Import sendmail 8.16.1

svn path=/vendor/sendmail/dist/; revision=363203 svn path=/vendor/sendmail/8.16.1/; revision=363204; tag=vendor/sendmail/8.16.1
2020-07-14 21:40:53 +00:00 · 2020-07-14 21:40:53 +00:00 · cee0d44ab3 · 2020-12-20 02:59:44 +00:00
commit cee0d44ab3
parent 1c3e417caf
261 changed files with 23551 additions and 19557 deletions
--- a/240
+++ b/240
@ -1,4 +1,3 @@
 # $Id: CACerts,v 8.6 2013-01-18 15:14:17 ca Exp $
 # This file contains some CA certificates that are used to sign the
 # certificates of mail servers of members of the sendmail consortium
 # who may reply to questions etc sent to sendmail.org.
@ -10,189 +9,92 @@ Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
-            92:91:67:de:e0:ef:2c:e4
+            81:9d:41:0f:40:55:ac:4a
    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=US, ST=California, L=Berkeley, O=Endmail Org, OU=MTA, CN=Claus Assmann CA RSA 2015/emailAddress=ca+ca-rsa2015@esmtp.org
+        Issuer: C=US, ST=California, L=Berkeley, O=Endmail Org, OU=MTA, CN=CA/emailAddress=ca+ca-rsa2018@esmtp.org
        Validity
-            Not Before: Mar  2 19:15:29 2015 GMT
+            Not Before: Feb 27 02:30:55 2018 GMT
-            Not After : Mar  1 19:15:29 2018 GMT
+            Not After : Feb 26 02:30:55 2021 GMT
-        Subject: C=US, ST=California, L=Berkeley, O=Endmail Org, OU=MTA, CN=Claus Assmann CA RSA 2015/emailAddress=ca+ca-rsa2015@esmtp.org
+        Subject: C=US, ST=California, L=Berkeley, O=Endmail Org, OU=MTA, CN=CA/emailAddress=ca+ca-rsa2018@esmtp.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
-                    00:b9:1a:a1:56:ce:cb:16:af:4f:96:ba:2a:70:31:
+                    00:b8:a3:8d:79:28:c1:1f:9c:11:74:43:26:e1:3b:
-                    70:d3:86:6c:7a:46:26:47:42:3f:de:49:57:3e:08:
+                    cc:14:87:5b:6b:64:4c:ed:79:1b:7f:2a:03:d0:7b:
-                    1e:10:25:bf:06:8f:ca:fd:f4:5e:6a:01:7d:31:4d:
+                    ef:9e:88:b0:64:36:ee:58:ef:fd:d9:c7:20:b3:71:
-                    50:88:18:43:71:66:65:42:9c:90:97:0d:95:f2:14:
+                    e9:6d:1e:a7:bc:c1:7c:3b:fe:2a:e4:16:2f:bc:d6:
-                    ef:d7:5e:77:ef:7d:b5:49:3f:02:bb:83:20:f7:e6:
+                    2c:f5:98:f9:c4:21:1c:ca:c3:7e:57:89:c8:a9:2f:
-                    fc:9a:cd:13:df:60:41:28:8e:39:07:a6:a4:40:98:
+                    da:6b:9b:52:d6:c9:9d:98:97:6d:08:7c:a6:37:4e:
-                    15:1e:46:b6:04:2e:f9:ab:32:d1:8b:fe:52:81:f1:
+                    d4:26:bb:db:73:b0:38:ef:7d:1e:dd:8e:dd:8e:17:
-                    d2:e1:c3:cf:bf:ab:40:a7:f0:e4:e5:a2:82:37:30:
+                    2f:a0:3d:a9:0e:4d:f0:2b:b8:14:23:33:ad:c8:a0:
-                    8c:10:7d:aa:a8:7c:7e:76:cc:5f:1a:24:d0:8c:94:
+                    e5:9d:0f:27:ad:83:a2:78:90:05:ec:29:06:91:07:
-                    f6:f2:7f:4a:be:2f:38:67:c0:06:e6:9e:51:ad:55:
+                    45:6c:5f:ba:8e:1d:f1:d7:1b:2d:f9:99:ba:2e:27:
-                    d0:cb:26:71:cf:f4:af:7d:5a:41:81:16:fb:26:ec:
+                    e1:03:7d:e9:d2:54:35:cc:39:79:07:83:d8:93:9b:
-                    f0:35:01:6e:db:f9:e9:00:d7:d0:89:7b:cf:88:16:
+                    d6:ef:72:ab:d4:63:8e:6b:f7:00:66:5f:77:e8:b6:
-                    8b:1c:8f:77:1f:5d:ef:70:04:28:76:c5:1b:c6:23:
+                    bc:de:5f:8c:d0:ce:1a:c4:db:03:9d:e4:ee:0a:ec:
-                    8d:49:6b:f0:b8:21:56:d6:7d:68:6c:be:21:e3:e6:
+                    77:c5:f2:30:69:7e:70:12:e5:c2:4a:28:3f:e7:19:
-                    e3:1d:6f:a5:ea:dc:83:e4:27:b3:6f:5f:1b:3d:33:
+                    eb:af:41:fb:e6:a6:1d:b5:fd:2b:99:03:f5:20:90:
-                    a1:d5:d3:f0:73:1a:12:eb:d9:95:00:71:59:16:b4:
+                    38:73:bd:43:70:da:cf:1f:34:5d:ab:17:4b:73:cf:
-                    e4:60:38:b2:2e:7f:b7:d4:c5:e9:3f:74:e4:48:38:
+                    f9:3d:e1:a2:79:14:de:d8:40:85:82:c4:5a:84:82:
-                    29:89
+                    32:f1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
-                B1:69:DB:5E:9B:CE:1A:B4:1D:B2:6A:FC:5A:22:97:B6:24:14:6F:32
+                42:37:75:E7:8F:12:CF:D9:EB:21:22:7D:8A:E8:49:21:FD:E2:3A:3A
            X509v3 Authority Key Identifier: 
-                keyid:B1:69:DB:5E:9B:CE:1A:B4:1D:B2:6A:FC:5A:22:97:B6:24:14:6F:32
+                keyid:42:37:75:E7:8F:12:CF:D9:EB:21:22:7D:8A:E8:49:21:FD:E2:3A:3A
-                DirName:/C=US/ST=California/L=Berkeley/O=Endmail Org/OU=MTA/CN=Claus Assmann CA RSA 2015/emailAddress=ca+ca-rsa2015@esmtp.org
+                DirName:/C=US/ST=California/L=Berkeley/O=Endmail Org/OU=MTA/CN=CA/emailAddress=ca+ca-rsa2018@esmtp.org
-                serial:92:91:67:DE:E0:EF:2C:E4
+                serial:81:9D:41:0F:40:55:AC:4A
            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Subject Alternative Name: 
-                email:ca+ca-rsa2015@esmtp.org
+                email:ca+ca-rsa2018@esmtp.org
            X509v3 Issuer Alternative Name: 
-                email:ca+ca-rsa2015@esmtp.org
+                email:ca+ca-rsa2018@esmtp.org
    Signature Algorithm: sha1WithRSAEncryption
-         0a:ce:07:39:77:08:c5:3a:00:04:e8:a0:3b:f7:d2:4c:79:02:
+         0b:4c:e5:c2:ed:0a:e5:7b:95:29:22:d4:8f:5f:cb:1b:b1:e3:
-         23:0b:da:c0:55:39:82:71:0a:0c:83:e2:de:f2:3b:fe:23:bc:
+         4c:fc:90:e7:2e:97:87:87:a2:63:0d:6d:4d:f0:1f:0d:84:11:
-         9b:13:34:d1:29:0a:16:3f:01:7d:9f:fb:4b:aa:12:dc:3b:7e:
+         dc:df:b7:fa:c3:c6:2e:07:e9:a0:e9:a6:9f:54:17:ad:1a:d0:
-         b9:27:7b:ec:0c:3f:c0:d9:f5:d8:a8:a1:9c:1c:3a:2f:40:df:
+         36:be:31:cc:a5:85:a0:45:4a:87:45:80:7e:de:ea:97:68:e0:
-         27:1a:1a:a0:74:00:19:b7:82:0e:f9:45:86:bf:32:da:0e:72:
+         2b:09:5d:9a:31:6f:f5:78:22:c5:66:2a:99:70:9e:6d:c4:ab:
-         0a:4c:2c:39:21:63:c3:1f:61:6e:e2:4d:ba:7a:26:1a:15:ce:
+         f6:90:01:70:53:07:66:6c:a6:b5:ce:4b:36:05:83:87:0c:a7:
-         b1:f6:1a:59:04:70:ed:e8:72:05:4c:fc:84:c6:a5:f4:e2:4a:
+         e0:1e:34:d0:5e:76:a4:20:71:cd:9d:c1:ae:82:27:e0:6f:16:
-         40:e4:42:70:87:9a:a7:02:26:3a:47:34:09:e0:7b:88:ca:fb:
+         57:74:e7:63:9f:d0:3d:72:91:6d:97:a4:82:23:84:dd:6e:0d:
-         99:d9:9b:bb:0c:52:8a:93:d5:59:30:0b:55:42:b4:bb:d2:b1:
+         da:43:00:a7:ce:2f:f8:79:04:67:6a:e5:b0:ab:30:d8:f1:90:
-         49:55:81:a4:70:a0:49:19:f2:4f:61:94:af:e9:d7:62:68:65:
+         10:43:3b:09:77:27:34:a4:d4:c0:25:4e:21:32:a3:ab:60:1c:
-         97:67:00:26:b8:9b:b2:2c:d0:2c:83:7d:3e:b3:31:73:b9:55:
+         9d:6e:e2:65:39:51:7f:cd:9f:88:3a:7e:f4:38:af:7b:5b:a7:
-         49:53:fa:a3:ad:1b:02:67:08:9e:ce:9e:eb:9f:47:0d:6c:95:
+         bb:7b:70:97:21:59:fc:5c:55:a1:db:74:0a:37:1e:33:97:5f:
-         e9:6c:30:92:c1:94:67:ad:d9:e3:b9:61:ea:a9:72:98:81:3a:
+         70:32:98:b3:d9:99:4e:08:3c:de:01:82:17:9b:49:d7:fa:c9:
-         62:80:70:20:9a:3e:c4:1f:6f:bd:b4:00:ec:b1:fe:71:da:91:
+         45:8d:93:cc:42:d6:36:f2:39:3a:47:28:3f:6f:6a:e5:23:f3:
-         15:89:f7:8f
+         5c:d4:a3:1b
 -----BEGIN CERTIFICATE-----
-MIIFJzCCBA+gAwIBAgIJAJKRZ97g7yzkMA0GCSqGSIb3DQEBBQUAMIGlMQswCQYD
+MIIE4jCCA8qgAwIBAgIJAIGdQQ9AVaxKMA0GCSqGSIb3DQEBBQUAMIGOMQswCQYD
 VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTERMA8GA1UEBwwIQmVya2VsZXkx
-FDASBgNVBAoMC0VuZG1haWwgT3JnMQwwCgYDVQQLDANNVEExIjAgBgNVBAMMGUNs
+FDASBgNVBAoMC0VuZG1haWwgT3JnMQwwCgYDVQQLDANNVEExCzAJBgNVBAMMAkNB
-YXVzIEFzc21hbm4gQ0EgUlNBIDIwMTUxJjAkBgkqhkiG9w0BCQEWF2NhK2NhLXJz
+MSYwJAYJKoZIhvcNAQkBFhdjYStjYS1yc2EyMDE4QGVzbXRwLm9yZzAeFw0xODAy
-YTIwMTVAZXNtdHAub3JnMB4XDTE1MDMwMjE5MTUyOVoXDTE4MDMwMTE5MTUyOVow
+MjcwMjMwNTVaFw0yMTAyMjYwMjMwNTVaMIGOMQswCQYDVQQGEwJVUzETMBEGA1UE
-gaUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMREwDwYDVQQHDAhC
+CAwKQ2FsaWZvcm5pYTERMA8GA1UEBwwIQmVya2VsZXkxFDASBgNVBAoMC0VuZG1h
-ZXJrZWxleTEUMBIGA1UECgwLRW5kbWFpbCBPcmcxDDAKBgNVBAsMA01UQTEiMCAG
+aWwgT3JnMQwwCgYDVQQLDANNVEExCzAJBgNVBAMMAkNBMSYwJAYJKoZIhvcNAQkB
-A1UEAwwZQ2xhdXMgQXNzbWFubiBDQSBSU0EgMjAxNTEmMCQGCSqGSIb3DQEJARYX
+FhdjYStjYS1yc2EyMDE4QGVzbXRwLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEP
-Y2ErY2EtcnNhMjAxNUBlc210cC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ADCCAQoCggEBALijjXkowR+cEXRDJuE7zBSHW2tkTO15G38qA9B7756IsGQ27ljv
-ggEKAoIBAQC5GqFWzssWr0+WuipwMXDThmx6RiZHQj/eSVc+CB4QJb8Gj8r99F5q
+/dnHILNx6W0ep7zBfDv+KuQWL7zWLPWY+cQhHMrDfleJyKkv2mubUtbJnZiXbQh8
-AX0xTVCIGENxZmVCnJCXDZXyFO/XXnfvfbVJPwK7gyD35vyazRPfYEEojjkHpqRA
+pjdO1Ca723OwOO99Ht2O3Y4XL6A9qQ5N8Cu4FCMzrcig5Z0PJ62DoniQBewpBpEH
-mBUeRrYELvmrMtGL/lKB8dLhw8+/q0Cn8OTlooI3MIwQfaqofH52zF8aJNCMlPby
+RWxfuo4d8dcbLfmZui4n4QN96dJUNcw5eQeD2JOb1u9yq9Rjjmv3AGZfd+i2vN5f
-f0q+LzhnwAbmnlGtVdDLJnHP9K99WkGBFvsm7PA1AW7b+ekA19CJe8+IFoscj3cf
+jNDOGsTbA53k7grsd8XyMGl+cBLlwkooP+cZ669B++amHbX9K5kD9SCQOHO9Q3Da
-Xe9wBCh2xRvGI41Ja/C4IVbWfWhsviHj5uMdb6Xq3IPkJ7NvXxs9M6HV0/BzGhLr
+zx80XasXS3PP+T3honkU3thAhYLEWoSCMvECAwEAAaOCAT8wggE7MB0GA1UdDgQW
-2ZUAcVkWtORgOLIuf7fUxek/dORIOCmJAgMBAAGjggFWMIIBUjAdBgNVHQ4EFgQU
+BBRCN3XnjxLP2eshIn2K6Ekh/eI6OjCBwwYDVR0jBIG7MIG4gBRCN3XnjxLP2esh
-sWnbXpvOGrQdsmr8WiKXtiQUbzIwgdoGA1UdIwSB0jCBz4AUsWnbXpvOGrQdsmr8
+In2K6Ekh/eI6OqGBlKSBkTCBjjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlm
-WiKXtiQUbzKhgaukgagwgaUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9y
+b3JuaWExETAPBgNVBAcMCEJlcmtlbGV5MRQwEgYDVQQKDAtFbmRtYWlsIE9yZzEM
-bmlhMREwDwYDVQQHDAhCZXJrZWxleTEUMBIGA1UECgwLRW5kbWFpbCBPcmcxDDAK
+MAoGA1UECwwDTVRBMQswCQYDVQQDDAJDQTEmMCQGCSqGSIb3DQEJARYXY2ErY2Et
-BgNVBAsMA01UQTEiMCAGA1UEAwwZQ2xhdXMgQXNzbWFubiBDQSBSU0EgMjAxNTEm
+cnNhMjAxOEBlc210cC5vcmeCCQCBnUEPQFWsSjAMBgNVHRMEBTADAQH/MCIGA1Ud
-MCQGCSqGSIb3DQEJARYXY2ErY2EtcnNhMjAxNUBlc210cC5vcmeCCQCSkWfe4O8s
+EQQbMBmBF2NhK2NhLXJzYTIwMThAZXNtdHAub3JnMCIGA1UdEgQbMBmBF2NhK2Nh
-5DAMBgNVHRMEBTADAQH/MCIGA1UdEQQbMBmBF2NhK2NhLXJzYTIwMTVAZXNtdHAu
+LXJzYTIwMThAZXNtdHAub3JnMA0GCSqGSIb3DQEBBQUAA4IBAQALTOXC7Qrle5Up
-b3JnMCIGA1UdEgQbMBmBF2NhK2NhLXJzYTIwMTVAZXNtdHAub3JnMA0GCSqGSIb3
+ItSPX8sbseNM/JDnLpeHh6JjDW1N8B8NhBHc37f6w8YuB+mg6aafVBetGtA2vjHM
-DQEBBQUAA4IBAQAKzgc5dwjFOgAE6KA799JMeQIjC9rAVTmCcQoMg+Le8jv+I7yb
+pYWgRUqHRYB+3uqXaOArCV2aMW/1eCLFZiqZcJ5txKv2kAFwUwdmbKa1zks2BYOH
-EzTRKQoWPwF9n/tLqhLcO365J3vsDD/A2fXYqKGcHDovQN8nGhqgdAAZt4IO+UWG
+DKfgHjTQXnakIHHNncGugifgbxZXdOdjn9A9cpFtl6SCI4Tdbg3aQwCnzi/4eQRn
-vzLaDnIKTCw5IWPDH2Fu4k26eiYaFc6x9hpZBHDt6HIFTPyExqX04kpA5EJwh5qn
+auWwqzDY8ZAQQzsJdyc0pNTAJU4hMqOrYBydbuJlOVF/zZ+IOn70OK97W6e7e3CX
-AiY6RzQJ4HuIyvuZ2Zu7DFKKk9VZMAtVQrS70rFJVYGkcKBJGfJPYZSv6ddiaGWX
+IVn8XFWh23QKNx4zl19wMpiz2ZlOCDzeAYIXm0nX+slFjZPMQtY28jk6Ryg/b2rl
-ZwAmuJuyLNAsg30+szFzuVVJU/qjrRsCZwiezp7rn0cNbJXpbDCSwZRnrdnjuWHq
+I/Nc1KMb
 qXKYgTpigHAgmj7EH2+9tADssf5x2pEVifeP
 -----END CERTIFICATE-----
 Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f1:41:b3:3d:ba:bd:33:49
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=Berkeley, O=Endmail Org, OU=MTA, CN=Claus Assmann CA RSA 2012/emailAddress=ca+ca-rsa2012@esmtp.org
        Validity
            Not Before: Mar 10 02:47:46 2012 GMT
            Not After : Mar 10 02:47:46 2015 GMT
        Subject: C=US, ST=California, L=Berkeley, O=Endmail Org, OU=MTA, CN=Claus Assmann CA RSA 2012/emailAddress=ca+ca-rsa2012@esmtp.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a2:80:fc:c6:ce:7f:60:38:65:f4:38:f9:7a:d9:
                    87:fd:47:eb:3f:2c:4a:c9:38:77:6a:77:94:92:7f:
                    83:3d:99:57:2c:5f:37:bb:ba:12:10:17:56:fa:eb:
                    43:a6:4b:4c:1e:30:32:07:94:2f:5a:d8:65:49:29:
                    fa:24:d1:f0:0b:45:2d:e5:d5:cb:7d:60:dc:a6:ce:
                    a4:47:35:30:ee:5e:8d:c2:30:e7:a7:63:32:b0:59:
                    80:cc:8c:99:64:77:8f:50:8e:88:51:47:36:ea:9a:
                    f3:b4:c0:8c:a6:ab:c6:42:57:88:b9:5f:9f:61:15:
                    bb:79:65:93:ca:a9:fd:17:eb:87:26:8b:eb:b7:2b:
                    7e:33:05:2b:ba:c0:46:f7:08:fd:da:c1:50:9b:3d:
                    26:83:5c:53:97:89:2c:cc:5f:f2:7b:a8:b7:3d:fb:
                    f2:b4:89:0d:43:ef:18:5c:21:75:71:cc:f0:c2:a3:
                    84:69:c0:a7:f3:9b:de:c1:c7:5a:5c:7e:68:da:49:
                    71:af:58:a8:51:9f:bd:f9:3d:bb:a5:92:fa:7b:1d:
                    52:f5:fe:90:59:95:27:65:a4:af:97:9a:4f:01:39:
                    59:7d:08:6f:a1:8f:42:47:49:bf:12:52:53:39:74:
                    8d:62:3b:bd:4c:4f:05:0f:c4:b9:3e:da:a8:0e:96:
                    05:2d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                08:38:E3:88:92:53:6E:F1:56:69:27:44:B5:4C:A0:18:CA:06:97:EB
            X509v3 Authority Key Identifier: 
                keyid:08:38:E3:88:92:53:6E:F1:56:69:27:44:B5:4C:A0:18:CA:06:97:EB
                DirName:/C=US/ST=California/L=Berkeley/O=Endmail Org/OU=MTA/CN=Claus Assmann CA RSA 2012/emailAddress=ca+ca-rsa2012@esmtp.org
                serial:F1:41:B3:3D:BA:BD:33:49
            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Subject Alternative Name: 
                email:ca+ca-rsa2012@esmtp.org
            X509v3 Issuer Alternative Name: 
                email:ca+ca-rsa2012@esmtp.org
    Signature Algorithm: sha1WithRSAEncryption
        9a:8f:4d:23:5b:30:80:e1:94:e4:66:9c:3a:17:8b:79:49:5b:
        ec:5d:e5:a1:22:2d:71:37:a1:51:e7:1d:b1:0d:a9:9b:aa:a9:
        0d:c7:cd:d6:24:f9:e0:f0:57:be:4f:74:0c:4b:7a:42:4c:70:
        19:2e:8e:eb:cb:1b:00:26:27:eb:1c:42:33:d5:ec:32:b4:6c:
        7d:a3:04:a1:5c:00:49:c9:0d:4c:4d:28:37:06:22:77:ec:40:
        15:25:3a:23:84:ae:1f:da:90:dd:c9:dc:27:ee:7c:ec:e5:df:
        b8:ba:1e:3f:ee:c2:91:a2:3f:22:92:1e:f3:06:7e:aa:e9:c3:
        11:2d:3d:2f:85:f7:fc:d7:e2:f8:6d:70:a6:40:62:69:e7:52:
        ed:1b:19:38:72:86:08:a1:3d:47:c8:68:82:41:db:db:2a:52:
        25:d7:49:aa:9e:c5:83:22:7d:2f:0b:df:8c:90:2d:b5:aa:33:
        c7:9b:e8:39:8f:bb:79:5b:13:2d:4e:a9:69:59:c7:09:26:e2:
        b5:53:80:86:72:bb:7c:be:e9:46:5b:d8:b2:78:42:d6:5d:c3:
        bb:3a:3b:5f:0f:e8:c3:60:fb:88:9f:3a:2b:9f:d3:7d:9f:c7:
        32:aa:4d:34:a7:66:a1:25:16:95:a6:69:e7:86:a3:5c:b9:b9:
        df:58:05:e3
 -----BEGIN CERTIFICATE-----
 MIIFJzCCBA+gAwIBAgIJAPFBsz26vTNJMA0GCSqGSIb3DQEBBQUAMIGlMQswCQYD
 VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIQmVya2VsZXkx
 FDASBgNVBAoTC0VuZG1haWwgT3JnMQwwCgYDVQQLEwNNVEExIjAgBgNVBAMTGUNs
 YXVzIEFzc21hbm4gQ0EgUlNBIDIwMTIxJjAkBgkqhkiG9w0BCQEWF2NhK2NhLXJz
 YTIwMTJAZXNtdHAub3JnMB4XDTEyMDMxMDAyNDc0NloXDTE1MDMxMDAyNDc0Nlow
 gaUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhC
 ZXJrZWxleTEUMBIGA1UEChMLRW5kbWFpbCBPcmcxDDAKBgNVBAsTA01UQTEiMCAG
 A1UEAxMZQ2xhdXMgQXNzbWFubiBDQSBSU0EgMjAxMjEmMCQGCSqGSIb3DQEJARYX
 Y2ErY2EtcnNhMjAxMkBlc210cC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
 ggEKAoIBAQCigPzGzn9gOGX0OPl62Yf9R+s/LErJOHdqd5SSf4M9mVcsXze7uhIQ
 F1b660OmS0weMDIHlC9a2GVJKfok0fALRS3l1ct9YNymzqRHNTDuXo3CMOenYzKw
 WYDMjJlkd49QjohRRzbqmvO0wIymq8ZCV4i5X59hFbt5ZZPKqf0X64cmi+u3K34z
 BSu6wEb3CP3awVCbPSaDXFOXiSzMX/J7qLc9+/K0iQ1D7xhcIXVxzPDCo4RpwKfz
 m97Bx1pcfmjaSXGvWKhRn735Pbulkvp7HVL1/pBZlSdlpK+Xmk8BOVl9CG+hj0JH
 Sb8SUlM5dI1iO71MTwUPxLk+2qgOlgUtAgMBAAGjggFWMIIBUjAdBgNVHQ4EFgQU
 CDjjiJJTbvFWaSdEtUygGMoGl+swgdoGA1UdIwSB0jCBz4AUCDjjiJJTbvFWaSdE
 tUygGMoGl+uhgaukgagwgaUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9y
 bmlhMREwDwYDVQQHEwhCZXJrZWxleTEUMBIGA1UEChMLRW5kbWFpbCBPcmcxDDAK
 BgNVBAsTA01UQTEiMCAGA1UEAxMZQ2xhdXMgQXNzbWFubiBDQSBSU0EgMjAxMjEm
 MCQGCSqGSIb3DQEJARYXY2ErY2EtcnNhMjAxMkBlc210cC5vcmeCCQDxQbM9ur0z
 STAMBgNVHRMEBTADAQH/MCIGA1UdEQQbMBmBF2NhK2NhLXJzYTIwMTJAZXNtdHAu
 b3JnMCIGA1UdEgQbMBmBF2NhK2NhLXJzYTIwMTJAZXNtdHAub3JnMA0GCSqGSIb3
 DQEBBQUAA4IBAQCaj00jWzCA4ZTkZpw6F4t5SVvsXeWhIi1xN6FR5x2xDambqqkN
 x83WJPng8Fe+T3QMS3pCTHAZLo7ryxsAJifrHEIz1ewytGx9owShXABJyQ1MTSg3
 BiJ37EAVJTojhK4f2pDdydwn7nzs5d+4uh4/7sKRoj8ikh7zBn6q6cMRLT0vhff8
 1+L4bXCmQGJp51LtGxk4coYIoT1HyGiCQdvbKlIl10mqnsWDIn0vC9+MkC21qjPH
 m+g5j7t5WxMtTqlpWccJJuK1U4CGcrt8vulGW9iyeELWXcO7OjtfD+jDYPuInzor
 n9N9n8cyqk00p2ahJRaVpmnnhqNcubnfWAXj
 -----END CERTIFICATE-----
--- a/1
+++ b/1
@ -271,4 +271,3 @@ Kresolve sequence dnsmx canon
  be used if set instead of LOCAL_RELAY ($R).  This will be fixed in a
  future version.
 $Revision: 8.61 $, Last updated $Date: 2011-04-07 17:48:23 $
--- a/1334
+++ b/1334
--- a/4
+++ b/4
@ -431,8 +431,7 @@ makemap		A program that creates the keyed maps used by the $( ... $)
 		expect to preprocess must human-convenient formats
 		using sed scripts before this program will like them.
 		But it should be functionally complete.
-praliases	A program to print the DBM or NEWDB version of the
+praliases	A program to print the map version of the aliases file.
 		aliases file.
 rmail		Source for rmail(8).  This is used as a delivery
 		agent for for UUCP, and could presumably be used by
 		other non-socket oriented mailers.  Older versions of
@ -447,4 +446,3 @@ sendmail	Source for the sendmail program itself.
 test		Some test scripts (currently only for compilation aids).
 vacation	Source for the vacation program.  NOT PART OF SENDMAIL!
 $Revision: 8.96 $, Last updated $Date: 2013-11-22 20:51:01 $
--- a/144
+++ b/144
@ -5,6 +5,124 @@ This listing shows the version of the sendmail binary, the version
 of the sendmail configuration files, the date of release, and a
 summary of the changes in that release.
 8.16.1/8.16.1	2020/07/05
 	SECURITY: If sendmail tried to reuse an SMTP session which had
 		already been closed by the server, then the connection
 		cache could have invalid information about the session.
 		One possible consequence was that STARTTLS was not
 		used even if offered.  This problem has been fixed
 		by clearing out all relevant status information
 		when a closed session is encountered.
 	OpenSSL versions before 0.9.8 are no longer supported.
 	OpenSSL version 1.1.0 and 1.1.1 are supported.
 	Initial support for DANE (see RFC 7672 et.al.) is available if
 		the compile time option DANE is set.  Only TLSA RR 3-1-x
 		is currently implemented.
 	New options SSLEngine and SSLEnginePath to support OpenSSL engines.
 		Note: this feature has so far only been tested with the
 		"chil" engine; please report problems with other engines
 		if you encounter any.
 	New option CRLPath to specify a directory which contains
 		hashes pointing to certificate revocations files.
 		Based on patch from Al Smith.
 	New rulesets tls_srv_features and tls_clt_features which
 		can return a (semicolon separated) list of TLS related
 		options, e.g., CipherList, CertFile, KeyFile,
 		see doc/op/op.me for details.
 	To automatically handle TLS interoperability problems for outgoing
 		mail, sendmail can now immediately try a connection again
 		without STARTTLS after a TLS handshake failure.
 		This can be configured globally via the option
 		TLSFallbacktoClear or per session via the 'C' flag
 		of tls_clt_features.
 		This also adds the new value "CLEAR" for the macro
 		{verify}: STARTTLS has been disabled internally for
 		a clear text delivery attempt.
 	Apply Timeout.starttls also to the server waiting for the TLS
 		handshake to begin.  Based on patch from Simon Hradecky.
 	New compile time option TLS_EC to enable the use of elliptic
 		curve cryptography in STARTTLS (previously available as
 		_FFR_TLS_EC).
 	Handle MIME boundaries specified in headers which contain CRLF.
 	Fix detection of loopback net (it was broken when compiled
 		with NETINET6) and only set the macros {if_addr_out}
 		and {if_family_out} if the interface of the outgoing
 		connection does not belong to the loopback net.
 	Fix logic to enable a milter to delete a recipient in
 		DeliveryMode=interactive even if it might be subject
 		to alias expansion.
 	Log name of a milter making changes (this was missing for
 		some functions).
 	Log the actual reply of a server when an SMTP delivery problem
 		occurs in a "reply=" field if possible.
