: unsupported dictionary type: %s (%s not found.  Is the postfix-%s package installed?)",
++	    myname, dict_type, dl->soname, dict_type);
 +    }
++    if (!dl->mkmapfunc)
++	msg_fatal("%s: unsupported dictionary type: %s does not allow map creation.", myname, dict_type);
 +
-+    /*
-+     * Release the exclusive lock.
-+     */
-+    if ((dict->flags & DICT_FLAG_LOCK)
-+	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
-+	msg_fatal("%s: unlock dictionary: %m", dict_sdbm->path);
++    fn[0].name = dl->mkmapfunc;
++    fn[0].ptr  = (void**)&mkmap;
++    fn[1].name = NULL;
++    load_library_symbols(dl->soname, fn, NULL);
++    return mkmap;
++#else
++    return (void(*)())NULL;
++#endif
 +}
 +
+ /* dict_open_register - register dictionary type */
+ 
+ void    dict_open_register(const char *type,
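Review bot: the declarations `LIB_FN fn[2];` and `DLINFO *dl;` in dict_mkmap_func() sit above the `#ifndef NO_DYNAMIC_MAPS`, but both types are only defined inside that same conditional earlier in the file (load_lib.h is included there and DLINFO is typedef'd there), so a NO_DYNAMIC_MAPS build will not compile. Suggest moving all the locals inside the #ifndef. The #else branch also returns `(void(*)())NULL`, which is not the declared return type; `return (dict_mkmap_func_t) 0;` would match.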
+@@ -342,6 +430,9 @@
+     HTABLE_INFO **ht;
+     DICT_OPEN_INFO *dp;
+     ARGV   *mapnames;
++#ifndef NO_DYNAMIC_MAPS
++    DLINFO *dlp;
++#endif
+ 
+     if (dict_open_hash == 0)
+ 	dict_open_init();
+@@ -350,6 +441,13 @@
+ 	dp = (DICT_OPEN_INFO *) ht[0]->value;
+ 	argv_add(mapnames, dp->type, ARGV_END);
+     }
++#ifndef NO_DYNAMIC_MAPS
++    if (!dict_dlinfo)
++	msg_fatal("dlinfo==NULL");
++    for (dlp=dict_dlinfo; dlp->pattern; dlp++) {
++	argv_add(mapnames, dlp->pattern, ARGV_END);
++    }
++#endif
+     qsort((void *) mapnames->argv, mapnames->argc, sizeof(mapnames->argv[0]),
+ 	  dict_sort_alpha_cpp);
+     myfree((char *) ht_info);
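Review bot: dict_mapnames() now calls msg_fatal("dlinfo==NULL") when dict_dlinfo has not been set, whereas dict_open_dlfind() returns NULL in the same situation, so a program that lists map types without first calling dict_open_dlinfo() dies instead of reporting the built-in types. Suggest skipping the loop when dict_dlinfo is NULL, or at least putting the function name in the message so the failure can be located.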
+@@ -357,6 +455,87 @@
+     return mapnames;
+ }
+ 
++#ifndef NO_DYNAMIC_MAPS
++#define	STREQ(x,y) (x == y || (x[0] == y[0] && strcmp(x,y) == 0))
 +
-+/* dict_sdbm_delete - delete one entry from the dictionary */
-+
-+static int dict_sdbm_delete(DICT *dict, const char *name)
++void dict_open_dlinfo(const char *path)
 +{
-+    DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
-+    datum   dbm_key;
-+    int     status = 1;
-+    int     flags = 0;
++    char    *myname="dict_open_dlinfo";
++    VSTREAM *conf_fp=vstream_fopen(path,O_RDONLY,0);
++    VSTRING *buf = vstring_alloc(100);
++    char    *cp;
++    ARGV    *argv;
++    MVECT    vector;
++    int      nelm=0;
++    int      linenum=0;
 +
-+    /*
-+     * Acquire an exclusive lock.
-+     */
-+    if ((dict->flags & DICT_FLAG_LOCK)
-+	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) < 0)
-+	msg_fatal("%s: lock dictionary: %m", dict_sdbm->path);
++    dict_dlinfo=(DLINFO*)mvect_alloc(&vector,sizeof(DLINFO),3,NULL,NULL);
 +
-+    /*
-+     * See if this DBM file was written with one null byte appended to key
-+     * and value.
-+     */
-+    if (dict->flags & DICT_FLAG_TRY1NULL) {
-+	dbm_key.dptr = (void *) name;
-+	dbm_key.dsize = strlen(name) + 1;
-+	sdbm_clearerr(dict_sdbm->dbm);
-+	if ((status = sdbm_delete(dict_sdbm->dbm, dbm_key)) < 0) {
-+	    if (sdbm_error(dict_sdbm->dbm) != 0)	/* fatal error */
-+		msg_fatal("error deleting from %s: %m", dict_sdbm->path);
-+	    status = 1;				/* not found */
-+	} else {
-+	    dict->flags &= ~DICT_FLAG_TRY0NULL;	/* found */
++    if (!conf_fp) {
++	msg_warn("%s: cannot open %s.  No dynamic maps will be allowed.",
++		myname, path);
++    } else {
++	while (vstring_get_nonl(buf,conf_fp) != VSTREAM_EOF) {
++	    cp = vstring_str(buf);
++	    linenum++;
++	    if (*cp == '#' || *cp == '\0')
++		continue;
++	    argv = argv_split(cp, " \t");
++	    if (argv->argc != 3 && argv->argc != 4) {
++		msg_fatal("%s: Expected \"pattern .so-name open-function [mkmap-function]\" at line %d",
++			  myname, linenum);
++	    }
++	    if (STREQ(argv->argv[0],"*")) {
++		msg_warn("%s: wildcard dynamic map entry no longer supported.",
++			  myname);
++		continue;
++	    }
++	    if (argv->argv[1][0] != '/') {
++		msg_fatal("%s: .so name must begin with a \"/\" at line %d",
++			  myname, linenum);
++	    }
++	    if (nelm >= vector.nelm) {
++		dict_dlinfo=(DLINFO*)mvect_realloc(&vector,vector.nelm+3);
++	    }
++	    dict_dlinfo[nelm].pattern  = mystrdup(argv->argv[0]);
++	    dict_dlinfo[nelm].soname   = mystrdup(argv->argv[1]);
++	    dict_dlinfo[nelm].openfunc = mystrdup(argv->argv[2]);
++	    if (argv->argc==4)
++		dict_dlinfo[nelm].mkmapfunc = mystrdup(argv->argv[3]);
++	    else
++		dict_dlinfo[nelm].mkmapfunc = NULL;
++	    nelm++;
++	    argv_free(argv);
 +	}
 +    }
-+
-+    /*
-+     * See if this DBM file was written with no null byte appended to key and
-+     * value.
-+     */
-+    if (status > 0 && (dict->flags & DICT_FLAG_TRY0NULL)) {
-+	dbm_key.dptr = (void *) name;
-+	dbm_key.dsize = strlen(name);
-+	sdbm_clearerr(dict_sdbm->dbm);
-+	if ((status = sdbm_delete(dict_sdbm->dbm, dbm_key)) < 0) {
-+	    if (sdbm_error(dict_sdbm->dbm) != 0)	/* fatal error */
-+		msg_fatal("error deleting from %s: %m", dict_sdbm->path);
-+	    status = 1;				/* not found */
-+	} else {
-+	    dict->flags &= ~DICT_FLAG_TRY1NULL;	/* found */
-+	}
++    if (nelm >= vector.nelm) {
++	dict_dlinfo=(DLINFO*)mvect_realloc(&vector,vector.nelm+1);
 +    }
-+
-+    /*
-+     * Release the exclusive lock.
-+     */
-+    if ((dict->flags & DICT_FLAG_LOCK)
-+	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
-+	msg_fatal("%s: unlock dictionary: %m", dict_sdbm->path);
-+
-+    return (status);
++    dict_dlinfo[nelm].pattern  = NULL;
++    dict_dlinfo[nelm].soname   = NULL;
++    dict_dlinfo[nelm].openfunc = NULL;
++    dict_dlinfo[nelm].mkmapfunc = NULL;
++    if (conf_fp)
++	vstream_fclose(conf_fp);
++    vstring_free(buf);
 +}
 +
-+/* traverse the dictionary */
-+
-+static int dict_sdbm_sequence(DICT *dict, const int function,
-+			             const char **key, const char **value)
++static DLINFO *dict_open_dlfind(const char *type)
 +{
-+    char   *myname = "dict_sdbm_sequence";
-+    DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
-+    datum   dbm_key;
-+    datum   dbm_value;
-+    int     status = 0;
-+    static VSTRING *key_buf;
-+    static VSTRING *value_buf;
++    DLINFO *dp;
 +
-+    /*
-+     * Acquire an exclusive lock.
-+     */
-+    if ((dict->flags & DICT_FLAG_LOCK)
-+	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) < 0)
-+	msg_fatal("%s: lock dictionary: %m", dict_sdbm->path);
++    if (!dict_dlinfo)
++	return NULL;
 +
-+    /*
-+     * Determine and execute the seek function. It returns the key.
-+     */
-+    switch (function) {
-+    case DICT_SEQ_FUN_FIRST:
-+	dbm_key = sdbm_firstkey(dict_sdbm->dbm);
-+	break;
-+    case DICT_SEQ_FUN_NEXT:
-+	dbm_key = sdbm_nextkey(dict_sdbm->dbm);
-+	break;
-+    default:
-+	msg_panic("%s: invalid function: %d", myname, function);
++    for (dp=dict_dlinfo; dp->pattern; dp++) {
++	if (STREQ(dp->pattern,type))
++	    return dp;
 +    }
++    return NULL;
++}
 +
-+    /*
-+     * Release the exclusive lock.
-+     */
-+    if ((dict->flags & DICT_FLAG_LOCK)
-+	&& myflock(dict->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
-+	msg_fatal("%s: unlock dictionary: %m", dict_sdbm->path);
++#endif /* !NO_DYNAMIC_MAPS */
 +
-+    if (dbm_key.dptr != 0 && dbm_key.dsize > 0) {
+ #ifdef TEST
+ 
+  /*
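Review bot: in dict_open_dlinfo() the wildcard branch does `continue;` after msg_warn() without calling argv_free(argv), so the vector from argv_split() leaks for each such line; free it before continuing. That warning also omits linenum, which the two msg_fatal() calls beside it report. Two smaller points: the STREQ macro uses its arguments unparenthesized, and the comment test `*cp == '#'` looks only at the first character, so an indented comment or a whitespace-only line falls through to the argc check and is fatal.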
+diff -urNad postfix~/src/util/load_lib.c postfix/src/util/load_lib.c
+--- postfix~/src/util/load_lib.c	1969-12-31 17:00:00.000000000 -0700
++++ postfix/src/util/load_lib.c	2006-10-15 20:55:26.000000000 -0600
+@@ -0,0 +1,135 @@
++/*++
++/* NAME
++/*	load_lib 3
++/* SUMMARY
++/*	library loading wrappers
++/* SYNOPSIS
++/*	#include <load_lib.h>
++/*
++/*	extern int  load_library_symbols(const char *, LIB_FN *, LIB_FN *);
++/*	const char *libname;
++/*      LIB_FN     *libfuncs;
++/*      LIB_FN     *libdata;
++/*
++/* DESCRIPTION
++/*	This module loads functions from libraries, returnine pointers
++/*	to the named functions.
++/*
++/*	load_library_symbols() loads all of the desired functions, and
++/*	returns zero for success, or exits via msg_fatal().
++/*
++/* SEE ALSO
++/*	msg(3) diagnostics interface
++/* DIAGNOSTICS
++/*	Problems are reported via the msg(3) diagnostics routines:
++/*	library not found, symbols not found, other fatal errors.
++/* LICENSE
++/* .ad
++/* .fi
++/*	The Secure Mailer license must be distributed with this software.
++/* AUTHOR(S)
++/*	LaMont Jones
++/*	Hewlett-Packard Company
++/*	3404 Harmony Road
++/*	Fort Collins, CO 80528, USA
++/*
++/*	Wietse Venema
++/*	IBM T.J. Watson Research
++/*	P.O. Box 704
++/*	Yorktown Heights, NY 10598, USA
++/*--*/
 +
-+	/*
-+	 * See if this DB file was written with one null byte appended to key
-+	 * an d value or not. If necessary, copy the key.
-+	 */
-+	if (((char *) dbm_key.dptr)[dbm_key.dsize - 1] == 0) {
-+	    *key = dbm_key.dptr;
-+	} else {
-+	    if (key_buf == 0)
-+		key_buf = vstring_alloc(10);
-+	    vstring_strncpy(key_buf, dbm_key.dptr, dbm_key.dsize);
-+	    *key = vstring_str(key_buf);
-+	}
++/* System libraries. */
 +
-+	/*
-+	 * Fetch the corresponding value.
-+	 */
-+	dbm_value = sdbm_fetch(dict_sdbm->dbm, dbm_key);
++#include "sys_defs.h"
++#include <stdlib.h>
++#include <stddef.h>
++#include <string.h>
++#if defined(HAS_DLOPEN)
++#include <dlfcn.h>
++#elif defined(HAS_SHL_LOAD)
++#include <dl.h>
++#endif
 +
-+	if (dbm_value.dptr != 0 && dbm_value.dsize > 0) {
++/* Application-specific. */
 +
-+	    /*
-+	     * See if this DB file was written with one null byte appended to
-+	     * key and value or not. If necessary, copy the key.
-+	     */
-+	    if (((char *) dbm_value.dptr)[dbm_value.dsize - 1] == 0) {
-+		*value = dbm_value.dptr;
-+	    } else {
-+		if (value_buf == 0)
-+		    value_buf = vstring_alloc(10);
-+		vstring_strncpy(value_buf, dbm_value.dptr, dbm_value.dsize);
-+		*value = vstring_str(value_buf);
-+	    }
-+	} else {
++#include "msg.h"
++#include "load_lib.h"
 +
-+	    /*
-+	     * Determine if we have hit the last record or an error
-+	     * condition.
-+	     */
-+	    if (sdbm_error(dict_sdbm->dbm))
-+		msg_fatal("error seeking %s: %m", dict_sdbm->path);
-+	    return (1);				/* no error: eof/not found
-+						 * (should not happen!) */
-+	}
-+    } else {
-+
-+	/*
-+	 * Determine if we have hit the last record or an error condition.
-+	 */
-+	if (sdbm_error(dict_sdbm->dbm))
-+	    msg_fatal("error seeking %s: %m", dict_sdbm->path);
-+	return (1);				/* no error: eof/not found */
-+    }
-+    return (0);
-+}
-+
-+/* dict_sdbm_close - disassociate from data base */
-+
-+static void dict_sdbm_close(DICT *dict)
++extern int  load_library_symbols(const char * libname, LIB_FN * libfuncs, LIB_FN * libdata)
 +{
-+    DICT_SDBM *dict_sdbm = (DICT_SDBM *) dict;
++    char   *myname = "load_library_symbols";
++    LIB_FN *fn;
 +
-+    sdbm_close(dict_sdbm->dbm);
-+    myfree(dict_sdbm->path);
-+    myfree((char *) dict_sdbm);
-+}
++#if defined(HAS_DLOPEN)
++    void   *handle;
++    char   *emsg;
 +
-+/* dict_sdbm_open - open SDBM data base */
++    handle=dlopen(libname,RTLD_NOW);
++    emsg=dlerror();
++    if (emsg) {
++	msg_fatal("%s: dlopen failure loading %s: %s", myname, libname, emsg);
++    }
 +
-+DICT   *dict_sdbm_open(const char *path, int open_flags, int dict_flags)
-+{
-+    DICT_SDBM *dict_sdbm;
-+    struct stat st;
-+    SDBM   *dbm;
-+    char   *dbm_path;
-+    int     lock_fd;
++    if (libfuncs) {
++	for (fn=libfuncs; fn->name; fn++) {
++	    *(fn->ptr) = dlsym(handle,fn->name);
++	    emsg=dlerror();
++	    if (emsg) {
++		msg_fatal("%s: dlsym failure looking up %s in %s: %s", myname,
++			  fn->name, libname, emsg);
++	    }
++	    if (msg_verbose>1) {
++		msg_info("loaded %s = %lx",fn->name, *((long*)(fn->ptr)));
++	    }
++	}
++    }
 +
-+    if (dict_flags & DICT_FLAG_LOCK) {
-+	dbm_path = concatenate(path, ".pag", (char *) 0);
-+	if ((lock_fd = open(dbm_path, open_flags, 0644)) < 0)
-+	    msg_fatal("open database %s: %m", dbm_path);
-+	if (myflock(lock_fd, INTERNAL_LOCK, MYFLOCK_OP_SHARED) < 0)
-+	    msg_fatal("shared-lock database %s for open: %m", dbm_path);
++    if (libdata) {
++	for (fn=libdata; fn->name; fn++) {
++	    *(fn->ptr) = dlsym(handle,fn->name);
++	    emsg=dlerror();
++	    if (emsg) {
++		msg_fatal("%s: dlsym failure looking up %s in %s: %s", myname,
++			  fn->name, libname, emsg);
++	    }
++	    if (msg_verbose>1) {
++		msg_info("loaded %s = %lx",fn->name, *((long*)(fn->ptr)));
++	    }
++	}
 +    }
++#elif defined(HAS_SHL_LOAD)
++    shl_t   handle;
 +
-+    /*
-+     * XXX SunOS 5.x has no const in dbm_open() prototype.
-+     */
-+    if ((dbm = sdbm_open((char *) path, open_flags, 0644)) == 0)
-+	msg_fatal("open database %s.{dir,pag}: %m", path);
++    handle = shl_load(libname,BIND_IMMEDIATE,0);
 +
-+    if (dict_flags & DICT_FLAG_LOCK) {
-+	if (myflock(lock_fd, INTERNAL_LOCK, MYFLOCK_OP_NONE) < 0)
-+	    msg_fatal("unlock database %s for open: %m", dbm_path);
-+	if (close(lock_fd) < 0)
-+	    msg_fatal("close database %s: %m", dbm_path);
-+	myfree(dbm_path);
++    if (libfuncs) {
++	for (fn=libfuncs; fn->name; fn++) {
++	    if (shl_findsym(&handle,fn->name,TYPE_PROCEDURE,fn->ptr) != 0) {
++		msg_fatal("%s: shl_findsym failure looking up %s in %s: %m",
++			  myname, fn->name, libname);
++	    }
++	    if (msg_verbose>1) {
++		msg_info("loaded %s = %x",fn->name, *((long*)(fn->ptr)));
++	    }
++	}
 +    }
-+    dict_sdbm = (DICT_SDBM *) mymalloc(sizeof(*dict_sdbm));
-+    dict_sdbm->dict.lookup = dict_sdbm_lookup;
-+    dict_sdbm->dict.update = dict_sdbm_update;
-+    dict_sdbm->dict.delete = dict_sdbm_delete;
-+    dict_sdbm->dict.sequence = dict_sdbm_sequence;
-+    dict_sdbm->dict.close = dict_sdbm_close;
-+    dict_sdbm->dict.lock_fd = sdbm_dirfno(dbm);
-+    dict_sdbm->dict.stat_fd = sdbm_pagfno(dbm);
-+    if (fstat(dict_sdbm->dict.stat_fd, &st) < 0)
-+	msg_fatal("dict_sdbm_open: fstat: %m");
-+    dict_sdbm->dict.mtime = st.st_mtime;
-+    close_on_exec(sdbm_pagfno(dbm), CLOSE_ON_EXEC);
-+    close_on_exec(sdbm_dirfno(dbm), CLOSE_ON_EXEC);
-+    dict_sdbm->dict.flags = dict_flags | DICT_FLAG_FIXED;
-+    if ((dict_flags & (DICT_FLAG_TRY0NULL | DICT_FLAG_TRY1NULL)) == 0)
-+	dict_sdbm->dict.flags |= (DICT_FLAG_TRY0NULL | DICT_FLAG_TRY1NULL);
-+    dict_sdbm->dbm = dbm;
-+    dict_sdbm->path = mystrdup(path);
 +
-+    return (&dict_sdbm->dict);
-+}
++    if (libdata) {
++	for (fn=libdata; fn->name; fn++) {
++	    if (shl_findsym(&handle,fn->name,TYPE_DATA,fn->ptr) != 0) {
++		msg_fatal("%s: shl_findsym failure looking up %s in %s: %m",
++			  myname, fn->name, libname);
++	    }
++	    if (msg_verbose>1) {
++		msg_info("loaded %s = %x",fn->name, *((long*)(fn->ptr)));
++	    }
++	}
++    }
 +
-+#include "mkmap.h"
-+
-+typedef struct MKMAP_DBM {
-+    MKMAP   mkmap;			/* parent class */
-+    char   *lock_file;			/* path name */
-+    int     lock_fd;			/* -1 or open locked file */
-+} MKMAP_DBM;
-+
-+/* mkmap_dbm_after_close - clean up after closing database */
-+
-+static void mkmap_sdbm_after_close(MKMAP *mp)
-+{
-+    MKMAP_DBM *mkmap = (MKMAP_DBM *) mp;
-+
-+    if (mkmap->lock_fd >= 0 && close(mkmap->lock_fd) < 0)
-+	msg_warn("close %s: %m", mkmap->lock_file);
-+    myfree(mkmap->lock_file);
++#else
++    msg_fatal("%s: need dlopen or shl_load support for dynamic libraries",
++		myname);
++#endif
++    return 0;
 +}
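Review bot: in the HAS_SHL_LOAD branch both msg_info() calls print `*((long*)(fn->ptr))` with `%x`, which mismatches the long argument; the HAS_DLOPEN branch uses `%lx` for the same expression and the two should agree. In both branches the value is obtained by reading a `void *` slot through a `long *`, which assumes the two have the same size; casting the stored pointer instead avoids that assumption. The DESCRIPTION comment has a typo, "returnine" for "returning", and the function definition does not need the `extern` keyword.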
+diff -urNad postfix~/src/util/load_lib.h postfix/src/util/load_lib.h
+--- postfix~/src/util/load_lib.h	1969-12-31 17:00:00.000000000 -0700
++++ postfix/src/util/load_lib.h	2006-10-15 20:55:26.000000000 -0600
+@@ -0,0 +1,41 @@
++#ifndef _LOAD_LIB_H_INCLUDED_
++#define _LOAD_LIB_H_INCLUDED_
 +
-+/* mkmap_sdbm_open - create or open database */
-+
-+MKMAP  *mkmap_sdbm_open(const char *path)
-+{
-+    MKMAP_DBM *mkmap = (MKMAP_DBM *) mymalloc(sizeof(*mkmap));
-+    char   *pag_file;
-+    int     pag_fd;
-+
-+    /*
-+     * Fill in the generic members.
-+     */
-+    mkmap->lock_file = concatenate(path, ".dir", (char *) 0);
-+    mkmap->mkmap.open = dict_sdbm_open;
-+    mkmap->mkmap.after_open = 0;
-+    mkmap->mkmap.after_close = mkmap_sdbm_after_close;
-+
-+    /*
-+     * Unfortunately, not all systems support locking on open(), so we open
-+     * the .dir and .pag files before truncating them. Keep one file open for
-+     * locking.
-+     */
-+    if ((mkmap->lock_fd = open(mkmap->lock_file, O_CREAT | O_RDWR, 0644)) < 0)
-+	msg_fatal("open %s: %m", mkmap->lock_file);
-+
-+    pag_file = concatenate(path, ".pag", (char *) 0);
-+    if ((pag_fd = open(pag_file, O_CREAT | O_RDWR, 0644)) < 0)
-+	msg_fatal("open %s: %m", pag_file);
-+    if (close(pag_fd))
-+	msg_warn("close %s: %m", pag_file);
-+    myfree(pag_file);
-+
-+    /*
-+     * Get an exclusive lock - we're going to change the database so we can't
-+     * have any spectators.
-+     */
-+    if (myflock(mkmap->lock_fd, INTERNAL_LOCK, MYFLOCK_OP_EXCLUSIVE) < 0)
-+	msg_fatal("lock %s: %m", mkmap->lock_file);
-+
-+    return (&mkmap->mkmap);
-+}
-+
-diff -urNad postfix-release/src/global/dict_sdbm.h /tmp/dpep.TxugCA/postfix-release/src/global/dict_sdbm.h
---- postfix-release/src/global/dict_sdbm.h	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/global/dict_sdbm.h	2004-12-27 22:29:11.317099212 -0700
-@@ -0,0 +1,36 @@
-+#ifndef _DICT_SDBM_H_INCLUDED_
-+#define _DICT_SDBM_H_INCLUDED_
-+
 +/*++
 +/* NAME
-+/*	dict_dbm 3h
++/*	load_lib 3h
 +/* SUMMARY
-+/*	dictionary manager interface to DBM files
++/*	library loading wrappers
 +/* SYNOPSIS
-+/*	#include <dict_dbm.h>
++/*	#include "load_lib.h"
 +/* DESCRIPTION
 +/* .nf
 +
 + /*
-+  * Utility library.
-+  */
-+#include <dict.h>
-+
-+ /*
 +  * External interface.
 +  */
-+#define DICT_TYPE_SDBM	"sdbm"
-+extern DICT *dict_sdbm_open(const char *, int, int);
++/* NULL name terminates list */
++typedef struct LIB_FN {
++    const char *name;
++    void       **ptr;
++} LIB_FN;
 +
++extern int  load_library_symbols(const char *, LIB_FN *, LIB_FN *);
++
 +/* LICENSE
 +/* .ad
 +/* .fi
 +/*	The Secure Mailer license must be distributed with this software.
 +/* AUTHOR(S)
++/*	LaMont Jones
++/*	Hewlett-Packard Company
++/*	3404 Harmony Road
++/*	Fort Collins, CO 80528, USA
++/*
 +/*	Wietse Venema
 +/*	IBM T.J. Watson Research
 +/*	P.O. Box 704
@@ -734,126 +1069,9 @@
 +/*--*/
 +
 +#endif
-diff -urNad postfix-release/src/global/mail_conf.c /tmp/dpep.TxugCA/postfix-release/src/global/mail_conf.c
---- postfix-release/src/global/mail_conf.c	2004-12-27 22:28:28.642272500 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/global/mail_conf.c	2004-12-27 22:29:11.318098997 -0700
-@@ -175,6 +175,13 @@
-     path = concatenate(var_config_dir, "/", "main.cf", (char *) 0);
-     dict_load_file(CONFIG_DICT, path);
-     myfree(path);
-+
-+#ifndef NO_DYNAMIC_MAPS
-+    path = concatenate(var_config_dir, "/", "dynamicmaps.cf", (char *) 0);
-+    dict_open_dlinfo(path);
-+    myfree(path);
-+#endif
-+
- }
- 
- /* mail_conf_eval - expand macros in string */
-diff -urNad postfix-release/src/global/mail_dict.c /tmp/dpep.TxugCA/postfix-release/src/global/mail_dict.c
---- postfix-release/src/global/mail_dict.c	2004-12-27 22:28:28.642272500 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/global/mail_dict.c	2004-12-27 22:29:11.318098997 -0700
-@@ -45,6 +45,7 @@
- 
- static DICT_OPEN_INFO dict_open_info[] = {
-     DICT_TYPE_PROXY, dict_proxy_open,
-+#ifndef MAX_DYNAMIC_MAPS
- #ifdef HAS_LDAP
-     DICT_TYPE_LDAP, dict_ldap_open,
- #endif
-@@ -54,6 +55,7 @@
- #ifdef HAS_PGSQL
-     DICT_TYPE_PGSQL, dict_pgsql_open,
- #endif
-+#endif /* MAX_DYNAMIC_MAPS */
-     0,
- };
- 
-diff -urNad postfix-release/src/global/mail_params.c /tmp/dpep.TxugCA/postfix-release/src/global/mail_params.c
---- postfix-release/src/global/mail_params.c	2004-12-27 22:28:28.643272285 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/global/mail_params.c	2004-12-27 22:29:11.318098997 -0700
-@@ -149,6 +149,8 @@
- #include <valid_hostname.h>
- #include <stringops.h>
- #include <safe.h>
-+#include <safe_open.h>
-+#include <mymalloc.h>
- #ifdef HAS_DB
- #include <dict_db.h>
- #endif
-@@ -422,6 +424,38 @@
- 		  (long) var_sgid_gid);
- }
- 
-+static char *read_file(const char *name)
-+{
-+    char *ret;
-+    VSTRING *why=vstring_alloc(1);
-+    VSTRING *new_name=vstring_alloc(1);
-+    VSTREAM *vp=safe_open(name, O_RDONLY, 0, NULL, -1, -1, why);
-+
-+    /*
-+     * Ugly macros to make complex expressions less unreadable.
-+     */
-+#define SKIP(start, var, cond) \
-+	for (var = start; *var && (cond); var++);
-+
-+#define TRIM(s) { \
-+	char *p; \
-+	for (p = (s) + strlen(s); p > (s) && ISSPACE(p[-1]); p--); \
-+	*p = 0; \
-+    }
-+
-+    if (!vp) {
-+	msg_fatal("%s: unable to open: %s",name,vstring_str(why));
-+    }
-+    vstring_get_nonl(new_name,vp);
-+    vstream_fclose(vp);
-+    SKIP(vstring_str(new_name),ret,ISSPACE(*ret));
-+    ret=mystrdup(ret);
-+    TRIM(ret);
-+    vstring_free(why);
-+    vstring_free(new_name);
-+    return ret;
-+}
-+
- /* mail_params_init - configure built-in parameters */
- 
- void    mail_params_init()
-@@ -563,6 +597,9 @@
-      * Variables that are needed by almost every program.
-      */
-     get_mail_conf_str_table(other_str_defaults);
-+    if (*var_myorigin=='/') {
-+	var_myorigin=read_file(var_myorigin);
-+    }
-     get_mail_conf_int_table(other_int_defaults);
-     get_mail_conf_bool_table(bool_defaults);
-     get_mail_conf_time_table(time_defaults);
-diff -urNad postfix-release/src/global/mkmap_open.c /tmp/dpep.TxugCA/postfix-release/src/global/mkmap_open.c
---- postfix-release/src/global/mkmap_open.c	2004-12-27 22:28:28.643272285 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/global/mkmap_open.c	2004-12-27 22:29:11.318098997 -0700
-@@ -144,7 +144,16 @@
-      */
-     for (mp = mkmap_types; /* void */ ; mp++) {
- 	if (mp->type == 0)
-+#ifndef NO_DYNAMIC_MAPS
-+	{
-+	    static MKMAP_OPEN_INFO oi;
-+	    oi.before_open=dict_mkmap_func(type);
-+	    oi.type=type;
-+	    mp=&oi;
-+	}
-+#else
- 	    msg_fatal("unsupported map type: %s", type);
-+#endif
- 	if (strcmp(type, mp->type) == 0)
- 	    break;
-     }
-diff -urNad postfix-release/src/global/sdbm.c /tmp/dpep.TxugCA/postfix-release/src/global/sdbm.c
---- postfix-release/src/global/sdbm.c	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/global/sdbm.c	2004-12-27 22:29:11.320098567 -0700
+diff -urNad postfix~/src/util/sdbm.c postfix/src/util/sdbm.c
+--- postfix~/src/util/sdbm.c	1969-12-31 17:00:00.000000000 -0700
++++ postfix/src/util/sdbm.c	2006-10-15 20:55:26.000000000 -0600
 @@ -0,0 +1,972 @@
 +/*++
 +/* NAME
@@ -1827,9 +2045,9 @@
 +    return db;
 +}
 +
-diff -urNad postfix-release/src/global/sdbm.h /tmp/dpep.TxugCA/postfix-release/src/global/sdbm.h
---- postfix-release/src/global/sdbm.h	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/global/sdbm.h	2004-12-27 22:29:11.320098567 -0700
+diff -urNad postfix~/src/util/sdbm.h postfix/src/util/sdbm.h
+--- postfix~/src/util/sdbm.h	1969-12-31 17:00:00.000000000 -0700
++++ postfix/src/util/sdbm.h	2006-10-15 20:55:26.000000000 -0600
 @@ -0,0 +1,97 @@
 +/*++
 +/* NAME
@@ -1928,789 +2146,18 @@
 +#define BADMESS                 /* generate a message for worst case:
 +                                   cannot make room after SPLTMAX splits */
 +#endif /* UTIL_SDBM_H */
-diff -urNad postfix-release/src/master/Makefile.in /tmp/dpep.TxugCA/postfix-release/src/master/Makefile.in
---- postfix-release/src/master/Makefile.in	2004-12-27 22:28:28.645271855 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/master/Makefile.in	2004-12-27 22:29:11.320098567 -0700
-@@ -20,7 +20,7 @@
- INC_DIR	= ../../include
- BIN_DIR	= ../../libexec
- 
--.c.o:;	$(CC) $(CFLAGS) -c $*.c
-+.c.o:;	$(CC) `for i in $(LIB_OBJ); do [ $$i = $@ ] && echo -fPIC; done` $(CFLAGS) -c $*.c
- 
- all:	$(PROG) $(LIB)
- 
-@@ -35,12 +35,10 @@
- tests:	test
- 
- $(LIB):	$(LIB_OBJ)
--	$(AR) $(ARFL) $(LIB) $?
--	$(RANLIB) $(LIB)
-+	gcc -shared -Wl,-soname,libpostfix-master.so.1 -o $(LIB) $(LIB_OBJ) $(LIBS) $(SYSLIBS)
- 
- $(LIB_DIR)/$(LIB): $(LIB)
- 	cp $(LIB) $(LIB_DIR)/$(LIB)
--	$(RANLIB) $(LIB_DIR)/$(LIB)
- 
- $(BIN_DIR)/$(PROG): $(PROG)
- 	 cp $(PROG) $(BIN_DIR)
-diff -urNad postfix-release/src/postconf/postconf.c /tmp/dpep.TxugCA/postfix-release/src/postconf/postconf.c
---- postfix-release/src/postconf/postconf.c	2004-12-27 22:28:28.646271640 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/postconf/postconf.c	2004-12-27 22:29:11.321098352 -0700
-@@ -822,6 +822,16 @@
- {
-     ARGV   *maps_argv;
-     int     i;
-+#ifndef NO_DYNAMIC_MAPS
-+    char   *path;
-+    char   *config_dir;
-+
-+    var_config_dir = mystrdup((config_dir = safe_getenv(CONF_ENV_PATH)) != 0 ?
-+			      config_dir : DEF_CONFIG_DIR);	/* XXX */
-+    path = concatenate(var_config_dir, "/", "dynamicmaps.cf", (char *) 0);
-+    dict_open_dlinfo(path);
-+    myfree(path);
-+#endif
- 
-     maps_argv = dict_mapnames();
-     for (i = 0; i < maps_argv->argc; i++)
-diff -urNad postfix-release/src/postmap/postmap.c /tmp/dpep.TxugCA/postfix-release/src/postmap/postmap.c
---- postfix-release/src/postmap/postmap.c	2004-12-27 22:28:28.647271425 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/postmap/postmap.c	2004-12-27 22:29:11.321098352 -0700
-@@ -5,7 +5,7 @@
- /*	Postfix lookup table management
- /* SYNOPSIS
- /* .fi
--/*	\fBpostmap\fR [\fB-Nfinoprvw\fR] [\fB-c \fIconfig_dir\fR]
-+/*	\fBpostmap\fR [\fB-Nfinopruvw\fR] [\fB-c \fIconfig_dir\fR]
- /*	[\fB-d \fIkey\fR] [\fB-q \fIkey\fR]
- /*		[\fIfile_type\fR:]\fIfile_name\fR ...
- /* DESCRIPTION
-@@ -92,6 +92,8 @@
- /* .IP \fB-r\fR
- /*	When updating a table, do not warn about duplicate entries; silently
- /*	replace them.
-+/* .IP \fB-u\fR
-+/*	Upgrade the database to the current version.
- /* .IP \fB-v\fR
- /*	Enable verbose logging for debugging purposes. Multiple \fB-v\fR
- /*	options make the software increasingly verbose.
-@@ -102,7 +104,7 @@
- /*	Arguments:
- /* .IP \fIfile_type\fR
- /*	The database type. To find out what types are supported, use
--/*	the "\fBpostconf -m" command.
-+/*	the "\fBpostconf -m\fR" command.
- /*
- /*	The \fBpostmap\fR command can query any supported file type,
- /*	but it can create only the following file types:
-@@ -484,6 +486,18 @@
-     return (status == 0);
- }
- 
-+/* postmap_upgrade - upgrade a map */
-+
-+static int postmap_upgrade(const char *map_type, const char *map_name)
-+{
-+    DICT   *dict;
-+
-+    dict = dict_open3(map_type, map_name, O_RDWR,
-+			DICT_FLAG_LOCK|DICT_FLAG_UPGRADE);
-+    dict_close(dict);
-+    return (dict != 0);
-+}
-+
- /* usage - explain */
- 
- static NORETURN usage(char *myname)
-@@ -504,6 +518,7 @@
-     int     dict_flags = DICT_FLAG_DUP_WARN | DICT_FLAG_FOLD_KEY;
-     char   *query = 0;
-     char   *delkey = 0;
-+    int     upgrade=0;
-     int     found;
- 
-     /*
-@@ -540,7 +555,7 @@
-     /*
-      * Parse JCL.
-      */
--    while ((ch = GETOPT(argc, argv, "Nc:d:finopq:rvw")) > 0) {
-+    while ((ch = GETOPT(argc, argv, "Nc:d:finopq:ruvw")) > 0) {
- 	switch (ch) {
- 	default:
- 	    usage(argv[0]);
-@@ -554,8 +569,8 @@
- 		msg_fatal("out of memory");
- 	    break;
- 	case 'd':
--	    if (query || delkey)
--		msg_fatal("specify only one of -q or -d");
-+	    if (query || delkey || upgrade)
-+		msg_fatal("specify only one of -q or -d or -u");
- 	    delkey = optarg;
- 	    break;
- 	case 'f':
-@@ -575,14 +590,19 @@
- 	    postmap_flags &= ~POSTMAP_FLAG_SAVE_PERM;
- 	    break;
- 	case 'q':
--	    if (query || delkey)
--		msg_fatal("specify only one of -q or -d");
-+	    if (query || delkey || upgrade)
-+		msg_fatal("specify only one of -q or -d or -u");
- 	    query = optarg;
- 	    break;
- 	case 'r':
- 	    dict_flags &= ~(DICT_FLAG_DUP_WARN | DICT_FLAG_DUP_IGNORE);
- 	    dict_flags |= DICT_FLAG_DUP_REPLACE;
- 	    break;
-+	case 'u':
-+	    if (query || delkey || upgrade)
-+		msg_fatal("specify only one of -q or -d or -u");
-+	    upgrade=1;
-+	    break;
- 	case 'v':
- 	    msg_verbose++;
- 	    break;
-@@ -633,6 +653,21 @@
- 	    optind++;
- 	}
- 	exit(1);
-+    } else if (upgrade) {			/* Upgrade the map(s) */
-+	int success = 1;
-+	if (optind + 1 > argc)
-+	    usage(argv[0]);
-+	while (optind < argc) {
-+	    if ((path_name = split_at(argv[optind], ':')) != 0) {
-+		success &= postmap_upgrade(argv[optind], path_name);
-+	    } else {
-+		success &= postmap_upgrade(var_db_type, path_name);
-+	    }
-+	    if (!success)
-+		exit(1);
-+	    optind++;
-+	}
-+	exit(0);
-     } else {					/* create/update map(s) */
- 	if (optind + 1 > argc)
- 	    usage(argv[0]);
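Review bot: in the upgrade branch, the else arm calls postmap_upgrade(var_db_type, path_name), but that arm is only reached when split_at() returned 0, so path_name is a null pointer there. The map name in that case is argv[optind]; pass that instead. As written, `postmap -u /etc/postfix/foo` without an explicit type prefix hands a null map name to dict_open3().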
-diff -urNad postfix-release/src/util/Makefile.in /tmp/dpep.TxugCA/postfix-release/src/util/Makefile.in
---- postfix-release/src/util/Makefile.in	2004-12-27 22:28:28.648271210 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/util/Makefile.in	2004-12-27 22:29:11.322098138 -0700
-@@ -4,6 +4,7 @@
- 	chroot_uid.c clean_env.c close_on_exec.c concatenate.c ctable.c \
- 	dict.c dict_alloc.c dict_db.c dict_dbm.c dict_debug.c dict_env.c \
- 	dict_cidr.c dict_ht.c dict_ni.c dict_nis.c \
-+	load_lib.c \
- 	dict_nisplus.c dict_open.c dict_pcre.c dict_regexp.c \
- 	dict_static.c dict_tcp.c dict_unix.c dir_forest.c doze.c \
- 	duplex_pipe.c environ.c events.c exec_command.c fifo_listen.c \
-@@ -34,8 +35,8 @@
- 	chroot_uid.o clean_env.o close_on_exec.o concatenate.o ctable.o \
- 	dict.o dict_alloc.o dict_db.o dict_dbm.o dict_debug.o dict_env.o \
- 	dict_cidr.o dict_ht.o dict_ni.o dict_nis.o \
--	dict_nisplus.o dict_open.o dict_pcre.o dict_regexp.o \
--	dict_static.o dict_tcp.o dict_unix.o dir_forest.o doze.o \
-+	dict_nisplus.o dict_open.o dict_regexp.o \
-+	dict_static.o dict_unix.o dir_forest.o doze.o \
- 	duplex_pipe.o environ.o events.o exec_command.o fifo_listen.o \
- 	fifo_trigger.o file_limit.o find_inet.o fsspace.o fullname.o \
- 	get_domainname.o get_hostname.o hex_quote.o host_port.o htable.o \
-@@ -58,10 +59,11 @@
- 	vstream_popen.o vstring.o vstring_vstream.o watchdog.o writable.o \
- 	write_buf.o write_wait.o auto_clnt.o attr_clnt.o attr_scan_plain.o \
- 	attr_print_plain.o sane_connect.o $(STRCASE) neuter.o name_code.o \
--	uppercase.o
-+	uppercase.o load_lib.o
- HDRS	= argv.h attr.h base64_code.h binhash.h chroot_uid.h clean_env.h \
- 	connect.h ctable.h dict.h dict_db.h dict_dbm.h dict_env.h \
- 	dict_cidr.h dict_ht.h dict_ni.h dict_nis.h \
-+	load_lib.h \
- 	dict_nisplus.h dict_pcre.h dict_regexp.h \
- 	dict_static.h dict_tcp.h dict_unix.h dir_forest.h events.h \
- 	exec_command.h find_inet.h fsspace.h fullname.h get_domainname.h \
-@@ -72,7 +74,7 @@
- 	msg_syslog.h msg_vstream.h mvect.h myflock.h mymalloc.h myrand.h \
- 	name_mask.h netstring.h nvtable.h open_as.h open_lock.h \
- 	percentm.h posix_signals.h readlline.h ring.h safe.h safe_open.h \
--	sane_accept.h sane_fsops.h sane_socketpair.h sane_time.h \
-+	sane_accept.h sane_fsops.h sane_socketpair.h sane_time.h load_lib.h \
- 	scan_dir.h set_eugid.h set_ugid.h sigdelay.h spawn_command.h \
- 	split_at.h stat_as.h stringops.h sys_defs.h timed_connect.h \
- 	timed_wait.h trigger.h username.h valid_hostname.h vbuf.h \
-@@ -84,6 +86,8 @@
- CFLAGS	= $(DEBUG) $(OPT) $(DEFS)
- FILES	= Makefile $(SRCS) $(HDRS)
- INCL	=
-+PCRESO  = dict_pcre.so
-+TCPSO   = dict_tcp.so
- LIB	= libutil.a
- TESTPROG= dict_open dup2_pass_on_exec events exec_command fifo_open \
- 	fifo_rdonly_bug fifo_rdwr_bug fifo_trigger fsspace fullname \
-@@ -96,8 +100,9 @@
- 
- LIB_DIR	= ../../lib
- INC_DIR	= ../../include
-+LIBS    = $(LIB_DIR)/$(LIB) $(LIB_DIR)/$(PCRESO) $(LIB_DIR)/$(TCPSO)
- 
--.c.o:;	$(CC) $(CFLAGS) -c $*.c
-+.c.o:;	$(CC) -fPIC $(CFLAGS) -c $*.c
- 
- all: $(LIB)
- 
-@@ -106,15 +111,25 @@
- 
- test:	$(TESTPROG)
- 
-+$(PCRESO): dict_pcre.o
-+	gcc -shared -Wl,-soname,dict_pcre.so -o $@ $? -lpcre -L. -lutil
-+
-+$(TCPSO): dict_tcp.o
-+	gcc -shared -Wl,-soname,dict_tcp.so -o $@ $? -L. -lutil
-+
- $(LIB):	$(OBJS)
--	$(AR) $(ARFL) $(LIB) $?
--	$(RANLIB) $(LIB)
-+	gcc -shared -Wl,-soname,libpostfix-util.so.1 -o $(LIB) $(OBJS) -ldl $(SYSLIBS)
- 
- $(LIB_DIR)/$(LIB): $(LIB)
- 	cp $(LIB) $(LIB_DIR)
--	$(RANLIB) $(LIB_DIR)/$(LIB)
- 
--update: $(LIB_DIR)/$(LIB) $(HDRS)
-+$(LIB_DIR)/$(PCRESO): $(PCRESO)
-+	cp $(PCRESO) $(LIB_DIR)
-+
-+$(LIB_DIR)/$(TCPSO): $(TCPSO)
-+	cp $(TCPSO) $(LIB_DIR)
-+
-+update: $(LIBS) $(HDRS)
- 	-for i in $(HDRS); \
- 	do \
- 	  cmp -s $$i $(INC_DIR)/$$i 2>/dev/null || cp $$i $(INC_DIR); \
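Review bot: the three link rules added here invoke `gcc` directly instead of $(CC), so a build configured with another compiler or a cross toolchain compiles objects with one tool and links with another. Use $(CC) (the .c.o rule in the previous hunk already does). Separately, the $(LIB) rule now produces a shared object with soname libpostfix-util.so.1 while LIB is still set to libutil.a in the context above, so a file named like a static archive is actually an ELF shared library; a distinct variable and file name for the shared build would avoid that confusion.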
-@@ -136,7 +151,8 @@
- 	lint $(SRCS)
- 
- clean:
--	rm -f *.o $(LIB) *core $(TESTPROG) junk $(MAKES) *.tmp
-+	rm -f *.o $(LIB) $(PCRESO) $(TCPSO) *core $(TESTPROG) \
-+		junk $(MAKES) *.tmp
- 	rm -rf printfck
- 
- tidy:	clean
-diff -urNad postfix-release/src/util/dict.h /tmp/dpep.TxugCA/postfix-release/src/util/dict.h
---- postfix-release/src/util/dict.h	2004-12-27 22:28:28.649270995 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/util/dict.h	2004-12-27 22:29:11.323097923 -0700
-@@ -61,6 +61,7 @@
- #define DICT_FLAG_NO_REGSUB	(1<<11)	/* disallow regexp substitution */
- #define DICT_FLAG_NO_PROXY	(1<<12)	/* disallow proxy mapping */
- #define DICT_FLAG_NO_UNAUTH	(1<<13)	/* disallow unauthenticated data */
-+#define DICT_FLAG_UPGRADE	(1<<30) /* Upgrade the db */
- 
- #define DICT_FLAG_PARANOID \
- 	(DICT_FLAG_NO_REGSUB | DICT_FLAG_NO_PROXY | DICT_FLAG_NO_UNAUTH)
-@@ -102,6 +103,11 @@
- extern DICT *dict_open(const char *, int, int);
- extern DICT *dict_open3(const char *, const char *, int, int);
- extern void dict_open_register(const char *, DICT *(*) (const char *, int, int));
-+#ifndef NO_DYNAMIC_MAPS
-+extern void dict_open_dlinfo(const char *path);
-+typedef void* (*dict_mkmap_func_t)(const char *);
-+dict_mkmap_func_t dict_mkmap_func(const char *dict_type);
-+#endif
- 
- #define dict_get(dp, key)	(dp)->lookup((dp), (key))
- #define dict_put(dp, key, val)	(dp)->update((dp), (key), (val))
-diff -urNad postfix-release/src/util/dict_db.c /tmp/dpep.TxugCA/postfix-release/src/util/dict_db.c
---- postfix-release/src/util/dict_db.c	2004-12-27 22:28:28.649270995 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/util/dict_db.c	2004-12-27 22:29:11.323097923 -0700
-@@ -548,6 +548,12 @@
- 	msg_fatal("set DB cache size %d: %m", dict_db_cache_size);
-     if (type == DB_HASH && db->set_h_nelem(db, DICT_DB_NELM) != 0)
- 	msg_fatal("set DB hash element count %d: %m", DICT_DB_NELM);
-+    if (dict_flags & DICT_FLAG_UPGRADE) {
-+	if (msg_verbose)
-+	    msg_info("upgrading database %s",db_path);
-+	if ((errno = db->upgrade(db,db_path,0)) != 0)
-+	    msg_fatal("upgrade of database %s: %m",db_path);
-+    }
- #if (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0)
-     if ((errno = db->open(db, 0, db_path, 0, type, db_flags, 0644)) != 0)
- 	msg_fatal("open database %s: %m", db_path);
-diff -urNad postfix-release/src/util/dict_dbm.c /tmp/dpep.TxugCA/postfix-release/src/util/dict_dbm.c
---- postfix-release/src/util/dict_dbm.c	2004-12-27 22:28:28.650270780 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/util/dict_dbm.c	2004-12-27 22:29:11.323097923 -0700
-@@ -371,6 +371,10 @@
-     char   *dbm_path;
-     int     lock_fd;
- 
-+#ifdef HAVE_GDBM
-+    msg_error("%s: gdbm maps use locking that is incompatible with postfix.  Use a hash map instead.",
-+		 path);
-+#endif
-     /*
-      * Note: DICT_FLAG_LOCK is used only by programs that do fine-grained (in
-      * the time domain) locking while accessing individual database records.
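Review bot: the msg_error() added under HAVE_GDBM fires on every call, before any argument is examined, and then the function carries on and opens the map anyway. If gdbm locking really is incompatible, continuing leaves the map in use with the locking the message warns about; either make this fatal or downgrade it to a one-time warning and document why proceeding is safe. The message should also name the map type that was requested, not just the path.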
-diff -urNad postfix-release/src/util/dict_open.c /tmp/dpep.TxugCA/postfix-release/src/util/dict_open.c
---- postfix-release/src/util/dict_open.c	2004-12-27 22:28:28.650270780 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/util/dict_open.c	2004-12-27 22:29:35.775841614 -0700
-@@ -42,6 +42,10 @@
- /*	dict_open_register(type, open)
- /*	char	*type;
- /*	DICT	*(*open) (const char *, int, int);
-+/*
-+/*	ARGV   *dict_mapnames()
-+/*
-+/*	void (*)() dict_mkmap_func(const char *dict_type)
- /* DESCRIPTION
- /*	This module implements a low-level interface to multiple
- /*	physical dictionary types.
-@@ -135,6 +139,13 @@
- /*	associated data structures.
- /*
- /*	dict_open_register() adds support for a new dictionary type.
-+/*
-+/*	dict_mapnames() returns an ARGV list containing all of the known
-+/*	map types, including dynamic maps.
-+/*
-+/*	dict_mkmap_func() returns a pointer to the mkmap setup function
-+/*	for the given map type, as given in /etc/dynamicmaps.cf
-+/*
- /* DIAGNOSTICS
- /*	Fatal error: open error, unsupported dictionary type, attempt to
- /*	update non-writable dictionary.
-@@ -158,6 +169,9 @@
- #include <strings.h>
- #endif
- 
-+#include <sys/stat.h>
-+#include <unistd.h>
-+
- /* Utility library. */
- 
- #include <argv.h>
-@@ -180,6 +194,27 @@
- #include <split_at.h>
- #include <htable.h>
- 
-+#ifndef NO_DYNAMIC_MAPS
-+#include <load_lib.h>
-+#include <vstring.h>
-+#include <vstream.h>
-+#include <vstring_vstream.h>
-+#include <mvect.h>
-+
-+ /*
-+  * Interface for dynamic map loading.
-+  */
-+typedef struct {
-+    const char  *pattern;
-+    const char  *soname;
-+    const char  *openfunc;
-+    const char  *mkmapfunc;
-+} DLINFO;
-+
-+static DLINFO *dict_dlinfo;
-+static DLINFO *dict_open_dlfind(const char *type);
-+#endif
-+
-  /*
-   * lookup table for available map types.
-   */
-@@ -191,9 +226,11 @@
- static DICT_OPEN_INFO dict_open_info[] = {
-     DICT_TYPE_ENVIRON, dict_env_open,
-     DICT_TYPE_UNIX, dict_unix_open,
-+#ifndef MAX_DYNAMIC_MAPS
- #ifdef SNAPSHOT
-     DICT_TYPE_TCP, dict_tcp_open,
- #endif
-+#endif
- #ifdef HAS_DBM
-     DICT_TYPE_DBM, dict_dbm_open,
- #endif
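Review bot: the guard added around DICT_TYPE_TCP is `#ifndef MAX_DYNAMIC_MAPS`, whereas every other conditional in this patch tests NO_DYNAMIC_MAPS, and MAX_DYNAMIC_MAPS is neither defined nor described anywhere in the visible changes. If this is a deliberate second switch (build tcp and pcre as loadable modules only), document it next to NO_DYNAMIC_MAPS and state how the two interact; if it is a typo, the tcp and pcre entries will silently stay compiled in or drop out depending on a macro nobody sets on purpose.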
-@@ -210,9 +247,11 @@
- #ifdef HAS_NETINFO
-     DICT_TYPE_NETINFO, dict_ni_open,
- #endif
-+#ifndef MAX_DYNAMIC_MAPS
- #ifdef HAS_PCRE
-     DICT_TYPE_PCRE, dict_pcre_open,
- #endif
-+#endif /* MAX_DYNAMIC_MAPS */
- #ifdef HAS_POSIX_REGEXP
-     DICT_TYPE_REGEXP, dict_regexp_open,
- #endif
-@@ -267,8 +306,31 @@
- 
-     if (dict_open_hash == 0)
- 	dict_open_init();
--    if ((dp = (DICT_OPEN_INFO *) htable_find(dict_open_hash, dict_type)) == 0)
--	msg_fatal("unsupported dictionary type: %s", dict_type);
-+    if ((dp = (DICT_OPEN_INFO *) htable_find(dict_open_hash, dict_type)) == 0) {
-+#ifdef NO_DYNAMIC_MAPS
-+	msg_fatal("%s: unsupported dictionary type: %s", myname, dict_type);
-+#else
-+	struct stat st;
-+	LIB_FN fn[2];
-+	DICT *(*open) (const char *, int, int);
-+	DLINFO *dl=dict_open_dlfind(dict_type);
-+	if (!dl)
-+	    msg_fatal("%s: unsupported dictionary type: %s:  Is the postfix-%s package installed?", myname, dict_type, dict_type);
-+	if (stat(dl->soname,&st) < 0) {
-+	    msg_fatal("%s: unsupported dictionary type: %s (%s not found.  Is the postfix-%s package installed?)",
-+		myname, dict_type, dl->soname, dict_type);
-+	}
-+	fn[0].name = dl->openfunc;
-+	fn[0].ptr  = (void**)&open;
-+	fn[1].name = NULL;
-+	load_library_symbols(dl->soname, fn, NULL);
-+	dict_open_register(dict_type, open);
-+	dp = (DICT_OPEN_INFO *) htable_find(dict_open_hash, dict_type);
-+#endif
-+    }
-+    if (msg_verbose>1) {
-+	msg_info("%s: calling %s open routine",myname,dict_type);
-+    }
-     if ((dict = dp->open(dict_name, open_flags, dict_flags)) == 0)
- 	msg_fatal("opening %s:%s %m", dict_type, dict_name);
-     if (msg_verbose)
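Review bot: in the dynamic-map branch, stat(dl->soname, &st) is used only as an existence test and `st` is never looked at again before load_library_symbols() maps the file into the running process. Since the result is already in hand, check that the path is a regular file owned by root and not group- or world-writable before loading it, and fail with msg_fatal() otherwise; the existence check alone adds nothing beyond what dlopen() would report. The pointer returned by the second htable_find() is also dereferenced without a null check.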
-@@ -276,6 +338,36 @@
-     return (dict);
- }
- 
-+dict_mkmap_func_t dict_mkmap_func(const char *dict_type)
-+{
-+    char   *myname="dict_mkmap_func";
-+    struct stat st;
-+    LIB_FN fn[2];
-+    dict_mkmap_func_t mkmap;
-+    DLINFO *dl;
-+#ifndef NO_DYNAMIC_MAPS
-+    if (!dict_dlinfo)
-+	msg_fatal("dlinfo==NULL");
-+    dl=dict_open_dlfind(dict_type);
-+    if (!dl)
-+	msg_fatal("%s: unsupported dictionary type: %s:  Is the postfix-%s package installed?", myname, dict_type, dict_type);
-+    if (stat(dl->soname,&st) < 0) {
-+	msg_fatal("%s: unsupported dictionary type: %s (%s not found.  Is the postfix-%s package installed?)",
-+	    myname, dict_type, dl->soname, dict_type);
-+    }
-+    if (!dl->mkmapfunc)
-+	msg_fatal("%s: unsupported dictionary type: %s does not allow map creation.", myname, dict_type);
-+
-+    fn[0].name = dl->mkmapfunc;
-+    fn[0].ptr  = (void**)&mkmap;
-+    fn[1].name = NULL;
-+    load_library_symbols(dl->soname, fn, NULL);
-+    return mkmap;
-+#else
-+    return (void(*)())NULL;
-+#endif
-+}
-+
- /* dict_open_register - register dictionary type */
- 
- void    dict_open_register(const char *type,
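Review bot: dict_mkmap_func() does not compile cleanly in either configuration. With NO_DYNAMIC_MAPS defined, DLINFO and LIB_FN are not declared (both come from code inside `#ifndef NO_DYNAMIC_MAPS`), yet the locals using them sit outside the conditional, and the `#else` arm returns `(void(*)())NULL` from a function whose return type is dict_mkmap_func_t, i.e. `void *(*)(const char *)`. dict.h also declares the function only when NO_DYNAMIC_MAPS is unset while the definition here is unconditional. Move the declarations inside the conditional, return `(dict_mkmap_func_t) 0` in the fallback, and make the header and definition agree.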
-@@ -302,6 +394,9 @@
-     HTABLE_INFO **ht;
-     DICT_OPEN_INFO *dp;
-     ARGV   *mapnames;
-+#ifndef NO_DYNAMIC_MAPS
-+    DLINFO *dlp;
-+#endif
- 
-     if (dict_open_hash == 0)
- 	dict_open_init();
-@@ -310,11 +405,99 @@
- 	dp = (DICT_OPEN_INFO *) ht[0]->value;
- 	argv_add(mapnames, dp->type, ARGV_END);
-     }
-+#ifndef NO_DYNAMIC_MAPS
-+    if (!dict_dlinfo)
-+	msg_fatal("dlinfo==NULL");
-+    for (dlp=dict_dlinfo; dlp->pattern; dlp++) {
-+	argv_add(mapnames, dlp->pattern, ARGV_END);
-+    }
-+#endif
-     myfree((char *) ht_info);
-     argv_terminate(mapnames);
-     return mapnames;
- }
- 
-+#ifndef NO_DYNAMIC_MAPS
-+#define	STREQ(x,y) (x == y || (x[0] == y[0] && strcmp(x,y) == 0))
-+
-+void dict_open_dlinfo(const char *path)
-+{
-+    char    *myname="dict_open_dlinfo";
-+    VSTREAM *conf_fp=vstream_fopen(path,O_RDONLY,0);
-+    VSTRING *buf = vstring_alloc(100);
-+    char    *cp;
-+    ARGV    *argv;
-+    MVECT    vector;
-+    int      nelm=0;
-+    int      linenum=0;
-+
-+    dict_dlinfo=(DLINFO*)mvect_alloc(&vector,sizeof(DLINFO),3,NULL,NULL);
-+
-+    if (!conf_fp) {
-+	msg_warn("%s: cannot open %s.  No dynamic maps will be allowed.",
-+		myname, path);
-+    } else {
-+	while (vstring_get_nonl(buf,conf_fp) != VSTREAM_EOF) {
-+	    cp = vstring_str(buf);
-+	    linenum++;
-+	    if (*cp == '#' || *cp == '\0')
-+		continue;
-+	    argv = argv_split(cp, " \t");
-+	    if (argv->argc != 3 && argv->argc != 4) {
-+		msg_fatal("%s: Expected \"pattern .so-name open-function [mkmap-function]\" at line %d",
-+			  myname, linenum);
-+	    }
-+	    if (STREQ(argv->argv[0],"*")) {
-+		msg_warn("%s: wildcard dynamic map entry no longer supported.",
-+			  myname);
-+		continue;
-+	    }
-+	    if (argv->argv[1][0] != '/') {
-+		msg_fatal("%s: .so name must begin with a \"/\" at line %d",
-+			  myname, linenum);
-+	    }
-+	    if (nelm >= vector.nelm) {
-+		dict_dlinfo=(DLINFO*)mvect_realloc(&vector,vector.nelm+3);
-+	    }
-+	    dict_dlinfo[nelm].pattern  = mystrdup(argv->argv[0]);
-+	    dict_dlinfo[nelm].soname   = mystrdup(argv->argv[1]);
-+	    dict_dlinfo[nelm].openfunc = mystrdup(argv->argv[2]);
-+	    if (argv->argc==4)
-+		dict_dlinfo[nelm].mkmapfunc = mystrdup(argv->argv[3]);
-+	    else
-+		dict_dlinfo[nelm].mkmapfunc = NULL;
-+	    nelm++;
-+	    argv_free(argv);
-+	}
-+    }
-+    if (nelm >= vector.nelm) {
-+	dict_dlinfo=(DLINFO*)mvect_realloc(&vector,vector.nelm+1);
-+    }
-+    dict_dlinfo[nelm].pattern  = NULL;
-+    dict_dlinfo[nelm].soname   = NULL;
-+    dict_dlinfo[nelm].openfunc = NULL;
-+    dict_dlinfo[nelm].mkmapfunc = NULL;
-+    if (conf_fp)
-+	vstream_fclose(conf_fp);
-+    vstring_free(buf);
-+}
-+
-+static DLINFO *dict_open_dlfind(const char *type)
-+{
-+    DLINFO *dp;
-+
-+    if (!dict_dlinfo)
-+	return NULL;
-+
-+    for (dp=dict_dlinfo; dp->pattern; dp++) {
-+	if (STREQ(dp->pattern,type))
-+	    return dp;
-+    }
-+    return NULL;
-+}
-+
-+#endif /* !NO_DYNAMIC_MAPS */
-+
- #ifdef TEST
- 
-  /*
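Review bot: in dict_open_dlinfo(), the wildcard branch does `continue` after msg_warn() without calling argv_free(argv), so the ARGV from argv_split() leaks for each such line; free it before continuing. Two smaller points in the same loop: the comment test `*cp == '#'` only recognises a '#' in column 0, so an indented comment falls through to the field-count check and aborts with msg_fatal(), and the only validation of the .so path is that it begins with "/". Since every entry in this file names code that will be loaded into Postfix processes, the parser is the right place to state (and check) who may own and write dynamicmaps.cf.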
-diff -urNad postfix-release/src/util/load_lib.c /tmp/dpep.TxugCA/postfix-release/src/util/load_lib.c
---- postfix-release/src/util/load_lib.c	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/util/load_lib.c	2004-12-27 22:29:11.324097708 -0700
-@@ -0,0 +1,135 @@
-+/*++
-+/* NAME
-+/*	load_lib 3
-+/* SUMMARY
-+/*	library loading wrappers
-+/* SYNOPSIS
-+/*	#include <load_lib.h>
-+/*
-+/*	extern int  load_library_symbols(const char *, LIB_FN *, LIB_FN *);
-+/*	const char *libname;
-+/*      LIB_FN     *libfuncs;
-+/*      LIB_FN     *libdata;
-+/*
-+/* DESCRIPTION
-+/*	This module loads functions from libraries, returnine pointers
-+/*	to the named functions.
-+/*
-+/*	load_library_symbols() loads all of the desired functions, and
-+/*	returns zero for success, or exits via msg_fatal().
-+/*
-+/* SEE ALSO
-+/*	msg(3) diagnostics interface
-+/* DIAGNOSTICS
-+/*	Problems are reported via the msg(3) diagnostics routines:
-+/*	library not found, symbols not found, other fatal errors.
-+/* LICENSE
-+/* .ad
-+/* .fi
-+/*	The Secure Mailer license must be distributed with this software.
-+/* AUTHOR(S)
-+/*	LaMont Jones
-+/*	Hewlett-Packard Company
-+/*	3404 Harmony Road
-+/*	Fort Collins, CO 80528, USA
-+/*
-+/*	Wietse Venema
-+/*	IBM T.J. Watson Research
-+/*	P.O. Box 704
-+/*	Yorktown Heights, NY 10598, USA
-+/*--*/
-+
-+/* System libraries. */
-+
-+#include "sys_defs.h"
-+#include <stdlib.h>
-+#include <stddef.h>
-+#include <string.h>
-+#if defined(HAS_DLOPEN)
-+#include <dlfcn.h>
-+#elif defined(HAS_SHL_LOAD)
-+#include <dl.h>
-+#endif
-+
-+/* Application-specific. */
-+
-+#include "msg.h"
-+#include "load_lib.h"
-+
-+extern int  load_library_symbols(const char * libname, LIB_FN * libfuncs, LIB_FN * libdata)
-+{
-+    char   *myname = "load_library_symbols";
-+    LIB_FN *fn;
-+
-+#if defined(HAS_DLOPEN)
-+    void   *handle;
-+    char   *emsg;
-+
-+    handle=dlopen(libname,RTLD_NOW);
-+    emsg=dlerror();
-+    if (emsg) {
-+	msg_fatal("%s: dlopen failure loading %s: %s", myname, libname, emsg);
-+    }
-+
-+    if (libfuncs) {
-+	for (fn=libfuncs; fn->name; fn++) {
-+	    *(fn->ptr) = dlsym(handle,fn->name);
-+	    emsg=dlerror();
-+	    if (emsg) {
-+		msg_fatal("%s: dlsym failure looking up %s in %s: %s", myname,
-+			  fn->name, libname, emsg);
-+	    }
-+	    if (msg_verbose>1) {
-+		msg_info("loaded %s = %lx",fn->name, *((long*)(fn->ptr)));
-+	    }
-+	}
-+    }
-+
-+    if (libdata) {
-+	for (fn=libdata; fn->name; fn++) {
-+	    *(fn->ptr) = dlsym(handle,fn->name);
-+	    emsg=dlerror();
-+	    if (emsg) {
-+		msg_fatal("%s: dlsym failure looking up %s in %s: %s", myname,
-+			  fn->name, libname, emsg);
-+	    }
-+	    if (msg_verbose>1) {
-+		msg_info("loaded %s = %lx",fn->name, *((long*)(fn->ptr)));
-+	    }
-+	}
-+    }
-+#elif defined(HAS_SHL_LOAD)
-+    shl_t   handle;
-+
-+    handle = shl_load(libname,BIND_IMMEDIATE,0);
-+
-+    if (libfuncs) {
-+	for (fn=libfuncs; fn->name; fn++) {
-+	    if (shl_findsym(&handle,fn->name,TYPE_PROCEDURE,fn->ptr) != 0) {
-+		msg_fatal("%s: shl_findsym failure looking up %s in %s: %m",
-+			  myname, fn->name, libname);
-+	    }
-+	    if (msg_verbose>1) {
-+		msg_info("loaded %s = %x",fn->name, *((long*)(fn->ptr)));
-+	    }
-+	}
-+    }
-+
-+    if (libdata) {
-+	for (fn=libdata; fn->name; fn++) {
-+	    if (shl_findsym(&handle,fn->name,TYPE_DATA,fn->ptr) != 0) {
-+		msg_fatal("%s: shl_findsym failure looking up %s in %s: %m",
-+			  myname, fn->name, libname);
-+	    }
-+	    if (msg_verbose>1) {
-+		msg_info("loaded %s = %x",fn->name, *((long*)(fn->ptr)));
-+	    }
-+	}
-+    }
-+
-+#else
-+    msg_fatal("%s: need dlopen or shl_load support for dynamic libraries",
-+		myname);
-+#endif
-+    return 0;
-+}
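Review bot: load_library_symbols() never tests the library handle itself. The dlopen() path infers failure from dlerror() returning a message rather than from `handle == NULL`, and the shl_load() path does not check the return value at all before passing &handle to shl_findsym(). Check the handle directly in both branches and report the failure with msg_fatal() there. The verbose logging also prints `*((long*)(fn->ptr))`, which reinterprets a `void *` slot as a long (and uses %x with a long in the shl_load branch); print the pointer with %p or cast the loaded value explicitly.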
-diff -urNad postfix-release/src/util/load_lib.h /tmp/dpep.TxugCA/postfix-release/src/util/load_lib.h
---- postfix-release/src/util/load_lib.h	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/util/load_lib.h	2004-12-27 22:29:11.324097708 -0700
-@@ -0,0 +1,41 @@
-+#ifndef _LOAD_LIB_H_INCLUDED_
-+#define _LOAD_LIB_H_INCLUDED_
-+
-+/*++
-+/* NAME
-+/*	load_lib 3h
-+/* SUMMARY
-+/*	library loading wrappers
-+/* SYNOPSIS
-+/*	#include "load_lib.h"
-+/* DESCRIPTION
-+/* .nf
-+
-+ /*
-+  * External interface.
-+  */
-+/* NULL name terminates list */
-+typedef struct LIB_FN {
-+    const char *name;
-+    void       **ptr;
-+} LIB_FN;
-+
-+extern int  load_library_symbols(const char *, LIB_FN *, LIB_FN *);
-+
-+/* LICENSE
-+/* .ad
-+/* .fi
-+/*	The Secure Mailer license must be distributed with this software.
-+/* AUTHOR(S)
-+/*	LaMont Jones
-+/*	Hewlett-Packard Company
-+/*	3404 Harmony Road
-+/*	Fort Collins, CO 80528, USA
-+/*
-+/*	Wietse Venema
-+/*	IBM T.J. Watson Research
-+/*	P.O. Box 704
-+/*	Yorktown Heights, NY 10598, USA
-+/*--*/
-+
-+#endif
-diff -urNad postfix-release/src/util/sys_defs.h /tmp/dpep.TxugCA/postfix-release/src/util/sys_defs.h
---- postfix-release/src/util/sys_defs.h	2004-12-27 22:28:28.652270351 -0700
-+++ /tmp/dpep.TxugCA/postfix-release/src/util/sys_defs.h	2004-12-27 22:29:11.325097493 -0700
-@@ -550,11 +550,25 @@
+diff -urNad postfix~/src/util/sys_defs.h postfix/src/util/sys_defs.h
+--- postfix~/src/util/sys_defs.h	2006-08-29 08:17:05.000000000 -0600
++++ postfix/src/util/sys_defs.h	2006-10-15 20:55:26.000000000 -0600
+@@ -655,6 +655,7 @@
+ #define INTERNAL_LOCK	MYFLOCK_STYLE_FLOCK
+ #define DEF_MAILBOX_LOCK "fcntl, dotlock"	/* RedHat >= 4.x */
+ #define HAS_FSYNC
++#define HAS_SDBM
+ #define HAS_DB
+ #define DEF_DB_TYPE	"hash"
+ #define ALIAS_DB_MAP	"hash:/etc/aliases"
+@@ -667,11 +668,25 @@
  #define UNIX_DOMAIN_CONNECT_BLOCKS_FOR_ACCEPT
  #define PREPEND_PLUS_TO_OPTSTRING
  #define HAS_POSIX_REGEXP
@@ -2736,7 +2183,7 @@
  #if __GLIBC__ >= 2 && __GLIBC_MINOR__ >= 1
  #define SOCKADDR_SIZE	socklen_t
  #define SOCKOPT_SIZE	socklen_t
-@@ -620,6 +634,7 @@
+@@ -757,6 +772,7 @@
  #define USE_STATFS
  #define STATFS_IN_SYS_VFS_H
  #define HAS_POSIX_REGEXP
@@ -2744,7 +2191,7 @@
  #define NATIVE_SENDMAIL_PATH "/usr/sbin/sendmail"
  #define NATIVE_MAILQ_PATH "/usr/bin/mailq"
  #define NATIVE_NEWALIAS_PATH "/usr/bin/newaliases"
-@@ -655,6 +670,7 @@
+@@ -794,6 +810,7 @@
  #define USE_STATFS
  #define STATFS_IN_SYS_VFS_H
  #define HAS_POSIX_REGEXP
@@ -2752,7 +2199,7 @@
  #define NATIVE_SENDMAIL_PATH "/usr/sbin/sendmail"
  #define NATIVE_MAILQ_PATH "/usr/bin/mailq"
  #define NATIVE_NEWALIAS_PATH "/usr/bin/newaliases"
-@@ -692,6 +708,7 @@
+@@ -833,6 +850,7 @@
  #define USE_STATFS
  #define STATFS_IN_SYS_VFS_H
  #define HAS_POSIX_REGEXP

Added: postfix/trunk/debian/patches/30hurd.dpatch
===================================================================
--- postfix/trunk/debian/patches/30hurd.dpatch	                        (rev 0)
+++ postfix/trunk/debian/patches/30hurd.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -0,0 +1,115 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 30hurd.dpatch by Marc Dequènes (Duck) <Duck at DuckCorp.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: patches to build on Hurd (buildsys configuration)
+
+ at DPATCH@
+diff -Nur postfix-2.2.9_old/makedefs postfix-2.2.9/makedefs
+--- postfix-2.2.9_old/makedefs	2006-01-03 22:50:25.000000000 +0100
++++ postfix-2.2.9/makedefs	2006-03-11 13:12:49.000000000 +0100
+@@ -259,6 +259,38 @@
+ 		2.[0-3].*) CCARGS="$CCARGS -DNO_IPV6";;
+ 		esac
+ 		;;
++     GNU*)
++     		SYSTYPE=GNU
++		# Postfix no longer needs DB 1.85 compatibility
++		if [ -f /usr/include/db.h ]
++		then
++		    : we are all set
++		elif [ -f /usr/include/db/db.h ]
++		then
++		    CCARGS="$CCARGS -I/usr/include/db"
++		else
++		    # No, we're not going to try db1 db2 db3 etc.
++		    # On a properly installed system, Postfix builds
++		    # by including <db.h> and by linking with -ldb
++		    echo "No <db.h> include file found." 1>&2
++		    echo "Install the appropriate db*-devel package first." 1>&2
++		    echo "See the RELEASE_NOTES file for more information." 1>&2
++		    exit 1
++		fi
++		SYSLIBS="-ldb"
++		for name in nsl resolv
++		do
++		    for lib in /usr/lib64 /lib64 /usr/lib /lib
++		    do
++			test -e $lib/lib$name.a -o -e $lib/lib$name.so && {
++			    SYSLIBS="$SYSLIBS -l$name"
++			    break
++			}
++		    done
++		done
++		# currently no IPv6 support on Hurd
++		CCARGS="$CCARGS -DNO_IPV6"
++		;;
+      IRIX*.5.*)	SYSTYPE=IRIX5
+ 		# Use the native compiler by default
+ 		: ${CC=cc} ${DEBUG="-g3"}
+diff -Nur postfix-2.2.9_old/src/util/sys_defs.h postfix-2.2.9/src/util/sys_defs.h
+--- postfix-2.2.9_old/src/util/sys_defs.h	2006-01-03 22:52:17.000000000 +0100
++++ postfix-2.2.9/src/util/sys_defs.h	2006-03-11 14:29:44.000000000 +0100
+@@ -687,6 +687,62 @@
+ #endif
+ 
+  /*
++  * GNU.
++  */
++#ifdef GNU
++#define SUPPORTED
++#include <sys/types.h>
++#include <features.h>
++#define USE_PATHS_H
++#define HAS_FCNTL_LOCK
++#define INTERNAL_LOCK	MYFLOCK_STYLE_FCNTL
++#define DEF_MAILBOX_LOCK "fcntl, dotlock"	/* RedHat >= 4.x */
++#define HAS_FSYNC
++#define HAS_SDBM
++#define HAS_DB
++#define DEF_DB_TYPE	"hash"
++#define ALIAS_DB_MAP	"hash:/etc/aliases"
++#define HAS_NIS
++#define GETTIMEOFDAY(t)	gettimeofday(t,(struct timezone *) 0)
++#define ROOT_PATH	"/bin:/usr/bin:/sbin:/usr/sbin"
++#define FIONREAD_IN_TERMIOS_H
++#define USE_STATFS
++#define STATFS_IN_SYS_VFS_H
++#define UNIX_DOMAIN_CONNECT_BLOCKS_FOR_ACCEPT
++#define PREPEND_PLUS_TO_OPTSTRING
++#define HAS_POSIX_REGEXP
++#define HAS_DLOPEN
++#define NATIVE_SENDMAIL_PATH "/usr/sbin/sendmail"
++#define NATIVE_MAILQ_PATH "/usr/bin/mailq"
++#define NATIVE_NEWALIAS_PATH "/usr/bin/newaliases"
++#define NATIVE_COMMAND_DIR "/usr/sbin"
++#ifdef DEBIAN
++#define NATIVE_DAEMON_DIR	"/usr/lib/postfix"
++#ifndef DEF_MANPAGE_DIR
++#define DEF_MANPAGE_DIR		"/usr/share/man"
++#endif
++#ifndef DEF_SAMPLE_DIR
++#define DEF_SAMPLE_DIR		"/usr/share/doc/postfix/examples"
++#endif
++#ifndef DEF_README_DIR
++#define DEF_README_DIR		"/usr/share/doc/postfix"
++#endif
++#else
++#define NATIVE_DAEMON_DIR "/usr/libexec/postfix"
++#endif
++#define SOCKADDR_SIZE	socklen_t
++#define SOCKOPT_SIZE	socklen_t
++#ifndef NO_IPV6
++# define HAS_IPV6
++# define HAS_PROCNET_IFINET6
++# define _PATH_PROCNET_IFINET6 "/proc/net/if_inet6"
++#endif
++#define CANT_USE_SEND_RECV_MSG
++#define DEF_SMTP_CACHE_DEMAND	0
++#define HAS_DEV_URANDOM			/* introduced in 1.1 */
++#endif
++
++ /*
+   * HPUX11 was copied from HPUX10, but can perhaps be trimmed down a bit.
+   */
+ #ifdef HPUX11
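Review bot: the GNU block carries Linux-specific leftovers that do not match the rest of this patch. Its `#ifndef NO_IPV6` branch defines HAS_PROCNET_IFINET6 and _PATH_PROCNET_IFINET6 as "/proc/net/if_inet6", but the makedefs hunk above always adds -DNO_IPV6 for GNU with the comment "currently no IPv6 support on Hurd", so that branch can never be compiled. The comments "RedHat >= 4.x" on DEF_MAILBOX_LOCK and "introduced in 1.1" on HAS_DEV_URANDOM also read as copied from the Linux section. Suggest dropping the dead IPv6 branch and replacing the inherited comments with ones that describe the Hurd, so a later reader does not take these settings as verified on that platform.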

Modified: postfix/trunk/debian/patches/40-kolab-ldap-leafonly.dpatch
===================================================================
--- postfix/trunk/debian/patches/40-kolab-ldap-leafonly.dpatch	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/patches/40-kolab-ldap-leafonly.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -11,35 +11,35 @@
 +++ ./src/global/dict_ldap.c    2005-07-19 02:46:30.000000000 +0200
 @@ -60,6 +60,10 @@
  /* .IP special_result_attribute
- /*     The attribute(s) of directory entries that can contain DNs or URLs.
- /*     If found, a recursive subsequent search is done using their values.
+ /*	The attribute(s) of directory entries that can contain DNs or URLs.
+ /*	If found, a recursive subsequent search is done using their values.
 +/* .IP exclude_internal
 +/*      Used in conjunction with \fIspecial_result_attribute\fR. If set to
 +/*      yes, only matching objects without \fIspecial_result_attribute\fR
 +/*      attributes are included in the result. The default is no.
  /* .IP scope
- /*     LDAP search scope: sub, base, or one.
+ /*	LDAP search scope: sub, base, or one.
  /* .IP bind
-@@ -226,6 +230,7 @@ typedef struct {
+@@ -229,6 +233,7 @@
      char   *search_base;
      ARGV   *result_attributes;
-     int     num_attributes;            /* rest of list is DN's. */
+     int     num_attributes;		/* rest of list is DN's. */
 +    int     exclude_internal;
      int     bind;
      char   *bind_dn;
      char   *bind_pw;
-@@ -717,6 +722,7 @@ static void dict_ldap_get_values(DICT_LD
-     char   *myname = "dict_ldap_get_values";
-     struct timeval tv;
+@@ -767,6 +772,7 @@
+     int     valcount;
      LDAPURLDesc *url;
+     const char *myname = "dict_ldap_get_values";
 +    int     is_leaf;
-
-     tv.tv_sec = dict_ldap->timeout;
-     tv.tv_usec = 0;
-@@ -744,6 +750,27 @@ static void dict_ldap_get_values(DICT_LD
-                     dict_ldap->size_limit);
-            dict_errno = DICT_ERR_RETRY;
-        }
+ 
+     if (++recursion == 1)
+ 	expansion = 0;
+@@ -791,6 +797,28 @@
+ 		     dict_ldap->size_limit);
+ 	    dict_errno = DICT_ERR_RETRY;
+ 	}
 +
 +       /*
 +        * The number of ordinary attributes is "num_attributes". We run through
@@ -61,28 +61,29 @@
 +               }
 +           }
 +       }
-        for (attr = ldap_first_attribute(dict_ldap->ld, entry, &ber);
-             attr != NULL;
-             ldap_memfree(attr), attr = ldap_next_attribute(dict_ldap->ld,
-@@ -791,6 +818,7 @@ static void dict_ldap_get_values(DICT_LD
-             */
-            if (i < dict_ldap->num_attributes) {
-                /* Ordinary result attribute */
-+               if(is_leaf) {
-                for (i = 0; vals[i] != NULL; i++) {
-                    if (db_common_expand(dict_ldap->ctx,
-                                         dict_ldap->result_format, vals[i],
-@@ -809,6 +837,7 @@ static void dict_ldap_get_values(DICT_LD
-                    msg_info("%s[%d]: search returned %ld value(s) for"
-                             " requested result attribute %s",
-                             myname, recursion, i, attr);
-+               }
-            } else if (recursion < dict_ldap->recursion_limit
-                       && dict_ldap->result_attributes->argv[i]) {
-                /* Special result attribute */
-@@ -1351,6 +1380,11 @@ DICT   *dict_ldap_open(const char *ldaps
++
+ 	for (attr = ldap_first_attribute(dict_ldap->ld, entry, &ber);
+ 	     attr != NULL;
+ 	     ldap_memfree(attr), attr = ldap_next_attribute(dict_ldap->ld,
+@@ -840,6 +868,7 @@
+ 	     */
+ 	    if (i < dict_ldap->num_attributes) {
+ 		/* Ordinary result attribute */
++		if(is_leaf) {
+ 		for (i = 0; i < valcount; i++) {
+ 		    if (db_common_expand(dict_ldap->ctx,
+ 					 dict_ldap->result_format,
+@@ -859,6 +888,7 @@
+ 		    msg_info("%s[%d]: search returned %ld value(s) for"
+ 			     " requested result attribute %s",
+ 			     myname, recursion, i, attr);
++		}
+ 	    } else if (recursion < dict_ldap->recursion_limit
+ 		       && dict_ldap->result_attributes->argv[i]) {
+ 		/* Special result attribute */
+@@ -1395,6 +1425,11 @@
      myfree(attr);
-
+ 
      /*
 +     * get configured value of "exclude_internal", default to no
 +     */
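Review bot: in the refreshed @@ -840 and @@ -859 hunks, `if(is_leaf) {` and its closing `}` are wrapped around the existing value loop and the msg_info() call without re-indenting either, so the scope of the new condition is invisible when reading the patched dict_ldap.c. Re-indent the enclosed block, or invert the test and skip the attribute early, and write it as `if (is_leaf) {` to match the surrounding style. The comment block added in the @@ -791 hunk is indented with spaces while the context lines around it use tabs; keeping the file's tab indentation would make the next refresh against upstream smaller.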

Deleted: postfix/trunk/debian/patches/50tls.dpatch
===================================================================
--- postfix/trunk/debian/patches/50tls.dpatch	2008-05-02 10:29:40 UTC (rev 836)
+++ postfix/trunk/debian/patches/50tls.dpatch	2008-05-02 10:36:05 UTC (rev 837)
@@ -1,30277 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 50tls.dpatch by LaMont Jones <lamont at debian.org>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: No description.
-
- at DPATCH@
-diff -urNad postfix-release/conf/postfix-files /tmp/dpep.cXJuVH/postfix-release/conf/postfix-files
---- postfix-release/conf/postfix-files	2005-02-03 10:22:12.216284906 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/conf/postfix-files	2005-02-03 10:22:12.846144411 -0700
-@@ -81,6 +81,7 @@
- $daemon_directory/smtp:f:root:-:755
- $daemon_directory/smtpd:f:root:-:755
- $daemon_directory/spawn:f:root:-:755
-+$daemon_directory/tlsmgr:f:root:-:755
- $daemon_directory/trivial-rewrite:f:root:-:755
- $daemon_directory/verify:f:root:-:755
- $daemon_directory/virtual:f:root:-:755
-@@ -173,6 +174,7 @@
- $manpage_directory/man8/smtp.8:f:root:-:644
- $manpage_directory/man8/smtpd.8:f:root:-:644
- $manpage_directory/man8/spawn.8:f:root:-:644
-+$manpage_directory/man8/tlsmgr.8:f:root:-:644
- $manpage_directory/man8/trace.8:f:root:-:644
- $manpage_directory/man8/trivial-rewrite.8:f:root:-:644
- $manpage_directory/man8/verify.8:f:root:-:644
-@@ -184,6 +186,7 @@
- $sample_directory/sample-debug.cf:f:root:-:644:o
- $sample_directory/sample-filter.cf:f:root:-:644:o:o
- $sample_directory/sample-flush.cf:f:root:-:644:o
-+$sample_directory/sample-ipv6.cf:f:root:-:644:o
- $sample_directory/sample-ldap.cf:f:root:-:644:o
- $sample_directory/sample-lmtp.cf:f:root:-:644:o
- $sample_directory/sample-local.cf:f:root:-:644:o
-@@ -204,6 +207,7 @@
- $sample_directory/sample-scheduler.cf:f:root:-:644:o
- $sample_directory/sample-smtp.cf:f:root:-:644:o
- $sample_directory/sample-smtpd.cf:f:root:-:644:o
-+$sample_directory/sample-tls.cf:f:root:-:644:o
- $sample_directory/sample-transport.cf:f:root:-:644:o
- $sample_directory/sample-verify.cf:f:root:-:644:o
- $sample_directory/sample-virtual.cf:f:root:-:644:o
-@@ -222,6 +226,7 @@
- $readme_directory/FILTER_README:f:root:-:644
- $readme_directory/HOSTING_README:f:root:-:644:o
- $readme_directory/INSTALL:f:root:-:644
-+$readme_directory/IPV6_README:f:root:-:644
- $readme_directory/LDAP_README:f:root:-:644
- $readme_directory/LINUX_README:f:root:-:644
- $readme_directory/LMTP_README:f:root:-:644
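Review bot: A patch named 50tls.dpatch whose header says only `## DP: No description.` also registers IPv6 files in these postfix-files hunks (`sample-ipv6.cf`, `IPV6_README`), so deleting it removes more than TLS support. The commit message should say where the IPv6 pieces go, and whichever patch replaces this one should carry a real `## DP:` description so the next reviewer can tell what it contains.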
-diff -urNad postfix-release/IPv6-ChangeLog /tmp/dpep.cXJuVH/postfix-release/IPv6-ChangeLog
---- postfix-release/IPv6-ChangeLog	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/IPv6-ChangeLog	2005-02-03 10:22:12.847144188 -0700
-@@ -0,0 +1,470 @@
-+ChangeLog for Dean Strik's IPv6 patch for Postfix. The patch is based on
-+PLD's patch, which in turn seems to be based on KAME's. For more information:
-+
-+	http://www.ipnet6.org/postfix/
-+
-+---------------------------------------------------------------------
-+
-+Version 1.24	Postfix release 2.1.1
-+		Postfix release 2.0.20
-+		Postfix snapshot 2.0.19-20040312
-+		Postfix snapshot 2.2-20040504
-+
-+	Bugfix: Prefixlen non-noll host portion validation (in CIDR maps
-+	for example) yielded incorrect results sometimes because signed
-+	arithmetic was used instad of unsigned.
-+	File: util/match_ops.c
-+
-+	Patch correction: The TLS+IPv6 patch for Postfix 2.1.0 missed
-+	the master.cf update (used for new installattions). Added it
-+	back.
-+
-+Version 1.23	Postfix release 2.1.0
-+		Postfix release 2.0.20
-+		Postfix snapshot 2.0.19-20040312
-+
-+	Patch fixes: Several code fixes to make the patch compile
-+	and work correctly when compiled without IPv6 support.
-+
-+	Bugfix (Solaris only?): address family length was not updated
-+	which could cause client hostname validation errors.
-+	File: smtpd/smtpd_peer.c
-+
-+	Portability: added support for Darwin 7.3+. This may need
-+	some further testing.
-+
-+	Cleanup: Restructure and redocument interface address
-+	retrieval functions. (This reduced the number of preprocessor
-+	statements from 99 to 93 ;)
-+	File: util/inet_addr_local.c
-+
-+	Cleanup: make several explicit casts to have compilers shut
-+	their pie holes about uninteresting things.
-+
-+Version 1.22	Postfix release 2.0.19
-+		Postfix snapshot 2.0.19-20040312
-+
-+	Feature: Support "inet_interfaces = IPv4:all" and
-+	"inet_interfaces = IPv6:all", to restrict postfix to use
-+	either IPv4-only or IPv6-only. A more complete implementation
-+	will be part of a future patch. (Slightly modified) patch by
-+	Michal Ludvig, SuSE.
-+	Files: util/interfaces_to_af.[ch], util/inet_addr_local.c,
-+	global/own_inet_addr.c, global/wildcard_inet_addr.[ch],
-+	master/master_ent.ch
-+
-+	Bugfix: In Postfix snapshots, a #define was misplaced with
-+	the effect that IPv6 subnets were not included in auto-
-+	generated $mynetworks (i.e., mynetworks not defined in main.cf,
-+	when also mynetworks_style=subnet) on Linux 2.x systems.
-+	File: utils/sys_defs.h
-+
-+Version 1.21a	Postfix snapshots 2.0.18-2004{0122,0205,0209}
-+				  2.0.19-20040312
-+
-+	TLS/snapshot version: Update TLS patch to 0.8.18-20040122.
-+	Performed as a total repatch. 0.8.18 is cleaner with tls_*
-+	variables if TLS is not actually compiled in.
-+
-+Version 1.21	Postfix releases 2.0.18 - 2.0.19
-+		Postfix snapshot 2.0.16-20031231
-+
-+	Bugfix: The SMTP client could fail to setup a connection,
-+	erroring with a bogus "getaddrinfo(...): hostname nor servname
-+	provided" warning, because the wrong address was selected.
-+	File: smtp/smtp_connect.c
-+
-+	Safety: in dynamically growing data structures, update the
-+	length info after (instead of before) updating the data size.
-+	File: util/inet_addr_list.c
-+
-+Version 1.20	Postfix release 2.0.16
-+		Postfix snapshot 2.0.16-20031207
-+
-+	Bugfix: The SMTP client would abort when binding to specific
-+	IPv6 addresses.
-+	File: smtp/smtp_connect.c
-+
-+	Synchronisation/bugfix: LMTP source address binding is identical
-+	to the SMTP source binding setup, avoiding the need for
-+	lmtp_bind_address(6) if inet_interfaces is set to a single
-+	host for an address family.
-+	File: lmtp/lmtp_connect.c
-+
-+Version 1.19	Postfix release 2.0.16
-+		Postfix snapshot 2.0.16-20031207
-+
-+	Bugfix: Synchronisation of TLS patches in snapshots of 1.18[ab]
-+	was not complete, causing a crash of smtpd if used with the new
-+	proxy agent.
-+	File: smtpd/smtpd.c
-+
-+	Bugfix: SMTP source address binding based on a single hostname
-+	in inet_interfaces did not work since the code counted IPv4 and
-+	IPv6 addresses instead of only the used address family. Fixed,
-+	thereby no longer requiring exact specification of
-+	smtp_bind_address(6) in this case.
-+	File: smtp/smtp_connect.c
-+
-+	Bugfix: The QMQP sink server did not compile correctly. This
-+	program, part of smtpstone tools, is not compiled or installed
-+	by default.
-+	File: smtpstone/qmqp-sink.c
-+
-+	Bugfix: NI_WITHSCOPEID was not correctly defined everywhere,
-+	which could result in EAI_BADFLAGS. Changed location of
-+	definition to correct it.
-+	Files: util/sys_defs.h, util/inet_addr_list.h
-+
-+Version 1.18b	Postfix snapshot 2.0.16-20030921
-+
-+	IPv6 support: Added IPv6-enabled code to the new snapshot
-+	check_*_{ns,mx}_access restrictions.
-+	File: smtpd/smtpd_check.c
-+
-+Version 1.18a	Postfix release 2.0.16
-+
-+	Update (TLS patches): Updated Lutz Jaenicke's TLS patch to
-+	version 0.8.16. See pfixtls/ChangeLog for details.
-+	Diff contributed by Tuomo Soini.
-+
-+	The TLS+IPv6 patch now contains the original TLS patch
-+	documentation from Lutz Jaenicke.
-+
-+Version 1.18	Postfix releases 2.0.14 - 2.0.15
-+		Postfix snapshot 2.0.14-20030812
-+
-+	Bugfix: Perform actual hostname verification in the SMTP
-+	and QMTP servers. This was never supported in the IPv6
-+	patch. Reported by Wolfgang S. Rupprecht.
-+	Files: smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c
-+
-+	IPv6 address ranges using address/prefixlength (e.g. in
-+	mynetworks and access maps) should be written as
-+	[ipv6:addr:ess]/plen (e.g. [fec0:10:20::]/48). The old
-+	supported syntax, [ipv6:addr:ess/plen] is deprecated and
-+	support will be removed in a later version.
-+	Thanks to Dr. Peter Bieringer and Pekka Savola for discussion.
-+	Files: util/match_ops.c, global/mynetworks.c
-+
-+	Explicitly prefer IPv6 over IPv4 addresses when delivering
-+	to a host when MX lookups are disabled when SMTP address
-+	randomization is on (default).
-+	File: smtp/smtp_addr.c
-+
-+	Compliance: write IPv6 address literals in mail headers 
-+	as [IPv6:addr] instead of [addr] as per RFC 2821:4.1.3
-+	tagging requirement, for example [IPv6:fec0:10:20::1].
-+	Pointed out by Dr. Peter Bieringer.
-+	Files: smtpd/smtpd{,_peer,_state}.c, smtpd/smtpd.h
-+
-+Version 1.17	Postfix release 2.0.13, 2.0.14
-+		Postfix snapshot 2.0.13-20030706, 2.0.14-20030812
-+
-+	Bugfix: Two memory allocation/deallocation bugs were
-+	introduced in patch 1.16. The impact of these bugs could
-+	be 'arbitrary' memory corruption.
-+	File: util/match_ops.c
-+
-+Version 1.16	Postfix release 2.0.13
-+		Postfix snapshot 2.0.13-20030706
-+
-+	Cleanup: rewrote match_ops.c. This rewrite is partly based on
-+	patch by Takahiro Igarashi. The rewrite enables some better
-+	handling of scoped addresses, and drops all GPL code from the
-+	patch, easying license considerations. Also, allowed for
-+	use of this code by the CIDR maps.
-+	Files: util/match_ops.[ch]
-+
-+	Bugfix: correctly relay for scoped unicast addresses when
-+	applicable. Until now, while Postfix was able to recognize
-+	scoped addresses, it was not able to see e.g. fe80::10%fxp0
-+	as local in mynetworks validation.  KAME-only code.
-+	(I've never heard of people using scoped addresses (think
-+	link-local addresses) for mail relaying though...)
-+	Files: util/inet_addr_list.[ch]
-+
-+	Feature (snapshot only): rewrote CIDR maps code to support
-+	IPv6 addresses, using new match_ops code. Allow the use
-+	of [::/0] since it allows one to easily disable further
-+	checks for IPv6 addresses.
-+	File: util/dict_cidr.c
-+
-+	Consistency: require IPv6 addresses in inet_interfaces to
-+	be enclosed in square brackets.
-+	File: util/inet_addr_host.c
-+
-+	Bugfix: (Linux2-only) A #define was misspelled. This could
-+	lead to Postfix being unable to read the system's local IPv6
-+	addresses (e.g. when using inet_interfaces).
-+	Spotted by Jochen Friedrich.
-+	File: util/sys_defs.h
-+
-+	Cleanup: require non-null host portion in CIDR /
-+	prefixlength notations for IPv6 (was IPv4-only).
-+
-+Version 1.15a	Postfix release 2.0.13
-+
-+	Update (TLS patches): Updated Lutz Jaenicke's TLS patch
-+	to version 0.8.15. This version introduces new options
-+	for managing SASL mechanisms. More information at:
-+	http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/
-+	Diff contributed by Tuomo Soini.
-+
-+Version 1.15	Postfix release 2.0.12, 2.0.13
-+		Postfix snapshot 2.0.12-20030621
-+
-+	Bugfix (TLS-snapshots only): a change in Postfix snapshot
-+	2.0.11-20030609 broke initialisation of TLS in smtpd,
-+	causing TLS to both be unadvertised and unaccepted.
-+	This was fixed again by reordering initialisation.
-+	File: smtpd/smtpd.c
-+
-+	Update (TLS patches): Updated Lutz Jaenicke's TLS patch
-+	to version 0.8.14. This version introduces a few fixes and
-+	uses USE_SSL instead of HAS_SSL. More information at:
-+	http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/
-+	Diff contributed by Tuomo Soini.
-+
-+	Bugfix (Postfix releases only - this was already added to
-+	the snapshots in patch 1.14). KAME derived systems only.
-+	Correctly decode scoped addresses, including network
-+	interface specifiers.
-+	File: util/inet_addr_local.c
-+
-+Version 1.14	Postfix releases 2.0.9, 2.0.10, 2.0.11, 2.0.12
-+		Postfix snapshots 2.0.9-20030424, 2.0.10-20030521,
-+				  2.0.11-20030609, 2.0.12-20030611
-+
-+	Patch change: made the patch available as an IPv6-only
-+	patch (i.e., without the TLS code). This on popular
-+	request by users and packagers.
-+	A TLS+IPv6 version is still available of course.
-+
-+	Bugfix: correctly decode scoped addresses from now on
-+	(KAME derived systems only). I think the original code
-+	was written by Itojun, so I'm rather puzzled that it
-+	didn't work...
-+	File: util/inet_addr_local.c
-+
-+	Bugfix/portability: Recent KAME snapshots return both
-+	TCP and SCTP address information on getaddrinfo() if
-+	no protocol was specified. This causes the socket counts
-+	to be wrong, confusing child processes.
-+	Merged patch by JINMEI Tatuya of KAME to fix this.
-+	Files: master/master.h, master/master_{ent,conf}.[ch],
-+		util/inet_listen.c
-+
-+	Documentation: added an IPV6_README file to the patch.
-+	This file contains the primary documentation. Also,
-+	added a sample-ipv6.cf to describe the (currently few)
-+	IPv6 related main.cf parameters.
-+
-+	Bugfix: the netmask structures for the *unsupported*
-+	platforms (boldly assume /64) were added to the wrong
-+	list (addresses instead of masks). This bug did not affect
-+	any supported platform though.
-+	File: util/inet_addr_local.c
-+
-+	Portability: added support for HP/Compaq Tru64Unix V5.1
-+	and later. (compiled with CompaqCC only).
-+	Thanks to Sten Spans for providing root access to an
-+	IPv6-connected Tru64 testing machine.
-+
-+Version 1.13	Postfix releases 2.0.4 - 2.0.9
-+		Postfix snapshots 2.0.3-20030126 - 2.0.7-20030319
-+
-+	Bugfix: Due to a missing storage pointer, DNS lookup
-+	results in the permit_mx_backups code were not processed,
-+	and smtpd would likely crash.
-+	Thanks to Wouter de Jong for reporting the crashes.
-+	File: smtpd/smtpd_check.c
-+
-+	Incompatible change: The addresses given to the parameters
-+	smtp_bind_address6 and lmtp_bind_address6 now need to be
-+	enclosed in square brackets for consistency.
-+	Files: [ls]mtp/[ls]mtp_connect.c
-+
-+Version 1.12	Postfix releases 2.0.2, 2.0.3
-+		Postfix snapshots 2.0.2-20030115, 2.0.3-20030126
-+
-+	Bugfix/workaround (Solaris): A simplified comparison
-+	function for Solaris' qsort() function, would result
-+	in corruption of network addresses in the SMTP client.
-+	Fixed. Reported with possible fix by Edvard Tuinder.
-+	File: smtp/smtp_addr.c
-+
-+Version 1.11	Postfix releases 2.0.0.x, 2.0.1, 2.0.2
-+		Postfix snapshots 2.0.0-20030105, 2.0.1-20030112
-+			2.0.2-20030115
-+
-+	Bugfix (Solaris): Properly initialize lifconf structure
-+	when requesting host interface addresses. If you get
-+	warnings about SIOCGLIFCONF with earlier versions,
-+	please upgrade.
-+	File: util/inet_addr_local.c
-+
-+	Patch fix: fixed compilation errors in case the patch is
-+	applied but built without IPv6 support (i.e., on unsupported
-+	platforms).
-+
-+Version 1.10	Postfix snapshots 1.1.12-200212{19,21}
-+		Postfix releases 2.0.0, 2.0.0.{1,2}
-+		Postfix snapshots 2.0.0-20021223 - 2.0.0-20030101
-+
-+	'Bugfix': don't show spurious warnings on Linux systems
-+	about missing /proc/net/if_inet6 unless verbose mode
-+	is enabled.
-+	File: util/inet_addr_local.c
-+
-+	Bugfix: If unable to create a socket for a specific adress
-+	in the SMTP client (e.g., when trying to create an IPv6
-+	connection while the local host has no configured IPv6
-+	addresses), then stop the attempt.
-+	File: smtp/smtp_connect.c
-+
-+	Small bugfix: never query DNS for <localpart@[domain.tld]>.
-+	This syntax now correctly generates an error immediately.
-+	File: global/resolve_local.c
-+
-+	Updated TLS patch to 0.8.12-1.1.12-20021219-0.9.6h, fixing
-+	a bug with "sendmail -bs".
-+
-+Version 1.9	Postfix version 1.1.11-20021115
-+		Postfix version 1.1.12-2002{1124,1209-1213}
-+
-+	Bugfix: with getifaddrs() code (*BSD, linux-USAGI), IPv4
-+	netmasks were set to /32 effectively. Work around broken
-+	netmask data structures (*BSD only perhaps).
-+
-+	Bugfix: same data corruption in another place created
-+	entirely wrong IPv4 netmasks. Work around broken
-+	SIOCGIFNETMASK structure.
-+
-+	New code was added for correct IPv6 netmasks. The original
-+	code did not contain IPv6 netmask support at all!
-+	For Solaris, use SIOCGLIF*; Linux: /proc/net/if_inet6.
-+	Getifaddrs() support is used otherwise. This should cover
-+	all supported systems. Other systems also work, prefix
-+	length is always set to /64 then.
-+
-+	Since there are no classes (context: Class A, class B etc
-+	networks) with IPv6, default to IPv6 subnet style if the
-+	mynetworks style is 'class'. I recommend against this style
-+	anyway.
-+
-+	Added support to display IPv6 nets mynetworks output.
-+
-+Version 1.8	Postfix version 1.1.11-200211{01,15}
-+
-+	An earlier author of the patch made a typo in the GAI_STRERROR()
-+	macro, resulting in bogus error messages when checking for
-+	PTR records. Fixed.
-+
-+	IPv4-mapped addresses in the smtpd are converted to true IPv4
-+	addresses just after the connection has been made. This means
-+	that all IPv4-mapped addresses are now logged as true IPv4
-+	addresses. Hence beside RBL checks, also access maps now treat
-+	IPv4-mapped addresses as native IPv4. Note that ::ffff:...
-+	entries in your access tables will no longer work.
-+
-+	You can now specify IPv6 'parent' networks in your access maps,
-+	e.g. to reject all mail from 3ffe:200:... nodes, add the line
-+		3ffe:200	REJECT
-+	Use of trailing colons is discouraged because postmap will
-+	warn about it possibly being an alias...
-+	NOTE: I'll soon obsolete this again in favor of the more
-+	common address/len notation. This was just so trivial to add
-+	that it didn't hurt and I needed it :)
-+
-+	For easy reference, the version of the TLS/IPv6 patch can be
-+	dynamically queried using the  tls_ipv6_version  variable.
-+	This gives the short version (like, "1.8").
-+
-+	The service bind address for 'inet' sockets in master.cf (e.g.,
-+	smtpd), must be enclosed in square brackets '[..]' for IPv6
-+	addresses. The old style (without brackets) still works but is
-+	unsupported and may be removed in the future. Example
-+	    [::1]:smtp inet n - n - - smtpd
-+
-+Version 1.7	Postfix version 1.1.11-20021029 - 1.1.11-20021101
-+
-+	Postfix' SMTP client performs randomization of MX addresses
-+	when sending mail. This however could result in A records
-+	being used before AAAA records. This has been corrected.
-+
-+	Note that from Postfix version 1.1.11-20021029 on, there is
-+	a  proxy_interfaces  parameter. This has of course not been
-+	ported to IPv6 addresses...
-+
-+Version 1.6	Postfix version 1.1.11-20020928
-+
-+	Added IPv6 support for backup_mx_networks feature; also the
-+	behaviour when DNS lookups fail when checking whether the
-+	local host is an MX for a domain conforms to the IPv4 case:
-+	defer rather than allow.
-+
-+Version 1.5	Postfix version 1.1.11-20020917
-+
-+	I introduced two bugs when I rewrote my older LMTP IPv6 patch.
-+	These bugs effectively rendered LMTP useless. Now fixed.
-+	Bugs spotted by Kaj Niemi.
-+
-+	Now supports Solaris 8 and 9. Due to lack of testing equipment,
-+	this has been only tested in production on Solaris 9, both
-+	with gcc and the Sun Workshop Compiler.
-+
-+Version 1.4	Postfix version 1.1.11-20020822 - 1.1.11-20020917
-+
-+	OpenBSD (>=200003) and FreeBSD release 4 and up now use
-+        getifaddrs(). This makes for cleaner code. The old code
-+	seems to be bug-ridden anyway.
-+
-+	Got rid of some compiler warnings. Should be cleaner on
-+	Alpha as well now. Thanks to Sten Spans for providing me
-+	access to an Alpha running FreeBSD4.
-+
-+	Fixed an old bug in smtpd memory alloation if you compiled
-+	without IPv6 support (the wrong buffer size was used. This
-+	was harmless for IPv6-enabled compiles since the sizes were
-+	equal then).
-+
-+	Added ChangeLog to the patch (as IPv6-ChangeLog) (this
-+	was absent in 1.3 contrary to docs).
-+
-+Version 1.3	Postfix version 1.1.11-20020613 - 1.1.11-20020718
-+
-+	FYI: In postfix version 1.1.11-20020718, DNS lookups for
-+	AAAA can be done natively. The code matches the code in
-+	the patch (though the #ifdef changed from INET6 to T_AAAA).
-+	This change causes the patch for 1.1.11-20020718 to be a
-+	bit smaller.
-+
-+Version 1.2	Postfix version 1.1.11-20020613
-+
-+	Added IPv6 support for the LMTP client.
-+
-+	Added lmtp_bind_address and lmtp_bind_address6 parameters,
-+	similar to those for smtp.
-+
-+	Added IPv6 support for the QMQP server.
-+
-+Version 1.1	Postfix version 1.1.11-20020602 - 1.1.11-20020613
-+
-+	Added parameter smtp_bind_address6. By using this parameter,
-+	it is possible to bind to an IPv6 address, independently of
-+	IPv4 address binding.
-+
-+	Lutz fixed a bug in his TLS patch regarding SASL. Incorporated.
-+
-+Version 1.0.x	Postfix version 1.1.8-20020505 - 1.1.11-20020602
-+
-+	Patch derived from PLD's IPv6 patch for Postfix, revision 1.10
-+	which applied to early Postfix snapshots 1.1.x. Updated this
-+	patch to apply to 1.1.8-20020505.
-+
-+	Added compile-time checks for SS_LEN. Some Linux installations,
-+	and maybe other systems, do define SA_LEN, but not SS_LEN.
-+
-+	Several updates of postfix snapshots.
-+
-diff -urNad postfix-release/makedefs /tmp/dpep.cXJuVH/postfix-release/makedefs
---- postfix-release/makedefs	2005-02-03 10:22:12.217284683 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/makedefs	2005-02-03 10:22:12.847144188 -0700
-@@ -327,6 +327,33 @@
- 		;;
- esac
- 
-+# Check for IPv6 support
-+
-+if [ -z "$NO_IPV6" ] ; then
-+if [ -f /usr/include/netinet6/in6.h ] ; then
-+	grep __KAME__ /usr/include/netinet6/in6.h 2>&1 >/dev/null
-+	if [ $?  = 1 ]; then
-+		INET6=
-+	else
-+		if [ -f /usr/local/v6/lib/libinet6.a ]; then
-+			INET6=kame
-+		else
-+			INET6=kame-merged
-+		fi
-+	fi
-+fi
-+if [ -z "$INET6" -a -f /usr/include/netinet/ip6.h ]; then
-+	case "$SYSTYPE" in
-+	SUNOS5)	INET6=solaris ;;
-+	OSF1)	INET6=osf1 ;;
-+	*)	;;
-+	esac
-+fi
-+if [ -z "$INET6" -a -f /usr/include/netinet/ip6.h -a -f /usr/include/linux/icmpv6.h ]; then
-+	INET6=linux
-+fi
-+fi # [-z NO_IPV6]
-+
- # Defaults that can be overruled (make makefiles CC=cc OPT=-O6 DEBUG=)
- # Disable optimizations by default when compiling for Purify. Disable
- # optimizations by default with gcc 2.8, until the compiler is known to
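Review bot: In the IPv6 detection block, `grep __KAME__ /usr/include/netinet6/in6.h 2>&1 >/dev/null` has its redirections in the wrong order: stderr is duplicated onto the original stdout before stdout is sent to /dev/null, so grep's error messages still reach the build output. The `[ $? = 1 ]` test that follows also treats a grep failure (exit status 2, for example an unreadable header) the same as a match and selects a KAME build. If this logic is carried into a replacement patch, write it as `if grep __KAME__ /usr/include/netinet6/in6.h >/dev/null 2>&1; then` and put the KAME branch there.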
-@@ -346,6 +373,31 @@
- 	-Wparentheses -Wstrict-prototypes -Wswitch -Wuninitialized \
- 	-Wunused'}
- 
-+case "$INET6" in
-+kame)
-+	CCARGS="$CCARGS -DINET6 -DINET6_KAME"
-+	CCARGS="$CCARGS -D__ss_family=ss_family -D__ss_len=ss_len"
-+	if test -f /usr/local/v6/lib/libinet6.a; then
-+		SYSLIBS="$SYSLIBS -L/usr/local/v6/lib -linet6"
-+	fi
-+	;;
-+kame-merged)
-+	CCARGS="$CCARGS -DINET6 -DINET6_KAME"
-+	CCARGS="$CCARGS -D__ss_family=ss_family -D__ss_len=ss_len"
-+	;;
-+solaris|osf1)
-+	CCARGS="$CCARGS -DINET6 -D__ss_family=ss_family -D__ss_len=ss_len"
-+	;;
-+linux)
-+	CCARGS="$CCARGS -DINET6 -D__ss_family=ss_family"
-+	if test -f /usr/include/libinet6/netinet/ip6.h -a \
-+		-f /usr/lib/libinet6.a; then 
-+		CCARGS="$CCARGS -I/usr/include/libinet6 -DUSAGI_LIBINET6"
-+		SYSLIBS="$SYSLIBS -linet6"
-+	fi
-+	;;
-+esac
-+
- export SYSTYPE AR ARFL RANLIB SYSLIBS CC OPT DEBUG AWK OPTS
- 
- sed 's/  / /g' <<EOF
-diff -urNad postfix-release/man/man8/tlsmgr.8 /tmp/dpep.cXJuVH/postfix-release/man/man8/tlsmgr.8
---- postfix-release/man/man8/tlsmgr.8	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/man/man8/tlsmgr.8	2005-02-03 10:22:12.848143965 -0700
-@@ -0,0 +1,130 @@
-+.TH TLSMGR 8 
-+.ad
-+.fi
-+.SH NAME
-+tlsmgr
-+\-
-+Postfix TLS session cache and PRNG handling manager
-+.SH SYNOPSIS
-+.na
-+.nf
-+\fBtlsmgr\fR [generic Postfix daemon options]
-+.SH DESCRIPTION
-+.ad
-+.fi
-+The tlsmgr process does housekeeping on the session cache database
-+files. It runs through the databases and removes expired entries
-+and entries written by older (incompatible) versions.
-+
-+The tlsmgr is responsible for the PRNG handling. The used internal
-+OpenSSL PRNG has a pool size of 8192 bits (= 1024 bytes). The pool
-+is initially seeded at startup from an external source (EGD or
-+/dev/urandom) and additional seed is obtained later during program
-+run at a configurable period. The exact time of seed query is
-+using random information and is equally distributed in the range of
-+[0-\fBtls_random_reseed_period\fR] with a \fBtls_random_reseed_period\fR
-+having a default of 1 hour.
-+
-+Tlsmgr can be run chrooted and with dropped privileges, as it will
-+connect to the entropy source at startup.
-+
-+The PRNG is additionally seeded internally by the data found in the
-+session cache and timevalues.
-+
-+Tlsmgr reads the old value of the exchange file at startup to keep
-+entropy already collected during previous runs.
-+
-+From the PRNG random pool a cryptographically strong 1024 byte random
-+sequence is written into the PRNG exchange file. The file is updated
-+periodically with the time changing randomly from
-+[0-\fBtls_random_prng_update_period\fR].
-+.SH STANDARDS
-+.na
-+.nf
-+.SH SECURITY
-+.na
-+.nf
-+.ad
-+.fi
-+Tlsmgr is not security-sensitive. It only deals with external data
-+to be fed into the PRNG, the contents is never trusted. The session
-+cache housekeeping will only remove entries if expired and will never
-+touch the contents of the cached data.
-+.SH DIAGNOSTICS
-+.ad
-+.fi
-+Problems and transactions are logged to the syslog daemon.
-+.SH BUGS
-+.ad
-+.fi
-+There is no automatic means to limit the number of entries in the
-+session caches and/or the size of the session cache files.
-+.SH CONFIGURATION PARAMETERS
-+.na
-+.nf
-+.ad
-+.fi
-+The following \fBmain.cf\fR parameters are especially relevant to
-+this program. See the Postfix \fBmain.cf\fR file for syntax details
-+and for default values. Use the \fBpostfix reload\fR command after
-+a configuration change.
-+.SH Session Cache
-+.ad
-+.fi
-+.IP \fBsmtpd_tls_session_cache_database\fR
-+Name of the SDBM file (type sdbm:) containing the SMTP server session
-+cache. If the file does not exist, it is created.
-+.IP \fBsmtpd_tls_session_cache_timeout\fR
-+Expiry time of SMTP server session cache entries in seconds. Entries
-+older than this are removed from the session cache. A cleanup-run is
-+performed periodically every \fBsmtpd_tls_session_cache_timeout\fR
-+seconds. Default is 3600 (= 1 hour).
-+.IP \fBsmtp_tls_session_cache_database\fR
-+Name of the SDBM file (type sdbm:) containing the SMTP client session
-+cache. If the file does not exist, it is created.
-+.IP \fBsmtp_tls_session_cache_timeout\fR
-+Expiry time of SMTP client session cache entries in seconds. Entries
-+older than this are removed from the session cache. A cleanup-run is
-+performed periodically every \fBsmtp_tls_session_cache_timeout\fR
-+seconds. Default is 3600 (= 1 hour).
-+.SH Pseudo Random Number Generator
-+.ad
-+.fi
-+.IP \fBtls_random_source\fR
-+Name of the EGD socket or device or regular file to obtain entropy
-+from. The type of entropy source must be specified by preceding the
-+name with the appropriate type: egd:/path/to/egd_socket,
-+dev:/path/to/devicefile, or /path/to/regular/file.
-+tlsmgr opens \fBtls_random_source\fR and tries to read
-+\fBtls_random_bytes\fR from it.
-+.IP \fBtls_random_bytes\fR
-+Number of bytes to be read from \fBtls_random_source\fR.
-+Default value is 32 bytes. If using EGD, a maximum of 255 bytes is read.
-+.IP \fBtls_random_exchange_name\fR
-+Name of the file written by tlsmgr and read by smtp and smtpd at
-+startup. The length is 1024 bytes. Default value is
-+/etc/postfix/prng_exch.
-+.IP \fBtls_random_reseed_period\fR
-+Time in seconds until the next reseed from external sources is due.
-+This is the maximum value. The actual point in time is calculated
-+with a random factor equally distributed between 0 and this maximum
-+value. Default is 3600 (= 60 minutes).
-+.IP \fBtls_random_prng_update_period\fR
-+Time in seconds until the PRNG exchange file is updated with new
-+pseude random values. This is the maximum value. The actual point
-+in time is calculated with a random factor equally distributed
-+between 0 and this maximum value. Default is 60 (= 1 minute).
-+.SH SEE ALSO
-+.na
-+.nf
-+smtp(8) SMTP client
-+smtpd(8) SMTP server
-+.SH LICENSE
-+.na
-+.nf
-+.ad
-+.fi
-+The Secure Mailer license must be distributed with this software.
-+.SH AUTHOR(S)
-+.na
-+.nf
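Review bot: The SECURITY section's statement that tlsmgr "is not security-sensitive" does not square with the rest of this man page: tlsmgr writes the 1024-byte PRNG exchange file that smtp and smtpd read at startup, by default `/etc/postfix/prng_exch`, and the page says nothing about the ownership or mode that file needs. Any successor page should document the expected permissions and which process may write the file. Smaller items: the STANDARDS and AUTHOR(S) sections are empty, and "pseude random" under `tls_random_prng_update_period` is a typo.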
-diff -urNad postfix-release/proto/Makefile.in /tmp/dpep.cXJuVH/postfix-release/proto/Makefile.in
---- postfix-release/proto/Makefile.in	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/proto/Makefile.in	2005-02-03 10:22:12.848143965 -0700
-@@ -29,6 +29,7 @@
- 	../html/SMTPD_POLICY_README.html \
- 	../html/SMTPD_PROXY_README.html \
- 	../html/STANDARD_CONFIGURATION_README.html \
-+	../html/TLS_README.html \
- 	../html/TUNING_README.html \
- 	../html/UUCP_README.html ../html/ULTRIX_README.html \
- 	../html/VERP_README.html ../html/VIRTUAL_README.html \
-@@ -59,6 +60,7 @@
- 	../README_FILES/SMTPD_ACCESS_README \
- 	../README_FILES/SMTPD_POLICY_README ../README_FILES/SMTPD_PROXY_README \
- 	../README_FILES/STANDARD_CONFIGURATION_README \
-+	../README_FILES/TLS_README \
- 	../README_FILES/TUNING_README \
- 	../README_FILES/UUCP_README ../README_FILES/ULTRIX_README \
- 	../README_FILES/VERP_README ../README_FILES/VIRTUAL_README \
-@@ -233,6 +235,9 @@
- ../html/STANDARD_CONFIGURATION_README.html: STANDARD_CONFIGURATION_README.html
- 	$(POSTLINK) $? >$@
- 
-+../html/TLS_README.html: TLS_README.html
-+	$(POSTLINK) $? >$@
-+
- ../html/TUNING_README.html: TUNING_README.html
- 	$(POSTLINK) $? >$@
- 
-@@ -356,6 +361,9 @@
- ../README_FILES/STANDARD_CONFIGURATION_README: STANDARD_CONFIGURATION_README.html
- 	$(HT2READ) $? >$@
- 
-+../README_FILES/TLS_README: TLS_README.html
-+	$(HT2READ) $? >$@
-+
- ../README_FILES/TUNING_README: TUNING_README.html
- 	$(HT2READ) $? >$@
- 
-diff -urNad postfix-release/proto/postconf.proto /tmp/dpep.cXJuVH/postfix-release/proto/postconf.proto
---- postfix-release/proto/postconf.proto	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/proto/postconf.proto	2005-02-03 10:22:12.985113413 -0700
-@@ -3814,6 +3814,20 @@
- <dd>Permit the request when the client IP address matches any
- network listed in  $mynetworks. </dd>
- 
-+<dt><b><a name="permit_tls_all_clientcerts">permit_tls_all_clientcerts</a></b></dt>
-+
-+<dd> Permit the request when the remote SMTP client certificate is
-+verified successfully.  This option must be used only if a special
-+CA issues the certificates and only this CA is listed as trusted
-+CA, otherwise all clients with a recognized certificate would be
-+allowed to relay.  </dd>
-+
-+<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
-+
-+<dd>Permit the request when the remote SMTP client certificate is
-+verified successfully, and the certificate fingerprint is listed
-+in $relay_clientcerts. </dd>
-+
- <dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
- 
- <dd>Reject the request when the reversed client network address is
-@@ -6787,3 +6801,618 @@
- remote domains.  Available before Postfix version 2.0. With Postfix 2.1
- and later, this is replaced by separate controls: virtual_alias_domains
- and virtual_alias_maps. </p>
-+
-+%PARAM smtpd_tls_cert_file
-+
-+<p> File with the Postfix SMTP server RSA certificate in PEM format.
-+This file may also contain the server private key. </p>
-+
-+<p> Both RSA and DSA certificates are supported.  When both types
-+are present, the cipher used determines which certificate will be
-+presented to the client.  For Netscape and OpenSSL clients without
-+special cipher choices the RSA certificate is preferred. </p>
-+
-+<p> In order to verify a certificate, the CA certificate (in case
-+of a certificate chain, all CA certificates) must be available.
-+You should add these certificates to the server certificate, the
-+server certificate first, then the issuing CA(s).  </p>
-+
-+<p> Example: the certificate for "server.dom.ain" was issued by
-+"intermediate CA" which itself has a certificate of "root CA".
-+Create the server.pem file with "cat server_cert.pem intermediate_CA.pem
-+root_CA.pem &gt; server.pem". </p>
-+
-+<p> If you want to accept certificates issued by these CAs yourself,
-+you can also add the CA certificates to the smtpd_tls_CAfile, in
-+which case it is not necessary to have them in the smtpd_tls_dcert_file
-+or smtpd_tls_cert_file. </p>
-+
-+<p> A certificate supplied here must be usable as SSL server
-+certificate and hence pass the "openssl verify -purpose sslserver
-+..." test. </p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+smtpd_tls_cert_file = /etc/postfix/server.pem
-+</pre>
-+
-+%PARAM smtpd_tls_key_file $smtpd_tls_cert_file
-+
-+<p> File with the Postfix SMTP server RSA private key in PEM format.
-+This file may be combined with the server certificate file specified
-+with $smtpd_tls_cert_file. </p>
-+
-+<p> The private key must not be encrypted. In other words, the key
-+must be accessible without password. </p>
-+
-+%PARAM smtpd_tls_dcert_file
-+
-+<p> File with the Postfix SMTP server DSA certificate in PEM format.
-+This file may also contain the server private key. <p>
-+
-+<p> See the discussion under smtpd_tls_cert_file for more details.
-+</p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
-+</pre>
-+
-+%PARAM smtpd_tls_dkey_file $smtpd_tls_dcert_file
-+
-+<p> File with the Postfix SMTP server DSA private key in PEM format.
-+This file may be combined with the server certificate file specified
-+with $smtpd_tls_dcert_file. </p>
-+
-+<p> The private key must not be encrypted. In other words, the key
-+must be accessible without password. </p>
-+
-+%PARAM smtpd_tls_CAfile
-+
-+<p> The file with the certificate of the certification authority
-+(CA) that issued the Postfix SMTP server certificate.  This is
-+needed only when the CA certificate is not already present in the
-+server certificate file.  This file may also contain the CA
-+certificates of other trusted CAs.  You must use this file for the
-+list of trusted CAs if you want to use chroot-mode. </p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+smtpd_tls_CAfile = /etc/postfix/CAcert.pem
-+</pre>
-+
-+%PARAM smtpd_tls_CApath
-+
-+<p> Directory with PEM format certificate authority certificates
-+that the Postfix SMTP server offers to remote SMTP clients for the
-+purpose of client certificate verification.  Do not forget to create
-+the necessary "hash" links with, for example, "$OPENSSL_HOME/bin/c_rehash
-+/etc/postfix/certs".  </p>
-+
-+<p> To use this option in chroot mode, this directory (or a copy)
-+must be inside the chroot jail. Please note that in this case the
-+CA certificates are not offered to the client, so that e.g.  Netscape
-+clients might not offer certificates issued by them.  Use of this
-+feature is therefore not recommended. </p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+smtpd_tls_CApath = /etc/postfix/certs
-+</pre>
-+
-+%PARAM smtpd_tls_loglevel 0
-+
-+<p> Enable additional Postfix SMTP server logging of TLS activity.
-+Each logging level also includes the information that is logged at
-+a lower logging level.  </p>
-+
-+<dl compact>
-+
-+<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
-+
-+<dt> </dt> <dd> 1 Log TLS handshake and certificate information. </dd>
-+
-+<dt> </dt> <dd> 2 Log levels during TLS negotiation. </dd>
-+
-+<dt> </dt> <dd> 3 Log hexadecimal and ASCII dump of TLS negotiation
-+process.  </dd>
-+
-+<dt> </dt> <dd> 4 Also log hexadecimal and ASCII dump of complete
-+transmission after STARTTLS. </dd>
-+
-+</dl>
-+
-+<p> Use "smtpd_tls_loglevel = 3" only in case of problems. Use of
-+loglevel 4 is strongly discouraged. </p>
-+
-+%PARAM smtpd_tls_received_header no
-+
-+<p> Request that the Postfix SMTP server produces Received:  message
-+headers that include information about the protocol and cipher used,
-+as well as the client CommonName and client certificate issuer
-+CommonName.  This is disabled by default, as the information may
-+be modified in transit through other mail servers.  Only information
-+that was recorded by the final destination can be trusted. </p>
-+
-+%PARAM smtpd_use_tls no
-+
-+<p> Enable TLS support in the Postfix SMTP server. </p>
-+
-+<p> Note: when invoked via "sendmail -bs", Postfix will never offer
-+STARTTLS due to insufficient privileges to access the server private
-+key. This is intended behavior. </p>
-+
-+%PARAM smtpd_enforce_tls no
-+
-+<p> Require that remote SMTP clients use TLS encryption.  According
-+to RFC 2487 this MUST NOT be applied in case of a publicly-referenced
-+SMTP server.  This option is off by default and should only rarely
-+be used. </p>
-+
-+<p> This option implies "smtpd_use_tls = yes". </p>
-+
-+<p> Note: when invoked via "sendmail -bs", Postfix will never offer
-+STARTTLS due to insufficient privileges to access the server private  
-+key. This is intended behavior. </p>
-+
-+%PARAM smtpd_tls_wrappermode no
-+
-+<p> Run the Postfix SMTP server in the non-standard "wrapper" mode,
-+instead of using the STARTTLS command. </p>
-+
-+<p> If you want to support this service, enable a special port in
-+master.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP
-+server's command line. Port 465 (smtps) was once chosen for this
-+purpose. </p>
-+
-+%PARAM smtpd_tls_ask_ccert no
-+
-+<p> Ask a remote SMTP client for a client certificate. This
-+information is needed for certificate based mail relaying with,
-+for example, the permit_tls_clientcerts feature. </p>
-+
-+<p> Some clients such as Netscape will either complain if no
-+certificate is available (for the list of CAs in /etc/postfix/certs)
-+or will offer multiple client certificates to choose from. This
-+may be annoying, so this option is "off" by default. </p>
-+
-+%PARAM smtpd_tls_req_ccert no
-+
-+<p> When TLS encryption is enforced, require a remote SMTP client
-+certificate in order to allow TLS connections to proceed.  This
-+option implies "smtpd_tls_ask_ccert = yes". </p>
-+
-+<p> When TLS encryption is optional, remote SMTP clients can bypass
-+the restriction by simply not using STARTTLS at all. For this reason
-+a TLS connection will be handled as if only "smtpd_tls_ask_ccert
-+= yes" is specified.  </p>
-+
-+%PARAM smtpd_tls_ccert_verifydepth 5
-+
-+<p> The verification depth for remote SMTP client certificates. A
-+depth of 1 is sufficient if the issuing CA is listed in a local CA
-+file.  The default value should also suffice for longer chains (the
-+root CA issues special CA which then issues the actual certificate...).
-+</p>
-+
-+%PARAM smtpd_tls_auth_only no
-+
-+<p> When TLS encryption is optional in the Postfix SMTP server, do
-+not announce or accept SASL authentication over un-encrypted
-+connections. </p>
-+
-+%PARAM smtpd_tls_session_cache_database
-+
-+<p> Name of the SDBM file (type sdbm:) containing the optional
-+Postfix SMTP server TLS session cache. SDBM is required in order
-+to support concurrent updates.  The file is created if it does not
-+exist.  </p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
-+</pre>
-+
-+%PARAM smtpd_tls_session_cache_timeout 3600s
-+
-+<p> The expiration time of Postfix SMTP server TLS session cache
-+information.  A cache cleanup is performed periodically every
-+$smtpd_tls_session_cache_timeout seconds.  </p>
-+
-+%PARAM relay_clientcerts
-+
-+<p> The list of remote SMTP client certificates for which the
-+Postfix SMTP server will allow access with the permit_tls_clientcerts
-+feature.  This feature does not use certificate names, because
-+Postfix list manipulation routines treat whitespace and some other
-+characters as special.  Instead we use certificate fingerprints as
-+they are difficult to fake but easy to use for lookup. </p>
-+
-+<p> Postfix lookup tables are in the form of (key, value) pairs.
-+Since we only need the key, the value can be chosen freely, e.g.
-+the name of the user or host:
-+D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home </p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+relay_clientcerts = hash:/etc/postfix/relay_clientcerts
-+</pre>
-+
-+%PARAM smtpd_tls_cipherlist
-+
-+<p> Controls the Postfix SMTP server TLS cipher selection scheme.
-+For details, see the OpenSSL documentation. Note: do not use ""
-+quotes around the parameter value. </p>
-+
-+%PARAM smtpd_tls_dh1024_param_file
-+
-+<p> File with DH parameters that the Postfix SMTP server should
-+use with EDH ciphers. </p>
-+
-+<p> Instead of using the exact same parameter sets as distributed
-+with other TLS packages, it is more secure to generate your own
-+set of parameters with something like the following command:  </p>
-+
-+<pre>
-+openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024
-+</pre>
-+
-+<p> Your actual source for entropy may differ. Some systems have
-+/dev/random; on other system you may consider using the "Entropy
-+Gathering Daemon EGD", available at http://www.lothar.com/tech/crypto/.
-+</p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
-+</pre>
-+
-+%PARAM smtpd_tls_dh512_param_file
-+
-+<p> File with DH parameters that the Postfix SMTP server should
-+use with EDH ciphers. </p>
-+
-+<p> See also the discussion under the smtpd_tls_dh1024_param_file
-+configuration parameter.  </p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
-+</pre>
-+
-+%PARAM smtpd_starttls_timeout 300s
-+
-+<p> The time limit for Postfix SMTP server write and read operations
-+during TLS startup and shutdown handshake procedures. </p>
-+
-+%PARAM smtp_tls_cert_file
-+
-+<p> File with the Postfix SMTP client RSA certificate in PEM format.
-+This file may also contain the client private key, and these may
-+be the same as the server certificate and key file. </p>
-+
-+<p> In order to verify certificates, the CA certificate (in case
-+of a certificate chain, all CA certificates) must be available.
-+You should add these certificates to the server certificate, the
-+server certificate first, then the issuing CA(s). </p>
-+
-+<p> Example: the certificate for "client.dom.ain" was issued by
-+"intermediate CA" which itself has a certificate of "root CA".
-+Create the client.pem file with "cat client_cert.pem intermediate_CA.pem
-+root_CA.pem &gt; client.pem". </p>
-+
-+<p> If you want to accept remote SMTP server certificates issued
-+by these CAs yourself, you can also add the CA certificates to the
-+smtp_tls_CAfile, in which case it is not necessary to have them in
-+the smtp_tls_cert_file or smtp_tls_dcert_file. </p>
-+
-+<p> A certificate supplied here must be usable as SSL client certificate and
-+hence pass the "openssl verify -purpose sslclient ..." test. </p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+smtp_tls_cert_file = /etc/postfix/client.pem
-+</pre>
-+
-+%PARAM smtp_tls_key_file $smtp_tls_cert_file
-+
-+<p> File with the Postfix SMTP client RSA private key in PEM format.
-+This file may be combined with the client certificate file specified
-+with $smtp_tls_cert_file. </p>
-+
-+<p> The private key must not be encrypted. In other words, the key
-+must be accessible without password. </p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+smtp_tls_key_file = $smtp_tls_cert_file
-+</pre>
-+
-+%PARAM smtp_tls_CAfile
-+
-+<p> The file with the certificate of the certification authority
-+(CA) that issued the Postfix SMTP client certificate.  This is
-+needed only when the CA certificate is not already present in the
-+client certificate file.  </p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+smtp_tls_CAfile = /etc/postfix/CAcert.pem
-+</pre>
-+
-+%PARAM smtp_tls_CApath
-+
-+<p> Directory with PEM format certificate authority certificates
-+that the Postfix SMTP client uses to verify a remote SMTP server
-+certificate.  Don't forget to create the necessary "hash" links
-+with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
-+</p>
-+
-+<p> To use this option in chroot mode, this directory (or a copy) 
-+must be inside the chroot jail. </p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+smtp_tls_CApath = /etc/postfix/certs
-+</pre>
-+
-+%PARAM smtp_tls_loglevel 0
-+
-+<p> Enable additional Postfix SMTP client logging of TLS activity.
-+Each logging level also includes the information that is logged at
-+a lower logging level.  </p>
-+
-+<dl compact>
-+
-+<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
-+
-+<dt> </dt> <dd> 1 Log TLS handshake and certificate information. </dd>
-+
-+<dt> </dt> <dd> 2 Log levels during TLS negotiation. </dd>
-+
-+<dt> </dt> <dd> 3 Log hexadecimal and ASCII dump of TLS negotiation
-+process.  </dd>
-+
-+<dt> </dt> <dd> 4 Log hexadecimal and ASCII dump of complete
-+transmission after STARTTLS. </dd>
-+
-+</dl>
-+
-+<p> Use "smtp_tls_loglevel = 3" only in case of problems. Use of
-+loglevel 4 is strongly discouraged. </p>
-+
-+%PARAM smtp_tls_session_cache_database
-+
-+<p> Name of the SDBM file (type sdbm:) containing the optional
-+Postfix SMTP client TLS session cache. SDBM is required in order
-+to support concurrent updates. The file is created if it does not
-+exist.  </p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache
-+</pre>
-+
-+%PARAM smtp_tls_session_cache_timeout 3600s
-+
-+<p> The expiration time of Postfix SMTP client TLS session cache
-+information.  A cache cleanup is performed periodically every
-+$smtp_tls_session_cache_timeout seconds.  </p>
-+
-+%PARAM smtp_use_tls no
-+
-+<p> Always use TLS when a remote SMTP server announces STARTTLS
-+support.  Beware: some remote SMTP servers offer STARTTLS even if
-+it is not configured.  If the TLS handshake fails, and no other
-+server is available, delivery is deferred and mail stays in the
-+queue.  If this is a concern for you, use the smtp_tls_per_site
-+feature instead.  </p>
-+
-+%PARAM smtp_enforce_tls no
-+
-+<p> Require that remote SMTP servers use TLS encryption.  This also
-+requires that the remote SMTP server hostname matches the information
-+in the remote server certificate, and that the remote SMTP server
-+certificate was issued by a CA that is trusted by the Postfix SMTP
-+client. If the certificate doesn't verify or the hostname doesn't
-+match, delivery is deferred and mail stays in the queue.  </p>
-+
-+<p> The hostname used in the check is performed against all names
-+provided as dNSNames in the SubjectAlternativeName.  If no dNSNames
-+are specified, the CommonName is checked.  The behavior may be
-+changed with the smtp_tls_enforce_peername option.  </p>
-+
-+<p> This option is useful only if you are definitely sure that you
-+will only connect to servers that support RFC 2487 _and_ that
-+provide valid server certificates.  It is relatively safe to use
-+for local clients that only send email to one mailhub with the
-+necessary STARTTLS support.  </p>
-+
-+%PARAM smtp_tls_enforce_peername yes
-+
-+<p> When TLS encryption is enforced, require that the remote SMTP
-+server hostname matches the information in the remote SMTP server
-+certificate.  As of RFC 2487 the requirements for hostname checking
-+for MTA clients are not set. </p>
-+
-+<p> This option can be set to "no" to disable strict peer name
-+checking. This setting has no effect on sessions that are controlled
-+via the smtp_tls_per_site table.  </p>
-+
-+<p> Disabling the hostname verification can make sense in closed
-+environment where special CAs are created.  If not used carefully,
-+this option opens the danger of a "man-in-the-middle" attack (the
-+CommonName of this attacker will be logged). </p>
-+
-+%PARAM smtp_tls_per_site
-+
-+<p> Optional lookup tables with the Postfix SMTP client TLS usage
-+policy by next-hop domain name and by remote SMTP server hostname.
-+</p>
-+
-+<p> Table format:  domain names or server hostnames are specified
-+on the left-hand side; no wildcards are allowed.  On the right hand
-+side specify one of the following keywords:  </p>
-+
-+<dl>
-+
-+<dt> NONE </dt> <dd>Don't use TLS at all. </dd>
-+
-+<dt> MAY </dt> <dd>Try to use STARTTLS if offered,
-+otherwise use the un-encrypted connection. </dd>
-+
-+<dt> MUST </dt> <dd>Require usage of STARTTLS, require that the
-+remote SMTP server hostname matches the information in the remote
-+SMTP server certificate, and require that the remote SMTP server
-+certificate was issued by a trusted CA. </dd>
-+
-+<dt> MUST_NOPEERMATCH </dt> <dd>Require usage of STARTTLS, but do
-+not require that the remote SMTP server hostname matches the
-+information in the remote SMTP server certificate, or that the
-+server certificate was issued by a trusted CA. </dd>
-+
-+</dl>
-+
-+<p> Special hint for enforcement mode:  since no secure DNS lookup
-+mechanism is available, the recommended setup is:  specify local
-+transport(5) table entries for sensitive domains with explicit
-+smtp:[mailhost] destinations (since you can assure security of this
-+table unlike DNS), then specify MUST for these mail hosts in the
-+smtp_tls_per_site table. </p>
-+
-+%PARAM smtp_tls_scert_verifydepth 5
-+
-+<p> The verification depth for remote SMTP server certificates. A
-+depth of 1 is sufficient, if the certificate is directly issued by
-+a CA listed in the CA files.  The default value (5) should suffice
-+for longer chains (the root CA issues special CA which then issues
-+the actual certificate...). </p>
-+
-+%PARAM smtp_tls_note_starttls_offer no
-+
-+<p> Log the hostname of a remote SMTP server that offers STARTTLS,
-+when TLS is not already enabled for that server. </p>
-+
-+<p> The logfile record looks like:  </p>
-+
-+<pre>
-+postfix/smtp[pid]:  Host offered STARTTLS: [name.of.host]
-+</pre>
-+
-+%PARAM smtp_tls_cipherlist
-+
-+<p> Controls the Postfix SMTP client TLS cipher selection scheme.
-+For details, see the OpenSSL documentation. Note: do not use ""
-+quotes around the parameter value. </p>
-+
-+%PARAM smtp_starttls_timeout 300s
-+
-+<p> Time limit for Postfix SMTP client write and read operations
-+during TLS startup and shutdown handshake procedures. </p>
-+
-+%PARAM smtp_tls_dkey_file $smtp_tls_dcert_file
-+
-+<p> File with the Postfix SMTP client DSA private key in PEM format.
-+The private key must not be encrypted. In other words, the key must
-+be accessible without password. </p>
-+
-+<p> This file may be combined with the server certificate file
-+specified with $smtp_tls_cert_file. </p>
-+
-+%PARAM smtp_tls_dcert_file
-+
-+<p> File with the Postfix SMTP client DSA certificate in PEM format.
-+This file may also contain the server private key. </p>
-+
-+<p> See the discussion under smtp_tls_cert_file for more details.
-+</p>
-+
-+<p> Example: </p>
-+
-+<pre>
-+smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
-+</pre>
-+
-+%PARAM tls_random_exchange_name ${config_directory}/prng_exch
-+
-+<p> Name of the pseudo random number generator (PRNG) seed file
-+that is maintained by tlsmgr(8), and that is read by the smtp(8)
-+and smtpd(8) processes upon startup. The file length is fixed at
-+1024 bytes, and is created by tlsmgr(8) when it does not exist.
-+</p>
-+
-+<p> Since this file is changed by Postfix, it should probably be
-+kept in the /var file system, instead of under $config_directory.
-+The location should not be inside the chroot jail. </p>
-+
-+%PARAM tls_random_source
-+
-+<p> The external entropy source for the in-memory tlsmgr(8) pseudo
-+random number generator (PRNG) pool. Be sure to specify a non-blocking
-+source.  If this source is not a regular file, the entropy source
-+type must be prepended:  egd:/path/to/egd_socket for a source with
-+EGD compatible socket interface, or dev:/path/to/device for a
-+device file.  </p>
-+
-+%PARAM tls_random_bytes 32
-+
-+<p> The number of bytes that tlsmgr(8) reads from $tls_random_source
-+when (re)seeding the in-memory pseudo random number generator (PRNG)
-+pool. The default of 32 bytes (256 bits) is good enough for 128bit
-+symmetric keys.  If using EGD, a maximum of 255 bytes is read. </p>
-+
-+%PARAM tls_random_reseed_period 3600s
-+
-+<p> The maximal time between attempts by tlsmgr(8) to re-seed the
-+in-memory pseudo random number generator (PRNG) pool from external
-+sources.  The actual time between re-seeding attempts is calculated
-+using the PRNG, and is between 0 and the time specified.  </p>
-+
-+%PARAM tls_random_prng_update_period 60s
-+
-+<p> The maximal time between attempts by tlsmgr(8) to rewrite the
-+pseudo random number generator (PRNG) seed file specified with
-+$tls_random_exchange_name. This file is read by smtpd(8) and smtpd(8)
-+processes in order to seed their PRNGs.  The actual time between
-+rewriting attempts is calculated using the PRNG, and is between 0
-+and the time specified.  </p>
-+
-+%PARAM tls_daemon_random_source
-+
-+<p> Optional external source of entropy that can be read by smtpd(8)
-+and smtpd(8) processes in order to initialize their PRNGs. Be sure
-+to specify a non-blocking source.  The entropy source type must be
-+prepended to the source name:  egd:/path/to/egd_socket for a source
-+with EGD compatible socket interface, or dev:/path/to/device for
-+a device file.  </p>
-+
-+<p> Examples: </p>
-+
-+<pre>
-+tls_daemon_random_source = dev:/dev/urandom
-+tls_daemon_random_source = egd:/var/run/egd-pool
-+</pre>
-+
-+%PARAM tls_daemon_random_bytes 32
-+
-+<p> The amount of data that smtpd(8) and smtpd(8) processes read
-+from the entropy source specified with $tls_daemon_random_source.
-+The default of 32 bytes (equivalent to 256 bits) is sufficient to
-+generate a 128bit (or 168bit) session key. </p>
-+
-+<p> Usage of this option may drain EGD (consider the case of 50
-+smtp(8) processes starting up with a full queue and "postfix start",
-+which will request 1600 bytes of entropy). This is however not
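Review bot: the smtp_tls_dkey_file entry in this hunk declares its default as $smtp_tls_dcert_file, but its text says the key "may be combined with the server certificate file specified with $smtp_tls_cert_file". It should say "client certificate file" and name $smtp_tls_dcert_file, mirroring the smtpd_tls_dkey_file entry, so that an admin is not pointed at the RSA file for the DSA key. The same client/server mix-up appears under smtp_tls_cert_file ("add these certificates to the server certificate") and smtp_tls_dcert_file ("may also contain the server private key"). Smaller points in the same hunk: tls_random_prng_update_period, tls_daemon_random_source and tls_daemon_random_bytes each say "smtpd(8) and smtpd(8)" where tls_random_exchange_name has "smtp(8) and smtpd(8)"; the first paragraph of smtpd_tls_dcert_file ends with <p> instead of </p>; and the tls_daemon_random_bytes text stops mid-sentence at "This is however not". All of these lines are being removed here, so the fixes only matter if this documentation is carried forward in another patch.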
-diff -urNad postfix-release/proto/TLS_README.html /tmp/dpep.cXJuVH/postfix-release/proto/TLS_README.html
---- postfix-release/proto/TLS_README.html	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/proto/TLS_README.html	2005-02-03 10:22:12.994111406 -0700
-@@ -0,0 +1,1093 @@
-+<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
-+        "http://www.w3.org/TR/html4/loose.dtd">
-+
-+<html>
-+
-+<head>
-+
-+<title>Postfix TLS Support </title>
-+
-+<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
-+
-+</head>
-+
-+<body>
-+
-+<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix TLS Support
-+</h1>
-+
-+<hr>
-+
-+<h2> Purpose of this document </h2> 
-+
-+<p> This document describes how to configure the Transport Layer
-+Security (TLS) support in the Postfix SMTP client and Postfix SMTP server,
-+and how to configure the TLS manager daemon that maintains the
-+Pseudo Random Number Generator (PRNG) pool and the TLS session
-+cache information. </p>
-+
-+<p> Topics covered in this document: </p>
-+
-+<ul>
-+
-+<li><a href="#server_tls">SMTP Server specific settings</a>
-+
-+<li> <a href="#client_tls">SMTP Client specific settings</a>
-+
-+<li><a href="#tlsmgr_controls"> TLS manager specific settings </a>
-+
-+<li><a href="#problems"> Reporting problems </a>
-+
-+<li><a href="#credits"> Credits </a>
-+
-+</ul>
-+
-+<h2><a name="server_tls">SMTP Server specific settings</a></h2>
-+
-+<p> Topics covered in this section: </p>
-+
-+<ul>
-+
-+<li><a href="#server_cert_key">Server-side certificate and private
-+key configuration </a>
-+
-+<li><a href="#server_logging"> Server-side TLS activity logging
-+</a>
-+
-+<li><a href="#server_enable">Enabling TLS in the Postfix SMTP server </a>
-+
-+<li><a href="#server_vrfy_client">Client certificate verification</a>
-+
-+<li><a href="#server_tls_auth">Supporting AUTH over TLS only</a>
-+
-+<li><a href="#server_tls_cache">Server-side TLS session cache</a>
-+
-+<li><a href="#server_access">Server access control</a>
-+
-+<li><a href="#server_cipher">Server-side cipher controls</a>
-+
-+<li><a href="#server_misc"> Miscellaneous server controls</a>
-+
-+</ul>
-+
-+<h3><a name="server_cert_key">Server-side certificate and private
-+key configuration </a> </h3>
-+
-+<p> In order to use TLS, the Postfix SMTP server needs a certificate
-+and a private key. Both must be in "pem" format. The private key
-+must not be encrypted, meaning:  the key must be accessible without
-+password.  Both certificate and private key may be in the same
-+file.  </p>
-+
-+<p> Both RSA and DSA certificates are supported. Typically you will
-+only have RSA certificates issued by a commercial CA. In addition,
-+the tools supplied with OpenSSL will by default issue RSA certificates.
-+You can have both at the same time, in which case the cipher used
-+determines which certificate is presented. For Netscape and OpenSSL
-+clients without special cipher choices, the RSA certificate is
-+preferred. </p>
-+
-+<p> In order for remote SMTP clients to check the Postfix SMTP
-+server certificates, the CA certificate (in case of a certificate
-+chain, all CA certificates) must be available.  You should add
-+these certificates to the server certificate, the server certificate
-+first, then the issuing CA(s).  </p>
-+
-+<p> Example: the certificate for "server.dom.ain" was issued by
-+"intermediate CA" which itself has a certificate issued by "root
-+CA".  Create the server.pem file with: </p>
-+
-+<blockquote>
-+<pre>
-+cat server_cert.pem intermediate_CA.pem root_CA.pem &gt; server.pem
-+</pre>
-+</blockquote>
-+
-+<p> If you want the Postfix SMTP server to accept remote SMTP client
-+certificates issued by these CAs, you can also add the CA certificates
-+to the smtpd_tls_CAfile, in which case it is not necessary to have
-+them in the smtpd_tls_cert_file or smtpd_tls_dcert_file. </p>
-+
-+<p> A Postfix SMTP server certificate supplied here must be usable
-+as SSL server certificate and hence pass the "openssl verify -purpose
-+sslserver
-+..." test. </p>
-+
-+<p> RSA key and certificate examples: </p>
-+
-+<blockquote>
-+<pre>
-+smtpd_tls_cert_file = /etc/postfix/server.pem
-+smtpd_tls_key_file = $smtpd_tls_cert_file
-+</pre>
-+</blockquote>
-+
-+<p> Their DSA counterparts: </p>
-+
-+<blockquote>
-+<pre>
-+smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
-+smtpd_tls_dkey_file = $smtpd_tls_dcert_file
-+</pre>  
-+</blockquote>
-+
-+<p> The Postfix SMTP server certificate was issued by a certification
-+authority (CA), the CA-cert of which must be provided with the CA
-+file if it is not already provided in the certificate file.  The
-+CA file may also contain the CA certificates of other trusted CAs.
-+You must use this file for the list of trusted CAs if you want to
-+use chroot-mode. No default is supplied for this value as of now.
-+</p>
-+
-+<p> Example: </p>
-+<blockquote>
-+<pre>
-+smtpd_tls_CAfile = /etc/postfix/CAcert.pem
-+</pre>
-+</blockquote>
-+
-+<p> To verify a remote SMTP client certificate, the Postfix SMTP
-+server needs to know the certificates of the issuing certification
-+authorities. These certificates in "pem" format are collected in
-+a directory. The same CA certificates are offered to clients for
-+client verification.  Don't forget to create the necessary "hash"
-+links with $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs. A typical
-+place for the CA certificates may also be $OPENSSL_HOME/certs, so
-+there is no default and you explicitly have to set the value here!
-+</p>
-+
-+<p> To use this option in chroot mode, this directory itself or a
-+copy of it must be inside the chroot jail. Please note also, that
-+the CAs in this directory are not listed to the client, so that
-+e.g. Netscape might not offer certificates issued by them.  For
-+this reason, the use of this feature is discouraged. </p>
-+
-+<p> Example: </p>
-+
-+<blockquote>
-+<pre>
-+smtpd_tls_CApath = /etc/postfix/certs
-+</pre>
-+</blockquote>
-+
-+<h3><a name="server_logging"> Server-side TLS activity logging </a> </h3>
-+
-+<p> To get additional information about Postfix SMTP server TLS
-+activity you can increase the loglevel from 0..4. Each logging
-+level also includes the information that is logged at a lower
-+logging level. </p>
-+
-+<blockquote>
-+
-+<table>
-+
-+<tr> <td> 0 </td> <td> Disable logging of TLS activity.</td> </tr>
-+
-+<tr> <td> 1 </td> <td> Log TLS handshake and certificate information.
-+</td> </tr>
-+
-+<tr> <td> 2 </td> <td> Log levels during TLS negotiation.  </td>
-+</tr>
-+
-+<tr> <td> 3 </td> <td> Log hexadecimal and ASCII dump of TLS
-+negotiation process </td> </tr>
-+
-+<tr> <td> 4 </td> <td> Log hexadecimal and ASCII dump of complete
-+transmission after STARTTLS </td> </tr>
-+
-+</table>
-+
-+</blockquote>
-+
-+<p> Use loglevel 3 only in case of problems. Use of loglevel 4 is
-+strongly discouraged. </p>
-+
-+<p> Example: </p>
-+
-+<blockquote>
-+<pre>
-+smtpd_tls_loglevel = 0
-+</pre>
-+</blockquote>
-+
-+<p> To include information about the protocol and cipher used as
-+well as the client and issuer CommonName into the "Received:"
-+message header, set the smtpd_tls_received_header variable to true.
-+The default is no, as the information is not necessarily authentic.
-+Only information recorded at the final destination is reliable,
-+since the headers may be changed by intermediate servers. </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_tls_received_header = yes
-+</pre>
-+</blockquote>
-+
-+<h3><a name="server_enable">Enabling TLS in the Postfix SMTP server </a> </h3>
-+
-+<p> By default, TLS is disabled in the Postfix SMTP server, so no
-+difference to plain Postfix is visible.  Explicitly switch it on
-+using "smtpd_use_tls = yes". </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_use_tls = yes
-+</pre>
-+</blockquote>
-+
-+<p> Note: when an unprivileged user invokes "sendmail -bs", STARTTLS
-+is never offered due to insufficient privileges to access the server
-+private key. This is intended behavior. </p>
-+
-+<p> You can ENFORCE the use of TLS, so that the Postfix SMTP server
-+accepts no commands (except QUIT of course) without TLS encryption,
-+by setting "smtpd_enforce_tls = yes". According to RFC 2487 this
-+MUST NOT be applied in case of a publicly-referenced Postfix SMTP
-+server.  So this option is off by default and should only seldom
-+be used.  Using this option implies "smtpd_use_tls = yes". </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_enforce_tls = yes
-+</pre>
-+</blockquote>
-+
-+<p> Besides RFC 2487 some clients, namely Outlook [Express] prefer
-+to run the non-standard "wrapper" mode, not the STARTTLS enhancement
-+to SMTP.  This is true for OE (Win32 &lt; 5.0 and Win32 &gt;=5.0 when
-+run on a port&lt;&gt;25 and OE (5.01 Mac on all ports). </p>
-+
-+<p> It is strictly discouraged to use this mode from main.cf. If
-+you want to support this service, enable a special port in master.cf
-+and specify "-o smtpd_tls_wrappermode = yes" as an smtpd(8) command
-+line option.  Port 465 (smtps) was once chosen for this feature.
-+</p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_tls_wrappermode = no
-+</pre>
-+</blockquote>
-+
-+<h3><a name="server_vrfy_client">Client certificate verification</a> </h3>
-+
-+<p> To receive a remote SMTP client certificate, the Postfix SMTP
-+server must explicitly ask for one by sending the $smtpd_tls_CAfile
-+certificates to the client. Unfortunately, Netscape clients will
-+either complain if no matching client certificate is available or
-+will offer the user client a list of certificates to choose from.
-+This might be annoying, so this option is "off" by default.  You
-+will however need the certificate if you want to use certificate
-+based relaying with, for example, the permit_tls_client_certs
-+feature.  </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_tls_ask_ccert = no
-+</pre>
-+</blockquote>
-+
-+<p> You may also decide to REQUIRE a remote SMTP client certificate
-+before allowing TLS connections.  This feature is included for
-+completeness, and implies "smtpd_tls_ask_ccert = yes".  </p>
-+
-+<p> Please be aware, that this will inhibit TLS connections without
-+a proper client certificate and that it makes sense only when
-+non-TLS submission is disabled (smtpd_enforce_tls = yes). Otherwise,
-+clients could bypass the restriction by simply not using STARTTLS
-+at all. </p>
-+
-+<p> When TLS is not enforced, the connection will be handled as
-+if only "smtpd_tls_ask_ccert = yes" is specified, and a warning is
-+logged. </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_tls_req_ccert = no
-+</pre>
-+</blockquote>
-+
-+<p> A client certificate verification depth of 1 is sufficient if
-+the certificate is directly issued by a CA listed in the CA file.
-+The default value (5) should also suffice for longer chains (root
-+CA issues special CA which then issues the actual certificate...)
-+</p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_tls_ccert_verifydepth = 5
-+</pre>
-+</blockquote>
-+
-+<h3><a name="server_tls_auth">Supporting AUTH over TLS only</a></h3>
-+
-+<p> Sending AUTH data over an un-encrypted channel poses a security
-+risk. When TLS layer encryption is required (smtpd_enforce_tls =
-+yes), the Postfix SMTP server will announce and accept AUTH only
-+after the TLS layer has been activated with STARTTLS. When TLS
-+layer encryption is optional (smtpd_enforce_tls = no), it may
-+however still be useful to only offer AUTH when TLS is active. To
-+maintain compatibility with non-TLS clients, the default is to
-+accept AUTH without encryption. In order to change this behavior,
-+set "smtpd_tls_auth_only = yes". </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_tls_auth_only = no
-+</pre>
-+</blockquote>
-+
-+<h3><a name="server_tls_cache">Server-side TLS session cache</a> </h3>
-+
-+<p> The Postfix SMTP server and the remote SMTP client negotiate a
-+session, which takes some computer time and network bandwidth. By
-+default, this session information is cached only in the smtpd(8)
-+process actually using this session and is lost when the process
-+terminates.  To share the session information between multiple
-+smtpd(8) processes, a persistent session cache can be used based
-+on the SDBM databases (routines included in Postfix/TLS). Since
-+concurrent writing must be supported, only SDBM can be used. </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
-+</pre>
-+</blockquote>
-+
-+<p> Cached Postfix SMTP server session information expires after
-+a certain amount of time.  Postfix/TLS does not use the OpenSSL
-+default of 300s, but a longer time of 3600sec (=1 hour). RFC 2246
-+recommends a maximum of 24 hours.  </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_tls_session_cache_timeout = 3600s
-+</pre>
-+</blockquote>
-+
-+<h3><a name="server_access">Server access control</a> </h3>
-+
-+<p> Postfix TLS support introduces two additional features for
-+Postfix SMTP server access control:  </p>
-+
-+<blockquote>
-+
-+<dl>
-+
-+<dt> permit_tls_clientcerts </dt> <dd> <p> Allow the remote SMTP
-+client SMTP request if the client certificate passes verification,
-+and if its fingerprint is listed in the list of client certificates
-+(see relay_clientcerts discussion below). </p> </dd>
-+
-+<dt> permit_tls_all_clientcerts </dt> <dd> <p> Allow the remote
-+client SMTP request if the client certificate passes verification.
-+</p> </dd>
-+
-+</dl>
-+
-+</blockquote>
-+
-+<p> The permit_tls_all_clientcerts feature must be used with caution,
-+because it can result in too many access permissions.  Use this
-+feature only if a special CA issues the client certificates, and
-+only if this CA is listed as trusted CA. If other CAs are trusted,
-+any owner of a valid client certificate would be authorized.
-+The permit_tls_all_clientcerts feature can be practical for a
-+specially created email relay server.  </p>
-+
-+<p> It is however recommended to stay with the permit_tls_clientcerts
-+feature and list all certificates via $relay_clientcerts, as
-+permit_tls_all_clientcerts does not permit any control when a
-+certificate must no longer be used (e.g. an employee leaving). </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_recipient_restrictions = 
-+    ... 
-+    permit_tls_clientcerts 
-+    reject_unauth_destination
-+    ...
-+</pre>
-+</blockquote>
-+
-+<p> The Postfix list manipulation routines give special treatment
-+to whitespace and some other characters, making the use of certificate
-+names unpractical.  Instead we use the certificate fingerprints as
-+they are difficult to fake but easy to use for lookup.  Postfix
-+lookup tables are in the form of (key, value) pairs.  Since we only
-+need the key, the value can be chosen freely, e.g.  the name of
-+the user or host:</p>
-+
-+<blockquote>
-+<pre>
-+D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home
-+</pre>
-+</blockquote>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+relay_clientcerts = hash:/etc/postfix/relay_clientcerts
-+</pre>
-+</blockquote>
-+
-+<h3><a name="server_cipher">Server-side cipher controls</a> </h3>
-+
-+<p> To influence the Postfix SMTP server cipher selection scheme,
-+you can give cipherlist string.  A detailed description would go
-+to far here, please refer to the openssl documentation.  If you
-+don't know what to do with it, simply don't touch it and leave the
-+(openssl-)compiled in default! </p>
-+
-+<p> DO NOT USE " to enclose the string, specify just the string!!! </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_tls_cipherlist = DEFAULT
-+</pre>
-+</blockquote>
-+
-+<p> If you want to take advantage of ciphers with EDH, DH parameters
-+are needed.  Instead of using the built-in DH parameters for both
-+1024bit and 512bit, it is better to generate "own" parameters,
-+since otherwise it would "pay" for a possible attacker to start a
-+brute force attack against parameters that are used by everybody.
-+For this reason, the parameters chosen are already different from
-+those distributed with other TLS packages. </p>
-+
-+<p> To generate your own set of DH parameters, use: </p>
-+
-+<blockquote>
-+<pre>
-+openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024
-+openssl gendh -out /etc/postfix/dh_512.pem -2 -rand /var/run/egd-pool 512
-+</pre>
-+</blockquote>
-+
-+<p> Your source for "entropy" might vary; some systems have
-+/dev/random; on other systems you might consider the "Entropy
-+Gathering Daemon EGD", available at http://www.lothar.com/tech/crypto/.
-+</p>
-+
-+<p> Examples: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
-+smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
-+</pre>
-+</blockquote>
-+
-+<h3><a name="server_misc"> Miscellaneous server controls</a> </h3>
-+
-+<p> The smtpd_starttls_timeout parameter limits the time of Postfix
-+SMTP server write and read operations during TLS startup and shutdown
-+handshake procedures.  </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtpd_starttls_timeout = 300s
-+</pre>
-+</blockquote>
-+
-+<h2> <a name="client_tls">SMTP Client specific settings</a> </h2>
-+
-+<p> Topics covered in this section: </p>
-+
-+<ul>
-+
-+<li><a href="#client_cert_key">Client-side certificate and private
-+key configuration </a>
-+
-+<li><a href="#client_logging"> Client-side TLS activity logging
-+</a>
-+
-+<li><a href="#client_tls_cache">Client-side TLS session cache</a>
-+
-+<li><a href="#client_tls"> Enabling TLS in the Postfix SMTP client </a>
-+
-+<li><a href="#client_vrfy_server">Server certificate verification</a>
-+
-+<li> <a href="#client_cipher">Client-side cipher controls </a>
-+
-+<li> <a href="#client_misc"> Miscellaneous client controls </a>
-+
-+</ul>
-+
-+<h3><a name="client_cert_key">Client-side certificate and private
-+key configuration </a> </h3>
-+
-+During TLS startup negotiation the Postfix SMTP client may present
-+a certificate to the remote SMTP server.  The Netscape client is
-+rather clever here and lets the user select between only those
-+certificates that match CA certificates offered by the remote SMTP
-+server. As the Postfix SMTP client uses the "SSL_connect()" function
-+from the OpenSSL package, this is not possible and we have to choose
-+just one certificate.  So for now the default is to use _no_
-+certificate and key unless one is explicitly specified here. </p>
-+
-+<p> Both RSA and DSA certificates are supported.  You can have both
-+at the same time, in which case the cipher used determines which
-+certificate is presented.  </p>
-+
-+<p> It is possible for the Postfix SMTP client to use the same
-+key/certificate pair as the Postfix SMTP server.  If a certificate
-+is to be presented, it must be in "pem" format. The private key
-+must not be encrypted, meaning: it must be accessible without
-+password. Both parts (certificate and private key) may be in the
-+same file. </p>
-+
-+<p> In order for remote SMTP servers to verify the Postfix SMTP
-+client certificates, the CA certificate (in case of a certificate
-+chain, all CA certificates) must be available.  You should add
-+these certificates to the client certificate, the client certificate
-+first, then the issuing CA(s). </p>
-+
-+<p> Example: the certificate for "client.dom.ain" was issued by
-+"intermediate CA" which itself has a certificate of "root CA".
-+Create the client.pem file with: </p>
-+
-+<blockquote>
-+<pre>
-+cat client_cert.pem intermediate_CA.pem root_CA.pem &gt; client.pem
-+</pre>
-+</blockquote>
-+
-+<p> If you want the Postfix SMTP client to accept certificates
-+issued by these CAs, you can also add the CA certificates to the
-+smtp_tls_CAfile, in which case it is not necessary to have them in
-+the smtp_tls_cert_file or smtp_tls_dcert_file.  </p>
-+
-+<p> A Postfix SMTP client certificate supplied here must be usable
-+as SSL client certificate and hence pass the "openssl verify -purpose
-+sslclient
-+..." test. </p>
-+
-+<p> RSA key and certificate examples: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_tls_cert_file = /etc/postfix/client.pem
-+smtp_tls_key_file = $smtp_tls_cert_file
-+</pre>
-+</blockquote>
-+
-+<p> Their DSA counterparts: </p>
-+
-+<blockquote>
-+<pre>
-+smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
-+smtp_tls_dkey_file = $smtpd_tls_cert_file
-+</pre>  
-+</blockquote>
-+
-+<p> The Postfix SMTP client certificate was issued by a certification
-+authority (CA), the CA-cert of which must be provided with the CA
-+file if it is not already provided in the certificate file.  The
-+CA file may also contain the CA certificates of other trusted CAs.
-+You must use this file for the list of trusted CAs if you want to
-+use chroot-mode. No default is supplied for this value as of now.
-+</p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_tls_CAfile = /etc/postfix/CAcert.pem
-+</pre>
-+</blockquote>
-+
-+<p> To verify a remote SMTP server certificate, the Postfix SMTP
-+client needs to know the certificates of the issuing certification
-+authorities. These certificates in "pem" format are collected in
-+a directory. Don't forget to create the necessary "hash" links with
-+$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs. A typical place for
-+the CA certificates may also be $OPENSSL_HOME/certs, so there is
-+no default and you explicitly have to set the value here! </p>
-+
-+<p> To use this option in chroot mode, this directory itself or a
-+copy of it must be inside the chroot jail. </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_tls_CApath = /etc/postfix/certs
-+</pre>
-+</blockquote>
-+
-+<h3><a name="client_logging"> Client-side TLS activity logging </a> </h3>
-+
-+<p> To get additional information about Postfix SMTP client TLS
-+activity you can increase the loglevel from 0..4. Each logging
-+level also includes the information that is logged at a lower
-+logging level. </p>
-+
-+<blockquote>
-+
-+<table>
-+
-+<tr> <td> 0 </td> <td> Disable logging of TLS activity.</td> </tr>
-+
-+<tr> <td> 1 </td> <td> Log TLS handshake and certificate information.
-+</td> </tr>
-+
-+<tr> <td> 2 </td> <td> Log levels during TLS negotiation.  </td>
-+</tr>
-+
-+<tr> <td> 3 </td> <td> Log hexadecimal and ASCII dump of TLS
-+negotiation process </td> </tr>
-+
-+<tr> <td> 4 </td> <td> Log hexadecimal and ASCII dump of complete
-+transmission after STARTTLS </td> </tr>
-+
-+</table>
-+
-+</blockquote>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_tls_loglevel = 0
-+</pre>
-+</blockquote>
-+
-+<h3><a name="client_tls_cache">Client-side TLS session cache</a> </h3>
-+
-+<p> The remote SMTP server and the Postfix SMTP client negotiate a
-+session, which takes some computer time and network bandwidth.  By
-+default, this session information is cached only in the smtp(8)
-+process actually using this session and is lost when the process
-+terminates.  To share the session information between multiple
-+smtp(8) processes, a persistent session cache can be used based on
-+the SDBM databases (routines included in Postfix/TLS). Since
-+concurrent writing must be supported, only SDBM can be used. </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache
-+</pre>
-+</blockquote>
-+
-+<p> Cached Postfix SMTP client session information expires after
-+a certain amount of time.  Postfix/TLS does not use the OpenSSL
-+default of 300s, but a longer time of 3600s (=1 hour). RFC 2246
-+recommends a maximum of 24 hours.  </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_tls_session_cache_timeout = 3600s
-+</pre>
-+</blockquote>
-+
-+<h3><a name="client_tls"> Enabling TLS in the Postfix SMTP client </a>
-+</h3>
-+
-+<p> By default, TLS is disabled in the Postfix SMTP client, so no
-+difference to plain Postfix is visible.  If you enable TLS, the
-+Postfix SMTP client will send STARTTLS when TLS support is announced
-+by the remote SMTP server. </p>
-+
-+<p> WARNING: MS Exchange servers will announce STARTTLS support
-+even when the service is not configured, so that the TLS handshake
-+will fail.  It may be wise to not use this option on your central
-+mail hub, as you don't know in advance whether you are going to
-+connect to such a host. Instead, use the smtp_tls_per_site
-+recipient/site specific options that are described below. </p>
-+
-+<p> When the TLS handshake fails and no other server is available,
-+the Postfix SMTP client defers the delivery attempt, and the mail
-+stays in the queue.  </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_use_tls = yes
-+</pre>
-+</blockquote>
-+
-+<p> You can ENFORCE the use of TLS, so that the Postfix SMTP client
-+will not deliver mail over un-encrypted connections.  In this mode,
-+the remote SMTP server hostname must match the information in the
-+remote server certificate, and the server certificate must be issued
-+by a CA that is trusted by the Postfix SMTP client.  If the remote
-+server certificate doesn't verify or the remote SMTP server hostname
-+doesn't match, and no other server is available, the delivery
-+attempt is deferred and the mail stays in the queue.  </p>
-+
-+<p> The remote SMTP server hostname used in the check is beyond
-+question, as it must be the principal hostname (no CNAME allowed
-+here). Checks are performed against all names provided as dNSNames
-+in the SubjectAlternativeName. If no dNSNames are specified, the
-+CommonName is checked.  The behavior may be changed with the
-+smtp_tls_enforce_peername option which is discussed below. </p>
-+
-+<p> This option is useful only if you know that you will only
-+connect to servers that support RFC 2487 _and_ that present server
-+certificates that meet the above requirements.  An example would
-+be a client only sends email to one specific mailhub that offers
-+the necessary STARTTLS support.  </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_enforce_tls = no
-+</pre>
-+</blockquote>
-+
-+<p> As of RFC 2487 the requirements for hostname checking for MTA
-+clients are not set. When TLS is required (smtp_enforce_tls = yes),
-+the option smtp_tls_enforce_peername can be set to "no" to disable
-+strict remote SMTP server hostname checking. In this case, the mail
-+delivery will proceed regardless of the CommonName etc. listed in
-+the certificate. </p>
-+
-+<p> Note: the smtp_tls_enforce_peername setting has no effect on
-+sessions that are controlled via the smtp_tls_per_site table.  </p>
-+
-+<p>  Disabling the remote SMTP server hostname verification can
-+make sense in closed environment where special CAs are created.
-+If not used carefully, this option opens the danger of a
-+"man-in-the-middle" attack (the CommonName of this possible attacker
-+is logged). </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_tls_enforce_peername = yes
-+</pre>
-+</blockquote>
-+
-+<p> Generally, trying TLS can be a bad idea, as some servers offer
-+STARTTLS but the negotiation will fail leading to unexplainable
-+failures. Instead, it may be a good idea to choose the TLS usage
-+policy based on the recipient or the mailhub to which you are
-+connecting. </p>
-+
-+<p> Deciding the TLS usage policy per recipient may be difficult,
-+since a single email delivery attempt can involve several recipients.
-+Instead, use of TLS is controlled by the Postfix next-hop destination
-+domain name and by the remote SMTP server hostname.  If either of these
-+matches an entry in the smtp_tls_per_site table, appropriate action
-+is taken.  </p>
-+
-+<p> The remote SMTP server hostname is simply the DNS name of the
-+server that the Postfix SMTP client connects to.  The next-hop
-+destination is Postfix specific.  By default, this is the domain
-+name in the recipient address, but this information can be overruled
-+by the transport(5) table or by the relayhost parameter setting.
-+In these cases the relayhost etc. must be listed in the smtp_tls_per_site
-+table, instead of the recipient domain name. </p>
-+
-+<p> Format of the table: domain or host names are specified on the
-+left-hand side; no wildcards are allowed.  On the right hand side
-+specify one of the following keywords:  </p>
-+
-+<blockquote>
-+
-+<dl>
-+
-+<dt> NONE </dt> <dd> Don't use TLS at all. </dd>
-+
-+<dt> MAY </dt> <dd> Try to use STARTTLS if offered,
-+otherwise use the un-encrypted connection. </dd>
-+
-+<dt> MUST </dt> <dd> Require usage of STARTTLS, require that the
-+remote SMTP server hostname matches the information in the remote
-+SMTP server certificate, and require that the remote SMTP server
-+certificate was issued by a trusted CA. </dd>
-+
-+<dt> MUST_NOPEERMATCH </dt> <dd> Require usage of STARTTLS, but do
-+not require that the remote SMTP server hostname matches the
-+information in the remote SMTP server certificate, or that the
-+server certificate was issued by a trusted CA. </dd>
-+
-+</dl>
-+
-+</blockquote>
-+
-+<p> The actual TLS usage policy depends not only on whether the
-+next-hop destination or remote SMTP server hostname are found in
-+the smtp_tls_per_site table, but also on the smtp_enforce_tls
-+setting:  </p>
-+
-+<ul>
-+
-+<li> <p> If no match was found, the policy is applied as specified
-+with smtp_enforce_tls. </p>
-+
-+<li> <p> If a match was found, and the smtp_enforce_tls policy is
-+"enforce", NONE explicitly switches it off; otherwise the "enforce"
-+mode is used even for entries that specify MAY. </p>
-+
-+</ul>
-+
-+<p> Special hint for TLS enforcement mode:  since no secure DNS
-+lookup mechanism is available, mail can be delivered to the wrong
-+remote SMTP server. This is not prevented by specifying MUST for
-+the next-hop domain name.  The recommended setup is:  specify local
-+transport(5) table entries for sensitive domains with explicit
-+smtp:[mailhost] destinations (since you can assure security of this
-+table unlike DNS), then specify MUST for these mail hosts in the
-+smtp_tls_per_site table. </p>
-+
-+<!-- XXX What it we were to require that each MX host lists the
-+domain it is responsible for in its server certificate, and that
-+Postfix/TLS includes the next-hop domain name in the peer name
-+verification process? -->
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_tls_per_site = hash:/etc/postfix/tls_per_site
-+</pre>
-+</blockquote>
-+
-+<p> As we decide on a "per site" basis whether or not to use TLS,
-+it would be good to have a list of sites that offered "STARTTLS".
-+We can collect it ourselves with this option. </p>
-+
-+<p> If the smtp_tls_note_starttls_offer feature is enabled and a
-+server offers STARTTLS while TLS is not already enabled for that
-+server, the Postfix SMTP client logs a line as follows: </p>
-+
-+<blockquote>
-+<pre>
-+postfix/smtp[pid]: Host offered STARTTLS: [hostname.example.com]
-+</pre>
-+</blockquote>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_tls_note_starttls_offer = yes
-+</pre>
-+</blockquote>
-+
-+<h3><a name="client_vrfy_server">Server certificate verification</a> </h3>
-+
-+<p> When verifying a remote SMTP server certificate, a verification
-+depth of 1 is sufficient if the certificate is directly issued by
-+a CA specified with smtp_tls_CAfile or smtp_tls_CApath.  The default
-+value of 5 should also suffice for longer chains (root CA issues
-+special CA which then issues the actual certificate...) </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_tls_scert_verifydepth = 5
-+</pre>
-+</blockquote>
-+
-+<h3> <a name="client_cipher">Client-side cipher controls </a> </h3>
-+
-+<p> To influence the Postfix SMTP client cipher selection scheme,
-+you can give cipherlist string.  A detailed description would go
-+to far here, please refer to the openssl documentation.  If you
-+don't know what to do with it, simply don't touch it and leave the
-+(openssl-)compiled in default! </p>
-+
-+<p> DO NOT USE " to enclose the string, specify just the string!!! </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_tls_cipherlist = DEFAULT
-+</pre>
-+</blockquote>
-+
-+<h3> <a name="client_misc"> Miscellaneous client controls </a> </h3>
-+
-+<p> The smtp_starttls_timeout parameter limits the time of Postfix
-+SMTP client write and read operations during TLS startup and shutdown
-+handshake procedures.  In case of problems the Postfix SMTP client
-+tries the next network address on the mail exchanger list, and
-+defers delivery if no alternative server is available. </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+smtp_starttls_timeout = 300s
-+</pre>
-+</blockquote>
-+
-+<h2><a name="tlsmgr_controls"> TLS manager specific settings </a> </h2>
-+
-+<p> The security of cryptographic software such as TLS depends
-+critically on the ability to generate unpredictable numbers for
-+keys and other information. To this end, the tlsmgr(8) process
-+maintains a Pseudo Random Number Generator (PRNG) pool.  This is
-+a fixed-size 1024-byte exchange file that is read by the smtp(8)
-+and smtpd(8) processes when they initialize.  These processes also
-+add some more entropy to the file by stirring in their own time
-+and process id information.  </p>
-+
-+<p> The tlsmgr(8) process creates the file if it does not already
-+exist, and rewrites the file at random time intervals with information
-+from its in-memory PRNG pool.  The default location is under the
-+Postfix configuration directory, which is not the proper place for
-+information that is modified by Postfix.  Instead, the file location
-+should probably be on the /var partition (but _not_ inside the
-+chroot jail).  </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+tls_random_exchange_name = /etc/postfix/prng_exch
-+</pre>
-+</blockquote>
-+
-+<p> In order to feed its in-memory PRNG pool, the tlsmgr(8) reads
-+entropy from an external source, both at startup and during run-time.
-+Specify a good entropy source, like EGD or /dev/urandom; be sure
-+to only use non-blocking sources.  If the entropy source is not a
-+regular file, you must prepend the source type to the source name:
-+"dev:" for a device special file, or "egd:" for a source with EGD
-+compatible socket interface.  </p>
-+
-+<p> Examples (specify only one in main.cf): </p>
-+ 
-+<blockquote>
-+<pre>
-+tls_random_source = dev:/dev/urandom
-+tls_random_source = egd:/var/run/egd-pool
-+</pre>
-+</blockquote>
-+
-+<p> By default, tlsmgr(8) reads 32 bytes from the external entropy
-+source at each seeding event.  This amount (256bits) is more than
-+sufficient for generating a 128bit symmetric key.  With EGD and
-+device entropy sources, the tlsmgr(8) limits the amount of data
-+read at each step to 255 bytes. If you specify a regular file as
-+entropy source, a larger amount of data can be read.  </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+tls_random_bytes = 32
-+</pre>
-+</blockquote>
-+
-+<p> In order to update its in-memory PRNG pool, the tlsmgr(8)
-+queries the external entropy source again after a random amount of
-+time. The time is calculated using the PRNG, and is between 0 and
-+the maximal time specified with tls_random_reseed_period.  The
-+default maximal time interval is 1 hour. </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+tls_random_reseed_period = 3600s
-+</pre>
-+</blockquote>
-+
-+<p> The tlsmgr(8) re-generates the 1024 byte seed exchange file
-+after a random amount of time.  The time is calculated using the
-+PRNG, and is between 0 and the maximal time specified with
-+tls_random_update_period.  The default maximal time interval is 60
-+seconds. </p>
-+
-+<p> Example: </p>
-+ 
-+<blockquote>
-+<pre>
-+tls_random_prng_update_period = 60s
-+</pre>
-+</blockquote>
-+
-+<p> If you have an entropy source available that is not easily
-+drained (like /dev/urandom), the smtp(8) and smtpd(8) daemons can
-+load additional entropy on startup.  By default, an amount of 32
-+bytes is read, the equivalent to 256 bits. This is more than
-+sufficient to generate a 128bit (or 168bit) session key. However,
-+when Postfix needs to generate more than one key it can drain the
-+EGD. Consider the case of 50 smtp(8) processes starting up with a
-+full queue; this will request 1600bytes of entropy. This is however
-+not fatal, as long as "entropy" data can still be read from the
-+seed file that is maintained by tlsmgr(8). </p>
-+
-+<p> Examples: </p>
-+ 
-+<blockquote>
-+<pre>
-+tls_daemon_random_source = dev:/dev/urandom
-+tls_daemon_random_source = egd:/var/run/egd-pool
-+tls_daemon_random_bytes = 32
-+</pre>
-+</blockquote>
-+
-+<h2> <a name="problems"> Reporting problems </a> </h2>
-+
-+<p> When reporting a problem, please be thorough in the report.
-+Patches, when possible, are greatly appreciated too. </p>
-+
-+<p> Please differentiate when possible between: </p>
-+
-+<ul>
-+
-+<li> Problems in the IPv6 code: <postfix-ipv6 at stack.nl>
-+
-+<li> Problems in the TLS code: <postfix_tls at aet.tu-cottbus.de>
-+
-+<li> Problems in vanilla Postfix: <postfix-users at postfix.org>
-+
-+</ul>
-+
-+<h2><a name="credits">Credits </a> </h2>
-+
-+<ul>
-+
-+<li> TLS support for Postfix was originally developed by  Lutz
-+J&auml;nicke at Cottbus Technical University.
-+
-+<li> This part of the documentation was compiled by Wietse Venema
-+</p>
-+
-+</ul>
-+
-+</body>
-+
-+</html>
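Review bot: In the "Their DSA counterparts" example, "smtp_tls_dkey_file = $smtpd_tls_cert_file" points the client DSA key at the server-side (smtpd) certificate parameter. By analogy with the RSA example just above it ("smtp_tls_key_file = $smtp_tls_cert_file"), it should read "smtp_tls_dkey_file = $smtp_tls_dcert_file". Three smaller inconsistencies in the same file: the prose names tls_random_update_period while its example sets tls_random_prng_update_period; the client-certificate paragraph refers to permit_tls_client_certs where the access-control section defines permit_tls_clientcerts; and the tls_random_exchange_name example uses /etc/postfix/prng_exch directly after the text advises a location on /var outside the chroot jail.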
-diff -urNad postfix-release/README_FILES/IPV6_README /tmp/dpep.cXJuVH/postfix-release/README_FILES/IPV6_README
---- postfix-release/README_FILES/IPV6_README	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/README_FILES/IPV6_README	2005-02-03 10:22:13.048099363 -0700
-@@ -0,0 +1,158 @@
-+Postfix IPv6 / IPv6+TLS patch
-+Maintained by Dean C. Strik <dean at ipnet6.org>
-+
-+These patches add IPv6 support to Postfix. A combo TLS+IPv6 patch is
-+available as a replacement for Lutz Jaenicke's TLS patch.
-+
-+More information about these IPv6 patches can be found on Dean Strik's
-+postfix website at
-+	http://www.ipnet6.org/postfix/
-+
-+CONTENTS
-+---------
-+ - Supported platforms
-+ - Downloads
-+ - Installation
-+ - Configuration
-+ - Mailing list
-+ - Known issues
-+ - Reporting bugs
-+
-+SUPPORTED PLATFORMS
-+--------------------
-+
-+Currently, the following platforms are supported:
-+	- FreeBSD 4.x/5.x
-+	- OpenBSD 2.x/3.x
-+	- NetBSD 1.5+
-+	- Solaris 8/9
-+	- Linux 2.x
-+	- Darwin 7.3+
-+	- Tru64Unix V5.1+
-+Postfix may work on other versions of these operating systems or
-+other operating systems entirely. If you find a problem on one
-+of the above platforms, please contact me at <dean at ipnet6.org>.
-+
-+DOWNLOADS
-+----------
-+
-+The official download site is
-+
-+	http://www.ipnet6.org/postfix/
-+
-+Patches are offered as HTTP and FTP downloads here. To directly
-+access the files on the FTP server, use the following address:
-+
-+	ftp://ftp.stack.nl/pub/postfix/tls+ipv6/
-+
-+The patches are in gzipped context diff format.
-+
-+INSTALLATION
-+-------------
-+
-+The patch is distributed as a gzipped context diff. This used to
-+be unified diff (more readable), but it was changed because to
-+avoid unidiff limitations.
-+
-+We assume postfix is already extracted, to the directory
-+	postfix-2.1.1
-+
-+1. Decompress the patch:
-+	e.g.	$ gunzip tls+ipv6-1.24-pf-2.1.1.patch.gz
-+2. Change directory to the postfix source directory
-+	e.g.	$ cd postfix-2.1.1
-+3. Apply the patch
-+	e.g.	$ patch -s -p 1 < ../tls+ipv6-1.24-pf-2.1.1.patch
-+4. Build postfix. The IPv6 patch does not require additional environment
-+   variables or arguments to 'make'.
-+
-+CONFIGURATION
-+--------------
-+
-+In theory, no post-installation configuration of postfix is
-+required, although you may want to extend the value of the
-+'mynetworks' parameter to include the IPv6 networks the system is
-+in.
-+
-+Also you can restrict Postfix to use IPv6-only or IPv4-only by
-+changing the 'inet_interfaces' parameter.
-+
-+The main.cf parameters regarding IPv6 are documented in the file
-+'sample-ipv6.cf' in the samples/ directory.
-+
-+MAILING LISTS
-+--------------
-+
-+I've created two mailing lists about using IPv6 with Postfix.
-+There's a general list (postfix-ipv6) that can be used for discussion.
-+Also, there's an announcement-only list (postfix-ipv6-announce)
-+for people who only want to get the announcements.
-+All announcements are cross-posted to postfix-ipv6 though.
-+
-+List name:	postfix-ipv6
-+List type:	Discussion / general (incl. announcements)
-+List info:	http://lists.stack.nl/mailman/listinfo/postfix-ipv6
-+List archive:	http://lists.stack.nl/pipermail/postfix-ipv6
-+List admin:	Dean Strik <dean at ipnet6.org>
-+
-+List name:	postfix-ipv6-announce
-+List type:	Announcements only, moderated
-+List info:	http://lists.stack.nl/mailman/listinfo/postfix-ipv6-announce
-+List archive:	http://lists.stack.nl/pipermail/postfix-ipv6-announce
-+List admin:	Dean Strik <dean at ipnet6.org>
-+
-+KNOWN ISSUES
-+-------------
-+
-+The patch comes with an IPv6-ChangeLog file. Please always validate
-+whether you have the latest version. You can always download the
-+latest ChangeLog at
-+
-+	ftp://ftp.stack.nl/pub/postfix/tls+ipv6/ChangeLog
-+
-+The following 'issues' and todo items are known (none critical):
-+
-+ - It is not currently supported to use Postfix network daemons
-+   (such as smtp and smtpd) chrooted on Linux systems without
-+   mounting the proc filesystem under /var/spool/postfix/proc
-+   This is because the proc filesystem is required on Linux to
-+   obtain the system's IPv6 address information.
-+
-+ - The 'smtp_host_lookup' parameter is not effective with IPv6.
-+   This is because a different lookup mechanism is used that
-+   cannot easily disable the 'local' (i.e., non-DNS) lookups.
-+   Whether local files or the DNS are used first, is determined
-+   by your operating system, e.g. in /etc/nsswitch.conf or
-+   /etc/host.conf.
-+
-+ - The order of IPv6/IPv4 outgoing connection attempts is not
-+   yet configurable. This will be configurable in a later,
-+   soon to be released version. Currently, IPv6 is tried before
-+   IPv4.
-+
-+ - No IPv6 open relay checks. Since there is no IPv6 RBL service
-+   around at the moment (I'm considering setting one up but it's
-+   not a very hot issue), no lookups for IPv6 clients are ever done.
-+   Let's not have a lot of worthless DNS traffic. Of course, when
-+   this gets implemented, IPv6 client lookups will only be made
-+   to DNSBLs that support these.
-+
-+ - Tru64Unix: Using 'mynetworks_style = subnet' (which I do not
-+   recommend in any case...) causes Postfix to assume a /64 for
-+   all IPv6-connected IPv6 subnets. I have yet to find a good way
-+   for obtaining the prefixlength. Suggestions are welcome!
-+
-+REPORTING BUGS
-+---------------
-+
-+Of course there may be bugs in the patch. Please report bugs in the
-+patch to <dean at ipnet6.org>. Please be thorough in the report.
-+Patches, when possible, are greatly appreciated too!
-+
-+Please differentiate when possible between
-+ - Problems in vanilla Postfix:	<mailto:postfix-users at postfix.org>
-+ - Problems in Lutz' TLS patch:	<mailto:postfix_tls at aet.tu-cottbus.de>
-+ - Problems in the IPv6 code:	<mailto:postfix-ipv6 at stack.nl>
-+
-+-- 
-+Dean Strik <dean at ipnet6.org>
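Review bot: Missing documentation after this removal: the KNOWN ISSUES list deleted at the end of this file is where the IPv6 caveats are recorded (chrooted smtp and smtpd on Linux need proc mounted under /var/spool/postfix/proc, no DNSBL lookups are ever done for IPv6 clients, and 'mynetworks_style = subnet' assumes a /64 on Tru64Unix). If the IPv6 code is still applied by one of the dpatch files added in this revision, carry these caveats over with it; the absent open relay checks in particular are something an administrator enabling IPv6 needs to know about.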
-diff -urNad postfix-release/README_FILES/SASL_README /tmp/dpep.cXJuVH/postfix-release/README_FILES/SASL_README
---- postfix-release/README_FILES/SASL_README	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/README_FILES/SASL_README	2005-02-03 10:22:13.048099363 -0700
-@@ -12,6 +12,9 @@
- 
- HHooww PPoossttffiixx uusseess SSAASSLL aauutthheennttiiccaattiioonn iinnffoorrmmaattiioonn
- 
-+Note: To use SASL support on Debian GNU/Linux, you must install the
-+postfix-tls package.
-+
- Postfix SASL support (RFC 2554) can be used to authenticate remote SMTP clients
- to the Postfix SMTP server, and to authenticate the Postfix SMTP client to a
- remote SMTP server.
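Review bot: The sentence added at +12, "you must install the postfix-tls package", names a package whose packaging files (postfix-tls.dirs, postfix-tls.postinst and the others listed under Removed) go away in this same revision, so deleting it is consistent. Please confirm that none of the dpatch files added in this revision reintroduces the same note against SASL_README, otherwise the README will direct users to a package whose packaging has been removed.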
-@@ -123,21 +126,21 @@
-         smtpd_recipient_restrictions =
-             permit_mynetworks permit_sasl_authenticated ...
- 
--In /usr/local/lib/sasl/smtpd.conf (SASL version 1.5.5) or /usr/local/lib/sasl2/
--smtpd.conf (SASL version 2.1.1) you need to specify how the server should
--validate client passwords.
--
--In order to authenticate against the UNIX password database, try:
--
--(SASL version 1.5.5)
-+In /etc/postfix/sasl/smtpd.conf you need to specify how the server
-+should validate client passwords. 
- 
--    /usr/local/lib/sasl/smtpd.conf:
--        pwcheck_method: pwcheck
-+IMPORTANT: If you configure SASL to use PAM (pluggable authentication
-+modules) authentication, the Postfix SMTP server will abort because
-+the SASL password file does not exist (default:  /etc/sasldb in
-+version 1.5.5, or /etc/sasldb2 in version 2.1.1). To fix, disable
-+CRAM-MD5 authentication by specifying 'mech_list: PLAIN LOGIN ANONYMOUS'
-+in /etc/postfix/sasl/smtpd.conf, or by deleting /usr/lib/sasl/libcrammd5.so
-+(for version 1.5.5).
- 
--(SASL version 2.1.1)
-+In order to authenticate against the UNIX password database, try:
- 
--    /usr/local/lib/sasl2/smtpd.conf:
--        pwcheck_method: pwcheck
-+    /etc/postfix/sasl/smtpd.conf:
-+	pwcheck_method: pwcheck
- 
- The name of the file in /usr/local/lib/sasl (SASL version 1.5.5) or /usr/local/
- lib/sasl2 (SASL version 2.1.1) used by the SASL library for configuration can
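Review bot: Path inconsistency in this hunk: the rewritten lines tell the reader to edit /etc/postfix/sasl/smtpd.conf, but the unchanged context right after them still says the configuration file lives in /usr/local/lib/sasl or /usr/local/lib/sasl2, so the patched README contradicts itself. Any replacement for this patch should adjust that paragraph as well. Two smaller points: the added "pwcheck_method: pwcheck" line is indented with a tab where the surrounding examples use spaces, and of the two workarounds in the IMPORTANT paragraph, setting mech_list in smtpd.conf is the one to recommend on a packaged system rather than deleting /usr/lib/sasl/libcrammd5.so.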
-@@ -151,16 +154,9 @@
- IMPORTANT: postfix processes need to have group read+execute permission for the
- /var/pwcheck directory, otherwise authentication attempts will fail.
- 
--Alternately, in SASL 1.5.26 and later (including 2.1.1), try:
--
--(SASL version 1.5.26)
--
--    /usr/local/lib/sasl/smtpd.conf:
--        pwcheck_method: saslauthd
--
--(SASL version 2.1.1)
-+Alternately, in SASL 2.1.1 and later, try:
- 
--    /usr/local/lib/sasl2/smtpd.conf:
-+    /etc/postfix/sasl/smtpd.conf:
-         pwcheck_method: saslauthd
- 
- The saslauthd daemon is also contained in the cyrus-sasl source tarball. It is
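Review bot: The version statement narrows from "SASL 1.5.26 and later (including 2.1.1)" to "SASL 2.1.1 and later", yet the previous hunk of the same file still gives instructions for version 1.5.5 (the /etc/sasldb default and libcrammd5.so). The README should state once which SASL versions the Debian build targets; as written, a reader cannot tell whether saslauthd with SASL 1.x is unsupported or just no longer documented.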
-@@ -169,15 +165,8 @@
- 
- In order to authenticate against SASL's own password database:
- 
--(SASL version 1.5.5)
--
--    /usr/local/lib/sasl/smtpd.conf:
--        pwcheck_method:  sasldb
--
--(SASL version 2.1.1)
--
--    /usr/local/lib/sasl2/smtpd.conf:
--        pwcheck_method:  auxprop
-+    /etc/postfix/sasl/smtpd.conf:
-+	pwcheck_method:  sasldb
- 
- This will use the SASL password file (default: /etc/sasldb in version 1.5.5, or
- /etc/sasldb2 in version 2.1.1), which is maintained with the saslpasswd or
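Review bot: Logic problem in the replacement lines: the two version-specific settings are collapsed into "pwcheck_method:  sasldb", which was the SASL 1.5.5 value, and the SASL 2.1.1 value "pwcheck_method:  auxprop" is dropped, while the context that follows still describes /etc/sasldb2 for version 2.1.1. A reader on SASL 2 following the patched README is given the version 1 keyword. If this text is carried into a replacement patch, keep the auxprop variant or say which SASL version the single example applies to.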
-diff -urNad postfix-release/README_FILES/TLS_README /tmp/dpep.cXJuVH/postfix-release/README_FILES/TLS_README
---- postfix-release/README_FILES/TLS_README	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/README_FILES/TLS_README	2005-02-03 10:22:13.049099140 -0700
-@@ -0,0 +1,731 @@
-+PPoossttffiixx TTLLSS SSuuppppoorrtt
-+
-+-------------------------------------------------------------------------------
-+
-+PPuurrppoossee ooff tthhiiss ddooccuummeenntt
-+
-+This document describes how to configure the Transport Layer Security (TLS)
-+support in the Postfix SMTP client and Postfix SMTP server, and how to
-+configure the TLS manager daemon that maintains the Pseudo Random Number
-+Generator (PRNG) pool and the TLS session cache information.
-+
-+Topics covered in this document:
-+
-+  * SMTP Server specific settings
-+  * SMTP Client specific settings
-+  * TLS manager specific settings
-+  * Reporting problems
-+  * Credits
-+
-+SSMMTTPP SSeerrvveerr ssppeecciiffiicc sseettttiinnggss
-+
-+Topics covered in this section:
-+
-+  * Server-side certificate and private key configuration
-+  * Server-side TLS activity logging
-+  * Enabling TLS in the Postfix SMTP server
-+  * Client certificate verification
-+  * Supporting AUTH over TLS only
-+  * Server-side TLS session cache
-+  * Server access control
-+  * Server-side cipher controls
-+  * Miscellaneous server controls
-+
-+SSeerrvveerr--ssiiddee cceerrttiiffiiccaattee aanndd pprriivvaattee kkeeyy ccoonnffiigguurraattiioonn
-+
-+In order to use TLS, the Postfix SMTP server needs a certificate and a private
-+key. Both must be in "pem" format. The private key must not be encrypted,
-+meaning: the key must be accessible without password. Both certificate and
-+private key may be in the same file.
-+
-+Both RSA and DSA certificates are supported. Typically you will only have RSA
-+certificates issued by a commercial CA. In addition, the tools supplied with
-+OpenSSL will by default issue RSA certificates. You can have both at the same
-+time, in which case the cipher used determines which certificate is presented.
-+For Netscape and OpenSSL clients without special cipher choices, the RSA
-+certificate is preferred.
-+
-+In order for remote SMTP clients to check the Postfix SMTP server certificates,
-+the CA certificate (in case of a certificate chain, all CA certificates) must
-+be available. You should add these certificates to the server certificate, the
-+server certificate first, then the issuing CA(s).
-+
-+Example: the certificate for "server.dom.ain" was issued by "intermediate CA"
-+which itself has a certificate issued by "root CA". Create the server.pem file
-+with:
-+
-+    cat server_cert.pem intermediate_CA.pem root_CA.pem > server.pem
-+
-+If you want the Postfix SMTP server to accept remote SMTP client certificates
-+issued by these CAs, you can also add the CA certificates to the
-+smtpd_tls_CAfile, in which case it is not necessary to have them in the
-+smtpd_tls_cert_file or smtpd_tls_dcert_file.
-+
-+A Postfix SMTP server certificate supplied here must be usable as SSL server
-+certificate and hence pass the "openssl verify -purpose sslserver ..." test.
-+
-+RSA key and certificate examples:
-+
-+    smtpd_tls_cert_file = /etc/postfix/server.pem
-+    smtpd_tls_key_file = $smtpd_tls_cert_file
-+
-+Their DSA counterparts:
-+
-+    smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
-+    smtpd_tls_dkey_file = $smtpd_tls_dcert_file
-+
-+The Postfix SMTP server certificate was issued by a certification authority
-+(CA), the CA-cert of which must be provided with the CA file if it is not
-+already provided in the certificate file. The CA file may also contain the CA
-+certificates of other trusted CAs. You must use this file for the list of
-+trusted CAs if you want to use chroot-mode. No default is supplied for this
-+value as of now.
-+
-+Example:
-+
-+    smtpd_tls_CAfile = /etc/postfix/CAcert.pem
-+
-+To verify a remote SMTP client certificate, the Postfix SMTP server needs to
-+know the certificates of the issuing certification authorities. These
-+certificates in "pem" format are collected in a directory. The same CA
-+certificates are offered to clients for client verification. Don't forget to
-+create the necessary "hash" links with $OPENSSL_HOME/bin/c_rehash /etc/postfix/
-+certs. A typical place for the CA certificates may also be $OPENSSL_HOME/certs,
-+so there is no default and you explicitly have to set the value here!
-+
-+To use this option in chroot mode, this directory itself or a copy of it must
-+be inside the chroot jail. Please note also, that the CAs in this directory are
-+not listed to the client, so that e.g. Netscape might not offer certificates
-+issued by them. For this reason, the use of this feature is discouraged.
-+
-+Example:
-+
-+    smtpd_tls_CApath = /etc/postfix/certs
-+
-+SSeerrvveerr--ssiiddee TTLLSS aaccttiivviittyy llooggggiinngg
-+
-+To get additional information about Postfix SMTP server TLS activity you can
-+increase the loglevel from 0..4. Each logging level also includes the
-+information that is logged at a lower logging level.
-+
-+    0 Disable logging of TLS activity.
-+
-+    1 Log TLS handshake and certificate information.
-+
-+    2 Log levels during TLS negotiation.
-+
-+    3 Log hexadecimal and ASCII dump of TLS negotiation process
-+
-+    4 Log hexadecimal and ASCII dump of complete transmission after STARTTLS
-+
-+Use loglevel 3 only in case of problems. Use of loglevel 4 is strongly
-+discouraged.
-+
-+Example:
-+
-+    smtpd_tls_loglevel = 0
-+
-+To include information about the protocol and cipher used as well as the client
-+and issuer CommonName into the "Received:" message header, set the
-+smtpd_tls_received_header variable to true. The default is no, as the
-+information is not necessarily authentic. Only information recorded at the
-+final destination is reliable, since the headers may be changed by intermediate
-+servers.
-+
-+Example:
-+
-+    smtpd_tls_received_header = yes
-+
-+EEnnaabblliinngg TTLLSS iinn tthhee PPoossttffiixx SSMMTTPP sseerrvveerr
-+
-+By default, TLS is disabled in the Postfix SMTP server, so no difference to
-+plain Postfix is visible. Explicitly switch it on using "smtpd_use_tls = yes".
-+
-+Example:
-+
-+    smtpd_use_tls = yes
-+
-+Note: when an unprivileged user invokes "sendmail -bs", STARTTLS is never
-+offered due to insufficient privileges to access the server private key. This
-+is intended behavior.
-+
-+You can ENFORCE the use of TLS, so that the Postfix SMTP server accepts no
-+commands (except QUIT of course) without TLS encryption, by setting
-+"smtpd_enforce_tls = yes". According to RFC 2487 this MUST NOT be applied in
-+case of a publicly-referenced Postfix SMTP server. So this option is off by
-+default and should only seldom be used. Using this option implies
-+"smtpd_use_tls = yes".
-+
-+Example:
-+
-+    smtpd_enforce_tls = yes
-+
-+Besides RFC 2487 some clients, namely Outlook [Express] prefer to run the non-
-+standard "wrapper" mode, not the STARTTLS enhancement to SMTP. This is true for
-+OE (Win32 < 5.0 and Win32 >=5.0 when run on a port<>25 and OE (5.01 Mac on all
-+ports).
-+
-+It is strictly discouraged to use this mode from main.cf. If you want to
-+support this service, enable a special port in master.cf and specify "-
-+o smtpd_tls_wrappermode = yes" as an smtpd(8) command line option. Port 465
-+(smtps) was once chosen for this feature.
-+
-+Example:
-+
-+    smtpd_tls_wrappermode = no
-+
-+CClliieenntt cceerrttiiffiiccaattee vveerriiffiiccaattiioonn
-+
-+To receive a remote SMTP client certificate, the Postfix SMTP server must
-+explicitly ask for one by sending the $smtpd_tls_CAfile certificates to the
-+client. Unfortunately, Netscape clients will either complain if no matching
-+client certificate is available or will offer the user client a list of
-+certificates to choose from. This might be annoying, so this option is "off" by
-+default. You will however need the certificate if you want to use certificate
-+based relaying with, for example, the permit_tls_client_certs feature.
-+
-+Example:
-+
-+    smtpd_tls_ask_ccert = no
-+
-+You may also decide to REQUIRE a remote SMTP client certificate before allowing
-+TLS connections. This feature is included for completeness, and implies
-+"smtpd_tls_ask_ccert = yes".
-+
-+Please be aware, that this will inhibit TLS connections without a proper client
-+certificate and that it makes sense only when non-TLS submission is disabled
-+(smtpd_enforce_tls = yes). Otherwise, clients could bypass the restriction by
-+simply not using STARTTLS at all.
-+
-+When TLS is not enforced, the connection will be handled as if only
-+"smtpd_tls_ask_ccert = yes" is specified, and a warning is logged.
-+
-+Example:
-+
-+    smtpd_tls_req_ccert = no
-+
-+A client certificate verification depth of 1 is sufficient if the certificate
-+is directly issued by a CA listed in the CA file. The default value (5) should
-+also suffice for longer chains (root CA issues special CA which then issues the
-+actual certificate...)
-+
-+Example:
-+
-+    smtpd_tls_ccert_verifydepth = 5
-+
-+SSuuppppoorrttiinngg AAUUTTHH oovveerr TTLLSS oonnllyy
-+
-+Sending AUTH data over an un-encrypted channel poses a security risk. When TLS
-+layer encryption is required (smtpd_enforce_tls = yes), the Postfix SMTP server
-+will announce and accept AUTH only after the TLS layer has been activated with
-+STARTTLS. When TLS layer encryption is optional (smtpd_enforce_tls = no), it
-+may however still be useful to only offer AUTH when TLS is active. To maintain
-+compatibility with non-TLS clients, the default is to accept AUTH without
-+encryption. In order to change this behavior, set "smtpd_tls_auth_only = yes".
-+
-+Example:
-+
-+    smtpd_tls_auth_only = no
-+
-+SSeerrvveerr--ssiiddee TTLLSS sseessssiioonn ccaacchhee
-+
-+The Postfix SMTP server and the remote SMTP client negotiate a session, which
-+takes some computer time and network bandwidth. By default, this session
-+information is cached only in the smtpd(8) process actually using this session
-+and is lost when the process terminates. To share the session information
-+between multiple smtpd(8) processes, a persistent session cache can be used
-+based on the SDBM databases (routines included in Postfix/TLS). Since
-+concurrent writing must be supported, only SDBM can be used.
-+
-+Example:
-+
-+    smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
-+
-+Cached Postfix SMTP server session information expires after a certain amount
-+of time. Postfix/TLS does not use the OpenSSL default of 300s, but a longer
-+time of 3600sec (=1 hour). RFC 2246 recommends a maximum of 24 hours.
-+
-+Example:
-+
-+    smtpd_tls_session_cache_timeout = 3600s
-+
-+SSeerrvveerr aacccceessss ccoonnttrrooll
-+
-+Postfix TLS support introduces two additional features for Postfix SMTP server
-+access control:
-+
-+    permit_tls_clientcerts
-+        Allow the remote SMTP client SMTP request if the client certificate
-+        passes verification, and if its fingerprint is listed in the list of
-+        client certificates (see relay_clientcerts discussion below).
-+
-+    permit_tls_all_clientcerts
-+        Allow the remote client SMTP request if the client certificate passes
-+        verification.
-+
-+The permit_tls_all_clientcerts feature must be used with caution, because it
-+can result in too many access permissions. Use this feature only if a special
-+CA issues the client certificates, and only if this CA is listed as trusted CA.
-+If other CAs are trusted, any owner of a valid client certificate would be
-+authorized. The permit_tls_all_clientcerts feature can be practical for a
-+specially created email relay server.
-+
-+It is however recommended to stay with the permit_tls_clientcerts feature and
-+list all certificates via $relay_clientcerts, as permit_tls_all_clientcerts
-+does not permit any control when a certificate must no longer be used (e.g. an
-+employee leaving).
-+
-+Example:
-+
-+    smtpd_recipient_restrictions =
-+        ...
-+        permit_tls_clientcerts
-+        reject_unauth_destination
-+        ...
-+
-+The Postfix list manipulation routines give special treatment to whitespace and
-+some other characters, making the use of certificate names unpractical. Instead
-+we use the certificate fingerprints as they are difficult to fake but easy to
-+use for lookup. Postfix lookup tables are in the form of (key, value) pairs.
-+Since we only need the key, the value can be chosen freely, e.g. the name of
-+the user or host:
-+
-+    D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home
-+
-+Example:
-+
-+    relay_clientcerts = hash:/etc/postfix/relay_clientcerts
-+
-+SSeerrvveerr--ssiiddee cciipphheerr ccoonnttrroollss
-+
-+To influence the Postfix SMTP server cipher selection scheme, you can give
-+cipherlist string. A detailed description would go to far here, please refer to
-+the openssl documentation. If you don't know what to do with it, simply don't
-+touch it and leave the (openssl-)compiled in default!
-+
-+DO NOT USE " to enclose the string, specify just the string!!!
-+
-+Example:
-+
-+    smtpd_tls_cipherlist = DEFAULT
-+
-+If you want to take advantage of ciphers with EDH, DH parameters are needed.
-+Instead of using the built-in DH parameters for both 1024bit and 512bit, it is
-+better to generate "own" parameters, since otherwise it would "pay" for a
-+possible attacker to start a brute force attack against parameters that are
-+used by everybody. For this reason, the parameters chosen are already different
-+from those distributed with other TLS packages.
-+
-+To generate your own set of DH parameters, use:
-+
-+    openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024
-+    openssl gendh -out /etc/postfix/dh_512.pem -2 -rand /var/run/egd-pool 512
-+
-+Your source for "entropy" might vary; some systems have /dev/random; on other
-+systems you might consider the "Entropy Gathering Daemon EGD", available at
-+http://www.lothar.com/tech/crypto/.
-+
-+Examples:
-+
-+    smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
-+    smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
-+
-+MMiisscceellllaanneeoouuss sseerrvveerr ccoonnttrroollss
-+
-+The smtpd_starttls_timeout parameter limits the time of Postfix SMTP server
-+write and read operations during TLS startup and shutdown handshake procedures.
-+
-+Example:
-+
-+    smtpd_starttls_timeout = 300s
-+
-+SSMMTTPP CClliieenntt ssppeecciiffiicc sseettttiinnggss
-+
-+Topics covered in this section:
-+
-+  * Client-side certificate and private key configuration
-+  * Client-side TLS activity logging
-+  * Client-side TLS session cache
-+  * Enabling TLS in the Postfix SMTP client
-+  * Server certificate verification
-+  * Client-side cipher controls
-+  * Miscellaneous client controls
-+
-+CClliieenntt--ssiiddee cceerrttiiffiiccaattee aanndd pprriivvaattee kkeeyy ccoonnffiigguurraattiioonn
-+
-+During TLS startup negotiation the Postfix SMTP client may present a
-+certificate to the remote SMTP server. The Netscape client is rather clever
-+here and lets the user select between only those certificates that match CA
-+certificates offered by the remote SMTP server. As the Postfix SMTP client uses
-+the "SSL_connect()" function from the OpenSSL package, this is not possible and
-+we have to choose just one certificate. So for now the default is to use _no_
-+certificate and key unless one is explicitly specified here.
-+
-+Both RSA and DSA certificates are supported. You can have both at the same
-+time, in which case the cipher used determines which certificate is presented.
-+
-+It is possible for the Postfix SMTP client to use the same key/certificate pair
-+as the Postfix SMTP server. If a certificate is to be presented, it must be in
-+"pem" format. The private key must not be encrypted, meaning: it must be
-+accessible without password. Both parts (certificate and private key) may be in
-+the same file.
-+
-+In order for remote SMTP servers to verify the Postfix SMTP client
-+certificates, the CA certificate (in case of a certificate chain, all CA
-+certificates) must be available. You should add these certificates to the
-+client certificate, the client certificate first, then the issuing CA(s).
-+
-+Example: the certificate for "client.dom.ain" was issued by "intermediate CA"
-+which itself has a certificate of "root CA". Create the client.pem file with:
-+
-+    cat client_cert.pem intermediate_CA.pem root_CA.pem > client.pem
-+
-+If you want the Postfix SMTP client to accept certificates issued by these CAs,
-+you can also add the CA certificates to the smtp_tls_CAfile, in which case it
-+is not necessary to have them in the smtp_tls_cert_file or smtp_tls_dcert_file.
-+
-+A Postfix SMTP client certificate supplied here must be usable as SSL client
-+certificate and hence pass the "openssl verify -purpose sslclient ..." test.
-+
-+RSA key and certificate examples:
-+
-+    smtp_tls_cert_file = /etc/postfix/client.pem
-+    smtp_tls_key_file = $smtp_tls_cert_file
-+
-+Their DSA counterparts:
-+
-+    smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
-+    smtp_tls_dkey_file = $smtpd_tls_cert_file
-+
-+The Postfix SMTP client certificate was issued by a certification authority
-+(CA), the CA-cert of which must be provided with the CA file if it is not
-+already provided in the certificate file. The CA file may also contain the CA
-+certificates of other trusted CAs. You must use this file for the list of
-+trusted CAs if you want to use chroot-mode. No default is supplied for this
-+value as of now.
-+
-+Example:
-+
-+    smtp_tls_CAfile = /etc/postfix/CAcert.pem
-+
-+To verify a remote SMTP server certificate, the Postfix SMTP client needs to
-+know the certificates of the issuing certification authorities. These
-+certificates in "pem" format are collected in a directory. Don't forget to
-+create the necessary "hash" links with $OPENSSL_HOME/bin/c_rehash /etc/postfix/
-+certs. A typical place for the CA certificates may also be $OPENSSL_HOME/certs,
-+so there is no default and you explicitly have to set the value here!
-+
-+To use this option in chroot mode, this directory itself or a copy of it must
-+be inside the chroot jail.
-+
-+Example:
-+
-+    smtp_tls_CApath = /etc/postfix/certs
-+
-+CClliieenntt--ssiiddee TTLLSS aaccttiivviittyy llooggggiinngg
-+
-+To get additional information about Postfix SMTP client TLS activity you can
-+increase the loglevel from 0..4. Each logging level also includes the
-+information that is logged at a lower logging level.
-+
-+    0 Disable logging of TLS activity.
-+
-+    1 Log TLS handshake and certificate information.
-+
-+    2 Log levels during TLS negotiation.
-+
-+    3 Log hexadecimal and ASCII dump of TLS negotiation process
-+
-+    4 Log hexadecimal and ASCII dump of complete transmission after STARTTLS
-+
-+Example:
-+
-+    smtp_tls_loglevel = 0
-+
-+CClliieenntt--ssiiddee TTLLSS sseessssiioonn ccaacchhee
-+
-+The remote SMTP server and the Postfix SMTP client negotiate a session, which
-+takes some computer time and network bandwidth. By default, this session
-+information is cached only in the smtp(8) process actually using this session
-+and is lost when the process terminates. To share the session information
-+between multiple smtp(8) processes, a persistent session cache can be used
-+based on the SDBM databases (routines included in Postfix/TLS). Since
-+concurrent writing must be supported, only SDBM can be used.
-+
-+Example:
-+
-+    smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache
-+
-+Cached Postfix SMTP client session information expires after a certain amount
-+of time. Postfix/TLS does not use the OpenSSL default of 300s, but a longer
-+time of 3600s (=1 hour). RFC 2246 recommends a maximum of 24 hours.
-+
-+Example:
-+
-+    smtp_tls_session_cache_timeout = 3600s
-+
-+EEnnaabblliinngg TTLLSS iinn tthhee PPoossttffiixx SSMMTTPP cclliieenntt
-+
-+By default, TLS is disabled in the Postfix SMTP client, so no difference to
-+plain Postfix is visible. If you enable TLS, the Postfix SMTP client will send
-+STARTTLS when TLS support is announced by the remote SMTP server.
-+
-+WARNING: MS Exchange servers will announce STARTTLS support even when the
-+service is not configured, so that the TLS handshake will fail. It may be wise
-+to not use this option on your central mail hub, as you don't know in advance
-+whether you are going to connect to such a host. Instead, use the
-+smtp_tls_per_site recipient/site specific options that are described below.
-+
-+When the TLS handshake fails and no other server is available, the Postfix SMTP
-+client defers the delivery attempt, and the mail stays in the queue.
-+
-+Example:
-+
-+    smtp_use_tls = yes
-+
-+You can ENFORCE the use of TLS, so that the Postfix SMTP client will not
-+deliver mail over un-encrypted connections. In this mode, the remote SMTP
-+server hostname must match the information in the remote server certificate,
-+and the server certificate must be issued by a CA that is trusted by the
-+Postfix SMTP client. If the remote server certificate doesn't verify or the
-+remote SMTP server hostname doesn't match, and no other server is available,
-+the delivery attempt is deferred and the mail stays in the queue.
-+
-+The remote SMTP server hostname used in the check is beyond question, as it
-+must be the principal hostname (no CNAME allowed here). Checks are performed
-+against all names provided as dNSNames in the SubjectAlternativeName. If no
-+dNSNames are specified, the CommonName is checked. The behavior may be changed
-+with the smtp_tls_enforce_peername option which is discussed below.
-+
-+This option is useful only if you know that you will only connect to servers
-+that support RFC 2487 _and_ that present server certificates that meet the
-+above requirements. An example would be a client only sends email to one
-+specific mailhub that offers the necessary STARTTLS support.
-+
-+Example:
-+
-+    smtp_enforce_tls = no
-+
-+As of RFC 2487 the requirements for hostname checking for MTA clients are not
-+set. When TLS is required (smtp_enforce_tls = yes), the option
-+smtp_tls_enforce_peername can be set to "no" to disable strict remote SMTP
-+server hostname checking. In this case, the mail delivery will proceed
-+regardless of the CommonName etc. listed in the certificate.
-+
-+Note: the smtp_tls_enforce_peername setting has no effect on sessions that are
-+controlled via the smtp_tls_per_site table.
-+
-+Disabling the remote SMTP server hostname verification can make sense in closed
-+environment where special CAs are created. If not used carefully, this option
-+opens the danger of a "man-in-the-middle" attack (the CommonName of this
-+possible attacker is logged).
-+
-+Example:
-+
-+    smtp_tls_enforce_peername = yes
-+
-+Generally, trying TLS can be a bad idea, as some servers offer STARTTLS but the
-+negotiation will fail leading to unexplainable failures. Instead, it may be a
-+good idea to choose the TLS usage policy based on the recipient or the mailhub
-+to which you are connecting.
-+
-+Deciding the TLS usage policy per recipient may be difficult, since a single
-+email delivery attempt can involve several recipients. Instead, use of TLS is
-+controlled by the Postfix next-hop destination domain name and by the remote
-+SMTP server hostname. If either of these matches an entry in the
-+smtp_tls_per_site table, appropriate action is taken.
-+
-+The remote SMTP server hostname is simply the DNS name of the server that the
-+Postfix SMTP client connects to. The next-hop destination is Postfix specific.
-+By default, this is the domain name in the recipient address, but this
-+information can be overruled by the transport(5) table or by the relayhost
-+parameter setting. In these cases the relayhost etc. must be listed in the
-+smtp_tls_per_site table, instead of the recipient domain name.
-+
-+Format of the table: domain or host names are specified on the left-hand side;
-+no wildcards are allowed. On the right hand side specify one of the following
-+keywords:
-+
-+    NONE
-+        Don't use TLS at all.
-+    MAY
-+        Try to use STARTTLS if offered, otherwise use the un-encrypted
-+        connection.
-+    MUST
-+        Require usage of STARTTLS, require that the remote SMTP server hostname
-+        matches the information in the remote SMTP server certificate, and
-+        require that the remote SMTP server certificate was issued by a trusted
-+        CA.
-+    MUST_NOPEERMATCH
-+        Require usage of STARTTLS, but do not require that the remote SMTP
-+        server hostname matches the information in the remote SMTP server
-+        certificate, or that the server certificate was issued by a trusted CA.
-+
-+The actual TLS usage policy depends not only on whether the next-hop
-+destination or remote SMTP server hostname are found in the smtp_tls_per_site
-+table, but also on the smtp_enforce_tls setting:
-+
-+  * If no match was found, the policy is applied as specified with
-+    smtp_enforce_tls.
-+
-+  * If a match was found, and the smtp_enforce_tls policy is "enforce", NONE
-+    explicitly switches it off; otherwise the "enforce" mode is used even for
-+    entries that specify MAY.
-+
-+Special hint for TLS enforcement mode: since no secure DNS lookup mechanism is
-+available, mail can be delivered to the wrong remote SMTP server. This is not
-+prevented by specifying MUST for the next-hop domain name. The recommended
-+setup is: specify local transport(5) table entries for sensitive domains with
-+explicit smtp:[mailhost] destinations (since you can assure security of this
-+table unlike DNS), then specify MUST for these mail hosts in the
-+smtp_tls_per_site table.
-+
-+Example:
-+
-+    smtp_tls_per_site = hash:/etc/postfix/tls_per_site
-+
-+As we decide on a "per site" basis whether or not to use TLS, it would be good
-+to have a list of sites that offered "STARTTLS". We can collect it ourselves
-+with this option.
-+
-+If the smtp_tls_note_starttls_offer feature is enabled and a server offers
-+STARTTLS while TLS is not already enabled for that server, the Postfix SMTP
-+client logs a line as follows:
-+
-+    postfix/smtp[pid]: Host offered STARTTLS: [hostname.example.com]
-+
-+Example:
-+
-+    smtp_tls_note_starttls_offer = yes
-+
-+SSeerrvveerr cceerrttiiffiiccaattee vveerriiffiiccaattiioonn
-+
-+When verifying a remote SMTP server certificate, a verification depth of 1 is
-+sufficient if the certificate is directly issued by a CA specified with
-+smtp_tls_CAfile or smtp_tls_CApath. The default value of 5 should also suffice
-+for longer chains (root CA issues special CA which then issues the actual
-+certificate...)
-+
-+Example:
-+
-+    smtp_tls_scert_verifydepth = 5
-+
-+CClliieenntt--ssiiddee cciipphheerr ccoonnttrroollss
-+
-+To influence the Postfix SMTP client cipher selection scheme, you can give
-+cipherlist string. A detailed description would go to far here, please refer to
-+the openssl documentation. If you don't know what to do with it, simply don't
-+touch it and leave the (openssl-)compiled in default!
-+
-+DO NOT USE " to enclose the string, specify just the string!!!
-+
-+Example:
-+
-+    smtp_tls_cipherlist = DEFAULT
-+
-+MMiisscceellllaanneeoouuss cclliieenntt ccoonnttrroollss
-+
-+The smtp_starttls_timeout parameter limits the time of Postfix SMTP client
-+write and read operations during TLS startup and shutdown handshake procedures.
-+In case of problems the Postfix SMTP client tries the next network address on
-+the mail exchanger list, and defers delivery if no alternative server is
-+available.
-+
-+Example:
-+
-+    smtp_starttls_timeout = 300s
-+
-+TTLLSS mmaannaaggeerr ssppeecciiffiicc sseettttiinnggss
-+
-+The security of cryptographic software such as TLS depends critically on the
-+ability to generate unpredictable numbers for keys and other information. To
-+this end, the tlsmgr(8) process maintains a Pseudo Random Number Generator
-+(PRNG) pool. This is a fixed-size 1024-byte exchange file that is read by the
-+smtp(8) and smtpd(8) processes when they initialize. These processes also add
-+some more entropy to the file by stirring in their own time and process id
-+information.
-+
-+The tlsmgr(8) process creates the file if it does not already exist, and
-+rewrites the file at random time intervals with information from its in-memory
-+PRNG pool. The default location is under the Postfix configuration directory,
-+which is not the proper place for information that is modified by Postfix.
-+Instead, the file location should probably be on the /var partition (but _not_
-+inside the chroot jail).
-+
-+Example:
-+
-+    tls_random_exchange_name = /etc/postfix/prng_exch
-+
-+In order to feed its in-memory PRNG pool, the tlsmgr(8) reads entropy from an
-+external source, both at startup and during run-time. Specify a good entropy
-+source, like EGD or /dev/urandom; be sure to only use non-blocking sources. If
-+the entropy source is not a regular file, you must prepend the source type to
-+the source name: "dev:" for a device special file, or "egd:" for a source with
-+EGD compatible socket interface.
-+
-+Examples (specify only one in main.cf):
-+
-+    tls_random_source = dev:/dev/urandom
-+    tls_random_source = egd:/var/run/egd-pool
-+
-+By default, tlsmgr(8) reads 32 bytes from the external entropy source at each
-+seeding event. This amount (256bits) is more than sufficient for generating a
-+128bit symmetric key. With EGD and device entropy sources, the tlsmgr(8) limits
-+the amount of data read at each step to 255 bytes. If you specify a regular
-+file as entropy source, a larger amount of data can be read.
-+
-+Example:
-+
-+    tls_random_bytes = 32
-+
-+In order to update its in-memory PRNG pool, the tlsmgr(8) queries the external
-+entropy source again after a random amount of time. The time is calculated
-+using the PRNG, and is between 0 and the maximal time specified with
-+tls_random_reseed_period. The default maximal time interval is 1 hour.
-+
-+Example:
-+
-+    tls_random_reseed_period = 3600s
-+
-+The tlsmgr(8) re-generates the 1024 byte seed exchange file after a random
-+amount of time. The time is calculated using the PRNG, and is between 0 and the
-+maximal time specified with tls_random_update_period. The default maximal time
-+interval is 60 seconds.
-+
-+Example:
-+
-+    tls_random_prng_update_period = 60s
-+
-+If you have an entropy source available that is not easily drained (like /dev/
-+urandom), the smtp(8) and smtpd(8) daemons can load additional entropy on
-+startup. By default, an amount of 32 bytes is read, the equivalent to 256 bits.
-+This is more than sufficient to generate a 128bit (or 168bit) session key.
-+However, when Postfix needs to generate more than one key it can drain the EGD.
-+Consider the case of 50 smtp(8) processes starting up with a full queue; this
-+will request 1600bytes of entropy. This is however not fatal, as long as
-+"entropy" data can still be read from the seed file that is maintained by
-+tlsmgr(8).
-+
-+Examples:
-+
-+    tls_daemon_random_source = dev:/dev/urandom
-+    tls_daemon_random_source = egd:/var/run/egd-pool
-+    tls_daemon_random_bytes = 32
-+
-+RReeppoorrttiinngg pprroobblleemmss
-+
-+When reporting a problem, please be thorough in the report. Patches, when
-+possible, are greatly appreciated too.
-+
-+Please differentiate when possible between:
-+
-+  * Problems in the IPv6 code: stack.nl>
-+  * Problems in the TLS code: aet.tu-cottbus.de>
-+  * Problems in vanilla Postfix: postfix.org>
-+
-+CCrreeddiittss
-+
-+  * TLS support for Postfix was originally developed by Lutz Jänicke at Cottbus
-+    Technical University.
-+  * This part of the documentation was compiled by Wietse Venema
-+
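Review bot: the tls_random_exchange_name example sets /etc/postfix/prng_exch, which is the configuration directory that the paragraph just above it calls the wrong place for a file Postfix rewrites. The example should show a path on /var outside the chroot jail. The same paragraph says the default location is under the configuration directory, but mail_params.h in this patch sets DEF_TLS_RAND_EXCH_NAME to "${queue_directory}/prng_exch", so the text and the compiled default disagree and one of them needs correcting. Separately, the update-period paragraph names tls_random_update_period while its example and mail_params.h use tls_random_prng_update_period; the prose should use the real parameter name.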
-diff -urNad postfix-release/src/global/inet_interfaces_to_af.c /tmp/dpep.cXJuVH/postfix-release/src/global/inet_interfaces_to_af.c
---- postfix-release/src/global/inet_interfaces_to_af.c	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/global/inet_interfaces_to_af.c	2005-02-03 10:22:13.050098917 -0700
-@@ -0,0 +1,27 @@
-+#include <sys_defs.h>
-+#include <stdlib.h>
-+#include <sys/socket.h>
-+#include <mail_params.h>
-+#include <inet_interfaces_to_af.h>
-+
-+int     inet_interfaces_to_af (char *inet_interfaces)
-+{
-+    int     af = -1;
-+
-+    if (inet_interfaces == NULL || *inet_interfaces == '\0')
-+	return (af);
-+    if (strcasecmp(inet_interfaces, INET_INTERFACES_ALL) == 0 ||
-+	strcasecmp(inet_interfaces, INET_INTERFACES_LOCAL) == 0)
-+	af = AF_UNSPEC;
-+    else if (strcasecmp(inet_interfaces, "IPv6:" DEF_INET_INTERFACES) == 0)
-+#ifdef INET6
-+	af = AF_INET6;
-+#else
-+	msg_fatal("unable to bind to IPv6 only (%s=%s): IPv6 not compiled in",
-+		  VAR_INET_INTERFACES, inet_interfaces);
-+#endif
-+    else if (strcasecmp(inet_interfaces, "IPv4:" DEF_INET_INTERFACES) == 0)
-+	af = AF_INET;
-+
-+    return (af);
-+}
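Review bot: inet_interfaces_to_af() calls strcasecmp() and msg_fatal(), but the include list carries neither a string header nor msg.h, so both are used without a visible prototype unless another header happens to pull them in. Add the includes explicitly, with the STRCASECMP_IN_STRINGS_H guard that own_inet_addr.c uses for strings.h. The function also returns -1 for every value that is not one of the four keywords, which covers the ordinary case of an explicit address list; the header should document that -1 means "not a keyword" so callers do not read it as an error, and the parameter can be const char * since it is never modified.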
-diff -urNad postfix-release/src/global/inet_interfaces_to_af.h /tmp/dpep.cXJuVH/postfix-release/src/global/inet_interfaces_to_af.h
---- postfix-release/src/global/inet_interfaces_to_af.h	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/global/inet_interfaces_to_af.h	2005-02-03 10:22:13.050098917 -0700
-@@ -0,0 +1,6 @@
-+#ifndef _INET_INTERFACES_TO_AF_H_INCLUDED_
-+#define _INET_INTERFACES_TO_AF_H_INCLUDED_
-+
-+extern int inet_interfaces_to_af (char *);
-+
-+#endif
-diff -urNad postfix-release/src/global/mail_params.c /tmp/dpep.cXJuVH/postfix-release/src/global/mail_params.c
---- postfix-release/src/global/mail_params.c	2005-02-03 10:22:12.220284014 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/global/mail_params.c	2005-02-03 10:22:13.050098917 -0700
-@@ -46,6 +46,7 @@
- /*	int	var_message_limit;
- /*	char	*var_mail_release;
- /*	char	*var_mail_version;
-+/*	char	*var_tlsipv6_version;
- /*	int	var_ipc_idle_limit;
- /*	int	var_ipc_ttl_limit;
- /*	char	*var_db_type;
-@@ -163,6 +164,7 @@
- #include "mail_proto.h"
- #include "verp_sender.h"
- #include "mail_params.h"
-+#include "pfixtls.h"
- 
-  /*
-   * Special configuration variables.
-@@ -207,6 +209,9 @@
- int     var_message_limit;
- char   *var_mail_release;
- char   *var_mail_version;
-+#ifdef INET6
-+char   *var_tlsipv6_version;
-+#endif
- int     var_ipc_idle_limit;
- int     var_ipc_ttl_limit;
- char   *var_db_type;
-@@ -233,6 +238,31 @@
- int     var_in_flow_delay;
- char   *var_par_dom_match;
- char   *var_config_dirs;
-+char   *var_tls_rand_exch_name;
-+char   *var_smtpd_tls_cert_file;
-+char   *var_smtpd_tls_key_file;
-+char   *var_smtpd_tls_dcert_file;
-+char   *var_smtpd_tls_dkey_file;
-+char   *var_smtpd_tls_CAfile;
-+char   *var_smtpd_tls_CApath;
-+char   *var_smtpd_tls_cipherlist;
-+char   *var_smtpd_tls_dh512_param_file;
-+char   *var_smtpd_tls_dh1024_param_file;
-+int     var_smtpd_tls_loglevel;
-+char   *var_smtpd_tls_scache_db;
-+int     var_smtpd_tls_scache_timeout;
-+char   *var_smtp_tls_cert_file;
-+char   *var_smtp_tls_key_file;
-+char   *var_smtp_tls_dcert_file;
-+char   *var_smtp_tls_dkey_file;
-+char   *var_smtp_tls_CAfile;
-+char   *var_smtp_tls_CApath;
-+char   *var_smtp_tls_cipherlist;
-+int     var_smtp_tls_loglevel;
-+char   *var_smtp_tls_scache_db;
-+int     var_smtp_tls_scache_timeout;
-+char   *var_tls_daemon_rand_source;
-+int     var_tls_daemon_rand_bytes;
- 
- char   *var_import_environ;
- char   *var_export_environ;
-@@ -488,6 +518,9 @@
- 	VAR_ALIAS_DB_MAP, DEF_ALIAS_DB_MAP, &var_alias_db_map, 0, 0,
- 	VAR_MAIL_RELEASE, DEF_MAIL_RELEASE, &var_mail_release, 1, 0,
- 	VAR_MAIL_VERSION, DEF_MAIL_VERSION, &var_mail_version, 1, 0,
-+#ifdef INET6
-+	VAR_TLSIPV6_VERSION, DEF_TLSIPV6_VERSION, &var_tlsipv6_version, 1, 0,
-+#endif
- 	VAR_DB_TYPE, DEF_DB_TYPE, &var_db_type, 1, 0,
- 	VAR_HASH_QUEUE_NAMES, DEF_HASH_QUEUE_NAMES, &var_hash_queue_names, 1, 0,
- 	VAR_RCPT_DELIM, DEF_RCPT_DELIM, &var_rcpt_delim, 0, 1,
-@@ -512,6 +545,26 @@
- 	VAR_FLUSH_SERVICE, DEF_FLUSH_SERVICE, &var_flush_service, 1, 0,
- 	VAR_VERIFY_SERVICE, DEF_VERIFY_SERVICE, &var_verify_service, 1, 0,
- 	VAR_TRACE_SERVICE, DEF_TRACE_SERVICE, &var_trace_service, 1, 0,
-+	VAR_TLS_RAND_EXCH_NAME, DEF_TLS_RAND_EXCH_NAME, &var_tls_rand_exch_name, 0, 0,
-+	VAR_SMTPD_TLS_CERT_FILE, DEF_SMTPD_TLS_CERT_FILE, &var_smtpd_tls_cert_file, 0, 0,
-+	VAR_SMTPD_TLS_KEY_FILE, DEF_SMTPD_TLS_KEY_FILE, &var_smtpd_tls_key_file, 0, 0,
-+	VAR_SMTPD_TLS_DCERT_FILE, DEF_SMTPD_TLS_DCERT_FILE, &var_smtpd_tls_dcert_file, 0, 0,
-+	VAR_SMTPD_TLS_DKEY_FILE, DEF_SMTPD_TLS_DKEY_FILE, &var_smtpd_tls_dkey_file, 0, 0,
-+	VAR_SMTPD_TLS_CA_FILE, DEF_SMTPD_TLS_CA_FILE, &var_smtpd_tls_CAfile, 0, 0,
-+	VAR_SMTPD_TLS_CA_PATH, DEF_SMTPD_TLS_CA_PATH, &var_smtpd_tls_CApath, 0, 0,
-+	VAR_SMTPD_TLS_CLIST, DEF_SMTPD_TLS_CLIST, &var_smtpd_tls_cipherlist, 0, 0,
-+	VAR_SMTPD_TLS_512_FILE, DEF_SMTPD_TLS_512_FILE, &var_smtpd_tls_dh512_param_file, 0, 0,
-+	VAR_SMTPD_TLS_1024_FILE, DEF_SMTPD_TLS_1024_FILE, &var_smtpd_tls_dh1024_param_file, 0, 0,
-+	VAR_SMTPD_TLS_SCACHE_DB, DEF_SMTPD_TLS_SCACHE_DB, &var_smtpd_tls_scache_db, 0, 0,
-+	VAR_SMTP_TLS_CERT_FILE, DEF_SMTP_TLS_CERT_FILE, &var_smtp_tls_cert_file, 0, 0,
-+	VAR_SMTP_TLS_KEY_FILE, DEF_SMTP_TLS_KEY_FILE, &var_smtp_tls_key_file, 0, 0,
-+	VAR_SMTP_TLS_DCERT_FILE, DEF_SMTP_TLS_DCERT_FILE, &var_smtp_tls_dcert_file, 0, 0,
-+	VAR_SMTP_TLS_DKEY_FILE, DEF_SMTP_TLS_DKEY_FILE, &var_smtp_tls_dkey_file, 0, 0,
-+	VAR_SMTP_TLS_CA_FILE, DEF_SMTP_TLS_CA_FILE, &var_smtp_tls_CAfile, 0, 0,
-+	VAR_SMTP_TLS_CA_PATH, DEF_SMTP_TLS_CA_PATH, &var_smtp_tls_CApath, 0, 0,
-+	VAR_SMTP_TLS_CLIST, DEF_SMTP_TLS_CLIST, &var_smtp_tls_cipherlist, 0, 0,
-+	VAR_SMTP_TLS_SCACHE_DB, DEF_SMTP_TLS_SCACHE_DB, &var_smtp_tls_scache_db, 0, 0,
-+	VAR_TLS_DAEMON_RAND_SOURCE, DEF_TLS_DAEMON_RAND_SOURCE, &var_tls_daemon_rand_source, 0, 0,
- 	0,
-     };
-     static CONFIG_STR_FN_TABLE function_str_defaults_2[] = {
-@@ -534,6 +587,9 @@
- 	VAR_TOKEN_LIMIT, DEF_TOKEN_LIMIT, &var_token_limit, 1, 0,
- 	VAR_MIME_MAXDEPTH, DEF_MIME_MAXDEPTH, &var_mime_maxdepth, 1, 0,
- 	VAR_MIME_BOUND_LEN, DEF_MIME_BOUND_LEN, &var_mime_bound_len, 1, 0,
-+	VAR_SMTPD_TLS_LOGLEVEL, DEF_SMTPD_TLS_LOGLEVEL, &var_smtpd_tls_loglevel, 0, 0,
-+	VAR_SMTP_TLS_LOGLEVEL, DEF_SMTP_TLS_LOGLEVEL, &var_smtp_tls_loglevel, 0, 0,
-+	VAR_TLS_DAEMON_RAND_BYTES, DEF_TLS_DAEMON_RAND_BYTES, &var_tls_daemon_rand_bytes, 0, 0,
- 	0,
-     };
-     static CONFIG_TIME_TABLE time_defaults[] = {
-@@ -546,6 +602,8 @@
- 	VAR_FORK_DELAY, DEF_FORK_DELAY, &var_fork_delay, 1, 0,
- 	VAR_FLOCK_DELAY, DEF_FLOCK_DELAY, &var_flock_delay, 1, 0,
- 	VAR_FLOCK_STALE, DEF_FLOCK_STALE, &var_flock_stale, 1, 0,
-+	VAR_SMTPD_TLS_SCACHTIME, DEF_SMTPD_TLS_SCACHTIME, &var_smtpd_tls_scache_timeout, 0, 0,
-+	VAR_SMTP_TLS_SCACHTIME, DEF_SMTP_TLS_SCACHTIME, &var_smtp_tls_scache_timeout, 0, 0,
- 	VAR_DAEMON_TIMEOUT, DEF_DAEMON_TIMEOUT, &var_daemon_timeout, 1, 0,
- 	VAR_IN_FLOW_DELAY, DEF_IN_FLOW_DELAY, &var_in_flow_delay, 0, 10,
- 	0,
-diff -urNad postfix-release/src/global/mail_params.h /tmp/dpep.cXJuVH/postfix-release/src/global/mail_params.h
---- postfix-release/src/global/mail_params.h	2005-02-03 10:22:12.200288474 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/global/mail_params.h	2005-02-03 10:22:13.052098471 -0700
-@@ -129,7 +129,9 @@
-   * Virtual host support. Default is to listen on all machine interfaces.
-   */
- #define VAR_INET_INTERFACES	"inet_interfaces"	/* listen addresses */
--#define DEF_INET_INTERFACES	"all"
-+#define INET_INTERFACES_ALL	"all"
-+#define INET_INTERFACES_LOCAL	"loopback-only"
-+#define DEF_INET_INTERFACES	INET_INTERFACES_ALL
- extern char *var_inet_interfaces;
- 
- #define VAR_PROXY_INTERFACES	"proxy_interfaces"	/* proxies, NATs */
-@@ -519,6 +521,34 @@
- #define DEF_DUP_FILTER_LIMIT	1000
- extern int var_dup_filter_limit;
- 
-+#define VAR_TLS_RAND_EXCH_NAME	"tls_random_exchange_name"
-+#define DEF_TLS_RAND_EXCH_NAME	"${queue_directory}/prng_exch"
-+extern char *var_tls_rand_exch_name;
-+
-+#define VAR_TLS_RAND_SOURCE	"tls_random_source"
-+#define DEF_TLS_RAND_SOURCE	""
-+extern char *var_tls_rand_source;
-+
-+#define VAR_TLS_RAND_BYTES	"tls_random_bytes"
-+#define DEF_TLS_RAND_BYTES	32
-+extern int var_tls_rand_bytes;
-+
-+#define VAR_TLS_DAEMON_RAND_SOURCE	"tls_daemon_random_source"
-+#define DEF_TLS_DAEMON_RAND_SOURCE	""
-+extern char *var_tls_daemon_rand_source;
-+
-+#define VAR_TLS_DAEMON_RAND_BYTES	"tls_daemon_random_bytes"
-+#define DEF_TLS_DAEMON_RAND_BYTES	32
-+extern int var_tls_daemon_rand_bytes;
-+
-+#define VAR_TLS_RESEED_PERIOD	"tls_random_reseed_period"
-+#define DEF_TLS_RESEED_PERIOD	"3600s"
-+extern int var_tls_reseed_period;
-+
-+#define VAR_TLS_PRNG_UPD_PERIOD	"tls_random_prng_update_period"
-+#define DEF_TLS_PRNG_UPD_PERIOD "60s"
-+extern int var_tls_prng_upd_period;
-+
-  /*
-   * Queue manager: relocated databases.
-   */
-@@ -768,6 +798,10 @@
- #define DEF_SMTP_XFWD_TMOUT	"300s"
- extern int var_smtp_xfwd_tmout;
- 
-+#define VAR_SMTP_STARTTLS_TMOUT	"smtp_starttls_timeout"
-+#define DEF_SMTP_STARTTLS_TMOUT	"300s"
-+extern int var_smtp_starttls_tmout;
-+
- #define VAR_SMTP_MAIL_TMOUT	"smtp_mail_timeout"
- #define DEF_SMTP_MAIL_TMOUT	"300s"
- extern int var_smtp_mail_tmout;
-@@ -828,6 +862,10 @@
- #define DEF_SMTP_BIND_ADDR	""
- extern char *var_smtp_bind_addr;
- 
-+#define VAR_SMTP_BIND_ADDR6	"smtp_bind_address6"
-+#define DEF_SMTP_BIND_ADDR6	""
-+extern char *var_smtp_bind_addr6;
-+
- #define VAR_SMTP_HELO_NAME	"smtp_helo_name"
- #define DEF_SMTP_HELO_NAME	"$myhostname"
- extern char *var_smtp_helo_name;
-@@ -869,6 +907,10 @@
- #define DEF_SMTPD_TMOUT		"300s"
- extern int var_smtpd_tmout;
- 
-+#define VAR_SMTPD_STARTTLS_TMOUT "smtpd_starttls_timeout"
-+#define DEF_SMTPD_STARTTLS_TMOUT "300s"
-+extern int var_smtpd_starttls_tmout;
-+
- #define VAR_SMTPD_RCPT_LIMIT	"smtpd_recipient_limit"
- #define DEF_SMTPD_RCPT_LIMIT	1000
- extern int var_smtpd_rcpt_limit;
-@@ -901,6 +943,150 @@
- #define DEF_SMTPD_NOOP_CMDS	""
- extern char *var_smtpd_noop_cmds;
- 
-+#define VAR_SMTPD_TLS_WRAPPER	"smtpd_tls_wrappermode"
-+#define DEF_SMTPD_TLS_WRAPPER	0
-+extern bool var_smtpd_tls_wrappermode;
-+
-+#define VAR_SMTPD_USE_TLS	"smtpd_use_tls"
-+#define DEF_SMTPD_USE_TLS	0
-+extern bool var_smtpd_use_tls;
-+
-+#define VAR_SMTPD_ENFORCE_TLS	"smtpd_enforce_tls"
-+#define DEF_SMTPD_ENFORCE_TLS	0
-+extern bool var_smtpd_enforce_tls;
-+
-+#define VAR_SMTPD_TLS_AUTH_ONLY	"smtpd_tls_auth_only"
-+#define DEF_SMTPD_TLS_AUTH_ONLY 0
-+extern bool var_smtpd_tls_auth_only;
-+
-+#define VAR_SMTPD_TLS_ACERT	"smtpd_tls_ask_ccert"
-+#define DEF_SMTPD_TLS_ACERT	0
-+extern bool var_smtpd_tls_ask_ccert;
-+
-+#define VAR_SMTPD_TLS_RCERT	"smtpd_tls_req_ccert"
-+#define DEF_SMTPD_TLS_RCERT	0
-+extern bool var_smtpd_tls_req_ccert;
-+
-+#define VAR_SMTPD_TLS_CCERT_VD	"smtpd_tls_ccert_verifydepth"
-+#define DEF_SMTPD_TLS_CCERT_VD	5
-+extern int var_smtpd_tls_ccert_vd;
-+
-+#define VAR_SMTPD_TLS_CERT_FILE	"smtpd_tls_cert_file"
-+#define DEF_SMTPD_TLS_CERT_FILE	""
-+extern char *var_smtpd_tls_cert_file;
-+
-+#define VAR_SMTPD_TLS_KEY_FILE	"smtpd_tls_key_file"
-+#define DEF_SMTPD_TLS_KEY_FILE	"$smtpd_tls_cert_file"
-+extern char *var_smtpd_tls_key_file;
-+
-+#define VAR_SMTPD_TLS_DCERT_FILE "smtpd_tls_dcert_file"
-+#define DEF_SMTPD_TLS_DCERT_FILE ""
-+extern char *var_smtpd_tls_dcert_file;
-+
-+#define VAR_SMTPD_TLS_DKEY_FILE	"smtpd_tls_dkey_file"
-+#define DEF_SMTPD_TLS_DKEY_FILE	"$smtpd_tls_dcert_file"
-+extern char *var_smtpd_tls_dkey_file;
-+
-+#define VAR_SMTPD_TLS_CA_FILE	"smtpd_tls_CAfile"
-+#define DEF_SMTPD_TLS_CA_FILE	""
-+extern char *var_smtpd_tls_CAfile;
-+
-+#define VAR_SMTPD_TLS_CA_PATH	"smtpd_tls_CApath"
-+#define DEF_SMTPD_TLS_CA_PATH	""
-+extern char *var_smtpd_tls_CApath;
-+
-+#define VAR_SMTPD_TLS_CLIST	"smtpd_tls_cipherlist"
-+#define DEF_SMTPD_TLS_CLIST	""
-+extern char *var_smtpd_tls_cipherlist;
-+
-+#define VAR_SMTPD_TLS_512_FILE	"smtpd_tls_dh512_param_file"
-+#define DEF_SMTPD_TLS_512_FILE	""
-+extern char *var_smtpd_tls_dh512_param_file;
-+
-+#define VAR_SMTPD_TLS_1024_FILE	"smtpd_tls_dh1024_param_file"
-+#define DEF_SMTPD_TLS_1024_FILE	""
-+extern char *var_smtpd_tls_dh1024_param_file;
-+
-+#define VAR_SMTPD_TLS_LOGLEVEL	"smtpd_tls_loglevel"
-+#define DEF_SMTPD_TLS_LOGLEVEL	0
-+extern int var_smtpd_tls_loglevel;
-+
-+#define VAR_SMTPD_TLS_RECHEAD	"smtpd_tls_received_header"
-+#define DEF_SMTPD_TLS_RECHEAD	0
-+extern bool var_smtpd_tls_received_header;
-+
-+#define VAR_SMTPD_TLS_SCACHE_DB	"smtpd_tls_session_cache_database"
-+#define DEF_SMTPD_TLS_SCACHE_DB	""
-+extern char *var_smtpd_tls_scache_db;
-+
-+#define VAR_SMTPD_TLS_SCACHTIME	"smtpd_tls_session_cache_timeout"
-+#define DEF_SMTPD_TLS_SCACHTIME	"3600s"
-+extern int var_smtpd_tls_scache_timeout;
-+
-+#define VAR_SMTP_TLS_PER_SITE	"smtp_tls_per_site"
-+#define DEF_SMTP_TLS_PER_SITE	""
-+extern char *var_smtp_tls_per_site;
-+
-+#define VAR_SMTP_USE_TLS	"smtp_use_tls"
-+#define DEF_SMTP_USE_TLS	0
-+extern bool var_smtp_use_tls;
-+
-+#define VAR_SMTP_ENFORCE_TLS	"smtp_enforce_tls"
-+#define DEF_SMTP_ENFORCE_TLS	0
-+extern bool var_smtp_enforce_tls;
-+
-+#define VAR_SMTP_TLS_ENFORCE_PN	"smtp_tls_enforce_peername"
-+#define DEF_SMTP_TLS_ENFORCE_PN	1
-+extern bool var_smtp_tls_enforce_peername;
-+
-+#define VAR_SMTP_TLS_SCERT_VD	"smtp_tls_scert_verifydepth"
-+#define DEF_SMTP_TLS_SCERT_VD	5
-+extern int var_smtp_tls_scert_vd;
-+
-+#define VAR_SMTP_TLS_CERT_FILE	"smtp_tls_cert_file"
-+#define DEF_SMTP_TLS_CERT_FILE	""
-+extern char *var_smtp_tls_cert_file;
-+
-+#define VAR_SMTP_TLS_KEY_FILE	"smtp_tls_key_file"
-+#define DEF_SMTP_TLS_KEY_FILE	"$smtp_tls_cert_file"
-+extern char *var_smtp_tls_key_file;
-+
-+#define VAR_SMTP_TLS_DCERT_FILE "smtp_tls_dcert_file"
-+#define DEF_SMTP_TLS_DCERT_FILE ""
-+extern char *var_smtp_tls_dcert_file;
-+
-+#define VAR_SMTP_TLS_DKEY_FILE	"smtp_tls_dkey_file"
-+#define DEF_SMTP_TLS_DKEY_FILE	"$smtp_tls_dcert_file"
-+extern char *var_smtp_tls_dkey_file;
-+
-+#define VAR_SMTP_TLS_CA_FILE	"smtp_tls_CAfile"
-+#define DEF_SMTP_TLS_CA_FILE	""
-+extern char *var_smtp_tls_CAfile;
-+
-+#define VAR_SMTP_TLS_CA_PATH	"smtp_tls_CApath"
-+#define DEF_SMTP_TLS_CA_PATH	""
-+extern char *var_smtp_tls_CApath;
-+
-+#define VAR_SMTP_TLS_CLIST	"smtp_tls_cipherlist"
-+#define DEF_SMTP_TLS_CLIST	""
-+extern char *var_smtp_tls_cipherlist;
-+
-+#define VAR_SMTP_TLS_LOGLEVEL	"smtp_tls_loglevel"
-+#define DEF_SMTP_TLS_LOGLEVEL	0
-+extern int var_smtp_tls_loglevel;
-+
-+#define VAR_SMTP_TLS_NOTEOFFER	"smtp_tls_note_starttls_offer"
-+#define DEF_SMTP_TLS_NOTEOFFER	0
-+extern bool var_smtp_tls_note_starttls_offer;
-+
-+#define VAR_SMTP_TLS_SCACHE_DB	"smtp_tls_session_cache_database"
-+#define DEF_SMTP_TLS_SCACHE_DB	""
-+extern char *var_smtp_tls_scache_db;
-+
-+#define VAR_SMTP_TLS_SCACHTIME	"smtp_tls_session_cache_timeout"
-+#define DEF_SMTP_TLS_SCACHTIME	"3600s"
-+extern int var_smtp_tls_scache_timeout;
-+
-  /*
-   * SASL authentication support, SMTP server side.
-   */
-@@ -916,6 +1102,10 @@
- #define DEF_SMTPD_SASL_APPNAME	"smtpd"
- extern char *var_smtpd_sasl_appname;
- 
-+#define VAR_SMTPD_SASL_TLS_OPTS	"smtpd_sasl_tls_security_options"
-+#define DEF_SMTPD_SASL_TLS_OPTS	"$smtpd_sasl_security_options"
-+extern char *var_smtpd_sasl_opts;
-+
- #define VAR_SMTPD_SASL_REALM	"smtpd_sasl_local_domain"
- #define DEF_SMTPD_SASL_REALM	""
- extern char *var_smtpd_sasl_realm;
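Review bot: the extern under VAR_SMTPD_SASL_TLS_OPTS declares var_smtpd_sasl_opts, a name with no "tls" in it, which by this file's naming pattern belongs to smtpd_sasl_security_options and not to the new parameter. This looks like a copy-and-paste slip: as written, smtpd_sasl_tls_security_options gets no declared variable of its own here. It should read extern char *var_smtpd_sasl_tls_opts; to mirror the client-side var_smtp_sasl_tls_opts declared further down.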
-@@ -945,6 +1135,14 @@
- #define DEF_SMTP_SASL_OPTS	"noplaintext, noanonymous"
- extern char *var_smtp_sasl_opts;
- 
-+#define VAR_SMTP_SASL_TLS_OPTS	"smtp_sasl_tls_security_options"
-+#define DEF_SMTP_SASL_TLS_OPTS	"$var_smtp_sasl_opts"
-+extern char *var_smtp_sasl_tls_opts;
-+
-+#define VAR_SMTP_SASL_TLSV_OPTS	"smtp_sasl_tls_verified_security_options"
-+#define DEF_SMTP_SASL_TLSV_OPTS	"$var_smtp_sasl_tls_opts"
-+extern char *var_smtp_sasl_tls_verified_opts;
-+
-  /*
-   * LMTP server. The soft error limit determines how many errors an LMTP
-   * client may make before we start to slow down; the hard error limit
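Review bot: both new defaults reference C variable names instead of main.cf parameter names: DEF_SMTP_SASL_TLS_OPTS is "$var_smtp_sasl_opts" and DEF_SMTP_SASL_TLSV_OPTS is "$var_smtp_sasl_tls_opts". A $name in a default is expanded as a configuration parameter, as the server-side default "$smtpd_sasl_security_options" in this same header shows, so these two would not resolve to the intended values and the TLS-specific SASL option sets would not inherit the "noplaintext, noanonymous" default visible in the context lines. The first should name the parameter behind var_smtp_sasl_opts (smtp_sasl_security_options) and the second should be "$smtp_sasl_tls_security_options".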
-@@ -1075,6 +1273,14 @@
- #define DEF_LMTP_QUIT_TMOUT	"300s"
- extern int var_lmtp_quit_tmout;
- 
-+#define VAR_LMTP_BIND_ADDR	"lmtp_bind_address"
-+#define DEF_LMTP_BIND_ADDR	""
-+extern char *var_lmtp_bind_addr;
-+
-+#define VAR_LMTP_BIND_ADDR6	"lmtp_bind_address6"
-+#define DEF_LMTP_BIND_ADDR6	""
-+extern char *var_lmtp_bind_addr6;
-+
- #define VAR_LMTP_SEND_XFORWARD	"lmtp_send_xforward_command"
- #define DEF_LMTP_SEND_XFORWARD	0
- extern bool var_lmtp_send_xforward;
-@@ -1234,6 +1440,10 @@
- #define DEF_RELAY_RCPT_CODE	550
- extern int var_relay_rcpt_code;
- 
-+#define VAR_RELAY_CCERTS	"relay_clientcerts"
-+#define DEF_RELAY_CCERTS	""
-+extern char *var_relay_ccerts;
-+
- #define VAR_CLIENT_CHECKS	"smtpd_client_restrictions"
- #define DEF_CLIENT_CHECKS	""
- extern char *var_client_checks;
-@@ -1352,6 +1562,8 @@
- #define PERMIT_AUTH_DEST	"permit_auth_destination"
- #define REJECT_UNAUTH_DEST	"reject_unauth_destination"
- #define CHECK_RELAY_DOMAINS	"check_relay_domains"
-+#define PERMIT_TLS_CLIENTCERTS	"permit_tls_clientcerts"
-+#define PERMIT_TLS_ALL_CLIENTCERTS	"permit_tls_all_clientcerts"
- #define VAR_RELAY_CODE		"relay_domains_reject_code"
- #define DEF_RELAY_CODE		554
- extern int var_relay_code;
-diff -urNad postfix-release/src/global/mail_proto.h /tmp/dpep.cXJuVH/postfix-release/src/global/mail_proto.h
---- postfix-release/src/global/mail_proto.h	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/global/mail_proto.h	2005-02-03 10:22:13.052098471 -0700
-@@ -42,6 +42,7 @@
- #define MAIL_SERVICE_LOCAL	"local"
- #define MAIL_SERVICE_PICKUP	"pickup"
- #define MAIL_SERVICE_QUEUE	"qmgr"
-+#define MAIL_SERVICE_TLSMGR	"tlsmgr"
- #define MAIL_SERVICE_RESOLVE	"resolve"
- #define MAIL_SERVICE_REWRITE	"rewrite"
- #define MAIL_SERVICE_VIRTUAL	"virtual"
-diff -urNad postfix-release/src/global/mail_version.h /tmp/dpep.cXJuVH/postfix-release/src/global/mail_version.h
---- postfix-release/src/global/mail_version.h	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/global/mail_version.h	2005-02-03 10:22:13.052098471 -0700
-@@ -31,6 +31,14 @@
- #endif
- extern char *var_mail_version;
- 
-+#define VAR_TLSIPV6_VERSION	"tls_ipv6_version"
-+#ifdef INET6
-+#define DEF_TLSIPV6_VERSION	"1.24"
-+#else
-+#define DEF_TLSIPV6_VERSION	""
-+#endif
-+extern char *var_tlsipv6_version;
-+
-  /*
-   * Release date.
-   */
-diff -urNad postfix-release/src/global/Makefile.in /tmp/dpep.cXJuVH/postfix-release/src/global/Makefile.in
---- postfix-release/src/global/Makefile.in	2005-02-03 10:22:12.218284460 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/global/Makefile.in	2005-02-03 10:22:13.053098248 -0700
-@@ -23,7 +23,8 @@
- 	sent.c smtp_stream.c split_addr.c string_list.c strip_addr.c \
- 	sys_exits.c timed_ipc.c tok822_find.c tok822_node.c tok822_parse.c \
- 	tok822_resolve.c tok822_rewrite.c tok822_tree.c trace.c verify.c \
--	verify_clnt.c verp_sender.c virtual8_maps.c xtext.c
-+	verify_clnt.c verp_sender.c virtual8_maps.c xtext.c pfixtls.c \
-+	wildcard_inet_addr.c inet_interfaces_to_af.c
- OBJS	= abounce.o been_here.o bounce.o bounce_log.o \
- 	canon_addr.o cfg_parser.o cleanup_strerror.o cleanup_strflags.o \
- 	clnt_stream.o debug_peer.o debug_process.o defer.o \
-@@ -47,7 +48,8 @@
- 	sent.o smtp_stream.o split_addr.o string_list.o strip_addr.o \
- 	sys_exits.o timed_ipc.o tok822_find.o tok822_node.o tok822_parse.o \
- 	tok822_resolve.o tok822_rewrite.o tok822_tree.o trace.o verify.o \
--	verify_clnt.o verp_sender.o virtual8_maps.o xtext.o
-+	verify_clnt.o verp_sender.o virtual8_maps.o xtext.o \
-+	wildcard_inet_addr.o inet_interfaces_to_af.o
- HDRS	= abounce.h been_here.h bounce.h bounce_log.h \
- 	canon_addr.h cfg_parser.h cleanup_user.h clnt_stream.h config.h \
- 	debug_peer.h debug_process.h defer.h deliver_completed.h \
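Review bot: the object list gains wildcard_inet_addr.o and inet_interfaces_to_af.o but not pfixtls.o, although the preceding hunk adds pfixtls.c to the source list, the next one adds pfixtls.h to HDRS, and a later hunk makes mail_params.o depend on pfixtls.h. Unless pfixtls.o is deliberately built elsewhere, add it here so the three lists agree; otherwise say in a comment where that object comes from.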
-@@ -69,7 +71,7 @@
- 	resolve_local.h rewrite_clnt.h sent.h smtp_stream.h split_addr.h \
- 	string_list.h strip_addr.h sys_exits.h timed_ipc.h tok822.h \
- 	trace.h verify.h verify_clnt.h verp_sender.h virtual8_maps.h \
--	xtext.h
-+	xtext.h pfixtls.h wildcard_inet_addr.h inet_interfaces_to_af.h
- TESTSRC	= rec2stream.c stream2rec.c recdump.c
- DEFS	= -I. -I$(INC_DIR) -D$(SYSTYPE)
- CFLAGS	= $(DEBUG) $(OPT) $(DEFS)
-@@ -898,6 +900,7 @@
- mail_params.o: ../../include/attr.h
- mail_params.o: verp_sender.h
- mail_params.o: mail_params.h
-+mail_params.o: pfixtls.h
- mail_pathname.o: mail_pathname.c
- mail_pathname.o: ../../include/sys_defs.h
- mail_pathname.o: ../../include/stringops.h
-diff -urNad postfix-release/src/global/mynetworks.c /tmp/dpep.cXJuVH/postfix-release/src/global/mynetworks.c
---- postfix-release/src/global/mynetworks.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/global/mynetworks.c	2005-02-03 10:22:13.054098025 -0700
-@@ -28,6 +28,13 @@
- /*	IBM T.J. Watson Research
- /*	P.O. Box 704
- /*	Yorktown Heights, NY 10598, USA
-+/*
-+/*	Dean C. Strik
-+/*	Department ICT Services
-+/*	Eindhoven University of Technology
-+/*	P.O. Box 513
-+/*	5600 MB  Eindhoven, Netherlands
-+/*	E-mail: <dean at ipnet6.org>
- /*--*/
- 
- /* System library. */
-@@ -42,7 +49,8 @@
- #define IN_CLASSD_NSHIFT 	28
- #endif
- 
--#define BITS_PER_ADDR		32
-+#define BITS_PER_ADDR_V4	32
-+#define BITS_PER_ADDR_V6	128
- 
- /* Utility library. */
- 
-@@ -50,6 +58,12 @@
- #include <vstring.h>
- #include <inet_addr_list.h>
- #include <name_mask.h>
-+#ifdef INET6
-+#include <string.h>
-+#include <sys/socket.h>
-+#include <netinet/in.h>
-+#include <netdb.h>
-+#endif
- 
- /* Global library. */
- 
-@@ -75,18 +89,25 @@
- const char *mynetworks(void)
- {
-     static VSTRING *result;
-+    int bits_per_addr;
-+#ifdef INET6
-+    char hbuf[NI_MAXHOST];
-+#endif
- 
-     if (result == 0) {
- 	char   *myname = "mynetworks";
- 	INET_ADDR_LIST *my_addr_list;
- 	INET_ADDR_LIST *my_mask_list;
--	unsigned long addr;
--	unsigned long mask;
-+	unsigned long addr = 0;
-+	unsigned long mask = 0;
- 	struct in_addr net;
--	int     shift;
-+	int     shift = 0;
- 	int     junk;
- 	int     i;
- 	int     mask_style;
-+#ifdef INET6
-+	struct sockaddr *sa;
-+#endif
- 
- 	mask_style = name_mask("mynetworks mask style", mask_styles,
- 			       var_mynetworks_style);
-@@ -107,8 +128,23 @@
- 	my_mask_list = own_inet_mask_list();
- 
- 	for (i = 0; i < my_addr_list->used; i++) {
-+#ifdef INET6
-+	    sa = (struct sockaddr *)&my_addr_list->addrs[i];
-+	    if (sa->sa_family != AF_INET && sa->sa_family != AF_INET6) {
-+		msg_warn("%s: unknown family in address list", myname);
-+		 continue;
-+	    }
-+	    if (sa->sa_family == AF_INET) {
-+		bits_per_addr = BITS_PER_ADDR_V4;
-+		addr = ntohl(((struct sockaddr_in *)sa)->sin_addr.s_addr);
-+		mask = ntohl(((struct sockaddr_in *)
-+			      &my_mask_list->addrs[i])->sin_addr.s_addr);
-+	    } else
-+		bits_per_addr = BITS_PER_ADDR_V6;
-+#else
- 	    addr = ntohl(my_addr_list->addrs[i].s_addr);
- 	    mask = ntohl(my_mask_list->addrs[i].s_addr);
-+#endif
- 
- 	    switch (mask_style) {
- 
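Review bot: bits_per_addr is assigned only inside the #ifdef INET6 branch; the #else branch sets addr and mask and nothing else. The variable is declared unconditionally and later read outside any #ifdef (shift = bits_per_addr; and bits_per_addr - shift in the output), so a build without INET6 formats the prefix length from an uninitialized int. For the class mask style that yields an arbitrary /N in the generated mynetworks value, which is the list that decides who may relay. Initialize it to BITS_PER_ADDR_V4 at the declaration or assign it in the #else branch as well.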
-@@ -117,6 +153,9 @@
- 		 * ISP who gave you a small portion of their network.
- 		 */
- 	    case MASK_STYLE_CLASS:
-+#ifdef INET6
-+		if (sa->sa_family == AF_INET) {
-+#endif
- 		if (IN_CLASSA(addr)) {
- 		    mask = IN_CLASSA_NET;
- 		    shift = IN_CLASSA_NSHIFT;
-@@ -130,24 +169,73 @@
- 		    mask = IN_CLASSD_NET;
- 		    shift = IN_CLASSD_NSHIFT;
- 		} else {
-+#ifdef INET6
-+		    if (getnameinfo(sa, SA_LEN(sa), hbuf, sizeof(hbuf),
-+				    NULL, 0, NI_NUMERICHOST))
-+			strncpy(hbuf, "???", sizeof(hbuf));
-+		    msg_fatal("%s: bad address class: %s", myname, hbuf);
-+#else
- 		    msg_fatal("%s: bad address class: %s",
- 			      myname, inet_ntoa(my_addr_list->addrs[i]));
-+#endif
- 		}
- 		break;
-+#ifdef INET6
-+		} /* if AF_INET */
-+		/*
-+		 * There are no classes for IPv6, we default to subnets instead.
-+		 */
-+		/* FALLTHROUGH */
-+#endif
- 
- 		/*
- 		 * Subnet mask. This is safe, but breaks backwards
- 		 * compatibility when used as default setting.
- 		 */
- 	    case MASK_STYLE_SUBNET:
--		for (junk = mask, shift = BITS_PER_ADDR; junk != 0; shift--, (junk <<= 1))
--		     /* void */ ;
-+#ifdef INET6
-+		if (sa->sa_family == AF_INET6) {
-+		    unsigned char *ac, *end;
-+		    ac = (unsigned char *)&(((struct sockaddr_in6 *)&my_mask_list->addrs[i])->sin6_addr);
-+		    end = ac + bits_per_addr / 8;
-+		    shift = bits_per_addr;
-+		    while (ac < end) {
-+			switch (*(ac++)) {
-+			    case 0xff: shift -= 8; break;
-+			    case 0xfe: shift -= 7; break;
-+			    case 0xfc: shift -= 6; break;
-+			    case 0xf8: shift -= 5; break;
-+			    case 0xf0: shift -= 4; break;
-+			    case 0xe0: shift -= 3; break;
-+			    case 0xc0: shift -= 2; break;
-+			    case 0x80: shift -= 1; break;
-+			    case 0x00: break;
-+			    default: msg_fatal("%s: inconsistent prefixlen",
-+				myname);
-+			}
-+		    }
-+		    break;
-+		}
-+#endif
-+		/* AF_INET */
-+		junk = mask;
-+		shift = bits_per_addr;
-+		while (junk != 0) {
-+		    shift--;
-+		    junk <<= 1;
-+		}
- 		break;
- 
- 		/*
- 		 * Host only. Do not relay authorize other hosts.
- 		 */
- 	    case MASK_STYLE_HOST:
-+#ifdef INET6
-+		if (sa->sa_family == AF_INET6) {
-+		    shift = 0;
-+		    break;
-+		}
-+#endif
- 		mask = ~0;
- 		shift = 0;
- 		break;
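Review bot: the IPv6 prefix-length loop in the MASK_STYLE_SUBNET case validates each mask byte on its own but never checks that the bytes are contiguous across the whole mask. A mask such as ff 00 ff ... is accepted and counted as 16 bits, because msg_fatal("inconsistent prefixlen") only fires for a byte that is not one of the nine listed values. Track whether a byte other than 0xff has been seen and reject any non-zero byte after it, so a malformed interface mask cannot produce a shorter (wider) prefix than intended.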
-@@ -156,9 +244,20 @@
- 		msg_panic("unknown mynetworks mask style: %s",
- 			  var_mynetworks_style);
- 	    }
-+#ifdef INET6
-+	    if (sa->sa_family == AF_INET6) {
-+		if (getnameinfo(sa, SA_LEN(sa), hbuf, sizeof(hbuf), NULL, 0,
-+				NI_NUMERICHOST))
-+		    msg_fatal("%s: bad address to getnameinfo()", myname);
-+		vstring_sprintf_append(result, "[%s]/%d ",
-+				       hbuf, bits_per_addr - shift);
-+		continue;
-+	    }
-+#endif
-+	    /* AF_INET */
- 	    net.s_addr = htonl(addr & mask);
- 	    vstring_sprintf_append(result, "%s/%d ",
--				   inet_ntoa(net), BITS_PER_ADDR - shift);
-+				   inet_ntoa(net), bits_per_addr - shift);
- 	}
- 	if (msg_verbose)
- 	    msg_info("%s: %s", myname, vstring_str(result));
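Review bot: in the AF_INET6 branch the address passed to getnameinfo() is the interface address itself, so the entry appended as "[%s]/%d" still has its host bits set, whereas the IPv4 path prints addr & mask. Apply the mask to the sin6_addr bytes before formatting so both families emit a network address, and note in a comment what happens for link-local addresses, since the numeric form returned for those can carry a scope suffix that the consumer of this list has to parse.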
-diff -urNad postfix-release/src/global/own_inet_addr.c /tmp/dpep.cXJuVH/postfix-release/src/global/own_inet_addr.c
---- postfix-release/src/global/own_inet_addr.c	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/global/own_inet_addr.c	2005-02-03 10:23:37.570246060 -0700
-@@ -50,6 +50,8 @@
- #include <netinet/in.h>
- #include <arpa/inet.h>
- #include <string.h>
-+#include <sys/socket.h>
-+#include <netdb.h>
- 
- #ifdef STRCASECMP_IN_STRINGS_H
- #include <strings.h>
-@@ -63,11 +65,13 @@
- #include <inet_addr_local.h>
- #include <inet_addr_host.h>
- #include <stringops.h>
-+#include <sock_addr.h>
- 
- /* Global library. */
- 
- #include <mail_params.h>
- #include <own_inet_addr.h>
-+#include <inet_interfaces_to_af.h>
- 
- /* Application-specific. */
- 
-@@ -88,6 +92,10 @@
-     char   *bufp;
-     int     nvirtual;
-     int     nlocal;
-+    int     done = 0;
-+    int     af;
-+    struct sockaddr_storage *sa;
-+    struct sockaddr_storage *ma;
- 
-     inet_addr_list_init(addr_list);
-     inet_addr_list_init(mask_list);
-@@ -96,27 +104,52 @@
-      * If we are listening on all interfaces (default), ask the system what
-      * the interfaces are.
-      */
--    if (strcasecmp(var_inet_interfaces, DEF_INET_INTERFACES) == 0) {
--	if (inet_addr_local(addr_list, mask_list) == 0)
--	    msg_fatal("could not find any active network interfaces");
--#if 0
--	if (addr_list->used == 1)
--	    msg_warn("found only one active network interface: %s",
--		     inet_ntoa(addr_list->addrs[0]));
--#endif
-+    af = inet_interfaces_to_af(var_inet_interfaces);
-+    if (strcmp(var_inet_interfaces, INET_INTERFACES_ALL) == 0) {
-+	if (af > -1) {
-+	    if (inet_addr_local(addr_list, mask_list, af) == 0)
-+		msg_fatal("could not find any active network interfaces");
-+	}
-     }
- 
-     /*
-+     * Select all loopback interfaces from the system's available interface
-+     * list.
-+     */
-+    else if (strcmp(var_inet_interfaces, INET_INTERFACES_LOCAL) == 0) {
-+        int found=0;
-+        inet_addr_list_init(&local_addrs);
-+        inet_addr_list_init(&local_masks);
-+        if (inet_addr_local(&local_addrs, &local_masks, af) == 0)
-+            msg_fatal("could not find any active network interfaces");
-+        for (sa = local_addrs.addrs, ma = local_masks.addrs;
-+             sa < local_addrs.addrs + local_addrs.used; sa++, ma++) {
-+            if (sock_addr_in_loopback(SOCK_ADDR_PTR(sa))) {
-+                inet_addr_list_append(addr_list, SOCK_ADDR_PTR(sa));
-+                inet_addr_list_append(mask_list, SOCK_ADDR_PTR(ma));
-+		found=1;
-+		if (msg_verbose)
-+		    msg_info("found one");	/* XXX */
-+            }
-+        }
-+        inet_addr_list_free(&local_addrs);
-+        inet_addr_list_free(&local_masks);
-+	if (!found)
-+	    msg_fatal("could not find any loopback addresses");
-+    }
-+    
-+    /*
-      * If we are supposed to be listening only on specific interface
-      * addresses (virtual hosting), look up the addresses of those
-      * interfaces.
-      */
-     else {
- 	bufp = hosts = mystrdup(var_inet_interfaces);
--	while ((host = mystrtok(&bufp, sep)) != 0)
-+	while ((host = mystrtok(&bufp, sep)) != 0) {
- 	    if (inet_addr_host(addr_list, host) == 0)
- 		msg_fatal("config variable %s: host not found: %s",
- 			  VAR_INET_INTERFACES, host);
-+	}
- 	myfree(hosts);
- 
- 	/*
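Review bot: the result of `inet_interfaces_to_af()` is handled inconsistently across the two new branches. In the `INET_INTERFACES_ALL` branch a negative `af` skips `inet_addr_local()` with no diagnostic, so `addr_list` is left empty and the process carries on, while the `INET_INTERFACES_LOCAL` branch passes the same `af` to `inet_addr_local()` without checking it at all. Validate `af` once, immediately after the assignment, and call `msg_fatal()` on a negative value so both branches see a known-good family. Two smaller points in the same hunk: the old test was `strcasecmp()` and the new ones are `strcmp()`, so a mixed-case `inet_interfaces` value now falls through to the host-lookup branch, which deserves a line of documentation if intended; and `msg_info("found one"); /* XXX */` looks like leftover debugging that should either log the address it found or be removed.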
-@@ -129,19 +162,44 @@
- 
- 	inet_addr_list_init(&local_addrs);
- 	inet_addr_list_init(&local_masks);
--	if (inet_addr_local(&local_addrs, &local_masks) == 0)
-+	if (inet_addr_local(&local_addrs, &local_masks, AF_UNSPEC) == 0)
- 	    msg_fatal("could not find any active network interfaces");
- 	for (nvirtual = 0; nvirtual < addr_list->used; nvirtual++) {
- 	    for (nlocal = 0; /* see below */ ; nlocal++) {
--		if (nlocal >= local_addrs.used)
-+		if (nlocal >= local_addrs.used) {
-+#ifdef INET6
-+		    char hbuf[NI_MAXHOST];
-+		    if (getnameinfo((struct sockaddr *)&addr_list->addrs[nvirtual],
-+		        SS_LEN(addr_list->addrs[nvirtual]), hbuf,
-+		        sizeof(hbuf), NULL, 0, NI_NUMERICHOST) != 0)
-+			strncpy(hbuf, "???", sizeof(hbuf));
-+		    msg_fatal("parameter %s: no local interface found for %s",
-+			      VAR_INET_INTERFACES, hbuf);
-+#else
- 		    msg_fatal("parameter %s: no local interface found for %s",
- 			      VAR_INET_INTERFACES,
- 			      inet_ntoa(addr_list->addrs[nvirtual]));
-+#endif
-+		}
-+#ifdef INET6
-+		if (addr_list->addrs[nvirtual].ss_family == 
-+		    local_addrs.addrs[nlocal].ss_family &&
-+		    SS_LEN(addr_list->addrs[nvirtual]) == 
-+		    SS_LEN(local_addrs.addrs[nlocal]) &&
-+		    memcmp(&addr_list->addrs[nvirtual],
-+			   &local_addrs.addrs[nlocal],
-+			   SS_LEN(local_addrs.addrs[nlocal])) == 0) {
-+		    inet_addr_list_append(mask_list, (struct sockaddr *)
-+			&local_masks.addrs[nlocal]);
-+		    break;
-+		}
-+#else
- 		if (addr_list->addrs[nvirtual].s_addr
- 		    == local_addrs.addrs[nlocal].s_addr) {
- 		    inet_addr_list_append(mask_list, &local_masks.addrs[nlocal]);
- 		    break;
- 		}
-+#endif
- 	    }
- 	}
- 	inet_addr_list_free(&local_addrs);
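Review bot: the INET6 match in the inner loop compares whole socket address structures with `memcmp(..., SS_LEN(...))`, which also covers the port, `sin6_flowinfo`, `sin6_scope_id` and any padding bytes, not just the address. An entry filled in by `inet_addr_host()` and one filled in by `inet_addr_local()` can describe the same address and still differ in those fields, in which case the loop runs off the end and hits `msg_fatal("parameter %s: no local interface found for %s", ...)`. The new `own_inet_addr()` further down already compares per family (`sin_addr.s_addr` for AF_INET, `SA6_ARE_ADDR_EQUAL` for AF_INET6); using the same comparison here would keep the two code paths in agreement.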
-@@ -151,6 +209,49 @@
- 
- /* own_inet_addr - is this my own internet address */
- 
-+#ifdef INET6
-+
-+#ifdef INET6_KAME
-+#define SA6_ARE_ADDR_EQUAL(a, b) ( \
-+	((a)->sin6_scope_id == 0 || (b)->sin6_scope_id == 0 || \
-+	(a)->sin6_scope_id == (b)->sin6_scope_id) && \
-+	(memcmp(&(a)->sin6_addr, &(b)->sin6_addr, \
-+	sizeof(struct in6_addr)) == 0))
-+#else
-+#define SA6_ARE_ADDR_EQUAL(a, b) \
-+	(memcmp(&(a)->sin6_addr, &(b)->sin6_addr, \
-+	sizeof(struct in6_addr)) == 0)
-+#endif
-+
-+int     own_inet_addr(struct sockaddr *addr)
-+{
-+    int     i;
-+
-+    if (addr_list.used == 0)
-+	own_inet_addr_init(&addr_list, &mask_list);
-+
-+    for (i = 0; i < addr_list.used; i++) {
-+	if (((struct sockaddr *)&addr_list.addrs[i])->sa_family !=
-+		addr->sa_family)
-+	    continue;
-+	switch (addr->sa_family) {
-+	case AF_INET:
-+	    if (((struct sockaddr_in *)addr)->sin_addr.s_addr ==
-+		((struct sockaddr_in *)&addr_list.addrs[i])->sin_addr.s_addr)
-+		return (1);
-+	    break;
-+	case AF_INET6:
-+	    if (SA6_ARE_ADDR_EQUAL((struct sockaddr_in6 *)addr,
-+		    (struct sockaddr_in6 *)&addr_list.addrs[i]))
-+		return (1);
-+	    break;
-+	default:
-+	    continue;
-+	}
-+    }
-+    return (0);
-+}
-+#else
- int     own_inet_addr(struct in_addr * addr)
- {
-     int     i;
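Review bot: the INET6 `own_inet_addr()` skips every list entry whose `sa_family` differs from the argument's, so an IPv4-mapped IPv6 address (an AF_INET6 sockaddr carrying an IPv4 address) is never compared against the AF_INET entries and will be reported as not being one of our own addresses. If callers can hand in addresses taken from an AF_INET6 socket, either normalise mapped addresses to AF_INET before the loop or document that callers must do so. Under `INET6_KAME`, `SA6_ARE_ADDR_EQUAL` also treats a zero `sin6_scope_id` on either side as a wildcard; a short comment saying this is intentional would help. Since `addr` is only read, the parameter could be `const struct sockaddr *`.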
-@@ -163,6 +264,7 @@
- 	    return (1);
-     return (0);
- }
-+#endif
- 
- /* own_inet_addr_list - return list of addresses */
- 
-@@ -224,8 +326,15 @@
- 	proxy_inet_addr_init(&proxy_list);
- 
-     for (i = 0; i < proxy_list.used; i++)
-+#ifdef INET6
-+	if (proxy_list.addrs[i].ss_family == AF_INET && addr->s_addr ==
-+		((struct sockaddr_in *)&(proxy_list.addrs[i]))->
-+		sin_addr.s_addr)
-+	    return (1);
-+#else
- 	if (addr->s_addr == proxy_list.addrs[i].s_addr)
- 	    return (1);
-+#endif
-     return (0);
- }
- 
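Review bot: in the INET6 branch of this loop only entries with `ss_family == AF_INET` are ever compared, and the function still takes a `struct in_addr *`, so any IPv6 address that ends up in `proxy_list` can never match. That is out of step with `own_inet_addr()`, which this same patch widens to `struct sockaddr *`. Either give the proxy check the same sockaddr-based signature and per-family comparison, or state in a comment that proxy addresses are IPv4-only and reject non-AF_INET entries when the list is built. The `if` under `#ifdef` as the unbraced body of the `for` is also easy to misread; braces around the loop body would help.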
-diff -urNad postfix-release/src/global/own_inet_addr.h /tmp/dpep.cXJuVH/postfix-release/src/global/own_inet_addr.h
---- postfix-release/src/global/own_inet_addr.h	2004-12-27 22:31:16.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/global/own_inet_addr.h	2005-02-03 10:22:13.054098025 -0700
-@@ -15,11 +15,18 @@
-   * System library.
-   */
- #include <netinet/in.h>
-+#ifdef INET6
-+#include <sys/socket.h>
-+#endif
- 
-  /*
-   * External interface.
-   */
-+#ifdef INET6
-+extern int own_inet_addr(struct sockaddr *);
-+#else
- extern int own_inet_addr(struct in_addr *);
-+#endif
- extern struct INET_ADDR_LIST *own_inet_addr_list(void);
- extern struct INET_ADDR_LIST *own_inet_mask_list(void);
- extern int proxy_inet_addr(struct in_addr *);
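Review bot: the prototype of `own_inet_addr()` now changes type depending on `INET6` (`struct sockaddr *` versus `struct in_addr *`) while keeping the same name. Every caller therefore needs its own `#ifdef INET6`, and an object file built without the same define would pass the wrong pointer type with nothing at link time to catch it. A separately named sockaddr-based entry point, with the `in_addr` version kept as a wrapper, would be safer. `proxy_inet_addr(struct in_addr *)` is left IPv4-only in this header, which should be noted next to the declaration.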
-diff -urNad postfix-release/src/global/pfixtls.c /tmp/dpep.cXJuVH/postfix-release/src/global/pfixtls.c
---- postfix-release/src/global/pfixtls.c	1969-12-31 17:00:00.000000000 -0700
-+++ /tmp/dpep.cXJuVH/postfix-release/src/global/pfixtls.c	2005-02-03 10:22:13.059096910 -0700
-@@ -0,0 +1,2824 @@
-+#ifdef USE_TLS
-+/*++
-+/* NAME
-+/*	pfixtls
-+/* SUMMARY
-+/*	interface to openssl routines
-+/* SYNOPSIS
-+/*	#include <pfixtls.h>
-+/*
-+/*	const long scache_db_version;
-+/*	const long openssl_version;
-+/*
-+/*	int pfixtls_serverengine;
-+/*
-+/*	int pfixtls_clientengine;
-+/*
-+/*	int pfixtls_timed_read(fd, buf, len, timeout, unused_context)
-+/*	int fd;
-+/*	void *buf;
-+/*	unsigned len;
-+/*	int timeout;
-+/*	void *context;
-+/*
-+/*	int pfixtls_timed_write(fd, buf, len, timeout, unused_context);
-+/*	int fd;
-+/*	void *buf;
-+/*	unsigned len;
-+/*	int timeout;
-+/*	void *context;
-+/*
-+/*	int pfixtls_init_serverengine(verifydepth, askcert);
-+/*	int verifydepth;
-+/*	int askcert;
-+/*
-+/*	int pfixtls_start_servertls(stream, timeout, peername, peeraddr,
-+/*				    tls_info, requirecert);
-+/*	VSTREAM *stream;
-+/*	int timeout;
-+/*	const char *peername;
-+/*	const char *peeraddr;
-+/*	tls_info_t *tls_info;
-+/*	int requirecert;
-+/*
-+/*	int pfixtls_stop_servertls(stream, failure, tls_info);
-+/*	VSTREAM *stream;
-+/*	int failure;
-+/*	tls_info_t *tls_info;
-+/*	
-+/*	int pfixtls_init_clientengine(verifydepth);
-+/*	int verifydepth;
-+/*
-+/*	int pfixtls_start_clienttls(stream, timeout, peername, peeraddr,
-+/*				    tls_info);
-+/*	VSTREAM *stream;
-+/*	int timeout;
-+/*	const char *peername;
-+/*	const char *peeraddr;
-+/*	tls_info_t *tls_info;
-+/*
-+/*	int pfixtls_stop_clienttls(stream, failure, tls_info);
-+/*	VSTREAM *stream;
-+/*	int failure;
-+/*	tls_info_t *tls_info;
-+/*
-+/* DESCRIPTION
-+/*	This module is the interface between Postfix and the OpenSSL library.
-+/*
-+/*	pfixtls_timed_read() reads the requested number of bytes calling
-+/*	SSL_read(). pfixtls_time_read() will only be called indirect
-+/*	as a VSTREAM_FN function.
-+/*	pfixtls_timed_write() is the corresponding write function.
-+/*
-+/*	pfixtls_init_serverengine() is called once when smtpd is started
-+/*	in order to initialize as much of the TLS stuff as possible.
-+/*	The certificate handling is also decided during the setup phase,
-+/*	so that a peer specific handling is not possible.
-+/*
-+/*	pfixtls_init_clientengine() is the corresponding function called
-+/*	in smtp. Here we take the peer's (server's) certificate in any
-+/*	case.
-+/*
-+/*	pfixtls_start_servertls() activates the TLS feature for the VSTREAM
-+/*	passed as argument. We expect that all buffers are flushed and the
-+/*	TLS handshake can begin	immediately. Information about the peer
-+/*	is stored into the tls_info structure passed as argument.
-+/*
-+/*	pfixtls_stop_servertls() sends the "close notify" alert via
-+/*	SSL_shutdown() to the peer and resets all connection specific
-+/*	TLS data. As RFC2487 does not specify a seperate shutdown, it
-+/*	is supposed that the underlying TCP connection is shut down
-+/*	immediately afterwards, so we don't care about additional data
-+/*	coming through the channel.
-+/*	If the failure flag is set, the session is cleared from the cache.
-+/*
-+/*	pfixtls_start_clienttls() and pfixtls_stop_clienttls() are the
-+/*	corresponding functions for smtp.
-+/*
-+/*	Once the TLS connection is initiated, information about the TLS
-+/*	state is available via the tls_info structure:
-+/*	protocol holds the protocol name (SSLv2, SSLv3, TLSv1),
-+/*	tls_info->cipher_name the cipher name (e.g. RC4/MD5),
-+/*	tls_info->cipher_usebits the number of bits actually used (e.g. 40),
-+/*	tls_info->cipher_algbits the number of bits the algorithm is based on
-+/*	(e.g. 128).
-+/*	The last two values may be different when talking to a crippled
-+/*	- ahem - export controled peer (e.g. 40/128).
-+/*
-+/*	The status of the peer certificate verification is available in
-+/*	pfixtls_peer_verified. It is set to 1, when the certificate could
-+/*	be verified.
-+/*	If the peer offered a certifcate, part of the certificate data are
-+/*	available as:
-+/*	tls_info->peer_subject X509v3-oneline with the DN of the peer
-+/*	tls_info->peer_CN extracted CommonName of the peer
-+/*	tls_info->peer_issuer  X509v3-oneline with the DN of the issuer
-+/*	tls_info->peer_CN extracted CommonName of the issuer
-+/*	tls_info->PEER_FINGERPRINT fingerprint of the certificate
-+/*
-+/* DESCRIPTION (SESSION CACHING)
-+/*	In order to achieve high performance when using a lot of connections
-+/*	with TLS, session caching is implemented. It reduces both the CPU load
-+/*	(less cryptograpic operations) and the network load (the amount of
-+/*	certificate data exchanged is reduced).
-+/*	Since postfix uses a setup of independent processes for receiving
-+/*	and sending email, the processes must exchange the session information.
-+/*	Several connections at the same time between the identical peers can
-+/*	occur, so uniqueness and race conditions have to be taken into
-+/*	account.
-+/*	I have checked both Apache-SSL (Ben Laurie), using a seperate "gcache"
-+/*	process and Apache mod_ssl (Ralf S. Engelshall), using shared memory
-+/*	between several identical processes spawned from one parent.
-+/*
-+/*	Postfix/TLS uses a database approach based on the internal "dict"
-+/*	interface. Since the session cache information is approximately
-+/*	1300 bytes binary data, it will not fit into the dbm/ndbm model.
-+/*	It also needs write access to the database, ruling out most other
-+/*	interface, leaving Berkeley DB, which however cannot handle concurrent
-+/*	access by several processes. Hence a modified SDBM (public domain DBM)
-+/*	with enhanced buffer size is used and concurrent write capability
-+/*	is used. SDBM is part of Postfix/TLS.
-+/*
-+/*	Realization:
-+/*	Both (client and server) session cache are realized by individual
-+/*	cache databases. A common database would not make sense, since the
-+/*	key criteria are different (session ID for server, peername for
-+/*	client).
-+/*
-+/*	Server side:
-+/*	Session created by OpenSSL have a 32 byte session id, yielding a
-+/*	64 char file name. I consider these sessions to be unique. If they
-+/*	are not, the last session will win, overwriting the older one in
-+/*	the database. Remember: everything that is lost is a temporary
-+/*	information and not more than a renegotiation will happen.
-+/*	Originating from the same client host, several sessions can come
-+/*	in (e.g. from several users sending mail with Netscape at the same
-+/*	time), so the session id is the correct identifier; the hostname
-+/*	is of no importance, here.
-+/*
-+/*	Client side:
-+/*	We cannot recall sessions based on their session id, because we would
-+/*	have to check every session on disk for a matching server name, so
-+/*	the lookup has to be done based on the FQDN of the peer (receiving
-+/*	host).
-+/*	With regard to uniqueness, we might experience several open connections
-+/*	to the same server at the same time. This is even very likely to
-+/*	happen, since we might have several mails for the same destination
-+/*	in the queue, when a queue run is started. So several smtp's might
-+/*	negotiate sessions at the same time. We can however only save one
-+/*	session for one host.
-+/*	Like on the server side, the "last write" wins. The reason is
-+/*	quite simple. If we don't want to overwrite old sessions, an old
-+/*	session file will just stay in place until it is expired. In the
-+/*	meantime we would lose "fresh" session however. So we will keep the
-+/*	fresh one instead to avoid unnecessary renegotiations.
-+/*
-+/*	Session lifetime:
-+/*	RFC2246 recommends a session lifetime of less than 24 hours. The
-+/*	default is 300 seconds (5 minutes) for OpenSSL and is also used
-+/*	this way in e.g. mod_ssl. The typical usage for emails might be
-+/*	humans typing in emails and sending them, which might take just
-+/*	a while, so I think 3600 seconds (1 hour) is a good compromise.
-+/*	If the environment is save (the cached session contains secret
-+/*	key data), one might even consider using a longer timeout. Anyway,
-+/*	since everlasting sessions must be avoided, the session timeout
-+/*	is done based on the creation date of the session and so each
-+/*	session will timeout eventually.
-+/*
-+/*	Connection failures:
-+/*	RFC2246 requires us to remove sessions if something went wrong.
-+/*	Since the in-memory session cache of other smtp[d] processes cannot
-+/*	be controlled by simple means, we completely rely on the disc
-+/*	based session caching and remove all sessions from memory after
-+/*	connection closure.
-+/*
-+/*	Cache cleanup:
-+/*	Since old entries have to be removed from the session cache, a
-+/*	cleanup process is needed that runs through the collected sess