Import sendmail 8.15.1

svn path=/vendor/sendmail/dist/; revision=275719 svn path=/vendor/sendmail/8.15.1/; revision=275720; tag=vendor/sendmail/8.15.1
2014-12-12 04:10:50 +00:00 · 2014-12-12 04:10:50 +00:00 · ba87e25c2e · 2020-12-20 02:59:44 +00:00
commit ba87e25c2e
parent 4a67213fda
79 changed files with 16984 additions and 10380 deletions
--- a/6
+++ b/6
@ -1,8 +1,4 @@
 The FAQ is no longer maintained with the sendmail release.  It is
 available at http://www.sendmail.org/faq/ .
-A plain-text version of the questions only, with URLs referring to
+$Revision: 8.25 $, Last updated $Date: 2014-01-27 12:49:52 $
 the answers, is posted to comp.mail.sendmail on the 10th and 25th
 of each month.
 $Revision: 8.24 $, Last updated $Date: 1999-02-07 03:21:03 $
--- a/5
+++ b/5
@ -28,8 +28,9 @@ sendmail/SECURITY for more installation information.
   /etc/mail/submit.cf.  This can be done in the cf/cf by using
   "sh ./Build install-cf".
-   Please read sendmail/SECURITY before continuing; you have to create a
+   Please read sendmail/SECURITY before continuing; you may have to create
-   new user smmsp and a new group smmsp for the default installation.
+   a new user smmsp and a new group smmsp for the default installation
   if you are updating from a really old version.
   Then install the sendmail binary built in step 3 by cd-ing back to
   sendmail/ and running "sh ./Build install".
--- a/13
+++ b/13
@ -62,9 +62,9 @@ This list is not guaranteed to be complete.
  libmilter and hence the communication fails.  This can be avoided by
  increasing the constant MILTER_CHUNK_SIZE in
  include/libmilter/mfdef.h and recompiling sendmail, libmilter, and
-  all (statically linked) milters (or by using an undocumented compile
+  all (statically linked) milters (or by using undocumented compile
-  time option:  _FFR_MAXDATASIZE; you have to read the source code in
+  time options: _FFR_MAXDATASIZE/_FFR_MDS_NEGOTIATE; you have to
-  order to use this properly).
+  read the source code in order to use these properly).
 * Sender addresses whose domain part cause a temporary A record lookup
  failure but have a valid MX record will be temporarily rejected in
@ -102,6 +102,11 @@ Kresolve sequence dnsmx canon
  Header addresses that have the \231 character (and possibly others
  in the range \201 - \237) behave in odd and usually unexpected ways.
 * AuthRealm for Cyrus SASL may not work as expected. The man page
  and the actual usage for sasl_server_new() seem to differ.
  Feedback for the "correct" usage is welcome, a patch to match
  the description of the man page is in contrib/AuthRealm.p0.
 * accept() problem on SVR4.
  Apparently, the sendmail daemon loop (doing accept()s on the network)
@ -252,7 +257,7 @@ Kresolve sequence dnsmx canon
 * Race condition for delivery to set-user-ID files
-  Sendmail will deliver to a fail if the file is owned by the DefaultUser
+  Sendmail will deliver to a file if the file is owned by the DefaultUser
  or has the set-user-ID bit set.  Unfortunately, some systems clear that bit
  when a file is modified.  Sendmail compensates by resetting the file mode
  back to it's original settings.  Unfortunately, there's still a
--- a/22
+++ b/22
@ -211,29 +211,11 @@ There are other files you should read.  Rooted in this directory are:
 +--------------+
 There are several related RFCs that you may wish to read -- they are
-available via anonymous FTP to several sites.  For a list of the
+available from several sites, see
 primary repositories see:
 	http://www.isi.edu/in-notes/rfc-retrieval.txt
 They are also online at:
 	http://www.rfc-editor.org/
 	http://www.ietf.org/
 They can also be retrieved via electronic mail by sending
 email to one of:
 	mail-server@nisc.sri.com
 		Put "send rfcNNN" in message body
 	nis-info@nis.nsf.net
 		Put "send RFCnnn.TXT-1" in message body
 	sendrfc@jvnc.net
 		Put "RFCnnn" as Subject: line
 For further instructions see:
 	http://www.isi.edu/in-notes/rfc-editor/rfc-info
 Important RFCs for electronic mail are:
 	RFC821	SMTP protocol
--- a/124
+++ b/124
@ -5,6 +5,124 @@ This listing shows the version of the sendmail binary, the version
 of the sendmail configuration files, the date of release, and a
 summary of the changes in that release.
 8.15.1/8.15.1	2014/12/06
 	SECURITY: Properly set the close-on-exec flag for file descriptors
 		(except stdin, stdout, and stderr) before executing mailers.
 	If header rewriting fails due to a temporary map lookup failure,
 		queue the mail for later retry instead of sending it
 		without rewriting the header.  Note: this is done
 		while the mail is being sent and hence the transaction
 		is aborted, which only works for SMTP/LMTP mailers
 		hence the handling of temporary map failures is
 		suppressed for other mailers. SMTP/LMTP servers may
 		complain about aborted transactions when this problem
 		occurs.
 		See also "DNS Lookups" in sendmail/TUNING.
 	Incompatible Change: Use uncompressed IPv6 addresses by default,
 		i.e., they will not contain "::".  For example,
 		instead of ::1 it will be 0:0:0:0:0:0:0:1.  This
 		permits a zero subnet to have a more specific match,
 		such as different map entries for IPv6:0:0 vs IPv6:0.
 		This change requires that configuration data
 		(including maps, files, classes, custom ruleset,
 		etc) must use the same format, so make certain such
 		configuration data is updated before using 8.15.
 		As a very simple check search for patterns like
 		'IPv6:[0-9a-fA-F:]*::' and 'IPv6::'. If necessary,
 		the prior format can be retained by compiling with:
 		APPENDDEF(`conf_sendmail_ENVDEF', `-DIPV6_FULL=0')
 		in your devtools/Site/site.config.m4 file.
 	If debugging is turned on (-d0.14) also print the OpenSSL
 		versions, both build time and run time
 		(provided STARTTLS is compiled in).
 	If a connection to the MTA is dropped by the client before its
 		hostname can be validated, treat it as "may be forged",
 		so that the unvalidated hostname is not passed to a
 		milter in xxfi_connect().
 	Add a timeout for communication with socket map servers
 		which can be specified using the -d option.
 	Add a compile time option HESIOD_ALLOW_NUMERIC_LOGIN to allow
 		numeric logins even if HESIOD is enabled.
 	The new option CertFingerprintAlgorithm specifies the finger-
 		print algorithm (digest) to use for the presented cert.
 		If the option is not set, md5 is used and the macro
 		{cert_md5} contains the cert fingerprint.
 		However, if the option is set, the specified algorithm
 		(e.g., sha1) is used and the macro {cert_fp} contains
 		the cert fingerprint.
 		That is, as long as the option is not set, the behaviour
 		does not change, but otherwise, {cert_md5} is superseded
 		by {cert_fp} even if you set CertFingerprintAlgorithm
 		to md5.
 	The options ServerSSLOptions and ClientSSLOptions can be used
 		to set SSL options for the server and client side
 		respectively. See SSL_CTX_set_options(3) for a list.
 		Note: this change turns on SSL_OP_NO_SSLv2 and
 		SSL_OP_NO_TICKET for the client. See doc/op/op.me
 		for details.
 	The option CipherList sets the list of ciphers for STARTTLS.
 		See ciphers(1) for possible values.
 	Do not log "STARTTLS: internal error: tls_verify_cb: ssl == NULL"
 		if a CRLFfile is in use (and LogLevel is 14 or higher.)
 	Store a more specific TLS protocol version in ${tls_version}
 		instead of a generic one, e.g., TLSv1 instead of
 		TLSv1/SSLv3.
 	Properly set {client_port} value on little endian machines.
 		Patch from Kelsey Cummings of Sonic.net.
 	Per RFC 3848, indicate in the Received: header whether SSL or
 		SMTP AUTH was negotiated by setting the protocol clause
 		to ESMTPS, ESMTPA, or ESMTPSA instead of ESMTP.
 	If the 'C' flag is listed as TLSSrvOptions the requirement for the
 		TLS server to have a cert is removed.  This only works
 		under very specific circumstances and should only be used
 		if the consequences are understood, e.g., clients
 		may not work with a server using this.
 	The options ClientCertFile, ClientKeyFile, ServerCertFile, and
 		ServerKeyFile can take a second file name, which must be
 		separated from the first with a comma (note: do not use
 		any spaces) to set up a second cert/key pair. This can
 		be used to have certs of different types, e.g., RSA
 		and DSA.
 	A new map type "arpa" is available to reverse an IP (IPv4 or IPv6)
 		address. It returns the string for the PTR lookup, but
 		without trailing {ip6,in-addr}.arpa.
 	New operation mode  'C' just checks the configuration file, e.g.,
 		sendmail -C new.cf -bC
 		will perform a basic syntax/consistency check of new.cf.
 	The mailer flag 'I' is deprecated and will be removed in a
 		future version.
 	Allow local (not just TCP) socket connections to the server, e.g.,
 		O DaemonPortOptions=Family=local, Addr=/var/mta/server.sock
 		can be used.
 	If the new option MaxQueueAge is set to a value greater than zero,
 		entries in the queue will be retried during a queue run
 		only if the individual retry time has been reached which
 		is doubled for each attempt.  The maximum retry time is
 		limited by the specified value.
 	New DontBlameSendmail option GroupReadableDefaultAuthInfoFile
 		to relax requirement for DefaultAuthInfo file.
 	Reset timeout after receiving a message to appropriate value if
 		STARTTLS is in use.  Based on patch by Kelsey Cummings
 		of Sonic.net.
 	Report correct error messages from the LDAP library for a range of
 		small negative return values covering those used by OpenLDAP.
 	Fix compilation with Berkeley DB 5.0 and 6.0.  Patch from
 		Allan E Johannesen of Worcester Polytechnic Institute.
 	CONFIG: FEATURE(`nopercenthack') takes one parameter: reject or
 		nospecial which describes whether to disallow "%" in the
 		local part of an address.
 	DEVTOOLS: Fix regression in auto-detection of libraries when only
 		shared libraries are available.  Problem reported by
 		Bryan Costales.
 	LIBMILTER: Mark communication socket as close-on-exec in case
 		a user's filter starts other applications.
 		Based on patch from Paul Howarth.
 	Portability:
 		SunOS 5.12 has changed the API for sigwait(2) to conform
 		with XPG7.  Based on patch from Roger Faulkner of Oracle.
 	Deleted Files:
 		libsm/path.c
 8.14.9/8.14.9	2014/05/21
 	SECURITY: Properly set the close-on-exec flag for file descriptors
 		(except stdin, stdout, and stderr) before executing mailers.
@ -681,7 +799,7 @@ summary of the changes in that release.
 	LIBMILTER: The "hostname" argument of the xxfi_connect() callback
 		previously was the equivalent of {client_ptr}.  However,
 		this did not match the documentation of the function, hence
-		it has been changed to {client_name}.  See doc/op/op.*
+		it has been changed to {client_name}.  See doc/op/op.me
 		about these macros.
 8.13.7/8.13.7	2006/06/14
@ -3509,11 +3627,11 @@ summary of the changes in that release.
 	Add new STARTTLS related options CACERTPath, CACERTFile,
 		ClientCertFile, ClientKeyFile, DHParameters, RandFile,
 		ServerCertFile, and ServerKeyFile.  These are documented in
-		cf/README and doc/op/op.*.
+		cf/README and doc/op/op.me.
 	New STARTTLS related macros: ${cert_issuer}, ${cert_subject},
 		${tls_version}, ${cipher}, ${cipher_bits}, ${verify},
 		${server_name}, and ${server_addr}.  These are documented
-		in cf/README and doc/op/op.*.
+		in cf/README and doc/op/op.me.
 	Add support for the Entropy Gathering Daemon (EGD) for better
 		random data.
 	New DontBlameSendmail option InsufficientEntropy for systems which
--- a/cf/README
+++ b/cf/README
@ -397,6 +397,10 @@ SMTP_MAILER_CHARSET	[undefined] If defined, messages containing 8-bit data
 			that ARRIVE from an address that resolves to one of
 			the SMTP mailers and which are converted to MIME will
 			be labeled with this character set.
 RELAY_MAILER_CHARSET	[undefined] If defined, messages containing 8-bit data
 			that ARRIVE from an address that resolves to the
 			relay mailers and which are converted to MIME will
 			be labeled with this character set.
 SMTP_MAILER_LL		[990] The maximum line length for SMTP mailers
 			(except the relay mailer).
 RELAY_MAILER_LL		[2040] The maximum line length for the relay mailer.
@ -743,6 +747,16 @@ nouucp		Don't route UUCP addresses.  This feature takes one
 		2. don't remove "!" from OperatorChars if `reject' is
 		given as parameter.
 nopercenthack	Don't treat % as routing character.  This feature takes one
 		parameter:
 		`reject': reject addresses which have % in the local
 			part unless it originates from a system
 			that is allowed to relay.
 		`nospecial': don't do anything special with %.
 		Warnings: 1. See the notice in the anti-spam section.
 		2. Don't remove % from OperatorChars if `reject' is
 		given as parameter.
 nocanonify	Don't pass addresses to $[ ... $] for canonification
 		by default, i.e., host/domain names are considered canonical,
 		except for unqualified names, which must not be used in this
@ -2442,17 +2456,19 @@ should only be used for sites which have no control over the addresses
 that they provide a gateway for.  Use this FEATURE with caution as it
 can allow spammers to relay through your server if not setup properly.
-NOTICE: It is possible to relay mail through a system which the anti-relay
+NOTICE: It is possible to relay mail through a system which the
-rules do not prevent: the case of a system that does use FEATURE(`nouucp',
+anti-relay rules do not prevent: the case of a system that does use
-`nospecial') (system A) and relays local messages to a mail hub (e.g., via
+FEATURE(`nouucp', `nospecial') / FEATURE(`nopercenthack', `nospecial')
-LOCAL_RELAY or LUSER_RELAY) (system B).  If system B doesn't use
+(system A) and relays local messages to a mail hub (e.g., via
-FEATURE(`nouucp') at all, addresses of the form
+LOCAL_RELAY or LUSER_RELAY) (system B).  If system B doesn't use the
-<example.net!user@local.host> would be relayed to <user@example.net>.
+same feature (nouucp / nopercenthack) at all, addresses of the form
-System A doesn't recognize `!' as an address separator and therefore
+<example.net!user@local.host> / <user%example.net@local.host>
-forwards it to the mail hub which in turns relays it because it came from
+would be relayed to <user@example.net>.
-a trusted local host.  So if a mailserver allows UUCP (bang-format)
+System A doesn't recognize `!' / `%' as an address separator and
-addresses, all systems from which it allows relaying should do the same
+therefore forwards it to the mail hub which in turns relays it
-or reject those addresses.
+because it came from a trusted local host.  So if a mailserver
 allows UUCP (bang-format) / %-hack addresses, all systems from which
 it allows relaying should do the same or reject those addresses.
 As of 8.9, sendmail will refuse mail if the MAIL FROM: parameter has
 an unresolvable domain (i.e., one that DNS, your local name service,
@ -3990,6 +4006,13 @@ confWORK_TIME_FACTOR	RetryFactor	[90000] Cost of each delivery attempt.
 confQUEUE_SORT_ORDER	QueueSortOrder	[Priority] Queue sort algorithm:
 					Priority, Host, Filename, Random,
 					Modification, or Time.
 confMAX_QUEUE_AGE	MaxQueueAge	[undefined] If set to a value greater
 					than zero, entries in the queue
 					will be retried during a queue run
 					only if the individual retry time
 					has been reached which is doubled
 					for each attempt.  The maximum retry
 					time is limited by the specified value.
 confMIN_QUEUE_AGE	MinQueueAge	[0] The minimum amount of time a job
 					must sit in the queue between queue
 					runs.  This allows you to set the
@ -4208,7 +4231,7 @@ confAUTH_MECHANISMS	AuthMechanisms	[GSSAPI KERBEROS_V4 DIGEST-MD5
 confAUTH_REALM		AuthRealm	[undefined] The authentication realm
 					that is passed to the Cyrus SASL
 					library.  If no realm is specified,
-					$j is used.
+					$j is used.  See KNOWNBUGS.
 confDEF_AUTH_INFO	DefaultAuthInfo	[undefined] Name of file that contains
 					authentication information for
 					outgoing connections.  This file must
@ -4241,6 +4264,14 @@ confTLS_SRV_OPTIONS	TLSSrvOptions	If this option is 'V' no client
 					verification is performed, i.e.,
 					the server doesn't ask for a
 					certificate.
 confSERVER_SSL_OPTIONS	ServerSSLOptions	[undefined] SSL related
 					options for server side.  See
 					SSL_CTX_set_options(3) for a list.
 confCLIENT_SSL_OPTIONS	ClientSSLOptions	[undefined] SSL related
 					options for client side. See
 					SSL_CTX_set_options(3) for a list.
 confCIPHER_LIST		CipherList	[undefined] Cipher list for TLS.
 					See ciphers(1) for possible values.
 confLDAP_DEFAULT_SPEC	LDAPDefaultSpec	[undefined] Default map
 					specification for LDAP maps.  The
 					value should only contain LDAP
@ -4281,6 +4312,10 @@ confRAND_FILE		RandFile	[undefined] File containing random
 					requires this option if the compile
 					flag HASURANDOM is not set (see
 					sendmail/README).
 confCERT_FINGERPRINT_ALGORITHM	CertFingerprintAlgorithm
 					[undefined] The fingerprint algorithm
 					(digest) to use for the presented
 					cert.
 confNICE_QUEUE_RUN	NiceQueueRun	[undefined]  If set, the priority of
 					queue runners is set the given value
 					(nice(3)).
--- a/cf/cf/generic-bsd4.4.cf
+++ b/cf/cf/generic-bsd4.4.cf
@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@lab.smi.sendmail.com on Tue May 20 12:12:51 PDT 2014
+##### built by ca@sandman.dev-lab.sendmail.com on Tue Dec 2 16:21:20 PST 2014
-##### in /home/ca/sm8.git/sendmail/OpenSource/sendmail-8.14.9/cf/cf
+##### in /x/ca/sm8.git/sendmail/OpenSource/sendmail-8.15.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@ -122,7 +122,7 @@ DnMAILER-DAEMON
 CPREDIRECT
 # Configuration version number
-DZ8.14.9
+DZ8.15.1
 ###############
@ -259,6 +259,9 @@ O PrivacyOptions=authwarnings
 # minimum time in queue before retry
 #O MinQueueAge=30m
 # maximum time in queue before retry (if > 0; only for exponential delay)
 #O MaxQueueAge
 # how many jobs can you process in the queue?
 #O MaxQueueRunSize=0
@ -509,6 +512,12 @@ O MaxHeadersLength=32768
 # SMTP STARTTLS server options
 #O TLSSrvOptions
 # SSL cipherlist
 #O CipherList
 # server side SSL options
 #O ServerSSLOptions
 # client side SSL options
 #O ClientSSLOptions
 # Input mail filters
 #O InputMailFilters
@ -532,6 +541,8 @@ O MaxHeadersLength=32768
 #O DHParameters
 # Random data source (required for systems without /dev/urandom under OpenSSL)
 #O RandFile
 # fingerprint algorithm (digest) to use for the presented cert
 #O CertFingerprintAlgorithm
 # Maximum number of "useless" commands before slowing down
 #O MaxNOOPCommands=20
@ -539,6 +550,8 @@ O MaxHeadersLength=32768
 # Name to use for EHLO (defaults to $j)
 #O HeloName
 ############################
 # QUEUE GROUP DEFINITIONS  #
 ############################
@ -651,6 +664,7 @@ R$* % $*		$1 @ $2				First make them all @s.
 R$* @ $* @ $*		$1 % $2 @ $3			Undo all but the last.
 R$* @ $*		$@ $>Canonify2 $1 < @ $2 >	Insert < > and finish
 # else we must be a local name
 R$*			$@ $>Canonify2 $1
@ -783,6 +797,7 @@ R$* $=O $* < @ *LOCAL* >
 			$@ $>Parse0 $>canonify $1 $2 $3	...@*LOCAL* -> ...
 R$* < @ *LOCAL* >	$: $1
 #
 #  Parse1 -- the bottom half of ruleset 0.
 #
@ -820,6 +835,8 @@ R$* < @$* > $*		$#esmtp $@ $2 $: $1 < @ $2 > $3	user@host.domain
 R$=L			$#local $: @ $1		special local names
 R$+			$#local $: $1			regular local names
 ###########################################################################
 ###   Ruleset 5 -- special rewriting after aliases have been expanded   ###
 ###########################################################################
--- a/cf/cf/generic-hpux10.cf
+++ b/cf/cf/generic-hpux10.cf
@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@lab.smi.sendmail.com on Tue May 20 12:12:51 PDT 2014
+##### built by ca@sandman.dev-lab.sendmail.com on Tue Dec 2 16:21:20 PST 2014
-##### in /home/ca/sm8.git/sendmail/OpenSource/sendmail-8.14.9/cf/cf
+##### in /x/ca/sm8.git/sendmail/OpenSource/sendmail-8.15.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@ -123,7 +123,7 @@ DnMAILER-DAEMON
 CPREDIRECT
 # Configuration version number
-DZ8.14.9
+DZ8.15.1
 ###############
@ -260,6 +260,9 @@ O PrivacyOptions=authwarnings
 # minimum time in queue before retry
 #O MinQueueAge=30m
 # maximum time in queue before retry (if > 0; only for exponential delay)
 #O MaxQueueAge
 # how many jobs can you process in the queue?
 #O MaxQueueRunSize=0
@ -510,6 +513,12 @@ O MaxHeadersLength=32768
 # SMTP STARTTLS server options
 #O TLSSrvOptions
 # SSL cipherlist
 #O CipherList
 # server side SSL options
 #O ServerSSLOptions
 # client side SSL options
 #O ClientSSLOptions
 # Input mail filters
 #O InputMailFilters
@ -533,6 +542,8 @@ O MaxHeadersLength=32768
 #O DHParameters
 # Random data source (required for systems without /dev/urandom under OpenSSL)
 #O RandFile
 # fingerprint algorithm (digest) to use for the presented cert
 #O CertFingerprintAlgorithm
 # Maximum number of "useless" commands before slowing down
 #O MaxNOOPCommands=20
@ -540,6 +551,8 @@ O MaxHeadersLength=32768
 # Name to use for EHLO (defaults to $j)
 #O HeloName
 ############################
 # QUEUE GROUP DEFINITIONS  #
 ############################
@ -652,6 +665,7 @@ R$* % $*		$1 @ $2				First make them all @s.
 R$* @ $* @ $*		$1 % $2 @ $3			Undo all but the last.
 R$* @ $*		$@ $>Canonify2 $1 < @ $2 >	Insert < > and finish
 # else we must be a local name
 R$*			$@ $>Canonify2 $1
@ -784,6 +798,7 @@ R$* $=O $* < @ *LOCAL* >
 			$@ $>Parse0 $>canonify $1 $2 $3	...@*LOCAL* -> ...
 R$* < @ *LOCAL* >	$: $1
 #
 #  Parse1 -- the bottom half of ruleset 0.
 #
@ -821,6 +836,8 @@ R$* < @$* > $*		$#esmtp $@ $2 $: $1 < @ $2 > $3	user@host.domain
 R$=L			$#local $: @ $1		special local names
 R$+			$#local $: $1			regular local names
 ###########################################################################
 ###   Ruleset 5 -- special rewriting after aliases have been expanded   ###
 ###########################################################################
--- a/cf/cf/generic-hpux9.cf
+++ b/cf/cf/generic-hpux9.cf
@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@lab.smi.sendmail.com on Tue May 20 12:12:51 PDT 2014
+##### built by ca@sandman.dev-lab.sendmail.com on Tue Dec 2 16:21:20 PST 2014
-##### in /home/ca/sm8.git/sendmail/OpenSource/sendmail-8.14.9/cf/cf
+##### in /x/ca/sm8.git/sendmail/OpenSource/sendmail-8.15.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@ -123,7 +123,7 @@ DnMAILER-DAEMON
 CPREDIRECT
 # Configuration version number
-DZ8.14.9
+DZ8.15.1
 ###############
@ -260,6 +260,9 @@ O PrivacyOptions=authwarnings
 # minimum time in queue before retry
 #O MinQueueAge=30m
 # maximum time in queue before retry (if > 0; only for exponential delay)
 #O MaxQueueAge
 # how many jobs can you process in the queue?
 #O MaxQueueRunSize=0
@ -510,6 +513,12 @@ O MaxHeadersLength=32768
 # SMTP STARTTLS server options
 #O TLSSrvOptions
 # SSL cipherlist
 #O CipherList
 # server side SSL options
 #O ServerSSLOptions
 # client side SSL options
 #O ClientSSLOptions
 # Input mail filters
 #O InputMailFilters
@ -533,6 +542,8 @@ O MaxHeadersLength=32768
 #O DHParameters
 # Random data source (required for systems without /dev/urandom under OpenSSL)
 #O RandFile
 # fingerprint algorithm (digest) to use for the presented cert
 #O CertFingerprintAlgorithm
 # Maximum number of "useless" commands before slowing down
 #O MaxNOOPCommands=20
@ -540,6 +551,8 @@ O MaxHeadersLength=32768
 # Name to use for EHLO (defaults to $j)
 #O HeloName
 ############################
 # QUEUE GROUP DEFINITIONS  #
 ############################
@ -652,6 +665,7 @@ R$* % $*		$1 @ $2				First make them all @s.
 R$* @ $* @ $*		$1 % $2 @ $3			Undo all but the last.
 R$* @ $*		$@ $>Canonify2 $1 < @ $2 >	Insert < > and finish
 # else we must be a local name
 R$*			$@ $>Canonify2 $1
@ -784,6 +798,7 @@ R$* $=O $* < @ *LOCAL* >
 			$@ $>Parse0 $>canonify $1 $2 $3	...@*LOCAL* -> ...
 R$* < @ *LOCAL* >	$: $1
 #
 #  Parse1 -- the bottom half of ruleset 0.
 #
@ -821,6 +836,8 @@ R$* < @$* > $*		$#esmtp $@ $2 $: $1 < @ $2 > $3	user@host.domain
 R$=L			$#local $: @ $1		special local names
 R$+			$#local $: $1			regular local names
 ###########################################################################
 ###   Ruleset 5 -- special rewriting after aliases have been expanded   ###
 ###########################################################################
--- a/cf/cf/generic-linux.cf
+++ b/cf/cf/generic-linux.cf
@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@lab.smi.sendmail.com on Tue May 20 12:12:51 PDT 2014
+##### built by ca@sandman.dev-lab.sendmail.com on Tue Dec 2 16:21:20 PST 2014
-##### in /home/ca/sm8.git/sendmail/OpenSource/sendmail-8.14.9/cf/cf
+##### in /x/ca/sm8.git/sendmail/OpenSource/sendmail-8.15.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@ -127,7 +127,7 @@ DnMAILER-DAEMON
 CPREDIRECT
 # Configuration version number
-DZ8.14.9
+DZ8.15.1
 ###############
@ -264,6 +264,9 @@ O PrivacyOptions=authwarnings
 # minimum time in queue before retry
 #O MinQueueAge=30m
 # maximum time in queue before retry (if > 0; only for exponential delay)
 #O MaxQueueAge
 # how many jobs can you process in the queue?
 #O MaxQueueRunSize=0
@ -514,6 +517,12 @@ O MaxHeadersLength=32768
 # SMTP STARTTLS server options
 #O TLSSrvOptions
 # SSL cipherlist
 #O CipherList
 # server side SSL options
 #O ServerSSLOptions
 # client side SSL options
 #O ClientSSLOptions
 # Input mail filters
 #O InputMailFilters
@ -537,6 +546,8 @@ O MaxHeadersLength=32768
 #O DHParameters
 # Random data source (required for systems without /dev/urandom under OpenSSL)
 #O RandFile
 # fingerprint algorithm (digest) to use for the presented cert
 #O CertFingerprintAlgorithm
 # Maximum number of "useless" commands before slowing down
 #O MaxNOOPCommands=20
@ -544,6 +555,8 @@ O MaxHeadersLength=32768
 # Name to use for EHLO (defaults to $j)
 #O HeloName
 ############################
 # QUEUE GROUP DEFINITIONS  #
 ############################
@ -656,6 +669,7 @@ R$* % $*		$1 @ $2				First make them all @s.
 R$* @ $* @ $*		$1 % $2 @ $3			Undo all but the last.
 R$* @ $*		$@ $>Canonify2 $1 < @ $2 >	Insert < > and finish
 # else we must be a local name
 R$*			$@ $>Canonify2 $1
@ -788,6 +802,7 @@ R$* $=O $* < @ *LOCAL* >
 			$@ $>Parse0 $>canonify $1 $2 $3	...@*LOCAL* -> ...
 R$* < @ *LOCAL* >	$: $1
 #
 #  Parse1 -- the bottom half of ruleset 0.
 #
@ -825,6 +840,8 @@ R$* < @$* > $*		$#esmtp $@ $2 $: $1 < @ $2 > $3	user@host.domain
 R$=L			$#local $: @ $1		special local names
 R$+			$#local $: $1			regular local names
 ###########################################################################
 ###   Ruleset 5 -- special rewriting after aliases have been expanded   ###
 ###########################################################################
--- a/cf/cf/generic-mpeix.cf
+++ b/cf/cf/generic-mpeix.cf
@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@lab.smi.sendmail.com on Tue May 20 12:12:51 PDT 2014
+##### built by ca@sandman.dev-lab.sendmail.com on Tue Dec 2 16:21:20 PST 2014
-##### in /home/ca/sm8.git/sendmail/OpenSource/sendmail-8.14.9/cf/cf
+##### in /x/ca/sm8.git/sendmail/OpenSource/sendmail-8.15.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@ -123,7 +123,7 @@ DnMAILER-DAEMON
 CPREDIRECT
 # Configuration version number
-DZ8.14.9
+DZ8.15.1
 ###############
@ -260,6 +260,9 @@ O PrivacyOptions=authwarnings
 # minimum time in queue before retry
 #O MinQueueAge=30m
 # maximum time in queue before retry (if > 0; only for exponential delay)
 #O MaxQueueAge
 # how many jobs can you process in the queue?
 #O MaxQueueRunSize=0
@ -510,6 +513,12 @@ O MaxHeadersLength=32768
 # SMTP STARTTLS server options
 #O TLSSrvOptions
 # SSL cipherlist
 #O CipherList
 # server side SSL options
 #O ServerSSLOptions
 # client side SSL options
 #O ClientSSLOptions
 # Input mail filters
 #O InputMailFilters
@ -533,6 +542,8 @@ O MaxHeadersLength=32768
 #O DHParameters
 # Random data source (required for systems without /dev/urandom under OpenSSL)
 #O RandFile
 # fingerprint algorithm (digest) to use for the presented cert
 #O CertFingerprintAlgorithm
 # Maximum number of "useless" commands before slowing down
 #O MaxNOOPCommands=20
@ -540,6 +551,8 @@ O MaxHeadersLength=32768
 # Name to use for EHLO (defaults to $j)
 #O HeloName
 ############################
 # QUEUE GROUP DEFINITIONS  #
 ############################
@ -652,6 +665,7 @@ R$* % $*		$1 @ $2				First make them all @s.
 R$* @ $* @ $*		$1 % $2 @ $3			Undo all but the last.
 R$* @ $*		$@ $>Canonify2 $1 < @ $2 >	Insert < > and finish
 # else we must be a local name
 R$*			$@ $>Canonify2 $1
@ -784,6 +798,7 @@ R$* $=O $* < @ *LOCAL* >
 			$@ $>Parse0 $>canonify $1 $2 $3	...@*LOCAL* -> ...
 R$* < @ *LOCAL* >	$: $1
 #
 #  Parse1 -- the bottom half of ruleset 0.
 #
@ -821,6 +836,8 @@ R$* < @$* > $*		$#esmtp $@ $2 $: $1 < @ $2 > $3	user@host.domain
 R$=L			$#local $: @ $1		special local names
 R$+			$#local $: $1			regular local names
 ###########################################################################
 ###   Ruleset 5 -- special rewriting after aliases have been expanded   ###
 ###########################################################################
--- a/cf/cf/generic-nextstep3.3.cf
+++ b/cf/cf/generic-nextstep3.3.cf
@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@lab.smi.sendmail.com on Tue May 20 12:12:51 PDT 2014
+##### built by ca@sandman.dev-lab.sendmail.com on Tue Dec 2 16:21:20 PST 2014
-##### in /home/ca/sm8.git/sendmail/OpenSource/sendmail-8.14.9/cf/cf
+##### in /x/ca/sm8.git/sendmail/OpenSource/sendmail-8.15.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@ -122,7 +122,7 @@ DnMAILER-DAEMON
 CPREDIRECT
 # Configuration version number
-DZ8.14.9
+DZ8.15.1
 ###############
@ -259,6 +259,9 @@ O PrivacyOptions=authwarnings
 # minimum time in queue before retry
 #O MinQueueAge=30m
 # maximum time in queue before retry (if > 0; only for exponential delay)
 #O MaxQueueAge
 # how many jobs can you process in the queue?
 #O MaxQueueRunSize=0
@ -509,6 +512,12 @@ O MaxHeadersLength=32768
 # SMTP STARTTLS server options
 #O TLSSrvOptions
 # SSL cipherlist
 #O CipherList
 # server side SSL options
 #O ServerSSLOptions
 # client side SSL options
 #O ClientSSLOptions
 # Input mail filters
 #O InputMailFilters
@ -532,6 +541,8 @@ O MaxHeadersLength=32768
 #O DHParameters
 # Random data source (required for systems without /dev/urandom under OpenSSL)
 #O RandFile
 # fingerprint algorithm (digest) to use for the presented cert
 #O CertFingerprintAlgorithm
 # Maximum number of "useless" commands before slowing down
 #O MaxNOOPCommands=20
@ -539,6 +550,8 @@ O MaxHeadersLength=32768
 # Name to use for EHLO (defaults to $j)
 #O HeloName
 ############################
 # QUEUE GROUP DEFINITIONS  #
 ############################
@ -651,6 +664,7 @@ R$* % $*		$1 @ $2				First make them all @s.
 R$* @ $* @ $*		$1 % $2 @ $3			Undo all but the last.