 	Log user= for failed AUTH attempts if possible.  Based on
 		patch from Packet Hack, Jim Hranicky, Kevin A. McGrail,
 		and Joe Quinn.
 	Add CDB as map type. Note: CDB is a "Constant DataBase", i.e.,
 		no changes can be made after it is created, hence it
 		does not work with vacation(1) nor editmap(8) (except
 		for query mode).
 	Fix some memory leaks (mostly in error cases) and properly handle
 		copied varargs in sm_io_vfprintf(). The issues were found
 		using Coverity Scan and reported (including patches) by
 		Ondřej Lysoněk of Red Hat.
 	Do not override ServerSSLOptions and ClientSSLOptions when they
 		are specified on the command line.  Based on patch from
 		Hiroki Sato.
 	Add RFC7505 Null MX support for domains that declare they do not
 		accept mail.
 	New compile time option LDAP_NETWORK_TIMEOUT which is set
 		automatically when LDAPMAP is used and
 		LDAP_OPT_NETWORK_TIMEOUT is available to enable the
 		new -c option for LDAP maps to specify the network timeout.
 	CONFIG: New FEATURE(`tls_session_features') to enable standard
 		rules for tls_srv_features and tls_clt_features; for
 		details see cf/README.
 	CONFIG: New options confSSL_ENGINE and confSSL_ENGINE_PATH
 		for SSLEngine and SSLEnginePath, respectively.
 	CONFIG: New options confDANE to enable DANE support.
 	CONFIG: New option confTLS_FALLBACK_TO_CLEAR for TLSFallbacktoClear.
 	CONFIG: New extension CITag: for TLS restrictions, see cf/README
 		for details.
 	CONFIG: FEATURE(`blacklist_recipients') renamed to
 		FEATURE(`blocklist_recipients').
 	CONTRIB: cidrexpand updated to support IPv6 CIDR ranges and to
 		canonicalize IPv6 addresses; if cidrexpand is used with IPv6
 		addresses then UseCompressedIPv6Addresses must be disabled.
 	DOC: The dns map can return multiple values in a single result
 		if the -z option is used.
 	DOC: Note to set MustQuoteChars=. due to DKIM signatures.
 	LIBMILTER: Fix typo in a macro. Patch from Ignacio Goyret
 		of Alcatel-Lucent.
 	LIBMILTER: Fix reference in xxfi_negotiate documentation.
 		Patch from Sven Neuhaus.
 	LIBMILTER: Fix function name in smfi_addrcpt_par documentation.
 		Patch from G.W. Haywood.
 	LIBMILTER: Fix a potential memory leak in smfi_setsymlist().
 		Patch from Martin Svec.
 	MAKEMAP: New map type "implicit" refers to the first available type,
 		i.e., it depends on the compile time options NEWDB, DBM,
 		and CDB. This can be used in conjunction with the
 		"implicit" map type in sendmail.cf.
 		Note: makemap, libsmdb, and sendmail must be compiled
 		with the same options (and library versions of course).
 	Portability:
 		Add support for Darwin 14-18 (Mac OS X 10.x).
 		New option HAS_GETHOSTBYNAME2: set if your system
 		supports gethostbyname2(2).
 		Set SM_CONF_SEM=2 for FreeBSD 12 and later due to
 		changes in sys/sem.h
 		On Linux set MAXHOSTNAMELEN (the maximum length
 		of a FQHN) to 256 if it is less than that value.
 	Added Files:
 		cf/feature/blocklist_recipients.m4
 		cf/feature/tls_failures.m4
 		devtools/OS/Darwin.14.x
 		devtools/OS/Darwin.15.x
 		devtools/OS/Darwin.16.x
 		libsmdb/smcdb.c
 		sendmail/ratectrl.h
 8.15.2/8.15.2	2015/07/03
 	If FEATURE(`nopercenthack') is used then some bogus input triggered
 		a recursion which was caught and logged as
@ -104,7 +222,7 @@ summary of the changes in that release.
 	The option CipherList sets the list of ciphers for STARTTLS.
 		See ciphers(1) for possible values.
 	Do not log "STARTTLS: internal error: tls_verify_cb: ssl == NULL"
-		if a CRLFfile is in use (and LogLevel is 14 or higher.)
+		if a CRLFile is in use (and LogLevel is 14 or higher.)
 	Store a more specific TLS protocol version in ${tls_version}
 		instead of a generic one, e.g., TLSv1 instead of
 		TLSv1/SSLv3.
@ -127,7 +245,7 @@ summary of the changes in that release.
 	A new map type "arpa" is available to reverse an IP (IPv4 or IPv6)
 		address. It returns the string for the PTR lookup, but
 		without trailing {ip6,in-addr}.arpa.
-	New operation mode  'C' just checks the configuration file, e.g.,
+	New operation mode 'C' just checks the configuration file, e.g.,
 		sendmail -C new.cf -bC
 		will perform a basic syntax/consistency check of new.cf.
 	The mailer flag 'I' is deprecated and will be removed in a
@ -740,7 +858,7 @@ summary of the changes in that release.
 		Patches from Nelson Fung.
 	CONTRIB: cidrexpand uses a hash symbol as comment character and
 		ignores everything after it unless it is in quotes or
-		preceeded by a backslash.
+		preceded by a backslash.
 	DEVTOOLS: New macro confMKDIR: if set to a program that creates
 		directories, then it used for "make install" to create
 		the required installation directories.
@ -2465,7 +2583,7 @@ summary of the changes in that release.
 		noted by Greg Robinson of the Defence Science and
 		Technology Organisation of Australia.
 	CONFIG: dnsbl: If an argument specifies an error message in case
-		of temporary lookup failures for DNS based blacklists
+		of temporary lookup failures for DNS based blocklists
 		then use it.
 	LIBMILTER: Install mfdef.h, required by mfapi.h.  Problem noted by
 		Richard A. Nelson of Debian.
@ -2539,7 +2657,7 @@ summary of the changes in that release.
 		is "pw", which means to use getpwnam().  New mailbox database
 		types can be added by adding custom code to libsm/mbdb.c.
 	Queue file names are now 15 characters long, rather than 14 characters
-		long, to accomodate envelope splitting.  File systems with
+		long, to accommodate envelope splitting.  File systems with
 		a 14 character file name length limit are no longer
 		supported.
 	Recipient list used for delivery now gets internally ordered by
@ -2580,7 +2698,7 @@ summary of the changes in that release.
 	New ruleset srv_features to enable/disable certain features in the
 		server per connection.  See doc/op/op.me for details.
 	New ruleset tls_rcpt to decide whether to send e-mail to a particular
-		recipient; useful to decide whether a conection is secure
+		recipient; useful to decide whether a connection is secure
 		enough on a per recipient basis.
 	New option TLSSrvOptions to modify some aspects of the server
 		for STARTTLS.
@ -2591,7 +2709,7 @@ summary of the changes in that release.
 	Macro expand filenames/directories for certs and keys in the .cf file.
 		Proposed by Neil Rickert of Northern Illinois University.
 	Generate an ephemeral RSA key for a STARTTLS connection only if
-		really required.  This change results in a noticable
+		really required.  This change results in a noticeable
 		performance gains on most machines.  Moreover, if shared
 		memory is in use, reuse the key several times.
 	Add queue groups which can be used to group queue directories with
@ -3500,7 +3618,7 @@ summary of the changes in that release.
 	CONFIG: Reject addresses of the form a!b if FEATURE(`nouucp', `r')
 		is used.  Problem noted by Phil Homewood of Asia Online,
 		patch from Neil Rickert of Northern Illinois University.
-	CONFIG: Change the default DNS based blacklist server for
+	CONFIG: Change the default DNS based blocklist server for
 		FEATURE(`dnsbl') to blackholes.mail-abuse.org.
 	CONFIG: Deal correctly with the 'C' flag in {daemon_flags}, i.e.,
 		implicitly assume canonical host names.
@ -4736,7 +4854,7 @@ summary of the changes in that release.
 		from Per Hedeland of Ericsson.
 	If a resolver ANY query is larger than the UDP packet size, the
 		resolver will fall back to TCP.  However, some
-		misconfigured firewalls black 53/TCP so the ANY lookup
+		misconfigured firewalls block 53/TCP so the ANY lookup
 		fails whereas an MX or A record might succeed.  Therefore,
 		don't fail on ANY queries.
 	If an SMTP recipient is rejected due to syntax errors in the
@ -5152,7 +5270,7 @@ summary of the changes in that release.
 		line up into 2046-character output lines (excluding the
 		newline).  If an input line was 2047 characters long
 		(excluding CR-LF) and the last character was a '.',
-		mail.local saw it as the end of input, transfered it to the
+		mail.local saw it as the end of input, transferred it to the
 		user mailbox and tried to write an `ok' back to sendmail.
 		If the message was much longer, both sendmail and
 		mail.local would deadlock waiting for each other to read
@ -6039,7 +6157,7 @@ summary of the changes in that release.
 	CONFIG: FEATURE(nodns) now warns the user that the feature is a
 		no-op.  Patch from Kari Hurtta of the Finnish
 		Meteorological Institute.
-	CONFIG: OSTYPE(osf1) now sets DefaultUserID (confDEF_USER_ID) to
+	CONFIG: OSTYPE(osf1) now sets DefaultUser (confDEF_USER_ID) to
 		daemon since DEC's /bin/mail will drop the envelope
 		sender if run as mailnull.  See the Digital UNIX section
 		of src/README for more information.  Problem noted by
@ -7632,7 +7750,7 @@ summary of the changes in that release.
 		instead of 0644.  Suggested by Ann-Kian Yeo of the
 		National University of Singapore.
 	Print errors if setgid/setuid/etc. fail during delivery.  This helps
-		detect cases where DefaultUid is set to something that the
+		detect cases where DefaultUser is set to something that the
 		system can't cope with.
 	PORTABILITY FIXES:
 		Support for AIX/RS 2.2.1 from Mark Whetzel of Western
@ -9840,7 +9958,7 @@ summary of the changes in that release.
 		gethostname() (instead of myhostname(), which tries
 		to fully qualify the name) to be consistent with
 		SunOS.  If your hostname is unqualified, this fixes
-		transfers to slave servers.  Bug noted by Keith
+		transfers to secondary servers.  Bug noted by Keith
 		McMillan of Ameritech Services, Inc.
 	Fix Ultrix problem: gethostbyname() can return a very large
 		(> 500) h_length field, which causes the sockaddr
--- a/cf/README
+++ b/cf/README
@ -396,7 +396,7 @@ SMTP_MAILER_MAXMSGS	[undefined] If defined, the maximum number of
 			messages to deliver in a single connection for the
 			smtp, smtp8, esmtp, or dsmtp mailers.
 SMTP_MAILER_MAXRCPTS	[undefined] If defined, the maximum number of
-			recipients to deliver in a single connection for the
+			recipients to deliver in a single envelope for the
 			smtp, smtp8, esmtp, or dsmtp mailers.
 SMTP_MAILER_ARGS	[TCP $h] The arguments passed to the smtp mailer.
 			About the only reason you would want to change this
@ -1250,7 +1250,7 @@ access_db	Turns on the access database feature.  The access db gives
 		important information about this feature.  Notice:
 		"-T<TMPF>" is meant literal, do not replace it by anything.
-blacklist_recipients
+blocklist_recipients
 		Turns on the ability to block incoming mail for certain
 		recipient usernames, hostnames, or addresses.  For
 		example, you can block incoming mail to user nobody,
@ -1579,7 +1579,7 @@ require_rdns	Reject mail from connecting SMTP clients without proper
 		Entries such as
 			Connect:1.2.3.4		OK
 			Connect:1.2		RELAY
-		will whitelist IP address 1.2.3.4, so that the rDNS
+		will allowlist IP address 1.2.3.4, so that the rDNS
 		blocking does apply to that IP address
 		Entries such as
@ -2602,7 +2602,7 @@ requires a tag.  For example,
 	From:another.dom	REJECT
 This would deny mails from spammer@some.dom but you could still
-send mail to that address even if FEATURE(`blacklist_recipients')
+send mail to that address even if FEATURE(`blocklist_recipients')
 is enabled.  Your system will allow relaying to friend.domain, but
 not from it (unless enabled by other means).  Connections from that
 domain will be allowed even if it ends up in one of the DNS based
@ -2723,7 +2723,7 @@ sender address.
 If you use:
-	FEATURE(`blacklist_recipients')
+	FEATURE(`blocklist_recipients')
 then you can add entries to the map for local users, hosts in your
 domains, or addresses in your domain which should not receive mail:
@ -2747,14 +2747,14 @@ as value part in the access map.  Taking the example from above:
 Mail can't be sent to spammer@aol.com or anyone at cyberspammer.com.
 That's why tagged entries should be used.
-There are several DNS based blacklists which can be found by
+There are several DNS based blocklists which can be found by
 querying a search engine.  These are databases of spammers
 maintained in DNS.  To use such a database, specify
 	FEATURE(`dnsbl', `dnsbl.example.com')
 This will cause sendmail to reject mail from any site listed in the
-DNS based blacklist.  You must select a DNS based blacklist domain
+DNS based blocklist.  You must select a DNS based blocklist domain
 to check by specifying an argument to the FEATURE.  The default
 error message is
@ -2789,14 +2789,14 @@ This FEATURE can be included several times to query different
 DNS based rejection lists.
 Notice: to avoid checking your own local domains against those
-blacklists, use the access_db feature and add:
+blocklists, use the access_db feature and add:
 	Connect:10.1		OK
 	Connect:127.0.0.1	RELAY
 to the access map, where 10.1 is your local network.  You may
 want to use "RELAY" instead of "OK" to allow also relaying
-instead of just disabling the DNS lookups in the blacklists.
+instead of just disabling the DNS lookups in the blocklists.
 The features described above make use of the check_relay, check_mail,
@ -2849,7 +2849,7 @@ my.domain and you have
 in the access map, then any e-mail with a sender address of
 <user@my.domain> will not be rejected by check_relay even though
 it would match the hostname or IP address.  This allows spammers
-to get around DNS based blacklist by faking the sender address.  To
+to get around DNS based blocklist by faking the sender address.  To
 avoid this problem you have to use tagged entries:
 	To:my.domain		RELAY
@ -2978,7 +2978,7 @@ limits per client IP address or net.  These features can limit the
 rate of connections (connections per time unit) or the number of
 incoming SMTP connections, respectively.  If enabled, appropriate
 rulesets are called at the end of check_relay, i.e., after DNS
-blacklists and generic access_db operations.  The features require
+blocklists and generic access_db operations.  The features require
 FEATURE(`access_db') to be listed earlier in the mc file.
 Note: FEATURE(`delay_checks') delays those connection control checks
@ -3071,13 +3071,13 @@ rulesets and map lookups, they are modified as follows: each non-printable
 character and the characters '<', '>', '(', ')', '"', '+', ' ' are replaced
 by their HEX value with a leading '+'.  For example:
-/C=US/ST=California/O=endmail.org/OU=private/CN=Darth Mail (Cert)/Email=
+/C=US/ST=California/O=endmail.org/OU=private/CN=Darth Mail (Cert)/emailAddress=
 darth+cert@endmail.org
 is encoded as:
 /C=US/ST=California/O=endmail.org/OU=private/CN=
-Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org
+Darth+20Mail+20+28Cert+29/emailAddress=darth+2Bcert@endmail.org
 (line breaks have been inserted for readability).
@ -3089,30 +3089,27 @@ Examples:
 To allow relaying for everyone who can present a cert signed by
 /C=US/ST=California/O=endmail.org/OU=private/CN=
-Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org
+Darth+20Mail+20+28Cert+29/emailAddress=darth+2Bcert@endmail.org
 simply use:
 CertIssuer:/C=US/ST=California/O=endmail.org/OU=private/CN=
-Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org	RELAY
+Darth+20Mail+20+28Cert+29/emailAddress=darth+2Bcert@endmail.org	RELAY
 To allow relaying only for a subset of machines that have a cert signed by
 /C=US/ST=California/O=endmail.org/OU=private/CN=
-Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org
+Darth+20Mail+20+28Cert+29/emailAddress=darth+2Bcert@endmail.org
 use:
 CertIssuer:/C=US/ST=California/O=endmail.org/OU=private/CN=
-Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org	SUBJECT
+Darth+20Mail+20+28Cert+29/emailAddress=darth+2Bcert@endmail.org	SUBJECT
 CertSubject:/C=US/ST=California/O=endmail.org/OU=private/CN=
-DeathStar/Email=deathstar@endmail.org		RELAY
+DeathStar/emailAddress=deathstar@endmail.org		RELAY
-Notes:
+Note: line breaks have been inserted after "CN=" for readability,
- line breaks have been inserted after "CN=" for readability,
+each tagged entry must be one (long) line in the access map.
  each tagged entry must be one (long) line in the access map.
 - if OpenSSL 0.9.7 or newer is used then the "Email=" part of a DN
  is replaced by "emailAddress=".
 Of course it is also possible to write a simple ruleset that allows
 relaying for everyone who can present a cert that can be verified, e.g.,
@ -3188,16 +3185,23 @@ CN:name		name must match ${cn_subject}
 CN		${client_name}/${server_name} must match ${cn_subject}
 CS:name		name must match ${cert_subject}
 CI:name		name must match ${cert_issuer}
 CITag:MYTag	look up MYTag:${cert_issuer} in access map; the check
 		only succeeds if it is found with a RHS of OK.
 Example: e-mail sent to secure.example.com should only use an encrypted
 connection.  E-mail received from hosts within the laptop.example.com domain
 should only be accepted if they have been authenticated.  The host which
 receives e-mail for darth@endmail.org must present a cert that uses the
-CN smtp.endmail.org.
+CN smtp.endmail.org.  E-mail sent to safe.example.com must be verified,
 have a matching CN, and must present a cert signed by a CA with one of
 the listed DNs.
-TLS_Srv:secure.example.com      ENCR:112
+TLS_Srv:secure.example.com	ENCR:112
-TLS_Clt:laptop.example.com      PERM+VERIFY:112
+TLS_Clt:laptop.example.com	PERM+VERIFY:112
 TLS_Rcpt:darth@endmail.org	ENCR:112+CN:smtp.endmail.org
 TLS_Srv:safe.example.net	VERIFY+CN++CITag:MyCA
 MyCA:/C=US/ST=CA/O=safe/CN=example.net/		OK
 MyCA:/C=US/ST=CA/O=secure/CN=example.net/	OK
 TLS Options per Session
@ -3217,6 +3221,7 @@ options:
 - Options: compare {Server,Client}SSLOptions.
 - CipherList: same as the global option.
 - CertFile, KeyFile: {Server,Client}{Cert,Key}File
 - Flags: see doc/op/op.me for details.
 If FEATURE(`tls_session_features') is used, then default rulesets
 are activated which look up entries in the access map with the tags
@ -3234,15 +3239,12 @@ If FEATURE(`tls_session_features') is not used the user can provide
 their own rulesets which must return the appropriate data.
 If the rulesets are not defined or do not return a value, the
 default TLS options are not modified.
 (These rulesets require the sendmail binary to be built with
 _FFR_TLS_SE_OPTS enabled.)
-About 2): the ruleset try_tls (srv_features) can be used that work
+About 2): the ruleset try_tls (srv_features) can be used together
-together with the access map.  Entries for the access map must be
+with the access map.  Entries for the access map must be tagged
-tagged with Try_TLS (Srv_Features) and refer to the hostname or IP
+with Try_TLS (Srv_Features) and refer to the hostname or IP address
-address of the connecting system.  A default case can be specified
+of the connecting system.  A default case can be specified by using
-by using just the tag.  For example, the following entries in the
+just the tag.  For example, the following entries in the access map:
 access map:
 	Try_TLS:broken.server	NO
 	Srv_Features:my.domain	v
@ -3654,7 +3656,7 @@ for.  In particular:
  if your system allows "file giveaways" (that is, if a non-root
  user can chown any file they own to any other user).
-* If your system allows file giveaways, DO NOT create a publically
+* If your system allows file giveaways, DO NOT create a publicly
  writable directory for forward files.  This will allow anyone
  to steal anyone else's e-mail.  Instead, create a script that
  copies the .forward file from users' home directories once a
@ -4011,6 +4013,10 @@ confUSERDB_SPEC		UserDatabaseSpec
 confFALLBACK_MX		FallbackMXhost	[undefined] Fallback MX host.
 confFALLBACK_SMARTHOST	FallbackSmartHost
 					[undefined] Fallback smart host.
 confTLS_FALLBACK_TO_CLEAR	TLSFallbacktoClear
 					[undefined] If set, immediately try
 					a connection again without STARTTLS
 					after a TLS handshake failure.
 confTRY_NULL_MX_LIST	TryNullMXList	[False] If this host is the best MX
 					for a host and other arrangements
 					haven't been made, try connecting
@ -4364,10 +4370,13 @@ confCLIENT_KEY		ClientKeyFile	[undefined] File containing the
 					cert.
 confCRL			CRLFile		[undefined] File containing certificate
 					revocation status, useful for X.509v3
-					authentication. Note that CRL requires
+					authentication.
-					at least OpenSSL version 0.9.7.
+confCRL_PATH		CRLPath		[undefined] Directory containing
 					hashes pointing to certificate
 					revocation status files.
 confDH_PARAMETERS	DHParameters	[undefined] File containing the
 					DH parameters.
 confDANE		DANE		[false] Enable DANE support.
 confRAND_FILE		RandFile	[undefined] File containing random
 					data (use prefix file:) or the
 					name of the UNIX socket if EGD is
@ -4379,6 +4388,9 @@ confCERT_FINGERPRINT_ALGORITHM	CertFingerprintAlgorithm
 					[undefined] The fingerprint algorithm
 					(digest) to use for the presented
 					cert.
 confSSL_ENGINE		SSLEngine	[undefined] Name of SSLEngine.
 confSSL_ENGINE_PATH	SSLEnginePath	[undefined] Path to dynamic library
 					for SSLEngine.
 confNICE_QUEUE_RUN	NiceQueueRun	[undefined]  If set, the priority of
 					queue runners is set the given value
 					(nice(3)).
@ -4799,7 +4811,6 @@ M4 DIVERSIONS
   5	locally interpreted names (overrides $R)
   6	local configuration (at top of file)
   7	mailer definitions
-   8	DNS based blacklists
+   8	DNS based blocklists
   9	special local rulesets (1 and 2)
 $Revision: 8.730 $, Last updated $Date: 2014-01-16 15:55:51 $
--- a/cf/cf/Makefile
+++ b/cf/cf/Makefile
@ -103,7 +103,7 @@ M4FILES=\
 	${CFDIR}/feature/bcc.m4 \
 	${CFDIR}/feature/bestmx_is_local.m4 \
 	${CFDIR}/feature/bitdomain.m4 \
-	${CFDIR}/feature/blacklist_recipients.m4 \
+	${CFDIR}/feature/blocklist_recipients.m4 \
 	${CFDIR}/feature/conncontrol.m4 \
 	${CFDIR}/feature/dnsbl.m4 \
 	${CFDIR}/feature/domaintable.m4 \
--- a/cf/cf/generic-bsd4.4.cf
+++ b/cf/cf/generic-bsd4.4.cf
@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015
+##### built by ca@lab.smi.sendmail.com on Thu Jul 2 22:41:56 PDT 2020
-##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf
+##### in /var/tmp/ca/sm8.git/sendmail/OpenSource/sendmail-8.16.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@ -122,7 +122,7 @@ DnMAILER-DAEMON
 CPREDIRECT
 # Configuration version number
-DZ8.15.2
+DZ8.16.1
 ###############
@ -521,6 +521,12 @@ O MaxHeadersLength=32768
 #O ServerSSLOptions
 # client side SSL options
 #O ClientSSLOptions
 # SSL Engine
 #O SSLEngine
 # Path to dynamic library for SSLEngine
 #O SSLEnginePath
 # TLS: fall back to clear text after handshake failure?
 #O TLSFallbacktoClear
 # Input mail filters
 #O InputMailFilters
@ -540,12 +546,16 @@ O MaxHeadersLength=32768
 #O ClientKeyFile
 # File containing certificate revocation lists 
 #O CRLFile
 # Directory containing hashes pointing to certificate revocation status files
 #O CRLPath
 # DHParameters (only required if DSA/DH is used)
 #O DHParameters
 # Random data source (required for systems without /dev/urandom under OpenSSL)
 #O RandFile
 # fingerprint algorithm (digest) to use for the presented cert
 #O CertFingerprintAlgorithm
 # enable DANE?
 #O DANE=false
 # Maximum number of "useless" commands before slowing down
 #O MaxNOOPCommands=20
@ -1265,6 +1275,7 @@ R$* $| $*	$@ $>"TLS_connection" $1
 ###		${verify}
 ######################################################################
 Stls_server
 R$*		$@ $>"TLS_connection" $1
 ######################################################################
@ -1276,6 +1287,7 @@ R$*		$@ $>"TLS_connection" $1
 ######################################################################
 STLS_connection
 RSOFTWARE	$#error $@ 4.7.0 $: "403 TLS handshake."
 RDANE_FAIL	$#error $@ 4.7.0 $: "403 DANE check failed."
--- a/cf/cf/generic-hpux10.cf
+++ b/cf/cf/generic-hpux10.cf
@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015
+##### built by ca@lab.smi.sendmail.com on Thu Jul 2 22:41:56 PDT 2020
-##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf
+##### in /var/tmp/ca/sm8.git/sendmail/OpenSource/sendmail-8.16.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@ -123,7 +123,7 @@ DnMAILER-DAEMON
 CPREDIRECT
 # Configuration version number
-DZ8.15.2
+DZ8.16.1
 ###############
@ -522,6 +522,12 @@ O MaxHeadersLength=32768
 #O ServerSSLOptions
 # client side SSL options
 #O ClientSSLOptions
 # SSL Engine
 #O SSLEngine
 # Path to dynamic library for SSLEngine
 #O SSLEnginePath
 # TLS: fall back to clear text after handshake failure?
 #O TLSFallbacktoClear
 # Input mail filters
 #O InputMailFilters
@ -541,12 +547,16 @@ O MaxHeadersLength=32768
 #O ClientKeyFile
 # File containing certificate revocation lists 
 #O CRLFile
 # Directory containing hashes pointing to certificate revocation status files
 #O CRLPath
 # DHParameters (only required if DSA/DH is used)
 #O DHParameters
 # Random data source (required for systems without /dev/urandom under OpenSSL)
 #O RandFile
 # fingerprint algorithm (digest) to use for the presented cert
 #O CertFingerprintAlgorithm
 # enable DANE?
 #O DANE=false
 # Maximum number of "useless" commands before slowing down
 #O MaxNOOPCommands=20
@ -1266,6 +1276,7 @@ R$* $| $*	$@ $>"TLS_connection" $1
 ###		${verify}
 ######################################################################
 Stls_server
 R$*		$@ $>"TLS_connection" $1
 ######################################################################
@ -1277,6 +1288,7 @@ R$*		$@ $>"TLS_connection" $1
 ######################################################################
 STLS_connection
 RSOFTWARE	$#error $@ 4.7.0 $: "403 TLS handshake."
 RDANE_FAIL	$#error $@ 4.7.0 $: "403 DANE check failed."
--- a/cf/cf/generic-hpux9.cf
+++ b/cf/cf/generic-hpux9.cf
@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015
+##### built by ca@lab.smi.sendmail.com on Thu Jul 2 22:41:56 PDT 2020
-##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf
+##### in /var/tmp/ca/sm8.git/sendmail/OpenSource/sendmail-8.16.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@ -123,7 +123,7 @@ DnMAILER-DAEMON
 CPREDIRECT
 # Configuration version number
-DZ8.15.2
+DZ8.16.1
 ###############
@ -522,6 +522,12 @@ O MaxHeadersLength=32768
 #O ServerSSLOptions
 # client side SSL options
 #O ClientSSLOptions
 # SSL Engine
 #O SSLEngine
 # Path to dynamic library for SSLEngine
 #O SSLEnginePath
 # TLS: fall back to clear text after handshake failure?
 #O TLSFallbacktoClear
 # Input mail filters
 #O InputMailFilters
@ -541,12 +547,16 @@ O MaxHeadersLength=32768
 #O ClientKeyFile
 # File containing certificate revocation lists 
 #O CRLFile
 # Directory containing hashes pointing to certificate revocation status files
 #O CRLPath
 # DHParameters (only required if DSA/DH is used)
 #O DHParameters
 # Random data source (required for systems without /dev/urandom under OpenSSL)
 #O RandFile
 # fingerprint algorithm (digest) to use for the presented cert
 #O CertFingerprintAlgorithm
 # enable DANE?
 #O DANE=false
 # Maximum number of "useless" commands before slowing down
 #O MaxNOOPCommands=20
@ -1266,6 +1276,7 @@ R$* $| $*	$@ $>"TLS_connection" $1
 ###		${verify}
 ######################################################################
 Stls_server
 R$*		$@ $>"TLS_connection" $1
 ######################################################################
@ -1277,6 +1288,7 @@ R$*		$@ $>"TLS_connection" $1
 ######################################################################
 STLS_connection
 RSOFTWARE	$#error $@ 4.7.0 $: "403 TLS handshake."
 RDANE_FAIL	$#error $@ 4.7.0 $: "403 DANE check failed."
--- a/cf/cf/generic-linux.cf
+++ b/cf/cf/generic-linux.cf
@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015
+##### built by ca@lab.smi.sendmail.com on Thu Jul 2 22:41:56 PDT 2020
-##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf
+##### in /var/tmp/ca/sm8.git/sendmail/OpenSource/sendmail-8.16.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@ -127,7 +127,7 @@ DnMAILER-DAEMON
 CPREDIRECT
 # Configuration version number
-DZ8.15.2
+DZ8.16.1
 ###############
@ -526,6 +526,12 @@ O MaxHeadersLength=32768
 #O ServerSSLOptions
 # client side SSL options
 #O ClientSSLOptions
 # SSL Engine
 #O SSLEngine
 # Path to dynamic library for SSLEngine
 #O SSLEnginePath
 # TLS: fall back to clear text after handshake failure?
 #O TLSFallbacktoClear
 # Input mail filters
 #O InputMailFilters
@ -545,12 +551,16 @@ O MaxHeadersLength=32768
 #O ClientKeyFile
 # File containing certificate revocation lists 
 #O CRLFile
 # Directory containing hashes pointing to certificate revocation status files
 #O CRLPath
 # DHParameters (only required if DSA/DH is used)
 #O DHParameters
 # Random data source (required for systems without /dev/urandom under OpenSSL)
 #O RandFile
 # fingerprint algorithm (digest) to use for the presented cert
 #O CertFingerprintAlgorithm
 # enable DANE?
 #O DANE=false
 # Maximum number of "useless" commands before slowing down
 #O MaxNOOPCommands=20
@ -1270,6 +1280,7 @@ R$* $| $*	$@ $>"TLS_connection" $1
 ###		${verify}
 ######################################################################
 Stls_server
 R$*		$@ $>"TLS_connection" $1
 ######################################################################
@ -1281,6 +1292,7 @@ R$*		$@ $>"TLS_connection" $1
 ######################################################################
 STLS_connection
 RSOFTWARE	$#error $@ 4.7.0 $: "403 TLS handshake."
