Wish list:

	Remove this file from the stable release.

	anvil rate limit for sasl_username.

	permit_tempfail_action (default: defer_if_reject) to be
	used as the default value for dnswl_tempfail_action and
	rhswl_tempfail_action. Steal liberally from the code that
	implements unverified_recipient_tempfail_action etc.

	Support filtering of messages that are generated by Postfix:
	This would apply to postmaster notices and bounce messages
	(DKIM), and address verification (BATV).

	Replace sscanf() numerical conversions by strto[dl]()
	for better error reporting.
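
	Added example, not Postfix code: a strict strtol() wrapper that
	reports why a numeric string was refused, next to what sscanf()
	tells the caller. The names parse_long_strict, sscanf_fields and
	the NUM_* codes are hypothetical; the sample inputs are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical status codes for this example; not Postfix identifiers. */
enum num_status { NUM_OK, NUM_EMPTY, NUM_TRAILING, NUM_RANGE };

/* Strict text-to-long conversion that says why the input was refused. */
static enum num_status parse_long_strict(const char *text, long *result)
{
    char *end;
    long value;

    errno = 0;
    value = strtol(text, &end, 10);
    if (end == text)
        return NUM_EMPTY;           /* no digits were consumed */
    if (errno == ERANGE)
        return NUM_RANGE;           /* strtol clamped the value */
    if (*end != '\0')
        return NUM_TRAILING;        /* garbage after the number */
    *result = value;
    return NUM_OK;
}

/* What sscanf() tells the caller: only the count of converted fields. */
static int sscanf_fields(const char *text, long *result)
{
    return sscanf(text, "%ld", result);
}

static const char *status_text(enum num_status status)
{
    switch (status) {
    case NUM_OK:       return "ok";
    case NUM_EMPTY:    return "no digits";
    case NUM_TRAILING: return "trailing text after number";
    default:           return "out of range";
    }
}

int main(void)
{
    /* Constructed sample inputs, as they might appear in a config value. */
    static const char *samples[] = {
        "100", "100k", "", "99999999999999999999999"
    };
    long value;
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("strtol \"%s\": %s\n", samples[i],
               status_text(parse_long_strict(samples[i], &value)));

    /* sscanf() reports success for "100k" and silently drops the "k".
       Out-of-range input is not passed to it here: the C standard leaves
       that conversion undefined. */
    printf("sscanf \"100k\": %d field(s) converted\n",
           sscanf_fields("100k", &value));
    return 0;
}
```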

	Consistency: in postconf.proto make <dt>..</dt> tags bold.

	Milter addrcpt - use Sendmail-compatible default DSN settings.

	postscreen(8): listen on multiple IP addresses and enforce
	that the client contacts the primary MX address first (i.e.
	punish hosts that contact the secondary before the primary).
	The downside with any approach that relies on temporary
	punishment is that it does not scale to configurations
	with multiple equal-preference MX hosts. Such hosts would
	have to share the postscreen cache, causing an unacceptable
	performance bottleneck and a single point of failure.

	According to a paper by Ted Unangst at BSDCON09, kqueue
	reports state changes, i.e. kqueue indicates when the socket
	becomes readable. Specifically, he writes that when kqueue
	reports that a socket has become readable but no data is
	read from that socket, later kqueue calls won't report the
	socket as readable. That's not what happens on FreeBSD 8.0,
	where kqueue will keep reporting the socket as readable when
	nothing is read.  Also, FreeBSD 8.0 kqueue still reports
	the socket as readable after a read operation does not empty
	the kernel buffer.  We need a test program for this that
	repeats these tests with OpenBSD and NetBSD (and MacOS X
	once they fix their kqueue implementation).

	Would it help if there were different cleanup_service
	parameter names for different message paths? smtpd(8) uses
	the same cleanup_service value for receiving remote mail
	and for submitting postmaster problem reports. Do we need
	separate mumble_cleanup_service_name parameters for "inject",
	"notify" and "forward" (with backwards compatible defaults)?

	IF/ENDIF support for CIDR tables.

	Make postconf aware of magical suffixes (the ones that
	combine with transport names) and show them in "postconf
	-n" output. Making this work with "postconf -d" is trickier.

	Need a regular expression table to translate address
	verification responses into hard/soft/accept reply codes.

	Is there a way to make sendmail -V work after local alias
	expansion? Majordomo-like mailing lists would benefit from
	this; the example in VERP_README does not work in the general
	case.

	When an alias is a member of an :include: list with owner-
	alias, local(8) needs an option to deliver alias or alias->user
	indirectly. What happens when an :include: list with owner-
	alias includes another list?

	Don't allow empty result values in pcre and regexp maps.
	Postfix doesn't allow them anywhere else (check this).

	Make PCRE_MAX_CAPTURE configurable.

	Add some checks for tokens starting with #. A challenge
	is to report sensible context from the guts of some low-level
	parser, without introducing a great deal of clumsiness.

	Add sendmail macros for {verify} and maybe other TLS info.

	Find out if we are doing the correct thing by looking at
	state->milter_reject_text when expanding {rcpt_addr} or
	{rcpt_host}.

	Find out why post_mail() etc. block when the qmgr fifo is
	full (answer: trigger_timeout). How can this cause delays
	in the queue manager?  When a recipient bounces during
	(transport, nexthop, address) resolution, it is redirected
	to the error or retry mailer; and bounce-after-delivery is
	asynchronous so it can't block the queue manager, either.

	Add smtpd_sender_login_maps to proxy_read_maps, and make
	sure that defaults are set before proxy_read_maps is
	evaluated. What other parameters are worthy of being
	whitelisted for proxy access?  Is there a way to automate
	this decision?

	How to ensure that proxy_read_maps is processed after all
	its dependencies are initialized, or just bite the bullet
	and rewrite the parameter initialization code.

	The cleanup virtual alias expansion limit does not really
	deliver on its promises. 1) It promises to truncate the
	result without aborting delivery, which would be undesirable
	anyway, but that is not what it does, so that is good.  2)
	It keeps all the recipients from multi-recipient database
	lookup, then terminates further recursion when the result
	exceeds the expansion limit. This behavior achieves the
	original goal that all things shall have a finite size (even
	though we don't really care how large they are) but may
	result in surprises when recipients are listed in virtual
	alias domains or need expansion for other reasons.  In a
	phone call with Victor, a reasonable way out is to set the
	limit to some large number (100000) and abort delivery when
	the result exceeds the limit.

	Should the postscreen save permanent white/black list lookup
	results to the temporary cache, and query the temporary
	cache first? Skipping white/black list lookups will speed
	up the handling of "good" clients without a permanent
	whitelist entry.  Of course, this means that updates to the
	white/black lists do not immediately take effect. Workarounds:
	1) use a shorter temporary cache TTL for clients on the
	permanent black/white lists; 2) ignore cached white/black
	list lookup results after "postfix reload"; 3) adjust the
	logging, for example "WHITELISTED address (cached)" and
	"BLACKLISTED address (cached)" to eliminate surprises.
	Comparing the cache entry time with the white/blacklist
	file modification time is not foolproof: for example, pcre
	or CIDR tables are read only once.

	It would be nice if the generic dict_cache(3) cache manager
	could postpone process suicide until cache cleanup is
	completed (but that is not possible when postscreen forks
	into the background to finish already-accepted connections,
	and it is not desirable when a host is being shut down).

	When postscreen drops a connection, a 521 "greeting" should
	be of the form "521 servername..." and not have an enhanced
	status code. The "521 5.7.1" form can be used after EHLO.
	Of course no spammer is going to complain about Postfix
	SMTP compliance.

	Find a place to document all the mail routing mechanisms
	in one place so people can figure out how Postfix works.

	Investigate viability of Sendmail socket maps (the moral
	equivalent of tcp_table(5)), and dns maps.

	The access map BCC action is marked "not stable", perhaps
	because people would also expect BCC actions in header/body_checks.
	How much would it take to make the queue file editing code
	generally usable?

	Move smtpd_command_filter into smtpd_chat_query() and update
	the session transcript (see smtp_chat_reply() for an example).

	SMTP connection caching without storing connections, to
	improve TLS mail delivery performance.

	postscreen has separate socket budgets for whitelisted
	clients and for other clients. If we add a dummy SMTP engine
	then we extend the session length for non-whitelisted clients
	and need to increase the socket budget (or create a new
	budget class, which complicates the user interface).

	Should not milter8_mail_event() unset the "hold" default
	reply? Better, the default reply should not be used for
	this purpose.

	Unescape the pregreeter's HELO command argument so that
	<CR><LF> don't show up as ??.

	Make postscreen logging easier. Always log connect, then log
	why the connection is or is not forwarded.

	Don't send MASTER_STAT_TAKEN/MASTER_STAT_AVAIL when a server
	runs with process limit of 1. But this means the master
	never learns that the process is successful and will always
	pause $service_throttle_time before restarting a failed service.

	Don't bother maintaining a per-service lockfile when a
	server runs with process limit of 1. The purpose of the
	lockfile is to avoid thundering herd problems when the kernel
	wakes up multiple processes for each new client connection.

	Concurrency/speed-matching: invoke a before-queue (smtpd_proxy)
	filter after the entire message is received, so that fewer
	filter processes will be running simultaneously.  In some
	parts of the world, after-queue filtering is problematic.

	This is different than the MailChannels patented solution
	to multiplex many slow SMTP connections over a few fast
	SMTP connections. We simply postpone opening the connection
	to the filter, and rely on the before-filter SMTP server
	to reject invalid recipients. MailChannels uses one
	connection-to-MTA to discover invalid recipients, receives
	the email message with a potentially reduced bitrate, and
	then uses another connection-to-MTA to deliver the message
	quickly.

	Implement PREPEND action for milter_header_checks. Save the
	to-be-prepended text to buffer, then emit it along with the
	new header.

	Fix the header_body_checks API, so that the name of the map
	class (e.g. milter_header_checks) is available for logging.

	Fix the mime_state and header_body_checks APIs, so that
	they use VSTRINGs. This simplifies REPLACE actions.

	Update FILTER_README for multi-instance support, and rename
	the old document to FILTER_LEGACY_README.

	Need to sign delivery status notifications, to avoid surprises
	when eventually people start enforcing DKIM etc. signatures.

	Either document or remove the internal_mail_filter_classes
	feature (it's disabled by default).

	"postconf -N" option to print user-defined parameter names
	(these have no defaults, since they exist only when 
	specified in main.cf or with "-o name=value").

	Make the "unknown recipient" test configurable as
	first|last|never, with "yes"=="last" for backwards
	compatibility. The "first" setting is good for performance
	(stress=yes) when all users are defined in local files; but
	it may perform worse when users are in networked tables.

	Cleanup: make DNSBL query format configurable beyond the
	client's reversed IP address.

	With 'final delivery' in the LMTP client, need an option
	to also add delivered-to and other pipe(8) features.  This
	requires making mail_copy() functionality available in
	non-mailbox context.

	Cleanup: modernize the "add missing From: header" code, to
	``phrase <addr>'' form. Most likely, quote the entire phrase
	if it contains any text that is special, then rfc822_externalize
	the whole thing.

	SMTP server: make the server_addr and server_port available
	to policy server, Dovecot, and perhaps Milters.

	Med: local and remote source port and IP address for smtpd
	policy hook.

	Maybe change maps_rbl_reject_code default to 521, and
	update wording in STRESS_README.

	Encapsulate time_t comparisons so that they can be made
	system dependent (use difftime() where available).

	Encapsulate time_t conversions (e.g. REC_TYPE_TIME) so that
	they can be made system dependent.

	Plan for time_t larger than long, or wait for LP64 to
	dominate the world?

	Make "AUTH=<>" appendage to MAIL FROM configurable, enabled
	by default.

	To support ternary operator without a huge parsing effort,
	consider ${value?{xxx}:{yyy}} where ${name} is existing
	syntax, and where ?{text} and :{text} are new syntax that
	is unlikely to break existing configurations. Or perhaps
	it's just too ugly.

	Write delivery rate delay example (which _README?) and auth
	failure cache example (SASL_README). Then include them in
	SOHO_README.

	Look for alternatives for the use of non_smtpd_milters.
	This involves some way to force local submissions to go
	through a local SMTP client and server, without triggering
	"mail loops back to myself" false alarms. The advantage is
	that it makes smtpd_mumble_restrictions available for local
	and remote mail; the disadvantage is that it makes local
	submissions more dependent on networking.  One possibility
	is to use "pickup -o content_filter=smtp:127.0.0.1:10025",
	or a dedicated SMTP client/server on UNIX-domain sockets;
	we could also decide to always suppress "mail loop" detection
	for loopback connections.  Another option is to have the
	pickup or cleanup server drive an SMTP client directly;
	this would require extension of the mail_stream() interface,
	plus a way to handle bounced/deferred recipients intelligently,
	but it would be at odds with Postfix design where delivery
	agents access queue files directly; exposing delivery agents
	to raw queue files violates another Postfix design principle.

	Consolidate duplicated code in *_server_accept_{pass,inet}().

	Consolidate duplicated code in {inet,unix,upass}_trigger.c.

	In the SMTP client, handle 421 replies in smtp_loop() by
	having the input function raise a flag after detecting 421
	(kill connection caching and be sure to do the right thing
	with RSET probes), leave the smtp_loop() per-command reply
	handlers unchanged, and have the smtp_loop() reader loop
	bail out with smtp_site_fail("server disconnected after
	%s", where), but only in the case that it isn't already in
	the final state. But first we need to clean up the handling
	of do/don't cache, expired, bad and dead sessions.

	Combine smtpd_peer.c and qmqpd_peer.c into a single function
	that produces a client context object, and provide attribute
	print/scan routines that pass these client context objects
	around. With this, we no longer have to update multiple
	pieces of code when a client attribute is added. Ditto for
	SASL and TLS context.

	Make TLS_BIO_BUFSIZE run-time adjustable, to future-proof
	Postfix for remote connections with MSS > 8 kbytes.

	Don't log "warning: XXXXX: undeliverable postmaster
	notification discarded" for spam from outside.

	Really need a cleanup driver that allows testing against
	Milter applications instead of synthetic events. This would
	have to provide stubs for clients that talk to Postfix
	daemon processes. See if this approach can also be used for
	other daemons.

	smtpd(8) exempts $address_verify_sender from access controls,
	but it doesn't know whether cleanup(8) or delivery agents
	modify the sender. Would it be possible to "calibrate" this
	exemption, perhaps by having delivery agents pass the probe
	sender to the verify server, keeping in mind that the probe
	sender may differ per delivery agent due to output rewriting.

	Update attr_print/scan() so they can send/receive file
	descriptors. This simplifies kludgy code in many daemons.

	Would there be a problem adding $smtpd_mumble_restrictions
	and $smtpd_sender_login_maps to the default proxy_read_maps
	settings?

	Remove defer(8) and trace(8) references and man pages. These
	are services not program names. On the other hand we have
	man pages for lmtp(8) and smtp(8), but not for relay(8).
	Likewise, retry(8) does not have a man page.

	Bind all deliveries to the same local delivery process,
	making Postfix perform as poorly as monolithic mailers, but
	giving a possibility to eliminate duplicate deliveries.

	Maybe declare loop when resolve_local(mxhost) is true?

	Update message content length when adding/removing headers.

	Need scache size limit.

	Make postcat header/body aware so people can grep headers.
	What headers? primary, mime, nested? What body? Does it
	include the mime and attached headers?

	REDIRECT should override original recipient info, and
	probably override DSN as well.

	Find out if with Sendmail, a Milter "add recipient" request
	results in NOTIFY=NONE as Postfix does now.

	Update FILTER_README with mailing list suggestions to tag
	with a badness indicator and then filter down-stream.

	Make null local-part handling configurable: either expand
	into mailer-daemon (current behavior) or disallow (strict
	behavior, currently implemented only in the SMTP server).

	The type of var_message_limit (and other file size/offset
	configuration parameters or internal protocol attributes)
	should be changed from int to off_t.  This also requires
	checking all expressions in which var_message_limit etc.
	appears: qmqpd, netstring, deliver_request, ...

	Add M flag (enable multi-recipient delivery) to pipe daemon.

	The usage of TLScontext->cache_type is unclear. It specifies
	a TLS session cache type (smtpd, smtp, or lmtp), but it is
	sometimes used as an indicator that TLS session caching is
	unavailable.  In reality, that decision is made by not
	registering call-back functions for cache maintenance.

	Postfix TLS library code should copy any strings that it
	receives from the application, instead of passing them
	around as pointers. TLScontext->cache_type is a case in
	point.

	Are transport:nexthop null fields the same as in the case
	of default_transport etc. parameters?

	Don't lose bits when converting st_dev into maildir file
	name. It's 64 bits on Linux. Found with the BEAM source
	code analyzer. Is this really a problem, or are they just
	using 64 bits for upwards compatibility with LP64 systems?

	Do or don't introduce unknown_reverse_client_reject_code.

	Check that "UINT32 == unsigned int" choice is ok (i.e. LP64
	UNIX).

	Tempfail when a Milter application tries to negotiate content
	access, while it is configured in an SMTP server that runs
	before the smtpd_proxy filter.

	Log DSN original recipient when rejecting mail.

	Keep whitespace between label and ":"?

	Make the map case folding/locking options configurable, if
	not at run-time then at least at compile time so we get
	consistent behavior across applications.

	Investigate what it would take to eliminate oqmgr, and to
	make the old behavior configurable in a unified queue
	manager.  This would shave another 2.7 KLOC from the source
	footprint.

	Document the case folding strategy for match_list like
	features.

	Eliminate the (incoming,deferred)->active rename operation.
	This requires an in-memory hash of queue file names to avoid 
	duplicate open() operations.

	Softbounce fallback-to-ISP for SOHO users. This heuristic
	assumes that when direct-to-MX delivery fails with 5XX,
	delivery via the ISP may still succeed.  This could be
	implemented by enabling soft bounces for destinations other
	than the smtp_fallback_relay. So the only benefit of this
	over the existing soft_bounce feature is that it has no
	effect on smtp_fallback_relay deliveries.

	Centralize main.cf parameter input so that defaults work
	consistently. What about parameter names that are prefixed
	with mail delivery transport names?

	Fix default time unit handling so that we can have a default
	bounce lifetime of $maximal_queue_lifetime, without causing
	panics when a non-default maximal_queue_lifetime setting
	includes no time unit.

	After the 20051222 ISASCII paranoia, lowercase() lowercases
	ASCII text only.

	Privacy: remove local command/pathname details from remote
	delivery status reports, and log them via local msg_warn().

	Is it safe to cache a connection after it has been used for
	more than some number of address verification probes?

	Try to recognize that Resent- headers appear in blocks,
	newest block first. But don't break on incorrect header
	block organization.

	Hard limits on cache sizes (anvil, specifically).

	Laptop friendliness: make the qmgr remember when the next
	deferred queue scan needs to be done, and have the pickup
	server stat() the maildrop directory before searching it.

	Low: replace_sender/replace_recipient actions in access
	maps, so they can be used in policy servers?

	Low: configurable order of local(8) delivery methods.

	Med: smtp_connect_timeout_budget (default: 3x smtp_connect_timeout)
	to limit the total time spent trying to connect.

	Med: transform IPv4-in-IPv6 address literals to IPv4 form
	when comparing against local IP addresses?

	Med: transform IPv4-in-IPv6 address literals to IPv4 form
	when eliminating MX mailer loops?

	Med: Postfix requires [] around IPv6 address information
	in match lists such as mynetworks, debug_peer_list etc.,
	but the [] must not be specified in access(5) maps. Other
	places don't care.  For now, this gotcha is documented in
	IPV6_README and in postconf(5) with each feature that may
	use IPv6 address information. The general recommendation
	is not to use [] unless absolutely necessary.

	Med: the partial address matching of IPv6 addresses in
	access(5) maps is a bit lame: it repeatedly truncates the
	last ":octetpair" from the printable address representation
	until a match is found or until truncation is no longer
	possible.  Since one or more ":" are usually omitted from
	the printable IPv6 address representation, this does not
	really try all the possibilities that one might expect to
	be tried. For now, this gotcha is documented in access(5).
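
	Added example, not Postfix code: a model of the truncation
	described above, assuming each step cuts the printable form at
	its last ':'. It lists the keys that would be looked up and shows
	a subnet entry that is never consulted for a "::"-compressed
	client address. The helper names, addresses and table keys are
	constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_KEYS 16
#define KEY_LEN  64

/*
 * Model of the lookup order described above (hypothetical helper, not
 * Postfix source): try the printable address, then cut at the last ':'
 * and try again until no ':' is left. Returns the number of keys.
 */
static int ipv6_lookup_keys(const char *printable, char keys[][KEY_LEN])
{
    char buf[KEY_LEN];
    char *colon;
    int count = 0;

    if (strlen(printable) >= KEY_LEN)
        return 0;
    strcpy(buf, printable);
    do {
        strcpy(keys[count++], buf);
        if ((colon = strrchr(buf, ':')) != NULL)
            *colon = '\0';
    } while (colon != NULL && count < MAX_KEYS);
    return count;
}

/* Would a table entry with this key ever be consulted for this client? */
static int key_is_tried(const char *printable, const char *table_key)
{
    char keys[MAX_KEYS][KEY_LEN];
    int i, n = ipv6_lookup_keys(printable, keys);

    for (i = 0; i < n; i++)
        if (strcmp(keys[i], table_key) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed pairs: client printable form, and the table key an
       administrator might write for the enclosing /64. */
    static const char *pairs[][2] = {
        { "2001:db8::1:2:3:4",    "2001:db8:0:0" },
        { "2001:db8:1:2:3:4:5:6", "2001:db8:1:2" },
    };
    char keys[MAX_KEYS][KEY_LEN];
    size_t p;
    int i, n;

    for (p = 0; p < sizeof(pairs) / sizeof(pairs[0]); p++) {
        n = ipv6_lookup_keys(pairs[p][0], keys);
        printf("client %s\n", pairs[p][0]);
        for (i = 0; i < n; i++)
            printf("  lookup \"%s\"\n", keys[i]);
        printf("  entry \"%s\" %s\n", pairs[p][1],
               key_is_tried(pairs[p][0], pairs[p][1]) ?
               "is tried" : "is never tried");
    }
    return 0;
}
```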

	Low: reject HELO with any domain name or IP address that
	this MTA is the final destination for.

	Low: should the Delivered-To: test in local(8) be configurable?

	Low: make mail_addr_find() lookup configurable.

	Low: update events.c so that 1-second timer requests do not
	suffer from rounding errors. This is needed for 1-second
	SMTP session caching time limits. A 1-second interval would
	become arbitrarily short when an event is scheduled just
	before the current second rolls over.

	Low: configurable internal/system locking method.

	Low: add INSTALL section for pre-existing Postfix systems.

	Low: add INSTALL section for pre-existing RPM Postfixes.

	Low: disallow smtpd_recipient_limit < 100 (the RFC minimum).

	Low: noise filter: allow smtp(8) to retry immediately if
	all MXes return a quick ECONNRESET or 4xx reply during the
	initial handshake. Retry once? How many times?

	Low: make post-install a "postfix-only script" so it can
	take data from the environment instead of main.cf.

	Low: randomize deferred mail backoff.

	Med: separate ulimit for delivery to command?

	Med: postsuper -r should do something with recipients in
	bounce logfiles, to make sure the sender will be notified.
	To be perfectly safe, no process other than the queue manager
	should move a queue file away from the active queue.

	This could involve tagging a queue file, and use up another
	permission bit (postsuper tags a "hot" file, qmgr requeues it).

	Low: postsuper re-run after renaming files, but only a
	limited number of times.

	Low: smtp-source may block when sending large test messages.

	Med: find a way to log the sender address when MAIL FROM
	is rejected due to lack of disk space.

	Low: revise other local delivery agent duplicate filters.

	Low: all table lookups should consistently use internalized
	(unquoted) or externalized (quoted) forms as lookup keys.
	smtpd, qmgr, local, etc. use unquoted address forms as keys.
	cleanup uses quoted forms.

	Low: have a configurable list of errno values for mailbox
	or maildir delivery that result in deferral rather than
	bouncing mail. What about "killed by signal" exits?

	Low: after reorganizing configuration parameters, add flags
	to all parameters whose value can be read from file.

	Medium: need in-process caching for map lookups. LDAP servers
	seem to need this in particular. Need a way to expire cached
	results that are too old.

	Low: generic showq protocol, to allow for more intelligent
	processing than just mailq. Maybe marry this with postsuper.

	Low: default domain for appending to unqualified recipients,
	so that unqualified names can be delivered locally.

	Low: The $process_id_directory setting is not used anywhere
	in Postfix. Problem reported by Michael Smith, texas.net.
	This should be documented, or better, the code should warn
	about attempts to set read-only parameters.

	Low: postconf -e edits parameters that postconf won't list.

	Low: while converting 8bit text to quoted-printable, perhaps
	use =46rom to avoid having to produce >From when delivering
	to mailbox.

	virtual_mailbox_path expression like forward_path, so that
	people can specify prefix and suffix.