 R$* @ $*		$@ $>Canonify2 $1 < @ $2 >	Insert < > and finish
 # else we must be a local name
 R$*			$@ $>Canonify2 $1
@ -783,6 +797,7 @@ R$* $=O $* < @ *LOCAL* >
 			$@ $>Parse0 $>canonify $1 $2 $3	...@*LOCAL* -> ...
 R$* < @ *LOCAL* >	$: $1
 #
 #  Parse1 -- the bottom half of ruleset 0.
 #
@ -820,6 +835,8 @@ R$* < @$* > $*		$#esmtp $@ $2 $: $1 < @ $2 > $3	user@host.domain
 R$=L			$#local $: @ $1		special local names
 R$+			$#local $: $1			regular local names
 ###########################################################################
 ###   Ruleset 5 -- special rewriting after aliases have been expanded   ###
 ###########################################################################
--- a/cf/cf/generic-osf1.cf
+++ b/cf/cf/generic-osf1.cf
@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@lab.smi.sendmail.com on Tue May 20 12:12:52 PDT 2014
+##### built by ca@sandman.dev-lab.sendmail.com on Tue Dec 2 16:21:20 PST 2014
-##### in /home/ca/sm8.git/sendmail/OpenSource/sendmail-8.14.9/cf/cf
+##### in /x/ca/sm8.git/sendmail/OpenSource/sendmail-8.15.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@ -123,7 +123,7 @@ DnMAILER-DAEMON
 CPREDIRECT
 # Configuration version number
-DZ8.14.9
+DZ8.15.1
 ###############
@ -260,6 +260,9 @@ O PrivacyOptions=authwarnings
 # minimum time in queue before retry
 #O MinQueueAge=30m
 # maximum time in queue before retry (if > 0; only for exponential delay)
 #O MaxQueueAge
 # how many jobs can you process in the queue?
 #O MaxQueueRunSize=0
@ -510,6 +513,12 @@ O MaxHeadersLength=32768
 # SMTP STARTTLS server options
 #O TLSSrvOptions
 # SSL cipherlist
 #O CipherList
 # server side SSL options
 #O ServerSSLOptions
 # client side SSL options
 #O ClientSSLOptions
 # Input mail filters
 #O InputMailFilters
@ -533,6 +542,8 @@ O MaxHeadersLength=32768
 #O DHParameters
 # Random data source (required for systems without /dev/urandom under OpenSSL)
 #O RandFile
 # fingerprint algorithm (digest) to use for the presented cert
 #O CertFingerprintAlgorithm
 # Maximum number of "useless" commands before slowing down
 #O MaxNOOPCommands=20
@ -540,6 +551,8 @@ O MaxHeadersLength=32768
 # Name to use for EHLO (defaults to $j)
 #O HeloName
 ############################
 # QUEUE GROUP DEFINITIONS  #
 ############################
@ -652,6 +665,7 @@ R$* % $*		$1 @ $2				First make them all @s.
 R$* @ $* @ $*		$1 % $2 @ $3			Undo all but the last.
 R$* @ $*		$@ $>Canonify2 $1 < @ $2 >	Insert < > and finish
 # else we must be a local name
 R$*			$@ $>Canonify2 $1
@ -784,6 +798,7 @@ R$* $=O $* < @ *LOCAL* >
 			$@ $>Parse0 $>canonify $1 $2 $3	...@*LOCAL* -> ...
 R$* < @ *LOCAL* >	$: $1
 #
 #  Parse1 -- the bottom half of ruleset 0.
 #
@ -821,6 +836,8 @@ R$* < @$* > $*		$#esmtp $@ $2 $: $1 < @ $2 > $3	user@host.domain
 R$=L			$#local $: @ $1		special local names
 R$+			$#local $: $1			regular local names
 ###########################################################################
 ###   Ruleset 5 -- special rewriting after aliases have been expanded   ###
 ###########################################################################
--- a/cf/cf/generic-solaris.cf
+++ b/cf/cf/generic-solaris.cf
@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@lab.smi.sendmail.com on Tue May 20 12:12:52 PDT 2014
+##### built by ca@sandman.dev-lab.sendmail.com on Tue Dec 2 16:21:20 PST 2014
-##### in /home/ca/sm8.git/sendmail/OpenSource/sendmail-8.14.9/cf/cf
+##### in /x/ca/sm8.git/sendmail/OpenSource/sendmail-8.15.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@ -122,7 +122,7 @@ DnMAILER-DAEMON
 CPREDIRECT
 # Configuration version number
-DZ8.14.9
+DZ8.15.1
 ###############
@ -259,6 +259,9 @@ O PrivacyOptions=authwarnings
 # minimum time in queue before retry
 #O MinQueueAge=30m
 # maximum time in queue before retry (if > 0; only for exponential delay)
 #O MaxQueueAge
 # how many jobs can you process in the queue?
 #O MaxQueueRunSize=0
@ -509,6 +512,12 @@ O MaxHeadersLength=32768
 # SMTP STARTTLS server options
 #O TLSSrvOptions
 # SSL cipherlist
 #O CipherList
 # server side SSL options
 #O ServerSSLOptions
 # client side SSL options
 #O ClientSSLOptions
 # Input mail filters
 #O InputMailFilters
@ -532,6 +541,8 @@ O MaxHeadersLength=32768
 #O DHParameters
 # Random data source (required for systems without /dev/urandom under OpenSSL)
 #O RandFile
 # fingerprint algorithm (digest) to use for the presented cert
 #O CertFingerprintAlgorithm
 # Maximum number of "useless" commands before slowing down
 #O MaxNOOPCommands=20
@ -539,6 +550,8 @@ O MaxHeadersLength=32768
 # Name to use for EHLO (defaults to $j)
 #O HeloName
 ############################
 # QUEUE GROUP DEFINITIONS  #
 ############################
@ -651,6 +664,7 @@ R$* % $*		$1 @ $2				First make them all @s.
 R$* @ $* @ $*		$1 % $2 @ $3			Undo all but the last.
 R$* @ $*		$@ $>Canonify2 $1 < @ $2 >	Insert < > and finish
 # else we must be a local name
 R$*			$@ $>Canonify2 $1
@ -783,6 +797,7 @@ R$* $=O $* < @ *LOCAL* >
 			$@ $>Parse0 $>canonify $1 $2 $3	...@*LOCAL* -> ...
 R$* < @ *LOCAL* >	$: $1
 #
 #  Parse1 -- the bottom half of ruleset 0.
 #
@ -820,6 +835,8 @@ R$* < @$* > $*		$#esmtp $@ $2 $: $1 < @ $2 > $3	user@host.domain
 R$=L			$#local $: @ $1		special local names
 R$+			$#local $: $1			regular local names
 ###########################################################################
 ###   Ruleset 5 -- special rewriting after aliases have been expanded   ###
 ###########################################################################
--- a/cf/cf/generic-sunos4.1.cf
+++ b/cf/cf/generic-sunos4.1.cf
@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@lab.smi.sendmail.com on Tue May 20 12:12:52 PDT 2014
+##### built by ca@sandman.dev-lab.sendmail.com on Tue Dec 2 16:21:20 PST 2014
-##### in /home/ca/sm8.git/sendmail/OpenSource/sendmail-8.14.9/cf/cf
+##### in /x/ca/sm8.git/sendmail/OpenSource/sendmail-8.15.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@ -123,7 +123,7 @@ DnMAILER-DAEMON
 CPREDIRECT
 # Configuration version number
-DZ8.14.9
+DZ8.15.1
 ###############
@ -260,6 +260,9 @@ O PrivacyOptions=authwarnings
 # minimum time in queue before retry
 #O MinQueueAge=30m
 # maximum time in queue before retry (if > 0; only for exponential delay)
 #O MaxQueueAge
 # how many jobs can you process in the queue?
 #O MaxQueueRunSize=0
@ -510,6 +513,12 @@ O MaxHeadersLength=32768
 # SMTP STARTTLS server options
 #O TLSSrvOptions
 # SSL cipherlist
 #O CipherList
 # server side SSL options
 #O ServerSSLOptions
 # client side SSL options
 #O ClientSSLOptions
 # Input mail filters
 #O InputMailFilters
@ -533,6 +542,8 @@ O MaxHeadersLength=32768
 #O DHParameters
 # Random data source (required for systems without /dev/urandom under OpenSSL)
 #O RandFile
 # fingerprint algorithm (digest) to use for the presented cert
 #O CertFingerprintAlgorithm
 # Maximum number of "useless" commands before slowing down
 #O MaxNOOPCommands=20
@ -540,6 +551,8 @@ O MaxHeadersLength=32768
 # Name to use for EHLO (defaults to $j)
 #O HeloName
 ############################
 # QUEUE GROUP DEFINITIONS  #
 ############################
@ -652,6 +665,7 @@ R$* % $*		$1 @ $2				First make them all @s.
 R$* @ $* @ $*		$1 % $2 @ $3			Undo all but the last.
 R$* @ $*		$@ $>Canonify2 $1 < @ $2 >	Insert < > and finish
 # else we must be a local name
 R$*			$@ $>Canonify2 $1
@ -784,6 +798,7 @@ R$* $=O $* < @ *LOCAL* >
 			$@ $>Parse0 $>canonify $1 $2 $3	...@*LOCAL* -> ...
 R$* < @ *LOCAL* >	$: $1
 #
 #  Parse1 -- the bottom half of ruleset 0.
 #
@ -821,6 +836,8 @@ R$* < @$* > $*		$#esmtp $@ $2 $: $1 < @ $2 > $3	user@host.domain
 R$=L			$#local $: @ $1		special local names
 R$+			$#local $: $1			regular local names
 ###########################################################################
 ###   Ruleset 5 -- special rewriting after aliases have been expanded   ###
 ###########################################################################
--- a/cf/cf/generic-ultrix4.cf
+++ b/cf/cf/generic-ultrix4.cf
@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@lab.smi.sendmail.com on Tue May 20 12:12:52 PDT 2014
+##### built by ca@sandman.dev-lab.sendmail.com on Tue Dec 2 16:21:20 PST 2014
-##### in /home/ca/sm8.git/sendmail/OpenSource/sendmail-8.14.9/cf/cf
+##### in /x/ca/sm8.git/sendmail/OpenSource/sendmail-8.15.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@ -123,7 +123,7 @@ DnMAILER-DAEMON
 CPREDIRECT
 # Configuration version number
-DZ8.14.9
+DZ8.15.1
 ###############
@ -260,6 +260,9 @@ O PrivacyOptions=authwarnings
 # minimum time in queue before retry
 #O MinQueueAge=30m
 # maximum time in queue before retry (if > 0; only for exponential delay)
 #O MaxQueueAge
 # how many jobs can you process in the queue?
 #O MaxQueueRunSize=0
@ -510,6 +513,12 @@ O MaxHeadersLength=32768
 # SMTP STARTTLS server options
 #O TLSSrvOptions
 # SSL cipherlist
 #O CipherList
 # server side SSL options
 #O ServerSSLOptions
 # client side SSL options
 #O ClientSSLOptions
 # Input mail filters
 #O InputMailFilters
@ -533,6 +542,8 @@ O MaxHeadersLength=32768
 #O DHParameters
 # Random data source (required for systems without /dev/urandom under OpenSSL)
 #O RandFile
 # fingerprint algorithm (digest) to use for the presented cert
 #O CertFingerprintAlgorithm
 # Maximum number of "useless" commands before slowing down
 #O MaxNOOPCommands=20
@ -540,6 +551,8 @@ O MaxHeadersLength=32768
 # Name to use for EHLO (defaults to $j)
 #O HeloName
 ############################
 # QUEUE GROUP DEFINITIONS  #
 ############################
@ -652,6 +665,7 @@ R$* % $*		$1 @ $2				First make them all @s.
 R$* @ $* @ $*		$1 % $2 @ $3			Undo all but the last.
 R$* @ $*		$@ $>Canonify2 $1 < @ $2 >	Insert < > and finish
 # else we must be a local name
 R$*			$@ $>Canonify2 $1
@ -784,6 +798,7 @@ R$* $=O $* < @ *LOCAL* >
 			$@ $>Parse0 $>canonify $1 $2 $3	...@*LOCAL* -> ...
 R$* < @ *LOCAL* >	$: $1
 #
 #  Parse1 -- the bottom half of ruleset 0.
 #
@ -821,6 +836,8 @@ R$* < @$* > $*		$#esmtp $@ $2 $: $1 < @ $2 > $3	user@host.domain
 R$=L			$#local $: @ $1		special local names
 R$+			$#local $: $1			regular local names
 ###########################################################################
 ###   Ruleset 5 -- special rewriting after aliases have been expanded   ###
 ###########################################################################
--- a/cf/cf/submit.cf
+++ b/cf/cf/submit.cf
@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@lab.smi.sendmail.com on Tue May 20 12:12:52 PDT 2014
+##### built by ca@sandman.dev-lab.sendmail.com on Tue Dec 2 16:21:20 PST 2014
-##### in /home/ca/sm8.git/sendmail/OpenSource/sendmail-8.14.9/cf/cf
+##### in /x/ca/sm8.git/sendmail/OpenSource/sendmail-8.15.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@ -114,7 +114,7 @@ D{MTAHost}[127.0.0.1]
 # Configuration version number
-DZ8.14.9/Submit
+DZ8.15.1/Submit
 ###############
@ -251,6 +251,9 @@ O PrivacyOptions=goaway,noetrn,restrictqrun
 # minimum time in queue before retry
 #O MinQueueAge=30m
 # maximum time in queue before retry (if > 0; only for exponential delay)
 #O MaxQueueAge
 # how many jobs can you process in the queue?
 #O MaxQueueRunSize=0
@ -501,6 +504,12 @@ O PidFile=/var/spool/clientmqueue/sm-client.pid
 # SMTP STARTTLS server options
 #O TLSSrvOptions
 # SSL cipherlist
 #O CipherList
 # server side SSL options
 #O ServerSSLOptions
 # client side SSL options
 #O ClientSSLOptions
 # Input mail filters
 #O InputMailFilters
@ -524,6 +533,8 @@ O PidFile=/var/spool/clientmqueue/sm-client.pid
 #O DHParameters
 # Random data source (required for systems without /dev/urandom under OpenSSL)
 #O RandFile
 # fingerprint algorithm (digest) to use for the presented cert
 #O CertFingerprintAlgorithm
 # Maximum number of "useless" commands before slowing down
 #O MaxNOOPCommands=20
@ -531,6 +542,8 @@ O PidFile=/var/spool/clientmqueue/sm-client.pid
 # Name to use for EHLO (defaults to $j)
 #O HeloName
 ############################
 # QUEUE GROUP DEFINITIONS  #
 ############################
@ -647,6 +660,7 @@ R$* % $*		$1 @ $2				First make them all @s.
 R$* @ $* @ $*		$1 % $2 @ $3			Undo all but the last.
 R$* @ $*		$@ $>Canonify2 $1 < @ $2 >	Insert < > and finish
 # else we must be a local name
 R$*			$@ $>Canonify2 $1
@ -781,6 +795,7 @@ R$* $=O $* < @ *LOCAL* >
 			$@ $>Parse0 $>canonify $1 $2 $3	...@*LOCAL* -> ...
 R$* < @ *LOCAL* >	$: $1
 #
 #  Parse1 -- the bottom half of ruleset 0.
 #
@ -818,6 +833,8 @@ R$* < @$* > $*		$#esmtp $@ $2 $: $1 < @ $2 > $3	user@host.domain
 R$=L			$#local $: @ $1		special local names
 R$+			$#local $: $1			regular local names
 ###########################################################################
 ###   Ruleset 5 -- special rewriting after aliases have been expanded   ###
 ###########################################################################
--- a/cf/feature/bcc.m4
+++ b/cf/feature/bcc.m4
@ -0,0 +1,90 @@
 divert(-1)
 #
 # Copyright (c) 2014 Proofpoint, Inc. and its suppliers.
 #	All rights reserved.
 #
 # By using this file, you agree to the terms and conditions set
 # forth in the LICENSE file which can be found at the top level of
 # the sendmail distribution.
 #
 #
 divert(-1)
 # Arguments:
 # 1: Map to use
 #   - empty/none: default map bcctable
 #   - `access': to use access_db (with bcc: as tag)
 #   - map definition
 #   The map contains domain names and the RHS should be simply "ok".
 #   If the access map is used, then its lookup algorithm is used.
 #   Otherwise:
 #    domain	ok
 #   matches anything@domain
 #    .domain	ok
 #   matches any subdomain, e.g., l@sub.domain and l@sub.dom.domain
 #   On a match, the original address will be used as bcc address unless
 #   argument 3 is set.
 # 2: Name of host ([mailer:]host)
 # 3: Default bcc address: if set, this will be always used.
 #   Only one of 2/3 can be empty.
 #   Note: if Bcc address is used then only one copy will be sent!
 #   (due to duplicate elimination)
 # 4: Map definition for canonicalRcpt map of address rewriting to
 #   apply to the added bcc envelope recipients.
 #   The option -T<TMPF> is required to handle temporary map failures.
 #
 # The ruleset must return either
 # - an e-mail address (user@dom.ain) which is then added as "bcc" recipient.
 # - an empty string: do not add a "bcc" recipient, or
 # - $#error: fail the SMTP transaction (e.g., temporary lookup failure)
 #
 # This feature sets O AddBcc=true
 ifelse(lower(_ARG_),`access',`define(`_BCC_ACCESS_', `1')')
 define(`_ADD_BCC_', `1')
 ifdef(`_BCC_ACCESS_', `dnl
 ifdef(`_ACCESS_TABLE_', `',
 	`errprint(`*** ERROR: FEATURE(`bcc') requires FEATURE(`access_db')
 ')')')
 ifdef(`_BCC_ACCESS_', `', `
 LOCAL_CONFIG
 Kbcctable ifelse(defn(`_ARG_'), `', DATABASE_MAP_TYPE MAIL_SETTINGS_DIR`bcctable', `_ARG_')')
 LOCAL_CONFIG
 O AddBcc=true
 ifelse(len(X`'_ARG2_),`1', `', `
 DA`'_ARG2_')
 ifelse(len(X`'_ARG4_), `1', `',
 `define(`_CANONIFY_BCC_', `1')dnl
 define(`_NEED_SMTPOPMODES_', `1')dnl
 # canonical address look up for AddBcc recipients
 KcanonicalRcpt _ARG4_
 ')dnl
 LOCAL_RULESETS
 Sbcc
 R< $+ >			$1
 ifdef(`_BCC_ACCESS_', `dnl
 R$+ @ $+		$: $1@$2 $| $>SearchList <! bcc> $| <D:$2> <>',
 `R$+ @ $+		$: $1@$2 $| $>BCC $2')
 R$* $| <?>		$@
 R$* $| $*		$: ifelse(len(X`'_ARG3_),`1', `$1', `_ARG3_')
 ifdef(`_CANONIFY_BCC_', `dnl
 R$+ @ $+		$: $1@$2 $| <$(canonicalRcpt $1 @ $2 $: $)>
 R$* $| <>		$@
 R$* $| <$* <TMPF>>	$#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
 R$* $| <$+>		$@ $2			map matched?
 ')
 ifdef(`_BCC_ACCESS_', `', `
 SBCC
 R$+		$: $1 < $(bcctable $1 $: ? $) >
 R$- . $+ <?>	$: $2 < $(bcctable .$2 $: ? $) >
 R$- . $+ <?>	$: $>BCC $2
 R$* <$*>	$: <$2>
 ')
--- a/cf/feature/ldap_routing.m4
+++ b/cf/feature/ldap_routing.m4
@ -35,6 +35,8 @@ ifelse(len(X`'_ARG6_), `1', `define(`_LDAP_ROUTE_MAPTEMP_', `_QUEUE_')',
       _ARG6_, `tempfail', `define(`_LDAP_ROUTE_MAPTEMP_', `_TEMPFAIL_')',
       _ARG6_, `queue', `define(`_LDAP_ROUTE_MAPTEMP_', `_QUEUE_')')
 define(`_NEED_SMTPOPMODES_', `1')
 LOCAL_CONFIG
 # LDAP routing maps
 Kldapmh ifelse(len(X`'_ARG1_), `1',
--- a/cf/feature/nopercenthack.m4
+++ b/cf/feature/nopercenthack.m4
@ -0,0 +1,27 @@
 divert(-1)
 #
 # Copyright (c) 1998, 1999 Proofpoint, Inc. and its suppliers.
 #	All rights reserved.
 # Copyright (c) 1983 Eric P. Allman.  All rights reserved.
 # Copyright (c) 1988, 1993
 #	The Regents of the University of California.  All rights reserved.
 #
 # By using this file, you agree to the terms and conditions set
 # forth in the LICENSE file which can be found at the top level of
 # the sendmail distribution.
 #
 #
 divert(0)
 VERSIONID(`$Id: nopercenthack.m4,v 8.14 2013/01/31 15:07:00 ca Exp $')
 divert(-1)
 ifelse(defn(`_ARG_'), `', 
 	`errprint(`*** ERROR: missing argument for FEATURE(nopercenthack):
 		use `reject' or `nospecial'. See cf/README.
 ')define(`_NO_PERCENTHACK_', `e')',
 	substr(_ARG_,0,1), `r', `define(`_NO_PERCENTHACK_', `r')',
 	substr(_ARG_,0,1), `n', `define(`_NO_PERCENTHACK_', `n')',
 	`errprint(`*** ERROR: illegal argument _ARG_ for FEATURE(nopercenthack)
 ')
 	')
--- a/cf/feature/prefixmod.m4
+++ b/cf/feature/prefixmod.m4
@ -0,0 +1,24 @@
 divert(-1)
 #
 # Copyright (c) 2014 Proofpoint, Inc. and its suppliers.
 #	All rights reserved.
 #
 # By using this file, you agree to the terms and conditions set
 # forth in the LICENSE file which can be found at the top level of
 # the sendmail distribution.
 #
 #
 divert(-1)
 # Arguments:
 # 1: prefix to match; must be one or more tokens
 #    (this is not a "substring" match)
 # 2: flags to set
 # NYI: 3: replacement for 1 (empty for now)
 ifelse(defn(`_ARG_'), `', `errprint(`Feature "prefixmod" requires argument')',
 	`define(`_PREFIX_MOD_', _ARG_)')
 ifelse(len(X`'_ARG2_),`1', `errprint(`Feature "prefixmod" requires two arguments')',
 	`define(`_PREFIX_FLAGS_', _ARG2_)')
 define(`_NEED_MACRO_MAP_', `1')
--- a/cf/hack/xconnect.m4
+++ b/cf/hack/xconnect.m4
@ -0,0 +1,37 @@
 divert(-1)
 #
 # Copyright (c) 1998-2011 Proofpoint, Inc. and its suppliers.
 #	All rights reserved.
 # Copyright (c) 1983 Eric P. Allman.  All rights reserved.
 # Copyright (c) 1988, 1993
 #	The Regents of the University of California.  All rights reserved.
 #
 # By using this file, you agree to the terms and conditions set
 # forth in the LICENSE file which can be found at the top level of
 # the sendmail distribution.
 #
 divert(0)
 VERSIONID(`$Id: xconnect.m4,v 1.3 2013-11-22 20:51:13 ca Exp $')
 divert(-1)
 ifdef(`_ACCESS_TABLE_', `dnl
 LOCAL_RULESETS
 #
 # x_connect ruleset for looking up XConnect: tag in access DB to enable
 # XCONNECT support in MTA
 #
 Sx_connect
 dnl workspace: {client_name} $| {client_addr}
 R$+ $| $+		$: $>D < $1 > <?> <! XConnect> < $2 >
 dnl workspace: <result-of-lookup> <{client_addr}>
 dnl OR $| $+ if client_name is empty
 R   $| $+		$: $>A < $1 > <?> <! XConnect> <>	empty client_name
 dnl workspace: <result-of-lookup> <{client_addr}>
 R<?> <$+>		$: $>A < $1 > <?> <! XConnect> <>	no: another lookup
 dnl workspace: <result-of-lookup> (<>|<{client_addr}>)
 R<?> <$*>		$# no					found nothing
 dnl workspace: <result-of-lookup> (<>|<{client_addr}>) | OK
 R<$+> <$*>		$@ yes					found in access DB',
 	`errprint(`*** ERROR: HACK(xconnect) requires FEATURE(access_db)
 ')')
--- a/cf/m4/proto.m4
+++ b/cf/m4/proto.m4
@ -149,7 +149,7 @@ DL`'LUSER_RELAY',
 `dnl')
 # operators that cannot be in local usernames (i.e., network indicators)
-CO @ % ifdef(`_NO_UUCP_', `', `!')
+CO @ ifdef(`_NO_PERCENTHACK_', `', `%') ifdef(`_NO_UUCP_', `', `!')
 # a class with just dot (for identifying canonical names)
 C..
@ -387,6 +387,9 @@ _OPTION(QueueSortOrder, `confQUEUE_SORT_ORDER', `priority')
 # minimum time in queue before retry
 _OPTION(MinQueueAge, `confMIN_QUEUE_AGE', `30m')
 # maximum time in queue before retry (if > 0; only for exponential delay)
 _OPTION(MaxQueueAge, `confMAX_QUEUE_AGE', `')
 # how many jobs can you process in the queue?
 _OPTION(MaxQueueRunSize, `confMAX_QUEUE_RUN_SIZE', `0')
@ -641,6 +644,12 @@ _OPTION(AuthMaxBits, `confAUTH_MAX_BITS', `')
 # SMTP STARTTLS server options
 _OPTION(TLSSrvOptions, `confTLS_SRV_OPTIONS', `')
 # SSL cipherlist
 _OPTION(CipherList, `confCIPHER_LIST', `')
 # server side SSL options
 _OPTION(ServerSSLOptions, `confSERVER_SSL_OPTIONS', `')
 # client side SSL options
 _OPTION(ClientSSLOptions, `confCLIENT_SSL_OPTIONS', `')
 # Input mail filters
 _OPTION(InputMailFilters, `confINPUT_MAIL_FILTERS', `')
@ -674,6 +683,8 @@ _OPTION(CRLFile, `confCRL', `')
 _OPTION(DHParameters, `confDH_PARAMETERS', `')
 # Random data source (required for systems without /dev/urandom under OpenSSL)
 _OPTION(RandFile, `confRAND_FILE', `')
 # fingerprint algorithm (digest) to use for the presented cert
 _OPTION(CertFingerprintAlgorithm, `confCERT_FINGERPRINT_ALGORITHM', `')
 # Maximum number of "useless" commands before slowing down
 _OPTION(MaxNOOPCommands, `confMAX_NOOP_COMMANDS', `20')
@ -681,6 +692,10 @@ _OPTION(MaxNOOPCommands, `confMAX_NOOP_COMMANDS', `20')
 # Name to use for EHLO (defaults to $j)
 _OPTION(HeloName, `confHELO_NAME')
 ifdef(`_NEED_SMTPOPMODES_', `dnl
 # SMTP operation modes
 C{SMTPOpModes} s d D')
 ############################
 `# QUEUE GROUP DEFINITIONS  #'
 ############################
@ -808,10 +823,12 @@ R$- :: $+		$@ $>Canonify2 $2 < @ $1 .DECNET >	resolve DECnet names
 R$- . $- :: $+		$@ $>Canonify2 $3 < @ $1.$2 .DECNET >	numeric DECnet addr
 ',
 	`dnl')
-# if we have % signs, take the rightmost one
+ifdef(`_NO_PERCENTHACK_', `dnl',
 `# if we have % signs, take the rightmost one
 R$* % $*		$1 @ $2				First make them all @s.
 R$* @ $* @ $*		$1 % $2 @ $3			Undo all but the last.
 R$* @ $*		$@ $>Canonify2 $1 < @ $2 >	Insert < > and finish
 ')
 # else we must be a local name
 R$*			$@ $>Canonify2 $1
@ -1036,6 +1053,13 @@ R$* $=O $* < @ *LOCAL* >
 			$@ $>Parse0 $>canonify $1 $2 $3	...@*LOCAL* -> ...
 R$* < @ *LOCAL* >	$: $1
 ifdef(`_ADD_BCC_', `dnl
 R$+			$: $>ParseBcc $1', `dnl')
 ifdef(`_PREFIX_MOD_', `dnl
 dnl do this only for addr_type=e r?
 R _PREFIX_MOD_ $+	$: $1 $(macro {rcpt_flags} $@ _PREFIX_FLAGS_ $)
 ')dnl
 #
 #  Parse1 -- the bottom half of ruleset 0.
 #
@ -1198,6 +1222,13 @@ ifdef(`_MAILER_smtp_',
 R$=L			$#_LOCAL_ $: @ $1		special local names
 R$+			$#_LOCAL_ $: $1			regular local names
 ifdef(`_ADD_BCC_', `dnl
 SParseBcc
 R$+			$: $&{addr_type} $| $&A $| $1
 Re b $| $+ $| $+	$>MailerToTriple < $1 > $2	copy?
 R$* $| $* $| $+		$@ $3				no copy
 ')
 ###########################################################################
 ###   Ruleset 5 -- special rewriting after aliases have been expanded   ###
 ###########################################################################
@ -1457,9 +1488,6 @@ ifdef(`_LDAP_ROUTING_', `dnl
 ###		Parsed address (user < @ domain . >)
 ######################################################################
 # SMTP operation modes
 C{SMTPOpModes} s d D
 SLDAPExpand
 # do the LDAP lookups
 R<$+><$+><$*>	$: <$(ldapmra $2 $: $)> <$(ldapmh $2 $: $)> <$1> <$2> <$3>
@ -2137,6 +2165,9 @@ dnl workspace: localpart<@domain> | localpart
 ifelse(defn(`_NO_UUCP_'), `r',
 `R$* ! $* < @ $* >	$: <REMOTE> $2 < @ BANG_PATH >
 R$* ! $* 		$: <REMOTE> $2 < @ BANG_PATH >', `dnl')
 ifelse(defn(`_NO_PERCENTHACK_'), `r',
 `R$* % $* < @ $* >	$: <REMOTE> $1 < @ PERCENT_HACK >
 R$* % $* 		$: <REMOTE> $1 < @ PERCENT_HACK >', `dnl')
 # anything terminating locally is ok
 ifdef(`_RELAY_ENTIRE_DOMAIN_', `dnl
 R$+ < @ $* $=m >	$@ RELAY', `dnl')
--- a/cf/m4/version.m4
+++ b/cf/m4/version.m4
@ -11,8 +11,8 @@ divert(-1)
 # the sendmail distribution.
 #
 #
-VERSIONID(`$Id: version.m4,v 8.236 2013-11-27 00:38:51 ca Exp $')
+VERSIONID(`$Id: version.m4,v 8.237 2014-01-27 12:55:17 ca Exp $')
 #
 divert(0)
 # Configuration version number
-DZ8.14.9`'ifdef(`confCF_VERSION', `/confCF_VERSION')
+DZ8.15.1`'ifdef(`confCF_VERSION', `/confCF_VERSION')
--- a/contrib/AuthRealm.p0
+++ b/contrib/AuthRealm.p0
@ -0,0 +1,44 @@
 Patch from John Marshall (slightly modified).
 diff --git a/sendmail/srvrsmtp.c b/sendmail/srvrsmtp.c
 index 7dba983..bf804ab 100644
 --- a/sendmail/srvrsmtp.c
 +++ b/sendmail/srvrsmtp.c
@@ -84,7 +84,7 @@ static int reset_saslconn __P((sasl_conn_t **_conn, char *_hostname,
 # define RESET_SASLCONN	\
 	do							\
 	{							\
 -		result = reset_saslconn(&conn, AuthRealm, remoteip, \
 +		result = reset_saslconn(&conn, hostname, remoteip, \
 					localip, auth_id, &ext_ssf); \
 		if (result != SASL_OK)				\
 			sasl_ok = false;			\
@@ -938,8 +938,6 @@ smtp(nullserver, d_flags, e)
 	e->e_features = features;
 	hostname = macvalue('j', e);
 #if SASL
 -	if (AuthRealm == NULL)
 -		AuthRealm = hostname;
 	sasl_ok = bitset(SRV_OFFER_AUTH, features);
 	n_mechs = 0;
 	authenticating = SASL_NOT_AUTH;
@@ -948,8 +946,8 @@ smtp(nullserver, d_flags, e)
 	if (sasl_ok)
 	{
 # if SASL >= 20000
 -		result = sasl_server_new("smtp", AuthRealm, NULL, NULL, NULL,
 -					 NULL, 0, &conn);
 +		result = sasl_server_new("smtp", hostname, AuthRealm, NULL,
 +					 NULL, NULL, 0, &conn);
 # elif SASL > 10505
 		/* use empty realm: only works in SASL > 1.5.5 */
 		result = sasl_server_new("smtp", AuthRealm, "", NULL, 0, &conn);
@@ -5392,7 +5390,7 @@ reset_saslconn(sasl_conn_t **conn, char *hostname,
 	sasl_dispose(conn);
 # if SASL >= 20000
 -	result = sasl_server_new("smtp", hostname, NULL, NULL, NULL,
 +	result = sasl_server_new("smtp", hostname, AuthRealm, NULL, NULL,
 				 NULL, 0, conn);
 # elif SASL > 10505
 	/* use empty realm: only works in SASL > 1.5.5 */
--- a/devtools/bin/Build
+++ b/devtools/bin/Build
@ -675,30 +675,30 @@ then
 	echo "Creating $obj using $BUILDTOOLS/OS/$oscf"
 	${mkdir} $obj
-		ln="ln -s"
+	ln="ln -s"
-		(cd $obj
+	(cd $obj
-		# This glob doesn't actually glob to something everywhere,
+	# This glob doesn't actually glob to something everywhere,
-		# thus the protective measures.
+	# thus the protective measures.
-		for i in ${obj_rel_base_dir}/${src_dir}/*.[chly13458]
+	for i in ${obj_rel_base_dir}/${src_dir}/*.[chly13458]
-		do
+	do
-			if [ -f $i ]
+		if [ -f $i ]
 			then
 				$ln $i .
 			fi
 		done
 		# This glob doesn't actually glob to something everywhere,
 		# thus the protective measures.
 		for i in ${obj_rel_base_dir}/${src_dir}/*.0
 		do
 			if [ -f $i ]
 			then
 				$ln $i `basename $i`.dist
 			fi
 		done)
 		if [ -f helpfile ]
 		then
-			(cd $obj; $ln ${obj_rel_base_dir}/${src_dir}/helpfile .)