 RDANE_FAIL	$#error $@ 4.7.0 $: "403 DANE check failed."
--- a/cf/cf/generic-mpeix.cf
+++ b/cf/cf/generic-mpeix.cf
@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015
+##### built by ca@lab.smi.sendmail.com on Thu Jul 2 22:41:56 PDT 2020
-##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf
+##### in /var/tmp/ca/sm8.git/sendmail/OpenSource/sendmail-8.16.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@ -123,7 +123,7 @@ DnMAILER-DAEMON
 CPREDIRECT
 # Configuration version number
-DZ8.15.2
+DZ8.16.1
 ###############
@ -522,6 +522,12 @@ O MaxHeadersLength=32768
 #O ServerSSLOptions
 # client side SSL options
 #O ClientSSLOptions
 # SSL Engine
 #O SSLEngine
 # Path to dynamic library for SSLEngine
 #O SSLEnginePath
 # TLS: fall back to clear text after handshake failure?
 #O TLSFallbacktoClear
 # Input mail filters
 #O InputMailFilters
@ -541,12 +547,16 @@ O MaxHeadersLength=32768
 #O ClientKeyFile
 # File containing certificate revocation lists 
 #O CRLFile
 # Directory containing hashes pointing to certificate revocation status files
 #O CRLPath
 # DHParameters (only required if DSA/DH is used)
 #O DHParameters
 # Random data source (required for systems without /dev/urandom under OpenSSL)
 #O RandFile
 # fingerprint algorithm (digest) to use for the presented cert
 #O CertFingerprintAlgorithm
 # enable DANE?
 #O DANE=false
 # Maximum number of "useless" commands before slowing down
 #O MaxNOOPCommands=20
@ -1266,6 +1276,7 @@ R$* $| $*	$@ $>"TLS_connection" $1
 ###		${verify}
 ######################################################################
 Stls_server
 R$*		$@ $>"TLS_connection" $1
 ######################################################################
@ -1277,6 +1288,7 @@ R$*		$@ $>"TLS_connection" $1
 ######################################################################
 STLS_connection
 RSOFTWARE	$#error $@ 4.7.0 $: "403 TLS handshake."
 RDANE_FAIL	$#error $@ 4.7.0 $: "403 DANE check failed."
--- a/cf/cf/generic-nextstep3.3.cf
+++ b/cf/cf/generic-nextstep3.3.cf
@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015
+##### built by ca@lab.smi.sendmail.com on Thu Jul 2 22:41:56 PDT 2020
-##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf
+##### in /var/tmp/ca/sm8.git/sendmail/OpenSource/sendmail-8.16.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@ -122,7 +122,7 @@ DnMAILER-DAEMON
 CPREDIRECT
 # Configuration version number
-DZ8.15.2
+DZ8.16.1
 ###############
@ -521,6 +521,12 @@ O MaxHeadersLength=32768
 #O ServerSSLOptions
 # client side SSL options
 #O ClientSSLOptions
 # SSL Engine
 #O SSLEngine
 # Path to dynamic library for SSLEngine
 #O SSLEnginePath
 # TLS: fall back to clear text after handshake failure?
 #O TLSFallbacktoClear
 # Input mail filters
 #O InputMailFilters
@ -540,12 +546,16 @@ O MaxHeadersLength=32768
 #O ClientKeyFile
 # File containing certificate revocation lists 
 #O CRLFile
 # Directory containing hashes pointing to certificate revocation status files
 #O CRLPath
 # DHParameters (only required if DSA/DH is used)
 #O DHParameters
 # Random data source (required for systems without /dev/urandom under OpenSSL)
 #O RandFile
 # fingerprint algorithm (digest) to use for the presented cert
 #O CertFingerprintAlgorithm
 # enable DANE?
 #O DANE=false
 # Maximum number of "useless" commands before slowing down
 #O MaxNOOPCommands=20
@ -1265,6 +1275,7 @@ R$* $| $*	$@ $>"TLS_connection" $1
 ###		${verify}
 ######################################################################
 Stls_server
 R$*		$@ $>"TLS_connection" $1
 ######################################################################
@ -1276,6 +1287,7 @@ R$*		$@ $>"TLS_connection" $1
 ######################################################################
 STLS_connection
 RSOFTWARE	$#error $@ 4.7.0 $: "403 TLS handshake."
 RDANE_FAIL	$#error $@ 4.7.0 $: "403 DANE check failed."
--- a/cf/cf/generic-osf1.cf
+++ b/cf/cf/generic-osf1.cf
@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015
+##### built by ca@lab.smi.sendmail.com on Thu Jul 2 22:41:57 PDT 2020
-##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf
+##### in /var/tmp/ca/sm8.git/sendmail/OpenSource/sendmail-8.16.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@ -123,7 +123,7 @@ DnMAILER-DAEMON
 CPREDIRECT
 # Configuration version number
-DZ8.15.2
+DZ8.16.1
 ###############
@ -522,6 +522,12 @@ O MaxHeadersLength=32768
 #O ServerSSLOptions
 # client side SSL options
 #O ClientSSLOptions
 # SSL Engine
 #O SSLEngine
 # Path to dynamic library for SSLEngine
 #O SSLEnginePath
 # TLS: fall back to clear text after handshake failure?
 #O TLSFallbacktoClear
 # Input mail filters
 #O InputMailFilters
@ -541,12 +547,16 @@ O MaxHeadersLength=32768
 #O ClientKeyFile
 # File containing certificate revocation lists 
 #O CRLFile
 # Directory containing hashes pointing to certificate revocation status files
 #O CRLPath
 # DHParameters (only required if DSA/DH is used)
 #O DHParameters
 # Random data source (required for systems without /dev/urandom under OpenSSL)
 #O RandFile
 # fingerprint algorithm (digest) to use for the presented cert
 #O CertFingerprintAlgorithm
 # enable DANE?
 #O DANE=false
 # Maximum number of "useless" commands before slowing down
 #O MaxNOOPCommands=20
@ -1266,6 +1276,7 @@ R$* $| $*	$@ $>"TLS_connection" $1
 ###		${verify}
 ######################################################################
 Stls_server
 R$*		$@ $>"TLS_connection" $1
 ######################################################################
@ -1277,6 +1288,7 @@ R$*		$@ $>"TLS_connection" $1
 ######################################################################
 STLS_connection
 RSOFTWARE	$#error $@ 4.7.0 $: "403 TLS handshake."
 RDANE_FAIL	$#error $@ 4.7.0 $: "403 DANE check failed."
--- a/cf/cf/generic-solaris.cf
+++ b/cf/cf/generic-solaris.cf
@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015
+##### built by ca@lab.smi.sendmail.com on Thu Jul 2 22:41:57 PDT 2020
-##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf
+##### in /var/tmp/ca/sm8.git/sendmail/OpenSource/sendmail-8.16.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@ -122,7 +122,7 @@ DnMAILER-DAEMON
 CPREDIRECT
 # Configuration version number
-DZ8.15.2
+DZ8.16.1
 ###############
@ -521,6 +521,12 @@ O MaxHeadersLength=32768
 #O ServerSSLOptions
 # client side SSL options
 #O ClientSSLOptions
 # SSL Engine
 #O SSLEngine
 # Path to dynamic library for SSLEngine
 #O SSLEnginePath
 # TLS: fall back to clear text after handshake failure?
 #O TLSFallbacktoClear
 # Input mail filters
 #O InputMailFilters
@ -540,12 +546,16 @@ O MaxHeadersLength=32768
 #O ClientKeyFile
 # File containing certificate revocation lists 
 #O CRLFile
 # Directory containing hashes pointing to certificate revocation status files
 #O CRLPath
 # DHParameters (only required if DSA/DH is used)
 #O DHParameters
 # Random data source (required for systems without /dev/urandom under OpenSSL)
 #O RandFile
 # fingerprint algorithm (digest) to use for the presented cert
 #O CertFingerprintAlgorithm
 # enable DANE?
 #O DANE=false
 # Maximum number of "useless" commands before slowing down
 #O MaxNOOPCommands=20
@ -1265,6 +1275,7 @@ R$* $| $*	$@ $>"TLS_connection" $1
 ###		${verify}
 ######################################################################
 Stls_server
 R$*		$@ $>"TLS_connection" $1
 ######################################################################
@ -1276,6 +1287,7 @@ R$*		$@ $>"TLS_connection" $1
 ######################################################################
 STLS_connection
 RSOFTWARE	$#error $@ 4.7.0 $: "403 TLS handshake."
 RDANE_FAIL	$#error $@ 4.7.0 $: "403 DANE check failed."
--- a/cf/cf/generic-sunos4.1.cf
+++ b/cf/cf/generic-sunos4.1.cf
@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015
+##### built by ca@lab.smi.sendmail.com on Thu Jul 2 22:41:57 PDT 2020
-##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf
+##### in /var/tmp/ca/sm8.git/sendmail/OpenSource/sendmail-8.16.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@ -123,7 +123,7 @@ DnMAILER-DAEMON
 CPREDIRECT
 # Configuration version number
-DZ8.15.2
+DZ8.16.1
 ###############
@ -522,6 +522,12 @@ O MaxHeadersLength=32768
 #O ServerSSLOptions
 # client side SSL options
 #O ClientSSLOptions
 # SSL Engine
 #O SSLEngine
 # Path to dynamic library for SSLEngine
 #O SSLEnginePath
 # TLS: fall back to clear text after handshake failure?
 #O TLSFallbacktoClear
 # Input mail filters
 #O InputMailFilters
@ -541,12 +547,16 @@ O MaxHeadersLength=32768
 #O ClientKeyFile
 # File containing certificate revocation lists 
 #O CRLFile
 # Directory containing hashes pointing to certificate revocation status files
 #O CRLPath
 # DHParameters (only required if DSA/DH is used)
 #O DHParameters
 # Random data source (required for systems without /dev/urandom under OpenSSL)
 #O RandFile
 # fingerprint algorithm (digest) to use for the presented cert
 #O CertFingerprintAlgorithm
 # enable DANE?
 #O DANE=false
 # Maximum number of "useless" commands before slowing down
 #O MaxNOOPCommands=20
@ -1266,6 +1276,7 @@ R$* $| $*	$@ $>"TLS_connection" $1
 ###		${verify}
 ######################################################################
 Stls_server
 R$*		$@ $>"TLS_connection" $1
 ######################################################################
@ -1277,6 +1288,7 @@ R$*		$@ $>"TLS_connection" $1
 ######################################################################
 STLS_connection
 RSOFTWARE	$#error $@ 4.7.0 $: "403 TLS handshake."
 RDANE_FAIL	$#error $@ 4.7.0 $: "403 DANE check failed."
--- a/cf/cf/generic-ultrix4.cf
+++ b/cf/cf/generic-ultrix4.cf
@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015
+##### built by ca@lab.smi.sendmail.com on Thu Jul 2 22:41:57 PDT 2020
-##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf
+##### in /var/tmp/ca/sm8.git/sendmail/OpenSource/sendmail-8.16.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@ -123,7 +123,7 @@ DnMAILER-DAEMON
 CPREDIRECT
 # Configuration version number
-DZ8.15.2
+DZ8.16.1
 ###############
@ -522,6 +522,12 @@ O MaxHeadersLength=32768
 #O ServerSSLOptions
 # client side SSL options
 #O ClientSSLOptions
 # SSL Engine
 #O SSLEngine
 # Path to dynamic library for SSLEngine
 #O SSLEnginePath
 # TLS: fall back to clear text after handshake failure?
 #O TLSFallbacktoClear
 # Input mail filters
 #O InputMailFilters
@ -541,12 +547,16 @@ O MaxHeadersLength=32768
 #O ClientKeyFile
 # File containing certificate revocation lists 
 #O CRLFile
 # Directory containing hashes pointing to certificate revocation status files
 #O CRLPath
 # DHParameters (only required if DSA/DH is used)
 #O DHParameters
 # Random data source (required for systems without /dev/urandom under OpenSSL)
 #O RandFile
 # fingerprint algorithm (digest) to use for the presented cert
 #O CertFingerprintAlgorithm
 # enable DANE?
 #O DANE=false
 # Maximum number of "useless" commands before slowing down
 #O MaxNOOPCommands=20
@ -1266,6 +1276,7 @@ R$* $| $*	$@ $>"TLS_connection" $1
 ###		${verify}
 ######################################################################
 Stls_server
 R$*		$@ $>"TLS_connection" $1
 ######################################################################
@ -1277,6 +1288,7 @@ R$*		$@ $>"TLS_connection" $1
 ######################################################################
 STLS_connection
 RSOFTWARE	$#error $@ 4.7.0 $: "403 TLS handshake."
 RDANE_FAIL	$#error $@ 4.7.0 $: "403 DANE check failed."
--- a/cf/cf/knecht.mc
+++ b/cf/cf/knecht.mc
@ -46,7 +46,7 @@ define(`CYRUS_MAILER_PATH', `/usr/local/cyrus/bin/deliver')
 define(`CYRUS_MAILER_FLAGS', `fAh5@/:|')
 FEATURE(`access_db')
-FEATURE(`blacklist_recipients')
+FEATURE(`blocklist_recipients')
 FEATURE(`local_lmtp')
 FEATURE(`virtusertable')
 FEATURE(`mailertable')
@ -234,7 +234,7 @@ Kstorage macro
 LOCAL_RULESETS
 ######################################################################
-### check for the existance of the X-MailScanner Header
+### check for the existence of the X-MailScanner Header
 HX-MailScanner:		$>+CheckXMSc
 D{SobigFPat}Found to be clean
 D{SobigFMsg}This message may contain the Sobig.F virus.
--- a/cf/cf/submit.cf
+++ b/cf/cf/submit.cf
@ -16,8 +16,8 @@
 #####
 #####		SENDMAIL CONFIGURATION FILE
 #####
-##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015
+##### built by ca@lab.smi.sendmail.com on Thu Jul 2 22:41:57 PDT 2020
-##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf
+##### in /var/tmp/ca/sm8.git/sendmail/OpenSource/sendmail-8.16.1/cf/cf
 ##### using ../ as configuration include directory
 #####
 ######################################################################
@ -114,7 +114,7 @@ D{MTAHost}[127.0.0.1]
 # Configuration version number
-DZ8.15.2/Submit
+DZ8.16.1/Submit
 ###############
@ -513,6 +513,12 @@ O PidFile=/var/spool/clientmqueue/sm-client.pid
 #O ServerSSLOptions
 # client side SSL options
 #O ClientSSLOptions
 # SSL Engine
 #O SSLEngine
 # Path to dynamic library for SSLEngine
 #O SSLEnginePath
 # TLS: fall back to clear text after handshake failure?
 #O TLSFallbacktoClear
 # Input mail filters
 #O InputMailFilters
@ -532,12 +538,16 @@ O PidFile=/var/spool/clientmqueue/sm-client.pid
 #O ClientKeyFile
 # File containing certificate revocation lists 
 #O CRLFile
 # Directory containing hashes pointing to certificate revocation status files
 #O CRLPath
 # DHParameters (only required if DSA/DH is used)
 #O DHParameters
 # Random data source (required for systems without /dev/urandom under OpenSSL)
 #O RandFile
 # fingerprint algorithm (digest) to use for the presented cert
 #O CertFingerprintAlgorithm
 # enable DANE?
 #O DANE=false
 # Maximum number of "useless" commands before slowing down
 #O MaxNOOPCommands=20
@ -1257,6 +1267,7 @@ R$* $| $*	$@ $>"TLS_connection" $1
 ###		${verify}
 ######################################################################
 Stls_server
 R$*		$@ $>"TLS_connection" $1
 ######################################################################
@ -1268,6 +1279,7 @@ R$*		$@ $>"TLS_connection" $1
 ######################################################################
 STLS_connection
 RSOFTWARE	$#error $@ 4.7.0 $: "403 TLS handshake."
 RDANE_FAIL	$#error $@ 4.7.0 $: "403 DANE check failed."
--- a/cf/feature/bcc.m4
+++ b/cf/feature/bcc.m4
@ -76,7 +76,7 @@ R$* $| $*		$: ifelse(len(X`'_ARG3_),`1', `$1', `_ARG3_')
 ifdef(`_CANONIFY_BCC_', `dnl
 R$+ @ $+		$: $1@$2 $| <$(canonicalRcpt $1 @ $2 $: $)>
 R$* $| <>		$@
-R$* $| <$* <TMPF>>	$#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."
+R$* $| <$* <TMPF>>	$#error $@ 4.3.0 $: _TMPFMSG_(`BCC')
 R$* $| <$+>		$@ $2			map matched?
 ')
--- a/cf/feature/blacklist_recipients.m4
+++ b/cf/feature/blacklist_recipients.m4
@ -13,7 +13,6 @@ divert(0)
 VERSIONID(`$Id: blacklist_recipients.m4,v 8.14 2013-11-22 20:51:11 ca Exp $')
 divert(-1)
-ifdef(`_ACCESS_TABLE_',
+errprint(`WARNING: FEATURE(blacklist_recipients) is deprecated; use FEATURE(blocklist_recipients.m4).
-	`define(`_BLACKLIST_RCPT_', 1)',
+')
-	`errprint(`*** ERROR: FEATURE(blacklist_recipients) requires FEATURE(access_db)
+FEATURE(`blocklist_recipients')
 ')')
--- a/cf/feature/blocklist_recipients.m4
+++ b/cf/feature/blocklist_recipients.m4
@ -0,0 +1,19 @@
 divert(-1)
 #
 # Copyright (c) 1998, 1999 Proofpoint, Inc. and its suppliers.
 #	All rights reserved.
 #
 # By using this file, you agree to the terms and conditions set
 # forth in the LICENSE file which can be found at the top level of
 # the sendmail distribution.
 #
 #
 divert(0)
 VERSIONID(`$Id: blocklist_recipients.m4,v 8.14 2013-11-22 20:51:11 ca Exp $')
 divert(-1)
 ifdef(`_ACCESS_TABLE_',
 	`define(`_BLOCKLIST_RCPT_', 1)',
 	`errprint(`*** ERROR: FEATURE(blocklist_recipients) requires FEATURE(access_db)
 ')')
--- a/cf/feature/check_cert_altnames.m4
+++ b/cf/feature/check_cert_altnames.m4
@ -0,0 +1,17 @@
 divert(-1)
 #
 # Copyright (c) 2019 Proofpoint, Inc. and its suppliers.
 #	All rights reserved.
 #
 # By using this file, you agree to the terms and conditions set
 # forth in the LICENSE file which can be found at the top level of
 # the sendmail distribution.
 #
 #
 divert(0)dnl
 VERSIONID(`$Id: block_bad_helo.m4,v 1.2 2013-11-22 20:51:11 ca Exp $')
 divert(-1)
 define(`_FFR_TLS_ALTNAMES', `1')
 divert(6)dnl
 O SetCertAltnames=true
--- a/cf/feature/dnsbl.m4
+++ b/cf/feature/dnsbl.m4
@ -17,7 +17,7 @@ define(`_DNSBL_R_',`')
 ifelse(defn(`_ARG_'), `', 
 	`errprint(`*** ERROR: missing argument for FEATURE(`dnsbl')')')
 LOCAL_CONFIG
-# map for DNS based blacklist lookups
+# map for DNS based blocklist lookups
 Kdnsbl DNSBL_MAP -T<TMP>ifdef(`DNSBL_MAP_OPT',` DNSBL_MAP_OPT')')
 divert(-1)
 define(`_DNSBL_SRV_', `_ARG_')dnl
--- a/cf/feature/enhdnsbl.m4
+++ b/cf/feature/enhdnsbl.m4
@ -16,7 +16,7 @@ ifdef(`_EDNSBL_R_',`dnl',`dnl
 VERSIONID(`$Id: enhdnsbl.m4,v 1.13 2013-11-22 20:51:11 ca Exp $')
 LOCAL_CONFIG
 define(`_EDNSBL_R_',`')dnl
-# map for enhanced DNS based blacklist lookups
+# map for enhanced DNS based blocklist lookups
 Kednsbl dns -R A -a. -T<TMP> -r`'ifdef(`EDNSBL_TO',`EDNSBL_TO',`5')
 ')
 divert(-1)
--- a/cf/feature/tls_failures.m4
+++ b/cf/feature/tls_failures.m4
@ -0,0 +1,13 @@
 divert(-1)
 #
 # Copyright (c) 2020 Proofpoint, Inc. and its suppliers.
 #	All rights reserved.
 #
 # By using this file, you agree to the terms and conditions set
 # forth in the LICENSE file which can be found at the top level of
 # the sendmail distribution.
 #
 errprint(`*** ERROR: FEATURE(tls_failures) has been replaced by confTLS_FALLBACK_TO_CLEAR
 ')
 define(`confTLS_FALLBACK_TO_CLEAR', `true')
--- a/cf/m4/cfhead.m4
+++ b/cf/m4/cfhead.m4
@ -72,6 +72,15 @@ define(`_ARG9_',`_ACC_ARG_9_(_ARGS_)')
 dnl define if not yet defined: if `$1' is not defined it will be `$2'
 define(`_DEFIFNOT',`ifdef(`$1',`',`define(`$1',`$2')')')
 dnl ----------------------------------------
 dnl Use a "token" for this error message to make them unique?
 dnl Note: this is not a documented option. To enable it, use:
 dnl define(`_USETMPFTOKEN_', `1')dnl
 ifdef(`_USETMPFTOKEN_', `
 define(_TMPFMSG_, `"451 Temporary system failure $1. Please try again later."')
 ', `dnl
 define(_TMPFMSG_, `"451 Temporary system failure. Please try again later."')
 ')
 dnl ----------------------------------------
 dnl add a char $2 to a string $1 if it is not there
 define(`_ADDCHAR_',`define(`_I_',`eval(index(`$1',`$2') >= 0)')`'ifelse(_I_,`1',`$1',`$1$2')')
 dnl ----
--- a/cf/m4/proto.m4
+++ b/cf/m4/proto.m4
@ -161,7 +161,7 @@ ifdef(`_ACCESS_TABLE_', `dnl
 # access_db acceptance class
 C{Accept}OK RELAY
 ifdef(`_DELAY_COMPAT_8_10_',`dnl
-ifdef(`_BLACKLIST_RCPT_',`dnl
+ifdef(`_BLOCKLIST_RCPT_',`dnl
 # possible access_db RHS for spam friends/haters
 C{SpamTag}SPAMFRIEND SPAMHATER')')',
 `dnl')
@ -197,7 +197,9 @@ ifdef(`_MACRO_MAP_', `', `# macro storage map
 define(`_MACRO_MAP_', `1')dnl
 Kmacro macro')
 # possible values for TLS_connection in access map
-C{Tls}VERIFY ENCR', `dnl')
+C{Tls}VERIFY ENCR
 C{TlsVerified}OK TRUSTED
 dnl', `dnl')
 ifdef(`_CERT_REGEX_ISSUER_', `dnl
 # extract relevant part from cert issuer
 KCERTIssuer regex _CERT_REGEX_ISSUER_', `dnl')
@ -653,6 +655,12 @@ _OPTION(CipherList, `confCIPHER_LIST', `')
 _OPTION(ServerSSLOptions, `confSERVER_SSL_OPTIONS', `')
 # client side SSL options
 _OPTION(ClientSSLOptions, `confCLIENT_SSL_OPTIONS', `')
 # SSL Engine
 _OPTION(SSLEngine, `confSSL_ENGINE', `')
 # Path to dynamic library for SSLEngine
 _OPTION(SSLEnginePath, `confSSL_ENGINE_PATH', `')
 # TLS: fall back to clear text after handshake failure?
 _OPTION(TLSFallbacktoClear, `confTLS_FALLBACK_TO_CLEAR', `')
 # Input mail filters
 _OPTION(InputMailFilters, `confINPUT_MAIL_FILTERS', `')
@ -682,12 +690,16 @@ _OPTION(ClientCertFile, `confCLIENT_CERT', `')
 _OPTION(ClientKeyFile, `confCLIENT_KEY', `')
 # File containing certificate revocation lists 
 _OPTION(CRLFile, `confCRL', `')
 # Directory containing hashes pointing to certificate revocation status files
 _OPTION(CRLPath, `confCRL_PATH', `')
 # DHParameters (only required if DSA/DH is used)
 _OPTION(DHParameters, `confDH_PARAMETERS', `')
 # Random data source (required for systems without /dev/urandom under OpenSSL)
 _OPTION(RandFile, `confRAND_FILE', `')
 # fingerprint algorithm (digest) to use for the presented cert
 _OPTION(CertFingerprintAlgorithm, `confCERT_FINGERPRINT_ALGORITHM', `')
 # enable DANE?
 _OPTION(DANE, `confDANE', `false')
 # Maximum number of "useless" commands before slowing down
 _OPTION(MaxNOOPCommands, `confMAX_NOOP_COMMANDS', `20')
@ -1500,7 +1512,7 @@ R<$* <TMPF>> <$*> <$+> <$+> <$*>	$: $&{opMode} $| TMPF <$&{addr_type}> $| $3
 R<$*> <$* <TMPF>> <$+> <$+> <$*>	$: $&{opMode} $| TMPF <$&{addr_type}> $| $3
 ifelse(_LDAP_ROUTE_MAPTEMP_, `_TEMPFAIL_', `dnl
 # ... temp fail RCPT SMTP commands
-R$={SMTPOpModes} $| TMPF <e r> $| $+	$#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."')
+R$={SMTPOpModes} $| TMPF <e r> $| $+	$#error $@ 4.3.0 $: _TMPFMSG_(`OPM')')
 # ... return original address for MTA to queue up
 R$* $| TMPF <$*> $| $+			$@ $3
@ -1733,7 +1745,7 @@ dnl if mark is <NO> then change it to <RELAY> if domain is "authorized"
 dnl what if access map returns something else than RELAY?
 dnl we are only interested in RELAY entries...
-dnl other To: entries: blacklist recipient; generic entries?
+dnl other To: entries: blocklist recipient; generic entries?
 dnl if it is an error we probably do not want to relay anyway
 ifdef(`_RELAY_HOSTS_ONLY_',
 `R<NO> $* < @ $=R >		$: <RELAY> $1 < @ $2 >
@ -1807,7 +1819,7 @@ R<QUARANTINE:$+> <$*>	$#error $@ quarantine $: $1
 dnl error tag
 R<ERROR:$-.$-.$-:$+> <$*>	$#error $@ $1.$2.$3 $: $4
 R<ERROR:$+> <$*>		$#error $: $1
-ifdef(`_ATMPF_', `R<$* _ATMPF_> <$*>		$#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl')
+ifdef(`_ATMPF_', `R<$* _ATMPF_> <$*>		$#error $@ 4.3.0 $: _TMPFMSG_(`CR')', `dnl')
 dnl generic error from access map
 R<$+> <$*>		$#error $: $1', `dnl')
@ -1976,7 +1988,7 @@ R<REJECT> $*		$#error ifdef(`confREJECT_MSG', `$: confREJECT_MSG', `$@ 5.7.1 $:
 dnl error tag
 R<ERROR:$-.$-.$-:$+> $*		$#error $@ $1.$2.$3 $: $4
 R<ERROR:$+> $*		$#error $: $1
-ifdef(`_ATMPF_', `R<_ATMPF_> $*		$#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl')
+ifdef(`_ATMPF_', `R<_ATMPF_> $*		$#error $@ 4.3.0 $: _TMPFMSG_(`CM')', `dnl')
 dnl generic error from access map
 R<$+> $*		$#error $: $1		error from access db',
 `dnl')
@ -2108,9 +2120,9 @@ R$* $=O $* < @ $* @@ $=w . > $*	$@ $>"Rcpt_ok" $1 $2 $3
 R$* < @ $* @@ $=w . > $*	$: $1 < @ $3 > $4
 R$* < @ $* @@ $* > $*		$: $1 < @ $2 > $4')
-ifdef(`_BLACKLIST_RCPT_',`dnl
+ifdef(`_BLOCKLIST_RCPT_',`dnl
 ifdef(`_ACCESS_TABLE_', `dnl
-# blacklist local users or any host from receiving mail
+# blocklist local users or any host from receiving mail
 R$*			$: <?> $1
 dnl user is now tagged with @ to be consistent with check_mail
 dnl and to distinguish users from hosts (com would be host, com@ would be user)
@ -2143,7 +2155,7 @@ R<QUARANTINE:$+> $*	$#error $@ quarantine $: $1
 dnl error tag
 R<ERROR:$-.$-.$-:$+> $*		$#error $@ $1.$2.$3 $: $4
 R<ERROR:$+> $*		$#error $: $1
-ifdef(`_ATMPF_', `R<_ATMPF_> $*		$#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl')
+ifdef(`_ATMPF_', `R<_ATMPF_> $*		$#error $@ 4.3.0 $: _TMPFMSG_(`ROK1')', `dnl')
 dnl generic error from access map
 R<$+> $*		$#error $: $1		error from access db
 R@ $*			$1		remove mark', `dnl')', `dnl')
@ -2198,7 +2210,7 @@ R$+ < @ $+ > $| $*	$: <$3> <$1 <@ $2>>',
 ifdef(`_ACCESS_TABLE_', `dnl
 dnl workspace: <Result-of-lookup | ?> <localpart<@domain>>
 R<RELAY> $*		$@ RELAY
-ifdef(`_ATMPF_', `R<$* _ATMPF_> $*		$#TEMP $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl')
+ifdef(`_ATMPF_', `R<$* _ATMPF_> $*		$#TEMP $@ 4.3.0 $: _TMPFMSG_(`ROK2')', `dnl')
 R<$*> <$*>		$: $2',`dnl')
@ -2268,7 +2280,7 @@ dnl Connect:My.Host.Domain	RELAY
 dnl Connect:My.Net		REJECT
 dnl since in check_relay client_name is checked before client_addr
 R<REJECT> $* 		$@ REJECT		rejected IP address')
-ifdef(`_ATMPF_', `R<_ATMPF_> $*		$#TEMP $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl')
+ifdef(`_ATMPF_', `R<_ATMPF_> $*		$#TEMP $@ 4.3.0 $: _TMPFMSG_(`YOK1')', `dnl')
 R<$*> <$*>		$: $2', `dnl')
 R$*			$: [ $1 ]		put brackets around it...
