Diffstat (limited to 'cf')
| -rw-r--r-- | cf/README | 89 |
| -rw-r--r-- | cf/cf/Makefile | 2 |
| -rw-r--r-- | cf/cf/generic-bsd4.4.cf | 18 |
| -rw-r--r-- | cf/cf/generic-hpux10.cf | 18 |
| -rw-r--r-- | cf/cf/generic-hpux9.cf | 18 |
| -rw-r--r-- | cf/cf/generic-linux.cf | 18 |
| -rw-r--r-- | cf/cf/generic-mpeix.cf | 18 |
| -rw-r--r-- | cf/cf/generic-nextstep3.3.cf | 18 |
| -rw-r--r-- | cf/cf/generic-osf1.cf | 18 |
| -rw-r--r-- | cf/cf/generic-solaris.cf | 18 |
| -rw-r--r-- | cf/cf/generic-sunos4.1.cf | 18 |
| -rw-r--r-- | cf/cf/generic-ultrix4.cf | 18 |
| -rw-r--r-- | cf/cf/knecht.mc | 4 |
| -rw-r--r-- | cf/cf/submit.cf | 18 |
| -rw-r--r-- | cf/feature/bcc.m4 | 2 |
| -rw-r--r-- | cf/feature/blacklist_recipients.m4 | 7 |
| -rw-r--r-- | cf/feature/blocklist_recipients.m4 | 19 |
| -rw-r--r-- | cf/feature/check_cert_altnames.m4 | 17 |
| -rw-r--r-- | cf/feature/dnsbl.m4 | 2 |
| -rw-r--r-- | cf/feature/enhdnsbl.m4 | 2 |
| -rw-r--r-- | cf/feature/tls_failures.m4 | 13 |
| -rw-r--r-- | cf/m4/cfhead.m4 | 9 |
| -rw-r--r-- | cf/m4/proto.m4 | 85 |
| -rw-r--r-- | cf/m4/version.m4 | 4 |
| -rw-r--r-- | cf/ostype/hpux10.m4 | 2 |
| -rw-r--r-- | cf/ostype/hpux9.m4 | 2 |
26 files changed, 343 insertions, 114 deletions
diff --git a/cf/README b/cf/README index 91e69a9182231..983aa2821a1ae 100644 --- a/cf/README +++ b/cf/README @@ -396,7 +396,7 @@ SMTP_MAILER_MAXMSGS [undefined] If defined, the maximum number of messages to deliver in a single connection for the smtp, smtp8, esmtp, or dsmtp mailers. SMTP_MAILER_MAXRCPTS [undefined] If defined, the maximum number of - recipients to deliver in a single connection for the + recipients to deliver in a single envelope for the smtp, smtp8, esmtp, or dsmtp mailers. SMTP_MAILER_ARGS [TCP $h] The arguments passed to the smtp mailer. About the only reason you would want to change this @@ -1250,7 +1250,7 @@ access_db Turns on the access database feature. The access db gives important information about this feature. Notice: "-T<TMPF>" is meant literal, do not replace it by anything. -blacklist_recipients +blocklist_recipients Turns on the ability to block incoming mail for certain recipient usernames, hostnames, or addresses. For example, you can block incoming mail to user nobody, @@ -1579,7 +1579,7 @@ require_rdns Reject mail from connecting SMTP clients without proper Entries such as Connect:1.2.3.4 OK Connect:1.2 RELAY - will whitelist IP address 1.2.3.4, so that the rDNS + will allowlist IP address 1.2.3.4, so that the rDNS blocking does apply to that IP address Entries such as @@ -2602,7 +2602,7 @@ requires a tag. For example, From:another.dom REJECT This would deny mails from spammer@some.dom but you could still -send mail to that address even if FEATURE(`blacklist_recipients') +send mail to that address even if FEATURE(`blocklist_recipients') is enabled. Your system will allow relaying to friend.domain, but not from it (unless enabled by other means). Connections from that domain will be allowed even if it ends up in one of the DNS based 
@@ -2723,7 +2723,7 @@ sender address. If you use: - FEATURE(`blacklist_recipients') + FEATURE(`blocklist_recipients') then you can add entries to the map for local users, hosts in your domains, or addresses in your domain which should not receive mail: @@ -2747,14 +2747,14 @@ as value part in the access map. Taking the example from above: Mail can't be sent to spammer@aol.com or anyone at cyberspammer.com. That's why tagged entries should be used. -There are several DNS based blacklists which can be found by +There are several DNS based blocklists which can be found by querying a search engine. These are databases of spammers maintained in DNS. To use such a database, specify FEATURE(`dnsbl', `dnsbl.example.com') This will cause sendmail to reject mail from any site listed in the -DNS based blacklist. You must select a DNS based blacklist domain +DNS based blocklist. You must select a DNS based blocklist domain to check by specifying an argument to the FEATURE. The default error message is @@ -2789,14 +2789,14 @@ This FEATURE can be included several times to query different DNS based rejection lists. Notice: to avoid checking your own local domains against those -blacklists, use the access_db feature and add: +blocklists, use the access_db feature and add: Connect:10.1 OK Connect:127.0.0.1 RELAY to the access map, where 10.1 is your local network. You may want to use "RELAY" instead of "OK" to allow also relaying -instead of just disabling the DNS lookups in the blacklists. +instead of just disabling the DNS lookups in the blocklists. The features described above make use of the check_relay, check_mail, 
@@ -2849,7 +2849,7 @@ my.domain and you have in the access map, then any e-mail with a sender address of <user@my.domain> will not be rejected by check_relay even though it would match the hostname or IP address. This allows spammers -to get around DNS based blacklist by faking the sender address. To +to get around DNS based blocklist by faking the sender address. To avoid this problem you have to use tagged entries: To:my.domain RELAY @@ -2978,7 +2978,7 @@ limits per client IP address or net. These features can limit the rate of connections (connections per time unit) or the number of incoming SMTP connections, respectively. If enabled, appropriate rulesets are called at the end of check_relay, i.e., after DNS -blacklists and generic access_db operations. The features require +blocklists and generic access_db operations. The features require FEATURE(`access_db') to be listed earlier in the mc file. Note: FEATURE(`delay_checks') delays those connection control checks @@ -3071,13 +3071,13 @@ rulesets and map lookups, they are modified as follows: each non-printable character and the characters '<', '>', '(', ')', '"', '+', ' ' are replaced by their HEX value with a leading '+'. For example: -/C=US/ST=California/O=endmail.org/OU=private/CN=Darth Mail (Cert)/Email= +/C=US/ST=California/O=endmail.org/OU=private/CN=Darth Mail (Cert)/emailAddress= darth+cert@endmail.org is encoded as: /C=US/ST=California/O=endmail.org/OU=private/CN= -Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org +Darth+20Mail+20+28Cert+29/emailAddress=darth+2Bcert@endmail.org (line breaks have been inserted for readability). 
@@ -3089,30 +3089,27 @@ Examples: To allow relaying for everyone who can present a cert signed by /C=US/ST=California/O=endmail.org/OU=private/CN= -Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org +Darth+20Mail+20+28Cert+29/emailAddress=darth+2Bcert@endmail.org simply use: CertIssuer:/C=US/ST=California/O=endmail.org/OU=private/CN= -Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org RELAY +Darth+20Mail+20+28Cert+29/emailAddress=darth+2Bcert@endmail.org RELAY To allow relaying only for a subset of machines that have a cert signed by /C=US/ST=California/O=endmail.org/OU=private/CN= -Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org +Darth+20Mail+20+28Cert+29/emailAddress=darth+2Bcert@endmail.org use: CertIssuer:/C=US/ST=California/O=endmail.org/OU=private/CN= -Darth+20Mail+20+28Cert+29/Email=darth+2Bcert@endmail.org SUBJECT +Darth+20Mail+20+28Cert+29/emailAddress=darth+2Bcert@endmail.org SUBJECT CertSubject:/C=US/ST=California/O=endmail.org/OU=private/CN= -DeathStar/Email=deathstar@endmail.org RELAY +DeathStar/emailAddress=deathstar@endmail.org RELAY -Notes: -- line breaks have been inserted after "CN=" for readability, - each tagged entry must be one (long) line in the access map. -- if OpenSSL 0.9.7 or newer is used then the "Email=" part of a DN - is replaced by "emailAddress=". +Note: line breaks have been inserted after "CN=" for readability, +each tagged entry must be one (long) line in the access map. Of course it is also possible to write a simple ruleset that allows relaying for everyone who can present a cert that can be verified, e.g., 
@@ -3188,16 +3185,23 @@ CN:name name must match ${cn_subject} CN ${client_name}/${server_name} must match ${cn_subject} CS:name name must match ${cert_subject} CI:name name must match ${cert_issuer} +CITag:MYTag look up MYTag:${cert_issuer} in access map; the check + only succeeds if it is found with a RHS of OK. Example: e-mail sent to secure.example.com should only use an encrypted connection. E-mail received from hosts within the laptop.example.com domain should only be accepted if they have been authenticated. The host which receives e-mail for darth@endmail.org must present a cert that uses the -CN smtp.endmail.org. +CN smtp.endmail.org. E-mail sent to safe.example.com must be verified, +have a matching CN, and must present a cert signed by a CA with one of +the listed DNs. -TLS_Srv:secure.example.com ENCR:112 -TLS_Clt:laptop.example.com PERM+VERIFY:112 +TLS_Srv:secure.example.com ENCR:112 +TLS_Clt:laptop.example.com PERM+VERIFY:112 TLS_Rcpt:darth@endmail.org ENCR:112+CN:smtp.endmail.org +TLS_Srv:safe.example.net VERIFY+CN++CITag:MyCA +MyCA:/C=US/ST=CA/O=safe/CN=example.net/ OK +MyCA:/C=US/ST=CA/O=secure/CN=example.net/ OK TLS Options per Session @@ -3217,6 +3221,7 @@ options: - Options: compare {Server,Client}SSLOptions. - CipherList: same as the global option. - CertFile, KeyFile: {Server,Client}{Cert,Key}File +- Flags: see doc/op/op.me for details. If FEATURE(`tls_session_features') is used, then default rulesets are activated which look up entries in the access map with the tags 
@@ -3234,15 +3239,12 @@ If FEATURE(`tls_session_features') is not used the user can provide their own rulesets which must return the appropriate data. If the rulesets are not defined or do not return a value, the default TLS options are not modified. -(These rulesets require the sendmail binary to be built with -_FFR_TLS_SE_OPTS enabled.) -About 2): the ruleset try_tls (srv_features) can be used that work -together with the access map. Entries for the access map must be -tagged with Try_TLS (Srv_Features) and refer to the hostname or IP -address of the connecting system. A default case can be specified -by using just the tag. For example, the following entries in the -access map: +About 2): the ruleset try_tls (srv_features) can be used together +with the access map. Entries for the access map must be tagged +with Try_TLS (Srv_Features) and refer to the hostname or IP address +of the connecting system. A default case can be specified by using +just the tag. For example, the following entries in the access map: Try_TLS:broken.server NO Srv_Features:my.domain v @@ -3654,7 +3656,7 @@ for. In particular: if your system allows "file giveaways" (that is, if a non-root user can chown any file they own to any other user). -* If your system allows file giveaways, DO NOT create a publically +* If your system allows file giveaways, DO NOT create a publicly writable directory for forward files. This will allow anyone to steal anyone else's e-mail. Instead, create a script that copies the .forward file from users' home directories once a 
@@ -4011,6 +4013,10 @@ confUSERDB_SPEC UserDatabaseSpec confFALLBACK_MX FallbackMXhost [undefined] Fallback MX host. confFALLBACK_SMARTHOST FallbackSmartHost [undefined] Fallback smart host. +confTLS_FALLBACK_TO_CLEAR TLSFallbacktoClear + [undefined] If set, immediately try + a connection again without STARTTLS + after a TLS handshake failure. confTRY_NULL_MX_LIST TryNullMXList [False] If this host is the best MX for a host and other arrangements haven't been made, try connecting @@ -4364,10 +4370,13 @@ confCLIENT_KEY ClientKeyFile [undefined] File containing the cert. confCRL CRLFile [undefined] File containing certificate revocation status, useful for X.509v3 - authentication. Note that CRL requires - at least OpenSSL version 0.9.7. + authentication. +confCRL_PATH CRLPath [undefined] Directory containing + hashes pointing to certificate + revocation status files. confDH_PARAMETERS DHParameters [undefined] File containing the DH parameters. +confDANE DANE [false] Enable DANE support. confRAND_FILE RandFile [undefined] File containing random data (use prefix file:) or the name of the UNIX socket if EGD is @@ -4379,6 +4388,9 @@ confCERT_FINGERPRINT_ALGORITHM CertFingerprintAlgorithm [undefined] The fingerprint algorithm (digest) to use for the presented cert. +confSSL_ENGINE SSLEngine [undefined] Name of SSLEngine. +confSSL_ENGINE_PATH SSLEnginePath [undefined] Path to dynamic library + for SSLEngine. confNICE_QUEUE_RUN NiceQueueRun [undefined] If set, the priority of queue runners is set the given value (nice(3)). @@ -4799,7 +4811,6 @@ M4 DIVERSIONS 5 locally interpreted names (overrides $R) 6 local configuration (at top of file) 7 mailer definitions - 8 DNS based blacklists + 8 DNS based blocklists 9 special local rulesets (1 and 2) -$Revision: 8.730 $, Last updated $Date: 2014-01-16 15:55:51 $ diff --git a/cf/cf/Makefile b/cf/cf/Makefile index efec478cb95a5..bf6f031b2f11e 100644 --- a/cf/cf/Makefile +++ b/cf/cf/Makefile 
@@ -103,7 +103,7 @@ M4FILES=\ ${CFDIR}/feature/bcc.m4 \ ${CFDIR}/feature/bestmx_is_local.m4 \ ${CFDIR}/feature/bitdomain.m4 \ - ${CFDIR}/feature/blacklist_recipients.m4 \ + ${CFDIR}/feature/blocklist_recipients.m4 \ ${CFDIR}/feature/conncontrol.m4 \ ${CFDIR}/feature/dnsbl.m4 \ ${CFDIR}/feature/domaintable.m4 \ diff --git a/cf/cf/generic-bsd4.4.cf b/cf/cf/generic-bsd4.4.cf index ef642a4aa7b86..c1c9ce64751d4 100644 --- a/cf/cf/generic-bsd4.4.cf +++ b/cf/cf/generic-bsd4.4.cf @@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015 -##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf +##### built by ca@lab.smi.sendmail.com on Thu Jul 2 22:41:56 PDT 2020 +##### in /var/tmp/ca/sm8.git/sendmail/OpenSource/sendmail-8.16.1/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -122,7 +122,7 @@ DnMAILER-DAEMON CPREDIRECT # Configuration version number -DZ8.15.2 +DZ8.16.1 ############### @@ -521,6 +521,12 @@ O MaxHeadersLength=32768 #O ServerSSLOptions # client side SSL options #O ClientSSLOptions +# SSL Engine +#O SSLEngine +# Path to dynamic library for SSLEngine +#O SSLEnginePath +# TLS: fall back to clear text after handshake failure? +#O TLSFallbacktoClear # Input mail filters #O InputMailFilters @@ -540,12 +546,16 @@ O MaxHeadersLength=32768 #O ClientKeyFile # File containing certificate revocation lists #O CRLFile +# Directory containing hashes pointing to certificate revocation status files +#O CRLPath # DHParameters (only required if DSA/DH is used) #O DHParameters # Random data source (required for systems without /dev/urandom under OpenSSL) #O RandFile # fingerprint algorithm (digest) to use for the presented cert #O CertFingerprintAlgorithm +# enable DANE? +#O DANE=false # Maximum number of "useless" commands before slowing down #O MaxNOOPCommands=20 
@@ -1265,6 +1275,7 @@ R$* $| $* $@ $>"TLS_connection" $1 ### ${verify} ###################################################################### Stls_server + R$* $@ $>"TLS_connection" $1 ###################################################################### @@ -1276,6 +1287,7 @@ R$* $@ $>"TLS_connection" $1 ###################################################################### STLS_connection RSOFTWARE $#error $@ 4.7.0 $: "403 TLS handshake." +RDANE_FAIL $#error $@ 4.7.0 $: "403 DANE check failed." diff --git a/cf/cf/generic-hpux10.cf b/cf/cf/generic-hpux10.cf index 827e77d0411dc..7442b076a85a1 100644 --- a/cf/cf/generic-hpux10.cf +++ b/cf/cf/generic-hpux10.cf @@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015 -##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf +##### built by ca@lab.smi.sendmail.com on Thu Jul 2 22:41:56 PDT 2020 +##### in /var/tmp/ca/sm8.git/sendmail/OpenSource/sendmail-8.16.1/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -123,7 +123,7 @@ DnMAILER-DAEMON CPREDIRECT # Configuration version number -DZ8.15.2 +DZ8.16.1 ############### @@ -522,6 +522,12 @@ O MaxHeadersLength=32768 #O ServerSSLOptions # client side SSL options #O ClientSSLOptions +# SSL Engine +#O SSLEngine +# Path to dynamic library for SSLEngine +#O SSLEnginePath +# TLS: fall back to clear text after handshake failure? +#O TLSFallbacktoClear # Input mail filters #O InputMailFilters 
@@ -541,12 +547,16 @@ O MaxHeadersLength=32768 #O ClientKeyFile # File containing certificate revocation lists #O CRLFile +# Directory containing hashes pointing to certificate revocation status files +#O CRLPath # DHParameters (only required if DSA/DH is used) #O DHParameters # Random data source (required for systems without /dev/urandom under OpenSSL) #O RandFile # fingerprint algorithm (digest) to use for the presented cert #O CertFingerprintAlgorithm +# enable DANE? +#O DANE=false # Maximum number of "useless" commands before slowing down #O MaxNOOPCommands=20 @@ -1266,6 +1276,7 @@ R$* $| $* $@ $>"TLS_connection" $1 ### ${verify} ###################################################################### Stls_server + R$* $@ $>"TLS_connection" $1 ###################################################################### @@ -1277,6 +1288,7 @@ R$* $@ $>"TLS_connection" $1 ###################################################################### STLS_connection RSOFTWARE $#error $@ 4.7.0 $: "403 TLS handshake." +RDANE_FAIL $#error $@ 4.7.0 $: "403 DANE check failed." diff --git a/cf/cf/generic-hpux9.cf b/cf/cf/generic-hpux9.cf index dbd7fe595eeef..2f39b3d8f5c44 100644 --- a/cf/cf/generic-hpux9.cf +++ b/cf/cf/generic-hpux9.cf @@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015 -##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf +##### built by ca@lab.smi.sendmail.com on Thu Jul 2 22:41:56 PDT 2020 +##### in /var/tmp/ca/sm8.git/sendmail/OpenSource/sendmail-8.16.1/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -123,7 +123,7 @@ DnMAILER-DAEMON CPREDIRECT # Configuration version number -DZ8.15.2 +DZ8.16.1 ############### 
@@ -522,6 +522,12 @@ O MaxHeadersLength=32768 #O ServerSSLOptions # client side SSL options #O ClientSSLOptions +# SSL Engine +#O SSLEngine +# Path to dynamic library for SSLEngine +#O SSLEnginePath +# TLS: fall back to clear text after handshake failure? +#O TLSFallbacktoClear # Input mail filters #O InputMailFilters @@ -541,12 +547,16 @@ O MaxHeadersLength=32768 #O ClientKeyFile # File containing certificate revocation lists #O CRLFile +# Directory containing hashes pointing to certificate revocation status files +#O CRLPath # DHParameters (only required if DSA/DH is used) #O DHParameters # Random data source (required for systems without /dev/urandom under OpenSSL) #O RandFile # fingerprint algorithm (digest) to use for the presented cert #O CertFingerprintAlgorithm +# enable DANE? +#O DANE=false # Maximum number of "useless" commands before slowing down #O MaxNOOPCommands=20 @@ -1266,6 +1276,7 @@ R$* $| $* $@ $>"TLS_connection" $1 ### ${verify} ###################################################################### Stls_server + R$* $@ $>"TLS_connection" $1 ###################################################################### @@ -1277,6 +1288,7 @@ R$* $@ $>"TLS_connection" $1 ###################################################################### STLS_connection RSOFTWARE $#error $@ 4.7.0 $: "403 TLS handshake." +RDANE_FAIL $#error $@ 4.7.0 $: "403 DANE check failed." diff --git a/cf/cf/generic-linux.cf b/cf/cf/generic-linux.cf index 1eff0fa117f03..17bf46e498666 100644 --- a/cf/cf/generic-linux.cf +++ b/cf/cf/generic-linux.cf 
@@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015 -##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf +##### built by ca@lab.smi.sendmail.com on Thu Jul 2 22:41:56 PDT 2020 +##### in /var/tmp/ca/sm8.git/sendmail/OpenSource/sendmail-8.16.1/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -127,7 +127,7 @@ DnMAILER-DAEMON CPREDIRECT # Configuration version number -DZ8.15.2 +DZ8.16.1 ############### @@ -526,6 +526,12 @@ O MaxHeadersLength=32768 #O ServerSSLOptions # client side SSL options #O ClientSSLOptions +# SSL Engine +#O SSLEngine +# Path to dynamic library for SSLEngine +#O SSLEnginePath +# TLS: fall back to clear text after handshake failure? +#O TLSFallbacktoClear # Input mail filters #O InputMailFilters @@ -545,12 +551,16 @@ O MaxHeadersLength=32768 #O ClientKeyFile # File containing certificate revocation lists #O CRLFile +# Directory containing hashes pointing to certificate revocation status files +#O CRLPath # DHParameters (only required if DSA/DH is used) #O DHParameters # Random data source (required for systems without /dev/urandom under OpenSSL) #O RandFile # fingerprint algorithm (digest) to use for the presented cert #O CertFingerprintAlgorithm +# enable DANE? +#O DANE=false # Maximum number of "useless" commands before slowing down #O MaxNOOPCommands=20 @@ -1270,6 +1280,7 @@ R$* $| $* $@ $>"TLS_connection" $1 ### ${verify} ###################################################################### Stls_server + R$* $@ $>"TLS_connection" $1 ###################################################################### @@ -1281,6 +1292,7 @@ R$* $@ $>"TLS_connection" $1 ###################################################################### STLS_connection RSOFTWARE $#error $@ 4.7.0 $: "403 TLS handshake." +RDANE_FAIL $#error $@ 4.7.0 $: "403 DANE check failed." 
diff --git a/cf/cf/generic-mpeix.cf b/cf/cf/generic-mpeix.cf index 149826d56ef8d..f0520de5d0ef6 100644 --- a/cf/cf/generic-mpeix.cf +++ b/cf/cf/generic-mpeix.cf @@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015 -##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf +##### built by ca@lab.smi.sendmail.com on Thu Jul 2 22:41:56 PDT 2020 +##### in /var/tmp/ca/sm8.git/sendmail/OpenSource/sendmail-8.16.1/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -123,7 +123,7 @@ DnMAILER-DAEMON CPREDIRECT # Configuration version number -DZ8.15.2 +DZ8.16.1 ############### @@ -522,6 +522,12 @@ O MaxHeadersLength=32768 #O ServerSSLOptions # client side SSL options #O ClientSSLOptions +# SSL Engine +#O SSLEngine +# Path to dynamic library for SSLEngine +#O SSLEnginePath +# TLS: fall back to clear text after handshake failure? +#O TLSFallbacktoClear # Input mail filters #O InputMailFilters @@ -541,12 +547,16 @@ O MaxHeadersLength=32768 #O ClientKeyFile # File containing certificate revocation lists #O CRLFile +# Directory containing hashes pointing to certificate revocation status files +#O CRLPath # DHParameters (only required if DSA/DH is used) #O DHParameters # Random data source (required for systems without /dev/urandom under OpenSSL) #O RandFile # fingerprint algorithm (digest) to use for the presented cert #O CertFingerprintAlgorithm +# enable DANE? +#O DANE=false # Maximum number of "useless" commands before slowing down #O MaxNOOPCommands=20 @@ -1266,6 +1276,7 @@ R$* $| $* $@ $>"TLS_connection" $1 ### ${verify} ###################################################################### Stls_server + R$* $@ $>"TLS_connection" $1 ###################################################################### 
@@ -1277,6 +1288,7 @@ R$* $@ $>"TLS_connection" $1 ###################################################################### STLS_connection RSOFTWARE $#error $@ 4.7.0 $: "403 TLS handshake." +RDANE_FAIL $#error $@ 4.7.0 $: "403 DANE check failed." diff --git a/cf/cf/generic-nextstep3.3.cf b/cf/cf/generic-nextstep3.3.cf index c997dc8f3f4f3..b51bbf80487ad 100644 --- a/cf/cf/generic-nextstep3.3.cf +++ b/cf/cf/generic-nextstep3.3.cf @@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015 -##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf +##### built by ca@lab.smi.sendmail.com on Thu Jul 2 22:41:56 PDT 2020 +##### in /var/tmp/ca/sm8.git/sendmail/OpenSource/sendmail-8.16.1/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -122,7 +122,7 @@ DnMAILER-DAEMON CPREDIRECT # Configuration version number -DZ8.15.2 +DZ8.16.1 ############### @@ -521,6 +521,12 @@ O MaxHeadersLength=32768 #O ServerSSLOptions # client side SSL options #O ClientSSLOptions +# SSL Engine +#O SSLEngine +# Path to dynamic library for SSLEngine +#O SSLEnginePath +# TLS: fall back to clear text after handshake failure? +#O TLSFallbacktoClear # Input mail filters #O InputMailFilters @@ -540,12 +546,16 @@ O MaxHeadersLength=32768 #O ClientKeyFile # File containing certificate revocation lists #O CRLFile +# Directory containing hashes pointing to certificate revocation status files +#O CRLPath # DHParameters (only required if DSA/DH is used) #O DHParameters # Random data source (required for systems without /dev/urandom under OpenSSL) #O RandFile # fingerprint algorithm (digest) to use for the presented cert #O CertFingerprintAlgorithm +# enable DANE? +#O DANE=false # Maximum number of "useless" commands before slowing down #O MaxNOOPCommands=20 
@@ -1265,6 +1275,7 @@ R$* $| $* $@ $>"TLS_connection" $1 ### ${verify} ###################################################################### Stls_server + R$* $@ $>"TLS_connection" $1 ###################################################################### @@ -1276,6 +1287,7 @@ R$* $@ $>"TLS_connection" $1 ###################################################################### STLS_connection RSOFTWARE $#error $@ 4.7.0 $: "403 TLS handshake." +RDANE_FAIL $#error $@ 4.7.0 $: "403 DANE check failed." diff --git a/cf/cf/generic-osf1.cf b/cf/cf/generic-osf1.cf index 103a3616bb2fd..2c9c7a5911e3f 100644 --- a/cf/cf/generic-osf1.cf +++ b/cf/cf/generic-osf1.cf @@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015 -##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf +##### built by ca@lab.smi.sendmail.com on Thu Jul 2 22:41:57 PDT 2020 +##### in /var/tmp/ca/sm8.git/sendmail/OpenSource/sendmail-8.16.1/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -123,7 +123,7 @@ DnMAILER-DAEMON CPREDIRECT # Configuration version number -DZ8.15.2 +DZ8.16.1 ############### @@ -522,6 +522,12 @@ O MaxHeadersLength=32768 #O ServerSSLOptions # client side SSL options #O ClientSSLOptions +# SSL Engine +#O SSLEngine +# Path to dynamic library for SSLEngine +#O SSLEnginePath +# TLS: fall back to clear text after handshake failure? +#O TLSFallbacktoClear # Input mail filters #O InputMailFilters 
@@ -541,12 +547,16 @@ O MaxHeadersLength=32768 #O ClientKeyFile # File containing certificate revocation lists #O CRLFile +# Directory containing hashes pointing to certificate revocation status files +#O CRLPath # DHParameters (only required if DSA/DH is used) #O DHParameters # Random data source (required for systems without /dev/urandom under OpenSSL) #O RandFile # fingerprint algorithm (digest) to use for the presented cert #O CertFingerprintAlgorithm +# enable DANE? +#O DANE=false # Maximum number of "useless" commands before slowing down #O MaxNOOPCommands=20 @@ -1266,6 +1276,7 @@ R$* $| $* $@ $>"TLS_connection" $1 ### ${verify} ###################################################################### Stls_server + R$* $@ $>"TLS_connection" $1 ###################################################################### @@ -1277,6 +1288,7 @@ R$* $@ $>"TLS_connection" $1 ###################################################################### STLS_connection RSOFTWARE $#error $@ 4.7.0 $: "403 TLS handshake." +RDANE_FAIL $#error $@ 4.7.0 $: "403 DANE check failed." diff --git a/cf/cf/generic-solaris.cf b/cf/cf/generic-solaris.cf index 538d84f63491b..0c4c232ecbbe3 100644 --- a/cf/cf/generic-solaris.cf +++ b/cf/cf/generic-solaris.cf @@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015 -##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf +##### built by ca@lab.smi.sendmail.com on Thu Jul 2 22:41:57 PDT 2020 +##### in /var/tmp/ca/sm8.git/sendmail/OpenSource/sendmail-8.16.1/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -122,7 +122,7 @@ DnMAILER-DAEMON CPREDIRECT # Configuration version number -DZ8.15.2 +DZ8.16.1 ############### 
@@ -521,6 +521,12 @@ O MaxHeadersLength=32768 #O ServerSSLOptions # client side SSL options #O ClientSSLOptions +# SSL Engine +#O SSLEngine +# Path to dynamic library for SSLEngine +#O SSLEnginePath +# TLS: fall back to clear text after handshake failure? +#O TLSFallbacktoClear # Input mail filters #O InputMailFilters @@ -540,12 +546,16 @@ O MaxHeadersLength=32768 #O ClientKeyFile # File containing certificate revocation lists #O CRLFile +# Directory containing hashes pointing to certificate revocation status files +#O CRLPath # DHParameters (only required if DSA/DH is used) #O DHParameters # Random data source (required for systems without /dev/urandom under OpenSSL) #O RandFile # fingerprint algorithm (digest) to use for the presented cert #O CertFingerprintAlgorithm +# enable DANE? +#O DANE=false # Maximum number of "useless" commands before slowing down #O MaxNOOPCommands=20 @@ -1265,6 +1275,7 @@ R$* $| $* $@ $>"TLS_connection" $1 ### ${verify} ###################################################################### Stls_server + R$* $@ $>"TLS_connection" $1 ###################################################################### @@ -1276,6 +1287,7 @@ R$* $@ $>"TLS_connection" $1 ###################################################################### STLS_connection RSOFTWARE $#error $@ 4.7.0 $: "403 TLS handshake." +RDANE_FAIL $#error $@ 4.7.0 $: "403 DANE check failed." diff --git a/cf/cf/generic-sunos4.1.cf b/cf/cf/generic-sunos4.1.cf index 3d1482cfe16ed..98a6084d6a75d 100644 --- a/cf/cf/generic-sunos4.1.cf +++ b/cf/cf/generic-sunos4.1.cf 
@@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015 -##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf +##### built by ca@lab.smi.sendmail.com on Thu Jul 2 22:41:57 PDT 2020 +##### in /var/tmp/ca/sm8.git/sendmail/OpenSource/sendmail-8.16.1/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -123,7 +123,7 @@ DnMAILER-DAEMON CPREDIRECT # Configuration version number -DZ8.15.2 +DZ8.16.1 ############### @@ -522,6 +522,12 @@ O MaxHeadersLength=32768 #O ServerSSLOptions # client side SSL options #O ClientSSLOptions +# SSL Engine +#O SSLEngine +# Path to dynamic library for SSLEngine +#O SSLEnginePath +# TLS: fall back to clear text after handshake failure? +#O TLSFallbacktoClear # Input mail filters #O InputMailFilters @@ -541,12 +547,16 @@ O MaxHeadersLength=32768 #O ClientKeyFile # File containing certificate revocation lists #O CRLFile +# Directory containing hashes pointing to certificate revocation status files +#O CRLPath # DHParameters (only required if DSA/DH is used) #O DHParameters # Random data source (required for systems without /dev/urandom under OpenSSL) #O RandFile # fingerprint algorithm (digest) to use for the presented cert #O CertFingerprintAlgorithm +# enable DANE? +#O DANE=false # Maximum number of "useless" commands before slowing down #O MaxNOOPCommands=20 @@ -1266,6 +1276,7 @@ R$* $| $* $@ $>"TLS_connection" $1 ### ${verify} ###################################################################### Stls_server + R$* $@ $>"TLS_connection" $1 ###################################################################### @@ -1277,6 +1288,7 @@ R$* $@ $>"TLS_connection" $1 ###################################################################### STLS_connection RSOFTWARE $#error $@ 4.7.0 $: "403 TLS handshake." +RDANE_FAIL $#error $@ 4.7.0 $: "403 DANE check failed." 
diff --git a/cf/cf/generic-ultrix4.cf b/cf/cf/generic-ultrix4.cf index 84c74b8e84bad..0e3a8e89c2165 100644 --- a/cf/cf/generic-ultrix4.cf +++ b/cf/cf/generic-ultrix4.cf @@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015 -##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf +##### built by ca@lab.smi.sendmail.com on Thu Jul 2 22:41:57 PDT 2020 +##### in /var/tmp/ca/sm8.git/sendmail/OpenSource/sendmail-8.16.1/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -123,7 +123,7 @@ DnMAILER-DAEMON CPREDIRECT # Configuration version number -DZ8.15.2 +DZ8.16.1 ############### @@ -522,6 +522,12 @@ O MaxHeadersLength=32768 #O ServerSSLOptions # client side SSL options #O ClientSSLOptions +# SSL Engine +#O SSLEngine +# Path to dynamic library for SSLEngine +#O SSLEnginePath +# TLS: fall back to clear text after handshake failure? +#O TLSFallbacktoClear # Input mail filters #O InputMailFilters @@ -541,12 +547,16 @@ O MaxHeadersLength=32768 #O ClientKeyFile # File containing certificate revocation lists #O CRLFile +# Directory containing hashes pointing to certificate revocation status files +#O CRLPath # DHParameters (only required if DSA/DH is used) #O DHParameters # Random data source (required for systems without /dev/urandom under OpenSSL) #O RandFile # fingerprint algorithm (digest) to use for the presented cert #O CertFingerprintAlgorithm +# enable DANE? +#O DANE=false # Maximum number of "useless" commands before slowing down #O MaxNOOPCommands=20 @@ -1266,6 +1276,7 @@ R$* $| $* $@ $>"TLS_connection" $1 ### ${verify} ###################################################################### Stls_server + R$* $@ $>"TLS_connection" $1 ###################################################################### 
@@ -1277,6 +1288,7 @@ R$* $@ $>"TLS_connection" $1 ###################################################################### STLS_connection RSOFTWARE $#error $@ 4.7.0 $: "403 TLS handshake." +RDANE_FAIL $#error $@ 4.7.0 $: "403 DANE check failed." diff --git a/cf/cf/knecht.mc b/cf/cf/knecht.mc index 720389189eb40..2b79eb2279272 100644 --- a/cf/cf/knecht.mc +++ b/cf/cf/knecht.mc @@ -46,7 +46,7 @@ define(`CYRUS_MAILER_PATH', `/usr/local/cyrus/bin/deliver') define(`CYRUS_MAILER_FLAGS', `fAh5@/:|') FEATURE(`access_db') -FEATURE(`blacklist_recipients') +FEATURE(`blocklist_recipients') FEATURE(`local_lmtp') FEATURE(`virtusertable') FEATURE(`mailertable') @@ -234,7 +234,7 @@ Kstorage macro LOCAL_RULESETS ###################################################################### -### check for the existance of the X-MailScanner Header +### check for the existence of the X-MailScanner Header HX-MailScanner: $>+CheckXMSc D{SobigFPat}Found to be clean D{SobigFMsg}This message may contain the Sobig.F virus. diff --git a/cf/cf/submit.cf b/cf/cf/submit.cf index 6295d32db006f..63d7cb720eb74 100644 --- a/cf/cf/submit.cf +++ b/cf/cf/submit.cf @@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by ca@sandman.dev-lab.sendmail.com on Thu Jul 2 05:24:31 PDT 2015 -##### in /x/ca/smi.git/sendmail/OpenSource/sendmail-8.15.2/cf/cf +##### built by ca@lab.smi.sendmail.com on Thu Jul 2 22:41:57 PDT 2020 +##### in /var/tmp/ca/sm8.git/sendmail/OpenSource/sendmail-8.16.1/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -114,7 +114,7 @@ D{MTAHost}[127.0.0.1] # Configuration version number -DZ8.15.2/Submit +DZ8.16.1/Submit ############### 
@@ -513,6 +513,12 @@ O PidFile=/var/spool/clientmqueue/sm-client.pid #O ServerSSLOptions # client side SSL options #O ClientSSLOptions +# SSL Engine +#O SSLEngine +# Path to dynamic library for SSLEngine +#O SSLEnginePath +# TLS: fall back to clear text after handshake failure? +#O TLSFallbacktoClear # Input mail filters #O InputMailFilters @@ -532,12 +538,16 @@ O PidFile=/var/spool/clientmqueue/sm-client.pid #O ClientKeyFile # File containing certificate revocation lists #O CRLFile +# Directory containing hashes pointing to certificate revocation status files +#O CRLPath # DHParameters (only required if DSA/DH is used) #O DHParameters # Random data source (required for systems without /dev/urandom under OpenSSL) #O RandFile # fingerprint algorithm (digest) to use for the presented cert #O CertFingerprintAlgorithm +# enable DANE? +#O DANE=false # Maximum number of "useless" commands before slowing down #O MaxNOOPCommands=20 @@ -1257,6 +1267,7 @@ R$* $| $* $@ $>"TLS_connection" $1 ### ${verify} ###################################################################### Stls_server + R$* $@ $>"TLS_connection" $1 ###################################################################### @@ -1268,6 +1279,7 @@ R$* $@ $>"TLS_connection" $1 ###################################################################### STLS_connection RSOFTWARE $#error $@ 4.7.0 $: "403 TLS handshake." +RDANE_FAIL $#error $@ 4.7.0 $: "403 DANE check failed." diff --git a/cf/feature/bcc.m4 b/cf/feature/bcc.m4 index 9454143f2060e..5bb754bd04a34 100644 --- a/cf/feature/bcc.m4 +++ b/cf/feature/bcc.m4 @@ -76,7 +76,7 @@ R$* $| $* $: ifelse(len(X`'_ARG3_),`1', `$1', `_ARG3_') ifdef(`_CANONIFY_BCC_', `dnl R$+ @ $+ $: $1@$2 $| <$(canonicalRcpt $1 @ $2 $: $)> R$* $| <> $@ -R$* $| <$* <TMPF>> $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later." +R$* $| <$* <TMPF>> $#error $@ 4.3.0 $: _TMPFMSG_(`BCC') R$* $| <$+> $@ $2 map matched? ') 
diff --git a/cf/feature/blacklist_recipients.m4 b/cf/feature/blacklist_recipients.m4 index 706d11754393b..5312a2e50687b 100644 --- a/cf/feature/blacklist_recipients.m4 +++ b/cf/feature/blacklist_recipients.m4 @@ -13,7 +13,6 @@ divert(0) VERSIONID(`$Id: blacklist_recipients.m4,v 8.14 2013-11-22 20:51:11 ca Exp $') divert(-1) -ifdef(`_ACCESS_TABLE_', - `define(`_BLACKLIST_RCPT_', 1)', - `errprint(`*** ERROR: FEATURE(blacklist_recipients) requires FEATURE(access_db) -')') +errprint(`WARNING: FEATURE(blacklist_recipients) is deprecated; use FEATURE(blocklist_recipients.m4). +') +FEATURE(`blocklist_recipients') diff --git a/cf/feature/blocklist_recipients.m4 b/cf/feature/blocklist_recipients.m4 new file mode 100644 index 0000000000000..7c5a1df022181 --- /dev/null +++ b/cf/feature/blocklist_recipients.m4 @@ -0,0 +1,19 @@ +divert(-1) +# +# Copyright (c) 1998, 1999 Proofpoint, Inc. and its suppliers. +# All rights reserved. +# +# By using this file, you agree to the terms and conditions set +# forth in the LICENSE file which can be found at the top level of +# the sendmail distribution. +# +# + +divert(0) +VERSIONID(`$Id: blocklist_recipients.m4,v 8.14 2013-11-22 20:51:11 ca Exp $') +divert(-1) + +ifdef(`_ACCESS_TABLE_', + `define(`_BLOCKLIST_RCPT_', 1)', + `errprint(`*** ERROR: FEATURE(blocklist_recipients) requires FEATURE(access_db) +')') diff --git a/cf/feature/check_cert_altnames.m4 b/cf/feature/check_cert_altnames.m4 new file mode 100644 index 0000000000000..9fae74ef0a3c3 --- /dev/null +++ b/cf/feature/check_cert_altnames.m4 
@@ -0,0 +1,17 @@ +divert(-1) +# +# Copyright (c) 2019 Proofpoint, Inc. and its suppliers. +# All rights reserved. +# +# By using this file, you agree to the terms and conditions set +# forth in the LICENSE file which can be found at the top level of +# the sendmail distribution. +# +# + +divert(0)dnl +VERSIONID(`$Id: block_bad_helo.m4,v 1.2 2013-11-22 20:51:11 ca Exp $') +divert(-1) +define(`_FFR_TLS_ALTNAMES', `1') +divert(6)dnl +O SetCertAltnames=true diff --git a/cf/feature/dnsbl.m4 b/cf/feature/dnsbl.m4 index 63b86759c320a..dd8fd52583f93 100644 --- a/cf/feature/dnsbl.m4 +++ b/cf/feature/dnsbl.m4 @@ -17,7 +17,7 @@ define(`_DNSBL_R_',`') ifelse(defn(`_ARG_'), `', `errprint(`*** ERROR: missing argument for FEATURE(`dnsbl')')') LOCAL_CONFIG -# map for DNS based blacklist lookups +# map for DNS based blocklist lookups Kdnsbl DNSBL_MAP -T<TMP>ifdef(`DNSBL_MAP_OPT',` DNSBL_MAP_OPT')') divert(-1) define(`_DNSBL_SRV_', `_ARG_')dnl diff --git a/cf/feature/enhdnsbl.m4 b/cf/feature/enhdnsbl.m4 index b3a86b969c266..f0ba5c50d4821 100644 --- a/cf/feature/enhdnsbl.m4 +++ b/cf/feature/enhdnsbl.m4 @@ -16,7 +16,7 @@ ifdef(`_EDNSBL_R_',`dnl',`dnl VERSIONID(`$Id: enhdnsbl.m4,v 1.13 2013-11-22 20:51:11 ca Exp $') LOCAL_CONFIG define(`_EDNSBL_R_',`')dnl -# map for enhanced DNS based blacklist lookups +# map for enhanced DNS based blocklist lookups Kednsbl dns -R A -a. -T<TMP> -r`'ifdef(`EDNSBL_TO',`EDNSBL_TO',`5') ') divert(-1) diff --git a/cf/feature/tls_failures.m4 b/cf/feature/tls_failures.m4 new file mode 100644 index 0000000000000..94982110f0b84 --- /dev/null +++ b/cf/feature/tls_failures.m4 
@@ -0,0 +1,13 @@ +divert(-1) +# +# Copyright (c) 2020 Proofpoint, Inc. and its suppliers. +# All rights reserved. +# +# By using this file, you agree to the terms and conditions set +# forth in the LICENSE file which can be found at the top level of +# the sendmail distribution. +# + +errprint(`*** ERROR: FEATURE(tls_failures) has been replaced by confTLS_FALLBACK_TO_CLEAR +') +define(`confTLS_FALLBACK_TO_CLEAR', `true') diff --git a/cf/m4/cfhead.m4 b/cf/m4/cfhead.m4 index eacdfb72f0ae1..6d12e8582627c 100644 --- a/cf/m4/cfhead.m4 +++ b/cf/m4/cfhead.m4 @@ -72,6 +72,15 @@ define(`_ARG9_',`_ACC_ARG_9_(_ARGS_)') dnl define if not yet defined: if `$1' is not defined it will be `$2' define(`_DEFIFNOT',`ifdef(`$1',`',`define(`$1',`$2')')') dnl ---------------------------------------- +dnl Use a "token" for this error message to make them unique? +dnl Note: this is not a documented option. To enable it, use: +dnl define(`_USETMPFTOKEN_', `1')dnl +ifdef(`_USETMPFTOKEN_', ` +define(_TMPFMSG_, `"451 Temporary system failure $1. Please try again later."') +', `dnl +define(_TMPFMSG_, `"451 Temporary system failure. Please try again later."') +') +dnl ---------------------------------------- dnl add a char $2 to a string $1 if it is not there define(`_ADDCHAR_',`define(`_I_',`eval(index(`$1',`$2') >= 0)')`'ifelse(_I_,`1',`$1',`$1$2')') dnl ---- diff --git a/cf/m4/proto.m4 b/cf/m4/proto.m4 index 696bf36a53576..618dde00e24a8 100644 --- a/cf/m4/proto.m4 +++ b/cf/m4/proto.m4 @@ -161,7 +161,7 @@ ifdef(`_ACCESS_TABLE_', `dnl # access_db acceptance class C{Accept}OK RELAY ifdef(`_DELAY_COMPAT_8_10_',`dnl -ifdef(`_BLACKLIST_RCPT_',`dnl +ifdef(`_BLOCKLIST_RCPT_',`dnl # possible access_db RHS for spam friends/haters C{SpamTag}SPAMFRIEND SPAMHATER')')', `dnl') 
@@ -197,7 +197,9 @@ ifdef(`_MACRO_MAP_', `', `# macro storage map define(`_MACRO_MAP_', `1')dnl Kmacro macro') # possible values for TLS_connection in access map -C{Tls}VERIFY ENCR', `dnl') +C{Tls}VERIFY ENCR +C{TlsVerified}OK TRUSTED +dnl', `dnl') ifdef(`_CERT_REGEX_ISSUER_', `dnl # extract relevant part from cert issuer KCERTIssuer regex _CERT_REGEX_ISSUER_', `dnl') @@ -653,6 +655,12 @@ _OPTION(CipherList, `confCIPHER_LIST', `') _OPTION(ServerSSLOptions, `confSERVER_SSL_OPTIONS', `') # client side SSL options _OPTION(ClientSSLOptions, `confCLIENT_SSL_OPTIONS', `') +# SSL Engine +_OPTION(SSLEngine, `confSSL_ENGINE', `') +# Path to dynamic library for SSLEngine +_OPTION(SSLEnginePath, `confSSL_ENGINE_PATH', `') +# TLS: fall back to clear text after handshake failure? +_OPTION(TLSFallbacktoClear, `confTLS_FALLBACK_TO_CLEAR', `') # Input mail filters _OPTION(InputMailFilters, `confINPUT_MAIL_FILTERS', `') @@ -682,12 +690,16 @@ _OPTION(ClientCertFile, `confCLIENT_CERT', `') _OPTION(ClientKeyFile, `confCLIENT_KEY', `') # File containing certificate revocation lists _OPTION(CRLFile, `confCRL', `') +# Directory containing hashes pointing to certificate revocation status files +_OPTION(CRLPath, `confCRL_PATH', `') # DHParameters (only required if DSA/DH is used) _OPTION(DHParameters, `confDH_PARAMETERS', `') # Random data source (required for systems without /dev/urandom under OpenSSL) _OPTION(RandFile, `confRAND_FILE', `') # fingerprint algorithm (digest) to use for the presented cert _OPTION(CertFingerprintAlgorithm, `confCERT_FINGERPRINT_ALGORITHM', `') +# enable DANE? +_OPTION(DANE, `confDANE', `false') # Maximum number of "useless" commands before slowing down _OPTION(MaxNOOPCommands, `confMAX_NOOP_COMMANDS', `20') 
@@ -1500,7 +1512,7 @@ R<$* <TMPF>> <$*> <$+> <$+> <$*> $: $&{opMode} $| TMPF <$&{addr_type}> $| $3 R<$*> <$* <TMPF>> <$+> <$+> <$*> $: $&{opMode} $| TMPF <$&{addr_type}> $| $3 ifelse(_LDAP_ROUTE_MAPTEMP_, `_TEMPFAIL_', `dnl # ... temp fail RCPT SMTP commands -R$={SMTPOpModes} $| TMPF <e r> $| $+ $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."') +R$={SMTPOpModes} $| TMPF <e r> $| $+ $#error $@ 4.3.0 $: _TMPFMSG_(`OPM')') # ... return original address for MTA to queue up R$* $| TMPF <$*> $| $+ $@ $3 @@ -1733,7 +1745,7 @@ dnl if mark is <NO> then change it to <RELAY> if domain is "authorized" dnl what if access map returns something else than RELAY? dnl we are only interested in RELAY entries... -dnl other To: entries: blacklist recipient; generic entries? +dnl other To: entries: blocklist recipient; generic entries? dnl if it is an error we probably do not want to relay anyway ifdef(`_RELAY_HOSTS_ONLY_', `R<NO> $* < @ $=R > $: <RELAY> $1 < @ $2 > @@ -1807,7 +1819,7 @@ R<QUARANTINE:$+> <$*> $#error $@ quarantine $: $1 dnl error tag R<ERROR:$-.$-.$-:$+> <$*> $#error $@ $1.$2.$3 $: $4 R<ERROR:$+> <$*> $#error $: $1 -ifdef(`_ATMPF_', `R<$* _ATMPF_> <$*> $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl') +ifdef(`_ATMPF_', `R<$* _ATMPF_> <$*> $#error $@ 4.3.0 $: _TMPFMSG_(`CR')', `dnl') dnl generic error from access map R<$+> <$*> $#error $: $1', `dnl') @@ -1976,7 +1988,7 @@ R<REJECT> $* $#error ifdef(`confREJECT_MSG', `$: confREJECT_MSG', `$@ 5.7.1 $: dnl error tag R<ERROR:$-.$-.$-:$+> $* $#error $@ $1.$2.$3 $: $4 R<ERROR:$+> $* $#error $: $1 -ifdef(`_ATMPF_', `R<_ATMPF_> $* $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl') +ifdef(`_ATMPF_', `R<_ATMPF_> $* $#error $@ 4.3.0 $: _TMPFMSG_(`CM')', `dnl') dnl generic error from access map R<$+> $* $#error $: $1 error from access db', `dnl') 
@@ -2108,9 +2120,9 @@ R$* $=O $* < @ $* @@ $=w . > $* $@ $>"Rcpt_ok" $1 $2 $3 R$* < @ $* @@ $=w . > $* $: $1 < @ $3 > $4 R$* < @ $* @@ $* > $* $: $1 < @ $2 > $4') -ifdef(`_BLACKLIST_RCPT_',`dnl +ifdef(`_BLOCKLIST_RCPT_',`dnl ifdef(`_ACCESS_TABLE_', `dnl -# blacklist local users or any host from receiving mail +# blocklist local users or any host from receiving mail R$* $: <?> $1 dnl user is now tagged with @ to be consistent with check_mail dnl and to distinguish users from hosts (com would be host, com@ would be user) @@ -2143,7 +2155,7 @@ R<QUARANTINE:$+> $* $#error $@ quarantine $: $1 dnl error tag R<ERROR:$-.$-.$-:$+> $* $#error $@ $1.$2.$3 $: $4 R<ERROR:$+> $* $#error $: $1 -ifdef(`_ATMPF_', `R<_ATMPF_> $* $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl') +ifdef(`_ATMPF_', `R<_ATMPF_> $* $#error $@ 4.3.0 $: _TMPFMSG_(`ROK1')', `dnl') dnl generic error from access map R<$+> $* $#error $: $1 error from access db R@ $* $1 remove mark', `dnl')', `dnl') @@ -2198,7 +2210,7 @@ R$+ < @ $+ > $| $* $: <$3> <$1 <@ $2>>', ifdef(`_ACCESS_TABLE_', `dnl dnl workspace: <Result-of-lookup | ?> <localpart<@domain>> R<RELAY> $* $@ RELAY -ifdef(`_ATMPF_', `R<$* _ATMPF_> $* $#TEMP $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl') +ifdef(`_ATMPF_', `R<$* _ATMPF_> $* $#TEMP $@ 4.3.0 $: _TMPFMSG_(`ROK2')', `dnl') R<$*> <$*> $: $2',`dnl') @@ -2268,7 +2280,7 @@ dnl Connect:My.Host.Domain RELAY dnl Connect:My.Net REJECT dnl since in check_relay client_name is checked before client_addr R<REJECT> $* $@ REJECT rejected IP address') -ifdef(`_ATMPF_', `R<_ATMPF_> $* $#TEMP $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl') +ifdef(`_ATMPF_', `R<_ATMPF_> $* $#TEMP $@ 4.3.0 $: _TMPFMSG_(`YOK1')', `dnl') R<$*> <$*> $: $2', `dnl') R$* $: [ $1 ] put brackets around it... R$=w $@ RELAY ... and see if it is local 
@@ -2287,7 +2299,7 @@ R<?> $+ < @ $=w > $@ RELAY FROM local', `dnl') ifdef(`_RELAY_DB_FROM_', `dnl R<?> $+ < @ $+ > $: <@> $>SearchList <! From> $| <F:$1@$2> ifdef(`_RELAY_DB_FROM_DOMAIN_', ifdef(`_RELAY_HOSTS_ONLY_', `<E:$2>', `<D:$2>')) <> R<@> <RELAY> $@ RELAY RELAY FROM sender ok -ifdef(`_ATMPF_', `R<@> <_ATMPF_> $#TEMP $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl') +ifdef(`_ATMPF_', `R<@> <_ATMPF_> $#TEMP $@ 4.3.0 $: _TMPFMSG_(`YOK2')', `dnl') ', `dnl ifdef(`_RELAY_DB_FROM_DOMAIN_', `errprint(`*** ERROR: _RELAY_DB_FROM_DOMAIN_ requires _RELAY_DB_FROM_ @@ -2331,7 +2343,7 @@ ifdef(`_ACCESS_TABLE_', `dnl R<?> $* $: $>D <$1> <?> <+ Connect> <$1>',`dnl')') ifdef(`_ACCESS_TABLE_', `dnl R<RELAY> $* $@ RELAY -ifdef(`_ATMPF_', `R<$* _ATMPF_> $* $#TEMP $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl') +ifdef(`_ATMPF_', `R<$* _ATMPF_> $* $#TEMP $@ 4.3.0 $: _TMPFMSG_(`YOK3')', `dnl') R<$*> <$*> $: $2',`dnl') dnl end of _PROMISCUOUS_RELAY_ divert(0) @@ -2384,7 +2396,7 @@ ifdef(`_ACCESS_TABLE_', `', `errprint(`*** ERROR: FEATURE(`delay_checks', `argument') requires FEATURE(`access_db') ')')dnl dnl one of the next two rules is supposed to match -dnl this code has been copied from BLACKLIST... etc +dnl this code has been copied from BLOCKLIST... etc dnl and simplified by omitting some < >. R<?> $+ < @ $=w > $: <> $1 < @ $2 > $| <F: $1@$2 > <D: $2 > <U: $1@> R<?> $+ < @ $* > $: <> $1 < @ $2 > $| <F: $1@$2 > <D: $2 > @@ -2688,7 +2700,7 @@ R<?>$* $: $>A <$&{server_addr}> <?> <! TLS_TRY_TAG> <> R<?>$* $: <$(access TLS_TRY_TAG`'_TAG_DELIM_ $: ? $)> R<?>$* $@ OK ifdef(`_ATMPF_', `dnl tempfail? -R<$* _ATMPF_>$* $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl') +R<$* _ATMPF_>$* $#error $@ 4.3.0 $: _TMPFMSG_(`TT')', `dnl') R<NO>$* $#error $@ 5.7.1 $: "550 do not try TLS with " $&{server_name} " ["$&{server_addr}"]"') ###################################################################### 
@@ -2721,7 +2733,7 @@ R$* $| $+ $: $1 $| $>SearchList <! TLS_RCPT_TAG> $| $2 <> dnl found nothing: stop here R$* $| <?> $@ OK ifdef(`_ATMPF_', `dnl tempfail? -R$* $| <$* _ATMPF_> $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl') +R$* $| <$* _ATMPF_> $#error $@ 4.3.0 $: _TMPFMSG_(`TR')', `dnl') dnl use the generic routine (for now) R$* $| <$+> $@ $>"TLS_connection" $&{verify} $| <$2>') @@ -2751,7 +2763,7 @@ R$* $| <?>$* $: $1 $| $>A <$&{client_addr}> <?> <! TLS_CLT_TAG> <> dnl do a default lookup: just TLS_CLT_TAG R$* $| <?>$* $: $1 $| <$(access TLS_CLT_TAG`'_TAG_DELIM_ $: ? $)> ifdef(`_ATMPF_', `dnl tempfail? -R$* $| <$* _ATMPF_> $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl') +R$* $| <$* _ATMPF_> $#error $@ 4.3.0 $: _TMPFMSG_(`TC')', `dnl') R$* $@ $>"TLS_connection" $1', `dnl R$* $| $* $@ $>"TLS_connection" $1') @@ -2769,6 +2781,8 @@ ifdef(`_LOCAL_TLS_SERVER_', `dnl R$* $: $1 $| $>"Local_tls_server" $1 R$* $| $#$* $#$2 R$* $| $* $: $1', `dnl') +ifdef(`_TLS_FAILURES_',`dnl +R$* $: $(macro {saved_verify} $@ $1 $) $1') ifdef(`_ACCESS_TABLE_', `dnl dnl store name of other side R$* $: $(macro {TLS_Name} $@ $&{server_name} $) $1 @@ -2777,7 +2791,7 @@ R$* $| <?>$* $: $1 $| $>A <$&{server_addr}> <?> <! TLS_SRV_TAG> <> dnl do a default lookup: just TLS_SRV_TAG R$* $| <?>$* $: $1 $| <$(access TLS_SRV_TAG`'_TAG_DELIM_ $: ? $)> ifdef(`_ATMPF_', `dnl tempfail? -R$* $| <$* _ATMPF_> $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl') +R$* $| <$* _ATMPF_> $#error $@ 4.3.0 $: _TMPFMSG_(`TS')', `dnl') R$* $@ $>"TLS_connection" $1', `dnl R$* $@ $>"TLS_connection" $1') 
@@ -2798,6 +2812,7 @@ STLS_connection ifdef(`_ACCESS_TABLE_', `dnl', `dnl use default error dnl deal with TLS handshake failures: abort RSOFTWARE $#error $@ ifdef(`TLS_PERM_ERR', `5.7.0', `4.7.0') $: "ifdef(`TLS_PERM_ERR', `503', `403') TLS handshake." +RDANE_FAIL $#error $@ ifdef(`TLS_PERM_ERR', `5.7.0', `4.7.0') $: "ifdef(`TLS_PERM_ERR', `503', `403') DANE check failed." divert(-1)') dnl common ruleset for tls_{client|server} dnl input: ${verify} $| <ResultOfLookup> [<>] @@ -2813,14 +2828,19 @@ R$* $| <$={Tls} $*> $: $1 $| <ifdef(`TLS_PERM_ERR', `503:5.7.0', `403:4.7.0')> dnl workspace: ${verify} $| [<SMTP:ESC>] <ResultOfLookup> # deal with TLS handshake failures: abort RSOFTWARE $| <$-:$+> $* $#error $@ $2 $: $1 " TLS handshake failed." -dnl no <reply:dns> i.e. not requirements in the access map +dnl no <reply:dns> i.e. no requirements in the access map dnl use default error RSOFTWARE $| $* $#error $@ ifdef(`TLS_PERM_ERR', `5.7.0', `4.7.0') $: "ifdef(`TLS_PERM_ERR', `503', `403') TLS handshake failed." # deal with TLS protocol errors: abort RPROTOCOL $| <$-:$+> $* $#error $@ $2 $: $1 " STARTTLS failed." -dnl no <reply:dns> i.e. not requirements in the access map +dnl no <reply:dns> i.e. no requirements in the access map dnl use default error RPROTOCOL $| $* $#error $@ ifdef(`TLS_PERM_ERR', `5.7.0', `4.7.0') $: "ifdef(`TLS_PERM_ERR', `503', `403') STARTTLS failed." +# deal with DANE errors: abort +RDANE_FAIL $| <$-:$+> $* $#error $@ $2 $: $1 " DANE check failed." +dnl no <reply:dns> i.e. no requirements in the access map +dnl use default error +RDANE_FAIL $| $* $#error $@ ifdef(`TLS_PERM_ERR', `5.7.0', `4.7.0') $: "ifdef(`TLS_PERM_ERR', `503', `403') DANE check failed." R$* $| <$*> <VERIFY> $: <$2> <VERIFY> <> $1 dnl separate optional requirements R$* $| <$*> <VERIFY + $+> $: <$2> <VERIFY> <$3> $1 
@@ -2834,16 +2854,16 @@ R$* $| $* $@ OK # other side did authenticate (via STARTTLS) dnl workspace: <SMTP:ESC> <{VERIFY,ENCR}[:BITS]> <[extensions]> ${verify} dnl only verification required and it succeeded -R<$*><VERIFY> <> OK $@ OK +R<$*><VERIFY> <> $={TlsVerified} $@ OK dnl verification required and it succeeded but extensions are given dnl change it to <SMTP:ESC> <REQ:0> <extensions> -R<$*><VERIFY> <$+> OK $: <$1> <REQ:0> <$2> +R<$*><VERIFY> <$+> $={TlsVerified} $: <$1> <REQ:0> <$2> dnl verification required + some level of encryption -R<$*><VERIFY:$-> <$*> OK $: <$1> <REQ:$2> <$3> +R<$*><VERIFY:$-> <$*> $={TlsVerified} $: <$1> <REQ:$2> <$3> dnl just some level of encryption required R<$*><ENCR:$-> <$*> $* $: <$1> <REQ:$2> <$3> dnl workspace: -dnl 1. <SMTP:ESC> <VERIFY [:bits]> <[extensions]> {verify} (!= OK) +dnl 1. <SMTP:ESC> <VERIFY [:bits]> <[extensions]> {verify} (!~ $={TlsVerified}) dnl 2. <SMTP:ESC> <REQ:bits> <[extensions]> dnl verification required but ${verify} is not set (case 1.) R<$-:$+><VERIFY $*> <$*> $#error $@ $2 $: $1 " authentication required" @@ -2851,6 +2871,7 @@ R<$-:$+><VERIFY $*> <$*> FAIL $#error $@ $2 $: $1 " authentication failed" R<$-:$+><VERIFY $*> <$*> NO $#error $@ $2 $: $1 " not authenticated" R<$-:$+><VERIFY $*> <$*> NOT $#error $@ $2 $: $1 " no authentication requested" R<$-:$+><VERIFY $*> <$*> NONE $#error $@ $2 $: $1 " other side does not support STARTTLS" +R<$-:$+><VERIFY $*> <$*> CLEAR $#error $@ $2 $: $1 " STARTTLS disabled locally" dnl some other value for ${verify} R<$-:$+><VERIFY $*> <$*> $+ $#error $@ $2 $: $1 " authentication failure " $4 dnl some level of encryption required: get the maximum level (case 2.) 
@@ -2884,7 +2905,6 @@ R<$-:$+> $+ $@ $>"TLS_req" $3 $| <$1:$2> dnl further requirements for this ruleset: dnl name of "other side" is stored is {TLS_name} (client/server_name) dnl -dnl currently only CN[:common_name] is implemented dnl right now this is only a logical AND dnl i.e. all requirements must be true dnl how about an OR? CN must be X or CN must be Y or .. @@ -2896,6 +2916,11 @@ dnl no additional requirements: ok R $| $+ $@ OK dnl require CN: but no CN specified: use name of other side R<CN> $* $| <$+> $: <CN:$&{TLS_Name}> $1 $| <$2> +ifdef(`_FFR_TLS_ALTNAMES', `dnl +R<CN:$={cert_altnames}> $* $| <$+> $@ $>"TLS_req" $2 $| <$3> +R<CN:$-.$+> $* $| <$+> $: <CN:*.$2> $3 $| <$4> +R<CN:$={cert_altnames}> $* $| <$+> $@ $>"TLS_req" $3 $| <$3> +R<CN:$*> $* $| <$+> $: <CN:$&{TLS_Name}> $2 $| <$3>', `dnl') dnl match, check rest R<CN:$&{cn_subject}> $* $| <$+> $@ $>"TLS_req" $1 $| <$2> dnl CN does not match @@ -2911,6 +2936,10 @@ R<CI:$&{cert_issuer}> $* $| <$+> $@ $>"TLS_req" $1 $| <$2> dnl CI does not match dnl 1 2 3 4 R<CI:$+> $* $| <$-:$+> $#error $@ $4 $: $3 " Cert Issuer " $&{cert_issuer} " does not match " $1 +dnl +R<CITag:$-> $* $| <$+> $: <$(access $1:$&{cert_issuer} $: ? $)> $2 $| <$3> +R<?> $* $| <$-:$+> $#error $@ $3 $: $2 " Cert Issuer " $&{cert_issuer} " not acceptable" +R<OK> $* $| <$+> $@ $>"TLS_req" $1 $| <$2> dnl return from recursive call ROK $@ OK @@ -2970,7 +2999,7 @@ dnl if it returns SUBJECT we perform a similar check on the dnl cert subject. ifdef(`_ACCESS_TABLE_', `dnl R$* $: <?> $&{verify} -R<?> OK $: OK authenticated: continue +R<?> $={TlsVerified} $: OK authenticated: continue R<?> $* $@ NO not authenticated ifdef(`_CERT_REGEX_ISSUER_', `dnl R$* $: $(CERTIssuer $&{cert_issuer} $)', 
@@ -3029,7 +3058,7 @@ R$+ $: $>SearchList <! ClientRate> $| $1 <> dnl found nothing: stop here R<?> $@ OK ifdef(`_ATMPF_', `dnl tempfail? -R<$* _ATMPF_> $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl') +R<$* _ATMPF_> $#error $@ 4.3.0 $: _TMPFMSG_(`RC')', `dnl') dnl use the generic routine (for now) R<0> $@ OK no limit R<$+> $: <$1> $| $(arith l $@ $1 $@ $&{client_rate} $) @@ -3051,7 +3080,7 @@ R$+ $: $>SearchList <! ClientConn> $| $1 <> dnl found nothing: stop here R<?> $@ OK ifdef(`_ATMPF_', `dnl tempfail? -R<$* _ATMPF_> $#error $@ 4.3.0 $: "451 Temporary system failure. Please try again later."', `dnl') +R<$* _ATMPF_> $#error $@ 4.3.0 $: _TMPFMSG_(`CC')', `dnl') dnl use the generic routine (for now) R<0> $@ OK no limit R<$+> $: <$1> $| $(arith l $@ $1 $@ $&{client_connections} $) diff --git a/cf/m4/version.m4 b/cf/m4/version.m4 index 8d2680534a4a0..dadff627bb2e8 100644 --- a/cf/m4/version.m4 +++ b/cf/m4/version.m4 @@ -1,6 +1,6 @@ divert(-1) # -# Copyright (c) 1998-2015 Proofpoint, Inc. and its suppliers. +# Copyright (c) 1998-2016 Proofpoint, Inc. and its suppliers. # All rights reserved. # Copyright (c) 1983 Eric P. Allman. All rights reserved. # Copyright (c) 1988, 1993 @@ -15,4 +15,4 @@ VERSIONID(`$Id: version.m4,v 8.237 2014-01-27 12:55:17 ca Exp $') # divert(0) # Configuration version number -DZ8.15.2`'ifdef(`confCF_VERSION', `/confCF_VERSION') +DZ8.16.1`'ifdef(`confCF_VERSION', `/confCF_VERSION') diff --git a/cf/ostype/hpux10.m4 b/cf/ostype/hpux10.m4 index c59828cedaa16..423bd5bb16d10 100644 --- a/cf/ostype/hpux10.m4 +++ b/cf/ostype/hpux10.m4 @@ -23,5 +23,5 @@ ifdef(`LOCAL_SHELL_PATH',, `define(`LOCAL_SHELL_PATH', /usr/bin/sh)')dnl ifdef(`UUCP_MAILER_ARGS',, `define(`UUCP_MAILER_ARGS', `uux - -r -a$g -gC $h!rmail ($u)')')dnl define(`confTIME_ZONE', `USE_TZ')dnl dnl -dnl For maximum compability with HP-UX, use: +dnl For maximum compatibility with HP-UX, use: dnl define(`confME_TOO', True)dnl 
diff --git a/cf/ostype/hpux9.m4 b/cf/ostype/hpux9.m4 index d9fa69faf7d02..76c2258183cb2 100644 --- a/cf/ostype/hpux9.m4 +++ b/cf/ostype/hpux9.m4 @@ -23,5 +23,5 @@ ifdef(`UUCP_MAILER_ARGS',, `define(`UUCP_MAILER_ARGS', `uux - -r -a$g -gC $h!rma define(`confTIME_ZONE', `USE_TZ')dnl define(`confEBINDIR', `/usr/lib')dnl dnl -dnl For maximum compability with HP-UX, use: +dnl For maximum compatibility with HP-UX, use: dnl define(`confME_TOO', True)dnl |
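
Review bot: in cf/feature/blacklist_recipients.m4 the deprecation text names the replacement as FEATURE(blocklist_recipients.m4), but the line right after it calls FEATURE(`blocklist_recipients') without the suffix, and that is also the form cf/README and knecht.mc use in this patch. Drop the ".m4" from the message so that an admin who copies the name into a .mc file gets the spelling the rest of the tree uses.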
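
Review bot: the VERSIONID in the new cf/feature/check_cert_altnames.m4 still reads "$Id: block_bad_helo.m4,v 1.2 2013-11-22 20:51:11 ca Exp $", carried over from another feature file although the copyright line says 2019. Change it to name check_cert_altnames.m4. The file also has no comment saying what `O SetCertAltnames=true` and _FFR_TLS_ALTNAMES turn on; one line pointing at the $={cert_altnames} rules in the TLS_req ruleset of proto.m4 would make the feature discoverable.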
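
Review bot: cf/feature/tls_failures.m4 prints "*** ERROR: FEATURE(tls_failures) has been replaced by confTLS_FALLBACK_TO_CLEAR" and then continues with define(`confTLS_FALLBACK_TO_CLEAR', `true'), so a configuration the message calls an error still builds, with fallback to clear text after a handshake failure switched on. Pick one behaviour: label it WARNING, as the blacklist_recipients shim in this patch does, or keep ERROR and drop the define so the fallback has to be requested explicitly in the .mc file.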
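
Review bot: in the cf/m4/cfhead.m4 hunk both branches write define(_TMPFMSG_, ...) with the macro name unquoted, while the neighbouring definitions quote it (define(`_DEFIFNOT', ...), define(`_ADDCHAR_', ...)). If _TMPFMSG_ is already defined when this runs, the bare name is expanded before define sees it. Use define(`_TMPFMSG_', ...) in both branches. The dnl comment could also say that the token is the short tag passed at each call site (`BCC', `OPM', `CR', and so on), since that is what makes the 451 messages distinguishable.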
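
Review bot: in the cf/m4/proto.m4 options hunk (-653), _OPTION(TLSFallbacktoClear, `confTLS_FALLBACK_TO_CLEAR', `') has an empty default, so the generated files show only "#O TLSFallbacktoClear", whereas _OPTION(DANE, `confDANE', `false') documents its default as "#O DANE=false". For an option that decides whether a session continues unencrypted, put the default value in the third argument so the generated .cf states it, and turn the comment from a question into a statement of what a true value does.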
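
Review bot: the ifdef(`_TLS_FAILURES_', ...) block added in cf/m4/proto.m4 (hunk at -2769, after the Local_tls_server call) stores the workspace in {saved_verify}, but nothing in the visible patch defines _TLS_FAILURES_: the tls_failures.m4 added here only sets confTLS_FALLBACK_TO_CLEAR, and no rule shown reads {saved_verify}. If the define and the consumer live elsewhere, say so in a dnl comment; otherwise the rule is dead and should be removed.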
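
Review bot: in the _FFR_TLS_ALTNAMES block of cf/m4/proto.m4 (hunk at -2896) the third rule ends in $>"TLS_req" $3 $| <$3>, while the first rule, which has the identical left-hand side R<CN:$={cert_altnames}> $* $| <$+>, ends in $>"TLS_req" $2 $| <$3>. With that pattern $2 is the remaining requirements and $3 is the reply code, so the wildcard case appears to hand the reply code to TLS_req as the requirement list and discard the real remaining requirements; it looks like it should be $2. Separately, the fourth rule resets the workspace to <CN:$&{TLS_Name}> after the wildcard attempt even when the access map supplied an explicit CN:name, so the fallback compares ${cn_subject} against the peer name rather than the configured one. If that is intended, a dnl line should say so. The block has no comments at all; each of the four rules deserves one.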
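
Review bot: the CITag rules added in cf/m4/proto.m4 (hunk at -2911) handle only two results of the access lookup, <?> and <OK>, and are introduced by a bare "dnl". Every other access lookup touched in this patch has an ifdef(`_ATMPF_', ...) rule returning 4.3.0 through _TMPFMSG_, but this one does not, and any right-hand side other than OK falls through to whatever rule follows. Add the tempfail rule, decide explicitly what a non-OK value means, and document the CITag:tag requirement and the tag:${cert_issuer} key format in a dnl comment.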