+			$ln $i .
 		fi
 	done
 	# This glob doesn't actually glob to something everywhere,
 	# thus the protective measures.
 	for i in ${obj_rel_base_dir}/${src_dir}/*.0
 	do
 		if [ -f $i ]
 		then
 			$ln $i `basename $i`.dist
 		fi
 	done)
 	if [ -f helpfile ]
 	then
 		(cd $obj; $ln ${obj_rel_base_dir}/${src_dir}/helpfile .)
 	fi
 	rm -f $obj/.settings$$
 	echo 'divert(-1)' > $obj/.settings$$
--- a/doc/op/op.me
+++ b/doc/op/op.me
@ -93,7 +93,7 @@ Version \\$2
 .Ve $Revision: 8.759 $
 .rm Ve
 .sp
-For Sendmail Version 8.14
+For Sendmail Version 8.15
 .)l
 .(f
 Sendmail is a trademark of Proofpoint, Inc.
@ -3262,6 +3262,8 @@ to program and files.
 Accept a group-readable key file for STARTTLS.
 .ip GroupReadableSASLDBFile
 Accept a group-readable Cyrus SASL password file.
 .ip GroupReadableDefaultAuthInfoFile
 Accept a group-readable DefaultAuthInfo file for SASL.
 .ip GroupWritableAliasFile
 Allow group-writable alias files.
 .ip GroupWritableDirPathSafe
@ -4870,12 +4872,28 @@ used for the security layer of a SASL mechanism.
 The message body type
 (7BIT or 8BITMIME),
 as determined from the envelope.
 .ip ${cert_fp}
 The fingerprint of the presented certificate (STARTTLS only).
 Note: this macro is only defined if the option
 .b CertFingerprintAlgorithm
 is set,
 in which case the specified fingerprint algorithm is used.
 The valid algorithms depend on the OpenSSL version,
 but usually md5, sha1, and sha256 are available.
 See
 .(b
 openssl dgst -h
 .)b
 for a list.
 .ip ${cert_issuer}
 The DN (distinguished name) of the CA (certificate authority)
 that signed the presented certificate (the cert issuer)
 (STARTTLS only).
 .ip ${cert_md5}
 The MD5 hash of the presented certificate (STARTTLS only).
 Note: this macro is only defined if the option
 .b CertFingerprintAlgorithm
 is not set.
 .ip ${cert_subject}
 The DN of the presented certificate (called the cert subject)
 (STARTTLS only).
@ -5756,6 +5774,8 @@ for this mailer.
 .ip i
 Do User Database rewriting on envelope sender address.
 .ip I
 This flag is deprecated
 and will be removed from a future version.
 This mailer will be speaking SMTP
 to another
 .i sendmail
@ -6534,6 +6554,7 @@ The authentication realm that is passed to the Cyrus SASL library.
 If no realm is specified,
 .b $j
 is used.
 See also KNOWNBUGS.
 .ip BadRcptThrottle=\fIN\fP
 [no short name]
 If set and the specified number of recipients in a single SMTP
@ -6554,6 +6575,22 @@ as filenames (or as links to them).
 [no short name]
 File containing one or more CA certificates;
 see section about STARTTLS for more information.
 .ip CertFingerprintAlgorithm
 Specify the fingerprint algorithm (digest) to use for the presented cert.
 If the option is not set,
 md5 is used and the macro
 .p ${cert_md5}
 contains the cert fingerprint.
 If the option is explicitly set,
 the specified algorithm (e.g., sha1) is used
 and the macro
 .b ${cert_fp}
 contains the cert fingerprint.
 .ip CipherList
 Specify cipher list for STARTTLS.
 See
 .i ciphers (1)
 for possible values.
 .ip CheckAliases
 [n]
 Validate the RHS of aliases when rebuilding the alias database.
@ -6636,6 +6673,24 @@ in order to give settings for each protocol family
 (e.g., one for Family=inet and one for Family=inet6).
 A restriction placed on one family only affects
 outgoing connections on that particular family.
 .ip ClientSSLOptions
 A space separated list of SSL related options for client side.
 See
 .i SSL_CTX_set_options (3)
 for a list;
 the available values depend on the OpenSSL version against which
 .i sendmail
 is compiled.
 By default,
 .i SSL_OP_ALL
 .i SSL_OP_NO_SSLv2
 .i SSL_OP_NO_TICKET
 .i -SSL_OP_TLSEXT_PADDING
 are used
 (if those options are available).
 Options can be cleared by preceeding them with a minus sign.
 It is also possible to specify numerical values, e.g.,
 .b -0x0010 .
 .ip ColonOkInAddr
 [no short name]
 If set, colons are acceptable in e-mail addresses
@ -6784,8 +6839,10 @@ The
 key is used for error messages and logging.
 The
 .i Addr ess
-mask may be a numeric address in IPv4 dot notation or IPv6 colon notation
+mask may be
-or a network name.
+a numeric address in IPv4 dot notation or IPv6 colon notation,
 or a network name,
 or a path to a local socket.
 Note that if a network name is specified,
 only the first IP address returned for it will be used.
 This may cause indeterminate behavior for network names
@ -6798,6 +6855,10 @@ IPv6 users who wish to also accept IPv6 connections
 should add additional Family=inet6
 .b DaemonPortOptions
 lines.
 For a local socket, use
 Family=local
 or
 Family=unix.
 The
 .i InputMailFilters
 key overrides the default list of input mail filters listed in the
@ -7543,6 +7604,13 @@ If there is insufficient space
 gives a 452 response
 to the MAIL command.
 This invites the sender to try again later.
 .ip MaxQueueAge=\fIage\fP
 [no short name]
 If this is set to a value greater than zero,
 entries in the queue will be retried during a queue run
 only if the individual retry time has been reached
 which is doubled for each attempt.
 The maximum retry time is limited by the specified value.
 .ip MinQueueAge=\fIage\fP
 [no short name]
 Don't process any queued jobs
@ -8031,6 +8099,22 @@ is used when sendmail acts as server
 [no short name]
 File containing the private key belonging to the server certificate
 (used for STARTTLS).
 .ip ServerSSLOptions
 A space separated list of SSL related options for client side.
 See
 .i SSL_CTX_set_options (3)
 for a list;
 the available values depend on the OpenSSL version against which
 .i sendmail
 is compiled.
 By default,
 .i SSL_OP_ALL
 .i -SSL_OP_TLSEXT_PADDING
 are used
 (if those options are available).
 Options can be cleared by preceeding them with a minus sign.
 It is also possible to specify numerical values, e.g.,
 .b -0x0010 .
 .ip ServiceSwitchFile=\fIfilename\fP
 [no short name]
 If your host operating system has a service switch abstraction
@ -8186,7 +8270,11 @@ consisting of single characters
 with intervening white space or commas.
 The flag ``V'' disables client verification, and hence
 it is not possible to use a client certificate for relaying.
-Currently there are no other flags available.
+The flag ``C'' removes the requirement for the TLS server
 to have a cert.
 This only works under very specific circumstances
 and should only be used if the consequences are understood,
 e.g., clients may not work with a server using this.
 .ip TempFileMode=\fImode\fP
 [F]
 The file mode for transcript files, files to which
@ -8786,6 +8874,31 @@ A, AAAA, AFSDB, CNAME, MX, NS, PTR, SRV, and TXT.
 A map lookup will return only one record.
 Hence for some types, e.g., MX records, the return value might be a random
 element of the list due to randomizing in the DNS resolver.
 .ip arpa
 Returns the ``reverse'' for the given IP (IPv4 or IPv6) address,
 i.e., the string for the PTR lookup,
 but without trailing
 .b ip6.arpa
 or
 .b in-addr.arpa .
 For example, the following configuration lines:
 .(b
 Karpa arpa
 SArpa
 R$+	$: $(arpa $1 $)
 .)b 
 work like this in test mode:
 .(b
 sendmail -bt
 ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
 Enter <ruleset> <address>
 > Arpa IPv6:1:2:dead:beef:9876:0:0:1
 Arpa               input: IPv6 : 1 : 2 : dead : beef : 9876 : 0 : 0 : 1
 Arpa             returns: 1 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 6 . 7 . 8 . 9 . f . e . e . b . d . a . e . d . 2 . 0 . 0 . 0 . 1 . 0 . 0 . 0
 > Arpa 1.2.3.4
 Arpa               input: 1 . 2 . 3 . 4
 Arpa             returns: 4 . 3 . 2 . 1
 .)b
 .ip sequence
 The arguments on the `K' line are a list of maps;
 the resulting map searches the argument maps in order
@ -9211,6 +9324,11 @@ The dns map has another flag:
 .ip "\-B"
 basedomain: specify a domain that is always appended to queries.
 .pp
 Socket maps have an optional flag:
 .ip "\-d"
 timeout: specify the timeout (in seconds) for communication
 with the socket map server.
 .pp
 The following additional flags are present in the ldap map only:
 .ip "\-R"
 Do not auto chase referrals.  sendmail must be compiled with
@ -10699,6 +10817,19 @@ To allow for automatic startup of sendmail, private keys
 must be stored unencrypted.
 The keys are only protected by the permissions of the file system.
 Never make a private key available to a third party.
 .pp
 The options
 .i ClientCertFile ,
 .i ClientKeyFile ,
 .i ServerCertFile ,
 and
 .i ServerKeyFile
 can take a second file name,
 which must be separated from the first with a comma
 (note: do not use any spaces)
 to set up a second cert/key pair.
 This can be used to have certs of different types,
 e.g., RSA and DSA.
 .sh 3 "PRNG for STARTTLS"
 .pp
 STARTTLS requires a strong pseudo random number generator (PRNG)
@ -10883,6 +11014,7 @@ Operation modes are:
 m	Deliver mail (default)
 s	Speak SMTP on input side
 a\(dg	``Arpanet'' mode (get envelope sender information from header)
 C	Check the configuration file
 d	Run as a daemon in background
 D	Run as a daemon in foreground
 t	Run in test mode
--- a/doc/op/op.ps
+++ b/doc/op/op.ps
--- a/editmap/editmap.c
+++ b/editmap/editmap.c
@ -76,7 +76,6 @@ main(argc, argv)
 {
 	char *progname;
 	char *cfile;
 	bool verbose = false;
 	bool query = false;
 	bool update = false;
 	bool remove = false;
@ -131,7 +130,7 @@ main(argc, argv)
 	(void) sm_strlcpy(user_info.smdbu_name, RunAsUserName,
 			  SMDB_MAX_USER_NAME_LEN);
-#define OPTIONS		"C:fquxvN"
+#define OPTIONS		"C:fquxN"
 	while ((opt = getopt(argc, argv, OPTIONS)) != -1)
 	{
 		switch (opt)
@ -159,10 +158,6 @@ main(argc, argv)
 			nops++;
 			break;
 		  case 'v':
 			verbose = true;
 			break;
 		  case 'N':
 			inclnull = true;
 			break;
--- a/include/sendmail/sendmail.h
+++ b/include/sendmail/sendmail.h
@ -117,9 +117,7 @@ extern bool	filechanged __P((char *, int, struct stat *));
 #define DBS_WORLDWRITABLEFORWARDFILE			39
 #define DBS_WORLDWRITABLEINCLUDEFILE			40
 #define DBS_GROUPREADABLEKEYFILE			41
-#if _FFR_GROUPREADABLEAUTHINFOFILE
+#define DBS_GROUPREADABLEAUTHINFOFILE			42
 # define DBS_GROUPREADABLEAUTHINFOFILE			42
 #endif /* _FFR_GROUPREADABLEAUTHINFOFILE */
 /* struct defining such things */
 struct dbsval
--- a/include/sm/bdb.h
+++ b/include/sm/bdb.h
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2003 Proofpoint, Inc. and its suppliers.
+ * Copyright (c) 2002, 2003, 2014 Proofpoint, Inc. and its suppliers.
 *	All rights reserved.
 *
 * By using this file, you agree to the terms and conditions set
@ -19,7 +19,7 @@
 #  define DB_VERSION_MAJOR 1
 # endif /* ! DB_VERSION_MAJOR */
-# if DB_VERSION_MAJOR >= 4 && DB_VERSION_MINOR >= 1
+# if (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR >= 1) || DB_VERSION_MAJOR >= 5
 #  define DBTXN	NULL ,
@ -32,7 +32,7 @@
 #  define SM_DB_FLAG_ADD(flag)	(flag) |= DB_FCNTL_LOCKING
-# else /* DB_VERSION_MAJOR >= 4 && DB_VERSION_MINOR >= 1 */
+# else /* (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR >= 1) || DB_VERSION_MAJOR >= 5 */
 #  define DBTXN
 #  if !HASFLOCK && defined(DB_FCNTL_LOCKING)
@ -41,7 +41,7 @@
 #   define SM_DB_FLAG_ADD(flag)	((void) 0)
 #  endif /* !HASFLOCK && defined(DB_FCNTL_LOCKING) */
-# endif /* DB_VERSION_MAJOR >= 4 && DB_VERSION_MINOR >= 1 */
+# endif /* (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR >= 1) || DB_VERSION_MAJOR >= 5 */
 #endif /* NEWDB */
 #endif /* ! SM_BDB_H */
--- a/include/sm/cdefs.h
+++ b/include/sm/cdefs.h
@ -121,11 +121,11 @@
 */
 # ifndef SM_CONF_FORMAT_TEST
-#  if __GNUC__ == 2 && __GNUC_MINOR__ >= 7
+#  if (__GNUC__ == 2 && __GNUC_MINOR__ >= 7) || __GNUC__ > 2
 #   define SM_CONF_FORMAT_TEST	1
-#  else /* __GNUC__ == 2 && __GNUC_MINOR__ >= 7 */
+#  else
 #   define SM_CONF_FORMAT_TEST	0
-#  endif /* __GNUC__ == 2 && __GNUC_MINOR__ >= 7 */
+#  endif
 # endif /* SM_CONF_FORMAT_TEST */
 # ifndef PRINTFLIKE
--- a/include/sm/conf.h
+++ b/include/sm/conf.h
@ -473,6 +473,9 @@ typedef int		pid_t;
 #   ifndef HASGETUSERSHELL
 #    define HASGETUSERSHELL 0	/* getusershell(3) causes core dumps pre-2.7 */
 #   endif /* ! HASGETUSERSHELL */
 #   if SOLARIS < 21200
 #    define SIGWAIT_TAKES_1_ARG	1	/* S12 moves to UNIX V7 semantic */
 #   endif /* SOLARIS < 21200 */
 #  else /* SOLARIS */
 			/* SunOS 4.0.3 or 4.1.x */
@ -1906,6 +1909,7 @@ extern struct passwd *	sendmail_mpe_getpwuid __P((uid_t));
 #  define GIDSET_T		gid_t
 #  define SOCKADDR_LEN_T	size_t
 #  define SOCKOPT_LEN_T		size_t
 #  define SIGWAIT_TAKES_1_ARG	1
 #  ifndef _PATH_UNIX
 #   define _PATH_UNIX		"/stand/unix"
 #  endif /* ! _PATH_UNIX */
@ -2920,6 +2924,10 @@ typedef void		(*sigfunc_t) __P((int));
 # define FD_SETSIZE	256
 #endif /* ! FD_SETSIZE */
 #ifndef SIGWAIT_TAKES_1_ARG
 # define SIGWAIT_TAKES_1_ARG	0
 #endif /* ! SIGWAIT_TAKES_1_ARG */
 /*
 **  Size of prescan buffer.
 **	Despite comments in the _sendmail_ book, this probably should
--- a/include/sm/errstring.h
+++ b/include/sm/errstring.h
@ -49,9 +49,17 @@ extern int errno;
 #define E_SM_WRFILE	(E_PSEUDOBASE + 11)	/* o readable file */
 #define E_DNSBASE	(E_PSEUDOBASE + 20)	/* base for DNS h_errno */
 #define E_SMDBBASE	(E_PSEUDOBASE + 40)	/* base for libsmdb errors */
-#define E_LDAPBASE	(E_PSEUDOBASE + 70)	/* base for LDAP errors */
+#define E_LDAPREALBASE	(E_PSEUDOBASE + 70)	/* start of range for LDAP */
-#define E_LDAPURLBASE	(E_PSEUDOBASE + 200)	/* base for LDAP URL errors */
+#define E_LDAPBASE	(E_LDAPREALBASE + E_LDAP_SHIM)	/* LDAP error zero */
 #define E_LDAPURLBASE	(E_PSEUDOBASE + 230)	/* base for LDAP URL errors */
 /*
 **  OpenLDAP uses small negative errors for internal (non-protocol)
 **  errors.  We expect them to be between zero and -E_LDAP_SHIM
 **  (and then offset by E_LDAPBASE).
 */
 #define E_LDAP_SHIM	30
 /* libsmdb */
 #define SMDBE_OK			0
--- a/include/sm/fdset.h
+++ b/include/sm/fdset.h
@ -17,9 +17,9 @@
 **	before.
 */
-#  define SM_FD_SET(fd, pfdset)		FD_SET(fd, pfdset)
+#define SM_FD_SET(fd, pfdset)	FD_SET(fd, pfdset)
-#  define SM_FD_ISSET(fd, pfdset)	FD_ISSET(fd, pfdset)
+#define SM_FD_ISSET(fd, pfdset)	FD_ISSET(fd, pfdset)
-#  define SM_FD_SETSIZE			FD_SETSIZE
+#define SM_FD_SETSIZE		FD_SETSIZE
-#  define SM_FD_OK_SELECT(fd)		(FD_SETSIZE <= 0 || (fd) < FD_SETSIZE)
+#define SM_FD_OK_SELECT(fd)	(SM_FD_SETSIZE <= 0 || (fd) < SM_FD_SETSIZE)
 #endif /* SM_FDSET_H */
--- a/libmilter/engine.c
+++ b/libmilter/engine.c
@ -726,7 +726,7 @@ sendreply(r, sd, timeout_ptr, ctx)
 }
 /*
-**  CLR_MACROS -- clear set of macros starting from a given index
+**  MI_CLR_MACROS -- clear set of macros starting from a given index
 **
 **	Parameters:
 **		ctx -- context structure
@ -1816,7 +1816,7 @@ dec_arg2(buf, len, s1, s2)
 }
 /*
-**  SENDOK -- is it ok for the filter to send stuff to the MTA?
+**  MI_SENDOK -- is it ok for the filter to send stuff to the MTA?
 **
 **	Parameters:
 **		ctx -- context structure
--- a/libmilter/handler.c
+++ b/libmilter/handler.c
@ -15,7 +15,7 @@ SM_RCSID("@(#)$Id: handler.c,v 8.40 2013-11-22 20:51:36 ca Exp $")
 #if !_FFR_WORKERS_POOL
 /*
-**  HANDLE_SESSION -- Handle a connected session in its own context
+**  MI_HANDLE_SESSION -- Handle a connected session in its own context
 **
 **	Parameters:
 **		ctx -- context structure
--- a/libmilter/listener.c
+++ b/libmilter/listener.c
@ -728,6 +728,7 @@ mi_listener(conn, dbg, smfi, timeout, backlog)
 	int acnt = 0;	/* error count for accept() failures */
 	int scnt = 0;	/* error count for select() failures */
 	int save_errno = 0;
 	int fdflags;
 #if !_FFR_WORKERS_POOL
 	sthread_t thread_id;
 #endif /* !_FFR_WORKERS_POOL */
@ -885,6 +886,20 @@ mi_listener(conn, dbg, smfi, timeout, backlog)
 		}
 #endif /* _FFR_DUP_FD */
 		/*
 		**  Need to set close-on-exec for connfd in case a user's
 		**  filter starts other applications.
 		**  Note: errors will not stop processing (for now).
 		*/
 		if ((fdflags = fcntl(connfd, F_GETFD, 0)) == -1 ||
 		    fcntl(connfd, F_SETFD, fdflags | FD_CLOEXEC) == -1)
 		{
 			smi_log(SMI_LOG_ERR,
 				"%s: Unable to set close-on-exec: %s",
 				smfi->xxfi_name, sm_errstring(errno));
 		}
 		if (setsockopt(connfd, SOL_SOCKET, SO_KEEPALIVE,
 				(void *) &sockopt, sizeof sockopt) < 0)
 		{
--- a/libmilter/signal.c
+++ b/libmilter/signal.c
@ -104,11 +104,11 @@ mi_signal_thread(name)
 	for (;;)
 	{
 		sigerr = sig = 0;
-#if defined(SOLARIS) || defined(__svr5__)
+#if SIGWAIT_TAKES_1_ARG
 		if ((sig = sigwait(&set)) < 0)
-#else /* defined(SOLARIS) || defined(__svr5__) */
+#else
 		if ((sigerr = sigwait(&set, &sig)) != 0)
-#endif /* defined(SOLARIS) || defined(__svr5__) */
+#endif
 		{
 			/* some OS return -1 and set errno: copy it */
 			if (sigerr <= 0)
--- a/libmilter/worker.c
+++ b/libmilter/worker.c
@ -254,7 +254,7 @@ nonblocking(int fd, const char *name)
 }
 /*
-**  MI_POOL_CONTROLER_INIT -- Launch the worker pool controller
+**  MI_POOL_CONTROLLER_INIT -- Launch the worker pool controller
 **		Must be called before starting sessions.
 **
 **	Parameters:
--- a/libsm/Makefile.m4
+++ b/libsm/Makefile.m4
@ -6,7 +6,7 @@ define(`confREQUIRE_LIBSM', `true')
 define(`confREQUIRE_SM_OS_H', `true')
 PREPENDDEF(`confENVDEF', `confMAPDEF')
 bldPRODUCT_START(`library', `libsm')
-define(`bldSOURCES', ` assert.c debug.c errstring.c exc.c heap.c match.c rpool.c strdup.c strerror.c strl.c clrerr.c fclose.c feof.c ferror.c fflush.c fget.c fpos.c findfp.c flags.c fopen.c fprintf.c fpurge.c fput.c fread.c fscanf.c fseek.c fvwrite.c fwalk.c fwrite.c get.c makebuf.c put.c refill.c rewind.c setvbuf.c smstdio.c snprintf.c sscanf.c stdio.c strio.c ungetc.c vasprintf.c vfprintf.c vfscanf.c vprintf.c vsnprintf.c wbuf.c wsetup.c string.c stringf.c xtrap.c strto.c test.c path.c strcasecmp.c strrevcmp.c signal.c clock.c config.c shm.c sem.c mbdb.c strexit.c cf.c ldap.c niprop.c mpeix.c memstat.c util.c inet6_ntop.c ')
+define(`bldSOURCES', ` assert.c debug.c errstring.c exc.c heap.c match.c rpool.c strdup.c strerror.c strl.c clrerr.c fclose.c feof.c ferror.c fflush.c fget.c fpos.c findfp.c flags.c fopen.c fprintf.c fpurge.c fput.c fread.c fscanf.c fseek.c fvwrite.c fwalk.c fwrite.c get.c makebuf.c put.c refill.c rewind.c setvbuf.c smstdio.c snprintf.c sscanf.c stdio.c strio.c ungetc.c vasprintf.c vfprintf.c vfscanf.c vprintf.c vsnprintf.c wbuf.c wsetup.c string.c stringf.c xtrap.c strto.c test.c strcasecmp.c strrevcmp.c signal.c clock.c config.c shm.c sem.c mbdb.c strexit.c cf.c ldap.c niprop.c mpeix.c memstat.c util.c inet6_ntop.c ')
 bldPRODUCT_END
 dnl msg.c
 dnl syslogio.c
--- a/libsm/errstring.c
+++ b/libsm/errstring.c
@ -264,10 +264,12 @@ sm_errstring(errnum)
 #if LDAPMAP
 	/*
-	**  LDAP error messages.
+	**  LDAP error messages.  Handle small negative errors from
 	**  libldap (in the range -E_LDAP_SHIM to zero, offset by E_LDAPBASE)
 	**  as well.
 	*/
-	if (errnum >= E_LDAPBASE)
+	if (errnum >= E_LDAPBASE - E_LDAP_SHIM)
 		return ldap_err2string(errnum - E_LDAPBASE);
 #endif /* LDAPMAP */
--- a/libsm/local.h
+++ b/libsm/local.h
@ -20,6 +20,7 @@
 */
 #include <sm/time.h>
 #include <sm/fdset.h>
 #if !SM_CONF_MEMCHR
 # include <memory.h>
 #endif /* !SM_CONF_MEMCHR */
@ -244,7 +245,7 @@ int sm_flags __P((int));
 		sm_io_to.tv_sec = (to) / 1000; \
 		sm_io_to.tv_usec = ((to) - (sm_io_to.tv_sec * 1000)) * 1000; \
 	} \
-	if (FD_SETSIZE > 0 && (fd) >= FD_SETSIZE) \
+	if (!SM_FD_OK_SELECT(fd)) \
 	{ \
 		errno = EINVAL; \
 		return SM_IO_EOF; \
--- a/libsm/mbdb.c
+++ b/libsm/mbdb.c
@ -315,7 +315,7 @@ mbdb_pw_lookup(name, user)
 {
 	struct passwd *pw;
-#ifdef HESIOD
+#if HESIOD && !HESIOD_ALLOW_NUMERIC_LOGIN
 	/* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */
 	{
 		char *p;
@ -326,7 +326,7 @@ mbdb_pw_lookup(name, user)
 		if (*p == '\0')
 			return EX_NOUSER;
 	}
-#endif /* HESIOD */
+#endif /* HESIOD && !HESIOD_ALLOW_NUMERIC_LOGIN */
 	errno = 0;
 	pw = getpwnam(name);
--- a/libsm/path.c
+++ b/libsm/path.c
@ -1,15 +0,0 @@
 /*
 * Copyright (c) 2000-2001 Proofpoint, Inc. and its suppliers.
 *	All rights reserved.
 *
 * By using this file, you agree to the terms and conditions set
 * forth in the LICENSE file which can be found at the top level of
 * the sendmail distribution.
 */
 #include <sm/gen.h>
 SM_RCSID("@(#)$Id: path.c,v 1.10 2013-11-22 20:51:43 ca Exp $")
 #include <sm/path.h>
 #include <sm/string.h>
--- a/libsm/refill.c
+++ b/libsm/refill.c
@ -25,6 +25,7 @@ SM_RCSID("@(#)$Id: refill.c,v 1.54 2013-11-22 20:51:43 ca Exp $")
 #include <sm/io.h>
 #include <sm/conf.h>
 #include <sm/assert.h>
 #include <sm/fdset.h>
 #include "local.h"
 static int sm_lflush __P((SM_FILE_T *, int *));
@ -65,7 +66,7 @@ static int sm_lflush __P((SM_FILE_T *, int *));
 		errno = EAGAIN;						\
 		return SM_IO_EOF;					\
 	}								\
-	if (FD_SETSIZE > 0 && (fd) >= FD_SETSIZE)			\
+	if (!SM_FD_OK_SELECT(fd))					\
 	{								\
 		errno = EINVAL;						\
 		return SM_IO_EOF;					\
--- a/libsm/stdio.c
+++ b/libsm/stdio.c
@ -317,7 +317,7 @@ sm_stdsetinfo(fp, what, valp)
 }
 /*
-**  SM_GETINFO -- get information about the open file
+**  SM_STDGETINFO -- get information about the open file
 **
 **	Parameters:
 **		fp -- file to get info for
--- a/libsm/vfprintf.c
+++ b/libsm/vfprintf.c
@ -156,7 +156,7 @@ sm_bprintf(fp, fmt, ap)
 #define FPT		0x100		/* Floating point number */
 /*
-**  SM_IO_VPRINTF -- performs actual formating for o/p
+**  SM_IO_VFPRINTF -- performs actual formating for o/p
 **
 **	Parameters:
 **		fp -- file pointer for o/p
--- a/libsmdb/smdb.c
+++ b/libsmdb/smdb.c
@ -198,12 +198,16 @@ smdb_open_database(database, db_name, mode, mode_mask, sff, type, user_info,
 	SMDB_USER_INFO *user_info;
 	SMDB_DBPARAMS *params;
 {
 #if defined(NEWDB) && defined(NDBM)
 	bool type_was_default = false;
 #endif
 	if (type == SMDB_TYPE_DEFAULT)
 	{
 		type_was_default = true;
 #ifdef NEWDB
 # ifdef NDBM
 		type_was_default = true;
 # endif
 		type = SMDB_TYPE_HASH;
 #else /* NEWDB */
 # ifdef NDBM
--- a/src/README
+++ b/src/README
@ -189,10 +189,11 @@ replies are text based and encoded as netstrings.  The socket map
 uses the same syntax as milters the specify the remote endpoint,
 e.g.:
-Ksocket mySocketMap inet:12345@127.0.0.1
+KmySocketMap socket inet:12345@127.0.0.1
 See doc/op/op.me for details.
 +---------------+
 | COMPILE FLAGS |
 +---------------+
@ -630,8 +631,7 @@ EGD		Define this if your system has EGD installed, see
 		http://egd.sourceforge.net/ .  It should be used to
 		seed the PRNG for STARTTLS if HASURANDOMDEV is not defined.
 STARTTLS	Enables SMTP STARTTLS (RFC 2487).  This requires OpenSSL
-		(http://www.OpenSSL.org/); use OpenSSL 0.9.5a or later
+		(http://www.OpenSSL.org/); use OpenSSL 0.9.8zc or later.
 		(if compatible with this version), do not use 0.9.3.
 		See STARTTLS COMPILATION AND CONFIGURATION for further
 		information.
 TLS_NO_RSA	Turn off support for RSA algorithms in STARTTLS.
@ -653,6 +653,9 @@ REQUIRES_DIR_FSYNC	Turn on support for file systems that require to
 		chattr +S on Linux.
 DBMMODE		The default file permissions to use when creating new
 		database files for maps and aliases.  Defaults to 0640.
 IPV6_FULL	Use uncompressed IPv6 addresses (set by default).  This
 		permits a zero subnet to have a more specific match,
 		such as different map entries for IPv6:0:0 vs IPv6:0.
 Generic notice: If you enable a compile time option that needs
 libraries or include files that don't come with sendmail or are
@ -1733,6 +1736,7 @@ Fedora Core 5, 64 bit version
 	Problem noted by Daniel Krones, solution suggested by
 	Anthony Howe.
 +--------------+
 | MANUAL PAGES |
 +--------------+
--- a/src/TRACEFLAGS
+++ b/src/TRACEFLAGS
@ -87,11 +87,17 @@
 71,>99	milter.c	quarantine on errors
 73	queue.c		shared memory updates
 74,>99	map.c		LDAP map defer
 #if _FFR_XCNCT
 75			debug FFR_XC*
 #endif /* _FFR_XCNCT */
 80			content length
 81			sun remote mode
 83	collect.c	timeout
 84	deliver.c	timeout
 85	map.c		dprintf map
 #if _FFR_PROXY
 87	srvrsmtp.c	proxy mode
 #endif
 89	conf.c		>=8 use sm_dprintf() instead of syslog()
 91	mci.c		syslogging of MCI cache information
 93,>99	*		Prevent daemon connection fork for profiling/debugging
--- a/src/TUNING
+++ b/src/TUNING
@ -1,4 +1,4 @@
-# Copyright (c) 2001-2003 Proofpoint, Inc. and its suppliers.
+# Copyright (c) 2001-2003, 2014 Proofpoint, Inc. and its suppliers.
 #	All rights reserved.
 #
 # By using this file, you agree to the terms and conditions set
@ -135,6 +135,17 @@ to send e-mail then either the -G option should be used or
 should be added to the .mc file.
 Note: starting with 8.15, sendmail will not ignore temporary map
 lookup failures during header rewriting, which means that DNS lookup
 problems even for headers will cause messages to stay in the queue.
 Hence it is strongly suggested to use the nocanonify feature;
 at least turning it on for the MTA, but maybe disabling it for the
 MSA, i.e., use Modifiers for DaemonPortOptions accordingly.
 As a last resort, it is possible to override the host map to ignore
 temporary failures, e.g.,
 Khost host -t
 However, this can cause inconsistent header rewriting.