 R$=w			$@ RELAY		... and see if it is local
@ -2287,7 +2299,7 @@ R<?> $+ < @ $=w >	$@ RELAY		FROM local', `dnl')
 ifdef(`_RELAY_DB_FROM_', `dnl
 R<?> $+ < @ $+ >	$: <@> $>SearchList <! From> $| <F:$1@$2> ifdef(`_RELAY_DB_FROM_DOMAIN_', ifdef(`_RELAY_HOSTS_ONLY_', `<E:$2>', `<D:$2>')) <>
 R<@> <RELAY>		$@ RELAY		RELAY FROM sender ok
-ifdef(`_ATMPF_', `R<@> <_ATMPF_>		$#TEMP $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl')
+ifdef(`_ATMPF_', `R<@> <_ATMPF_>		$#TEMP $@ 4.3.0 $: _TMPFMSG_(`YOK2')', `dnl')
 ', `dnl
 ifdef(`_RELAY_DB_FROM_DOMAIN_',
 `errprint(`*** ERROR: _RELAY_DB_FROM_DOMAIN_ requires _RELAY_DB_FROM_
@ -2331,7 +2343,7 @@ ifdef(`_ACCESS_TABLE_', `dnl
 R<?> $*			$: $>D <$1> <?> <+ Connect> <$1>',`dnl')')
 ifdef(`_ACCESS_TABLE_', `dnl
 R<RELAY> $*		$@ RELAY
-ifdef(`_ATMPF_', `R<$* _ATMPF_> $*		$#TEMP $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl')
+ifdef(`_ATMPF_', `R<$* _ATMPF_> $*		$#TEMP $@ 4.3.0 $: _TMPFMSG_(`YOK3')', `dnl')
 R<$*> <$*>		$: $2',`dnl')
 dnl end of _PROMISCUOUS_RELAY_
 divert(0)
@ -2384,7 +2396,7 @@ ifdef(`_ACCESS_TABLE_', `',
 `errprint(`*** ERROR: FEATURE(`delay_checks', `argument') requires FEATURE(`access_db')
 ')')dnl
 dnl one of the next two rules is supposed to match
-dnl this code has been copied from BLACKLIST... etc
+dnl this code has been copied from BLOCKLIST... etc
 dnl and simplified by omitting some < >.
 R<?> $+ < @ $=w >	$: <> $1 < @ $2 > $| <F: $1@$2 > <D: $2 > <U: $1@>
 R<?> $+ < @ $* >	$: <> $1 < @ $2 > $| <F: $1@$2 > <D: $2 >
@ -2688,7 +2700,7 @@ R<?>$*		$: $>A <$&{server_addr}> <?> <! TLS_TRY_TAG> <>
 R<?>$*		$: <$(access TLS_TRY_TAG`'_TAG_DELIM_ $: ? $)>
 R<?>$*		$@ OK
 ifdef(`_ATMPF_', `dnl tempfail?
-R<$* _ATMPF_>$*	$#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl')
+R<$* _ATMPF_>$*	$#error $@ 4.3.0 $: _TMPFMSG_(`TT')', `dnl')
 R<NO>$*		$#error $@ 5.7.1 $: "550 do not try TLS with " $&{server_name} " ["$&{server_addr}"]"')
 ######################################################################
@ -2721,7 +2733,7 @@ R$* $| $+	$: $1 $| $>SearchList <! TLS_RCPT_TAG> $| $2 <>
 dnl found nothing: stop here
 R$* $| <?>	$@ OK
 ifdef(`_ATMPF_', `dnl tempfail?
-R$* $| <$* _ATMPF_>	$#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl')
+R$* $| <$* _ATMPF_>	$#error $@ 4.3.0 $: _TMPFMSG_(`TR')', `dnl')
 dnl use the generic routine (for now)
 R$* $| <$+>	$@ $>"TLS_connection" $&{verify} $| <$2>')
@ -2751,7 +2763,7 @@ R$* $| <?>$*	$: $1 $| $>A <$&{client_addr}> <?> <! TLS_CLT_TAG> <>
 dnl do a default lookup: just TLS_CLT_TAG
 R$* $| <?>$*	$: $1 $| <$(access TLS_CLT_TAG`'_TAG_DELIM_ $: ? $)>
 ifdef(`_ATMPF_', `dnl tempfail?
-R$* $| <$* _ATMPF_>	$#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl')
+R$* $| <$* _ATMPF_>	$#error $@ 4.3.0 $: _TMPFMSG_(`TC')', `dnl')
 R$*		$@ $>"TLS_connection" $1', `dnl
 R$* $| $*	$@ $>"TLS_connection" $1')
@ -2769,6 +2781,8 @@ ifdef(`_LOCAL_TLS_SERVER_', `dnl
 R$*			$: $1 $| $>"Local_tls_server" $1
 R$* $| $#$*		$#$2
 R$* $| $*		$: $1', `dnl')
 ifdef(`_TLS_FAILURES_',`dnl
 R$*		$: $(macro {saved_verify} $@ $1 $) $1')
 ifdef(`_ACCESS_TABLE_', `dnl
 dnl store name of other side
 R$*		$: $(macro {TLS_Name} $@ $&{server_name} $) $1
@ -2777,7 +2791,7 @@ R$* $| <?>$*	$: $1 $| $>A <$&{server_addr}> <?> <! TLS_SRV_TAG> <>
 dnl do a default lookup: just TLS_SRV_TAG
 R$* $| <?>$*	$: $1 $| <$(access TLS_SRV_TAG`'_TAG_DELIM_ $: ? $)>
 ifdef(`_ATMPF_', `dnl tempfail?
-R$* $| <$* _ATMPF_>	$#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl')
+R$* $| <$* _ATMPF_>	$#error $@ 4.3.0 $: _TMPFMSG_(`TS')', `dnl')
 R$*		$@ $>"TLS_connection" $1', `dnl
 R$*		$@ $>"TLS_connection" $1')
@ -2798,6 +2812,7 @@ STLS_connection
 ifdef(`_ACCESS_TABLE_', `dnl', `dnl use default error
 dnl deal with TLS handshake failures: abort
 RSOFTWARE	$#error $@ ifdef(`TLS_PERM_ERR', `5.7.0', `4.7.0') $: "ifdef(`TLS_PERM_ERR', `503', `403') TLS handshake."
 RDANE_FAIL	$#error $@ ifdef(`TLS_PERM_ERR', `5.7.0', `4.7.0') $: "ifdef(`TLS_PERM_ERR', `503', `403') DANE check failed."
 divert(-1)')
 dnl common ruleset for tls_{client|server}
 dnl input: ${verify} $| <ResultOfLookup> [<>]
@ -2813,14 +2828,19 @@ R$* $| <$={Tls} $*>		$: $1 $| <ifdef(`TLS_PERM_ERR', `503:5.7.0', `403:4.7.0')>
 dnl workspace: ${verify} $| [<SMTP:ESC>] <ResultOfLookup>
 # deal with TLS handshake failures: abort
 RSOFTWARE $| <$-:$+> $* 	$#error $@ $2 $: $1 " TLS handshake failed."
-dnl no <reply:dns> i.e. not requirements in the access map
+dnl no <reply:dns> i.e. no requirements in the access map
 dnl use default error
 RSOFTWARE $| $* 		$#error $@ ifdef(`TLS_PERM_ERR', `5.7.0', `4.7.0') $: "ifdef(`TLS_PERM_ERR', `503', `403') TLS handshake failed."
 # deal with TLS protocol errors: abort
 RPROTOCOL $| <$-:$+> $* 	$#error $@ $2 $: $1 " STARTTLS failed."
-dnl no <reply:dns> i.e. not requirements in the access map
+dnl no <reply:dns> i.e. no requirements in the access map
 dnl use default error
 RPROTOCOL $| $* 		$#error $@ ifdef(`TLS_PERM_ERR', `5.7.0', `4.7.0') $: "ifdef(`TLS_PERM_ERR', `503', `403') STARTTLS failed."
 # deal with DANE errors: abort
 RDANE_FAIL $| <$-:$+> $* 	$#error $@ $2 $: $1 " DANE check failed."
 dnl no <reply:dns> i.e. no requirements in the access map
 dnl use default error
 RDANE_FAIL $| $* 		$#error $@ ifdef(`TLS_PERM_ERR', `5.7.0', `4.7.0') $: "ifdef(`TLS_PERM_ERR', `503', `403') DANE check failed."
 R$* $| <$*> <VERIFY>		$: <$2> <VERIFY> <> $1
 dnl separate optional requirements
 R$* $| <$*> <VERIFY + $+>	$: <$2> <VERIFY> <$3> $1
@ -2834,16 +2854,16 @@ R$* $| $*			$@ OK
 # other side did authenticate (via STARTTLS)
 dnl workspace: <SMTP:ESC> <{VERIFY,ENCR}[:BITS]> <[extensions]> ${verify}
 dnl only verification required and it succeeded
-R<$*><VERIFY> <> OK		$@ OK
+R<$*><VERIFY> <> $={TlsVerified}	$@ OK
 dnl verification required and it succeeded but extensions are given
 dnl change it to <SMTP:ESC> <REQ:0>  <extensions>
-R<$*><VERIFY> <$+> OK		$: <$1> <REQ:0> <$2>
+R<$*><VERIFY> <$+> $={TlsVerified}	$: <$1> <REQ:0> <$2>
 dnl verification required + some level of encryption
-R<$*><VERIFY:$-> <$*> OK	$: <$1> <REQ:$2> <$3>
+R<$*><VERIFY:$-> <$*> $={TlsVerified}	$: <$1> <REQ:$2> <$3>
 dnl just some level of encryption required
 R<$*><ENCR:$-> <$*> $*		$: <$1> <REQ:$2> <$3>
 dnl workspace:
-dnl 1. <SMTP:ESC> <VERIFY [:bits]>  <[extensions]> {verify} (!= OK)
+dnl 1. <SMTP:ESC> <VERIFY [:bits]>  <[extensions]> {verify} (!~ $={TlsVerified})
 dnl 2. <SMTP:ESC> <REQ:bits>  <[extensions]>
 dnl verification required but ${verify} is not set (case 1.)
 R<$-:$+><VERIFY $*> <$*>	$#error $@ $2 $: $1 " authentication required"
@ -2851,6 +2871,7 @@ R<$-:$+><VERIFY $*> <$*> FAIL	$#error $@ $2 $: $1 " authentication failed"
 R<$-:$+><VERIFY $*> <$*> NO	$#error $@ $2 $: $1 " not authenticated"
 R<$-:$+><VERIFY $*> <$*> NOT	$#error $@ $2 $: $1 " no authentication requested"
 R<$-:$+><VERIFY $*> <$*> NONE	$#error $@ $2 $: $1 " other side does not support STARTTLS"
 R<$-:$+><VERIFY $*> <$*> CLEAR	$#error $@ $2 $: $1 " STARTTLS disabled locally"
 dnl some other value for ${verify}
 R<$-:$+><VERIFY $*> <$*> $+	$#error $@ $2 $: $1 " authentication failure " $4
 dnl some level of encryption required: get the maximum level (case 2.)
@ -2884,7 +2905,6 @@ R<$-:$+> $+			$@ $>"TLS_req" $3 $| <$1:$2>
 dnl  further requirements for this ruleset:
 dnl	name of "other side" is stored is {TLS_name} (client/server_name)
 dnl
 dnl	currently only CN[:common_name] is implemented
 dnl	right now this is only a logical AND
 dnl	i.e. all requirements must be true
 dnl	how about an OR? CN must be X or CN must be Y or ..
@ -2896,6 +2916,11 @@ dnl no additional requirements: ok
 R $| $+		$@ OK
 dnl require CN: but no CN specified: use name of other side
 R<CN> $* $| <$+>		$: <CN:$&{TLS_Name}> $1 $| <$2>
 ifdef(`_FFR_TLS_ALTNAMES', `dnl
 R<CN:$={cert_altnames}> $* $| <$+>	$@ $>"TLS_req" $2 $| <$3>
 R<CN:$-.$+> $* $| <$+>			$: <CN:*.$2> $3 $| <$4>
 R<CN:$={cert_altnames}> $* $| <$+>	$@ $>"TLS_req" $3 $| <$3>
 R<CN:$*> $* $| <$+>			$: <CN:$&{TLS_Name}> $2 $| <$3>', `dnl')
 dnl match, check rest
 R<CN:$&{cn_subject}> $* $| <$+>		$@ $>"TLS_req" $1 $| <$2>
 dnl CN does not match
@ -2911,6 +2936,10 @@ R<CI:$&{cert_issuer}> $* $| <$+>	$@ $>"TLS_req" $1 $| <$2>
 dnl CI does not match
 dnl  1   2      3  4
 R<CI:$+> $* $| <$-:$+>	$#error $@ $4 $: $3 " Cert Issuer " $&{cert_issuer} " does not match " $1
 dnl
 R<CITag:$-> $* $| <$+>	$: <$(access $1:$&{cert_issuer} $: ? $)> $2 $| <$3>
 R<?> $* $| <$-:$+>	$#error $@ $3 $: $2 " Cert Issuer " $&{cert_issuer} " not acceptable"
 R<OK> $* $| <$+>	$@ $>"TLS_req" $1 $| <$2>
 dnl return from recursive call
 ROK			$@ OK
@ -2970,7 +2999,7 @@ dnl if it returns SUBJECT we perform a similar check on the
 dnl cert subject.
 ifdef(`_ACCESS_TABLE_', `dnl
 R$*			$: <?> $&{verify}
-R<?> OK			$: OK		authenticated: continue
+R<?> $={TlsVerified}	$: OK		authenticated: continue
 R<?> $*			$@ NO		not authenticated
 ifdef(`_CERT_REGEX_ISSUER_', `dnl
 R$*			$: $(CERTIssuer $&{cert_issuer} $)',
@ -3029,7 +3058,7 @@ R$+		$: $>SearchList <! ClientRate> $| $1 <>
 dnl found nothing: stop here
 R<?>		$@ OK
 ifdef(`_ATMPF_', `dnl tempfail?
-R<$* _ATMPF_>	$#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl')
+R<$* _ATMPF_>	$#error $@ 4.3.0 $: _TMPFMSG_(`RC')', `dnl')
 dnl use the generic routine (for now)
 R<0>		$@ OK		no limit
 R<$+>		$: <$1> $| $(arith l $@ $1 $@ $&{client_rate} $)
@ -3051,7 +3080,7 @@ R$+		$: $>SearchList <! ClientConn> $| $1 <>
 dnl found nothing: stop here
 R<?>		$@ OK
 ifdef(`_ATMPF_', `dnl tempfail?
-R<$* _ATMPF_>	$#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl')
+R<$* _ATMPF_>	$#error $@ 4.3.0 $: _TMPFMSG_(`CC')', `dnl')
 dnl use the generic routine (for now)
 R<0>		$@ OK		no limit
 R<$+>		$: <$1> $| $(arith l $@ $1 $@ $&{client_connections} $)
--- a/cf/m4/version.m4
+++ b/cf/m4/version.m4
@ -1,6 +1,6 @@
 divert(-1)
 #
-# Copyright (c) 1998-2015 Proofpoint, Inc. and its suppliers.
+# Copyright (c) 1998-2016 Proofpoint, Inc. and its suppliers.
 #	All rights reserved.
 # Copyright (c) 1983 Eric P. Allman.  All rights reserved.
 # Copyright (c) 1988, 1993
@ -15,4 +15,4 @@ VERSIONID(`$Id: version.m4,v 8.237 2014-01-27 12:55:17 ca Exp $')
 #
 divert(0)
 # Configuration version number
-DZ8.15.2`'ifdef(`confCF_VERSION', `/confCF_VERSION')
+DZ8.16.1`'ifdef(`confCF_VERSION', `/confCF_VERSION')
--- a/cf/ostype/hpux10.m4
+++ b/cf/ostype/hpux10.m4
@ -23,5 +23,5 @@ ifdef(`LOCAL_SHELL_PATH',, `define(`LOCAL_SHELL_PATH', /usr/bin/sh)')dnl
 ifdef(`UUCP_MAILER_ARGS',, `define(`UUCP_MAILER_ARGS', `uux - -r -a$g -gC $h!rmail ($u)')')dnl
 define(`confTIME_ZONE', `USE_TZ')dnl
 dnl
-dnl	For maximum compability with HP-UX, use:
+dnl	For maximum compatibility with HP-UX, use:
 dnl	define(`confME_TOO', True)dnl
--- a/cf/ostype/hpux9.m4
+++ b/cf/ostype/hpux9.m4
@ -23,5 +23,5 @@ ifdef(`UUCP_MAILER_ARGS',, `define(`UUCP_MAILER_ARGS', `uux - -r -a$g -gC $h!rma
 define(`confTIME_ZONE', `USE_TZ')dnl
 define(`confEBINDIR', `/usr/lib')dnl
 dnl
-dnl	For maximum compability with HP-UX, use:
+dnl	For maximum compatibility with HP-UX, use:
 dnl	define(`confME_TOO', True)dnl
--- a/contrib/cidrexpand
+++ b/contrib/cidrexpand
@ -1,13 +1,14 @@
 #!/usr/bin/perl -w
-
+#
-# $Id: cidrexpand,v 8.8 2006-08-07 17:18:37 ca Exp $
+# usage:
 #  cidrexpand < /etc/mail/access | makemap -r hash /etc/mail/access
 #
 # v 0.4
 #
 # 17 July 2000 Derek J. Balling (dredd@megacity.org)
-# 
+#
 # Acts as a preparser on /etc/mail/access_db to allow you to use address/bit
-# notation. 
+# notation.
 #
 # If you have two overlapping CIDR blocks with conflicting actions
 # e.g.   10.2.3.128/25 REJECT and 10.2.3.143 ACCEPT
@ -25,114 +26,156 @@
 #     Added code to deal with the prefix tags that may now be included in
 #     the access_db
 #
-#     Added clarification in the notes for what to do if you have 
+#     Added clarification in the notes for what to do if you have
 #     exceptions to a larger CIDR block.
 #
-#  26 Jul 2006 Richard Rognlie (richard@sendmail.com>
+#  26 Jul 2006 Richard Rognlie (richard@sendmail.com)
 #     Added code to strip "comments" (anything after a non-escaped #)
 #     # characters after a \ or within quotes (single and double) are
-#     left intact. 
+#     left intact.
 #
 #     e.g.
 #	From:1.2.3.4	550 Die spammer # spammed us 2006.07.26
 #     becomes
-#	From:1.2.3.4	550 Die spammer 
+#	From:1.2.3.4	550 Die spammer
 #
 #  3 August 2006
 #
 #     Corrected a bug to have it handle the special case of "0.0.0.0/0"
 #     since Net::CIDR doesn't handle it properly.
 #
-# usage: 
+#  27 April 2016
-#  cidrexpand < /etc/mail/access | makemap -r hash /etc/mail/access
+#     Corrected IPv6 handling.  Note that UseCompressedIPv6Addresses must
 #     be turned off for this to work; there are three reasons for this:
 #       1) if the MTA uses compressed IPv6 addresses then CIDR 'cuts'
 #          in the compressed range *cannot* be matched, as the MTA simply
 #          won't look for them.  E.g., there's no way to accurately
 #          match "IPv6:fe80::/64" when for the address "IPv6:fe80::54ad"
 #          the MTA doesn't lookup up "IPv6:fe80:0:0:0"
 #       2) cidrexpand only generates uncompressed addresses, so CIDR
 #          'cuts' to the right of the compressed range won't be matched
 #          either.  Why doesn't it generate compressed address output?
 #          Oh, because:
 #       3) compressed addresses are ambiguous when colon-groups are
 #          chopped off!  You want an access map entry for
 #               IPv6:fe80::0:5420
 #          but not for
 #               IPv6:fe80::5420:1234
 #          ?  Sorry, the former is really
 #               IPv6:fe80::5420
 #          which will also match the latter!
 #
 #  25 July 2016
 #     Since cidrexpand already requires UseCompressedIPv6Addresses to be
 #     turned off, it can also canonicalize non-CIDR IPv6 addresses to the
 #     format that sendmail looks up, expanding compressed addresses and
 #     trimming superfluous leading zeros.
 #
 # Report bugs to: <dredd@megacity.org>
 #
 use strict;
-use Net::CIDR;
+use Net::CIDR qw(cidr2octets cidrvalidate);
 use Getopt::Std;
-our ($opt_c,$opt_t);
+sub print_expanded_v4network;
-getopts('ct:');
+sub print_expanded_v6network;
-my $spaceregex = '\s+';
+our %opts;
-if ($opt_t)
+getopts('ct:', \%opts);
-{
+
-    $spaceregex = $opt_t;
+# Delimiter between the key and value
-}
+my $space_re = exists $opts{t} ? $opts{t} : '\s+';
 # Regexp that matches IPv4 address literals
 my $ipv4_re = qr"(?:\d+\.){3}\d+";
 # Regexp that matches IPv6 address literals, plus a lot more.
 # Further checks are required for verifying that it's really one
 my $ipv6_re = qr"[0-9A-Fa-f:]{2,39}(?:\.\d+\.\d+\.\d+)?";
 while (<>)
 {
    chomp;
-    my ($prefix,$left,$right,$space);
+    my ($prefix, $network, $len, $right);
-    if ( (/\#/) && $opt_c )
+    if ( (/\#/) && $opts{c} )
    {
 	# print "checking...\n";
 	my $i;
 	my $qtype='';
-	for ($i=0 ; $i<length($_) ; $i++) 
+	for ($i=0 ; $i<length($_) ; $i++)
 	{
 	    my $ch = substr($_,$i,1);
-	    if ($ch eq '\\') 
+	    if ($ch eq '\\')
 	    {
 		$i++;
 		next;
 	    }
-	    elsif ($qtype eq '' && $ch eq '#') 
+	    elsif ($qtype eq '' && $ch eq '#')
 	    {
 		substr($_,$i) = '';
 		last;
 	    }
-	    elsif ($qtype ne '' && $ch eq $qtype) 
+	    elsif ($qtype ne '' && $ch eq $qtype)
 	    {
 		$qtype = '';
 	    }
-	    elsif ($qtype eq '' && $ch =~ /[\'\"]/) 
+	    elsif ($qtype eq '' && $ch =~ /[\'\"]/)
 	    {
 		$qtype = $ch;
 	    }
 	}
-    } 
+    }
-    
+
-    if (! /^(|\S\S*:)(\d+\.){3}\d+\/\d\d?$spaceregex.*/ )
+    if (($prefix, $network, $len, $right) =
 	    m!^(|\S+:)(${ipv4_re})/(\d+)(${space_re}.*)$!)
    {
-	print "$_\n";
+	print_expanded_v4network($network, $len, $prefix, $right);
    }
    elsif ((($prefix, $network, $len, $right) =
 	    m!^((?:\S+:)?[Ii][Pp][Vv]6:)(${ipv6_re})(?:/(\d+))?(${space_re}.*)$!) &&
 	    (!defined($len) || $len <= 128) &&
 	    defined(cidrvalidate($network)))
    {
 	print_expanded_v6network($network, $len // 128, $prefix, $right);
    }
    else
    {
-	($prefix,$left,$space,$right) = 
+	print "$_\n";
 	    /^(|\S\S*:)((?:\d+\.){3}\d+\/\d\d?)($spaceregex)(.*)$/;
 	my @new_lefts = expand_network($left);
 	foreach my $nl (@new_lefts)
 	{
 	    print "$prefix$nl$space$right\n";
 	}
    }
 }
 sub expand_network
 {
    my $left_input = shift;
    my @rc = ($left_input);
    my ($network,$mask) = split /\//, $left_input;
    if (defined $mask)
    {
 	return (0..255)	if $mask == 0;
-	my @parts = split /\./, $network;
+sub print_expanded_v4network
-	while ($#parts < 3)
+{
-	{
+    my ($network, $len, $prefix, $suffix) = @_;
-	    push @parts, "0";
+
-	}
+    # cidr2octets() doesn't handle a prefix-length of zero, so do
-	my $clean_input = join '.', @parts;
+    # that ourselves
-	$clean_input .= "/$mask";
+    foreach my $nl ($len == 0 ? (0..255) : cidr2octets("$network/$len"))
-	my @octets = Net::CIDR::cidr2octets($clean_input);
+    {
-	@rc = @octets;
+	print "$prefix$nl$suffix\n";
    }
 }
 sub print_expanded_v6network
 {
    my ($network, $len, $prefix, $suffix) = @_;
    # cidr2octets() doesn't handle a prefix-length of zero, so do
    # that ourselves.  Easiest is to just recurse on bottom and top
    # halves with a length of 1
    if ($len == 0) {
 	print_expanded_v6network("::", 1, $prefix, $suffix);
 	print_expanded_v6network("8000::", 1, $prefix, $suffix);
    }
    else
    {
 	foreach my $nl (cidr2octets("$network/$len"))
 	{
 	    # trim leading zeros from each group
 	    $nl =~ s/(^|:)0+(?=[^:])/$1/g;
 	    print "$prefix$nl$suffix\n";
 	}
    }
    return @rc;
 }
--- a/contrib/dnsblaccess.m4
+++ b/contrib/dnsblaccess.m4
@ -24,7 +24,7 @@ dnl ##	email.  A tempfail-message value of `t' temporarily rejects
 dnl ##	with a default message.  Otherwise the value should be your
 dnl ##	own message.  The keytag is used to lookup the access map to
 dnl ##	further refine the result.  I recommend a qualified keytag
-dnl ##	(containing a ".") as less likely to accidently conflict with
+dnl ##	(containing a ".") as less likely to accidentally conflict with
 dnl ##	other access tags.
 dnl ##
 dnl ##	This is best illustrated with an example.  Please do not use
@ -66,7 +66,7 @@ ifdef(`_ACCESS_TABLE_', `dnl',
 ifdef(`_EDNSBL_R_',`dnl',`dnl
 define(`_EDNSBL_R_', `1')dnl ## prevent multiple redefines of the map.
 LOCAL_CONFIG
-# map for enhanced DNS based blacklist lookups
+# map for enhanced DNS based blocklist lookups
 Kednsbl dns -R A -a. -T<TMP> -r`'ifdef(`EDNSBL_TO',`EDNSBL_TO',`5')
 ')
 divert(-1)
--- a/contrib/expn.pl
+++ b/contrib/expn.pl
@ -945,7 +945,7 @@ sub mxredirect
 	return undef;
 }
 # follow mx records, return a hostname
-# also follow temporary redirections comming from &domainify and
+# also follow temporary redirections coming from &domainify and
 # &mxlookup
 sub mx
 {
--- a/contrib/mmuegel
+++ b/contrib/mmuegel
@ -268,7 +268,7 @@ sed 's/^X//' << 'SHAR_EOF' > 'libs/date.pl' &&
 ;#		Fixed a couple of problems with &ls as pointed out by
 ;#		Thomas Richter (richter@ki1.chemie.fu-berlin.de), thanks Thomas!
 ;#		Also added a couple of SunOS 4.1.1 strftime-ish formats, %i and %k
-;#		for space padded hours (` 1' to `12' and ` 0' to `23' respectivly),
+;#		for space padded hours (` 1' to `12' and ` 0' to `23' respectively),
 ;#		and %C for locale long date/time format.  Changed &ampmH to take a
 ;#		pad char parameter to make to evaled code for %i and %k simpler. 
 ;#		Added %E for suffixed day-of-month (ie 1st, 3rd, 4th etc).
@ -398,7 +398,7 @@ X
 X	# watch out in 2070...
 X	$year += ($year < 70) ? 2000 : 1900;
 X
-X	# now loop throught the supplied format looking for tags...
+X	# now loop through the supplied format looking for tags...
 X	while (($pos = index ($format, '%')) != -1) {
 X
 X		# grab the format tag
@ -471,7 +471,7 @@ sub ls {
 X	return ((&gettime ($TZ, time))[5] == @_[0]) ? "%R" : " %Y";
 }
 X
-# pad - pad $in with leading $pad until lenght $len
+# pad - pad $in with leading $pad until length $len
 sub pad {
 X	local ($in, $len, $pad) = @_;
 X	local ($out) = "$in";
@ -661,7 +661,7 @@ X
 ;# otherwise, $Status will be 0 and $Error_Msg will contain an error message.
 ;# 
 ;# If $Use_Sendmail is 1 then sendmail is used to send the message. Normally
-;# a mailer such as Mail is used. By specifiying this you can include 
+;# a mailer such as Mail is used. By specifying this you can include 
 ;# headers in addition to text in either $Message or $Message_Is_File.
 ;# If either $Message or $Message_Is_File contain a Subject: header then
 ;# $Subject is ignored; otherwise, a Subject: header is automatically created.
@ -1026,15 +1026,15 @@ X
 ;#
 ;# Does not care about order of switches, options, and arguments like 
 ;# getopts.pl. Thus all non-switches/options will be kept in ARGV even if they
-;# are not at the end. If $Pass_Invalid is set all unkown options will be
+;# are not at the end. If $Pass_Invalid is set all unknown options will be
 ;# passed back to the caller by keeping them in @ARGV. This is useful when
 ;# parsing a command line for your script while ignoring options that you
 ;# may pass to another script. If this is set New_Getopts tries to maintain 
-;# the switch clustering on the unkown switches.
+;# the switch clustering on the unknown switches.
 ;#
 ;# Accepts the special argument -usage to print the Usage string. Also accepts 
 ;# the special option -version which prints the contents of the string 
-;# $VERSION. $VERSION may or may not have an embeded \n in it. If -usage 
+;# $VERSION. $VERSION may or may not have an embedded \n in it. If -usage 
 ;# or -version are specified a status of -1 is returned. Note that the usage
 ;# option is only accepted if the usage string is not null.
 ;# 
@ -1048,8 +1048,8 @@ X
 ;#    $Switch_To_Order {"v"} = 1;
 ;#    $Switch_To_Order {"x"} = 2;
 ;#
-;# Note that in the case of multiple occurances of an option $Switch_To_Order
+;# Note that in the case of multiple occurrences of an option $Switch_To_Order
-;# will store each occurance of the argument via a string that emulates
+;# will store each occurrence of the argument via a string that emulates
 ;# an array. This is done by using join ($;, ...). You can retrieve the
 ;# array by using split (/$;/, ...).
 ;#
@ -1062,7 +1062,7 @@ X
 ;# Another exciting ;-) feature that newgetopts has. Along with creating the 
 ;# normal $opt_ scalars for the last value of an argument the list @opt_ is 
 ;# created. It is an array which contains all the values of arguments to the 
-;# basename of the variable. They are stored in the order which they occured 
+;# basename of the variable. They are stored in the order which they occurred 
 ;# on the command line starting with $[. Note that blank arguments are stored 
 ;# as "". Along with providing support for multiple options on the command 
 ;# line this also provides a method of counting the number of times an option 
@ -1293,8 +1293,8 @@ X
 ;#      All other lines will be indented to match the amount of whitespace of
 ;#      $Offset.
 ;#
-;#    + If $Bullet_Indent is $TRUE $Offset will only be applied to the begining
+;#    + If $Bullet_Indent is $TRUE $Offset will only be applied to the beginning
-;#      of lines as they occured in the original $String. Lines that are created
+;#      of lines as they occurred in the original $String. Lines that are created
 ;#      by this routine will always be indented by blank spaces.
 ;#
 ;#    + If $Columns is 0 no word-wrap is done. This might be useful to still
@ -1306,7 +1306,7 @@ X
 ;#    + If $Offset_Blank is $TRUE then empty lines will have $Offset pre-pended
 ;#      to them. Otherwise, they will still empty.
 ;#
-;# This is a realy workhorse routine that I use in many places because of its
+;# This is a really workhorse routine that I use in many places because of its
 ;# veratility.
 ;#
 ;# Arguments:
@ -1668,7 +1668,7 @@ sed 's/^X//' << 'SHAR_EOF' > 'man/postclip.1' &&
 of the message. This keeps bounced mail private and helps to avoid disk space problems. \*(mp tries its best to keep as much of the header trail as possible.
 Hopefully only the original body of the message will be filtered. Only messages
 that have a subject that begins with 'Returned mail:' are filtered. This
-ensures that other mail is not accidently mucked with. Finally, note that
+ensures that other mail is not accidentally mucked with. Finally, note that
 \fBsendmail\fR is used to deliver the message after it has been (possibly)
 filtered. All of the original headers will remain intact.
 .sp 1 
--- a/devtools/M4/header.m4
+++ b/devtools/M4/header.m4
@ -25,7 +25,7 @@ define(`confSHELL', `/bin/sh')
 define(`confBEFORE', `')
 define(`confLIBDIRS', `')
 define(`confINCDIRS', `')
-define(`confLIBSEARCH', `db bind resolv 44bsd')
+define(`confLIBSEARCH', `db bind resolv 44bsd cdb')
 define(`confLIBSEARCHPATH', `/lib /usr/lib /usr/shlib')
 define(`confSHAREDLIB_EXT', `.so')
 define(`confSITECONFIG', `site.config')
--- a/devtools/OS/Darwin.14.x
+++ b/devtools/OS/Darwin.14.x
@ -0,0 +1,25 @@
 #	$Id: Darwin.13.x,v 1.1 2013-12-02 22:11:06 gshapiro Exp $
 dnl	DO NOT EDIT THIS FILE.
 dnl	Place personal settings in devtools/Site/site.config.m4
 #
 define(`confCC', `cc -pipe ${Extra_CC_Flags}')
 define(`confMAPDEF', `-DNEWDB -DNIS -DMAP_REGEX')
 define(`confENVDEF', `-DDARWIN=140000 -DBIND_8_COMPAT -DNETINET6')
 define(`confLDOPTS', `${Extra_LD_Flags}')
 define(`confMTLDOPTS', `-lpthread')
 define(`confMILTER_STATIC', `')
 define(`confDEPEND_TYPE', `CC-M')
 define(`confOPTIMIZE', `-O3')
 define(`confRANLIBOPTS', `-c')
 define(`confHFDIR', `/usr/share/sendmail')
 define(`confINSTALL_RAWMAN')
 define(`confMANOWN', `root')
 define(`confMANGRP', `wheel')
 define(`confUBINOWN', `root')
 define(`confUBINGRP', `wheel')
 define(`confSBINOWN', `root')
 define(`confSBINGRP', `wheel')
 define(`confLDOPTS_SO', `-dynamiclib -flat_namespace -undefined suppress -single_module')
 define(`confSHAREDLIB_EXT', `.dylib')
--- a/devtools/OS/Darwin.15.x
+++ b/devtools/OS/Darwin.15.x
@ -0,0 +1,23 @@
 dnl	DO NOT EDIT THIS FILE.
 dnl	Place personal settings in devtools/Site/site.config.m4
 #
 define(`confCC', `cc -pipe ${Extra_CC_Flags}')
 define(`confMAPDEF', `-DNEWDB -DNIS -DMAP_REGEX')
 define(`confENVDEF', `-DDARWIN=150000 -DBIND_8_COMPAT -DNETINET6')
 define(`confLDOPTS', `${Extra_LD_Flags}')
 define(`confMTLDOPTS', `-lpthread')
 define(`confMILTER_STATIC', `')
 define(`confDEPEND_TYPE', `CC-M')
 define(`confOPTIMIZE', `-O3')
 define(`confRANLIBOPTS', `-c')
 define(`confHFDIR', `/usr/share/sendmail')
 define(`confINSTALL_RAWMAN')
 define(`confMANOWN', `root')
 define(`confMANGRP', `wheel')
 define(`confUBINOWN', `root')
 define(`confUBINGRP', `wheel')
 define(`confSBINOWN', `root')
 define(`confSBINGRP', `wheel')
 define(`confLDOPTS_SO', `-dynamiclib -flat_namespace -undefined suppress -single_module')
 define(`confSHAREDLIB_EXT', `.dylib')
--- a/devtools/OS/Darwin.16.x
+++ b/devtools/OS/Darwin.16.x
@ -0,0 +1,23 @@
 dnl	DO NOT EDIT THIS FILE.
 dnl	Place personal settings in devtools/Site/site.config.m4
 #
 define(`confCC', `cc -pipe ${Extra_CC_Flags}')
 define(`confMAPDEF', `-DNEWDB -DNIS -DMAP_REGEX')
 define(`confENVDEF', `-DDARWIN=160000 -DBIND_8_COMPAT -DNETINET6')
 define(`confLDOPTS', `${Extra_LD_Flags}')
 define(`confMTLDOPTS', `-lpthread')
 define(`confMILTER_STATIC', `')
 define(`confDEPEND_TYPE', `CC-M')
 define(`confOPTIMIZE', `-O3')
 define(`confRANLIBOPTS', `-c')
 define(`confHFDIR', `/usr/share/sendmail')
 define(`confINSTALL_RAWMAN')
 define(`confMANOWN', `root')
 define(`confMANGRP', `wheel')
 define(`confUBINOWN', `root')
 define(`confUBINGRP', `wheel')
 define(`confSBINOWN', `root')
 define(`confSBINGRP', `wheel')
 define(`confLDOPTS_SO', `-dynamiclib -flat_namespace -undefined suppress -single_module')
 define(`confSHAREDLIB_EXT', `.dylib')
--- a/devtools/OS/Darwin.17.x
+++ b/devtools/OS/Darwin.17.x
@ -0,0 +1,23 @@
 dnl	DO NOT EDIT THIS FILE.
 dnl	Place personal settings in devtools/Site/site.config.m4
 #
 define(`confCC', `cc -pipe ${Extra_CC_Flags}')
 define(`confMAPDEF', `-DNEWDB -DNIS -DMAP_REGEX')
 define(`confENVDEF', `-DDARWIN=170000 -DBIND_8_COMPAT -DNETINET6')
 define(`confLDOPTS', `${Extra_LD_Flags}')
 define(`confMTLDOPTS', `-lpthread')
 define(`confMILTER_STATIC', `')
 define(`confDEPEND_TYPE', `CC-M')
 define(`confOPTIMIZE', `-O3')
 define(`confRANLIBOPTS', `-c')
 define(`confHFDIR', `/usr/share/sendmail')
 define(`confINSTALL_RAWMAN')
 define(`confMANOWN', `root')
 define(`confMANGRP', `wheel')
 define(`confUBINOWN', `root')
 define(`confUBINGRP', `wheel')
 define(`confSBINOWN', `root')
 define(`confSBINGRP', `wheel')
 define(`confLDOPTS_SO', `-dynamiclib -flat_namespace -undefined suppress -single_module')
 define(`confSHAREDLIB_EXT', `.dylib')
--- a/devtools/OS/Darwin.18.x
+++ b/devtools/OS/Darwin.18.x
@ -0,0 +1,23 @@
 dnl	DO NOT EDIT THIS FILE.
 dnl	Place personal settings in devtools/Site/site.config.m4
 #
 define(`confCC', `cc -pipe ${Extra_CC_Flags}')
 define(`confMAPDEF', `-DNEWDB -DNIS -DMAP_REGEX')
 define(`confENVDEF', `-DDARWIN=180000 -DBIND_8_COMPAT -DNETINET6')
 define(`confLDOPTS', `${Extra_LD_Flags}')
 define(`confMTLDOPTS', `-lpthread')
 define(`confMILTER_STATIC', `')
 define(`confDEPEND_TYPE', `CC-M')
 define(`confOPTIMIZE', `-O3')
 define(`confRANLIBOPTS', `-c')
 define(`confHFDIR', `/usr/share/sendmail')
 define(`confINSTALL_RAWMAN')
 define(`confMANOWN', `root')
 define(`confMANGRP', `wheel')
 define(`confUBINOWN', `root')
 define(`confUBINGRP', `wheel')
 define(`confSBINOWN', `root')
 define(`confSBINGRP', `wheel')
 define(`confLDOPTS_SO', `-dynamiclib -flat_namespace -undefined suppress -single_module')
 define(`confSHAREDLIB_EXT', `.dylib')
--- a/devtools/README
+++ b/devtools/README
@ -137,7 +137,7 @@ confLIBGRP	    bin			The group for libraries.
 confLIBMODE	    444			The mode of installed libraries.
 confLIBOWN	    root		The owner for libraries.
 confLIBS	    [varies]		-l flags passed to ld.
-confLIBSEARCH	    db bind resolv 44bsd
+confLIBSEARCH	    db bind resolv 44bsd cdb
 					Search for these libraries for
 					linking with programs.
 confLIBSEARCHPATH   /lib /usr/lib /usr/shlib
@ -177,7 +177,8 @@ confMANROOTMAN	    /usr/share/man/man	The root of the man subtree, for
 					unformatted manual pages.
 confMAPDEF	    [varies]		The map definitions, e.g.,
 					-DNDBM -DNEWDB.  -DNEWDB is always
-					added if libdb.* can be found.
+					added if libdb.* can be found,
 					-DCDB is added if libcdb.* is found.
 confMBINDIR	    /usr/sbin		The location of the MTA (sm-mta,
 					sendmail) binary.
 confMBINGRP	    bin			The group of the MTA binary (sm-mta).
--- a/devtools/bin/Build
+++ b/devtools/bin/Build
@ -543,6 +543,8 @@ elif [ -r ${OBJ_ROOT}/obj${prefix}.$rel$sfx ]; then
 	abs_obj_dir=${OBJ_ROOT}/obj${prefix}.$rel$sfx
 elif [ -r ${OBJ_ROOT}/obj${prefix}.$sfx ]; then
 	abs_obj_dir=${OBJ_ROOT}/obj${prefix}.$sfx
 elif [ -r ${OBJ_ROOT}/obj${prefix}$sfx ]; then
 	abs_obj_dir=${OBJ_ROOT}/obj${prefix}$sfx
 fi
 if [ -n "$abs_obj_dir" ]
--- a/devtools/bin/configure.sh
+++ b/devtools/bin/configure.sh
@ -115,11 +115,13 @@ do
 		fi
 		if [ -f $p/lib$l.a -o -f $p/lib$l$SOEXT ]
 		then
-			case $l
+			case $l in
 			in
 			  db)
 				mapdef="$mapdef -DNEWDB"
 				;;
 			  cdb)
 				mapdef="$mapdef -DCDB"
 				;;
 			  bind|resolv)
 				if [ -n "$resolver" ]
 				then
--- a/doc/op/op.me
+++ b/doc/op/op.me
@ -90,10 +90,9 @@ Proofpoint, Inc.
 .de Ve
 Version \\$2
 ..
 .Ve $Revision: 8.759 $
 .rm Ve
 .sp
-For Sendmail Version 8.15
+For Sendmail Version 8.16
 .)l
 .(f
 Sendmail is a trademark of Proofpoint, Inc.
@ -149,8 +148,9 @@ RFC 2554 (SMTP Service Extension for Authentication),
 RFC 2821 (Simple Mail Transfer Protocol),
 RFC 2822 (Internet Message Format),
 RFC 2852 (Deliver By SMTP Service Extension),
 RFC 2920 (SMTP Service Extension for Command Pipelining),
 and
-RFC 2920 (SMTP Service Extension for Command Pipelining).
+RFC 7505 (A "Null MX" No Service Resource Record for Domains That Accept No Mail).
 However, since
 .i sendmail
 is designed to work in a wider world,
@ -309,9 +309,8 @@ program; for details see
 .sh 3 "Creating a Site Configuration File"
 .\"XXX
 .pp
-(This section is not yet complete.
+See sendmail/README for various compilation flags that can be set,
-For now, see the file devtools/README for details.)
+and devtools/README for details how to set them.
 See sendmail/README for various compilation flags that can be set.
 .sh 3 "Tweaking the Makefile"
 .pp
 .\" .b "XXX This should all be in the Site Configuration File section."
@ -323,6 +322,8 @@ notably the
 database.
 At least one of these should be defined if at all possible.
 .nr ii 1i
 .ip CDB
 Constant DataBase (tinycdb).
 .ip NDBM
 The ``new DBM'' format,
 available on nearly all systems around today.
@ -1224,7 +1225,9 @@ A recipient address is mapped to a queue group as follows.
 First, if there is a ruleset called ``queuegroup'',
 and if this ruleset maps the address to a queue group name,
 then that queue group is chosen.
-That is, the argument for the ruleset is the recipient address
+That is, the argument for the ruleset is
 the recipient address
 (i.e., the address part of the resolved triple)
 and the result should be
 .b $#
 followed by the name of a queue group.
@ -1282,7 +1285,7 @@ In case one of the queue runners tries delivery to a slow recipient site
 at the end of a queue run, the next queue run may be substantially delayed.
 In general this should be smoothed out due to the distribution of
 those slow jobs, however, for sites with small number of
-queue entries this might introduce noticable delays.
+queue entries this might introduce noticeable delays.
 In general, persistent queue runners are only useful for
 sites with big queues.
 .sh 3 "Manual Intervention"
@ -2908,7 +2911,7 @@ Therefore it is necessary to run the client mail queue periodically.
 .pp
 .i Sendmail
 has several parameters to control resource usage.
-Besides those mentionted in the previous section, there are at least
+Besides those mentioned in the previous section, there are at least
 .b MaxDaemonChildren ,
 .b ConnectionRateThrottle ,
 .b MaxQueueChildren ,
@ -2954,7 +2957,7 @@ by looking for the macro definitions of
 and
 .b MAXETRNCOMMANDS .
 If an SMTP command is issued more often than the corresponding
-.b MAXcmdCOMMANDS 
+.b MAXcmdCOMMANDS
 value, then the response is delayed exponentially,
 starting with a sleep time of one second,
 up to a maximum of four minutes (as defined by
@ -2966,7 +2969,7 @@ then this could make a DoS attack even worse since it
 keeps a connection open longer than necessary.
 Therefore a connection is terminated with a 421 SMTP reply code
 if the number of commands exceeds the limit by a factor of two and
-.b MAXBADCOMMANDS 
+.b MAXBADCOMMANDS
 is set to a value greater than zero (the default is 25).
 .sh 2 "Delivery Mode"
 .pp
@ -3038,8 +3041,9 @@ should not be used by the SMTP server.
 .pp
 The level of logging can be set for
 .i sendmail .
-The default using a standard configuration table is level 9.
+The default using a standard configuration is level 9.
-The levels are as follows:
+The levels are approximately as follows
 (some log types are using different level depending on various factors):
 .nr ii 0.5i
 .ip 0
 Minimal logging.
@ -3078,7 +3082,7 @@ questionable situations.
 .ip 14
 Logs refused connections.
 .ip 15
-Log all incoming and outgoing SMTP commands.
+Log all incoming SMTP commands.
 .ip 20
 Logs attempts to run locked queue files.
 These are not errors,
@ -3280,7 +3284,7 @@ Accept group-writable
 .i \&.forward
 files as safe for program and file delivery.
 .ip GroupWritableIncludeFile
-Allow group wriable
+Allow group writable
 .i :include:
 files.
 .ip GroupWritableIncludeFileSafe
@ -3355,7 +3359,7 @@ Allow world writable
 .i \&.forward
 files.
 .ip WorldWritableIncludefile
-Allow world wriable
+Allow world writable
 .i :include:
 files.
 .ip WriteMapToHardLink
@ -3932,7 +3936,7 @@ The complete syntax for ruleset 0 is:
 .)b
 This specifies the
 {mailer, host, user}
-3-tuple necessary to direct the mailer.
+3-tuple (triple) necessary to direct the mailer.
 Note: the third element (
 .i user
 ) is often also called
@ -3964,9 +3968,11 @@ If the
 is the built-in IPC mailer,
 the
 .i host
-may be a colon-separated list of hosts
+may be a colon (or comma) separated list of hosts.
-that are searched in order for the first working address
+Each is separately MX expanded and the results are concatenated
-(exactly like MX records).
+to make (essentially) one long MX list.
 Hosts separated by a comma have the same MX preference,
 and for each colon separated host the MX preference is increased.
 The
 .i user
 is later rewritten by the mailer-specific envelope rewriting set
@ -4148,7 +4154,7 @@ macro
 for use in the argv expansion of the specified mailer.
 Notice: since the envelope sender address will be used if
 a delivery status notification must be send,
-i.e., is may specify a recipient,
+i.e., it may specify a recipient,
 it is also run through ruleset zero.
 If ruleset zero returns a temporary error
 .b 4xy
@ -4515,7 +4521,7 @@ for details, as well as
 and note this warning:
 Options already set before are not cleared!
 .ip CipherList
-Specify cipher list for STARTTLS,
+Specify cipher list for STARTTLS (does not apply to TLSv1.3),
 see
 .i ciphers (1)
 for possible values.
@ -4526,6 +4532,28 @@ for the session.
 File containing a certificate.
 .ip KeyFile
 File containing the private key for the certificate.
 .ip Flags
 Currently the only valid flags are
 .br
 .i R
 to require a CRL for each encountered certificate during verification
 (by default a missing CRL is ignored),
 .br
 .i c
 and
 .i C
 which basically clears/sets the option
 .i TLSFallbacktoClear
 for just this session, respectively,
 .br
 .i d
 to turn off DANE which is obviously only valid for
 .i tls_clt_features
 and requires DANE to be compiled in.
 This might be needed in case of a misconfiguration,
 e.g.,
 specifying invalid TLSA RRs.
 .br
 .lp
 .lp
 Example:
@ -4550,9 +4578,6 @@ and
 .i KeyFile
 must be specified together;
 specifying only one is an error.
 .pp
 These rulesets require the sendmail binary to be built with _FFR_TLS_SE_OPTS
 enabled (see the "For Future Release" section).
 .sh 4 "authinfo"
 .pp
 The
@ -4589,9 +4614,9 @@ is ignored (even if the ruleset does not return a ``useful'' result).
 The
 .i queuegroup
 ruleset is used to map a recipient address to a queue group name.
-The input for the ruleset is a recipient address as specified by the
+The input for the ruleset is
-.sm "SMTP RCPT"
+the recipient address
-command.
+(i.e., the address part of the resolved triple)
 The ruleset should return
 .b $#
 followed by the name of a queue group.
@ -4615,7 +4640,7 @@ pause.
 If the return value starts with anything else or is not a number,
 it is silently ignored.
 Note: this ruleset is not invoked (and hence the feature is disabled)
-when the smtps (SMTP over SSL) is used, i.e.,
+when smtps (SMTP over SSL) is used, i.e.,
 the
 .i s
 modifier is set for the daemon via
@ -4651,9 +4676,11 @@ to an IP host address.
 .pp
 The host name passed in after the
 .q $@
-may also be a colon-separated list of hosts.
+may also be a colon or comma separated list of hosts.
 Each is separately MX expanded and the results are concatenated
 to make (essentially) one long MX list.
 Hosts separated by a comma have the same MX preference,
 and for each colon separated host the MX preference is increased.
 The intent here is to create
 .q fake
 MX records that are not published in DNS
@ -5224,7 +5251,7 @@ The output of the
 function, i.e., the number of seconds since 0 hours, 0 minutes,
 0 seconds, January 1, 1970, Coordinated Universal Time (UTC).
 .ip ${tls_version}
-The TLS/SSL version used for the connection, e.g., TLSv1, SSLv3, SSLv2;
+The TLS/SSL version used for the connection, e.g., TLSv1.2, TLSv1;
 defined after STARTTLS has been used.
 .ip ${total_rate}
 The total number of incoming connections over the time interval specified
@ -5241,6 +5268,7 @@ NOT	no cert requested.
 FAIL	cert presented but could not be verified,
 	e.g., the signing CA is missing.
 NONE	STARTTLS has not been performed.
 CLEAR	STARTTLS has been disabled internally for a clear text delivery attempt.
 TEMP	temporary error occurred.
 PROTOCOL	some protocol error occurred
 	at the ESMTP level (not TLS).
@ -5859,7 +5887,7 @@ Do User Database rewriting on recipients as well as senders.
 Normally when
 .i sendmail
 connects to a host via SMTP,
-it checks to make sure that this isn't accidently the same host name
+it checks to make sure that this isn't accidentally the same host name
 as might happen if
 .i sendmail
 is misconfigured or if a long-haul network interface is set in loopback mode.
@ -5893,7 +5921,7 @@ macro occurs in the
 part of the mailer definition,
 that field will be repeated as necessary
 for all qualifying users.
-Removing this flag can defeat duplicate supression on a remote site
+Removing this flag can defeat duplicate suppression on a remote site
 as each recipient is sent in a separate transaction.
 .ip M\(dg
 This mailer wants a
@ -6519,6 +6547,10 @@ is specified),
 (if
 .sm NDBM
 is specified),
 .q cdb
 (if
 .sm CDB
 is specified),
 .q stab
 (internal symbol table \*- not normally used
 unless you have no other database lookup),
@ -6647,7 +6679,7 @@ see section about STARTTLS for more information.
 Specify the fingerprint algorithm (digest) to use for the presented cert.
 If the option is not set,
 md5 is used and the macro
-.p ${cert_md5}
+.b ${cert_md5}
 contains the cert fingerprint.
 If the option is explicitly set,
 the specified algorithm (e.g., sha1) is used
@ -6655,7 +6687,7 @@ and the macro
 .b ${cert_fp}
 contains the cert fingerprint.
 .ip CipherList
-Specify cipher list for STARTTLS.
+Specify cipher list for STARTTLS (does not apply to TLSv1.3).
 See
 .i ciphers (1)
 for possible values.
@ -6756,7 +6788,7 @@ By default,
 .i -SSL_OP_TLSEXT_PADDING
 are used
 (if those options are available).
-Options can be cleared by preceeding them with a minus sign.
+Options can be cleared by preceding them with a minus sign.
 It is also possible to specify numerical values, e.g.,
 .b -0x0010 .
 .ip ColonOkInAddr
@ -6851,9 +6883,18 @@ Solaris and pre-4.4BSD kernel users should see the note in sendmail/README .
 [no short name]
 Name of file that contains certificate
 revocation status, useful for X.509v3 authentication.
 CRL checking requires at least OpenSSL version 0.9.7.
 Note: if a CRLFile is specified but the file is unusable,
 STARTTLS is disabled.
 .ip CRLPath=\fIname\fP
 [no short name]
 Name of directory that contains hashes pointing to
 certificate revocation status files.
 Symbolic links can be generated with the following
 two (Bourne) shell commands:
 .(b
 C=FileName_of_CRL
 ln -s $C `openssl crl -noout -hash < $C`.r0
 .)b
 .ip DHParameters
 This option applies to the server side only.
 Possible values are:
@ -6948,7 +6989,7 @@ can be a sequence (without any delimiters)
 of the following characters:
 .(b
 .ta 1i
-a	always require authentication
+a	always require AUTH
 b	bind to interface through which mail has been received
 c	perform hostname canonification (.cf)
 f	require fully qualified hostname (.cf)
@ -6961,7 +7002,7 @@ O	optional; if opening the socket fails ignore it
 S	don't offer STARTTLS
 .)b
 That is, one way to specify a message submission agent (MSA) that
-always requires authentication is:
+always requires AUTH is:
 .(b
 O DaemonPortOptions=Name=MSA, Port=587, M=Ea
 .)b
@ -7000,7 +7041,7 @@ This will also override possible settings via
 Note,
 .i sendmail
 will listen on a new socket
-for each occurence of the
+for each occurrence of the
 .b DaemonPortOptions
 option in a configuration file.
 The modifier ``O'' causes sendmail to ignore a socket
@ -7296,6 +7337,18 @@ are:
 .\"8BITMIME\(->7BIT conversions are done.
 In all cases properly declared 8BITMIME data will be converted to 7BIT
 as needed.
 .p
 Note: if an automatic conversion is performed, a header with
 the following format will be added:
 .(b
 X-MIME-Autoconverted: from OLD to NEW by $j id $i
 .)b
 where
 .\" format?
 OLD
 and
 NEW
 describe the original format and the converted format, respectively.
 .ip ErrorHeader=\fIfile-or-message\fP
 [E]
 Prepend error messages with the indicated message.
@ -7393,6 +7446,10 @@ and then in
 .ip HeloName=\fIname\fP
 [no short name]
 Set the name to be used for HELO/EHLO (instead of $j).
 .ip HelpFile=\fIfile\fP
 [H]
 Specify the help file for SMTP.
 If no file name is specified, "helpfile" is used.
 .ip HoldExpensive
 [c]
 If an outgoing mailer is marked as being expensive,
@ -7520,9 +7577,10 @@ If not set, there is no limit to the number of children --
 that is, the system load average controls this.
 .ip MaxHeadersLength=\fIN\fP
 [no short name]
-The maximum length of the sum of all headers.
+If set to a value greater than zero it specifies
 the maximum length of the sum of all headers.
 This can be used to prevent a denial of service attack.
-The default is no limit.
+The default is 32K.
 .ip MaxHopCount=\fIN\fP
 [h]
 The maximum hop count.
@ -7706,6 +7764,12 @@ Sets the list of characters that must be quoted if used in a full name
 that is in the phrase part of a ``phrase <address>'' syntax.
 The default is ``\'.''.
 The characters ``@,;:\e()[]'' are always added to this list.
 Note: To avoid potential breakage of
 DKIM signatures it is useful to set
 .(b
 O MustQuoteChars=.
 .)b
 Moreover, relaxed header signing should be used for DKIM signatures.
 .ip NiceQueueRun
 [no short name]
 The priority of queue runners (nice(3)).
@ -8189,7 +8253,7 @@ By default,
 .i -SSL_OP_TLSEXT_PADDING
 are used
 (if those options are available).
-Options can be cleared by preceeding them with a minus sign.
+Options can be cleared by preceding them with a minus sign.
 It is also possible to specify numerical values, e.g.,
 .b -0x0010 .
 .ip ServiceSwitchFile=\fIfilename\fP
@ -8301,6 +8365,31 @@ Defaults to
 If set, issue temporary errors (4xy) instead of permanent errors (5xy).
 This can be useful during testing of a new configuration to avoid
 erroneous bouncing of mails.
 .ip SSLEngine
 Name of SSL engine to use.
 The available values depend on the OpenSSL version against which
 .i sendmail
 is compiled,
 see
 .(b
 openssl engine -v
 .)b
 for some information.
 .ip SSLEnginePath
 Path to dynamic library for SSL engine.
 This option is only useful if
 .i SSLEngine
 is set.
 If both are set, the engine will be loaded dynamically at runtime
 using the concatenation of the path,
 a slash "/",
 the string "lib",
 the value of
 .i SSLEngine ,
 and the string ".so".
 If only
 .i SSLEngine
 is set then the static version of the engine is used.
 .ip StatusFile=\fIfile\fP
 [S]
 Log summary statistics in the named
@ -8340,6 +8429,22 @@ PostMilter is useful only when
 .i sendmail
 is running as an SMTP server; in all other situations it
 acts the same as True.
 .ip TLSFallbacktoClear
 [no short name]
 If set,
 .i sendmail
 immediately tries an outbound connection again without STARTTLS
 after a TLS handshake failure.
 Note:
 this applies to all connections even if TLS specific requirements are set
 (see rulesets
 .i tls_rcpt
 and
 .i tls_client
 ).
 Hence such requirements will cause an error on a retry without STARTTLS.
 Therefore they should only trigger a temporary failure so the connection
 is later on tried again.
 .ip TLSSrvOptions
 [no short name]
 List of options for SMTP STARTTLS for the server
@ -8824,6 +8929,12 @@ $[\fIhostname\fP$]
 .)b
 .pp
 There are many defined classes.
 .ip cdb
 Database lookups using the cdb(3) library.
 .i Sendmail
 must be compiled with
 .b CDB
 defined.
 .ip dbm
 Database lookups using the ndbm(3) library.
 .i Sendmail
@ -8885,7 +8996,7 @@ only the first value will be returned
 unless the
 .b \-z
 (value separator)
-map flag is set.
+map option is set.
 Also, the
 .b \-1
 map flag will treat a multiple value return
@ -8906,14 +9017,11 @@ The format of the text file is defined by the
 and
 .b \-z
 (field delimiter)
-flags.
+options.
 .ip ph
 PH query map.
 Contributed and supported by
 Mark Roth, roth@uiuc.edu.
 For more information,
 consult the web site
 .q http://www-dev.cites.uiuc.edu/sendmail/ .
 .ip nsd
 nsd map for IRIX 6.5 and later.
 Contributed and supported by Bob Mende of SGI,
@ -8922,11 +9030,15 @@ mende@sgi.com.
 Internal symbol table lookups.
 Used internally for aliasing.
 .ip implicit
-Really should be called
+Sequentially try a list of available map types:
-.q alias
+.i hash ,
-\(em this is used to get the default lookups
+.i dbm ,
-for alias files,
+and
-and is the default if no class is specified for alias files.
+.i cdb .
 It is the default for alias files if no class is specified.
 If is no matching map type is found,
 the text version is used for the alias file,
 but other maps fail to open.
 .ip user
 Looks up users using
 .i getpwnam (3).
@ -8948,15 +9060,24 @@ This can be used to find out if this machine is the target for an MX record,
 and mail can be accepted on that basis.
 If the
 .b \-z
-flag is given, then all MX names are returned,
+option is given, then all MX names are returned,
 separated by the given delimiter.
 Note: the return value is deterministic,
 i.e., even if multiple MX records have the same preference,
 they will be returned in the same order.