 * Mailing Lists and Large Aliases (1-n Mailing)
 -----------------------------------------------
--- a/src/bf.c
+++ b/src/bf.c
@ -695,7 +695,8 @@ sm_bfcommit(fp)
 			sm_dprintf("bfcommit(%s): to disk\n", bfp->bf_filename);
 			if (tTd(58, 32))
 				sm_dprintf("bfcommit(): filemode %o flags %ld\n",
-					   bfp->bf_filemode, bfp->bf_flags);
+					   (unsigned int) bfp->bf_filemode,
 					   bfp->bf_flags);
 		}
 		if (stat(bfp->bf_filename, &st) == 0)
--- a/src/collect.c
+++ b/src/collect.c
@ -59,7 +59,7 @@ collect_eoh(e, numhdrs, hdrslen)
 		sm_dprintf("collect: rscheck(\"check_eoh\", \"%s $| %s\")\n",
 			   hnum, hsize);
 	(void) rscheck("check_eoh", hnum, hsize, e, RSF_UNSTRUCTURED|RSF_COUNT,
-			3, NULL, e->e_id, NULL);
+			3, NULL, e->e_id, NULL, NULL);
 	/*
 	**  Process the header,
@ -297,6 +297,7 @@ collect(fp, smtpmode, hdrp, e, rsetsize)
 	int hdrslen;
 	int numhdrs;
 	int afd;
 	int old_rd_tmo;
 	unsigned char *pbp;
 	unsigned char peekbuf[8];
 	char bufbuf[MAXLINE];
@ -311,7 +312,7 @@ collect(fp, smtpmode, hdrp, e, rsetsize)
 	dbto = smtpmode ? ((int) TimeOuts.to_datablock * 1000)
 			: SM_TIME_FOREVER;
 	sm_io_setinfo(fp, SM_IO_WHAT_TIMEOUT, &dbto);
-	set_tls_rd_tmo(TimeOuts.to_datablock);
+	old_rd_tmo = set_tls_rd_tmo(TimeOuts.to_datablock);
 	c = SM_IO_EOF;
 	inputerr = false;
 	headeronly = hdrp != NULL;
@ -720,7 +721,7 @@ collect(fp, smtpmode, hdrp, e, rsetsize)
 	}
 	if (headeronly)
-		return;
+		goto end;
 	if (mstate != MS_BODY)
 	{
@ -940,6 +941,9 @@ collect(fp, smtpmode, hdrp, e, rsetsize)
 				 + e->e_nrcpts * WkRecipFact;
 		markstats(e, (ADDRESS *) NULL, STATS_NORMAL);
 	}
  end:
 	(void) set_tls_rd_tmo(old_rd_tmo);
 }
 /*
@ -1026,8 +1030,8 @@ dferror(df, msg, e)
 #endif /* 0 */
 	}
 	else
-		syserr("421 4.3.0 collect: Cannot write %s (%s, uid=%d, gid=%d)",
+		syserr("421 4.3.0 collect: Cannot write %s (%s, uid=%ld, gid=%ld)",
-			dfname, msg, (int) geteuid(), (int) getegid());
+			dfname, msg, (long) geteuid(), (long) getegid());
 	if (sm_io_reopen(SmFtStdio, SM_TIME_DEFAULT, SM_PATH_DEVNULL,
 			 SM_IO_WRONLY, NULL, df) == NULL)
 		sm_syslog(LOG_ERR, e->e_id,
--- a/src/conf.c
+++ b/src/conf.c
--- a/src/daemon.c
+++ b/src/daemon.c
@ -32,7 +32,7 @@ SM_RCSID("@(#)$Id: daemon.c,v 8.698 2013-11-22 20:51:55 ca Exp $")
 #endif /* defined(USE_SOCK_STREAM) */
 #if STARTTLS
-#  include <openssl/rand.h>
+# include <openssl/rand.h>
 #endif /* STARTTLS */
 #include <sm/time.h>
@ -517,14 +517,12 @@ getrequests(e)
 				macdefine(&BlankEnvelope.e_macro, A_PERM,
 					macid("{daemon_family}"), "unspec");
 				break;
-#if _FFR_DAEMON_NETUNIX
+#if NETUNIX
 # if NETUNIX
 			  case AF_UNIX:
 				macdefine(&BlankEnvelope.e_macro, A_PERM,
 					macid("{daemon_family}"), "local");
 				break;
-# endif /* NETUNIX */
+#endif /* NETUNIX */
 #endif /* _FFR_DAEMON_NETUNIX */
 #if NETINET
 			  case AF_INET:
 				macdefine(&BlankEnvelope.e_macro, A_PERM,
@ -827,6 +825,17 @@ getrequests(e)
 			OutChannel = outchannel;
 			DisConnected = false;
 #if _FFR_XCNCT
 			t = xconnect(inchannel);
 			if (t <= 0)
 			{
 				clrbitn(D_XCNCT, Daemons[curdaemon].d_flags);
 				clrbitn(D_XCNCT_M, Daemons[curdaemon].d_flags);
 			}
 			else
 				setbitn(t, Daemons[curdaemon].d_flags);
 #endif /* _FFR_XCNCT */
 #if XLA
 			if (!xla_host_ok(RealHostName))
@ -1060,8 +1069,7 @@ opendaemonsocket(d, firsttime)
 			(void) sleep(5);
 		if (firsttime || d->d_socket < 0)
 		{
-#if _FFR_DAEMON_NETUNIX
+#if NETUNIX
 # if NETUNIX
 			if (d->d_addr.sa.sa_family == AF_UNIX)
 			{
 				int rval;
@ -1084,8 +1092,7 @@ opendaemonsocket(d, firsttime)
 				/* Don't try to overtake an existing socket */
 				(void) unlink(d->d_addr.sunix.sun_path);
 			}
-# endif /* NETUNIX */
+#endif /* NETUNIX */
 #endif /* _FFR_DOMAIN_NETUNIX */
 			d->d_socket = socket(d->d_addr.sa.sa_family,
 					     SOCK_STREAM, 0);
 			if (d->d_socket < 0)
@ -1113,7 +1120,7 @@ opendaemonsocket(d, firsttime)
 				continue;
 			}
-			if (SM_FD_SETSIZE > 0 && d->d_socket >= SM_FD_SETSIZE)
+			if (!SM_FD_OK_SELECT(d->d_socket))
 			{
 				save_errno = EINVAL;
 				syserr("opendaemonsocket: daemon %s: server SMTP socket (%d) too large",
@ -1168,13 +1175,11 @@ opendaemonsocket(d, firsttime)
 			switch (d->d_addr.sa.sa_family)
 			{
-#if _FFR_DAEMON_NETUNIX
+#ifdef NETUNIX
 # ifdef NETUNIX
 			  case AF_UNIX:
 				socksize = sizeof(d->d_addr.sunix);
 				break;
-# endif /* NETUNIX */
+#endif /* NETUNIX */
 #endif /* _FFR_DAEMON_NETUNIX */
 #if NETINET
 			  case AF_INET:
 				socksize = sizeof(d->d_addr.sin);
@ -1493,6 +1498,9 @@ setsockaddroptions(p, d)
 			  case SM_DEFER:
 			  case SM_DELIVER:
 			  case SM_FORK:
 #if _FFR_PROXY
 			  case SM_PROXY_REQ:
 #endif /* _FFR_PROXY */
 				d->d_dm = *v;
 				break;
 			  default:
@ -1512,13 +1520,11 @@ setsockaddroptions(p, d)
 #endif /* !_FFR_DPO_CS */
 			if (isascii(*v) && isdigit(*v))
 				d->d_addr.sa.sa_family = atoi(v);
-#if _FFR_DAEMON_NETUNIX
+#ifdef NETUNIX
 # ifdef NETUNIX
 			else if (sm_strcasecmp(v, "unix") == 0 ||
 				 sm_strcasecmp(v, "local") == 0)
 				d->d_addr.sa.sa_family = AF_UNIX;
-# endif /* NETUNIX */
+#endif /* NETUNIX */
 #endif /* _FFR_DAEMON_NETUNIX */
 #if NETINET
 			else if (sm_strcasecmp(v, "inet") == 0)
 				d->d_addr.sa.sa_family = AF_INET;
@ -1628,14 +1634,14 @@ setsockaddroptions(p, d)
 	{
 		switch (d->d_addr.sa.sa_family)
 		{
-#if _FFR_DAEMON_NETUNIX
+#if NETUNIX
 # if NETUNIX
 		  case AF_UNIX:
 			if (strlen(addr) >= sizeof(d->d_addr.sunix.sun_path))
 			{
 				errno = ENAMETOOLONG;
-				syserr("setsockaddroptions: domain socket name too long: %s > %d",
+				syserr("setsockaddroptions: domain socket name too long: %s > %ld",
-				       addr, sizeof(d->d_addr.sunix.sun_path));
+				       addr,
 				       (long) sizeof(d->d_addr.sunix.sun_path));
 				break;
 			}
@ -1646,8 +1652,7 @@ setsockaddroptions(p, d)
 					  addr,
 					  sizeof(d->d_addr.sunix.sun_path));
 			break;
-# endif /* NETUNIX */
+#endif /* NETUNIX */
 #endif	/* _FFR_DAEMON_NETUNIX */
 #if NETINET
 		  case AF_INET:
 			if (!isascii(*addr) || !isdigit(*addr) ||
@ -1998,16 +2003,14 @@ addr_family(addr)
 		return AF_INET6;
 	}
 #endif /* NETINET6 */
-#if _FFR_DAEMON_NETUNIX
+#if NETUNIX
 # if NETUNIX
 	if (*addr == '/')
 	{
 		if (tTd(16, 9))
 			sm_dprintf("addr_family(%s): LOCAL\n", addr);
 		return AF_UNIX;
 	}
-# endif /* NETUNIX */
+#endif /* NETUNIX */
 #endif	/* _FFR_DAEMON_NETUNIX */
 	if (tTd(16, 9))
 		sm_dprintf("addr_family(%s): UNSPEC\n", addr);
 	return AF_UNSPEC;
@ -2045,7 +2048,7 @@ chkclientmodifiers(flag)
 #if MILTER
 /*
-**  SETUP_DAEMON_FILTERS -- Parse per-socket filters
+**  SETUP_DAEMON_MILTERS -- Parse per-socket filters
 **
 **	Parameters:
 **		none
@ -3047,8 +3050,7 @@ shutdown_daemon()
 			(void) close(Daemons[i].d_socket);
 			Daemons[i].d_socket = -1;
-#if _FFR_DAEMON_NETUNIX
+#if NETUNIX
 # if NETUNIX
 			/* Remove named sockets */
 			if (Daemons[i].d_addr.sa.sa_family == AF_UNIX)
 			{
@ -3070,8 +3072,7 @@ shutdown_daemon()
 						  sm_errstring(errno));
 				}
 			}
-# endif /* NETUNIX */
+#endif /* NETUNIX */
 #endif	/* _FFR_DAEMON_NETUNIX */
 		}
 	}
@ -3413,7 +3414,7 @@ getauthinfo(fd, may_be_forged)
 	char ibuf[MAXNAME + 1];
 	static char hbuf[MAXNAME + MAXAUTHINFO + 11];
-	*may_be_forged = false;
+	*may_be_forged = true;
 	falen = sizeof(RealHostAddr);
 	if (isatty(fd) || (i = getpeername(fd, &RealHostAddr.sa, &falen)) < 0 ||
 	    falen <= 0 || RealHostAddr.sa.sa_family == 0)
@ -3430,6 +3431,8 @@ getauthinfo(fd, may_be_forged)
 				return NULL;
 			errno = 0;
 		}
 		*may_be_forged = false;
 		(void) sm_strlcpyn(hbuf, sizeof(hbuf), 2, RealUserName,
 				   "@localhost");
 		if (tTd(9, 1))
@ -3446,8 +3449,10 @@ getauthinfo(fd, may_be_forged)
 	}
 	/* cross check RealHostName with forward DNS lookup */
-	if (anynet_ntoa(&RealHostAddr)[0] != '[' &&
+	if (anynet_ntoa(&RealHostAddr)[0] == '[' ||
-	    RealHostName[0] != '[')
+	    RealHostName[0] == '[')
 		*may_be_forged = false;
 	else
 	{
 		int family;
@ -3473,19 +3478,16 @@ getauthinfo(fd, may_be_forged)
 		/* try to match the reverse against the forward lookup */
 		hp = sm_gethostbyname(RealHostName, family);
-		if (hp == NULL)
+		if (hp != NULL)
 		{
 			/* XXX: Could be a temporary error on forward lookup */
 			*may_be_forged = true;
 		}
 		else
 		{
 			for (ha = hp->h_addr_list; *ha != NULL; ha++)
 			{
 				if (addrcmp(hp, *ha, &RealHostAddr) == 0)
 				{
 					*may_be_forged = false;
 					break;
 				}
 			}
 			*may_be_forged = *ha == NULL;
 #if NETINET6
 			freehostent(hp);
 			hp = NULL;
@ -4259,11 +4261,11 @@ anynet_ntop(s6a, dst, dst_len)
 			return NULL;
 		dst += sz;
 		dst_len -= sz;
-# if _FFR_IPV6_FULL
+# if IPV6_FULL
 		ap = sm_inet6_ntop(s6a, dst, dst_len);
-# else /* _FFR_IPV6_FULL */
+# else /* IPV6_FULL */
 		ap = (char *) inet_ntop(AF_INET6, s6a, dst, dst_len);
-# endif /* _FFR_IPV6_FULL */
+# endif /* IPV6_FULL */
 		/* Restore pointer to beginning of string */
 		if (ap != NULL)
--- a/src/deliver.c
+++ b/src/deliver.c
@ -37,7 +37,7 @@ static void	sendenvelope __P((ENVELOPE *, int));
 static int	coloncmp __P((const char *, const char *));
 #if STARTTLS
-#  include <openssl/err.h>
+# include <openssl/err.h>
 static int	starttls __P((MAILER *, MCI *, ENVELOPE *));
 static int	endtlsclt __P((MCI *));
 #endif /* STARTTLS */
@ -1223,6 +1223,7 @@ should_try_fbsh(e, tried_fallbacksmarthost, hostbuf, hbsz, status)
 	}
 	return false;
 }
 /*
 **  DELIVER -- Deliver a message to a list of addresses.
 **
@ -1392,6 +1393,8 @@ deliver(e, firstto)
 	else
 		p = e->e_from.q_paddr;
 	rpath = remotename(p, m, RF_SENDERADDR|RF_CANONICAL, &rcode, e);
 	if (rcode != EX_OK && bitnset(M_xSMTP, m->m_flags))
 		goto cleanup;
 	if (strlen(rpath) > MAXNAME)
 	{
 		rpath = shortenstring(rpath, MAXSHORTSTR);
@ -1468,6 +1471,7 @@ deliver(e, firstto)
 		/* running LMTP or SMTP */
 		clever = true;
 		*pvp = NULL;
 		setbitn(M_xSMTP, m->m_flags);
 	}
 	else if (bitnset(M_LMTP, m->m_flags))
 	{
@ -1600,7 +1604,7 @@ deliver(e, firstto)
 		quarantine = (e->e_quarmsg != NULL);
 		rcode = rscheck("check_compat", e->e_from.q_paddr, to->q_paddr,
 				e, RSF_RMCOMM|RSF_COUNT, 3, NULL,
-				e->e_id, NULL);
+				e->e_id, NULL, NULL);
 		if (rcode == EX_OK)
 		{
 			/* do in-code checking if not discarding */
@ -2465,8 +2469,8 @@ deliver(e, firstto)
 						       ctladdr->q_gid) == -1
 					    && suidwarn)
 					{
-						syserr("openmailer: initgroups(%s, %d) failed",
+						syserr("openmailer: initgroups(%s, %ld) failed",
-							user, ctladdr->q_gid);
+							user, (long) ctladdr->q_gid);
 						exit(EX_TEMPFAIL);
 					}
 				}
@ -2492,8 +2496,8 @@ deliver(e, firstto)
 					if (initgroups(DefUser, DefGid) == -1 &&
 					    suidwarn)
 					{
-						syserr("openmailer: initgroups(%s, %d) failed",
+						syserr("openmailer: initgroups(%s, %ld) failed",
-						       DefUser, DefGid);
+						       DefUser, (long) DefGid);
 						exit(EX_TEMPFAIL);
 					}
 				}
@ -2522,9 +2526,9 @@ deliver(e, firstto)
 				    new_gid != getegid())
 				{
 					/* Only root can change the gid */
-					syserr("openmailer: insufficient privileges to change gid, RunAsUid=%d, new_gid=%d, gid=%d, egid=%d",
+					syserr("openmailer: insufficient privileges to change gid, RunAsUid=%ld, new_gid=%ld, gid=%ld, egid=%ld",
-					       (int) RunAsUid, (int) new_gid,
+					       (long) RunAsUid, (long) new_gid,
-					       (int) getgid(), (int) getegid());
+					       (long) getgid(), (long) getegid());
 					exit(EX_TEMPFAIL);
 				}
@ -2619,8 +2623,8 @@ deliver(e, firstto)
 				if (RunAsUid != 0 && new_euid != RunAsUid)
 				{
 					/* Only root can change the uid */
-					syserr("openmailer: insufficient privileges to change uid, new_euid=%d, RunAsUid=%d",
+					syserr("openmailer: insufficient privileges to change uid, new_euid=%ld, RunAsUid=%ld",
-					       (int) new_euid, (int) RunAsUid);
+					       (long) new_euid, (long) RunAsUid);
 					exit(EX_TEMPFAIL);
 				}
@ -2662,9 +2666,9 @@ deliver(e, firstto)
 			}
 			if (tTd(11, 2))
-				sm_dprintf("openmailer: running as r/euid=%d/%d, r/egid=%d/%d\n",
+				sm_dprintf("openmailer: running as r/euid=%ld/%ld, r/egid=%ld/%ld\n",
-					   (int) getuid(), (int) geteuid(),
+					   (long) getuid(), (long) geteuid(),
-					   (int) getgid(), (int) getegid());
+					   (long) getgid(), (long) getegid());
 			/* move into some "safe" directory */
 			if (m->m_execdir != NULL)
@ -2964,8 +2968,8 @@ deliver(e, firstto)
 				QuickAbort = false;
 				SuprErrs = true;
 				if (rscheck("try_tls", host, NULL, e,
-					    RSF_RMCOMM, 7, host, NOQID, NULL)
+					    RSF_RMCOMM, 7, host, NOQID, NULL,
-								!= EX_OK
+					    NULL) != EX_OK
 				    || Errors > olderrors)
 				{
 					usetls = false;
@ -3039,7 +3043,7 @@ deliver(e, firstto)
 			if (rscheck("tls_server",
 				    macvalue(macid("{verify}"), e),
 				    NULL, e, RSF_RMCOMM|RSF_COUNT, 5,
-				    host, NOQID, NULL) != EX_OK ||
+				    host, NOQID, NULL, NULL) != EX_OK ||
 			    Errors > olderrors ||
 			    rcode == EX_SOFTWARE)
 			{
@ -3364,7 +3368,7 @@ deliver(e, firstto)
 # if STARTTLS
 				i = rscheck("tls_rcpt", to->q_user, NULL, e,
 					    RSF_RMCOMM|RSF_COUNT, 3,
-					    mci->mci_host, e->e_id, NULL);
+					    mci->mci_host, e->e_id, NULL, NULL);
 				if (i != EX_OK)
 				{
 					markfailure(e, to, mci, i, false);
@ -3590,7 +3594,7 @@ deliver(e, firstto)
 	if (tobuf[0] != '\0')
 	{
-		giveresponse(rcode, NULL, m, mci, ctladdr, xstart, e, tochain);
+		giveresponse(rcode, NULL, m, mci, ctladdr, xstart, e, NULL);
 #if 0
 		/*
 		**  This code is disabled for now because I am not
@ -4166,14 +4170,13 @@ giveresponse(status, dsn, m, mci, ctladdr, xstart, e, to)
 	/*
 	**  Final cleanup.
-	**	Log a record of the transaction.  Compute the new
+	**	Log a record of the transaction.  Compute the new ExitStat
-	**	ExitStat -- if we already had an error, stick with
+	**	-- if we already had an error, stick with that.
 	**	that.
 	*/
 	if (OpMode != MD_VERIFY && !bitset(EF_VRFYONLY, e->e_flags) &&
 	    LogLevel > ((status == EX_TEMPFAIL) ? 8 : (status == EX_OK) ? 7 : 6))
-		logdelivery(m, mci, dsn, statmsg + off, ctladdr, xstart, e);
+		logdelivery(m, mci, dsn, statmsg + off, ctladdr, xstart, e, to, status);
 	if (tTd(11, 2))
 		sm_dprintf("giveresponse: status=%d, dsn=%s, e->e_message=%s, errnum=%d\n",
@ -4215,6 +4218,8 @@ giveresponse(status, dsn, m, mci, ctladdr, xstart, e, to)
 **		xstart -- the transaction start time, used for
 **			computing transaction delay.
 **		e -- the current envelope.
 **		to -- the current recipient (NULL if none).
 **		rcode -- status code
 **
 **	Returns:
 **		none
@ -4224,7 +4229,7 @@ giveresponse(status, dsn, m, mci, ctladdr, xstart, e, to)
 */
 void
-logdelivery(m, mci, dsn, status, ctladdr, xstart, e)
+logdelivery(m, mci, dsn, status, ctladdr, xstart, e, to, rcode)
 	MAILER *m;
 	register MCI *mci;
 	char *dsn;
@ -4232,6 +4237,8 @@ logdelivery(m, mci, dsn, status, ctladdr, xstart, e)
 	ADDRESS *ctladdr;
 	time_t xstart;
 	register ENVELOPE *e;
 	ADDRESS *to;
 	int rcode;
 {
 	register char *bp;
 	register char *p;
@ -4276,6 +4283,16 @@ logdelivery(m, mci, dsn, status, ctladdr, xstart, e)
 		bp += strlen(bp);
 	}
 # if _FFR_LOG_MORE2
 #  if STARTTLS
 	p = macvalue(macid("{verify}"), e);
 	if (p == NULL || *p == '\0')
 		p = "NONE";
 	(void) sm_snprintf(bp, SPACELEFT(buf, bp), ", tls_verify=%.20s", p);
 	bp += strlen(bp);
 #  endif /* STARTTLS */
 # endif /* _FFR_LOG_MORE2 */
 	/* pri: changes with each delivery attempt */
 	(void) sm_snprintf(bp, SPACELEFT(buf, bp), ", pri=%ld",
 		PRT_NONNEGL(e->e_msgpriority));
@ -4342,6 +4359,43 @@ logdelivery(m, mci, dsn, status, ctladdr, xstart, e)
 #  define STATLEN	203
 # endif /* (STATLEN) > 203 */
 #if _FFR_LOGREPLY
 	/*
 	**  Notes:
 	**  per-rcpt status: to->q_rstatus
 	**  global status: e->e_text
 	**
 	**  We (re)use STATLEN here, is that a good choice?
 	**
 	**  stat=Deferred: ...
 	**  has sometimes the same text?
 	**
 	**  Note: this doesn't show the stage at which the error happened.
 	**  can/should we log that?
 	**  XS_* in reply() basically encodes the state.
 	*/
 	/* only show errors */
 	if (rcode != EX_OK && to != NULL && to->q_rstatus != NULL &&
 	    *to->q_rstatus != '\0')
 	{
 		(void) sm_snprintf(bp, SPACELEFT(buf, bp),
 			", reply=%s",
 			shortenstring(to->q_rstatus, STATLEN));
 		bp += strlen(bp);
 	}
 	else if (rcode != EX_OK && e->e_text != NULL)
 	{
 		(void) sm_snprintf(bp, SPACELEFT(buf, bp),
 			", reply=%d %s%s%s",
 			e->e_rcode,
 			e->e_renhsc,
 			(e->e_renhsc[0] != '\0') ? " " : "",
 			shortenstring(e->e_text, STATLEN));
 		bp += strlen(bp);
 	}
 #endif
 	/* stat: max 210 bytes */
 	if ((bp - buf) > (sizeof(buf) - ((STATLEN) + 20)))
 	{
@ -4368,6 +4422,7 @@ logdelivery(m, mci, dsn, status, ctladdr, xstart, e)
 		for (q = p + l; q > p; q--)
 		{
 			/* XXX a comma in an address will break this! */
 			if (*q == ',')
 				break;
 		}
@ -5327,8 +5382,8 @@ mailfile(filename, mailer, ctladdr, sfflags, e)
 				if (RunAsUid != 0 && RealUid != RunAsUid)
 				{
 					/* Only root can change the uid */
-					syserr("mailfile: insufficient privileges to change uid, RunAsUid=%d, RealUid=%d",
+					syserr("mailfile: insufficient privileges to change uid, RunAsUid=%ld, RealUid=%ld",
-						(int) RunAsUid, (int) RealUid);
+						(long) RunAsUid, (long) RealUid);
 					RETURN(EX_TEMPFAIL);
 				}
 			}
@ -5368,9 +5423,9 @@ mailfile(filename, mailer, ctladdr, sfflags, e)
 				     RealGid != getegid()))
 				{
 					/* Only root can change the gid */
-					syserr("mailfile: insufficient privileges to change gid, RealGid=%d, RunAsUid=%d, gid=%d, egid=%d",
+					syserr("mailfile: insufficient privileges to change gid, RealGid=%ld, RunAsUid=%ld, gid=%ld, egid=%ld",
-					       (int) RealGid, (int) RunAsUid,
+					       (long) RealGid, (long) RunAsUid,
-					       (int) getgid(), (int) getegid());
+					       (long) getgid(), (long) getegid());
 					RETURN(EX_TEMPFAIL);
 				}
 			}
@ -5411,8 +5466,8 @@ mailfile(filename, mailer, ctladdr, sfflags, e)
 		{
 			if (initgroups(RealUserName, RealGid) == -1 && suidwarn)
 			{
-				syserr("mailfile: initgroups(%s, %d) failed",
+				syserr("mailfile: initgroups(%s, %ld) failed",
-					RealUserName, RealGid);
+					RealUserName, (long) RealGid);
 				RETURN(EX_TEMPFAIL);
 			}
 		}
@ -5474,9 +5529,9 @@ mailfile(filename, mailer, ctladdr, sfflags, e)
 		}
 		if (tTd(11, 2))
-			sm_dprintf("mailfile: running as r/euid=%d/%d, r/egid=%d/%d\n",
+			sm_dprintf("mailfile: running as r/euid=%ld/%ld, r/egid=%ld/%ld\n",
-				(int) getuid(), (int) geteuid(),
+				(long) getuid(), (long) geteuid(),
-				(int) getgid(), (int) getegid());
+				(long) getgid(), (long) getegid());
 		/* move into some "safe" directory */
--- a/src/envelope.c
+++ b/src/envelope.c
@ -42,11 +42,9 @@ clrsessenvelope(e)
 	macdefine(&e->e_macro, A_PERM, macid("{cipher}"), "");
 	macdefine(&e->e_macro, A_PERM, macid("{tls_version}"), "");
 	macdefine(&e->e_macro, A_PERM, macid("{verify}"), "");
 # if _FFR_TLS_1
 	macdefine(&e->e_macro, A_PERM, macid("{alg_bits}"), "");
 	macdefine(&e->e_macro, A_PERM, macid("{cn_issuer}"), "");
 	macdefine(&e->e_macro, A_PERM, macid("{cn_subject}"), "");
 # endif /* _FFR_TLS_1 */
 #endif /* STARTTLS */
 }
@ -246,6 +244,16 @@ dropenvelope(e, fulldrop, split)
 		e->e_flags |= EF_FATALERRS|EF_CLRQUEUE;
 	}
 #if _FFR_PROXY
 	if (tTd(87, 2))
 	{
 		q = e->e_sendqueue;
 		sm_dprintf("dropenvelope: mode=%c, e=%p, sibling=%p, nrcpts=%d, sendqueue=%p, next=%p, state=%d\n",
 			e->e_sendmode, e, e->e_sibling, e->e_nrcpts, q,
 			(q == NULL) ? (void *)0 : q->q_next,
 			(q == NULL) ? -1 : q->q_state);
 	}
 #endif /* _FFR_PROXY */
 	e->e_flags &= ~EF_QUEUERUN;
 	for (q = e->e_sendqueue; q != NULL; q = q->q_next)
@ -253,6 +261,10 @@ dropenvelope(e, fulldrop, split)
 		if (QS_IS_UNDELIVERED(q->q_state))
 			queueit = true;
 #if _FFR_PROXY
 		if (queueit && e->e_sendmode == SM_PROXY)
 			queueit = false;
 #endif /* _FFR_PROXY */
 		/* see if a notification is needed */
 		if (bitset(QPINGONFAILURE, q->q_flags) &&
@ -577,9 +589,9 @@ dropenvelope(e, fulldrop, split)
 			if (!split_by_recipient(e) &&
 			    bitset(EF_FATALERRS, e->e_flags))
 			{
-				syserr("!dropenvelope(%s): cannot commit data file %s, uid=%d",
+				syserr("!dropenvelope(%s): cannot commit data file %s, uid=%ld",
 					e->e_id, queuename(e, DATAFL_LETTER),
-					(int) geteuid());
+					(long) geteuid());
 			}
 			for (ee = e->e_sibling; ee != NULL; ee = ee->e_sibling)
 				queueup(ee, false, true);
--- a/src/err.c
+++ b/src/err.c
@ -94,7 +94,7 @@ fatal_error(exc)
 **	reply code defaults to 451 or 554, depending on errno.
 **
 **	Parameters:
-**		fmt -- the format string.  An optional '!' or '@',
+**		fmt -- the format string.  An optional '!', '@', or '+',
 **			followed by an optional three-digit SMTP
 **			reply code, followed by message text.
 **		(others) -- parameters
@ -127,8 +127,7 @@ syserr(fmt, va_alist)
 {
 	register char *p;
 	int save_errno = errno;
-	bool panic;
+	bool panic, exiting, keep;
 	bool exiting;
 	char *user;
 	char *enhsc;
 	char *errtxt;
@ -136,21 +135,22 @@ syserr(fmt, va_alist)
 	char ubuf[80];
 	SM_VA_LOCAL_DECL
 	panic = exiting = keep = false;
 	switch (*fmt)
 	{
 	  case '!':
 		++fmt;
-		panic = true;
+		panic = exiting = true;
 		exiting = true;
 		break;
 	  case '@':
 		++fmt;
 		panic = false;
 		exiting = true;
 		break;
 	  case '+':
 		++fmt;
 		keep = true;
 		break;
 	  default:
 		panic = false;
 		exiting = false;
 		break;
 	}
@ -182,7 +182,7 @@ syserr(fmt, va_alist)
 	puterrmsg(MsgBuf);
 	/* save this message for mailq printing */
-	if (!panic && CurEnv != NULL)
+	if (!panic && CurEnv != NULL && (!keep || CurEnv->e_message == NULL))
 	{
 		char *nmsg = sm_rpool_strdup_x(CurEnv->e_rpool, errtxt);
@ -479,6 +479,108 @@ message(msg, va_alist)
 	}
 }
 #if _FFR_PROXY
 /*
 **  EMESSAGE -- print message (not necessarily an error)
 **	(same as message() but requires reply code and enhanced status code)
 **
 **	Parameters:
 **		replycode -- SMTP reply code.
 **		enhsc -- enhanced status code.
 **		msg -- the message (sm_io_printf fmt) -- it can begin with
 **			an SMTP reply code.  If not, 050 is assumed.
 **		(others) -- sm_io_printf arguments
 **
 **	Returns:
 **		none
 **
 **	Side Effects:
 **		none.
 */
 /*VARARGS3*/
 void
 # ifdef __STDC__
 emessage(const char *replycode, const char *enhsc, const char *msg, ...)