 .ip dns
 This map requires the option -R to specify the DNS resource record
-type to lookup. The following types are supported:
+type to lookup.
 The following types are supported:
 A, AAAA, AFSDB, CNAME, MX, NS, PTR, SRV, and TXT.
-A map lookup will return only one record.
+A map lookup will return only one record
 unless the
 .b \-z
 (value separator)
 option is set.
 Hence for some types, e.g., MX records, the return value might be a random
-element of the list due to randomizing in the DNS resolver.
+element of the results due to randomizing in the DNS resolver,
 if only one element is returned.
 .ip arpa
 Returns the ``reverse'' for the given IP (IPv4 or IPv6) address,
 i.e., the string for the PTR lookup,
@ -8969,7 +9090,7 @@ For example, the following configuration lines:
 Karpa arpa
 SArpa
 R$+	$: $(arpa $1 $)
-.)b 
+.)b
 work like this in test mode:
 .(b
 sendmail -bt
@ -9069,33 +9190,45 @@ if used, it is substituted by the substring matches, delimited by
 .b $|
 or the string specified with the the
 .b \-d
-flag.  The flags available for the map are
+option.
 The options available for the map are
 .(b
 .ta 4n
 -n	not
 -f	case sensitive
 -b	basic regular expressions (default is extended)
 -s	substring match
-d	set the delimiter used for -s
+-d	set the delimiter string used for -s
 -a	append string to key
 -m	match only, do not replace/discard value
 -D	perform no lookup in deferred delivery mode.
 .)b
 The
 .b \-s
-flag can include an optional parameter which can be used
+option can include an optional parameter which can be used
-to select the substrings in the result of the lookup.  For example,
+to select the substrings in the result of the lookup.
 For example,
 .(b
 -s1,3,4
 .)b
 The delimiter string specified via the
 .b \-d
 option is the sequence of characters after
 .b d
 ending at the first space.
 Hence it isn't possible to specify a space as delimiter,
 so if the option is immediately followed by a space
 the delimiter string is empty,
 which means the substrings are joined.
 Notes: to match a
 .b $
 in a string,
 \\$$
 must be used.
-If the pattern contains spaces, they must be replaced
+If the pattern contains spaces,
-with the blank substitution character, unless it is
+they must be replaced with the blank substitution character,
-space itself.
+unless it is space itself.
 .ip program
 The arguments on the
 .b K
@ -9185,12 +9318,12 @@ and is one of the following upper case words:
 .ta 9n
 OK	the key was found, result contains the looked up value
 NOTFOUND	the key was not found, the result is empty
-TEMP	a temporary failure occured
+TEMP	a temporary failure occurred
-TIMEOUT	a timeout occured on the server side
+TIMEOUT	a timeout occurred on the server side
-PERM	a permanent failure occured
+PERM	a permanent failure occurred
 .)b
-In case of errors (status TEMP, TIMEOUT or PERM) the result field may 
+In case of errors (status TEMP, TIMEOUT or PERM) the result field may
 contain an explanatory message.
 However, the explanatory message is not used any further by
 .i sendmail .
@ -9206,7 +9339,7 @@ Example replies:
 in case of successful lookups, or:
 .(b
-8:NOTFOUND, 
+8:NOTFOUND,
 .)b
 in case the key was not found, or:
@ -9331,7 +9464,7 @@ or
 to indicate newline or tab respectively.
 If omitted entirely,
 the column separator is any sequence of white space.
-For LDAP maps this is the separator character
+For LDAP and some other maps this is the separator character
 to combine multiple values
 into a single return string.
 If not set,
@ -9413,6 +9546,11 @@ timeout: specify the timeout (in seconds) for communication
 with the socket map server.
 .pp
 The following additional flags are present in the ldap map only:
 .ip "\-c\fItimeout\fP"
 Set the LDAP network timeout.
 sendmail must be compiled with
 .b \-DLDAP_OPT_NETWORK_TIMEOUT
 to use this flag.
 .ip "\-R"
 Do not auto chase referrals.  sendmail must be compiled with
 .b \-DLDAP_REFERRALS
@ -9480,6 +9618,9 @@ Should be one of
 .b LDAP_AUTH_SIMPLE ,
 or
 .b LDAP_AUTH_KRBV4 .
 The leading
 .b LDAP_AUTH_
 can be omitted and the value is case-insensitive.
 .ip "\-P\fIpasswordfile\fP"
 The file containing the secret key for the
 .b LDAP_AUTH_SIMPLE
@ -9530,8 +9671,9 @@ and the data is located in
 .pp
 The program
 .i makemap (8)
-can be used to build any of the three database-oriented maps.
+can be used to build database-oriented maps.
-It takes the following flags:
+It takes at least the following flags
 (for a complete list see its man page):
 .ip \-f
 Do not fold upper to lower case in the map.
 .ip \-N
@ -9980,8 +10122,10 @@ configuration file.
 If set,
 the new version of the DBM library
 that allows multiple databases will be used.
-If neither NDBM nor NEWDB are set,
+If neither CDB, NDBM, nor NEWDB are set,
 a much less efficient method of alias lookup is used.
 .ip CWDB
 If set, use the cdb (tinycdb) package.
 .ip NEWDB
 If set, use the new database package from Berkeley (from 4.4BSD).
 This package is substantially faster than DBM or NDBM.
@ -10418,7 +10562,7 @@ Addresses in this header should receive error messages.
 This header is a Content-Transfer-Encoding header.
 .ip H_CTYPE
 This header is a Content-Type header.
-.ip H_STRIPVAL
+.ip H_BCC
 Strip the value from the header (for Bcc:).
 .nr ii 5n
 .lp
@ -10440,7 +10584,7 @@ struct hdrinfo	HdrInfo[] =
 	"to",	H_RCPT,
 	"resent-to",	H_RCPT,
 	"cc",	H_RCPT,
-	"bcc",	H_RCPT\^|\^H_STRIPVAL,
+	"bcc",	H_RCPT\^|\^H_BCC,
 	     /* message identification and control */
 	"message",	H_EOH,
 	"text",	H_EOH,
@ -10864,7 +11008,7 @@ it is necessary to understand at least some basics about X.509 certificates
 and public key cryptography.
 This information can be found in books about SSL/TLS
 or on WWW sites, e.g.,
-.q http://www.OpenSSL.org/ .
+.q https://www.OpenSSL.org/ .
 .sh 3 "Certificates for STARTTLS"
 .pp
 When acting as a server,
@ -11003,6 +11147,43 @@ The macros which are subject to this encoding are
 {cert_subject}, {cert_issuer}, {cn_subject}, {cn_issuer},
 as well as
 {auth_authen} and {auth_author}.
 .sh 2 "DANE"
 .pp
 Initial support for DANE (see RFC 7672 et.al.)
 is available if
 .i sendmail
 is compiled with the option
 .b DANE .
 Only TLSA RR 3-1-x (DANE-EE) is currently implemented.
 The option
 .(b
 O DANE=true
 .)b
 enables this feature at run time
 and it automatically adds
 .b use_dnssec
 and
 .b use_edns0
 to
 .(b
 O ResolverOptions
 .)b
 This requires a (preferrably local)
 validating DNS resolver which supports those options.
 If the client finds a usable TLSA RR and the check
 succeeds the macro
 .b ${verify}
 is set to
 .b TRUSTED .
 All non-DNS maps are considered
 .i secure
 just like DNS lookups with DNSSEC.
 Be aware that the implementation might not handle all
 error conditions as required by the RFCs.
 Moreover, TLSA RRs are not looked up for some features,
 e.g.,
 .i FallBackSmartHost .
 .sh 1 "ACKNOWLEDGEMENTS"
 .pp
 I've worked on
@ -11243,7 +11424,6 @@ this is equivalent to using \-p.)
 .ip \-q\fItime\fP
 Try to process the queued up mail.
 If the time is given,
 a
 .i sendmail
 will start one or more processes to run through the queue(s) at the specified
 time interval to deliver queued mail; otherwise, it only runs once.
@ -11307,7 +11487,7 @@ together, and items with different key letters
 .q and'ed
 together.
 .ip "\-Q[reason]"
-Quarantine a normal queue items with the given reason or
+Quarantine normal queue items with the given reason or
 unquarantine quarantined queue items if no reason is given.
 This should only be used with some sort of item matching using
 .b \-q[!]\fIXstring\fP
@ -11512,11 +11692,10 @@ but is actually realiased when the job is processed.
 There will be one line for each recipient.
 Version 1 qf files
 also include a leading colon-terminated list of flags,
-which can be
+some of which are
 `S' to return a message on successful final delivery,
 `F' to return a message on failure,
 `D' to return a message if the message is delayed,
 `B' to indicate that the body should be returned,
 `N' to suppress returning the body,
 and
 `P' to declare this as a ``primary'' (command line or SMTP-session) address.
@ -11727,7 +11906,6 @@ replace it with a blank sheet for double-sided output.
 .\".sz 10
 .\"Eric Allman
 .\".sp
 .\"Version $Revision: 8.759 $
 .\".ce 0
 .bp 3
 .ce
--- a/doc/op/op.ps
+++ b/doc/op/op.ps
--- a/editmap/Makefile
+++ b/editmap/Makefile
@ -8,6 +8,8 @@ all: FRC
 	$(SHELL) $(BUILD) $(OPTIONS) $@
 clean: FRC
 	$(SHELL) $(BUILD) $(OPTIONS) $@
 check: FRC
 	$(SHELL) $(BUILD) $(OPTIONS) $@
 install: FRC
 	$(SHELL) $(BUILD) $(OPTIONS) $@
--- a/editmap/editmap.0
+++ b/editmap/editmap.0
@ -2,20 +2,20 @@ EDITMAP(8)                                                          EDITMAP(8)
-NNAAMMEE
+[1mNAME[0m
-       eeddiittmmaapp - query and edit single records in database maps for sendmail
+       [1meditmap [22m- query and edit single records in database maps for sendmail
-SSYYNNOOPPSSIISS
+[1mSYNOPSIS[0m
-       eeddiittmmaapp  [--CC  _f_i_l_e]  [--NN]  [--ff] [--qq||--uu||--xx] maptype mapname key [ "value
+       [1meditmap  [22m[[1m-C  [4m[22mfile[24m]  [[1m-N[22m]  [[1m-f[22m] [[1m-q|-u|-x[22m] maptype mapname key [ "value
       ..." ]
-DDEESSCCRRIIPPTTIIOONN
+[1mDESCRIPTION[0m
-       EEddiittmmaapp queries or edits one record in database maps used by the  keyed
+       [1mEditmap [22mqueries or edits one record in database maps used by the  keyed
       map  lookups  in sendmail(8).  Arguments are passed on the command line
       and output (for queries) is directed to standard output.
-       Depending on how it is compiled, eeddiittmmaapp handles up to three  different
+       Depending on how it is compiled, [1meditmap [22mhandles up to three  different
-       database formats, selected using the _m_a_p_t_y_p_e parameter.  They may be
+       database formats, selected using the [4mmaptype[24m parameter.  They may be
       dbm    DBM format maps.  This requires the ndbm(3) library.
@ -23,39 +23,39 @@ DDEESSCCRRIIPPTTIIOONN
       hash   Hash format maps.  This also requires the Berkeley DB library.
-       If the _T_r_u_s_t_e_d_U_s_e_r option is set in the sendmail configuration file and
+       If the [4mTrustedUser[24m option is set in the sendmail configuration file and
-       eeddiittmmaapp  is  invoked  as root, the generated files will be owned by the
+       [1meditmap  [22mis  invoked  as root, the generated files will be owned by the
-       specified _T_r_u_s_t_e_d_U_s_e_r_.
+       specified [4mTrustedUser.[0m
-   FFllaaggss
+   [1mFlags[0m
-       --CC     Use the specified sseennddmmaaiill configuration file for looking up the
+       [1m-C     [22mUse the specified [1msendmail [22mconfiguration file for looking up the
              TrustedUser option.
-       --NN     Include  the  null  byte that terminates strings in the map (for
+       [1m-N     [22mInclude  the  null  byte that terminates strings in the map (for
              alias maps).
-       --ff     Normally all upper case letters in the key are folded  to  lower
+       [1m-f     [22mNormally all upper case letters in the key are folded  to  lower
              case.   This  flag disables that behaviour.  This is intended to
-              mesh with the -f flag in the KK line in sendmail.cf.   The  value
+              mesh with the -f flag in the [1mK [22mline in sendmail.cf.   The  value
              is never case folded.
-       --qq     Query  the  map for the specified key.  If found, print value to
+       [1m-q     [22mQuery  the  map for the specified key.  If found, print value to
              standard output and exit with 0.  If not  found  then  print  an
              error message to stdout and exit with EX_UNAVAILABLE.
-       --uu     Update  the record for _k_e_y with _v_a_l_u_e or inserts a new record if
+       [1m-u     [22mUpdate  the record for [4mkey[24m with [4mvalue[24m or inserts a new record if
              one doesn't exist.  Exits with 0 on success or EX_IOERR on fail-
              ure.
-       --xx     Deletes  the specific key from the map.  Exits with 0 on success
+       [1m-x     [22mDeletes  the specific key from the map.  Exits with 0 on success
              or EX_IOERR on failure.
-       SSEEEE AALLSSOO
+       [1mSEE ALSO[0m
              sendmail(8), makemap(8)
-HHIISSTTOORRYY
+[1mHISTORY[0m
-       The eeddiittmmaapp command has no history.
+       The [1meditmap [22mcommand has no history.
--- a/editmap/editmap.c
+++ b/editmap/editmap.c
@ -23,19 +23,19 @@ SM_UNUSED(static char copyright[]) =
 #ifndef lint
 SM_UNUSED(static char id[]) = "@(#)$Id: editmap.c,v 1.26 2013-11-22 20:51:26 ca Exp $";
-#endif /* ! lint */
+#endif
 #include <sys/types.h>
 #ifndef ISC_UNIX
 # include <sys/file.h>
-#endif /* ! ISC_UNIX */
+#endif
 #include <ctype.h>
 #include <stdlib.h>
 #include <unistd.h>
 #ifdef EX_OK
 # undef EX_OK		/* unistd.h may have another use for this */
-#endif /* EX_OK */
+#endif
 #include <sysexits.h>
 #include <assert.h>
 #include <sendmail/sendmail.h>
@ -100,7 +100,7 @@ main(argc, argv)
 #if HASFCHOWN
 	FILE *cfp;
 	char buf[MAXLINE];
-#endif /* HASFCHOWN */
+#endif
 	static char rnamebuf[MAXNAME];	/* holds RealUserName */
 	extern char *optarg;
 	extern int optind;
--- a/include/libmilter/mfapi.h
+++ b/include/libmilter/mfapi.h
@ -43,11 +43,11 @@
 /* Only need to export C interface if used by C++ source code */
 #ifdef __cplusplus
 extern "C" {
-#endif /* __cplusplus */
+#endif
 #ifndef _SOCK_ADDR
 # define _SOCK_ADDR	struct sockaddr
-#endif /* ! _SOCK_ADDR */
+#endif
 /*
 **  libmilter functions return one of the following to indicate
@ -58,7 +58,7 @@ extern "C" {
 #define MI_FAILURE	(-1)
 #if _FFR_WORKERS_POOL
 # define MI_CONTINUE	1
-#endif /* _FFR_WORKERS_POOL */
+#endif
 /* "forward" declarations */
 typedef struct smfi_str SMFICTX;
@ -76,17 +76,17 @@ typedef int	sfsistat;
 #if defined(__linux__) && defined(__GNUC__) && defined(__cplusplus) && __GNUC_MINOR__ >= 8
 # define SM__P(X)	__PMT(X)
-#else /* __linux__ && __GNUC__ && __cplusplus && _GNUC_MINOR__ >= 8 */
+#else
 # define SM__P(X)	__P(X)
-#endif /* __linux__ && __GNUC__ && __cplusplus && _GNUC_MINOR__ >= 8 */
+#endif
 /* Some platforms don't define __P -- do it for them here: */
 #ifndef __P
 # ifdef __STDC__
 #  define __P(X) X
-# else /* __STDC__ */
+# else
 #  define __P(X) ()
-# endif /* __STDC__ */
+# endif
 #endif /* __P */
 #if SM_CONF_STDBOOL_H
@ -464,7 +464,7 @@ LIBMILTER_API int smfi_chgheader __P((SMFICTX *, char *, int, char *));
 **
 **	SMFICTX *ctx; Opaque context structure
 **	char *headerf; Header field name
-**	int index; The Nth occurence of header field name
+**	int index; The Nth occurrence of header field name
 **	char *headerv; New header field value (empty for delete header)
 */
@ -594,10 +594,10 @@ LIBMILTER_API int smfi_setsymlist __P((SMFICTX *, int, char *));
 #if _FFR_THREAD_MONITOR
 LIBMILTER_API int smfi_set_max_exec_time __P((unsigned int));
-#endif /* _FFR_THREAD_MONITOR */
+#endif
 #ifdef __cplusplus
 }
-#endif /* __cplusplus */
+#endif
 #endif /* ! _LIBMILTER_MFAPI_H */
--- a/include/libmilter/mfdef.h
+++ b/include/libmilter/mfdef.h
@ -19,7 +19,7 @@
 #ifndef SMFI_PROT_VERSION
 # define SMFI_PROT_VERSION	6	/* MTA - libmilter protocol version */
-#endif /* SMFI_PROT_VERSION */
+#endif
 /* Shared protocol constants */
 #define MILTER_LEN_BYTES	4	/* length of 32 bit integer in bytes */
@ -121,6 +121,6 @@
 #if _FFR_MILTER_CHECK
 # define SMFIP_TEST	0x80000000L
-#endif /* _FFR_MILTER_CHECK */
+#endif
 #endif /* !_LIBMILTER_MFDEF_H */
--- a/include/libsmdb/smdb.h
+++ b/include/libsmdb/smdb.h
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999-2002 Proofpoint, Inc. and its suppliers.
+ * Copyright (c) 1999-2002, 2018 Proofpoint, Inc. and its suppliers.
 *	All rights reserved.
 *
 * By using this file, you agree to the terms and conditions set
@ -18,13 +18,13 @@
 # include <sm/gen.h>
 # include <sm/errstring.h>
-# ifdef NDBM
+# if NDBM
 #  include <ndbm.h>
-# endif /* NDBM */
+# endif
-# ifdef NEWDB
+# if NEWDB
 #  include "sm/bdb.h"
-# endif /* NEWDB */
+# endif
 /*
 **  Some size constants
@ -119,7 +119,6 @@ typedef int (*db_get_func) __P((SMDB_DATABASE *db,
 **		flags -- put options:
 **			SMDBF_NO_OVERWRITE - Return an error if key alread
 **					     exists.
 **			SMDBF_ALLOW_DUP - Allow duplicates in btree maps.
 **
 **	Returns:
 **		0 - Success, otherwise errno.
@ -190,6 +189,7 @@ struct database_struct
 	db_lockfd_func		smdb_lockfd;
 	void			*smdb_impl;
 };
 /*
 **  DB_CURSOR_CLOSE -- Close a cursor
 **
@ -244,10 +244,10 @@ typedef int (*db_cursor_get_func) __P((SMDB_CURSOR *cursor,
 **  Flags for DB_CURSOR_GET
 */
-#define SMDB_CURSOR_GET_FIRST	0
+#define SMDB_CURSOR_GET_FIRST	0	/* NOT USED by any application */
-#define SMDB_CURSOR_GET_LAST	1
+#define SMDB_CURSOR_GET_LAST	1	/* NOT USED by any application */
 #define SMDB_CURSOR_GET_NEXT	2
-#define SMDB_CURSOR_GET_RANGE	3
+#define SMDB_CURSOR_GET_RANGE	3	/* NOT USED by any application */
 /*
 **  DB_CURSOR_PUT -- Put the key/value at this cursor.
@ -313,12 +313,34 @@ typedef unsigned int SMDB_FLAG;
 # define SMDB_TYPE_DEFAULT	NULL
 # define SMDB_TYPE_DEFAULT_LEN	0
 # define SMDB_TYPE_IMPL		"implicit"
 # define SMDB_TYPE_IMPL_LEN	9
 # define SMDB_TYPE_HASH		"hash"
 # define SMDB_TYPE_HASH_LEN	5
 # define SMDB_TYPE_BTREE	"btree"
 # define SMDB_TYPE_BTREE_LEN	6
 # define SMDB_TYPE_NDBM		"dbm"
 # define SMDB_TYPE_NDBM_LEN	4
 # define SMDB_TYPE_CDB		"cdb"
 # define SMDB_TYPE_CDB_LEN	4
 # define SMDB_IS_TYPE_HASH(type)	(strncmp(type, SMDB_TYPE_HASH, SMDB_TYPE_HASH_LEN) == 0)
 # define SMDB_IS_TYPE_BTREE(type)	(strncmp(type, SMDB_TYPE_BTREE, SMDB_TYPE_BTREE_LEN) == 0)
 # define SMDB_IS_TYPE_NDBM(type)	(strncmp(type, SMDB_TYPE_NDBM, SMDB_TYPE_NDBM_LEN) == 0)
 # define SMDB_IS_TYPE_CDB(type)	(strncmp(type, SMDB_TYPE_CDB, SMDB_TYPE_CDB_LEN) == 0)
 # define SMDB_IS_TYPE_DEFAULT(t) (((t) == SMDB_TYPE_DEFAULT) \
 	|| (strncmp(type, SMDB_TYPE_IMPL, SMDB_TYPE_IMPL_LEN) == 0)	\
 	)
 # if CDB >= 2
 #  define SMCDB_FILE_EXTENSION "db"
 # else
 #  define SMCDB_FILE_EXTENSION "cdb"
 # endif
 # define SMDB1_FILE_EXTENSION "db"
 # define SMDB2_FILE_EXTENSION "db"
 # define SMNDB_DIR_FILE_EXTENSION "dir"
 /*
 **  These are flags
@ -326,26 +348,22 @@ typedef unsigned int SMDB_FLAG;
 /* Flags for put */
 # define SMDBF_NO_OVERWRITE	0x00000001
 # define SMDBF_ALLOW_DUP	0x00000002
 typedef int (smdb_open_func) __P((SMDB_DATABASE **, char *, int, int, long, SMDB_DBTYPE, SMDB_USER_INFO *, SMDB_DBPARAMS *));
 extern SMDB_DATABASE	*smdb_malloc_database __P((void));
 extern void		smdb_free_database __P((SMDB_DATABASE *));
-extern int		smdb_open_database __P((SMDB_DATABASE **, char *, int,
+extern smdb_open_func	smdb_open_database;
-						int, long, SMDB_DBTYPE,
+# if NEWDB
-						SMDB_USER_INFO *,
+extern smdb_open_func	smdb_db_open;
-						SMDB_DBPARAMS *));
+# else
-# ifdef NEWDB
+#  define smdb_db_open 	NULL
-extern int		smdb_db_open __P((SMDB_DATABASE **, char *, int, int,
+# endif
-					  long, SMDB_DBTYPE, SMDB_USER_INFO *,
+# if NDBM
-					  SMDB_DBPARAMS *));
+extern smdb_open_func	smdb_ndbm_open;
-# endif /* NEWDB */
+# else
-# ifdef NDBM
+#  define smdb_ndbm_open 	NULL
-extern int		smdb_ndbm_open __P((SMDB_DATABASE **, char *, int, int,
+# endif
 					    long, SMDB_DBTYPE,
 					    SMDB_USER_INFO *,
 					    SMDB_DBPARAMS *));
 # endif /* NDBM */
 extern int		smdb_add_extension __P((char *, int, char *, char *));
 extern int		smdb_setup_file __P((char *, char *, int, long,
 					     SMDB_USER_INFO *, struct stat *));
@ -353,8 +371,15 @@ extern int		smdb_lock_file __P((int *, char *, int, long, char *));
 extern int		smdb_unlock_file __P((int));
 extern int		smdb_filechanged __P((char *, char *, int,
 					      struct stat *));
-extern void		smdb_print_available_types __P((void));
+extern void		smdb_print_available_types __P((bool));
 extern bool		smdb_is_db_type __P((const char *));
 extern char		*smdb_db_definition __P((SMDB_DBTYPE));
 extern int		smdb_lock_map __P((SMDB_DATABASE *, int));
 extern int		smdb_unlock_map __P((SMDB_DATABASE *));
 # if CDB
 extern smdb_open_func	smdb_cdb_open;
 # else
 #  define smdb_cdb_open 	NULL
 # endif
 #endif /* ! _SMDB_H_ */
--- a/include/sendmail/pathnames.h
+++ b/include/sendmail/pathnames.h
@ -19,34 +19,34 @@
 #  ifndef _PATH_SENDMAILCF
 #   if defined(USE_VENDOR_CF_PATH) && defined(_PATH_VENDOR_CF)
 #    define _PATH_SENDMAILCF	_PATH_VENDOR_CF
-#   else /* defined(USE_VENDOR_CF_PATH) && defined(_PATH_VENDOR_CF) */
+#   else
 #    define _PATH_SENDMAILCF	"/etc/mail/sendmail.cf"
-#   endif /* defined(USE_VENDOR_CF_PATH) && defined(_PATH_VENDOR_CF) */
+#   endif
 #  endif /* ! _PATH_SENDMAILCF */
 #  ifndef _PATH_SENDMAILPID
 #   ifdef BSD4_4
 #    define _PATH_SENDMAILPID	"/var/run/sendmail.pid"
-#   else /* BSD4_4 */
+#   else
 #    define _PATH_SENDMAILPID	"/etc/mail/sendmail.pid"
-#   endif /* BSD4_4 */
+#   endif
 #  endif /* ! _PATH_SENDMAILPID */
 #  ifndef _PATH_SENDMAIL
 #   define _PATH_SENDMAIL 	"/usr/lib/sendmail"
-#  endif /* ! _PATH_SENDMAIL */
+#  endif
 #  ifndef _PATH_MAILDIR
 #   define _PATH_MAILDIR	"/var/spool/mail"
-#  endif /* ! _PATH_MAILDIR */
+#  endif
 #  ifndef _PATH_LOCTMP
 #   define _PATH_LOCTMP		"/tmp/local.XXXXXX"
-#  endif /* ! _PATH_LOCTMP */
+#  endif
 #  ifndef _PATH_HOSTS
 #   define _PATH_HOSTS		"/etc/hosts"
-#  endif /* ! _PATH_HOSTS */
+#  endif
--- a/include/sendmail/sendmail.h
+++ b/include/sendmail/sendmail.h
@ -29,7 +29,7 @@
 **********************************************************************/
 #ifndef MAXMAILERS
 # define MAXMAILERS	25	/* maximum mailers known to system */
-#endif /* ! MAXMAILERS */
+#endif
 /*
 **  Flags passed to safefile/safedirpath.
--- a/include/sm/assert.h
+++ b/include/sm/assert.h
@ -47,19 +47,19 @@ sm_abort __P((
 # ifndef SM_CHECK_ALL
 #  define SM_CHECK_ALL		1
-# endif /* ! SM_CHECK_ALL */
+# endif
 # ifndef SM_CHECK_REQUIRE
 #  define SM_CHECK_REQUIRE	SM_CHECK_ALL
-# endif /* ! SM_CHECK_REQUIRE */
+# endif
 # ifndef SM_CHECK_ENSURE
 #  define SM_CHECK_ENSURE	SM_CHECK_ALL
-# endif /* ! SM_CHECK_ENSURE */
+# endif
 # ifndef SM_CHECK_ASSERT
 #  define SM_CHECK_ASSERT	SM_CHECK_ALL
-# endif /* ! SM_CHECK_ASSERT */
+# endif
 # if SM_CHECK_REQUIRE
 #  if defined(__STDC__) || defined(__cplusplus)
--- a/include/sm/bdb.h
+++ b/include/sm/bdb.h
@ -17,7 +17,7 @@
 # include <db.h>
 # ifndef DB_VERSION_MAJOR
 #  define DB_VERSION_MAJOR 1
-# endif /* ! DB_VERSION_MAJOR */
+# endif
 # if (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR >= 1) || DB_VERSION_MAJOR >= 5
--- a/include/sm/cdefs.h
+++ b/include/sm/cdefs.h
@ -6,7 +6,7 @@
 * forth in the LICENSE file which can be found at the top level of
 * the sendmail distribution.
 *
- *	$Id: cdefs.h,v 1.17 2013-11-22 20:51:31 ca Exp $
+ *	$Id: cdefs.h,v 1.17 2013/11/22 20:51:31 ca Exp $
 */
 /*
@ -27,7 +27,7 @@
 # if SM_CONF_SYS_CDEFS_H
 #  include <sys/cdefs.h>
-# endif /* SM_CONF_SYS_CDEFS_H */
+# endif
 /*
 **  Define the standard C language portability macros
@ -86,9 +86,9 @@
 #  if __GNUC__ >= 2
 #   if __GNUC__ == 2 && __GNUC_MINOR__ < 7
 #    define SM_UNUSED(decl) decl
-#   else /* __GNUC__ == 2 && __GNUC_MINOR__ < 7 */
+#   else
 #    define SM_UNUSED(decl) decl __attribute__((__unused__))
-#   endif /* __GNUC__ == 2 && __GNUC_MINOR__ < 7 */
+#   endif
 #  else /* __GNUC__ >= 2 */
 #   define SM_UNUSED(decl) decl
 #  endif /* __GNUC__ >= 2 */
@ -112,9 +112,9 @@
 # ifdef SM_OMIT_BOGUS_WARNINGS
 #  define SM_NONVOLATILE volatile
-# else /* SM_OMIT_BOGUS_WARNINGS */
+# else
 #  define SM_NONVOLATILE
-# endif /* SM_OMIT_BOGUS_WARNINGS */
+# endif
 /*
 **  Turn on format string argument checking.
@ -131,17 +131,17 @@
 # ifndef PRINTFLIKE
 #  if SM_CONF_FORMAT_TEST
 #   define PRINTFLIKE(x,y) __attribute__ ((__format__ (__printf__, x, y)))
-#  else /* SM_CONF_FORMAT_TEST */
+#  else
 #   define PRINTFLIKE(x,y)
-#  endif /* SM_CONF_FORMAT_TEST */
+#  endif
 # endif /* ! PRINTFLIKE */
 # ifndef SCANFLIKE
 #  if SM_CONF_FORMAT_TEST
 #   define SCANFLIKE(x,y) __attribute__ ((__format__ (__scanf__, x, y)))
-#  else /* SM_CONF_FORMAT_TEST */
+#  else
 #   define SCANFLIKE(x,y)
-#  endif /* SM_CONF_FORMAT_TEST */
+#  endif
 # endif /* ! SCANFLIKE */
 #endif /* ! SM_CDEFS_H */
--- a/include/sm/clock.h
+++ b/include/sm/clock.h
@ -22,7 +22,7 @@
 # include <sm/signal.h>
 # if SM_CONF_SETITIMER
 #  include <sys/time.h>
-# endif /* SM_CONF_SETITIMER */
+# endif
 /*
 **  STRUCT SM_EVENT -- event queue.
@ -37,9 +37,9 @@ struct sm_event
 {
 # if SM_CONF_SETITIMER
 	struct timeval	ev_time;	/* time of the call (microseconds) */
-# else /* SM_CONF_SETITIMER */
+# else
 	time_t		ev_time;	/* time of the call (seconds) */
-# endif /* SM_CONF_SETITIMER */
+# endif
 	void		(*ev_func)__P((int));
 					/* function to call */
 	int		ev_arg;		/* argument to ev_func */
--- a/include/sm/conf.h
+++ b/include/sm/conf.h
--- a/include/sm/config.h
+++ b/include/sm/config.h
@ -31,9 +31,9 @@
 # ifndef SM_CONF_STDBOOL_H
 #  if !defined(__clang__) && defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L
 #   define SM_CONF_STDBOOL_H		1
-#  else /* !defined(__clang__) && defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L */
+#  else
 #   define SM_CONF_STDBOOL_H		0
-#  endif /* !defined(__clang__) && defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L */
+#  endif
 # endif /* ! SM_CONF_STDBOOL_H */
 /*
@ -42,7 +42,7 @@
 # ifndef SM_CONF_SYS_CDEFS_H
 #  define SM_CONF_SYS_CDEFS_H		0
-# endif /* ! SM_CONF_SYS_CDEFS_H */
+# endif
 /*
 **  SM_CONF_STDDEF_H is 1 if <stddef.h> exists
@ -50,7 +50,7 @@
 # ifndef SM_CONF_STDDEF_H
 #  define SM_CONF_STDDEF_H		1
-# endif /* ! SM_CONF_STDDEF_H */
+# endif
 /*
 **  Configuration macro that specifies whether strlcpy/strlcat are available.
@ -60,7 +60,7 @@
 # ifndef SM_CONF_STRL
 #  define SM_CONF_STRL			0
-# endif /* ! SM_CONF_STRL */
+# endif
 /*
 **  Configuration macro indicating that setitimer is available
@ -68,7 +68,7 @@
 # ifndef SM_CONF_SETITIMER
 #  define SM_CONF_SETITIMER		1
-# endif /* ! SM_CONF_SETITIMER */
+# endif
 /*
 **  Does <sys/types.h> define uid_t and gid_t?
@ -76,14 +76,14 @@
 # ifndef SM_CONF_UID_GID
 #  define SM_CONF_UID_GID		1
-# endif /* ! SM_CONF_UID_GID */
+# endif
 /*
 **  Does <sys/types.h> define ssize_t?
 */
 # ifndef SM_CONF_SSIZE_T
 #  define SM_CONF_SSIZE_T		1
-# endif /* ! SM_CONF_SSIZE_T */
+# endif
 /*
 **  Does the C compiler support long long?
@ -95,9 +95,9 @@
 #  else /* defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L */
 #   if defined(__GNUC__)
 #    define SM_CONF_LONGLONG		1
-#   else /* defined(__GNUC__) */
+#   else
 #    define SM_CONF_LONGLONG		0
-#   endif /* defined(__GNUC__) */
+#   endif
 #  endif /* defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L */
 # endif /* ! SM_CONF_LONGLONG */
@ -108,7 +108,7 @@
 # ifndef SM_CONF_QUAD_T
 #  define SM_CONF_QUAD_T		0
-# endif /* ! SM_CONF_QUAD_T */
+# endif
 /*
 **  Configuration macro indicating that shared memory is available
@ -116,7 +116,7 @@
 # ifndef SM_CONF_SHM
 #  define SM_CONF_SHM		0
-# endif /* ! SM_CONF_SHM */
+# endif
 /*
 **  Does <setjmp.h> define sigsetjmp?
@ -124,7 +124,7 @@
 # ifndef SM_CONF_SIGSETJMP
 #  define SM_CONF_SIGSETJMP	1
-# endif /* ! SM_CONF_SIGSETJMP */
+# endif
 /*
 **  Does <sysexits.h> exist, and define the EX_* macros with values
@ -133,17 +133,17 @@
 # ifndef SM_CONF_SYSEXITS_H
 #  define SM_CONF_SYSEXITS_H	0
-# endif /* ! SM_CONF_SYSEXITS_H */
+# endif
 /* has memchr() prototype? (if not: needs memory.h) */
 # ifndef SM_CONF_MEMCHR
 #  define SM_CONF_MEMCHR	1
-# endif /* ! SM_CONF_MEMCHR */
+# endif
 /* try LLONG tests in libsm/t-types.c? */
 # ifndef SM_CONF_TEST_LLONG
 #  define SM_CONF_TEST_LLONG	1
-# endif /* !SM_CONF_TEST_LLONG */
+# endif
 /* LDAP Checks */
 # if LDAPMAP
@ -161,9 +161,9 @@
 #   if USING_NETSCAPE_LDAP || LDAP_API_VERSION >= 2004
 #    define SM_CONF_LDAP_MEMFREE	1
-#   else /* USING_NETSCAPE_LDAP || LDAP_API_VERSION >= 2004 */
+#   else
 #    define SM_CONF_LDAP_MEMFREE	0
-#   endif /* USING_NETSCAPE_LDAP || LDAP_API_VERSION >= 2004 */
+#   endif
 #  endif /* ! SM_CONF_LDAP_MEMFREE */
 /* Does the LDAP library have ldap_initialize()? */
@ -177,13 +177,13 @@
 /* OpenLDAP does it with LDAP_OPT_URI */
 #   ifdef LDAP_OPT_URI
 #    define SM_CONF_LDAP_INITIALIZE	1
-#   endif /* LDAP_OPT_URI */
+#   endif
 #  endif /* !SM_CONF_LDAP_INITIALIZE */
 # endif /* LDAPMAP */
 /* don't use strcpy() */
 # ifndef DO_NOT_USE_STRCPY
 #  define DO_NOT_USE_STRCPY	1
-# endif /* ! DO_NOT_USE_STRCPY */
+# endif
 #endif /* ! SM_CONFIG_H */
--- a/include/sm/debug.h
+++ b/include/sm/debug.h
@ -94,7 +94,7 @@ struct sm_debug
 # ifndef SM_DEBUG_CHECK
 #  define SM_DEBUG_CHECK 1
-# endif /* ! SM_DEBUG_CHECK */
+# endif
 # if SM_DEBUG_CHECK
 /*
--- a/include/sm/errstring.h
+++ b/include/sm/errstring.h
@ -18,12 +18,12 @@
 #if defined(__QNX__)
 # define E_PSEUDOBASE	512
-#endif /* defined(__QNX__) */
+#endif
 #include <errno.h>
 #if NEEDINTERRNO
 extern int errno;
-#endif /* NEEDINTERRNO */
+#endif
 /*
 **  These are used in a few cases where we need some special
@ -33,7 +33,7 @@ extern int errno;
 #ifndef E_PSEUDOBASE
 # define E_PSEUDOBASE	256
-#endif /* ! E_PSEUDOBASE */
+#endif
 #define E_SM_OPENTIMEOUT (E_PSEUDOBASE + 0)	/* Timeout on file open */
 #define E_SM_NOSLINK	(E_PSEUDOBASE + 1)	/* Symbolic links not allowed */
@ -88,7 +88,6 @@ extern int errno;
 #define SMDBE_OLD_VERSION		(E_SMDBBASE + 23)
 #define SMDBE_VERSION_MISMATCH		(E_SMDBBASE + 24)
-extern const char *sm_errstring __P((int _errno));
+extern const char *sm_errstring __P((int _errnum));
 #endif /* SM_ERRSTRING_H */
--- a/include/sm/gen.h
+++ b/include/sm/gen.h
@ -43,7 +43,7 @@
 # else /* SM_CONF_STDDEF_H */
 #  ifndef NULL
 #   define NULL	0
-#  endif /* ! NULL */
+#  endif
 #  define offsetof(type, member)	((size_t)(&((type *)0)->member))
 # endif /* SM_CONF_STDDEF_H */
--- a/include/sm/heap.h
+++ b/include/sm/heap.h
@ -25,7 +25,7 @@
 /* change default to 0 for production? */
 # ifndef SM_HEAP_CHECK
 #  define SM_HEAP_CHECK		1
-# endif /* ! SM_HEAP_CHECK */
+# endif
 # if SM_HEAP_CHECK
 #  define sm_malloc_x(sz) sm_malloc_tagged_x(sz, __FILE__, __LINE__, SmHeapGroup)
--- a/include/sm/io.h
+++ b/include/sm/io.h
@ -53,7 +53,7 @@
 #define SM_IO_WHAT_MODE		1
 #define SM_IO_WHAT_VECTORS	2
 #define SM_IO_WHAT_FD		3
-#define SM_IO_WHAT_TYPE		4
+/* was WHAT_TYPE		4 unused */
 #define SM_IO_WHAT_ISTYPE	5
 #define SM_IO_IS_READABLE	6
 #define SM_IO_WHAT_TIMEOUT	7
@ -342,7 +342,7 @@ __END_DECLS
 __BEGIN_DECLS
 int	sm_rget __P((SM_FILE_T *, int));
 int	sm_vfscanf __P((SM_FILE_T *, int SM_NONVOLATILE, const char *,
-			va_list SM_NONVOLATILE));
+			va_list));
 int	sm_wbuf __P((SM_FILE_T *, int, int));
 __END_DECLS
@ -383,7 +383,7 @@ __END_DECLS
 # ifndef _POSIX_SOURCE
 #  define sm_io_getc(fp, t)	sm_getc(fp, t)
 #  define sm_io_putc(fp, t, x)	sm_putc(fp, t, x)
-# endif /* _POSIX_SOURCE */
+# endif
 #endif /* lint */
 #endif /* SM_IO_H */
--- a/include/sm/ldap.h
+++ b/include/sm/ldap.h
@ -22,13 +22,13 @@
 # ifndef LDAPMAP_MAX_ATTR
 #  define LDAPMAP_MAX_ATTR	64
-# endif /* ! LDAPMAP_MAX_ATTR */
+# endif
 # ifndef LDAPMAP_MAX_FILTER
 #  define LDAPMAP_MAX_FILTER	1024
-# endif /* ! LDAPMAP_MAX_FILTER */
+# endif
 # ifndef LDAPMAP_MAX_PASSWD
 #  define LDAPMAP_MAX_PASSWD	256
-# endif /* ! LDAPMAP_MAX_PASSWD */
+# endif
 # if LDAPMAP
@ -91,9 +91,12 @@ struct sm_ldap_struct
 	/* ldapmap_lookup options */
 	char		ldap_attrsep;
-# if _FFR_LDAP_NETWORK_TIMEOUT
+#  if LDAP_NETWORK_TIMEOUT
 	int		ldap_networktmo;
-# endif /* _FFR_LDAP_NETWORK_TIMEOUT */
+#  endif
 #  if _FFR_SM_LDAP_DBG
 	int		ldap_debug;
 #  endif
 	/* Linked list of maps sharing the same LDAP binding */
 	void		*ldap_next;
@ -135,7 +138,7 @@ extern void	sm_ldap_close __P((SM_LDAP_STRUCT *));
 /* Portability defines */
 #  if !SM_CONF_LDAP_MEMFREE
 #   define ldap_memfree(x)	((void) 0)
-#  endif /* !SM_CONF_LDAP_MEMFREE */
+#  endif
 # endif /* LDAPMAP */
 #endif /* ! SM_LDAP_H */
--- a/include/sm/limits.h
+++ b/include/sm/limits.h
@ -31,13 +31,13 @@
 # ifndef LLONG_MIN
 #  define LLONG_MIN	((LONGLONG_T)(~(ULLONG_MAX >> 1)))
-# endif /* ! LLONG_MIN */
+# endif
 # ifndef LLONG_MAX
 #  define LLONG_MAX	((LONGLONG_T)(ULLONG_MAX >> 1))
-# endif /* ! LLONG_MAX */
+# endif
 # ifndef ULLONG_MAX
 #  define ULLONG_MAX	((ULONGLONG_T)(-1))
-# endif /* ! ULLONG_MAX */
+# endif
 /*
 **  PATH_MAX is defined by the POSIX standard.  All modern systems
@ -47,9 +47,9 @@
 # ifndef PATH_MAX
 #  ifdef MAXPATHLEN
 #   define PATH_MAX	MAXPATHLEN
-#  else /* MAXPATHLEN */
+#  else
 #   define PATH_MAX	2048
-#  endif /* MAXPATHLEN */
+#  endif
 # endif /* ! PATH_MAX */
 #endif /* ! SM_LIMITS_H */
--- a/include/sm/notify.h
+++ b/include/sm/notify.h
@ -0,0 +1,19 @@
 /*
 * Copyright (c) 2016 Proofpoint, Inc. and its suppliers.
 *      All rights reserved.
 *
 * By using this file, you agree to the terms and conditions set
 * forth in the LICENSE file which can be found at the top level of
 * the sendmail distribution.
 */
 #ifndef SM_NOTIFY_H
 #define SM_NOTIFY_H
 int sm_notify_init __P((int));
 int sm_notify_start __P((bool, int));
 int sm_notify_stop __P((bool, int));
 int sm_notify_rcv __P((char *, size_t, int));
 int sm_notify_snd __P((char *, size_t));
 #endif /* ! SM_MSG_H */
--- a/include/sm/os/sm_os_freebsd.h
+++ b/include/sm/os/sm_os_freebsd.h
@ -1,12 +1,10 @@
 /*
- * Copyright (c) 2000-2001 Proofpoint, Inc. and its suppliers.
+ * Copyright (c) 2000-2001, 2018 Proofpoint, Inc. and its suppliers.
 *	All rights reserved.
 *
 * By using this file, you agree to the terms and conditions set
 * forth in the LICENSE file which can be found at the top level of
 * the sendmail distribution.
 *
 *	$Id: sm_os_freebsd.h,v 1.12 2013-11-22 20:51:34 ca Exp $
 */
 /*
@ -32,10 +30,14 @@
 #ifndef SM_CONF_SHM
 # define SM_CONF_SHM	1
-#endif /* SM_CONF_SHM */
+#endif
 #ifndef SM_CONF_SEM
-# define SM_CONF_SEM	1
+# if __FreeBSD__ > 11
-#endif /* SM_CONF_SEM */
+#  define SM_CONF_SEM	2 /* union semun is now longer available by default */
 # else
 #  define SM_CONF_SEM	1
 # endif
 #endif
 #ifndef SM_CONF_MSG
 # define SM_CONF_MSG	1
-#endif /* SM_CONF_MSG */
+#endif
--- a/include/sm/rpool.h
+++ b/include/sm/rpool.h
@ -123,7 +123,7 @@ typedef struct
 #if _FFR_PERF_RPOOL
 	int	sm_nbigblocks;
 	int	sm_npools;
-#endif /* _FFR_PERF_RPOOL */
+#endif
 } SM_RPOOL_T;
@ -167,10 +167,10 @@ sm_rpool_malloc __P((
 #if DO_NOT_USE_STRCPY
 extern char *sm_rpool_strdup_x __P((SM_RPOOL_T *rpool, const char *s));
-#else /* DO_NOT_USE_STRCPY */
+#else
 # define sm_rpool_strdup_x(rpool, str) \
 	strcpy(sm_rpool_malloc_x(rpool, strlen(str) + 1), str)
-#endif /* DO_NOT_USE_STRCPY */
+#endif
 extern SM_RPOOL_ATTACH_T
 sm_rpool_attach_x __P((
--- a/include/sm/sem.h
+++ b/include/sm/sem.h
@ -35,10 +35,10 @@ union semun
 # ifndef SEM_A
 #  define SEM_A	0200
-# endif /* SEM_A */
+# endif
 # ifndef SEM_R
 #  define SEM_R	0400
-# endif /* SEM_R */
+# endif
 # define SM_NSEM	1
--- a/include/sm/shm.h
+++ b/include/sm/shm.h
@ -34,10 +34,10 @@ extern int sm_shmsetowner __P((int, uid_t, gid_t, mode_t));
 /* for those braindead systems... (e.g., SunOS 4) */
 #  ifndef SHM_R
 #   define SHM_R       0400
-#  endif /* SHM_R */
+#  endif
 #  ifndef SHM_W
 #   define SHM_W       0200
-#  endif /* SHM_W */
+#  endif
 # endif /* SM_CONF_SHM */
 #endif /* ! SM_SHM_H */
--- a/include/sm/string.h
+++ b/include/sm/string.h
@ -30,7 +30,7 @@ extern bool
 sm_match __P((const char *_str, const char *_pattern));
 extern char *
-sm_strdup __P((char *));
+sm_strdup __P((const char *));
 extern char *
 sm_strndup_x __P((const char *_str, size_t _len));
@ -87,7 +87,7 @@ sm_strlcpyn __P((char *,
 # if !HASSTRERROR
 extern char *
 strerror __P((int _errno));
-# endif /* !HASSTRERROR */
+# endif
 extern int
 sm_strrevcmp __P((const char *, const char *));
@ -109,5 +109,7 @@ sm_strtoull __P((const char *, char**, int));
 extern void
 stripquotes __P((char *));
 extern void
 unfoldstripquotes __P((char *));
 #endif /* SM_STRING_H */
--- a/include/sm/test.h
+++ b/include/sm/test.h
@ -20,9 +20,9 @@
 # if defined(__STDC__) || defined(__cplusplus)
 #  define SM_TEST(cond) sm_test(cond, #cond, __FILE__, __LINE__)
-# else /* defined(__STDC__) || defined(__cplusplus) */
+# else
 #  define SM_TEST(cond) sm_test(cond, "cond", __FILE__, __LINE__)
-# endif /* defined(__STDC__) || defined(__cplusplus) */
+# endif
 extern int SmTestIndex;
 extern int SmTestNumErrors;
--- a/include/sm/types.h
+++ b/include/sm/types.h
@ -38,11 +38,11 @@
 # if !SM_CONF_UID_GID
 #  define uid_t		int
 #  define gid_t		int
-# endif /* !SM_CONF_UID_GID */
+# endif
 # if !SM_CONF_SSIZE_T
 #  define ssize_t	int
-# endif /* !SM_CONF_SSIZE_T */
+# endif
 /*
 **  Define LONGLONG_T and ULONGLONG_T, which are portable locutions
--- a/include/sm/varargs.h
+++ b/include/sm/varargs.h
@ -32,6 +32,11 @@
 #  define SM_VA_COPY(dst, src)	__va_copy((dst), (src))
 # else
 #  define SM_VA_COPY(dst, src)	memcpy(&(dst), &(src), sizeof((dst)))
 #  define SM_VA_END_COPY(ap)	do { } while (0)
 # endif
 # ifndef SM_VA_END_COPY
 #  define SM_VA_END_COPY(ap)	va_end(ap)
 # endif
 /*
--- a/include/sm/xtrap.h
+++ b/include/sm/xtrap.h
@ -25,9 +25,9 @@ extern SM_DEBUG_T SmXtrapReport;
 # if SM_DEBUG_CHECK
 #  define sm_xtrap_check() (++SmXtrapCount == sm_debug_level(&SmXtrapDebug))
-# else /* SM_DEBUG_CHECK */
+# else
 #  define sm_xtrap_check() (0)
-# endif /* SM_DEBUG_CHECK */
+# endif
 # define sm_xtrap_raise_x(exc) \
 		if (sm_xtrap_check()) \
--- a/libmilter/Makefile
+++ b/libmilter/Makefile
@ -6,10 +6,10 @@ OPTIONS= $(CONFIG) $(FLAGS)
 all: FRC
 	$(SHELL) $(BUILD) $(OPTIONS) $@
 check: FRC
 	$(SHELL) $(BUILD) $(OPTIONS) $@
 clean: FRC
 	$(SHELL) $(BUILD) $(OPTIONS) $@
 check: FRC
 	$(SHELL) $(BUILD) $(OPTIONS) $@
 install: FRC
 	$(SHELL) $(BUILD) $(OPTIONS) $@
--- a/libmilter/README
+++ b/libmilter/README
@ -115,7 +115,7 @@ T=C:5m;S:10s;R:10s;E:5m
 where 's' is seconds and 'm' is minutes.
-Which filters are invoked and their sequencing is handled by the 
+Which filters are invoked and their sequencing is handled by the
 InputMailFilters option. Note: if InputMailFilters is not defined no filters
 will be used.
@ -207,28 +207,19 @@ libmilter requires pthread support in the operating system.  Moreover, it
 requires that the library functions it uses are thread safe; which is true
 for the operating systems libmilter has been developed and tested on.  On
 some operating systems this requires special compile time options (e.g.,
-not just -pthread).  libmilter is currently known to work on (modulo problems
+not just -pthread).
 in the pthread support of some specific versions):
 FreeBSD 3.x, 4.x
 SunOS 5.x (x >= 5)
 AIX 4.3.x
 HP UX 11.x
 Linux (recent versions/distributions)
 libmilter is currently not supported on:
 So far, libmilter is not supported on:
 IRIX 6.x
 Ultrix
 Feedback about problems (and possible fixes) is welcome.
 +--------------------------+
 | SOURCE FOR SAMPLE FILTER |
 +--------------------------+
 Note that the filter example.c may not be thread safe on some operating
 systems.  You should check your system man pages for the functions used
-below to verify the functions are thread safe.
+to verify they are thread safe.
 $Revision: 8.42 $, Last updated $Date: 2006-06-29 17:10:16 $
--- a/libmilter/comm.c
+++ b/libmilter/comm.c
@ -139,9 +139,9 @@ mi_rd_cmd(sd, timeout, cmd, rlen, name)
 	}
 #if _FFR_ADD_NULL
 	buf = malloc(expl + 1);
-#else /* _FFR_ADD_NULL */
+#else
 	buf = malloc(expl);
-#endif /* _FFR_ADD_NULL */
+#endif
 	if (buf == NULL)
 	{
 		*cmd = SMFIC_MALLOC;
@ -194,7 +194,7 @@ mi_rd_cmd(sd, timeout, cmd, rlen, name)
 #if _FFR_ADD_NULL
 			/* makes life simpler for common string routines */
 			buf[expl] = '\0';
-#endif /* _FFR_ADD_NULL */
+#endif
 			return buf;
 		}
 		i += len;
--- a/libmilter/docs/api.html
+++ b/libmilter/docs/api.html
@ -15,7 +15,7 @@ $Id: api.html,v 1.39 2013-11-22 20:51:39 ca Exp $
    <LI><A HREF="#Miscellaneous">Miscellaneous</A>
 </UL>
-<H2><A NAME="LibraryControlFunctions">Library Control Functions</A></H2> 
+<H2><A NAME="LibraryControlFunctions">Library Control Functions</A></H2>
 Before handing control to libmilter (by calling
 <A HREF="smfi_main.html">smfi_main</A>), a filter may call the following
@ -23,11 +23,12 @@ functions to set libmilter parameters.
 In particular, the filter must call
 <A HREF="smfi_register.html">smfi_register</A> to register its callbacks.
 Each function will return either MI_SUCCESS or MI_FAILURE to
-indicate the status of the operation.  
+indicate the status of the operation.
 <P>
-None of these functions communicate with the MTA.  All alter the
+None of these functions communicate with the MTA.
-library's state, some of which is communicated to the MTA inside
+All alter the library's state, some of which
 is communicated to the MTA inside
 <A HREF="smfi_main.html">smfi_main</A>.
 <P>
@ -54,7 +55,7 @@ library's state, some of which is communicated to the MTA inside
 <H2><A NAME="DataAccessFunctions">Data Access Functions</A></H2>
 The following functions may be called from within the filter-defined callbacks
-to access information about the current connection or message.  
+to access information about the current connection or message.
 <P>
 <TABLE BORDER="1" CELLSPACING=0 CELLPADDING=2><TR bgcolor="#dddddd"><TH>Function</TH><TH>Description</TH></TR>
 <TR><TD><A HREF="smfi_getsymval.html">smfi_getsymval</A></TD><TD>Return the value
@ -80,33 +81,38 @@ The following functions change a message's contents and attributes.
 <EM>They may only be called in <A HREF="xxfi_eom.html">xxfi_eom</A></EM>.
 All of these functions may invoke additional communication with the MTA.
 They will return either MI_SUCCESS or MI_FAILURE to indicate the status of
-the operation.  Message data (senders, recipients, headers, body chunks)
+the operation.
 Message data (senders, recipients, headers, body chunks)
 passed to these functions via parameters is copied and does not need to be
 preserved (i.e., allocated memory can be freed).
 <P>
-A filter must have set the appropriate flag (listed below) in the
+A filter which might call a message modification function
-description passed to <A HREF="smfi_register.html">smfi_register</A>
+must set the appropriate flag
-to call any message modification function.  Failure to do so will
+(<A HREF="#SMFIF">listed below</A>),
-cause the MTA to treat a call to the function as a failure of the
+either
-filter, terminating its connection.
+in the description passed to <A HREF="smfi_register.html">smfi_register</A>
 or via <A HREF="xxfi_negotiate.html">xxfi_negotiate</A>.
 Failure to do so will cause the MTA to treat a call to the function
 as a failure of the filter, terminating its connection.
 <P>
 Note that the status returned indicates only whether or not the
 filter's message was successfully sent to the MTA, not whether or not
-the MTA performed the requested operation.  For example,
+the MTA performed the requested operation.
 For example,
 <A HREF="smfi_addheader.html">smfi_addheader</A>, when called with an
 illegal header name, will return MI_SUCCESS even though the MTA may
 later refuse to add the illegal header.
 <P>
-<TABLE BORDER="1" CELLSPACING=0 CELLPADDING=2><TR BGCOLOR="#dddddd"><TH>Function</TH><TH>Description</TH><TH>SMFIF_* flag</TR>
+<TABLE BORDER="1" CELLSPACING=0 CELLPADDING=2><TR BGCOLOR="#dddddd"><TH>Function</TH><TH>Description</TH><TH><A NAME="SMFIF">SMFIF_* flag</A></TH></TR>
 <TR><TD><A HREF="smfi_addheader.html">smfi_addheader</A></TD><TD>Add a header to
-the message.</TD><TD>SMFIF_ADDHDRS</TD></TR> 
+the message.</TD><TD>SMFIF_ADDHDRS</TD></TR>
-<TR><TD><A HREF="smfi_chgheader.html">smfi_chgheader</A></TD><TD>Change or delete a header.</TD><TD>SMFIF_CHGHDRS</TD></TR> 
+<TR><TD><A HREF="smfi_chgheader.html">smfi_chgheader</A></TD><TD>Change or delete a header.</TD><TD>SMFIF_CHGHDRS</TD></TR>
 <TR><TD><A HREF="smfi_insheader.html">smfi_insheader</A></TD><TD>Insert a
-header into the message.</TD><TD>SMFIF_ADDHDRS</TD></TR> 
+header into the message.</TD><TD>SMFIF_ADDHDRS</TD></TR>
 <TR><TD><A HREF="smfi_chgfrom.html">smfi_chgfrom</A></TD><TD>Change the
 envelope sender address.</TD><TD>SMFIF_CHGFROM</TD></TR>
@ -180,40 +186,43 @@ which are registered via <A HREF="smfi_register.html">smfi_register</A>:
 <TR><TD><A HREF="xxfi_close.html">xxfi_close</A></TD><TD>connection cleanup</TD></TR>
-<TR><TD><A HREF="xxfi_negotiate.html">xxfi_negotiate</A></TD><TD>option negotiattion</TD></TR>
+<TR><TD><A HREF="xxfi_negotiate.html">xxfi_negotiate</A></TD><TD>option negotiation</TD></TR>
 </TABLE>
 <P>
 The above callbacks should all return one of the following return values,
-having the indicated meanings.  Any return other than one of the below
+having the indicated meanings.
-values constitutes an error, and will cause sendmail to terminate its
+Any return other than one of the below values constitutes an error,
-connection to the offending filter.
+and will cause sendmail to terminate its connection to the offending filter.
 <P><A NAME="conn-spec">Milter</A> distinguishes between recipient-,
-message-, and connection-oriented routines.  Recipient-oriented
+message-, and connection-oriented routines.
-callbacks may affect the processing of a single message recipient;
+Recipient-oriented callbacks may affect the processing
-message-oriented callbacks, a single message; connection-oriented
+of a single message recipient;
-callbacks, an entire connection (during which multiple messages may be
+message-oriented callbacks, a single message;
-delivered to multiple sets of recipients).
+connection-oriented callbacks, an entire connection
 (during which multiple messages may be delivered
 to multiple sets of recipients).
 <A HREF="xxfi_envrcpt.html">xxfi_envrcpt</A> is recipient-oriented.
 <A HREF="xxfi_negotiate.html">xxfi_negotiate</A>,
 <A HREF="xxfi_connect.html">xxfi_connect</A>,
 <A HREF="xxfi_helo.html">xxfi_helo</A> and
-<A HREF="xxfi_close.html">xxfi_close</A> are connection-oriented.  All
+<A HREF="xxfi_close.html">xxfi_close</A> are connection-oriented.
-other callbacks are message-oriented.
+All other callbacks are message-oriented.
 <P>
 <TABLE BORDER="1" CELLSPACING=0 CELLPADDING=2>
  <TR BGCOLOR="#dddddd"><TH>Return value</TH><TH>Description</TH></TR>
  <TR VALIGN="TOP">
-     <TD>SMFIS_CONTINUE</TD> 
+     <TD>SMFIS_CONTINUE</TD>
     <TD>Continue processing the current connection, message, or recipient.
     </TD>
  </TR>
  <TR VALIGN="TOP">
     <TD>SMFIS_REJECT</TD>
     <TD>For a connection-oriented routine, reject this connection; call <A HREF="xxfi_close.html">xxfi_close</A>.<BR>
-        For a message-oriented routine (except 
+        For a message-oriented routine (except
        <A HREF="xxfi_abort.html">xxfi_abort</A>), reject this message.<BR>
 	For a recipient-oriented routine, reject the current recipient (but continue processing the current message).
     </TD>
@ -233,8 +242,8 @@ other callbacks are message-oriented.
  <TR valign="top">
     <TD>SMFIS_TEMPFAIL</TD>
     <TD>Return a temporary failure, i.e., the corresponding SMTP command will return an appropriate 4xx status code.