 # else /* __STDC__ */
 emessage(replycode, enhsc, msg, va_alist)
 	const char *replycode;
 	const char *enhsc;
 	const char *msg;
 	va_dcl
 # endif /* __STDC__ */
 {
 	char *errtxt;
 	SM_VA_LOCAL_DECL
 	errno = 0;
 	SM_VA_START(ap, msg);
 	errtxt = fmtmsg(MsgBuf, CurEnv->e_to, replycode, enhsc, 0, msg, ap);
 	SM_VA_END(ap);
 	putoutmsg(MsgBuf, false, false);
 	/* save this message for mailq printing */
 	switch (MsgBuf[0])
 	{
 	  case '4':
 	  case '8':
 		if (CurEnv->e_message != NULL)
 			break;
 		/* FALLTHROUGH */
 	  case '5':
 		if (CurEnv->e_rpool == NULL && CurEnv->e_message != NULL)
 			sm_free(CurEnv->e_message);
 		CurEnv->e_message = sm_rpool_strdup_x(CurEnv->e_rpool, errtxt);
 		break;
 	}
 }
 /*
 **  EXTSC -- check and extract a status codes
 **
 **	Parameters:
 **		msg -- string with possible enhanced status code.
 **		delim -- delim for enhanced status code.
 **		replycode -- pointer to storage for SMTP reply code;
 **			must be != NULL and have space for at least
 **			4 characters.
 **		enhsc -- pointer to storage for enhanced status code;
 **			must be != NULL and have space for at least
 **			10 characters ([245].[0-9]{1,3}.[0-9]{1,3})
 **
 **	Returns:
 **		-1  -- no SMTP reply code.
 **		>=3 -- offset of error text in msg.
 **		(<=4  -- no enhanced status code)
 */
 int
 extsc(msg, delim, replycode, enhsc)
 	const char *msg;
 	int delim;
 	char *replycode;
 	char *enhsc;
 {
 	int offset;
 	SM_REQUIRE(replycode != NULL);
 	SM_REQUIRE(enhsc != NULL);
 	replycode[0] = '\0';
 	enhsc[0] = '\0';
 	if (msg == NULL)
 		return -1;
 	if (!ISSMTPREPLY(msg))
 		return -1;
 	sm_strlcpy(replycode, msg, 4);
 	if (msg[3] == '\0')
 		return 3;
 	offset = 4;
 	if (isenhsc(msg + 4, delim))
 		offset = extenhsc(msg + 4, delim, enhsc) + 4;
 	return offset;
 }
 #endif /* _FFR_PROXY */
 /*
 **  NMESSAGE -- print message (not necessarily an error)
@ -1138,7 +1240,7 @@ sm_errstring(errnum)
 	}
 #if LDAPMAP
-	if (errnum >= E_LDAPBASE)
+	if (errnum >= E_LDAPBASE - E_LDAP_SHIM)
 		return ldap_err2string(errnum - E_LDAPBASE);
 #endif /* LDAPMAP */
--- a/src/headers.c
+++ b/src/headers.c
@ -360,7 +360,7 @@ dochompheader(line, pflag, hdrp, e)
 				macdefine(&e->e_macro, A_PERM,
 					macid("{addr_type}"), "h");
 			(void) rscheck(rs, fvalue, NULL, e, rscheckflags, 3,
-				       NULL, e->e_id, NULL);
+				       NULL, e->e_id, NULL, NULL);
 		}
 	}
@ -415,7 +415,7 @@ dochompheader(line, pflag, hdrp, e)
 				**  the RCPT mailer.
 				*/
-		    		if (bitnset(M_NOMHHACK,
+				if (bitnset(M_NOMHHACK,
 					    e->e_from.q_mailer->m_flags))
 				{
 					h->h_flags &= ~H_CHECK;
@ -1194,6 +1194,22 @@ logsender(e, msgid)
 				", daemon=%.20s", p);
 		sbp += strlen(sbp);
 	}
 # if _FFR_LOG_MORE1
 #  if STARTTLS
 	p = macvalue(macid("{verify}"), e);
 	if (p == NULL || *p == '\0')
 		p = "NONE";
 	(void) sm_snprintf(sbp, SPACELEFT(sbuf, sbp), ", tls_verify=%.20s", p);
 	sbp += strlen(sbp);
 #  endif /* STARTTLS */
 #  if SASL
 	p = macvalue(macid("{auth_type}"), e);
 	if (p == NULL || *p == '\0')
 		p = "NONE";
 	(void) sm_snprintf(sbp, SPACELEFT(sbuf, sbp), ", auth=%.20s", p);
 	sbp += strlen(sbp);
 #  endif /* SASL */
 # endif /* _FFR_LOG_MORE1 */
 	sm_syslog(LOG_INFO, e->e_id, "%.850s, relay=%s", sbuf, name);
 #else /* (SYSLOG_BUFSIZE) >= 256 */
@ -1892,8 +1908,10 @@ putheader(mci, hdr, e, flags)
 			if (bitset(H_FROM, h->h_flags))
 				oldstyle = false;
-			commaize(h, p, oldstyle, mci, e,
+			if (!commaize(h, p, oldstyle, mci, e,
-				 PXLF_HEADER | PXLF_STRIPMQUOTE);
+				      PXLF_HEADER | PXLF_STRIPMQUOTE)
 			    && bitnset(M_xSMTP, mci->mci_mailer->m_flags))
 				goto writeerr;
 		}
 		else
 		{
@ -2169,6 +2187,12 @@ commaize(h, p, oldstyle, mci, e, putflags)
 #endif /* USERDB */
 		status = EX_OK;
 		name = remotename(name, mci->mci_mailer, flags, &status, e);
 		if (status != EX_OK && bitnset(M_xSMTP, mci->mci_mailer->m_flags))
 		{
 			if (status == EX_TEMPFAIL)
 				mci->mci_flags |= MCIF_NOTSTICKY;
 			goto writeerr;
 		}
 		if (*name == '\0')
 		{
 			*p = savechar;
--- a/src/main.c
+++ b/src/main.c
@ -406,9 +406,7 @@ main(argc, argv, envp)
 			  case MD_HOSTSTAT:
 			  case MD_PURGESTAT:
 			  case MD_ARPAFTP:
 #if _FFR_CHECKCONFIG
 			  case MD_CHECKCONFIG:
 #endif /* _FFR_CHECKCONFIG */
 				OpMode = j;
 				break;
@ -645,6 +643,17 @@ main(argc, argv, envp)
 		sm_printoptions(FFRCompileOptions);
 	}
 #if STARTTLS
 	if (tTd(0, 14))
 	{
 		/* exit(EX_CONFIG) if different? */
 		sm_dprintf("       OpenSSL: compiled 0x%08x\n",
 			   (uint) OPENSSL_VERSION_NUMBER);
 		sm_dprintf("       OpenSSL: linked   0x%08x\n",
 			   (uint) SSLeay());
 	}
 #endif /* STARTTLS */
 	/* clear sendmail's environment */
 	ExternalEnviron = environ;
 	emptyenviron[0] = NULL;
@ -2566,6 +2575,38 @@ main(argc, argv, envp)
 		**  Set _ macro in BlankEnvelope before calling newenvelope().
 		*/
 #if _FFR_XCNCT
 		if (bitnset(D_XCNCT, *p_flags) || bitnset(D_XCNCT_M, *p_flags))
 		{
 			/* copied from getauthinfo() */
 			if (RealHostName == NULL)
 			{
 				RealHostName = newstr(hostnamebyanyaddr(&RealHostAddr));
 				if (strlen(RealHostName) > MAXNAME)
 					RealHostName[MAXNAME] = '\0'; /* XXX - 1 ? */
 			}
 			snprintf(buf, sizeof(buf), "%s [%s]",
 				RealHostName, anynet_ntoa(&RealHostAddr));
 			forged = bitnset(D_XCNCT_M, *p_flags);
 			if (forged)
 			{
 				(void) sm_strlcat(buf, " (may be forged)",
 						sizeof(buf));
 				macdefine(&BlankEnvelope.e_macro, A_PERM,
 					  macid("{client_resolve}"), "FORGED");
 			}
 			/* HACK! variable used only two times right below */
 			authinfo = buf;
 			if (tTd(75, 9))
 				sm_syslog(LOG_INFO, NOQID,
 					"main: where=not_calling_getauthinfo, RealHostAddr=%s",
 					anynet_ntoa(&RealHostAddr));
 		}
 		else
 		/* WARNING: "non-braced" else */
 #endif /* _FFR_XCNCT */
 		authinfo = getauthinfo(sm_io_getinfo(InChannel, SM_IO_WHAT_FD,
 						     NULL), &forged);
 		macdefine(&BlankEnvelope.e_macro, A_TEMP, '_', authinfo);
@ -2622,13 +2663,13 @@ main(argc, argv, envp)
 #if NETINET
 		  case AF_INET:
 			(void) sm_snprintf(pbuf, sizeof(pbuf), "%d",
-					   RealHostAddr.sin.sin_port);
+					   ntohs(RealHostAddr.sin.sin_port));
 			break;
 #endif /* NETINET */
 #if NETINET6
 		  case AF_INET6:
 			(void) sm_snprintf(pbuf, sizeof(pbuf), "%d",
-					   RealHostAddr.sin6.sin6_port);
+					   ntohs(RealHostAddr.sin6.sin6_port));
 			break;
 #endif /* NETINET6 */
 		  default:
@ -3696,12 +3737,12 @@ drop_privileges(to_real_uid)
 	GIDSET_T emptygidset[1];
 	if (tTd(47, 1))
-		sm_dprintf("drop_privileges(%d): Real[UG]id=%d:%d, get[ug]id=%d:%d, gete[ug]id=%d:%d, RunAs[UG]id=%d:%d\n",
+		sm_dprintf("drop_privileges(%d): Real[UG]id=%ld:%ld, get[ug]id=%ld:%ld, gete[ug]id=%ld:%ld, RunAs[UG]id=%ld:%ld\n",
 			   (int) to_real_uid,
-			   (int) RealUid, (int) RealGid,
+			   (long) RealUid, (long) RealGid,
-			   (int) getuid(), (int) getgid(),
+			   (long) getuid(), (long) getgid(),
-			   (int) geteuid(), (int) getegid(),
+			   (long) geteuid(), (long) getegid(),
-			   (int) RunAsUid, (int) RunAsGid);
+			   (long) RunAsUid, (long) RunAsGid);
 	if (to_real_uid)
 	{
@ -3776,15 +3817,15 @@ drop_privileges(to_real_uid)
 	{
 		if (setgid(RunAsGid) < 0 && (!UseMSP || getegid() != RunAsGid))
 		{
-			syserr("drop_privileges: setgid(%d) failed",
+			syserr("drop_privileges: setgid(%ld) failed",
-			       (int) RunAsGid);
+			       (long) RunAsGid);
 			rval = EX_OSERR;
 		}
 		errno = 0;
 		if (rval == EX_OK && getegid() != RunAsGid)
 		{
-			syserr("drop_privileges: Unable to set effective gid=%d to RunAsGid=%d",
+			syserr("drop_privileges: Unable to set effective gid=%ld to RunAsGid=%ld",
-			       (int) getegid(), (int) RunAsGid);
+			       (long) getegid(), (long) RunAsGid);
 			rval = EX_OSERR;
 		}
 	}
--- a/src/map.c
+++ b/src/map.c
@ -204,6 +204,20 @@ map_parseargs(map, ap)
 			map->map_app = ++p;
 			break;
 		  case 'd':
 			{
 				char *h;
 				++p;
 				h = strchr(p, ' ');
 				if (h != NULL)
 					*h = '\0';
 				map->map_timeout = convtime(p, 's');
 				if (h != NULL)
 					*h = ' ';
 			}
 			break;
 		  case 'T':
 			map->map_tapp = ++p;
 			break;
@ -1826,7 +1840,7 @@ ndbm_map_store(map, lhs, rhs)
 				data.dptr = buf;
 				if (tTd(38, 9))
 					sm_dprintf("ndbm_map_store append=%s\n",
-						data.dptr);
+						(char *)data.dptr);
 			}
 		}
 		status = dbm_store((DBM *) map->map_db1,
@ -7366,7 +7380,6 @@ arith_map_lookup(map, name, av, statp)
 	return NULL;
 }
 #if _FFR_ARPA_MAP
 char *
 arpa_map_lookup(map, name, av, statp)
 	MAP *map;
@ -7419,7 +7432,7 @@ arpa_map_lookup(map, name, av, statp)
 	{
 		struct in_addr in_addr;
-		r = anynet_pton(AF_INET, name, &in_addr);
+		r = inet_pton(AF_INET, name, &in_addr);
 		if (r == 1)
 		{
 			unsigned char *src;
@ -7445,7 +7458,6 @@ arpa_map_lookup(map, name, av, statp)
 	}
 	return rval;
 }
 #endif /* _FFR_ARPA_MAP */
 #if SOCKETMAP
@ -7466,6 +7478,7 @@ socket_map_open(map, mode)
 {
 	STAB *s;
 	int sock = 0;
 	int tmo;
 	SOCKADDR_LEN_T addrlen = 0;
 	int addrno = 0;
 	int save_errno;
@ -7865,6 +7878,13 @@ socket_map_open(map, mode)
 		return false;
 	}
 	tmo = map->map_timeout;
 	if (tmo == 0)
 		tmo = 30000;	/* default: 30s */
 	else
 		tmo *= 1000;	/* s -> ms */
 	sm_io_setinfo(map->map_db1, SM_IO_WHAT_TIMEOUT, &tmo);
 	/* Save connection for reuse */
 	s->s_socketmap = map;
 	return true;
@ -7999,8 +8019,16 @@ socket_map_lookup(map, name, av, statp)
 	if (sm_io_fscanf(f, SM_TIME_DEFAULT, "%9u", &replylen) != 1)
 	{
-		syserr("451 4.3.0 socket_map_lookup(%s): failed to read length parameter of reply",
+		if (errno == EAGAIN)
-			map->map_mname);
+		{
 			syserr("451 4.3.0 socket_map_lookup(%s): read timeout",
 				map->map_mname);
 		}
 		else
 		{
 			syserr("451 4.3.0 socket_map_lookup(%s): failed to read length parameter of reply %d",
 				map->map_mname, errno);
 		}
 		*statp = EX_TEMPFAIL;
 		goto errcl;
 	}
--- a/src/mci.c
+++ b/src/mci.c
@ -352,6 +352,7 @@ mci_get(host, m)
 #if PIPELINING
 	mci->mci_okrcpts = 0;
 #endif /* PIPELINING */
 	mci->mci_flags &= ~MCIF_NOTSTICKY;
 	if (mci->mci_rpool == NULL)
 		mci->mci_rpool = sm_rpool_new_x(NULL);
--- a/src/milter.c
+++ b/src/milter.c
@ -204,7 +204,7 @@ static size_t MilterMaxDataSize = MILTER_MAX_DATA_SIZE;
 	fd_set fds; \
 	struct timeval tv; \
 \
-	if (SM_FD_SETSIZE > 0 && m->mf_sock >= SM_FD_SETSIZE) \
+	if (!SM_FD_OK_SELECT(m->mf_sock)) \
 	{ \
 		if (tTd(64, 5)) \
 			sm_dprintf("milter_%s(%s): socket %d is larger than FD_SETSIZE %d\n", \
@ -1642,8 +1642,8 @@ milter_set_option(name, val, sticky)
 		    MilterMaxDataSize != MILTER_MDS_1M)
 		{
 			sm_syslog(LOG_WARNING, NOQID,
-				"WARNING: Milter.%s=%d, allowed are only %d, %d, and %d",
+				"WARNING: Milter.%s=%lu, allowed are only %d, %d, and %d",
-				name, MilterMaxDataSize,
+				name, (unsigned long) MilterMaxDataSize,
 				MILTER_MDS_64K, MILTER_MDS_256K,
 				MILTER_MDS_1M);
 			if (MilterMaxDataSize < MILTER_MDS_64K)
@ -2421,7 +2421,9 @@ milter_negotiate(m, e, milters)
 	if (tTd(64, 5))
 		sm_dprintf("milter_negotiate(%s): send: version %lu, fflags 0x%lx, pflags 0x%lx\n",
-			m->mf_name, ntohl(fvers), ntohl(fflags), ntohl(pflags));
+			m->mf_name, (unsigned long) ntohl(fvers),
 			(unsigned long) ntohl(fflags),
 			(unsigned long) ntohl(pflags));
 	response = milter_read(m, &rcmd, &rlen, m->mf_timeout[SMFTO_READ], e,
 				"negotiate");
@ -2526,8 +2528,9 @@ milter_negotiate(m, e, milters)
 		{
 			/* this should not happen... */
 			sm_syslog(LOG_WARNING, NOQID,
-				  "WARNING: Milter.maxdatasize: configured=%d, set by libmilter=%d",
+				  "WARNING: Milter.maxdatasize: configured=%lu, set by libmilter=%d",
-		    		  MilterMaxDataSize, MILTER_MDS_1M);
+				  (unsigned long) MilterMaxDataSize,
 				  MILTER_MDS_1M);
 			MilterMaxDataSize = MILTER_MDS_1M;
 		}
 	}
@ -2536,16 +2539,18 @@ milter_negotiate(m, e, milters)
 		if (MilterMaxDataSize != MILTER_MDS_256K)
 		{
 			sm_syslog(LOG_WARNING, NOQID,
-				  "WARNING: Milter.maxdatasize: configured=%d, set by libmilter=%d",
+				  "WARNING: Milter.maxdatasize: configured=%lu, set by libmilter=%d",
-		    		  MilterMaxDataSize, MILTER_MDS_256K);
+				  (unsigned long) MilterMaxDataSize,
 				  MILTER_MDS_256K);
 			MilterMaxDataSize = MILTER_MDS_256K;
 		}
 	}
 	else if (MilterMaxDataSize != MILTER_MDS_64K)
 	{
 		sm_syslog(LOG_WARNING, NOQID,
-			  "WARNING: Milter.maxdatasize: configured=%d, set by libmilter=%d",
+			  "WARNING: Milter.maxdatasize: configured=%lu, set by libmilter=%d",
-	    		  MilterMaxDataSize, MILTER_MDS_64K);
+			  (unsigned long) MilterMaxDataSize,
 			  MILTER_MDS_64K);
 		MilterMaxDataSize = MILTER_MDS_64K;
 	}
 	m->mf_pflags &= ~SMFI_INTERNAL;
@ -3976,6 +3981,7 @@ milter_connect(hostname, addr, e, state)
 	else
 		milter_per_connection_check(e);
 #if !_FFR_MILTER_CONNECT_REPLYCODE
 	/*
 	**  SMFIR_REPLYCODE can't work with connect due to
 	**  the requirements of SMTP.  Therefore, ignore the
@ -4000,6 +4006,7 @@ milter_connect(hostname, addr, e, state)
 			response = NULL;
 		}
 	}
 #endif /* !_FFR_MILTER_CONNECT_REPLYCODE */
 	return response;
 }
--- a/src/parseaddr.c
+++ b/src/parseaddr.c
@ -2362,6 +2362,10 @@ sameaddr(a, b)
 	if (strcmp(a->q_user, b->q_user) != 0)
 		return false;
 	/* do the required flags match? */
 	if (!ADDR_FLAGS_MATCH(a, b))
 		return false;
 	/* if we have good uids for both but they differ, these are different */
 	if (a->q_mailer == ProgMailer)
 	{
@ -2409,6 +2413,7 @@ struct qflags
 	unsigned long	qf_bit;
 };
 /* :'a,.s;^#define \(Q[A-Z]*\)	.*;	{ "\1",	\1	},; */
 static struct qflags	AddressFlags[] =
 {
 	{ "QGOODUID",		QGOODUID	},
@ -2426,6 +2431,12 @@ static struct qflags	AddressFlags[] =
 	{ "QDELIVERED",		QDELIVERED	},
 	{ "QDELAYED",		QDELAYED	},
 	{ "QTHISPASS",		QTHISPASS	},
 	{ "QALIAS",		QALIAS		},
 	{ "QBYTRACE",		QBYTRACE	},
 	{ "QBYNDELAY",		QBYNDELAY	},
 	{ "QBYNRELAY",		QBYNRELAY	},
 	{ "QINTBCC",		QINTBCC		},
 	{ "QDYNMAILER",		QDYNMAILER	},
 	{ "QRCPTOK",		QRCPTOK		},
 	{ NULL,			0		}
 };
@ -2789,7 +2800,7 @@ remotename(name, m, flags, pstat, e)
 	{
 		sm_dprintf("remotename => `");
 		xputs(sm_debug_file(), buf);
-		sm_dprintf("'\n");
+		sm_dprintf("', stat=%d\n", *pstat);
 	}
 	return buf;
 }
@ -3060,6 +3071,8 @@ dequote_map(map, name, av, statp)
 **		logid -- id for sm_syslog.
 **		addr -- if not NULL and ruleset returns $#error:
 **				store mailer triple here.
 **		addrstr -- if not NULL and ruleset does not return $#:
 **				address string
 **
 **	Returns:
 **		EX_OK -- if the rwset doesn't resolve to $#error
@ -3067,7 +3080,7 @@ dequote_map(map, name, av, statp)
 */
 int
-rscheck(rwset, p1, p2, e, flags, logl, host, logid, addr)
+rscheck(rwset, p1, p2, e, flags, logl, host, logid, addr, addrstr)
 	char *rwset;
 	char *p1;
 	char *p2;
@ -3077,6 +3090,7 @@ rscheck(rwset, p1, p2, e, flags, logl, host, logid, addr)
 	char *host;
 	char *logid;
 	ADDRESS *addr;
 	char **addrstr;
 {
 	char *volatile buf;
 	size_t bufsize;
@ -3150,6 +3164,16 @@ rscheck(rwset, p1, p2, e, flags, logl, host, logid, addr)
 		(void) REWRITE(pvp, rsno, e);
 		if (bitset(RSF_UNSTRUCTURED, flags))
 			SuprErrs = saveSuprErrs;
 		if (pvp[0] != NULL && (pvp[0][0] & 0377) != CANONNET &&
 		    bitset(RSF_ADDR, flags) && addrstr != NULL)
 		{
 			cataddr(&(pvp[0]), NULL, ubuf, sizeof(ubuf), ' ', true);
 			*addrstr = sm_rpool_strdup_x(e->e_rpool, ubuf);
 			goto finis;
 		}
 		if (pvp[0] == NULL || (pvp[0][0] & 0377) != CANONNET ||
 		    pvp[1] == NULL || (strcmp(pvp[1], "error") != 0 &&
 				       strcmp(pvp[1], "discard") != 0))
--- a/src/queue.c
+++ b/src/queue.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998-2009, 2011, 2012 Proofpoint, Inc. and its suppliers.
+ * Copyright (c) 1998-2009, 2011, 2012, 2014 Proofpoint, Inc. and its suppliers.
 *	All rights reserved.
 * Copyright (c) 1983, 1995-1997 Eric P. Allman.  All rights reserved.
 * Copyright (c) 1988, 1993
@ -125,13 +125,6 @@ static SM_DEBUG_T DebugLeakQ = SM_DEBUG_INITIALIZER("leak_q",
 	"@(#)$Debug: leak_q - trace memory leaks during queue processing $");
 #endif /* SM_HEAP_CHECK */
 /*
 **  We use EmptyString instead of "" to avoid
 **  'zero-length format string' warnings from gcc
 */
 static const char EmptyString[] = "";
 static void	grow_wlist __P((int, int));
 static int	multiqueue_cache __P((char *, int, QUEUEGRP *, int, unsigned int *));
 static int	gatherq __P((int, int, bool, bool *, bool *, int *));
@ -304,7 +297,7 @@ hash_q(p, h)
 **	d	data file directory name (added in 8.12)
 **	E	error recipient
 **	F	flag bits
-**	G	free (was: queue delay algorithm if _FFR_QUEUEDELAY)
+**	G	free
 **	H	header
 **	I	data file's inode number
 **	K	time of last delivery attempt
@ -320,7 +313,7 @@ hash_q(p, h)
 **	T	init time
 **	V	queue file version
 **	X	free (was: character set if _FFR_SAVE_CHARSET)
-**	Y	free (was: current delay if _FFR_QUEUEDELAY)
+**	Y	free
 **	Z	original envelope id from ESMTP
 **	!	deliver by (added in 8.12)
 **	$	define macro
@ -404,8 +397,8 @@ queueup(e, announce, msync)
 			printopenfds(true);
 			errno = save_errno;
-			syserr("!queueup: cannot create queue file %s, euid=%d, fd=%d, fp=%p",
+			syserr("!queueup: cannot create queue file %s, euid=%ld, fd=%d, fp=%p",
-				tf, (int) geteuid(), tfd, tfp);
+				tf, (long) geteuid(), tfd, tfp);
 			/* NOTREACHED */
 		}
 		e->e_lockfp = tfp;
@ -427,8 +420,8 @@ queueup(e, announce, msync)
 						break;
 					if (LogLevel > 0 && (i % 32) == 0)
 						sm_syslog(LOG_ALERT, e->e_id,
-							  "queueup: cannot create %s, euid=%d: %s",
+							  "queueup: cannot create %s, euid=%ld: %s",
-							  tf, (int) geteuid(),
+							  tf, (long) geteuid(),
 							  sm_errstring(errno));
 				}
 #if SM_OPEN_EXLOCK
@ -473,8 +466,8 @@ queueup(e, announce, msync)
 			printopenfds(true);
 			errno = save_errno;
-			syserr("!queueup: cannot create queue temp file %s, uid=%d",
+			syserr("!queueup: cannot create queue temp file %s, uid=%ld",
-				tf, (int) geteuid());
+				tf, (long) geteuid());
 		}
 	}
@ -518,8 +511,8 @@ queueup(e, announce, msync)
 		    sm_io_setinfo(e->e_dfp, SM_BF_COMMIT, NULL) < 0 &&
 		    errno != EINVAL)
 		{
-			syserr("!queueup: cannot commit data file %s, uid=%d",
+			syserr("!queueup: cannot commit data file %s, uid=%ld",
-			       queuename(e, DATAFL_LETTER), (int) geteuid());
+			       queuename(e, DATAFL_LETTER), (long) geteuid());
 		}
 		if (e->e_dfp != NULL &&
 		    SuperSafe == SAFE_INTERACTIVE && msync)
@ -560,8 +553,8 @@ queueup(e, announce, msync)
 		if (dfd < 0 || (dfp = sm_io_open(SmFtStdiofd, SM_TIME_DEFAULT,
 						 (void *) &dfd, SM_IO_WRONLY_B,
 						 NULL)) == NULL)
-			syserr("!queueup: cannot create data temp file %s, uid=%d",
+			syserr("!queueup: cannot create data temp file %s, uid=%ld",
-				df, (int) geteuid());
+				df, (long) geteuid());
 		if (fstat(dfd, &stbuf) < 0)
 			e->e_dfino = -1;
 		else
@ -595,8 +588,8 @@ queueup(e, announce, msync)
 		}
 		if (sm_io_close(dfp, SM_TIME_DEFAULT) < 0)
-			syserr("!queueup: cannot save data temp file %s, uid=%d",
+			syserr("!queueup: cannot save data temp file %s, uid=%ld",
-				df, (int) geteuid());
+				df, (long) geteuid());
 		e->e_putbody = putbody;
 	}
@ -733,9 +726,15 @@ queueup(e, announce, msync)
 			(void) sm_io_putc(tfp, SM_TIME_DEFAULT, 'F');
 		if (bitset(QPINGONDELAY, q->q_flags))
 			(void) sm_io_putc(tfp, SM_TIME_DEFAULT, 'D');
 		if (bitset(QINTBCC, q->q_flags))
 			(void) sm_io_putc(tfp, SM_TIME_DEFAULT, 'B');
 		if (q->q_alias != NULL &&
 		    bitset(QALIAS, q->q_alias->q_flags))
 			(void) sm_io_putc(tfp, SM_TIME_DEFAULT, 'A');
 		/* _FFR_RCPTFLAGS */
 		if (bitset(QDYNMAILER, q->q_flags))
 			(void) sm_io_putc(tfp, SM_TIME_DEFAULT, QDYNMAILFLG);
 		(void) sm_io_putc(tfp, SM_TIME_DEFAULT, ':');
 		(void) sm_io_fprintf(tfp, SM_TIME_DEFAULT, "%s\n",
 				     denlstring(q->q_paddr, true, false));
@ -747,10 +746,10 @@ queueup(e, announce, msync)
 				tag = "quarantined";
 			e->e_to = q->q_paddr;
-			message(tag);
+			message("%s", tag);
 			if (LogLevel > 8)
 				logdelivery(q->q_mailer, NULL, q->q_status,
-					    tag, NULL, (time_t) 0, e);
+					    tag, NULL, (time_t) 0, e, q, EX_OK);
 			e->e_to = NULL;
 		}
 		if (tTd(40, 1))
@ -888,8 +887,8 @@ queueup(e, announce, msync)
 		(void) sm_strlcpy(qf, queuename(e, ANYQFL_LETTER),
 				  sizeof(qf));
 		if (rename(tf, qf) < 0)
-			syserr("cannot rename(%s, %s), uid=%d",
+			syserr("cannot rename(%s, %s), uid=%ld",
-				tf, qf, (int) geteuid());
+				tf, qf, (long) geteuid());
 		else
 		{
 			/*
@ -1785,7 +1784,7 @@ runner_work(e, sequenceno, didfork, skip, njobs)
 		if (shouldqueue(w->w_pri, w->w_ctime))
 		{
 			if (Verbose)
-				message(EmptyString);
+				message("%s", "");
 			if (QueueSortOrder == QSO_BYPRIORITY)
 			{
 				if (Verbose)
@ -1813,7 +1812,7 @@ runner_work(e, sequenceno, didfork, skip, njobs)
 		{
 			if (Verbose)
 			{
-				message(EmptyString);
+				message("%s", "");
 				message("Running %s/%s (sequence %d of %d)",
 					qid_printqueue(w->w_qgrp, w->w_qdir),
 					w->w_name + 2, sequenceno, njobs);
@ -2042,9 +2041,7 @@ run_work_group(wgrp, flags)
 	{
 		IgnoreHostStatus = true;
 		MinQueueAge = 0;
 #if _FFR_EXPDELAY
 		MaxQueueAge = 0;
 #endif /* _FFR_EXPDELAY */
 	}
 	/*
@ -2871,7 +2868,6 @@ gatherq(qgrp, qdir, doall, full, more, pnentries)
 				break;
 			  case 'K':
 #if _FFR_EXPDELAY
 				if (MaxQueueAge > 0)
 				{
 					time_t lasttry, delay;
@ -2884,7 +2880,6 @@ gatherq(qgrp, qdir, doall, full, more, pnentries)
 						w->w_tooyoung = true;
 					break;
 				}
 #endif /* _FFR_EXPDELAY */
 				age = curtime() - (time_t) atol(&lbuf[1]);
 				if (age >= 0 && MinQueueAge > 0 &&
@ -4096,8 +4091,9 @@ readqf(e, openonly)
 		if (LogLevel > 0)
 		{
 			sm_syslog(LOG_ALERT, e->e_id,
-				  "bogus queue file, uid=%d, gid=%d, mode=%o",
+				  "bogus queue file, uid=%ld, gid=%ld, mode=%o",
-				  st.st_uid, st.st_gid, st.st_mode);
+				  (long) st.st_uid, (long) st.st_gid,
 				  (unsigned int) st.st_mode);
 		}
 		if (tTd(40, 8))
 			sm_dprintf("readqf(%s): bogus file\n", qf);
@ -4418,6 +4414,14 @@ readqf(e, openonly)
 							ctladdr->q_flags |= QALIAS;
 						break;
 					  case 'B':
 						qflags |= QINTBCC;
 						break;
 					  case QDYNMAILFLG:
 						qflags |= QDYNMAILER;
 						break;
 					  default: /* ignore or complain? */
 						break;
 					}
@ -4426,7 +4430,7 @@ readqf(e, openonly)
 			else
 				qflags |= QPRIMARY;
 			macdefine(&e->e_macro, A_PERM, macid("{addr_type}"),
-				"e r");
+				((qflags & QINTBCC) != 0) ? "e b" : "e r");
 			if (*p != '\0')
 				q = parseaddr(++p, NULLADDR, RF_COPYALL, '\0',
 						NULL, e, true);
@ -4443,6 +4447,10 @@ readqf(e, openonly)
 				q->q_flags |= qflags;
 				q->q_finalrcpt = frcpt;
 				q->q_orcpt = orcpt;
 #if _FFR_RCPTFLAGS
 				if (bitset(QDYNMAILER, qflags))
 					newmodmailer(q, QDYNMAILFLG);
 #endif
 				(void) recipient(q, &e->e_sendqueue, 0, e);
 			}
 			frcpt = NULL;
@ -4500,24 +4508,6 @@ readqf(e, openonly)
 			nomore = true;
 			break;
 #if _FFR_QUEUEDELAY
 		  case 'G':
 		  case 'Y':
 			/*
 			**  Maintain backward compatibility for
 			**  users who defined _FFR_QUEUEDELAY in
 			**  previous releases.  Remove this
 			**  code in 8.14 or 8.15.
 			*/
 			if (qfver == 5 || qfver == 7)
 				break;
 			/* If not qfver 5 or 7, then 'G' or 'Y' is invalid */
 			/* FALLTHROUGH */
 #endif /* _FFR_QUEUEDELAY */
 		  default:
 			syserr("readqf: %s: line %d: bad line \"%s\"",
 				qf, LineNumber, shortenstring(bp, MAXSHORTSTR));
@ -4635,6 +4625,14 @@ readqf(e, openonly)
 static void prtstr __P((char *, int));
 #if _FFR_BOUNCE_QUEUE
 # define SKIP_BOUNCE_QUEUE	\
 		if (i == BounceQueue)	\
 			continue;
 #else
 # define SKIP_BOUNCE_QUEUE
 #endif
 static void
 prtstr(s, ml)
 	char *s;
@ -4698,6 +4696,7 @@ printnqe(out, prefix)
 	{
 		int j;
 		SKIP_BOUNCE_QUEUE
 		k++;
 		for (j = 0; j < Queue[i]->qg_numqueues; j++)
 		{
@ -5643,8 +5642,8 @@ loseqfile(e, why)
 	{
 		p = queuename(e, LOSEQF_LETTER);
 		if (rename(buf, p) < 0)
-			syserr("cannot rename(%s, %s), uid=%d",
+			syserr("cannot rename(%s, %s), uid=%ld",
-			       buf, p, (int) geteuid());
+			       buf, p, (long) geteuid());
 		else if (LogLevel > 0)
 			sm_syslog(LOG_ALERT, e->e_id,
 				  "Losing %s: %s", buf, why);
@ -6656,8 +6655,8 @@ init_sem(owner)
 		r = sm_semsetowner(SemId, RunAsUid, RunAsGid, 0660);
 		if (r != 0)
 			sm_syslog(LOG_ERR, NOQID,
-				"key=%ld, sm_semsetowner=%d, RunAsUid=%d, RunAsGid=%d",
+				"key=%ld, sm_semsetowner=%d, RunAsUid=%ld, RunAsGid=%ld",
-				(long) SemKey, r, RunAsUid, RunAsGid);
+				(long) SemKey, r, (long) RunAsUid, (long) RunAsGid);
 	}
 #endif /* SM_CONF_SEM */
 #endif /* _FFR_USE_SEM_LOCKING */
@ -6815,8 +6814,8 @@ write_key_file(keypath, key)
 				int err = errno;
 				sm_syslog(LOG_ALERT, NOQID,
-					  "ownership change on %s to %d failed: %s",
+					  "ownership change on %s to %ld failed: %s",
-					  keypath, RunAsUid, sm_errstring(err));
+					  keypath, (long) RunAsUid, sm_errstring(err));
 			}
 #  endif /* HASFCHOWN */
 		}
@ -6966,8 +6965,8 @@ init_shm(qn, owner, hash)
 			i = sm_shmsetowner(ShmId, RunAsUid, RunAsGid, 0660);
 			if (i != 0)
 				sm_syslog(LOG_ERR, NOQID,
-					"key=%ld, sm_shmsetowner=%d, RunAsUid=%d, RunAsGid=%d",
+					"key=%ld, sm_shmsetowner=%d, RunAsUid=%ld, RunAsGid=%ld",
-					(long) ShmKey, i, RunAsUid, RunAsGid);
+					(long) ShmKey, i, (long) RunAsUid, (long) RunAsGid);
 		}
 		p = (int *) Pshm;
 		if (owner)
@ -7155,19 +7154,19 @@ setup_queues(owner)
 		    safefile(" ", RunAsUid, RunAsGid, RunAsUserName, sff,
 			     QueueFileMode, NULL) != 0)
 		{
-			syserr("can not write to queue directory %s (RunAsGid=%d, required=%d)",
+			syserr("can not write to queue directory %s (RunAsGid=%ld, required=%ld)",
-				basedir, (int) RunAsGid, (int) st.st_gid);
+				basedir, (long) RunAsGid, (long) st.st_gid);
 		}
 		if (bitset(S_IWOTH|S_IXOTH, st.st_mode))
 		{
 #if _FFR_MSP_PARANOIA
 			syserr("dangerous permissions=%o on queue directory %s",
-				(int) st.st_mode, basedir);
+				(unsigned int) st.st_mode, basedir);
 #else /* _FFR_MSP_PARANOIA */
 			if (LogLevel > 0)
 				sm_syslog(LOG_ERR, NOQID,
 					  "dangerous permissions=%o on queue directory %s",
-					  (int) st.st_mode, basedir);
+					  (unsigned int) st.st_mode, basedir);
 #endif /* _FFR_MSP_PARANOIA */
 		}
 #if _FFR_MSP_PARANOIA
@ -7619,7 +7618,7 @@ cmpidx(a, b)
 }
 /*
-**  MAKEWORKGROUP -- balance queue groups into work groups per MaxQueueChildren
+**  MAKEWORKGROUPS -- balance queue groups into work groups per MaxQueueChildren
 **
 **  Take the now defined queue groups and assign them to work groups.
 **  This is done to balance out the number of concurrently active
@ -7691,6 +7690,7 @@ makeworkgroups()
 	NumWorkGroups = 0;
 	for (i = 0; i < NumQueue; i++)
 	{
 		SKIP_BOUNCE_QUEUE
 		total_runners += si[i].sg_maxqrun;
 		if (MaxQueueChildren <= 0 || total_runners <= MaxQueueChildren)
 			NumWorkGroups++;
@ -7716,6 +7716,8 @@ makeworkgroups()
 	dir = 1;
 	for (i = 0; i < NumQueue; i++)
 	{
 		SKIP_BOUNCE_QUEUE
 		/* a to-and-fro packing scheme, continue from last position */
 		if (j >= NumWorkGroups)
 		{
--- a/src/readcf.c
+++ b/src/readcf.c
@ -33,6 +33,51 @@ static void	toomany __P((int, int));
 static char	*extrquotstr __P((char *, char **, char *, bool *));
 static void	parse_class_words __P((int, char *));
 #if _FFR_BOUNCE_QUEUE
 static char *bouncequeue = NULL;
 static void initbouncequeue __P((void));