-	 For a message-oriented routine (except <A HREF="xxfi_envfrom.html">xxfi_envfrom</A>), fail for this message. <BR>
+	 For a message-oriented routine (except <A HREF="xxfi_envfrom.html">xxfi_envfrom</A>), fail for this message.<BR>
-	 For a connection-oriented routine, fail for this connection; call <A HREF="xxfi_close.html">xxfi_close</A>. <BR>
+	 For a connection-oriented routine, fail for this connection; call <A HREF="xxfi_close.html">xxfi_close</A>.<BR>
 	 For a recipient-oriented routine, only fail for the current recipient; continue message processing.
     </TD>
  </TR>
--- a/libmilter/docs/design.html
+++ b/libmilter/docs/design.html
@ -31,11 +31,15 @@ administrator to combine multiple independently-developed filters.
 <P>
 We expect to see both vendor-supplied, configurable mail filtering
 applications and a multiplicity of script-like filters designed by and
-for MTA administrators.  A certain degree of coding sophistication and
+for MTA administrators.
-domain knowledge on the part of the filter provider is assumed.  This
+A certain degree of coding sophistication and
-allows filters to exercise fine-grained control at the SMTP level.
+domain knowledge on the part of the filter provider is assumed.
 This allows filters to exercise fine-grained control at the SMTP level.
 However, as will be seen in the example, many filtering applications
-can be written with relatively little protocol knowledge.
+can be written with relatively little protocol knowledge,
 but a basic understanding (e.g., as documented in RFC 5321:
 <EM>The dialog is purposely lock-step, one-at-a-time</EM>)
 is necessary.
 <P>
 Given these expectations, the API is designed to achieve the following
--- a/libmilter/docs/index.html
+++ b/libmilter/docs/index.html
@ -10,7 +10,7 @@ $Id: index.html,v 1.14 2013-11-22 20:51:39 ca Exp $
 <H1>Filtering Mail with Sendmail</H1>
 <!--
-<P><B>Disclaimer</B>: 
+<P><B>Disclaimer</B>:
 This preliminary API description is provided for review only.  This
 specification may change based on feedback from reviewers, and does
 not bind Sendmail to offer this functionality in any release.
--- a/libmilter/docs/installation.html
+++ b/libmilter/docs/installation.html
@ -17,7 +17,7 @@ $Id: installation.html,v 1.24 2013-11-22 20:51:39 ca Exp $
 To compile a filter, modify the Makefile provided with the sample program, or:
 <UL>
    <LI>Put the include and Sendmail directories in your include path
-    (e.g. -I/path/to/include -I/path/to/sendmail).  
+    (e.g. -I/path/to/include -I/path/to/sendmail).
    <LI>Make sure libmilter.a is in your library path, and link your
    application with it (e.g. "-lmilter").
@ -71,7 +71,7 @@ connection.
 The MTA will try to contact the filter again on each new connection.
 <P>
-There are three fields inside of the <CODE>T=</CODE> equate: S, R, and E.
+There are four fields inside of the <CODE>T=</CODE> equate: C, S, R, and E.
 Note the separator between each is a ";" (semicolon), as ","
 (comma) already separates equates.
 The value of each field is a decimal number followed by a single letter
--- a/libmilter/docs/overview.html
+++ b/libmilter/docs/overview.html
@ -59,6 +59,8 @@ returns to <CODE>MESSAGE</CODE>.
 <PRE>
 For each of N connections
 {
 	For each filter
 		egotiate MTA/milter capabilities/requirements (<A HREF="xxfi_negotiate.html">xxfi_negotiate</A>)
 	For each filter
 		process connection (<A HREF="xxfi_connect.html">xxfi_connect</A>)
 	For each filter
@ -203,11 +205,21 @@ communication with the MTA happens.
 Filters are not terminated asynchronously
 (except by signals that can't be caught).
 In the case of <TT>Abort</TT> the
-<A HREF="xxfi_abort.html">xxfi_abort</A> callback is invoked.
+<A HREF="xxfi_abort.html">xxfi_abort</A> callback is usually invoked
 if there is an active transaction.
 However, if an invoked callback takes too long to execute
 (the maximum time <TT>Abort</TT> waits is currently 5s)
 <!-- XREF: MI_CHK_TIME -->
 then the filter is simply terminated, i.e.,
 neither the
 <A HREF="xxfi_abort.html">xxfi_abort</A> callback
 nor the
 <A HREF="xxfi_close.html">xxfi_close</A> callback
 is invoked.
 <HR size="1">
 <FONT size="-1">
-Copyright (c) 2000, 2001, 2003, 2006 Proofpoint, Inc. and its suppliers.
+Copyright (c) 2000, 2001, 2003, 2006, 2018 Proofpoint, Inc. and its suppliers.
 All rights reserved.
 <BR>
 By using this file, you agree to the terms and conditions set
--- a/libmilter/docs/sample.html
+++ b/libmilter/docs/sample.html
@ -187,7 +187,7 @@ sfsistat
 		++argc;
 	/* log this recipient */
-	if (reject != NULL && rcptaddr != NULL &&
+	if (reject != NULL &amp;&amp; rcptaddr != NULL &amp;&amp;
 	    (strcasecmp(rcptaddr, reject) == 0))
 	{
 		if (fprintf(priv-&gt;mlfi_fp, "RCPT %s -- REJECTED\n",
@ -298,7 +298,7 @@ mlfi_cleanup(ctx, ok)
 		return rstat;
 	/* close the archive file */
-	if (priv-&gt;mlfi_fp != NULL && fclose(priv-&gt;mlfi_fp) == EOF)
+	if (priv-&gt;mlfi_fp != NULL &amp;&amp; fclose(priv-&gt;mlfi_fp) == EOF)
 	{
 		/* failed; we have to wait until later */
 		fprintf(stderr, "Couldn't close archive file %s: %s\n",
--- a/libmilter/docs/smfi_addheader.html
+++ b/libmilter/docs/smfi_addheader.html
@ -32,6 +32,7 @@ Add a header to the current message.
 <TD>Adds a header to the current message.</TD>
 </TR>
 </TABLE>
 </TD></TR>
 <!----------- Arguments ---------->
 <TR><TH valign="top" align=left>ARGUMENTS</TH><TD>
@ -45,21 +46,21 @@ Add a header to the current message.
 	</TD></TR>
    <TR valign="top"><TD>headerv</TD>
 	<TD>The header value to be added, a non-NULL, null-terminated string.
-	This may be the empty string.  
+	This may be the empty string.
 	</TD></TR>
    </TABLE>
 </TD></TR>
 <!----------- Return values ---------->
 <TR>
-<TH valign="top" align=left>RETURN VALUES</TH> 
+<TH valign="top" align=left>RETURN VALUES</TH>
 <TD>smfi_addheader returns MI_FAILURE if:
 <UL><LI>headerf or headerv is NULL.
    <LI>Adding headers in the current connection state is invalid.
    <LI>Memory allocation fails.
    <LI>A network error occurs.
-    <LI>SMFIF_ADDHDRS was not set when <A href="smfi_register.html">smfi_register</A> was called.
+    <LI><A HREF="smfi_register.html#SMFIF_ADDHDRS">SMFIF_ADDHDRS</A> is not set.
 </UL>
 Otherwise, it returns MI_SUCCESS.
 </TD>
@ -67,14 +68,13 @@ Otherwise, it returns MI_SUCCESS.
 <!----------- Notes ---------->
 <TR align="left" valign=top>
-<TH>NOTES</TH> 
+<TH>NOTES</TH>
 <TD>
 <UL><LI>smfi_addheader does not change a message's existing headers.
 To change a header's current value, use
 <A HREF="smfi_chgheader.html">smfi_chgheader</A>.
-    <LI>A filter which calls smfi_addheader must have set the SMFIF_ADDHDRS
+    <LI>A filter which calls smfi_addheader must have set the
-	flag in the smfiDesc_str passed to
+        <A HREF="smfi_register.html#SMFIF_ADDHDRS">SMFIF_ADDHDRS</A> flag.
 	<A href="smfi_register.html">smfi_register</A>.
    <LI>For smfi_addheader, filter order is important.
 	<B>Later filters will see the header changes made by earlier ones.</B>
    <LI>Neither the name nor the value of the header is checked for
@ -101,7 +101,7 @@ To change a header's current value, use
 <!----------- Example code ---------->
 <TR>
-<TH valign="top" align=left>EXAMPLE</TH> 
+<TH valign="top" align=left>EXAMPLE</TH>
 <TD>
 <PRE>
--- a/libmilter/docs/smfi_addrcpt.html
+++ b/libmilter/docs/smfi_addrcpt.html
@ -31,6 +31,7 @@ Add a recipient for the current message.
 <TD>Add a recipient to the message envelope.</TD>
 </TR>
 </TABLE>
 </TD></TR>
 <!----------- Arguments ---------->
 <TR><TH valign="top" align=left>ARGUMENTS</TH><TD>
@ -47,13 +48,13 @@ Add a recipient for the current message.
 <!----------- Return values ---------->
 <TR>
-<TH valign="top" align=left>RETURN VALUES</TH> 
+<TH valign="top" align=left>RETURN VALUES</TH>
 <TD>smfi_addrcpt will fail and return MI_FAILURE if:
 <UL><LI>rcpt is NULL.
    <LI>Adding recipients in the current connection state is invalid.
    <LI>A network error occurs.
-    <LI>SMFIF_ADDRCPT was not set when <A href="smfi_register.html">smfi_register</A> was called.
+    <LI><A HREF="smfi_register.html#SMFIF_ADDRCPT">SMFIF_ADDRCPT</A> is not set.
 </UL>
 Otherwise, it will return MI_SUCCESS.
 </TD>
@ -61,11 +62,10 @@ Otherwise, it will return MI_SUCCESS.
 <!----------- Notes ---------->
 <TR align="left" valign=top>
-<TH>NOTES</TH> 
+<TH>NOTES</TH>
 <TD>
-A filter which calls smfi_addrcpt must have set the SMFIF_ADDRCPT flag
+A filter which calls smfi_addrcpt must have set the
-in the smfiDesc_str passed to 
+<A HREF="smfi_register.html#SMFIF_ADDRCPT">SMFIF_ADDRCPT</A> flag.
 <A href="smfi_register.html">smfi_register</A>.
 </TD>
 </TR>
--- a/libmilter/docs/smfi_addrcpt_par.html
+++ b/libmilter/docs/smfi_addrcpt_par.html
@ -32,6 +32,7 @@ Add a recipient for the current message including ESMTP arguments.
 <TD>Add a recipient to the message envelope.</TD>
 </TR>
 </TABLE>
 </TD></TR>
 <!----------- Arguments ---------->
 <TR><TH valign="top" align=left>ARGUMENTS</TH><TD>
@ -51,14 +52,13 @@ Add a recipient for the current message including ESMTP arguments.
 <!----------- Return values ---------->
 <TR>
-<TH valign="top" align=left>RETURN VALUES</TH> 
+<TH valign="top" align=left>RETURN VALUES</TH>
-<TD>smfi_addrcpt will fail and return MI_FAILURE if:
+<TD>smfi_addrcpt_par will fail and return MI_FAILURE if:
 <UL><LI>rcpt is NULL.
    <LI>Adding recipients in the current connection state is invalid.
    <LI>A network error occurs.
-    <LI>SMFIF_ADDRCPT_PAR was not set when
+    <LI><A HREF="smfi_register.html#SMFIF_ADDRCPT_PAR">SMFIF_ADDRCPT_PAR</A> is not set._PAR
 	<A href="smfi_register.html">smfi_register</A> was called.
 </UL>
 Otherwise, it will return MI_SUCCESS.
 </TD>
@ -66,11 +66,10 @@ Otherwise, it will return MI_SUCCESS.
 <!----------- Notes ---------->
 <TR align="left" valign=top>
-<TH>NOTES</TH> 
+<TH>NOTES</TH>
 <TD>
-A filter which calls smfi_addrcpt must have set the SMFIF_ADDRCPT_PAR flag
+A filter which calls smfi_addrcpt_par must have set the
-in the smfiDesc_str passed to 
+<A HREF="smfi_register.html#SMFIF_ADDRCPT_PAR">SMFIF_ADDRCPT_PAR</A> flag.
 <A href="smfi_register.html">smfi_register</A>.
 </TD>
 </TR>
--- a/libmilter/docs/smfi_chgfrom.html
+++ b/libmilter/docs/smfi_chgfrom.html
@ -32,6 +32,7 @@ Change the envelope sender (MAIL From) of the current message.
 <TD>Change the envelope sender (MAIL From) of the current message.</TD>
 </TR>
 </TABLE>
 </TD></TR>
 <!----------- Arguments ---------->
 <TR><TH valign="top" align=left>ARGUMENTS</TH><TD>
@ -51,13 +52,13 @@ Change the envelope sender (MAIL From) of the current message.
 <!----------- Return values ---------->
 <TR>
-<TH valign="top" align=left>RETURN VALUES</TH> 
+<TH valign="top" align=left>RETURN VALUES</TH>
 <TD>smfi_chgfrom will fail and return MI_FAILURE if:
 <UL><LI>mail is NULL.
    <LI>Changing the sender in the current connection state is invalid.
    <LI>A network error occurs.
-    <LI>SMFIF_CHGFROM was not set when <A href="smfi_register.html">smfi_register</A> was called.
+    <LI><A HREF="smfi_register.html#SMFIF_CHGFROM">SMFIF_CHGFROM</A> is not set.
 </UL>
 Otherwise, it will return MI_SUCCESS.
 </TD>
@ -65,11 +66,10 @@ Otherwise, it will return MI_SUCCESS.
 <!----------- Notes ---------->
 <TR align="left" valign=top>
-<TH>NOTES</TH> 
+<TH>NOTES</TH>
 <TD>
-A filter which calls smfi_chgfrom must have set the SMFIF_CHGFROM flag
+A filter which calls smfi_chgfrom must have set the
-in the smfiDesc_str passed to 
+<A HREF="smfi_register.html#SMFIF_CHGFROM">SMFIF_CHGFROM</A> flag.
 <A href="smfi_register.html">smfi_register</A>.
 <BR>
 Even though all ESMTP arguments could be set via this call,
 it does not make sense to do so for many of them,
--- a/libmilter/docs/smfi_chgheader.html
+++ b/libmilter/docs/smfi_chgheader.html
@ -33,6 +33,7 @@ Change or delete a message header.
 <TD>Changes a header's value for the current message.</TD>
 </TR>
 </TABLE>
 </TD></TR>
 <!----------- Arguments ---------->
 <TR><TH valign="top" align=left>ARGUMENTS</TH><TD>
@ -55,7 +56,7 @@ Change or delete a message header.
 <!----------- Return values ---------->
 <TR>
-<TH valign="top" align=left>RETURN VALUES</TH> 
+<TH valign="top" align=left>RETURN VALUES</TH>
 <TD>
 smfi_chgheader will return MI_FAILURE if
@ -63,17 +64,18 @@ smfi_chgheader will return MI_FAILURE if
    <LI>Modifying headers in the current connection state is invalid.
    <LI>Memory allocation fails.
    <LI>A network error occurs.
-    <LI>SMFIF_CHGHDRS was not set when <A href="smfi_register.html">smfi_register</A> was called.
+    <LI><A HREF="smfi_register.html#SMFIF_CHGHDRS">SMFIF_CHGHDRS</A> is not set.
 </UL>
 Otherwise, it returns MI_SUCCESS.
-</TR>
+</TD></TR>
 <!----------- Notes ---------->
 <TR align="left" valign=top>
-<TH>NOTES</TH> 
+<TH>NOTES</TH>
 <TD>
 <UL><LI>While smfi_chgheader may be used to add new headers, it is more efficient and far safer to use <A href="smfi_addheader.html">smfi_addheader</A>.
-    <LI>A filter which calls smfi_chgheader must have set the SMFIF_CHGHDRS flag in the smfiDesc_str passed to <A href="smfi_register.html">smfi_register</A>.
+    <LI>A filter which calls smfi_chgheader must have set the
        <A HREF="smfi_register.html#SMFIF_CHGHDRS">SMFIF_CHGHDRS</A> flag.
    <LI>For smfi_chgheader, filter order is important.  <B>Later filters will see the header changes made by earlier ones.</B>
    <LI>Neither the name nor the value of the header is checked for
    standards compliance.  However, each line of the header must be under
--- a/libmilter/docs/smfi_delrcpt.html
+++ b/libmilter/docs/smfi_delrcpt.html
@ -31,6 +31,7 @@ Remove a recipient from the current message's envelope.
 <TD>smfi_delrcpt removes the named recipient from the current message's envelope.</TD>
 </TR>
 </TABLE>
 </TD></TR>
 <!----------- Arguments ---------->
 <TR><TH valign="top" align=left>ARGUMENTS</TH><TD>
@ -47,14 +48,14 @@ Remove a recipient from the current message's envelope.
 <!----------- Return values ---------->
 <TR>
-<TH valign="top" align=left>RETURN VALUES</TH> 
+<TH valign="top" align=left>RETURN VALUES</TH>
 <TD>smfi_delrcpt will fail and return MI_FAILURE if:
 <UL>
    <LI>rcpt is NULL.
    <LI>Deleting recipients in the current connection state is invalid.
    <LI>A network error occurs.
-    <LI>SMFIF_DELRCPT was not set when <A href="smfi_register.html">smfi_register</A> was called.
+    <LI><A HREF="smfi_register.html#SMFIF_DELRCPT">SMFIF_DELRCPT</A> is not set.
 </UL>
 Otherwise, it will return MI_SUCCESS
 </TD>
@ -62,9 +63,13 @@ Otherwise, it will return MI_SUCCESS
 <!----------- Notes ---------->
 <TR align="left" valign=top>
-<TH>NOTES</TH> 
+<TH>NOTES</TH>
 <TD>
 <LI>
 The addresses to be removed must match exactly.  For example, an address and its expanded form do not match.
 <LI>
 A filter which calls smfi_delrcpt must have set the
 <A HREF="smfi_register.html#SMFIF_DELRCPT">SMFIF_DELRCPT</A> flag.
 </TD>
 </TR>
--- a/libmilter/docs/smfi_getpriv.html
+++ b/libmilter/docs/smfi_getpriv.html
@ -30,6 +30,7 @@ Get the connection-specific data pointer for this connection.
 <TD>None.</TD>
 </TR>
 </TABLE>
 </TD></TR>
 <!----------- Arguments ---------->
 <TR><TH valign="top" align=left>ARGUMENTS</TH><TD>
@ -43,7 +44,7 @@ Get the connection-specific data pointer for this connection.
 <!----------- Return values ---------->
 <TR>
-<TH valign="top" align=left>RETURN VALUES</TH> 
+<TH valign="top" align=left>RETURN VALUES</TH>
 <TD>smfi_getpriv returns the private data pointer stored by a prior call to <A href="smfi_setpriv.html">smfi_setpriv</A>, or NULL if none has been set.</TD>
 </TR>
--- a/libmilter/docs/smfi_getsymval.html
+++ b/libmilter/docs/smfi_getsymval.html
@ -31,6 +31,7 @@ Get the value of a sendmail macro.
 <TD>None.</TD>
 </TR>
 </TABLE>
 </TD></TR>
 <!----------- Arguments ---------->
 <TR><TH valign="top" align=left>ARGUMENTS</TH><TD>
@ -51,14 +52,14 @@ Get the value of a sendmail macro.
 <!----------- Return values ---------->
 <TR>
-<TH valign="top" align=left>RETURN VALUES</TH> 
+<TH valign="top" align=left>RETURN VALUES</TH>
 <TD>smfi_getsymval returns the value of the given macro as a null-terminated string, or NULL if the macro is not defined.</TD>
 </TR>
 <!----------- Notes ---------->
 <TR align="left" valign=top>
-<TH><A name="notes">NOTES</A></TH> 
+<TH><A name="notes">NOTES</A></TH>
 <TD>
 By default, the following macros are valid in the given contexts:
--- a/libmilter/docs/smfi_insheader.html
+++ b/libmilter/docs/smfi_insheader.html
@ -33,6 +33,7 @@ Prepend a header to the current message.
 <TD>Prepends a header to the current message.</TD>
 </TR>
 </TABLE>
 </TD></TR>
 <!----------- Arguments ---------->
 <TR><TH valign="top" align=left>ARGUMENTS</TH><TD>
@ -49,21 +50,21 @@ Prepend a header to the current message.
 	<TD>The header name, a non-NULL, null-terminated string.
 	</TD></TR>
    <TR valign="top"><TD>headerv</TD>
-	<TD>The header value to be added, a non-NULL, null-terminated string.  This may be the empty string.  
+	<TD>The header value to be added, a non-NULL, null-terminated string.  This may be the empty string.
 	</TD></TR>
    </TABLE>
 </TD></TR>
 <!----------- Return values ---------->
 <TR>
-<TH valign="top" align=left>RETURN VALUES</TH> 
+<TH valign="top" align=left>RETURN VALUES</TH>
 <TD>smfi_insheader returns MI_FAILURE if:
 <UL><LI>headerf or headerv is NULL.
    <LI>Adding headers in the current connection state is invalid.
    <LI>Memory allocation fails.
    <LI>A network error occurs.
-    <LI>SMFIF_ADDHDRS was not set when <A href="smfi_register.html">smfi_register</A> was called.
+    <LI><A HREF="smfi_register.html#SMFIF_ADDHDRS">SMFIF_ADDHDRS</A> is not set.
 </UL>
 Otherwise, it returns MI_SUCCESS.
 </TD>
@ -71,15 +72,15 @@ Otherwise, it returns MI_SUCCESS.
 <!----------- Notes ---------->
 <TR align="left" valign=top>
-<TH>NOTES</TH> 
+<TH>NOTES</TH>
 <TD>
 <UL>
    <LI>smfi_insheader does not change a message's existing headers.
 	To change a header's current value, use
 	<A HREF="smfi_chgheader.html">smfi_chgheader</A>.
-    <LI>A filter which calls smfi_insheader must have set the SMFIF_ADDHDRS
+    <LI>A filter which calls smfi_insheader must have set the
-	flag in the smfiDesc_str passed to
+        <A HREF="smfi_register.html#SMFIF_ADDHDRS">SMFIF_ADDHDRS</A>
-	<A href="smfi_register.html">smfi_register</A>.
+        flag.
    <LI>For smfi_insheader, filter order is important.
 	<B>Later filters will see the header changes made by earlier ones.</B>
    <LI>A filter will receive <EM>only</EM> headers that have been sent
@ -122,7 +123,7 @@ Otherwise, it returns MI_SUCCESS.
 <!----------- Example code ---------->
 <TR>
-<TH valign="top" align=left>EXAMPLE</TH> 
+<TH valign="top" align=left>EXAMPLE</TH>
 <TD>
 <PRE>
--- a/libmilter/docs/smfi_main.html
+++ b/libmilter/docs/smfi_main.html
@ -29,10 +29,11 @@ Hand control to libmilter event loop.
 <TD>smfi_main hands control to the Milter event loop.</TD>
 </TR>
 </TABLE>
 </TD></TR>
 <!----------- Return values ---------->
 <TR>
-<TH valign="top" align=left>RETURN VALUES</TH> 
+<TH valign="top" align=left>RETURN VALUES</TH>
 <TD>smfi_main will return MI_FAILURE if it fails to establish a connection.  This may occur for any of a variety of reasons (e.g. invalid address passed to <A href="smfi_setconn.html">smfi_setconn</A>).  The reason for the failure will be logged.  Otherwise, smfi_main will return MI_SUCCESS.</TD>
 </TR>
--- a/libmilter/docs/smfi_opensocket.html
+++ b/libmilter/docs/smfi_opensocket.html
@ -34,13 +34,14 @@ but before calling <TT>smfi_main()</TT>.
 <TD>smfi_opensocket attempts to create the socket specified previously by
 a call to <TT>smfi_setconn()</TT> which will be the interface between MTAs
 and the filter.
-This allows the calling application to ensure that the
+This allows the calling application to ensure that the socket can be created.
 socket can be created.
 If this is not called,
-<TT>smfi_main()</TT> will do so implicitly.
+<TT>smfi_main()</TT> will create the socket implicitly
 (without removing a potentially existing UNIX domain socket).
 </TD>
 </TR>
 </TABLE>
 </TD></TR>
 <!----------- Arguments ---------->
 <TR><TH valign="top" align=left>ARGUMENTS</TH><TD>
@ -56,7 +57,7 @@ If this is not called,
 <!----------- Return values ---------->
 <TR>
-<TH valign="top" align=left>RETURN VALUES</TH> 
+<TH valign="top" align=left>RETURN VALUES</TH>
 <TD>smfi_opensocket will fail and return MI_FAILURE if:
 <UL>
--- a/libmilter/docs/smfi_progress.html
+++ b/libmilter/docs/smfi_progress.html
@ -31,6 +31,7 @@ Notify the MTA that an operation is still in progress.
 on a message, causing the MTA to re-start its timeouts.</TD>
 </TR>
 </TABLE>
 </TD></TR>
 <!----------- Arguments ---------->
 <TR><TH valign="top" align=left>ARGUMENTS</TH><TD>
@ -44,7 +45,7 @@ on a message, causing the MTA to re-start its timeouts.</TD>
 <!----------- Return values ---------->
 <TR>
-<TH valign="top" align=left>RETURN VALUES</TH> 
+<TH valign="top" align=left>RETURN VALUES</TH>
 <TD>smfi_progress will fail and return MI_FAILURE if:
 <UL>
--- a/libmilter/docs/smfi_quarantine.html
+++ b/libmilter/docs/smfi_quarantine.html
@ -31,6 +31,7 @@ Quarantine the message using the given reason.
 <TD>smfi_quarantine quarantines the message using the given reason.</TD>
 </TR>
 </TABLE>
 </TD></TR>
 <!----------- Arguments ---------->
 <TR><TH valign="top" align=left>ARGUMENTS</TH><TD>
@ -47,13 +48,13 @@ Quarantine the message using the given reason.
 <!----------- Return values ---------->
 <TR>
-<TH valign="top" align=left>RETURN VALUES</TH> 
+<TH valign="top" align=left>RETURN VALUES</TH>
 <TD>smfi_quarantine will fail and return MI_FAILURE if:
 <UL>
    <LI>reason is NULL or empty.
    <LI>A network error occurs.
-    <LI>SMFIF_QUARANTINE was not set when <A href="smfi_register.html">smfi_register</A> was called.
+    <LI><A HREF="smfi_register.html#SMFIF_QUARANTINE">SMFIF_QUARANTINE</A> is not set.
 </UL>
 Otherwise, it will return MI_SUCCESS
 </TD>
--- a/libmilter/docs/smfi_register.html
+++ b/libmilter/docs/smfi_register.html
@ -37,6 +37,7 @@ is obeyed.
 </TD>
 </TR>
 </TABLE>
 </TD></TR>
 <!----------- Arguments ---------->
 <TR><TH valign="top" align=left>ARGUMENTS</TH><TD>
@ -96,12 +97,12 @@ simply returning SMFIS_CONTINUE.
 <!----------- Return values ---------->
 <TR>
-<TH valign="top" align=left>RETURN VALUES</TH> 
+<TH valign="top" align=left>RETURN VALUES</TH>
 <TD>
 smfi_register may return MI_FAILURE for any of the following reasons:
 <UL>
-<LI>memory allocation failed.  
+<LI>memory allocation failed.
 <LI>incompatible version or illegal flags value.
 </UL>
@ -110,7 +111,7 @@ smfi_register may return MI_FAILURE for any of the following reasons:
 <!----------- Notes ---------->
 <TR align="left" valign=top>
-<TH>NOTES</TH> 
+<TH><A NAME=Notes>NOTES</A></TH>
 <TD>
 <A NAME="flags">The xxfi_flags</A>
@ -120,7 +121,7 @@ the following values, describing the actions the filter may take:
 <TR valign="top" bgcolor="#dddddd"><TH align="left">Flag</TH><TH align="center">Description</TH></TR>
  <TR align="left" valign=top>
    <TD>
-        SMFIF_ADDHDRS
+        <A NAME="SMFIF_ADDHDRS">SMFIF_ADDHDRS</A>
    </TD>
    <TD>
        This filter may <A HREF="smfi_addheader.html">add headers</A>.
@ -128,7 +129,7 @@ the following values, describing the actions the filter may take:
  </TR>
  <TR align="left" valign=top>
    <TD>
-        SMFIF_CHGHDRS
+        <A NAME="SMFIF_CHGHDRS">SMFIF_CHGHDRS</A>
    </TD>
    <TD>
        This filter may
@ -137,7 +138,7 @@ the following values, describing the actions the filter may take:
  </TR>
  <TR align="left" valign=top>
    <TD VALIGN="TOP">
-        SMFIF_CHGBODY
+        <A NAME="SMFIF_CHGBODY">SMFIF_CHGBODY</A>
    </TD>
    <TD>
        This filter may
@ -148,7 +149,7 @@ the following values, describing the actions the filter may take:
  </TR>
  <TR>
    <TD VALIGN="TOP">
-        SMFIF_ADDRCPT
+        <A NAME="SMFIF_ADDRCPT">SMFIF_ADDRCPT</A>
    </TD>
    <TD>
        This filter may
@ -158,7 +159,7 @@ the following values, describing the actions the filter may take:
  </TR>
  <TR>
    <TD VALIGN="TOP">
-	SMFIF_ADDRCPT_PAR
+	<A NAME="SMFIF_ADDRCPT_PAR">SMFIF_ADDRCPT_PAR</A>
    </TD>
    <TD>
 	This filter may
@ -167,7 +168,7 @@ the following values, describing the actions the filter may take:
  </TR>
  <TR>
    <TD VALIGN="TOP">
-        SMFIF_DELRCPT
+        <A NAME="SMFIF_DELRCPT">SMFIF_DELRCPT</A>
    </TD>
    <TD>
        This filter may
@ -176,7 +177,7 @@ the following values, describing the actions the filter may take:
  </TR>
  <TR>
    <TD VALIGN="TOP">
-	SMFIF_QUARANTINE
+	<A NAME="SMFIF_QUARANTINE">SMFIF_QUARANTINE</A>
    </TD>
    <TD>
 	This filter may
@ -186,7 +187,7 @@ the following values, describing the actions the filter may take:
  <TR>
    <TD VALIGN="TOP">
-	SMFIF_CHGFROM
+	<A NAME="SMFIF_CHGFROM">SMFIF_CHGFROM</A>
    </TD>
    <TD>
 	This filter may
@ -196,7 +197,7 @@ the following values, describing the actions the filter may take:
  <TR>
    <TD VALIGN="TOP">
-	SMFIF_SETSYMLIST
+	<A NAME="SMFIF_SETSYMLIST">SMFIF_SETSYMLIST</A>
    </TD>
    <TD>
 	This filter can
--- a/Show More
+++ b/Show More