 /*
 **  INITBOUNCEQUEUE -- determine BounceQueue if option is set.
 **
 **	Parameters:
 **		none.
 **
 **	Returns:
 **		none.
 **
 **	Side Effects:
 **		sets BounceQueue
 */
 static void
 initbouncequeue()
 {
 	STAB *s;
 	BounceQueue = NOQGRP;
 	if (bouncequeue == NULL || bouncequeue[0] == '\0')
 		return;
 	s = stab(bouncequeue, ST_QUEUE, ST_FIND);
 	if (s == NULL)
 	{
 		(void) sm_io_fprintf(smioout, SM_TIME_DEFAULT,
 			"Warning: option BounceQueue: unknown queue group %s\n",
 			bouncequeue);
 	}
 	else
 		BounceQueue = s->s_quegrp->qg_index;
 }
 #endif /* _FFR_BOUNCE_QUEUE */
 #if _FFR_RCPTFLAGS
 void setupdynmailers __P((void));
 #else
 #define setupdynmailers()
 #endif
 /*
 **  READCF -- read configuration file.
 **
@ -117,13 +162,18 @@ readcf(cfname, safe, e)
 #if STARTTLS
 	Srv_SSL_Options = SSL_OP_ALL;
 	Clt_SSL_Options = SSL_OP_ALL
-#ifdef SSL_OP_NO_SSLv2
+# ifdef SSL_OP_NO_SSLv2
 		| SSL_OP_NO_SSLv2
-#endif
+# endif
-#ifdef SSL_OP_NO_TICKET
+# ifdef SSL_OP_NO_TICKET
 		| SSL_OP_NO_TICKET
-#endif
+# endif
 		;
 # ifdef SSL_OP_TLSEXT_PADDING
 	/* SSL_OP_TLSEXT_PADDING breaks compatibility with some sites */
 	Srv_SSL_Options &= ~SSL_OP_TLSEXT_PADDING;
 	Clt_SSL_Options &= ~SSL_OP_TLSEXT_PADDING;
 # endif /* SSL_OP_TLSEXT_PADDING */
 #endif /* STARTTLS */
 	if (DontLockReadFiles)
 		sff |= SFF_NOLOCK;
@ -725,6 +775,10 @@ readcf(cfname, safe, e)
 	(void) sm_io_close(cf, SM_TIME_DEFAULT);
 	FileName = NULL;
 #if _FFR_BOUNCE_QUEUE
 	initbouncequeue();
 #endif
 	/* initialize host maps from local service tables */
 	inithostmaps();
@ -751,6 +805,7 @@ readcf(cfname, safe, e)
 			}
 		}
 	}
 	setupdynmailers();
 }
 /*
@ -1170,6 +1225,127 @@ fileclass(class, filename, fmt, ismap, safe, optional)
 	if (pid > 0)
 		(void) waitfor(pid);
 }
 #if _FFR_RCPTFLAGS
 /* first character for dynamically created mailers */
 static char dynmailerp = ' ';
 /* list of first characters for cf defined mailers */
 static char frst[MAXMAILERS + 1];
 /*
 **  SETUPDYNMAILERS -- find a char that isn't used as first element of any
 **		mailer name.
 **
 **	Parameters:
 **		none
 **
 **	Returns:
 **		none
 **	
 **	Note: space is not valid in cf defined mailers hence the function
 **		will always find a char. It's not nice, but this is for
 **		internal names only.
 */
 void
 setupdynmailers()
 {
 	int i;
 	char pp[] = "YXZ0123456789ABCDEFGHIJKLMNOPQRSTUVWyxzabcfghijkmnoqtuvw ";
 	frst[MAXMAILERS] = '\0';
 	for (i = 0; i < strlen(pp); i++)
 	{
 		if (strchr(frst, pp[i]) == NULL)
 		{
 			dynmailerp = pp[i];
 			if (tTd(25, 8))
 				sm_dprintf("dynmailerp=%c\n", dynmailerp);
 			return;
 		}
 	}
 	/* NOTREACHED */
 	SM_ASSERT(0);
 }
 /*
 **  NEWMODMAILER -- Create a new mailer with modifications
 **
 **	Parameters:
 **		rcpt -- current RCPT
 **		fl -- flag to set
 **
 **	Returns:
 **		true iff successful.
 **
 **	Note: this creates a copy of the mailer for the rcpt and
 **		modifies exactly one flag.  It does not work
 **		for multiple flags!
 */
 #define SM_ARRAY_SIZE(array)   (sizeof(array) / sizeof((array)[0]))
 bool
 newmodmailer(rcpt, fl)
 	ADDRESS *rcpt;
 	char fl;
 {
 	int idx;
 	struct mailer *m;
 	STAB *s;
 	char mname[256];
 	SM_REQUIRE(rcpt != NULL);
 	if (rcpt->q_mailer == NULL)
 		return false;
 	if (tTd(25, 8))
 		sm_dprintf("newmodmailer: rcpt=%s\n", rcpt->q_paddr);
 	SM_REQUIRE(rcpt->q_mailer->m_name != NULL);
 	SM_REQUIRE(rcpt->q_mailer->m_name[0] != '\0');
 	sm_strlcpy(mname, rcpt->q_mailer->m_name, sizeof(mname));
 	mname[0] = dynmailerp;
 	if (tTd(25, 8))
 		sm_dprintf("newmodmailer: name=%s\n", mname);
 	s = stab(mname, ST_MAILER, ST_ENTER);
 	if (s->s_mailer != NULL)
 	{
 		idx = s->s_mailer->m_mno;
 		if (tTd(25, 6))
 			sm_dprintf("newmodmailer: found idx=%d\n", idx);
 	}
 	else
 	{
 		idx = rcpt->q_mailer->m_mno;
 		idx += MAXMAILERS;
 		if (tTd(25, 6))
 			sm_dprintf("newmodmailer: idx=%d\n", idx);
 		if (idx > SM_ARRAY_SIZE(Mailer))
 			return false;
 	}
 	m = Mailer[idx];
 	if (m == NULL)
 		m = (struct mailer *) xalloc(sizeof(*m));
 	memset((char *) m, '\0', sizeof(*m));
 	STRUCTCOPY(*rcpt->q_mailer, *m);
 	Mailer[idx] = m;
 	/* "modify" the mailer */
 	setbitn(bitidx(fl), m->m_flags);
 	rcpt->q_mailer = m;
 	m->m_mno = idx;
 	m->m_name = newstr(mname);
 	if (tTd(25, 1))
 		sm_dprintf("newmodmailer: mailer[%d]=%s %p\n",
 			idx, Mailer[idx]->m_name, Mailer[idx]);
 	return true;
 }
 #endif /* _FFR_RCPTFLAGS */
 /*
 **  MAKEMAILER -- define a new mailer.
 **
@ -1203,6 +1379,7 @@ fileclass(class, filename, fmt, ismap, safe, optional)
 **		enters the mailer into the mailer table.
 */
 void
 makemailer(line)
 	char *line;
@ -1233,6 +1410,9 @@ makemailer(line)
 		return;
 	}
 	m->m_name = newstr(line);
 #if _FFR_RCPTFLAGS
 	frst[nextmailer] = line[0];
 #endif
 	m->m_qgrp = NOQGRP;
 	m->m_uid = NO_UID;
 	m->m_gid = NO_GID;
@ -1274,12 +1454,10 @@ makemailer(line)
 			{
 				if (!(isascii(*p) && isspace(*p)))
 				{
 #if _FFR_DEPRECATE_MAILER_FLAG_I
 					if (*p == M_INTERNAL)
 						sm_syslog(LOG_WARNING, NOQID,
 							  "WARNING: mailer=%s, flag=%c deprecated",
 							  m->m_name, *p);
 #endif /* _FFR_DEPRECATE_MAILER_FLAG_I */
 					setbitn(bitidx(*p), m->m_flags);
 				}
 			}
@ -1934,6 +2112,7 @@ printmailer(fp, m)
 	}
 	(void) sm_io_fprintf(fp, SM_TIME_DEFAULT, "\n");
 }
 /*
 **  SETOPTION -- set global processing option
 **
@ -2175,12 +2354,10 @@ static struct optioninfo
 	{ "AuthOptions",		O_SASLOPTS,	OI_NONE	},
 #define O_QUEUE_FILE_MODE	0xbe
 	{ "QueueFileMode",		O_QUEUE_FILE_MODE, OI_NONE	},
-#if _FFR_TLS_1
+#define O_DIG_ALG	0xbf
-# define O_DHPARAMS5	0xbf
+	{ "CertFingerprintAlgorithm",		O_DIG_ALG,	OI_NONE	},
-	{ "DHParameters512",		O_DHPARAMS5,	OI_NONE	},
+#define O_CIPHERLIST	0xc0
 # define O_CIPHERLIST	0xc0
 	{ "CipherList",			O_CIPHERLIST,	OI_NONE	},
 #endif /* _FFR_TLS_1 */
 #define O_RANDFILE	0xc1
 	{ "RandFile",			O_RANDFILE,	OI_NONE	},
 #define O_TLS_SRV_OPTS	0xc2
@ -2266,16 +2443,12 @@ static struct optioninfo
 # define O_RCPTSHUTDG	0xe2
 	{ "BadRcptShutdownGood",	O_RCPTSHUTDG,	OI_SAFE	},
 #endif /* _FFR_BADRCPT_SHUTDOWN */
-#if STARTTLS && _FFR_TLS_1
+#define O_SRV_SSL_OPTIONS	0xe3
 # define O_SRV_SSL_OPTIONS	0xe3
 	{ "ServerSSLOptions",		O_SRV_SSL_OPTIONS,	OI_NONE	},
-# define O_CLT_SSL_OPTIONS	0xe4
+#define O_CLT_SSL_OPTIONS	0xe4
 	{ "ClientSSLOptions",		O_CLT_SSL_OPTIONS,	OI_NONE	},
-#endif /* STARTTLS && _FFR_TLS_1 */
+#define O_MAX_QUEUE_AGE	0xe5
 #if _FFR_EXPDELAY
 # define O_MAX_QUEUE_AGE	0xe5
 	{ "MaxQueueAge",	O_MAX_QUEUE_AGE,	OI_NONE },
 #endif /* _FFR_EXPDELAY */
 #if _FFR_RCPTTHROTDELAY
 # define O_RCPTTHROTDELAY	0xe6
 	{ "BadRcptThrottleDelay",	O_RCPTTHROTDELAY,	OI_SAFE	},
@ -2292,15 +2465,23 @@ static struct optioninfo
 # define O_REJECTNUL	0xe9
 	{ "RejectNUL",	O_REJECTNUL,	OI_SAFE	},
 #endif /* _FFR_REJECT_NUL_BYTE */
 #if _FFR_BOUNCE_QUEUE
 # define O_BOUNCEQUEUE 0xea
 	{ "BounceQueue",		O_BOUNCEQUEUE,	OI_NONE },
 #endif /* _FFR_BOUNCE_QUEUE */
 #if _FFR_ADD_BCC
 # define O_ADDBCC 0xeb
 	{ "AddBcc",			O_ADDBCC,	OI_NONE },
 #endif
 	{ NULL,				'\0',		OI_NONE	}
 };
-#if STARTTLS && _FFR_TLS_1
+#if STARTTLS
 static struct ssl_options
 {
 	const char	*sslopt_name;	/* name of the flag */
-	long		sslopt_bits;	/* bits to set/clear */
+	unsigned long	sslopt_bits;	/* bits to set/clear */
 } SSL_Option[] =
 {
 /* Workaround for bugs are turned on by default (as well as some others) */
@ -2405,10 +2586,13 @@ static struct ssl_options
 #endif
 #ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG
 	{ "SSL_OP_CRYPTOPRO_TLSEXT_BUG",	SSL_OP_CRYPTOPRO_TLSEXT_BUG	},
 #endif
 #ifdef SSL_OP_TLSEXT_PADDING
 	{ "SSL_OP_TLSEXT_PADDING",	SSL_OP_TLSEXT_PADDING	},
 #endif
 	{ NULL,		0		}
 };
-#endif /* STARTTLS && _FFR_TLS_1 */
+#endif /* STARTTLS */
 # define CANONIFY(val)
@ -2451,9 +2635,9 @@ setoption(opt, val, safe, sticky, e)
 	char *newval;
 	char exbuf[MAXLINE];
 #endif /* STARTTLS || SM_CONF_SHM */
-#if STARTTLS && _FFR_TLS_1
+#if STARTTLS
-	long *pssloptions = NULL;
+	unsigned long *pssloptions = NULL;
-#endif /* STARTTLS && _FFR_TLS_1 */
+#endif
 	errno = 0;
 	if (opt == ' ')
@ -2698,6 +2882,11 @@ setoption(opt, val, safe, sticky, e)
 			set_delivery_mode(*val, e);
 			break;
 #if _FFR_PROXY
 		  case SM_PROXY_REQ:
 			set_delivery_mode(*val, e);
 			break;
 #endif /* _FFR_PROXY */
 		  default:
 			syserr("Unknown delivery mode %c", *val);
@ -3151,11 +3340,9 @@ setoption(opt, val, safe, sticky, e)
 		MinQueueAge = convtime(val, 'm');
 		break;
 #if _FFR_EXPDELAY
 	  case O_MAX_QUEUE_AGE:
 		MaxQueueAge = convtime(val, 'm');
 		break;
 #endif /* _FFR_EXPDELAY */
 	  case O_DEFCHARSET:	/* default character set for mimefying */
 		DefaultCharSet = newstr(denlstring(val, true, true));
@ -3370,9 +3557,9 @@ setoption(opt, val, safe, sticky, e)
 				RunAsGid = pw->pw_gid;
 			else if (UseMSP && *p == '\0')
 				(void) sm_io_fprintf(smioout, SM_TIME_DEFAULT,
-						     "WARNING: RunAsUser for MSP ignored, check group ids (egid=%d, want=%d)\n",
+						     "WARNING: RunAsUser for MSP ignored, check group ids (egid=%ld, want=%ld)\n",
-						     (int) EffGid,
+						     (long) EffGid,
-						     (int) pw->pw_gid);
+						     (long) pw->pw_gid);
 		}
 # ifdef UID_MAX
 		if (RunAsUid > UID_MAX)
@ -3394,9 +3581,9 @@ setoption(opt, val, safe, sticky, e)
 				else if (UseMSP)
 					(void) sm_io_fprintf(smioout,
 							     SM_TIME_DEFAULT,
-							     "WARNING: RunAsUser for MSP ignored, check group ids (egid=%d, want=%d)\n",
+							     "WARNING: RunAsUser for MSP ignored, check group ids (egid=%ld, want=%ld)\n",
-							     (int) EffGid,
+							     (long) EffGid,
-							     (int) runasgid);
+							     (long) runasgid);
 			}
 			else
 			{
@ -3411,9 +3598,9 @@ setoption(opt, val, safe, sticky, e)
 				else if (UseMSP)
 					(void) sm_io_fprintf(smioout,
 							     SM_TIME_DEFAULT,
-							     "WARNING: RunAsUser for MSP ignored, check group ids (egid=%d, want=%d)\n",
+							     "WARNING: RunAsUser for MSP ignored, check group ids (egid=%ld, want=%ld)\n",
-							     (int) EffGid,
+							     (long) EffGid,
-							     (int) gr->gr_gid);
+							     (long) gr->gr_gid);
 			}
 		}
 		if (tTd(47, 5))
@ -3741,11 +3928,10 @@ setoption(opt, val, safe, sticky, e)
 		SET_STRING_EXP(CACertPath);
 	  case O_DHPARAMS:
 		SET_STRING_EXP(DHParams);
 # if _FFR_TLS_1
 	  case O_DHPARAMS5:
 		SET_STRING_EXP(DHParams5);
 	  case O_CIPHERLIST:
 		SET_STRING_EXP(CipherList);
 	  case O_DIG_ALG:
 		SET_STRING_EXP(CertFingerprintAlgorithm);
 	  case O_SRV_SSL_OPTIONS:
 		pssloptions = &Srv_SSL_Options;
 	  case O_CLT_SSL_OPTIONS:
@ -3755,6 +3941,7 @@ setoption(opt, val, safe, sticky, e)
 		{
 			bool clearmode;
 			char *q;
 			unsigned long sslopt_val;
 			struct ssl_options *sslopts;
 			while (*p == ' ')
@ -3769,28 +3956,54 @@ setoption(opt, val, safe, sticky, e)
 				p++;
 			if (*p != '\0')
 				*p++ = '\0';
-			for (sslopts = SSL_Option;
+			sslopt_val = 0;
-			     sslopts->sslopt_name != NULL; sslopts++)
+			if (isdigit(*q))
 			{
-				if (sm_strcasecmp(q, sslopts->sslopt_name) == 0)
+				char *end;
-					break;
+
 				sslopt_val = strtoul(q, &end, 0);
 				/* not a complete "syntax" check but good enough */
 				if (end == q)
 				{
 					errno = 0;
 					syserr("readcf: %s option value %s not a number",
 						o->o_name, q);
 					sslopt_val = 0;
 				}
 			}
 			if (sslopts->sslopt_name == NULL)
 			{
 				errno = 0;
 				syserr("readcf: %s option value %s unrecognized",
 					o->o_name, q);
 			}
 			else if (clearmode)
 				*pssloptions &= ~sslopts->sslopt_bits;
 			else
-				*pssloptions |= sslopts->sslopt_bits;
+			{
 				for (sslopts = SSL_Option;
 				     sslopts->sslopt_name != NULL; sslopts++)
 				{
 					if (sm_strcasecmp(q, sslopts->sslopt_name) == 0)
 					{
 						sslopt_val = sslopts->sslopt_bits;
 						break;
 					}
 				}
 				if (sslopts->sslopt_name == NULL)
 				{
 					errno = 0;
 					syserr("readcf: %s option value %s unrecognized",
 						o->o_name, q);
 				}
 			}
 			if (sslopt_val != 0)
 			{
 				if (clearmode)
 					*pssloptions &= ~sslopt_val;
 				else
 					*pssloptions |= sslopt_val;
 			}
 		}
 		if (tTd(37, 8))
 			sm_dprintf("ssloptions=%#lx\n", *pssloptions);
 		pssloptions = NULL;
 		break;
 # endif /* _FFR_TLS_1 */
 	  case O_CRLFILE:
 # if OPENSSL_VERSION_NUMBER > 0x00907000L
 		SET_STRING_EXP(CRLFile);
@ -3831,7 +4044,6 @@ setoption(opt, val, safe, sticky, e)
 			  case 'V':
 				TLS_Srv_Opts |= TLS_I_NO_VRFY;
 				break;
 # if _FFR_TLS_1
 			/*
 			**  Server without a cert? That works only if
 			**  AnonDH is enabled as cipher, which is not in the
@ -3843,7 +4055,6 @@ setoption(opt, val, safe, sticky, e)
 			  case 'C':
 				TLS_Srv_Opts &= ~TLS_I_SRV_CERT;
 				break;
 # endif /* _FFR_TLS_1 */
 			  case ' ':	/* ignore */
 			  case '\t':	/* ignore */
 			  case ',':	/* ignore */
@ -3876,10 +4087,9 @@ setoption(opt, val, safe, sticky, e)
 	  case O_CACERTFILE:
 	  case O_CACERTPATH:
 	  case O_DHPARAMS:
-# if _FFR_TLS_1
+	  case O_SRV_SSL_OPTIONS:
-	  case O_DHPARAMS5:
+	  case O_CLT_SSL_OPTIONS:
 	  case O_CIPHERLIST:
 # endif /* _FFR_TLS_1 */
 	  case O_CRLFILE:
 # if _FFR_CRLPATH
 	  case O_CRLPATH:
@ -4056,6 +4266,18 @@ setoption(opt, val, safe, sticky, e)
 		break;
 #endif /* _FFR_REJECT_NUL_BYTE */
 #if _FFR_BOUNCE_QUEUE
 	  case O_BOUNCEQUEUE:
 		bouncequeue = newstr(val);
 		break;
 #endif /* _FFR_BOUNCE_QUEUE */
 #if _FFR_ADD_BCC
 	  case O_ADDBCC:
 		AddBcc = atobool(val);
 		break;
 #endif
 	  default:
 		if (tTd(37, 1))
 		{
--- a/src/recipient.c
+++ b/src/recipient.c
@ -667,8 +667,8 @@ recipient(new, sendq, aliaslevel, e)
 			new->q_status = "5.7.1";
 			if (new->q_alias->q_ruser == NULL)
 				usrerrenh(new->q_status,
-					  "550 UID %d is an unknown user: cannot mail to programs",
+					  "550 UID %ld is an unknown user: cannot mail to programs",
-					  new->q_alias->q_uid);
+					  (long) new->q_alias->q_uid);
 			else
 				usrerrenh(new->q_status,
 					  "550 User %s@%s doesn't have a valid shell for mailing to programs",
@ -890,8 +890,8 @@ recipient(new, sendq, aliaslevel, e)
 			new->q_status = "5.7.1";
 			if (new->q_alias->q_ruser == NULL)
 				usrerrenh(new->q_status,
-					  "550 UID %d is an unknown user: cannot mail to files",
+					  "550 UID %ld is an unknown user: cannot mail to files",
-					  new->q_alias->q_uid);
+					  (long) new->q_alias->q_uid);
 			else
 				usrerrenh(new->q_status,
 					  "550 User %s@%s doesn't have a valid shell for mailing to files",
@ -1174,7 +1174,7 @@ finduser(name, fuzzyp, user)
 	*fuzzyp = false;
-#if HESIOD
+#if HESIOD && !HESIOD_ALLOW_NUMERIC_LOGIN
 	/* DEC Hesiod getpwnam accepts numeric strings -- short circuit it */
 	for (p = name; *p != '\0'; p++)
 		if (!isascii(*p) || !isdigit(*p))
@ -1185,7 +1185,7 @@ finduser(name, fuzzyp, user)
 			sm_dprintf("failed (numeric input)\n");
 		return EX_NOUSER;
 	}
-#endif /* HESIOD */
+#endif /* HESIOD && !HESIOD_ALLOW_NUMERIC_LOGIN */
 	/* look up this login name using fast path */
 	status = sm_mbdb_lookup(name, user);
@ -1446,8 +1446,8 @@ include(fname, forwarding, ctladdr, sendq, aliaslevel, e)
 	if (tTd(27, 2))
 		sm_dprintf("include(%s)\n", fname);
 	if (tTd(27, 4))
-		sm_dprintf("   ruid=%d euid=%d\n",
+		sm_dprintf("   ruid=%ld euid=%ld\n",
-			(int) getuid(), (int) geteuid());
+			(long) getuid(), (long) geteuid());
 	if (tTd(27, 14))
 	{
 		sm_dprintf("ctladdr ");
@ -1455,8 +1455,8 @@ include(fname, forwarding, ctladdr, sendq, aliaslevel, e)
 	}
 	if (tTd(27, 9))
-		sm_dprintf("include: old uid = %d/%d\n",
+		sm_dprintf("include: old uid = %ld/%ld\n",
-			   (int) getuid(), (int) geteuid());
+			   (long) getuid(), (long) geteuid());
 	if (forwarding)
 	{
@ -1483,8 +1483,8 @@ include(fname, forwarding, ctladdr, sendq, aliaslevel, e)
 	    !bitnset(DBS_NONROOTSAFEADDR, DontBlameSendmail))
 	{
 		if (tTd(27, 4))
-			sm_dprintf("include: not safe (euid=%d, RunAsUid=%d)\n",
+			sm_dprintf("include: not safe (euid=%ld, RunAsUid=%ld)\n",
-				   (int) geteuid(), (int) RunAsUid);
+				   (long) geteuid(), (long) RunAsUid);
 		ctladdr->q_flags |= QUNSAFEADDR;
 	}
@ -1512,8 +1512,8 @@ include(fname, forwarding, ctladdr, sendq, aliaslevel, e)
 			if (initgroups(user, gid) == -1)
 			{
 				rval = EAGAIN;
-				syserr("include: initgroups(%s, %d) failed",
+				syserr("include: initgroups(%s, %ld) failed",
-					user, gid);
+					user, (long) gid);
 				goto resetuid;
 			}
 		}
@ -1533,7 +1533,7 @@ include(fname, forwarding, ctladdr, sendq, aliaslevel, e)
 		if (gid != 0 && setgid(gid) < -1)
 		{
 			rval = EAGAIN;
-			syserr("setgid(%d) failure", gid);
+			syserr("setgid(%ld) failure", (long) gid);
 			goto resetuid;
 		}
 		if (uid != 0)
@ -1542,8 +1542,8 @@ include(fname, forwarding, ctladdr, sendq, aliaslevel, e)
 			if (seteuid(uid) < 0)
 			{
 				rval = EAGAIN;
-				syserr("seteuid(%d) failure (real=%d, eff=%d)",
+				syserr("seteuid(%ld) failure (real=%ld, eff=%ld)",
-					uid, (int) getuid(), (int) geteuid());
+					(long) uid, (long) getuid(), (long) geteuid());
 				goto resetuid;
 			}
 # endif /* MAILER_SETUID_METHOD == USE_SETEUID */
@ -1551,8 +1551,8 @@ include(fname, forwarding, ctladdr, sendq, aliaslevel, e)
 			if (setreuid(0, uid) < 0)
 			{
 				rval = EAGAIN;
-				syserr("setreuid(0, %d) failure (real=%d, eff=%d)",
+				syserr("setreuid(0, %ld) failure (real=%ld, eff=%ld)",
-					uid, (int) getuid(), (int) geteuid());
+					(long) uid, (long) getuid(), (long) geteuid());
 				goto resetuid;
 			}
 # endif /* MAILER_SETUID_METHOD == USE_SETREUID */
@ -1561,8 +1561,8 @@ include(fname, forwarding, ctladdr, sendq, aliaslevel, e)
 #endif /* MAILER_SETUID_METHOD != USE_SETUID */
 	if (tTd(27, 9))
-		sm_dprintf("include: new uid = %d/%d\n",
+		sm_dprintf("include: new uid = %ld/%ld\n",
-			   (int) getuid(), (int) geteuid());
+			   (long) getuid(), (long) geteuid());
 	/*
 	**  If home directory is remote mounted but server is down,
@ -1655,8 +1655,8 @@ include(fname, forwarding, ctladdr, sendq, aliaslevel, e)
 	{
 		/* don't use this :include: file */
 		if (tTd(27, 4))
-			sm_dprintf("include: not safe (uid=%d): %s\n",
+			sm_dprintf("include: not safe (uid=%ld): %s\n",
-				   (int) uid, sm_errstring(rval));
+				   (long) uid, sm_errstring(rval));
 	}
 	else if ((fp = sm_io_open(SmFtStdio, SM_TIME_DEFAULT, fname,
 				  SM_IO_RDONLY, NULL)) == NULL)
@ -1683,28 +1683,28 @@ include(fname, forwarding, ctladdr, sendq, aliaslevel, e)
 		{
 # if USESETEUID
 			if (seteuid(0) < 0)
-				syserr("!seteuid(0) failure (real=%d, eff=%d)",
+				syserr("!seteuid(0) failure (real=%ld, eff=%ld)",
-				       (int) getuid(), (int) geteuid());
+				       (long) getuid(), (long) geteuid());
 # else /* USESETEUID */
 			if (setreuid(-1, 0) < 0)
-				syserr("!setreuid(-1, 0) failure (real=%d, eff=%d)",
+				syserr("!setreuid(-1, 0) failure (real=%ld, eff=%ld)",
-				       (int) getuid(), (int) geteuid());
+				       (long) getuid(), (long) geteuid());
 			if (setreuid(RealUid, 0) < 0)
-				syserr("!setreuid(%d, 0) failure (real=%d, eff=%d)",
+				syserr("!setreuid(%ld, 0) failure (real=%ld, eff=%ld)",
-				       (int) RealUid, (int) getuid(),
+				       (long) RealUid, (long) getuid(),
-				       (int) geteuid());
+				       (long) geteuid());
 # endif /* USESETEUID */
 		}
 		if (setgid(savedgid) < 0)
-			syserr("!setgid(%d) failure (real=%d eff=%d)",
+			syserr("!setgid(%ld) failure (real=%ld eff=%ld)",
-			       (int) savedgid, (int) getgid(),
+			       (long) savedgid, (long) getgid(),
-			       (int) getegid());
+			       (long) getegid());
 	}
 #endif /* HASSETREUID || USESETEUID */
 	if (tTd(27, 9))
-		sm_dprintf("include: reset uid = %d/%d\n",
+		sm_dprintf("include: reset uid = %ld/%ld\n",
-			   (int) getuid(), (int) geteuid());
+			   (long) getuid(), (long) geteuid());
 	if (rval == E_SM_OPENTIMEOUT)
 		usrerr("451 4.4.1 open timeout on %s", fname);
--- a/src/savemail.c
+++ b/src/savemail.c
@ -581,6 +581,10 @@ returntosender(msg, returnq, flags, e)
 	else
 		ee->e_flags |= EF_NO_BODY_RETN;
 #if _FFR_BOUNCE_QUEUE
 	if (BounceQueue != NOQGRP)
 		ee->e_qgrp = ee->e_dfqgrp = BounceQueue;
 #endif /* _FFR_BOUNCE_QUEUE */
 	if (!setnewqueue(ee))
 	{
 		syserr("554 5.3.0 returntosender: cannot select queue for %s",
@ -702,8 +706,15 @@ returntosender(msg, returnq, flags, e)
 	/* mark statistics */
 	markstats(ee, NULLADDR, STATS_NORMAL);
-	/* actually deliver the error message */
+#if _FFR_BOUNCE_QUEUE
-	sendall(ee, SM_DELIVER);
+	if (BounceQueue == NOQGRP)
 	{
 #endif
 		/* actually deliver the error message */
 		sendall(ee, SM_DELIVER);
 #if _FFR_BOUNCE_QUEUE
 	}
 #endif
 	(void) dropenvelope(ee, true, false);
 	/* check for delivery errors */
--- a/src/sendmail.0
+++ b/src/sendmail.0
@ -48,6 +48,8 @@ DDEESSCCRRIIPPTTIIOONN
              Also,  the ``From:'' and ``Sender:'' fields are examined for the
              name of the sender.
       --bbCC    Check the configuration file.
       --bbdd    Run as a daemon.  SSeennddmmaaiill will fork and run in background  lis-
              tening on socket 25 for incoming SMTP connections.  This is nor-
              mally run from /etc/rc.
--- a/src/sendmail.8
+++ b/src/sendmail.8
@ -92,6 +92,9 @@ Also,
 the ``From:'' and ``Sender:'' 
 fields are examined for the name of the sender.
 .TP
 .B \-bC
 Check the configuration file.
 .TP
 .B \-bd
 Run as a daemon.
 .B Sendmail
--- a/src/sendmail.h
+++ b/src/sendmail.h
@ -122,7 +122,7 @@ SM_UNUSED(static char SmailId[]) = "@(#)$Id: sendmail.h,v 8.1104 2013-11-22 20:5
 # endif /* HESIOD */
 #if STARTTLS
-#  include <openssl/ssl.h>
+# include <openssl/ssl.h>
 # if !TLS_NO_RSA
 #  if _FFR_FIPSMODE
 #   define RSA_KEYLENGTH	1024
@ -199,9 +199,17 @@ typedef int (*sasl_callback_ft)(void);
 # define INADDR_NONE	0xffffffff
 #endif /* ! INADDR_NONE */
 /* By default use uncompressed IPv6 address format (no "::") */
 #ifndef IPV6_FULL
 # define IPV6_FULL	1
 #endif
 /* (f)open() modes for queue files */
-# define QF_O_EXTRA	0
+#define QF_O_EXTRA	0
 #if _FFR_PROXY || _FFR_LOGREPLY
 # define _FFR_ERRCODE	1
 #endif
 /*
@ -283,11 +291,23 @@ typedef struct address ADDRESS;
 #define QBYTRACE	0x00008000	/* DeliverBy: trace */
 #define QBYNDELAY	0x00010000	/* DeliverBy: notify, delay */
 #define QBYNRELAY	0x00020000	/* DeliverBy: notify, relayed */
 #define QINTBCC		0x00040000	/* internal Bcc */
 #define QDYNMAILER	0x00080000	/* "dynamic mailer" */
 #define QTHISPASS	0x40000000	/* temp: address set this pass */
 #define QRCPTOK		0x80000000	/* recipient() processed address */
 #define QDYNMAILFLG	'Y'
 #define Q_PINGFLAGS	(QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY)
 #if _FFR_RCPTFLAGS
 # define QMATCHFLAGS (QINTBCC|QDYNMAILER)
 # define QMATCH_FLAG(a) ((a)->q_flags & QMATCHFLAGS)
 # define ADDR_FLAGS_MATCH(a, b)	(QMATCH_FLAG(a) == QMATCH_FLAG(b))
 #else
 # define ADDR_FLAGS_MATCH(a, b)	true
 #endif
 /* values for q_state */
 #define QS_OK		0		/* address ok (for now)/not yet tried */
 #define QS_SENT		1		/* good address, delivery complete */
@ -422,6 +442,7 @@ struct mailer
 };
 /* bits for m_flags */
 #define M_xSMTP		0x01	/* internal: {ES,S,L}MTP */
 #define M_ESMTP		'a'	/* run Extended SMTP */
 #define M_ALIASABLE	'A'	/* user can be LHS of an alias */
 #define M_BLANKEND	'b'	/* ensure blank line at end of message */
@ -449,6 +470,7 @@ struct mailer
 #define M_NHDR		'n'	/* don't insert From line */
 #define M_MANYSTATUS	'N'	/* MAIL11V3: DATA returns multi-status */
 #define M_RUNASRCPT	'o'	/* always run mailer as recipient */
 		/*	'O'	   free? */
 #define M_FROMPATH	'p'	/* use reverse-path in MAIL FROM: */
 		/*	'P'	   CF: include Return-Path: */
 #define M_VRFY250	'q'	/* VRFY command returns 250 instead of 252 */
@ -464,11 +486,14 @@ struct mailer
 #define M_NOHOSTSTAT	'W'	/* ignore long term host status information */
 		/*	'x'	   CF: include Full-Name: */
 #define M_XDOT		'X'	/* use hidden-dot algorithm */
 		/*	'y'	   free? */
 		/*	'Y'	   free? */
 #define M_LMTP		'z'	/* run Local Mail Transport Protocol */
 #define M_DIALDELAY	'Z'	/* apply dial delay sleeptime */
 #define M_NOMX		'0'	/* turn off MX lookups */
 #define M_NONULLS	'1'	/* don't send null bytes */
 #define M_FSMTP		'2'	/* force SMTP (no ESMTP even if offered) */
 		/*	'4'	   free? */
 #define M_EBCDIC	'3'	/* extend Q-P encoding for EBCDIC */
 #define M_TRYRULESET5	'5'	/* use ruleset 5 after local aliasing */
 #define M_7BITHDRS	'6'	/* strip headers to 7 bits even in 8 bit path */
@ -498,7 +523,11 @@ EXTERN MAILER	*FileMailer;	/* ptr to *file* mailer */
 EXTERN MAILER	*InclMailer;	/* ptr to *include* mailer */
 EXTERN MAILER	*LocalMailer;	/* ptr to local mailer */
 EXTERN MAILER	*ProgMailer;	/* ptr to program mailer */
 #if _FFR_RCPTFLAGS
 EXTERN MAILER	*Mailer[MAXMAILERS * 2 + 1];
 #else
 EXTERN MAILER	*Mailer[MAXMAILERS + 1];
 #endif
 /*
 **  Queue group definition structure.
@ -742,6 +771,12 @@ MCI
 #define MCIF_INLONGLINE 0x01000000	/* in the middle of a long line */
 #define MCIF_AUTH2	0x02000000	/* got 2 AUTH lines */
 #define MCIF_ONLY_EHLO	0x10000000	/* use only EHLO in smtpinit */
 #if _FFR_HANDLE_HDR_RW_TEMPFAIL
 /* an error is not sticky (if put{header,body}() etc fail) */
 # define MCIF_NOTSTICKY	0x20000000
 #else
 # define MCIF_NOTSTICKY	0
 #endif
 #define MCIF_EXTENS	(MCIF_EXPN | MCIF_SIZE | MCIF_8BITMIME | MCIF_DSN | MCIF_8BITOK | MCIF_AUTH | MCIF_ENHSTAT | MCIF_TLS | MCIF_AUTH2)
@ -945,10 +980,16 @@ struct envelope
 	int		e_dlvr_flag;	/* deliver by flag */
 	SM_RPOOL_T	*e_rpool;	/* resource pool for this envelope */
 	unsigned int	e_features;	/* server features */
 #if _FFR_MILTER_ENHSC
 #define ENHSC_LEN	11
 #if _FFR_MILTER_ENHSC
 	char		e_enhsc[ENHSC_LEN];	/* enhanced status code */
 #endif /* _FFR_MILTER_ENHSC */
 #if _FFR_ERRCODE
 	/* smtp error codes during delivery */
 	int		e_rcode;	/* reply code */
 	char		e_renhsc[ENHSC_LEN];	/* enhanced status code */
 	char		*e_text;	/* reply text */
 #endif /* _FFR_ERRCODE */
 };
 #define PRT_NONNEGL(v)	((v) < 0 ? LONG_MAX : (v))
@ -1141,7 +1182,7 @@ extern int	macid_parse __P((char *, char **));
 #define macid(name)  macid_parse(name, NULL)
 extern char	*macname __P((int));
 extern char	*macvalue __P((int, ENVELOPE *));
-extern int	rscheck __P((char *, char *, char *, ENVELOPE *, int, int, char *, char *, ADDRESS *));
+extern int	rscheck __P((char *, char *, char *, ENVELOPE *, int, int, char *, char *, ADDRESS *, char **));
 extern int	rscap __P((char *, char *, char *, ENVELOPE *, char ***, char *, int));
 extern void	setclass __P((int, char *));
 extern int	strtorwset __P((char *, char **, int));
@ -1305,15 +1346,6 @@ MAP
 #define MA_UNAVAIL	1		/* member map is not available */
 #define MA_TRYAGAIN	2		/* member map returns temp failure */
 /* macros to handle MapTempFail */
 #define BIT_IS_MTP	0x01	/* temp.failure occurred */
 #define BIT_ASK_MTP	0x02	/* do we care about MapTempFail? */
 #define RESET_MAPTEMPFAIL	MapTempFail = 0
 #define INIT_MAPTEMPFAIL	MapTempFail = BIT_ASK_MTP
 #define SET_MAPTEMPFAIL		MapTempFail |= BIT_IS_MTP
 #define IS_MAPTEMPFAIL		bitset(BIT_IS_MTP, MapTempFail)
 #define ASK_MAPTEMPFAIL		bitset(BIT_ASK_MTP, MapTempFail)
 /*
 **  The class of a map -- essentially the functions to call
 */
@ -1633,6 +1665,10 @@ EXTERN bool	V6LoopbackAddrFound;	/* found an IPv6 loopback address */
 /* values for e_sendmode -- send modes */
 #define SM_DELIVER	'i'		/* interactive delivery */
 #if _FFR_PROXY
 #define SM_PROXY_REQ	's'		/* synchronous mode requested */
 #define SM_PROXY	'S'		/* synchronous mode activated */
 #endif /* _FFR_PROXY */
 #define SM_FORK		'b'		/* deliver in background */
 #if _FFR_DM_ONE
 #define SM_DM_ONE	'o' /* deliver first TA in background, then queue */
@ -1641,7 +1677,11 @@ EXTERN bool	V6LoopbackAddrFound;	/* found an IPv6 loopback address */
 #define SM_DEFER	'd'		/* defer map lookups as well as queue */
 #define SM_VERIFY	'v'		/* verify only (used internally) */
 #define DM_NOTSET	(-1)	/* DeliveryMode (per daemon) option not set */
 #if _FFR_PROXY
 # define SM_IS_INTERACTIVE(m)	((m) == SM_DELIVER || (m) == SM_PROXY_REQ || (m) == SM_PROXY)
 #else /* _FFR_PROXY */
 # define SM_IS_INTERACTIVE(m)	((m) == SM_DELIVER)
 #endif /* _FFR_PROXY */
 #define WILL_BE_QUEUED(m)	((m) == SM_QUEUE || (m) == SM_DEFER)
@ -1736,6 +1776,7 @@ EXTERN unsigned long	PrivacyFlags;	/* privacy flags */
 #define RSF_RMCOMM		0x0001	/* strip comments */
 #define RSF_UNSTRUCTURED	0x0002	/* unstructured, ignore syntax errors */
 #define RSF_COUNT		0x0004	/* count rejections (statistics)? */
 #define RSF_ADDR		0x0008	/* reassemble address */
 /*
 **  Flags passed to mime8to7 and putheader.
@ -1893,6 +1934,10 @@ struct termescape
 #define D_OPTIONAL	'O'	/* optional socket */
 #define D_DISABLE	((char)0x02)	/* optional socket disabled */
 #define D_ISSET		((char)0x03)	/* this client struct is set */
 #if _FFR_XCNCT
 #define D_XCNCT	((char)0x04)	/* X-Connect was used */
 #define D_XCNCT_M	((char)0x05)	/* X-Connect was used + "forged" */
 #endif /* _FFR_XCNCT */
 #if STARTTLS
 /*
@ -1947,7 +1992,7 @@ struct termescape
 /* functions */
 extern bool	init_tls_library __P((bool _fipsmode));
-extern bool	inittls __P((SSL_CTX **, unsigned long, long, bool, char *, char *, char *, char *, char *));
+extern bool	inittls __P((SSL_CTX **, unsigned long, unsigned long, bool, char *, char *, char *, char *, char *));
 extern bool	initclttls __P((bool));
 extern void	setclttls __P((bool));
 extern bool	initsrvtls __P((bool));
@ -1960,10 +2005,9 @@ EXTERN char	*CACertPath;	/* path to CA certificates (dir. with hashes) */
 EXTERN char	*CACertFile;	/* file with CA certificate */
 EXTERN char	*CltCertFile;	/* file with client certificate */
 EXTERN char	*CltKeyFile;	/* file with client private key */
 # if _FFR_TLS_1
 EXTERN char	*CipherList;	/* list of ciphers */
-EXTERN char	*DHParams5;	/* file with DH parameters (512) */
+EXTERN char	*CertFingerprintAlgorithm;	/* name of fingerprint alg */
-# endif /* _FFR_TLS_1 */
+EXTERN const EVP_MD	*EVP_digest;	/* digest for cert fp */
 EXTERN char	*DHParams;	/* file with DH parameters */
 EXTERN char	*RandFile;	/* source of random data */
 EXTERN char	*SrvCertFile;	/* file with server certificate */
@ -1973,7 +2017,7 @@ EXTERN char	*CRLFile;	/* file CRLs */
 EXTERN char	*CRLPath;	/* path to CRLs (dir. with hashes) */
 #endif /* _FFR_CRLPATH */
 EXTERN unsigned long	TLS_Srv_Opts;	/* TLS server options */
-EXTERN long	Srv_SSL_Options, Clt_SSL_Options; /* SSL options */
+EXTERN unsigned long	Srv_SSL_Options, Clt_SSL_Options; /* SSL options */
 #endif /* STARTTLS */
 /*
@ -2054,9 +2098,7 @@ EXTERN int	QueueFileMode;	/* mode on files in mail queue */
 EXTERN int	QueueMode;	/* which queue items to act upon */
 EXTERN int	QueueSortOrder;	/* queue sorting order algorithm */
 EXTERN time_t	MinQueueAge;	/* min delivery interval */
 #if _FFR_EXPDELAY
 EXTERN time_t	MaxQueueAge;	/* max delivery interval */
 #endif /* _FFR_EXPDELAY */
 EXTERN time_t	QueueIntvl;	/* intervals between running the queue */
 EXTERN char	*QueueDir;	/* location of queue directory */
 EXTERN QUEUE_CHAR	*QueueLimitId;		/* limit queue run to id */
@ -2064,6 +2106,9 @@ EXTERN QUEUE_CHAR	*QueueLimitQuarantine;	/* limit queue run to quarantine reason
 EXTERN QUEUE_CHAR	*QueueLimitRecipient;	/* limit queue run to rcpt */
 EXTERN QUEUE_CHAR	*QueueLimitSender;	/* limit queue run to sender */
 EXTERN QUEUEGRP	*Queue[MAXQUEUEGROUPS + 1];	/* queue groups */
 #if _FFR_BOUNCE_QUEUE
 EXTERN int	BounceQueue;
 #endif
 /* functions */
 extern void	assign_queueid __P((ENVELOPE *));
@ -2265,7 +2310,7 @@ extern unsigned char	tTdvect[100];	/* trace vector */
 	} while (0)
 /* reply types (text in SmtpMsgBuffer) */
-#define XS_DEFAULT	0
+#define XS_DEFAULT	0	/* other commands, e.g., RSET */
 #define XS_STARTTLS	1
 #define XS_AUTH		2
 #define XS_GREET	3
@ -2274,14 +2319,16 @@ extern unsigned char	tTdvect[100];	/* trace vector */
 #define XS_RCPT		6
 #define XS_DATA		7
 #define XS_EOM		8
-#define XS_DATA2	9
+#define XS_DATA2	9	/* LMTP */
-#define XS_RCPT2	10
+#define XS_QUIT		10
 #define XS_QUIT		15
 /*
 **  Global variables.
 */
 #if _FFR_ADD_BCC
 EXTERN bool AddBcc;
 #endif
 #if _FFR_ADDR_TYPE_MODES
 EXTERN bool	AddrTypeModes;	/* addr_type: extra "mode" information */
 #endif /* _FFR_ADDR_TYPE_MODES */
@ -2504,6 +2551,10 @@ extern void	buffer_errors __P((void));
 extern void	flush_errors __P((bool));
 extern void PRINTFLIKE(1, 2)	message __P((const char *, ...));
 extern void PRINTFLIKE(1, 2)	nmessage __P((const char *, ...));
 #if _FFR_PROXY
 extern void PRINTFLIKE(3, 4)	emessage __P((const char *, const char *, const char *, ...));
 extern int extsc __P((const char *, int, char *, char *));
 #endif /* _FFR_PROXY */
 extern void PRINTFLIKE(1, 2)	syserr __P((const char *, ...));
 extern void PRINTFLIKE(2, 3)	usrerrenh __P((char *, const char *, ...));
 extern void PRINTFLIKE(1, 2)	usrerr __P((const char *, ...));
@ -2519,7 +2570,7 @@ extern bool	rebuildaliases __P((MAP *, bool));
 extern void	setalias __P((char *));
 /* logging */
-extern void	logdelivery __P((MAILER *, MCI *, char *, const char *, ADDRESS *, time_t, ENVELOPE *));
+extern void	logdelivery __P((MAILER *, MCI *, char *, const char *, ADDRESS *, time_t, ENVELOPE *, ADDRESS *, int));
 extern void	logsender __P((ENVELOPE *, char *));
 extern void PRINTFLIKE(3, 4) sm_syslog __P((int, const char *, const char *, ...));
@ -2719,10 +2770,10 @@ extern sigfunc_t	setsignal __P((int, sigfunc_t));
 extern void	sm_setuserenv __P((const char *, const char *));
 extern void	settime __P((ENVELOPE *));
 #if STARTTLS
-extern void	set_tls_rd_tmo __P((int));
+extern int	set_tls_rd_tmo __P((int));
-#else /* STARTTLS */
+#else
-#define set_tls_rd_tmo(rd_tmo)
+# define set_tls_rd_tmo(rd_tmo)	0
-#endif /* STARTTLS */
+#endif
 extern char	*sfgets __P((char *, int, SM_FILE_T *, time_t, char *));
 extern char	*shortenstring __P((const char *, size_t));
 extern char	*shorten_hostname __P((char []));
@ -2778,12 +2829,18 @@ extern char *xalloc_tagged __P((int, char*, int));
 #else /* SM_HEAP_CHECK */
 extern char *xalloc __P((int));
 #endif /* SM_HEAP_CHECK */
 #if _FFR_XCNCT
 extern int xconnect __P((SM_FILE_T *));
 #endif /* _FFR_XCNCT */
 extern void	xputs __P((SM_FILE_T *, const char *));
 extern char	*xtextify __P((char *, char *));
 extern bool	xtextok __P((char *));
 extern int	xunlink __P((char *));
 extern char	*xuntextify __P((char *));
 #if _FFR_RCPTFLAGS
 extern bool	newmodmailer __P((ADDRESS *, char fl));
 #endif
 #undef EXTERN
 #endif /* ! _SENDMAIL_H */
--- a/src/sfsasl.c
+++ b/src/sfsasl.c
@ -13,6 +13,7 @@ SM_RCSID("@(#)$Id: sfsasl.c,v 8.121 2013-11-22 20:51:56 ca Exp $")
 #include <stdlib.h>
 #include <sendmail.h>
 #include <sm/time.h>
 #include <sm/fdset.h>
 #include <errno.h>
 /* allow to disable error handling code just in case... */
@ -415,7 +416,7 @@ sfdcsasl(fin, fout, conn, tmo)
 #if STARTTLS
 # include "sfsasl.h"
-#  include <openssl/err.h>
+# include <openssl/err.h>
 /* Structure used by the "tls" file type */
 struct tls_obj
@ -618,9 +619,8 @@ tls_retry(ssl, rfd, wfd, tlsstart, timeout, err, where)
 			  where, rfd, wfd, err);
 	}
-	if (FD_SETSIZE > 0 &&
+	if ((err == SSL_ERROR_WANT_READ && !SM_FD_OK_SELECT(rfd)) ||
-	    ((err == SSL_ERROR_WANT_READ && rfd >= FD_SETSIZE) ||
+	    (err == SSL_ERROR_WANT_WRITE && !SM_FD_OK_SELECT(wfd)))
 	     (err == SSL_ERROR_WANT_WRITE && wfd >= FD_SETSIZE)))
 	{
 		if (LogLevel > 5)
 		{
@ -685,17 +685,21 @@ tls_retry(ssl, rfd, wfd, tlsstart, timeout, err, where)
 **		rd_tmo -- read timeout
 **
 **	Results:
-**		none
+**		previous read timeout
 **	This is a hack: there is no way to pass it in
 */
 static int tls_rd_tmo = -1;
-void
+int
 set_tls_rd_tmo(rd_tmo)
 	int rd_tmo;
 {
 	int old_rd_tmo;
 	old_rd_tmo = tls_rd_tmo;
 	tls_rd_tmo = rd_tmo;
 	return old_rd_tmo;
 }
 /*
@ -820,7 +824,7 @@ tls_read(fp, buf, size)
 		}
 		else if (LogLevel > 7)
 			sm_syslog(LOG_WARNING, NOQID,
-				  "STARTTLS: read error=%s (%d), retry=%d, ssl_err=%d",
+				  "STARTTLS: read error=%s (%d), errno=%d, retry=%d, ssl_err=%d",
 				  err, r, errno, try, ssl_err);
 		errno = save_errno;
 	}
--- a/src/sm_resolve.c
+++ b/src/sm_resolve.c
@ -235,7 +235,7 @@ parse_dns_reply(data, len)
 			if (LogLevel > 5)
 				sm_syslog(LOG_WARNING, NOQID,
 					  "ERROR: DNS RDLENGTH=%d > data len=%d",
-					  size, len - (p - data));
+					  size, len - (int)(p - data));
 			dns_free_data(r);
 			return NULL;
 		}
--- a/src/srvrsmtp.c
+++ b/src/srvrsmtp.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998-2010, 2012, 2013 Proofpoint, Inc. and its suppliers.
+ * Copyright (c) 1998-2010, 2012-2014 Proofpoint, Inc. and its suppliers.
 *	All rights reserved.
 * Copyright (c) 1983, 1995-1997 Eric P. Allman.  All rights reserved.
 * Copyright (c) 1988, 1993
@ -30,7 +30,7 @@ SM_RCSID("@(#)$Id: srvrsmtp.c,v 8.1016 2013-11-22 20:51:56 ca Exp $")
 static int saslmechs __P((sasl_conn_t *, char **));
 #endif /* SASL */
 #if STARTTLS
-#  include <openssl/err.h>
+# include <openssl/err.h>
 # include <sysexits.h>
 static SSL_CTX	*srv_ctx = NULL;	/* TLS server context */
@ -204,6 +204,174 @@ parse_esmtp_args(e, addr_st, p, delimptr, which, args, esmtp_args)
 		args[argno] = NULL;
 }
 #if _FFR_ADD_BCC
 /*
 **  ADDRCPT -- Add a rcpt to sendq list
 **
 **	Parameters:
 **		rcpt -- rcpt
 **		sendq -- a pointer to the head of a queue to put
 **			these people into.
 **		e -- the envelope in which to add these recipients.
 **
 **	Returns:
 **		The number of addresses added to the list.
 */
 static int
 addrcpt(rcpt, sendq, e)
 	char *rcpt;
 	ADDRESS **sendq;
 	ENVELOPE *e;
 {
 	int r;
 	char *oldto;
 	ADDRESS *a;
 	SM_REQUIRE(rcpt != NULL);
 	SM_REQUIRE(sendq != NULL);
 	SM_REQUIRE(e != NULL);
 	oldto = e->e_to;
 	if (tTd(25, 1))
 		sm_dprintf("addrcpt: rcpt=%s\n", rcpt);
 	r = Errors;
 	a = NULL;
 	SM_TRY
 	{
 		macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), "e b");
 		a = parseaddr(rcpt, NULLADDR, RF_COPYALL, ' ', NULL, e, true);
 		if (a == NULL)
 			return 0;
 		a->q_flags &= ~Q_PINGFLAGS;
 		a->q_flags |= QINTBCC;
 		a->q_owner = "<>";
 		/* disable alias expansion? */
 		a = recipient(a, sendq, 0, e);
 	}
 	SM_FINALLY
 	{
 		e->e_to = oldto;
 		macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), NULL);
 	}
 	SM_END_TRY
 	if (tTd(25, 1))
 		sm_dprintf("addrcpt: rcpt=%s, flags=%#lx\n", rcpt,
 			a != NULL ? a->q_flags : 0);
 	Errors = r;
 	return 1;
 }
 /*
 **  ADDBCC -- Maybe create a copy of an e-mail
 **
 **	Parameters:
 **		a -- current RCPT
 **		e -- the envelope.
 **
 **	Returns:
 **		nothing
 **
 **	Side Effects:
 **		rscheck() can trigger an "exception"
 */
 static void
 addbcc(a, e)
 	ADDRESS *a;
 	ENVELOPE *e;
 {
 	int nobcc;
 	char *newrcpt, empty[1];
 	if (!AddBcc)
 		return;
 	nobcc = false;
 	empty[0] = '\0';
 	newrcpt = empty;
 	nobcc = rscheck("bcc", a->q_paddr, NULL, e, RSF_ADDR, 12, NULL, NOQID,
 			NULL, &newrcpt);
 	if (tTd(25, 1))
 		sm_dprintf("addbcc: nobcc=%d, Errors=%d, newrcpt=<%s>\n", nobcc, Errors, newrcpt);
 	if (nobcc != EX_OK || Errors > 0 || *newrcpt == '\0')
 		return;
 	(void) addrcpt(newrcpt, &e->e_sendqueue, e);
 	return;
 }
 #else /* _FFR_ADD_BCC */
 # define addbcc(a, e)
 #endif /* _FFR_ADD_BCC */
 #if _FFR_RCPTFLAGS
 /*
 **  RCPTMODS -- Perform rcpt modifications if requested
 **
 **	Parameters:
 **		rcpt -- current RCPT
 **		e -- the envelope.
 **
 **	Returns:
 **		nothing.
 */
 void
 rcptmods(rcpt, e)
 	ADDRESS *rcpt;
 	ENVELOPE *e;
 {
 	char *fl;
 	SM_REQUIRE(rcpt != NULL);
 	SM_REQUIRE(e != NULL);
 	fl = macvalue(macid("{rcpt_flags}"), e);
 	if (fl == NULL || *fl == '\0')
 		return;
 	if (tTd(25, 1))
 		sm_dprintf("rcptmods: rcpt=%s, flags=%s\n", rcpt->q_paddr, fl);
 	/* parse flags */
 	for ( ; *fl != '\0'; ++fl)
 	{
 		switch (*fl)
 		{
 		  case 'n':
 			rcpt->q_flags &= ~Q_PINGFLAGS;
 			rcpt->q_flags |= QINTBCC;
 			rcpt->q_owner = "<>";
 			break;
 		  case 'N':
 			rcpt->q_flags &= ~Q_PINGFLAGS;
 			rcpt->q_owner = "<>";
 			break;
 		  case QDYNMAILFLG:
 			rcpt->q_flags |= QDYNMAILER;
 			newmodmailer(rcpt, *fl);
 			break;
 		  default:
 			sm_syslog(LOG_INFO, e->e_id,
 				  "rcpt=%s, rcpt_flags=%s, status=unknown",
 				  rcpt->q_paddr, fl);
 			break;
 		}
 	}
 	/* reset macro to avoid confusion later on */
 	macdefine(&e->e_macro, A_PERM, macid("{rcpt_flags}"), NULL);
 }
 #else /* _FFR_RCPTFLAGS */
 # define rcptmods(a, e)
 #endif /* _FFR_RCPTFLAGS */
 /*
 **  SMTP -- run the SMTP protocol.
 **
@ -541,6 +709,24 @@ do								\
 				qid_printname(e), CurSmtpClient, inp);	\
 	}
 /*
 **  Determine the correct protocol keyword to use in the
 **  Received: header, following RFC 3848.
 */
 #if !STARTTLS
 # define tls_active	false
 #endif
 #if SASL
 # define auth_active	(authenticating == SASL_IS_AUTH)
 #else
 # define auth_active	false
 #endif
 #define GET_PROTOCOL()					\
 	(auth_active					\
 	    ? (tls_active ? "ESMTPSA" : "ESMTPA")	\
 	    : (tls_active ? "ESMTPS"  : "ESMTP"))
 static bool SevenBitInput_Saved;	/* saved version of SevenBitInput */
 void
@ -577,6 +763,7 @@ smtp(nullserver, d_flags, e)
 	SMTP_T smtp;
 	char *addr;
 	char *greetcode = "220";
 	const char *greetmsg = "not accepting messages";
 	char *hostname;			/* my hostname ($j) */
 	QUEUE_CHAR *new;
 	char *args[MAXSMTPARGS];
@ -907,11 +1094,7 @@ smtp(nullserver, d_flags, e)
 	}
 #endif /* SASL */
-#if STARTTLS
+	(void) set_tls_rd_tmo(TimeOuts.to_nextcommand);
 	set_tls_rd_tmo(TimeOuts.to_nextcommand);
 #endif /* STARTTLS */
 #if MILTER
 	if (smtp.sm_milterize)
@ -968,7 +1151,73 @@ smtp(nullserver, d_flags, e)
 		response = milter_connect(q, RealHostAddr, e, &state);
 		switch (state)
 		{
 #if _FFR_MILTER_CONNECT_REPLYCODE
 		  case SMFIR_REPLYCODE:
 			if (*response == '5')
 			{
 				if (MilterLogLevel > 3)
 					sm_syslog(LOG_INFO, e->e_id,
 						  "Milter: connect: host=%s, addr=%s, reject=%s",
 						  peerhostname,
 						  anynet_ntoa(&RealHostAddr),
 						  response);
 				greetcode = "554"; /* Required by 2821 3.1 */
 				nullserver = newstr(response);
 				if (strlen(nullserver) > 4)
 				{
 					int skip;
 					greetmsg = nullserver + 4;
 					/* skip over enhanced status code */
 					skip = isenhsc(greetmsg, ' ');
 					if (skip > 0)
 						greetmsg += skip + 1;
 				}
 				smtp.sm_milterize = false;
 				break;
 			}
 			else if (strncmp(response, "421 ", 4) == 0)
 			{
 				int skip;
 				const char *msg = response + 4;
 				if (MilterLogLevel > 3)
 					sm_syslog(LOG_INFO, e->e_id,
 						  "Milter: connect: host=%s, addr=%s, shutdown=%s",
 						  peerhostname,
 						  anynet_ntoa(&RealHostAddr),
 						  response);
 				tempfail = true;
 				smtp.sm_milterize = false;
 				/* skip over enhanced status code */
 				skip = isenhsc(msg, ' ');
 				if (skip > 0)
 					msg += skip + 1;
 				message("421 %s %s", MyHostName, msg);
 				/* arrange to ignore send list */
 				e->e_sendqueue = NULL;
 				goto doquit;
 			}
 			else
 			{
 				if (MilterLogLevel > 3)
 					sm_syslog(LOG_INFO, e->e_id,
 						  "Milter: connect: host=%s, addr=%s, temp failing commands=%s",
 						  peerhostname,
 						  anynet_ntoa(&RealHostAddr),
 						  response);
 				/*tempfail = true;*/
 				smtp.sm_milterize = false;
 				nullserver = newstr(response);
 				break;
 			}
 #else /* _FFR_MILTER_CONNECT_REPLYCODE */
 		  case SMFIR_REPLYCODE:	/* REPLYCODE shouldn't happen */
 #endif /* _FFR_MILTER_CONNECT_REPLYCODE */
 		  case SMFIR_REJECT:
 			if (MilterLogLevel > 3)
 				sm_syslog(LOG_INFO, e->e_id,
@ -1006,7 +1255,7 @@ smtp(nullserver, d_flags, e)
 			goto doquit;
 		}
 		if (response != NULL)
-			sm_free(response); /* XXX */
+			sm_free(response);
 	}
 #endif /* MILTER */
@ -1097,8 +1346,8 @@ smtp(nullserver, d_flags, e)
 	/* output the first line, inserting "ESMTP" as second word */
 	if (*greetcode == '5')
-		(void) sm_snprintf(inp, sizeof(inp),
+		(void) sm_snprintf(inp, sizeof(inp), "%s %s", hostname,
-				"%s not accepting messages", hostname);
+				   greetmsg);
 	else
 		expand(SmtpGreeting, inp, sizeof(inp), e);
@ -1400,6 +1649,8 @@ smtp(nullserver, d_flags, e)
 							   *ssf);
 				}
 				protocol = GET_PROTOCOL();
 				/*
 				**  Only switch to encrypted connection
 				**  if a security layer has been negotiated
@ -1898,11 +2149,9 @@ smtp(nullserver, d_flags, e)
 			SSL_set_accept_state(srv_ssl);
 #  define SSL_ACC(s)	SSL_accept(s)
 			tlsstart = curtime();
  ssl_retry:
-			if ((r = SSL_ACC(srv_ssl)) <= 0)
+			if ((r = SSL_accept(srv_ssl)) <= 0)
 			{
 				int i, ssl_err;
@ -1962,7 +2211,7 @@ smtp(nullserver, d_flags, e)
 				     macvalue(macid("{verify}"), e),
 				     "STARTTLS", e,
 				     RSF_RMCOMM|RSF_COUNT,
-				     5, NULL, NOQID, NULL) != EX_OK ||
+				     5, NULL, NOQID, NULL, NULL) != EX_OK ||
 			    Errors > 0)
 			{
 				extern char MsgBuf[];
@ -2052,7 +2301,7 @@ smtp(nullserver, d_flags, e)
 			DELAY_CONN("EHLO");
 			if (c->cmd_code == CMDEHLO)
 			{
-				protocol = "ESMTP";
+				protocol = GET_PROTOCOL();
 				SmtpPhase = "server EHLO";
 			}
 			else
@ -2468,7 +2717,7 @@ smtp(nullserver, d_flags, e)
 #endif /* _FFR_MAIL_MACRO */
 			if (rscheck("check_mail", addr,
 				    NULL, e, RSF_RMCOMM|RSF_COUNT, 3,
-				    NULL, e->e_id, NULL) != EX_OK ||
+				    NULL, e->e_id, NULL, NULL) != EX_OK ||
 			    Errors > 0)
 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
 			macdefine(&e->e_macro, A_PERM,
@ -2731,7 +2980,7 @@ smtp(nullserver, d_flags, e)
 				macid("{addr_type}"), "e r");
 			if (rscheck("check_rcpt", addr,
 				    NULL, e, RSF_RMCOMM|RSF_COUNT, 3,
-				    NULL, e->e_id, p_addr_st) != EX_OK ||
+				    NULL, e->e_id, p_addr_st, NULL) != EX_OK ||
 			    Errors > 0)
 				goto rcpt_done;
 			macdefine(&e->e_macro, A_PERM,
@ -2744,6 +2993,9 @@ smtp(nullserver, d_flags, e)
 			milter_cmd_safe = true;
 #endif
 			addbcc(a, e);
 			rcptmods(a, e);
 			/* save in recipient list after ESMTP mods */
 			a = recipient(a, &e->e_sendqueue, 0, e);
 			/* may trigger exception... */
@ -2821,6 +3073,7 @@ smtp(nullserver, d_flags, e)
 #if !MILTER
 		rcpt_done:
 #endif /* !MILTER */
 			macdefine(&e->e_macro, A_PERM,
 				macid("{rcpt_mailer}"), NULL);
 			macdefine(&e->e_macro, A_PERM,
@ -2974,8 +3227,8 @@ smtp(nullserver, d_flags, e)
 			{
 				/* do config file checking of the address */
 				if (rscheck(vrfy ? "check_vrfy" : "check_expn",
-					    p, NULL, e, RSF_RMCOMM,
+					    p, NULL, e, RSF_RMCOMM, 3, NULL,
-					    3, NULL, NOQID, NULL) != EX_OK ||
+					    NOQID, NULL, NULL) != EX_OK ||
 				    Errors > 0)
 					sm_exc_raisenew_x(&EtypeQuickAbort, 1);
 				(void) sendtolist(p, NULLADDR, &vrfyqueue, 0, e);
@ -3070,9 +3323,8 @@ smtp(nullserver, d_flags, e)
 			**  available to make a decision.
 			*/
-			if (rscheck("check_etrn", p, NULL, e,
+			if (rscheck("check_etrn", p, NULL, e, RSF_RMCOMM, 3,
-				    RSF_RMCOMM, 3, NULL, NOQID, NULL)
+				    NULL, NOQID, NULL, NULL) != EX_OK ||
 								!= EX_OK ||
 			    Errors > 0)
 				break;
@ -3371,7 +3623,7 @@ smtp_data(smtp, e)
 	(void) sm_snprintf(buf, sizeof(buf), "%u", smtp->sm_nrcpts);
 	if (rscheck("check_data", buf, NULL, e,
 		    RSF_RMCOMM|RSF_UNSTRUCTURED|RSF_COUNT, 3, NULL,
-		    e->e_id, NULL) != EX_OK)
+		    e->e_id, NULL, NULL) != EX_OK)
 		return true;
 #if MILTER && SMFI_VERSION > 3
@ -3494,7 +3746,7 @@ smtp_data(smtp, e)
 	/* rscheck() will set Errors or EF_DISCARD if it trips */
 	(void) rscheck("check_eom", buf, NULL, e, RSF_UNSTRUCTURED|RSF_COUNT,
-		       3, NULL, e->e_id, NULL);
+		       3, NULL, e->e_id, NULL, NULL);
 #if MILTER
 	milteraccept = true;
@ -3735,6 +3987,38 @@ smtp_data(smtp, e)
 	_res.retrans = TimeOuts.res_retrans[RES_TO_FIRST];
 #endif /* NAMED_BIND */
 #if _FFR_PROXY
 	if (SM_PROXY_REQ == e->e_sendmode)
 	{
 		/* is proxy mode possible? */
 		if (e->e_sibling == NULL && e->e_nrcpts == 1
 		    && smtp->sm_nrcpts == 1
 		    && (a = e->e_sendqueue) != NULL && a->q_next == NULL)
 		{
 			a->q_flags &= ~(QPINGONFAILURE|QPINGONSUCCESS|
 					QPINGONDELAY);
 			e->e_errormode = EM_QUIET;
 			e->e_sendmode = SM_PROXY;
 		}
 		else
 		{
 			if (tTd(87, 2))
 			{
 				a = e->e_sendqueue;
 				sm_dprintf("srv: mode=%c, e=%p, sibling=%p, nrcpts=%d, sm_nrcpts=%d, sendqueue=%p, next=%p\n",
 				e->e_sendmode, e, e->e_sibling, e->e_nrcpts,
 				smtp->sm_nrcpts, a,
 				(a == NULL) ? (void *)0 : a->q_next);
 			}
 			/* switch to interactive mode */
 			e->e_sendmode = SM_DELIVER;
 			if (LogLevel > 9)
 				sm_syslog(LOG_DEBUG, e->e_id,
 					  "proxy mode requested but not possible");
 		}
 	}
 #endif /* _FFR_PROXY */
 	for (ee = e; ee != NULL; ee = ee->e_sibling)
 	{
@ -3779,6 +4063,84 @@ smtp_data(smtp, e)
 	oldid = CurEnv->e_id;
 	CurEnv->e_id = id;
 #if _FFR_PROXY
 	a = e->e_sendqueue;
 	if (tTd(87, 1))
 	{
 		sm_dprintf("srv: mode=%c, e=%p, sibling=%p, nrcpts=%d, msg=%s, sendqueue=%p, next=%p, state=%d, SmtpError=%s, rcode=%d, renhsc=%s, text=%s\n",
 		e->e_sendmode, e, e->e_sibling, e->e_nrcpts, e->e_message, a,
 		(a == NULL) ? (void *)0 : a->q_next,
 		(a == NULL) ? -1 : a->q_state, SmtpError, e->e_rcode,
 		e->e_renhsc, e->e_text);
 	}
 	if (SM_PROXY == e->e_sendmode && a->q_state != QS_SENT &&
 	    a->q_state != QS_VERIFIED) /* discarded! */
 	{
 		char *m, *errtext;
 		char replycode[4];
 		char enhsc[10];
 		int offset;
 #define NN_MSG(e)	(((e)->e_message != NULL) ? (e)->e_message : "")
 		m = e->e_message;
 #define SM_MSG_DEFERRED "Deferred: "
 		if (m != NULL && strncmp(SM_MSG_DEFERRED, m,
 					 sizeof(SM_MSG_DEFERRED) - 1) == 0)
 			m += sizeof(SM_MSG_DEFERRED) - 1;
 		offset = extsc(m, ' ', replycode, enhsc);
 		if (tTd(87, 2))
 		{
 			sm_dprintf("srv: SmtpError=%s, rcode=%d, renhsc=%s, replycode=%s, enhsc=%s, offset=%d\n",
 				SmtpError, e->e_rcode, e->e_renhsc,
 				replycode, enhsc, offset);
 		}
 #define DIG2CHAR(d)	((d) + '0')
 		if (e->e_rcode != 0 && (replycode[0] == '\0' ||
 		    replycode[0] == DIG2CHAR(REPLYTYPE(e->e_rcode))))
 		{
 			replycode[0] = DIG2CHAR(REPLYTYPE(e->e_rcode));
 			replycode[1] = DIG2CHAR(REPLYCLASS(e->e_rcode));
 			replycode[2] = DIG2CHAR(REPLYMINOR(e->e_rcode));
 			replycode[3] = '\0';
 			if (e->e_renhsc[0] == replycode[0])
 				sm_strlcpy(enhsc, e->e_renhsc, sizeof(enhsc));
 			if (offset < 0)
 				offset = 0;
 		}
 		if (e->e_text != NULL)
 		{
 			(void) strreplnonprt(e->e_text, '_');
 			errtext = e->e_text;
 		}
 		else
 			errtext = m + offset;
 		if (replycode[0] != '\0' && enhsc[0] != '\0')
 			emessage(replycode, enhsc, "%s", errtext);
 		else if (replycode[0] != '\0')
 			emessage(replycode, smtptodsn(atoi(replycode)),
 				 "%s", errtext);
 		else if (QS_IS_TEMPFAIL(a->q_state))
 		{
 			if (m != NULL)
 				message("450 4.5.1 %s", m);
 			else
 				message("450 4.5.1 Temporary error");
 		}
 		else
 		{
 			if (m != NULL)
 				message("550 5.5.1 %s", m);
 			else
 				message("550 5.0.0 Permanent error");
 		}
 	}
 	else
 	{
 #endif /* _FFR_PROXY */
 		/* issue success message */
 #if _FFR_MSG_ACCEPT
 		if (MessageAccept != NULL && *MessageAccept != '\0')
@ -3791,6 +4153,9 @@ smtp_data(smtp, e)
 		else
 #endif /* _FFR_MSG_ACCEPT */
 		message("250 2.0.0 %s Message accepted for delivery", id);
 #if _FFR_PROXY
 	}
 #endif /* _FFR_PROXY */
 	CurEnv->e_id = oldid;
 	/* if we just queued, poke it */
@ -3937,7 +4302,7 @@ logundelrcpts(e, msg, level, all)
 			    ? e->e_enhsc :
 #endif /* _FFR_MILTER_ENHSC */
 			    a->q_status,
-			    msg, NULL, (time_t) 0, e);
+			    msg, NULL, (time_t) 0, e, a, EX_OK /* ??? */);
 	}
 	e->e_to = NULL;
 }
@ -4339,8 +4704,8 @@ mail_esmtp_args(a, kp, vp, e)
 		SuprErrs = true;
 		QuickAbort = false;
 		if (strcmp(auth_param, "<>") != 0 &&
-		     (rscheck("trust_auth", auth_param, NULL, e, RSF_RMCOMM,
+		     (rscheck("trust_auth", auth_param, NULL, e, RSF_RMCOMM, 9,
-			      9, NULL, NOQID, NULL) != EX_OK || Errors > 0))
+			      NULL, NOQID, NULL, NULL) != EX_OK || Errors > 0))
 		{
 			if (tTd(95, 8))
 			{
--- a/src/tls.c
+++ b/src/tls.c
@ -13,21 +13,21 @@
 SM_RCSID("@(#)$Id: tls.c,v 8.127 2013-11-27 02:51:11 gshapiro Exp $")
 #if STARTTLS
-#  include <openssl/err.h>
+# include <openssl/err.h>
-#  include <openssl/bio.h>
+# include <openssl/bio.h>
-#  include <openssl/pem.h>
+# include <openssl/pem.h>
-#  ifndef HASURANDOMDEV
+# ifndef HASURANDOMDEV
-#   include <openssl/rand.h>
+#  include <openssl/rand.h>
-#  endif /* ! HASURANDOMDEV */
+# endif /* ! HASURANDOMDEV */
 # if !TLS_NO_RSA
 static RSA *rsa_tmp = NULL;	/* temporary RSA key */
 static RSA *tmp_rsa_key __P((SSL *, int, int));
 # endif /* !TLS_NO_RSA */
-#  if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x00907000L
+# if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x00907000L
 static int	tls_verify_cb __P((X509_STORE_CTX *));
-#  else /* !defined() || OPENSSL_VERSION_NUMBER < 0x00907000L */
+# else /* !defined() || OPENSSL_VERSION_NUMBER < 0x00907000L */
 static int	tls_verify_cb __P((X509_STORE_CTX *, void *));
-#  endif /* !defined() || OPENSSL_VERSION_NUMBER < 0x00907000L */
+# endif /* !defined() || OPENSSL_VERSION_NUMBER < 0x00907000L */
 # if OPENSSL_VERSION_NUMBER > 0x00907000L
 static int x509_verify_cb __P((int, X509_STORE_CTX *));
@ -41,7 +41,7 @@ static int x509_verify_cb __P((int, X509_STORE_CTX *));
 static void	apps_ssl_info_cb __P((CONST097 SSL *, int , int));
 static bool	tls_ok_f __P((char *, char *, int));
 static bool	tls_safe_f __P((char *, long, bool));
-static int	tls_verify_log __P((int, X509_STORE_CTX *, char *));
+static int	tls_verify_log __P((int, X509_STORE_CTX *, const char *));
 # if !NO_DH
 static DH *get_dh512 __P((void));
@ -311,8 +311,25 @@ init_tls_library(fipsmode)
 		}
 	}
 #endif /* _FFR_FIPSMODE  */
 	if (bv && CertFingerprintAlgorithm != NULL)
 	{
 		const EVP_MD *md;
 		md = EVP_get_digestbyname(CertFingerprintAlgorithm);
 		if (NULL == md)
 		{
 			bv = false;
 			if (LogLevel > 0)
 				sm_syslog(LOG_ERR, NOQID,
 					"STARTTLS=init, CertFingerprintAlgorithm=%s, status=invalid"
 					, CertFingerprintAlgorithm);
 		}
 		else
 			EVP_digest = md;
 	}
 	return bv;
 }
 /*
 **  TLS_SET_VERIFY -- request client certificate?
 **
@ -369,12 +386,10 @@ tls_set_verify(ctx, ssl, vrfy)
 # define TLS_S_CRLF_EX	0x00000100	/* CRL file exists */
 # define TLS_S_CRLF_OK	0x00000200	/* CRL file is ok */
-# if _FFR_TLS_1
+# define TLS_S_CERT2_EX	0x00001000	/* 2nd cert file exists */
-#  define TLS_S_CERT2_EX	0x00001000	/* 2nd cert file exists */
+# define TLS_S_CERT2_OK	0x00002000	/* 2nd cert file is ok */
-#  define TLS_S_CERT2_OK	0x00002000	/* 2nd cert file is ok */
+# define TLS_S_KEY2_EX	0x00004000	/* 2nd key file exists */
-#  define TLS_S_KEY2_EX	0x00004000	/* 2nd key file exists */
+# define TLS_S_KEY2_OK	0x00008000	/* 2nd key file is ok */
 #  define TLS_S_KEY2_OK	0x00008000	/* 2nd key file is ok */
 # endif /* _FFR_TLS_1 */
 # define TLS_S_DH_OK	0x00200000	/* DH cert is ok */
 # define TLS_S_DHPAR_EX	0x00400000	/* DH param file exists */
@ -545,7 +560,7 @@ bool
 inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhparam)
 	SSL_CTX **ctx;
 	unsigned long req;
-	long options;
+	unsigned long options;
 	bool srv;
 	char *certfile, *keyfile, *cacertpath, *cacertfile, *dhparam;
 {
@ -556,12 +571,10 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 	bool ok;
 	long sff, status;
 	char *who;
 # if _FFR_TLS_1
 	char *cf2, *kf2;
-# endif /* _FFR_TLS_1 */
+# if SM_CONF_SHM
 #  if SM_CONF_SHM
 	extern int ShmId;
-#  endif /* SM_CONF_SHM */
+# endif /* SM_CONF_SHM */
 # if OPENSSL_VERSION_NUMBER > 0x00907000L
 	BIO *crl_file;
 	X509_CRL *crl;
@ -586,7 +599,6 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 		return true;
 	ok = true;
 # if _FFR_TLS_1
 	/*
 	**  look for a second filename: it must be separated by a ','
 	**  no blanks allowed (they won't be skipped).
@ -605,7 +617,6 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 		if (keyfile != NULL && (kf2 = strchr(keyfile, ',')) != NULL)
 			*kf2++ = '\0';
 	}
 # endif /* _FFR_TLS_1 */
 	/*
 	**  Check whether files/paths are defined
@ -625,7 +636,6 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 		 TLS_S_CRLF_EX, TLS_T_OTHER);
 # endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
 # if _FFR_TLS_1
 	/*
 	**  if the second file is specified it must exist
 	**  XXX: it is possible here to define only one of those files
@ -641,7 +651,6 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 		TLS_OK_F(kf2, "KeyFile", bitset(TLS_I_KEY_EX, req),
 			 TLS_S_KEY2_EX, srv ? TLS_T_SRV : TLS_T_CLT);
 	}
 # endif /* _FFR_TLS_1 */
 	/*
 	**  valid values for dhparam are (only the first char is checked)
@ -715,7 +724,6 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 # endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
 	if (!ok)
 		return ok;
 # if _FFR_TLS_1
 	if (cf2 != NULL)
 	{
 		TLS_SAFE_F(cf2, sff | TLS_UNR(TLS_I_CERT_UNR, req),
@ -728,7 +736,6 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 			   bitset(TLS_I_KEY_EX, req),
 			   bitset(TLS_S_KEY2_EX, status), TLS_S_KEY2_OK, srv);
 	}
 # endif /* _FFR_TLS_1 */
 	/* create a method and a new context */
 	if ((*ctx = SSL_CTX_new(srv ? SSLv23_server_method() :
@ -823,13 +830,13 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 	*/
 	if (bitset(TLS_I_RSA_TMP, req)
-#   if SM_CONF_SHM
+#  if SM_CONF_SHM
 	    && ShmId != SM_SHM_NO_ID &&
 	    (rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL,
 					NULL)) == NULL
-#   else /* SM_CONF_SHM */
+#  else /* SM_CONF_SHM */
 	    && 0	/* no shared memory: no need to generate key now */
-#   endif /* SM_CONF_SHM */
+#  endif /* SM_CONF_SHM */
 	   )
 	{
 		if (LogLevel > 7)
@ -865,16 +872,25 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 			return false;
 	}
 #if _FFR_TLS_USE_CERTIFICATE_CHAIN_FILE
 # define SSL_CTX_use_cert(ssl_ctx, certfile) \
 	SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile)
 # define SSL_CTX_USE_CERT "SSL_CTX_use_certificate_chain_file"
 #else
 # define SSL_CTX_use_cert(ssl_ctx, certfile) \
 	SSL_CTX_use_certificate_file(ssl_ctx, certfile, SSL_FILETYPE_PEM)
 # define SSL_CTX_USE_CERT "SSL_CTX_use_certificate_file"
 #endif
 	/* get the certificate file */
 	if (bitset(TLS_S_CERT_OK, status) &&
-	    SSL_CTX_use_certificate_file(*ctx, certfile,
+	    SSL_CTX_use_cert(*ctx, certfile) <= 0)
 					 SSL_FILETYPE_PEM) <= 0)
 	{
 		if (LogLevel > 7)
 		{
 			sm_syslog(LOG_WARNING, NOQID,
-				  "STARTTLS=%s, error: SSL_CTX_use_certificate_file(%s) failed",
+				  "STARTTLS=%s, error: %s(%s) failed",
-				  who, certfile);
+				  who, SSL_CTX_USE_CERT, certfile);
 			if (LogLevel > 9)
 				tlslogerr(LOG_WARNING, who);
 		}
@ -899,7 +915,6 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 			return false;
 	}
 # if _FFR_TLS_1
 	/* XXX this code is pretty much duplicated from above! */
 	/* load private key */
@ -918,13 +933,13 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 	/* get the certificate file */
 	if (bitset(TLS_S_CERT2_OK, status) &&
-	    SSL_CTX_use_certificate_file(*ctx, cf2, SSL_FILETYPE_PEM) <= 0)
+	    SSL_CTX_use_cert(*ctx, cf2) <= 0)
 	{
 		if (LogLevel > 7)
 		{
 			sm_syslog(LOG_WARNING, NOQID,
-				  "STARTTLS=%s, error: SSL_CTX_use_certificate_file(%s) failed",
+				  "STARTTLS=%s, error: %s(%s) failed",
-				  who, cf2);
+				  who, SSL_CTX_USE_CERT, cf2);
 			if (LogLevel > 9)
 				tlslogerr(LOG_WARNING, who);
 		}
@ -944,7 +959,6 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 				tlslogerr(LOG_WARNING, who);
 		}
 	}
 # endif /* _FFR_TLS_1 */
 	/* SSL_CTX_set_quiet_shutdown(*ctx, 1); violation of standard? */
@ -968,7 +982,7 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 			options &= ~SSL_OP_TLS_BLOCK_PADDING_BUG;
 	}
 #endif
-	SSL_CTX_set_options(*ctx, options);
+	SSL_CTX_set_options(*ctx, (long) options);
 # if !NO_DH
 	/* Diffie-Hellman initialization */
@ -1153,7 +1167,6 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 	if (tTd(96, 9))
 		SSL_CTX_set_info_callback(*ctx, apps_ssl_info_cb);
 # if _FFR_TLS_1
 	/* install our own cipher list */
 	if (CipherList != NULL && *CipherList != '\0')
 	{
@ -1171,29 +1184,73 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 			/* failure if setting to this list is required? */
 		}
 	}
-# endif /* _FFR_TLS_1 */
+
 	if (LogLevel > 12)
 		sm_syslog(LOG_INFO, NOQID, "STARTTLS=%s, init=%d", who, ok);
-# if _FFR_TLS_1
+# if 0
 #  if 0
 	/*
 	**  this label is required if we want to have a "clean" exit
 	**  see the comments above at the initialization of cf2
 	*/
    endinittls:
-#  endif /* 0 */
+# endif /* 0 */
 	/* undo damage to global variables */
 	if (cf2 != NULL)
 		*--cf2 = ',';
 	if (kf2 != NULL)
 		*--kf2 = ',';
 # endif /* _FFR_TLS_1 */
 	return ok;
 }
 /*
 **  CERT_FP -- get cert fingerprint
 **
 **	Parameters:
 **		cert -- TLS cert
 **		mac -- macro storage
 **		macro -- where to store cert fp
 **
 **	Returns:
 **		<=0: cert fp calculation failed
 **		>0: cert fp calculation ok
 */
 static int
 cert_fp(cert, evp_digest, mac, macro)
 	X509 *cert;
 	const EVP_MD *evp_digest;
 	MACROS_T *mac;
 	char *macro;
 {
 	unsigned int n;
 	int r;
 	unsigned char md[EVP_MAX_MD_SIZE];
 	char md5h[EVP_MAX_MD_SIZE * 3];
 	static const char hexcodes[] = "0123456789ABCDEF";
 	n = 0;
 	if (X509_digest(cert, EVP_digest, md, &n) == 0 || n <= 0)
 	{
 		macdefine(mac, A_TEMP, macid(macro), "");
 		return 0;
 	}
 	SM_ASSERT((n * 3) + 2 < sizeof(md5h));
 	for (r = 0; r < (int) n; r++)
 	{
 		md5h[r * 3] = hexcodes[(md[r] & 0xf0) >> 4];
 		md5h[(r * 3) + 1] = hexcodes[(md[r] & 0x0f)];
 		md5h[(r * 3) + 2] = ':';
 	}
 	md5h[(n * 3) - 1] = '\0';
 	macdefine(mac, A_TEMP, macid(macro), md5h);
 	return 1;
 }
 /*
 **  TLS_GET_INFO -- get information about TLS connection
 **
@ -1208,9 +1265,7 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 **		result of authentication.
 **
 **	Side Effects:
-**		sets macros: {cipher}, {tls_version}, {verify},
+**		sets various TLS related macros.
 **		{cipher_bits}, {alg_bits}, {cert}, {cert_subject},
 **		{cert_issuer}, {cn_subject}, {cn_issuer}
 */
 int
@ -1238,7 +1293,7 @@ tls_get_info(ssl, srv, host, mac, certreq)
 	macdefine(mac, A_TEMP, macid("{cipher_bits}"), bitstr);
 	(void) sm_snprintf(bitstr, sizeof(bitstr), "%d", r);
 	macdefine(mac, A_TEMP, macid("{alg_bits}"), bitstr);
-	s = SSL_CIPHER_get_version(c);
+	s = (char *) SSL_get_version(ssl);
 	if (s == NULL)
 		s = "UNKNOWN";
 	macdefine(mac, A_TEMP, macid("{tls_version}"), s);
@ -1252,9 +1307,7 @@ tls_get_info(ssl, srv, host, mac, certreq)
 			  who, verifyok, (unsigned long) cert);
 	if (cert != NULL)
 	{
 		unsigned int n;
 		X509_NAME *subj, *issuer;
 		unsigned char md[EVP_MAX_MD_SIZE];
 		char buf[MAXNAME];
 		subj = X509_get_subject_name(cert);
@ -1268,6 +1321,8 @@ tls_get_info(ssl, srv, host, mac, certreq)
 # define LL_BADCERT	8
 #define CERTFPMACRO (CertFingerprintAlgorithm != NULL ? "{cert_fp}" : "{cert_md5}")
 #define CHECK_X509_NAME(which)	\
 	do {	\
 		if (r == -1)	\
@ -1313,24 +1368,7 @@ tls_get_info(ssl, srv, host, mac, certreq)
 		CHECK_X509_NAME("cn_issuer");
 		macdefine(mac, A_TEMP, macid("{cn_issuer}"),
 			 xtextify(buf, "<>\")"));
-		n = 0;
+		(void) cert_fp(cert, EVP_digest, mac, CERTFPMACRO);
 		if (X509_digest(cert, EVP_md5(), md, &n) != 0 && n > 0)
 		{
 			char md5h[EVP_MAX_MD_SIZE * 3];
 			static const char hexcodes[] = "0123456789ABCDEF";
 			SM_ASSERT((n * 3) + 2 < sizeof(md5h));
 			for (r = 0; r < (int) n; r++)
 			{
 				md5h[r * 3] = hexcodes[(md[r] & 0xf0) >> 4];
 				md5h[(r * 3) + 1] = hexcodes[(md[r] & 0x0f)];
 				md5h[(r * 3) + 2] = ':';
 			}
 			md5h[(n * 3) - 1] = '\0';
 			macdefine(mac, A_TEMP, macid("{cert_md5}"), md5h);
 		}
 		else
 			macdefine(mac, A_TEMP, macid("{cert_md5}"), "");
 	}
 	else
 	{
@ -1338,7 +1376,7 @@ tls_get_info(ssl, srv, host, mac, certreq)
 		macdefine(mac, A_PERM, macid("{cert_issuer}"), "");
 		macdefine(mac, A_PERM, macid("{cn_subject}"), "");
 		macdefine(mac, A_PERM, macid("{cn_issuer}"), "");
-		macdefine(mac, A_TEMP, macid("{cert_md5}"), "");
+		macdefine(mac, A_TEMP, macid(CERTFPMACRO), "");
 	}
 	switch (verifyok)
 	{
@ -1633,9 +1671,9 @@ apps_ssl_info_cb(s, where, ret)
 **	Parameters:
 **		ok -- verify ok?
 **		ctx -- x509 context
 **		name -- from where is this called?
 **
 **	Returns:
 **		0 -- fatal error
 **		1 -- ok
 */
@ -1643,9 +1681,8 @@ static int
 tls_verify_log(ok, ctx, name)
 	int ok;
 	X509_STORE_CTX *ctx;
-	char *name;
+	const char *name;
 {
 	SSL *ssl;
 	X509 *cert;
 	int reason, depth;
 	char buf[512];
@ -1653,17 +1690,6 @@ tls_verify_log(ok, ctx, name)
 	cert = X509_STORE_CTX_get_current_cert(ctx);
 	reason = X509_STORE_CTX_get_error(ctx);
 	depth = X509_STORE_CTX_get_error_depth(ctx);
 	ssl = (SSL *) X509_STORE_CTX_get_ex_data(ctx,
 			SSL_get_ex_data_X509_STORE_CTX_idx());
 	if (ssl == NULL)
 	{
 		/* internal error */
 		sm_syslog(LOG_ERR, NOQID,
 			  "STARTTLS: internal error: tls_verify_cb: ssl == NULL");
 		return 0;
 	}
 	X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
 	sm_syslog(LOG_INFO, NOQID,
 		  "STARTTLS: %s cert verify: depth=%d %s, state=%d, reason=%s",
@ -1729,10 +1755,10 @@ tlslogerr(level, who)
 	unsigned long es;
 	char *file, *data;
 	char buf[256];
 #  define CP (const char **)
 	es = CRYPTO_thread_id();
-	while ((l = ERR_get_error_line_data(CP &file, &line, CP &data, &flags))
+	while ((l = ERR_get_error_line_data((const char **) &file, &line,
 					    (const char **) &data, &flags))
 		!= 0)
 	{
 		sm_syslog(level, NOQID,
--- a/src/usersmtp.c
+++ b/src/usersmtp.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998-2006, 2008-2010 Proofpoint, Inc. and its suppliers.
+ * Copyright (c) 1998-2006, 2008-2010, 2014 Proofpoint, Inc. and its suppliers.
 *	All rights reserved.
 * Copyright (c) 1983, 1995-1997 Eric P. Allman.  All rights reserved.
 * Copyright (c) 1988, 1993
@ -92,6 +92,11 @@ smtpinit(m, mci, e, onlyhelo)
 		CurHostName = MyHostName;
 	SmtpNeedIntro = true;
 	state = mci->mci_state;
 #if _FFR_ERRCODE
 	e->e_rcode = 0;
 	e->e_renhsc[0] = '\0';
 	e->e_text = NULL;
 #endif /* _FFR_ERRCODE */
 	switch (state)
 	{
 	  case MCIS_MAIL:
@ -227,10 +232,7 @@ smtpinit(m, mci, e, onlyhelo)
 	*/
 	if ((UseMSP && Verbose && bitset(MCIF_VERB, mci->mci_flags))
-# if !_FFR_DEPRECATE_MAILER_FLAG_I
+	    || bitnset(M_INTERNAL, m->m_flags))
 	    || bitnset(M_INTERNAL, m->m_flags)
 # endif /* !_FFR_DEPRECATE_MAILER_FLAG_I */
 	   )
 	{
 		/* tell it to be verbose */
 		smtpmessage("VERB", m, mci);
@ -768,9 +770,7 @@ readauth(filename, safe, sai, rpool)
 		pid = -1;
 		sff = SFF_REGONLY|SFF_SAFEDIRPATH|SFF_NOWLINK
 		      |SFF_NOGWFILES|SFF_NOWWFILES|SFF_NOWRFILES;
 # if _FFR_GROUPREADABLEAUTHINFOFILE
 		if (!bitnset(DBS_GROUPREADABLEAUTHINFOFILE, DontBlameSendmail))
 # endif /* _FFR_GROUPREADABLEAUTHINFOFILE */
 			sff |= SFF_NOGRFILES;
 		if (DontLockReadFiles)
 			sff |= SFF_NOLOCK;
@ -2770,7 +2770,10 @@ smtpdata(m, mci, e, ctladdr, xstart)
  writeerr:
 	mci->mci_errno = errno;
 	mci->mci_state = MCIS_ERROR;
-	mci_setstat(mci, EX_TEMPFAIL, "4.4.2", NULL);
+	mci_setstat(mci, bitset(MCIF_NOTSTICKY, mci->mci_flags)
 			 ? EX_NOTSTICKY: EX_TEMPFAIL,
 		    "4.4.2", NULL);
 	mci->mci_flags &= ~MCIF_NOTSTICKY;
 	/*
 	**  If putbody() couldn't finish due to a timeout,
@ -2782,7 +2785,7 @@ smtpdata(m, mci, e, ctladdr, xstart)
 		(void) bfrewind(e->e_dfp);
 	errno = mci->mci_errno;
-	syserr("451 4.4.1 timeout writing message to %s", CurHostName);
+	syserr("+451 4.4.1 timeout writing message to %s", CurHostName);
 	smtpquit(m, mci, e);
 	return EX_TEMPFAIL;
 }
@ -3085,7 +3088,7 @@ reply(m, mci, e, timeout, pfunc, enhstat, rtype)
 	*/
 	bufp = SmtpReplyBuffer;
-	set_tls_rd_tmo(timeout);
+	(void) set_tls_rd_tmo(timeout);
 	for (;;)
 	{
 		register char *p;
@ -3247,6 +3250,48 @@ reply(m, mci, e, timeout, pfunc, enhstat, rtype)
 			firstline = false;
 			continue;
 		}
 #if _FFR_ERRCODE
 # if _FFR_PROXY
 		if ((e->e_rcode == 0 || REPLYTYPE(e->e_rcode) < 5)
 		    && REPLYTYPE(r) > 3 && firstline)
 # endif
 # if _FFR_LOGREPLY
 		if (REPLYTYPE(r) > 3 && firstline)
 # endif
 		{
 			int o = -1;
 # if PIPELINING
 			/*
 			**  ignore error iff: DATA, 5xy error, but we had
 			**  "retryable" recipients. XREF: smtpdata()
 			*/
 			if (!(rtype == XS_DATA && REPLYTYPE(r) == 5 &&
 			      mci->mci_okrcpts <= 0 && mci->mci_retryrcpt))
 # endif /* PIPELINING */
 			{
 				o = extenhsc(bufp + 4, ' ', enhstatcode);
 				if (o > 0)
 				{
 					sm_strlcpy(e->e_renhsc, enhstatcode,
 						sizeof(e->e_renhsc));
 					/* skip SMTP reply code, delimiters */
 					o += 5;
 				}
 				else
 					o = 4;
 				e->e_rcode = r;
 				e->e_text = sm_rpool_strdup_x(e->e_rpool,
 							      bufp + o);
 			}
 			if (tTd(87, 2))
 			{
 				sm_dprintf("user: offset=%d, bufp=%s, rcode=%d, enhstat=%s, text=%s\n",
 					o, bufp, r, e->e_renhsc, e->e_text);
 			}
 		}
 #endif /* _FFR_ERRCODE */
 		firstline = false;
--- a/src/util.c
+++ b/src/util.c
@ -1833,7 +1833,7 @@ dumpfd(fd, printclosed, logit)
 	}
 	(void) sm_snprintf(p, SPACELEFT(buf, p), "mode=%o: ",
-			(int) st.st_mode);
+			(unsigned int) st.st_mode);
 	p += strlen(p);
 	switch (st.st_mode & S_IFMT)
 	{
@ -1936,11 +1936,11 @@ dumpfd(fd, printclosed, logit)
 	  default:
 defprint:
 		(void) sm_snprintf(p, SPACELEFT(buf, p),
-			 "dev=%d/%d, ino=%llu, nlink=%d, u/gid=%d/%d, ",
+			 "dev=%ld/%ld, ino=%llu, nlink=%d, u/gid=%ld/%ld, ",
-			 major(st.st_dev), minor(st.st_dev),
+			 (long) major(st.st_dev), (long) minor(st.st_dev),
 			 (ULONGLONG_T) st.st_ino,
-			 (int) st.st_nlink, (int) st.st_uid,
+			 (int) st.st_nlink, (long) st.st_uid,
-			 (int) st.st_gid);
+			 (long) st.st_gid);
 		p += strlen(p);
 		(void) sm_snprintf(p, SPACELEFT(buf, p), "size=%llu",
 			 (ULONGLONG_T) st.st_size);
@ -2866,3 +2866,139 @@ count_open_connections(hostaddr)
 	return n;
 }
 #if _FFR_XCNCT
 /*
 **  XCONNECT -- get X-CONNECT info
 **
 **	Parameters:
 **		inchannel -- FILE to check
 **
 **	Returns:
 **		-1 on error
 **		0 if X-CONNECT was not given
 **		>0 if X-CONNECT was used successfully (D_XCNCT*)
 */
 int
 xconnect(inchannel)
 	SM_FILE_T *inchannel;
 {
 	int r, i;
 	char *p, *b, delim, inp[MAXINPLINE];
 	SOCKADDR addr;
 	char **pvp;
 	char pvpbuf[PSBUFSIZE];
 	char *peerhostname;	/* name of SMTP peer or "localhost" */
 	extern ENVELOPE BlankEnvelope;
 #define XCONNECT "X-CONNECT "
 #define XCNNCTLEN (sizeof(XCONNECT) - 1)
 	/* Ask the ruleset whether to use x-connect */
 	pvp = NULL;
 	peerhostname = RealHostName;
 	if (peerhostname == NULL)
 		peerhostname = "localhost";
 	r = rscap("x_connect", peerhostname,
 		  anynet_ntoa(&RealHostAddr), &BlankEnvelope,
 		  &pvp, pvpbuf, sizeof(pvpbuf));
 	if (tTd(75, 8))
 		sm_syslog(LOG_INFO, NOQID, "x-connect: rscap=%d", r);
 	if (r == EX_UNAVAILABLE)
 		return 0;
 	if (r != EX_OK)
 	{
 		/* ruleset error */
 		sm_syslog(LOG_INFO, NOQID, "x-connect: rscap=%d", r);
 		return 0;
 	}
 	if (pvp != NULL && pvp[0] != NULL && (pvp[0][0] & 0377) == CANONNET)
 	{
 		/* $#: no x-connect */
 		if (tTd(75, 7))
 			sm_syslog(LOG_INFO, NOQID, "x-connect: nope");
 		return 0;
 	}
 	p = sfgets(inp, sizeof(inp), InChannel, TimeOuts.to_nextcommand, "pre");
 	if (tTd(75, 6))
 		sm_syslog(LOG_INFO, NOQID, "x-connect: input=%s", p);
 	if (p == NULL || strncasecmp(p, XCONNECT, XCNNCTLEN) != 0)
 		return -1;
 	p += XCNNCTLEN;
 	while (isascii(*p) && isspace(*p))
 		p++;
 	/* parameters: IPAddress [Hostname[ M]] */
 	b = p;
 	while (*p != '\0' && isascii(*p) &&
 	       (isalnum(*p) || *p == '.' || *p== ':'))
 		p++;
 	delim = *p;
 	*p = '\0';
 	memset(&addr, '\0', sizeof(addr));
 	addr.sin.sin_addr.s_addr = inet_addr(b);
 	if (addr.sin.sin_addr.s_addr != INADDR_NONE)
 	{
 		addr.sa.sa_family = AF_INET;
 		memcpy(&RealHostAddr, &addr, sizeof(addr));
 		if (tTd(75, 2))
 			sm_syslog(LOG_INFO, NOQID, "x-connect: addr=%s",
 				anynet_ntoa(&RealHostAddr));
 	}
 # if NETINET6
 	else if ((r = inet_pton(AF_INET6, b, &addr.sin6.sin6_addr)) == 1)
 	{
 		addr.sa.sa_family = AF_INET6;
 		memcpy(&RealHostAddr, &addr, sizeof(addr));
 	}
 # endif /* NETINET6 */
 	else
 		return -1;
 	/* more parameters? */
 	if (delim != ' ')
 		return D_XCNCT;
 	while (*p != '\0' && isascii(*p) && isspace(*p))
 		p++;
 	for (b = ++p, i = 0;
 	     *p != '\0' && isascii(*p) && (isalnum(*p) || *p == '.' || *p == '-');
 	     p++, i++)
 		;
 	if (i == 0)
 		return D_XCNCT;
 	delim = *p;
 	if (i > MAXNAME)
 		b[MAXNAME] = '\0';
 	else
 		b[i] = '\0';
 	SM_FREE_CLR(RealHostName);
 	RealHostName = newstr(b);
 	if (tTd(75, 2))
 		sm_syslog(LOG_INFO, NOQID, "x-connect: host=%s", b);
 	*p = delim;
 	b = p;
 	if (*p != ' ')
 		return D_XCNCT;
 	while (*p != '\0' && isascii(*p) && isspace(*p))
 		p++;
 	if (tTd(75, 4))
 	{
 		char *e;
 		e = strpbrk(p, "\r\n");
 		if (e != NULL)
 			*e = '\0';
 		sm_syslog(LOG_INFO, NOQID, "x-connect: rest=%s", p);
 	}
 	if (*p == 'M')
 		return D_XCNCT_M;
 	return D_XCNCT;
 }
 #endif /* _FFR_XCNCT */
--- a/src/version.c
+++ b/src/version.c
@ -13,6 +13,6 @@
 #include <sm/gen.h>
-SM_RCSID("@(#)$Id: version.c,v 8.249 2013-11-27 00:38:50 ca Exp $")
+SM_RCSID("@(#)$Id: version.c,v 8.250 2014-01-27 12:55:16 ca Exp $")
-char	Version[] = "8.14.9";
+char	Version[] = "8.15.1";